Data processing policy of Bridge Capital
Background
Following the introduction of the EU’s new General Data Protection Regulation (GDPR) Bridge Capital have updated our policy on data processing. On the following pages you can read about how Bridge Capital process your data and your rights. General Data Protection Regulation (or abbreviated GDPR) is an EU regulation adopted on 27 April 2016, and which enters into force immediately in all EU member states (also adopted in Norwegian law) as per 25 May 2018. The special aspect of a regulation is that it comes into force directly, without requiring to be implemented in national legislation. GDPR concerns with the protection of natural persons regarding to the processing of personal data.
The document is divided into the following sections:
1.0 Personal data
2.0 Processing of personal and customer data in Bridge Capital
3.0 Information about you (identification)
4.0 Purpose of processing in Bridge Capital
5.0 Storage of personal and customer information in Bridge Capital
6.0 Data traffic
7.0 Disclosure of personal and customer information
8.0 Your rights and access to data
9.0 Correction or erasure of data
10.0 Complaints about Bridge Capitals data processing
11.0 Data Protection Officer (DPO)
1.0 Personal data
Personal data is any kind of information concerning an identified or identifiable person, i.e. information that refers to a natural person, e.g. such as name, address, e-mail, telephone number, national identity number, salary details, tax matters, account number and credit information. This also applies to personal data relating to the owner of a sole proprietorship, but not information concerning companies, except for information on employees of the company.
2.0 Processing of personal and customer data in Bridge Capital
Bridge Capital is the data controller for collection and processing of personal data received from existing and future customers and partners. As data processor Bridge Capital is committed to ensure a high level of security in solutions and services, which is ensured by relevant organizational, technical and physical security measures required by information on security measures as described in Article 32 of the GDPR.
In Bridge Capital, information is collected for the purpose of conducting financing activities and in connection with our offering of our financial services and solutions. Personal data is usually obtained from Bridge Capital directly from the customer or through partners at the request of the customer – this in connection with financing of equipment at Bridge Capital. Bridge Capital will register information about the
customer on the establishment of the agreement and during the current contractual relationship. In some
cases, Bridge Capital also collects and processes information about persons associated with our customers
or the contractual relationship, e.g. actual right holders of the company, employees, agents, clerks,
guarantors, debtors or chargors.
The data can be grouped into the following categories:
- Identity data
- Contact data
- Data traffic on our digital platforms
- Financial data
- Sensitive data
- Legally required data
In particular, information for compliance with the law applies that Bridge Capital, as a financial company,
collects the following information (and documentation) for identification purposes – and for reporting to
the authorities. The legal basis for our data processing is financial sector regulations, as well as other
legislation including the Act on Measures to Prevent Money Laundering and Financing of Terrorism (Money
Laundering Act), the Tax Control Act, the Accounting Act or Bookkeeping rules, the Credit Agreement Act,
the Payment Act and the Data Protection Act. Furthermore, Bridge Capital may process data if this is
required in connection with an agreement you have entered or are considering entering into with us.
Processing is also possible if you have given your consent as stated in Article 6, paragraph 1 in the GDPR – or
if any of the other conditions for processing set out in Article 6, paragraph 1 and Article 9 apply. In addition,
we process your data when required based on a legitimate interest of Bridge Capital, e.g. to prevent
misuse, losses, strengthen security and/or for direct marketing purposes.
3. 0 Information about you (identification) – to comply with legislation we have to establish your identity
entering an agreement – and this must be documented with a copy of passport, driver’s license, health card
or equivalent, address (s), national identity number. As a business customer, we must obtain information
about the legal form of the company, VAT/TAX number, financial details, actual right holders of the
company, management, provisions regulating the power to bind.
In addition, we collect information that we find necessary to comply with the Money Laundering Act and to
discourage money laundering. This after a concrete risk assessment. Personal data obtained under the
Money Laundering Act – and which are not general personal data – may only be processed for the purpose
of money laundering prevention. We obtain information from publicly available sources and records, local
public company register, e.g. Bisnode, virk.dk, proff.dk, allabolag.se, proof.no, Brønnøysundregistrene and
EU or UN sanctions registers.
We also collect information about you, actual right holders, as well as politically exposed persons and their
relatives from international information providers and other publicly available sources – and Internet
searches, when it is justified after a risk assessment and when it complies with the guidelines of
Finanstilsynet/Finansinspektionen/Finanssivalvonta (Norway, Sweden, Denmark and Finland).
When assessing a credit, we may investigate whether information about you or your company is registered
with other companies in Bridge Capital (and group affiliates) – if permitted by law – or you have provided
consent, credit reporting agencies. In addition, we may receive information about you from other
companies in Bridge Capital (and group affiliates) and business partners. We do this in cases where consent
has been given or where there is legal basis for this, including Article 6 paragraph 2 in the GDPR.
4.0 Purpose of processing in Bridge Capital
The purpose of data processing and registration of personal data in Bridge Capital is primarily in connection
with customer administration, invoicing of services, and fulfillment of the obligations that Bridge Capital
has undertaken for the execution of transactions and service agreements with the customer. Personal data
is processed to the extent that the law requires or gives access to it – or the customer has consented to
such processing.
Personal and customer information is collected and processed in connection with:
- Credit processing/assessment
- Entering an agreement
- Invoicing
- Customer administration
- Partner- and reseller administration
- Compliance with regulatory requirements (including anti-money laundering)
5.0 Storage of personal and customer information in Bridge Capital
Bridge Capital keeps your information for as long as it is necessary for the purposes that are the basis for
the collection, processing or storage of your data. According to the Money Laundering Act, information,
documents and records are kept for at least five years after the end of the business relationship or the
execution of each transaction.
Bridge Capital may process personal information for the purpose of preventing, uncovering, resolving and
handling fraud and other criminal offenses. The information will be obtained from and disclosed to other
financial companies, the police and other public authorities. The reporting obligation for reporting and
inquiries will be up to ten years after registration. Bridge Capital will process personal information to fulfill
the investigative and reporting obligation concerning suspicious transactions under the Money Laundering
Act. Bridge Capital will be required to report suspicious information and transactions to ØKOKRIM
v/Enheten for finansiell etterretning (EFE) in Norway, to Statsanklageren for særlig Økonomisk og
International Kriminalitet (SØIK) in Denmark, to Finanspolisen (FIPO) in Sweden, and to National Bureau of
Investigation (Keskusrikospoliisi – KRP) in Finland. You will not have access to the information Bridge Capital
has registered for this purpose.
6.0 Data traffic & cookies
Bridge Capital process data relating to the use of www.bridgecapital.dk, www.bridgecapital.no,
www.bridgecapital.se and www.bridgecapital.fi.
Cookies
Cookies are small text files that are placed on your computer by websites that you visit. We only use
necessary cookies to make our site work. Necessary cookies enable core functionality – such as accessibility,
security and network management. You can disable these by changing your browser settings – but this may
affect how the website functions. We use Google Analytics which allow us to count visits and traffic
sources, so we are able to measure and improve the performance of our site – and help us to see how
visitors move around our site. All information these cookies collect is aggregated and therefore
anonymous. If you do not allow these cookies, we will not know when you have visited our site.
7.0 Disclosure of personal and customer information
Bridge Capital discloses information about you to public authorities, to the extent that we are required to
do so by law. Furthermore, information is transmitted to ØKOKRIM v/Enheten for finansiell etterretning
(EFE) in Norway, to Statsanklageren for særlig Økonomisk og International Kriminalitet (SØIK) in Denmark,
to Finanspolisen (FIPO) in Sweden, and to National Bureau of Investigation (Keskusrikospoliisi – KRP) in
Finland – and TAX authorities.
In addition, with your consent or if required by law, information is provided internally in Bridge Capital (and
group affiliates) – and to business partners and banks. Transferring data to Bridge Capital’s data processors
is not considered to be issue of the data. Personal data may be disclosed to other group affiliated
companies if this is necessary for monitoring and reporting purposes required by law.
In the event of breach of obligations, we may report you to credit reporting agencies and / or warning
records in accordance with applicable rules. In connection with IT development, hosting, support and
customer-specific solutions, personal data can be transferred to data processors. In this context, Bridge
Capital uses standard contracts approved by the European Commission or the Data Protection Agency to
ensure that your rights and the level of protection accompany your information.
8.0 Your rights and access to data
As a customer in Bridge Capital you may require access to your registered data. By writing to Bridge Capital
(Data Protection Officer, see further section 11.0), you can gain insight into what information we process
about you, where we have data from and what we use the information for. You may also be informed of
who may have received the information to the extent that they are disclosed. However, your access to
insights may be limited by legislation, consideration of other people’s privacy, and consideration of
business-protected knowledge.
9.0 Correction or erasure of data
If your information is incorrect, incomplete or irrelevant, you have the right to have the information
corrected or deleted with the restrictions provided by law. If you dispute the accuracy of the information
we have recorded about you – or you have objected to the processing for which the information is subject
to Article 21 of the GDPR – you may require that we limit the processing of that information to retention.
The processing is limited to retention only until the accuracy of the information can be ascertained or it can
be verified whether our legitimate interests precede your interests. If you have a request for deletion of
information, you may request that the processing of this information be restricted to retention. If the
processing of the information is only necessary to make a legal claim, you may also require that other
processing of this information be restricted to storage. Bridge Capital has the opportunity to take other
action if it is necessary to make a legal claim or you have given your consent.
10.0 Complaints about Bridge Capitals data processing
If you think that Bridge Capital has not complied with its GDPR rights, you have the right to complain to the
current regulatory authority. This is done by sending a complaint to the local Data Inspectorate – contact
information can be found at; www.datatilsynet.no (Norway), www.datatilsynet.dk (Denmark),
www.datainspektionen.se (Sweden) and www.tietosuoja.fi (Finland).
11.0 Data Protection Officer (DPO)
Bridge Capital is responsible for the processing of personal data in Bridge Capital, cf. the GDPR and the Data
Protection Act. Bridge Capital has appointed a Data Protection Officer (DPO) for the Nordic region. The DPO
will be Bridge Capital’s contact person in all questions and requests regarding GDPR and personal
information – including access to documents, corrections, deletions, revocation of consent relating to
Bridge Capital in the Nordic region. DPO can be contacted by email dpo@bridgecapital.no.