Latest updated on March 19, 2021

SweepBank’s Principles of Processing its

Clients Personal Data (Privacy Policy)

These principles of Processing the Clients’ Personal Data (hereinafter also principles) describe how we, SweepBank

(hereinafter also we, us or our) process Personal Data of our Clients and any other Data Subjects (hereinafter also you) in

relation to the services and products we offer. These principles apply if you use, have used, have expressed an intention to

use or are in any other way related to our products or services, or in case you have expressed your wish to receive any

information about our products or services.

1. Definitions

1.1. Client – A natural person who uses, has used or has expressed an intention to use the products or services offered

by SweepBank or to conclude a guarantee or warranty agreement with SweepBank or expressed a wish to receive

information about SeepBank’s products or services;

1.2. Contract – A contract concluded between SweepBank and the Client;

1.3. Data Protection Regulations – Any applicable laws and regulations regulating the processing of Personal Data,

including but not limited to the GDPR;

1.4. Data Subject - an identifiable natural person who can be identified, directly or indirectly, in particular by reference

to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors

specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

1.5. Ferratum Group – SweepBank together with companies the majority shareholder of which is directly or indirectly

SweepBank's parent undertaking Ferratum Oyj (Finnish Trade Register code 1950969-1, address Ratamestarinkatu 11 A,

Helsinki, Republic of Finland);

1.6. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and on the free movement of such data, and

repealing Directive 95/46/EC (General Data Protection Regulation);

1.7. Personal Data – Any information relating to Data Subject. Data which is protected by banking secrecy may also

include Personal Data;

1.8. Processing – Any operation or set of operations which is performed on Personal Data or on sets of Personal Data,

whether or not by automated means, such as collection, recording, storing, alteration, granting access to, making enquiries,

transfer, viewing, etc.;

1.9. SweepBank – Ferratum Bank p.l.c., Malta Registry of Companies code C 56251 with address ST Business Centre

120, The Strand, Gzira, GZR 1027, Malta; phone +35627781088; e-mail help@sweepbank.com.

2. Data Controller

2.1. SweepBank is responsible for the Processing of your Personal Data and for those reasons we are the data

controller under the GDPR.

2.2. As SweepBank is a company established under the laws of Republic of Malta, then the Processing of your Personal

Data shall be governed by the laws of Malta and the main language governing the relationship between you and

SweepBank shall be English. In the event of inconsistency or discrepancy between the English version and any of the other

linguistic versions of these principles, the English language version shall prevail.

3. Collecting your Personal Data

3.1. SweepBank collects your Personal Data in the following ways:

3.1.1. In case you apply for a loan or request other services or products from us, you provide your Personal Data directly

to us and additionally we collect it from Ferratum Group (from your previous use of its services or products) and from

external sources. Such external sources include but are not limited to public and private registers (e.g., Asiakastieto, CREFO

or other similar databases) which SweepBank uses to identify you and verify your identity and perform credit and risk

assessments. The Personal Data required depends on the services or products requested by you, e.g., whether you are

applying for a loan, depositing money, or acting as a personal guarantor;

3.1.2. By automatic means when you use SweepBank’s website. Such Processing is further explained in our Cookie

Declaration available at

https://cdn.sweepbank.com/documents/19_03_2021_SweepBank_Cookies_Declaration_EN.pdf.

4. Personal Data Processed

4.1. Considering the financial nature of our services and products, SweepBank Processes Personal Data collected for

the following purposes:

4.1.1. concluding and performing the Contract with our Client. This includes properly identifying the Client and

performing credit and risk checks and assessments on the Client to determine whether and on which conditions to conclude

the Contract. The legal basis for such Processing is either entering into and performing the Contract with the Client or

SweepBank’s legitimate interests to ensure the Client is trust- and creditworthy as well as to collect amounts due;

4.1.2. performance of our obligations arising from law (e.g., anti-money laundering (AML) and terrorist financing rules

and regulations to properly identify the Client (KYC) and ensure the trust- and creditworthiness of the Client);

4.1.3. safeguarding our rights (establishing, exercising, and defending legal claims). The legal basis for such Processing

is SweepBank’s legitimate interest;

4.1.4. assessing and developing further the quality of our services and products, e.g., customer support service and

quality assurance service. The legal basis for such processing is the legitimate interest of SweepBank;

4.1.5. assessing the quality of our (potential) service providers services which enables us to evaluate and develop further

the quality of the services and products we offer to our Clients. The legal basis for such processing is the legitimate interest

of SweepBank.

4.2. For the foregoing, SweepBank Processes the following Personal Data:

4.2.1. identification data (e.g., name, personal identification code, date of birth, place of birth, nationality, information

about and copy of identification document, results of face/ID recognition, voice, picture, video, signature, address);

4.2.2. contact data (e.g., address, phone number, e-mail address, language of communication);

4.2.3. bank data (e.g., bank ID, account holder, account number, transaction information from your bank account, if you

have consented to this);

4.2.4. professional data (e.g., current and former employer and position);

4.2.5. financial data (e.g., salary, income, assets, liabilities, properties, tax data);

4.2.6. data concerning origin of assets (e.g., data concerning employer, transaction partners, business activities and

actual beneficiaries, data showing the source of your income and wealth);

4.2.7. data concerning creditworthiness/trustworthiness (e.g., data concerning payment behaviour, damages caused to

SweepBank or other persons, data that enables SweepBank to perform the due diligence measures regarding money

laundering and terrorist financing prevention and to ensure the compliance with international sanctions, including the

purpose of the business relationship and whether the Client is a politically exposed person);

4.2.8. data obtained when performing an obligation arising from the law (e.g., information received from enquiries

submitted by investigative bodies, notaries, tax authorities, courts and bailiffs);

4.2.9. communications data (e.g., e-mails, phone call recordings);

4.2.10. your personal SweepBank’s account log-in data;

4.2.11. data related to the products and services of SweepBank (e.g., performance of the Contract or the failure thereof,

transactions history, submitted applications, requests and complaints).

5. Processing based on consent

5.1. SweepBank also processes your Personal Data based on your consent (e.g., for direct marketing purposes,

preparing and building lookalike audience groups, etc. ).

5.2. When the Processing is based on your consent, you can withdraw your consent at any time by contacting

SweepBank on the contact details provided below in Section 11. Please note that withdrawing your consent does not affect

the lawfulness of Processing based on consent before its withdrawal.

5.3. As for direct marketing messages received by e-mail, you can also withdraw consent and unsubscribe from

receiving any further e-mails by clicking on the ‘unsubscribe’ link at the end of each e-mail.

6. Automated decision-making and profiling

6.1. SweepBank decides based on profiling and automated decision-making whether the Client’s application to receive

our products or services is fully or partially accepted or rejected.

6.2. The decision is made based on information received from your application, information received from external

sources and other third parties, as well as the Client’s previous payment behaviour with us, Ferratum Group company and

other financial service providers. No special categories of Personal Data (eg. data concerning health, genetic data) are

Processed.

6.3. Profiling and automated decision-making are necessary for entering the Contract, to meet SweepBank’s legal

obligations to properly identify the Client, for assessing the creditworthiness of the Client, fraud prevention and money

laundering. Automated decision-making helps SweepBank to verify your identity and whether you are trust- and

creditworthy to fulfil your obligations under the Contract. Automated decision-making helps us to make fair and

responsible decisions and reduce the potential for human error, discrimination, and abuse of power, as well as enables to

deliver decision-making within a shorter period, taking into account the volume of applications received by SweepBank.

6.4. Because the decision-making is automated, the Client might not be eligible for our products or services. We have

implemented suitable measures to safeguard the Client's rights and freedoms and legitimate interests and can assure that

we regularly test our automated methods, e.g., credit scoring methods, to ensure they remain fair, effective, and unbiased.

However, if you want to contest an automated decision made or express your point of view, please contact us on the

contact details provided below in Section 11.

6.5. SweepBank uses profiling in addition to above to decide based on the Client’s financial soundness in using our

products and services whether to offer on our own initiative a higher credit amount or other services and products to the

existing Client. We have based such Processing on our legitimate interest to market our services and products. As a result

of described profiling, some Clients may not receive such offers. However, such profiling does not directly produce any

legal effects on the Client or otherwise significantly affect the Client, as this does not influence the already existing Contract

and the Client has the chance to apply for a new loan on her/his own initiative.

7. Disclosing the Personal Data

7.1. The financial nature of SweepBank’s products and services require us to share your Personal Data to run our

everyday business to process transactions, maintain customer accounts, and report to public institutions. We will always

ensure to respect relevant financial industry secrecy obligations before sharing any Personal Data.

7.2. We only share your Personal Data with those carefully selected and trusted partners to whom SweepBank wishes

to entrust or has entrusted the provision of services and with the third parties performing functions delegated to them by

law, if stipulated herein, required under the applicable law (e.g., when SweepBank is obligated to share Personal Data with

the authorities) or with your consent.

7.3. SweepBank may share your Personal Data with the following partners and third parties:

7.3.1. other Ferratum Group entities. The legal basis for such sharing is the legitimate interests of SweepBank to ensure

the performance of the Contract or the legal obligation to ensure the services provided by SweepBank would be suitable

and proportionate for the Client;

7.3.2. SweepBank cooperation partners with whom SweepBank offers co-branded products and services for providing

and marketing those services and products. The legal basis for such sharing is either your consent or our legitimate interest

to offer you those product and services if you are our existing Client or used recently our products or services;

7.3.3. Personal Data processors and their sub-processors, e.g., legal and other advisors, data storage providers,

telemarketing, marketing and surveys service providers, communication service providers, identification and certification

service providers, card management service providers, invoicing and payment service providers, credit and financial

institutions, bank data scraping, scoring and credit check service providers, online and offline intermediaries, IT service

providers, etc. The legal basis for such sharing is either your consent or our legitimate interests to ensure the continuity of

our business and the continued provision of our products and services, including the necessary financing for offering our

products and services and the return of loans granted by us;

7.3.4. credit reference agencies who provide credit reports. The legal basis for such sharing is our legitimate interests to

ensure the performance of the Contract or the legal obligation to follow the principles of responsible lending;

7.3.5. persons maintaining databases of defaulted payments. The legal basis for such sharing is our legitimate interests

to ensure the performance of the Contract or the legal obligation to ensure the services provided by SweepBank would be

suitable and proportionate for the Client;

7.3.6. the Central Bank of Malta for the purpose of inclusion in the Central Credit Register in case you have been granted

loans which exceed €5 000. The legal basis for such processing is the legal obligation to follow the Central Bank of Malta

Directive No. 14;

7.3.7. debt collection agencies and bailiffs. The legal basis for such sharing is our legitimate interests to ensure the

performance of the Contract;

7.3.8. SweepBank’s auditors and regulators. The legal basis for such sharing is our legal obligations we are subject to;

7.3.9. other partners and third parties to which we may assign, pledge, or transfer our rights and obligations to the

extent required or allowed under the legislation applicable to SweepBank or according to the agreement concluded with

you. The legal basis for such sharing is either your consent or our legitimate interests of ensuring the continuity of our

business.

7.4. If you submit an open banking request for which you gave your consent to, we will transfer the requested data to

the payment service provider via SweepBank’s API interfaces to comply with a request to access your SweepBank bank

account for payment initiation services, account information services and confirmation on the availability of funds. We

transfer the Personal Data to comply with our legal obligation under the Directive (EU) 2015/2366 on payment services

(PSD2) to provide an interface for communication with regulated payment service providers of your choice.

7.5. When registering for or using the services of SweepBank Card through Apple Pay, through the SweepBank

Platform for Mobile Contactless Payments or through Google Pay, your Personal Data shall be shared with those third

parties as independent controllers and then respectively processed according to the provisions of Annex I to these

Principals.

8. Transferring Personal Data outside the EEA

8.1. SweepBank transfers Personal Data outside of the European Economic Area only where we have a lawful basis to

do so, i.e., to a recipient who is: (i) in a country which provides an adequate level of protection for Personal Data; or (ii)

under an instrument which covers the European Union requirements for the transfer of Personal Data outside the European

Economic Area.

9. Protection of Personal Data

9.1. SweepBank endeavours to maintain physical, technical, and procedural safeguards appropriate to the sensitivity

of the Personal Data in question. These safeguards are designed to protect your Personal Data from loss and unauthorized

access, copying, use, modification, or disclosure. Despite these safeguards, please note that no method of transmission

over the internet or data storage is fully secure. Should we be required by law to inform you of a breach to your Personal

Data we may notify you electronically, in writing, or by phone.

10. Data retention

10.1. SweepBank retains your Personal Data in accordance with industry guidelines for as long as necessary for the

purposes for which they were collected, or for as long as necessary to safeguard our rights, or for as long as required by

applicable legal acts. Kindly note that if the same Personal Data is Processed for several purposes, we will retain the Personal

Data for the longest retention period applicable. For us, the maximum period applicable is the limitation period for claims

arising from transactions, which is up to 10 years from the date of your last transaction or closure of the account, whichever

is the latest.

11. Your rights

11.1. To the extent required by applicable Data Protection Regulations, you have all the rights of a Data Subject as

regards your Personal Data. This includes the right to:

11.1.1. request access to your Personal Data;

11.1.2. obtain a copy of your Personal Data;

11.1.3. rectify inaccurate or incomplete Personal Data relating to you;

11.1.4. erase your Personal Data;

11.1.5. restrict the Processing of your Personal Data;

11.1.6. portability of your Personal Data;

11.1.7. object to Processing of your Personal Data which is based on your overriding legitimate interest and which is

Processed for direct marketing purposes;

11.1.8. should you believe that your rights have been violated, you have the right to lodge a complaint with:

• SweepBank customer support service at help@sweepbank.com; or

• SweepBank data protection officer at DPO@sweepbank.com; or

• The Office of the Information and Data Protection Commissioner, Address: Floor 2, Airways House, Triq Il - Kbira, Tas-

Sliema SLM 1549, Phone: 2328 7100; or

• Data Protection Supervisory Authority of your country; or

• the courts of your country should you believe that your rights have been violated.

11.2. When requesting access to, or rectification or deletion of your Personal Data, please note that we shall request

specific information from you to enable us to confirm your identity and right to access, rectify or delete, as well as to search

for and provide you with the Personal Data that we hold about you.

11.3. Kindly note that your right to access, rectify, or delete your Personal Data we hold about you is not absolute. There

are instances where applicable law or regulatory requirements allow or require us to refuse your request. In addition, the

Personal data may have already been destroyed, erased, or made anonymous in accordance with our record retention

obligations and practices as described above in Section 10.

11.4. If we cannot provide you with access to, or rectification or deletion of your Personal Data, we will inform you of

the reasons why, subject to any legal or regulatory restrictions. We can assure you we will not discriminate you for exercising

any of your rights described in these Principles.

11.5. To exercise your rights, please contact SweepBank on the contact details above. Please note that you can exercise

some rights by logging into your SweepBank personal user account.

12. Amending these principles

12.1. Should our Personal Data Processing practices change or there shall be a need to amend these principles under

the applicable law, case-law or guidelines issued by competent authorities, we are entitled to unilaterally amend these

principles at any time. Our most recent principles will always be published on our website and we urge you to check this

at least once a month.

13. Contact

13.1. In case you have any question regarding the Processing of your Personal Data by SweepBank or you would like

to exercise your rights as a Data Subject, please contact us on contact details provided above in Section 11.

13.2. SweepBank has appointed a data protection officer whom you also may contact regarding the same on the contact

details provided above in Section 11.

Annex I to SweepBank’s Principles of Processing the

Personal Data - Personal Data Processing for Apple Pay, for

SweepBank’s Platform for Mobile Contactless Payments and

for Google Pay

1. Application

1.1. This Annex I explains how your Personal Data is processed when you as a SweepBank Client register for or use

SweepBank Card through Apple Pay or through the SweepBank’s Platform for Mobile Contactless Payments or through

Google Pay (hereinafter altogether named as Platforms) according to the applicable provisions of SweepBank’s General

Terms and Conditions.

1.2. This Annex I complement the SweepBank’s principles of Processing the Personal Data as stated above,

SweepBank’s General Terms and Conditions and in addition should be read by the Client along with the terms and

conditions and the privacy policy of:

a) Apple Pay available on https://support.apple.com/en-us/HT203027; and

b) Google Pay available on https://payments.google.com/payments/apis-

secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=en-GB.

2. Personal Data subject to Processing

2.1. When you register for and use the Platforms as described in Clause 1.1. of this Annex I, SweepBank shall collect

and process your following Personal Data:

a) your name, surname and phone number;

b) the details of your transactions made through Platforms;

c) the contact and shipping details for those payment transactions made at participating merchants;

d) the details of your SweepBank Card and any other card registered for use through Platforms;

e) location data in case you switch on any location service in your device.

3. Purposes of Processing

3.1. Your Personal Data will be processed for the following purposes:

• to verify your SweepBank Card or any other card to be registered for use through Platforms;

• to facilitate the use of SweepBank Card or of any other card registered for use through Platforms;

• to deal with queries from Apple Pay and Google Pay;

• to authorise payments through Platforms on the dedicated section of SweepBank Mobile App;

• to prevent and detect fraud;

• to comply with legal requirements and industry standards; and

• to help us develop, maintain, and improve our products and services.

4. Retrieval of Data

4.1. You shall be able to retrieve on your Mobile Account information concerning each card registered for use through

Platforms on the dedicated section of the SweepBank Mobile App, including, but not limited to, your ten (10) most recent

transactions, the merchant’s name and location, each transaction amount and part of the number identifying your

SweepBank Current Account. You can choose not to have such information displayed, by suspending the use of SweepBank

Card of any other card registered for use through Platforms.

5. Sharing your Personal Data with third parties

5.1. Kindly note that Apple Pay and Google Pay are separate data controllers under GDPR while Processing your

Personal Data to provide you with their services. Therefore, SweepBank is not responsible for the data processing activities

of Apple Pay and Google Pay, including any of the services and/or products provided by their partners. Any Personal Data

(including the details of your SweepBank Card or of any other card registered for use through Apple Pay and/or Google

Pay) given to such separate data controller shall be subject on an exclusive basis to their own terms and conditions and

privacy policies. For more information, please refer to Clause 1.2 of this Annex I.

5.2. In addition, please note that any of your Personal Data (including the details of your SweepBank Card or of any

other card registered for use through Platforms) that is collected by your device provider while you use your SweepBank

Card or other cards through Platforms, shall be subject on an exclusive basis to the terms and conditions and privacy

policies of your device provider and, to the applicable extent, of any other involved third-party.

5.3. For SweepBank to be able to provide the services to you under Schedule B.1., Schedule B.2. and/or Schedule B.3.,

your Personal Data shall be shared with:

• MeaWallet A.S. (a corporation, with offices located at Drengsrudbekken 12, N-1371 Asker, Norway), in order to ensure

the operativity of the dedicated section of the SweepBank Mobile App for payment transactions. This applies only when

the registration process and/or the card payment orders is/are made on such dedicated section, as the software running

it is provided to SweepBank by MeaWallet A.S;

• MasterCard Europe SA (a Belgian limited liability company, with Belgian enterprise number RPR 0448038446, having its

registered office at 198/A, Chaussée de Tervuren, 1410 Waterloo, Belgium), in order to process the relevant transactions

the details of your SweepBank Card or of any other card registered on the dedicated section of SweepBank Mobile App

shall be shared with MasterCard. Mastercard has established a comprehensive privacy and data protection program to

ensure compliance with applicable data protection laws and have embedded privacy and data protection into the

design of their products and services. For more information, please refer to the Binding Corporate Rules of Mastercard

available on https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf.