MCI Logo

Policy on protection and confidentiality of personal data within O.C.N. Microinvest S.R.L.

1. 1.General provisions

1.1 Operator of personal data

O.C.N. MICROINVEST S.R.L. (hereinafter referred as the Company) is a commercial company registered according to the laws of the Republic of Moldova with the State Registration Chamber on April 29, 2003, having the unique fiscal code 1003600053518 with headquarters in 12, Renaşterii Naţionale Ave, Chişinău Municipality, registered in the Register of personal data operators of the National Center for Personal Data Protection, with the number 0000172 in accordance with the Law no.133 of July o8, 2011 on the protection of personal data (hereinafter the Law no. 133) as the operator of personal data, with the purpose of its activity – non-banking financial services. National Center for Personal Data Protection is a supervisory authority of the Republic of Moldova that monitors and controls the processing of personal data in terms of legality. The Company, as an Operator, processes personal data in good faith and for achieving the purposes specified herein.


1.2 Purpose of the Policy

This Policy is intended to uniquely inform any private individual whose personal data are processed by the Company and applies to the following parties referred to collectively as “Persons Interested” or ”Subjects of personal data”:
– Customer (even after the termination of the contractual relationship), potential clients, persons with whom the Company carries out occasional transactions, the legal or conventional legal representatives of the Client, Guarantor, borrower pledger, borrower mortgagee;
– Contact persons, employees and / or private individuals designated by a Customer (even after the termination of the contractual relationship) of the Company;
– Contact persons, legal or conventional representatives, colleagues, employees and / or other private individuals designated by a contractual partner of the Company;
– Employees of the Company;
– Candidates who wish to fill positions within the Company;
– Visitors of the Company’s websites;
– Private individuals who submit a petition addressed to the Company and who do not meet the criteria specified above.
This Policy on confidentiality explains how the Company processes personal data, also describes the types of personal information processed. Furthermore, it establishes the rights of the data subjects with respect to personal data processed by the Company.


1.3 Relevant definitions used

Relevant definitions in the context of personal data protection:
Personal data – any information relating to an identified or identifiable private individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific elements, of its physical, physiological, genetic, psychic, economic, cultural or social identity.
Personal data processing – any operation or set of operations performed on personal data using automated or non-automated means such as: collection, recording, organization, storage, keeping, restoring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Data subject – may be the applicant for a product or service offered by the Company, parties authorized by data subject, as well as any other private individual whose Personal Data may be transmitted or collected by the Operator for the purpose of carrying out Personal Data Processing activities, both own purposes and in the name and on behalf of its contractual partners, according to the purposes determined by the latter.


2. 2. Personal data processed by the Company

In the course of its activity, the Company processes the following categories of personal data:
• Identification and contact details – name and surname, customer code, IDNP, series and number of identification document, copy of such document, date and place of birth, gender, citizenship, signature, place and date of birth, home address, residence address, mail address, telephone number, fax, e-mail, contact and identification data for remote means of communication, IP address of an electronic device, unique identification codes (eg: client or user codes), authentication codes, passwords.
• Data and financial information required to establish the payment capacity – types of income and expense, credit history information, any other information provided by credit bureau entities, data on movable / immovable property (addresses, cadastral numbers, data from the technical passport of means of transport).
• Social and family data – family status, profession, occupation, occupation, workplace / employer name, medical insurance, vocational training, nature of own activity, public office held, political exposure (if applicable).
• Data related to fraudulent activities – allegations, convictions related to crimes such as fraud, money laundering and terrorist financing.
• Image and voice data – the image (contained in the identity documents or reordered by the video surveillance cameras installed at the Company’s offices), voice, including featured on recordings of phone conversations, or both in case of advertisement which the customers participate as well.


3. 3. Purpose of data processing

The financial non-banking activity of the Company is governed by legislation in most aspects of it, from customer identification, confidentiality of the relationship, prudence and diligence in the provision of services, to security measures and even the way contractual partners are to be chosen. Besides legal framework and contracts, the Company also relies on legitimate interest when processing personal data. Thus, personal data are processed for the following purposes:
a) For the performance of a contract to which the personal data subject is party, or in order to take certain steps prior to entering into a contract, at the request of the data subject, the company is entitles to perform data processing for the following purposes:
– assessing eligibility to deliver products and services to the company;
– performing any contractual relationships (with customers, employees or members of the supervisory board, partners or employees of the company);
– safe and secure execution of transactions with financial means: at the counter, through transfer, card, POS, payment terminals, etc.;
– monitoring all obligations assumed towards the Company;
– collection of debts / debt recovery (as well as pre-activities);
– establishing, exercising or defending certain rights in court or other authorities;
– managing requests / reclamations / complaints / petitions / investigations in connection with the Company’s activity, services / products or employees;
– concluding and executing employment contracts.

b)  In order to comply with legal obligations, it is necessary for the Company to process data for purposes such as:
– identifying and knowledge of clients, preventing money laundering and combating terrorist financing, preventing frauds;
– providing reports and information at the request of the authorities (e.g.: courts of law, investigative bodies, enforcement bodies, notaries, tax authorities, supervisory authorities, anti-money laundering services etc.);
– management of audits, reporting, as well as controls and investigations by national authorities;
– ensuring security in the premises of the Company;
– credit risk management and risk management by creating risk profiles;
– keeping / depositing / storing and archiving documents;
– implementing data security measures and managing business continuity in the event of unforeseen circumstances, including by getting back up copies;
– implementing means to allow any person to report inconsistencies / complaints about the services provided by the Company;
– compliance with labor law as regards employee relations.

c) In order to achieve / follow the Company’s legitimate interests in the proper management of its business, the Company may perform data processing for purposes such as:
– designing, developing, testing and using computer systems and services (including database storage / archiving, designing credit risk assessment models – rating, scoring, etc.);
– diversifying products and services and adapting them to customer needs;
– maintaining the reputation, integrity and security of the business;
– simple marketing and surveys on the services provided by the Company and its activity;
– identifying the assets and updated contact details of customers and partners for the purpose of exercising the Company’s rights to recover claims/receivables;
– recruitment and human resources with regard to the Company’s candidates and employees, the granting of benefits.

d) Certain data processing is done by the Company only if it has the consent to do so. Consent is required to process data for the following purposes:
– transmitting and receiving credit information from credit bureau entities on behalf of clients (for example, the credit risk situation and status of loans in arrears, as well as information about credit products or other commitments that the customer benefits from), for the purpose of initiating, developing and monitoring credit relationships with customers;
– direct transmission of advertising messages (direct marketing) in order to promote products and services;
– analyze the transaction history, their characteristics, the location of transactions initiation, in order to customize dedicated and exclusive offers for a category of clients;
– analyze the behavior of visitors of the Company’s site by using cookies.


4. 4. Legal grounds of data processing

Personal data are processed by the Company according to the following legal grounds:
a)  On the basis of the consent of the data subject, pursuant to art. 5 par. (1) of the Law no. 133. If consent was requested and expressed either at the beginning of the relationship with the Company or later, for some data processing, the subject of the data may change his/her mind at any time. Withdrawal of consent will not affect the lawfulness of data processing made prior to withdrawal, and the contractual relationship will not suffer.
b)  For the execution of a contract to which the data subject is a party or to take action at the request of the data subject prior to the conclusion of a contract (e.g. grating of a credit product, communication with the data subject in order to execute the contract, analysis required to assess payment capacity, etc.), pursuant to art. 5 par. (5) letter a) of the Law no. 133;
c) In order to meet a legal obligation assumed by the Company (e.g. reporting to competent authorities, knowledge of clients to prevent money laundering and terrorist financing, etc.), pursuant to art. 5 par. (5) lit. b) and art. 2 par. (2) lit. d) of Law no. 133;
d) For the purpose of legitimate interests pursued by the Company (e.g. recovery of claims relating to the contractual relationship concluded, ensuring the security of persons and property, etc.), but in view of protecting the interests, fundamental rights and freedoms of the data subject, according to art. 5 par. (5) lit. e) of Law no. 133.


5.5. Personal data disclosure through processing

In order to achieve the processing purposes listed in Chapter 3 of this Policy, the Company may transmit some or all categories of personal data to the following recipients:
– employees of the Company within specific departments;
– public institutions for supervision of non-bank lending activity;
– public authorities (e.g. State Tax Service, Office for prevention and fight against money laundering);
– entities organized as Credit Bureaus;
– bailiffs, notaries, auditors;
– courts;
– contractual partners and service providers such as printing, IT and telecommunication services, document destruction services, debit collection or debt recovery companies, etc.;
The Company performs an appropriate prior assessment upon selection of service providers and imposes adequate security, technical and organizational measures to protect personal data and to process personal data only under the relevant legislation on personal data.


6. 6. Duration of personal data processing

In order to achieve the purposes stated in this Policy, personal data will be processed by the Company throughout the contractual relationship with the data subjects concerned and after its termination in order to comply with the applicable legal obligations, including those relating to archiving. The legal deadlines for archiving vary depending on the type of data, and in some cases may constitute up to 75 years. In general, transaction data should be kept for 5 years after termination of relationship with customer. However, the data may be kept for a longer period at the request of the authorities or for the protection of legitimate interests.
The personal data specified in the loan application and those processed for knowing the clients for the purpose of preventing and sanctioning money laundering and combating terrorism are stored in the Company’s records for a period of 10 years from the date of signing the loan application, if it is rejected and, respectively, for a period of 10 years starting on the date of termination of credit relationship, if a credit agreement is concluded following the approval of the loan application.
For data processed under the consent of the data subjects for the purpose of transmitting advertising messages, such data will be processed until termination of the business relationship with the Company or, as the case may be, until such consent is withdrawn.
In order to prove that petitions / referrals / complaints / requests for information / measures have been received and replies to them have been made, including for the quality control of the answers provided by the Company, messages of this type received through any channel will be kept in the records of the Company in both paper and electronic format, during the business relationship for the clients, respectively for a period necessary to fulfill purpose for which such data were processed (making a reply / providing information), plus a period of 3 years – the legal period of limitation/prescription, if the data do not belong to persons with whom the Company has established a business relationship.
Personal data processed for the purpose of recruitment will be retained by the Company until the recruitment process for the available job is completed. If the data subjects wish to be contacted for several suitable posts, the CV data and other records they have made available to the Company for this purpose will be retained for up to 2 years if during this time it is not required to delete such data from the Company’s records.
The storage time of the data obtained through the video surveillance system is proportional to the purpose for which the data are processed, i.e. does not exceed 30 days, the period after which the recordings are deleted by automatic procedure, in the order in which they were recorded. In case of a security incident, the retention time of the relevant reordered material may exceed the normal limits according to the time required to further investigate the security incident.
Any other personal data processed by the Company for any other specified purposes will be retained for the period necessary to meet the purposes for which they were collected, to which may be added non-excessive deadlines established in accordance with the applicable legal obligations in the field, including but not limited to, to the archiving provisions.


7.7. Rights of personal data subjects

For complete information, data subjects shall benefit from the following exclusive rights to their personal data, foreseen by the Law no. 133.
The right to information – the right to receive information about the personal data processing activities performed by the Company as well as about the rights of the data subject.
The right of access to personal data – the data subjects have the right to access their personal data, respectively to obtain a confirmation whether the Company processes their personal data or not, as well as a copy of such data, so that they have the possibility to verify whether they are processed by the Company in compliance with the applicable legislation.
The right of intervention upon personal data – any personal data subject has the right to rectification, update, blocking or erasure of personal data. Data subjects have the right to have their personal data corrected if they are in a wrong format in the Company’s systems, if they are inaccurate or incomplete. Data deletion is also called the right “to be forgotten”, and on the basis of it the data subjects may request the deletion of their personal data that the Company processes, if the basis for processing them no longer exists. There may be situations in which the Company will not be able to comply with the data deletion requests, namely: in cases where the Company has a legal obligation to store/retain personal data; in cases where data are stored for purposes of archiving in the public interest or for statistical purposes; in cases where the data are necessary for the establishment, exercise or defense of a right in court.
The right (of the personal data subject) to object – the right of the data subject to oppose at any time, and free of charge for grounded and legitimate reasons relating to his / her particular situation, that personal data relating to him / her are subject to processing, including by creation of profiles; also the personal data subject has the right to object at any time and free of charge without any justification, to the processing of personal data relating to him for the purpose of marketing.
The right not to be subject to an individual decision – data subject is entitled to request and obtain the withdrawal, cancellation or reassessment of any decision based exclusively on the processing by automatic means (including the creation of profiles, establishing of payment capacity, automatic decision-making) which produces legal effects in relation to the data subject.
Right to address to the justice – the right of the data subject to refer in a court in order to repair the material and moral damages, if he/she has suffered damages as a result of an unlawful processing operation of personal data or his/her rights and interests guaranteed by the Law no.133 have been violated.


8. 8. Usage of cookies

8.1 Notion of cookies

“Cookies” are fragments of text created in the browser by the Company’s website that you access. Using these, the website retains information about a user’s visit to the site, such as your preferred language and other settings. Thus, the following visits can be simpler. Cookies play an important role. Without them, using the internet would be a far more frustrating experience.

8.2 8.2 Types of cookies used by the Company

The Company uses the following categories of cookies:
• Cookies strictly required – without which you can not operate and navigate on the company’s website, such as those that help identify, authenticate, and access the Company’s website; These cookies are necessary for the operation of the website and can not be disabled in the Company’s systems. In the browser that the user uses, it is possible to set the blocking or receipt of a warning about these cookies, but in this case, certain parts of the site may not work.
• Performance cookies – These cookies are used to improve the performance and functionality of the Company’s sites, but are not essential to their operation. The information provided by the analytics cookies module helps operators understand how visitors use sites and then use this information to improve the way content is presented to users. However, without these cookies, some functionality may become unavailable.
• Measure cookies – these cookies are strictly used for statistical purposes and allow counting of users visiting the site or how much is accessed a particular item on the page (e.g. a button). These cookies do not collect personal data and expire at the end of each session.
• Promotional cookies – These cookies are set on the site based on agreements the Company has with advertising partners (e.g., Social Media pages, Google, etc.). With the help of these cookies, partners can create a profile of site visitors, for whom it will be possible to display certain advertisements related to the Company’s website on other sites they access.
For more detailed information about the cookies used and their manual management, please, visit Each user if free to make the decision to keep or delete cookies. The purpose of cookies is to improve your browsing experience and help with statistical data collected from visits to the website to improve the products and services that the Company offers. These files do not pose a threat to user data security. They will not access or transmit any information stored on the hard drive of the computer or the user’s phone. Their dimensions are negligible, not altering the performance of the computer or phone on which they are stored. A possible deletion of these files could make navigation on difficult, limiting the user’s content viewing capabilities.

9. 9. Final provisions

The provisions of this Policy will be subject to change or review periodically or whenever necessary. The Policy, as well as any proposed changes, will be brought to the attention of the User and the individuals concerned, by publishing the updated version on the Company’s website as well as the information panels at the premises of the Company’s Offices.
The Company reserves the right to make changes to the Data Protection and Privacy Policy at any time, without the obligation to notify, if such changes are required by applicable law.