We want to clarify the responsibility of the Company to protect your rights and your integrity. Therefore, we will in this policy explain how we use the personal data that you share with us to enable us to offer you the Company’s services and to give you the best possible experience when using them, the applications, the website and when you are in contact with us. The policy describes what personal data we collect and how we use it under the rules set out in the EU’s new data protection regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) (“GDPR”). The policy also describes your rights and how you can exercise them.
1. General information
When you as a customer create an account and/or use the Service, the Company processes your personal data by obtaining and providing information on your mobile phone, tablet or other devices.
2. Terminology and definitions
2.1. The following terms are used in this policy with the meanings stated below:
2.2. Personal data refers to all types of information that directly or indirectly can be attributed to a natural person who is alive. This could mean name, personal identity number, address etc. Encrypted data and several types of electronic identifiers (such as IP addresses) are considered personal data if they can be linked to natural persons.
2.3. Processing of personal data refers to everything that happens to the personal data. Every action taken with personal data represents processing, irrespective of whether it is performed in an automated manner or not. Examples of common forms of processing are collection, registration, organizing, structuring, adaptation or alteration, transmission and erasure.
3. Data that we collect
3.1. Data that you provide to us
3.1.1. Registration – when creating an account you must provide information such as your personal identity number through BankID, your e-mail address and your mobile phone number. We supplement your registration with name and address from the address register of the Swedish Government (Statens personadressregister (SPAR)), see section 3.2.
3.1.2. Enhanced customer due diligence – to comply with the rules that we as a payment institute must follow, we will from time to time ask for further information about you, i.e. in which country you were born, in which countries you hold a citizenship, in which country you are resident for tax purposes, what your occupation is and if you or someone in your family or a person known to be a close associate with you is or has been a politically exposed person.
3.1.3. The processing of this data is a prerequisite for you to be able to use the Service and is undertaken to enable us to fulfil our agreement with you, as well as to enable us to fulfil statutory obligations.
3.2. Data from others
3.2.1. In addition to the data that you provide us with, we may also collect personal data from another source (third party). For example, the Company collects address information from public registers, such as SPAR, to ensure that we have the correct address details for you.
3.2.2. The processing of this data is a prerequisite for you to be able to use the Service and is undertaken to enable us to fulfil our agreement with you, as well as to enable us to comply with our statutory obligations.
3.3. Use of the Service
3.3.1. We store user data when you visit or use our Services, including our applications, websites and our platform technologies (for example add-ons outside of the website), such as when you visit or click on content and install or update one of our mobile applications. We use logins, cookies, device information and IP addresses to identify you and to log your use of the Service.
3.4. Cookies, web beacons and similar technologies
3.5. Your device and location
3.5.1. When you download the Company’s application on your mobile phone, tablet or other device the Company needs to store and obtain certain technical information from your device to be able to provide and update the Service. By downloading the application, you agree to the Company storing and obtaining certain technical information from the device. The processing of this data is a prerequisite for you to be able to use the Service and the information is stored to enable the Company to fulfil the agreement with you to provide the Service. If you no longer want the Company to store and obtain the technical information, you must uninstall the application.
4. This is how we use your data
4.1. As stated above, the Company processes your personal data for several purposes based on various legal grounds. The Company mainly processes personal data to provide, administrate, develop and adjust the Service and its functionalities to fulfil our agreement with you. The personal data is also processed to ensure customer due diligence, to administrate the customer relationship with you, and to meet requirements related to security and other statutory obligations, to fulfil the Company’s legal obligations. The personal data in sections 3.1-3.5 above may also be used for market- and customer analysis, market surveys, statistics, business follow-up and business development and method development, which is based on either a consent that is obtained from you when you register to create an account at the Company, or on the Company’s legitimate interest to market itself and its services, and to develop and provide the customers an improved supply of services.
4.2. The Company also processes your personal data to give you better and more personal offers and service. Personal data and information on positioning data may for example be processed, merged, segmented and analysed, through targeted marketing, to provide information, offers or recommendations about our own or our partners’ goods or services, based on the user’s preferences, behaviours, needs or lifestyle. Such processing is based on either a consent that is obtained from you when you register to create an account at the Company, or on the Company’s legitimate interest to market itself and its services, and to develop and provide the customers an improved supply of services.
4.3. Furthermore, personal data may be processed to protect the Company’s legal interests or to discover, prevent or draw attention to fraud and other problems related to security or technology, which all constitute legitimate interests for the Company to perform the processing.
4.4. If you do not wish for the Company to process your personal data for direct marketing, you may announce this to the Company in writing through the contact information in section 10.
5. This is how we share your personal data
5.1. Personal data may be shared if it is necessary to comply with requirements provided in law or by authorities, in order for the Company to comply with legal obligations.
5.2. Furthermore, the Company may share your data with other parties in order to enable the processing of your transaction and to facilitate payments, enable updates of your transaction status and to send offers from the Company and the Company’s partners through SMS, e-mail or other direct marketing. This processing is performed to fulfil the agreement that you have entered with the Company and, in terms of marketing, based on a consent or a legitimate interest.
5.3. To be able to provide the Service the Company will share your personal data with partners, such as Wirecard Card Solutions Limited, for the management of your card data and information.
5.4. Where it is necessary to enable the Company to offer you the Service, we share your personal data with companies that act as processors for the Company. A processor is a company that processes the information on behalf of The Company and in accordance with the Company’s instructions. The Company has processors that assist the Company with IT-services, as well as companies that conduct marketing activities on behalf of the Company. However, the Company is always responsible for ensuring that your personal data is processed correctly. When your personal data is shared with processors, it is only for purposes that are compatible with the purposes for which The Company has obtained the information (for example to be able to fulfil The Company’s commitments in accordance with the agreement with you as a customer). The Company checks all processors to ensure that they can provide sufficient guarantees regarding the security and secrecy of personal data. The Company has written agreements with all processors (data processing agreements) under which they guarantee the security of the personal data processed and undertake to fulfil The Company’s security requirements and requirements regarding international transmission of personal data.
6. Where is your personal data processed?
6.1. Your personal data is in general processed only within the EU/EEA.
6.2. Your personal data may be transmitted to or stored in a country outside the EU/EEA, on the condition that there is a legal ground, i.e. a legal obligation or consent from you, and that there are appropriate safeguards or that The Company and its processors have taken adequate precautions. Appropriate safeguards are that an agreement is in place that covers EU standard agreement clauses or other approved clauses, codes of conduct, certifications, etc. approved in accordance with GDPR. See ec.europa.eu/info/law/law-topic/data-protection_en for further information. It is also required that the country outside the EU/EEA where the recipient is located has a reasonable level of data protection which is established by the European Commission, and that the recipient is certified in accordance with Privacy Shield (applicable to recipients in the United States).
6.3. Further information on transmission of personal data to countries outside the EU/EEA can be obtained on request.
7. Information about storage
7.1. Data storage
7.1.1. Your personal data is normally not stored for a longer period of time than is necessary to fulfil the purposes for which the data was collected. The Company will erase or de-identify the data collected that may be traced back to you when you terminate your account at The Company, except for such information that The Company is obliged to keep in accordance with law, normally ten years after you have terminated your account at the Company. The personal data is stored only to comply with such legal obligations or to protect the Company’s legal interests, such as if there is a pending legal process.
7.1.2. When an account is terminated, we normally erase information that is stored in the terminated account within 30 days of the termination of the account.
8. Your choices and rights
8.1. The right to access and control your personal data
8.2. Regarding personal data that we store about you:
· Delete personal data: you can request erasure of all or some personal data (for example if the data is no longer necessary to provide the Services).
· Change or correct personal data: you can edit some of your personal data through your account. You can also request that we edit, update or correct your personal data if, for example, the personal data is inaccurate.
· Object to or request limited or restricted processing of personal data: you can ask us to stop using all or some of your personal data or limit our processing of it.
· Right to object to a particular type of processing: you have the right to at any time object to the Company’s processing of your personal data if the legal ground for the processing is public interest or balance of interest under Article 6(1)(e) and (f) GDPR, or if the processing refers to direct marketing. You also have the right to at any time withdraw your consent regarding processing of personal data that is based on such consent.
· Right to access and/or obtain your personal data: you can ask us about information regarding the personal data that the Company processes about you and request a copy of the personal data in electronic form. You can also request to be informed about the purpose of the processing that the Company has conducted and who has received your personal data. If it is technically possible and the legal ground for personal data processing is consent or that the processing is necessary to fulfil an agreement, you have the right to obtain the personal data that you have provided to us in order to transmit it to another controller.
8.3. The Company may charge an administrative fee in case of unfounded or implausible requests (for example if they are made repetitively). You will then be notified about this in advance. The Company will normally answer your request within one (1) month. Requests are made through email@example.com.
9. Other important information
9.1.1. We have appropriate safeguards designed to protect your information, such as encryption of your data during all processing. We supervise our systems regularly to discover possible weaknesses and attacks. We can, however, not guarantee the security of all information that you provide us. There is no guarantee that information cannot be accessed, exposed, changed or destroyed through attacks on our physical, technical or administered firewalls.
9.2. Management of personal identity numbers
9.2.1. The Company will only process your personal identity number when it is clearly warranted in consideration of the purpose, necessary for a reliable identification or if there is any other notable reason. The Company always minimizes the use of your personal identity number as far as possible through, when it is sufficient, using a User ID that does not contain your birth date.
9.3. Legal grounds for processing
9.3.1. We will only collect and process your personal data when there is a legal ground for it. These legal bases include consent (when you have given us your consent), agreement (when processing is necessary for the execution of the agreement (for example to deliver the Services from the Company that you have requested)) and legitimate interests, such as to protect you, us or others from security threats or frauds, to improve your experience with the Service or to comply with the statutory obligations that apply to us.
9.3.2. If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. If the processing is based on legitimate interests, you have the right to object to our processing. If you have any questions about the legal grounds on which we collect and use your personal data, you may contact us in accordance with section 10 below.
9.4. The Company reserves the right to make changes in this policy at any time. The Company shall, with reasonable notice through website or application, inform users that hold an account at the Company in case of upcoming changes of the policy. If you do not accept the changes, you have the right to terminate the agreement with the Company before the revised policy enters into force. You terminate your agreement with the Company by terminating your account at the Company.
10. Contact information
10.1. The Company is the controller and is responsible for ensuring that your personal data is processed in accordance with applicable law.
10.2. Do not hesitate to contact the Company if you have any questions regarding the processing of your personal data or any complaints. Written or verbal questions and complaints are primarily directed to:
PFC Technology AB
102 16 Stockholm
Telephone number: +46 (0) 8 662 96 00
E-mail: firstname.lastname@example.org (write “Data protection” as the topic).
10.3. In case you are still dissatisfied after contacting us, you can turn to the Swedish Data Inspection Board (Swe. Datainspektionen), which is the supervisory authority in regard to personal data processing, and to whom you are able to present your complaint.
104 20 Stockholm
Telephone number: +46 (0) 8 657 61 00