1.1. DPO – Data protection officer.
1.2. DSI – Data State Inspectorate (Datu valsts inspekcija).
1.3. GDPR – General Data Protection Regulation.
1.4. EU/EEA – European Union and European Economic Area.
1.5. Notice – this Privacy notice.
1.6. Sun Finance Group (or “we”) – AS “Sun Finance Group”, registration No. 40203205428, legal address: Skanstes iela 52, Riga, LV-1013, Latvia.
1.7. You – individual (or his/her authorized representative), who is interacting with us and affected by personal data processing conducted by us.
1.8. Webpage – Our webpage available at www.sunfinance.group
1.9. Other terms defined by the GDPR – “personal data”, “processing”, “restriction of processing”, “profiling”, “pseudonymization”, “controller”, “processor”, “recipient”, “third party”, “consent”, “personal data breach”, “supervisory authority” – are used in this Notice with the same meaning.
2.1. This Notice applies to all cases when we collect and otherwise process your personal data (for example, when you are using/visiting our Website, addressing us (for instance, calling, e-mailing, visiting, etc.), having a direct legal relation with us, etc.), applying for a job with us, etc.
2.2. This Notice covers relations/cooperation that you have directly with us. If you also have a relationship with other companies pertaining to the same group as we, they will provide you with a privacy notice separately where required.
2.3. The purpose of this Notice is to explain how your personal data is collected and otherwise processed by us, inform you about the purposes of processing and your rights, as well as give other information related to processing of personal data performed by us.
2.4. Some of the links on our Website lead to other websites with their own privacy notices, which may be different to this Notice. You will need to make sure that you are satisfied with the respective privacy notice when using those other websites.
3.1. Sun Finance Group is regarded controller of personal data processed according to this Notice, which means that Sun Finance Group determines the purposes (namely, “why” personal data is processed) and means of processing (namely, “how” personal data is processed).
3.2. The Company has appointed a DPO, whom you can contact about all matters related to the processing of personal data conducted by us (e-mail address: dpo@sunfinance.group ).
Personal data we collect and otherwise process about you may include the following:
(a) Personal details (name, surname, date of birth, ID number);
(b) Contact details (phone number, e-mail address, address);
(c) Information about your opinion (for instance, about our products, services, etc.);
(d) Other information you fill in or indicate in forms or give us during communication with us or interacting with our Webpage;
(e) Information about your claim;
(f) Information contained in your curriculum vitae (CV) submitted to us (for instance, information about your previous working experience, information about you professional education, etc.);
(g) Information about your device or software that you use (for instance, IP address, technical information/specification, other identifying data);
(h) Information on how you interact with us or our Webpage;
(i) Investigations data (for instance, due diligence checks, sanctions and anti-money laundering checks, etc.);
(j) User login and subscription data (for instance, login credentials);
(k) Audio records of all telephone calls (incoming and outcoming);
(l) Details of other communication with us (for instance, via post, e-mail, live chat, etc.);
(m) Footage and images from video surveillance conducted at our office;
(n) Cookies and similar technologies we use to recognize you, remember your preferences and tailor the content we provide you – our cookie policy contains more details about how we use cookies and can be found at:
(o) Other personal data that may be necessary to achieve purposes described herein.
We collect personal data only according to the provisions of GDPR and other applicable laws. Personal data typically may be collected in two ways:
(a) Directly from you (for instance, when you contact us (call us, e-mail us, etc.), when you use or interact with our Webpage, when you fill in any forms available on the Webpage, when you address us a claim or application, etc.);
(b) From other sources (for instance, from sources (third party providers) that help us to prevent fraud, money laundering and terrorism financing; sources from which you ask us to obtain some information about you, from publicly available sources, etc.).
6.1. We mainly process your personal data for the following purposes:
(a) To deliver our products and services to you;
(b) To administer your account with our Webpage (if you have one) and manage any relationship you have with us;
(c) To answer to your requests, claims queries, etc.;
(d) To carry out your instructions;
(e) To assess your opinion on our products, services, other activities;
(f) For marketing purposes (for instance, via post, e-mail, SMS, calls, social media, mass media, messaging, etc.) and to understand your preferences;
(g) To contact you on matters related to interaction/cooperation with us (for instance, to inform you about changes in our policies, to inform you in cases prescribed by law, etc.);
(h) To protect our legal rights and interests (for instance, in case of a dispute);
(i) To perform our legal obligations;
(j) To ensure security (including cybersecurity) and business continuity;
(k) For market research purposes and to identify trends;
(l) To ensure protection of our property (for instance, our assets, information, computer network, infrastructure, etc.) against physical, cyber and other threats;
(m) To protect vital interests of individuals (for instance, our employees, visitors, etc.);
(n) For risk management purposes;
(o) To prevent and detect unlawful actions (e.g., fraud, theft, property damage, terrorism financing, money laundering etc.);
(p) For product, services and Webpage improvement purposes;
(q) Other related purposes.
6.2. When processing personal data, we may rely on different legal bases, depending on the purpose pursued and personal data type processed, namely:
(a) Your consent (for instance, in case of sending you commercial communications);
(b) Performance of a contract (for instance, if you have contractual relations directly with us, have an account with our Webpage, etc.);
(c) Processing is necessary for fulfilment of our legal obligations (for instance, obligations under tax laws, laws on anti-money laundering and terrorism financing prevention, laws on national/international sanctions, etc.);
(d) Processing is necessary for protection of vital interests of individuals (for instance, in cases when life and health of individuals can be affected);
(e) Processing is necessary for the performance of a task carried out in the public interest (for instance, when carrying out activities for prevention of money laundering; prevention and detection of crime, etc.);
(f) Processing is necessary for the purposed of our legitimate interests (for instance, detection and prevention of fraud; ensuring security (including cybersecurity); protecting our property (assets, information (including personal data); computer network infrastructure, etc.); risk management; ensuring business continuity; protecting of our property and information; direct marketing; protection of our legal rights and interests; improving our products, services and Webpage; customizing or products and services to your interests, etc.).
If it is legally justified in each particular case, personal data may be disclosed to the following recipient categories:
(a) Authorized employees of Sun Finance Group;
(b) Service providers (processors and other controllers) that provide different services to Sun Finance Group (for instance, IT services, data storage services, e-mail service providers, marketing services, etc.);
(c) Competent state institutions (for instance, Data State Inspectorate, court, police, etc.);
(d) Companies belonging to the same group of companies with Sun Finance Group;
(e) Other recipients if there is an appropriate legal basis;
We mainly process personal data within the EU/EEA. However, in course of our business activities information (including personal data) may be transferred outside EU/EEA. In this case we will ensure that all GDPR requirements on transfers of persona data outside the EU/EEA are complied with. You can receive more detailed information on this matter by addressing us using the contact information provided herein.
We will process and store personal data according to our data retention policy. Retention period mostly depends on type of personal data concerned and processing purpose. In respect to some personal data categories, retention periods are provided in applicable laws (for instance, tax laws, accounting laws, consumer protection laws, etc.). In other cases, when retention period is not determined by law, we determine retention period taking into account personal data protection principled provided in the GDPR. For instance, longer retention period may be needed if we need data for our legitimate purposes, e.g., to help us respond to queried and complaint, fighting fraud and financial crime, responding to requests from regulators, etc. At the end or retention period we will delete or irrevocably anonymize your personal data.
10.1. GDPR provides individuals (as data subjects) with a set of different rights, namely:
(a) Right to request access to personal data we hold about you;
(b) Rights to request rectification of personal data;
(c) Rights to request erasure of personal data;
(d) Rights to restriction of processing;
(e) Rights to data portability;
(f) Rights to object to processing;
(g) Rights to withdraw consent at any time if processing is based on your consent as a legal basis (NB! The withdrawal of consent does not affect the lawfulness of Processing based on consent given before its withdrawal).
10.2. You can exercise the said the abovementioned rights by addressing us using the contact information indicated herein.
10.3. We would like to draw your attention to the fact that the abovementioned rights are not absolute. Namely, GDPR and other applicable laws stipulate for conditions that have to be met in order to exercise these rights, limitations and exceptions.
10.4. If we have reasonable doubts about identity of individual, who submits a request on exercise of the said rights, we may request to provide additional information which is necessary for confirmation of your identity.
We would like to resolve any dispute in a friendly manner. Therefore, if you believe that processing of personal data conducted by us is not in compliance with the GDPR or other applicable laws on personal data protection, we encourage you to submit us your complaint, using the information indicated in this Privacy Notice. We will do our best to resolve the matter as soon and effective as possible. However, you can always submit a complaint to the DSI .
Whether it is an obligation or option to provide personal data, will mainly depend on the purpose of processing. For instance, in case or commercial communications (e.g., advertising sent via e-mail, SMS, etc.), you are free to decide, whether you are willing to receive it and thus, whether you are willing to provide personal data. In other cases, for instance, in case you submit a request or complaint to us, provision of personal data (e.g., for verifying your identity) will be obligatory. Failure to provide personal data in case or obligatory processing, may result in failure to achieve the envisaged purpose.
We use appropriate technical (including physical and logical) and organizational measures to protect personal data and other information that we collect and store against accidental or unlawful destruction, loss, alteration, disclosure, access. For example, by limiting access to our premises, using encryption, managing access rights, using secure processors and other partners, raising awareness on personal data protection and security matters of our staff, etc.
We may use automated systems to help us make decisions, for instance, when conducting anti-money laundering or sanction checks. However, decision-making process and/or profiling does not solely rely on automated processing.
We may update this Privacy Notice from time to time. The most recent version can be found at our Webpage.
If you would like to receive any further information on anything, we have said in this Privacy Notice, please contact us or our DPO using the information indicated herein.
This Privacy notice was last updated in November 2020.