Of Nordigen’s Account Information Service
Last Updated on 14th December, 2022
"Data Controller" means the natural or legal entity/entities which determines the purposes and means of the processing of Personal Data;
"Data Processor" means the legal entity processing Personal Data on behalf of the Data Controller(s);
"Personal Data" means any information relating to an identified or identifiable natural person;
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"You" or “User” means You or the legal entity You represent.
“Account Information” means information relating to payment accounts.
"Account Information Service" means a service which enables to access, view or share (where relevant) information relating to payment accounts.
“Account Servicing Payment Service Provider” means an entity which provides and maintains a payment account for a payer.
“Service Provider Partner” means a third party, for example a bank, credit institution or other service provider, which requires Your Account Information via Service Provider’s Account Information API to provide You services.
When You access and use Account Information Services via Service Provider’s Partner application or website, the Partner application or website will redirect You to an Account Information Service provided by Service Provider. This policy describes how Service Provider will use Your Personal Data when providing Account Information Services.
This policy does not apply to services provided to You by Service Provider’s Partner. Such services may be subject to Service Provider’s Partner terms and conditions and privacy policies.
The provision of Account Information Services requires Service Provider to collect information regarding Your payment accounts, transactions and other financial information from the Account Servicing Payment Service Provider You have selected. Service Provider collects Your information to provide You Account Information Service pursuant to Terms and Conditions of Service Provider’s Account Information Service (to fulfil the contract between Service Provider and You). Collection of such information is always based on Your explicit consent.
Types of personal data we are Processing: Any Personal Data obtained from Your Account Servicing Payment Service Provider as part of Account Information in accordance with Your explicit consent (First name, last name, social security number, personal identity code, IBAN, BBAN, type of account, transaction details including amount and payment recipient/sender, account balance)
Purpose of Processing: To provide You Account Information Services according to Account Information Service terms and conditions and to transfer Personal Data to Service Provider Partner, if you have requested to do so and if it is necessary for You to use Service Provider Partner’s services.
Lawful basis of Processing: Performance of contract between You and Service Provider
Purpose of Processing: User identification, to investigate any fraud, illegal activity or wrongdoing in connection with the Services; to conduct any due diligence required for us to provide You Services
Lawful basis of Processing: To comply with our legal obligations (including KYC checks to comply with applicable AML laws)
Purpose of Processing: To improve, modify, enhance and further develop our Services, to anonymise or pseudonymise the Personal Data in order for it to be part of market study or analytics by us or a third party.
Lawful basis of Processing: Our legitimate interest in ensuring that we can provide You with the Services and to continuously improve our Services
Service Provider may also collect some information about You from Service Provider’s Partner which is necessary to provide You Account Information Services. In addition, Service Provider may perform data cleansing, transaction categorization, data enrichment and similar data processing activities on the retrieved Account Information where it is reasonably necessary for You to be able to receive services provided by Service Provider’s Partner.
In general, Service Provider only keeps Your Personal Data for the time necessary to fulfil the purpose of collection or further Processing, namely providing the required Services. To determine data retention periods Service Provider takes into account:
If You wish You can request to delete the Personal Data You have provided to Service Provider via Account Information Service, by sending an e-mail to: firstname.lastname@example.org
However, some data may be kept for a longer period when it is necessary to fulfill Service Provider’s legal obligations, for example the applicable anti-money laundering laws.
Service Provider would like to make sure You are fully aware of Your data protection rights. Every user of the Account Information Service is entitled to the following:
The right to access – You have the right to request copies of Your personal data from Service Provider.
The right to rectification – You have the right to request that Service Provider corrects any information You believe is inaccurate. You also have the right to request Service Provider to complete information You believe is incomplete.
The right to restrict Processing – You have the right to request that Service Provider restrict the Processing of Your personal data.
The right to data portability – You have the right to request that Service Provider transfers the data that Service Provider has collected to another organization or directly to You.
Where Personal Data is Processed for direct marketing purposes or Processing is based on our legitimate interests, You have the right to object to such Processing.
If You make a request, Service Provider will answer You within one month. If You would like to exercise any of these rights, please contact us at our email: email@example.com.
In case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character, Service Provider is entitled to charge an administrative fee. In such cases You will be notified thereof beforehand.
Your Personal Data may be accessed and processed only by authorized Service Provider employees in connection with provision of Account Information Service. All authorized employees are under confidentiality agreements with a legitimate need to process Personal Data for the Processing purposes stated in this policy.
When Service Provider’s Partner redirects You to Service Provider’s Account Information Service and You agree to Terms and Conditions of Service Provider’s Account Information Service, Your Account Information will be transferred to Service Provider’s Partner on Your own initiative if You have requested Service Provider to do so. In such cases, the Service Provider’s Partner becomes responsible for the Personal Data as a Data Controller immediately after the data transfer. Please be informed that in some cases Service Provider’s Partner may be located outside of the European Economic Area / European Union and Your Personal Data may be at a higher data protection risk due to the absence of an adequacy decision and appropriate safeguards in the respective country. If Service Provider’s Partner is located outside of the European Economic Area / European Union, we rely on Your explicit consent and the necessity for the performance of a contract between You and Service Provider for such data transfer (Article 49, section 1 (a) and (b) of the GDPR). Service Provider’s Partner will be identified in the consent window, which will always be presented before You use the Account Information Service.
We have also engaged multiple suppliers and vendors as Data Processors to help us provide You Services, e.g. cloud service providers, client relations management service providers, email service providers, payment processors etc. Service Provider will be responsible for the correct Processing of Your Personal Data according to Service Provider’s instructions given to such Data Processors and Applicable data privacy laws. Your Personal Data may be disclosed if it is required by a competent authority, the Applicable data privacy laws and other applicable laws in order to fulfill Service Provider's legal obligations.
Your Personal Data will not be transferred or stored in countries outside of the United Kingdom and/or the European Economic Area / European Union unless legal grounds for such transfer exist and there is an adequate level of data protection.
In order to protect Your Personal Data, Nordigen has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the Processing and the nature of the Personal Data being processed. Organisational measures include restricting access to the Personal Data solely to authorised persons under confidentiality agreements with a legitimate need to process Personal Data for the Processing purposes stated in this policy.
Should You wish to report a complaint or if You feel that Service Provider has not addressed Your concern in a satisfactory manner, You may contact the Information Commissioner’s Office of the United Kingdom via e-mail: firstname.lastname@example.org and via phone at: +440303 123 111. You may also contact the Data State Inspectorate of the Republic of Latvia via e-mail: email@example.com and via phone at +37167223131.