Finland
Kirjaudu sisään

Valitse maa

Privacy policy

Svea Payments Oy's customer account register

1.General

This privacy statement is issued to the data subject and the supervisory authority as required by the EU General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the “General Data Protection Regulation”) and the national Data Protection Act (2018/1050).

This privacy statement concerns specific personal data of the customers that have signed an agreement on payment services with Svea Payments or potential customers, i.e. the contact persons of and persons representing webstores, companies, associations or other operators. 

2. Controller and their contact information

Svea Payments Oy, business ID: 2121703-0, (“Svea Payments”)
Address: Mechelininkatu 1a, 00180 Helsinki, Finland
Controller’s contact person: Svea Payments Oy Data Protection Team 
Email address: tietosuoja.payments@svea.fi

3. Contact information of the data protection officer

Svea Payments’ Data Protection Officer
Postal address: Mechelininkatu 1a, 00180 Helsinki, Finland
Email address: tietosuoja.payments@svea.fi

4. Name of the register

Customer account register.

The data subjects are the responsible persons of corporate customers and the persons acting on behalf of the corporate customer when the company deploys or uses the services offered by Svea Payments.

A potential customer relationship typically emerges when the entity expresses an interest in Svea Payments’ services.

5. Legal basis and purpose of processing personal data

5.1. Purpose of the processing

The provision of the payment service requires the processing of personal data. The purposes for which we use personal data include:

  • customer service and customer relationship management and development
  • producing and developing services
  • business development
  • quality assurance
  • customer communications
  • compliance with requirements and obligations related to payment services
  • fulfilment of obligations based on legislation and regulations and instructions of the authorities
  • risk management and reporting
  • ensuring the security of services and preventing misuse
  • direct marketing

Personal data can be used for preventing, detecting and investigating money laundering and terrorist financing and for investigating money laundering and terrorist financing and crime through which the assets or proceeds of crime concerned by the money laundering or terrorist financing are obtained. In addition, personal data may be used to determine whether a person is subject to international sanctions complied with by the controller. 

The controller may process personal data in situations where it is necessary to prevent or investigate crimes or suspected crimes directly affecting the business activities of the controller.


5.2 Legal basis for processing

The legal bases for the processing of personal data and examples of processing are described below.

 

Legal basis Example:
Contractual relationship or pre-contractual measures The enforcement of agreements regarding Svea Payments’ payment service to which the data subject is a party or is representing such a party or the implementation of measures to be taken before such agreements are concluded. Service production pursuant to agreement. In connection with personal guarantees, we check the guarantor’s credit history
Statutory obligation

Legislation on the prevention of money laundering and terrorist financing or taxation, accounting regulations and the Act on Strong Electronic Identification and Electronic Trust Services.
Reporting to relevant authorities, such as the Financial Supervisory Authority.

Industry-specific legislation. 
Legitimate interests of the controller or a third party

In most cases, the controller’s legitimate interest is based on a customer or corresponding relationship between the controller and the data subject.

Direct marketing or product and service development. We ensure that processing based on legitimate interest is proportionate to the data subject’s interests and benefits and meets their reasonable expectations. 
Consent Direct marketing using an electronic channel is usually based on the data subject’s consent.

 


Automatic processing and profiling
The processing of personal data does not involve automatic decision making or profiling referred to in the General Data Protection Regulation.

6. Data content of the register 

We process personal data of representatives, responsible persons and owners of corporate customers who use payment services, such as the person’s role (contact person, contractual contact person, board member, beneficial owner). 

For corporate customers and potential corporate customers, the following data may be collected about the data subjects in the customer register, depending on the status of the data subject and the channel used:

  • Name
  • Email address
  • Telephone number
  • Personal identity code
  • Citizenship and country of residence
  • Position in the company or association
  • Potential political influence
  • Quantity of stocks or holdings
  • Copy of valid identification card
  • Various forms of recordings and messages involving the data subject as a party
  • Technical identification data
     

7. Regular sources of data

As a rule, data is collected from the customer or the data subject. Data may also be collected when services are used. To the extent permitted by law, we collect and update personal data from third-party registers, such as:

  • registers maintained by the authorities (e.g. Finnish Patent and Registration Office, Digital and Population Data Services Agency)
  • commercial intermediaries maintaining databases necessary for the investigation of international sanctions, politically exposed persons and beneficial owners;
  • credit information registers 

The following information, among other data, is automatically retrieved from the databases: personal identity code, name, citizenship, registered office, position in the company, quantity of shares or participations, new payment default entries. The information retrieved depends on the company form and any changes in persons in charge and beneficiaries.

8. Recipients/recipient groups of personal data

Svea Payments uses various service providers in the processing of personal data, including companies belonging to the same group as Svea Payments. Data may be disclosed to companies within the same group to the extent permitted by law. Personal data may be disclosed to authorities, such as the Financial Supervisory Authority, the police and enforcement authorities when required by law. Agreements on the processing of personal data pursuant to the data protection regulations have been concluded with the processors of personal data.

9. Transfer of personal data outside the EU or EEA

Svea Payments uses subcontractors for data processing. Personal data is not transferred outside the EU/EEA. 

10. Personal data, their storage period and basis and the processors

Personal data related to the customer relationship is processed for the duration of the customer and contractual relationship. The contract data will be erased no later than ten years after the end of the contract. Customer relationship data, such as customer due diligence data, will be erased or anonymised approximately ten years after the end of the last agreement. The data will be erased in accordance with the erasure processes followed by the controller.

With regard to potential customers, the data is stored for as long as the storage of the data is necessary to establish a potential customer relationship.

11. Rights of data subjects

The data subject has the right to receive confirmation from the data controller as to whether or not the personal data of the data subject is being processed or has been processed. If the controller processes the personal data of a data subject, the data subject has the right to receive a copy of the personal data processed. The controller may collect a reasonable administrative fee for additional duplicates requested by the data subject. 

The data subject has the right to request the controller rectifies inaccurate personal data and to update the data, as well as the right to request the erasure of personal data in specific situations. 

In specific situations, the data subject may have the right to restrict the processing of personal data. If the processing is restricted, the controller does not, as a rule, process your personal data apart from storing the data. This right exists, for example, when the data subject contests the correctness of the personal data, the processing is unlawful or when the data subject has objected to the processing of their personal data and is waiting for a reply to the request for action in question. 

The data subject has the right to receive the data they have provided in an electronic format and to transfer the data from one system to another in cases where the processing is based on consent or a contract, the data has been processed by automated data processing and the rights and freedoms of third parties are not adversely affected by the transfer.

All requests mentioned herein must be submitted to the above-mentioned contact person of the controller.

12. Right to withdraw consent

The controller may process personal data on the basis of consent. Consent can be withdrawn at any time by contacting Svea Payments using the contact details provided in this statement. The withdrawal of consent does not affect the lawfulness of processing based on consent that took place before the withdrawal.  

13. Right to file a complaint with a supervisory authority

If the data subject believes that Svea Payments is not complying with the EU’s General Data Protection Regulation (GDPR) or other applicable legislation when processing personal data, the data subject can file a complaint with the competent authority. In Finland, the authority supervising the compliance with the regulation concerning the processing of personal data is the Data Protection Ombudsman: Ratapihantie 9, 00520 Helsinki, Finland, and https://tietosuoja.fi/en/home.

14. Information protection

Svea Payments has appropriately protected the information using technical and organisational measures and protects all information in its possession against loss, misuse, unauthorised use, disclosure, alteration and destruction. The following methods, among others, are used to protect the data file:
- protection of hardware and files
- access control
- access rights
- user log information
- processing instructions and supervision

Svea Payments also requires its subcontractors to protect personal data appropriately. 

15. Changes to the privacy statement

You can always find the most recent version of the privacy statement on Svea’s website: Privacy policy | Svea | Svea Bank. Please read the privacy statement on a regular basis.

 

This privacy statement was last updated on 1 October 2025.