1. Data Controller Information
Data Controller: Sahajjo Micro Finance
Address: Mudi Market, Bolpur, Birbhum
Near Bolpur High School
PIN-731204
Email: help@sahajjofinance.com
Data Protection Officer: dpo{{ parse_url(url('/'), PHP_URL_HOST) }}
2. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary for loan agreements and services
- Legal Obligation: Compliance with financial regulations and anti-money laundering laws
- Legitimate Interest: Risk assessment, fraud prevention, and business operations
- Consent: Marketing communications and optional services (where applicable)
3. Categories of Personal Data
Identity Data
- Full name and title
- Date of birth
- Government ID numbers
- Photographs and signatures
Contact Data
- Email addresses
- Phone numbers
- Postal addresses
- Emergency contacts
Financial Data
- Income information
- Bank account details
- Credit history
- Employment details
Usage Data
- Website interactions
- Application usage
- Communication records
- Transaction history
4. Your GDPR Rights
Right of Access
You have the right to request copies of your personal data and information about how we process it.
Right to Rectification
You can request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
You can request deletion of your personal data in certain circumstances ("right to be forgotten").
Right to Restrict Processing
You can request that we limit the processing of your personal data in specific situations.
Right to Data Portability
You can request transfer of your data to another organization in a structured format.
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
5. Data Retention
We retain your personal data for different periods depending on the purpose:
- Active Loans: Duration of the loan plus 7 years for regulatory compliance
- Declined Applications: 12 months for regulatory and audit purposes
- Marketing Data: Until consent is withdrawn or 3 years of inactivity
- Legal Requirements: As required by applicable financial regulations
6. Data Security Measures
Encryption
All data is encrypted in transit and at rest using industry-standard protocols.
Secure Infrastructure
Our systems are hosted in secure, certified data centers with 24/7 monitoring.
Access Controls
Strict access controls ensure only authorized personnel can access your data.
7. International Data Transfers
If we transfer your data outside the EEA, we ensure adequate protection through:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules (BCRs)
- Certification schemes and codes of conduct
8. Automated Decision Making
We may use automated systems for:
- Credit Scoring: Initial assessment of loan applications
- Fraud Detection: Identifying suspicious activities
- Risk Assessment: Evaluating loan default probability
You have the right to request human review of automated decisions that significantly affect you.
9. Data Breach Notification
In case of a data breach that poses a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours
- Inform affected individuals without undue delay
- Provide clear information about the breach and mitigation steps
- Implement measures to prevent future breaches
10. Supervisory Authority
You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data properly. Contact details for EU supervisory authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en