This personal data policy applies to the Nordic Payments Council (NPC), Swedish corporate identity number 802524-8645.
The NPC is the data controller according to this personal data policy and is responsible for ensuring that processing is done in accordance with the applicable legislation. All processing of personal data within the NPC is done in accordance with the General Data Protection Regulation (GDPR) and associated legislation.
This personal data policy describes what personal data we collect, the purpose of the processing of personal data, the lawful grounds for processing of personal data, and what rights you have as regard processing of personal data under the GDPR and how to contact us.
The types of data we collect and the purpose of the processing
The NPC safeguards your personal privacy and does not collect more data than is necessary to realise the purpose of collecting the data. The NPC among other things collects and processes personal data relating to employees of our member companies, employees of authorities, journalists, politicians, employees of other professional associations and others that register for our newsletters or participate in our activities. We also process personal data concerning contact persons at our suppliers and collaborating partners.
The purpose of the NPC processing of personal data is to perform tasks with the aim of realising the purposes laid down in the NPC’s Bylaws.
When the NPC collects personal data as described above, the person in question is informed of where he/she can find the NPC’s personal data policy.
The personal data the NPC collects include name, e-mail address, phone number, employer’s name and in certain cases professional title. We have received your data from you directly, from your employer or, in certain cases, from publicly available sources.
Lawful ground for processing of personal data
When the NPC processes personal data, we rely on one of the four lawful grounds stated below. If the NPC intends to process the personal data further for another purpose than for which the data was originally collected, you will be informed of this beforehand.
Storage and erasure of personal data
Personal data is not stored for longer than is deemed necessary for the purpose of the processing of the personal data.
Processing of personal data by other than the NPC
Processing of personal data can within the framework of the current regulations be done by companies that the NPC collaborates with, to carry out its services, for example IT maintenance and support or in conjunction with organising events that the NPC arranges itself or together with other organisations. Security for the protection of personal data
The NPC has established internal guidelines and adheres to guidelines and policies established by the Swedish Bankers’ Association to protect your personal data. Appropriate security measures are applied to ensure that personal data is protected against destruction, unauthorised disclosure, unauthorised access, loss or alteration.
Rights
Under the GDPR you have a range of rights as regards the processing of your personal data as described below. To exercise your rights, you are welcome to contact us using the contact information given at the end of this policy.
Right of access to personal data
You have the right to receive confirmation of whether personal data concerning you are processed by the NPC and, if so, be given access to the personal data and, for example, obtain information about:
If the NPC processes personal data about you, you are entitled to receive, free of charge, information about the processing, a so-called register extract. If your request is obviously unfounded or unreasonable, we may charge a reasonable fee for such request in accordance with the provisions of the GDPR. In order to meet our security requirements, we also reserve the right to verify that it is the right person who is requesting personal data about him- or herself.
Right to rectification of inaccurate personal data
You have the right, without undue delay, to have inaccurate personal data about you rectified and to have incomplete personal data completed.
Right to erasure (“right to be forgotten”)
In certain cases, you have the right to have your personal data erased, for example if:
The right to erasure does not apply if the personal data is required for the NPC to fulfil a legal obligation.
Right to restriction
In certain cases, you have the right to request that the processing of your personal data be restricted, i.e. that it may only be processed with your consent. This may be, for example, if you do not consider that the personal data is correct and want the use of the personal data to be restricted while the NPC verifies whether the personal data is correct.
Right to data portability
In certain cases, you have the right to transfer your personal data that you have provided to the NPC to another data controller, if this is technically possible. This might for example be the case if the processing of the personal data is based on consent.
Right to object
You have the right to object to processing of your personal data that is based on a legitimate interest. The NPC may no longer process the personal data unless we can prove that compelling legitimate grounds exist for such processing which override your interests and rights.
Right to lodge a complaint with a supervisory authority
If you consider that we are not respecting your rights, you also have the right to lodge a complaint with the Swedish Data Protection Authority.
Contact
If you have questions about the processing of personal data or wish to exercise your rights according to the above, please contact us at:
info@npcouncil.org, or
Nordic Payments Council
Box 7603
103 94 Stockholm
Sweden