Introduction

Straetus Luxembourg (hereinafter: Straetus) places high importance on privacy, and therefore it is essential for it to handle personal data with the utmost care. This privacy statement describes what personal data Straetus collects, how it is stored, and for what purposes it is used. All of this is done based on the General Data Protection Regulation (GDPR).

At Straetus, maintaining the client relationship between creditor and debtor is a priority. Information about the personal reasons for non-payment is recorded to ensure a fair and effective collection process. Telephone calls are recorded for training purposes and for documenting agreements made by phone.

This privacy statement applies to all entities of Straetus. Straetus Luxembourg is established in the Netherlands and is therefore subject to Dutch law and regulations. The entities of Straetus include the franchisor, the franchisee, and all employees. Straetus has the right to transfer personal data within the Straetus franchise organization if appropriate GDPR safety controls have been implemented within the receiving organization.

Execution

Straetus stores personal data in accordance with legal requirements.

Without processing certain personal data, Straetus cannot conduct its business activities. Straetus processes personal data for the execution of a contract where the data subject is a party and/or in the legitimate interest of the creditor in relation to an outstanding invoice. Automated decision-making is necessary for an efficient collection procedure and business operations. Straetus uses technical and organizational security measures to protect the processed personal data in accordance with GDPR guidelines.

The processed personal data are used by Straetus to carry out its business activities. Only authorized personnel have access to this data. After the conclusion of the collection or debtor process, the personal data will be anonymised for statistical and historical purposes.

Definitions:

Transparency: The person whose data is processed is aware of this, has given consent, and knows their rights;

Purpose restriction: Personal data is collected for a specific legitimate purpose and may not be used for other purposes;

Data restriction: Only the necessary data required for the intended purpose may be collected;

Accuracy: Personal data must be accurate and kept up to date;

Storage restriction: Personal data may not be retained longer than necessary for the intended purpose;

Integrity and confidentiality: Personal data must be protected against unauthorized access, loss, or destruction;

Accountability: The responsible party must be able to demonstrate compliance with these rules.

Personal data processed by Straetus:

• Name, address, and contact details
• Gender
• Nationality
• Date of birth
• Phone number(s)
• Email address(es)
• Bank account number(s)
• Company details
• Other personal data provided by phone, mail, or email
• Other personal data obtained from public sources
• Data for assessing financial capacity, such as income (mortgage) debts, payment behavior, defaults, and credit registration
• Data regarding payment arrangements

Straetus obtains personal data from the client and from public sources. In certain cases, personal information such as health issues, disability, or other private situations may contribute to a better resolution of claims, such as arranging a suitable payment plan.

Straetus does not disclose personal data without the data subject's consent, unless necessary for the execution of services and/or the agreement, or required by law.

Straetus employees have access to personal data. Employees are bound by a confidentiality obligation.

With companies processing data on behalf of Straetus, a data processing agreement is concluded to ensure a similar level of security and confidentiality of personal data.

There are exchange agreements with credit registration agencies and other service providers. Personal data are exchanged in the context of the collection procedure with, among others, clients, print and mail services, land registry research, call centers, collection agencies, legal professionals, credit registration agencies, bailiffs, and government authorities. Straetus remains responsible for these processing activities. If collection of the claim occurs abroad, personal data are protected according to GDPR legislation.

Straetus may be legally required to provide personal data to (semi-)governmental agencies.

Data retention period and deletion of personal data

Data are retained as long as necessary to achieve the legitimate purpose for which Straetus obtained the data and as long as Straetus has a justified interest in retaining the data, such as for a proper collection procedure. Furthermore:

• Until the limitation period has expired, allowing Straetus to defend against potential claims
• To prevent/detect fraud
• To detect money laundering activities
• For financial/fiscal inspections

When Straetus deletes no longer relevant personal data and other data, it also removes them from its backups. This is done when the backup tape is updated.

GDPR data subject rights

Every natural person whose personal data are processed by Straetus has the following rights:

• Right to Access (GDPR Article 15): The right to access their personal data and information on how these data are processed;
• Right to Rectification and Erasure (GDPR Article 17): The right to request correction and/or deletion of their personal data on certain grounds;
• Data Portability (GDPR Article 20): Data must be provided by the data controller in a structured, commonly used, and machine-readable format;
• Right to Restrict Processing: After objection, Straetus adjusts personal data, unless in the case of legal claims, to protect the rights of others, or for reasons of public interest;
• Right to Object: To object to the processing of personal data by Straetus;
• Right to Lodge a Complaint: To file a complaint with the supervisory authority.

Contact Person, request and complaints procedure

The GDPR contact person for Straetus is D. Kuipers (email address: avg@straetus.nl). The contact details of this person will be provided upon request.

Upon request, the contact person will provide:

• An overview of the categories of data being processed (GDPR Article 15, paragraph 1 sub b);
• A copy of the actual data (GDPR Article 15, paragraph 3);
• Information on the purpose of the processing (GDPR Article 15, paragraph 1 sub a);
• Information on with whom the data are shared (GDPR Article 15, paragraph 1 sub c);
• Information on how the data were obtained (GDPR Article 15, paragraph 1 sub g).
• Requests and objections can be submitted by email and will be handled within four weeks.

If a request or complaint is not satisfactorily resolved, a complaint procedure is available with the Dutch Data Protection Authority (see: www.autoriteitpersoonsgegevens.nl).

Changes to the privacy statement

Straetus reserves the right to amend this privacy statement without prior notice.

For the privacy statement of Straetus International, please refer to https://www.straetus.com/gdpr-privacy-statement/

Requests for access or anonymisation of data stored in the website database can be submitted on this page.

Note: This only concerns the anonymisation of data in the website database. Requests for access to all other data can be submitted via the aforementioned email address.