1. About this Privacy Statement
This is the Privacy Statement of Baltic Bill, UAB (“Baltic Bill, UAB” or “we”). It applies to all subsidiaries and branches of Baltic Bill to the extent that they process personal data. Baltic Bill has its registered office at Naugarduko Str.3, LITHUANIA, 01141 Vilnius.
Baltic Bill treats personal data which it receives through its websites, portals and any other means with due care and is dedicated to safeguarding any personal data it receives. Baltic Bill is bound by the General Data Protection Regulation (Regulation (EU) 2016/679), the Dutch Data Protection Act (Wet bescherming persoonsgegevens) and the Dutch Telecommunications Act (Telecommunicati ewet).
This Privacy Statement is designed to advise you about the type of information that Baltic Bill collects and the purposes for which this information is being processed, used, maintained and disclosed.
This Privacy Statement aims to explain in a simple and transparent way what personal data we gather about you and how we process it. It applies to the following persons:
• the legal representatives and ultimate beneficial owners of all past, present and prospective Baltic Bill merchants (webshops/online retailers) and other commercial contracting parties such as independent sales agents (also known as referral partners). We are legally obliged to retain personal data of these persons, also for a certain period after the relationship has ended, in compliance with ‘know your customer’ (“KYC”) regulations; • anyone involved in any transaction with our payment institution, including non-Baltic Bill customers such as consumers/payees of Baltic Bill merchants; and • anyone visiting the Baltic Bill website.
We may amend this Privacy Statement to remain compliant with any changes in law and/or to reflect how our business processes personal data. This version was created on 7 May 2018.
2. Personal Data
Personal data refers to any information that tells us something about you or that we can link to you. Baltic Bill processes any information we receive from you, including personal and financial information you provide to us including when you or your business: make a payment, enquire or make an application for Baltic Bill’s services, register to use and/or use any of our services and when you communicate with us through e-mail, SMS, WhatsApp, a website or portal, telephone or any other electronic means.
Such information may include you or your customer’s: • name including first name and family name, date of birth, e-mail address, billing address, username, password and/or photograph, address, nationality and country of residence; • card account number, card expiry date, CVC details, bank and/or issuer details; and/or • information relating to any items purchased, including the location of the purchase, the value, the time and any feedback that is given in relation to such purchase.
By processing, we mean everything we can do with this data such as collecting, recording, storing, adjusting, organising, using, disclosing, transferring or deleting. For more information about the way we use your personal data, please refer to Section 4 (“What we do with your personal data”).
You share personal information with us, for example when you: visit our website, complete a(n) (online) (application) form, sign a contract, make a payment or alternatively use our payment services, or contact us through one of our channels.
We also use data that is legally available from public sources such as commercial registers, debtor registers and the media, or data that is legitimately provided by other companies within Baltic Bill or by third parties.
3. Sensitive data
We do not record sensitive data relating to your health, ethnicity, religious or political beliefs unless it is strictly necessary. When we do it is limited to specific circumstances, for example if you as a customer of an Baltic Bill merchant make a payment for a membership fee to a political party or religious organisation.
4. What we do with your personal data
We only use your personal data for legitimate business reasons. This includes:
- Administration. When you open a merchant account we are legally obliged to collect personal data that verifies your identity (such as a copy of your ID card or passport) and to assess whether we can accept you or your company as a customer. We also need to know your address or phone number to contact you.
- Managing customer relationships. We may ask you for feedback about our products and services and share this with certain members of our staff to improve our offering. We might also use notes from conversations we have with you online, by telephone or in person to customise products and services for you.
- Credit risk. To assess the financial position of your company we apply specific risk models that may involve the use of personal data.
- Personalised marketing. We may send you letters, emails, or text messages offering you a product or service based on your personal circumstances, or show you such an offer when you log in to our website or mobile apps. You may unsubscribe from such personalised offers. You have the right, not to consent or to object to personalised direct marketing or commercial activities, including profiling related to these activities.
- Providing you with the best-suited products and services. When you visit our website, call our customer service centre or visit a branch, we gather information about you. We analyse this information to identify your potential needs and assess the suitability of products or services. For example, we may suggest investment opportunities suited to your profile. We analyse your payment behaviour, such as large amounts entering or leaving your account. We assess your needs in relation to key moments when a specific financial product or service may be relevant for you, such as starting your first job or buying a home. We assess your interests based on simulations you participate in on our website.
- Improving and developing products and services: Analysing how you use our products and services helps us understand more about you and shows us where we can improve. For instance, when you open a merchant account, we measure the time it takes until your first transaction to understand how quickly you are able to use your merchant account.
- We analyse data on transactions between you and our corporate customers (merchants) to offer information services. When Baltic Bill processes personal data for this purpose, aggregated data may be made available to the Baltic Bill merchant (webshop/onlineFF retailer). This merchant cannot identify you from these aggregated data.
- We analyse the results of our marketing activities to measure their effectiveness and the relevance of our campaigns.
- Preventing and detecting fraud and data security: We have a duty to protect your personal data and to prevent, detect and contain data breaches. This includes information we are obliged to collect about you, for example to comply with regulations against money laundering, terrorism financing and tax fraud. We may process your personal information to protect you and your assets from fraudulent activities, for example if you are the victim of identity theft, if your personal data was disclosed, or if you are hacked.
- We may use certain information about you for profiling (e.g. name, account number, age, nationality, IP address, etc.) to quickly and efficiently detect a particular crime and the person behind it.
- Our merchants (webshops/online retailers) may use contact and security data to secure transactions and communications made via remote channels.
- Internal and external reporting: We process your data for our payment operations and to help our management make better decisions about our operations and services. To comply with a range of legal obligations and statutory requirements (anti-money laundering legislation and tax legislation, for example).
Data that we process for any other reason is anonymised or we remove as much of the personal information as possible
5. Who we share your data with and why
Whenever we share personal data internally or with third parties in other countries, we ensure the necessary safeguards are in place to protect it. For this, Baltic Bill relies on: • EU Model clauses, which are standardised contractual clauses used in agreements with service providers to ensure personal data transferred outside of the European Economic Area complies with EU data protection law. • Privacy Shield framework that protects personal data transferred to the United States.
To be able to offer you the best possible services and remain competitive in our business, we share certain data both internally as well as outside of Baltic Bill. This includes:
Baltic Bill entities – We transfer data across Baltic Bill businesses and branches for operational, regulatory or reporting purposes, for example to comply with certain laws, secure IT systems or provide certain services (see section 4 (“What we do with your personal data”). We may also transfer data to centralised storage systems or to process it globally for more efficiency.
Independent sales agents – We share information with independent sales agents (referral partners) who act on our behalf.
Government authorities – To comply with our regulatory obligations, we may disclose data to the relevant authorities, for example to counter terrorism and prevent money laundering.
In some cases, we are obliged by law to share your data with external parties, including: • public authorities, regulators and supervisory bodies such as fraud protection agencies and the central banks of the countries where we operate • judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legal request • lawyers, for example, in case of a claim or bankruptcy, trustees who take care of other parties’ interests and company auditors.
Financial institutions – When funds are transferred from a payer to a payee, the transaction involves other financial institutions, banks or a specialised financial company. Baltic Bill may process payments through such other financial institutions. These external organisations may process and store your personal information abroad and we and they may have to disclose your information to foreign authorities to help them in their fight against crime and terrorism. To process payments, we have to share information about the transaction with other financial institution, such as your name and account number. We also share information with financial sector specialists who assist us with financial services like: • payments and credit transactions worldwide • processing electronic transactions worldwide • settling domestic and cross-border security transactions and payment transactions.
Sometimes we share information with banks or financial institutions in other countries, for example when you make or receive a foreign payment.
Third party service providers – When we use other service providers, we only share personal data that is required for the particular task we involve the service provider for. Service providers support us with activities like: • performing certain services and operations • designing and maintenance of internet-based tools and applications • marketing activities or events and managing customer communications • preparing reports and statistics, printing materials and designing products • placing advertisements on apps, websites and social media.
Business transfers – Baltic Bill may buy or sell business units or affiliates. In such circumstances, we may transfer customer information as a business asset. Without limiting the foregoing, if our business enters into a joint venture with or is sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.
With your permission – Your information may also be used for other purposes for which you give your specific permission, or when required by law or where permitted under the terms of the laws of the relevant jurisdiction.
- Functional cookies – These cookies may store your browser name, the type of computer and technical information about your means of connection to this website, such as the operating system and the Internet Service Providers utilized and other similar information. This information is used to technically facilitate the navigation and use of this website. In addition, functional cookies may be used to store personal settings, such as language, or to remember your information for next visits if so requested.
- Analytics cookies – This website also uses analytics cookies placed by Google Analytics (including Google Tag Manager) to measure the number of visits and the parts of the website that are the most popular among our website visitors as well as for benchmarking purposes. This information is used to provide aggregated and statistical information on the use of this website and is used to improve the contents of this website to enhance your user experience. Baltic Bill has followed the manual of the Dutch Data Protection Authority in order to ensure that Google Analytics is used in a privacy friendly manner. This means that we have instructed Google to remove the last three digits of your IP-address (“Anonymize IP”) and we have disabled the standard setting to share data with Google. Furthermore, Baltic Bill has concluded a data processing agreement with Google Inc. and Baltic Bill does not use other Google services in combination with the Google Analytics-cookies.
- Third-party/social media cookies – This website contains cookies from third-party websites, mainly social media cookies. When placed on your computer, they automatically activate handy extras, for example, a Facebook ‘like’ button or a Twitter messaging option. These cookies inform our website whether you are logged into such social media and they also enable you to share parts of this website on social media. When visiting this website, Baltic Bill will ask for your consent to use these cookies.
Do you object to cookies?
Cookies generally process your IP-address but they do not save your personal information like e-mail address or phone number. If you do not want to have cookies stored on your computer or want to remove cookies that have already been stored, you can arrange this via your browser settings. You can find more information concerning the removal of cookies on the website of the Dutch Consumer Organization and on the website all about cookies.
we will also notify that party.
Right to object to processing – You can object to Baltic Bill using your personal data for its own legitimate interests. There is a list of contact details at the end of this Privacy Statement. We will consider your objection and whether processing your information has any undue impact on you that requires us to stop doing so.
You can also object to receiving personalised commercial messages from us. You cannot object to us processing your personal data if we are legally required to do so, even if you have opted out of receiving personalised commercial messages.
Right to object to automated decisions – We sometimes use systems to make automated decisions based on your personal information if this is necessary to fulfil a contract with you, or if you gave us consent to do so. You have the right to object to such automated decisions (for example requiring a new passport copy if the one we have on file for you as representative of your company is no longer valid) and ask for an actual person to make the decision instead.
Right to restrict processing You have the right to ask us to restrict using your personal data if:
- you believe the information is inaccurate;
- we are processing the data unlawfully;
- Baltic Bill no longer needs the data, but you want us to keep it for use in a legal claim; and/or
- you have objected to us processing your data for our own legitimate interests.
Right to complain – Should you for any reason be unhappy with the way Baltic Bill treats your personal data, you can file a complaint with Baltic Bill’s Compliance Officer via email@example.com. You can also contact the data protection authority in your country.
Exercising your rights – How you can exercise your rights depends on the type of personal data Baltic Bill processes. It could be through our website, by fulfilling our KYC obligations or by processing a transaction. We aim to respond to your request as quickly as possible.
In certain cases, we may deny your request. If it’s legally permitted, we will let you know within a reasonable timeframe why we denied it.
If you want to exercise your rights or submit a complaint, please contact us via the e-mail address provided below.
8. Your duty to provide data
There is certain information that we must know about you so that we can commence and execute our duties as a payment institution and fulfil our associated obligations. There is also information that we are legally obliged to collect. Without this data, we may, for example, not be able to open a payment processing account for your company.
9. How we protect your personal data
We apply an internal framework of policies and minimum standards to keep your data safe. These policies and standards are periodically updated to keep them up to date with regulations and market developments. More specifically and in accordance with the law, we take appropriate technical and organisational measures (policies and procedures, IT security etc.) to ensure the confidentiality and integrity of your personal data and the way it’s processed.
In addition, Baltic Bill employees are subject to confidentiality and may not disclose your personal data unlawfully or unnecessarily.
10. What you can do to help us keep your data safe
Unfortunately, the transmission of information via the internet in general is not always completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We do our utmost to protect your data, but there are certain things you can do too:
- install anti-virus software, anti-spyware software and a firewall on your computer and keep them updated;
- do not leave verification tokens or your credit card) unattended;
- keep your passwords strictly confidential and use strong passwords, i.e. avoid obvious combinations of letters and figures; and • be alert online and learn how to spot unusual activity, such as a new website address or phishing emails requesting personal information.
11. How long we keep your personal data
Once you are no longer a customer, we will retain your personal information for a reasonable period, or as otherwise allowed or required by law.
12. Contact us
If you want to know more about Baltic Bill’s data policies and how we use your personal data, you can send us an e-mail at the following dedicated e-mail address: firstname.lastname@example.org