
Privacy Policy

PRIVACY STATEMENT FUNDION SERVICING B.V.
Article 1: Definitions
For the purposes of this Privacy Policy, the following terms shall have the following
meanings:
1. Data Subject, Third Party, Personal Data, Processor, Processing and Controller: the
terms as defined in Article 4 of the GDPR.
2. Asset manager: the company that, for the management of the fund from which
Financiers wish to grant loans to Data Subjects, has entered into an Agreement with
Controller for this purpose.
3. GDPR: the General Data Protection Regulation.
4. Data breach: an infringement in connection with Personal Data, as referred to in
Article 4 under 12 of the GDPR.
5. Service: the service called Controller servicing that is provided to the Client and is
described in the Agreement.
6. Financier: the company that provides loans to Data Subjects and that has entered
into an Agreement with Controller for this purpose or makes use of the services
offered by Asset Manager for this purpose.
7. Controller: the private company Fundion Servicing B.V., administratively located at
Zuiderzeelaan 23 in (8017 JV) Zwolle, registered in the Chamber of Commerce Oost
Nederland under number 69779694.
8. Fyndoo: the software program used by Controller for the execution of the Service.
9. Personal Data: all data (including documents) that the Client makes available or
enters when using the Service, as well as all data (including documents) that are
processed and created when using the Service and can be traced back to an identified
or identifiable natural person (the Data Subject).
10. Data Subject (entrepreneur): the natural person (in the case of a sole proprietorship
or a V.O.F.) or the director-shareholder of a legal entity wishing to take out a loan
with Financier, which may or may not be provided from the fund managed by the
Asset Manager, and whose Personal Data are processed by Controller in the context
of the Service it provides to the client. It can also be an executive director or UBO of
our business partners or clients, whose personal data are processed in the context of
a KYC compliance check.
11. Client: the Asset Manager or Financier who has entered into an Agreement with
Controller in the context of the Service.
12. Agreement: the Agreement concluded between Controller and the Client, which is
also the contractual basis for the provision of the Service.
13. Parties: Controller and Client.
14. Privacy regulations: these regulations of Controller that describe how Controller
interprets the protection of Personal Data in accordance with the legal provisions as
included in the GDPR.
Article 2: Subject matter and division of roles
1. This Privacy Policy applies to the Processing in the context of the purposes referred to
in Article 6 and is part of the Agreement. These Privacy Regulations will be accepted
by the Client and made available to the Client at the time of entering into the
Agreement.
2. Controller is the Controller for the Processing of the Personal Data of the Client’s
employees. Controller is also the Controller for the Processing of the Personal Data of
the Data Subjects.
3. In addition to Controller, the Client is also the Controller for the Processing of the
Personal Data of the Data Subjects and (if applicable) Financiers.
4. By using the Service, the Client explicitly agrees with the Processing by Controller of
the Personal Data of its employees as well as of the Personal Data of the Data
Subjects and (if applicable) Financiers, all this as described in this Privacy Policy and
the Agreement.
Article 3: Basis for Processing Personal Data of (employees of) the Asset Manager and/or
Financier
1. Controller Processes the Personal Data of (employees of) Asset Manager and/or
Financier for the purpose of concluding the Agreement, the performance of the
Service, in the context of a legal obligation and in the context of the legitimate
interest of the Client and/or itself.
2. The Personal Data referred to in paragraph 1 relate to all Personal Data entered and
information provided by the Client when using the Service. The following Personal
Data are processed by Controller:
a. the name, function and business contact details of the natural person(s) who
use the Service on behalf of the Client;
b. technical information, such as the computer of the person referred to under
a., the operating system, the browser, the statistics regarding viewed pages
within the software used by Controller, the geographical location, the
referring URL and the IP address;
c. information that Controller (or its subcontractor on its behalf) collects using
cookies and web beacons.
3. In addition to the Processing referred to in paragraphs 1 and 2, Controller Processes
the Personal Data relating to Asset Manager or Financier in the context of compliance
with the Money Laundering and Terrorist Financing Prevention Act (Wwft). This
concerns:
a. the identity details (such as names, gender, date of birth, place and country,
nationality, marital status, details about and on the identity card and other
(contact) details);
b. (if applicable) information on the residence status;
c. details of the Financier’s profession and business;
d. Financial data, including:
– (if applicable) information about Financier’s company (including trade name,
VAT and Chamber of Commerce number, sector, annual accounts, directors
and shareholders);
– bank and payment details.
4. By entering into the Agreement, the Client agrees that Controller will proceed with
the Processing of the Personal Data referred to in this article. Controller is
Responsible for Processing the Personal Data referred to in this article and therefore
has independent control over the purpose and means of Processing this Personal
Data.
5. The Client himself fulfils his information obligations from the GDPR towards the Data
Subjects referred to in this article, whereby the Client will in any case report on the
Processing to be carried out by Controller.
6. The Client indemnifies Controller against any claims from third parties, which in any
case include the Data Subjects referred to in this article and the supervisor, which
relate to the Processing carried out by Controller within the framework of the
performance of the Service, unless there is an infringing Processing for which
Controller itself is responsible.
Article 4: Basis of the Processing of Data Subjects
1. In addition to the Processing as referred to in Article 3, Controller Processes the
Personal Data relating to the Data Subject for the performance of the Service, in the
context of a legal obligation and in the context of the legitimate interest of the Client
and/or itself.
2. The Personal Data referred to in paragraph 1 concern – depending on whether this is
necessary for the implementation of the Agreement concluded between the Parties -:
a. the identity details (such as names, gender, date of birth, place and country,
nationality, marital status, details about and on the proof of identity and
other (contact) details);
b. (if applicable) information on the residence status;
c. details of the Data Subject’s profession and business;
d. Financial data, including:
– turnover data;
– information about the company (including trade name, VAT and Chamber of
Commerce number, branch, annual accounts, directors and shareholders);
– WOZ value of any real estate;
– Income from a possible spouse, registered partner or tax partner;
– information about the assets;
– data on any obligations (such as current credits and mortgages);
– data on creditworthiness;
– bank and payment details.
e. interest rates, premiums, conditions of the products that the Data Subject has
applied for and of the agreement that the Data Subject has concluded.
3. By entering into the Agreement, the Client agrees that Controller will proceed with
the Processing of the Personal Data referred to in this article. Controller is
Responsible for Processing the Personal Data referred to in this article and therefore
has independent control over the purpose and means of Processing this Personal
Data.
4. The Client shall himself fulfil his information obligations towards the Data Subjects
under the GDPR, whereby the Client shall in any case report on the Processing
Operations to be carried out by Controller.
5. The Client indemnifies Controller against any claims from third parties, which in any
case include the Data Subjects referred to in this article and the supervisor, in
connection with the Processing carried out by Controller within the framework of the
performance of the Service, unless there is an infringing Processing for which
Controller itself is responsible.
Article 5: Purposes of Processing Personal Data
1. Controller Processes the Personal Data referred to in Articles 3 and 4 for the
following purposes:
a. the provision of its Services, consisting of facilitating the process of applying
for a loan, including assessing the creditworthiness, drawing up loan
documentation, monitoring, revising and managing the loans;
b. if applicable: the verification of identity and reliability under the Money
Laundering and Terrorist Financing Prevention Act (Wet ter voorkoming van
witwassen en financiering van terrorisme, Wwft);
c. the promotion of safe trade via the Service and the follow-up of complaints
and/or reports with regard to unlawful acts via the Service;
d. answering questions from the (employees of) the Asset Manager, Financiers
or Data Subjects;
e. compliance with these Privacy Regulations and the Agreement;
f. measuring the interest in its Service and improving and/or promoting the
Service;
g. improving risk models;
h. maintaining and expanding the (commercial) relationship with the Client and
the Data Subject (for example by offering other services to the Client or
offering an alternative product to a Data Subject);
i. carrying out market research;
j. the conversion of the Personal Data into statistical data, the result of which
can no longer be traced back to persons;
k. the implementation of applicable laws or regulations concerning the
Processing;
l. any other purposes as specifically described when collecting the information.
Article 6: Confidentiality and transfer of Personal Data to third parties
1. The parties shall ensure that everyone, including employees, representatives and/or
any Processors, involved in the Processing shall keep this information confidential.
Controller will ensure that a confidentiality agreement or clause has been concluded
for everyone involved in the Processing.
2. The confidentiality obligation referred to in paragraph 1 does not apply insofar as the
Client has explicitly consented to provide the Personal Data to a third party, if the
provision of these Personal Data to a third party results from the nature of the
purposes as stated in article 5 or if there is a legal obligation or a judicial decision to
provide the Personal Data to a third party.
3. Within the framework of the execution of the Service, Controller is authorized to
provide the Personal Data to Clients and the following categories of Processors:
– The software supplier engaged by Controller (Topicus.Finance B.V.) or a
hosting party;
– Credit registration agencies (such as Graydon, Focum and BKR);
– Know your Client (KYC) service providers (such as LexisNexis and Partner in
Compliance);
– Wwft review bureaus (such as Graydon).
4. If Controller proceeds to provide the Personal Data to other categories of parties
than those referred to in paragraph 3, Controller shall inform the Client thereof
separately.
Article 7: Modification of Personal Data, Rights of Data Subjects and Cooperation
1. Client can view the Personal Data of the Data Subjects within Fyndoo.
2. To view the Personal Data stored and not directly accessible through the Service, the
Client can contact Controller, unless Controller is not obliged under the GDPR to
provide such access.
3. If the Personal Data Processed by Controller are factually incorrect or incomplete or
are irrelevant for the purposes for which Controller Processes the Personal Data, the
Client can request Controller to improve, supplement, remove or protect the
Personal Data. Such requests will be dealt with in accordance with the applicable
laws and regulations in the field of Personal Data (including the GDPR, the GDPR
Implementation Act and the Wft). This request can be sent to info@fundion.nl.
4. In addition to the rights of rectification and erasure described in 7.3 above, a person
has the right to be informed, the right of access, the right to restrict processing, the
right to data portability, the right to object, and rights related to automated
decision-making, including profiling. Requests in relation to these rights can be sent
to the Controller, as per 7.3 above.
5. A complaint or request from a Data Subject or Financier with regard to the Processing
of his Personal Data will be dealt with by Controller in consultation with the Client.
6. The parties will – as far as reasonably possible and necessary – cooperate with each
other:
a. to comply within the statutory deadlines with the obligations under the
applicable legislation and regulations in the field of personal data (including
the GDPR, the GDPR Implementation Act and the Wft), more specifically the
duty to provide information to and the rights of Data Subjects, such as a
request to inspect, correct, supplement, destroy or protect their Personal
Data;
b. in the context of controls or audits;
c. in carrying out the data protection impact assessment (DPIA) and any
resulting consultation with the Authority for Personal Data;
d. in responding to requests from the Personal Data Authority or any other
public authority;
e. in the preparation, assessment and reporting of Data Leaks.
Article 8: Retention period and destruction
1. The Personal Data will not be kept longer than is necessary for the purposes as
described in article 5. Personal Data which, pursuant to applicable (tax) laws and
regulations, must be kept by Controller for a longer period of time, will not be kept
longer than 7 years after termination of the Agreement.
2. In the event of termination of the Agreement, the arrangements set out in Article 8
of the Agreement with regard to the return and deletion of the Personal Data shall
apply.
3. The information related to the Client and/or Data Subjects and resulting from the use
of the Service will only be kept longer than the period referred to in paragraph 1, in a
form that no longer makes it possible to identify the Data Subject.
Article 9: Security and control
1. Controller and its suppliers take various technical and organizational measures
(including encryption, passwords, physical security) to protect Personal Data
against unauthorized or unlawful Processing and against accidental loss,
destruction or damage.
2. All Personal Data is stored on multiple servers in secure data centres which are
monitored 24 hours a day, 7 days a week. Only a limited number of
authorized persons have access to these servers, which are physically located at
multiple locations in the eastern Netherlands.
3. The Personal Data is stored encrypted and is unreadable to unauthorized persons.
4. The Service is secured with an encrypted connection (256-bit SSL – shown by the lock
symbol in the browser) to ensure security between the Client’s computer and the
servers of (the suppliers of) Controller.
5. The measures referred to in the preceding paragraphs guarantee, taking into account
the state of the art and the costs of implementation, an appropriate level of security
in view of the risks involved in the Processing and the nature of the Personal Data to
be protected. The measures are also aimed at preventing unnecessary collection and
further Processing. The Personal Data will not be transferred outside the European
Economic Area.
6. The security of the Personal Data is regularly tested by leading external parties and
according to internationally recognised testing procedures.
Article 10: Exchange of information and data breaches
1. The parties shall inform each other of facts which they can reasonably expect to
affect the Processing by the other Party. If there is a change in the Service that affects
the Processing and/or security of the Personal Data, Controller will inform the Client
immediately.
2. The parties will inform each other as soon as possible about each Data Breach. The
parties will immediately take all reasonable measures to the best of their ability that
are necessary to safeguard Personal Data, restore security and prevent further
unauthorised access, modification and provision of the Personal Data. Parties shall
take these measures at their own expense, unless it appears that the Data Breach can
be attributed to one of the Parties, in which case the costs shall be borne by that
Party. In such cases, the Parties will cooperate with each other on request to inform
the competent authorities and the Parties concerned.
3. Insofar as a Party is required to inform the Data Subjects about one or more Data
Leaks as referred to in the preceding paragraphs, the Parties will provide each other
with all necessary cooperation. Parties are entitled to charge each other any
reasonable costs involved, depending on the question of who can be considered
responsible for the Data Leak.
Article 11: Amendment of the Privacy Policy
1. Controller is at all times entitled to unilaterally amend and/or supplement the Privacy
Regulations made available to the Client when registering for the Service. The most
current version will be found in Fyndoo within the Client’s Client environment.
Changes will also be brought to the attention of the Client during the use of the
Service and the Client will be given the opportunity to download the new version of
the Privacy Policy.
2. If the use of the Service is continued after this Privacy Policy has been amended or
supplemented, the changes will be deemed to have been accepted by the Client, unless the
Client has objected to this within seven days of the notification. If the Client does not
agree with the amended or supplemented Privacy Policy, he is entitled to terminate
the use of the Service with immediate effect.
3. Parties have the right to renegotiate the amendment of this Privacy Policy if this is
necessary as a result of changes in the Processed Personal Data, the applicable
security requirements and/or a change is necessary for compliance with the
applicable laws and regulations.
4. This Privacy Policy was last amended in August 2019.