Effective date: 25/11/2020
Last updated: 17/12/2020
This Privacy policy is addressed to private individuals (natural persons) who visit our website and/or use our services and explains the information on the processing of their personal data (hereinafter will be addressed as you/your).
This Privacy policy describes how we collect, use, process, and disclose your information, including personal information, relating to your access to and use of Finci UAB (Finci) services. Please read it carefully as this policy is legally binding on you when you use Finci services. If you do not agree with this Privacy policy, you should immediately refrain from using our website and/or services.
We may collect and process your individually identifiable information, namely information that identifies a person or can, with reasonable efforts, identify a person (hereinafter – "Personal data") in order to provide proper services for you.
We respect your privacy, protect and process your Personal data in accordance with the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter – "GDPR"), Law on Legal Protection of Personal Data of the Republic of Lithuania and other applicable regulatory enactments.
We reserve the right to update, change or replace any part of this Privacy policy by posting updates and/or amendments and/or alterations to our website, updating the "Last Updated" date at the top of this Privacy policy. It is your responsibility to check this page periodically for changes. If you continue to use and/or access the website following the posting of any changes, this automatically constitutes acceptance of those changes. In the event you disagree with any amendment and/or alteration and/or update you shall immediately terminate the use of our website and/or services.
The Controller and owner of the website www.finci.com is Finci UAB, registration number: 304934066, registered office: Mėnulio str. 11-101, LT-04326 Vilnius, Republic of Lithuania. The Controller operates as electronic money institution (E-Money institution) under Electronic Money Institution (EMI) license Nr. 60, issued and regulated by the Bank of Lithuania.
You can contact us by phone: +370 691 106 93 or by writing to the following e-mail address: info@finci.com.
If you have any questions relating to this Privacy policy or processing of your Personal data, you may contact us by using the communication channels listed in the previous paragraph (paragraph 1) or by contacting our personal data protection officer by writing to the following e-mail address: dpo@finci.com.
We collect and process your Personal data only for legitimate purposes in accordance with the rules of data protection and processing established by GDPR and other applicable rules.
As a regulated EMI, we are obliged to comply with the legal obligations provided by the following legal regulations (but not limited): the Law on Payments of the Republic of Lithuania, the Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania, Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (hereinafter – "Regulation (EU) 2015/847") and the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania Money Laundering and Terrorist Financing Prevention legislation (hereinafter – "Applicable legislation").
We shall also comply with local and international anti-money laundering (hereinafter – "AML") and counter-terrorist financing ("CTF") obligations, as well as to implement know your customer (hereinafter – "KYC") requirements. We will only process your Personal data for lawful purposes defined in this Privacy Policy (please see further points 3.1 to 3.6).
While processing your Personal data we will comply with GDPR and other Personal data protection applicable laws and regulatory enactments, as well as with data processing principles, which means that your Personal data will be:
As part of this, we will process the following Personal data: name, surname, personal identification number, tax identification number, address, date of birth, data from an identity document/residence permit and a copy of the identity document/residence permit , photo, direct video transmission (live video broadcast records) recording, citizenship, email address, phone number, payment account number, bank statements, pay slips, employment agreements, contracts, invoices, employment history, IP address, current activity, current public function, information about main business partners (and their Personal data), source of funds and wealth, data from a power of attorney and other data required by the Applicable legislation.
Below you can find the details and additional information why, for what sub-purposes and/or what data for certain sub-purpose (where explained) we will process.
We will process your Personal data to:
Within the client onboarding process, in addition to Personal data processing for the purposes of client identification and contact details verification, in compliance with the requirements of AML and KYC, we will use document authenticity verification services provided by external vendor, including validation of KYC documentation, business documentation required for legal entity onboarding, verification of beneficial ownership and information checking in national registers of Member States as required by the Applicable legislation. We will use vendor’s overnight screening services for potential sanctions and politically exposed person (PEP) matches, negative information in adverse media.
If you are indicated as the beneficial owner or a controlling person of a legal client, we shall process the following your Personal data: name, surname, date of birth, residency/nationality, identification document’s/residence permit’s data, nature and description of the beneficial ownership, source of funds and wealth (where required) and other data required by the Applicable legislation
If you are indicated as the client’s main business partner we may process the following your Personal data: name, surname, date of birth, citizenship, invoices, data revealing business relationship between you and the client and other Personal data according to the Applicable legislation.
As part of transaction processing we will process your identification data and your payment account data, payment transaction data, payment recipients Personal data (name, surname, account number and the recipient bank details), IP address, other data required by the Applicable legislation;
In order to communicate with you and process the requests and complaints received from you in accordance with the General Terms and Conditions for the Provision of services, where relevant, we may process the following your Personal data: name, surname, position/representation rights, e-mail address, telephone number and other Personal data that is indicated in your requests/complaints. In order to fulfil our Contractual obligations, ensure the best quality of services and resolve disputes, we have a right to collect evidence about business communication with the clients (correspondence, recordings of conversations).
The main legal grounds of Personal data processing for these purposes are:
As part of this, we would need to comply with AML/CTF legal framework, establish your/your represented legal entity’s client risk classification, monitor transactions, carry out risk score and AML/CTF risk exposure assessment.
For the implementation of our legitimate interest within the AML/CTF framework we may verify information relating to you against credible publicly available information sources; ensure monitoring of your transaction and provide information to the supervisory authorities and investigative authorities in the cases provided by legal enactments, ensure the maintenance of relevant registers, e.g., risk register, beneficial owners’ register.
As a regulated entity, we are obliged to conduct retrospective monitoring of clients’ activities. In order to fulfil these obligations, additional information request for Personal data may be sent to verify information required by Applicable legislation. While monitoring payment transactions, we may also require to provide us the documents confirming economic substance/legitimacy of the transaction, that might also contain Personal data.
The legal ground of Personal data processing for this purpose is:
As part of this we may send you commercial communications to e-mail according to your consent or our legal relationships (agreement) with you. If you subscribe for our newsletters or you are our existing client/client’s representative/contact person, we may send you information and offers/special offers regarding our products and services that might interest you. We may also provide you with information about other goods and services we offer that are similar to those you have already used or asked for. We may also provide you with (push) notifications of our new products and offers via our applications if you are using them, if you have subscribed to them.
If you are not willing to receive our commercial communications, you can inform us and refuse the further receipt of commercial communications any time, we also providing you free of charge and easy-to-implement opportunity to unsubscribe in our commercial communication sent to you by e-mail. If you don’t want to further receive push notifications via our applications, you can manage user preferences by switching off this option.
For this purpose, we might need at least the following personal data: your name, surname, data of legal entity you represent, e-mail address, location, services and products you have used or asked for or looked for in our applications and other user experience data.
The legal grounds of Personal data processing for this purpose are:
As part of this, we should carry out video surveillance of our territory, buildings and other property, make telephone records, use personal data processors to provide a variety of functions, if necessary, to disclose information to supervisory authorities, judicial bodies, agencies, courts and other public authorities or officials, to exercise the rights conferred by law to ensure other legitimate interests of the Controller or third parties.
For this purpose, we might need to process at least the following Personal data: client’s/visitor’s appearance (image), name, surname (if possible), object address, location and time, and other data as necessary.
The legal ground for the processing of Personal data for this purpose is:
As part of this, we would need to carry out the maintenance and development of our websites, technical systems and IT infrastructure, technical and organizational solutions that can also use your Personal data (for example, by watching cookies), with a view to ensure providing of proper services to you. Regarding our use of cookies, please read also our policy.
The legal ground for the processing of Personal data for this purpose is:
We shall take appropriate measures to process your personal data in accordance with the Applicable legislation and to ensure that your Personal data is not accessed by third parties who do not have the appropriate legal basis for the processing of your Personal data.
We can get your personal data in one of the following ways:
Above all, we are collecting your information to fulfil the commitments under the General Terms and Conditions for the Provision of services entered with you, to fulfil the legal obligations that are binding on us, and to pursue our legitimate interests. In these cases, it is necessary for us to obtain certain information for the purposes involved, so that failure to provide such information may endanger the commencement of or provision of services to you. If the data are not required, but their submission could help to improve our services provided to you, we will indicate that the provision of data is voluntary.
Your Personal data could be accessed as needed by and shared with:
Personal data processors:
Your Personal data will be transmitted to third parties that we use to provide our services; these parties have been rigorously assessed and offer a guarantee of compliance with the legislation on the processing of Personal data. These parties have been designated as data processors and carry out their activities according to the written agreement, the instructions given by us and under our control.
We may work with the following categories of Personal data processors:
Personal data processors may change from time to time, so we may also make relevant changes to this Privacy policy.
Third parties:
We may also be required to share your Personal data with various financial institutions, payment services providers and/or law enforcement bodies and officials, supervisory authorities/regulatory bodies and financial crime investigation service to comply with Applicable legislation, prevent fraud or enforce an agreement we have with you;
We may also share your personal data to comply with applicable laws and regulations, to respond to a legal requests of law enforcement bodies and officials, supervisory authorities/regulatory bodies, or to other third parties if it is provided by applicable law, and/or if it is relevant for the protection of our and our employees legitimate interests, property or safety, or legitimate interests of third parties or data subject.
Your Personal data is stored for as long as their storage is required for appropriate purposes for the processing of Personal data, as well as in accordance with the Applicable legislation.
Data may be stored in an electronic form and/or in paper format, provided always that your Personal data will be stored securely and protected against unauthorized or unlawful processing and against loss or destruction, using appropriate technical and organizational measures.
When assessing the length of the storage of Personal data, we take into account existing regulatory requirements, aspects of contractual performance, your instructions (e.g. in the case of consent), and our legitimate interests. If your Personal data is no longer needed for the purposes specified, we will delete them or destroy them.
Below, we indicate the most common time limits for the storage of your Personal data:
Usually, we do not transfer your Personal data to countries outside the European Union or the European Economic Area. However, if we need to transfer your Personal data to third countries in the meaning of GDPR for the purposes related to provision of our services or protection of our legitimate interests, we will do that in strict compliance with GDPR rules.
For instance, your Personal Data may be provided to third countries in the meaning of GDPR in those cases, when your payment transfer is carried out to a third country, or a partner (correspondent) from a third country is engaged in the payment execution.
All Personal data sharing events are controlled under strict data sharing agreements with relevant parties in order to maintain correspondent banking relationships and provide smooth services under agreement.
We may also send your information to third countries in the meaning of GDPR to keep to global legal and regulatory requirements and to provide ongoing support services.
Profiling carried out by us involves processing of Personal data by automated means for the purposes of legislation relating to risk management and continuous and periodic monitoring of transactions in order to prevent fraud, money-laundering and terrorist financing events. However, we do not make automatic decisions based on profiling.
For the purpose of direct marketing and statistical analysis, profiling may be carried out by using Google, Facebook and other analytics tools.
The main legal grounds of Personal data processing for these purposes are:
Restoring your personal data
If there are changes to Personal data that you have provided to us, please contact us at e-mail info@finci.com and provide us with the relevant data so that we can achieve the relevant Personal data processing purposes.
Your right to access and correct your Personal data
In accordance with the provisions of the GDPR, you have the right to require us to have access to your Personal data at our disposal, to request their rectification, erasure, processing limitation, to object to the processing of your Personal data, as well as the right to data portability in the cases and procedures set out in the GDPR.
We respect your right to access and control your Personal data, so if we receive your request, we will respond to it within the time limits laid down in the regulatory framework (usually not later than one month if there is no specific request that takes longer to prepare the answer), and if it is possible, we will correct or delete your Personal data accordingly, or undertake the necessary measures to enable your Personal data portability as possible.
You may obtain information about your Personal data or exercise other rights as a data subject in one of the following ways:
Upon receipt of your submission, we will evaluate the content and the possibility of identifying you, and, depending on the situation, we reserve the possibility of asking you to further identify yourself in order to ensure the security and disclosure of your Personal data to the person concerned.
Withdrawal of consent
If the processing of your Personal data is based on your consent, you have the right to withdraw it at any time and we will no longer process your Personal data processed on the basis of your consent. However, please be informed that the withdrawal of consent cannot affect the processing of Personal data which is necessary for the fulfilment of the requirements of regulatory enactments or which is based on a contract, our legitimate interests or other legal bases for the lawful processing of Personal data provided for in regulatory enactments.
If you have any questions or concerns regarding our processing of your Personal data, we encourage you to contact us first.
If, however, you believe that we have not been able to resolve the issue with each other and you believe that we are nevertheless in violation of your right to the protection of Personal data, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (https://vdai.lrv.lt/en/).