This Privacy Notice explains how Monestro P2P OÜ (hereinafter: Monestro or we), a company established under the laws of the Republic of Estonia, with its registry code 12651582 and legal address at Tartu mnt 83, 10115 Tallinn, Estonia, processes the personal data of natural persons (hereinafter the data subject or you) in the course of providing its services.
Monestro processes your personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation 2016/679 (hereinafter: GDPR).
You have several rights that you can exercise as regards your personal data. Monestro respects these rights and wants to help you exercise these rights. You can find information on how to do this below.
For the sake of clarity, any terms used in this Privacy Notice are understood as defined in the GDPR.
Monestro is the controller of your personal data. Monestro is responsible for the processing of your personal data in accordance with this Privacy Notice and applicable data protection legislation.
Monestro’s contact details:
Address: Tartu mnt 83, 10115 Tallinn, Estonia
DATA PROTECTION OFFICER
Monestro has appointed a Data Protection Officer.
PURPOSES AND LEGAL BASES FOR PROCESSING
We process your following personal data for concluding a contract with you and for fulfilling our obligations thereunder (GDPR Art 6(1)(b)):
- data allowing your identity verification (mainly name, surname, personal identification code, date and place of birth, nationality, identity document data and a copy thereof);
- contact details (mainly telephone number, e-mail address);
- financial data (mainly bank account number, your transactions on Monestro’s platform);
- contracts and their performance (mainly current and previous contracts, payment history and transactions, etc.);
- data on your user account (mainly the user ID, activities on our website).
If you have entered into a contractual relationship with us via the Monestro platform, we may process your personal data for the fulfilment of our legal obligations (GDPR Art 6(1)(c)) to the extent personal data processing is absolutely necessary for the performance of such obligations (e.g., for the performance of the obligations stipulated in the Accounting Act, the Auditors Activities Act, the International Sanctions Act, the Creditors and Credit Intermediaries Act).
We process personal data for the performance of a task in the public interest (GDPR Art 6(1)(e), § 48(2) of the Estonian Anti-Money Laundering and Terrorist Financing Prevention Act adopting Article 43 of Directive (EU) 2015/849 (consolidated version 09/07/2018)).
Since Monestro is obliged to apply measures for the prevention of money laundering and terrorist financing, Monestro may process your personal data for that purpose. Monestro may collect additional information about you to fulfil this obligation (e.g., data on the origin of your wealth, information about you potentially being a publicly exposed person, your field of activity, but also your IP address). To fulfil this obligation where our client is a legal person, we may also need to process the personal data of the shareholders, beneficial owners, management board members and other natural persons related to the client.
The information collected by Monestro solely for the application of the money laundering and terrorism financing prevention measures shall not be processed for any other purpose by Monestro.
If you entered into a contractual relationship with us via the Monestro platform, we may process the following personal data for the purposes of our legitimate interests listed below (GDPR Art 6(1)(f)). In each case we have determined that these interests are not overridden by your interests or fundamental rights and freedoms which require protection of personal data:
- all of your personal data if it is necessary for us to protect our rights and interests (e.g., for preparing and submitting claims against you should you fail to fulfil your contractual obligations or to defend ourselves against your legal claims);
- your user account data and contact details to send you informative e-mails about the status of your user account and the performance of your transactions;
- your user account data and contact details to send you offers and marketing e-mails or messages about our service or investment opportunities;
- data about your use of our platform or other personal data (including your age, residency, preferred language) to make sure that we only send you suitable marketing materials (for example to ensure that we send you marketing materials in your preferred language and only if they are relevant for persons residing in your country);
- your user account data and contact details to remind you about your obligation to provide us data for the purpose of prevention of money laundering and terrorism financing (for example to provide us a copy of a new personal identification document if the previous document has expired or will soon expire);
- the name and contact details of the representative of a legal person for which a user account is created (in any such case, we may also demand proof of representation rights and data for identity verification) so that we would be able to contact;
- your user account data, IP address, the web browser you use, to analyse the user experience of the website and improve the quality of service.
If you have been granted consumer credit via our platform before 1.02.2021, all of the personal data we have collected about you may also have been processed for the purpose of assessing your creditworthiness. For that purpose we have processed your data to fulfil our legal obligation (GDPR Art 6(1)(c)). Currently we may have to store the personal data used for creditworthiness assessment due to our legal obligation to do so.
If you have been granted consumer credit by a third party who has assigned their claim against you via our platform, we may store your personal data provided in your credit agreement based on our legitimate interests or in the legitimate interests of the assignees (GDPR Art 6(1)(f)) to ensure that the claims assigned via our platform are real and that we have the possibility to demand direct payment in case your creditor breaches its obligations before us.
If you are not a registered user, we do not process your personal data unless (i) you start the process of opening a user account in which case we may, based on our legitimate interests, use the contact details you have provided to us and send you reminders if you do not complete the process (GDPR Art 6(1)(f)), (ii) you submit your personal data to us in your request or inquiry in which case we will only process your personal data to the extent necessary for sending you a reply, (iii) you provide your personal data to us via our chatbot which we ourselves will never require you to do, in which case we will not process such personal data any further and ask you to either log into your user account or contact us another way.
We may process your personal data on the basis of your consent. In such a case, the purpose of the personal data processing, the categories of personal data processed on the basis of consent and other necessary details are described in the consent text.
Monestro does not process personal data of underage persons (i.e., persons under the age of 18). If you are underage and wish to open a user account, we will suspend the process once we learn about your age. We will periodically delete the data we have unintentionally collected about underage persons.
Monestro does not process special categories of personal data. Monestro does not process data related to criminal convictions.
If the legal basis for the processing of your personal data is our legitimate interest or that of a third party, you have the right to receive additional information and to object to such processing at any time.
Depending on the type of personal data and the basis for their processing, Monestro may not be able to fulfil all of its contractual obligations or continue the contractual relationship if you refuse to disclose certain personal data to Monestro.
SOURCES OF PERSONAL DATA
We collect your personal data from the following sources:
- from you;
- from other companies in the group to which Monestro belongs, from which we may collect personal data to fulfil our contractual and legal obligations towards you, to verify data you have provided to us or for other purposes provided that we have a legal basis for that;
- from third parties, including public databases, public authorities, banks, identity verification service providers, bank account verification service providers and such other persons from whom we collect data for fulfilling our obligations related to the prevention of money laundering and terrorism financing.
DISCLOSURE OF PERSONAL DATA
In order to achieve the purposes of the processing described in this Privacy Notice, we may use the following categories of data processors, who may have access to your personal data:
- the companies in the group to which Monestro belongs which provide various services to us (such as accounting services and IT services, incl. platform administration);
- cloud-based storage providers;
- customer support service providers;
- companies providing services which help us fulfil our obligation to apply measures for preventing money laundering and terrorism financing;
- marketing and marketing tools service providers.
We require data processors to keep your data secure and process it in accordance with our instructions and requirements, which in turn are in line with this Privacy Notice, the GDPR, and applicable law.
We may make your personal data available especially to the following third parties:
- banks, payment institutions or e-money institutions providing payment services to us to whom we transfer personal data related to payments for the fulfilment of the agreement concluded between us (GDPR Art 6(1)(b));
- authorities, such as the Tax and Customs Board, the Financial Supervision Authority, the FIU, the controllers of public databases for the fulfilment of our legal obligations (GDPR Art 6(1)(c));
- auditors to whom we transfer personal data in relation with our legal obligations (GDPR Art 6(1)(c));
- other third parties, such as legal service providers, courts, bailiffs, and trustees to whom we transfer your personal data in relation with the protection of our rights and interests (GDPR Art 6(1)(f));
- legal and financial advisors and other interested parties (persons who plan to acquire Monestro or take over the business of Monestro) in relation with potential mergers, acquisitions, or business transfers for the purpose of our legitimate interests in selling or reorganising our business (GDPR Art 6(1)(f));
- couriers and postal service providers to whom we may transfer data primarily in relation with our contractual relationship (GDPR Art 6(1)(b)).
We disclose your personal data on the basis of our or a third party’s legitimate interest only if we are confident that those interests are not overridden by your interests or fundamental rights and freedoms which require protection of personal data. Since in general we only disclose data under this legal basis when it is necessary to protect our rights and interests (i.e., there has been a violation or suspicion thereof), we consider it justified.
If the legal basis for processing your personal data is our legitimate interest or that of a third party, you have the right to receive additional information about and to object to such processing at any time.
TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
We generally do not process your personal data outside the European Economic Area (EEA, i.e., the Member States of the EU, Norway, Iceland and Liechtenstein), but our processors and third parties to whom we transfer your personal data may do that.
Where necessary, the transfer will only take place if we have a legal basis to do so, including in particular if the recipient: (i) is located in a country which the European Commission considers to have an adequate level of protection of personal data, or (ii) has concluded an agreement, which meets the requirements of the GDPR for the transfer of personal data to recipients outside the EEA, (iii) meets other requirements established in GDPR which allow transfer of personal data outside of EEA to such recipient.
RETENTION AND SECURITY
We will not store your personal data longer than necessary in order to achieve the purposes of processing. When determining the retention periods for personal data, we use the following criteria:
- the purpose for which the personal data were collected;
- the time period during which Monestro is tied to you;
- the existence of a legal obligation under the applicable law;
- necessity due to Monestro’s legal status (e.g., expiry of a claim, litigation or regulatory procedures).
We usually determine the data retention periods based on our respective legal obligations. For example:
- we are obliged to retain the personal data processed for the purpose of prevention of money laundering and terrorism financing for 5 years from the end of our contractual relationship;
- accounting records must be retained for 7 years from the end of the financial year of recording such documents or from the performance of the obligations thereunder.
We may retain your personal data for a longer period of time if it is necessary for the protection of our interests. If we do so, we apply the prescribed claim expiration period, which for contractual claims is up to 10 years.
Once we have determined that we no longer need your personal data, we will delete them from Monestro’s systems or anonymise them.
You have various rights as regards your personal data we process. We may wholly or partially reject your application if required or allowed by law. If we refuse to comply with the application, we will inform you of the reason for this, unless prohibited by law.
- Right to request access to the data: you can ask us at any time to confirm which personal data we process and receive a copy of those data.
- Right to rectification: you may require us to correct and complete the personal data processed by us if they are inaccurate or incomplete.
- Right to data erasure: you have the right, in certain cases, to request that we erase your personal data, e.g., (i) when the personal data are no longer necessary in relation to the purposes for which they were processed; (ii) you withdraw your consent and there is no other legal basis for processing; (iii) you object to the processing and there are no overriding legitimate grounds for the processing or you object to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with our legal obligation. Even then we are not always required to erase the personal data. For example, we are not required to erase your personal data when the processing is necessary for compliance with our legal obligation or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing: you have the right, in certain cases, to request for the processing of your personal data to be restricted, i.e., (i) when the accuracy of the personal data is contested for a period enabling us to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; (iv) you have objected to processing, pending the verification whether our legitimate grounds override yours.
If the processing of personal data is restricted, we may nevertheless store the personal data and process them with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
- Right to object: in certain cases you have the right to object to the processing of your personal data if they are processed in our legitimate interest or those of third parties. In such case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. When you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- Right to data portability: you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format and the right to transfer this data to another controller if the processing is based on your consent or contract and is carried out by automated means. If technically feasible, you have the right to request that we transfer the data directly to another controller.
- Right to not be subject to a decision based solely on automated processing: you are entitled not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision (i) is necessary for entering into, or performance of, a contract between us; (ii) is authorised by applicable law; or (iii) is based on your explicit consent.
- Right to complain to a supervisory authority: if you have any complaints about how we handle your personal data, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or place of work or the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
The Estonian Data Protection Inspectorate can be contacted at:
Address: Tatari 39, 10134 Tallinn
Phone: +372 627 4135
To exercise your rights, please contact us using the contact details referred to above.
LINKS TO THIRD-PARTY WEBSITES
Links to third-party websites are only provided when considered useful or informative to you. We are in no way responsible for those websites or their content. Please note that third-party websites may have in place different privacy policies and/or security standards that we recommend you to review.
Whenever Monestro changes its personal data processing practices, we make and notify you of the relevant changes to the Privacy Notice via our website and by e-mail.
Should you have any questions about this Privacy Notice or the processing of your personal data, please contact us on the contact details provided above.
This Privacy Notice is valid from 01.04.2021.