1. General Provisions
1.1. The purpose of the policy of natural person’s data processing is to protect fundamental rights and freedoms of natural person regarding the processing of personal data, which is performed by Taunigma company according to EU regulatory acts on protection of personal data, as well as to uncover the information about data processing to the data subject according to the requirements of the Regulation 2016/679 of the European Parliament and of the Council (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereafter – “Regulation”)
1.2. Policy establishes general procedure for the processing of personal data, the determination of main reasons for the processing of personal data and the terms of identification of legal basis, main principles of protection of personal data, the period of storage of personal data and the cases of passing the data to third parties and third countries, as well as the procedure for data subject to exercise his rights.
1.3 Policy is designed according to the requirements of the Regulation, aimed at the safety of personal data. Taunigma processes data of natural person with respect to the interests of such persons regarding the protection of their privacy.
1.4 Within the framework of applied regulatory act, Taunigma provides confidentiality of personal data and accepted appropriate technical and managerial measures to protect personal data from unauthorized access, illegal processing, public disclosure, unintentional loss, alteration or destruction of personal data.
1.5. Policy is mandatory for all Taunigma employees.
1.6. Policy of company’s cookie-files is available on www.taunigma.com website.
2. Main Principles of Personal Data Processing
2.1. Taunigma complies with the following principles of personal data processing in order to provide safe personal data processing and its implementation according to the Regulation and the requirements of the other regulatory acts:
2.1.1. Personal data are being processed legally, accountably and transparently for data subject (“Legitimacy, accountability and transparency”). Exercising this principle in practice, Taunigma designed the actual policy which is used to inform data subject about the processing of his personal data, guaranteeing that personal data is being used only with the intention that it was collected for. Company respects the rights of data subject, and allows him to control and observe the processing of his data (see section 7 of the Policy);
2.1.2. Processing of personal data is implemented with specific purposes and only according to them (“limitation of intention”). Taunigma doesn’t collect or storage personal data with indefinite future intentions, the necessity of which has not been considered, and the implementation of which has not been ratified with internal regulations of the Company;
2.1.3. Personal data is adequate, correspondent and hold only such information that is necessary for the purposes of processing (“minimization of data”). Exercising such principle in practice, the Company does not ask and process more data subject’s information that is necessary to achieve the specific purpose;
2.1.4. Personal data is accurate (“accuracy”). Taunigma cares about the processing of correct and accurate data only. And if the Company doubts the relevance and accuracy of information, provided by data subject, the Company will contact data subject in order to specify processed data. Every data subject has to inform the Company about the changes of information (e.g. last name, phone number, residence address etc.), provided to the Company.
2.1.5. Personal data is stored no longer than it’s necessary (“limitation of storage”). Company processes personal data no longer than it is necessary for the implementation of the specific intention. The exceptions are the cases when one intention ends up in another legal intention (see section 8 of the Policy);
2.1.6. Personal data is processed in a way that provides its appropriate safety, including protection from unauthorized or illegal processing, its unintentional loss, destruction or damage, with the use of appropriate technical and managerial measures (“integrity and confidentiality”). Taunigma protects the data of its clients by means of modern technologies with the consideration of risks, existing in the sphere of privacy (e.g. with implementation of various safety measures: data encryption and transmission, firewall, intrusion protection etc.). The Company also constantly improves the system of information technologies in order to provide safety of personal data. Taunigma gives access to personal data to only those employees, who need it to perform their duties. In order to minimize the risks of personal data protection violation, the Company observes the actions related to the processing of personal data, accounts every incident, which affects the safety of data, and takes measures to prevent further threats to data.
2.2. Taunigma is responsible for correspondence of its actions to the principles, listed in subparagraph of paragraph 2.1, and ensures their compliance by means of:
2.2.1. introduction of this policy and correspondence of Company’s activities to this policy;
2.2.2. introduction of appropriate technical and managerial measures;
2.2.3. regular education of active and new employees, including related to the processing and protection of personal data and compliance with the confidentiality and ethics regulations;
2.2.4. designing and maintaining data processing register, which holds all the information about the actions taken to process the data;
2.2.5. informing data subject about his rights and data processing, performed by the Company.
2.3. According to the requirements of the Regulation, in case the violation of personal data protection poses or may pose a serious threat to rights and freedoms of data subject, the Company informs data subject and State Data Inspectorate.
3. Categories of Personal Data
3.1. Collection of personal data may be performed from data subject, client’s actions upon using services (e.g. cookie-files, IP-addresses, authorization) and from external sources, e.g. public and private registers and third parties.
3.2. Mostly, but not limited to, the Company collects and processes the following categories of personal data:
3.2.1. Identification data: first and last names of data subject, birth date, personal code, data held in ID, citizenship, tax residency, taxpayer identification number;
3.2.2. Contact information: residence and/ or declared residence address, phone number, e-mail, communication language;
3.2.3. Family status: information about spouse, dependents, data subject’s heirs and other related persons;
3.2.4. Client’s financial data: accounts, proprietary right, deals, credits, income, obligations, financial experience, purposes of investments etc.;
3.2.5. Data, gained and/ or generated during the execution of duties, set in regulatory acts: data, gained from information requests to inves7tigation bodies, sworn notaries, tax administration offices, courts and jury bailiffs, information about income, loan obligations, owned property, notes and historical notes in databases, and balances of debt liabilities;
3.2.6. Information necessary to make and process payments: bank client’s account number, information of payment card etc.;
3.2.7. System access data: provision of account and password to a user;
3.2.8. Information about the user of company’s website: cookie-files, IP-address.
4. Purpose and Legal Basis of Personal Data Processing
4.1. Running its business, Taunigma processes personal data of different kind, volume and nature, considering different purposes of personal data processing. Company requests and processes personal data only in cases, when there’s a specific purpose and legal basis for its processing.
4.2. Company does not process information that’s not needed to achieve legal purposes. Before processing personal data, Taunigma always considers and defines the purposes of personal data processing.
4.3. Taunigma processes personal data in order to:
4.3.1. provide and manage services of selling its products:
220.127.116.11. identify clients;
18.104.22.168. prepare and execute an agreement (e.g. agreement of sale and purchase, trust agreement etc.) and in order to execute its contract liabilities;
22.214.171.124. provide remote services;
4.3.2. serve a client;
4.3.3. provide financial exchanges with a client;
4.3.4. fulfill obligations set in regulatory acts (e.g. to comply with the Law on Prevention of Legalization of Proceeds of Criminal Activity and Financing of Terrorism);
4.3.5. advertise and distribute services or for the needs of marketing, e.g. to send, advertise offers, to conduct surveys and researches of clients, to run lottery and draw games etc.;
4.3.6. consider and process complaints;
4.3.7. protect its impaired rights;
4.3.8. maintain website and mobile applications, as well as to improve their performance;
4.3.9. provide information to state bodies, state officials or other establishments, officials and entities of business activities in cases and volumes, set in external regulatory acts;
4.3.10. guarantee security of the Company and/ or client, protection of life and health of a client and/ or his representatives and other tights of the Company and the client;
4.3.11. manage the staff;
4.3.12. provide risk management;
4.3.13. fulfill tax liabilities, which are set in international agreements and regulatory acts, liabilities regarding automated exchange of information on financial accounts, and other specific obligations.
4.4. Taunigma mainly gets personal data upon:
4.4.1. identification and researching the client before establishing business relations;
4.4.2. conducting a research of a client during execution of business relations;
4.4.3. the beginning and execution of contractual relations with a client;
4.4.4. consulting clients (if consulting needs identification of a client) or upon the receipt of client’s instructions to execute different operations;
4.4.6. the request regarding a client from various registers;
4.4.7. hiring of new employees;
4.4.8. the receipt of a letter or e-mail from data subject;
4.4.9. the use of information about data subject on Internet resources and another publicly available sources.
4.5. Policy relates to the processing of personal data notwithstanding in which form and/ or conditions a client provides personal data (on company’s website, through mobile applications, on hard copy or by phone), as well as in which system of a company and in which format such data is being processed.
4.6. Taunigma start processing of personal data only if such processing has specific purpose (e.g. execution of an agreement, provision of particular service, execution of obligations according to regulatory acts etc.) and legal basis.
4.7. If data subject refuses the processing of personal data, the Company is entitled to refuse provision of its services.
4.8. Processing of personal data can have the following legal basis:
4.8.1. Legal basis: Establishment and execution of contractual obligations.
Necessity: this legal basis allows to process personal data before the execution of an agreement in order to draft such agreement, as well as to proceed processing during the entire duration of an agreement, executed with data subject. Data subject cannot refuse the processing of his personal data in order to execute the provisions of the agreement, as long as such agreement is valid. Company requests all the necessary information for the execution of the agreement. Besides, legal basis also keeps its full legal power in cases, when the agreement is not executed for any possible reason.
4.8.2. Legal basis: execution of legal obligation.
Necessity: Company uses this legal basis upon the processing of personal data, when the Company has no free choice. Such action is subject to current regulatory acts of EU.
4.8.3. Legal basis: Protection of vital interests of data subject or third parties.
Necessity: Company uses this legal basis in exceptional circumstances, when the processing of personal data is performed, for example, in order to protect the life or health of a person.
4.8.4. Legal basis: Compliance with public interest or the exercise of official powers.
Necessity: Company uses this legal basis in exceptional conditions and it is similar to the execution of legal obligation, for public interests or company’s official powers have to be defined in regulatory acts. Unlike with legal obligation, in this case the Company may have the free choice of actions (or a partial free choice of actions).
4.8.5. Legal basis: Legitimate interests of the Company of a third party.
Necessity: Company uses this legal basis in cases, when the application has to hold third parties’ information, significant for the provision of company’s services, as well as the information, needed to provide property protection, to keep the evidence of execution of a contract, and to defend company’s impaired rights. Upon the processing of data according to this legal basis, the Company runs check-up of balance of interests before starting the actual processing.
4.8.6. Legal basis: Consent of data subject.
Necessity: Company uses this legal basis with, for example, marketing purposes, e.g. upon the person’s filing of an application to get informational material, mailshots etc. Data subject is free to either agree on personal data processing or not. Data subject also has the right to withdraw his consent at any moment, therefore ceasing such processing. Withdrawal of consent does not affect legitimacy of storage, performed before such withdrawal.
4.9. Bank has the right to perform automated decision-making and profiling in respect of the clients. Profiling is automated processing of personal data, used to estimate particular personal traits of a client, especially for analysis or prediction of, for example, economic conditions, personal preferences, interests, location of this natural person. For instance, company uses profiling in the process of identification of suspicious deals. Automated individual solution is a solution only based on automated processing, which, in regard to a client, created legal consequences or which affects data subject in similar way. Automated making of individual decisions may be performed with or without profiling. Company assures that a client would be specifically informed if received personal data would be used for automated making of individual decisions (including profiling).
5. Sharing Personal Data with a Third Party
5.1. Taunigma company’s priority upon processing personal data is the observance of information’s confidentiality. Information can be shared with third parties in such volumes and cases, which are set in current regulatory acts of EU, and in order to provide quality and effective services or whenever it’s necessary for the execution of obligations upon agreements, executed with data subject.
5.2. Bank doesn’t share client’s personal data or any information, received during the provision of services and the term of the agreement, including information on received services, financial relations or other information, except for the cases, when:
5.2.1. data has to be shared to a third party according to executed agreement to perform a specific function, which is necessary to perform the agreement or comply with the law;
5.2.2. client explicitly expressed his unambiguous consent for doing so;
5.2.3. it is based on external regulatory acts, and only in cases, volumes and through procedures, identified in such acts (e.g. to law enforcement authorities, jury bailiffs, supervisory agencies and financial investigation agencies);
5.2.4. it is defined in external regulatory acts to protect legal interests of the Company, e.g. upon initiation of legal action or other state body against a client, that impair legal interests of the Company;
5.2.5. third parties, which process personal data on behalf of the Company;
5.2.6. organizations, related to the Company;
5.2.7. other persons, who guarantee client’s full compliance with his obligations before the Company;
5.2.8. members of European and international settlement systems, including SWIFT, and related persons;
5.2.9. beneficiaries of payments and deals;
5.2.10. other persons, related to the provision of services to the Company, including those who provide services of archiving, mailing, telecommunicating, and services to a client;
5.2.11. business partners, who provide loyalty programs and various benefits to a client;
5.3. Before sharing data to a third party, the Company executes an agreement with it, which specifies the procedure which is to be used by the third party in order to process and protect personal data. Third party gets only such information that is needed to perform a specific intention. When possible, the Company shares the information with nickname, which third party cannot use to identify specific data subject or the information, which holds encrypted personal data. Taunigma may not execute an agreement with third party only in those cases, when the sharing of particular data is regulated with the terms or current regulatory acts of EU.
6. Sharing of Personal Data with Third Countries
6.1. Commonly, personal data is processed in EU/EEA, but in particular cases it can be shared and processed in countries outside EU/EEA (in third countries). Sharing and processing of personal data outside EU/EEA may be performed on legal basis, namely in order to perform legal obligation, to execute or perform an agreement or with consent of a client, and provided that the adequate safety measures are taken. Adequate safety measures are, for example, executed agreement, including standard clauses of EU agreement, ratified according to the Regulation.
6.2. Following request, data subject may receive detailed information on the sharing of personal data with countries outside EU/EEA.
7. Data Subject’s Rights
7.1. Having filed the written application to Taunigma, data subject is entitled to receive information about his personal data, available to the Company, and to ask to amend, delete or extend it. These right of data subject do not apply to the collection and processing of data, performed in order to comply with requirements of regulatory acts, which regulate prevention of legalization of proceeds of criminal activity and financing of terrorism, as well as in the cases, defined in regulatory acts.
7.2. Data subject may file requests and complaints regarding personal data processing the following ways:
7.2.1. in written form, personally in the Company’s office, by showing ID;
7.2.2. by sending an e-mail to: firstname.lastname@example.org;
7.3. Upon receipt of data subject’s request on execution of his rights, the Company verifies identity of data subject. Available information on client and his deals, which the Company receives upon the provision of services according to executed agreements, is not subject to disclosure, and it can only be presented to the client himself or his legal representatives.
7.4. Data subject has the following rights regarding the processing of his personal data:
7.4.1. to get the information on processing of his personal data, its purposes and legal basis. If personal data collected from third parties, the Company is not obliged to inform data subject about the processing of personal data;
7.4.2. to have access to his data and to receive confirmation of data processing. For example, client can use internet-office of the Company to learn the information on personal data, account balance etc.
7.4.3. to change his data, if it’s incorrect or inaccurate. By filing reasonable request with back-up information (if necessary), data subject may demand that the Company amends or changes his incorrect or inaccurate personal data without undue delay.
7.4.4. delete his personal data or be “sank into oblivion”. For example, if data are no longer needed for the purposes it was collected for or if data subject withdrew his consent, based on which data was processed, unless the Company doesn’t have any other purpose or legal basis to process it;
7.4.5. limit processing of data, for example, if data subject objects the accuracy of data or if data is no longer needed to the Company to achieve defined purposes, and data subject does not object data deletion, in order to raise, perform or protect legal claims etc.;
7.4.6. object processing of personal data, if such processing is based on legal interests of the Company and public interest. The right for objection cannot be exercised if legal basis for processing of personal data is consent expressed by data subject, establishment and execution of contractual obligations, execution of legal obligation, protection of vital interests of data subject or third parties;
7.4.7. right for data portability or movement in order to keep or reuse it, for example by passing it to another subject of services. This right cannot be experienced in respect of the entire information in general, but only in respect of such personal data that is provided by data subject, for example, by filling in the forms for the use of products and services of the Company, as well as in respect of personal data, processing of which is performed through automated means (not through paper records).
7.5. Company considers the request of data subject without undue delay, and gives an answer to data subject within no longer than one month since the receipt of request, informing data subject about the measures, which will be taken upon such request. Taunigma may extend the period of considering the request for two more months, provided there’s a basis for it (e.g. large amount or complexity of requests).
7.6. Company answers requests of data subject and takes any other actions related to the execution of the request of data subject for free, except for the cases when the request is clearly groundless, excessive or inadequate to resources available to the Company, namely if handling of request or the terms of its handling pose a threat to the work of Taunigma or the rights of other natural persons.
7.7. Data subject is entitled to file complaints if he considers that his personal data are being processed in violation of the requirements of regulative acts.
7.8. Data subject is entitled to file complaints to supervisory agency of the very member state, in which he resides or works, or in the place of alleged violation, if data subject considers that the Company violates the requirements of regulative acts.
8. Period of Storage of Personal Data
8.1. Personal data would be processed only while it is necessary. Period of storage may be based on the agreement with client, legal interests of the Company, of applied regulative acts.
8.2. Taunigma keeps and processes personal data of data subject during the existence of at least one of the following conditions:
8.2.1. unless and until the agreement, executed with data subject, is valid;
8.2.2. unless and until the Company and data subject may exercise their legal interests (e.g. object or prosecute a claim in court) according to the procedure established by regulatory acts;
8.2.3. unless and until the Company has legal obligation to storage personal data;
8.2.4. unless and until data subject’s consent for the processing of personal data is valid, if there’s no other legal basis for the processing of personal data.
8.3. After the period of storage of personal data is expired according to the point 8.2, personal data of data subject are being deleted.
9. Personal Data Security Expert
9.1. Taunigma has the personal data security expert, who organizes and supervises the compliance of the Company’s personal data processing with the requirements of regulative acts and this Policy.
9.2. Data subject is entitled to get the answers for general questions related to the Company’s processing of personal data (questions that do not require the provision of closed information) and to withdraw his consent for the processing of personal data by sending an e-mail to email@example.com. In turn, the request for the information on the processing of personal data or any complaint should be filed according to the procedure, set in point 7.2 of the Policy. Company provides communication in Russian, German and English.
10. Maintenance of Policy
10.1. Maintenance of Policy is performed with regards to the amendments in Taunigma’s processing of personal data, and according to the amendments in external regulative acts, but at least once a year.
10.2. Personal data security expert is entitled to make proposals to the administration of the Company regarding the improvements of Company’s security system of personal data.
10.3. Administration of the Company is entitled to amend the Policy.
10.4. Policy with all amendments is being published on Company’s website and comes into effect upon its publication.