Background
Following the introduction of the EU’s new General Data Protection Regulation (GDPR) Bridge Capital have updated our policy on data processing. On the following pages you can read about how Bridge Capital process your data and your rights. General Data Protection Regulation (or abbreviated GDPR) is an EU regulation adopted on 27 April 2016, and which enters into force immediately in all EU member states (also adopted in Norwegian law) as per 25 May 2018. The special aspect of a regulation is that it comes into force directly, without requiring to be implemented in national legislation. GDPR concerns with the protection of natural persons regarding to the processing of personal data.
The document is divided into the following sections:
1.0 Personal data
2.0 Processing of personal and customer data in Bridge Capital
3.0 Information about you (identification)
4.0 Purpose of processing in Bridge Capital
5.0 Storage of personal and customer information in Bridge Capital
6.0 Data traffic
7.0 Disclosure of personal and customer information
8.0 Your rights and access to data
9.0 Correction or erasure of data
10.0 Complaints about Bridge Capitals data processing
11.0 Data Protection Officer (DPO)
1.0 Personal data
Personal data is any kind of information concerning an identified or identifiable person, i.e. information that refers to a natural person, e.g. such as name, address, e-mail, telephone number, national identity number, salary details, tax matters, account number and credit information. This also applies to personal data relating to the owner of a sole proprietorship, but not information concerning companies, except for information on employees of the company.
2.0 Processing of personal and customer data in Bridge Capital
Bridge Capital is the data controller for collection and processing of personal data received from existing and future customers and partners. As data processor Bridge Capital is committed to ensure a high level of security in solutions and services, which is ensured by relevant organizational, technical and physical security measures required by information on security measures as described in Article 32 of the GDPR.
In Bridge Capital, information is collected for the purpose of conducting financing activities and in connection with our offering of our financial services and solutions. Personal data is usually obtained from Bridge Capital directly from the customer or through partners at the request of the customer – this in connection with financing of equipment at Bridge Capital. Bridge Capital will register information about the customer on the establishment of the agreement and during the current contractual relationship. In some cases, Bridge Capital also collects and processes information about persons associated with our customers or the contractual relationship, e.g. actual right holders of the company, employees, agents, clerks, guarantors, debtors or chargors.
The data can be grouped into the following categories:
- Identity data
- Contact data
- Data traffic on our digital platforms
- Financial data
- Sensitive data
- Legally required data
In particular, information for compliance with the law applies that Bridge Capital, as a financial company, collects the following information (and documentation) for identification purposes – and for reporting to the authorities. The legal basis for our data processing is financial sector regulations, as well as other legislation including the Act on Measures to Prevent Money Laundering and Financing of Terrorism (Money Laundering Act), the Tax Control Act, the Accounting Act or Bookkeeping rules, the Credit Agreement Act, the Payment Act and the Data Protection Act. Furthermore, Bridge Capital may process data if this is required in connection with an agreement you have entered or are considering entering into with us. Processing is also possible if you have given your consent as stated in Article 6, paragraph 1 in the GDPR – or if any of the other conditions for processing set out in Article 6, paragraph 1 and Article 9 apply. In addition, we process your data when required based on a legitimate interest of Bridge Capital, e.g. to prevent misuse, losses, strengthen security and/or for direct marketing purposes.
3.0 Information about you (identification)
– to comply with legislation we have to establish your identity entering an agreement – and this must be documented with a copy of passport, driver’s license, health card or equivalent, address (s), national identity number. As a business customer, we must obtain information about the legal form of the company, VAT/TAX number, financial details, actual right holders of the company, management, provisions regulating the power to bind.
In addition, we collect information that we find necessary to comply with the Money Laundering Act and to discourage money laundering. This after a concrete risk assessment. Personal data obtained under the Money Laundering Act – and which are not general personal data – may only be processed for the purpose of money laundering prevention. We obtain information from publicly available sources and records, local public company register, e.g. Bisnode, virk.dk, proff.dk, allabolag.se, proof.no, Brønnøysundregistrene and EU or UN sanctions registers.
We also collect information about you, actual right holders, as well as politically exposed persons and their relatives from international information providers and other publicly available sources – and Internet searches, when it is justified after a risk assessment and when it complies with the guidelines of Finanstilsynet/Finansinspektionen/Finanssivalvonta (Norway, Sweden, Denmark and Finland).
When assessing a credit, we may investigate whether information about you or your company is registered with other companies in Bridge Capital (and group affiliates) – if permitted by law – or you have provided consent, credit reporting agencies. In addition, we may receive information about you from other companies in Bridge Capital (and group affiliates) and business partners. We do this in cases where consent has been given or where there is legal basis for this, including Article 6 paragraph 2 in the GDPR.
4.0 Purpose of processing in Bridge Capital
The purpose of data processing and registration of personal data in Bridge Capital is primarily in connection with customer administration, invoicing of services, and fulfillment of the obligations that Bridge Capital has undertaken for the execution of transactions and service agreements with the customer. Personal data is processed to the extent that the law requires or gives access to it – or the customer has consented to such processing.
Personal and customer information is collected and processed in connection with:
- Credit processing/assessment
- Entering an agreement
- Invoicing
- Customer administration
- Partner- and reseller administration
- Compliance with regulatory requirements (including anti-money laundering)
5.0 Storage of personal and customer information in Bridge Capital
Bridge Capital keeps your information for as long as it is necessary for the purposes that are the basis for the collection, processing or storage of your data. According to the Money Laundering Act, information, documents and records are kept for at least five years after the end of the business relationship or the execution of each transaction.
Bridge Capital may process personal information for the purpose of preventing, uncovering, resolving and handling fraud and other criminal offenses. The information will be obtained from and disclosed to other financial companies, the police and other public authorities. The reporting obligation for reporting and inquiries will be up to ten years after registration. Bridge Capital will process personal information to fulfill the investigative and reporting obligation concerning suspicious transactions under the Money Laundering Act. Bridge Capital will be required to report suspicious information and transactions to ØKOKRIM v/Enheten for finansiell etterretning (EFE) in Norway, to Statsanklageren for særlig Økonomisk og International Kriminalitet (SØIK) in Denmark, to Finanspolisen (FIPO) in Sweden, and to National Bureau of Investigation (Keskusrikospoliisi – KRP) in Finland. You will not have access to the information Bridge Capital has registered for this purpose.
6.0 Data traffic & cookies
Bridge Capital process data relating to the use of www.bridgecapital.dk, www.bridgecapital.no, www.bridgecapital.se and www.bridgecapital.fi.
Cookies
Cookies are small text files that are placed on your computer by websites that you visit. We only use necessary cookies to make our site work. Necessary cookies enable core functionality – such as accessibility, security and network management. You can disable these by changing your browser settings – but this may affect how the website functions. We use Google Analytics which allow us to count visits and traffic sources, so we are able to measure and improve the performance of our site – and help us to see how visitors move around our site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our site.
7.0 Disclosure of personal and customer information
Bridge Capital discloses information about you to public authorities, to the extent that we are required to do so by law. Furthermore, information is transmitted to ØKOKRIM v/Enheten for finansiell etterretning (EFE) in Norway, to Statsanklageren for særlig Økonomisk og International Kriminalitet (SØIK) in Denmark, to Finanspolisen (FIPO) in Sweden, and to National Bureau of Investigation (Keskusrikospoliisi – KRP) in Finland – and TAX authorities.
In addition, with your consent or if required by law, information is provided internally in Bridge Capital (and group affiliates) – and to business partners and banks. Transferring data to Bridge Capital’s data processors is not considered to be issue of the data. Personal data may be disclosed to other group affiliated companies if this is necessary for monitoring and reporting purposes required by law.
In the event of breach of obligations, we may report you to credit reporting agencies and / or warning records in accordance with applicable rules. In connection with IT development, hosting, support and customer-specific solutions, personal data can be transferred to data processors. In this context, Bridge Capital uses standard contracts approved by the European Commission or the Data Protection Agency to ensure that your rights and the level of protection accompany your information.
8.0 Your rights and access to data
As a customer in Bridge Capital you may require access to your registered data. By writing to Bridge Capital (Data Protection Officer, see further section 11.0), you can gain insight into what information we process about you, where we have data from and what we use the information for. You may also be informed of who may have received the information to the extent that they are disclosed. However, your access to insights may be limited by legislation, consideration of other people’s privacy, and consideration of business-protected knowledge.
9.0 Correction or erasure of data
If your information is incorrect, incomplete or irrelevant, you have the right to have the information corrected or deleted with the restrictions provided by law. If you dispute the accuracy of the information we have recorded about you – or you have objected to the processing for which the information is subject to Article 21 of the GDPR – you may require that we limit the processing of that information to retention. The processing is limited to retention only until the accuracy of the information can be ascertained or it can be verified whether our legitimate interests precede your interests. If you have a request for deletion of information, you may request that the processing of this information be restricted to retention. If the processing of the information is only necessary to make a legal claim, you may also require that other processing of this information be restricted to storage. Bridge Capital has the opportunity to take other action if it is necessary to make a legal claim or you have given your consent.
10.0 Complaints about Bridge Capitals data processing
If you think that Bridge Capital has not complied with its GDPR rights, you have the right to complain to the current regulatory authority. This is done by sending a complaint to the local Data Inspectorate – contact information can be found at; www.datatilsynet.no (Norway), www.datatilsynet.dk (Denmark), www.datainspektionen.se (Sweden) and www.tietosuoja.fi (Finland).
11.0 Data Protection Officer (DPO)
Bridge Capital is responsible for the processing of personal data in Bridge Capital, cf. the GDPR and the Data Protection Act. Bridge Capital has appointed a Data Protection Officer (DPO) for the Nordic region. The DPO will be Bridge Capital’s contact person in all questions and requests regarding GDPR and personal information – including access to documents, corrections, deletions, revocation of consent relating to Bridge Capital in the Nordic region. DPO can be contacted by email dpo@bridgecapital.no.