Privacy

Data Protection

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or thereinafter referred to as GDPR).

Restart Privacy

This document describes how Restart Capital, Unipessoal, Lda. (‘Restart, we, us, our’) uses and shares personal data that you provide us if it is necessary for the performance of a contract to which the data subject is party and/or to comply with a legal obligation to which the controller is subject.

1. WHO IS RESTART?

Restart is a company that provides advisory services for the business and management of its own and third-party clients, as well as the provision of reformulation and asset recovery services, including, namely, consultancy for the purchase, sale and collection of debts, and also all acts relating to the identification and evaluation of credit portfolios for cession and all acts that are appropriate for the proper management of credit.

2. WHAT DO WE USE PERSONAL DATA FOR?

Customer Information Accuracy

We maintain information, including personal data, as a Data Processor, for the purposes of ensuring advisory/ managing Accounts/Credits on behalf of the owner. This could include activities designed to support:

Tracing and debt recovery

We use data from 3rd party data providers to trace people who are not responding using known contact details.

An example of a tracing activity could be when a customer moves home without informing us of their new address. We may then use the data we obtain from other 3rd party data providers to inform our analytics to identify the customer’s new address and contact details. We then use our analytics capability to help find missing individuals through updated addresses and contact details.

Statistical analysis, analytics, and profiling

We will use and allow the use of personal data for statistical analysis and analytics purposes on behalf and as defined by the Data Controller. Personal data can be used to create scorecards, models and variables in connection with the assessment of credit, fraud, risk or to verify identities. It can also be used to monitor and predict market trends, to allow Restart as Data Processor to refine recovery and trace strategies, and for analysis such as loss and revenue forecasting.

Uses as required by or permitted by law

Your personal data will also be used for other purposes where required by law, such as where we are obliged to provide data to the law enforcement community at their request.

3. WHAT ARE OUR LEGAL GROUNDS FOR HANDLING PERSONAL DATA?

We use the following grounds for handling personal data:

Our primary grounds for handling data are the legitimate interests of our business, in the strict interest of the data subject and compliance with the contractual terms.

The General Data Protection Regulation allow the use of personal data where the organisations legitimate interests aren’t outweighed by the interests, fundamental rights or freedoms of data subjects (customers). The law calls this the ’Legitimate Interests’ condition for personal data processing. The below outlines the activities we undertake in relation to your data, the appropriate legal grounds for processing as well as an explanation of what our legitimate interests are when this is our reason for processing.

InterestReason(s) for ProcessingExplanation
Managing your Account/Credit– Legitimate interests;
– Compliance with a legal obligation.
We have an obligation to appropriately manage your Account/Credit in line with any credit agreement, and/or with respect to the applicable laws and supervisory authorities’ regulations.
Recovery of funds owed– Legitimate interests;
– Compliance with a legal obligation.
Our business is primarily the recovery of funds owed by individuals. As such, customers typically have overdue funds that we are seeking to be repaid, either actively or by awaiting a change to customers’ personal circumstances.

This explicitly requires us to understand customers and their circumstances in order to conduct ourselves in an appropriate way.
Complying with and supporting compliance with legal and regulatory requirements– Legitimate interests;
– Compliance with a legal obligation.
– Fulfilment of a contract.
We must comply with various legal and regulatory requirements and help other organisations comply with their own legal and regulatory obligations.
Maintenance of data for use in defending legal actions– Legitimate interests.We need to be able to investigate and respond to customer claims and to provide appropriate disclosure in the event of proceedings being issued.

This requires us to maintain information for a period after its original legitimate purpose has expired.This is subject to the retention of personal information, described below.
Training and Quality– Legitimate interests;
– Compliance with a legal obligation.
To ensure the good quality of the service we provide, customer data is used while training staff and reviewing the quality and output of ourselves and our partners.
Customer service and market research– Legitimate interests;
– Compliance with a legal obligation.
To ensure the good quality of the service we provide, customer data is used for communication purposes; and where necessary for market research purposes.

Our use of this personal data is subject to an extensive framework of safeguards that help make sure that people’s rights are protected. These include the information given to people about how their personal data will be used and how they can exercise their rights to obtain their personal data, have it corrected or restricted, object to it being processed, and complain if they are dissatisfied. These safeguards help sustain a fair and appropriate balance so that our activities don’t override the interests, fundamental rights and freedoms of data subjects.

4. WHAT KINDS OF PERSONAL DATA DO WE USE, AND WHERE DO WE GET IT FROM?

We obtain and use information from different sources, so we often hold different information and personal data about each customer. All information we hold about our customers falls into the below categories:

Information TypeDescriptionSource
Key Customer IdentifiersWe hold personal data that can be used to identify people; this includes:
– Name, Forename and Surname.
– Domestic identification numbers.
– Birth date and age.
– Address, including current and previous addresses, if these are marked as no longer resident. Additionally, we will hold address confirmed as inaccurate to prevent these being reused.
– Contact details, including telephone and email information, past and present. Additionally, we will hold contact details marked as inaccurate to prevent these being reused.
This personal data is included with all the other data sources.
For example, names, addresses and dates of birth are attached to financial Account data, so it can be matched and associated with all the other data Restart holds about the relevant person.

Data obtained from the lender, that is the current Data Controler.

Data is obtained from the lender of the debt prior to the acquisition by the Data Controller.

Data is also provided by customers directly in the daily interactions with us or our sub-processors.

Data about Portuguese postal addresses is also obtained from sources like CTT.

We also have access to public data sources on people and businesses, including from the Insolvency Service, Registry Offices, the CRC reports and commercial business directories.
Customer CircumstancesWe hold personal data relating to individual’s circumstances including mental and physical health, financial status (including hardship) and difficulties relating to communication.

The purpose of this information is to ensure all circumstances are taken into account when managing your Account(s)/Credit(s).
This information will be obtained from:
1. You, the customer, during an interaction directly with Restart.
2. A 3rd party you have authorized to represent you, or
You, the customer, directly during an interaction with one of our sub-processors.
3. We do not actively obtain data from external sources relating to customer circumstances.

We will always obtain customer consent before recording information relating to personal circumstances such as health, or communication requirements.
Financial dataWe receive information that includes personal data from credit accounts and other financial accounts that people hold with other organisations. This includes data about bank accounts, credit card accounts, mortgage accounts and other agreements that involve credit agreements such as utilities and communications contracts (including mobile and internet).
The collected data includes the date the account was opened, the amount of debt outstanding (if any), any credit limits and the repayment history on the Account/Credit, including late and missing payments.
We may also receive data about financial accounts like current accounts, credit cards or loans and may receive payment information that businesses hold from the organisations who maintain other Account/Credits belonging to you.
Banks, lenders and other financial services providers supply data including personal data about people’s financial accounts.

These are then provided to us with regards to customers, to assist us in our legitimate purposes.
Court judgments, decrees and administration ordersWe obtain data about court judgments that have been issued. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied.

Additionally, we may receive information about enforcement taken, such as Charging Orders on properties held by customers.
Judgments and some other decrees and orders are made publicly available through statutory public registers.

Charging Order information may also be provided by the Land Registry.
Bankruptcies,
Individual
Voluntary
Arrangement, debt relief orders and similar events
We obtain data about insolvency related events that happen to customers and may also obtain this type of data about businesses. This includes data about, foreclosures, bankruptcies, special restructuring plans, insolvency payment plans, insolvency recovery plans and debt relief orders. This data includes the start and end dates of the relevant insolvency or arrangement.We obtain this data from customers, their representative (v.g. Insolvency Practitioner), courts, Public List of Foreclosures, Public List of Restructuring Plans and Insolvency Payment Plans and Insolvency.
Scores and ratingsWe will use the data they receive to produce scores and ratings including potential affordability, risk, fraud and identity checks, screening, collections, litigation, and insolvency scores about customers.We produce their scores and ratings using the data available to them detailed in this section only.
Public interest dataWe receive data from commercial sources which includes lists of politically exposed persons (PEPs) and sanctions data; this is to ensure we meet our regulatory requirements.We receive this data from reputable commercial sources as agreed from time to time.
Other derived dataWe produce other kinds of data ourselves to manage our databases efficiently and ensure that all the relevant data about a person is on the correct credit file.

Address links: when we detect that a person seems to have moved to a different residence, it may create and store a link between the old and new address.

Flags and triggers: through analysis of other data, we can add indicators to a customer’s Account/Credit file. These aim to summarize particular aspects of a person’s financial situation. For example, a Potential Insolvency flag protects those who may be insolvent and invites additional checks as a defense against further fraud risk.
Restart generates this data from the data sources available to them.

5. WHO DO WE SHARE PERSONAL DATA WITH?

This section describes the types of recipients we share data with and our process for ensuring it is an appropriate organisation.

In some cases, some organisations have the ability to compel us, by law, to disclose certain data for certain purposes.

Supervisory authorities

We share information with supervisory authorities as part of our obligations and help ensure the health of the Portuguese financial services industry.

Sub-processors

We may entrust your Account/Credit for management by one of our Sub-processors, who will operate as our agent. We use market leading partners, and we rely on their expertise in their fields to co-manage or manage your Account/Credit efficiently on the owner´s behalf. We will communicate with you appropriately if such outsourcing takes place.

Many of these companies simply operate as our Agents and do not have the control over your data.

If we deem appropriate to commence legal procedures in relation to your Account/Credit, we will pass your data to lawyers and solicitors.

Information Technology Processors

We may use other organisations to perform tasks on their own behalf (for example, IT service providers and call centre providers) in order to assist us with running our business. These providers will always act as our agents, should we instruct them to contact you.

Court Service

If proceedings are issued against you or enforcement activity is taken, we will provide information to the relevant Court service, solicitors and lawyers.

Payment Processors

If you have chosen to make payments via Debit or Credit Card, Restart will provide relevant information to payment processing companies to facilitate the transaction. 

Individuals

People are entitled to obtain copies of the personal data Restart holds about them. You can find out how to do this in Section 10 below.

Legal and Regulatory 

Any law enforcement agency, regulator, court, government authority or other third party where we believe this is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights or the rights of any third party.

Debt Purchasers/Sellers

We may share data with any organisation who holds an interest, whether legal or beneficial in nature, who may act as an individual or joint data controller. They may process the data for the purposes of management of your account. Should you wish to obtain further information about it, you can contact us using the methods outlined in section 10 of this notice.

6. WHERE IS PERSONAL DATA STORED AND SENT?

Where we process your data within the European Economic Area (“EEA”) personal data in those locations is protected by European data protection law, specifically the GDPR. We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the data and to comply with our data protection, confidentiality, and security standards.

Restart is a subsidiary company of Arrow Global Group (“AGG” and / or “Arrow”), headquartered in the UK. As a result of Brexit, the UK was provided with an “adequacy decision” by the EU Commission on the 28 June 2021. Consequently, no additional safeguards are necessary if your data is transferred to the UK, and it will be protected by both UK and EU privacy laws. 

We only share personal data with others outside of the EEA when we are legally permitted to do so, namely where: 

We can rely on another basis under the law such as that we must share the personal data because this is necessary for the purpose of a court case, investigation or to protect our legal rights.

7. FOR HOW LONG IS PERSONAL DATA RETAINED?

In general, we will retain all information held about customers for as long as they continue to have an active Account/Credit with one of our clients. This will include for as long as funds are owed to one of our clients.

Once the Account/Credit is closed and no funds are owed, we will continue to retain all data for a period typically of ten (10) years from closure. The criteria used to determine the storage period will include the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements, and industry standards.

Exceptions to this standard ten-year approach are detailed below:

Archived data

We will hold archived data in both physical and digital formats for business continuity purposes. Where data is retained in archives for longer than the periods described above, it will not be accessible to unauthorized staff and in the case of digital backups data is encrypted. We will take steps to ensure that, if such archives are required to be accessed, we will have all personal information no longer required removed.

Legal Claims

For the establishment, exercise, or defense of legal claims the periods described above may not apply.

8. WHAT RIGHTS DO I HAVE UNDER DATA PROTECTION REGULATION?

RightDescriptionSection
Right to be informedYou have the right to be informed about how we collect and use your personal data. This has been described within this Privacy Notice.All
Rights related to automated decision makingYou have rights in relation to any automated decision-making and/or profiling that has legal or similarly significant effects on you.9
Right of accessYou have the right to access your personal data and supplementary information held by us.10
Right to data portabilityIn certain circumstances, you have the right to obtain and reuse your personal data for your own purposes across different services.10
Right of rectificationYou have the right to have inaccurate personal data rectified, or completed if it is incomplete.11
Right to objectYou have the right to object to the processing of your personal data.12
Right of erasureIn certain circumstances, you have the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.12
Right to restrict processingIn certain circumstances, you have the right to request us to ‘block’ or suppress processing of personal data.13

If you wish to exercise any of these rights, you can contact us at:

Restart Capital, Unipessoal, Lda.
Avenida Almirante Gago Coutinho, nº. 30, piso 0, 1000-017 Lisboa, Portugal

9. HOW DOES RESTART MAKE DECISIONS ABOUT ME (“RIGHTS RELATED TO AUTOMATED DECISION MAKING”)?

Scores and ratings

We use the data we hold on to the Accounts/Credits we manage along with data from the Bank of Portugal CRC to the Data Controller and other 3rd party data providers to produce various scores such as risk, fraud, affordability, collection, litigation and/or insolvency scores to profile Account/Credits and customers. The following factors are likely to impact these scores:

These scores will inform appropriate actions to manage customers’ Accounts/Credits with us and ensure appropriate steps are taken with respect to personal circumstances. An example would be where we use the insolvency scores and data to place an Account/Credit with a specialist insolvency practitioner.

10. WHAT CAN I DO IF I WANT TO SEE THE PERSONAL DATA HELD ABOUT ME (“RIGHT OF ACCESS”)? DO I HAVE A ‘PORTABILITY RIGHT’ IN CONNECTION WITH MY RESTART DATA (“RIGHT TO DATA PORTABILITY”)?

You have the right to ask us what data we hold about you. This is known as a Subject Access Request (SAR). You have a right to find out what personal data we hold about you.

New data protection legislation also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is not a right that will apply to  processed data because this data is processed on the grounds of legitimate interests.

11. WHAT CAN I DO IF MY PERSONAL DATA IS WRONG (“RIGHT TO RECTIFICATION”)?

When we receive personal data, we perform several checks on it to try and detect any defects or mistakes. Ultimately though, we rely on our suppliers and our customers to provide accurate data to us.

If you think that any personal data, we hold about you is wrong or incomplete, you have the right to request this is updated.

If our data does turn out to be incorrect, we will update our records accordingly. If we still believe our data is correct after completing our checks, we will continue to hold and keep it – although you can ask us to add a note to your file indicating that you disagree or providing an explanation of the circumstances. Additionally, we will need to keep a copy of the incorrect record but solely for auditing purposes.

If you’d like to do this, you should contact us.

12. CAN I OBJECT TO THE USE OF MY PERSONAL DATA (“RIGHT TO OBJECT”) AND HAVE IT DELETED (“RIGHT TO ERASURE”)?

As an individual you have specific rights under the General Data Protection Regulation. You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the ‘right to object’ and ‘right to erasure’, or the ‘right to be forgotten’.

Section 4 of this notice details what information we process, and why we need this information within our organisation in relation to the activities we undertake. This is why your right to object doesn’t automatically lead to deletion of your information, but we will deal with every request we receive and if we can’t delete your information, we shall inform you and explain why we cannot.

13. CAN I RESTRICT WHAT YOU DO WITH MY PERSONAL DATA (“RIGHT TO RESTRICT PROCESSING”)?

In some circumstances, you can ask us to restrict how we use your personal data. This is not an absolute right, and your personal data may still be processed where certain grounds exist. These grounds include:

Only one of these grounds needs to be demonstrated to continue data processing. We will consider and respond to requests we receive, including assessing the applicability of these exemptions.

Please note that given the importance of complete and accurate records, for purposes outlined above, it will usually be appropriate to continue processing data. In particular, to ensure appropriate management of your Account/Credit.

14. WHO CAN I COMPLAIN TO IF I’M UNHAPPY ABOUT THE USE OF MY PERSONAL DATA?

We try to deliver the best customer service levels, but if you’re not happy you should contact us so we can investigate your concerns.

NameRestart Capital, Unipessoal, Lda.
ContactsPost
Avenida Almirante Gago Coutinho, nº. 30, piso 0, 1000-017 Lisboa, Portugal

Website: www.restartcapital.pt

You can also refer your concerns to the Comissão Nacional de Proteção de Dados or (CNPD), the body that regulates the handling of personal data in Portugal. You can contact them by:

Our local data protection officer can be contacted by emailing DPO@whitestar.pt or by writing to us at our address.