End User Privacy Policy

Of Nordigen’s Account Information Service

Last Updated on 14th December, 2022

This privacy policy explains how Service Provider uses the Personal Data that is collected, used and shared once You access and use the Account Information Service (as defined in Terms and Conditions of Service Provider’s account information service).

INTRODUCTION

Services are provided by SIA "Nordigen Solutions", a private limited liability company registered under the laws of the Republic of Latvia, company registration number 40103982535 (hereinafter referred to as Nordigen). Nordigen SIA was acquired by GoCardless (as defined below) in July 2022. As a result of such acquisition, the parties are currently going through an integration period. Throughout this integration period, the Services will be provided by Nordigen and GoCardless S.A.S, with company number 834422180 and registered address 7 Rue de Madrid, 75008 Paris, France for all services provided to Users located in the European Economic Area and by GoCardless Ltd with company number 07495895 and registered address Sutton Yard, 65 Goswell Road, London, England, EC1V 7EN for the provision of services provided to Users located in the United Kingdom and the rest of the world (with the exception of the European Economic Area) (hereinafter jointly and independently referred to as “GoCardless”). From 1 April 2023, the Services will be provided solely by GoCardless and Nordigen will no longer be a party of these Terms. Nordigen and GoCardless shall jointly and severally be defined as “Service Provider”, “we” or “us”. Service Provider is committed to protecting your personal data and to respecting your privacy. By accessing and using the Account Information Service You agree to the data processing practices described in this Privacy Policy.

DEFINITIONS OF TERMS USED IN THIS PRIVACY POLICY

"Applicable data privacy laws" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR ) or any national or internationally binding data privacy laws or regulations that may be applicable at any time during the term of this Privacy Policy.

"Data Controller" means the natural or legal entity/entities which determines the purposes and means of the processing of Personal Data;

"Data Processor" means the legal entity processing Personal Data on behalf of the Data Controller(s);

"Personal Data" means any information relating to an identified or identifiable natural person;

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"You" or “User” means You or the legal entity You represent.

“Account Information” means information relating to payment accounts.

"Account Information Service" means a service which enables to access, view or share (where relevant) information relating to payment accounts.

“Account Servicing Payment Service Provider” means an entity which provides and maintains a payment account for a payer.

“Service Provider Partner” means a third party, for example bank, credit institution or other service provider, which requires Your Account Information via Service Provider’s Account Information API to provide You services.

WHEN DOES THIS POLICY APPLY?

This Privacy Policy applies when You access and use Service Provider’s Account Information Services on Service Provider’s website or via Service Provider’s Partner application, website or similar service.

When You access and use Account Information Services via Service Provider’s Partner application or website, the Partner application or website will redirect You to an Account Information Service provided by Service Provider. This policy describes how Service Provider will use Your Personal Data when providing Account Information Services.

This policy does not apply to services provided to You by Service Provider’s Partner. Such services may be subject to Service Provider’s Partner terms and conditions and privacy policies.

PERSONAL DATA, PROCESSING PURPOSES AND LEGAL BASIS

The provision of Account Information Services requires Service Provider to collect information regarding Your payment accounts, transactions and other financial information from the Account Servicing Payment Service Provider You have selected. Service Provider collects Your information to provide You Account Information Service pursuant to Terms and Conditions of Service Provider’s Account Information Service (to fulfil the contract between Service Provider and You). Collection of such information is always based on Your explicit consent.

Types of personal data we are Processing: Any Personal Data obtained from Your Account Servicing Payment Service Provider as part of Account Information in accordance with Your explicit consent (First name, last name, social security number, personal identity code, IBAN, BBAN, type of account, transaction details including amount and payment recipient/sender, account balance)

Purposes of Processing and the lawful basis of Processing for each:

  • Purpose of Processing: To provide You Account Information Services according to Account Information Service terms and conditions and to transfer Personal Data to Service Provider Partner, if you have requested to do so and if it is necessary for You to use Service Provider Partner’s services.
    Lawful basis of Processing: Performance of contract between You and Service Provider
  • Purpose of Processing: User identification, to investigate any fraud, illegal activity or wrongdoing in connection with the Services; to conduct any due diligence required for us to provide You Services
    Lawful basis of Processing: To comply with our legal obligations (including KYC checks to comply with applicable AML laws)
  • Purpose of Processing: To improve, modify, enhance and further develop our Services, to anonymise or pseudonymise the Personal Data in order for it to be part of market study or analytics by us or a third party.
    Lawful basis of Processing: Our legitimate interest in ensuring that we can provide You with the Services and to continuously improve our Services

Service Provider may also collect some information about You from Service Provider’s Partner which is necessary to provide You Account Information Services. In addition, Service Provider may perform data cleansing, transaction categorization, data enrichment and similar data processing activities on the retrieved Account Information where it is reasonably necessary for You to be able to receive services provided by Service Provider’s Partner.

FOR HOW LONG DOES NORDIGEN STORE YOUR DATA?

In general, Service Provider only keeps Your Personal Data for the time necessary to fulfil the purpose of collection or further Processing, namely providing the required Services. To determine data retention periods, Service Provider takes into account:

  • whether Personal Data is processed based on Your consent;
  • our legal obligations under applicable law;
  • our contractual obligations and rights;
  • our legitimate interests;
  • potential disputes, necessity to be able to investigate any fraud, illegal activity or wrongdoing in connection with the Services.

If You wish You can request to delete the Personal Data You have provided to Service Provider via Account Information Service, by sending an e-mail to: help@gocardless.com

However, some data may be kept for a longer period when it is necessary to fulfill Service Provider’s legal obligations, for example the applicable anti-money laundering laws.

WHAT ARE YOUR DATA PROTECTION RIGHTS?

Service Provider would like to make sure You are fully aware of Your data protection rights. Every user of the Account Information Service is entitled to the following:

The right to access – You have the right to request Service Provider for copies of Your personal data.

The right to rectification – You have the right to request that Service Provider corrects any information You believe is inaccurate. You also have the right to request Service Provider to complete information You believe is incomplete.

The right to restrict Processing – You have the right to request that Service Provider restrict the Processing of Your personal data.

The right to data portability – You have the right to request that Service Provider transfers the data that Service Provider has collected to another organization or directly to You.

Where Personal Data is Processed for direct marketing purposes or Processing is based on our legitimate interests, You have the right to object to such Processing.

If You make a request, Service Provider will answer You within one month. If You would like to exercise any of these rights, please contact us at our email: help@gocardless.com.

In case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character, Service Provider is entitled to charge an administrative fee. In such cases You will be notified thereof beforehand.

RECIPIENTS OF PERSONAL DATA AND TRANSFERS

Your Personal Data may be accessed and processed only by authorized Service Provider employees in connection with provision of Account Information Service. All authorized employees are under confidentiality agreements with a legitimate need to process Personal Data for the Processing purposes stated in this policy.

When Service Provider’s Partner redirects You to Service Provider’s Account Information Service and You agree to Terms and Conditions of Service Provider’s Account Information Service, Your Account Information will be transferred to Service Provider’s Partner on Your own initiative if You have requested Service Provider to do so. In such cases, the Service Provider’s Partner becomes responsible for the Personal Data as a Data Controller immediately after the data transfer. Please be informed, in some cases Service Provider’s Partner may be located outside of the European Economic Area / European Union and Your Personal Data may be at a higher data protection risk due to the absence of an adequacy decision and appropriate safeguards in the respective country. If Service Provider’s Partner is located outside of the European Economic Area / European Union, we rely on Your explicit consent and the necessity for the performance of a contract between You and Service Provider for such data transfer (Article 49, section 1 (a) and (b) of the GDPR). Service Provider’s Partner will be identified in the consent window, which will always be presented before You use the Account Information Service.

We have also engaged multiple suppliers and vendors as Data Processors to help us provide You Services, e.g. cloud service providers, client relations management service providers, email service providers, payment processors etc. Service Provider will be responsible for the correct Processing of Your Personal Data according to Service Provider’s instructions given to such Data Processors and Applicable data privacy laws. Your Personal Data may be disclosed if it is required by a competent authority, the Applicable data privacy laws and other applicable laws in order to fulfill Service Provider's legal obligations.

Your Personal Data will not be transferred or stored in countries outside of the United Kingdom and/or the European Economic Area / European Union unless legal grounds for such transfer exist and there is an adequate level of data protection.

SECURITY MEASURES

In order to protect Your Personal Data, Nordigen has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the Processing and the nature of the Personal Data being processed. Organisational measures include restricting access to the Personal Data solely to authorised persons under confidentiality agreements with a legitimate need to process Personal Data for the Processing purposes stated in this policy.

CHANGES TO OUR PRIVACY POLICY

Service Provider keeps this privacy policy under regular review and places any updates on this web page. Service Provider will inform You about substantial changes to this privacy policy via Service Provider’s website, via email or other means of electronic communication. Service Provider has the right to change this privacy policy solely at any time.

HOW TO CONTACT OUR DATA PROTECTION OFFICER?

If You have any questions about this privacy policy, the data Service Provider holds on You, or You would like to exercise one of Your data protection rights, please do not hesitate to contact our data protection officer:

E-mail: help@gocardless.com

HOW TO CONTACT THE APPROPRIATE AUTHORITY?

Should You wish to report a complaint or if You feel that Service Provider has not addressed Your concern in a satisfactory manner, You may contact the Information Commissioner’s Office of the United Kingdom via e-mail: icocasework@ico.org.uk and via phone at: +440303 123 111. You may also contact the Data State Inspectorate of the Republic of Latvia via e-mail: info@dvi.gov.lv and via phone at +37167223131.