Data Protection Policy

Data Protection Policy: B2Kapital Cyprus Ltd

Updated May 25, 2018

Entity responsible: B2Kapital Cyprus Ltd (hereinafter referred to as “B2K”)

Contact information:

B2Kapital Cyprus Ltd, Data Protection Officer

P.O. Box 52704, 4067 Limassol Cyprus,

tel: +357 25259620


Our Principle


B2K is a credit acquiring company whose business consists in acquiring and collecting overdue debts. The operation is subject to permission and is under the supervision of the Cyprus Central Bank.  In the course of its business, B2K deals with the personal information of its debtors / their guarantors / collateral providers (“the data subjects”) and it is important for B2K to protect and respect this information and to protect the privacy of its data subjects.  Ensuring that customer personal data is processed correctly and in accordance with applicable legislation is therefore a fundamental principle of the business.  The following is information about how B2K collects and processes the personal data of data subjects.




Personal Data: Personal data means any information relating to an identified or identifiable natural person.  The crucial thing is that the assignment, individually or in combination with other tasks, can be linked to a living person.  Examples of personal data are social security numbers, names and addresses.

Personal Data Processing:  All forms of personal information actions are personal data processing, such as collection, registration, organization, structuring, and storage.

Personal Data Controller: B2K is the entity responsible for personal data in the collection operation. The Company determines the purposes for which personal data are to be processed and how the treatment will be addressed.


Collection of information


B2K mainly collects its data subjects’ personal data from a former creditor, such as a bank, when B2K takes over (buys the rights to), for example, a loan or credit agreement (which has expired).  In addition to financial information about the claim itself, such as a copy of the credit/loan agreement, the amount of the capital, the current interest rate, costs and transaction information, the data subjects’s contact information is also collected. Such information is e.g. the name, social security number, home and/or business address, and in some cases the telephone number and e-mail address. This is necessary in order for B2K to identify its data subjects and enable the collection of claims taken over by the company, whilst also complying with anti-money laundering legislation.


In the case of a data subject appointing a representative, B2K will also process information about that person along with the data subject’s own information.


In some cases, personal information is also collected directly from the data subject.  This can be done by the data subject calling or in any other way he/she delivers to B2K new information, such as changing his/her contact information or providing information regarding his or her home address or place of employment.  In addition, financial details about the debtor/guarantor’s spouse (and family, where applicable) may be collected where the debtor/guarantor agrees to pay off the debt over a period of time.


Collection via the website, cookies


If a data subject or other visitor on B2K’s website approves the use of cookies, B2K will save a cookie on his computer, mobile phone or other device used. B2K may use the information from cookie files to analyse the traffic on the website, for example, to see who visited the B2K website at a certain time. This way the company can evaluate how the website can be further developed. It is possible for a visitor on the website to deny the installation of B2K cookie files by enabling the relevant setting through their browser. In addition, all cookie files can be deleted at any time the visitor chooses to do so on his browser.Information potentially collected through cookies, would be processed according to the data subject ‘s consent.


Use of the information (Purpose and legal basis)


Any personal data transferred to B2K is processed by the latter in accordance with the applicable laws and regulations for the protection of personal data, as well as the laws governing Credit Facilities, with the purpose of performing the agreement by virtue of which debtors were granted the Credit Facilities and exercising the contractual and legal rights of B2K i.e. based on legitimate interest.  B2K mainly processes personal data to enable debt collection. The purposes of the processing are, among others, the following:


  • Identify the company’s data subjects
  • Communicate with data subjects via email, mail or phone
  • Take enforcement action by the authorities or courts
  • Manage payments from customers and authorities
  • Update personal information, such as address and phone number, through private or public records, as may be required by anti-money laundering regulations
  • Monitor and report claims in debt settlement cases, bankruptcies etc.
  • Create a debtor/guarantor’s accurate financial profile (either solely or with spouse), taking into consideration the family’s income and expenses, in case where the debt will be collected over a period of time.


In addition to the purpose of collecting claims, personal data are also treated to report or otherwise process information which B2K may be required to do so by law, constitution or authority decision. For example:


  • Send details of paid interest to the Tax Authorities
  • Preserve documents according to accounting legislation
  • Enable audit and control in accordance with the relevant laws


B2K may also process certain personal data when it is necessary to establish, enforce or defend a legal claim.


How we may share information


B2K monitors the information collected and does not transfer it to any third party as data processed within the collection operation is confidential. However, B2K may share personal data with one or more approved subcontractors (“Data Processors”) if this is necessary for the company to conduct the business; for example, external Auditors, when B2K hires an IT provider for operation and support of its IT systems, a call centre to receive or make calls to data subjects, or uses an external company to process / envelope letters that will be sent to B2K’s data subjects.  The same applies if personal data is updated, such as address updates.

As described above, B2K also may share the data with courts to determine claims and take executive measures such as enforcement and foreclosure. The information may also be provided to other authorities, such as the Cyprus Data Protection Commission, the Central Bank of Cyprus, Artemis Information Systems Ltd (Credit Bureau), if B2K is required to report information to them by law or practice.  However, disclosure of information always takes into account applicable privacy rules and a subcontractor will not have permission to use the data for any purpose other than B2K has stipulated.


Transfer to other countries


B2K may disclose personal data to third countries when a data subject moves abroad, to allow for the determination or fulfillment of a legal obligation. In other cases, B2K does not share information outside the EU or the EEA.




Information about B2K’s data subjects is protected by the law of confidentiality.  B2K therefore protects all tasks in the business, including personal data, through various technical and organizational measures.  The company has procedures that limit or control the dissemination of data both internally and externally. If there is an incident (“data breach”) where B2K’s data subject’s data is distributed to, or accessed by, unauthorized persons B2K will promptly inform the affected data subject/s, as well as the Data Protection Commission.


Storage time


Data subjects’ personal information is stored throughout the customer relationship. Once the claim is fully paid the relevant data will be deleted after 10 years, provided that B2K is not required by law to continue to store the data, e.g. the requirement to keep documents in the company and any obligation to report interest to the Tax Authority.


Data subject’s rights


Data subjects wishing to object to B2K’s use of personal data, or would like to add to incomplete personal data or have reasons to believe that there is a flaw in their data, are encouraged to contact B2K’s Data Protection Officer at the following address:

or by post at:  P.O.Box 52704, 4067 Limassol Cyprus.


A data subject would also be entitled to their data being deleted if they are no longer required for the purposes for which B2K has collected them and there is no longer any reasonable reason to continue processing the task.  It is very important for B2K that the company’s data subjects have confidence in the company’s personal data processing and that it is carried out in a correct and legal manner. B2K will therefore promptly investigate any issues raised by the data subject. A data subject wishing to comment on B2K’s personal data processing may also contact the Data Protection Commission at:

or by post at: P.O. Box 23378, 1682 Nicosia

Τel: +357 22818456 or by Fax: +357 22304565


To review what B2K processes, it is possible for all data subjects to request a data extract.  Such a request may be made by post or e-mail to the Data Protection Officer. By requesting a data extract, the data subjects receive information about their personal data being processed.  Normally, B2K will respond to such request 1 month from the date of the request by the customer. In the event of a customer request, if technically feasible, B2K may also compile the personal data and transmit the information to another party designated by the customer.


This privacy policy may be adjusted and updated if B2K’s internal processes are changed or if the company is required to update the information by law or a regulatory authority decision.  The most current version will always be available on the company’s website at: