Data Protection Policy of Cycle Credit Bulgaria EOOD.
“Cycle Credit Bulgaria EOOD.”, 38A Cherkovna Street, Sofia 1505, with UIC 200623729
Last Amended on 2018.12.17
1. Field of Scope
This privacy notice lays out the way Cycle Credit Bulgaria EOOD (hereinafter referred to as “Cycle”) collects, uses, processes, stores, manages, and protects the personal data of entities and individuals, including the contact, financial and demographic data (hereinafter referred to as “Personal Data”), so as to meet the data protection standards of the company and comply with the applicable law.
(i) to whom any third party may have access (hereinafter referred to as the “Client”),
(ii) that relates to the products and services (hereinafter referred to as “Services”) provided by Cycle on the field of Receivables Management. Especially, Cycle provides two kinds of Services: a) B2C Receivables Management. Cycle undertakes to inform Client’s customers about their overdue or doubtful debts and to negotiate the timing and manner of paying these debts back, according to the instructions provided by the Client, b) B2B Receivables Management has been created and developed by Cycle to exclusively manage and handle delays in payment from any business customer of the Client regardless its legal form.
(iii) pertaining to Client data obtained during the use of the Services,
(iv) pertaining to visitors and clients of Cycle’s website http://www.cyclecollections.com/ (hereinafter called “Website”).
With regard to our Data Management Application, we note that it has been developed internally by the company’s IT department using the latest tools (SQL Server 2008, PowerBuilder 11.0 & Visual Studio.net). The application has multiple access levels, distinguished into Agents, Supervisors, Managers and Administrators. Depending on the operator’s access level, the application displays the respective services-operations.
Cycle is bound to protect the privacy of Clients, individuals and other data subjects and adhere to the Data Protection legislation currently in effect.
This policy shall not apply to information collected through any other website, services, products, platforms or for practices of companies that we do not control. We are not responsible for any personal data protection practices pertaining to websites, services, products, platforms of other companies.
2. Categories & Types of Collected Data
A. Individuals Personal Data: Name, surname, address, occupational address, contact phone numbers, personal ID, Tax ID, birth date, voice recording data
B. Companies Commercial Data: Overdues related information such as overdue product, credit card number, issuing branch, overdue amount breakdown (interest etc.)
C. Website data: name, surname, e-mail
Declaration Regarding The Processing of Personal Data By Cycle (by its capacity as Data Controller and Processor - in accordance with the General Data Protection Regulation EU 679/2016)
Why will you process my Personal Data (PD)?
Cycle provides products and services containing commercial and financial information about legal entities, sole proprietorships and individuals based on the intended purpose, such as described in paragraph 6 hereof. Their contents vary depending on the type and purpose of the provided service of Cycle. The lawful basis of the data processing is Cycle’s legitimate interest and in some instances (voice recordings and newsletter subscription) the consent of the data subjects.
● What are cookies and why Cycle uses them: Cookies are pieces of information, in the form of very small text, usually consisting of letters and numbers, which are stored in the browser used by the individual Client (Chrome, Mozilla Firefox etc.), assisting us to make the Website work more efficiently. Cookies do not in any way cause damage to Client’s/visitor’s computers or files stored on them. Information stored in cookies is used for identification purposes. In this way we manage to operate the Website in an efficient way for the service we offer. The Website uses the Cookies to distinguish Clients/visitors and throttle request rate among other things
● Under no circumstances will the cookies contain personal information or information that will allow anyone to contact the Website's visitor by phone, e-mail, etc. Additionally, using cookies does not provide access to your computer's documents or files
● Which cookies are we using? The cookies described below may be stored in the browser. You can view and manage cookies in your browser (however, mobile browsers may not offer this visibility). Of the different types of cookies available, Cycle uses the following:
o Session cookies: Session cookies allow Clients/Visitors to be recognized within a website so any page changes or item or data selection you do is remembered from page to page. Session Cookies are erased when the Client/visitor closes the browser
o The essential technical cookies are of critical importance for the proper operation of the Website as they allow you to browse the Website and make use of its functions. These cookies do not identify your personal ID. Without these cookies, Cycle will be unable to offer proper functioning of the Website
The aforementioned cookies are exempt from the requirement of informed consent for their use from the Clients’/visitor’s part, given that they do not store personal data of the Client/visitor and are used for the sole purpose of carrying out the transmission of a communication.
Cycle does not manage, collect or process geolocation data, which are collected and processed exclusively by the companies providing operating systems for each device you use (in case of use of iOS-Apple Inc or in case of android - Google Inc). Cycle does not have access to the positioning refresh rate of GPS.
3. Data Collection Points
1) Clients - A, B
2) Cycle’s Agents - A, B
3) ICAP Intergoup Company - A, B
4) Cycle Website (newsletter form) - C
4. Transfer of Data to Third Parties
Cycle reserves the right to disclose your personal data to any member of its affiliate/subsidiary companies (parent company and its subsidiaries) or other third parties to the extent it is reasonably necessary for the purposes determined in this notice and in particular:
● Your data will be transferred to the departments of Cycle that are competent for the smooth and trouble-free operation of its services and functions
● Your data may be transmitted and become accessible by legal entities or Cycle’s agents with which, we have entered from time to time into contractual agreements for the purpose of fulfilling our company’s legitimate interest in a correct and within our contractual terms framework.
● Your data may be disclosed to cloud hosting providers for the purpose of storing and safeguarding the data with the appropriate technical and security measures
● Your data may be transmitted, become accessible and processed by subsidiaries of our group within the European union, which apply the appropriate technical, physical and administrative security measures for the protection of the data from loss, misuse, damage, alteration, unauthorised access and disclosure, as provided by article 32 of the GDPR 679/2016
● During all data transfers, we always take all appropriate measures so as to ensure that the transmitted data are the minimum required for the intended processing purpose and that the conditions for legitimate and lawful processing will always be met
● Cycle servers are hosted at IBM’s data centre (hosting provider) located in Athens. You may find more information on IBM’s privacy notice in the following link: https://www.ibm.com/privacy/details/us/en/#section_2
5. Personal Data Retention Period
The data retention period depends on the lawful basis of processing, as set out in detail below:
● In case the lawful basis for processing is the exercise of legitimate interest, the processing of personal data is carried out for as long as it is considered necessary for the achievement of the intended statutory purpose of Cycle described in paragraph 6 below, and until such time the limitation period of any related claims has expired.
● In case the personal data of the Client (Account Information) are provided under their own consent such as when he data subject subscribes to the Cycle’s newsletter, we shall retain those data until the granted consent by the data subject has been withdrawn. In case the consent is withdrawn for any valid reason, we shall retain them for as long as it is required until the limitation period of any related claims expires.
● In case the lawful basis for processing is the performance of the contract, we shall retain your data for as long as you retain the contractual relationship with Cycle in hard copy and in electronic form or we shall retain them for as long as it is required until the limitation period of any related claims expires.
● It especially mentioned that Voice recording and comments exchanged data is retained for 1 year from the last individual communication according to law requirements. In any case each customer is properly informed during the telephone communication about the recording and retention period of the recordings (according to ICAP’s contract obligations and the instructions of each Client).
6. Legitimate Interest - Intended Purpose - Lawful Basis for Data Processing
Cycle is registered to the Commercial Register to the Registry Agency in Bulgaria. Generally, it operates under the provisions of the Bulgarian Commercial Code and its ancillary laws. Its scope of activities includes collection of due receivables. Cycle acts as a controller within the meaning of Art.4, no.7 of the GDPR.
Cycle within the framework of the general business activity according to the above legislatory frame and in pursuit of its statutory objectives, among which it is the collection, management, and provision of commercial and economic information (business information), overdue debts and personal data as described above, of individuals and legal entities, has created and maintains a database, which is daily updated with economic and commercial information in terms of economic units details. Cycle processes and stores the said data within the E.U.
7. Rights of the Data Subjects
You may exercise, as the case may be, the rights deriving from the applicable Bulgarian Legislation and the General Data Protection Regulation (Regulation (EU) 2016/679) which are as follows: (a. the right of information (article 13), b. the right of access (article 15), c. the right to rectification (article 16), d. the right to erasure “right to be forgotten” (article 17), e. the right to restriction of processing (article 18), f. the right to data portability (to receive your personal data in a structured and commonly used format - article 20 where applicable) and g. the right to object (article 21) which applies to certain data processing activities
● These rights can be exercised only in cases where Cycle acts as Data Controller and in particular when Cycle: (i) processes the personal data of candidate employees for the purpose of evaluating future collaborations (ii) processes the personal data that relate to its Services (iii) processes the personal data of visitors and clients of Cycle’s website http://www.cyclecollections.com/ (iv) processes the personal data of individuals (journalists) obtained for the purpose of updating the Press Release Database
● This Privacy Notice does not apply to personal data mentioned on business documents that our customers transmit to our systems when using our Services
● These rights shall be exercised free of charge for you by sending a relevant letter to the Data Protection Office of Cycle: Cherkovna Street, number 38A, PC 1505, Sofia, or via e-mail to email@example.com. In case however the aforementioned rights are exercised excessively and without good cause thus causing us administrative burden, we may charge you with the cost related to the exercise of the respective right.
● In case you exercise any of your rights, we will take all appropriate measures available for the satisfaction of your request within thirty (30) days following the receipt of the relevant request. We may either inform you on the acceptance of your request or on any objective grounds that hinder the processing of your request.
● Notwithstanding the above, you may at any time object to the processing of your Personal Data, by withdrawing your consent (article 7, par. 3 of the GDPR 679/2016) by sending a letter to the Data Protection Office of Cycle Credit Bulgaria EOOD: Cherkovna Street, number 38A, PC 1505, Sofia, or via e-mail to firstname.lastname@example.org. This right applies only in cases where the lawful basis for the data processing is the consent of the Data Subject.
8. Data Processing by Cycle
Cycle in most instances, collects, uses, processes, stores, manages data provided by Cycle’s corporate clients (b2b companies and bank institutions) - which may contain personal data (who may refer to individuals or companies) - within the framework of provision of our services. Such data in most instances has been collected by Cycle’s clients and are related to data of their customers. Therefore Cycle shall operate in most instances as the “Data Processor” of the personal data, which are included in the said business data. Consequently, in those cases different provisions of the GDPR 679/2016 shall apply, with which we comply.
Additionally, Cycle applies throughout the data processing procedure, the appropriate technical, physical, and administrative security measures for the protection and security of the personal data from loss, misuse, damage or modification, unauthorised access and disclosure, in compliance with article 32 of the GDPR 679/2016, in order to ensure the appropriate security level against those risks. Those include, among others, as the case may be: a) application of encryption protocols b) the ability to ensure confidentiality (article 90 GDPR 679/2016), the integrity, availability, and resilience of processing systems and services on an ongoing basis, c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Moreover, Cycle shall take measures so as to ensure that any physical person acting under the authority of the data controller or of the processor, who has access to personal data, shall not process those data except on instructions from the data controller and limits access to your personal information to authorised employees.
Indicative security measures applied by Cycle are as follows:
● Cycle protects systems and information based on the ISO 9001:2008 and ISO 27001:2013 standards
● Cycle maintains a dedicated information security team that plans, implements and provides surveillance of our information security program. Acknowledging the potential of IT and office automation support and the capability of processing and using data, the company has invested in developing and employing these capabilities. With a team of experienced, specialized, full-time programmers and analysts forming an independent IT division, Cycle is able to cover all of its IT needs.
● The company controls the security and functionality of its services before they are introduced to the Internet, for any vulnerabilities in technology
● The company performs ongoing infrastructure checks to detect weaknesses and potential intrusions, vulnerabilities in systems etc.
● The company’s office automation system is based on a Local Area Network (LAN/TCP/IP) and uses a Microsoft Windows 2008 and 2012 Servers. It consists of multiple Cisco Catalysts Switches and uses special routers, firewalls and safety devices in order to ensure a secure connection to the Internet.
● The company’s Data Center is one of the most advanced in Greece, with dual UPS-sustained power systems, fire detection and automatic fire extinguishing systems. Moreover, the company has a generator that produces electricity and is capable of supporting all HVAC and office automation systems for a 100% uptime operation. There is an access control system in all critical points, be it access to data or access to telecommunications, which are under 24-hour surveillance by security guards.
● Each day, we create backup copies of all the critical data that we store in a special area located outside the company, as specified by our Disaster Recovery Plan.
● Cycle maintains a High Availability Cluster Infrastructure
● The company uses the open standard protocol to access Lightweight Directory Access Protocol (LDAP) directory services and uses encrypted passwords
● The company protects its Web Sites by presenting a Web Application Firewall and an IDS/IPS Firewall in-front of the Web Servers
● The company operates an ISMS - Information Security Management System to reduce Cyber-Security Risks.
9. Submission of Complaint - Appeal
● For any issue regarding the processing of your personal data, you may contact us via e-mail at email@example.com
● Moreover, you shall always be entitled to contact the Bulgarian Personal Data Protection Commission, which may accept the submission of relevant complaints in writing at its protocol in its offices at 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592 or by e-mail (firstname.lastname@example.org or email@example.com) in accordance with the instructions indicated on its website.
● If you no longer wish to receive newsletters from ICAP, please send an e-mail to firstname.lastname@example.org or follow the unsubscribe instructions included in each relevant email/communication.
This policy may be renewed from time to time, due to amendments to the related legislation or change to the corporate structure of Cycle. Thereby, we encourage the Clients to periodically visit this site so as to be informed regarding recent information of privacy practices. In any case, the Clients may be informed by e-mail or a notice in our Website regarding any amendments to this policy.