When advising on and concluding financial products or services, we ask a lot of confidential information from customers. Clients of M-Credit Financial Corp must be able to assume that we will handle the information that a client provides us with due care and that this information will not be shared with others without the explicit consent of the client.
In this sense, careful handling of the recording and exchange of personal data is a condition for careful financial services. Confidentiality is an important aspect for our company and the attitude of the professionals working in it.
For the effective performance of our work, it is necessary that we exchange personal data with providers and, for example, repairers and counterparties, because this affects the core of our tasks as a financial service provider. In addition, we may provide information on the basis of legal obligations to, for example, the American Tax Authorities or the Boston Authority for the Financial Markets.
We have mapped the personal records kept by us and processed them in our internal processing register. Customers and other stakeholders can receive these on request. Here they will find information about the data that we process and about the parties with whom we can exchange this data.
In these regulations the following terms have the following meanings:
- the law: the General Data Protection Regulation (GDPR) and the GDPR Implementation Act;
- personal data: any information about an identified or identifiable natural person;
- processing of personal data: any action or set of actions relating to personal data, including in any case the collection, recording, organization, storage, update, modification, retrieval, consultation, use, provision by means of transmission, distribution or any other form of making available, bringing together, linking together, as well as shielding, erasing or destroying data;
- file: any structured set of personal data, regardless of whether this set of data is centralized or distributed in a functionally or geographically determined manner, which is accessible according to certain criteria and relates to different persons;
- controller: the natural person, legal person or any other person or administrative body that, alone or together with others, determines the purpose of and the means for the processing of personal data;
- processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority;
- data subject: the person to whom personal data relates;
- third party: any person, other than the data subject, the controller, the processor or any person who is authorized under the direct authority of the controller or processor to process personal data;
- recipient: the person to whom the personal data are provided;
- consent of the data subject: any free, specific and informed expression of will by which the data subject accepts that personal data relating to him will be processed;
- supervisor: American Data Protection Authority;
- provision of personal data: the disclosure or making available of personal data;
- collection of personal data: obtaining personal data.
- These regulations apply to the fully or partially automated processing of personal data. It also applies to the non-automated processing of personal data contained in a file or intended to be included therein.
- These regulations apply within M-Credit Financial Corp and relate to the processing of personal data of customers, employees and other natural persons involved.
- The purpose of collecting and processing personal data is to have access to the data that is necessary for the realization of the purposes as described in the articles of association, the annual plans and other plans of M-Credit Financial Corp, the realization of legal purposes and the conduct of policy and management in the context of these purposes.
- The purposes for which data is collected and processed within M-Credit Financial Corp are explicitly described in the appendix.
4. Representation of the person concerned
- If the person concerned is a minor and has not yet reached the age of sixteen or if the person concerned is of age and placed under guardianship, the consent of his legal representative is required instead of the consent of the person concerned. The consent is recorded in writing. If the data subject has issued a written authorization with regard to his representative to the processor, the consent of the agent in writing is required.
- Consent can be withdrawn at any time by the person concerned, service authorized in writing or his legal representative.
5. Responsibility for management and liability
- The controller is responsible for the proper functioning of the processing and management of the data; Under the responsibility of the controller, an administrator is usually charged with the actual management of the personal data.
- The responsible party ensures that appropriate technical and organizational measures are taken to protect against any loss or any form of unlawful processing of data.
- The responsibility referred to in paragraph 1 and the provisions of paragraph 2 apply without prejudice if the processing takes place by a processor, this is regulated in an agreement (or by means of another legal act) between the processor and the controller.
- The responsible person is liable for damage or disadvantage caused by non-compliance with the provisions of the law or these regulations. The processor is liable for that damage or that disadvantage, insofar as this / that is caused by his actions.
- Personal data is processed in a proper and careful manner in accordance with the law and these regulations.
- Personal data is only collected for the purposes referred to in these regulations and is not further processed in a way that is incompatible with the purposes for which they were obtained.
- Personal data must be adequate and relevant in view of the purposes for which they are collected or subsequently processed; no more personal data must be collected or processed than is necessary for the purpose of the registration.
- Personal data may only be processed if:
- the data subject has given his unambiguous consent to the processing;
- the data processing is necessary for the performance of an agreement to which the person concerned is a party (for example, an agreement to conclude a financial product or financial service or the employment contract with the person concerned) or for actions, at the request of the person concerned, that are necessary for the conclusion, or assisting in the management of an agreement;
- the data processing is necessary to fulfill a legal obligation of the controller;
- the data processing is necessary in connection with a vital interest of the data subject;
- the data processing is necessary with a view to an interest of the controller or a third party, unless that interest conflicts with the interest of the person whose data are processed and that interest precedes.
- The registration of the citizen service number only takes place if there is a legal basis for this. As a rule, there will be no such basis for our services. When entering into a credit agreement, the lender can request this in order to comply with its identification obligation.
- Anyone who acts under the authority of the controller or processor - and also the processor himself - only processes personal data on behalf of the controller, except in the case of deviating legal obligations.
- The data is only processed by persons who are obliged to observe secrecy on the basis of an (employment) agreement.
7. Processing of personal data
- The processing is carried out by employees of our company or other natural persons who are engaged in financial services under our responsibility.
- The processing generally takes place in connection with the performance of an agreement, namely the agreement to provide services. In those cases where there is no performance of such a contract, the processing takes place with the express consent of the data subject.
- The processing is done in order to be able to carry out our activities as an advisor and / or broker in financial products and services.
8. Special personal data
- The processing of personal data about a person's religion or belief, race, political affiliation, health, sexual life, trade union membership or criminal personal data is prohibited, except in cases where the law expressly provides by whom, for what purpose and under what conditions such data may be processed (Articles 9 and 10 of the GDPR).
- As a financial service provider, we may process information about your health in our administration, provided this is necessary for the proper performance of our work. We may also request information about a possible criminal past from you, if this is necessary for the proper execution of the agreement, provided that you give your explicit permission for this.
9. Data processing
Data obtained from the person concerned
- If the personal data are obtained from the data subject himself, the controller shall inform the data subject before the moment of collection:
- his identity;
- the purpose of the processing for which the data are intended, unless the data subject already knows that purpose.
- The controller shall provide the data subject with further information to the extent that - given the nature of the data, the circumstances under which they were obtained or the use to which it is made - it is necessary to guarantee proper and careful processing towards the data subject.
Data obtained without the involvement of the person concerned
- In addition to the information received from the data subject, the controller may, for the purposes described, obtain information from external sources that the controller considers reliable. This includes the CRO for your credit data, Roy data for the registration of your bonus / malus statement, the RDW for your vehicle data and the CIS foundation for the prevention and combating of fraud in the insurance sector.
- The responsible party shall ensure that with any processing of personal data, only those personal data are processed that are accurate, adequate, relevant and not excessive.
10. Right of access
- The data subject has the right to be informed of the processed data relating to his person.
- The controller will inform everyone at his / her request - as soon as possible but no later than four weeks after receipt of the request - in writing whether personal data concerning him or her will be processed. Costs may be charged for providing such a notification. In addition, the data subject, who requests access to his personal records, may be asked for a copy of a valid proof of identity.
- If that is the case, the controller will provide the applicant with a complete written statement, as soon as possible, but no later than four weeks after receipt of the request, with information about the purpose or purposes of the data processing, the data or categories of data. to which the processing relates, the recipients or categories of recipients of the data as well as the origin of the data.
- If a weighty interest of the applicant requires this, the controller will comply with the request in a form other than the written form that is adapted to that interest.
- The controller can refuse to comply with a request if and insofar as this is necessary in connection with:
- the investigation and prosecution of criminal offenses;
- the protection of the data subject or of the rights and freedoms of others.
11. Provision of personal data
- In principle, the provision of personal data to a third party does not take place other than with the consent of the person concerned or his representative, except in the case of a statutory provision to that effect or the situation of emergency.
- An exception to this rule is information exchange with parties that need information for the performance of the agreement, such as insurance companies, banks, lenders or parties involved in claims handling.
- Finally, we can provide personal data in order to comply with legal obligations, such as to the American Tax Authorities and the Boston Authority for the Financial Markets.
12. Right to correction, addition, deletion
- At the written request of a data subject, the controller will correct, supplement, delete and / or protect the personal data processed about the applicant, if and insofar as these data are factually incorrect, incomplete or irrelevant for the purpose of the processing. or comprise more than is necessary for the purpose of the registration, or otherwise processed in violation of a legal provision. The request of the person concerned contains the changes to be made.
- The controller will inform the applicant in writing as soon as possible, but no later than four weeks after receipt of the request, whether he complies with it. If he does not want to comply with this or not fully, he will give reasons. In this context, the petitioner has the option of addressing the controller's complaints committee.
- The responsible party will ensure that a decision to correct, supplement, remove and / or shield is implemented within 14 working days, and if this is not reasonably possible otherwise as soon as possible afterwards.
13. Retention of data
- Personal data will not be kept in a form that makes it possible to identify the data subject for longer than is necessary for the realization of the purposes for which they are collected or subsequently processed.
- The controller determines how long the recorded personal data will be kept.
- If the retention period of the personal data has expired or the data subject requests deletion before the expiry of the retention period, the relevant data will be deleted within a period of three months.
- However, removal will not take place if it can be reasonably assumed that this is the case
the storage is of great importance to someone other than the data subject;
the storage is required by law (including the Financial Supervision Act) is or
if there is agreement on this between the data subject and the controller.
14. Processing register
- A fully or partially automated processing of personal data intended for the realization of a goal or related purposes has been mapped out by us and processed in an internal processing register before the processing starts.
- In those cases where an automated process deployed for the processing of personal data poses a high risk for the data subject, taking into account the nature and context of the personal data held, we will carry out a data protection impact assessment before starting this processing and we ensure that we adequately control the associated risks, in order to guarantee the rights of data subjects sufficiently.
- The internal processing register states:
- the name and address of the controller;
- the purpose or purposes of the processing;
- a description of the categories of data subjects and of the (categories of) data relating to them;
- the recipients or categories of recipients to whom the data may be disclosed;
- the retention periods used.
15. Data breaches
- If the controller is confronted with a data breach, it will investigate whether personal data has been lost or whether unlawful processing cannot be ruled out.
- If the aforementioned investigation shows that personal data of a sensitive nature has been leaked or there is (a significant chance of) adverse consequences for the protection of the processed personal data for another reason, the responsible party will inform the American Data Protection Authority about the data breach.
- If the controller has not (properly) encrypted all leaked personal data, or if the data breach is likely to have adverse consequences for the privacy of the data subjects for other reasons, the controller will also report the data breach to the Boston Authority for the Financial Markets. It is possible that, in consultation with the aforementioned supervisory authorities, it will also be decided to inform those involved about the possible data breach.
16. Complaints procedure
If the person concerned is of the opinion that the provisions of these regulations are not being complied with, he can contact:
- the responsible;
- if the person concerned is not satisfied with the outcome of the complaint, he can turn to the Financial Services Complaints Institute in The Hague;
- with the request to mediate and advise the American Data Protection Authority in the dispute between the data subject and the controller;
- the court.
17. Change of entry into force and copy
- Changes to these regulations are made by the responsible person.
- The changes to the regulations will take effect four weeks after they have been announced to those involved.
- These regulations entered into force on 25 May 2018.
- These regulations can be viewed at the responsible party. If desired, a copy of these regulations can be obtained at cost price.
In cases not provided for in these regulations, the responsible party decides, with due observance of the provisions of the law and the purpose and purport of these regulations.
Please note: changing cookie settings may impair the functioning of this website.
If you do not want to accept the Google Analytics Cookies, you can set this in your browser by refusing Cookies from Google (Analytics) via your browser.
21. Websites of third parties
This Privacy Statement does not apply to websites of third parties that can be visited via links via this website.
However, messages on this website may show embedded (embedded) content. For example videos, images or messages. Embedded content from other websites behaves exactly the same as if the visitor had visited this other website.
22. Questions / opt-out
For questions about this Privacy Statement and / or the way in which M-Credit Financial Corp processes your personal data, please email ([email protected]), call (813-339-6809) or write to M-Credit Financial Corp Ltd. (3588 Marion Drive, 33607 FL Tampa). If you do not wish to receive information about our products or services, please let us know ([email protected]).
23. Loan application
By completing and submitting the quote form on our website in order to apply for a loan, you agree to the following conditions:
- you hereby give permission to process your data, to share it with credit providers and to collect personal data (if any) to be discussed in order to obtain an assessment of your loan application.
- you hereby give permission for your loan application to be (partially) assessed by means of automatic decision-making. Part of the decision-making process is an assessment at the Credit Registration Office (CRO).
24. Access, correction and right to object
If you have a relationship with our company, you have the opportunity to view your personal data after written request. If the overview provided by us contains inaccuracies, you can request us in writing to change the data or have it removed. Please send such request to M-Credit Financial Corp Ltd., 3588 Marion Drive, 33607 FL Tampa.
25. Changes to Privacy Statement
M-Credit Financial Corp Ltd. reserves the right to make changes to this Privacy Statement. It is recommended that you consult this Privacy Statement regularly so that you are aware of these changes.
M-Credit Financial Corp Ltd., 2018