DATA PROTECTION
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
PRIVACY ARROW GLOBAL GROUP
This document describes how the Arrow Global Group (“ARROW”, “Arrow Portugal”) uses and shares personal data that you have provided to us or received from other sources.
In Portugal, the investments include, among other companies, 100% stakes in Norfin SGOIC and Norfin Serviços (leaders in Portugal in the area of real estate asset management), Whitestar (leader in the management of NPLs – Non Performing Loans), Restart Capital (corporate restructuring), Details Hotels & Resorts (hotel operations) and Hefesto (credit securitization).
These entities, often referred to as platforms, interact with each other to guarantee clients, whether institutional or private, Portuguese or international, a broad and integrated range of services in our areas of intervention that is unparalleled in Portugal.
Accuracy of Customer Information
We keep information, including personal data, only for forwarding to Arrow Global Group entities in Portugal. If you need to, you can consult the Privacy Policies of each entity on their websites.
Statistical analysis, analysis and profiling
We will use and allow the use of personal data for statistical analysis and analytical purposes on behalf of the Data Controller and as defined by the Data Controller. Personal data can be used to create scorecards, models and variables in connection with credit assessment, fraud, risk or identity verification.
Use as required or permitted by law
Whenever required by law, your personal data will be used for other purposes, namely when the Arrow Global Group is obliged to provide them at the request of official authorities.
We use the following legal grounds for processing personal data:
Our main basis for processing data is the legitimate interest of our business, supplemented by any legal or regulatory obligations.
The General Data Protection Regulation (“GDPR”) allows the use of personal data whenever the legitimate interest of organizations is not overridden by the interests, rights and fundamental freedoms of the data subject (customer). The law calls this requirement for processing personal data “legitimate interest”.
The use of personal data is subject to an extensive framework of safeguard measures, which helps to ensure the protection of customers’ rights. This includes information given to customers on how their personal data will be used and how they can exercise their rights to obtain their personal data, correct or limit it, object to processing or complain if they are dissatisfied. These safeguards help to maintain a fair and appropriate balance, so that our activities do not override the interests, rights and fundamental freedoms of the data subject.
We obtain and use information from a variety of sources, so we often have different personal information and data about each client. All the information we keep on customers falls into the following categories.
Type of information |
Description |
Source |
Key customer identifiers |
We keep personal data, which can be used to identify the customer; this includes:
|
This personal data is included in all data sources. Data obtained by the lender, who is currently the Data Controller. Data provided directly by customers in their daily interactions with Arrow or our Subcontractors. Zip code data is also obtained from sources such as CTT. We also access public databases on people and companies, including Insolvency Services, Registry Offices, Central Credit Register reports, commercial and business directories. |
Client’s circumstances |
We store personal data relating to the individual’s personal circumstances, including physical and mental health, financial situation (including difficulties) and communication difficulties. |
This information will be obtained through:
We do not actively obtain data on customers’ circumstances from external sources. We will obtain your consent before recording information relating to personal circumstances such as health or communication difficulties. |
Data of public interest
|
We receive data from commercial sources, which includes lists of politically exposed persons (PEPs) and data relating to sanctions, in order to ensure compliance with regulatory requirements. |
We receive this data from reliable commercial sources, as agreed, on a regular basis. |
This section describes the types of recipients with whom we share data and our process for ensuring that they are appropriate entities.
In certain cases, some entities are entitled to oblige us, by law, to disclose certain data for certain purposes.
Supervisory Authorities
We share information with supervisory authorities as part of our obligations and to help ensure the health of the financial services sector in Portugal.
Subcontractors
We may entrust the management of your data to one of our Subcontractors, who will act as our partner, to help us deliver an excellent service. We will let you know when and if this externalization takes place.
Many of these companies simply operate as our partners and do not have control over your data.
Information technology subcontractors
We may use other entities to perform tasks on our behalf (for example, IT service providers and call center service providers), to assist us in running the business. These subcontractors will always act as our partners and will be instructed by us to contact you.
Court proceedings
If actions are brought against you or enforcement measures are taken, we will provide information to the competent court, solicitors and lawyers.
Clients
Customers have the right to obtain copies of their personal data held by Arrow Portugal. Find out how below, in section 10.
Legal and regulatory bodies
In compliance with a legal or regulatory obligation or in order to protect our rights or the rights of a third party, we may share data with any law enforcement agency, regulator, court, governmental authority or otherwise,
Our clients’ personal data is processed within the European Economic Area (EEA), where it is protected by European legislation, specifically the
General Data Protection Regulation (GDPR)
. Our company only shares personal data with third parties, provided it is legally authorized to do so. When we do so, we establish contractual provisions and appropriate security mechanisms to protect the data and comply with data protection, confidentiality and security regulations.
Arrow Portugal belongs to the Arrow Global Group (“AGG” and/or “Arrow”), based in the United Kingdom. Due to Brexit, with effect from January 1, 2021, the United Kingdom will no longer be part of the European Union and the European Economic Area, so from that date, if your data is transferred to the United Kingdom, it will be protected by local privacy laws and by current European legislation. Taking care of your personal data is very important and Brexit hasn’t changed that.
We only share personal data with other non-EEA countries when we are legally entitled to do so, namely when:
– The European Commission has decided that the country in question has adequate data protection rules (an “adequacy decision”);
– we are able to guarantee, by means of relevant “standard contractual clauses” (a set of obligations in the form of a contract), the lawfulness and appropriateness of how your data is protected and used with the recipient of your personal data.
We may also justify sharing data on other legal grounds, such as for the purposes of legal proceedings, investigation or to protect our legal rights.
In general, we will retain all information about customers for as long as they have an active relationship with the service provider.
Archived data
We will keep archived data in physical or digital format for business continuity purposes. When data is retained for longer than the period described above, it will not be accessible to unauthorized employees and in the case of digital copies the data will be encrypted. We will take steps to ensure that, if it is essential to have access to these files, we will remove personal information that is not necessary.
Lawsuits
For the establishment, exercise or defense of a right in legal proceedings.
Rights |
Description |
Section |
The right to be informed |
You have the right to be informed about how we collect and use your personal data. This has been described in this privacy notice. |
All |
Rights related to automated individual decisions |
You have rights in relation to any automated individual decision, which produces effects in your legal sphere or significantly affects you in a similar way. |
9 |
Right of access |
You have the right to access your personal data and additional information stored by us. |
10 |
Right to data portability |
In certain circumstances, you have the right to obtain personal data and reuse it for your own purposes in different services. |
10 |
Right to rectification |
You have the right to rectify inaccurate data or complete incomplete data. |
11 |
Right to object |
You have the right to object to the processing of your personal data. |
12 |
Right to erasure |
In certain circumstances, you have the right to request the erasure or removal of personal data when there is no compelling reason for its continued processing. |
12 |
Right to restriction of treatment |
In certain circumstances, you have the right to ask us to block or limit the processing of your personal data. |
13 |
If you want to exercise any of these rights, you can contact us:
Arrow Global Group
Avenida Almirante Gago Coutinho, no. 30, piso 0, 1000-017 Lisboa , Portugal
For more information see
www.arrowglobal.pt
Scores and rankings
The Arrow Global Group does not use automated individual decisions; however, its constituent companies may do so. Please consult their specific privacy policies.
You have the right to ask us about the data we hold on you. This is referred to as a Data Subject Access Request. You have the right to find out what personal data we hold about you.
The new data protection legislation also covers the right to data portability, which could give consumers, in certain processing contexts, the right to receive their personal data in a portable format when it is processed on certain grounds, such as consent. This right will not apply to data processed by Arrow, as the data is processed on the basis of legitimate interest.
When we receive personal data, we carry out various checks to detect defects or errors. Ultimately, we rely on our suppliers and customers to provide accurate data.
If you consider that any of the data we store is incorrect or incomplete, you have the right to request that it be updated.
If it turns out that the data is incorrect, we will update our records accordingly. If, on completion of the checks, we still trust that the data is correct, we will continue to store and preserve it – although you can ask us to add a note to your file indicating that you disagree or providing an explanation of the circumstances. In addition, we need to keep the incorrect original records for auditing purposes.
If you would like to do so, please contact us.
As a customer, you have specific rights under the GDPR. You have the right to object to the use of personal information or ask us to delete, remove or stop using it if there is no longer a need for us to retain it. They are called the “right to object” and the “right to erasure” or “right to be forgotten”.
Section 4 details the information we process, and why we need this information, in relation to the activities we carry out. This is why your right to object does not automatically imply the deletion of your information, however, we will analyze all requests received and if we are unable to delete your information, we will inform you and clarify why we are unable to do so.
In certain circumstances, you can ask us to restrict how we use your personal data. This is not an absolute right, and your data may continue to be processed when certain grounds are met. These fundamentals include:
Only one of these grounds needs to be demonstrated in order to continue processing the data. We will consider and respond to requests received, including assessing the applicability of these exclusions.
Please note, that given the importance of keeping complete and accurate records, for the purposes described above, it will generally be appropriate to continue processing the data. In particular, to ensure the proper management of your Account/Credit.
We try to provide better customer service, but if you are not satisfied, you should contact us so that we can analyze your questions.
Name |
Arrow Global Group |
Contact us |
Address Avenida Almirante Gago Coutinho, no. 30, piso 0, 1000-017 Lisboa, Portugal Website: |
You can also direct your questions to the National Data Protection Commission (CNPD), the body that regulates the processing of personal data in Portugal:
Our local data protection officer can be contacted by e-mail at DPO@arrowglobal.pt or by letter to our address.