1. Information about the controller
Our name is SIA Mobilly, registration number: 40003654405, registered address: Dzirnavu iela 91-k3, Riga, LV-1011.
We are an electronic cash institution registered in the register of Financial and Capital Market Commission with rights to provide payment services: HERE
2. Contact information for communication regarding matters on personal data protection
3. General description of our personal data processing
Personal data can be collected from the customer, from use of the customer services and external sources, for example, public and private registers and third parties. Personal data categories that we generally collect and process are, but are not limited to the following:
▪ Identification and due diligence data, for example, name, surname, personal code, date of birth, status of a politically exposed person, data of the personal ID (for example, a passport copy, ID card), mobile phone number.
▪ Contact details, for example, address, telephone number, e-mail address.
▪ Data about the Customer’s tax residence, for example, data about the country of residence, taxpayer’s number, citizenship.
▪ Data obtained and/or created while performing the statutory obligations, for example, data that result from information requests, which have been received from investigation authorities, sworn notaries, tax administration authorities, courts and bailiffs, etc.
▪ Data collected when the customer uses our services, for example, entered vehicle numbers, state of vehicle number plate (except in cases when the recognition of a vehicle number is made automatically, but the vehicle number is not associated with a specific person, i.e. the person is not a Mobilly customer), service payment time and dates, user’s individual profile settings, technical characteristics of the used mobile devices, version number of the used Mobilly mobile application, time of the last visit to the Mobilly application.
▪ Communication data that are used when the customer contacts us by phone, visual and/or audio records, e-mail data and other means of communication, for example, social media, data obtained when the customer visits our web site or contacts us through other channels, data of the used devices.
▪ Data on participation in our games and campaigns, for example, gained points, prizes won at games or campaigns.
We are aware that personal data is your property and value, and we will process them in compliance with confidentiality requirements and by ensuring security of your personal data available to us.
4. For what purpose we process your personal data and what is the legal basis for processing the personal data?
We will process your personal data only for the pre-defined legitimate purposes, including:
a) To initiate and provide services, as well as to perform and ensure obligations under a contract (including a cooperation contract)
For this purpose, we need to identify you, ensure appropriate calculation of payments and the payment settlement, communicate with you about service provision and/or matters related to performance of the contract, and in certain cases also ensure collection of outstanding payments.
For this purpose and the indicated sub-purposes, we might need at least the following personal data: name, surname, personal code, address (mail address), bank account number, payment card number and validity term, telephone number, vehicle number, e-mail address of the customer, customer’s and/or cooperation partner’s contact person.
Main applicable legal basis to exercise these purposes:
– Conclusion and performance of a contract with the data subject (Article 6(1)b of the General Data Protection Regulation);
– Compliance with a legal obligation (Article 6(1)c of the General Data Protection Regulation);
– Controller’s legitimate interests (Article 6(1)f of the General Data Protection Regulation), for example, identifying you as a customer’s and/or cooperation partner’s contact person, ensuring communication with you.
b) Performance of requirements specified in regulatory enactments with regard to customer identification, due diligence and service provision or performance of other requirements specified in regulatory enactments
Within the scope of this purpose, we need to comply with requirements of the “Payment services and electronic money law”, “Law on the Prevention of Money Laundering and Terrorism Financing”, regulations issued by the FCMC (Financial and Capital Market Commission), law “On accounting”, law “On taxes and duties”, “Archive law” and other regulatory enactments.
For this purpose, and to implement the “Know your client” principle, we might need to process the following personal data: name, surname, personal code, address, IP address of the customer, customer’s representative, customer’s beneficial owner, customer’s and/or cooperation partner’s contact person, customer’s status as a politically exposed person, family member of a politically exposed person, or the customer being closely related to a politically exposed person.
Main applicable legal basis to exercise these purposes:
– Compliance with a legal obligation (Article 6(1)c of the General Data Protection Regulation).
c) Provision of marketing activities
For this purpose, we might send you commercial notifications, ensure your participation in our organised lotteries and/or raffles, as well as publish materials from our organised published events.
For this purpose, we might need at least the following personal data: Name, surname, telephone number, e-mail address of the customer, customer’s and/or cooperation partner’s contact person.
Main applicable legal basis to exercise these purposes:
– data subject’s consent (Article 6(1) a of the General Data Protection Regulation);
– conclusion and performance of a contract with the data subject (Article 6(1)b of the General Data Protection Regulation);
– controller’s legitimate interests (Article 6(1)f of the General Data Protection Regulation), for example, ensuring communication.
You are entitled to waive receiving our marketing notifications. This can be done as follows:
(a) following the instructions in the respective marketing notification on how to refuse the notifications;
(b) contacting us by e-mail indicated in Section 2.
Please take into account that if you waive receiving marketing notifications, you can still receive administrative notifications and text messages from Mobilly, for example, notifications about activities in your account (for example, account approval and password change, or a bank card that expires, etc.).
d) Elimination of threats to security and financial interests, and ensuring our or third parties’ other significant legitimate interests
For this purpose, we need to ensure video surveillance of our territory, building and other properties, record telephone calls to improve service quality, use personal data processors to ensure various functions in case of lawful necessity, disclose information to the Control Service, State Revenue Service, Financial and Capital Market Commission, State Police, bailiffs and other state authorities, share information within the group of companies, use the rights granted by regulatory enactments, ensure one’s legitimate interests.
For this purpose, we might need to process at least the following personal data: name, surname, personal code of the customer, customer’s and/or cooperation partner’s contact person, vehicle number, vehicle location and time, and other data, as needed.
Main applicable legal basis to exercise these purposes:
– Controller’s legitimate interests (Article 6(1)f of the General Data Protection Regulation), for example, to detect criminal offences, ensure collection of debts.
e) To ensure due provision of services
For this purpose, we need to maintain and improve technical systems and IT infrastructure, use technical and organisational solutions that could use also your personal data (for example, by using cookies) with the aim to ensure due provision of services.
We wish to inform you that when Mobilly services are used in the mobile application or on the web site, we log data and information to help Mobilly in case of operation faults. These data contain the following information: the internet protocol (IP) address of the used device, device name, operating system, version of the mobile application, time and date of using the Mobilly service, as well as other statistics. The majority of the data are collected in the Mobilly internal system; however, we also use third party systems to collect statistics.
Third party systems used for due performance of services:
Main applicable legal basis to exercise these purposes:
– Controller’s legitimate interests (Article 6(1)f of the General Data Protection Regulation).
5. Who could access your personal data?
We take measures to process your personal data in compliance with the applicable norms of law and to ensure that your personal data are not accessed by third parties who have no appropriate legal grounds to process your personal data.
Your personal data, where necessary, could be accessed by
1) our employees or directly authorised persons who need them for performance of job duties;
2) personal data processors in compliance with their provided services and only to the required extent, for example, auditors, finance management and legal advisers, data base developers/technical maintainers, other parties who are related to provision of controller’s services;
3) state and municipality institutions in cases specified in regulatory enactments, for example, law enforcement institutions, municipalities, tax administration, bailiffs;
4) third parties, by carefully considering, whether this data transfer has the appropriate legal basis, for example, debt collectors, courts, extra-judicial dispute solution institution, bankruptcy or insolvency administrators, third parties that keep registers (for example, population register, debtor and other registers).
6. What cooperation partners do we choose in personal data processing?
We take measures to ensure processing, protection and transfer of your personal data to data processors in compliance with regulatory enactments. We carefully choose personal data processors, and upon transferring data we assess its necessity and the scope of the transferable data. Data are transferred to the processor in compliance with requirements of personal data confidentiality and safe processing.
We cooperate with the following categories of personal data processors:
1) auditors, finance management and legal advisers;
2) technical keepers of IT infrastructure, data base;
3) other parties who are related to ensuring provision of our services.
Personal data processors can be changed from time to time. In that case, the respective changes are introduced also in this document.
7. Are your personal data sent outside the European Union (EU) or European Economic Area (EEA)?
We do not transfer data to countries that are located outside the European Union or European Economic Area.
8. How long will we store your personal data?
Your personal data are stored while they are necessary for the respective purpose of personal data processing, as well as in compliance with requirements of the applicable norms of law (for example, laws on accountancy, prevention of money laundering, lapse, civil rights, etc.). Upon assessing the length of personal data storage, we take into account the effective requirements of regulatory enactments, aspects of contract performance, your instructions (for example, in case of your consent), as well as our legitimate interests. If your personal data are not needed anymore for the determined purpose, we will delete or destroy them.
Below, we indicate the most common terms of personal data storage:
· personal data needed to perform the contract – we will store, until the contract is completed and until other storage terms expire (see below);
· personal data that must be stored to perform requirements of regulatory enactments – we will store for the term specified in the respective regulatory enactments, for example, law “On accounting” states that source documents must be stored until the day when they are needed to detect origins of each economic transaction and to track its progress; however, not less than 5 years;
· data to prove performance of one’s liabilities – we will store for a general term of claim lapse in compliance with the time limits specified in regulatory enactments: 10 years in the Civil Law, 3 years in the Commercial Law and for other terms taking into account the deadlines specified in the Civil Procedure Law for bringing claims.
· under the Law on the Prevention of Money Laundering and Terrorism Financing, we will store information about a Customer for 5 years after expiry of the transaction relations.
9. What are your rights as a data subject in relation to processing of your personal data?
Personal data update
If changes have been introduced to the personal data that you have provided to us, for example, changes to the personal code, communication address, telephone number or e-mail, we ask you to contact us and submit the updated data allowing us to comply with the personal data processing purposes.
Your rights to access your personal data and correct them
According to the provisions of the General Data Protection Regulation, you are entitled to access your personal data that are available to us, to claim their correction, deletion, restriction of processing, object to processing of your data, as well as rights to data portability in the cases and pursuant to the procedure specified in the General Data Protection Regulation.
Important! To prevent money laundering, as a financial institution we must introduce and maintain personal data processing systems about customers and persons, with whom business relations have not been started or have been terminated in compliance with the procedure specified in the Law on the Prevention of Money Laundering and Terrorism Financing. The personal data processing systems can include information about these persons’ beneficial owners and authorised persons. In these cases, the personal data processing is not subject to the data subjects’ rights specified in the Personal Data Protection Law to claim information about data processing, including its purposes, recipients and sources. Under the Law on the Prevention of Money Laundering and Terrorism Financing, data subjects are not entitled to access their data and request to amend, destroy them, stop or prohibit their processing. The Data State Inspectorate is entitled to verify whether personal data processing complies with requirements of regulatory enactments, in cases when the controller is prohibited by law from informing the data subject, and a respective application has been received from the data subject (Section 29 of the Personal Data Protection Law).
We respect your rights to access and control your personal data; therefore, when we receive your request, we will respond within the term specified in regulatory enactments (usually within one month at the latest, unless the request is special and requires a longer time to draft a reply), and where possible, we will respectively correct or delete your personal data.
You can obtain information about your personal data available to us or enforce your other rights as a data subject, as follows:
1) by submitting a respective Request in person and identifying yourself at our office at the address: Dzirnavu iela 91 k-3, Riga, LV-1011, each business day from 9 to 17;
2) by submitting a respective request by sending it to us by mail at the following address: Dzirnavu iela 91 k-3, Riga, LV-1011.
3) by submitting a respective request by sending it to us by e-mail: [email protected], it is advisable to sign it with a safe electronic signature.
The data subject request form is available here: HERE
Upon receiving your Request, we will assess its content and the possibilities to identify you, and depending on the respective situation we reserve the right to ask for additional identification from you to ensure the safety of your data and their disclosure to the respective person.
Revocation of the consent
If processing your personal data is based on your consent, you are entitled to revoke it at any time, and for the respective purpose, we will not process your personal data, which were processed on the basis of the consent. However, we inform you that revocation of the consent cannot affect processing of personal data that is needed to comply with regulatory enactments or that is based on a contract, our legitimate interests or other grounds specified in regulatory enactments for lawful processing of data.
You can object to processing of your personal data if the processing of personal data is based on legitimate interests or is used for marketing purposes (for example, to send commercial notifications or participation in lotteries).
10. Where can you submit a complaint on issues related to personal data processing?
If you have any questions or objections to our personal data processing, we ask you to contact us first.
If, however, you consider that we have been unable to solve mutual problems and you believe that we still violate your rights to personal data protection, you are entitled to submit your complaint to the Data State Inspectorate. Application samples for the Data State Inspectorate and other related information are available at the home page of the Data State Inspectorate (HERE).
11. Why do you need to submit your personal data to us?
We collect your information to comply with the contractual obligations, perform our binding legal obligations and enforce our legitimate interests. In these cases, we need to collect information to reach the set purposes, thus failure to submit this information can threaten entering into business relations or performance of the contract. If submission of data is not mandatory, but their submission could improve the service or offer you beneficial contract provisions and/or offers, upon collecting the data we will indicate that provision of data is voluntary.
In addition, we wish to inform you about the main requirements of regulatory enactments with regard to personal data processing:
1) the Law on the Prevention of Money Laundering and Terrorism Financing, Cabinet Regulations and regulations of the Financial and Capital Market Commission specify what data and information are needed to identify the customer, due diligence and enhanced due diligence;
2) The law On Accounting requires indication of the following personal data in an economic transaction document (contract) concluded by the natural person: name, surname, personal code (if the person has obtained a personal code), address indicated by the person, or, if no address has been indicated, address of the declared residence.
12. How do we obtain your personal data?
We can obtain your personal data in any of the following ways:
1) during conclusion of a mutual contract, by obtaining data directly from you;
2) if the contract is concluded with a third party, and it has indicated you as the contact person;
3) from you if you submit any applications, e-mails, call us;
4) from you if you subscribe to our services online;
5) from you upon authorisation on the web site www.mobilly.lv;
6) from you upon authorisation in the application;
7) on the web site www.mobilly.lv, through cookies;
8) in certain cases, from third-party data bases, for example, upon assessing your compliance with the status of a politically exposed person, upon inspecting sanction lists (OFAC, UNO, EU etc.), we can obtain data from third parties for this purpose;
9) in certain cases, from video surveillance records.
13. Are your personal data used to adopt automated decisions?
We do not use your data to adopt automated decisions.
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).