GENERAL PRIVACY POLICY B2 IMPACT CZECH REPUBLIC s.r.o.

B2 Impact Czech Republic s.r.o.  ("we," "us," or "our") is committed to protecting the privacy and security of your personal data, as well as your rights and freedoms of data subjects, according to the European General Data Protection Regulation (GDPR). The core principles of personal data processing: lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, confidentiality, integrity, and accountability, underlie our business activities. This Privacy Policy explains how we collect, use, disclose, and protect the personal data we gather through our website, while providing our services and during daily business.

 

PRIVACY POLICY – MAIN CHAPTERS

 

    

 

1. WEBSITE USERS’ PRIVACY POLICY

This Privacy Policy applies to our Website Users.

 

Content of the Website Users Privacy Policy

1.1. What information do we collect and how?
1.2. Website users: Why we use your information and how we do it legally?
1.3. Third-party services and tools
1.4. Website users: How long do we keep your data?
1.5. Automated decision and profiling

 

1.1. WEBSITE USERS - WHAT INFORMATION DO WE COLLECT AND HOW?

This Website collects some Personal Data from its Users. Users are responsible for any third-party Personal Data obtained, published, or shared through this Website and confirm that they have the third party's consent to provide the Data to us.

 Data Collection

When you visit and use our website, we collect certain data to enhance your experience and provide you with the right content.

The data collection methods we use may include:

• Voluntary Information - Data you share with us when you interact with our site, and you choose to share some personal info by filling out forms, subscribing to our newsletters, or engaging with our content.
• Automatic Information: We collect data automatically during your visit, such as your IP address, browser type, device information, and website usage patterns. This data is obtained through cookies and similar technologies.

Categories of Personal Data Processed when you visit our website may include the following types of data, collected by ourselves or through third parties:

When you are visiting our website, we don't collect financial info, social security numbers, or sensitive personal data through our site. We only gather what's needed for the purposes we've explained in our Privacy Policy. We process your data with your consent, for our legitimate interests in improving our site and services, and to meet legal obligations.

Obligation to Provide Personal Data

Website Users are not obligated to provide personal data. Data collection is primarily based on voluntary sharing and consent. Additionally, some data, such as technical information related to essential cookies, may be automatically collected during website visits to ensure security.

Users can still access and use many features of the website without providing personal data. However, choosing not to share certain data may limit the extent to which the website can offer a personalized experience. Users may receive more generic content and may not benefit from tailored recommendations.

1.2. WEBSITE USERS - WHY WE USE YOUR INFORMATION AND HOW WE DO IT LEGALLY?

We process your personal data collected through our website for the following purposes, as described below, and rely on different legal grounds for such processing, as permitted by applicable data protection laws.

Please note that we do not provide online services directly through our website, and we do not engage in automated decision-making or profiling activities that significantly affect you based on the data collected through our website.

1.3. THIRD-PARTY SERVICES AND TOOLS

Based on your consent and provided preferences, we use statistical and marketing cookies from Matomo Analytics and Google Analytics to enhance our website functionality, analyze user behavior, and improve our services. 

These cookies help us understand how our website is used and provide you with tailored content and marketing communication.  

In simple terms: 

• Statistical Cookies (First Party) come from our website directly. These cookies track your website usage and help us improve our site. Data collected includes page visits and duration, typically retained for up to 12 months. 
• Marketing Cookies (First Party) also come from our website. These cookies understand your interests based on your site interactions, allowing us to show relevant ads. Data collected includes website interactions and is typically retained for up to 12 months. 

 Our trusted partners assist us in managing these cookies. 

• Matomo Analytics is an open-source web analytics platform, to collect and analyze data about our website's usage.  

For more information about Matomo Analytics' privacy practices, please review Matomo's Privacy Policy on their website: Privacy Policy - Analytics Platform - Matomo 

Matomo Analytics is provided by InnoCraft Ltd, located in New Zealand while 100% of the data collected and backups are securely stored in Europe. Although New Zealand is outside Europe Economic Area (“EEA”), is one of the countries that the EU considers to have an adequate level of data protection. 

• Google Analytics and its related products is a web service provided by Google Ireland Limited ("Google") for users of Google services based in the European Economic Area. 

For more information about Google Analytics' privacy practices, please review Google's Privacy Policy on the Google website: Privacy Policy – Privacy & Terms – Google. 

When using Google Analytics for users located in the European Economic Area (EEA), the data collected is typically stored within the European Union (EU) or the European Economic Area. By way of exception data may be stored in servers located in USA. 

 For detailed information about these cookies and data handling, please check our Cookie Policy. Your privacy is important, and we want you to make informed choices while using our website. 

1.4. WEBSITE USERS - HOW LONG DO WE KEEP YOUR DATA?

We keep your data as long as we need to for legal reasons or as long as necessary to fulfill the purposes outlined in this Privacy Policy.

The time we keep it might change based on things like:

• Type of Data - Some data needs longer keeping than others.
• The purposes for which we process your personal data.
• Legal and regulatory requirements. Sometimes the law says we must keep data.
• Our business needs and operational requirements affect how long we keep data.

We may be required to retain certain personal data for a longer period to comply with legal and regulatory obligations, resolve disputes, and enforce our rights.

During the retention period, we will take appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. Once the retention period expires, we will securely delete or anonymize your personal data in accordance with applicable laws and regulations.

Remember, you have rights about your data, like asking us to delete it in certain situations. To know more about your rights and how to use them, check our "Your Rights" section in the Privacy Policy.

1.5. AUTOMATED DECISION AND PROFILING

Automated Decision-Making: We do not engage in automated decision-making processes that produce significant legal effects or similarly significant consequences for individuals based solely on automated processing.

Profiling: We may use profiling techniques in the following contexts:

• Personalization of User Experience to customize your website experience based on your preferences and past interactions. This allows us to provide you with content and features that are most relevant to you.
• Personalized Marketing Communication involves analysing your data to deliver targeted ads and marketing messages that align with your interests and behaviour.
• Website Analytics and Performance to track user behavior, such as page views and clickstream data, to understand how users interact with the site. This data is used to improve website performance, enhance user experience, and optimize content placement.
• Cookies and Tracking Technologies are used to collect data on user behavior, preferences, and interactions with our website. This data is valuable for understanding user preferences, providing personalized experiences, and improving website functionality.
• Security Profiling based on monitoring and auditing involves tracking user activities, access logs, and compliance data to ensure adherence to security standards and regulations. This is done to maintain the security and integrity of the website, protect against unauthorized access, and demonstrate compliance with legal requirements.

In summary, the profiling activities described above are implemented with the intention of enhancing your user experience and improving website performance. We value your privacy and offer options for consent and control over your data preferences. If you have any questions or concerns about our profiling practices, please don't hesitate to contact us using the information provided in our "Contact Us" section.

2. EMAIL EXCHANGE PRIVACY POLICY

This Privacy Policy applies to all individuals involved in email exchange communication with us, including:

• Customers (Debtors)
• Clients and Potential clients
• Investors
• Business partners, suppliers, and external advisors
• Employees
• Candidates
• Legal Authorities
• Other stakeholders involved in the email exchange process.

Content of the Email Exchange Privacy Policy 

2.1. What information do we collect and how?

2.2. Why we use your information and how we do it legally?

2.3. Third-party services and tools

2.4. How long do we keep your data?

2.5. Automated decision and profiling

2.1. EMAIL EXCHANGE - WHAT INFORMATION DO WE COLLECT AND HOW?

How is data collected?

We collect personal data through various means to facilitate our email exchange process and ensure security.

If you choose to share information about other individuals, please bear in mind that you are responsible for any third-party Personal Data obtained and shared through the email exchange process and you confirm the third party's consent to provide such Data to us.

• Direct Collection includes information you provide like data directly shared by you during email exchanges, such as your name, contact details, professional information, and the content of emails, including text and attachments.
• Indirect Collection from Publicly Available Sources. We may collect publicly available information about you from sources like professional social media profiles, business websites, or public directories, if such information is relevant to our email exchange process.

What categories of data are processed?

The specific personal data collected may vary depending on the nature of our email exchanges and the purposes for which they are conducted. We ensure that all data, including sensitive data, is processed in accordance with applicable data protection laws and for the purposes outlined in this Privacy Policy.

During our email exchange process, we may process the following categories of data:

Please note that the specific data categories processed during email exchanges may vary depending on the nature of the professional interaction and the information you choose to share with us via email exchange.

We are committed to handling all data with care and in accordance with applicable privacy laws and regulations.

Obligation to Provide Personal Data during Email Exchange

In the context of email exchange, usually the communication is initiated by you, while providing your personal data voluntarily through the email correspondence. Users are not obligated to provide such personal data for email exchange. However, the absence of certain data may impact the effectiveness of email communication and limit our ability to address your inquiries or provide specific information.

2.2. EMAIL EXCHANGE - WHY WE USE YOUR INFORMATION AND HOW WE DO IT LEGALLY?

In this section, we outline the specific purposes for which we collect and process your personal data during the email exchange process, along with the legal bases and categories of data processed for each purpose.

 

Please note that the specific purposes and legal bases for processing may vary depending on the circumstances and your interactions with us. We always ensure that personal data is processed in accordance with applicable data protection laws and with respect for your privacy rights.

It's important to emphasize that when processing personal data for legitimate interests, we balance these interests with the rights and freedoms of the individuals whose data is being processed. We take measures to ensure your rights are respected, and that personal data is processed in a fair and lawful manner.

2.3. EMAIL EXCHANGE - THIRD-PARTY SERVICES AND TOOLS

We may utilize various third-party tools and services to optimize our email exchange process, ensuring efficient communication and security. These tools may have access to email content or metadata to provide their services. We carefully select and work with trusted third-party providers who comply with data protection standards and confidentiality requirements. Please note that our use of third-party tools is always aimed at enhancing the quality and security of our email exchanges.

2.4. EMAIL EXCHANGE - HOW LONG DO WE KEEP YOUR DATA?

We retain your data as long as needed for email communication and mainly up to 3 years after the end of the email exchange for legal and dispute resolution purposes.

However, please be aware that in certain cases, depending on the subject and content of the email correspondence, the retention period may be longer according to the specific purposes and regulatory requirements.

For example, if we have a contractual relationship, we may retain relevant data for up to 5 years after the contractual relationship is closed or if other legal deadlines apply.

We always ensure compliance with relevant legal obligations and adjust our retention periods accordingly to meet these requirements. Our primary goal is to maintain data for as long as necessary to fulfil the purposes outlined in this Privacy Policy and to meet any legal obligations.

During the retention period, we will take appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. Once the retention period expires, we will securely delete or anonymize your personal data in accordance with applicable laws and regulations.

Remember, you have rights about your data, like asking us to delete it in certain situations. To know more about your rights and how to use them, check our "Your Rights" section in the Privacy Policy.

2.5. EMAIL EXCHANGE - AUTOMATED DECISION AND PROFILING

We emphasize that our email exchange data processing activities do not involve automated decision-making that significantly affects individuals. Our primary focus is on data collection for email communication, security, and analytics, and we do not engage in any automated decision-making processes that could impact your rights and freedoms.

Profiling Activities in Email Exchange process may be used only in the context of Security Risk Profiling:

• We perform automated processing of email usage and related technical data from IT systems, such as access logs, IP addresses, and device data, to identify potential security threats and vulnerabilities, unauthorized access, phishing attempts, and other security risks.
• This profiling activity is important to safeguard the security of our email exchange process, IT infrastructure and environment.
• The processing helps us proactively respond to security incidents, investigate security breaches, and maintain the confidentiality and integrity of email communications.

The logic is to provide a safer, more transparent, and efficient environment to engage in professional relationships. The significance lies in improved security. The envisaged consequences are generally positive and aim to enhance the overall experience and outcomes for our communication.

Please be assured that any profiling activities are conducted in compliance with relevant data protection laws and regulations. You have the right to object to profiling processes, where appropriate.

If you have any concerns or questions about automated decision-making or profiling in our company, please do not hesitate to contact us using the contact details provided in the "Contact Us" section of this Privacy Policy.

3. CUSTOMERS (DEBTORS) PRIVACY POLICY

This Privacy Policy applies to all our Customers who have a debt managed by us and/or are connected to the debt collection process.

 We process the personal data of our Customers who have debts owned by Us or any other entity of our Group and/or are connected to the debt collection process. These categories may include debtors, co-payers, guarantors, mortgage guarantors, adjudicators, potential and final buyers of the collaterals owned or managed by Us. We also process personal data related to legal and/or conventional proxies and representatives of these categories. 

Content of the Customers’ Privacy Policy

3.1. What Information Do We Collect and How?

3.2. Why We Use Your Information and How We Do It Legally?

3.3 Third-Party Services and Tools

3.4. How Long Do We Keep Your Data?

3.5. Automated Decision and Profiling

 

3.1. CUSTOMERS - WHAT INFORMATION WE COLLECT AND HOW?

How is data collected?

We collect your personal data using various methods to make our professional interactions, collaborations, and security more efficient. If you decide to share information about other individuals during the debt collection process, please be aware that you are responsible for any third-party Personal Data obtained and shared with us. You also confirm that you have obtained the third party's consent to provide such data to us.

Methods of Collection:

• Direct Collection includes information you provide like data directly shared by you during the debt collection process and professional interactions, such as your name, contact details, debt-related information, and other pertinent documents or information.
• Indirect Collection. We may collect your data from interested third parties or from publicly available sources like public official data bases or registers if such information is relevant to our contractual relationship and debt collection process.

The possible sources that we may indirectly collect data from include:

• Your initial or current creditor, such as financial institutions or mobile network operators, with whom you have signed a credit or service agreements. They may assign their claim rights to us or authorize us to manage debt collection on their behalf.
• In certain cases, from individuals who have a legitimate interest related to the contract for which we are conducting debt collection activities.
• From individuals authorized by you to communicate with us on your behalf or those making payments on your behalf.
• From public authorities and institutions, or other entities providing services of public interest, such as bailiffs, courts, or public notaries.
• From publicly available publications and databases, or those based on contractual relationships (external sources). This is done to ensure continuous updates and verification of the data we have about you, or to assess your ability to repay the debt. External sources may include public institutions and authorities, registers, public electronic databases, information available on social media, the internet, or from third parties. These third parties may include, but are not limited to, Public Official Population Register, the National Trade Register, Tax Authority, and third parties authorized to hold databases of individuals subject to international sanctions or politically exposed individuals.
• From our contractual partners to whom you have provided your data to conclude a contract with us or to purchase collateral for claims managed by us (like real estate companies or websites).

 If you have any questions or need further clarification about how we collect and handle your data, please feel free to Contact Us. Your understanding of our data collection methods is important to us.

What types of data are processed?

During our debt collection process, professional interactions, and collaborations, we gather various types of personal data essential for managing debts properly. The specific data collected depends on the nature of our contractual relationship, interactions, and the purposes behind them. We take your privacy seriously and handle all data with care and in accordance with relevant data protection laws and regulations.

Below, we present the main categories of personal data we may process:

Obligation to Provide Personal Data for Our Business Relationship

We request personal data from our Customers - including debtors, co-payers, guarantors, mortgage guarantors, adjudicators, potential and final buyers of the collaterals owned or managed by us, as well as legal and/or conventional proxies and representatives of these categories. This data is essential for various purposes, including the debt collection process, risk assessment, compliance checks, and collaborations. While we may collect certain data from other sources, not providing the required data directly may have consequences:

Consequences of Not Providing Required Data:

• Restricted Access: Non-provision of necessary data may limit your access to specific services, resources, or information related to the debt collection process.
• Impact on Debt Payment Resolution: The absence of critical data may impact our ability to effectively manage and resolve your debt in line with your needs, potentially leading to delays or challenges in the debt collection process.
• Limited Debt Settlement Options: In cases where debt settlements or negotiations are necessary for debt resolution, the absence of essential data may constrain our ability to engage in mutually beneficial payment agreement that could facilitate debt settlement.

We are committed to ensuring data accuracy and reliability in our debt collection process, adhering to transparency and ethical standards. We encourage all Customers to provide the required personal data directly to us to facilitate the efficient management of their debts and, where applicable, to help achieve mutually agreeable solutions. Please be aware that data obtained from other sources may be outdated and/or inaccurate, potentially affecting the effectiveness of the debt collection process. Your cooperation in providing accurate and up-to-date information is highly appreciated and contributes to a smoother debt resolution process.

 

3.2. CUSTOMERS - WHY WE USE YOUR INFORMATION AND HOW WE DO IT LEGALLY?

In this section, we outline the specific purposes for which we collect and process your personal data during, along with the legal bases and categories of data processed for each purpose.

 

Please note that the specific purposes and legal bases for processing may vary depending on the circumstances and your interactions with us. We always ensure that personal data is processed in accordance with applicable data protection laws and with respect for your privacy rights.

When processing personal data for our legitimate interests, we balance these interests with the rights and freedoms of the individuals whose data is being processed. We take measures to ensure your rights are respected, and that personal data is processed in a fair and lawful manner.

3.3. CUSTOMERS -THIRD-PARTY SERVICES AND TOOLS

While managing our debt collection process, we may utilize various third-party tools and services to enhance our operations and facilitate effective debt collection services. These tools and services are designed to streamline processes, improve debt management, communication, and support the secure processing and exchange of information.

Our suite of third-party tools and services may encompass a diverse array of functionalities and solutions, including Customer Relationship Management Systems (CRMs), cloud solutions, email platforms, and other similar tools. These technologies enable us to collaborate efficiently while upholding data security standards.

The use of these third-party tools and services may require the sharing of certain categories of personal data related to our Customers. The types of data shared may vary depending on the specific tool or service in use but can include information necessary for the debt management activity.

We carefully select and work with trusted third-party providers who comply with data protection standards and confidentiality requirements. Please note that our use of third-party tools is always aimed at enhancing the quality and security of our activity and operations.Top of Form

3.4. CUSTOMERS - HOW LONG DO WE KEEP YOUR DATA?

We retain your data as long as needed for the execution and management of the debt collection process and up to 5 years after the debt is fully repaid/closed or after all enforcement legal proceedings are completed. In certain cases, the data may be retained for longer period if other legal deadlines apply. Additionally, the personal data could be processed and retained as long as required to secure our legitimate interest in case of any litigation.

We always ensure compliance with relevant legal obligations and adjust our retention periods accordingly to meet these requirements. Our primary goal is to maintain data for as long as necessary to fulfil the purposes outlined in this Privacy Policy and to meet any legal obligations.

The time we keep it might change based on things like:

• Type of Data - Some data needs longer keeping than others.
• The purposes for which we process your personal data.
• Legal and regulatory requirements. Sometimes the law says we must keep data for specific periods.
• Our business needs and operational requirements affect how long we keep data.

During the retention period, we will take appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. Once the retention period expires, we will securely delete or anonymize your personal data in accordance with applicable laws and regulations.

3.5. CUSTOMERS - AUTOMATED DECISION AND PROFILING

Automated Decision-Making: We do not engage in automated decision-making processes that produce significant legal effects or similarly significant consequences for individuals based solely on automated processing. Rest assured that your rights and interests are safeguarded through our manual review and human intervention in decision-making processes.

Profiling: We employ profiling techniques in various contexts to optimize our operations, enhance efficiency, and tailor our services to better meet your needs. Below are the key profiling activities we perform, along with their respective rationales and safeguards:

• Debt Portfolio Performance Analysis techniques involve analysis of data related to the performance of the debt portfolio, including trends and historical data. The objective is to optimize debt collection strategies and identify performance trends. It helps in making data-driven decisions to improve debt collection services. Consequences include enhanced debt collection strategies, improved services, and more effective debt resolution processes.
• Efficiency Analysis of Debt Collection Process involves techniques meant to streamlining the debt collection process by analysing relevant data. It aims to reduce errors and enhance the overall efficiency of debt collection. It assists in making the debt collection process smoother and error-free. Consequences include a more efficient and streamlined debt collection process, resulting in reduced delays and errors.
• Identification of Payment Behaviour Patterns involves analysing data to identify patterns in debtors' payment behaviour. It is used to tailor debt collection strategies based on observed payment patterns. The insights gained help in customizing debt collection approaches. The outcome of such profiling includes more effective and tailored debt collection services, aligned to our Customers’ needs.
• Analysis for the initiation of Legal Enforcement Proceedings is based on profiling techniques which provide relevant information to support the decision-making process concerning initiation of legal enforcement proceedings and the most of suitable approach depending on specific debt details. The goal is to ensure compliance with legal requirements when initiating legal actions and to identify most suitable solutions for the managed debts. Profiling assists in making informed decisions about the necessity and appropriateness of legal enforcement proceedings, including bailiff enforcement. Human intervention is integral to this decision-making process, providing oversight and accountability, guaranteeing that all legal proceedings are carried out with precision and in adherence to regulatory guidelines.
• Security Risk Profiling involves analysing technical data from IT systems, such as access logs, IP addresses, and device data, to identify potential security threats and vulnerabilities. It is essential for ensuring the security of IT systems, tools, and applications during professional relationships. Due to this profiling, you can expect enhanced security measures to protect your data and the systems you interact with leading to a safer and more secure environment.
• Risk Assessment and Due Diligence Profiling techniques are employed to assess and manage risks related to Customers, covering financial stability, reputational issues, compliance history, certifications, licenses, permits, conflicts of interest, integrity due diligence, and fraud prevention. It helps in evaluating and managing compliance risks, integrity issues, and potential vulnerabilities within the debt collection process. In this way you can benefit from a more transparent and ethical business environment. The consequences include improved compliance, reduced fraud risks, and fairer partnerships. Profiling results are reviewed by human intervention to ensure alignment with ethical standards and regulatory requirements.
• Performance Profiling techniques help us to assess our performance and service quality by analysing performance metrics, service level agreements, and feedback data. It aids in evaluating and enhancing the efficiency and effectiveness of our debt collection activities. Consequences include better service quality and more efficient interactions tailored to meet both our needs. Human experts oversee and validate the outcomes of profiling to maintain transparency and fairness.
• Preferences Profiling techniques analyse preferences expressed by you, including marketing communications, feedback, and various survey results. It enables tailored interactions and communications based on your specific preferences. In this way you can enjoy personalized and relevant interactions. Consequences include receiving communications and services that align with your preferences and interests.

In all profiling contexts, the overarching objective is to create a safer, more transparent, and highly efficient environment for debt collection activities. These profiling techniques play an essential role in achieving several key goals. They enhance security by identifying potential risks and vulnerabilities, ensure compliance with regulatory requirements, streamline processes for increased debt collection efficiency, and enable personalized interactions tailored to Customers’ preferences. The envisaged consequences are consistently positive, resulting in improved data security, strengthened compliance, optimized operational efficiency, and a more personalized and satisfactory experience for our Customers, ultimately contributing to successful debt management outcomes for both parties.

Please be assured that all profiling activities are conducted in compliance with relevant data protection laws and regulations. You have the right to object to profiling processes, where appropriate.

If you have any concerns or questions about automated decision-making or profiling in our company, please do not hesitate to contact us using the contact details provided in the "Contact Us" section of this Privacy Policy.

4. BUSINESS PARTNERS PRIVACY POLICY

This Privacy Policy applies generally to all our existing and potential Business Partners including:

• Clients
• Investors
• Vendors
• Suppliers
• External Advisors
• Any third party involved in a business relationship with Us.

Content of the Business Partners’ Privacy Policy

 4.1. What information do we collect and how? 

4.2. Why we use your information and how we do it legally? 

4.3. Wpecific information regarding due diligence process (sanctions and pep screening) 

4.4. Third-party services and tools 

4.5. How long do we keep your data? 

4.6. Automated decision and profiling 

 

4.1. BUSINESS PARTNERS - WHAT INFORMATION WE COLLECT AND HOW?

How is data collected?

We collect personal data through various means to facilitate our professional interactions and collaborations and ensure security.

If you choose to share information about other individuals, please bear in mind that you are responsible for any third-party Personal Data obtained and shared and you confirm the third party's consent to provide such Data to us.

• Direct Collection includes information you provide like data directly shared by you during business relationship and professional interactions, such as your name, contact details, professional information, and other relevant documents or information.
• Indirect Collection from Publicly Available Sources. We may collect publicly available information about you from sources like professional social media profiles, business websites, or public registers, if such information is relevant to our business relationship management.

 What categories of data are processed?

During our professional interactions and collaborations, we may process a wide range of personal data necessary for the management and development of these relationships. The specific personal data collected may vary depending on the nature of our interactions and the purposes for which they are conducted. We are committed to handling all data with care and in accordance with applicable data protection laws and regulations.

Below are presented the main categories of personal data we may process:

Obligation to Provide Personal Data for Our Business Relationship

 We request certain personal data from our Business Partners to fulfil key purposes such as risk assessment, compliance checks, and collaborations. The consequence of not providing this required data may include limited collaboration opportunities and impact on our business relationship:

• Non-provision of necessary data may restrict access to specific services, projects, or collaborations.
• The absence of critical data may constrain our ability to initiate or continue our business partnership.

We value data accuracy and reliability, ensuring transparency and ethical standards in our collaborations. We encourage Business Partners to provide the required personal data to facilitate effective risk assessments and mutually beneficial collaborations.

 

4.2. BUSINESS PARTNERS - WHY WE USE YOUR INFORMATION AND HOW WE DO IT LEGALLY?

In this section, we outline the specific purposes for which we collect and process your personal data during the email exchange process, along with the legal bases and categories of data processed for each purpose.

Please note that the specific purposes and legal bases for processing may vary depending on the circumstances and your interactions with us. We always ensure that personal data is processed in accordance with applicable data protection laws and with respect for your privacy rights.

When processing personal data for our legitimate interests, we balance these interests with the rights and freedoms of the individuals whose data is being processed. We take measures to ensure your rights are respected, and that personal data is processed in a fair and lawful manner.

4.3. BUSINESS PARTNERS - SPECIFIC INFORMATION ON DUE DILIGENCE PROCESS (SANCTIONS AND PEP SCREENING)

Purposes and Legal Grounds of the Screening

We perform screening process on Sanctions and Politically Exposed Persons (PEP) as part of our commitment to comply with applicable laws and regulations governing International Sanctions, Anti-Bribery and Anti-Corruption (ABC) measures, financial crime prevention, Know Your Customer (KYC) requirements, Anti-Money Laundering (AML) regulations, and Counter-Terrorism Financing (CTF) obligations. This screening process is essential to identify and evaluate potential risks associated with individuals or entities involved in our business relationships or financial transactions.

The Sanctions & PEP screening serves several vital purposes, including:

• Ensuring compliance with legal obligations to avoid engaging in business relationships or financial transactions with persons or entities subject to international sanctions.
• Conducting due diligence and screening activities to prevent any misuse of our company for unlawful purposes.
• Facilitating effective risk management practices.
• Demonstrating our commitment to ethical and responsible business conduct.

We perform Sanctions and PEP screening process according to the General Data Protection Regulation (“GDPR”) on the legal grounds provided by article 6(1) letters c) and f)^[1], or by article 9(2) letter e) and f)^[2].

These legal bases allow us to process your data (i) when necessary to comply with our legal obligations and (ii) when necessary for our legitimate interests, such as operating our business securely, protecting the integrity of our systems, operations, clients, business relationships, and users, detecting or preventing fraud, and fulfilling other legitimate interests.

Collection of Personal Data, Categories of Data Subjects and Sources of Data

Our Sanctions and PEP screening process involves the collection and processing of personal data related to two key categories of data subjects:

• Our Business Partners: This category includes personal data such as full names, contact details, dates of birth, genders, nationalities, citizenships, countries of residence, client IDs, and other pertinent information. Additionally, business and financial data necessary for effective screening may be collected. We obtain this data directly from data subjects during our business relationships or indirectly from publicly available sources.
• Individuals Included in Sanctions and PEP Lists: This group comprises individuals listed on relevant Sanctions and PEP lists. The data processed for screening may include full names, dates of birth, genders, nationalities, citizenships, countries of residence, other identification information available in public official sources, contact details, functions or professions, details regarding sanctions, and other relevant publicly available information. We source this data from authorized databases, third-party screening providers, publicly accessible information, regulatory authorities, law enforcement agencies, international organizations, and commercially available PEP databases.

Please note that we have no control over the information contained in public official records and data sets collected by third-party screening providers. These data are gathered from various sources, and decisions regarding the disclosure of personal information rest with the relevant public bodies, balancing the public interest in disclosure and individuals' privacy rights.

Screening Criteria and Possible Consequences in case of a Positive Match

• Screening Criteria. During the screening process, we use advanced and secure technology and algorithms to compare personal data, such as names, dates of birth, nationalities, and other essential information, against relevant Sanctions and PEP lists. This process is automated but requires human intervention for further analysis and investigation in cases of positive matches. No automated individual decision-making is applied.
• Consequences of a Positive Match. If a positive match is detected during screening, it may trigger additional due diligence measures, such as enhanced monitoring or further investigation, as mandated by applicable laws and regulations. Our commitment is to handle such situations in full compliance with legal requirements while safeguarding the confidentiality and integrity of personal data.

Data Retention

We retain personal data collected during the screening process only for as long as necessary to fulfill our legal obligations and legitimate business purposes.

• Business Partners: the data is actively processed during the business relationship and only stored for maximum 5 years[3], after the business agreement is closed.
• Individuals on the Sanctions & PEP Lists from selected data sources: the data is actively processed during each screening session and then automatically removed; the data resulting in potential matches is actively processed during the manual review and analysis and only stored for a period of maximum 5 years after the business relationship with the relevant business partner is closed.

Data Sharing

In some cases, we may be required to disclose personal data to regulatory authorities, law enforcement agencies, or other authorized entities as part of our legal obligations or to fulfil our legitimate interests. We do not share personal data with any third parties for marketing purposes.

To know more about your rights regarding your personal data and how to use them, please check the relevant section "Your Rights" in this Privacy Policy.

4.4. BUSINESS PARTNERS -THIRD-PARTY SERVICES AND TOOLS

While managing our business relationships with our partners, we may utilize various third-party tools and services to enhance our operations and facilitate effective collaboration. These tools and services are designed to streamline processes, improve communication, and support the secure exchange of information.

These third-party tools and services may encompass a variety of functionalities and solutions, enhancing our ability to work together efficiently and securely.

The use of these third-party tools and services may require the sharing of certain categories of personal data related to our Business Partners. The types of data shared may vary depending on the specific tool or service in use but can include information necessary for our professional collaborations.

We carefully select and work with trusted third-party providers who comply with data protection standards and confidentiality requirements. Please note that our use of third-party tools is always aimed at enhancing the quality and security of our activity and operations.

4.5. BUSINESS PARTNERS - HOW LONG DO WE KEEP YOUR DATA?

We retain your data as long as needed for the execution and management of our contractual relationship and up to 5 years after the contractual relationship is closed or for longer period if other legal deadlines apply.

We always ensure compliance with relevant legal obligations and adjust our retention periods accordingly to meet these requirements. Our primary goal is to maintain data for as long as necessary to fulfil the purposes outlined in this Privacy Policy and to meet any legal obligations.

The time we keep it might change based on things like:

• Type of Data - Some data needs longer keeping than others.
• The purposes for which we process your personal data.
• Legal and regulatory requirements. Sometimes the law says we must keep data for specific periods.
• Our business needs and operational requirements affect how long we keep data.

During the retention period, we will take appropriate technical and organizational measures to ensure the security and confidentiality of your personal data. Once the retention period expires, we will securely delete or anonymize your personal data in accordance with applicable laws and regulations.

 

4.6. BUSINESS PARTNERS - AUTOMATED DECISION AND PROFILING

Automated Decision-Making: We do not engage in automated decision-making processes that produce significant legal effects or similarly significant consequences for individuals based solely on automated processing.

Profiling: We may use profiling techniques in the following contexts:

• Security Risk Profiling involves analysing technical data from IT systems, such as access logs, IP addresses, and device data, to identify potential security threats and vulnerabilities. It is essential for ensuring the security of IT systems, tools, and applications during professional relationships. Due to this profiling, you can expect enhanced security measures to protect your data and the systems you interact with leading to a safer and more secure cooperation environment.
• Risk Assessment and Due Diligence Profiling techniques are employed to assess and manage risks related to Business Partners, covering financial stability, reputational issues, compliance history, certifications, licenses, permits, conflicts of interest, integrity due diligence, and fraud prevention. It helps in evaluating and managing compliance risks, integrity issues, and potential vulnerabilities within professional collaborations. In this way you can benefit from a more transparent and ethical business environment. The consequences include improved compliance, reduced fraud risks, and fairer partnerships.
• Performance Profiling techniques help us to assess the performance and service quality of our Business Partners by analysing performance metrics, service level agreements, and feedback data. It aids in evaluating and enhancing the efficiency and effectiveness of our cooperation. Consequences include better service quality and more efficient interactions tailored to meet both our needs.
• Preferences Profiling techniques analyse preferences expressed by you, including marketing communications, feedback, and various survey results. It enables tailored interactions and communications based on your specific preferences. In this way you can enjoy personalized and relevant interactions. Consequences include receiving communications and services that align with your preferences and interests.

In all profiling contexts, the logic is to provide a safer, more transparent, and efficient environment to engage in professional relationships. The significance lies in improved security, compliance, efficiency, and personalized interactions. The envisaged consequences are generally positive and aim to enhance the overall experience and outcomes for our business partnership.

Please be assured that any profiling activities are conducted in compliance with relevant data protection laws and regulations. You have the right to object to profiling processes, where appropriate.

If you have any concerns or questions about automated decision-making or profiling in our company, please do not hesitate to contact us using the contact details provided in the "Contact Us" section of this Privacy Policy.

5. WHO WE SHARE YOUR DATA WITH?

At times, it's necessary for us to share your personal data with others to fulfil our legal and contractual obligations and to pursue our legitimate interests, we may share the data with our affiliates, subsidiaries, or service providers to facilitate our business activity.

The following are examples of possible categories of recipients of your data:

We take measures to ensure the security and confidentiality of your data when shared.

6. INTERNATIONAL DATA TRANSFERS

We may need to transfer your data to countries outside the European Economic Area (EEA) or places with different data protection rules. We take steps to protect your data, including:

• Adequacy Decisions: If the European Commission says a country has good data protection, we can send data there without extra safeguards, including EU-US Data Privacy
• EU-US Data Privacy Framework: The European Commission has approved data transfers from the European Economic Area (EEA) to the United States under the EU-US Data Privacy Framework. Under this framework, your personal data may be transferred to participating U.S. companies without the need for additional safeguards.
• Standard Contractual Clauses: We might use these approved contracts to ensure your data is safe when it goes outside the EEA.

The information about the transfers can be obtained through the “Contact Us” section in the Privacy Policy.

7. HOW DO WE PROTECT YOUR DATA?

While performing our business activity, we are dedicated to ensuring the security of your personal data. We employ a range of technical and organizational measures to maintain the integrity and confidentiality of your personal information, protecting it from unauthorized access, disclosure, loss, alteration, or destruction.

 

While we implement these technical and organizational measures, we are committed to continuously improving our security practices and adapt to evolving threats to safeguard your personal data. If you have any concerns about the security of your personal data or if you suspect any unauthorized access or disclosure, please contact us immediately using the contact details provided in the "Contact Us" section.

8. YOUR RIGHTS

We are committed to transparency and ensuring that your data subject rights are accessible and cost-free:

Limitations or Exceptions to Data Subject Rights:

While we respect your rights, legal or legitimate reasons may prevent us from fulfilling some requests. For instance, if it conflicts with our legal obligations or others' rights. We'll explain why if we can't fulfil your request.

Withdrawing Your Consent

You can withdraw your consent at any time. To do so:

• Opt-Out: For non-essential cookies, adjust your settings in your device or browser. Essential cookies for security will still be active.
• Unsubscribe: If you receive our newsletters or marketing communications, unsubscribe via the provided link.

Consent withdrawal may affect your experience:

• If you withdraw consent for non-essential cookies, some website features and personalized content may not be available to you. This may affect your overall user experience on our website.
• If you unsubscribe from our newsletter, you will no longer receive our news or updates about our services.

Withdrawing consent does not affect the lawfulness of any processing that occurred before your withdrawal. We are committed to respecting your choices and privacy preferences.

To request any action regarding your rights, contact us by email at eliska.dvorakova@b2-impact.com or by postal mail to our head office. Our Data Protection Officer (DPO) will assist you and respond as soon as possible, not later than three months.

9. PRIVACY POLICY UPDATES

We may update this Privacy Policy from time to time to reflect changes in our privacy practices or legal obligations. We will post the revised version on our website and update the "Effective Date" at the top of this policy. We encourage you to check our Privacy Policy periodically for the latest information on our privacy practices.

We are committed to keeping you informed about our data practices and any updates to our privacy policy. You can access the history of previous versions of this privacy policy by visiting the "Privacy Policy History" section on our website. This section provides a record of all previous versions, allowing you to review any changes made over time.

10. KEY LEGAL AND TECHNICAL TERMS USED IN THE PRIVACY POLICY

Here are several definitions for the key terms and legal notions used in our Privacy Policy to ensure clarity. These definitions aim to help you better understand the terminology used in this Privacy Policy.

If you have any further questions or need clarification on any terms or provisions, please don't hesitate to contact us. Your understanding of your data rights and our practices is essential to us.

[1] According to Article 6(1) letter c) and f) of GDPR:” Processing shall be lawful only if and to the extent that at least one of the following applies: (…) c) processing is necessary for compliance with a legal obligation to which the controller is subject. (…); f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (…)”.

[2] According to Article 9(2) letter e) and f) of GDPR: “(1) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. (2) Paragraph 1 shall not apply if one of the following applies: (…) e) processing relates to personal data which are manifestly made public by the data subject; f) processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity. (…)”

[3] Guide to the Money Laundering Act (part 2 – Section5.2. Registration and Storage of Information) issued by FINANSTILSYNET (Financial Supervisory Authority of Norway).