Personal Data Policy

Arvato Finance AB

Your personal integrity and the fact that you feel secure with our processing of your personal data are extremely important to us. This Personal Data Policy explains how Arvato Finance AB processes your personal data in our debt collection activities. It also describes your rights in respect of the processing of personal data and how you can exercise these rights. It is therefore important that you study the Personal Data Policy. If you have any questions, you are always welcome to contact us.

 In those places where we refer to legal text, this relates to “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (GDPR).

For information about processing in respect of personal data in particular for Debt Collection, click here
For information about processing in respect of personal data in particular for AfterPay, click here

Controller

The party responsible for the processing of your personal data is Arvato Finance AB (Arvato), 556495-1704.

Which personal data do we process?

In order to fulfil our purpose in the processing of personal data, we process the following categories of personal data:

Name

Address details

Personal ID number

Contact details - e.g. email address and phone number

Financial information - e.g. income, expenses, debts

Purchasing information - e.g. which product has been ordered, how it was ordered and delivery address

Invoice information - e.g. invoice amount

Payment information - information about payments you have made’

Cast information – information that is relevant to the case

Vehicle registration number

IP address

Bank account 

Where do we obtain the personal data?

In addition to the data that you yourself submit to us, we also collect data from other, so-called third parties, who are our clients, authorities and companies that provide personal data.

We collect the following data from third parties:

1) Address and contact details from public registers to make sure that we have the correct address details for you.

2) Financial information from credit agencies and authorities, for example details of your income, expenses, potential credit commitments, records of non-payment and debt balance.

3) Personal ID numbers from public registers. We process personal ID numbers as little as possible and when it is clearly justified with regard to the purpose of processing, for example when we need to identify you for certain.

Why and how do we process your personal data?

Purpose
In order to achieve payment and provide payment solution.

Processing activities
Collection
Identification and age check.
Analysis of payment history and the collection of financial information.
Handling of payment.
Address check.
Invoicing.
Storage.
Disbursement to processors for the provision of the service. 

Categories of personal data
Name.
Personal ID numbers.
Contact information.
Payment information.
Financial information.
Purchasing information
Invoice information.
Case information.

Legal basis
Fulfilment of the agreement. The processing of your personal information is required in order for us and you to fulfill our obligations under the agreement. If the information is not provided, our commitments can not be fulfilled and the agreement can not be concluded.

Storage period

Until the contract is completed for delivery and payment and for a period of 36 months thereafter in order to deal with the agreement in other parts including statutory deadlines for payment.

Automated decision-making
Yes, regarding the analysis of possible payment solutions offered to you. Checks are made against payment history and financial information. Depending on what the check shows, some payment options may not be offered to you.

Purpose
Evaluation and development of our procedures and systems in order to make sure that they are effective and appropriate, as well as statistics.

Processing activities
Analyses of the data used for the purpose.
Anonymisation or pseuodonymisation of data, so that there is no longer any link to you as an individual.


Categories of personal data
Age.
Gender.
Contact information.
Financial information.
Payment information.

Legal basis
Legitimate interest pursuant to Art. 6, 1, f. Processing is necessary in order to fulfil our legitimate interest in being able to provide effective and appropriate services.

Storage period
Until the underlying agreement was completed for delivery and payment and for a period of 36 months thereafter.

Automated decision-making 


Purpose
Analyses and calculations in connection with possible acquisitions of receivables.

Processing activities
Personal data originating from receivables owned by Arvato Finance AB are matched against personal data in respect of people against which Arvato may possibly acquire receivables


Categories of personal data
Personal ID numbers.
Payment information.
Financial information

Legal basis
Legitimate interest pursuant to Art. 6, 1, f. Processing is necessary in order to satisfy our legitimate interest in maintaining an effective business model.

Storage period
Until the underlying agreement was completed for delivery and payment and for a period of 36 months thereafter.

Automated decision-making
No

 


Purpose
Manage and maintain client agreements.

Processing activities
Identity control
Storage

Categories of personal data
Name.
Contact information.

Legal basis
Completion of the agreement. Processing of Personal Data is required for Compliance with client. If the information is not provided, in some cases, our commitments can not be fulfilled and the agreement can not be concluded.

Storage period
Until the contract is completed for delivery and payment and for a period of 36 months thereafter in order to manage the agreement and client relationship.

Automated decision-making
No

 

Purpose
Fulfilment of obligation in respect of accounting.

Processing activities
Storage and, if requested, disclosure of data necessary for accounting obligation.

Categories of personal data 
Payment information.
Invoicing information.

Legal basis
Legal obligation. Processing is necessary in order to fulfil a legal obligation.

Storage period
The data is stored in accordance with current legislation. Data is stored for seven years after full payment has been made.

Automated decision-making
No

Purpose
To combat money laundering and financing of terrorism

Processing activities 
Storage and, if requested, disclosure of data necessary to fulfil obligations in accordance with current legislation in this area.

Categories of personal data
Names.
Personal ID numbers.
Payment information.
Invoice information.

Legal basis
Legal obligation. Processing is necessary in order to fulfil a legal obligation.

Storage period
Data is stored for five years after full payment has been made.

Automated decision-making
No


Purpose
Counter fraud. 

Processing activities
Verification of information regarding the ordering and ordering of Arvato's services to identify deviations that may indicate fraud.

Categories of personal data
Names.
Personal ID numbers.

Legal basis

Legal obligation. Processing is necessary in order to fulfil a legal obligation.

Storage period
The data is stored in accordance with current legislation. Currently 5 years.

Automated decision-making
No

With whom do we share your personal data?

In certain cases we share your personal data with companies and authorities that Arvato engages and uses for the fulfilment of the purposes described above. The parties to which we disclose data fall into two categories.

Processors

In certain cases we need to share your personal data with companies that are referred to as ‘processors’ for us. Companies that we engage as processors may only process the information on our behalf and in accordance with our instructions. All processing takes place in accordance with the purposes we have specified for the processing activities.

All processors we engage are checked to ensure that they meet the security requirements for the processing of personal data. We also conclude personal data processing agreements with all processors in order to further guarantee the secure processing of your data.

Controllers

We also share your personal data with companies (e.g. the company that engaged us) and authorities (e.g. the Swedish Tax Agency) that are themselves controllers. The fact that they are controllers means that it is they who decide how the information is to be processed. In certain cases we may be obliged by law to disclose personal data.

When your personal data is shared with a company or authority that is a controller, it is their Personal Data Policy that applies. We do not disclose data to companies or authorities that do not comply with current laws for the protection of personal data.

We do not sell your personal data to a third party. Furthermore, we do not pass on your data to a third party for direct advertising, distance selling or other forms of direct marketing, opinion surveys or market surveys.

Where do we process your personal data?

It is our aim at all times that your personal data shall be processed within the EU/EEA. If we transfer your data outside the EU/EEA, we make sure that the data is processed in the best possible way. Any transfer will only take place if there is an adequate protection level, for example Privacy Shield, or suitable protective measures, for example binding company provisions, standardised data protection provisions, an approved code of conduct or internal company rules.

How do we make sure that your data is secure?

We use the latest technology to keep your data secure. This means that we use all necessary technical and administrative security measures in order to protect your information against unauthorised access, transfer, destruction or other unauthorised processing. These security measures include firewalls, encryption, use of secure IT areas, correct access control, training of personnel who process your information and the careful selection of subcontractors. Furthermore, the right to have access to your information is limited to Arvato personnel who process the information in their work.

Your rights?

You have a number of rights in connection with our processing of your personal data. These rights are set out in current legislation in the area and mean that you have the right to:

Access.

You always have the right to know whether we are processing personal data relating to you and in such cases to have access to the personal data. You have the right to receive a copy of the personal data being processed. This information is issued in an extract from a register, which also states the purpose, categories of personal data, categories of recipients, storage periods, your rights, information about where the data was collected and the existence of automated decision-making as well as protective measures in the event of transfer to a third country.

For your security, we may need additional information from you in order to make sure that it is you who have requested access to the data and so that we can provide you with the data in a secure way.

Rectification.

You have the right to have incorrect personal data relating to you rectified. You also have the right, with due regard to the purpose of processing, to supplement incomplete personal data.

Erasure.

In the following cases, you have the right to have your personal data erased:

§  Data that is no longer necessary for the purposes for which it was collected or processed in any other way.

§  If you revoke consent that had been given and there is no other legal basis for the processing activity.

§  If you object to the processing of your personal data performed by us with a legitimate interest as legal basis. This requires that there is no justifiable reason for processing that outweighs your grounds for objection.

§  You object to the processing of your personal data for the purpose of direct marketing.

§  If your personal data has been processed in an illegal way.

§  If the personal data must be erased in order to fulfil a legal obligation that we are bound to observe.

It is not certain that we can comply with your request to have your personal data erased. For example, if data is needed in order to meet a legal obligation by which we are bound, to perform a duty in the public interest or the data is needed in order that we can confirm, lodge or defend legal claims.

Restriction.

You have the right to demand that we restrict the processing of your personal data in the following cases:

§  If you claim that the personal data we are processing about you is not correct, the processing activity shall be restricted during the time that we check whether the data is correct.

§  If the processing of personal data is illegal and you oppose the erasure of the personal data and request instead that processing be restricted.

§  If we no longer need the personal data for the purposes of the processing activity, but you need it in order to confirm, lodge or defend legal claims.

§  If you have objected to the processing of your personal data that we are processing with a legitimate interest as the legal basis, you have the right to restricted processing during the time that we check whether our legitimate reasons outweigh yours.

If the processing of your personal data has been restricted, apart from storing your personal data, we may only process it, with your consent, to confirm, lodge or defend legal claims, to protect another natural or legal person, or for reasons relating to an important public interest.

Data portability.

You have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller and, if it is technically possible, the right to transfer directly from us to another controller. This is on the condition that we are processing the personal data with consent or fulfilment of agreement as a legal basis and that the processing activity is automated.

Right to objections.

You have the right to lodge objections against the processing of your personal data that is being processed with the fulfilment of a duty of public interest or fulfilment of agreement as the legal basis, including profiling. If you object to such processing, we may no longer process your data unless we can provide binding, legitimate reasons that outweigh your interests, rights and freedoms, or if we are processing your personal data in order to confirm, lodge or defend legal claims.

You have the right at all times to object to the processing of your personal data for the purpose of direct marketing, including profiling in connection with direct marketing.

Cookies and other tracking techniques

Cookies are small temporary files that are saved in the computer’s cache memory for users who visit websites.

Changes to our Personal Data Policy

We are continually developing our business and reserve the right to make changes to our Personal Data Policy. Such changes, which can be based on changes in current legislation, are announced here. We therefore recommend that you read our Personal Data Policy regularly.

If you have any questions/contact

If you have any questions about our handling of your personal data, you are welcome to contact us. You can write to us or contact the supervisory authority for matters relating to personal data. You also have the right to lodge a complaint with the supervisory authority if you are dissatisfied.

Contact Arvato

Arvato Finance AB
556495-1704
Personuppgiftsansvarig
Box 1143
432 15 Varberg
info.se@arvato.com

You can also contact our Data Protection Officer:

DO/Christer Johansson
Box 1143 
432 15 Varberg
dataskydd.se@arvato.com

Contact the supervisory authority

Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm