Hoist Finance AB (publ) Netherlands (“HOFI”) is the Controller of the data we hold about you in relation to processing activities mentioned in the table below. Your account is owned by HOFI, but all matters related to debt collection, debt administration and exercising the rights of the lender in relation to your account is managed by one of our partners, who is a separate Controller for processing of your data related to debt collection. All communication with you will be managed by the partner in question, including but not limited to complaints handling, delivery of notices, accepting and managing written correspondence relevant to your debt. To find out more about how our partners process your personal data, please refer to their websites for more information.
What information do we hold, why do we process it, & how long do we keep it for?
HOFI uses your information only for the purposes of debt administration and processes associated with servicing credit. We will use the data in accordance with General Data Protection Regulation (GDPR), Dutch Data Protection Act 2018 and good debt collection practice to gather and update documentation necessary for compliance with applicable laws such as Anti Money Laundering Law, Dutch tax laws, Accounting laws etc.
In order to pursue the above purposes and to act lawfully, transparently and fairly, we process the following types of information, always under strict controls, such as encryption, internal access rights, and audits to keep your information safe:
Processing activities in our debt collection operations
HOFI uses your information only for the purposes of debt administration and processes associated with servicing credit. We will use the data in accordance with General Data Protection Regulation (GDPR), Dutch Data Protection Act 2018 and good debt collection practice to gather and update documentation necessary for compliance with applicable laws such as Anti Money Laundering Law, Dutch tax laws, Accounting laws etc.
In order to pursue the above purposes and to act lawfully, transparently and fairly, we process the following types of information, always under strict controls, such as encryption, internal access rights, and audits to keep your information safe:
Type of information |
Reason for processing |
Legal basis for processing |
How long we keep your information for |
|
Contact and account information, such as your name, home address, date of birth, national identification number, phone number and details of previous communication with us, emails, and letters. |
We process this data to be able to contact you, keep records of any previous conversations or correspondence, and in general keep a full and up to date picture of your circumstances and your dealings with us. This is necessary to handle your case fairly and in your best interests. |
The legal basis for processing this information is the original credit agreement, whereby a third party has acquired the claim and appointed us as the master servicer.Once your claim has been satisfied, we will hold your data to satisfy relevant regulations such as, Anti Money Laundering, Dispute Resolution Rules, Capital requirements rules etc. |
5 years (AML) and 7 years (Tax) from the date of conclusion of the complaint or lawsuit anonymized.
|
|
Payment information, such as your bank account number, transaction history, financial data etc. |
To be able to provide Accounting, AML and Tax reports to relevant authorities and to fulfil our legal requirements. We also process this data in order to be able to create Analytical and Performance reports which are used to improve process how we deal with our customers and to educate our employees. |
Where do we get the information from?
We initially receive the information from the previous owner of the claim as part of its sale and transfer to us.
We may also obtain information from third parties in order to increase the accuracy of the information we hold and/or to gain a better understanding of your circumstances. These third parties are credit reference agencies, public government records, and other organizations which provide services to improve the quality of the data we hold about you.
Disclosure of your information
We do not disclose your information except in the following limited circumstances:
- We may share your personal information within the Hoist Finance group of companies, to which we belong. For example, our IT infrastructure is managed at Group level. This helps to keep our systems operational and secure allowing us to provide the best services to you that we can. Any personal data sharing is subject to security and privacy requirements set in the law and our internal governance documents.
We may also share your personal data with carefully vetted organizations, who must comply with our strict contractual security and privacy requirements and follow our guidelines, for the following purposes:
- To assist us in managing your account and/or maintaining accuracy of the information we hold about you. An example of this would be credit reference agency reporting.
- To provide us with specialized services to run our business. An example would be the printing company that sends out our physical letters to you, or where we use a third party to collect or manage a debt on our behalf.
Finally, we may also disclose your personal information to third parties:
- In the event we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce or apply our terms of use or to protect our rights, property or safety. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction, or with authorities for the purposes of tax reporting or anti-money laundering.
Your information will generally be kept within the EU/EEA or in countries deemed by the European Commission to have an adequate level of protection; only for limited purposes and temporarily may data be transferred to other countries. This is in particular where we need 24/7 technical support to maintain our IT infrastructure, and where the support teams of our service providers are located outside the EU/EEA.
In all cases, however, we have technical, organizational, and contractual protections in place to keep the information safe and to ensure an adequate level of protection. Contractually, transfers outside the EU/EEA to countries without an adequacy decision by the European Commission will be based on standard data protection clauses adopted by the European Commission.
Processing activities in the Job Application Process
When you apply for a job at Hoist Finance AB or any other company within the Hoist Group, either directly via our website or through external recruitment agencies we are recuired to process your personal data. The purpose of the processing of your personal data is the administration of received job applications and the selction of suitable candidats for open positions at Hoist Finance or any other company within the Hoist Group.
In order to properly fulfill the aforementioned purposes, the following categories of personal data will be processed:
Type of information |
Reason for processing |
Legal basis for processing |
How long we keep your information for |
Contact details , such as name, title, home address, telephone number, personal email address, contact details of refereesResume data , such as employment history, date of birth, gender, qualifications, nationality, occupation, professional memberships, educational achievements, degrees, transcripts, languages, computer skills, identification number, cover letter. |
The administration of received job applications and the selction of suitable candidats for open positions at Hoist Finance |
Performance of a contract |
5 years post end of recuritment (successful candidates), 2 year post end of recruitment (unsuccesful candidates) |
|
Reference data, ie all data provided to us by your reference |
To ensure that the job applicant is suitable for the applied position |
Performance of a contract |
5 years post end of recuritment (successful candidates), 2 year post end of recruitment (unsuccesful candidates) |
|
Background data , such as social security number, CV verification, tax information and internet searches, credit information, information from the enforcement authority, information about business obligations and property, as well as information about civil proceedings and tax surcharges |
To ensure that the job applicant is suitable for the applied position |
Performance of a contract, legitimate interest |
End of recuritment |
How we use particulary sensitive personal data
We will use your sensitive personal data only in so far as we are permitted by law to do so:
- We will use data about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
- We will use data about your nationality or ethnicity, to assess whether a work permit and a visa will be necessary for the role.
Where do we get the information from?
We collect personal data about candidates from the following sources:
- You, the candidate.
- Your named referees, from whom we collect the following categories of data: full name, periods of previous employment, performance during previous employment.
- From publicly accessible sources, such as LinkedIn etc., where we collect your full name, email, work history, and other data included on your profile.
- From third parties (such as recruitment agencies) that have introduced you to us or you may have directly applied for a vacancy at our company on their website. Those third parties are data controllers for the data which they collect and process for their own purpose. More information about how they process your personal data can be found in their respective privacy notices on their websites.
- From third parties (such as pre-employment screening companies) that will perform checks on candidates in last stage of the recruitment process.
Disclosure of your information
We will only share your personal data within Hoist group of companies including subsidiaries and branches.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with data protection law and data processing is limited to EU/EEA area. Contractually, if transfers outside the EU/EEA or to countries without an adequacy decision by the European Commission occur in the future they will be based on standard data protection clauses adopted by the European Commission.
Data Security
We have put in place appropriate technical and security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we only give access to your personal data to employees, contractors and other third parties who have a business relation with us on a need-to-know basis. They will only process your personal data on our specific instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable authority of a suspected breach where we are legally required to do so.
Your statutory data protection rights
- Right to access:
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please contact us. We will respond to your request within one month. - Right to rectification:
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate. We may ask that you provide reasonable proof to verify your request. - Right to restrict processing:
If you believe the personal information we hold is inaccurate, unlawful, or that we do not have a legitimate interest to process it, you can request that we restrict any processing until this is rectified. - Right to object to processing:
Where your particular situation merits that we no longer process your information for the performance of a task carried out in the public interest or based on our legitimate interest, you have the right to object to the processing. - Right to data portability:
This right allows you to obtain in a structured, commonly used format, and to reuse the information you have provided to us for your own purpose and have it transmitted directly to different services. This applies only to information we use based on your consent or on a contractual basis. - Rights related to automated decision making and profiling:
You have the right to safeguards against the risk of potentially damaging decisions being taken without human intervention. This right applies where a decision is based solely on automated processing and produces a legal effect or similar significant effect. If this is the case, we must ensure you are able to obtain human intervention, to express your point of view, and to have the opportunity to challenge it. We will also explain the logic behind the decision.
Profiling is defined as any form of automated processing intended to evaluate certain personal aspects of an individual in order to analyze or predict aspects of their personal circumstances, behaviors or abilities. Processing must be fair and transparent, use appropriate mathematical or statistical procedures, use appropriate controls to minimize inaccuracies and secure personal data.
We do not use any such automated individual decision making. - Right to erasure (“right to be forgotten”):
You may ask us to delete the information we hold on you where it is no longer necessary for the purpose for which it was collected; where you withdraw any consent you provided for its processing; where you object to our processing of it (see above); or where our processing is unlawful. Please note, however, that we are also subject to certain legal obligations that prevent us from immediately deleting all of your information. For example, we are legally obliged to keep certain data for anti-money laundering purposes for at least five years. However, any data we are prohibited from deleting will be blocked and, when we are no longer obliged to keep it, erased. - Right to lodge a complaint:
You have the right to lodge a complaint with the Dutch data protection supervisory authority. (https://www.autoriteitpersoonsgegevens.nl)
Changes to this Privacy Notice
We regularly review this Privacy Notice. We will notify you of any substantial updates that affect you 2 weeks in advance. Minor changes to the policy, such as making it clearer, will be implemented without directly notifying you.
This privacy notice was last updated: 13 November 2024.
How to contact us
Please contact us if you have any questions about our privacy policy or information we hold about you or the basis upon which we process such information:
Hoist Finance AB (publ), Netherlands
PO Box 70150, NL 1007 KD – Amsterdam
privacyNL@hoistfinance.com
