of Tenen Payments JSC
(This document was adopted by virtue of a Resolution of the Board of Directors of Tenen Payments JSC, of 11 May 2020, amended by virtue of a Resolution of the Board of Directors dated 12 July 2021)
Who are we?
We are Tenen Payments Jsc, with Headquarters and registered office: Sofia 1303, Vazrazhdane district, 52 Strandzha Str., entered in the Commercial Register at the Registry Agency with UIC 206032163 (“We” or The Company”). The Company is an electronic money institution in accordance with the Law on Payment Services and Payment Systems, which operates under a license issued pursuant to Resolution No. 131 of 27 April 2021 of the Governing Council of the Bulgarian National Bank.
When can we process your personal data?
In order to enter into a contract and to open and maintain customer accounts, we collect and store personal data. This document has been prepared in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR or the General Regulation) and the Personal Data Protection Act. The law permits us to process personal data if one or more of the following conditions are met:
- When performing an existing contract between you and the Company or during the precontractual process;
- When we are legally obliged;
- When it is in our legitimate interest;
- When we have received your consent.
A legitimate interest for processing of personal data is considered to be carrying out for commercial or other interest of the Company or a third party, where the processing does not infringe the rights of the subjects whose data are being processed. Even in the presence of such an interest, our actions towards you will always be truthful and transparent and in any case will be subject to a preliminary assessment of the balance of interest of the Company or the third party and the rights of the individual.
The purpose of this policy is to explain how we process your personal data and what your rights and obligations under the GDPR are.
Purposes of personal data processing
We use your personal data to process and evaluate any request for use of products and services offered by the Company, to maintain your electronic money accounts, to develop and improve our products and services, and to comply with the laws governing our activity. In this regard, we collect and process personal data for the following purposes:
What data do we need and why?
- To know who you are – We are legally obliged to identify our customers. The identification process involves collection of your personal data, including identity document, a copy of which the Company holds. Proper identification allows us to protect our clients from malicious actions such as identity theft and attempted fraud through the use of false documents;
- To assess the risk – We have a legitimate interest in assessing the risks when determining whether a person is eligible for electronic money account and accessing the payment services offered by the Company. In conjunction with the risk assessment, during the verification of the data submitted by you, we acquire additional data from registers maintained by government bodies, institutions and agencies. Where applicable, in line with the requirements set by some of the institutions, we carry out these verifications upon obtaining your consent;
- For the purpose of entering into contracts and performing them – Your personal data is processed for the purpose of establishing and maintaining established contractual relationships, and we are legally obliged to store the data after their termination. Processing your data is prerequisite for opening and maintaining your electronic accounts, including executing your transactions, maintaining a history of your transactions and providing you with transaction statements, notifying you of changes that affect you, and assisting you when problems have arisen, or in case you have filed a complaint;
- To prevent money laundering, financing of terrorism and fraud – the Company has both a legal obligation to apply measures against money laundering and financing of terrorism and a legitimate interest in preventing malicious acts (example: internet fraud, use of forged and/or false documents, etc.). Personal data may also be processed to protect the legitimate interests of third parties;
- In order to comply with our legal obligations – the Company has a legitimate interest in managing its activities as an electronic money institution in accordance with the requirements set by the Bulgarian financial system regulatory framework. This means that we process personal data to ensure the operation of a record-keeping system, to report and communicate with competent authorities, auditors or other recipients of data to which personal data may be lawfully disclosed. In addition, the Company outsources the processing of personal data to third parties, which are called processors. Processors are third parties, subcontractors – legal entities and parties who provide additional services to the Company. Processors are required to ensure appropriate personal data confidentiality compliance.
- In order to communicate with you – in order to provide you with our services, we would require up-to-date and accurate data regarding your email address, telephone number or other agreed means of communication. The data is necessary for your verification and to perform the procedures for validation of payment transactions.
In the process of opening an account / wallet and providing the corresponding services, we collect:
- Your personal identification data, such as name, address, identity document, date of birth, means for contact and other relevant data that will allow us to confirm and verify your identity;
- Data concerning your financial situation, profession, knowledge and experience in order for us to assess whether the services provided by us are suitable for you;
- Any other data allowing us to conduct due diligence in accordance with the requirements of the Law on Measures against Money Laundering.
In some specific cases we may use your personal data even if you are not our customer, e.g. if you are the beneficial owner or a senior managing official of our business client.
We will request this data through our onboarding forms, and will use our own records and data from other sources where applicable. If you do not provide us with all of the necessary data, we may be unable to provide the requested by you service or may not be able to continue providing services to you.
How will the data be used?
We collect your data in order to fulfill both our legal and contractual obligations, in conjunction with our legitimate interest in the services we provide, to improve the services we offer to you and our customers in general. With regards to that, we exercise a great care in processing your personal data when it involves third party disclosure. Whenever a personal data is being disclosed it is due to pursuant of legitimate goals as described above.
Depending on our relationship, we may disclose your personal data to the following categories of recipients:
- Companies from the group to which Tenen Payments JSC belongs;
- Companies and parties who provide us with services for implementation and maintenance of IT systems, technical services, legal advisors, data archiving, administrative or other similar services relevant to the functioning of the Company and providing you and us with services.
- Government bodies, institutions and agencies, whose registers are being used for obtaining additional data, necessary for precontractual steps or for performing an existing contract (NSSI, NRA, ASGD, Ministry of Interior, etc.);
- Parties to whom production, printing, assembly, delivery (including via SMS messages or other electronical means) of written correspondence and / or information materials of the Company are assigned;
- Payment service system operators;
- Payment service providers regarding the Company’s obligations under Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006;
- National Revenue Agency (NRA) regarding the automatic exchange of financial information under Art. 142b, para 1 of the Tax and Social Insurance Procedure Code, which requires provision of information for clients of the Company, including beneficial owners of companies. The provided information includes names, addresses, tax numbers, date and place of birth, account numbers, account balances, and income realized through the account;
- Other information recipients who have the legal authority to request personal information through Tenen Payments JSC. Such recipients are the Bulgarian National Bank, ministries, commissions, agencies, judicial bodies, law enforcement bodies, etc. In certain cases, it is the Company that is legally obliged to initiate the provision of your personal data (for example, pursuant to the Law on Measures against Money Laundering) or out of our legitimate interest, including that of a third party;
- Any third party that you may authorize to act on your behalf, or who may be authorized under the terms and conditions of an existing contract with us.
We require any organization that we disclose your data to or which may acquire it on our behalf, to ensure its confidentiality and process it in accordance with the Personal Data Protection Act and the General Data Protection Regulation.
How will we store your confidential data?
Your data will be stored on our secure computer systems and paper files. We have systems and procedures in place to prevent unauthorized access, improper modification or disclosure, misuse or loss of data.
How long do we retain your data?
We must keep your data for a certain period of time after it is provided to us, even if we no longer have a contractual or other relation with you. How long we retain your data depends on the statutory regulatory terms applicable to our business activities. When you apply for our any of our products or services but are not approved or you decide to withdraw, your personal data will be retained for a limited period of time (1 year).
If you are our client and use the products and services of the Company, we have a legal obligation to retain your personal data not only for the duration of our contractual relationship, but also for 5 years after their termination. In certain cases, this period may be extended to 7 years at the request of a competent public authority. If the retention of your data is necessary for pending legal proceedings in which the Company is a party (e.g. a court, administrative proceedings, when considering your complaint to the Company, etc.), we will retain them until the completion of these proceedings.
If you exercise your right to restrict processing, the Company will retain personal data until you specify otherwise.
Your rights under the General Regulation
According to the General Regulation, you can:
- request a copy of the personal data we hold about you, as well as request data regarding the purpose of the processing, the ways and means for processing (right of access);
- request to correct factual inaccuracies, in case your data is inaccurate or out of date (right of rectification). The right of access may be restricted partially or entirely by the Company pursuant to Art. 54, para. 3 of the Personal Data Protection Act, considering the fundamental rights and legitimate interests of the affected party;
- object the processing of your personal data for the purposes of legitimate interest and / or for the purposes of direct marketing (right of object);
- request the erasure of your personal data within the applicable legislation (right to erasure / right to be forgotten) – personal data related to the subject are erased in compliance with the requirements of Article 17 of the Regulation. In case of refusal, you shall be provided with reasoning regarding our decision and the legal grounds for it;
- request from the Company your personal data to be placed in a common machine-readable format and received by you or a third party (right to data portability). The data you can request can only be the one you have provided to us in relation to a contractual relationship or with your consent and is being processed in automated means;
- request the Company to not process your personal data, including to not erase them, for the purpose of protecting your legal claims (right of restriction of processing);
- withdraw consent at any time if such consent was necessary for processing your personal data. This withdrawal shall not affect the lawfulness of the processing until the withdrawal of the consent. In the event of consent withdrawal, the personal data processing, being caried out on other grounds without requirements for consent, is not affected (right to withdraw consent);
If you believe that we have violated the requirements of the Personal Data Protection Act or the General Regulation, or have otherwise failed to maintain your privacy, you may file your complaint by contacting us using the following contact details:
Tenen Payments JSC
Address: 52 Strandzha Str, Sofia 1303
e-mail : email@example.com
Phone: +359 2 439 81 92
If you are not satisfied with our response to your complaint, you may contact the Commission for Personal Data Protection
e-mail : firstname.lastname@example.org
Address: 2 Prof. Tsvetan Lazarov Blvd, Sofia 1592
APPLICATION FOR EXERCISING RIGHTS
(Fields marked with * are mandatory in order for the application to be processed).
Details of the natural person wishing to exercise the right:
Date of birth*:
- right of access
- right of adjustment
- right to erasure
- right to limit processing
- right of objection
- right of portability
- right of withdrawal of consent
(Please mark by underlining, the right/rights you would like to exercise);
Request description *:
(Please describe your request, including the reasons.)
Preferred form of communication *:
- in writing to an e-mail address
- in writing to a correspondence address
(Please state your preference)