Who are we and what do we do?
We are Hoist Finance AB (publ) Netherlands. We are part of the Hoist Finance AB (publ) group of companies.
What information do we hold, why do we process it, & how long do we keep it for?
We collect and otherwise process personal data for a variety of purposes within our operations. This Privacy Notice outlines the different processing activities we as controllers perform with your personal data. In the sections below you will find detailed information on the personal data processed in the different areas of our company.
Processing activities in our debt collection operations
In order to pursue the above purposes and to act appropriately and fairly, we process the following types of information, always under strict controls, such as encryption, internal access rights, and audits to keep your information safe.
| Type of information | Reason for processing | Legal basis for processing | How long we keep your information for |
|---|---|---|---|
| Contact and account information, such as your name, address, date of birth, national identification number and details of previous communication with us, for example records and recordings of telephone calls, emails, and letters. | To be able to contact you, keep records of any previous conversations or correspondence, and in general keep a full and up to date picture of your circumstances and your dealings with us. This is necessary to handle your case fairly and in your best interests. | The legal basis for processing this information is the original credit agreement, whereby a third party has acquired the claim and appointed us as the master servicer. Once your claim has been satisfied, we will hold your data to satisfy relevant regulations such as Anti Money Laundering, Dispute Resolution Rules, Capital requirements rules etc. | 7 years from when the account is closed, at which point it will be deleted (excluding call recordings which are deleted after 6 months from when the call took place). |
| Payment information, such as your bank account number, to set up direct debit or process your payments. | To be able to process payments and payment requests. | | 7 years from when the account is closed, at which point it will be deleted. |
| Litigation information, such as court information and the specific outcomes and costs. | As part of our collection strategy, we may decide to take litigation action against you. You will be notified prior to any action being taken, but in the event we need to, we will hold up to date and relevant information on all actions and outcomes in order to be able to act in the fairest way possible. | | 7 years from when the account is closed, at which point it will be deleted. |
| Credit reference information, such as historical addresses, credit application data, and credit score information. | We require this information to help form a complete picture of your circumstances as well as to improve the accuracy of the information we may already hold. | | 7 years from when we acquired the information from the credit reference agency, at which point it will be deleted. |
| Sensitive information, such as regarding your health or any other factor that may have an impact on your dealings with us. | We are required to understand the financial circumstances of our customers so we can provide the most appropriate and fair outcomes, especially in cases of vulnerability. Therefore, in the act of debt collection, the processing of sensitive information can be crucial to ensure customers are treated fairly and appropriately. | This sensitive information will only be processed with your consent. You have the right to withdraw this consent at any time. | 7 years from when the account is closed or when consent is removed, whichever comes first, at which point it will be deleted. |
Where do we get the information from?
We initially receive the information from the previous owner of the claim as part of its sale and transfer to us.
However, we also get information directly from you, such as when you talk to one of our agents or send us a letter, email or text providing us with your new address, payment details, or any other information.
Finally, we may also obtain information from third parties in order to increase the accuracy of the information we hold and/or to gain a better understanding of your circumstances. These third parties are credit reference agencies, public government records, and other organisations which provide services to improve the quality of the data we hold about you.
We may also retain records of your access to, and use of, our website to enhance your experience. Please see the cookies page for further information.
Disclosure of your information
We do not disclose your information except in the following limited circumstances:
We may share your personal information within the Hoist Finance group of companies, to which we belong. For example, our IT infrastructure is managed at group level. This helps to keep our systems operational and secure, allowing us to provide the best services to you that we can. Any sharing is subject to security and privacy requirements.
We may also share your personal data with carefully vetted organisations, who must comply with our strict security and privacy requirements and follow our guidelines, for the following purposes:
- To assist us in managing your account and/or maintaining accuracy of the information we hold about you. An example of this would be credit reference agency reporting.
- To provide us with specialised services to run our business. An example would be the printing company that sends out our physical letters to you, or where we use a third party to collect or manage a debt on our behalf.
Finally, we may also disclose your personal information to third parties:
- In the event we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce or apply our terms of use or to protect our rights, property or safety. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction, or with authorities for the purposes of tax reporting or anti-money laundering.
Your information will generally be kept within the EU/EEA or in countries deemed by the European Commission to have an adequate level of protection; only for limited purposes and temporarily may data be transferred to other countries. This is in particular where we need 24/7 technical support to maintain our IT infrastructure, and where the support teams of our service providers are located outside the EU/EEA.
In all cases, however, we have technical, organisational, and contractual protections in place to keep the information safe and to ensure an adequate level of protection. Contractually, transfers outside the EU/EEA to countries without an adequacy decision by the European Commission will be based on standard data protection clauses adopted by the European Commission, a copy of which may be obtained by contacting us. For transfers to the USA and other third country transfers we rely solely on standard contractual clauses (SCCs).
Processing activities in our My Environment (online self-service portal)
To give our customers the best overview of their liabilities and an easy-to-use management of payment orders, instalment plans and individual repayments, we offer our own online customer portal with a social login function.
An individual user account must be set up in order to use the functions of the online customer portal.
Proper verification of the personal data used to set up the user account is required to maintain confidentiality. This takes place in two essential steps, which we would like to inform you about below.
The registration process
If you choose to register an individual user account in order to use the customer portal, we will first ask you to verify that you are a customer of ours. For the purpose of verification we will need to collect some personal data from you. The information you provide will be compared with our database only for the purpose of verifying your authorization to use the portal. We will only process the following data categories to verify that you are a customer of ours:
| Type of information | Reason for processing | Legal basis for processing | How long we keep your information for |
|---|---|---|---|
| Your surname, date of birth and your reference number | To verify that you are a customer of ours and authorized to use the self service portal. | Performance of a contract | Until verification is complete |
Set up a login (login via your social media or email account)
If the first step has been carried out successfully, you will get to the second step, in which you have to set up a login to register in our online customer portal. In addition to the usual registration process by entering a valid email address, you have the option of setting up a social login via the social media provider you have selected.
This offers you the advantage of being able to log in when you access the online customer portal in the future simply by entering the user data of your preferred social media account linked to our portal (e.g. Facebook, LinkedIn, Google, etc.).
If you decide to set up a social media login, after selecting the social media account to be linked, you will be redirected to its login page by clicking on the respective provider logo, where you can verify yourself as usual by entering your login data.
If you only want to use your preferred email account, just enter your email address and the password that you would like to use to log into our online customer portal in the input mask provided for this purpose.
You will then receive a verification email, which you must first confirm. Simply click on the verification link provided for this purpose.
If your selected social media or email provider has been successfully verified, they will transmit the corresponding verification data to us via the authentication routine we use for this purpose, whereupon the verified social media account or your email address can be used to log into our online portal.
The data processed exclusively to link your social media or email account with our online portal is transmitted via an encrypted connection (SSL / TLS encryption). As part of the linking process, it is technically excluded that we gain knowledge of the security-critical login data you use (in particular passwords).
Overview of the data categories processed in the registration process of the online self service portal
If you decide to register on our online customer portal using email verification, we only process the following data categories to handle your registration on our online customer portal:
| Type of information | Reason for processing | Legal basis for processing | How long we keep your information for |
|---|---|---|---|
| Communication data, such as email address, Hub IP, Auth0 ID, social media provider (e.g. Facebook), user logs (registration date, access date) | To be able to provide you with the option of verification through the use of your Facebook, LinkedIn, Microsoft or Google account | Performance of a contract | Until closure of account |
| Technical data, such as operating system (version), browser type (version), language setting | To be able to provide you with access to our self service portal. | Performance of a contract | Until closure of account |
If a link to your social media account is set up for the purpose of social login, we process the following data categories exclusively for the technical processing of your registration on our online customer portal:
| Type of information | Reason for processing | Legal basis for processing | How long we keep your information for |
|---|---|---|---|
| Public profile data, such as your name, surname, profile name, profile URL, gender, age | To be able to provide you with the option of verification through the use of your Facebook, LinkedIn, Microsoft or Google account | Your prior consent | Until closure of account |
| Communication data, such as email address, Hub IP, Auth0 ID, social media provider (e.g. Facebook), user logs (registration date, access date) | To be able to provide you with the option of verification through the use of your Facebook, LinkedIn, Microsoft or Google account | Your prior consent | Until closure of account |
| Technical data, such as operating system (version), browser type (version), language setting | To be able to provide you with the option of verification through the use of your Facebook, LinkedIn, Microsoft or Google account | Your prior consent | Until closure of account |
Please note that the aforementioned data will not be viewed as part of the processing of claims. These are only used for the technical provision of the social login function, which makes it easier for you to log into our online customer portal.
You are of course free to deactivate the Auth0 application's access to your social media account in the settings there. Please note, however, that you will then also lose the opportunity to log into our online customer portal with them.
Overview of the data categories that are processed when using the MijnHoist (digital portal)
In our self service portal you have the opportunity to set up a repayment plan and to make direct payments. If you choose to use these services, we will need to process your personal data. The following categories of data will be processed if you use the services in the online self service portal:
| Type of information | Reason for processing | Legal basis for processing | How long we keep your information for |
|---|---|---|---|
| Contact information, debt and transaction information, such as name and surname, debt reference number, phone number, e-mail address, residency, payment history (payment date, transaction type and payment amount). | For debt management purposes and to be able to provide you with an overview of your debt. | Performance of a contract, legal obligation | Until closure of account |
| Debt, payment and transaction information, such as payment ability, disposable income, outstanding debt, payment method, first payment date | To be able to provide you with the opportunity to create and amend your repayment plan. | Performance of a contract, legal obligation | Until closure of account |
| Contact information, payment information and financial information, such as bank account number, credit card information (card number, CVC/CVV, expiry date and name of cardholder) | To authorize payments from your bank or your credit card provider. | Performance of a contract, legal obligation | Until closure of account |
Where do we get the information from?
The information processed to give you access to the online self service portal and to use the services in the online self service portal is generally provided to us by you yourself as part of the registration process or when you enter information in the online self service portal.
Disclosure of your information
We do not disclose your information except in the following limited circumstances:
We may share your personal information within the Hoist Finance group of companies, to which we belong. For example, our IT infrastructure is managed at group level. This helps to keep our systems operational and secure, allowing us to provide the best services to you that we can. Any sharing is subject to security and privacy requirements.
We also share your personal data with carefully vetted organisations, for the following purposes:
- With our authentication solution service provider, in order to enable you to authenticate yourself and access the online self service portal. The authentication solution we use is provided and operated by:
Auth0 Inc., 10900 NE 8th Street, Suite 700, Bellevue, WA 98004 (USA - United States)
The aforementioned service provider is obliged by the standard contractual clauses (order processing) issued by the European Commission and agreed with us to ensure through technical and organizational measures that the processing of personal data carried out for the purpose of the service (authentication of portal users) is in accordance with European data protection law, in particular the General Data Protection Regulation (GDPR).
- With your bank or credit card company in order for you to make direct payments via the online self service portal.
Processing activities in the Job Application Process
When you apply for a job at Hoist Finance AB or any other company within the Hoist Group, either directly via our website or through external recruitment agencies, we are required to process your personal data. The purpose of the processing of your personal data is the administration of received job applications and the selection of suitable candidates for open positions at Hoist Finance or any other company within the Hoist Group.
In order to properly fulfill the aforementioned purposes, the following categories of personal data will be processed:
| Type of information | Reason for processing | Legal basis for processing | How long we keep your information for |
|---|---|---|---|
| Contact details, such as name, title, home address, telephone number, personal email address, contact details of referees. Resume data, such as employment history, date of birth, gender, qualifications, nationality, occupation, professional memberships, educational achievements, degrees, transcripts, languages, computer skills, identification number, cover letter. | The administration of received job applications and the selection of suitable candidates for open positions at Hoist Finance | Performance of a contract | 5 years post end of recruitment (successful candidates), 2 years post end of recruitment (unsuccessful candidates) |
| Reference data, i.e. all data provided to us by your reference | To ensure that the job applicant is suitable for the applied position | Performance of a contract | 5 years post end of recruitment (successful candidates), 2 years post end of recruitment (unsuccessful candidates) |
| Background data, such as social security number, CV verification, tax information and internet searches, credit information, information from the enforcement authority, information about business obligations and property, as well as information about civil proceedings and tax surcharges | To ensure that the job applicant is suitable for the applied position | Performance of a contract, legitimate interest | End of recruitment |
How we use particularly sensitive personal data
We will use your sensitive personal data only in so far as we are permitted by law to do so:
- We will use data about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
- We will use data about your nationality or ethnicity, to assess whether a work permit and a visa will be necessary for the role.
Where do we get the information from?
We collect personal data about candidates from the following sources:
- You, the candidate.
- Your named referees, from whom we collect the following categories of data: full name, periods of previous employment, performance during previous employment.
- From publicly accessible sources, such as LinkedIn etc., where we collect your full name, email, work history, and other data included on your profile.
- From third parties (such as recruitment agencies) that have introduced you to us or you may have directly applied for a vacancy at our company on their website. Those third parties are data controllers for the data which they collect and process for their own purpose. More information about how they process your personal data can be found in their respective privacy notices on their websites.
- From third parties (such as pre-employment screening companies) that will perform checks on candidates in the last stage of the recruitment process.
Disclosure of your information
We will only share your personal data within the Hoist group of companies, including subsidiaries and branches.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with data protection law, and data processing is limited to the EU/EEA area. Contractually, if transfers outside the EU/EEA or to countries without an adequacy decision by the European Commission occur in the future, they will be based on standard data protection clauses adopted by the European Commission.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our specific instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable authority of a suspected breach where we are legally required to do so.
Your statutory data protection rights
Right to access: You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please contact us. We will respond to your request within one month.
Right to rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate. We may ask that you provide reasonable proof to verify your request.
Right to restrict processing: If you believe the personal information we hold is inaccurate, unlawful, or that we do not have a legitimate interest to process it, you can request that we restrict any processing until this is rectified.
Right to object to processing: Where your particular situation merits that we no longer process your information for the performance of a task carried out in the public interest or based on our legitimate interest, you have the right to object to the processing.
Right to data portability: This right allows you to obtain in a structured, commonly used format, and to reuse the information you have provided to us for your own purpose and have it transmitted directly to different services. This applies only to information we use based on your consent or on a contractual basis.
Rights related to automated decision making and profiling: You have the right to safeguards against the risk of potentially damaging decisions being taken without human intervention. This right applies where a decision is based solely on automated processing and produces a legal effect or similar significant effect. If this is the case we must ensure you are able to obtain human intervention, to express your point of view, and to have the opportunity to challenge it. We will also explain the logic behind the decision.
Profiling is defined as any form of automated processing intended to evaluate certain personal aspects of an individual in order to analyse or predict aspects of their personal circumstances, behaviours or abilities. Processing must be fair and transparent, use appropriate mathematical or statistical procedures, use appropriate controls to minimise inaccuracies and secure personal data.
We do not use any such automated individual decision making.
Right to erasure (“right to be forgotten”): You may ask us to delete the information we hold on you where it is no longer necessary for the purpose for which it was collected; where you withdraw any consent you provided for its processing; where you object to our processing of it (see above); or where our processing is unlawful. Please note, however, that we are also subject to certain legal obligations that prevent us from immediately deleting all of your information. For example, we are legally obliged to keep certain data for anti-money laundering purposes for at least five years. However, any data we are prohibited from deleting will be blocked and, when we are no longer obliged to keep it, erased.
Right to lodge a complaint: You have the right to lodge a complaint with the [country] data protection supervisory authority, the [Name of your country supervisory authority]: [URL].
Changes to this Privacy Notice
We regularly review this Privacy Notice. We will notify you of any substantial updates and any updates that affect you 2 weeks in advance. Minor changes to the policy, such as making it clearer, will be implemented without directly notifying you.
This privacy policy was last updated: January 20th, 2023.
How to contact us
Please contact us if you have any questions about our privacy policy or information we hold about you or the basis upon which we process such information:
Hoist Finance AB (publ), Dutch branch
PO Box 70150, NL 1007 KD – Amsterdam
privacyNL@hoistfinance.com