Your privacy is important to Oikocredit. We are committed to safeguarding your personal data.
In this notice, we explain how OIKOCREDIT, Ecumenical Development Cooperative Society U.A. and its subsidiaries globally (“Oikocredit International”) treat your personal data.
What is personal data?
Personal data is any information that could be used to identify you without making unreasonable efforts. A name or a national ID number is clearly personal data. Other information may not be personal data on its own (e.g., nationality), but would become personal if combined with other information (e.g., nationality coupled with a name). Similarly, an IP address is not personal data on its own but becomes personal if it can be linked to you.
Why does Oikocredit International have my personal data?
We have your personal data in order to be able to perform on the contracts Oikocredit International has concluded with you (legal basis: Art. 6 (1) b) GDPR), as well as to meet legal obligations (legal basis: Art. 6 (1) c) GDPR), such as Know-Your-Customer rules. In addition, we seek to keep you informed about Oikocredit International’s work by sending you newsletters or other such specialised mailings; we have your data if you choose to sign up for these mailings (based on your consent pursuant to Art. 6 (1) a) GDPR). In some cases, we use your personal data to meet our legitimate interests, incl. to protect our rights or property, and provide for the establishment, exercise, and defense of legal claims (legal basis: Art. 6 (1) f) GDPR)
Data belonging to Oikocredit International’s members and partners
Oikocredit International’s members and partners are all legal entities, and not individuals. The personal data that we have in relation to our members and partners is that of their contact persons, the persons who are the beneficial owners (if any), the authorised representatives/top management, and the board of directors.
We have the following types of data:
1. Data on who a person is:
- Name, address, phone number, email address
- The data contained on a person’s identity document
- A person’s role in a company, if applicable (for example, beneficial owner, legal representative, director, or guarantor)
- If you are an investor investing for the benefit of a child, we have the child’s name and date of birth, as well as the child’s identity document
We have this data because:
- We need to know your identity in order to perform on the contract we have concluded with you
- We need to know your identity and, in the case of a legal entity, the identity of the directors, top management, representatives, and the final owners in order to meet legal requirements – this is why we obtain ID copies
2. Transaction history, for example:
- Name and account number of the person instructing a payment
- Account number of the person receiving a payment
- Share/depository receipt purchases and sales
We have this data in order to be able to give effect to the payment or instruction.
3. Data needed to ensure the integrity of the financial system and of Oikocredit International’s mission.
We use the service of a third-party provider, Refinitiv (former Thomson Reuter’s World-Check), in order to verify in publicly available records whether doing business with an investor, member or partner (including, when applicable, directors, top management, representatives or final owners) is acceptable in light of our legal obligations and our mission. The data that we obtain could include:
- Criminal or civil case history from public court registers
- Presence on national, European or international sanctions lists
- Negative coverage in the media
We examine the screenings with a critical eye, taking into consideration at all times that they might be incomplete or irrelevant. In all cases, we use these tools only to establish that a person:
- Has not committed fraud or otherwise poses a risk to the financial sector
- Is not on national, European or international sanctions lists – if that is the case, we will not give effect to a transaction
- Is not engaged in activities that are incompatible with Oikocredit International’s mission
4. Sensitive personal data, for example:
- Criminal data
- Biometric data, including national number (e.g., BSN or social security number) if it appears on your passport copy/national ID
The collection and treatment of this data is subject to stricter rules. We collect a copy of a passport or national ID to meet our legal obligation to identify persons we do business with. These documents frequently contain a national number and biometric data. We do not use these details beyond the process of gathering copies of IDs.
5. Data from third parties, for example:
- Data on companies and their representatives from the relevant national chamber of commerce register or land registry
- Data from other public sources such as the relevant national credit bureaus, insolvency registers, newspapers, the internet or social media
We use such data to check, for example:
- If the details of members, investors and partner organisations are up to date against what is recorded in the public trade register
- If a prospective partner organisation offers collateral as part of its loan application: we check in the relevant land registry/cadastral system who the owner of the property is, what its value is estimated at, and whether there are any existing mortgages on it
- As part of the approval process for funding to partners, our staff may look at information available publicly online in order to see if anything should be taken into account when considering the funding request – similarly, staff may look at such information as part of the approval process for becoming a member or investor
6. Data for promotion of Oikocredit International’s work.
To promote its work, Oikocredit International takes photographs of the persons who are clients, staff or other persons related to our partners, investors and support associations’ staff, with those person’s consent. The photographs are used by Oikocredit International and support associations to produce publications promoting our work.
Data from web visitors (including the use of MyOikocredit if you are an investor)
People visit our websites for various reasons: to learn more about us; to ask a question or sign up for a newsletter; to make an investment via our online options (for example, in France and Sweden, among others); or to manage their account in MyOikocredit. In all cases, we collect certain data, for example:
- IP address: the internet address of your computer or mobile phone, which is needed to ensure that devices can communicate with each other – it is sometimes possible to identify who is behind a certain IP address (especially when an IP address is combined with other data); however, when the only data from a web visitor is the IP address, tracing the identity of a person needs authorisation by a court
- Data on your visit to our website: at what time the person denoted by an IP address visited which web pages or performed searches
- If you send an inquiry via an online form or sign up to receive a newsletter, we also have the data that you enter in that form. Most often this is your name and email address, so we can contact you or send you the newsletter
- Data on your login to MyOikocredit: at what time the person identified with the chosen username and password logged into MyOikocredit
- The device you used to visit our websites or apps
- Your cookie settings
We use this data as follows:
- We store the IP addresses in order to prevent fraud
- We place different types of cookies on your computer – small text files consisting of letters and numbers: they track data about the websites you visit and can remember your preferences, such as language or your username
- Cookies tell us what pages you viewed on Oikocredit’s websites – we can then show you information that is tailored to that
- We also see what device you used to visit our website – a mobile phone, PC or tablet –, as well as the operating system and version of the browser you are using. This ensures that the content is properly formatted for your device
- Some cookies are required for a website to function, but others are not – if you only want to allow the cookies required for functioning, adjust your cookie settings here.
All our websites are hosted by a third party based in the Netherlands. Therefore, if you visit our website from India, for example, your data will be stored in the Netherlands.
Data from persons who engage with us on our social media accounts
We are active on social media such as Facebook and LinkedIn for example. On these platforms, we share campaigns and information about Oikocredit with anyone who is interested. As a result, if you leave a public message, we retain data about you via our accounts on these media.
We use social media buttons such as the Facebook ‘like’ or ‘share’ button. Social media platforms such as Facebook are able to track your liking or sharing behaviour through such buttons. We ourselves do not track it.
Data from job applicants
When you apply for a job at Oikocredit, you send a motivation letter and a CV. As a result, we have the data that appears on these documents. If you submitted your application via the online form, as well as the information required to fill it out, we also have the IP address of your device.
In addition, as a financial institution we must ensure that all our employees have the required integrity. Therefore, before we make a job offer to an applicant, we conduct a background search to ensure there are no relevant criminal convictions or other factors that pose a risk to Oikocredit International. We check publicly available records via the service of a third-party provider, Refinitiv (former Thomson Reuter’s World-Check).
With whom does Oikocredit International share your data?
We do not share personal data with others for reasons other than to facilitate a contract that we have concluded with you or your organisation, to comply with the law, to exercise or defend legal claims or as otherwise disclosed in this Privacy Statement.
For example, in sending and receiving payments, we use the services of regulated banks. These banks receive the details, which may include personal data, necessary to affect the transfer. These banks are legally obligated to treat your personal data securely.
In principle, we may be required by Dutch government authorities to pass on personal data, pursuant to obligations laid down in laws such as the Money Laundering and Terrorist Financing (Prevention) Act (Wwft).
At times, we make use of the services of other companies. For example, we hire companies to do mailings of your annual account statements by post, or to host and develop our IT systems. In such cases, we share only the personal data required to complete the task, and we conclude a contract with the service provider in which we require it to safeguard your data. In particular, we may use Google Analytics with your consent (Art. 6 (1) a GDPR) to better understand your interests and to continuously improve our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Insofar as we transfer personal data to third countries outside the EU, we ensure an appropriate level of data protection through contractual measures where the level of protection has not been found adequate by the EU commission. You have the right to receive copies of these contracts.
How does Oikocredit International share data internally?
Regarding the data of persons connected to our partners (not members, investors or job applicants) only data collected for the purpose of creating and assessing proposals for financing, including know-your-customer requirements, is sometimes handled by our colleagues in our regional or country offices. This is the case when the funding application originates via one of these offices, or when the risk assessment of a funding proposal is supported by specialised staff in one of these offices. All of our offices, wherever located, are subject to our common data protection policy, including technical requirements for keeping data secured.
How does Oikocredit International protect your data?
We have measures in place to ensure that your data is secure from unauthorised access. Our systems are protected through a combination of physical and electronic access controls, firewall technology, and other security measures. We maintain segregated access to systems, to ensure that the only staff who have access to your data are those who facilitate the purpose for which you shared your data with us. IT administrators with broader access sign additional agreements obligating them to protect your data. We require the same standards of security from our service providers.
How long does Oikocredit International keep your data?
We keep your personal data only as long as necessary for the purpose for which we process it. We obtain your data only to facilitate an agreement we have with you, with your consent, or to meet a legal obligation. For example:
- If you have an agreement with us (for example, as investor, member or partner), we keep personal data for as long as the law requires us to. Depending on the documentation, this period varies between five and seven years after our business relationship has ended.
- Newsletters for which you have subscribed contain an unsubscribe link. We delete your email address after you have unsubscribed. Please note that, for technical reasons, if you subscribe more than once to a newsletter, you will receive as many copies of the newsletter and you will have to unsubscribe using the link for each copy you receive.
- If you apply for a job, we keep your data for no longer than four weeks after we have filled the respective position. If you agree to have your application stored for future opportunities, we keep your data for 12 months after you have provided your consent.
You have the right to access your personal data
You can request to review which of your personal data we have and request further information about our processing of your personal data. This includes the right to receive the personal data in a structured, commonly used and machine-readable format.
You have the right to correct, add or delete personal data
You can also request to correct or add to your personal data if you deem it to be incorrect or incomplete for the purpose for which we have it. Further, if there is no legal ground for us to have your personal data, you can request to have it deleted. Or, you can withdraw consent you have previously given us to have your data. For example, you can request to unsubscribe from a newsletter, in which case we will delete the personal details we have in order to send you the newsletter. If we are legally required to keep your personal data, we cannot delete it upon your request. We will inform you if this is the case.
You have the right to object
To exercise your rights, you can send your request to firstname.lastname@example.org or to the physical address stated below. Please indicate how you are related to Oikocredit International (e.g., investor, representative of a partner or member, etc.). When sending an access deletion or correction request, please include a copy of your ID document (such as a passport) so we can verify your identity. Please consider redacting the sensitive fields in your identity document (such as the biometric data or identity number). You will receive a written reply within four weeks.
If you have provided your consent, you can withdraw your consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal).
In addition, you have the right to complain to a data protection authority, in particular the one nearest to you, if you believe we have violated GDPR or other data protection laws.
Oikocredit International can make changes to this privacy statement
Oikocredit can change this privacy statement at any time. We will make an announcement regarding any changes on our website. Older versions of our privacy statement will be stored in our archives. To view an older version of the privacy statement, please contact email@example.com. This version was updated on 23 March, 2023.
Questions about this privacy statement or about our services can be directed to firstname.lastname@example.org. You can also reach us by mail at the following address:
C/O Data Protection Officer
PO Box 2136
3800 CC Amersfoort