1. GENERAL PROVISIONS
1.1. These Data Protection Terms of Mercury Credit OÜ (hereinafter referred to as the "Lender") establish the conditions and procedures for the Lender's processing of Client Data, including Client Data obtained before the Lender’s general terms came into effect with respect to the Client.
1.2. The Data Protection Terms apply to the extent that they do not contradict the contractual terms of the Lender.
1.3. By entering into a Client relationship with the Lender or expressing a desire to enter into a Client relationship with the Lender, the Client grants the Lender consent to process their Client Data in accordance with the terms and procedures established in the Data Protection Terms.
1.4. The Data Protection Terms apply to the processing of Client Data of all Clients, as well as, to the extent possible, to Client relationships that arose before the Data Protection Terms came into effect.
2. DEFINITIONS
2.1. Client Data – any information that becomes known to the Lender regarding the Client within the framework of the Client relationship (e.g., personal data, contact details, transaction data, etc.), including information lawfully collected by the Lender from public databases and public channels or obtained from Third Parties.
2.2. Processing of Client Data – any automated or non-automated action or set of actions performed on Client Data or its aggregate (including collection, documentation, recording, organization, structuring, storage, adaptation and modification, alteration of access, making requests and generating extracts, use, reading, transfer, disclosure by transmission, dissemination or otherwise making available, merging or combining, restriction, deletion, or destruction of Client Data, etc.).
2.3. Client Relationship – a legal relationship between the Lender and the Client that arises when the Client uses or has used any Service of the Lender or when the Client has contacted the Lender for the purpose of using a Service.
2.4. Client – any natural or legal person who uses, has used, or has expressed a desire to use the Services provided by the Lender.
2.5. Third Party – any natural or legal person who is not the Client, the Lender, or an Authorized Processor, nor a person authorized to process Client Data under the direct supervision of the Controller or the Authorized Processor.
2.6. Lender – Mercury Credit OÜ, registration code 12599137, address Vesivärava tn 50-405, Tallinn, 10152, phone +372 529 7617, email info@merc.ee.
2.7. Service – a service offered and/or provided by the Lender to the Client.
2.8. Controller – the Lender. As the Controller, the Lender determines the purposes of processing Client Data and the requirements for its processing.
2.9. Authorized Processor – a natural or legal person processing Client Data on behalf of the Lender. The list of Authorized Processors and their contact details are available on the Lender’s website www.merc.ee. The Lender has the right to make changes and additions to the list of Authorized Processors.
3. GENERAL PRINCIPLES OF CLIENT DATA PROCESSING
3.1. The processing of Client Data by the Lender is carried out in accordance with the requirements and conditions established by:
3.1.1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
3.1.2. The Personal Data Protection Act;
3.1.3. The Creditors and Credit Intermediaries Act;
3.1.4. The Anti-Money Laundering and Counter-Terrorism Financing Act; and
3.1.5. Other applicable legal acts (hereinafter collectively referred to as the “Legal Acts”);
3.1.6. These Data Protection Terms and the contractual terms of the Lender.
3.2. The Lender processes Client Data, including disclosing it to Authorized Processors:
3.2.1. With the Client’s consent;
3.2.2. For the performance of a contract concluded with the Client or for taking pre-contractual measures at the Client’s request;
3.2.3. For compliance with the Lender’s legal obligations;
3.2.4. For the protection of the vital interests of the Client or another natural person;
3.2.5. For the performance of a task carried out in the public interest;
3.2.6. Where the processing of personal data is necessary due to the legitimate interest of the Lender or a Third Party.
3.3. The Lender’s employees, in accordance with the requirements of Legal Acts and their employment or other similar agreements, are obligated to maintain the confidentiality of Client Data indefinitely. When processing Client Data, they must comply with the applicable legal acts regulating personal data processing and the data processing rules established by the Lender. The Lender’s employees are liable for breaches of this obligation. They may process Client Data only to the extent necessary for performing their designated work duties.
3.4. Authorized Processors, in accordance with the requirements of Legal Acts and the data processing agreements or other agreements concluded with them, are obligated to maintain the confidentiality of Client Data indefinitely. When processing Client Data, they must comply with the applicable Legal Acts regulating personal data processing and the data processing rules established by the Lender. Authorized Processors are liable for breaches of this obligation. They may process Client Data only to the extent necessary for performing their designated contractual obligations.
3.5. The Lender applies organizational, physical, and information technology security measures to ensure the lawful processing of Client Data.
3.6. The Lender requires all Authorized Processors and employees handling personal data in the course of their duties to apply the security measures established by the Lender, protect personal data, and ensure its lawful processing. The Lender documents the obligation to protect Client Data and ensure lawful processing in any agreement concluded with another party processing the data.
3.7. The Lender collects and processes Client Data only to the extent necessary to achieve the purposes specified in Section 4 of the Data Protection Terms.
4. COMPOSITION AND PURPOSES OF PROCESSED CLIENT DATA
4.1. To exercise and fulfill the rights and obligations arising from legal acts, as well as to perform a contract concluded with the Client or ensure its performance, the Lender processes the Client Data specified in the following subsections for the following purposes:
4.1.1. The Client’s personal data, including identifying data (e.g., name and surname, personal identification code, date of birth, place of birth, communication language, identity document details, family members and other relations with Third Parties, residency, citizenship, etc.), which are primarily used for Client identification;
4.1.2. The Client’s contact details (e.g., address, email address, phone number, etc.), which are used to transmit contract-related information to the Client;
4.1.3. The Client’s employment, education, and professional activity data (e.g., education, educational institution, workplace, position, service in the defense forces, retirement status, etc.), which are used to assess the Client’s creditworthiness and to offer an appropriate Service;
4.1.4. The Client’s financial data and creditworthiness-related data (e.g., bank account, obligations, income, other assets, previous payment behavior, including debts, dependents, transactions on the Client’s bank account, damages caused by the Client to the Lender, Third Parties, or Authorized Processors, etc.), which are used to assess the Client’s reliability and creditworthiness, analyze their consumer habits, apply responsible lending principles, and offer an appropriate Service;
4.1.5. Data on the origin of the Client’s assets (e.g., employer details, transaction partners, business activities, actual beneficiaries, etc.), which are used to assess the Client’s reliability, prevent money laundering and terrorist financing, and comply with international and national legal acts and ratified international agreements (e.g., data collection, information exchange, and transmission of data to investigative bodies, notaries, tax authorities);
4.1.6. Data related to transactions concluded between the Client and the Lender and their execution (e.g., details of concluded and terminated contracts, contract performance and breaches, Client applications, requests, etc.), which are used to assess the Client’s reliability and creditworthiness, evaluate contract performance, ensure contract fulfillment, and exercise and protect the Lender’s rights (e.g., issuing debt notices, debt collection, fulfilling evidentiary obligations in case of potential disputes);
4.1.7. Data obtained in compliance with legal obligations (e.g., information received from investigative authorities, notaries, bailiffs, and other state institutions and officials regarding the Client’s potential involvement in money laundering, terrorist financing, or organized crime), which are used to assess the Client’s reliability;
4.1.8. Data on the Client’s segment, habits, and preferences (e.g., Client’s age, service usage activity, etc.), which are used to improve Services, develop new Services, enhance the Lender’s creditworthiness assessment methodology, and conduct statistical studies and market share analyses of client groups, products, Services, and other financial indicators;
4.1.9. To comply with legal requirements, ensure the promised quality of Service, offer a more convenient Service, and conduct marketing activities, the Lender collects cookies in addition to the aforementioned personal data. The terms and conditions of cookie collection are outlined in the Lender’s “Cookie Usage Principles,” available on the Lender’s website at https://merc.ee/en/data-protection-terms-privacy-policy;
4.1.10. Data on how the Lender’s websites are used (e.g., Client searches, cookies specified in Section 4.1.9, website visitor statistics, etc.) for compiling website traffic statistics via Google Analytics and for analyzing trends and demographics related to website visits. The Lender does not create individual profiles of visitors;
4.1.11. Requests sent by website users to the Lender’s server (e.g., accessed web address, IP address, browser and device, access time, etc.), which are necessary for providing technical service, ensuring the proper functioning and security of the website, and investigating security-related incidents;
4.1.12. Any of the above-mentioned data for testing and improving the technological solutions, Services, and models used by the Lender in offering Services to the Client, as well as for reducing the Lender’s risks and conducting statistical and financial analyses.
4.2. Based on the Client’s consent, the Lender processes the following Client Data for the following purposes:
4.2.1. Contact details (e.g., address, email address, phone number, etc.) used to offer products or services to the Client, send advertisements from the Lender or entities within the same corporate group as the Lender, and conduct customer satisfaction surveys to improve the Lender’s services and perform statistical analyses;
4.2.2. Data provided by the Client within the framework of consumer games or campaigns, which are used in accordance with the terms of such consumer games or campaigns.
4.3. Sections 4.1 and 4.2 specify the primary purpose of processing each category of Client Data. The Lender is also entitled to process Client Data from the respective category for other purposes not specified in Sections 4.1 and 4.2 if necessary for fulfilling a contract concluded between the Lender and the Client, ensuring contract performance, or in the case of another legitimate interest of the Lender.
4.4. To supplement and verify the data provided by the Client, as well as to establish transaction relationships, make transaction-related decisions, or fulfill the legal obligation of due diligence, the Lender has the right to collect Client Data from Third Parties (e.g., verifying employment status from the Client’s stated employer) and from legally accessible databases and public sources (e.g., AS Creditinfo Eesti, the land registry, the population register, the Ametlikud Teadaanded publication, etc.).
4.5. The collection of the above-mentioned personal data is necessary for the Lender to fulfill the contract concluded with the Client, offer a more convenient service, and for marketing purposes. If the data specified in Sections 4.1.1 – 4.1.12 are not provided, the Lender has the right to refuse to offer the Service.
5. DISCLOSURE OF CLIENT DATA TO AUTHORIZED PROCESSORS AND THIRD PARTIES
5.1. The Lender discloses Client Data to legal entities belonging to the same group as the Lender, as well as to Authorized Processors and Third Parties, considering the purposes of processing Client Data specified in the Lender’s Data Protection Terms:
5.1.1. To legal entities belonging to the same group as the Lender for the identification of the Client, assessment of their reliability and risks, as well as for the application of due diligence measures specified in the Anti-Money Laundering and Terrorist Financing Prevention Act;
5.1.2. To persons involved in providing the Service and performing the contract concluded with the Client (e.g., guarantors, owners of pledged assets, notaries, providers of communication services, printing services, IT services, direct mailing services, postal and archiving services, as well as owners of payment default registers, auditors, debt collection service providers, etc.) for the purpose of fulfilling the contract concluded with the Client for the provision of the Service, as well as other agreements concluded with persons involved in the performance of said contract;
5.1.3. To database owners, such as owners of the Payment Default Register (e.g., Creditinfo Eesti AS), to apply the principle of responsible lending and to enable Third Parties to assess the Client’s payment behavior and creditworthiness;
5.1.4. In the event of an assignment of a claim to a new creditor;
5.1.5. To the Lender’s consultants or other service providers (e.g., auditors) if Client Data is required for providing a quality service to the Lender, provided that such persons comply with the organizational, physical, and information technology requirements established by the Lender concerning confidentiality and Client Data protection;
5.1.6. To service providers to whom the Lender has partially or fully outsourced its activities under the conditions stipulated by law, provided that such persons comply with the organizational, physical, and information technology requirements established by the Lender concerning confidentiality and Client Data protection;
5.1.7. To Third Parties in connection with the Lender’s need to protect its violated or disputed rights;
5.1.8. To Authorized Processors listed in the register of Authorized Processors available on the Lender’s website at www.merc.ee;
5.1.9. To entities to whom the Lender is obliged to disclose Client Data to fulfill legal obligations (e.g., the Financial Supervision Authority, investigative bodies, courts, bailiffs, bankruptcy estate administrators, the Financial Intelligence Unit, etc.).
5.2. If the Client has violated their contractual obligations towards the Lender, the Lender has the right to disclose data related to the contract breach (amount of debt, number of overdue days, etc.) to Third Parties in accordance with legal acts, for the purpose of creditworthiness assessment or other similar objectives, as well as to owners of payment default registers for the publication of contract breach data in the relevant registers. The owner of the payment default register is AS Creditinfo Eesti (registration number 10256137).
5.3. The Lender discloses Client Data to Authorized Processors and Third Parties only to the extent necessary for the purpose of processing Client Data.
5.4. The Lender provides Authorized Processors with mandatory instructions regarding the processing of transferred Client Data and ensures that Authorized Processors are aware of and comply with the requirements stipulated by law and the Lender’s Data Protection Terms when processing Client Data.
6. PROCESSING OF CLIENT DATA FOR MARKETING PURPOSES
6.1. Based on the Client’s consent, the Lender processes the contact details specified in Section 4.2.1 of the Data Protection Terms to send direct marketing messages, advertisements, and general informational materials about the Services offered by the Lender.
6.2. Based on separate consent provided by the Client, the Lender may send direct marketing offers regarding products and services both from the Lender itself and from legal entities belonging to the same group as the Lender.
6.3. The Client has the right to withdraw the consent specified in Sections 6.1 and 6.2 at any time by notifying the Lender. Information on how to opt out of personalized offers and advertisements sent via public data transmission networks is included in each offer or advertisement.
6.4. With the Client’s consent, the Lender may use information technology tools when sending emails to the Client, allowing the Lender to process information related to the reading of sent emails and the use of links included in them.
6.5. The information specified in these Data Protection Terms that is related to contract performance (e.g., debt notifications, notices of new price lists, etc.) is not considered direct marketing. The Client cannot opt out of receiving such information.
7. GROUNDS FOR RECORDING CLIENT DATA AND ESTABLISHING RETENTION PERIODS
7.1. The Lender has the right to record all actions performed by the Client using communication means (e.g., telephone, computer network), i.e., the transmission of Client Data, for the purposes of evaluating the quality of customer service, effectively and objectively resolving potential Client complaints, and, when necessary, proving actions performed by the Client via communication means and declarations of intent made through such means, as well as for other purposes specified in Sections 4.1 and 4.2 of the Data Protection Terms.
7.2. To protect the data of both the Lender and the Client, as well as to ensure the physical safety of the Lender’s employees, visitors, or Clients, the Lender may use a surveillance system to monitor individuals, objects, activities, etc., within the Lender’s premises (e.g., office spaces) and digitally record the results of such surveillance. The Lender may use the collected data to fulfill obligations, protect its rights, and prove actions taken by the Client, including unlawful acts and/or damages caused to the Lender.
7.3. The Lender determines Client Data retention periods based on legally established grounds.
7.3.1. Client Data collected in connection with the fulfillment of obligations and the implementation of anti-money laundering and counter-terrorism financing measures, such as data related to Client identification and the origin of Client assets, is retained for five (5) years after the termination of the Client relationship. Based on legal grounds, the Lender has the right to extend this period for up to five (5) additional years.
7.3.2. Client Data collected during the Client relationship in connection with the provision of Services, the assessment and analysis of the Client’s creditworthiness, the implementation of responsible lending principles, the execution and fulfillment of agreements concluded with the Client, and the Client’s payment behavior is retained for three (3) years after the termination of the Client relationship. In legally defined cases, such as legal disputes or ongoing proceedings, the Lender observes a longer retention period of up to ten (10) years.
7.3.3. Client Data collected based on the Client’s valid consent is retained until the Client submits a request for the deletion of such data, provided that the Lender has no justified interest in retaining them further.
8. MODIFICATION, TRANSFER, AND TERMINATION OF CLIENT DATA PROCESSING
8.1. The Client provides information to the Lender in written or reproducible written form.
8.2. The Client is required to immediately notify the Lender of any changes related to Client Data, including changes in name, address, communication number or email address, residency (including tax residency), and representative details. The Lender has the right to request original documents or notarized copies as proof of such changes, and the Client is obligated to provide them.
8.3. The Lender regularly verifies whether Client Data is complete and accurate.
8.4. The Lender corrects Client Data based on a verified request from the Client if such data has changed or is inaccurate.
8.5. Based on a justified request from the Client, the Lender:
8.5.1. deletes collected Client Data,
8.5.2. ceases the processing of Client Data,
8.5.3. stops disclosing Client Data and/or providing access to it.
8.6. If the Client withdraws consent as specified in Section 4.2 of the Data Protection Terms, the Lender ceases processing the data for which consent was revoked. However, the Lender has the right to continue processing Client Data necessary to fulfill obligations established by legal acts, to execute an agreement concluded with the Client, or to ensure the performance of such an agreement.
8.7. The Lender processes Client Data for as long as necessary to achieve the purposes of Client Data processing or to fulfill obligations arising from legal acts. If the processing of Client Data is no longer required for these purposes or obligations, the Lender promptly deletes the Client Data and requires all Authorized Processors and Third Parties to whom the Client Data has been disclosed or transferred—and who have processed personal data for the corresponding purposes—to delete the data as well.
8.8. Upon receiving a justified request from the Client, the Lender is obligated to provide the Client with the personal data related to them that they have provided to the Lender, in a structured, commonly used, or machine-readable format. Upon a justified request from the Client, the Lender is also obligated to transfer the Client’s personal data directly to the data controller specified by the Client, unless such a transfer is technically impossible.
9. CLIENT RIGHTS AND CLIENT RIGHTS PROTECTION
9.1. The Client has the right to:
9.1.1. access their Client Data;
9.1.2. receive from the Lender the Client Data related to them, as well as the relevant types of personal data;
9.1.3. receive from the Lender information about the composition, sources, and purpose of processing Client Data, unless otherwise provided by law or another legal act;
9.1.4. receive information about the retention period of Client Data or the legal basis for determining the retention period;
9.1.5. receive from the Lender information regarding third parties to whom the Client’s data has been transferred or promised to be transferred;
9.1.6. request the Lender to correct Client Data if their data has changed or is otherwise inaccurate;
9.1.7. request that the Lender, based on the grounds specified in the General Data Protection Regulation or another applicable legal act, cease processing or disclosing personal data, stop providing access to personal data, and/or delete collected Client Data;
9.1.8. fully or partially withdraw the consent specified in Section 4.2 of the Data Protection Terms. Withdrawal of consent does not have retroactive effect;
9.1.9. receive information from the Lender (including name, address, and other contact details) regarding the Authorized Processor or its representative;
9.1.10. exercise other rights arising from legal acts to protect their Client Data.
9.2. The Client has the right to receive their personal data, which they have provided to the Lender, in a structured, commonly used, and machine-readable format. The Client also has the right to transfer these personal data to a designated data controller or request that the Lender transfer such data to the responsible data controller.
9.3. To exercise the rights described in Section 9.1 of the Data Protection Terms, the Client must submit a corresponding application or request in reproducible written form to the Lender’s contact email andmekaitse@merc.ee or visit the Lender’s office at the address specified on the Lender’s website. If the application is submitted electronically, it must be signed with the Client’s electronic digital signature. If submitted in person at the Lender’s office, it must be signed manually and include the submission date. The Lender will respond to the Client’s request with a reasoned explanation within five (5) business days of receiving the request.
9.4. The Lender shall provide the Client with Client Data, transfer information, or justify a refusal to issue Client Data or provide information within five (5) business days from the receipt of the request.
9.5. If the Client believes that their rights have been violated in the processing of Client Data, they have the right to demand that the Lender or the Authorized Processor cease the violation.
9.6. In case of a rights violation, the Client has the right at any time to contact the Data Protection Inspectorate (address: Tatari 39, Tallinn 10134, phone: +372 627 4135, email: info@aki.ee) or take legal action. The reception hours of the Data Protection Inspectorate are available online at www.aki.ee.
9.7. If a violation of the Client’s rights is found in the processing of Client Data, the Client has the right to claim compensation for the damage caused by the violation based on and in accordance with the legal acts.
10. CHANGES TO CLIENT DATA PROCESSING PRINCIPLES
10.1. The Lender has the right to unilaterally change the Principles of Client Data Processing at any time, in accordance with the provisions of legal acts.
10.2. The Lender will notify the Client of changes to the Principles of Client Data Processing by posting the relevant information in a visible place near the Lender's office or by another method (e.g., by email) no later than fifteen (15) days before the changes take effect.