Privacy Statement Debtors/Debtors Portal My EOS Contentia

In this Privacy Statement we describe and inform you about what Personal Data we process about you, how we process it, for what purposes we process it, to whom we may provide it, how long we retain it, how we secure it and what rights you have.

This Privacy Statement was drawn up pursuant to the General Data Protection Regulation ("GDPR"), in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which entered into force on 25/05/2018.

EOS Contentia is a collection company. It is located at Industriëlaan 54K, 7700 Moeskroen/Mouscron, Belgium and has company number 0454.609.009.

A debt collection company can recover debts according to 2 scenarios:

Definitions:

• Customer/partner: the companies that either entrust EOS Contentia with a service contract for debt collection or sell a debt portfolio to EOS Contentia.
• Debtor: the debtor of the debt, either to the customer/partner in the case of a debt collection service contract or to EOS Contentia in the case of a debt transfer

1° as a service provider for creditors

Our customers or partners, the creditors, entrust the recovery of their outstanding claims against debtors (debtors) to our company. Our firm offers debtors the possibility of paying their debts by means of an amicable settlement, without any legal proceedings. If the debtor fails to do so, legal proceedings can still be initiated for the recovery of the debt.

2° as principal or assignee in the context of a contract, in particular for the management and collection of debts when EOS Contentia has taken over a portfolio of debts from a creditor.

The processing of debtors' personal data is carried out on the basis of:

• If recovery is amicable: the activity of debt recovery as permitted and regulated by the law of 20 December 2002 on the amicable recovery of consumer debts;
• If recovery does not take place amicably (e.g. on the basis of a judgment, a court order or a notarial deed): EOS Contentia's legitimate interest in recovering the debt entrusted to it by the creditor or sold to it by the creditor. The creditor has a legitimate interest in recovering the debt from the debtor. It respects the interests of both parties.

Reporting and analysis:

• Performance of contractual obligation towards creditor
• the justified importance of EOS Contentia in optimising recovery procedures and evaluating the outstanding debt(s) in the context of a debt transfer.

Audit and control:

• By the customer: performance of a contractual obligation towards the creditor;
• By public authorities: legal obligation

For all other processing operations: the justified interest of EOS-Contentients, which consists of

• improve recovery procedures,
• increase the security of offices and systems,
• organising debt recovery faster, more efficiently and more cheaply
• monitoring and processing of the optimal functioning and security of all software and IT systems.

EOS Contentia is a service provider that decides only on the resources it deploys and the way in which recovery files are handled on behalf of the creditor. EOS Contentia keeps the creditor informed of the progress of debt recovery and is remunerated by the creditor for its services. The creditor determines the purpose (collection of the debts) of the processing and remains the owner of the claim.

EOS Contentia acts as creditor, owner of the claim, in the event of assignment of claims.

In this case, EOS Contentia is the controller who determines the purpose and manner in which your personal data are processed.

EOS Contentia processes the following personal data of debtors provided and transferred by the creditor in the context of a service contract for debt collection or a transfer of a debt portfolio:

• your identity and contact details (name, title, address, e-mail address, telephone and mobile number);
• national number (for the recovery of consumer and mortgage credits): registrations with the Central Individual Credit Register (CCR).
• date of birth
• bank account
• Information on outstanding debts, contracts, payments made and not made, correspondence conducted with the debtor
• Additional information provided directly by the debtor to our services, to the extent relevant for the recovery procedure (for evaluation and considered handling of your file: reasons for non-payment based on information provided by you, such as individual or family circumstances, work related circumstances, the fact that you are in prison,...).
• financial information for risk analysis: payment history, information on your debts, income, solvency, visit reports

We kindly remind you that you are responsible for all data you provide to us and that we rely on its accuracy. If your data is no longer up to date, please inform us immediately.
If you fail to do so (e.g. do not update your contact details (such as a new address, email or telephone number)), we will request these details from third parties or the public services authorised to provide them.

EOS Contentia is thus able to process new data relating to debtors through the contacts it has with them (correspondence, telephone, text messages, chat, personal conversations, etc.).

You are not obliged to provide any additional personal data, but you understand that solving your debt file becomes more difficult or even impossible if you do not consent to its collection and processing.

We do not process special categories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning your health).

You are free to decide whether to provide us with personal information relating to your health, disability and/or private life when this affects your ability to pay your debts. On the basis of this information, we may, if necessary, tailor the collection to your situation and take this into account for a repayment plan.

In this case, this information will only be used for the duration of the assessment of your personal situation or until you no longer authorise us to process it or for as long as it is necessary for filing, exercising or defending legal files.

Debt recovery management

• Processing of debtors' data and outstanding debts
• Execution of recovery activities
• Contacts via correspondence, telephone, sms, chat
• Contacts via the debtors portal (online My Eos Contentia)

Recovery activities

• Formatting, printing and sending letters to debtors
• Organising and carrying out home visits to debtors in order to provide explanations and conduct negotiations to speed up and facilitate recovery

Opening of court case

• Involving a lawyer for recovery if this will have to be done by court order. In this case, a lawyer will have access to the complete debtor file.

Cross-border/international files

• Processing of debtors' data and outstanding debts
• Execution of recovery activities
• Involving a foreign debt collection company for collection. In this case, this collection company will have access to the complete debtor file.

Information to the creditor

• Reporting on the status and progress of debt recovery for each debtor

Preservation, storage and processing via special software

• The management of debtors files is done in specific management software (application, data base and backups).

Business analytics

• The use of the debtor database for analysis, reporting, statistics and forecasts whose output is anonymous
• The use of the debtor database for internal reporting and management as well as for reporting to creditors, on the basis of a contractual reporting obligation

Audit and control

• Legal obligation to communicate debtors' personal data for the purposes of public control (accounting, tax, legislation on the prevention, monitoring and detection of fraud, money laundering and other criminal activities).
• Deletion and destruction of personal data after the retention period applicable to the specific processing.

Transmission to the Central Individual Credit Register

• For bank or credit claims, personal data are processed within the framework of our statutory obligation to notify the Central Individual Credit Register on the basis of the Royal Decree of 23 March 2017 regulating the Central Individual Credit Register.

Improving our debt recovery procedures

• search activities in the debtor database
• evaluations concerning payment behaviour
• recording and analysis of recorded telephone calls from our agents to accounts receivable for coaching and training purposes

Development of our debt collection activities

• The de-identification of debtors data in order to develop activities.

Securing our debt collection activities

• Use of debtors' personal data to secure them and to develop and adapt appropriate tests of our IT system.

IT management

• storage, backup, deletion of data,...

Telephone calls between debtors and our agents are recorded and used to check their quality and to train employees.

The calls will be stored for the period provided for in the Electronic Communications Act of 13/06/2005.

EOS Contentia may pass on personal data of debtors to:

For the debt collection itself

• the creditor
• collection staff
• courts
• bailiffs
• lawyers
• social assistant/public center for social welfare (OCWM/CPAS) (in the case of collective debt settlement)
• other service providers involved in the debt recovery process

IT systems

• IT service providers for hosting and back up
• IT service providers for development, maintenance and updates of IT systems
• foreign debt collection companies or debt collection services
• EOS Contentia group companies ( within the European Economic Area)

For audits and controls

• the creditor
• the competent authority

Judicial authorities

• for judicial debt recovery
• combating fraud
• declaration of offences
• legal obligation

Central Office for Credits to Private Individuals

• statutory notification obligation to the Central Individual Credit Register on the basis of the Royal Decree of 23 March 2017

All debtor data are stored, processed and kept only in the European Union (more specifically in Belgium, France and Germany). The transfer of data outside the European Union takes place on the basis of EU Standard Model Clauses on data protection where the country to which the data is transferred does not provide adequate protection within the meaning of the GDPR. No transfers will be made to the United States of America on the basis of the EU-US or Swiss-US Privacy Shield/Safe Harbour.

We will retain your personal data:

• as long as they are necessary for the legitimate purpose for which they were obtained, e.g. to ensure good recovery practices or to defend ourselves against legal claims.
• As long as this is necessary within the framework of a legal obligation to keep your personal data for a certain period of time in order to prevent fraud and to detect and prove anti-money laundering practices, and for financial audits.

All the debtor's personal data shall be retained for a maximum of ten years from the end of the year in which one of the following events occurs:

• the cancellation of the debt; or
• end of the recovery file (by payment of the debt or end of the recovery mandate).

This period corresponds to the limitation period under general law (Article 2262bis of the Civil Code) as well as anti-money laundering legislation.

For statistical, analytical and business intelligence purposes, we will only retain anonymised or pseudonymised data after this retention period.

EOS-Contentia has appointed a Data Protection Officer (DPO):
E-mail: Privacy@eos-contentia.be
Postal address: Industriëlaan 54K, 7700 Mouscron/Mouscron, Belgium

If, after reading this Privacy Statement, you have further questions or comments with regard to the collection and processing of your personal data, please contact our DPO.

We make every effort to handle your Personal Data in a careful and legitimate manner in accordance with applicable regulations. Nevertheless, if you believe that your rights have been violated and if your concerns have not been addressed within our company, you are free to lodge a complaint with the:

Data Protection Authority
Drukpersstraat 35, 1000 Brussels
+32 (0)2 274 48 00
+32 (0)2 274 48 35
contact@apd-gba.be

You can also come there for all general questions relating to the processing and protection of Personal Data.

In addition, you may bring an action before a court if you believe that you would suffer damage as a result of the processing of your Personal Data.

In accordance with and subject to the conditions of Belgian privacy law and the provisions of the General Data Protection Regulation, we inform you that you have the following rights:

• Right of access and inspection: You have the right to inspect, free of charge, the information we hold about you and to find out what it is used for.
• Right of rectification: you have the right to obtain rectification (correction) of your incorrect personal data, as well as to complete incomplete personal data.
• Right to erase data or restrict processing: You have the right to request us to erase or restrict the processing of your personal data in the circumstances and under the conditions set out by the General Data Protection Regulation. We may refuse the deletion or restriction of any personal data which is necessary for us to fulfil a legal obligation, the performance of the contract or our legitimate interest, and this for as long as these data are necessary for the purposes for which they were collected.
• Right to transfer data: You have the right to obtain the personal data you have provided us with in a structured, common and machine-readable form. You have the right to transfer this data to another data controller.
• Right of objection: you have the right to object to the processing of your personal data for serious and legitimate reasons. Please note, however, that you cannot object to the processing of personal data which is necessary for us to fulfil a legal obligation, the performance of the contract or our legitimate interest, for as long as these data are necessary for the purposes for which they were collected.
• Right of withdrawal of consent: If the processing of personal data is based on prior consent, you have the right to revoke this consent. These personal data will then only be processed if we have another legal basis for doing so.
• Automatic decisions and profiling: we confirm that the processing of personal data does not include profiling and that you will not be subject to fully automated decisions.

You can always view the data we process about you and, if necessary, have it corrected. All you have to do is request it via our Data Protection Officer with proof of your identity. This is in order to prevent your data from being passed on to anyone who is not entitled to it.

You can object at any time to the use of your data by our company for direct marketing purposes. If you do not wish to be kept informed of our company's offers, you can report this via our Data Protection Officer.

To the extent that we process your data solely on the basis of your consent, you may withdraw your consent at any time by contacting our Data Protection Officer, whereupon we will cease processing the data. All processing carried out previously on the basis of your consent will remain lawful.

Personal data collected by EOS Contentia will only be stored and processed in the European Union. We take steps to ensure that the data we collect under this Privacy Statement is processed in accordance with the provisions of this Statement and the requirements of applicable law wherever the data is located.

We take the necessary technical and organisational measures to process your personal data to an adequate level of security and to protect them against destruction, loss, falsification, alteration, unauthorised access or accidental notification to third parties, as well as any other unauthorised processing of this data.

Under no circumstances can EOS Contentia be held liable for any direct or indirect damage resulting from the incorrect or unlawful use of the personal data by a third party.

EOS Contentia makes every effort to protect the security of your personal data. We use a variety of security techniques and procedures to protect your personal data against unauthorised access, use or disclosure.

EOS Contentia is also committed to reducing the risks of human error, theft, fraud and misuse of EOS Contentia facilities. EOS Contentia's efforts include raising staff awareness of security policies and training staff to implement security policies. EOS Contentia employees are required to maintain data confidentiality. Employee obligations include written confidentiality agreements, regular training on information protection and compliance with the company's policy on the protection of confidential information.

EOS Contentia quickly evaluates and responds to incidents that cause suspicions of unauthorised data processing. If EOS Contentia determines that your data has been unlawfully used (including by an EOS Contentia employee) or otherwise improperly obtained by a third party, EOS Contentia will report such misuse or acquisition to you immediately.

EOS Contentia will carry out annual compliance audits. Any employee found by EOS Contentia to be in breach of the GDPR is in breach of this Privacy Statement and will be subject to disciplinary action up to and including termination of employment. Any third party violating this privacy policy will be required by all agreements with EOS Contentia to indemnify and hold EOS Contentia harmless against claims relating to such violations.

Cookie controls are described in our Cookie Statement.

We will update this Privacy Statement as necessary to reflect customer feedback and changes to our services. When we post changes to this statement, we will revise the "last updated" date at the top of the statement. If there are material changes to the statement or to how EOS Contentia will use your personal data, we will notify you by prominently posting a notice of such changes before they become effective or by sending you a notice directly. We encourage you to periodically review this Privacy Statement to find out how EOS Contentia is protecting your information.