Privacy policy

Effective from 01.06.2022

1. General Provisions

The purpose of these personal data processing terms (hereinafter referred to as the Terms) is to describe how Täisteenusliisingu AS and Fairown Finance OÜ process the personal data of their clients and potential clients.

The data controller of the personal data of representatives of legal entity clients (including sole proprietors), as well as potential clients or their representatives, is AS Täisteenusliisingu, registry code 14028999, legal address Laeva 2, Tallinn, 10111, email: teenusliising@teenusliising.ee (hereinafter referred to as Teenusliising or Controller).

For the purposes of these Terms, the data subject is a natural person acting as a representative of a legal entity (including a sole proprietor) who, as a client, uses or has expressed interest in using the services of the Controller either as a potential client or as a representative of such a client (hereinafter referred to as the Data Subject).

2. Legal Basis and Purpose of Data Processing

The processing of personal data of Data Subjects is based on:

  • The consent of the data subject. The Controller processes personal data only to the extent and for the purposes for which the Data Subject has given consent. The Data Subject provides consent voluntarily. The Controller processes personal data based on consent for the following purposes:
    • When submitting an inquiry;
    • For direct marketing purposes;
    • To assess the suitability of the service provided to the data subject.
  • Contract formation, execution, and fulfillment for the following purposes:
    • Identification of the data subject or their representative;
    • Drafting, signing, and managing contracts and related documentation;
    • Issuing loans and performing related activities (including debt collection), such as:
      • Collecting and storing publicly available information necessary for processing leasing applications and verifying ownership rights;
      • Processing relevant data to prepare and manage agreements, maintain contact, monitor contract fulfillment, assess creditworthiness, and evaluate collateral properties;
      • Collecting data to protect business interests, prevent illegal service use, and ensure service quality;
      • Storing data from past contracts and applications for profiling and improving loan decision-making processes.
  • Compliance with legal obligations, including:
    • Implementing due diligence measures required by the Anti-Money Laundering and Terrorist Financing Prevention Act.

3. Categories of Processed Data

The Controller may process the following categories of data to achieve the purposes listed in section 2:

  • Identification data (e.g., name, personal identification number, date of birth, ID document details);
  • Contact details (e.g., address, phone number, email address);
  • Other data needed for client profiling (e.g., occupation, education);
  • Financial and creditworthiness data (e.g., bank account details, liabilities, income, assets, employment history, payment defaults, and financial obligations);
  • Property-related data obtained from public registries (e.g., Land Register, Building Register);
  • Data on the origin of the client’s assets (e.g., employer, business partners, beneficial owners);
  • Contract-related data (e.g., account numbers, payment dates, past transactions, and contract compliance information);
  • Data obtained in the course of fulfilling legal obligations (e.g., inquiries from authorities, associations with financial crimes or money laundering investigations).

4. Storage and Retention of Personal Data

The Controller ensures the integrity and accuracy of stored data and retains documentation supporting financial decisions for credit issuance.

Retention periods include:

  • Personal data collected for contract formation, execution, and compliance: 8 years after the termination of the business relationship.
  • Personal data collected based on consent: At least 3 years after consent withdrawal.
  • Personal data processed under legal obligations: 10 years after the end of the business relationship.

5. Disclosure of Personal Data to Third Parties

The Controller may authorize other entities (Authorized Processors) to process personal data under confidentiality agreements and in compliance with the GDPR. Data may be shared with:

  • Affiliated companies;
  • Business partners involved in client agreements;
  • Legal advisors, accountants, auditors;
  • Debt collection agencies and financial institutions;
  • Public registers (e.g., Creditinfo Eesti, debt registers);
  • Service providers ensuring IT security, direct marketing, and data processing;
  • Entities fulfilling regulatory obligations and international data-sharing agreements.

Data transfers outside the EU/EEA occur only with client consent or under legal grounds with adequate protection measures.

6. Employee Responsibilities in Data Processing

Client data is accessed based on employee roles, with defined data permissions:

  • Customer Service Representatives, Debt Collectors, and Relationship Managers: Access to all client data for application processing, contract management, payment monitoring, and financial reporting.
  • Accountants: Access to aggregated financial reports.
  • Auditors: Limited access for audit purposes.
  • Partners: Access to application processing and agreement preparation data.
  • IT Administrators: Access for security and system support.