Privacy policy
1. General provisions
1.1 Operator of personal data
In this internal regulatory document, the terms “Company” or “Microinvest” refer to the entire Microinvest Group, which includes O.C.N. Microinvest S.R.L. and Microinvest Technology S.R.L., as applicable. Depending on the specific context, these terms may refer exclusively to O.C.N. Microinvest S.R.L., either in relation to both entities or solely to O.C.N. Microinvest S.R.L., if no other specification is made in the express provisions of this document.
O.C.N. MICROINVEST S.R.L. is a commercial company registered under the laws of the Republic of Moldova with the State Registration Chamber on April 29, 2003. The company has the unique fiscal code 1003600053518 and its registered office is located at 12 Renașterii Naționale Blvd, Chisinau. As a data controller, it processes personal data in accordance with Law No. 133 of July 8, 2011, on the protection of personal data (hereinafter referred to as Law No. 133), as well as other relevant legal and regulatory provisions governing personal data protection. Its business activities are focused on providing non-bank financial services.
The National Center for Personal Data Protection is the supervisory authority in the Republic of Moldova, responsible for overseeing and ensuring the legality of personal data processing. The Company, as the Data Controller, processes personal data in good faith and for the purposes outlined in this policy.
1.2 Purpose of the Policy
This policy aims to provide consistent information to any individual whose personal data is processed or may be processed as a result of interacting with the Company. It applies to the following individuals, collectively referred to as “Data Subjects” or “Personal Data Subjects”:
– Customers (even after the termination of contractual relationships), potential customers, individuals with whom the Company conducts occasional transactions, legal or conventional representatives of the Customer, Guarantors, wage/ mortgage debtors;
– Contact persons, employees, and/or individuals designated by a Customer of the Company (even after the termination of the contractual relationship);
– Contact persons, legal or conventional representatives, collaborators, employees, and/or individuals designated by a contractual partner of the Company;
– Employees of the Company;
– Candidates wishing to fill positions within the Company;
– Visitors to the Company’s official websites, official social media pages, when browsing leads to the processing of personal data, including automated remote systems, chatbots;
– Visitors to the Company’s offices, where video surveillance cameras are installed, without the purpose of identifying the individual;
– Users of the Personal Cabinet/Mobile Application;
– Individuals who have submitted a petition to the Company and do not fall under the categories listed above.
The information provided to the data subject/about the individual concerned, regarding the purpose and conditions for the processing of personal data, is ensured through the relevant notifications in the forms presented to them within the services provided (applications/contracts/questionnaires/statements), via the website and automated remote service systems, as well as through other communication channels established within the company. At the same time, this Privacy Policy explains how the Company processes personal data, describes the types of personal information processed, the purposes of personal data processing, establishes the rights of the data subjects concerning their personal data, outlines how these rights can be exercised, and provides details about cookies.
1.3 Relevant definitions used
Relevant definitions in the context of personal data protection:
Personal data – any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific elements of their physical, physiological, mental, economic, cultural, or social identity.
Personal data processing – any operation or set of operations performed on personal data, whether automated or manual, such as collection, recording, organization, storage, retention, retrieval, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination, or otherwise, alignment or combination, blocking, deletion, or destruction.
Data subject – may be the applicant for a product or service offered by the Company, their authorized representatives, as well as any other natural persons whose Personal Data may be transmitted or collected by the Controller for the purpose of carrying out Personal Data processing activities, both for its own purposes and on behalf of and for the benefit of its contractual partners, according to the purposes determined by them.
2. Personal data processed by the Company
Within its operations, the Company processes the following categories of personal data related to an identified or identifiable natural person (data subject):
• Identification and contact details – First and Last Name, national identification number (series and number of the identity document), a copy of the identity document, signature, date and place of birth, gender, nationality, handwritten signature, home address, residence address, correspondence address, telephone number.
• Contact and identification details for remote communication means – telephone number, email address, electronic signature, IP address(es), operating system and platform of the electronic devices used to connect to the Company’s information systems, unique identification and authentication codes: client code, login, one-time password (OTP), authentication type (native biometric of the phone and/or login PIN hash from the mobile application), biometric data (fingerprint or facial biometric image used to unlock the device), mobile phone name (device type and brand), other information included in cookie files, etc.
• Financial data and information necessary to assess the payment capacity – types of income and expenses, credit history information, any other information provided by entities such as the Credit Bureau; data regarding movable/immovable property owned (addresses, cadastral numbers, data from the Movable Property Register, data from the State Transport Register).
• Social and family data – family status, profession, occupation, workplace/employer’s name, health insurance, professional training, nature of the individual’s activity.
• Political affiliation data – information related to being a politically exposed person, in specific cases, processed only as required by legislation on preventing and combating money laundering and the financing of terrorism.
• Fraud-related data – accusations, convictions related to crimes such as fraud, as well as data from public media sources that may reveal information about fraudulent or potentially fraudulent activities, money laundering, and terrorism financing, data regarding international sanctions.
• Data related to image, photo, voice, or geolocation – image (contained in identity documents or captured by video surveillance cameras installed at the Company’s premises), voice, including in telephone conversation recordings, or both in the case of promotional spots of the Company involving clients. Geolocation (e.g., for displaying the nearest Secondary Offices of the Company).
• Other data necessary for business purposes.
The Company avoids processing data from the special category of personal data (racial or ethnic origin, political, religious beliefs, health status or intimate life, as well as criminal convictions), except in cases where:
– The processing is necessary to fulfill obligations and exercise specific rights, as authorized by applicable legislation;
– The processing concerns personal data made public;
– The processing is necessary for the establishment or exercise of a right in court.
Refusing to provide the necessary personal data to the Company for the intended/requested activities may prevent the provision of services and/or the fulfillment of other data processing purposes.
3. Purpose of data processing
The non-banking financial activity of the Company is regulated by legislation in most of its aspects, ranging from customer identification, confidentiality of the relationship, prudence, and diligence in providing services, to security measures and even the way in which contractual partners are selected. In addition to the legal framework and contracts, the Company also relies on legitimate interest when processing personal data. Thus, personal data is processed for the following purposes:
a) For the execution of a contract to which the data subject is a party or for taking measures before the conclusion of the contract, at the request of the data subject, the company may process data for purposes such as:
• assessing eligibility and creditworthiness in order to provide the company’s products and services;
• managing any contractual relationships (with clients, collaborators, members of the supervisory board, partners, or employees of the company);
• ensuring the proper and secure execution of financial transactions: at the counter, via transfer, card, POS, payment terminals, etc.;
• monitoring all obligations assumed towards the Company;
• collecting debts/recovering claims (including activities leading up to this);
• establishing, exercising, or defending rights in court or before other authorities;
• managing requests/complaints/petitions/investigations related to the company’s activities, services/products, or employees;
• concluding and executing employment contracts;
b) For compliance with legal obligations, the Company needs to process data for purposes such as:
• applying measures to prevent and combat money laundering, terrorism financing, and fraud, in order to identify and know the clientele, assess risks, and report transactions;
• providing reports and information upon request by public authorities (e.g., courts, investigative bodies, enforcement authorities, notaries, tax authorities, supervisory authorities, the Service for Preventing and Combating Money Laundering (SPCSB), etc.);
• managing audits, reports, as well as inspections and investigations by national authorities;
• ensuring security at the Company’s premises/offices;
• managing credit risk and risk management by creating risk profiles;
• preserving/storing/archiving documents;
• implementing data security measures and managing business continuity in case of unforeseen situations, including by making backup copies.
• implementation of means that allow any person to report discrepancies/discontent related to the services provided by the Company;
• compliance with labor legislation regarding employee relations.
c) In order to achieve/monitor the legitimate interests the Company has in connection with the proper management of its activities, provided these interests do not harm the interests or fundamental rights and freedoms of the data subject, the Company may process data for purposes such as:
– design, development, testing, and use of information systems and services (including storage/archiving of databases, designing credit risk assessment models – rating, scoring, etc.);
– diversification of products and services and their adaptation to customer needs;
– offering products/services, including online, for the company’s clients who benefit from the services provided;
– recording communications via digital/analog channels (e.g., the company’s website, online chat, mobile application, email, etc.);
– maintaining the reputation, integrity, and security of the business;
– simple marketing and conducting surveys regarding the services offered by the Company and its activities;
– identifying the assets and updated contact details of clients and partners, for exercising the Company’s rights regarding debt recovery, enforcement of amounts due, and managing seizures;
– recruitment and human resources concerning the Company’s candidates and employees, internships, training participation, provision of benefits;
– providing security and protection for the buildings, assets, staff members, and visitors of the Company through the video surveillance system;
– transmitting and receiving credit information from entities like Credit Bureaus regarding loans taken out by clients (e.g., credit risk status and overdue loan information, as well as information about credit products, or other commitments the client benefits from), for initiating, carrying out, and monitoring credit relationships with clients;
– providing responses/information, addressing requests/complaints/notifications of any kind made through any channel, including digital ones;
– for statistical purposes;
– other purposes related to the Company’s activities.
d) Certain data processing of the data subjects is only carried out by the Company if it has the consent in this regard or another legal basis. Consent or another legal basis is required to process data for purposes such as:
– direct sending of advertising messages (direct marketing) to promote products and services;
– analysis of transaction history, characteristics, and transaction initiation locations, in order to personalize dedicated offers.
In the cases described in points a) – c) above, the consent of the data subject is not required.
4. Legal grounds of data processing
Personal data are processed by the Company according to the following legal grounds:
a) On the basis of the consent of the data subject, pursuant to art. 5 par. (1) of the Law no. 133. If consent was requested and expressed either at the beginning of the relationship with the Company or later, for some data processing, the subject of the data may change his/her mind at any time. Withdrawal of consent will not affect the lawfulness of data processing made prior to withdrawal, and the contractual relationship will not suffer.
b) For the execution of a contract to which the data subject is a party or to take action at the request of the data subject prior to the conclusion of a contract (e.g. grating of a credit product, communication with the data subject in order to execute the contract, analysis required to assess payment capacity, etc.), pursuant to art. 5 par. (5) letter a) of the Law no. 133;
c) In order to meet a legal obligation assumed by the Company (e.g. reporting to competent authorities, knowledge of clients to prevent money laundering and terrorist financing, etc.), pursuant to art. 5 par. (5) lit. b) and art. 2 par. (2) lit. d) of Law no. 133;
d) For the purpose of legitimate interests pursued by the Company (e.g. recovery of claims relating to the contractual relationship concluded, ensuring the security of persons and property, etc.), but in view of protecting the interests, fundamental rights and freedoms of the data subject, according to art. 5 par. (5) lit. e) of Law no. 133.
5. Personal data disclosure through processing
In order to achieve the processing purposes listed in Chapter 3 of this Policy, the Company may transmit some or all categories of personal data to the following recipients:
– employees of the Company within specific departments;
– public institutions for supervision of non-bank lending activity;
– public authorities (e.g. State Tax Service, Office for prevention and fight against money laundering);
– entities organized as Credit Bureaus;
– bailiffs, notaries, auditors;
– courts;
– contractual partners and service providers such as printing, IT and telecommunication services, document destruction services, debit collection or debt recovery companies, marketing agencies, IT application and system suppliers, etc.
All the above mentioned recipients are contractually and / or legally obliged to comply with the legal requirements and the measures of security and confidentiality of personal data.
The Company performs an appropriate prior assessment upon selection of service providers and imposes adequate security, technical and organizational measures to protect personal data and to process personal data only under the relevant legislation on personal data.
6. Duration of personal data processing
In order to achieve the purposes stated in this Policy, personal data will be processed by the Company throughout the contractual relationship with the data subjects concerned and after its termination in order to comply with the applicable legal obligations, including those relating to archiving. The legal deadlines for archiving vary depending on the type of data, and in some cases may constitute up to 75 years. In general, transaction data should be kept for 5 years after termination of relationship with customer. However, the data may be kept for a longer period at the request of the authorities or for the protection of legitimate interests.
The personal data specified in the loan application and those processed for knowing the clients for the purpose of preventing and sanctioning money laundering and combating terrorism are stored in the Company’s records for a period of 10 years from the date of signing the loan application, if it is rejected and, respectively, for a period of 10 years starting on the date of termination of credit relationship, if a credit agreement is concluded following the approval of the loan application.
For data processed under the consent of the data subjects for the marketing purposes, such data will be processed until revocation of the agreement given by the data subject in this regard.
In order to prove that petitions / referrals / complaints / requests for information / measures have been received and replies to them have been made, including for the quality control of the answers provided by the Company, messages of this type received through any channel will be kept in the records of the Company in both paper and electronic format, depending on how they are received and responded to, during the business relationship for the clients, respectively for a period necessary to fulfill purpose for which such data were processed (making a reply / providing information), plus a period of 3 years – the legal period of limitation/prescription, if the data do not belong to persons with whom the Company has established a business relationship.
Personal data processed for the purpose of recruitment will be retained by the Company until the recruitment process for the available job is completed. If the data subjects wish to be contacted for several suitable posts, the CV data and other records they have made available to the Company for this purpose will be retained for up to 2 years if during this time it is not required to delete such data from the Company’s records.
The storage time of the data obtained through the video surveillance system is proportional to the purpose for which the data are processed, i.e. does not exceed 90 days, the period after which the recordings are deleted by automatic procedure, in the order in which they were recorded. In case of a security incident, the retention time of the relevant reordered material may exceed the normal limits according to the time required to further investigate the security incident.
Any other personal data processed by the Company for any other specified purposes will be retained for the period necessary to meet the purposes for which they were collected, to which may be added non-excessive deadlines established in accordance with the applicable legal obligations in the field, including but not limited to, to the archiving provisions.
7. Rights of personal data subjects
For complete information, data subjects shall benefit from the following exclusive rights to their personal data, foreseen by the Law no. 133.
The right to information – the right to receive information about the personal data processing activities performed by the Company as well as about the rights of the data subject.
The right of access to personal data – the data subjects have the right to access their personal data, respectively to obtain a confirmation whether the Company processes their personal data or not, as well as a copy of such data, so that they have the possibility to verify whether they are processed by the Company in compliance with the applicable legislation.
The right of intervention upon personal data – any personal data subject has the right to rectification, update, blocking or erasure of personal data. Data subjects have the right to have their personal data corrected if they are in a wrong format in the Company’s systems, if they are inaccurate or incomplete. Data deletion is also called the right “to be forgotten”, and on the basis of it the data subjects may request the deletion of their personal data that the Company processes, if the basis for processing them no longer exists. There may be situations in which the Company will not be able to comply with the data deletion requests, namely: in cases where the Company has a legal obligation to store/retain personal data; in cases where data are stored for purposes of archiving in the public interest or for statistical purposes; in cases where the data are necessary for the establishment, exercise or defense of a right in court.
The right (of the personal data subject) to object – the right of the data subject to oppose at any time, and free of charge for grounded and legitimate reasons relating to his / her particular situation, that personal data relating to him / her are subject to processing, including by creation of profiles; also the personal data subject has the right to object at any time and free of charge without any justification, to the processing of personal data relating to him for the purpose of marketing.
The right not to be subject to an individual decision – data subject is entitled to request and obtain the withdrawal, cancellation or reassessment of any decision based exclusively on the processing by automatic means (including the creation of profiles, establishing of payment capacity, automatic decision-making) which produces legal effects in relation to the data subject.
Right to address to the justice – the right of the data subject to refer in a court in order to repair the material and moral damages, if he/she has suffered damages as a result of an unlawful processing operation of personal data or his/her rights and interests guaranteed by the Law no.133 have been violated.
In order to exercise these rights, or if it considers that the processing of personal data by the Company violates the legal provisions in the field of personal data protection, the subject of personal data may file a complaint or send a written request, dated and signed handwritten or electronically , on the contact address of the Company indicated in the contacts section on the official website https://microinvest.md/contacte/ or by e-mail sesizari@microinvest.md. The request will be examined and resolved without delay, in accordance with the internal procedures and legislation in force. Unsubscribing from the “newsletter” can be done independently, voluntarily and free of charge, at any time by accessing the special link for unsubscribing, from the end of the newsletter received.
8. Usage of cookies
8.1 Notion of cookies
8.2 Types of cookies used by the Company and their settings
The Company uses the following categories of cookies:
• Cookies strictly required – without which you can not operate and navigate on the company’s website, such as those that help identify, authenticate, and access the Company’s website; These cookies are necessary for the operation of the website and can not be disabled in the Company’s systems. In the browser that the user uses, it is possible to set the blocking or receipt of a warning about these cookies, but in this case, certain parts of the site may not work.
• Performance cookies – These cookies are used to improve the performance and functionality of the Company’s sites, but are not essential to their operation. The information provided by the analytics cookies module helps operators understand how visitors use sites and then use this information to improve the way content is presented to users. However, without these cookies, some functionality may become unavailable.
• Measure cookies – these cookies are strictly used for statistical purposes and allow counting of users visiting the site or how much is accessed a particular item on the page (e.g. a button). These cookies do not collect personal data and expire at the end of each session.
• Promotional cookies – These cookies are set on the site based on agreements the Company has with advertising partners (e.g., Social Media pages, Google, etc.). With the help of these cookies, partners can create a profile of site visitors, for whom it will be possible to display certain advertisements related to the Company’s website on other sites they access.
For more detailed information about the cookies used and their manual management, please, visit www.microinvest.md. Each user if free to make the decision to keep or delete cookies. The purpose of cookies is to improve your browsing experience and help with statistical data collected from visits to the www.microinvest.md website to improve the products and services that the Company offers. These files do not pose a threat to user data security. Their dimensions are negligible, not altering the performance of the computer or phone on which they are stored. A possible deletion of these files could make navigation on www.microinvest.md difficult, limiting the user’s content viewing capabilities.
By accessing and further browsing the company’s website, being informed, the user accepts the use and placement of cookies. In any case, the user can change the settings related to cookies at any time, or can delete these cookies, through the settings related to the browser used. Details on changing browser settings can be found on the browser developer websites in the “Settings” section indicated below:
The data collected by cookies are generally anonymous and are hidden and cannot be used to identify a particular visitor. Persistent cookies are saved on the user’s device and are not automatically deleted when the browser is closed, unlike a session cookie, which is deleted when the browser is closed. In cases where cookies process personal data capable of identifying the person, the data subject enjoys the rights provided in this policy, regarding personal data.
9. Final provisions
The provisions of this Policy will be subject to change or review periodically or whenever necessary. The Policy, as well as any proposed changes, will be brought to the attention of the User and the individuals concerned, by publishing the updated version on the Company’s website as well as the information panels at the premises of the Company’s Offices.
The Company reserves the right to make changes to the Personal Data Protection and Confidentiality and Cookies Policy at any time, without the obligation to notify, if such changes are required by applicable law.
10. Contacts
- E-mail: protectiadatelor@microinvest.md
- Adress: 12, Renasterii Nationale Ave, Chisinau, Republic of Moldova, MD-2024.
