Privacy Policy

Data Protection Policy (applicable from 20-07-2018)

 

Your personal integrity and confidence in our processing of your personal data are of the highest importance to us. This Data Protection Policy explains how Arvato processes your personal data. It also describes your rights relating to the processing of your personal data and how to enforce your rights. It is therefore important for you to familiarise yourself with the contents of the policy. If you have questions, you are always welcome to contact us.

For information on the processing of personal data in connection with debt collection, click here

For information on the processing of personal data specifically for AfterPay, click here

Data controller

Arvato Finance AS (Arvato), Norwegian Org. No. 994 210 130, is the data controller for your personal data. 

What personal data do we process?

To fulfil our purposes when processing personal data, we process the following categories of personal data:

  • Name
  • Address information
  • Personal identification number
  • Contact information
  • Financial information
  • Invoice information
  • Payment information
  • Recordings of conversations
  • Vehicle registration number
  • IP address
  • Bank account

Where do we obtain the personal data?

In addition to the information you give us or which we gather from you based on your purchases and how you use our services, we may also gather personal data from various others (so-called third parties).

The information gathered from third parties is as follows:

  1. Address and contact information from public registers in order to ensure we possess the correct address information about you.
  2. Financial information from credit reference agencies and public authorities, such as information about your income, expenditure, any other lending obligations, overdue payments, payment remarks and debt balance.
  3. Personal identification number from public registers. We process the personal identification number as little as possible and only where the purpose of the processing gives a clear reason for doing so, for example when we need to identify you.

Why and how do we process your personal data?

Purpose

To perform the contract and provide the payment solution.

 

Type of processing

·         Data gathering

·         Identification and age checks.

·         Analysis of possible payment solutions, which may include checking payment history and gathering of financial information.

·         Payment handling

·         Address checks

·         Issue of invoices

·         Data storage

 

Categories

·         Name

·         Personal identification number.

·         Contact information (e.g. address, e-mail and Tel. no.)

·         Payment information.

·         Financial information.

·         Purchasing information (e.g. which items have been ordered, or if the items are to be delivered to another address).

·         Invoice information

·         Information you provided us with at the time of contact

·         Log-in/user information

 

Legal basis

Fulfilment of the contract. The processing of your personal data is necessary so that we and you are able to fulfil our obligations under the contract. If the information is not provided, our obligations cannot be fulfilled and the contract cannot be entered into.

 

Storage period

Until the contract has been performed in terms of delivery and payment, and for a period of 36 months thereafter for other contract matters, including statutory time limits for complaints.

 

Automated decision-making processes

No

 

-----------------------------

 

Purpose

Evaluation and development of our services, products and systems to ensure their effectiveness and adequacy and for statistical purposes.

 

Type of processing

Analyses of information we use for the purpose.

Deidentification or pseudonymisation of data, such that they can no longer be linked to you as a person.

 

Categories

·         Age

·         Gender

·         Contact information

·         Purchasing and user-generated data (e.g. click and visits history)

·         Technical data relating to devices and settings (e.g. device ID and browser settings)

·         Information on your interactions with us (e.g. e-mail, telephone, etc.)

 

Legal basis

Legitimate interest The processing is necessary to fulfil our legitimate interest in providing efficient and tailored services

 

Storage period

Until the underlying contract has been fulfilled in terms of delivery and payment and for a period of 36 months thereafter.

 

Automated decision-making processes

No

 

-----------------------------

 

Purpose

Analyses and calculations relating to any purchase of receivables

 

Type of processing

Personal data relating to receivables owned by Arvato is matched to personal data relating to claims which Arvato may decide to purchase.

 

Categories

·         Personal identification number.

·         Payment information.

·         Financial information.

 

Legal basis

Legitimate interest under Article 6 (1) (f). Processing is necessary to secure our legitimate interest in only purchasing claims where the creditor is creditworthy.

 

Storage period

Until the underlying contract has been fulfilled in terms of delivery and payment and for a period of 36 months thereafter.

 

Automated decision-making processes

No

 

-----------------------------

 

Purpose

Administering and maintaining customer agreements

 

Type of processing

Identity checks and data storage

 

Categories

·         Name

·         Contact information

 

Legal basis

Fulfilment of the contract. Processing of personal data required for performing a contract with the customer. If the information is not provided, our obligations may not be capable of fulfilment in some cases and the contract cannot be entered into.

 

Storage period

Until the contract has been entered into and for a period of 36 months thereafter to permit management of the contract and the client relationship.

 

Automated decision-making processes

No

 

-----------------------------

 

Purpose

Compliance with accounting obligations

 

Type of processing

Storage, and, on request, release of information necessary for accounting obligations

 

Categories

·         Payment information.

·         Purchasing information (e.g. which items have been ordered, or if the items are to be delivered to another address).

·         Invoice information

 

Legal basis

Legal obligation The processing is necessary to fulfil a legal obligation

 

Storage period

The data are stored for 10 years in accordance with accounting legislation.

 

Automated decision-making processes

No

 

-----------------------------

 

Purpose

Preventing money laundering and terror financing

 

Type of processing

Storage and, on request, release of data necessary for fulfilling obligations under the applicable legislation in this area.

 

Categories

·         Name

·         Personal identification number.

·         Payment information.

·         Purchasing information (e.g. which items have been ordered, or if the items are to be delivered to another address).

·         Invoice information

 

Legal basis

Legal obligation. The processing is necessary to fulfil a legal obligation.

 

Storage period

The data are stored for 5 years in accordance with the applicable legislation.

 

Automated decision-making processes

No

Who do we share your personal data with?

In some cases we share your personal data with companies with whom Arvato cooperates for the fulfilment of the above purposes. This applies to companies both within and outside Arvato Bertelsmann. The parties we disclose the information to can be divided into two categories.

Data processors

In some cases, in order to offer you our services, we need to share your personal data with suppliers who act as so-called data processors for us. The suppliers we use as data processors can only process information on our behalf and in accordance with our instructions. All processing is done in accordance with the purposes we have specified for the processing.

All data processors we engage have been inspected for compliance with the security requirements for the processing of personal data. We also sign a data processing contract with all suppliers in order to ensure the safe processing of your personal data.

Data controllers

We also share your personal data with companies/public authorities (e.g. the company you bought the product from and from which an invoice is payable to us/the tax authorities), which are themselves data controllers for the personal data. Being a data controller entails selecting how the information is to be processed. In some cases we may be obliged to disclose personal data under the applicable legislation.

When your personal data are shared with a company or a public authority, which is a data controller, the data will be covered by their Data Protection Policy. We do not share information with companies which do not comply with the data protection legislation.

We do not sell your personal data to third parties. In addition, we do not disclose your data to third parties for direct advertising, remote sales or other forms of direct marketing, opinion surveys or market research.

Where do we process your personal data?

We attempt to process your personal data within the EU/EAA. If we transfer your data outside the EU or EEA, we ensure that the data has the optimum protection. Transfers will only be made where there is an adequate security level, for example, Privacy Shield or other suitable safety measures, e.g. binding company rules, standardised data protection, approved code of conduct or internal company rules.

How do we ensure that your information is safe?

We use the latest technology to keep your information safe. This means that we employ all necessary technical and administrative precautions for protecting your information from unauthorised access, destruction or other unauthorised processing. These security measures include firewalls, encryption, use of safe IT areas, correct access control, training of the personnel who handle your information and careful choice of contractors. In addition, the right to access to your information is restricted to Arvato employees who process the information as part of their work.

Your rights?

In connection with our processing of your personal data, you have a number of rights. The rights are stated in the applicable legislation for this area, and mean that you have a right to:

 

Access. You always have the right to know whether we are processing personal data about you, and, if so, to gain access to your personal data. You have the right to obtain a copy of the personal information being processed. The information is available in a register extract, which also includes the purpose, categories of personal data, recipient categories, storage periods, your rights, information on where the data was gathered and any automated decisions, together with protection measures relating to transfer to third countries.

For your security, we may need further information from you to ensure that it is you asking for access to the data and to allow us to give you the information in a safe manner.

 

Correction. You have the right to have incorrect personal information about you corrected. You also have the right to supplement incomplete personal information, having regard to the purpose of the processing.

 

Deletion. In the following cases, you have the right to have your personal data deleted:

§  The data is no longer necessary for the purposes for which it was gathered or was otherwise processed.

§  If you withdraw your consent and there is no other legal basis for the processing.

§  If you object to the processing of your personal data carried out by us on the legal grounds of legitimate interest. This assumes that the legitimate interest in processing does not override considerations of personal privacy.

§  You object to the processing of your personal data for direct marketing.

§  If your personal data have been processed unlawfully.

§  If personal data needs to be deleted to comply with a legal obligation to which we are subject.

 

 

It is not certain that we can meet your request to have your personal data deleted. For example, if the data is necessary for complying with a legal obligation to which we are subject, for performing a task of public interest or if the information is necessary for determining, enforcing or defending legal claims.

 

Limitation. You are entitled to have us limit the processing of your personal data in the following cases:

§  If you disagree that the personal data we process concerning you are correct, processing must be limited while we check whether the information is correct.

§  If the processing of personal data is unlawful, and you object to the deletion of the personal data but instead ask for processing to be limited.

§  If we no longer need your personal data for the purpose of the processing, but you need them to determine, raise or defend legal claims.

§  If you object to the processing of your personal data which we are processing on the legal basis of legitimate interest, you are entitled to limited processing while we check whether our legitimate interest overrides your personal privacy.

If the processing of your personal data is limited, we may, beyond storing your personal data, only process them with:

·         Your consent

·         To determine or defend legal claims

·         To protect another physical or legal person

·         Or out of consideration for an important public interest.

 

Data portability. You have the right to receive the personal data you gave us in a structured, commonly used and machine-readable format. You also have the right to transfer these data to another data controller, and, if technically possible, have them transferred directly from us to another data controller. This assumes that the processing of the personal data is done on the legal bases of consent or in order to fulfil a contract, and that the processing is automated.

 

Right to object. You have a right to object to the processing of your personal data where it is processed on the basis of general or legitimate interest, including profiling. If you object to such processing, we shall no longer be able to process your data unless we can demonstrate compelling reasons, which override your interests, rights and freedoms, or unless we are processing your personal data for the purpose of establishing, enforcing or defending a legal claim.

You are always entitled to object to the processing of your personal data for direct marketing, including profiling linked to direct marketing. 

Cookies and other tracking technology

Cookies are small temporary files stored in the browser’s memory where the user has visited a website. Our websites use cookies to gather statistical data about how the website is being used and to improve the user’s experience. 

If you do not wish to store information capsules on your PC, you may block their use by means of browser settings. Note that access to certain of the website’s services may be dependent on your permitting cookies.

You may also remove information capsules from the browser’s history. By regular deletion of cookies, you can change the identifier used to create a user profile based on the browser’s log. If you delete cookies from the browser’s log, you will not stop the collection of data completely. This action will only remove the profile based on your previous browsing history. 

Changes to our Data Protection Policy

We are constantly developing our websites and reserve the right to change our Data Protection Policy. The changes, which may be based on amendments to the applicable legislation, can be found here. We therefore recommend regular reading of our Data Protection Policy.

For questions/contact