Company logotype m
Privacy and security

Data protection information  

1. Introduction

Norion Bank AB (corporate identification number 556597-0513) ("Norion Bank,” “we,” “our,” or “us”) is the data controller for the processing of your personal data under the EU General Data Protection Regulation (also known as GDPR).  

This data protection information is intended for natural persons – the data subject, in accordance with the General Data Protection Regulation terminology – whose personal data are processed by Norion Bank, whether you are acting in the capacity of a representative of a company or another legal person or in the capacity of a consumer “customer(s),” “you,” or “your”.  

This data protection information explains what kind of information Norion Bank collects and processes when you use Norion Bank’s services, such as Walley, the Easyliving credit card, savings accounts and our personal loans and business services. For a more detailed presentation of our services and the associated terms and conditions, see our website.  

This data protection information describes why we use personal data, how we use personal data, where we obtain personal data, and how we share personal data. We also explain your rights under the General Data Protection Regulation and how to contact staff at Norion Bank.  

 

Data controller: PO box address:  
Norion Bank AB Box 11914, 404 39 Göteborg
Corporate identification number: 556597–0513

Telephone:  +46 (0)10-161 00 00

Street address: Lilla Bommens Torg 11, 411 04 Göteborg E-mail:  privacy@norionbank.se

 

2. Purpose and legal basis for processing data  

2.1 What is a legal basis under the GDPR?  
  

According to the GDPR, Norion Bank’s right to process personal data always requires a legal basis. NorionBank uses the following four legal bases for processing personal data:  
  

  • Performance of contracts. Personal data may be processed where necessary for the performance of a contract to which a natural person is party or to take steps at the request of a natural person before entering into such a contract.  
      
  • Legal obligation. Personal data may be processed if necessary for Norion Bank to fulfill an obligation under law or a decision by a government agency.  
      
  • Legitimate interest. Personal data may be processed on the basis of the legitimate interest of Norion Bank or third parties.  
      
    You have the right to object to processing carried out on the basis of the legitimate interest of Norion Bank or third parties. See the section on Your rights, below, for more information on your right to object.  
      
    For more information on the legitimate interest of Norion Bank or third parties, see the section below with information on the purposes and legal bases for processing personal data. If you would like to know more about how we assessed the legitimate interests of Norion Bank and third parties through a so-called balance of interests, you are always welcome to contact us at privacy@norionbank.se  
      
  • Consent. Personal data may be processed if you consent to processing for one or more specific purposes.  
      
    When the legal basis for processing personal data is consent, you may give such consent to the processing of personal data. You have the right to withdraw your consent at any time by sending an email to privacy@norionbank.se. We would then have no further right to process the data on the basis of consent. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of your consent prior to its withdrawal.

 

2.2 Purpose and legal basis when you begin using any of Norion Bank’s services  

Purpose Categories of personal data (collected from you)  Categories of personal data (collected from a third party)  Legal basis according to the General Data Protection Regulation  Other
To secure your identity when you apply to use Collector Bank’s services. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address, email and telephone number.

Information that you provide to our customer service: e.g. recorded phone calls, chat conversations, or e-mail correspondence. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address, e-mail and telephone number.

Fulfilment of agreement with a natural person.  

Legal obligation to establish the customers’ identities according to the Act (2017:630) on measures against money laundering and terrorist financing.

Collector Bank’s and other customers’ legitimate interest in preventing fraud and protecting customer data from unauthorised disclosure and use.  

 
To document, administer and fulfil the agreement you have entered into with Collector Bank.

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.

Information that you provide to our customer service: e.g. recorded phone calls, chat conversations, or e-mail correspondence. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery. 

Fulfilment of agreement with a natural person.

Collector Bank’s legitimate interest in fulfilling an agreement that has been entered into with a natural person.

 
To provide Collector Bank’s savings accounts. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Information about your finances: e.g. your income, payment remarks, payment orders and debt restructuring, bank account number. 

 

Information about your finances: e.g. your income, payment remarks, payment orders and debt restructuring, bank account number.  Fulfilment of agreement with a natural person.   
To perform an assessment of a consumer’s ability to repay credit, and to perform a risk analysis in connection with a consumer applying for any form of credit with Collector Bank. 

 

Information about your finances: e.g. your income, payment remarks, payment orders and debt restructuring.

Information that you provide to our customer service: e.g. recorded phone calls, chat conversations, or e-mail correspondence. 

 

Information about your finances: e.g. your income, payment remarks, payment orders and debt restructuring. 

 

Fulfilment of agreement with a natural person.

Legal obligation to document good credit lending practice according to the Consumer Credit Act (2010:1846). 

Collector Bank’s legitimate interest in complying with the Swedish Financial Supervisory Authority’s general advice on credit in consumer relations (FFFS 2011:47). 

 

The processing includes profiling and automated decisionmaking – see section 8 below. 
To send information to you (e.g. by e-mail) about the service or services you use (does not include marketing).  Contact details: e.g. name, date of birth, personal ID number, civil registration address, email, telephone number.   

 

Fulfilment of agreement with a natural person.

Collector Bank’s legitimate interest in fulfilling an agreement that has been entered into with a natural person. 

 

 
When you buy a product or service from a Merchant that offers Walley Checkout as a payment solution or any of Walley’s credit products, your personal data is used to provide the service. 

 

Contact details: e.g. name, personal ID number, e-mail, civil registration address.

Data about your purchase: e.g. data about your interaction with Merchants, ordering, payment method and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. 

 

 

In cases where Walley’s credit products are used, we collect the following information from the Merchant:  

Contact details: e.g. name, personal ID number, and civil registration address.

Data on your purchase: e.g. data about your interaction with Merchants, ordering, payment method and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. 

 

Collector Bank’s legitimate interest in providing you with the payment service.   

2.3 To prevent money laundering, financing of terrorism, fraud and for security purposes. 

Purpose Categories of personal data (collected from you)  Categories of personal data (collected from a third party)  Legal basis according to the General Data Protection Regulation  Other
To prevent and discourage our services, such as Collector Bank’s and Walley’s respective mobile applications and websites, being misused or exploited in ways that contravene laws or general terms and conditions.

 

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.  

Technical information: e.g. response times for websites. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address, e-mail and telephone number.

 

Legal obligation according to the General Data Protection Regulation to protect personal data.  

Collector Bank’s legitimate interest in conducting systematic network and information security to protect you and other customers, as well as Collector Bank. 

 

 
To maintain and conduct systematic information security work. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.  

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.  

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.

 

 

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery. 

 

 

Legal obligation according to the General Data Protection Regulation to protect personal data.

Legal obligation to conduct systematic network and information security according to the Swedish Financial Supervisory Authority’s regulations and general advice on information security, IT operations and deposit systems (FFFS 2014:5)

 

 
To prevent Collector Bank’s operations being exploited for money laundering or the financing of terrorism. Personal data is processed to collect information about all customers to enable the bank to understand who the customer is and how the customer intends to use the bank’s services and products. The purpose is to detect deviations and prevent the bank from being used for criminal purposes. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.  

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring, as well as information about where specific payments come from or what they are to be used for.  

Payment details: e.g. account, credit and debit card details (and transactions).  

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery. 

 

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery. Also data from external lists, so called PEP lists, which include people who have or have had an important public function and are therefore considered to be persons in a politically exposed position (“PEP”) and their relatives and close associates (“RCA”). The lists include information such as name, date of birth, place of birth, profession or position and reason why the person is on the list.  Legal obligation according to the Act (2017:630) on measures against money laundering and terrorist financing.  The processing includes profiling and automated decision-making – see section 8 below. 
To perform fraud checks before a purchase is granted. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.  

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring. 

 

 

 

Fulfilment of agreement with a natural person.  

Collector Bank’s and other customers’ legitimate interest in preventing and discouraging fraud to protect you, other customers, as well as Collector Bank. 

The processing includes profiling and automated decision-making – see section 8 below. 
To establish, exert and exercise legal claims. 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.  

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.  

Information that you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. 

 

 

Collector Bank’s legitimate interest in establishing, exerting and exercising legal claims e.g. to handle complaints and grievances in connection with a legal process or to prevent the use of Collector Bank’s services in violation of law or the terms of the service. 

 

 
Handling of complaints. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.  

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring. 

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name. 

Information that you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. 

 

 

 

 

Collector Bank’s legitimate interest in complying with the Swedish Financial Supervisory Authority’s general advice on complaints management regarding financial services for consumers (2002:23).   

2.4 For product development, finance and statistics purposes. 

Purpose Categories of personal data (collected from you)  Categories of personal data (collected from a third party)  Legal basis according to the General Data Protection Regulation  Other
For statistics and risk management, e.g. in connection with creating risk calculation models and to manage capital coverage obligations.

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Payment details: e.g. credit and debit card details, bank account number and bank name.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring. 

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring. 

Legal obligation to ensure compliance with the Consumer Credit Act (2010:1846) and capital requirement rules according to the Capital Requirements Regulation and the Capital Requirements Directive  
In order to perform bookkeeping and accounting in accordance with law. 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name. 

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.  

 

Legal obligation to ensure bookkeeping and accounting according to the Swedish Accounting Act (1999:1078)  
To anonymise personal data to improve our services and analyse customer behaviour. 

Contact details: e.g. name, date of birth, personal ID number, civil registration address. 

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.

Technical information: e.g. response times for websites.  

Contact details: e.g. name, date of birth, personal ID number, civil registration address. 

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.

Technical information: e.g. response times for websites. 

Collector Bank’s legitimate interest in developing its business and services through data analyses for the purpose of testing and refining product ideas and concepts.

Anonymised data is not covered by the General Data Protection Regulation because such data cannot be used to enable the identification of a natural person.

By anonymising data, we process as little data about you as possible and can therefore increase the protection of your privacy. 

To perform fraud checks before a purchase is granted. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.  

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring. 

 

 

 

Fulfilment of agreement with a natural person.  

Collector Bank’s and other customers’ legitimate interest in preventing and discouraging fraud to protect you, other customers, as well as Collector Bank. 

The processing includes profiling and automated decision-making – see section 8 below. 
For the purpose of compiling data for business and method development and market and customer analyses, for both our internal use and for our partners. This also includes work on combatting fraud.

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.

Technical information: e.g. response times for websites. 

 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.

Technical information: e.g. response times for websites. 

Collector Bank’s legitimate interest in developing its business through data analyses for the purpose of testing and refining product ideas and concepts.   

2.5 Credit purposes 

Purpose Categories of personal data (collected from you)  Categories of personal data (collected from a third party)  Legal basis according to the General Data Protection Regulation  Other
To ensure payment of overdue debts, e.g. by collecting or selling overdue debts. 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. 

Contact details: e.g. name, date of birth, personal ID number, civil registration address.

Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name.

Information about your finances: e.g. information about, for example, your income, payment remarks, payment orders and debt restructuring.

Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery.

Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings.

Collector Bank’s legitimate interest in having overdue debts paid.   
Transfer of payment claims for a non-overdue debt to another owner.  See the row above. 

See the row above. 

 

Collector Bank’s legitimate interest in being able to sell receivables as part of Collector Bank’s business.   
Transfer of payment claims from a store to Collector Bank (“factoring”). 

See the row above. 

 

See the row above. 

Collector Bank’s legitimate interest in being able to buy receivables (payment claims) as part of its business.

Third party’s (the store’s) legitimate interest in being able to sell receivables (payment claims) as part of its business. 

 

2.6 Marketing purposes 

Purpose Categories of personal data (collected from you)  Categories of personal data (collected from a third party)  Legal basis according to the General Data Protection Regulation  Other

Collector Bank will be able to send notifications and marketing to you unless you have declined to receive direct marketing.

Marketing may contain customer offers and customer discounts. 

Contact details: name, date of birth, personal ID number, civil registration address, e-mail and telephone number.

Information about your device (computer, phone or similar): IP address, information about your device, device settings.  device, device settings. 

 

 

Collector Bank’s legitimate interest in marketing its services.  You always have the right to object to receive direct marketing – see section 7.5, below. 

Collector Bank will be able to send customer satisfaction surveys and market surveys to you unless you have declined to participate in such surveys.

Such surveys may be sent by e-mail or text message. 

Contact details: name, date of birth, personal ID number, civil registration address, e-mail and telephone number. 

 

 

Collector Bank’s legitimate interest in being able to conduct customer satisfaction and market surveys in order to improve its services.  You always have the right to object to receive direct marketing – see section 7.5, below. 
To decide which marketing will be sent to you. 

Contact details: name, date of birth, personal ID number, civil registration address, e-mail and telephone number.

Information about your device (computer, phone or similar): IP address, information about your device, device settings. 

 

 

 

Collector Bank’s legitimate interest in adapting the content of its marketing to different target groups. 

 

The processing includes profiling and automated decisionmaking – see section 8 below. 

When you, as an individual or as a representative of a company, provide your contact details in any of our contact forms for the purpose of receiving more information about the services we can offer you. 

Contact details: name, e-mail and corporate ID number. 

  Collector Bank’s legitimate interest in establishing and maintaining contact with persons who have expressed an interest in its services. 

 

2.7 Processing of personal data through cookies. 

Purpose Categories of personal data (collected from you)  Categories of personal data (collected from a third party)  Legal basis according to the General Data Protection Regulation  Other

Tracking purposes: We keep track of visits and sources of traffic so that we can measure and improve the performance of the website. Doing so gives us an overview of which pages are most and least popular and lets us see how visitors navigate the website; it also helps us to understand where our users come from. 

 

Website data: IP address, browser settings, which pages you visit or how long you spend on the page, what type of device you are using, how long it took to load a page and from which country you are visiting. 

 

 

 

Collector Bank’s legitimate interest in developing its websites to make them easier for the customers to use.

Please note that enabling cookies requires your prior consent. This consent refers only to enabling cookies and is not a legal basis for processing personal data. 

 

Marketing purposes: This type of tracking technology is set and used by our advertising partners to create a profile of your interests and show relevant adverts on other websites. It does not store personal data but is based on the unique identification of your browser.

Website data: unique identification of your browser, data on behaviour (e.g. what you did on the website), demographic data (e.g. which country or town you surfed from) 

 

 

Collector Bank’s and third party’s legitimate interest in marketing its goods and services.  Please note that enabling cookies requires your prior consent. This consent refers only to enabling cookies and is not a legal basis for processing personal data.  You always have the right to object to receiving direct marketing – see section 7.5 below. 

2.8 Camera surveillance 

Purpose Categories of personal data (collected from you)  Categories of personal data (collected from a third party)  Legal basis according to the General Data Protection Regulation  Other

Camera surveillance in entrances to Collector Bank’s head office in Gothenburg and in Stockholm. 

Video recording (no audio recording). 

 

 

Collector Bank’s legitimate interest in preventing crime.

The address of the head office in Gothenburg is:

Lilla Bommens Torg 11,  411 04 Gothenburg.  

The addresses of Collector’s Stockholm offices are:  

Birger Jarlsgatan 12, 114 34 Stockholm Biblioteksgatan 8, 111 46 Stockholm. 

3. Sharing of personal data

As stated below, we will disclose and transfer data about you to a partner, supplier or subcontractor. You have the right to object to the processing that is carried out based on the legitimate interest of Collector Bank or a third party. See section Your rights, below, for more information about your right to object. 

3.1 Companies within the Collector Group

We may transfer and share your personal data with companies within the Collector Group. Personal data is shared on the basis of Collector Bank’s legitimate interest in sharing data within the group.

3.2 Credit reference institute

If you have credit with Collector Bank, we will share your personal data in the form of your personal ID number and information about any debt you may have, as well as information about any deviation in repayment with UC AB. The information that is sent to UC will be presented in UC’s future credit information about you, which is also available to other companies.

In light of the fact that other credit institutions report corresponding information to UC, we can use the collected information that UC provides when performing a credit report. The sharing of your personal data with UC is therefore performed so we can assess your creditworthiness in connection with your credit application, confirm your identity and your contact details, and protect you and other customers from fraud.

Collector Bank shares your personal data with UC on the basis of Collector Bank’s legitimate interest in ensuring a correct credit assessment and not granting credit to consumers that are unable to repay the credit.

For processing of your personal data that has been shared with UC, UC’s terms and conditions and data protection information shall apply.

3.3 Merchants that use our payment solutions

We have several affiliated merchants (both e-commerce and stores) that use our payment solutions for payment of their products and services (“Merchant”), such as Collector Check-out and Walley, among others.

For the Merchant to be able to perform and administer your purchase and administer your relationship with the Merchant or its group companies (e.g. by confirming your identity, sending goods, dealing with questions and disputes), to prevent fraud and, where appropriate, to send relevant marketing. With regard to the processing of your personal data that has been shared with a Merchant, and that the Merchant processes, the Merchant’s terms and conditions and data protection information apply. The legal basis is the fulfilment of agreements to which the customer is party and Collector Bank and the Merchant’s legitimate interest in preventing fraud.

3.4 Public authorities

We may share and transfer information about you to different authorities such as the Swedish Police Authority or the Swedish Tax Agency. We will transfer all or some of your personal data that we process if we are obliged to do so by law or if you have given your consent.

Personal data is shared with the authorities when Collector Bank is obliged to share it by law, or in certain cases if you have requested that we do so:

  • If it is required to administer tax. Collector Bank shares information about accounts and interest that have been received or paid with the Swedish Tax Agency in order to calculate your tax.
  • To counteract and investigate crime. For example, there is a legal obligation to provide information about measures against money laundering and the financing of terrorism.

 

Depending on the authority and purpose, the legal basis is the fulfilment of a legal obligation, the fulfilment of agreements, or Collector Bank’s legitimate interests in counteracting and preventing criminal transactions.

3.5 Debt collection companies

Collector Bank may need to share your information when it sells or instructs a debt collection company to collect overdue unpaid debts. This sharing takes place in order to collect your overdue debts. The debt collection companies process personal data in accordance with their own data protection information and are the data controllers for their processing of personal data. We carry out this sharing of information based on our legitimate interest in collecting and selling debts.

3.6 Payment service providers

Collector Bank shares personal data in the form of card details to PSPs (Payment Service Provider) that are PCI DSS-certified and which it cooperates with in order to manage a card purchase through Collector Check-out. This sharing takes place on the legal basis of fulfilment of agreement, in other words, in order to perform the transaction.

 

4. Transferring personal data to recipients in countries outside the EU/EEA

We strive to ensure that your personal data is processed only in countries within the EU and EEA, but data may be processed outside the EU and EEA (so-called “third countries”). Such processing takes place only provided that other rules in the General Data Protection Regulation are complied with and that one of the following conditions are satisfied:

  • the European Commission has decided that there is an adequate protection level in the country in question according to article 45 in the General Data Protection Regulation; and
  • other appropriate protective measures have been taken, e.g. standard contractual clauses or binding company provisions, according to article 46.2 and 47 of the General Data Protection Regulation.

 

When transferring personal data to a third country without an adequate level of protection, Collector Bank uses supplementary protection measures to protect transferred personal data. Examples of such data include pseudonymisation or personal data not being transferred in plain text. Supplementary protection measures are used to ensure a suitable level of protection for transferred personal data. You have the right to access a copy of the signed standard contractual clauses that form the basis for transferring personal data attributable to you. In this case, contact us at privacy@norionbank.se or at the address stated below.

 

5. Storage time for personal data

As stated above, Collector Bank will store and process your personal data only for as long as there is a legal basis for it. 

In general, we will save personal data attributable to a contractual relationship for as long as the contractual relationship with you lasts and for 10 years afterwards with regard to the rules on the mutual contract statute of limitations. In some cases the data may be saved longer due to legislation on capital cover that we must comply with. If you do not enter into an agreement with us, personal data is normally saved for a maximum of three months, but the data may in some cases be saved longer due to current legislation as exemplified above.

Personal data will be saved to comply with the following legal obligations: 

Type of case Legal basis and storage time 
Data attributable to loan or purchases  7 years plus the current year, in accordance with the Swedish Accounting Act (1999:1078) 

7 years in accordance with the Consumer Credit Act (2010:1846)

5 years or up to 10 years in accordance with the Act (2017:630) on measures against money laundering and terrorist financing 
Data attributable to debt recovery cases  2 years in accordance with the Swedish Debt Recovery Act (1974:182) and good debt recovery practice 
Data attributable to credit information  3 years in accordance with the Swedish Credit Information Act (1973:1173) 

Personal data that is collected through camera surveillance is saved for up to 72 hours unless the video recording needs to be saved longer in order to investigate a declared or suspected crime.

Personal data may be saved for a longer time than that stated above if this is necessary to establish, assert or defend legal claims.

 

6. Protection of your personal data

Secure processing of your information is of the utmost importance to us. We therefore continually take appropriate technical, organisational and administrative security measures to protect the information we have against loss, misuse and unauthorised access, disclosure, amendment or destruction.

 

7. Your rights

To exercise your rights, you are always welcome to contact us at privacy@norionbank.se. You can also find more information about your rights at the Swedish Authority for Privacy Protection’s website

7.1 Register extract

You have the right to receive a copy of your personal data that is registered with us in accordance with the applicable data protection legislation, i.e. so-called register extracts. You can request this by logging on to gdpr.norionbank.se or contacting us through the contact routes specified in this data protection information.

7.2 Rectification

If you suspect or have discovered personal data that is incorrect, incomplete or irrelevant, you have the right to request that the data be corrected or deleted. Contact us through the contract routes specified in this data protection information. See also the right to be forgotten under the section erasure below.

7.3 Erasure (the right to be forgotten)

You have the right to request that we erase personal data that concerns you (better known as the right to be forgotten). Once we have received such a request, we will make an assessment based on the individual case. We will erase your data only if there are no legal or contractual obstacles to doing so. For example, it is not possible to erase data that concerns you if there is a legal obligation to save the data.

7.4 Objection

You have the right to object to processing that is based on the legitimate interest of Collector Bank or a third party.

7.5 Objection (block against direct marketing)

As stated in section 2.7 above, Collector Bank or one of its partners will use your data for marketing and profiling. This means that you may receive advertising based on the data you have submitted. If you do not want to receive direct marketing, you can contact us through privacy@norionbank.se and request a block against direct marketing (so-called direct advertising block).

7.6 Data portability

Under certain circumstances where we process personal data with the support of an agreement or consent, you have the right to contact us to receive a copy of the personal data that you have provided us with yourself in a structured, generally used and machine-readable format (e.g. CSV or PDF), and you have the right to have this transferred directly to another data controller if this is technically possible.

7.7 Limitation

If you have contacted us with a request for erasure, objection or correction, you have the right to request a limitation to processing while your request is assessed. This may, for example, involve restricting the authority of officers to process your personal data or your personal data not being processed at all while your request is being assessed.

7.8 Confirmation of identity and processing times

If Collector Bank has reasonable grounds to doubt your identity, Collector Bank is obligated by law to request supplementary information to confirm your identity. If it is not possible in an individual case to confirm your identity, this will prevent Collector Bank from complying with your request.

Your request will be handled without delay and within one (1) month of your request being received by Collector Bank. This period can be extended by up to two (2) months in view of the complexity of your request and the number of requests received.    

 

8. Automated decisions and profiling

8.1 Automated decisions

Collector Bank uses automated decision-making in the following situations:

  • Decisions to approve your application to use a service that includes credit.
  • Decisions not to approve your application to use a service that includes credit – these automated credit decisions are based on the data that you have provided, data from external sources such as credit reporting agencies and Collector Bank’s own information
  • Decisions on whether there is a risk of money laundering based on an analysis of customer behaviour – Collector Bank investigates, when relevant, whether specific customers are listed on sanction lists
  • Decisions on whether there is a risk of fraud in connection with a transaction or whether a certain customer constitutes a risk of fraud

 

If your application is not approved during the automated decision-making described above, you will not receive access to Collector Bank’s services, such as our payment services. The purpose of automated decision-making is to make decisions in a time-efficient, objective and predictable way. Automated decision-making is monitored by Collector Bank’s data protection officer.

8.2 Your right to object to an automated decision

Collector Bank’s legal basis for automated decision-making is that it is necessary for entry into or fulfilment of an agreement between you and it, or if you have given your consent (article 22.1 a and 22.1 c of the General Data Protection Regulation). You have the right to contact us at privacy@norionbank.se or +46 (0)10-161 00 00 for personal contact with an employee at Collector Bank. You have a special right to express your opinion and contest the automated decision. You also have the right to have the automated decision explained to you. We will examine your objection in the individual case without delay and within one (1) month of Collector Bank receiving your request. This period can be extended by up to two (2) months in view of the complexity of your objection and the number of requests received.

8.3 Profiling

Profiling refers to the automatic processing of personal data that is used to assess certain personal characteristics of a natural person, particularly with regard to analysing or predicting, for example, their financial situation, personal references, interests and residence.

We use profiling for:

  • market and customer analyses
  • system development
  • marketing
  • transaction monitoring to counter fraud

 

9. Data protection officer  

We have appointed a data protection officer who will monitor our adherence to the rules on personal data protection in our business. The data protection officer must fulfil their assignment in an independent manner in relation to the other parts of our business.

You have the right to contact the data protection officer with regard to any questions concerning your personal data and the fulfilment of your rights.

E-mail: privacy@norionbank.se  

Telephone: +46 (0)10-161 00 00

 

10. Right to lodge a complaint with the Swedish Authority for Privacy Protection 

For questions concerning our personal data processing, please contact us at privacy@norionbank.se. If you suspect that we have processed your personal data incorrectly or without permission, please contact us first so that we can investigate your views. If you believe that we have processed your personal data incorrectly or without permission, you can direct a formal complaint to the Swedish Authority for Privacy Protection in accordance with article 77 of the General Data Protection Regulation. The Swedish Authority for Privacy Protection is the independent supervisory authority that exercises supervision over regulatory compliance with the General Data Protection Regulation in Sweden. You can find out more at www.imy.se.

 

11.  Amendments to this data protection information

Collector Bank reserves the right to make amendments to this data protection information at any time insofar as the amendments are necessary. All amendments are published on the website www.collector.se. You should therefore review this data protection information regularly to make sure you are satisfied with the amendments.  

 

 

Last updated 2023–06–29