This policy is established by TCM Group International ehf, situated at Sudurlandsbraut 4a, 108 Reykjavik, Iceland, registered in the Icelandic company database under company registration number: 650315-0300.
In this policy, references to “you”, “your”, “yours” are references to these users of the TCM Group Portal.
Who we are
As you are a user of the Portal, you all know that TCM Group is an alliance of independently owned debt collection companies and legal firms offering ethical and professional debt recovery solutions to clients on a national and international basis. TCM Group forms an alliance focusing on debt collection following ethical procedures by applying high moral standards to our way of doing business.
In this policy, references to “us”, “we”, “our” and “ours” are references to TCM Group.
We collect, use, process certain personal data about contact persons within TCM Members who use the Portal. For the purposes of relevant data protection law, TCM Group is then acting as a data controller. We also process personal data of your debtors when sharing this information on the TCM Group Portal. TCM Group is then acting as a data processor.
When we do so, we are regulated under the General Data Protection Regulation (also known as the GDPR) which applies across the European Union (EU) and the European Economic Area (EEA).
Our website and Portal
In this policy, when we refer to website, we mean: https://www.tcmgroup.com and all of its pages.
References to the TCM Group Portal refer to our private exchange portal, being a cloud-based confidential and secure environment for use by TCM Members and TCM Group, which is available via the following address:
INFORMATION ABOUT DATA PROCESSING TCM GROUP HAS THE CONTROLLORSHIP OF
Main Purpose of the processing
TCM Group processes your data for the purpose of providing you an access to the Portal, allowing you to use it for the purpose of exchanging debtors’ and debt data when needed for debt recovery
Our collection and use of your personal information
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed and which cannot be identified again (anonymous data).
We collect personal information about you when you register with us, access to the Portal, contact us, send us feedback, use the TCM Group Portal or upload material to it. We collect this personal information when receiving a request of a TCM Group member to allow you access to the Portal; we also collect it directly from you when you add data on the Portal yourself (by editing your profile).
The personal information we collect may include:
- your name, address and contact details
- your phone number, if you provide it
- details of any feedback you give us by phone, email, post about the services we provide to you
- your Portal account details, such as username, login details
- the use you make of the Portal (and logs of it)
We use this personal information to:
- create and manage your account
- develop and adjust the services we provide
- notify you of any changes to our website or to our business and services that may affect you, and
- creating statistics and reporting
- improve our services by analysing the use of the Portal
- secure the Portal and prevent it from unauthorised accesses and uses
- preventing fraud
- for the establishment, exercise or defence of legal claims
Our legal basis for processing your personal information
When we use your personal information, we are required to have a legal basis for doing so.
The legal bases we rely on include:
- Contract: we use your personal information as necessary for the contract we have with you, or because you have asked us to take specific steps before entering into a contract.
Processing personal data of TCM Members for the use of the TCM Group Portal falls into this category.
- Legal obligation: where our use of your personal information is necessary for us to comply with the law (not including contractual obligations).
- Legitimate interests: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party (unless such interests are overridden by your interests or fundamental rights and freedoms)
Processing personal data for improving our services by analysing the use of the Portal; for preventing unauthorised access or use of the Portal; for detecting fraud; for creating statistics and analyse data for reports; for the establishment, exercise or defence of legal claims falls into this category
- Consent: we may also rely on your express consent to process your personal data where we are legally required to do so
Who we share your personal information with
As a client we share your personal information with your dedicated TCM Member users of the Portal only. As a TCM Member user your personal information is shared with all users of the portal and between and between TCM Members and TCM Group. Your name and contact data are visible for the users of the Portal. This data sharing allows to contact you for the need of data exchange for debt recovery.
We may also share your personal data with our external suppliers and service providers to ensure the proper administration of our services. For example, we may share your personal data with third party service providers providing us with IT, development, cloud hosting and storage, marketing and customer engagement providers, legal, financial and tax services. We may share personal information with law enforcement or other authorities if required by applicable law. This data sharing practice enables the relevant third parties to carry out their tasks and also allows us to properly provide our services to all relevant stakeholders, including provision of the TCM Group Portal. In all cases, the TCM Members and any of our third-party suppliers processing data on our behalf or in their capacity as a separate data controller are always bound by contractual guarantees and, where relevant, are also bound by rules of professional secrecy.
Information provided via the TCM Group Portal will not be passed, sold or rented to any other third party without your prior consent.
In all cases, your personal information will be kept strictly confidential and only used for the purpose of performing services on behalf of TCM Group or the TCM Members.
Some of the TCM Members and third-party debt collector service providers may be based outside the EEA — for further information including on how we safeguard your personal data when this occurs, please see ‘Transfer of your information out of the EEA’.
How long do we store your personal information
There are strict limitations on how long we are allowed to store your information. In accordance with the GDPR we will not store personal information longer than what is necessary for the purpose of the processing of the collected personal data. This will be our general benchmark for retention of personal data.
As a TCM Member, or a representative of a TCM Member, we will keep your personal data for as long as you have a contract with us and/or remain a TCM Member. We may have to keep your personal data for a longer period of time, in order to comply with a legal or technical obligation or to establish, exercise or defend legal claims. However, when it is no longer necessary to retain your personal information, we will delete or anonymise it.
Automated decision – making
TCM Group does not perform automated decision-making which produces legal effects concerning you or similarly significantly affects you.
Transfer of your information out of the EEA
Due to the fact that TCM Group is an international alliance of debt collectors, enabling ethical and fair debt collection across the world, personal data may be transferred from countries inside the EEA to countries outside EEA.
Here is an overview of how your personal data may be transferred outside of the EEA:
- The European Commission has given a formal adequacy decision regarding a number of countries outside of the EEA to which personal data will be transferred. These countries are therefore considered to provide adequate protection of personal data. Therefore, when we conduct transfers of personal data to countries benefiting from an adequacy decision, such transfers are considered to be subject to adequate protection to personal data, in accordance with what we can expect in the EEA.
- In other cases, when transferring personal data to countries outside the EEA and outside the European Commission adequacy scheme, Standard Contractual Clauses (SCCs) are entered into to secure the transfer of personal data outside of the EEA. The SCCs are permitted by the European Commission and are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. This practice will also apply to transfers from the EEA to the UK after Brexit.
Cookies and other tracking technologies
TCM Group will only provide you with information about new services it can provide you as a user of the Portal.
Under the GDPR you have a number of important rights (which are generally free of charge). In summary, those include rights to:
- The right to request erasure of your personal data unless we are required to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims;
- The right to rectify your personal data when it is not correct. Please contact the administrator of your account if you have any change to make to your personal data. This can be done online on the Portal;
- Access your data and receive copy of it (for any further copies we may charge a reasonable fee based on our administrative costs);
- Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations (data portability);
- Object at any time to processing of personal information concerning you for direct marketing;
- Object to processing of your personal data where the legal justification for our processing of your personal data is in our legitimate interest. We will abide by your request unless there are legitimate grounds which override your interests or rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim;
- Object in certain other situations to our continued processing of your personal information;
- Request restriction of processing of your personal data if you believe that the data is incorrect, or; if our processing is unlawful, or; if we no longer need to process your data for a particular purpose but cannot delete it due to a legal obligation or because you do not want us to delete it;
- Claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, please visit the website of the Icelandic Data Protection Authority which is available: https://www.personuvernd.is/information-in-english/
If you would like to exercise any of those rights, we would always prefer to resolve the matter with you directly. Therefore, please:
- Email us at firstname.lastname@example.org
- Let us have enough information to identify you (We may request that you provide proof of your identity),
- Submit your query via the message section of the Portal to WEBMASTER-TCM GROUP INTERNATIONAL,EHF. If you have been recorded as ‘Inactive’ on the Portal use the email option, and
- Let us know the information to which your request relates, including any account or reference numbers, if you have them.
For further information on how to exercise your rights, please see the section below, entitled ‘How to complain’.
Keeping your personal information secure
We take security seriously and regularly review our programs and systems. We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
As such, TCM Group’s private secure messaging exchange portal (the TCM Group Portal) was successful in being granted a Certificate of Compliance in September 2020, confirming compliance with the extensive system security from SilkSoftware House which is available on our website: https://www.tcmgroup.com
Furthermore, we limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Whilst we strive to protect your personal information, TCM Group cannot ensure or warrant the security of any information you transmit to us online given the inherent nature of the internet. All information is supplied to us at your own risk. More generally, if you want detailed information on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit http://www.getsafeonline.org.
How to complain
We hope that we can resolve any query or concern you raise about our use of your personal information. The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred.
The supervisory authority in Iceland (where TCM Group is registered) is the Icelandic Data Protection Authority who may be contacted:
- By Post: Icelandic Data Protection Authority, Rauðarárstígur 10, 105 Reykjavík, Iceland
- Telephone: +354 510 9600
- Email: email@example.com
For more information concerning claims and appeal, please visit the website of the Icelandic Data Protection Authority: https://www.personuvernd.is/information-in-english/
INFORMATION ABOUT DATA PROCESSING FOR WHICH TCM GROUP IS A PROCESSOR
As mentioned before, TCM Group is processing debtors’ data on behalf of the TCM Members that use the TCM Group Portal to exchange such data safely when needed for debt recovery. TCM Group Members are data controllers of the processing of such data. TCM Group, being a data processor, shall respect the instructions they provided and the obligations set down in the Data Processing Agreement concluded with the TCM Group Members, as well as the General Data Protection Regulation (also known as the GDPR) which applies across the European Union (EU) and the European Economic Area (EEA).
TCM Group members shall not provide other personal data than those mentioned in the Data Processing Agreement, and shall respect the Terms and Conditions of the Portal detailing the way the Portal can be used, how personal data can be exchanged and under what conditions personal data from other TCM Group members might be used.
The Portal is not intended for gathering data from children, except when necessary for and limited to the identification or justification of the debt.
When they are regulated under the GDPR, TCM Group members shall provide the debtors with all the information required in articles 13 and 14 of the GDPR at the time they contact them for debt recovery.
How to contact us