Privacy and security

Here we have put together important information for you to know regarding privacy, security and the General Data Protection Regulation (GDPR) when you use Payson’s services. We protect your privacy and security. GDPR, the new law on the processing of personal data, sets higher requirements for transparency, which is why we have put this information together: so that you know how your personal data is processed.

In connection with the new law, on 2018-05-15 we updated the Payson General Terms and Conditions. By using our services you confirm that you accept these General Terms and Conditions and associated Policies.

Go directly to:

  • General information about the GDPR
  • Security and technology
  • Incident Management
  • Privacy Policy
  • Policy on cookies
  • Advice and tips

    General information about the GDPR

    Here we have compiled information about the Act and what it means, as well as where you can find more information to get a better idea of how it will affect you. There are a number of concepts that it’s a good idea to understand, including what the basic principles of the GDPR mean.

    GDPR stands for General Data Protection Regulation and is a new data protection regulation from the EU that will become law in all EU Member States on 25 May 2018. The GDPR will replace the current Personal Data Act (PDA). The Act is intended to protect individuals’ privacy and to modernise, harmonise and reinforce protection within the EU.

    Each EU Member State has a supervisory authority that will monitor this. In Sweden this authority is the Privacy Protection Authority, formerly the Data Protection Authority. On their website there is more information and help that you can read to find out what you need to do.

    Processing of personal data

    The Act addresses how companies are to process personal data, for which there are two important concepts to understand. Personal data can be explained as each piece of information that refers to an identified or identifiable natural person (also referred to as the data subject), whereby an identifiable natural person is a person who can be directly or indirectly identified, in particular with reference to an identifier such as a name, an identification number, localisation data or online identifiers, or to one or more factors that are specific to the physical, physiological, genetic, psychological, financial, cultural or social identity of the natural person. Processing of this data means that an action or combination of actions is carried out concerning personal data or sets of personal data, regardless of whether the actions are performed automatically or not. Examples of such processing are collection, structuring, storage, processing, distribution or deletion.

    Personal Data Controller and Personal Data Processor

    There are two primary roles in the processing of personal data that you should know about, including their different areas of responsibility.

    Payson is the Personal Data Controller

    The Personal Data Controller (PDC) is the party that under the law has the ultimate responsibility for data processing and decides the purpose and the means of this. The Personal Data Controller must ensure compliance with the law, must inform those persons whose personal data is being processed and must ensure regulatory compliance by the Personal Data Processor. We are the Personal Data Controller for all processing of personal data about you as a customer or user when you use Payson’s services or, for example, contact us. What we do, or do not do, with your personal data is described in our Privacy Policy.

    Personal Data Processor for Payson

    In certain cases personal data will be processed by external parties acting as the Personal Data Processor for Payson. The Personal Data Processor (PDP) will process personal data on behalf of Payson and will be responsible for the technical and organisational security measures.

    Fundamental principles of the GDPR

    The law is based on these fundamental principles, with which Payson complies when personal data is processed:

    Purpose limitation
    Personal data must only be processed for specific, clearly stated and legitimate purposes.

    Storage limitation
    Personal data must not be saved for longer than needed for the purpose for which it is saved.

    Data minimisation
    Personal data must be adequate, relevant and limited to what is necessary with respect to the purpose.

    Lawfulness, fairness and transparency
    Processing must be legal, fair and transparent in relation to the individual and includes an obligation to ensure that the data is accurate.

    Integrity and confidentiality
    Requirement for the taking of appropriate measures in all relevant respects in order to ensure that personal data is processed in a secure manner.

    This responsibility includes an obligation to demonstrate compliance with the principles.

    You can read more about these fundamental principles on the Privacy Protection Authority’s website.

    Security and technology

    As Payson manages large amounts of money every day, there are extreme demands imposed on our security work. Therefore, we use a secure payment system and together with our partners we continuously monitor all transactions.

    Information on Payson’s security management

    As the Personal Data Controller, Payson has a general responsibility to implement appropriate technical and organisational measures that are based on the risks to privacy associated with the processing, in order to ensure and be able to demonstrate that the processing is conducted in accordance with the General Data Protection Regulation (GDPR). Payson is certified by the security companies Trustwave and GlobalSign.



    Authentication and encryption

    All data communications take place using Transport Layer Security (TLS). To gain access to the Services, login is required using BankID or username and password.

  • Payson uses encrypted communication in the form of TLS. All data communications to and from the user’s computers are encrypted with TLS, the latest approved internet standard for encrypted communications.
  • Payson applies password protection in the form of a fully encrypted login process, which means that no information is sent as unencrypted text. The user’s password is stored in one-way encrypted format with a standardised one-way cipher.
  • To avoid unauthorised access to information if a computer is left unattended, the system automatically logs out the user when the user becomes inactive. The user is always responsible for the risk in the case of unauthorised use of the Services as a result of having left a logged-in computer unattended.
  • Continuous user verification is carried out. Each call to the Payson servers entails a check of the logged-in user’s authorisations.
  • All card transactions are based on banks’ 3D-Secure technology.

    Storage and backups

    Payson’s services are operated entirely within Sweden on servers hosted in Sweden.

  • Only approved staff have access to the platform.
  • Payson’s services are based on a modern platform with redundancy and scalability at several levels.
  • Backups are done automatically at predetermined intervals.

    Knowledge and information protection

  • Only a few key people know how the security system is constructed.
  • All staff are bound by a confidentiality agreement that prevents the dissemination of data, information and the personal data of the customer or user. Only authorised staff have access to the data and authorisation is managed by Payson’s management.

    Receive notifications of the status of the services

    Payson works to make our systems available twenty-four hours a day, seven days a week. On the website and on Payson’s Facebook page, you can read notifications of issues with our services in the event of disruptions.

    Security for e-commerce

    PaysonGuarantee is an example of how we are creating secure internet commerce among our members. Read more about how this works here.

    Four tips for more secure e-commerce among private individuals

    1. Use common sense. If an offer seems too good to be true then it probably is. You certainly can do good business on the internet but there is a limit here too. Check the normal price of the goods on sites such as or to get an idea of whether the offer seems believable or not.
    2. Ask for the name and telephone number of the seller and check that this person exists. Search on e.g. or
    3. The majority of serious buying and selling sites have some sort of rating system for their users so you can see which ones are serious and responsible. You should feel free to contact their customer service if you are even a little unsure about your purchase.
    4. Do not pay in advance to an unknown bank account – instead, use a secure payment service that transfers the money to the seller after you have received the item, for example the PaysonGuarantee service.

    Incident Management

    In order to meet new requirements with regard to incident management in accordance with the GDPR, our incident management process is presented here. Having procedures established for the detection, reporting and investigation of incidents is also important given that personal data incidents need to be reported to the Swedish Privacy Protection Authority within 72 hours.


    If a serious incident occurs, this may mean that there will be a personal data incident. An example could be if information containing personal data ends up in the wrong hands via a security incident, which would be considered a personal data incident.

    Incident process

    Payson has procedures to handle the necessary coordination, communication and responsibility for assessing, responding to and learning from incidents to reduce the risk of their happening again. Personal data incidents and actions will be communicated to those affected. After taking active measures and informing those affected, we will conduct a causal analysis to prevent the problem from occurring again.

    Privacy Policy

    The Privacy Policy describes how Payson processes personal data in the role of Personal Data Controller and how your rights and privacy are protected.

    Payson protects your personal privacy, and our Privacy Policy is intended to explain how Payson collects your personal data and how it will then be used. In the Policy you can read what rights you have with regard to us and how you can exercise them. Questions regarding privacy and data protection can always be sent to us via the contact form on our website.

    You accept our Privacy Policy and our processing of your personal data by using Payson’s services. You also accept Payson’s use of electronic communication channels to send information to you. It is important to us that you read and understand our Privacy Policy before you use our services.

    Payson needs to process your personal data in order to offer you the opportunity to use our website or our payment options, and we give the utmost consideration to your privacy.

    Which information do we use?

    Information that you give to us
    Information that we request in connection with, for example, a purchase using Payson’s payment options on an e-commerce website, a contact with us, use of our website or use of another Payson service may be as follows. Note that not all information will be requested on all occasions.

  • Personal information: First and last name, National ID number, Address details, Email address and Telephone number.
  • Payment information: Card details, Bank, Bank account number and details of purchase.

    Information collected from you
    When our services are used by you, we may collect the following information in order to manage the transaction or manage your case on our website:

  • Personal information: First and last name, National ID number, Address, Email address and Telephone number.
  • Information on the purchase: Information and details about which e-store the product or service was purchased at and, where applicable, which product or service was purchased.
  • Financial information: Your income details, your Credit history and your Payment history.
  • Technical information: IP address, Language, Web browser, Operating system, Platform, Response times, Error messages, Information for Bank ID verification.

    All information that you provide to us and information collected, such as financial information and payment information, is necessary in order to enter into a business relationship with us. Other information is collected for other purposes. These purposes are described below.

    What do we use your information for?

    To perform our services and meet our obligations to you. Information is collected and extracted in order for Payson to be able to offer the services that you want to use. This information is used for the following and with the following legal basis:

    | Purpose | Why the information is processed (Legal basis) | Automatic decision (Yes/No) |
    |---|---|---|
    | Identification and verification of you as a person, information and product delivery | Contractual grounds for an established business relationship | Yes |
    | Administration of payment intermediation services including credit assessments etc. | Contractual grounds for an established business relationship and to comply with applicable legislation | Yes |
    | Basis for statistics and product development | Contractual grounds and other legitimate interests | Yes |
    | Conducting risk analyses and other risk assessments | Contractual grounds for an established business relationship and to comply with applicable legislation | Yes |
    | Minimising the risk of fraud | Contractual grounds and other legitimate interests | No |
    | Product development and creation of solutions and information adapted to customers | Contractual grounds and other legitimate interests | No |
    | To fulfil statutory requirements such as those set by the Swedish Act on Measures against Money Laundering and accounting legislation and capital adequacy requirements | Legal obligation – Legal requirements | No |

    The data is used by Payson for invoicing, information and delivery of products, as well as for marketing and as a basis for statistics and product development. The data may be used as a basis for Payson’s, and where appropriate our partners’, customisation of content, advertisements and offers.

    The data is analysed and grouped before the selection, prioritisation and planning of contacts with the Member. The data is linked to one or more markers of which type of customisation of web services and marketing communication is targeted to the user, known as profiling.

    Payson’s Members consent to marketing via post, telephone or email and text message, as well as via other digital channels. Marketing via email and text message is governed by the Swedish Marketing Act.

    Personal data may be provided to Payson’s partners. Personal data is disclosed to authorities only when there is a requirement to do so under law or administrative decision.

    In communications with you
    The data collected about you is used in order to enable us to send you relevant offers and share important information with you. If you do not want to receive such information and communications, this message can easily be submitted using your account profile settings after login or via the contact form on the Payson website.

    Will Payson share your information with anyone?

    Your information will be shared with pre-selected third parties using secure methods and technical solutions. These third parties are scrutinised and will manage your information in a secure manner. If necessary, your information will be shared with subcontractors and suppliers in the Svea Bank Group, which includes Payson, in order to allow us to meet our agreed commitments to you. Under no circumstances will we sell your personal data to third parties if you have not expressly approved this.

    In order to allow you to purchase goods and services from e-stores affiliated with Payson, some of your personal data will be shared with the e-store in order for the e-store to be able to administer your purchase. Management of personal data by the e-store is governed by the e-store’s Terms and Conditions of Use and Privacy Policy.

    Credit reporting agencies
    If you choose to pay your purchase by invoice, your personal data will be shared with credit reporting agencies in order to evaluate your creditworthiness, verify your address details and comply with applicable legislation. The credit reporting agencies used are Bisnode AB and UC AB.

    Administrative authorities
    In the event that administrative authorities request information and activity related to your personal data, Payson is obliged to disclose the information requested. Examples of such authorities are the Swedish Tax Agency and the Police. Legal requirements also support the sharing of data regarding possible money laundering and terrorist financing.

    Purchase or sale of the business
    In the event of the sale of Payson or the purchase of another business by Payson, your personal data may be shared with third parties.

    In which countries will processing of your personal data occur?
    On every occasion your personal data will be processed within the EU/EEA.

    For how long is your personal data saved?

    Your personal data will be saved for as long as the law (for example, the Swedish Bookkeeping Act, the Swedish Act on Payment Services and the Swedish Act on Measures against Money Laundering and Terrorist Financing) requires it to be saved and as long as is necessary for us to fulfil the commitments we have to you as the customer. When the personal data is no longer required in accordance with the description above, all your personal data will be depersonalised, “culled” and cannot be recovered or restored in any other way.

    An active user account that is in use will therefore not be culled/depersonalised. A user account containing funds will not be culled/depersonalised without consent. Consent will be requested by email at regular intervals after seven years of inactivity on the Payson service, with inactivity being considered your not having carried out transactions, not logged in to your user account and not communicated with the company. In the event of no response, the user account will be culled/depersonalised after one (1) more year and after at least four reminders have been sent. Any outstanding funds will then be credited to Payson.

    Your rights of access, rectification and deletion

    • Right to access your data
      You can request to receive an extract containing the data that we have about you. The extract will be sent free of charge in one copy on one occasion per year.
    • Right of rectification
      You have the right to have rectified any wrong or incomplete information about yourself.
    • Right to be forgotten
      You have the right to request the removal of your personal data when the purpose of the processing is no longer current. The removal cannot be revoked/recreated and once the removal is complete, no person can be associated with the user account any longer. However, there may be legal obligations for Payson as the Payment Institution which prevent the immediate deletion of your personal data or parts of it. These obligations stem from accounting and tax legislation and banking and money laundering legislation, but also from consumer rights legislation. In such a case, only the personal data that we are required to save in order to fulfil such legal obligations will be saved.

    How can you make contact with Payson in the event of privacy issues?
    It is easiest to reach us using the contact form on our website. Payson AB is the Personal Data Controller for the processing of your personal data in accordance with the above and complies with Swedish data protection legislation.

    Policy on cookies

    When you use Payson’s services, you approve the receipt of Payson’s “cookies”. If you have chosen to accept cookies in your web browser, a small text file will be saved on your computer. Using this cookie, we can see information about your visits to us and can customise the content to enable you to experience the site in the best possible way. We do not save any sensitive personal data in our cookies. A cookie has an expiry date and when this is reached it will be automatically deleted. You can set parameters for the management of cookies yourself using the Help menu in your web browser.

    Necessary cookies are required in order to enable us to provide Payson’s services, for example account login and purchase management.

    Analysis cookies collect anonymous information on how our services are used, e.g. which pages are popular, if you receive an error message anywhere or which kind of device is used. Examples are third party cookies for Google Analytics and Google Tag Manager.

    Function cookies improve your experience of our services when you return to our website or checkout. For example, we save your preferred language and the data that you have used on previous purchase occasions.

    Marketing cookies are used in order to collect information about your surfing habits, so as to be able to offer advertisements that are relevant to you. We use this type of cookie to remind you that we would very much like you to come back if you have visited our site before.

    Different types of cookie are saved for different lengths of time. We have some cookies that are only saved while you are actively using our services, whereas language settings for example are saved for a long time. We are actively trying to minimise the number of third party cookies we use in our services but for some services we consider them necessary for analysis and marketing work.

    How you can control our use of Cookies
    Go to your browser or device settings to learn more about how to adjust the settings for cookies. For example, you can choose to block all cookies, accept only first party cookies or delete cookies when you close your web browser.

    Note that some of our services may not work if you block or delete cookies.

    Advice and tips for e-stores


    Payson acts as Personal Data Controller in its relationship with both private and corporate customers and is therefore responsible for all protection of the personal data obtained or otherwise collected from you as the customer. You as an e-store also act as Personal Data Controller for the data that you obtain or otherwise collect. In the capacity of Personal Data Controller you must have control over the data that you obtain, collect and store. You need to know for how long and why you are saving the personal data. You also need to know which type of personal data is in your register.

    About Personal Data

    If you are an e-store, it is important to have control over the information that you are storing about your customers. You need to take a position regarding what information you are collecting and the reason for collecting this specific information. Three simple questions you should be able to answer are:

    – Why do we need this specific data?
    – How is the data being collected?
    – Who has access to the data?

    The General Data Protection Regulation requires all companies to be able to demonstrate compliance with the regulation, so you may need to conduct a risk assessment. What needs to be improved? Is the information that you obtained earlier collected and stored in the correct manner? If not, you may need to delete this information. The person must give you consent in order for you to be permitted to store the information. It is therefore the customer’s choice whether you may use that person’s data or not, and this choice is made by active approval. If a person wants their personal data to be deleted from your system, you must also be able to do this.

    About Sensitive Personal Data

    If you process sensitive personal data as a result of the activities conducted by you or your suppliers, you are required to find out which security measures may be required for such processing before such processing is started.

    Examples of sensitive personal data are:
    Race or ethnic origin
    Political views
    Religious or philosophical beliefs
    Trade union membership
    Sexual life or sexual orientation
    Genetic data
    Biometric data (for example finger prints and iris patterns) that uniquely identifies a person

    The Swedish Privacy Protection Authority writes more about the processing of sensitive personal data here.

    What you should consider for email marketing

    From a marketing perspective there are also matters that you need to consider regarding the General Data Protection Regulation. In order for a person to receive marketing material from you, it is required for the person to give you consent. For example, if you send newsletters to your customers, you must review how you currently collect email addresses. Simply using a feature which allows people to unsubscribe from a newsletter is not sufficient: you must also have a feature by which the subscriber actively chooses to receive newsletters at their email address. This is best done using a form on your website, or a box to tick with each purchase, which clearly describes what information they will be receiving when they give their consent. Ensure that you are transparent with your customers. Explain how and why their data is used!

    Questions regarding privacy and data protection can always be sent to us via the contact form on our website.