Data Confidentiality

Personal data protection policy

Introduction

Data protection is very important for us. We respect your privacy and personal life. Therefore, we will inform you below on the processing of personal data when you use the services within online applications and on the internal processing activities made available by FINS IFN SA. These services consist, for the most part, of lending activities which we, as a non-bank institution, make available to students.

As for us, the legal entity FINS IFN SA, we are part of the EDUCATIVA group, with more than 12 years of experience in the field of education, currently taking the first steps in terms of lending activity for students. Joining us, as a part of the EDUCATIVA group, are all the following legal entities: EDUCATIVA SRL, EDUCATIVA Group Foundation, Reviro HR SRL, Reviro Association, Universalio Consultanta SRL, Universalio EDU-Advising SRL, Universalio Consiliere Educationala SRL, FINS IFN SA, EDISON, EDUCATIVA Group Ltd.).

In order to achieve our object of activity, we are responsible -as all entities of the EDUCATIVA group, moreover- for compliance with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, abbreviated in English GDPR or in Romanian RGPD).

The General Data Protection Regulation is an European regulation which has a role in protecting the processing of personal data and the rights and freedoms of natural persons relating to their personal data, establishing the free movement of such data.

This personal data protection policy describes our practices regarding the processing (activities that include the collection and use) of data communicated to FINS IFN SA by agencies to which students are addressed for the purpose of obtaining a loan to support educational activities. Agents may be natural or legal persons (e.g.universities, educational consultants, other educational institutions) who identify the opportunities that the student/applicant can benefit from and register that student on the special website provided by our organization, and we will carry out the entire evaluation and possibly funding process.

Processing personal data by FINS IFN SA may include activities such as:

analysis of the customer data and loan file, followed by its validation or rejection.
centralizing of received files, with the highlighting of validated files and student beneficiaries.
transfer of the agreed loan to the account of the student whose file has been validated.

In our activity, we are making us responsible for strictly respecting the principles existing at the level of the GDPR.

Some of the GDPR principles after which we guide are:

lawfulness, fairness and transparency – in this sense we are processing your personal data in a concise, comprehensible form, only according to legal basis, respecting the conditions imposed by this regulation.
purpose limitation – processing of data is carried out for a clear, well-defined, and established purpose known from the beginning.
data minimization – processed personal data will be only those relevant to the situation and limited only to the established purpose.
accuracy – which indicates that the data processed must be accurate, and updated-etc.

Our data protection practices comply with applicable data protection legislation but if, for whatever reason, the terms set out in this data protection policy are not acceptable to you, you can communicate your objection at the address dpo@educativa.group. (dpp@educativa.ro)

Definitions and clarification of certain concepts

Personal data

Personal data is all data that relates to you in terms of the individualization of each profile. These generally include personal identification data and characteristics (name, first name, PIN, email address, telephone number, residence address, IBAN account and other billing data, citizenship, busy function, etc.), electronic identification data (identification elements from various applications, IP, Skype ID, Facebook ID, Instagram, etc.). During our activity, that personal data is that data contained in the file that you submit to the accredited agent, with an intention to obtaining the money loan from FINS IFN SA. These can be name, first name, home address, email address, phone number, IBAN, PIN, information on educational history, potential information about social media accounts (if you contact us from these backgrounds), etc.

Data subject. Personal Data Processing. Controller, processor

First, it seems appropriate to explain the concept of data subject, common in this notification. This concept refers to that person whose personal data are processed, and who enjoys protection and safety thanks to the GDPR. This can be represented by people who seek the support of FINS IFN SA, through forward loan files with the help of agents responsible for this. At the same time, we provide a definition for the concept of processing, which means any operation or set of operations carried out on personal data or on sets of personal data, with or without the use of automated means, such as collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, aligning, or combining, restricting, deleting, or destroying. Therefore, whenever your personal data, provided by you or by other people but in your interest, is collected and then used in various ways, we can consider that your personal data is processed. According to the GDPR, controller means the natural or legal person, public authority, agency, or other entity which, alone or together with others, determines the purposes and means of processing personal data. In this situation, FINS IFNS SA performs the role of controller, processing personal data received from persons using the services that we, as a non-bank institution, offer. In the same way, FINS IFN SA is the entity setting the framework and rules for processing. In this context, we are forced to ensure that our processing activity complies with the rules imposed by the GDPR to provide certainty to data subjects who entrust their personal data for the fulfilment of certain purposes. The text of the GDPR also defines the concept of processor as ‘the natural or legal person, public authority, agency or other entity processing personal data on behalf of the controller’. It shall process the personal data of the data subjects only with the consent of the controller, within the limits and conditions imposed by the controller. In the present case, the processors may be the persons assessing the money loan application files of the students (for example consultants from the FINS IFN SA team).

Volume of services provided

In the following, we will describe the volume of services provided by us, based on the existing solutions available to you: relationship management systems (CRM/ERP), call-center systems, electronic systems for the collection of information provided by third parties, electronic messaging systems, and especially through websites with online registration, sign-up, communication services. In the case of the basic service, it is provided through the systems of management of the relationship with the candidate/applicant or the persons empowered by him, the request for granting a loan of money. In the case of the provision of services to pupils under the age of 16, processes and activities can only be carried out after obtaining the approval of the parent/guardian (by express consent granted), the data of the parent will also be processed. All information collected about you is strictly used for the individual purpose for which it was collected, in accordance with the mandate granted and/or signed contracts respectively – where appropriate. Our group also has other internal operational systems for the purpose of covering the requirements and providing the necessary support for the performance of the contracted services, through which we transit the information collected to provide the best services related to the request received. For granting the loan requested by the student/applicant, you make available to us, for the purpose of analyzing the loan file and granting the requested money loan, the following types of information:

identification data and personal characteristics (name, first name, PIN, category of classification, home address, residence address, e-mail address, telephone number, class/year study, etc.);
information of educational history (details of graduated institutions);
professional history (details of professional history);
IBAN (for the subsequent transfer of the amount of money borrowed).

This data is necessary for making up the loan application file, and subsequently for our analysis FINS IFN SA will validate or reject the file. Validation is clearly followed by the grant of the amount of money requested. FINS IFN SA does not require or process personal data from special categories, but only necessary and relevant non-sensitive data, unless it is legally necessary to do so at a later stage. Data considered sensitive/special could be, but not limited to information on race or ethnicity, political opinions, religion, trade union membership, health, sexual preferences, or criminal record. In carrying out the student lending programme, FINS IFN SA has nothing to do with the processing of personal data relating to persons who have not reached the age of 16, because logically the data subjects are the students, who are precisely older than 16 years of age. The information made available to us by you and found in the loan application remains within our organization and is not transferred to other entities, other partners or processors. This is explained by the fact that the loans granted come from the resources accumulated in advance by FINS IFN SA, then granted to students whose loan files are considered valid. In this way, as no other entities are involved, the analysis of loan applications takes place only within our organization. Synthetic reports can be made without your information being presented. funders of FINS IFN SA.

Duration of data storage

Your personal data that you make available to us under this program will be retained, first of all, for the duration of the contract – until the full repayment of the loan received. Your personal data will then be retained by FINS IFN SA for a period of 10 years to keep track of the history of the loans granted.

The use of service providers for processing personal data/processing data in countries outside the European Economic Area

Our organization does not use for the provision of services and the processing of your data suppliers outside the European Economic Area.

The source of personal data

Personal data are obtained either

directly from the person concerned by registering on the organization’s website or
through accredited agents to which the data subject turned for loan. The role of these agents is to identify credit opportunities and to sign up on a special website provided by the organization, the agent also having the role of revalidating your request, acting as an operator.

From the moment you register, you enter in our database and your request enters in the approval stream, additional information may be requested in general related to the activity you will carry out or on the coverage of the necessary guarantees. This step is followed by the validation or invalidation of the loan application, regardless of how the information is to be sent directly to the data subject with the necessary explanations.

Once validated, you are accepted for the purpose of granting the loan, along with concrete information about the payment schedule to be considered and the related methods of payment.

Legal ground for the processing of personal data

The legal basis for the processing of personal data described in this information note is a contractual basis represented by the performance of a credit agreement to which you are a party or to take steps to conclude a loan offered by FINS IFN SA.

Data security

To prevent unauthorized access, to maintain data accuracy and ensure the correct use of data, we implement reasonable physical, IT and organizational security measures to effectively protect all personal data we process.
We take technical and organizational security measures to protect your data from unwanted access as much as possible. Besides securing the operating environment, for example, in certain areas (client account, contact form for the site) we use the encryption process. The information you provide will subsequently be transmitted in encrypted form, using Secure Socket Layer (SSL) protocol to prevent inappropriate use of data by third parties. You can identify this aspect by seeing the closed padlock symbol in your browser’s status bar, and the address bar starts with “https”. Data security will be adjusted according to the current technique.

Among the organizational measures taken by our organization that guarantee the safety of the processing of your personal data is also the fact that we assure the procedure of training processors to comply with GDPR rules and to make them aware of their importance is fulfilled. If the processors or its employees come into contact with your personal data, this is done under legal, security conditions, meeting the necessary safeguards.

If we, as a controller, work with another controller in the processing of personal data, we guarantee the lawful and transparent conclusion of an agreement on the processing of personal data, in which the content of which is explained at length the disclosure of personal data to the other controller, all of which are carried out under conditions that ensure the protection of the processing of your personal data.

Your rights

Right of access

You may request information from us at any time about the data stored about you, as well as, amongst other things, about the origin of the data, the recipients, or categories of recipients to which the data is transmitted and about the purpose of storage. For all other copies except the first copy, reasonable administrative costs may be charged. This does not apply to the electronic communication of information.

Right of withdrawal

If you have consented to the use of data, you may withdraw it at any time with effect for the future (once the contracted services have been completed), without giving any reasons. For that, just send an e-mail to dpo@educativa.group. Also, the right to erase your personal data may be exercised under certain circumstances provided by the applicable law, including: the situation where personal data is no longer necessary for the purposes of processing, the situation in which the data subject opposes processing and there are no other legitimate interests that prevail for processing, the situation in which personal data has been processed illegally.

Right to rectification

If your data collected by our organization is incorrect, you can request its correction at any time by contacting the project/service of interest to you or the representative you are in contact with.

Right to erasure

You are entitled to obtain from FINS IFN SA the erasure of your data, which may be exercised under certain circumstances provided by the applicable law, including: the situation where Personal Data is no longer necessary for the purposes of processing, the situation in which the data subject opposes processing and there are no other legitimate interests that prevail for processing, the situation in which Personal Data has been processed illegally. Erasure of your personal data can be made at any time, by requesting the already announced methods or by using our general contact data for each project/service. Usually, your data is erased immediately, but no later than one month from requesting this right. If data erasure is contrary to or maintaining the data is necessary according to data storage obligations established by law, contract or legal regulations, respectively commercial regulations or other reasons provided by law, instead of erasure, only data blocking may be performed. If this is the case for your customer account, you will receive a notification from us in this respect. After erasing your data, it is no longer possible to receive the information. If you did not use your account for 5 years, your account will be considered inactive. In this case, any personal data that is no longer necessary to be stored for legislative reasons will be erased after the above-mentioned term. Personal data (such as basic data) that must not be erased for legal reasons will be blocked for your safety.

Right to data portability

In case you request your personal data made available, if you wish, we will provide or communicate the data to you or another responsible person in a structured, common and electronically processable format. The latter is valid only if it is technically feasible and only related to the data you have entrusted to us. The data obtained from the services rendered is not subject to such a process, and a discussion will be addressed separately.

Right to object

You have the right to oppose data processing under the conditions and cases provided by the applicable law (including data processing for direct marketing purposes) at any time and without giving any reasons. In addition, we would like to draw your attention to the fact that, by refusing all data processing processes, it is possible that the performance of the contract for the services hired and the development of the programs for customers may be limited or cannot be done, thus asking you to analyze carefully before submitting such requests.

Extensive rights in terms of data processing for personalized assessment

Apart from the above-mentioned rights, in terms of data processing for personalized assessment (where profile creation is applicable), you have the additional right to human intervention in the decision-making process, the right to challenge the decision and the right to express your point of view.

Contact (for the enforcement of the rights of data subjects)

If you contact us by e-mail at dpo@educativa.group or by mail (Semilunei Street, No. 4-6, District 2, Bucharest, Romania), the information provided by you (your e-mail address, your name and phone number, if appropriate) will be stored by us to answer to questions and respectively to comply with your request. We erase the data appearing in this context after the storage space is no longer necessary or we limit processing if there are storage obligations stipulated by law.

Right to file a complaint

You have the right to file a complaint with a competent supervisory authority (referred to ch. X below) regarding the processing of your personal data if you believe that your data protection rights have been violated.

Questions about data protection

Questions about all data processing can be addressed at any time to:

Address: Semilunei Street, No. 4-6, District 2, Bucharest, Romania.
Data Protection Officer: Serban Popa
Email: dpo@educativa.group
Mobile: +40724.215.361

Last but not least, you have the right to contact the National Supervisory Authority for Personal Data Processing at the following contact details:

Web page: http://www.dataprotection.ro
E-mail adress: anspdcp@dataprotection.ro
Tel.: 40.318.059.211/ +40.318.059.212

Version 1, 2^nd August 2021.