1. Definitions
“Client” means any legal person and its representatives who use, had used or have expressed a wish to use the Services or is in any other way related to the use and/or user of any of the Services and/or has established any other relationship with SupplierPlus, including before these Principles entered into force. In addition, categories of data subjects referred to in Section 3.1 of the Principles are included in the definition of the Client.
“Data Controller” is SupplierPlus, which determines the purposes and means of the Processing of Client Data.
“Data Processor” means anyone who Processes Client Data on behalf of SupplierPlus.
“Data Protection Legislation” means the applicable EU and national data protection legislation that SupplierPlus is subject to, for example, the General Data Protection Regulation (GDPR).
“EU/EEA” means the European Union/European Economic Area.
“Client Data” means any information known to SupplierPlus about the Client.
“Processing” means any operation or set of operations performed concerning Client Data, whether or not performed by automated means, such as collection, recording, organisation, storage, adaptation, alteration, retrieval, use, combination, erasure or destruction. The meaning of “Process”, “Processes”, and “Processed” shall be construed accordingly.
“Recipient” means a natural or legal person, public authority or another body to whom SupplierPlus is entitled to disclose Client Data. See the categories of Recipients in Section 6 of the Principles.
“Regulatory Legislation” means the applicable legal acts that SupplierPlus is subject to, such as regulations that govern the prevention of money laundering and terrorist financing, commercial and financing activities, data protection, taxes, bookkeeping, credit, payments, etc.
“Services” means any services and products provided by SupplierPlus to the Client via SupplierPlus platform or any other channels relating to supply chain financing and/or other financial services, as well as products and services of our cooperation partners.
“SupplierPlus” means any legal entity or branch belonging to the SupplierPlus Group whose main activity is supply chain financing or any other type of financing.
“SupplierPlus Group” means SupplierPlus Group OÜ, a private limited liability company incorporated in Estonia, with the registry code 12871059, and all legal entities which SupplierPlus Group OÜ either directly or indirectly controls (the subsidiaries).
2. General provisions
These Principles describe how SupplierPlus Processes Client Data. Detailed information on the Processing of Client Data might be additionally described in agreements and other documents related to the Services as well as on the website of SupplierPlus or be available upon a separate request.
Within the framework of Regulatory Legislation, SupplierPlus ensures the confidentiality of Client Data. SupplierPlus has implemented appropriate technical and organisational measures to safeguard Client Data from unauthorised access, unlawful disclosure, accidental loss, modification, destruction or any other unlawful Processing.
SupplierPlus engages Data Processors for the Processing of Client Data and takes necessary steps to ensure that the Processing of Client Data by Data Processors takes place according to instructions as outlined by internal procedures of SupplierPlus as well as Regulatory Legislation and that adequate security measures are implemented.
3. Processing of Client Data by SupplierPlus
3.1. Collection of Client Data and categories of data subjects
SupplierPlus collects Client Data from the Client directly and from the Client’s use of the Services and indirectly from external sources such as public and private registers or other providers of databases or other persons (see Section 6). SupplierPlus may record phone calls, visual images, video and/or audio, save email communication, or otherwise document the Client’s interaction and communication with SupplierPlus.
SupplierPlus also collects from and Processes Client Data of such natural persons as:
- Legal representatives, authorised persons, contact persons, transaction partners, agents, and payers;
- Those connected to Clients of SupplierPlus as legal persons, including but not limited to their shareholders, board members, corporate representatives, signatories, and ultimate beneficial owners;
- Beneficial owners, representatives and employees, as well as external stakeholders of the business partners of SupplierPlus, including but not limited to politicians, opinion leaders, journalists and followers on social media;
- Attendees at events organised by SupplierPlus and the visitors to its premises.
3.2. Categories of Client Data
Examples of Client Data categories that SupplierPlus collects and Processes:
- Identification data such as name, personal identification number, date of birth, and data regarding identification documents.
- Contact data such as an address, phone number, email address, and language of communication.
- Financial data included in transactions, credits, income, liabilities, and assets.
- Account data such as bank account number.
- Data about trustworthiness and due diligence such as data about payment behaviour, damage caused to SupplierPlus or another party; data that enables SupplierPlus to perform its due diligence measures regarding the prevention of money laundering and terrorist financing and to ensure the compliance with international sanctions, including the purpose of the business relationship, the Client’s transaction partners and business practices, whether the Client is a politically exposed person, data on the origin of wealth and assets used in the transaction.
- Data obtained and/or created while performing an obligation arising from the Regulatory Legislation, including but not limited to data that SupplierPlus must report to authorities, such as tax authorities and law enforcement agencies, therein details of commitments and debt balances.
- Communication and device data, such as the data contained in messages, emails, visual images, video, and/or audio recordings, are collected when the Client visits the premises of SupplierPlus or has conversations with SupplierPlus via means of telecommunication. In addition, other data is collected while using email, messages, and other channels, e.g. data related to the Client’s visit to the SupplierPlus platform, websites or communication through other SupplierPlus channels.
- Data about habits, preferences, and satisfaction, such as the activeness of using the Services, Services used, personal preferences, survey responses, as well as Client satisfaction.
- Demographic data including but not limited to country and municipality of residence, date of birth, and citizenship.
- Data about the relationship with legal entities, such as data submitted by the Client or obtained from public databases or the third party as a service provider for executing transactions on behalf of a particular legal entity.
- Sensitive data such as special categories of Client Data and data about criminal convictions and offences. To provide some Services, SupplierPlus may be required to Process special categories of Client Data. In these cases, SupplierPlus will ask for the Client’s consent when Processing particular types of Client Data. Special categories of Client Data can also be processed based on the legitimate interests of SupplierPlus, such as exercising a legal claim or based on a legal obligation that SupplierPlus is subject to.
4. Legal bases and purposes of Processing Client Data
Performance of agreements is one of the leading legal bases according to which SupplierPlus Processes Client Data. Examples of purposes of such Processing include:
- To take steps at the Client’s request before entering into an agreement and conclude, amend, execute, maintain, and terminate an agreement with the Client.
- To handle domestic and international transactions via financial institutions, settlement and payment systems.
- To manage relations with the Clients and identify and authenticate, provide, control, and administer access to the Services.
- To exchange Client Data with third-party payment service providers to provide account information and/or payment initiation services.
- To verify and handle commercial transactions and other business communication. SupplierPlus may record phone calls and video streams with the Client for this purpose.
4.2. Compliance with legal obligations
To comply with legal obligations under the Regulatory Legislation, SupplierPlus is required to process Client Data for such purposes as:
- To check and verify the Client’s identity and keep Client Data updated and correct by verifying and enriching data through external registers.
- To prevent, discover, investigate and report potential money laundering and terrorism financing and implementation of international sanctions.
- To discover, investigate and report potential suspicious transactions and market abuse.
- To carry out credit and risk assessments when providing Services and carrying out risk hedging for SupplierPlus.
- To carry out mandatory communication and reporting to the supervisory and other authorities and the Clients and external registers.
- To manage incidents, including data breaches.
- To manage complaints, as well as to retain information for this purpose.
- To comply with other legal obligations in accordance with the Regulatory Legislation, such as in areas of money laundering and terrorism financing and sanctions, payment services, market abuse, personal data protection, accounting, and taxation.
4.3. Legitimate interest
The Client Data Processing purposes are based on the legitimate interests of SupplierPlus, which are balanced against the fundamental rights of the Client as a data subject. Examples of such purposes of processing are:
- To maintain, develop, examine and improve the business of SupplierPlus, its Services, and the Client’s user experience.
- To strengthen the Client’s satisfaction and loyalty to the Services offered by SupplierPlus as well as to perform surveys, analyses, and statistics related to its Services.
- To organise marketing campaigns and events for the Clients.
- To protect the interests of the Client and/or SupplierPlus and SupplierPlus employees, including security measures. To prevent, limit and investigate any misuse or unlawful use or disturbance of the Services.
- To ensure adequate provision of the Services and the safety of information within the Services and improve, develop, and maintain SupplierPlus website, platform, technical systems, and IT infrastructure, including the testing of SupplierPlus digital channels.
- To carry out internal credit and risk assessments and prepare pricing models to determine which Services and on what terms can be offered to the Client, take decisions related to servicing the Client, monitor the portfolio, and mitigate potential risks for SupplierPlus.
- To assess whether a Client is eligible for a particular product or service to ensure compliance with the Regulatory Legislation in financing and supporting credit decision-making processes.
- To establish, exercise, defend, assign or sell legal claims and retain information for this purpose.
- To record phone calls and video streams with the Client for SupplierPlus service quality assurance and claims processing purposes.
4.4. Public interest
In the cases provided for in the Regulatory Legislation, the Processing of Client Data occurs in the public interest. Examples of such purposes for processing are:
- Prevention of money laundering and terrorist financing.
- Implementation of international sanctions.
4.5. Consent
SupplierPlus will ask for the Client’s consent to Process Client Data in some cases. In those cases, the Client will be separately informed about the particular purpose of Processing, and the Processing will take place based on the Client’s explicit consent. The Client can withdraw consent at any time.
5. Cookies
SupplierPlus uses cookies on its website. The cookies are used as stated in the SupplierPlus Cookie policy available on the website: supplierplus.com/cookie-policy
6. Recipients and sources of Client Data
To be able to provide the Services, SupplierPlus may share the Clients’ Data with Recipients. These Recipients are, in general:
- Legal persons and their branches that belong to SupplierPlus.
- Authorities and officials such as supervisory authorities, tax authorities, law enforcement agencies, bailiffs, notaries, and out-of-court dispute resolution bodies.
- Third-party payment providers, in case SupplierPlus has a legal obligation and/or contract to provide such entities access to the Client Data.
- Credit and financial institutions, correspondent banks, custodian banks, insurance and reinsurance service providers, intermediaries of Services, and third parties participating in the trade execution, settlement, and reporting cycle.
- Financial and legal consultants, auditors, or any other service providers and authorised representatives of SupplierPlus.
- Third-party providers of registers, for example, credit registers, population registers, commercial registers, or other registers where Client Data are stored or transmitted; acquirers of claims and trustees in bankruptcy.
- Participants and/or parties related to domestic, European, and international payments, such as SWIFT.
- Persons who guarantee the due discharge of the Client’s obligations to SupplierPlus, such as guarantors, surety, and collateral providers.
- Other persons related to the provision of Services to SupplierPlus, such as providers of telecommunications, IT, hosting, cloud computing services, archiving, postal services, and providers of services rendered to the Client when the Client orders e-invoices for these services.
SupplierPlus will not share more Client Data than necessary for the particular purpose of Processing.
Recipients may Process the Client Data as Data Processors and/or as independent data controllers. When the Recipient is Processing Client Data on its behalf as an independent data controller, the Recipient is responsible for providing information to data subjects on such Processing of Client Data. If necessary, the Client may contact the Recipient for information on the Processing of relevant Client Data by the Recipient.
7. Geographical area of Processing
As a general rule, Client Data is Processed within the EU/EEA.
SupplierPlus transfers Client Data outside of the EU/EEA only in exceptional cases and subject to the condition that there is a legal basis and one of the following conditions is met:
- The country outside of the EU/EEA where the Recipient is located has an adequate level of data protection as decided by the European Commission.
- The independent data controller or data processor has provided appropriate safeguards; for example, the agreement that includes the EU standard contractual clauses or other authorised contractual clauses are concluded, approved codes of conduct or certification mechanisms.
- There are derogations for specific situations applicable, for example, the Client’s explicit consent, the performance of a contract with the Client, conclusion or performance of a contract concluded in the interest of the Client, establishment, exercise or defence of legal claims, significant reasons of public interest. Upon request, the Client can receive further details on Client Data transfers to countries outside the EU/EEA.
8. Client Data retention period
Client Data will not be Processed longer than necessary for specific purposes or required by Regulatory Legislation. For example, after the end of the contractual relationship and expiry of the retention period according to Regulatory Legislation, SupplierPlus will retain Client Data for the establishment, exercise, or defence of legal claims based on the legitimate interests of SupplierPlus.
9. Rights of a data subject
Under the Data Protection Legislation, the Client has the following rights:
- Receive confirmation if the Client Data is being Processed by SupplierPlus and, if so, then access it.
- Require the Client Data to be corrected if it is inadequate, incomplete, or incorrect.
- Require the erasure of the Client Data, for example, when the Client Data is processed based on the Client’s consent, and the Client has withdrawn their consent. This right does not apply if the Client Data that the Client requests to be deleted is also processed based on other legal grounds, e.g. based on a contract or fulfilling legal obligations.
- Restrict the Processing of the Client Data.
- Object to the Client Data Processing if the processing is based on legitimate interest of SupplierPlus, including profiling for direct marketing (e.g. sending marketing offers or participating in surveys).
- Receive the Client Data that was provided by the Client and is being Processed based on consent or performance of an agreement in a structured, commonly used electronic format and, where feasible, transmit such data to another service provider (right to data portability).
- Withdraw the consent to Process the Client Data.
- Request not to be subject to wholly automated decision-making, including profiling, if such decision-making has legal effects or significantly affects the Client. This right does not apply if the decision-making is necessary to enter into or perform an agreement with the Client, if the decision-making is permitted under the Data Protection Legislation or if the Client has provided explicit consent.
SupplierPlus shall ensure its Client’s remote and direct access to a large part of their Client Data on the platform.
To execute the Client’s request as correctly as possible, SupplierPlus may ask the Client to specify the information, Processing activities, or time frame to which the Client’s request relates.
The Client can exercise their rights by submitting SupplierPlus a request:
- By calling customer support, or
- By sending a request signed with an e-signature via email.
SupplierPlus shall respond to the Client’s request not later than within one month of receipt of the request; when necessary, this period can be extended by two further months.
The right to the protection of Client Data is not absolute. SupplierPlus will provide to the Client information that SupplierPlus is allowed to provide to the Client as the data subject, considering that the right of access should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular, copyright protecting the software. In the cases provided by Regulatory Legislation, SupplierPlus may also transmit the information to the Client later, restrict the transmission thereof or not transmit it if this may prevent or impair prevention, detection or proceedings of offences or execution of punishments, damage the rights and freedoms of other persons, endanger the national security, endanger the protection of public order or hinder formal investigation or proceedings.
SupplierPlus, as the subject of the Regulatory Legislation, may be restricted to providing information to the Client regarding the Processing of Client Data performed in the scope of the Regulatory Legislation, for example, in the areas of sanctions and prevention of money laundering and terrorism and proliferation financing, except for the publicly available data.
The Client can lodge complaints regarding the Processing of Client Data by SupplierPlus to the Estonian Data Protection Inspectorate (website address www.aki.ee) if the Client considers that the Processing of their Client Data infringes the Client’s rights and interests under Data Protection Legislation.
The Client may contact SupplierPlus with any request and withdrawal of consent and, in addition, request the exercise of their rights in the processing of Client Data and file a complaint regarding the Processing of Client Data. Contact details of SupplierPlus are available on the website: www.supplierplus.com.
11. Data storing and security
SupplierPlus stores Client Data on a scalable MySQL relational database - AWS RDS. Communication with the database is encrypted with the TLS 1.2 protocol. Client Data is also encrypted at rest on the database level. AWS RDS is compliant with SOC and ISO standards.
12. Validity and amendments of the Principles
SupplierPlus is entitled to unilaterally amend the Principles at any time, in compliance with the Regulatory Legislation, by notifying the Clients of any amendments via the SupplierPlus website or email, not later than one month before the amendments enter into force. These Principles are drafted in English and translated into Estonian. In the event of disputes, arguments, or claims of linguistic nature or concerning the interpretation, the version of these Principles in English is legally binding.
These Principles entered into force on 1 January 2023, and their latest version is available on the website: www.supplierplus.com.