We want to clarify our responsibility to protect your rights and your integrity. In this policy we therefore explain how we use the personal data that you share with us to enable us to offer you our services and to give you the best possible experience when using them, the applications, the website and when you are in contact with us. The policy describes what personal data we collect and how we use it under the rules set out in the EU’s data protection regulation, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (“GDPR”). The policy also describes your rights and how you can exercise them.
- General information
When you as a customer create an account and/or use the Service, the Company processes your personal data by obtaining and providing information on your mobile phone, tablet or other devices.
- Terminology and definitions
2.1. The following terms are used in this policy with the meanings stated below:
2.2. Personal data refers to all types of information that directly or indirectly can be attributed to a natural person who is alive. This could mean name, personal identity number, address etc. Encrypted data and several types of electronic identifiers (such as IP addresses) are considered personal data if they can be linked to natural persons.
2.3. Processing of personal data refers to everything that happens to the personal data. Every action taken with personal data represents processing, irrespective of whether it is performed in an automated manner or not. Examples of common forms of processing are collection, registration, organizing, structuring, adaptation or alteration, transmission and erasure.
- Data that we collect
3.1. Data that you provide to us
3.1.1. Registration – when creating an account at PFC you must provide information such as your personal identity number through BankID, your e-mail address and your mobile phone number. We supplement your registration with name and address from the address register of the Swedish Government (Statens personadressregister (SPAR)), see section 3.2.
3.1.2. Enhanced customer due diligence – to comply with the rules that we as a payment institute must follow, we will from time to time ask for further information about you, i.e. in which country you were born, in which countries you hold a citizenship, in which country you are resident for tax purposes, what your occupation is and if you or someone in your family or a person known to be a close associate with you is or has been a politically exposed person.
3.1.3. The processing of this data is a prerequisite for you to be able to use the Service and is undertaken to enable us to fulfil our agreement with you, as well as to enable us to fulfil statutory obligations.
3.2. Data from others
3.2.1. In addition to the data that you provide us with, we may also collect personal data from another source (third party). For example, PFC collects address information from public registers, such as SPAR, to ensure that we have the correct address details for you.
3.2.2. The processing of this data is a prerequisite for you to be able to use the Service and is undertaken to enable us to fulfil our agreement with you, as well as to enable us to comply with our statutory obligations.
3.3. Use of the Service
3.3.1. We store user data when you visit or use our Services, including our applications, websites and our platform technologies (for example add-ons outside of the website), such as when you visit or click on content and install or update one of our mobile applications. We use logins, cookies, device information and IP addresses to identify you and to log your use of the Service.
3.4. Cookies, web beacons and similar technologies
3.5. Your device and location
3.5.1. When you download PFC’s application on your mobile phone, tablet or other device, PFC needs to store and obtain certain technical information from your device to be able to provide and update the Service. By downloading the application, you agree to PFC storing and obtaining certain technical information from the device. The processing of this data is a prerequisite for you to be able to use the Service and the information is stored to enable PFC to fulfil the agreement with you to provide the Service. If you no longer want PFC to store and obtain the technical information, you must uninstall the application.
- This is how we use your data
4.1. As stated above, PFC processes your personal data for several purposes based on various legal grounds. PFC mainly processes personal data to provide, administrate, develop and adjust the Service and its functionalities to fulfil our agreement with you. The personal data is also processed to ensure customer due diligence, to administrate the customer relationship with you, and to meet requirements related to security and other statutory obligations, to fulfil PFC’s legal obligations. The personal data in sections 3.1-3.5 above may also be used for market and customer analysis, market surveys, statistics, business follow-up, business development and method development, which is based on either a consent that is obtained from you when you register to create an account at PFC, or on PFC’s legitimate interest to market itself and its services, and to develop and provide the customers an improved supply of services.
4.2. PFC also processes your personal data to give you better and more personal offers and service. Personal data and information on positioning data may for example be processed, merged, segmented and analyzed, through targeted marketing, to provide information, offers or recommendations about our own or our partners’ goods or services, based on the user’s preferences, behaviors, needs or lifestyle. Such processing is based on either a consent that is obtained from you when you register to create an account at PFC, or on PFC’s legitimate interest to market itself and its services, and to develop and provide the customers an improved supply of services.
4.3. Furthermore, personal data may be processed to protect PFC’s legal interests or to discover, prevent or draw attention to fraud and other problems related to security or technology, which all constitute legitimate interests for PFC to perform the processing.
4.4. If you do not wish for PFC to process your personal data for direct marketing, you may announce this to PFC in writing through the contact information in section 10.
- This is how we share your personal data
5.1. We may share your personal data with other companies and with authorities. PFC will not share more data than necessary for the purpose of the sharing.
When the receiver of personal data processes it, the receiver may be responsible for providing information on its processing of the data.
Examples of recipients of personal data from PFC are:
- Authorities, for example police, tax authority, enforcement authority and other legal enforcing authority, and authorities supervising PFC
- Partners, for example the issuer of our cards
- Suppliers of databases and registers
- Suppliers of IT-services
- Credit monitoring institutions and companies
- Participants and partners related to national, European and international payment systems, for example Mastercard
5.2. Personal data may be shared if it is necessary to comply with requirements provided in law or by authorities, in order for PFC to comply with legal obligations.
5.3. Furthermore, PFC may share your data with other parties in order to enable the processing of your transaction and to facilitate payments, enable updates of your transaction status and to send offers from PFC and PFC’s partners through SMS, e-mail or other direct marketing. This processing is performed to fulfil the agreement that you have entered with PFC and, in terms of marketing, based on a consent or a legitimate interest.
5.4. To be able to provide the Service PFC will share your personal data with partners, such as the issuer of the cards and the processing of the transactions for the management of your card data and information.
5.5. Where it is necessary to enable PFC to offer you the Service, we share your personal data with companies that act as processors for PFC. A processor is a company that processes the information on behalf of PFC and in accordance with PFC’s instructions. PFC has processors that assist PFC with IT-services, as well as companies that conduct marketing activities on behalf of PFC. However, PFC is always responsible for ensuring that your personal data is processed correctly. When your personal data is shared with processors, it is only for purposes that are compatible with the purposes for which PFC has obtained the information (for example to be able to fulfil PFC’s commitments in accordance with the agreement with you as a customer). PFC checks all processors to ensure that they can provide sufficient guarantees regarding the security and secrecy of personal data. PFC has written agreements with all processors (data processing agreements) under which they guarantee the security of the personal data processed and undertake to fulfil PFC’s security requirements and requirements regarding international transmission of personal data.
- Where is your personal data processed?
6.1. Your personal data is in general processed only within the EU/EEA.
6.2. Your personal data may be transmitted to or stored in a country outside the EU/EEA, on the condition that there is a legal ground, i.e. a legal obligation or consent from you, and that there are appropriate safeguards or that PFC and its processors have taken adequate precautions.
6.3. Further information on transmission of personal data to countries outside the EU/EEA can be obtained on request.
- Information about storage
7.1. Data storage
7.1.1. Your personal data is normally not stored for a longer period of time than what is necessary to fulfil the purposes for which the data was collected. PFC will erase or de-identify the data collected that may be traced back to you when you terminate your account at PFC, except for such information that PFC is obliged to keep in accordance with law, normally ten years after you have terminated your account at PFC. The personal data is stored only to comply with such legal obligations or to protect PFC’s legal interests, such as if there is a pending legal process.
7.1.2. When an account is terminated, we normally erase information that is stored in the terminated account within 30 days of the termination of the account.
- Your choices and rights
8.1. The right to access and control your personal data
8.2. Regarding personal data that we store about you:
· Delete personal data: you can request erasure of all or some personal data (for example if the data is no longer necessary to provide the Services).
· Change or correct personal data: you can edit some of your personal data through your account. You can also request that we edit, update or correct your personal data if, for example, the personal data is inaccurate.
· Object to or request limited or restricted processing of personal data: you can ask us to stop using all or some of your personal data or limit our processing of it.
· Right to object to a particular type of processing: you have the right to at any time object to PFC’s processing of your personal data if the legal ground for the processing is public interest or balance of interest under Article 6(1)(e) and (f) GDPR, or if the processing refers to direct marketing. You also have the right to at any time withdraw your consent regarding processing of personal data that is based on such consent.
· Right to access and/or obtain your personal data: you can ask us about information regarding the personal data that PFC processes about you and request a copy of the personal data in electronic form. You can also request to be informed about the purpose of the processing that PFC has conducted and who has received your personal data. If it is technically possible and the legal ground for personal data processing is consent or that the processing is necessary to fulfil an agreement, you have the right to obtain the personal data that you have provided to us in order to transmit it to another controller.
8.3. PFC may charge an administrative fee in case of unfounded or implausible requests (for example if they are made repetitively). You will then be notified about this in advance. PFC will normally answer your request within one (1) month. Requests are made through firstname.lastname@example.org.
- Other important information
9.1.1. We have appropriate safeguards designed to protect your information, such as encryption of your data during all processing. We supervise our systems regularly to discover possible weaknesses and attacks. We cannot, however, guarantee the security of all information that you provide us. There is no guarantee that information cannot be accessed, exposed, changed or destroyed through attacks on our physical, technical or administered firewalls.
9.2. Management of personal identity numbers
9.2.1. PFC will only process your personal identity number when it is clearly warranted in consideration of the purpose, necessary for a reliable identification or if there is any other notable reason. PFC always minimizes the use of your personal identity number as far as possible through, when it is sufficient, using a User ID that does not contain your birth date.
9.3. Legal grounds for processing
9.3.1. We will only collect and process your personal data when there is a legal ground for it. These legal bases include consent (when you have given us your consent), agreement (when processing is necessary for the execution of the agreement (for example to deliver the Services from PFC that you have requested)) and legitimate interests, such as to protect you, us or others from security threats or frauds, to improve your experience with the Service or to comply with the statutory obligations that apply to us.
9.3.2. If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. If the processing is based on legitimate interests, you have the right to object to our processing. If you have any questions about the legal grounds on which we collect and use your personal data, you may contact us in accordance with section 10 below.
9.4. PFC reserves the right to make changes in this policy at any time. PFC shall, with reasonable notice through website or application, inform users that hold an account at PFC in case of upcoming changes of the policy. If you do not accept the changes, you have the right to terminate the agreement with PFC before the revised policy enters into force. You terminate your agreement with PFC by terminating your account at PFC.
- Contact information
10.1. PFC is the controller and is responsible for ensuring that your personal data is processed in accordance with applicable law.
10.2. Do not hesitate to contact PFC if you have any questions regarding the processing of your personal data or any complaints. Written or verbal questions and complaints are primarily directed to:
PFC Technology AB
102 16 Stockholm
Telephone number: +46 (0) 8 662 96 00
E-mail: email@example.com (write “Data protection” as topic).
10.3. In case you are still dissatisfied after contacting us, you can turn to the Swedish Data Inspection Board (Swe. Datainspektionen), which is the supervisory authority in regard to personal data processing, and to whom you are able to present your complaint.
104 20 Stockholm
Telephone number: +46 (0) 8 657 61 00