Privacy Policy

We enable payments - globally

Privacy Policy

1. Background

1.1 In the course of conducting our business, Westpay AB (”Westpay, we/us”) processes, among other things, information about individuals who visit our website, contact persons at our customers and suppliers, and individuals who communicate with us using, for example, forms on our website or email (“you“). Such information constitutes personal data, and we find it important to protect your personal data and your privacy.

1.2 By means of this privacy policy, we wish to inform you about which principles are adhered to when processing personal data, explain which categories of personal data are processed, the purposes of the processing, which legal grounds the processing is based on, where and with whom the personal data may be shared, and our obligations and your rights in connection with the processing of the personal data.

1.3 Hur personuppgifter får behandlas framgår av lag. Dataskyddsförordningen (som också kallas ”GDPR” efter den engelska benämningen) gäller som lag i alla EU:s medlemsländer sedan den 25 maj 2018 och ersatte då nationella regler, som t.ex. personuppgiftslagen i Sverige. GDPR syftar till att skydda människors personliga integritet i samband med behandling av personuppgifter och innehåller därför ett antal principer och detaljerade bestämmelser som den som behandlar personuppgifter ska ta hänsyn till. En viktig del av integritetsskyddet är att den vars personuppgifter behandlas har rätt att få information om behandlingen.

2. Important concepts

2.1 Personal data means any information relating to an identified or identifiable natural person e.g. name, address, telephone number, email address, personal identification number, title, role, photograph, and IP address.

2.2 Processing of personal data includes each operation which is performed on the personal data, e.g. collection, registration, adaptation, organisation, structuring, consultation, use, and storage.

2.3 Controller means the party who, alone or jointly with another, determines the purposes and means of the processing of the personal data and who is ultimately responsible for ensuring that the processing takes place in accordance with applicable personal data legislation.

2.4 Data subject means an identified or identifiable natural person.

3. Who is responsible for the processing of your personal data?

Westpay AB, reg. no. 556321-8105, Kanalvägen 14, 2tr, 194 61 Upplands Väsby, Sweden, telephone: +46 (0)8 506 68 400, email: info@westpay.se, is the controller for the processing of personal data which Westpay performs in connection with you visiting our website, being a contact person at a customer or supplier, or communicating with us via, e.g., email.

4. Principles for personal data processing

4.1 The GDPR establishes fundamental principles for all processing of personal data. We process personal data in light of the principles for personal data processing.

4.2  The principles are set forth in Article 5 of the GDPR, which stipulates that the following shall apply in conjunction with processing personal data.

  1. The data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency).
  2. They shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner which is incompatible with these purposes (purpose limitation).
  3. They shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
  4. They shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate having regard to the purposes for which they are processed are erased or rectified without delay (accuracy).
  5. They may not be kept in a form which permits the identification of the data subject for longer than is necessary for the purposes for which the personal data are processed (storage limitation).
  6. They shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or impermissible processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (integrity and confidentiality).
  7. The person processing the data shall be responsible for, and able to demonstrate, compliance with the principles through clear information and documentation (accountability).

5. Which personal data about you do we collect when you visit our website, and for which purposes?

Processing activities

Categories of personal data

Purposes

  • Logging IP addresses of visitors to our website
  • Logging data regarding use of IT devices, e.g. how long the person was on our website and whether the visit was made via computer or smartphone
  • IP-adress
  • Cookies
  • Data regarding use of IT devices
  • In order to ensure technical functionality
  • In order to provide our website
  • In order to evaluate our website
  • In order to identify our interested parties
Legal basis: Legitimate interest. The processing is necessary for our legitimate interest in being able to: i) provide and evaluate our website; ii) ensure technical functionality; and iii) identify the behaviour of interested parties on our website.
Storage period: Your personal data is saved for a maximum of 180 days and is thereafter erased.

6. Which personal data about you do we collect if you are a contact person at a customer or supplier, and for which purposes?

Processing activities

Categories of personal data

Purposes

  • Administer agreements with customers/suppliers
  • Mailout of information regarding our service to customers/suppliers
  • Processing in email messages in internal communication as well as in communication with suppliers and customers
  • Processing in unstructured material e.g. various types of running texts and simple lists
  • Name
  • Telephone number
  • Email address
  • Other personal data which may appear in unstructured material
  • In order to administer agreements with customers/suppliers
  • In order to handle customers/suppliers wishes
  • In order to conduct the day-to-day operations in an effective and suitable manner
Legal basis: Legitimate interest. The processing is necessary for our legitimate interest in being able to: i) contact individuals at customers and suppliers with information; ii) contact individuals at customers and suppliers in order to evaluate content and design of our service; iii) meet customers’ and suppliers’ wishes; iv) conduct our day-to-day operations in an effective and suitable manner; and v) perform contractual obligations under agreements with customers and suppliers.
Storage period: We retain your personal data for as long as is necessary for the above stated purposes. We endeavour to achieve storage minimisation and have routines to on an ongoing basis cull personal data which we no longer need, e.g. after a customer or supplier relationship has ended.

7. Which personal data about you do we collect if you communicate with us via, for example, forms on our website or email, and for which purposes?

Processing activities

Categories of personal data

Purposes

  • Processing in email messages
  • Processing of data which is sent via contact forms on our website
  • Those which you personally provide to us, e.g. name, contact details, and information regarding your question, feedback, or matter
  • Name and email address in contact form on the website
  • In order to respond to your question, take care of your feedback, or handle your matter
Legal basis: Legitimate interest. The processing is necessary for our legitimate interest in being able to handle your question, feedback, or matter.
Storage period: We endeavour to achieve storage minimisation, but how long we retain the personal data depends on the purpose of the specific processing.

8. Which personal data is processed in connection with collecting corporate reports and for which purposes?

Processing activities

Categories of personal data

Purposes

  • In conjunction with collecting corporate reports for new customers; in other words, creditworthiness information regarding the customers’ companies which only involve legal persons is accompanied by data regarding which persons are directors and CEOs of the customers’ companies.
  • Name of directors and CEOs
  • Personal identification number
  • In order to be able to obtain corporate reports about new customers
Legal basis: Legitimate interest. The processing is necessary for our legitimate interest in being able to obtain corporate information about new customers.
Storage period: The personal data is erased after the corporate report has been reviewed and a decision taken regarding whether to accept the company as a customer.

9. From what sources do we collect your personal data?

In addition to the personal data which you personally provide to us, we process the following personal data.

We process personal data which is provided by customers and suppliers.

In addition, we may also collect contact information for employees of customers and suppliers from public registers in order to offer or order services.

Data which is stored about visitors to our website are data which the visitor provides via their electronic device, e.g. computer or smartphone.

10. Who has access to the personal data and where can the personal data be transferred?

10.1 For the above purposes, the personal data may be disclosed to Westpay’s representatives in Norway, South Africa and Australia, as well as to other companies with which we cooperate (e.g. customers, suppliers, and other cooperation partners, e.g. to offer services or for information).

10.2 We may transfer the personal data to countries outside of the EU/EEA (third countries). This may occur, e.g., because we have representatives outside of the EU/EEA, through personal data being stored on servers located in third countries, or because we retain IT providers who provide support and maintenance of IT systems from a third country.

10.3 In those cases where we transfer personal data to a third country, we will enter into agreements and take other measures to protect the personal data in accordance with applicable legal requirements. For transfers to representatives in South Africa and Australia, we will use the EU Commission’s standard contractual clauses for data protection so that it is permissible to transfer personal data to them. We will provide clear, written information on an ongoing basis if additional third country transfers become relevant.

11. What are your rights as a data subject?

You have a right to request access to personal data by requesting what is known as a register extract, as well as to request correction, erasure, or restriction of the processing, and you have a right to object to the processing. In addition, in certain cases you also have the right to receive your personal data in a machine-readable format and transfer these data to another controller of personal data.

12. What can you do if you want to make a complaint?

If you have questions for us about the processing of personal data or if you believe that our processing of your personal data violates the GDPR, you are asked to firstly contact us so that we can correct any errors. However, you always have the possibility of submitting complaints to the supervisory authority, the Data Protection Authority, if you believe that we are processing your personal data in violation of the personal data legislation.