Data protection information 
1. Introduction
Norion Bank AB (Corporate ID no. 556597–0513) (”Norion Bank”, ”we”, ”our” or ”us”) is the data controller for the processing of your personal data according to the European Union’s General Data Protection Regulation (also referred to as “GDPR”).
Norion Bank operates under three brands: Norion Bank (Corporate and Real Estate), Walley (Payments) and Collector (Private). This data protection information is addressed to natural persons - the data subject in the terminology of the GDPR - whose personal data is processed by Norion Bank, regardless of whether you act in the capacity of a representative of a company or other legal entity or in the capacity of a consumer ("customer(s)", "you", "your", or "yours").
This data protection information explains what kind of information Norion Bank, through its Walley brand, collects and processes when you use Walley's products or services including Walley's Checkout and payment solutions and when you as a Merchant are in contact with Walley.
This data protection information further describes why we use personal data, how we use personal data, where we obtain personal data from and how we share personal data. We also explain your rights under the General Data Protection Regulation and how you can get in touch with employees at Norion Bank.
For information on how we process personal data when using our services provided under the bank's other two brands (Norion Bank and Collector), we refer to the respective data protection information at norionbank.se and collector.se.
| Data controller: | PO Box adress: |
| Norion Bank AB | Box 11914, 404 39 Göteborg |
| Corporate ID no.:556597–0513 | Telephone: 010-161 00 00 |
| Visiting address: Lilla Bommens Torg 11, 411 04 Göteborg | E-mail: privacy@norionbank.se |
2. Legal basis
According to the General Data Protection Regulation, a legal basis (legal support) is always required for Norion Bank to have the right to process personal data. We use the following four legal bases to process personal data in the context of the Walley brand:
- Fulfilment of agreement - Personal data may be processed if necessary to fulfil an agreement to which a natural person is party or in order to take measures at the request of a natural person before such an agreement is entered into.
- Legal obligation - Personal data may be processed if necessary in order for Norion Bank to fulfil a legal obligation or a decision by a public authority.
- Legitimate interest - Personal data may be processed based on the legitimate interest of Norion Bank or a third party. You have the right to object to the processing that is carried out based on the legitimate interest of Norion Bank or a third party. See section Fel! Hittar inte referenskälla., below, for more information about your right to object.
For more detailed information about the legitimate interest of Norion Bank or a third party, see the section below with information about the purpose of and legal basis for processing of personal data. If you would like to know more about how we have assessed the legitimate interest of Norion Bank and a third party through a so-called balance of interests, you are always welcome to contact us at privacy@norionbank.se. - Consent - Personal data may be processed if you have agreed to processing for one or more specific purposes. When the legal basis for the processing of personal data is consent, you must give such consent for the personal data to be processed. You have the right to withdraw your consent at any time by e-mailing privacy@norionbank.se. We will then have no continued right to process data with the support of consent. Please note that withdrawn consent does not affect the legality of the processing that was performed on the basis of your consent before the consent was withdrawn.
3. What personal data do we process about you and why?
The tables below set out the purposes for which we process your personal data i.e. why your personal data is processed. We also describe which personal data is processed and whether it has been obtained directly from you or from a third party. A third party means, for example, affiliated merchants, Payment Service Providers, credit information companies or the state address register SPAR. We also explain the legal basis on which we support our processing under the General Data Protection Regulation.
Detailed information about Walley's products and services for both private individuals and companies can be found on this website (www.walley.se).
3.1 When you use Walley products or services
| Purpose | Categories of personal data (collected from you) | Categories of personal data (Collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
| Secure and verify your identity. |
Contact and identification details in cases where Walley's checkout solution is used: E.g. name, date of birth, social security number, postal/delivery address, email and phone number, Bank ID. Information you provide to our customer service: E.g. recorded phone calls, chat conversations, or email correspondence. |
Contact details you provide to the Merchant: e.g. name, date of birth, social security number, postal/delivery address, delivery address, email and telephone number. Information on your registered address may also be obtained from SPAR or credit reference agencies. |
Performance of a contract with a natural person. Legal obligation to establish the identity of customers under the Act (2017:630) on measures against money laundering and terrorist financing. The legitimate interest of Norion Bank and other customers to prevent fraud and protect customer data from unauthorized disclosure and use. |
|
| Make an assessment of your ability to repay a credit and risk analysis when applying for any form of credit with Norion Bank (Walley). |
Information about your finances: e.g. your income, payment defaults, payment orders and debt restructuring. Information you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. |
Where Walley credit products are used, we obtain the following information from credit reference agencies: Information about your finances: e.g. your income, payment defaults, payment orders and debt restructuring. |
Performance of a contract with a natural person. Legal obligation to document good lending practices under the Consumer Credit Act (2010:1846). Norion Bank's legitimate interest to comply with the Swedish Financial Supervisory Authority's general advice on credit in consumer relationships (FFFS 2011:47). |
The processing includes profiling and automated decision-making, see section 9 below. |
| To document, administer and fulfil the agreement you have entered into with Norion Bank (Walley). |
Contact details where Walley's checkout solution is used: e.g. name, date of birth, social security number, postal/delivery address. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Information you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. Payment details where Walley's checkout solution is used: e.g. telephone number, credit and debit card details (card number, expiry date and CVV code), bank account number, bank name. |
Contact details you provide to the Merchant: e.g. name, date of birth, social security number, postal/delivery address. Data about your purchase: e.g. data about your interaction with the Merchant, order, payment method and delivery. We collect information from Payment Service Providers: e.g. means of payment, bank and date of payment. Information about your registered address may also be obtained from SPAR or credit reference agencies. |
Performance of a contract with a natural person or Merchant. The legitimate interest of Norion Bank to perform a contract concluded with a legal person. |
|
|
To send you information (e.g. by email) about the service(s) you use (not including marketing). |
Contact details: e.g. name, date of birth, social security number, postal/delivery address, email, telephone number. |
Performance of a contract with a natural person or Merchant. The legitimate interest of Norion Bank to perform a contract concluded with a legal person. |
||
| Provide you with the Walley Checkout solution when you purchase a product or service from a Merchant that offers Walley Checkout as a payment solution or any of Walley's credit products. |
Contact and identification data where the Walley Checkout solution is used: e.g. name, date of birth, social security number, postal/delivery address, Bank ID. Data about your purchase: e.g. data on your interaction with Merchants, payment methods and delivery. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Depending on the payment method you choose, different payment data are processed: e.g. telephone number, credit and debit card details (card number, expiry date and CVV code), bank account number, bank name. |
Contact details you provide to the Merchant: e.g. name, social security number, email, telephone number, postal/delivery address. Data from the Merchant about your purchase: e.g. data about your interaction with the Merchant, order, payment method and delivery. Data from Payment Service Providers about your payment: e.g. means of payment, bank and date of payment. Information on your registered address may also be obtained from SPAR or credit reference agencies. |
Norion Bank's legitimate interest in providing the payment service to you. |
|
| Provide the Walley App or website (my.walley.se) so you can get an overview of your purchases and invoices. |
Contact details: e.g. name, email and postal/delivery address. Login details: social security number and Bank ID. Information about your purchase: e.g. payment method and delivery. Payment or refund account details: e.g. bank account number, bank name. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. |
Contact details you provide to the Merchant: e.g. name, email, postal/delivery address. Data from the Merchant about your purchase: e.g. Order, payment method and delivery. Data from Payment Service Providers about your payment: e.g. Means of payment and date of payment. |
Norion Bank's legitimate interest in providing the Walley App or website (my.walley.se) to you to enable you to keep track of your purchases and invoices. |
|
| Manage any returns or complaints once you have made a return on the Merchant's website and a refund should be made to your account. | Payment details or account for reimbursement: e.g. means of payment or bank account number and bank name. | Information from the Merchant about your purchase: e.g. order, amount and payment method. | Norion Bank's legitimate interest in providing customer service to you. | |
| Provide you with our service when you contact Walley's customer service by email, phone, chat or post. |
Contact details: e.g. telephone number, name, postal/delivery address, e-mail address, social security number. Information about your purchase: e.g. data on your interaction with Merchants, payment methods and delivery. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. |
Information from the Merchant about your purchase: e.g. order, amount and payment method. | Norion Bank's legitimate interest in providing customer service to you. | |
| Provide you with our support and service when you as a representative of an affiliated Merchant contact Merchant Services by email or phone. | Contact details: e.g. name, email and phone number. | Performance of a contract with affiliated Merchants. |
3.2 Preventing money laundering and terrorist financing, fraud and for security purposes
| Purpose | Categories of personal data (collected from you) | Categories of personal data (Collected from a third party) | Legal basis according to the General Data Protection Regulation | Legal basis according to the General Data Protection Regulation |
| To prevent our services, such as the Walley mobile application and website, from being misused or exploited in a way that is contrary to the law or general terms and conditions. |
Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response time for web pages. |
|
Legal obligation in accordance with the General Data Protection Regulation to protect personal data. Norion Bank's legitimate interest to conduct systematic network and information security to protect you and other customers and Norion Bank. |
|
| Maintaining and conducting systematic information security work. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Information about your finances: e.g. information about your income, payment defaults, payment orders and debt restructuring. Payment data: e.g. credit and debit card details (card number, expiry date and CVV code), bank account number, bank name. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. |
Data on your purchase from the affiliated Merchant: e.g. data on your interaction with the Merchant, order, and delivery. |
Legal obligation in accordance with the General Data Protection Regulation to protect personal data. Legal obligation to conduct systematic network and information security in accordance with Finansinspektionen's regulations and general guidelines on information security, IT operations and deposit systems (FFFS 2014:5). |
|
| Prevent Norion Bank's business from being used for money laundering or terrorist financing. Personal data is processed to obtain information about all customers so that the bank can understand who the customer is and how the customer intends to use the bank's services and products. The purpose is to detect anomalies and prevent the bank from being used for criminal purposes. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring, as well as information on where specific payments are coming from or going to. Payment data: e.g. account details, credit and debit card details (and transactions). Information about your purchase: e.g. data on your interaction with Merchants and delivery. |
Data about your purchase from affiliated Merchants: e.g. data about your interaction with Merchants, order, and delivery. Also data from external lists, so-called PEP lists, which include persons who have or have had an important public position and are therefore considered to be a politically exposed person ("PEP") and their relatives ("RCA"). The lists include information such as name, date of birth, place of birth, profession and/or position and the reason why the person is on the list. |
Legal obligation under the Act (2017:630) on measures against money laundering and terrorist financing. | The processing includes profiling and automated decision-making, see section 9 below. |
| Carry out a control of the personal data against sanctions regulations to ensure that they are not violated. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Information about your finances: e.g. information about your income or where other specific payments come from or are to be used for. Information about your purchase: e.g. data on your interaction with Merchants and delivery. |
Information from external sanctions lists and PEP lists: The lists contain the names of persons subject to restrictions decided by the EU and, for example, the Office of Foreign Asset Control (“OFAC”). The lists include information such as name, date of birth, place of birth, profession and/or position and the reason why the person is on the list.
|
Legal obligation under e.g. Act (1996:95) on certain international sanctions. | The processing includes profiling and automated decision-making, see section 9 below. |
| Performing fraud checks before granting a purchase. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. |
|
Performance of a contract with a natural person. The legitimate interest of Norion Bank and other customers to prevent fraud in order to protect you, other customers and Norion Bank. |
The processing includes profiling and automated decision-making, see section 9 below. |
| Establish, file and defend legal claims. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. Information you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. |
The legitimate interest of Norion Bank to establish, file and defend legal claims, e.g. to handle complaints and claims in connection with legal proceedings or to prevent the use of Norion Bank's services in violation of the law or the terms of service. | ||
| Managing complaints. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. Information you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. |
Norion Bank's legitimate interest to comply with the Swedish Financial Supervisory Authority's general advice on complaints management regarding financial services for consumers (2002:23). |
3.3 Product development, financial and statistical purposes
| Purpose | Categories of personal data (collected from you) | Categories of personal data (Collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
| For statistical and risk management purposes, e.g. in the context of establishing risk calculation models and managing capital coverage obligations. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Payment data: e.g. credit and debit card details, bank account number, bank name. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. |
Data on your purchase from the affiliated Merchant: e.g. data on your interaction with the Merchant, order, and delivery. Information about your finances from credit reference agencies: e.g. information about your income, payment defaults, payment orders and debt restructuring. |
Legal obligation to ensure compliance with the Consumer Credit Act (2010:1846) and capital requirement rules according to the Capital Requirements Regulation and the Capital Requirements Directive. | |
| To conduct bookkeeping and accounting in accordance with the law. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Payment details: e.g. means of payment, date of payment and name of the bank. |
Data on your purchase from the affiliated Merchant: e.g. data on your interaction with the Merchant, order, and delivery. | Legal obligation to ensure bookkeeping and accounting according to the Accounting Act (1999:1078). | |
| Anonymize personal data to improve our services and analyze customer behavior. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Payment data: e.g. credit and debit card details (card number, expiry date and CVV code), bank account number, bank name. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response time for web pages. |
Information about your finances from credit reference agencies: e.g. information about your income, payment defaults, payment orders and debt restructuring. Data on your purchase from affiliated Merchants and Payment Service Providers when using our Checkout solution: e.g. data on your interaction with Merchants, order, and delivery. Contact details: e.g. name, date of birth, social security number, postal/delivery address. Payment data: e.g. credit and debit card details (card number, expiry date and CVV code), bank account number, bank name. |
Norion Bank's legitimate interest to develop our business and services through data analysis in order to test and refine product ideas and concepts. |
Anonymized data is not covered by the GDPR because such data cannot be used to enable the identification of a natural person. By anonymizing information, we process as little information about you as possible and can thus enhance the protection of your privacy. |
| In order to compile data for business and method development, market and customer analysis, both for our internal use and for our partners. This also includes anti-fraud measures. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Payment data: e.g. credit and debit card details (card number, expiry date and CVV code), bank account number, bank name. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. Data on your purchase: e.g. data on your interaction with Merchants and delivery. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response time for web pages. |
Details of your purchase from affiliated Merchants and Payment Service Providers when using our Checkout solution: Contact details: e.g. name, date of birth, social security number, postal/delivery address. Payment data: e.g. credit and debit card details (card number, expiry date and CVV code), bank account number, bank name. Information about your finances from credit reference agencies: e.g. information about your income, payment defaults, payment orders and debt restructuring. Data on your purchase: e.g. data on your interaction with Merchants and delivery. Information on your registered address may also be obtained from SPAR or credit reference agencies. |
Norion Bank's legitimate interest in developing our business through data analysis to test and refine product ideas and concepts. |
3.4 Credit purposes
| Purpose | Categories of personal data (collected from you) | Categories of personal data (Collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
| Ensuring payment of overdue debts, e.g. by collecting or selling overdue debts. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Payment details: e.g. amount, bank name and date of payment. Information on your finances: e.g. information on your income, payment defaults, payment orders and debt restructuring. Data on your purchase: e.g. data on your interaction with Merchants and delivery. |
Contact details of the debt collection agent: e.g. name and registered address. Information about your purchase: e.g., order, and delivery. Payment data: e.g. payments to debt collectors or authorities. Information on your finances from credit reference agencies or debt collection agencies: e.g. information on your income, payment defaults, payment orders and debt restructuring. Information on your registered address may also be obtained from SPAR or credit reference agencies. |
Norion Bank's legitimate interest in getting paid for overdue debts. |
3.5 Marketing purposes
| Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
|
Norion Bank wants to be able to send you messages and marketing if you have not opted out of direct marketing. Marketing may include customer offers and discounts. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. |
Norion Bank's legitimate interest in marketing its services. | You always have the right to object to direct marketing, see section 8.5 below. | |
|
Norion Bank wants to be able to send you customer satisfaction surveys and market research, unless you have declined to participate in such surveys. Such surveys may be sent by email or SMS. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address, e-mail, phone number. | Norion Bank's legitimate interest to conduct customer satisfaction and market research to improve our services. | You always have the right to object to direct marketing, see section 8.5 below. | |
| Decide which marketing should be sent to you. |
Contact details: e.g. name, date of birth, social security number, postal/delivery address, e-mail, phone number. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. |
Norion Bank's legitimate interest in adapting its marketing content to different target groups. | The processing includes profiling, see section 9 below. | |
| When you, as a private individual, leave your feedback after a purchase. | Contact details: The information provided by you in the free text field. | Norion Bank’s legitimate interest in establishing and maintaining contact with persons who have expressed an interest in its services. |
3.6 Processing of personal data through cookies
| Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
| Tracking purposes: We keep track of visits and sources of traffic so that we can measure and improve the performance of the website. Doing so gives us an overview of which pages are most and least popular and lets us see how visitors navigate the website; it also helps us to understand where our users come from. | Website data: IP address, browser settings, which pages you visit or how long you spend on the page, what type of device you are using, how long it took to load a page and from which country you are visiting. |
Norion Bank’s legitimate interest in developing its websites to make them easier for the customers to use. Please note that enabling cookies requires your prior consent. This consent refers only to enabling cookies and is not a legal basis for processing personal data. |
Detailed information about our placement of cookies and the possibility for you to change your settings can be found further down on the website under "Cookie settings". | |
| Marketing purposes: This type of tracking technology is set and used by our advertising partners to create a profile of your interests and display relevant advertisements on other websites. They do not store personal data, but they are based on unique identification of your browser. | Website data: unique identification of your browser, data on behavior (e.g. what you did on the website), demographic data (e.g. which country or town you visited from). |
Norion Bank’s and third party’s legitimate interest in marketing its services. Please note that enabling cookies requires your prior consent. This consent refers only to enabling cookies and is not a legal basis for processing personal data. |
You always have the right to object to receiving direct marketing – see section 8.5 below. Detailed information about our placement of cookies and the possibility for you to change your settings can be found further down on the website under "Cookie settings". |
4. Sharing of personal data
As stated below, we will disclose and transfer data about you to a partner, supplier or subcontractor. You have
You have the right to object to the processing that is carried out based on the legitimate interest of Norion Bank or a third party. See section Your rights, below, for more information about your right to object.
4.1 Companies within Norion Bank Group
We may transfer and share your personal data to companies within the Norion Bank group. Personal data is shared on the basis of Norion Bank's legitimate interest to share data within the group.
4.2 Credit reference agencies
If you have a credit with us, we will share your personal data such as your social security number, information about your possible debt and information about any deviation with repayments with UC AB. The information sent to UC will be presented in UC's future credit reports about you, which are also available to other companies.
Given that other credit institutions report similar information to UC, we may use the aggregate information provided by UC when performing a credit check. The sharing of your personal data with UC is thus done to enable us to assess your creditworthiness in connection with your credit application, to confirm your identity and contact details, and to protect you and other customers from fraud.
Norion Bank shares your personal data with UC on the basis of Norion Bank's legitimate interest in ensuring an accurate credit assessment and not granting credit to consumers who are unable to repay the credit.
The processing of your personal data shared with UC is subject to UC's terms and conditions and data protection information.
4.3 Merchants that use our payment solutions
We have several affiliated merchants (both e-commerce and physical stores) that use our payment solutions for payment of their products and services (“Merchant”), such as Walley Check-out and Walley, among others.
For the Merchant to be able to perform and administer your purchase and administer your relationship with the Merchant or its group companies (e.g. by confirming your identity, sending goods, dealing with questions and disputes), to prevent fraud and, where appropriate, to send relevant marketing. With regard to the processing of your personal data that has been shared with a Merchant, and that the Merchant processes, the Merchant’s terms and conditions and data protection information apply.
The legal basis is the fulfilment of agreements to which the customer is party and Norion Bank and the Merchant’s legitimate interest in preventing fraud.
4.4 Public Authorities
We may share and transfer information about you to different authorities such as the Swedish Police Authority or the Swedish Tax Agency. We will transfer all or some of your personal data that we process if we are obliged to do so by law or if you have given your consent.
Personal data is shared with authorities when Norion Bank is required by law to do so, or in some cases if you have requested that we do so, for example to prevent and investigate crime.
Depending on the authority and purpose, the legal basis is the fulfillment of a legal obligation, the performance of a contract, or Norion Bank's legitimate interest in counteracting and preventing criminal transactions.
4.5 Payment service providers
Norion Bank shares personal data, such as card details, to PSPs (Payment Service Provider) that are PCI DSS-certified and which we cooperate with in order to manage a card purchase through Walley Check-out. This sharing is based on the legal basis of fulfilment of agreement, in other words, in order to perform the transaction.
4.6 Invoice distributor
If you have paid by invoice, your contact details, such as name, address and details of your purchase, will be sent to our invoice distributor who creates the invoices for us. This sharing is based on the legal basis of performance of contract, in order for us to administer your payment.
4.7 Debt collection agencies
In cases where you have an outstanding credit with us that has fallen due for payment, we will use a debt collection agency to collect the debt. In such cases, we will share your personal data, such as your personal identification number, contact details and debt information, with the debt collection agent. The debt collection companies process personal data in accordance with their own data protection information and are the data controllers for their processing of personal data. This sharing is based on the legitimate interest to collect and sell debts.
4.8 Collaborative partners and suppliers
We may share your personal data with suppliers and partners who act in the role of personal data processor to us or as independent personal data controllers. This sharing is necessary so that we can, e.g.,
- Provide you with technology that enables electronic identification.
- Holding suppliers of IT systems, hosting services and other technology..
- Hold suppliers who provide us with development and operational services, incl. Maintenance and support.
4.9 Others
We may also share your personal data with natural and legal persons who are authorized to access the data for several reasons, such as, e.g.,: limited guardian, administrator or power of attorney of various kinds.
5. Transfer of personal data to recipients in non-EU/EEA countries
We strive to ensure that your personal data only is processed in countries within the EU and EEA, but there are times when data is processed outside the EU or EEA (a so-called "third country"). Such processing takes place only if the other regulations in the General Data Protection Regulation are followed and that one of the following conditions is met:
- The European Commission has decided that there is an adequate level of protection in the country in question, according to Article 45 of the Data Protection Regulation,
- that other appropriate safeguards have been put in place, such as standard contractual clauses or binding corporate rules, in accordance with Articles 46(2) and 47 of the Data Protection Regulation respectively.
When transferring personal data to third countries without an adequate level of protection, Norion Bank uses additional safeguards to protect transferred personal data. Examples of such data may include pseudonymization or not transferring personal data in plain text. Supplementary protection measures are used to ensure an adequate level of protection for transferred personal data.
6. Retention period for personal data
As stated above, we will only store and process your personal data for as long as there is a legal basis for doing so. How long we retain your data depends on the purpose of the processing and the bank's legal obligations to retain data.
6.1 If you have entered into a contract with us
As a general rule, we will retain personal data relating to a contractual relationship for the duration of the contractual relationship with you and thereafter for 10 years in view of the rules on mutual contract statute of limitations. In some cases, the data may be retained for a longer period due to capital cover legislation with which we must comply..
If you do not enter into a contract with us, the personal data is normally retained for a maximum of 3 months, but the data may in some cases be retained for longer due to applicable legislation as exemplified above.
6.2 In case of a legal obligation to retain personal data
In some cases, we may need to store your personal data for a longer period of time in order to comply with legal requirements. Storage times may vary within the Norion Bank Group depending on national legal provisions. e.g., we are obliged to keep personal data about you to fulfill our legal obligations to hold customer knowledge for 5 years or up to 10 years in accordance with the Act (2017:630) on measures against money laundering and financing of terrorism. We also have a legal obligation to preserve accounting records for 7 years plus the current year, in accordance with the Accounting Act (1999:1078).
Below are examples of storage times in accordance with legal obligations under Swedish law. If you want more information about how the assessment has been done, you can always contact us, see contact details in section 10.
| When you use Walley's products or services | Legal basis and retention period |
| Data related to purchases made when using Walley's products or services. | 7 years plus the current year, in accordance with the Swedish Accounting Act (1999:1078). |
| Data related to credit checks when we provide you with a credit in connection with a purchase. |
3 years in accordance with the Swedish Credit Information Act (1973:1173). Credit reports for unapproved credits are deleted after 90 days. |
| Data related to the assessment of a consumer's ability to repay a credit and risk analysis when a consumer applies for any form of credit with Norion Bank. | 7 years in accordance with the Consumer Credit Act (2010:1846). |
| To prevent money laundering and terrorist financing, fraud and for security purposes. | Legal basis and retention period |
| Prevent Norion Bank's activities from being used for money laundering or terrorist financing. | 5 years or up to 10 years in accordance with the Act (2017:630) on measures against money laundering and terrorist financing. |
| Credit purposes | Legal basis and retention period |
| Ensuring payment of overdue debts, e.g. by collecting or selling overdue debts. | 7 years plus the current year, in accordance with the Swedish Accounting Act (1999:1078) after the debt has been extinguished. |
6.3 For specific purposes
If we process your personal data with our legitimate interest, we keep your personal data for as long as the purpose of the processing remains. Below are some examples of retention periods. If you want more information about how the assessment has been made, you can always contact us, see contact details in section 8.
| Purpose | Legal basis and retention period |
| To administer and manage the cases received by Walley Customer Service or Merchant Services. | Up to 10 years from the time of communication in the light of general statute of limitation rules. The processing is based on Norion Bank's legitimate interest to provide customer service and support to both Merchants and end customers. |
| Recording the phone call when you contact Walley's customer service by phone. | 90 days from the date of the recording. Please note that the phone call will only be recorded if you have given your consent. The processing is based on Norion Bank's legitimate interest to provide its customers with a quality and efficient customer service. |
| Conduct market and customer satisfaction surveys to obtain feedback and further develop Walley's products and services. | 12 months from the time of communication. The processing is based on Norion Bank's legitimate interest to further develop products and services and carry out improvement work following feedback from users of Walley's products and services. |
6.4 Legal claims
Personal data may be stored for a longer period than stated above if it is necessary for establish, file and defend legal claims.
6.5 Right to erasure
Under the General Data Protection Regulation, you have the right to request the erasure of your personal data. We delete your data only if there are no legal or contractual obstacles. Read more in section 8 below.
7. Protection of your personal data
Secure processing of your information is of utmost importance to us. We therefore continuously take appropriate technical, organizational and administrative security measures to protect the information we hold against loss, misuse and unauthorized access, disclosure, alteration and destruction.
8. Your rights
To exercise your rights, you are always welcome to contact us at privacy@norionbank.se. You can also find more information about your rights on the website of the Swedish Data Protection Authority.
It is free of charge to use your rights. However, Norion Bank has the right to charge a reasonable administrative fee if your request is clearly unfounded or unreasonable.
8.1 Register extracts
You have the right to obtain a copy of your personal data registered with us in accordance with applicable data protection legislation, a so-called register extract. You can request this by logging on to gdpr.norionbank.se, or by contacting us using the contact details provided in this data protection information.
8.2 Rectification
If you suspect or have discovered that personal data is inaccurate, incomplete or irrelevant, you have the right to request that the data is being corrected or deleted. If so, please contact us using the contact details provided in this data protection information. See further information on the right to be forgotten under the section on erasure, below.
8.3 Erasure (right to be forgotten)
You have the right to request that we erase personal data relating to you (more commonly known as the right to be forgotten). Once we have received such a request, we will make an assessment on a case-by-case basis. We will delete your data only if there are no legal or contractual obstacles. For example, it is not possible to delete data relating to you if there is a legal obligation to keep the data.
8.4 Objection
You have the right to object to the processing based on the legitimate interest of Norion Bank or third parties.
8.5 Objection (blocking of direct marketing)
As stated in section 2.7 above, Norion Bank or one of our partners may use your data for marketing and profiling purposes. This means that you may receive advertising mailings based on the information you have provided. If you do not want to receive direct marketing, you can contact us via privacy@norionbank.se and request a block on direct marketing (so-called direct marketing block).
8.6 Dataportability
You have the right to contact us to obtain, under certain conditions and where we process personal data on the basis of contract or consent, a copy in a structured, commonly used and machine-readable format (e.g. CSV or PDF) of the personal data you have provided to us and the right to have it transmitted directly to another controller if technically feasible.
8.7 Restriction of processing
If you have turned to us with a request for erasure, objection or rectification, you have the right to request restriction of processing while your request is being considered. This may mean, for example, that the authorization for case workers to process your personal data is limited or that your personal data is not processed at all during the time your request is examined.
8.8 Confirmation of identity and processing times
If we have reasonable reasons to doubt your identity, Norion Bank is obliged by law to request additional information to confirm your identity. If it is, in an individual case, not possible to confirm your identity, Norion Bank is thus prevented from fulfilling your request.
Your request will be processed without delay and at the latest within one (1) month from receiving your request. This period may be extended by up to two (2) months taking into account the complexity of your request and the number of requests received.
9. Automated decisions and profiling
9.1 Automated decisions
Automated decision-making means that we make decisions by technical means, using algorithms, without any human intervention by us. The decisions may have legal implications or similarly significantly affect you.
In our automated credit assessment, we use decision rules, repayment capacity calculations and statistical models. The statistical models are designed to estimate the risk of the individual credit application and are based on historical outcomes of previously issued credits. The automated decisions are based on information provided by you and on information obtained from internal and external sources. Norion Bank uses automated decision-making in the following situations:
- Decision to approve your application to use a service involving credit. Information on the personal data used in the automated decision-making can be found in section 3.5.
- Deciding not to approve your application to use a service involving credit. These automated credit decisions are based on information provided by you, information from external sources such as credit reference agencies and Norion Bank's own information. Information on what personal data is used in the automated decision-making can be found in section 3.5.
- Decision on whether there is a risk of money laundering based on an analysis of customer behavior. Norion Bank examines, when relevant, whether specific customers are listed on sanctions lists. Information on what personal data is used in the automated decision-making can be found in section 3.3.
- Deciding whether there is a fraud risk associated with a transaction or whether a particular customer poses a fraud risk. Information on the personal data used in automated decision-making can be found in section 3.3.
If you do not pass the automated decision making described above, you will not be able to access Norion Bank's services, including our payment methods at Walley.
The purpose of automated decision making is to enable us to administer credit efficiently and legally. The automated decision-making process is overseen by Norion Bank's Data Protection Officer.
9.2 Your right to object to an automated decision
Norion Bank’s legal basis for automated decision-making is that it is necessary for entry into or fulfilment of an agreement between you and us, or if you have given your consent (article 22.1 a and 22.1 c of the General Data Protection Regulation).
You have the right to contact us at privacy@norionbank.se or +46 (0)10-161 00 00 for personal contact with an employee at Norion Bank. You have a special right to express your opinion and contest the automated decision. You also have the right to have the automated decision explained to you.
We will examine your objection in the individual case without delay and within one (1) month of Norion Bank receiving your request. This period can be extended by up to two (2) months in view of the complexity of your objection and the number of requests received.
9.3 Profiling
Profiling refers to the automatic processing of personal data that is used to assess certain personal characteristics of a natural person, particularly with regard to analysing or predicting, for example, their financial situation, personal references, interests and residence.
We use profiling for:
- market and customer analyses
- system development.
- marketing.
- transaction monitoring to counter fraud
10. Data Protection Officer (DPO)
We have appointed a data protection officer who will monitor our adherence to the rules on personal data protection in our business. The data protection officer must fulfil their assignment in an independent manner in relation to the other parts of our business.
You have the right to contact the data protection officer regarding any questions concerning your personal data and the fulfilment of your rights.
E-mail:
Telephone:
010-161 00 00
11. Right to lodge a complaint to the Swedish Authority for Privacy Protection
For questions concerning our personal data processing, please contact us at privacy@norionbank.se. If you suspect that we have processed your personal data incorrectly or without permission, please contact us first so that we can investigate your suspicion.
If you believe that we have processed your personal data incorrectly or without permission, you can direct a formal complaint to the Swedish Authority for Privacy Protection in accordance with article 77 of the General Data Protection Regulation. The Swedish Authority for Privacy Protection is the independent supervisory authority that exercises supervision over regulatory compliance with the General Data Protection Regulation in Sweden. You can find more information at www.imy.se/en/
12. Amendments to this data protection information
Norion Bank reserves the right to make amendments to this data protection information at any time insofar as the amendments are necessary. All amendments are published on the website www.walleypay.com. You should therefore review this data protection information regularly to make sure you are satisfied with the amendments.
Last updated
2024–01–08