In situations where the person has concluded a contract or the person has provided their consent to conditions of receipt of any product or service, while the person fails to fulfil financial obligations resulting from such contract, the specific service provider is entitled to use debt collection services for recovery of such debt, lawfully transferring personal data to disposal of Conventus for performance of debt recovery procedure or assign the debt or a part of it to Conventus according to an agreement concluded between Conventus and the service provider.

In such situation, Conventus has a legal reason to perform processing of the specific person’s data, incl. to make records of voice conversations, in order to provide for fulfilment of the contract, promote protection of general public interests and provide for fulfilment of legitimate interests.

Therefore, personal data processing is allowed even without consent of the data subject/natural person since another legal reason is applicable to such data processing.

Conventus only processes personal data necessary for recovery of debts:

• basic information for correct identification of and communication to the person – name, surname, personal ID No, birth data and contact information – address, phone number, e-mail address;
• debt data for correct performance of debt collection, informing the debtor – debt/violation date, service provider’s contact number, violation type, amount, subject of the contract (e. g., vehicle license plate number), photo images, etc.;
• payment history for provision for accounting and correct debt collection, including evaluation of solvency, risk analysis and management, preparation and supervision of payment plans – amount, dates of payments, payer, payment justification, respective debt case, for which payments have been made, payment schedules;
• previous communication notes for correct further communication and information provided by the person himself or herself about circumstances affecting repayment of the debt – phone conversation notes, e-mails and attachments thereof, text messages, content of objections and other letters, payment promises.
• Voice conversations with a purpose to certify the truthfulness of the information obtained during communication and to protect legitimate and legal interests of Conventus.

All personal data are processed for the purpose of providing for fulfilment of requirements of the law and performing an efficient communication with the debtor, in order to resolve and settle debt cases, maximally avoiding worsening the debtor’s situation, as well as to be able to respond to objections correctly. Conventus has an obligation according to the law to provide personal data to certain national regulatory authorities, judiciary, supervisory and operational authorities set forth in the law, including, but not limited to, with the aim to prevent, supervise and prove fraudulent activities, laundering of proceeds from crime and other criminal activities. In cases, when Conventus does not have at its disposal all the necessary personal data or the received personal data is outdated and cannot be used to fulfil obligations stipulated by the law, Conventus has the right to obtain and process additional personal data in addition to the aforementioned personal data necessary for recovery of debts or clarify and update data, which already is at the disposal of Conventus.

Personal data for the recovery of the debt is primarily obtained from the service provider, with whom the person had concluded a contract or from who the service or the goods, from which financial obligations that are not being met arise, was received, as a result of which the respective service provider has turned to Conventus for debt recovery services. Conventus is also entitled to obtain and process data provided by natural persons, including using voice records and their content in accordance with the regulatory framework to certify the information received during the conversation in relation to the person, whose data is processed.

In accordance with Sec. 11 para. 3 of the Law on Extrajudicial Recovery of Debt, Conventus may request data of the debtor in the Register of Population of the Republic of Latvia, obtaining up-to-date information of the person’s name, surname, personal ID No and declared residence address. In evaluation of further progress of the debt collection case (commencement of debt extrajudicial recovery case or filing a claim to the court), on the basis of a cooperation agreement with a sworn advocate, Conventus may obtain data of the person from AS Ceļu Satiksmes Drošības Direkcija, hereinafter referred to as CSDD, by the vehicle license plate number, obtaining the person’s name, surname, personal ID No and the residence address registered with CSDD. Conventus may also obtain data of the debtor from other databases or authorities, e. g., from the Register of Insolvency, AS Kredītinformācijas birojs, official publication of the Republic of Latvia Latvijas Vēstnesis, etc. Additional personal data can also be obtained from the person himself or herself in the process of communication.

In accordance with the Law On Credit Bureaus and for the purpose of contributing to responsible crediting, Conventus may submit personal data to AS Kredītinformācijas birojs, including the person’s name, surname, personal ID No, debt amount, date and data submission reason.
Conventus may transfer personal data according to the procedure and to the extent provided for in the law also to national regulatory authorities, supervisory, operational and judicial authorities to enable them to fulfil their obligations according to the law and protect legitimate interests of Conventus.

To provide full debt recovery services to its customers and to protect its legitimate interests in recovering debts, with regard to which Conventus has become a creditor based on a contract of assignment or other legal basis, Conventus may attract other providers of debt recovery services concluding a respective contract or granting adequate powers to perform debt recovery activities, including processing of personal data at the disposal of Conventus.

Personal data may also be obtained by data processors Conventus is cooperating with. These are the companies helping Conventus perform daily tasks, for example, sending letters, performing phone communication, maintaining servers and databases. These companies are professionals in their fields, with who contracts have been concluded and personal data processing agreements, and high security requirements are defined for them, in order to provide for security, due processing and non-disclosure of personal data at the disposal of Conventus. Information about the processors and personal data at their disposal, along with information about their sub-processors can be obtained from Conventus using contact information provided below.

Usually, Conventus does not transfer personal data outside the borders of European Economic Area (EEA). However, in some cases, for example, when the vehicle, which is the subject of the outstanding contract or the received service, is registered outside EEA, for example, but not only, in Switzerland, US, Australia or in other country, or in cases, when the last known address of the person is located outside EEA, Conventus may involve cooperation partners in the respective country to ensure recovery of the debt. In such case Conventus ensures suitable protection mechanisms to ensure compliance with the requirements of Regulation (EU) 2016/679 (27 April 2016) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). Conventus will not begin a transfer of personal data outside the borders of EEA before gaining assurance that an adequate level of safety and protection of personal data has been ensured. Before transferring personal data, Conventus makes sure that recipients of personal data have signed EU standard clauses that serve as a basis for transferring personal data, or that the receiving country guarantees adequate level of protection according to GDPR requirements.

Conventus does not perform processing of sensitive or special category personal data according to the meaning of this term set forth in Article 9 Paragraph 1 of GDPR – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Conventus protects personal data at its disposal using the possibilities offered by the modern organisational and technological possibilities, taking into consideration the existing privacy risks and reasonable organisational, financial and technical resources available to Conventus, including:

• protection of personal data stored by Conventus in its internal systems, databases and electronic mail against unauthorised access using the internal network, security certificates and individually assigned usernames and passwords;
• assigning to persons employed by Conventus and its representatives only such access rights to personal data and data processing that correspond to their direct work duties and positions held;
• using of a firewall and anti-virus software;
• performing relevant security checks on a regular basis to learn if intentional attacks have been made on information systems, databases, electronic mail and server maintained by Conventus, and if a leakage of personal data has taken place;
• storing of personal data and other information on servers located in EEA;
• prevention of accidental or illegal deletion, damaging, loss, editing, processing, publishing or disclosure of personal data to third parties;

storage of all paper documentation and confidential information in restricted access area in locked cabinets that can only be accessed by persons employed by Conventus and its representatives to perform their direct work duties.

Data subjects have various rights in respect of their personal data, including:

• the right to access their data;
• the right to make correct amendments thereto;
• the right to object against personal data processing;
• the right to be forgotten;
• the right to restrict processing of personal data in certain cases;
• the right to data portability;
• the right to revoke one’s consent to data processing.

All requests about exercising their rights or complaints about personal data processing performed by Conventus must be submitted to Conventus using contact information below. Upon receipt of a request about exercising the data subject’s rights Conventus checks the person’s identity, reviews the request, and satisfies it according to laws and regulations.

Although by law the data subject has the right to fulfilment of all these paragraphs, a number of the data subjects’-initiated activities mentioned by these paragraphs in debt collection procedure are not performed, in order to be able to fulfil other legal bases. For instance, the data subject has the right to request to be forgotten, however, such request will be rejected, since data processing is necessary for implementation of the mentioned legal bases (contract fulfilment, conformity to the law, observance of legitimate interests). Conventus only performs data amendments in cases, where the data subject provides a correct alternative. For example, if data subject does not want communication with them to take place using a specific phone number, they must provide another phone number for Conventus to be able to continue communicating with the debtor in accordance with the Law on Extrajudicial Recovery of Debt. In accordance to the law, Conventus must provide a response to the data subject’s request within 30 days from the day of receipt of such request. Sometimes, a situation may arise that Conventus has received a large number of requests from data subjects, therefore, the mentioned term may be extended, however no more than up to two months, of which the data subject is informed accordingly.

Personal data is stored while the debt collection case is active, as well as five years after the end of the collection case. Some data categories, e.g., payment information, are stored 75 years, in accordance with the requirements of the Law on Accounting. For the completion of obligations set forth in the law Conventus stores personal data to the extent and according to the procedure that enables Conventus to prevent and uncover fraudulent activity and prove laundering of proceeds from crime, and also for the purpose of financial audits. If Conventus client specifies or debtor proves that the debt collection case is submitted to Conventus incorrectly, and Conventus, therefore, has no legal basis to perform processing of the specific person’s data anymore, all data of this person are completely deleted from Conventus databases or otherwise permanently destroyed.