Of Nordigen’s Account Information Service
Last Updated on 1st December, 2021
"Data Controller" means the natural or legal entity/entities which determines the purposes and means of the processing of Personal Data;
"Data Processor" means the legal entity processing Personal Data on behalf of the Data Controller(s);
"Personal Data" means any information relating to an identified or identifiable natural person;
"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Services" means Open Banking Portal.
"You" or “User” means You or the legal entity You represent.
“Account Information” means information relating to payment accounts.
"Account Information Service" means a service which enables to access, view or share (where relevant) information relating to payment accounts.
“Account Servicing Payment Service Provider” means an entity which provides and maintains a payment account for a payer.
“Nordigen Partner” means a third party, for example bank, credit institution or other service provider, which requires Your Account Information via Nordigen Account Information API to provide You services.
WHEN THIS POLICY APPLIES?
When You access and use Account Information Services via Nordigen’s Partner application or website, the Partner application or website will redirect You to an Account Information Service provided by Nordigen. This policy describes how Nordigen will use Your Personal Data when providing Account Information Services.
This policy does not apply to services provided to You by Nordigen’s Partner. Such services may be subject to Nordigen’s Partner terms and conditions and privacy policies.
PERSONAL DATA, PROCESSING PURPOSES AND LEGAL BASIS
The provision of Account Information Services requires Nordigen to collect information regarding Your payment accounts, transactions and other financial information from Your Account Servicing Payment Service Provider You have selected. Nordigen collects Your information to provide You Account Information Service pursuant to Terms and Conditions of Nordigen’s Account Information Service (to fulfill contract between Nordigen and You). Collection of such information is always based on Your explicit consent.
Types of personal data we are Processing
Purpose of Processing
Lawful basis of Processing
Any Personal Data obtained from Your Account Servicing Payment Service Provider as part of Account Information in accordance with Your explicit consent (First name, last name, social security number, personal identity code, IBAN, BBAN, type of account, transaction details including amount and payment recipient/sender, account balance)
To provide You Account Information Services according to Account Information Service terms and conditions and to transfer Personal Data to Nordigen Partner, if you have requested to do so and if it is necessary for You to use Nordigen Partner’s services.
Performance of contract between You and Nordigen
User identification,to investigate any fraud, illegal activity or wrongdoing in connection with the Services; to conduct any due diligence required for us to provide You Services
To comply with our legal obligations (including KYC checks to comply with applicable AML laws)
To improve, modify, enhance and further develop our Services, to anonymise or pseudonymise the Personal Data in order for it to be part of market study or analytics by us or a third party.
Our legitimate interest in ensuring that we can provide You with the Services and to continuously improve our Services
Nordigen may also collect some information about You from Nordigen’s Partner which is necessary to provide You Account Information Services. In addition, Nordigen may perform data cleansing, transaction categorization, data enrichment and similar data processing activities on the retrieved Account Information where it is reasonably necessary for You to be able to receive services provided by Nordigen’s Partner.
FOR HOW LONG DOES NORDIGEN STORE YOUR DATA?
In general, Nordigen only keeps Your Personal Data for the time necessary to fulfil the purpose of collection or further Processing, namely providing the required Services.To determine data retention periods Nordigen takes into account:
If You wish You can request to delete Your Personal Data You have provided to Nordigen via Account Information Service, by sending an e-mail to: firstname.lastname@example.org
However, some data may be kept for a longer period when it is necessary to fulfill Nordigen’s legal obligations, for example the applicable anti-money laundering laws.
WHAT ARE YOUR DATA PROTECTION RIGHTS?
Nordigen would like to make sure You are fully aware of Your data protection rights. Every user of the Account Information Service is entitled to the following:
The right to access – You have the right to request Nordigen for copies of Your personal data.
The right to rectification – You have the right to request that Nordigen correct any information You believe is inaccurate. You also have the right to request Nordigen to complete information You believe is incomplete.
The right to restrict Processing – You have the right to request that Nordigen restrict the Processing of Your personal data.
The right to data portability – You have the right to request that Nordigen transfer the data that Nordigen has collected to another organization or directly to You.
Where Personal Data is Processed for direct marketing purposes or Processing is based on our legitimate interests, You have the right to object to such Processing.
If You make a request, Nordigen will answer You within one month. If You would like to exercise any of these rights, please contact us at our email: email@example.com.
In case of requests that are manifestly unfounded or excessive, in particular because of their repetitive character, Nordigen is entitled to charge an administrative fee. In such cases You will be notified thereof beforehand.
RECIPIENTS OF PERSONAL DATA AND TRANSFERS
Your Personal Data may be accessed and processed only by authorized Nordigen employees in connection with provision of Account Information Service. All authorized employees are under confidentiality agreements with a legitimate need to process Personal Data for the Processing purposes stated in this policy.
When Nordigen’s Partner redirects You to Nordigen’s Account Information Service and You agree to Terms and Conditions of Nordigen’s Account Information Service, Your Account Information will be transferred to Nordigen’s Partner on Your own initiative if You have requested Nordigen to do so. In such cases, the Nordigen’s Partner becomes responsible for the Personal Data as a Data Controller immediately after the data transfer. Please be informed, in some cases Nordigen’s Partner may be located outside of the European Economic Area / European Union and Your Personal Data may be at a higher data protection risk due to the absence of an adequacy decision and appropriate safeguards in the respective country. If Nordigen’s Partner is located outside of the European Economic Area / European Union, we rely on Your explicit consent and the necessity for the performance of a contract between You and Nordigen for such data transfer (Article 49, section 1 (a) and (b) of the GDPR). Nordigen’s Partner will be identified in the consent window, which will always be presented before You use the Account Information Service.
We have also engaged multiple suppliers and vendors as Data Processors to help us provide You Services, e.g. cloud service providers, client relations management service providers, email service providers, payment processors etc. Nordigen will be responsible for the correct Processing of Your Personal Data according to Nordigen’s instructions given to such Data Processors and Applicable data privacy laws.
Your Personal Data may be disclosed if it is required by a competent authority, the Applicable data privacy laws and other applicable laws in order to fulfill Nordigen's legal obligations.
Your Personal Data will not be transferred or stored in countries outside of the European Economic Area / European Union unless legal grounds for such transfer exist and there is an adequate level of data protection.
In order to protect Your Personal Data, Nordigen has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the Processing and the nature of the Personal Data being processed. Organisational measures include restricting access to the Personal Data solely to authorised persons under confidentiality agreements with a legitimate need to process Personal Data for the Processing purposes stated in this policy.
HOW TO CONTACT OUR DATA PROTECTION OFFICER?
Address: Ģertrūdes str. 44A, Riga, Latvia, LV-1011
HOW TO CONTACT THE APPROPRIATE AUTHORITY?
Should You wish to report a complaint or if You feel that Nordigen has not addressed Your concern in a satisfactory manner, You may contact the Data State Inspectorate of the Republic of Latvia.
Phone: +371 67223131