Personal data

 

For us, Access Finance AD (the Company), the protection of your personal data is of paramount importance. Therefore, we would like to inform you on what grounds, for what purposes, within what terms and by what means your personal data is processed when you visit our website www.accessfinance.eu and apply for a cash loan from the Company. We strictly adhere to the applicable data protection regulations for each personal data processing operation. As of 25 May 2018, the General Data Protection Regulation 2016/679 ("Regulation 2016/679") applies directly on the territory of the EU, including the Republic of Bulgaria. It gives you enhanced data protection rights, to which our more detailed obligations correspond. You can find out more on this below in this Privacy Policy (the "Policy").

I. Introduction

In this Privacy Policy, Access Finance, "we", "us" or "our" means "Access Finance" AD and "you", "your" and "user" means visitors to our website – www.accessfinance.eu.

This Privacy Policy explains and governs:

• how and when we collect your personal data and what information we collect;

• how and why we use your personal data;

• which categories of third parties have access to your personal data; and

• your rights to control your personal data.

Please read this Privacy Policy carefully. By accessing and using our website and services, you confirm that you have had the opportunity to read this Policy, that you understand it and that you agree to be bound by it. If you do not, you will not be able to make full use of the services provided through the website.

We may modify the Policy from time to time to comply with applicable laws and regulations or to meet changing business requirements. We encourage you to periodically review this page for the latest information about our privacy practices and changes to our Privacy Policy. Each time we make a change to the Policy, we will notify you of the possible effects of the change without delay and in summary on our website www.accessfinance.eu and at our customer service offices on the territory of the Republic of Bulgaria.

II. General information

1. Some concepts relevant to a better understanding of this Policy:

"Personal data" – this is any information that relates to an individual and which, alone or in combination with other information, can lead to his or her identification.

"Personal data subject" – living natural persons who are identified or identifiable through the processed personal data.

"Processing of personal data" – this is any action that we perform or may perform with your personal data, including, but not limited to, their collection, analysis or destruction.

"Personal Data Administrator" – a person who determines the purpose of the processing of personal data on one of the grounds provided for by law, as well as the means by which such processing is carried out – for example, the technical infrastructure, and is responsible for the obligations regarding the security and protection of personal data. With regard to your personal data that is processed under this Policy, the Company, in some cases together with the joint controllers described below, determines the purpose of the processing of your data on one of the grounds provided for by law. In general, we also determine the means by which this processing is carried out – for example, the technical infrastructure and the applications with which the processing is carried out. Obligations regarding the security and protection of your personal data arise for us.

"Joint administrators" – two or more controllers who jointly determine the purposes and means of the processing of personal data. Within the meaning of this Policy, joint administrators are Access Finance AD, Easy Asset Management AD, Fintrade Finance AD and Viva Credit OOD on the basis of agreements for processing and protection of personal data between joint controllers.

"Personal Data Processor" – this is a third party that processes your personal data on our assignment, whereby Access Finance AD has strictly determined the purpose of the processing, the means by which it occurs and has checked whether the person meets the requirements of the GDPR. Such a processor may be, for example, an agency that is responsible for a marketing campaign of Access Finance AD on a social network and creates reports on its success.

"Personal data breach" – a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Digital assets" – the website www.accessfinance.eu, all landing pages maintained by the Company, web, native and mobile applications available to customers.

Group of companies in "Management Financial Group" ("MFG") – a group of companies owned and/or controlled, directly or indirectly, by Management Financial Group AD, incorporated and existing under the laws of the Republic of Bulgaria, with UIC 203753425. For the purposes of this Policy, "MFG Companies" means only those located and operating on the territory of the Republic of Bulgaria. You can find more information about all companies in the MFG Group here.

2. Who are we?

Access Finance AD is a company that has as its object the provision of cash loans with its own funds under the Credit Institutions Act, as well as any other activity not prohibited by law.

3. How can you contact us?

"Access Finance" AD has its headquarters and address of management in Sofia, rayon Triaditsa, "Ivan Vazov", ul. "Balsha" No 1, bl. 9, fl. 2, tel. for contact - 0700 20 140. You can contact us by visiting us at the address indicated in the previous sentence or on our website www.accessfinance.eu.

4. Who in the organization is responsible for the protection of my personal data and how can I contact them?

Data Protection Officer ("DPO") – e-mail: dpo@bialakarta.bg, contact phone – 0700 20 140.

5. Types of personal data, purposes and grounds for processing by Access Finance AD:

What personal data do we process?

The personal data that the Company may process are the following:

Full name, PIN, PNF, gender, date, country and place of birth, any citizenship you hold, a copy of an identity document and its data, address of residence and correspondence, IP address and device data, telephone number, voice, e-mail, data about a politically exposed person or affiliation with such within the meaning of Art. 36 of the LMML, IBAN, movements in transactions, education, origin of cash, data on the financial situation - amount of income, real estate and movable property, utility bills, loan obligations, marital status, profile data on the website www.bialakarta.bg or mobile application of the Company, answers to control questions, signature / fingerprint - for people prevented from signing, contact person details (names and telephone), results of checks of the contact person's data in the databases of the Joint Controllers in accordance with point 7.1 below, other data necessary for the fulfillment of obligations under a credit agreement or a contract for the provision of a payment instrument, results of surveys or tests.

The Company processes personal data necessary for the assessment of creditworthiness received from you or from registers, state authorities and institutions such as CCR (for liabilities under other loans), NSSI (for the presence of employment relations, place of work, profession, length of service, insurance for 6 months back, remuneration, pension) and the Register of Bank Accounts and Safes at the BNB.

The Company also processes data on the validity of the identity document from the register of the Ministry of Interior or from the "RegIX" system for the exchange of data from registers, the results of checks of clients' personal data in the databases of the Joint Controllers pursuant to item 7.1 below, as well as in consolidated databases of persons related to terrorism or terrorist financing.

For what purposes will we use your data?

The personal data you provide will be used to grant and manage a cash loan, provide a payment instrument and other requested services, perform a creditworthiness assessment, register and use a mobile application for credit card management, make credit transfers, deposit, withdraw funds, execute payment transactions.

The personal data you provide will also be used when making phone calls or sending short text messages, including through digital communication applications, for the purpose of contacting you, proving the subject of the conversation, as well as for compliance with the information rights and better protection of the borrower's data, his interests and those of the Company.

The Company processes personal information in accordance with legislative requirements, including for the purposes of prevention, investigation and detection of fraud related to payment services, identification, prevention of money laundering and terrorist financing, for the purposes of the Register of Bank Accounts and Safes, for the purposes of credit risk management under the Credit Institutions Act and for other purposes provided for by law.

Your personal data will be processed by Access Finance AD only in accordance with the applicable data protection regulations. When you correspond with us through any of the contact channels, you confirm that the data you have provided is accurate, correct and up-to-date.

On what grounds do we process your personal data?

The processing of your data is necessary for the conclusion and execution of a credit agreement and an agreement for the provision of a payment instrument-credit card to which you are a party, contracts for related services of the Company, a contract under the General Terms and Conditions for the use of a mobile application for credit card management, as well as under the General Terms and Conditions for conducting promotions, organized by the Company.

We also collect and process your data for compliance with legal obligations in connection with the Measures Against Money Laundering Act (for the purposes of identification and application of other due diligence measures), the Measures Against the Financing of Terrorism Act, the Tax and Social Security Procedure Code, the Consumer Loans Act, the Credit Institutions Act, the Distance Financial Services Act, Personal Data Protection Act (when processing and responding to requests for the exercise of rights, inquiries, objections or complaints).

In order to preserve its legitimate interests, the Company processes your personal data in connection with the verification of the data you provide and fraud prevention, providing a contact person in the performance of contractual obligations, servicing through a mobile application, processing requests for the exercise of rights, inquiries and complaints, as well as sharing information which would be of interest to you.

Based on your explicit consent, we may process your personal data to perform marketing activities (direct marketing) of the Company and MFG companies, including offering products, services and participation in marketing campaigns/surveys, as well as to study customer behavior and improve the effectiveness of assessing creditworthiness by conducting statistical analyses, provided that you have not objected to the use of your personal data for these purposes.

We should inform you that any consent to the processing of your personal data may be withdrawn at any time, including by submitting a request in writing to the registered office of the Company in Sofia, rayon Triaditsa, "Ivan Vazov", ul. "Balsha" No 1, bl. 9, fl. 2, and by calling 0700 20 140. The withdrawal of your consent to the processing of your data will in no way negatively affect the conclusion of a Loan Agreement, as well as the granting of the loan you have applied for.

6. How long will my personal data be stored?

Personal data is stored for the periods necessary to achieve the purposes for which it was collected. Once the purposes for which the personal data was collected have been achieved, we will destroy them immediately. If, after achieving our goals, we decide to store the processed personal data for statistical purposes, this will be done in the form of storage of anonymous data that cannot identify you in any way.

Access Finance AD takes all necessary technical and organizational measures for the destruction of data that are no longer needed, except for the cases when there is a legal basis for Access Finance AD to process them for a longer period of time; upon your request for restriction of processing, according to your rights, detailed below; or in order to be compatible with the original purpose of processing, of which you will be informed in a timely manner.

Access Finance AD stores the collected personal data within the following time limits:

a) when the data are processed on the basis of a request for an application for a loan - for a maximum period of two years from the submission of the application for a cash loan, if the request is not approved or the person refuses to conclude a loan agreement.

The data collected from a check in the Register of Bank Accounts and Safes at the BNB and the Register of the Central Credit Register of the person, in cases where the application and conclusion of a contract process has not been completed, will be stored for a period of five years from the submission of the application request.

The data collected from a check in the NSSI register, in cases where the application and contract process has not been completed, will be stored for a period of two years from the submission of the application request.

b) when the data are processed on the basis of a concluded loan agreement – for a period of 5 years, which period begins to run from the date of termination of the loan agreement.

c) when the data are processed on the basis of consent – until the explicit withdrawal of consent.

d) when the data is processed to protect the realization of rights and interests of the Company, which have a justified advantage over the interests of individuals – until the right is extinguished and/or the interest disappears.

e) when the data is processed in connection with making and recording telephone conversations on incoming and outgoing calls of the customer service center – they are kept in a secure archive for a period of not less than five years, and the persons who maintain the information systems of Access Finance AD in Bulgaria and the call centers for customer service in Bulgaria have access to the personal data of the customers from the telephone conversations.

f) when the data are processed in connection with the exercise of rights under Regulation (EU) 2016/679 and under the Personal Data Protection Act – within two years from the final conclusion of the proceedings in connection with the exercise of the rights of data subjects and the implementation of remedies.

After the expiration of the specified periods, if there is no other basis for data processing, they will be deleted. In order to obtain and analyze information related to the financial products and services used, as well as to improve the service, the Company may delete only part of the data. In such cases, it shall continue to store such part of the data that does not allow individuals to be subsequently identified.

7. Categories of persons who may have access to personal data

Access Finance AD will not disclose personal data to third parties other than their disclosure to the Joint Controllers, as well as to the categories of personal data processors or Third Parties listed below[1] for the purpose of offering/providing products and services, fulfilling a contract, preventing fraud, implementing group policies for the prevention of money laundering and terrorist financing and/or assessing creditworthiness.

7.1. In view of the above, we should inform you that Access Finance AD has signed joint administrator agreements with Easy Asset Management AD, Fintrade Finance AD, Financial Bulgaria EOOD and Viva Credit OOD, which contracts have the following main characteristics:

- Joint controllers exchange personal data between themselves on the availability and number of loans, overdue payment of these loans, their transition to the enforcement phase, complete non-fulfillment of payment obligations. The exchange of personal data under the preceding sentence takes place automatically in the course of the processing of personal data collected by the borrower and/or third parties in the procedure for assessing its creditworthiness through specialized software;

- Offering and/or providing products and financial services to other joint controllers, their partners, including MFG companies (e.g. warranty transaction services, insurance, alternative financing and credits);

- Joint controllers independently ensure the security of the personal data they process and protect them from accidental or unlawful destruction or accidental loss, unauthorized access, alteration or dissemination, as well as other illegal forms of processing, and take the necessary special technical and organizational protection measures, periodically review and update the kept personal data records and the measures applied;

- Joint controllers exchange with each other, through the storage of a certain information infrastructure, personal data contained in inquiries made in official public sources of information on: the employment relations of clients; presence of a bank account with a bank on the territory of the Republic of Bulgaria; presence of the circumstances under art. 36, para. 2 and para. 5 LMML, prevention of money laundering; creditworthiness; information collected in accordance with the fulfillment of the legal requirements under the Consumer Credit Act; other information related to the fulfillment of legal obligations of the Company. This processing is carried out in accordance with the legislative requirements and restrictions on the main commercial activity of the companies.

7.1.1. Access Finance AD has concluded a contract for joint administrators with Agency for Control of Outstanding Debts AD as the main objectives of the joint administration between them are:

- administration, storage and processing of personal data in connection with transferred receivables under cession contracts.

7.2. In addition to the disclosure of personal data within the framework of joint administration, the Company exchanges within the Group of Companies in MFG data collected in the course of customer due diligence carried out for the purpose of fulfilling legal requirements to prevent the use of the financial system for money laundering and terrorist financing, and in particular: clarification of the origin of funds; disclosing information about unusual and suspicious transactions and reporting them to a competent state authority; conducting actions to establish potential connectivity and identify third parties acting on behalf of the client within the meaning of art. 65 of the LMML.

7.3. The following categories of persons may also have access to your personal data. On the basis of contracts concluded with the Company, they may be personal data processors, act strictly on our instructions and are not allowed to use the data for their own purposes, namely:

- the persons who maintain the information systems of the Company located in the Republic of Bulgaria, as well as, if necessary, the customer service centers in the Republic of Bulgaria;

- persons entrusted with the elaboration, printing, assembly, delivery (including by SMS or electronic communications) of written correspondence emanating from the Company to its customers, including providers of communication platforms as services (CPaaS);

- the persons entrusted by virtue of a contract with the Company to assist it in connection with the servicing and collection of its receivables from customers;

- the persons to whom the Company offers to sell its receivables from customers;

- persons who, by virtue of a contract concluded with the Company, mediate in the provision of financial products offered by the latter.

7.4. Access Finance AD regularly provides personal data about its borrowers to the Central Credit Register by virtue of its legal obligation. The Company is obliged to provide personal data about its borrowers to the competent authorities and institutions under the applicable legislation and in case such information is legally requested.

The Company may provide access to your personal data to public authorities, institutions and establishments, auditors, in cases where there is a legal obligation to provide the data. Your personal data may also be provided for the purpose of obtaining preliminary information necessary for the conclusion of a contract and/or its performance - to make inquiries and receive information from state authorities, institutions and registers (for example, the NRA, NSSI, CCR, the BNB Register of Bank Accounts and Safes, etc.), to assess your creditworthiness or for the purpose of obtaining other types of preliminary information necessary for the conclusion of a contract at your request.

In order to collect its receivables, the Company has the right to transfer your processing data to a third party - a company specialized in debt collection under a debt collection contract.

7.5. When visiting the website of Access Finance AD, the Company may transfer personal data within the European Union and the European Economic Area and/or to a third country or an international organization outside the European Union and the European Economic Area. In the event that when visiting the company's websites you have expressed your consent to the activation and use of third-party cookies, you should keep in mind that your data will be processed, transmitted, transferred and stored in accordance with their privacy policy. Based on your explicit consent, your data may be shared in countries without an adequate level of protection (e.g. the United States of America). Detailed information about the cookies used is available in the Cookie Policy: www.accessfinance.eu/cookies. You can make individual choices for the use and/or restriction of certain cookies from the settings of your browser.

7.6. For customers who use financial services offered by Access Finance AD where the cash loan is utilized through a credit card payment instrument, their personal data is also used by the payment service provider, the credit card issuer [2].

The credit card issuer collects and processes the following categories of personal data of loan applicants of Access Finance AD:

- three names, PIN, date of birth, as well as other data from an official identity document, any citizenship of the person, address (current and permanent), copy of ID card, signature / fingerprint - for people prevented from signing it, details of the payment instrument - card number (PAN), date of issue and validity, IBAN, currency, limit, data on transactions – value, time and place of the transaction, details of expired cards, card status history, activation date, information about linked cards or duplicates.

The credit card issuer processes the above categories of personal data for the following purposes:

- for issuance, provision, execution of payment transactions and servicing of a credit card payment instrument by concluding and executing the rights and obligations under the Framework Agreement for the provision of a payment card and its annexes and compliance with legal obligations, including identification and verification under the LMML, processing and responding to requests for the exercise of rights, processing and responding to inquiries and complaints.

The above categories of personal data are processed by the credit card issuer on one or more of the following grounds:

- fulfillment of a legal obligation, conclusion and performance of obligations under the Framework Agreement for the provision of a payment card.

In addition to the purposes described above, the credit card issuer uses your personal information, including information generated through the use of payment services, for the purposes of:

7.6.1. Provision of payment services

- Initiating payments, making transactions, withdrawing cash via ATM device, POS terminal, charging credit card costs;

- Providing your personal data to third financial institutions and companies in connection with your transactions with the issued payment instrument, including on the territory of the European Union or third countries;

- Detect and prevent fraud, abuse, security breaches and other harmful actions by blocking the credit card provided or by applying other fraud prevention measures;

- Conducting security studies and risk assessment;

- Conducting checks against certain databases and other data sets;

- Fulfillment of legal obligations (for example, under the LMML and PSPSA);

- Exercising our rights and legitimate interests arising from the framework contract for the provision of a payment card.

The credit card issuer processes information on the basis of its legitimate interest in improving the service provided to the consumer and when necessary for the proper performance of the Framework Contract for the provision of a payment card concluded by you, as well as for the purposes of compliance with the applicable legislation.

7.6.2. Product Delivery, Improvement and Development

- Acceptance, processing and administration of online and offline orders for the payment instrument;

- Processing of purchases made with the provided payment instrument;

- For the organization of the delivery of the payment instrument;

- To perform profiling based on your use of the payment instrument.

The credit card issuer processes this information on the basis of a legitimate interest in enhancing the security of the payment instrument and, where necessary, for the proper performance of the Framework Payment Card Agreement concluded with you and for the fulfillment of legal obligations.

7.6.3 Creating and Maintaining a Secure Environment

- Detection and prevention of fraud, damage, security breach and other harmful actions;

- Conducting security checks and risk assessment;

- Establishing the identity and veracity of the information you provide;

- Performing checks on databases and other information that a third party retrieves or other checks in the records of competent authorities or information providers, to the extent permitted by applicable law, and with your consent where necessary;

- Monitoring your transactions;

- Resolving disputes between the borrowers of Access Finance AD and other users in connection with the use of the payment instrument and for the implementation of our agreements with third parties;

- Exercising the legal rights and interests of the card issuer.

This information is processed on the basis of a legitimate interest to protect the Product, to monitor the proper provision of the service, in accordance with the Framework Agreement for the provision of a payment card and for compliance with the applicable legislation.

The exercise of the rights under this item is carried out in accordance with Section III "Your Rights" of this Policy.

8. How do we protect your personal data?

In order to ensure adequate data protection of the Company and its customers, we apply all necessary organizational and technical measures provided for in the Personal Data Protection Act and the General Data Protection Regulation.

The Company has established structures to prevent abuse and security breaches and has also appointed a Data Protection Officer to support the processes of protecting and ensuring the security of your data.

For maximum security when processing, transferring and storing your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

9. Is my personal data subject to automated decision-making, including profiling?

9.1. Yes, the Company may fully process your personal data, including profiling you, assessing your behavior regarding various personal aspects of yours - for the purposes of fraud prevention, offering new products and for marketing purposes, namely – to receive the most relevant advertising and marketing communications given your personal characteristics and past interests. In none of these cases will profiling have a significant effect on you. For this purpose, it is possible to transfer personal data within the European Union and the European Economic Area and/or to a third country or international organization outside the European Union, such as the United States.

9.2. Apart from the above, please note that you will be subject to fully automated processing, including profiling, for the purpose of assessing and analyzing your creditworthiness, including what amount of credit would be suitable for you, as well as optimizing the mechanisms for this. In this case, we have the obligation to explain to you the logic of fully automatic processing/profiling in a few simple steps: Personal data are examined as a whole and separately, for a statistically significant relationship with events defined as high risk conditions of the client – non-payment of debts, fraud. Criteria are selected to power machine learning algorithms, resulting in a generalized mathematical model that assesses the probability of realizing any of these risks for a particular customer. The basis for such processing will be the conclusion of a loan agreement. 16 of the Consumer Credit Act an assessment of creditworthiness could not in practice happen differently without leading to excessive delay.

In this case, if the notified decision does not satisfy you, you have the right to request the review of the decision by a credit expert in the Company with the relevant competencies.

III. Your rights

As a data subject whose data is processed by Access Finance AD, you have rights, the content of which is exhaustively described below.

You should keep in mind that the provision of personal data is voluntary – it is necessary for the conclusion of a contract with the Company. In the event that the data is not provided, the Company will not be able to provide a product or service.

Access Finance AD satisfies your requests without delay within 30 calendar days of their departure. With our decision, we give or refuse access and/or the information requested by the applicant, but we always motivate our response. For the purpose of the Company's website, a link to this Policy is placed in a clearly visible place.

In order to consider your request to exercise your rights, you need to fill out this form and present it to us in a way that is convenient for you:

- in person or by a person expressly authorized by you, through a notarized explicit power of attorney, at the address of the Company in Sofia, rayon Triaditsa, "Ivan Vazov", ul. "Balsha" No 1, bl. 9, fl. 2. The notarized power of attorney under which a request for exercising rights is submitted should contain an explicit power "To represent me before Access Finance AD, UIC 207140327 with the right on my behalf to submit a request for the exercise of personal data protection rights."

- formatted as an electronic document signed with your electronic signature, sent to help@bialakarta.bg;

- by letter or courier service at the address of the Company: Sofia, P.O. Box 1408, rayon Triaditsa, "Ivan Vazov", ul. "Balsha" No 1, bl. 9, fl. 2;

- by calling 0700 20 140 – in this case, the form for exercising your rights should be sent to the attention of Access Finance AD in one of the ways mentioned above.

Within one month of receipt of the request, Access Finance AD will notify you of the actions taken in relation to your request.

The exercise of the rights is free of charge and covers all structured and unstructured data, as well as all databases maintained by the Company.

Exceptions to the deadline for satisfying requests, and to the principle that the exercise of rights is free of charge, are allowed where the same client requests data more than 3 times a year and the requests require the mobilization of significant administrative resources by the Company. In this case, we may charge a reasonable fee in view of the administrative costs incurred.

Where the data subject makes a request by electronic means, the information shall, where possible, be provided by electronic means, unless otherwise requested by the data subject.

Where the Company has reasonable concerns regarding the identity of the natural person requesting the exercise of his or her rights under this point, the directly responsible person should immediately consult the Data Protection Officer for the purpose of carrying out the identification of the client.

You should also keep in mind that the withdrawal of consents given does not affect the lawfulness of the processing of your personal data before the withdrawal. Despite the withdrawn consent, your personal data may be processed by the Company if there are other grounds for data processing specified in item 4.

You have the following rights:

a. Right to information

As a data subject, you have the right to receive information about important features of the processing of your personal data, including, but not limited to, its purpose, duration and basis, the recipients and categories of recipients of personal data, etc.

In addition to the information mentioned above, you should keep in mind that you are subject to automated decision-making, including profiling. This means that the data you provide is used to create an appropriate "profile" for you and is intended to prevent fraud, diversify the products offered by the Company, and to select advertising, marketing and promotional materials that are relevant to you.

In accordance with the applicable personal data legislation, you have the rights below, and we undertake to respond to each of your requests within 1 month of receipt of the request and free of charge. If there are difficulties in executing such requests on time, the deadline may be extended by another 2 months, of which you will be notified within 1 month of receipt of the request.

b. Right of access

You can request information on whether we process personal data about you and, if so, what data we process. You can request access to this data.

We will provide you with an extract of the personal data that is being processed. For additional statements, we may charge a reasonable fee based on administrative costs. When you submit a request by electronic means, we will, if possible, provide the information in a widely used electronic form, unless you have requested otherwise.

c. Right to rectification

If we process incomplete or incorrect personal data about you, you may request its correction or supplementation at any time.

d. Right to erasure

You may request the deletion of your personal data in the following cases:

- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

- you withdraw your consent on which the processing is based and there is no other legal basis for the processing;

- you believe that the personal data has been processed unlawfully.

Please note that there may be other reasons to prevent the immediate deletion of your data, such as statutory storage obligations, pending proceedings, establishment, exercise or defence of legal claims, etc.

e. Right to restriction of processing

You have the right to request restriction of processing if:

- you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;

- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

- you have objected to the processing of the data pending verification whether the legitimate grounds of Access Finance AD for data processing take precedence over your interests.

In case of requested restriction of processing, we will inform you before the restriction of processing is lifted.

f. Right to data portability

You can ask us to provide you with the personal data we process about you in a format that can be easily read by a computer and transferred to another financial institution, for example. This only applies where:

- the processing of specific data is based on your consent or in connection with the conclusion and performance of a loan agreement; and

- the processing is carried out by automated means.

g. Right to object

You have the right, at any time and on grounds relating to your particular situation, to object to the processing of your personal data that is based on a legitimate interest (the grounds are set out in the table above), including profiling on that basis.

Where you have given your consent to the processing of personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data without stating any grounds.

h. Right to lodge a complaint

If you believe that we have violated applicable data protection legislation in the processing of your data and as a result we have affected your rights, please contact us. Of course, you also have the right to file a complaint with the Commission for Personal Data Protection, which is a supervisory authority in the field of personal data protection at: Sofia 1592, bul. "Prof. Tsvetan Lazarov" No 2, tel. 02/91-53-518, e-mail: kzld@cpdp.bg.

This Personal Data Protection Policy was updated on 31.10.2022.

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data (Art. 1(4) GDPR).