Personal Data Protection Policy: B2Kapital Cyprus Ltd
Entity responsible: B2Kapital Cyprus Ltd (hereinafter referred to as “B2K”)
B2Kapital Cyprus Ltd, Data Protection Officer
P.O. Box 52704, 4067 Limassol Cyprus,
tel: +357 25259620
fax: +357 25256107
B2K is a credit acquiring company whose business consists in acquiring and collecting overdue debts. The operation is subject to permission and is under the supervision of the Cyprus Central Bank. In the course of its business, B2K deals with the personal information of its debtors / their guarantors / collateral providers (“the data subjects”) and it is important for B2K to protect and respect this information and to protect the privacy of its data subjects. Ensuring that your personal data is processed correctly and in accordance with applicable legislation is therefore a fundamental principle of the business. The following is information about how B2K collects and processes the personal data of data subjects.
GDPR: The General Data Protection Regulation 2016/679 is an EU regulation on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
Personal Data: Personal data means any information relating to an identified or identifiable natural person. The crucial thing is that the assignment, individually or in combination with other tasks, can be linked to a living person. Examples of personal data are social security numbers, names and addresses.
Sensitive personal data can be, among others, data concerning health, genetic data and biometric data. B2K may process health data only, with the data subject’s consent, for the purpose of assessing and establishing the level of the data subject’s ability to meet his/her financial obligations (for more details please refer to the section “Collection of Sensitive personal data”).
Personal Data Processing: All forms of personal information actions are personal data processing, such as collection, registration, organization, structuring, and storage.
Personal Data Controller: B2K is the entity responsible for personal data in the collection operation. The Company determines the purposes for which personal data are to be processed and how the treatment will be addressed.
Collection of information
B2K mainly collects its data subjects ‘ personal data from a former creditor, such as a bank, when B2K takes over (buys the rights to), for example, a loan or credit agreement (which has expired). In addition to financial information about the claim itself, such as a copy of the credit/loan agreement, the amount of the capital, the current interest rate, costs and transaction information, the data subject’s contact information is also collected. Such information is e.g. the name, social security number, home and/or business address, and in some cases the telephone number and e-mail address. This is necessary in order for B2K to identify its data subjects and enable the collection of claims taken over by the company, whilst also complying with anti-money laundering legislation.
In the case of a data subject appointing a representative, B2K will also process information about that person along with the data subject’s own information.
In some cases, personal information is also collected directly from the data subject. This can be done by the data subject calling or in any other way he/she delivers to B2K new information, such as changing his/her contact information or providing information regarding his or her home address or place of employment. In addition, financial details about the debtor/guarantor’s spouse (and family, where applicable) may be collected where the debtor/guarantor agrees to pay off the debt over a period of time.
Collection via the website, cookies
Collection of Sensitive personal data
We may also collect, in accordance with applicable law and with the explicit consent (see Consent Form below) of the data subject, and process certain sensitive personal information of himself/herself, with reference to his/her health (physical and mental) status, as follows: social security certificates, evidence of current and previous injuries, of disabilities, a medical diagnosis, medical and medicinal treatment, medical reports, doctor’s certificates, government certification of medical condition and any other information related to your medical history, for the purpose of assisting B2KAPITAL in assessing and establishing the level of the data subject’s ability to meet his/her financial obligations.
Use of the information (Purpose and legal basis)
Any personal data transferred to B2K is processed by the latter in accordance with the applicable laws and regulations for the protection of personal data, as well as the laws governing Credit Facilities, with the purpose of performing the agreement by virtue of which debtors were granted the Credit Facilities and exercising the contractual and legal rights of B2K i.e. based on legitimate interest. B2K mainly processes personal data to enable debt collection. The purposes of the processing are, among others, the following:
- identify the company’s data subjects
- communicate with data subjects via email, mail or phone
- take enforcement action by the authorities or courts
- manage payments from data subjects
- update personal information, such as address and phone number, through private or public records, as may be required by anti-money laundering regulations
- monitor and report claims in debt settlement cases, bankruptcies
- create a debtor/guarantor’s accurate financial profile (either solely or with spouse), taking into consideration the family’s income and expenses, mainly in case where the debt will be collected by instalments over a specific period of time.
In addition to the purpose of collecting claims, personal data are also processed to report, or otherwise process, information that B2K may be required by law, constitution or an authority decision to do so. For example:
- send details of paid interest to Tax Authorities
- preserve documents according to accounting legislation
- enable audit and control in accordance with relevant laws
- B2K may also process certain personal data when it is necessary to establish, enforce or defend a legal claim.
How we may share information
B2K monitors the information collected and does not transfer it to any third party as data processed within the collection operation is confidential. However, B2K may share personal data with one or more approved subcontractors (“Data Processors”) if this is necessary for the company to conduct the business; for example, when B2K hires an IT provider for operation and support of its IT systems, a call centre to receive or make calls to data subjects, an external company used to process / envelope letters that will be sent to B2K’s data subjects, its affiliates such as lawyers in Cyprus and European Union states, file storage/archiving companies and record management companies and cloud storage companies, debt collection companies, data backup companies and software service providers, and/or third parties (such as government bodies & supervisory authorities, financial institutions, auditors, credit reference agencies) so that the Company can perform its obligations or if the Company is legally required to do so, or if the Company is authorized under its contractual and statutory obligations, as well as with your legal representatives. In addition, the Company may share personal data within entities of the B2Holdings Group, established in the European Union, for business purposes.
However, disclosure of information always takes into account applicable privacy rules and a Data Processor will not have permission to use the data for any purpose other than B2K has stipulated.
The above also apply when updating personal data, such as e.g. address changes.
As described above, B2K may also share the data with Courts of Law to determine claims and take executive measures such as Court Orders and foreclosure. The information may also be provided to other authorities, such as the Cyprus Office of the Commissioner for Personal Data Protection, the Central Bank of Cyprus, Artemis Information Systems Ltd (Credit Bureau), if B2K is required to report information to them by law or practice.
Transfer to other countries
B2K may transfer personal data to third countries. For any transfer of personal data outside of the European Economic Area, the requirements of the GDPR and Cyprus’ Data Protection Law will be adhered to.
Information about B2K’s data subjects is protected by the law of confidentiality. B2K therefore protects all activities in the business, including personal data processing, through various technical and organizational measures. The company has procedures that limit or control the dissemination of data both internally and externally. If there is an incident (“data breach”) where B2K’s data subjects’ data is distributed to, or accessed by, unauthorized persons B2K will promptly inform the Data Protection Commission.
Data subjects ‘ personal information is stored throughout their relationship with B2K. Once the claim is fully paid the relevant data will be erased after 10 years, provided that B2K is not required by law to continue to store the data, e.g. due to an ongoing court case.
Automated decision making and potential profile creation
As part of processing activities, the company may use personal data for purposes of profiling. The purpose of profiling is to assess the payment behavior of data subjects in order to allow the controller to appropriately proportion its debt collection measures. The profile of the data subject may be compared with the profiles created from other data subjects. However, the company does not exercise any form of automatic decision-making that is based on profiling and that would have legal or other significant repercussions on the data subject.
Data subjects’ rights
Data subjects can request details with regards to the personal data that B2K hold and request access to this personal data (right of access); To review what B2K processes, it is possible for all data subjects to request a data extract. Such a request may be made by post or e-mail to the Data Protection Officer as following:
By email at firstname.lastname@example.org or, by post at: P.O. Box 52704, 4067 Limassol Cyprus.
By requesting a data extract, the data subjects receive information about their personal data being processed. B2K will endeavour to respond to such request 1 month from the date of the request by the data subject. In the event of a data subject’s request, if technically feasible, B2K may also compile the personal data and transmit the information to another party designated by the data subject.
Data subjects may object to B2K’s use of personal data (right to object) however B2k may refuse on the reasons of legitimate grounds for the processing; data subjects wishing to add to incomplete personal data or have reasons to believe that there is a flaw in their data (right of rectification), are encouraged to contact B2K’s Data Protection Officer as above.
A data subject would also be entitled to their data being deleted (right “to be forgotten”) if they are no longer required for the purposes for which B2K has collected them nor any reasonable ground exists to continue processing these. Alternatively, a data subject may request B2K to restrict processing of their personal data.
It is very important for B2K that our data subjects have confidence in our personal data processing and that it is carried out in a correct and legal manner. B2K will therefore promptly investigate any issues raised by the data subject. A data subject wishing to comment or complain on B2K’s personal data processing may also contact the Office of the Commissioner for Personal Data Protection at:
email@example.com or, by post at: P.O. Box 23378, 1682 Nicosia, or by Τel: +357 22818456, or by Fax: +357 22304565