Privacy policy
Svea Payments Oy’s personal data register for payment services
1.General
This privacy statement is issued to the data subject and the supervisory authority as required by the EU General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “General Data Protection Regulation”) and the national Data Protection Act (2018/1050).
With regard to personal data related to the buyer’s/payer’s payment, the controller is the merchant whose online service collects the payer’s data. Svea Payments acts as the personal data processor with regard to the payer’s personal data that the seller transmits from its online service to Svea Payents’ payment service with the payment transaction data. The processing of the payer’s personal data is agreed in a separate data processing agreement between the merchantr and Svea Payments.
During the payment transaction, Svea Payments collects the information necessary for the execution of the payment transaction as well as information related to data security, which is described in more detail in section 6. Svea Payments acts as the data controller with regard to such data.
2. Controller and their contact information
Svea Payments Oy, business ID: 2121703-0, (“Svea Payments”)
Address: Mechelininkatu 1a, 00180 Helsinki, Finland
Controller’s contact person: Svea Payments Oy Data Protection Team
Email address: tietosuoja.payments@svea.fi
3. Contact information of the data protection officer
Svea Payments’ Data Protection Officer
Postal address Mechelininkatu 1a, 00180 Helsinki, Finland
Email address: tietosuoja.payments@svea.fi
4. Name of the data file
Customer register for payment services. The data subjects are persons who use the payment services offered by Svea Payments.
5. Legal basis and purpose of processing personal data
5.1. Purpose of the processing
The provision of the payment service requires the processing of personal data. The purposes for which we use personal data include:
- customer service and customer relationship management and development
- producing and developing services
- business development
- quality assurance
- compliance with requirements and obligations related to payment services
- fulfilment of obligations based on legislation and regulations and instructions of the authorities
- risk management and reporting
- ensuring the security of services and preventing misuse
Personal data can be used for preventing, detecting and investigating money laundering and terrorist financing and for investigating money laundering and terrorist financing and crime through which the assets or proceeds of crime concerned by the money laundering or terrorist financing are obtained. In addition, personal data may be used to determine whether a person is subject to international sanctions complied with by the controller.
The controller may process personal data in situations where it is necessary to prevent or investigate crimes or suspected crimes directly affecting the business activities of the controller.
5.2 Legal basis for processing
The legal bases for the processing of personal data and examples of processing are described below:
| Legal basis | Example |
| Statutory obligation |
Legislation on the prevention of money laundering and terrorist financing or taxation, accounting regulations and the Act on Strong Electronic Identification and Electronic Trust Services. Reporting to relevant authorities, such as the Financial Supervisory Authority. Industry-specific legislation. In payment intermediation, the data controller delivers the personal data of the payer or payee in connection with a payment transaction to the other party to the payment or to their payment service provider in the manner required by law.
|
| Legitimate interests of the controller or a third party |
The following activities are based on legitimate interest: - service provision |
Automatic processing and profiling
The processing of personal data does not involve automatic decision making or profiling as referred to in the General Data Protection Regulation.
6. Information content of the register
We process data in connection with the payment transaction and clearing of payments.
When creating a payment transaction, the following information is stored in the register:
- Payment information
- IP address
- IBAN account number
- Personal identity code*
- Email address
- Telephone number (when using a Svea Bank’s payment method)
* When using invoice or part payment as payment method
7. Regular sources of data
The data in the data file are obtained from the data subject and from the service provider that provides the services in connection with which the data subject uses the payment service. Personal data is received in connection with a payment transaction.
8. Recipients/recipient groups of personal data
Svea Payments uses various service providers in the processing of personal data, including companies belonging to the same group as Svea Payments. Data may be disclosed to companies within the same group to the extent permitted by law. Personal data may be disclosed to authorities, such as the Financial Supervisory Authority, the police and enforcement authorities when required by law. Agreements on the processing of personal data pursuant to the data protection regulations have been concluded with the processors of personal data.
9. Transfer of personal data outside the EU or EEA
Personal data is not transferred outside the EU/EEA.
10. Personal data, their storage period and basis and the processors
With regard to the payment information of a payment transaction, personal data is stored for five years from the payment transaction on the basis of statutory requirements set for payment institutions. Once the legal obligations related to the payment transaction have expired, the data will be erased or anonymised from the register.
11. Rights of data subjects
The data subject has the right to receive confirmation from the controller as to whether or not the personal data of the data subject is processed or has been processed. If the controller processes the personal data of a data subject, the data subject has the right to receive a copy of the personal data processed. A fee may be collected for repeated requests concerning the same set of data.
The data subject has the right to request the controller rectifies inaccurate personal data and to update the data, as well as the right to request the erasure of personal data in specific situations.
In certain situations, the data subject may have the right to restrict the processing of their personal data. If the processing is restricted, the controller does not, as a rule, process your personal data apart from storing the data. This right exists, for example, when the data subject contests the correctness of the personal data, the processing is unlawful or when the data subject has objected to the processing of their personal data and is waiting for a reply to the request for action in question.
The data subject has the right to obtain their data provided by them in an electronic format and transfer the data from one system to another when the processing is based on consent or agreement, the data has been processed automatically and the transfer of the data has no negative impacts on the rights and freedoms of third parties.
12. Right to withdraw consent
The controller may process personal data on the basis of consent. Consent can be withdrawn at any time by contacting us using the contact information provided in this privacy statement. The withdrawal of consent does not affect the lawfulness of processing based on consent that took place before the withdrawal.
13. Right to file a complaint with a supervisory authority
If the data subject believes that Svea Payments is not complying with the EU’s General Data Protection Regulation (GDPR) or other applicable legislation when processing personal data, you can file a complaint with the competent authority. In Finland, the authority supervising the compliance with the regulation concerning the processing of personal data is the Data Protection Ombudsman: Ratapihantie 9, 00520 Helsinki, Finland, and https://tietosuoja.fi/en/home.
14. Information protection
Svea Payments has appropriately protected the information using technical and organisational measures and protects all information in its possession against loss, misuse, unauthorised use, disclosure, alteration and destruction. The following methods, among others, are used to protect the data file:
- protection of hardware and files
- access control
- access rights
- user log information
- processing instructions and supervision
Svea Payments also requires its subcontractors to protect personal data appropriately.
15. Changes to the privacy statement
You can always find the most recent version of the privacy statement on Svea’s website: Privacy policy | Svea | Svea Bank. Please read the privacy statement on a regular basis.
This privacy statement was last updated on 1 October 2025.