Privacy and security
Here we have put together important information for you to know regarding privacy, security and the General Data Protection Regulation (GDPR) when you use Payson’s services. We protect your privacy and security. GDPR, the new law on the processing of personal data, sets higher requirements for transparency, which is why we have put this information together: so that you know how your personal data is processed.
In connection with the new law, on 2018-05-15 we updated the Payson General Terms and Conditions. By using our services you confirm that you accept these General Terms and Conditions and associated Policies.
General information about the GDPR
Here we have compiled information about the Regulation and what it means, as well as where you can find more information to get a better idea of how it will affect you. There are a number of concepts that it’s a good idea to understand, including what the basic principles of the GDPR mean.
GDPR stands for General Data Protection Regulation and is a new EU data protection regulation that applies directly in all EU Member States from 25 May 2018. The GDPR replaces the current Swedish Personal Data Act (PDA). The Regulation is intended to protect individuals’ privacy and to modernise, harmonise and reinforce data protection within the EU.
Each EU Member State has a supervisory authority that will monitor this. In Sweden this authority is the Privacy Protection Authority, formerly the Data Protection Authority. On their website there is more information and help that you can read to find out what you need to do.
Processing of personal data
The Regulation addresses how companies are to process personal data, for which there are two important concepts to understand. Personal data means any information that relates to an identified or identifiable natural person (also referred to as the data subject). An identifiable natural person is a person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Processing of this data means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. Examples of processing are collection, structuring, storage, alteration, disclosure or deletion. Note that a pseudonymous identifier (a customer number, an IP address, a device identifier) is still personal data if it can be linked back to a person, for example with the help of other data Payson or a partner holds.
Personal Data Controller and Personal Data Processor
There are two primary roles in the processing of personal data that you should know about, including their different areas of responsibility.
Payson is the Personal Data Controller
Personal Data Processor for Payson
In certain cases personal data will be processed by external parties acting as the Personal Data Processor for Payson. The Personal Data Processor (PDP) processes personal data only on Payson’s documented instructions, under a written data processing agreement, and is responsible for implementing the technical and organisational security measures for that processing. Payson, as the Personal Data Controller, remains responsible towards you for how the data is processed.
Fundamental principles of the GDPR
The law is based on these fundamental principles, with which Payson complies when personal data is processed:
Purpose limitation
Personal data must only be processed for specific, clearly stated and legitimate purposes.
Storage limitation
Personal data must not be saved for longer than needed for the purpose for which it is saved.
Data minimisation
Personal data must be adequate, relevant and limited to what is necessary with respect to the purpose.
Lawfulness, fairness and transparency
Processing must be legal, fair and transparent in relation to the individual and includes an obligation to ensure that the data is accurate.
Integrity and confidentiality
Appropriate technical and organisational measures must be taken to ensure that personal data is processed securely, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Accountability
Payson, as the Personal Data Controller, is responsible for compliance with these principles and must be able to demonstrate that compliance, for example through documented procedures and records of processing.
You can read more about these fundamental principles on the Privacy Protection Authority’s website.
Security and technology
As Payson manages large amounts of money every day, there are extreme demands imposed on our security work. Therefore, we use a secure payment system and together with our partners we continuously monitor all transactions.
Information on Payson’s security management
As the Personal Data Controller, Payson has a general responsibility to implement appropriate technical and organisational measures that are based on the risks to privacy associated with the processing, in order to ensure and be able to demonstrate that the processing is conducted in accordance with the General Data Protection Regulation (GDPR). Payson is certified by the security companies Trustwave and GlobalSign.
Authentication and encryption
All data communications take place using Transport Layer Security (TLS). To gain access to the Services, login is required using BankID or a username and password.
Storage and backups
Payson’s services are operated entirely within Sweden on servers hosted in Sweden.
Knowledge and information protection
Receive notifications of the status of the services
Payson works to make our systems available twenty-four hours a day, seven days a week. On the website www.payson.se and on Payson’s Facebook page, you can read notifications of issues with our services in the event of disruptions.
Security for e-commerce
PaysonGuarantee is an example of how we are creating secure internet commerce among our members. Read more about how this works here.
Four tips for more secure e-commerce among private individuals
- Use common sense. If an offer seems too good to be true then it probably is. You certainly can do good business on the internet but there is a limit here too. Check the normal price of the goods on sites such as www.pricerunner.se or www.prisjakt.se to get an idea of whether the offer seems believable or not.
- Ask for the name and telephone number of the seller and check that this person exists. Search on e.g. www.eniro.se or www.hitta.se.
- The majority of reputable buying and selling sites have some sort of rating system for their users so you can see which ones are serious and responsible. You should feel free to contact their customer service if you are even a little unsure about your purchase.
- Do not pay in advance to an unknown bank account – instead, use a secure payment service that transfers the money to the seller after you have received the item, for example the PaysonGuarantee service.
In order to meet the new requirements for incident management under the GDPR, our incident management process is presented here. Having established procedures for the detection, reporting and investigation of incidents is also important because a personal data incident must be reported to the Swedish Privacy Protection Authority within 72 hours of Payson becoming aware of it, unless the incident is unlikely to result in a risk to the individuals affected.
A serious security incident may also constitute a personal data incident (a personal data breach). For example, if information containing personal data ends up in the wrong hands as a result of a security incident, that is a personal data incident.
Payson has procedures for the coordination, communication and allocation of responsibility needed to assess, respond to and learn from incidents, so as to reduce the risk of their happening again. Personal data incidents and the actions taken will be communicated to those affected. After taking active measures and informing those affected, we conduct a root-cause analysis to prevent the problem from recurring.
Payson needs to process your personal data in order to offer you the opportunity to use our website or our payment options, and we give the utmost consideration to your privacy.
Which information do we use?
Information that you give to us
Information that we request in connection with, for example, a purchase using Payson’s payment options on an e-commerce website, a contact with us, use of our website or use of another Payson service may be as follows. Note that not all information will be requested on all occasions.
Information collected from you
When our services are used by you, we may collect the following information in order to manage the transaction or manage your case on our website:
All information that you provide to us and information collected, such as financial information and payment information, is necessary in order to enter into a business relationship with us. Other information is collected for other purposes. These purposes are described below.
What do we use your information for?
To perform our services and meet our obligations to you. Information is collected and extracted in order for Payson to be able to offer the services that you want to use. This information is used for the following and with the following legal basis:
| Purpose | Why the information is processed (legal basis) | Automated decision (Yes/No) |
| --- | --- | --- |
| Identification and verification of you as a person, information and product delivery | Contractual grounds for an established business relationship | Yes |
| Administration of payment intermediation services including credit assessments etc. | Contractual grounds for an established business relationship and to comply with applicable legislation | Yes |
| Basis for statistics and product development | Contractual grounds and other legitimate interests | Yes |
| Conducting risk analyses and other risk assessments | Contractual grounds for an established business relationship and to comply with applicable legislation | Yes |
| Minimising the risk of fraud | Contractual grounds and other legitimate interests | No |
| Product development and creation of solutions and information adapted to customers | Contractual grounds and other legitimate interests | No |
| Fulfilling statutory requirements such as those set by the Swedish Act on Measures against Money Laundering, accounting legislation and capital adequacy requirements | Legal obligation | No |
The data is used by Payson for invoicing, information and delivery of products, as well as for marketing and as a basis for statistics and product development. The data may be used as a basis for Payson’s, and where appropriate our partners’, customisation of content, advertisements and offers.
The data is analysed and grouped before the selection, prioritisation and planning of contacts with the Member. The data is linked to one or more markers that determine which type of customised web service and marketing communication is targeted at the user; this is known as profiling.
Payson’s Members consent to marketing via post, telephone or email and text message, as well as via other digital channels. Marketing via email and text message is governed by the Swedish Marketing Act.
Personal data may be provided to Payson’s partners. Personal data is disclosed to authorities only when there is a requirement to do so under law or administrative decision.
In communications with you
The data collected about you is used in order to enable us to send you relevant offers and share important information with you. If you do not want to receive such offers and communications, you can easily opt out in your account profile settings after logging in, or via the contact form on the Payson website.
Will Payson share your information with anyone?
Your information will be shared with pre-selected third parties using secure methods and technical solutions. These third parties are scrutinised and will manage your information in a secure manner. If necessary, your information will be shared with subcontractors and suppliers in the Svea Bank Group, which includes Payson, in order to allow us to meet our agreed commitments to you. Under no circumstances will we sell your personal data to third parties if you have not expressly approved this.
Credit reporting agencies
If you choose to pay your purchase by invoice, your personal data will be shared with credit reporting agencies in order to evaluate your creditworthiness, verify your address details and comply with applicable legislation. The credit reporting agencies used are Bisnode AB and UC AB.
Public authorities
In the event that administrative authorities request information about your personal data and related activity, Payson is obliged to disclose the information requested. Examples of such authorities are the Swedish Tax Agency and the Police. Legal requirements also support the sharing of data regarding possible money laundering and terrorist financing.
Purchase or sale of the business
In the event of the sale of Payson or the purchase of another business by Payson, your personal data may be shared with third parties.
In which countries will processing of your personal data occur?
On every occasion your personal data will be processed within the EU/EEA.
For how long is your personal data saved?
Your personal data will be saved for as long as the law (for example, the Swedish Bookkeeping Act, the Swedish Act on Payment Services and the Swedish Act on Measures against Money Laundering and Terrorist Financing) requires it to be saved and as long as is necessary for us to fulfil the commitments we have to you as the customer. When the personal data is no longer required in accordance with the description above, all your personal data will be depersonalised, “culled” and cannot be recovered or restored in any other way.
An active user account that is in use will therefore not be culled/depersonalised. A user account containing funds will not be culled/depersonalised without consent. Consent will be requested by email at regular intervals after seven years of inactivity on the Payson service, with inactivity being considered your not having carried out transactions, not logged in to your user account and not communicated with the company. In the event of no response, the user account will be culled/depersonalised after one (1) more year and after at least four reminders have been sent. Any outstanding funds will then be credited to Payson.
Your rights of access, rectification and deletion
- Right to access your data
You can request to receive an extract containing the data that we have about you. The extract will be sent free of charge in one copy on one occasion per year.
- Right of rectification
You have the right to have rectified any wrong or incomplete information about yourself.
- Right to be forgotten
You have the right to request the removal of your personal data when the purpose of the processing is no longer current. The removal is irreversible and, once it is complete, no person can be associated with the user account any longer. However, Payson as a Payment Institution may have legal obligations which prevent the immediate deletion of your personal data or parts of it. These obligations stem from accounting and tax legislation and banking and money laundering legislation, but also from consumer rights legislation. In such a case, only the personal data that we are required to save in order to fulfil those legal obligations will be kept.
How can you make contact with Payson in the event of privacy issues?
It is easiest to reach us using the contact form on our website. Payson AB is the Personal Data Controller for the processing of your personal data in accordance with the above and complies with Swedish data protection legislation.
Policy on cookies
When you use Payson’s services, you approve the receipt of Payson’s “cookies”. If you have chosen to accept cookies in your web browser, a small text file will be saved on your computer. Using this cookie, we can see information about your visits to us and can customise the content to enable you to experience the site in the best possible way. We do not save any sensitive personal data in our cookies. A cookie has an expiry date and when this is reached it will be automatically deleted. You can set parameters for the management of cookies yourself using the Help menu in your web browser.
Necessary cookies are required in order to enable us to provide Payson’s services, for example account login and purchase management.
Analysis cookies collect anonymous information on how our services are used, e.g. which pages are popular, whether you receive an error message anywhere or which kind of device is used. Examples are the third-party cookies set by Google Analytics and Google Tag Manager.
Function cookies improve your experience of our services when you return to our website or checkout. For example, we save your preferred language and the data that you have used on previous purchase occasions.
Marketing cookies are used in order to collect information about your surfing habits, so as to be able to offer advertisements that are relevant to you. We use this type of cookie to remind you that we would very much like you to come back if you have visited our site before.
Different types of cookie are saved for different lengths of time. We have some cookies that are only saved while you are actively using our services, whereas language settings for example are saved for a long time. We are actively trying to minimise the number of third party cookies we use in our services but for some services we consider them necessary for analysis and marketing work.
Go to your browser or device settings to learn more about how to adjust the settings for cookies. For example, you can choose to block all cookies, accept only first party cookies or delete cookies when you close your web browser.
Note that some of our services may not work if you block or delete cookies.
Advice and tips for e-stores
Payson acts as Personal Data Controller in its relationship with both private and corporate customers and is therefore responsible for all protection of the personal data obtained or otherwise collected from you as the customer. You as an e-store also act as Personal Data Controller for the data that you obtain or otherwise collect. In the capacity of Personal Data Controller you must have control over the data that you obtain, collect and store. You need to know for how long and why you are saving the personal data. You also need to know which type of personal data is in your register.
About Personal Data
If you are an e-store, it is important to have control over the information that you are storing about your customers. You need to take a position regarding what information you are collecting and the reason for collecting this specific information. Three simple questions you should be able to answer are:
- Why do we need this specific data?
- How is the data being collected?
- Who has access to the data?
The General Data Protection Regulation requires all companies to be able to demonstrate compliance with the Regulation, so you may need to conduct a risk assessment. What needs to be improved? Was the information that you obtained earlier collected and stored in the correct manner? If not, you may need to delete this information. Every processing needs a legal basis. Data that is necessary to perform the purchase contract (for example a delivery address) or to meet a legal obligation (for example bookkeeping records) may be processed on those grounds; for any other use, such as marketing, the person must give you consent before you may store and use the information. In that case it is the customer’s choice whether you may use that person’s data or not, and the choice is made by active approval. If a person wants their personal data to be deleted from your system, you must also be able to do this, unless a legal obligation requires you to keep it.
About Sensitive Personal Data
If you process sensitive personal data as a result of the activities conducted by you or your suppliers, you are required to find out which security measures may be required for such processing before such processing is started.
Examples of sensitive personal data are:
Race or ethnic origin
Religious or philosophical beliefs
Trade union membership
Sexual life or sexual orientation
Biometric data (for example finger prints and iris patterns) that uniquely identifies a person
The Swedish Privacy Protection Authority writes more about the processing of sensitive personal data here.
What you should consider for email marketing
From a marketing perspective there are also matters that you need to consider regarding the General Data Protection Regulation. In order for a person to receive marketing material from you, the person must have given you consent. For example, if you send newsletters to your customers, you must review how you currently collect email addresses. Simply offering a feature which allows people to unsubscribe from a newsletter is not sufficient: you must also have a feature by which the subscriber actively chooses to receive newsletters at their email address. This is best done using a form on your website, or a box to tick with each purchase, which clearly describes what information they will be receiving when they give their consent. The box must be unticked by default; a pre-ticked box or silence does not count as consent. Keep a record of when and how each consent was given, so that you can demonstrate it later. Ensure that you are transparent with your customers. Explain how and why their data is used!
Questions regarding privacy and data protection can always be sent to us via the contact form on our website.