Slide PRIVACY POLICY DATA PROCESSOR How we use personal data.

1. Introduction

This privacy and data processing policy (hereinafter referred to as “Privacy Policy”), is intended to inform you, the Data Subject as defined by article 4 of the General Data Protection Regulation – (EU) 2016/679) (“GDPR”), about the rules, methods and procedures used by FINOLOGEE S.A., the Data Processor as defined by article 4 of the GDPR, to collect and process your personal data, as defined by article 4 of the GDPR ( “Personal Data”), on behalf of Data Controllers.

FINOLOGEE S.A. is a Luxembourg public limited liability company, whose registered office is located at 7 rue Jean Fischbach, L-3372 Leudelange, Luxembourg, that is registered with the Luxembourg Business and Companies Register (RCS Luxembourg) under number B217853 (“FINOLOGEE”). FINOLOGEE has been granted a Professional of the Financial Sector (“Support PFS”) licence by the Luxembourg Minister of Finance (licence number 06/19) and is supervised by the Commission de Surveillance du Secteur Financier (CSSF).

2. Does this Privacy Policy affect you?

FINOLOGEE runs trusted digital platforms enabling connectivity between financial institutions and other businesses (hereafter defined as “Institutions”) on one side, and FinTech products and solutions provided by various companies and partners (“Third-Party Products”) on the other side. It also provides a range of services and digital products to these Institutions that are either built on top of these FinTech products and solutions and enhance or use their features or that run as stand-alone components of FINOLOGEE’s trusted digital platforms (“Components”). Institutions can use, access, acquire and implement Third-Party Products and Components made available by FINOLOGEE such as ID document validation, video chat, electronic and remote signature, access to bank account (PSD2), KYC/remediation tools and messaging features, among others. Use cases by Institutions can be remote client onboarding, client KYC file/document update/remediation, signature of SEPA Direct Debit authorisations, PSD2/Access to Account features, among others.

For this purpose and in this context, FINOLOGEE is the Data Processor and Institutions are Data Controllers, according to the definitions of the GDPR.

When you are using services, features or products of these Institutions, they you may also rely on services provided by FINOLOGEE, allowing you, for example, to open a bank account remotely, to process your payments, to provide access to account aggregation services, to e-sign SEPA direct debit authorisations, to remotely e-sign documents via the Institution, or others. In these cases, if FINOLOGEE provides Third-Party Products or Components to these Institutions, FINOLOGEE might collect and process your Personal Data as a Data Processor on behalf of the Institution, the Data Controller, as defined by the GDPR.

3. What Personal Data is processed by FINOLOGEE? How is it collected? For what purpose?

When using the term Personal Data in this Privacy Policy, FINOLOGEE means data that relates to you, as the end-consumer(s) and data subject, and allows FINOLOGEE to identify you, either directly or in combination with other information that FINOLOGEE may hold, as defined by the GDPR. FINOLOGEE will process Personal Data to the extent applicable law provides a lawful basis for FINOLOGEE to do so.

Personal Data processed may be the following or similar to the following:

  • Personal identification data: Last name, first name(s), complete address and country of tax residence, country and place of birth, gender, date of birth, citizenship(s), mobile phone number, e-mail address, financial information and investor profile data, politically exposed and Insider Status, employment status and sector, IBAN, marital status;
  • Photos/screen shots of the end-consumer(s) and the front and back of the identification document as well as an audio/video recording of a video-chat session;
  • Data retrieved from identification document(s) (ID Card and/or Passport), such as validity date, expiry date, issuing authority and identification number as proof of the existence of valid, official identification documents;
  • Technical data: IP address, type of device;
  • All additional data retrieved during the onboarding process;
  • Biometric data: retrieved from a face scan session;
  • PSD2-related data such as strong customer authentication credentials, payments order details, account history details and other data required in the context and for the purpose of operating and executing the Services;
  • Preferences in terms of products and services of the end-consumer(s);
  • End-consumer(s)’s settings, preferences, people in charge and their data, access rights;
  • Data available on documents which can be requested from the end-consumer(s): proof of residence (e.g. invoice), proof of origin of funds / wealth (e.g. payslip).

Personal Data is processed by Finologee (the Data Processor) on behalf of the Institution (the Data Controller), typically in the framework of the performance of a contract that you have entered with the Institution, in order to take steps at the request of the data subject prior to entering into a contract, for compliance with a legal obligation to which the controller is subject, for or the purposes of the legitimate interests pursued by the controller or by a third party or is based on consent given by you to the processing of your personal data for one or more specific purposes. Please refer to the information provided by the Data Controller for the Lawfulness of Processing (article 6 of the GDPR) details.

4. How long is your Personal Data kept?

FINOLOGEE will delete the Personal Data in the timeframe needed to fulfil its service obligations towards the Institution. By default, Personal Data is kept for a maximum period of seven (7) days after completion of Personal Data processing by FINOLOGEE’s systems. Other durations and rules may apply, please refer to the Institution for further details.

For PSD2 / Access to Account Product(s): by default, Personal Data will be erased from the System and any storage media no later than thirty (30) days after the termination of any retention period specifically agreed with the Institution and in any case upon deletion of the Personal Data by the Institution. Other durations and rules may apply, please refer to the Institution for further details.

5. Where is my Personal Data stored?

The servers used by FINOLOGEE to store your Personal Data are located in Luxembourg in high security data centres.

Furthermore, FINOLOGEE may transmit some of your Personal Data to subcontractors, carrying out some of its services and data processing on its behalf (“Sub-Processors”). For an extensive list of subcontractors, please refer to section 6 hereafter. Subcontractors are located in the EU or are bound by agreements compliant with the GDPR and the European Commission’s adequacy decisions, if applicable.

Subcontractors may store your Personal Data on servers located either in the European Union or in other locations compliant with the GDPR and the European Commission’s adequacy decisions, if applicable.

6. Who are the third-parties receiving Personal Data?

6.1 Authorised FINOLOGEE Employees

Only FINOLOGEE employees that are specifically authorised may access your Personal Data, in the framework of carrying out their missions. Employees of FINOLOGEE having access to your Personal Data are subject to strict privacy and professional secrecy obligations.

6.2 Competent authorities and auditors

FINOLOGEE may be required to transfer Personal Data to competent public authorities. FINOLOGEE is also subject to audit requirements; auditors may access Personal Data on an occasional basis. All auditors are bound by strict privacy and professional secrecy obligations.

6.3 FINOLOGEE subcontractors

FINOLOGEE contractually imposes upon its subcontractors to comply with the obligations of data protection, security and privacy, to implement appropriate technical and organisational measures so that data processing is carried out in a manner that complies with applicable regulations and guarantees the protection of your rights.

FINOLOGEE’s sub-processors are the following:

AriadNEXT

ZAC des Champs Blancs
1219 Avenue des Champs Blancs
35510 CESSON SEVIGNE – FRANCE
(+33) 2 30 96 05 70

contact@ariadnext.com

Clearstream Services

42 av. J.-F. Kennedy
L-1855 LUXEMBOURG – LUXEMBOURG
(+352) 243 38 000

web@clearstream.com

ID NOW

Auenstraße 100
80469 MUNICH – GERMANY
(+49) 89-24 88 92 80

support@mail.idnow.de

LuxTrust

IVY Building
13-15 Parc d’Activités
L-8308 CAPELLEN – LUXEMBOURG
(+352) 24 550 550

info@luxtrust.lu

Mpulse

7, Rue de Jean Fischbach
L-3372, LEUDELANGE – LUXEMBOURG
(+352) 27 75 08 1

info@mpulse.eu

This list may change and is updated from time to time. Please make sure to check back regularly.

7. What are your rights concerning your personal data?

Your rights are defined in Chapter 3 (articles 12-23) of the GDPR.

If you want to exercise these rights, please contact the Data Protection Officer (“DPO”) of the Data Controller.

8. How is your Personal Data secured?

FINOLOGEE implements the appropriate security measures in order to guarantee the protection and privacy of your Personal Data, and specifically, to prevent its destruction, loss, alteration, unauthorised disclosure of Personal Data, or unauthorised access of this Personal Data.

These security measures specifically consist of encrypting of Personal Data, as well as implementing measures that allow for guaranteeing their privacy, integrity, availability and constant resiliency in terms of data processing services.

9. Change to this privacy notice & contact information

Modifications to the Privacy Policy are published on FINOLOGEE’s website with an indication of the last update.

FINOLOGEE has designated a DPO. If you have questions or concerns regarding this Privacy Policy, please do not hesitate to contact us at dpo@finologee.com or send your request to the following address:

FINOLOGEE S.A.

Data Protection Officer
7, rue J. Fischbach,
L-3372 Leudelange,
Luxembourg