Privacy policy for Digifinans
10.07.2023
1. Introduction
Privacy is important to us, and the processing of your personal data must be done securely and in line with current regulations.
This Privacy Policy explains how we collect and use your personal data when you use Digifinans loan mediation and insurance mediation services (individually the “Service”, collectively the “Services”), if you are a member of Digifinans Plus (“PlusService”) or when we process personal data about you in other contexts. It also describes which rights you have and how you can exercise your rights.
The controller for the processing of personal data that takes place under the Digifinans trademark is Sambla Group AS, registered office no. 917454000, Box Arbins gate 2, Oslo. This means that Sambla Group AS is responsible for the processing of your personal data taking place in accordance with applicable data protection legislation, i.e. the General Data Protection Regulation (“GDPR”) and supplementary national legislation.
You can always contact us with any questions about the processing of your personal data by sending an e-mail to epost@digifinans.no.
2. Important concepts
Personal information is any information that, directly or indirectly, together with other information, can be linked to a person. Examples of personal data are social security number, name and address as well as IP address.
The processing of personal data means an action or a combination of actions concerning your personal data, regardless of whether they are performed automatically or not. Examples of personal data processing are when we collect, register, store and process your personal data.
What information do we collect and what do we do with it?
3.1 How do we collect information about you?
Here we summarize what kind of personal data we collect and process about you. Further down in the policy, you can read more in detail about how we process your information in various contexts.
Information that you provide to us yourself (when you use our services)
You yourself actively provide personal data to us when you use the Service or contact us, e.g. name, social security number and address for you and your possible co-applicant, income and living arrangement, etc. We process this information to deliver the Service, and, if you have chosen to become a member of Digifinans Pluss, also to deliver Digifinans Pluss.
Information that we collect about you from other sources
You who are not a customer of ours: If you are not a customer of ours, we may collect information about you from address providers, e.g. name, telephone number and address, to provide you with marketing by telephone and post.
You who are our customers: When you apply for loan mediation with us, we carry out a credit assessment of you via the credit reporting company UC AB. We do this in order to deliver the Service. In certain cases, some of the lenders we work with may make a credit assessment of you via other credit reporting companies, e.g. Bisnode, to ensure that the information provided is correct.
You who visit our digital channels: We collect technical data when you visit our digital channels (e.g. our website), which may include the URL that is your unique access to your login page, IP address, unique device ID, usage history, browser type, language and information about identification and operating system. We do this to simplify, improve and further develop the Service and the Plus Service, as well as to ensure that the Service is used in the correct way. This information is partially collected using cookies. You can read more about how we use cookies and how to reject cookies in our Cookie Policy, which is available on our website www.digitinans.no.
3.2 Processing of personal data in connection with loan mediation
Here we describe what personal data we process in connection with loan mediation, for what purposes we process it and what legal basis we have for the processing, as well as how long we store your personal data.
The purpose of the processing – what we do and why | Types of personal data that are used for the purpose, as well as where they come from. See section 3.1 for more information. | Legal basis according to GDPR for processing the personal data. | How long we store your personal data in the various treatments. |
To register and manage your loan application in order to deliver the Service to you in accordance with the User Agreement, including presenting loan offers from the lenders we work with, and fulfilling our agreement with any lender you enter into a loan agreement with. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. If you stop using our service, we will store your information for 5 years from this, according to Act 6 March 2009 no. 11 on measures against money laundering and terrorist financing etc.. |
To carry out an ID check and PEP check (person in a politically exposed position) of you and check that you are not registered on the EU sanctions lists in order to make sure that we have the right to deliver the Service to you. |
|
We are required by law to establish the customers’ identity (Article 6(1)(c) GDPR). (Act 6 March 2009 no. 11 on measures against money laundering and terrorist financing, etc.). | We store your information for 5 years after an application has been made according to Act 6 March 2009 no. 11 on measures against money laundering and terrorist financing etc.. |
To analyze information in the loan application as well as information in the credit assessment to determine whether you are eligible for a loan. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
To transfer the loan application to the lenders we work with, when you meet the basic requirements for borrowers. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
To contact you by email, SMS, phone and post to administer the Service. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
To record telephone conversations to document and secure any agreements and consents with you and to improve our communications. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR).
The processing is based on a balancing of interests (Article 6(1)(f) GDPR). In a balancing of interests, Digifinans has assessed that we have a legitimate interest in being able to store recordings of conversations for training purposes. |
We store recordings of calls for 12 months. |
To handle customer inquiries and complaints about which you contact us. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | Processing continues until the case is closed. We then store your personal data linked to the case for 2 years to have access to history and what the complaint resulted in. |
To prevent, detect and counter fraud and misuse of the Service. |
|
The processing is based on a balancing of interests (Article 6(1)(f) GDPR). In a balancing of interests, Digifinans has assessed that we have a legitimate interest in processing personal data to prevent fraud. | This processing continues as long as you use our service. |
To maintain, develop, test and improve our Service and the technical platforms on which it is delivered. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
3.3 Processing of personal data in connection with insurance mediation
Here we describe which personal data we process in connection with insurance mediation, for which purposes we process it and which legal basis we have for the processing.
The purpose of the processing – what we do and why | Types of personal data that are used for the purpose, as well as where they come from. See section 3.1 for more information. | Legal basis according to GDPR for processing the personal data. | How long we store your personal data in the various treatments. |
To register and manage your insurance application in order to deliver the Service to you in accordance with our agreement. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. If you stop using our service, we will store your information for 5 years from this, according to Act 6 March 2009 no. 11 on measures against money laundering and terrorist financing etc.. |
To transfer insurance information to the insurance company. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
To contact you by email, SMS, phone and post to administer the Service. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
To record telephone conversations to document and secure any agreements and consents with you and to improve our communications. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR).
The processing is based on a balancing of interests (Article 6(1)(f) GDPR). In a balancing of interests, Digifinans has assessed that we have a legitimate interest in being able to store recordings of conversations for training purposes. |
We store recordings of calls for 12 months. |
To handle customer inquiries and complaints about which you contact us. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | Processing continues until the case is closed. We then store your personal data linked to the case for 2 years to have access to history and what the complaint resulted in. |
To maintain, develop, test and improve our Service and the technical platforms on which it is delivered. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
We use automated decision making
Automated decision-making refers to a decision made solely on the basis of automated processing of your personal data. We and the lenders we work with use automated decision-making when you use the loan intermediary service. This means that the information you have provided, and the information we obtain from a credit assessment about you and any co-applicants, is automatically compared with the basic requirements for borrowers that our affiliated lenders use to grant a loan, e.g. income, form of employment, applied for loan amount and similar information. If you do not meet the basic requirements set by a specific lender, the application will automatically be sorted out and not forwarded to the lender.
In certain cases, you have the right to request a manual decision-making process. In that case, contact us on the contact details below. You can also contact the respective lender for more information about how they use automated decision-making, and if you have questions about the respective lender’s processing of personal data.
The aim of us using automated decision-making is to be able to deliver a fair and correct loan mediation service and is necessary for us to be able to fulfill the agreement we have entered into with you. If you have an objection to an automated decision made by us, please contact us at epost@digitinans.no.
3.5 Processing of personal data in connection with the Plus Service
Here we describe which personal data we process in connection with the Plus Service, for which purposes we process it and which legal basis we have for the processing.
The purpose of the processing – what we do and why | Types of personal data that are used for the purpose, as well as where they come from. See section 3.1 for more information. | Legal basis according to GDPR for processing the personal data. | How long we store your personal data in the various treatments. |
To manage your membership. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR). | This processing continues as long as you use our service. |
To send out information, offers, marketing and newsletters by post, telephone, SMS and e-mail in accordance with the terms of the Plus Service. |
|
The processing is necessary for us to be able to fulfill the agreement with you (Article 6(1)(b)GDPR).
The processing is also based on a balancing of interests (Article 6(1)(f) GDPR). When weighing up the interests, Digifinans has assessed that we have a legitimate interest in processing personal data for analysis purposes, in order to have the opportunity to improve our service. |
This processing continues as long as you use our service. |
3.4 Processing of personal data in connection with marketing
Here we describe which personal data we process in connection with marketing, for which purposes we process it and which legal basis we have for the processing.
What personal data is processed
You who are not a customer of ours:
- Name
- Date of birth
- Contact details (e.g. address, telephone number)
- Information about income, payment notes etc.
You who visit our websites:
- IP address and other technical data
- Information about you that is collected via cookies
You who are a customer of ours or a member of PlusTjenesten:
- Name
- Date of birth
- Contact details (e.g. address, telephone number, e-mail)
The purpose of the processing
You who are not a customer of ours:
- To contact you by telephone and send direct mail for marketing purposes.
- To analyze and evaluate marketing mailings.
- To avoid directing marketing to people who are not considered able or should become customers (the information is deleted immediately after the check).
You who visit our websites:
- To create “lookalike” target groups and customized target groups on Facebook based on your selections and preferences in order to offer you relevant advertisements on Facebook.
- To create “Similar audience” and customized target groups on Google Adwords’ advertising network based on your selections and preferences, in order to offer you relevant advertisements via Google.
- To analyze and evaluate marketing mailings.
You who are a customer of ours or a member of PlusTjenesten:
- To send marketing to you by e-mail, SMS, telephone and direct mail.
- To analyze and group our customers according to certain selections and preferences (so-called profiling) to provide you with relevant and customized information.
- To analyze and evaluate marketing mailings.
Legal basis for the processing
We process your personal data on the basis that we have a legitimate interest in marketing our Service.
When we deliver customized marketing and offers to you who have chosen to become a member of PlusTjenesten, we process your personal data in order to fulfill the agreement with you about PlusTjenesten.
How we have thought about marketing
It is important to us that only you who actually want to receive marketing, offers and information mailings receive this. Below we describe how we intend, and how you proceed, to reject future marketing mailings.
You who are not a customer of ours – We will only contact you by post or telephone. If you do not wish to receive mailings by post or telephone, you can contact us at epost@digifinans.no and we will register you in our blocking list. Please note that in such cases we will save your name and contact details to ensure that we do not contact you again.
You who are or have been a customer of ours – If you are or have been a customer of ours, we may contact you regarding our offers by post, telephone, SMS or email. You can unsubscribe from future mailings via a link in each mailing sent by e-mail/SMS, or by contacting us at epost@digifinans.no We will only send marketing by e-mail or SMS for up to one year after the customer relationship has ended, provided that you are not currently subscribed to our newsletter or a member of the Plus Service.
You who subscribe to our newsletter or are a member of PlusTjenesten – If you subscribe to newsletters or are a member of PlusTjenesten, we may contact you regarding our offers by post, telephone, SMS or e-mail until you unregister from the newsletter or cancels membership in PlusTjenesten. You can unsubscribe from future mailings via a link in each mailing sent by e-mail/SMS, or by contacting us at epost@digifinans.no.
We use profiling
We use profiling for marketing purposes. This happens, among other things, when creating “lookalike” target groups and customized target groups on Facebook, as well as when creating “Similar audience” and customized target groups on Google Adwords’ advertising network. The purpose of the profiling is to provide you with information and marketing that we believe you will appreciate. The profiling is based on the personal data we have collected about you (e.g. address and age). Based on this information, we place you in a customer group (e.g. people aged 20-30 in area x) and tailor marketing to you based on the customer group you have been placed in.
4. Who can we share your information with?
We take all reasonable contractual, legal, technical and organizational measures to ensure that your personal data is processed securely and with an adequate level of protection when transferred to or shared with selected third parties. Such third parties will be:
Suppliers. Some of our suppliers who deliver e.g. IT services or help with marketing, analysis or statistics may gain access to your personal data.
Credit reporting companies and similar providers. Your personal information may be shared with credit reporting companies to assess your creditworthiness when you use our loan mediation service. The personal data may also be shared with providers of identity verification and fraud prevention services to verify your identity and address and protect you against fraud.
Authorities. We may hand over necessary information to authorities such as the Police, the Financial Supervisory Authority or other authorities if the law requires us to do so. We are e.g. required by law to hand over information for measures against money laundering and terrorist financing.
Lenders. In a loan comparison, we forward your application to the lenders we work with, and where the basic requirements match the application. Lenders who accept your application are responsible for their own processing of your personal data. Information about which lenders we work with can be found on our website.
Insurers. When taking out insurance, we send the insurance information to the insurers we work with. Information about which insurers we work with can be found on our website.
Group company. We may share information with our group companies to streamline internal processes and compile common statistics.
Disposal. If we sell or buy businesses, we may disclose your personal information to a potential seller or buyer of such business. If we or a significant part of our business is acquired by a third party, personal information about our customers may be shared. Before such sharing is done, we will ensure that suitable privacy measures are in place.
5. Where do we process your personal data?
We process your personal data mainly within the EU/EEA. In exceptional cases, personal data may be transferred to, and processed in, countries outside the EU/EEA, etc. third country. Companies that process personal data on our behalf always sign a data processor agreement with us to ensure an equivalent level of protection for your personal data as required by the GDPR. For business partners outside the EU/EEA, special security measures are implemented, e.g. in that we enter into agreements that include the European Commission’s standardized model clauses for data transfer which will ensure a level of protection for your personal data that is equivalent to the protection offered within the EU/EEA.
6. How long do we store your personal data?
Your personal data is only stored for as long as it is necessary for the purpose of the processing, or when we are required to store it according to applicable law. In the section above regarding respective processing, you can get specific information about how long we store your personal data for the various personal data processing.
- Personal data that is necessary to perform our Services is stored for as long as it is necessary to fulfill the agreement with you and for five years after this. According to the law, we are obliged to store certain information for a set period, e.g. in order to fulfill requirements in the Bookkeeping Act, the Money Laundering Act and other legal requirements imposed on us as loan and insurance intermediaries, and we will then delete the information accordingly.
- Personal data necessary for us to fulfill our agreement with a specific lender will be stored for as long as necessary to fulfill our agreement with the lender.
- Personal information that we use to send direct marketing to you who are not a customer is only used for the marketing occasion and is then deleted.
- Personal data that is processed to deliver the Plus Service to you is stored as long as you are a member. If you terminate the agreement, we will delete your information as soon as possible.
- Communication with you regarding inquiries to customer service and complaints is stored as long as the case is active, or as long as it is necessary to defend us against legal claims, and is deleted one year after this.</li >
- We can store de-identified information, i.e. information that is not linked to you as a person, for analysis and statistical purposes for up to five years, after which it is deleted.
7. What rights do you have?
Right to access your information
You can request a copy of your information if you want to know what information we have about you, for example. register printout.
Right to correction
You have the right to have incorrect personal data corrected or to complete incomplete personal data about you.
Right to be deleted
You have the right to request the deletion of certain personal data. This right is limited to data that, by law, may only be processed with your consent, if you withdraw your consent and object to the processing. If you wish for us to delete such personal data, please email us at kundeservice@digifinans.no. Kindly use ‘Request for Deletion’ as the subject line. To process your request, we need you to provide: phone number, email, and personal identification number, or alternatively, request a callback for identification via BankID. Please note that if you have used the company’s services, we may need to retain your personal data for different periods depending on its purpose and the legal requirements regarding how long we must retain it, as outlined in our Data Protection Policy. Once the purposes for processing have been fulfilled, the personal data will be deleted.
Right to restriction of processing
You have the right to request that the processing of your personal data be restricted, e.g. if you dispute the correctness of the information.
Right to object
When we believe that we have a legitimate interest in processing your personal data, you can object to the processing at any time. If you choose to object, we can no longer process your personal data for the purpose, if we cannot demonstrate a legitimate interest in the processing. Such legitimate interest must outweigh your interest in your personal data not being processed for privacy reasons. You can also always object to processing that we carry out for direct marketing purposes.
Right to data portability
You have the right to have personal data that you have provided to us handed over to us and/or demand that it be transferred to another data controller. The personal information must be in a structured, commonly used and machine-readable format. A prerequisite for data portability is that the transfer is technically possible and can be automated.
Right to complain
If you have views or complaints regarding the processing of your personal data, or want to exercise any of your rights, you can contact us at epost@digifinans.no
If, against all odds, we should not succeed in finding a solution together, you can contact the Norwegian Data Protection Authority, which is the supervisory authority for the processing of personal data:
Datatilsynet, P.O. Box 458 Sentrum, NO-0105 Oslo
Email: Postkasse@datatilsynet.no
Phone number: 22 39 69 00
Website: www.datatilsynet.no
8. Changes to the Privacy Policy
We reserve the right to change or update our Privacy Policy. The latest version is always available on our website www.digifinans.no. In the case of updates that are of decisive importance for our processing of your personal data, you will receive information about the changes on our website in good time before the updates take effect. If you have views on our processing of personal data as a result of the updates, you can contact us at epost@digifinans.no.