Your Agreement with Buypass
“Personal data” describes data and evaluations that can be connected to an individual. Buypass processes personal data in accordance with the Norwegian Personal Data Act and its associated regulations, as well as other relevant legislation, such as the Norwegian Marketing Control Act and the Norwegian Accounting Act.
Data Protection Officer
Buypass has its own data protection officer who you can contact if you have any questions about how Buypass processes your personal data, or if you need help exercising your rights in relation to your personal data. The data protection officer has a duty of confidentiality.
Processing of Personal Data
Our legal basis and purpose for processing personal data
In order to process your personal data, we must have a legal basis for doing so. We process data on the following legal bases:
1) It is necessary to fulfil our agreement with you
Our primary purpose for processing your data is user administration. Depending on which of our services you have chosen, we also process data for the purposes of invoicing and executing payment orders.
2) Legal obligations
Buypass also processes your personal data to fulfil our obligations in accordance with the relevant laws, regulations, and government decisions, such as the Norwegian Personal Data Act, the Norwegian Bookkeeping Act, and the Norwegian Money Laundering Act, as well as any mandatory disclosure orders.
The purposes of this type of processing include preventing and uncovering criminal acts (such as identity theft, money laundering, terrorist financing, and fraud), fulfilling our bookkeeping requirements, and meeting our obligations in terms of reporting to the police, regulatory authorities, and other authorities pursuant to the law.
3) Legitimate interest
Buypass may process your personal data with the purpose of safeguarding a legitimate interest. In order to take precedence over individual privacy concerns, the legitimate interest must be lawful, predefined, genuine, and reasonably justified in the business activity.
One example of processing personal data on this basis would be monitoring user transaction patterns in order to discern whether a criminal act has taken place.
If no other legal basis applies, Buypass processes your personal data on the basis of voluntary, explicit, and informed consent from you, as the user of our services. If you have given your consent for Buypass to process your personal data, you may withdraw it at any time. If you withdraw your consent, we will stop the processing and, if the sole legal basis for our processing was your consent, erase your personal data.
When does Buypass collect personal data?
- When you register with us to use our services
- When you or Buypass make any changes to the information related to your user account with us
- When you make use of our eID and/or payment services
- When you answer our inquiries
- When you order a product or service from us
- When you use one or more of our solutions
- When you send us an inquiry
- When you sign up to an activity
- When you consent to receiving newsletters and other relevant information from us
- When you apply for a job with us
- When you visit our website www.buypass.no or www.buypass.com
- See also the customer agreement where relevant
Visiting Our Websites
When you visit our website, it places a cookie on your computer or mobile phone, which is a small text file that stores information about your activity on our website. Using cookies means that we can recognise your device every time you visit us, making it easier for you to access and use our services. Some cookies are necessary for certain services on our website to be able to work.
We use the cookie scanning tool from OneTrust to scan our website regularly in order to maintain the list of cookies we use. We classify cookies in the following categories:
- Strictly necessary cookies
- Performance cookies
- Functional cookies
- Targeting cookies
You can change your cookie settings whenever you want (with the exception of Strictly necessary cookies) by clicking on the “Cookies setting” button at the bottom of the website.
Buypass collects de-identified and anonymised data on visitors to our websites. The purpose of this collection is to develop statistics that can be used to improve and further develop the content on our websites. Examples of the type of data we collect include how the visitor uses our website, which website the visitor has come from, how many visitors visit different pages, how long visits last, what visitors click on, and which browser the visitor is using.
This data is processed in a de-identified and aggregated form. “De-identified” means that we cannot trace the data that we collect back to the individual user. “Aggregated” means that all the data is combined into one group and not processed individually. In addition, IP addresses that are collected via our websites are anonymised.
Our legal basis for processing data with the purpose of generating anonymous statistics is Article 6(1)(f) of the General Data Protection Act (GDPR), which allows us to process data that is necessary for safeguarding a legitimate interest. In this case, the legitimate interest is to improve and further develop the information on our websites.
All visits to our website are stored in a log on our servers. This data is collected to safeguard the operation of our website. In the event of an attack against our website, the IP address that is used in connection with the attack will be blocked.
Other Information Collected via Our Website
If you use the contact form on our websites, we will ask for the following information: first name, last name, company, phone number, e-mail address, and the message you want to send. Data from the contact form is stored in our customer service system (CSS), as well as in our customer relationship management (CRM) system when relevant. All registered data will be temporarily stored in our content management system (CMS).
- Our CSS sends e-mail and stores data
- Sales-related inquiries are stored in our CRM system
- Consent for electronic marketing
Our legal basis for this processing is Article 6(1)(f) of the GDPR, which allows us to process data that is necessary for safeguarding a legitimate interest. In this case, the legitimate interest is to be able to answer and have a conversation concerning your inquiry.
Subscribing to newsletter
Buypass sends newsletters via e-mail to those who want to receive them. The newsletter contains the latest news from Buypass, as well as information on our solutions and any activities that we are offering.
In order to send you our newsletter, we register your name, company name, and e-mail address. When you subscribe to our newsletter, you simultaneously consent to our processing of this data. Your contact details are saved in our CRM system and are not shared with any other party. If you unsubscribe from our newsletter, you simultaneously withdraw your consent to this processing, and your data is subsequently erased. You can unsubscribe by clicking the link for this within the newsletter or by using our contact form (see Contact Information below).
Our legal basis for processing your personal data in connection with our newsletter is Article 6(1)(a) of the GDPR – in other words, your consent. You can withdraw your consent at any time by unsubscribing from the newsletter. Withdrawing your consent will not impact the legitimacy of the processing that happened before consent was withdrawn.
When signing up to an event, we will ask for personal data such as your name, contact information and workplace. This data is collected with the purpose of providing information to other participants, managing and facilitating the event itself, and preparing an attendance list. This data is stored in our CRM system.
Our legal basis for this processing is Article 6(1)(f) of the GDPR, which allows us to process data that is necessary for safeguarding a legitimate interest. In this case, the legitimate interest is to be able to conduct activities, such as seminars, smoothly and efficiently.
Our Use of Other Tools
Hotjar is an analytical tool that we use to analyse user behaviour on our websites in order to make them more user friendly. It uses the visitor’s IP address to collect data on their movement, clicks and general behaviour on the website. This data is anonymised and stored for a maximum of 365 days.
Microsoft Dynamics CRM
We use Microsoft Dynamics CRM to manage information about our contacts (customers, partners, and prospective customers), such as names, e-mail addresses, telephone numbers, and notes related to conversations/sales processes. This data is stored for as long as there is a need for it, or until the user requests for it to be erased.
We use Pureservice from Syscom AS as a case management tool for our customer support service. We store data such as names, e-mails, telephone numbers, and description of the matter and the suggested solution. Our legal basis for this processing is Article 6(1)(f) of the GDPR, which allows us to process data that is necessary for safeguarding a legitimate interest, as well as Article 6(1)(b) of the GDPR, which allows us to process data that is either necessary for fulfilling an agreement with the data subject or for implementing measures at the data subject’s request before entering into an agreement.
Buypass is required to keep a copy of validations for any issued certificates for 10 years after the certificate has expired or been revoked.
Buypass will not disclose your personal data to any third parties unless this is required by the relevant legislation or in accordance with a final judgement, or unless this is known and approved by you beforehand.
For more details on sharing information, see point 2.5 of the customer agreement.
Storage and Security
When you submit your personal data to us, you can be sure that storage and processing only takes place in Norway. Buypass does not store personal data for longer than is necessary to fulfil the purpose of processing.
In accordance with the GDPR, we have established and documented measures and routines that safeguard the integrity, accessibility, and confidentiality of all the personal data we process.
All our eID and payment services are encrypted with technology that has been deemed secure by the relevant legislation and standards.
It is your responsibility as the data subject to keep the password or PIN code that gives you access to our services, or services from other providers that use our eID and payment services, secret.
For more details on how we process and store your personal data, see point 2.3 of the customer agreement. For more details on liability, see section 3 and point 7.2 of the customer agreement.
Accessing, Changing, and Rectifying Information
In accordance with the Norwegian Personal Data Act, you have the right to access your own personal data. If the information we have about you is incorrect, you have the right to have the information rectified, supplemented, or erased. You can correct certain information yourself by logging in to “Min side” on Buypass.no or “My page” on Buypass.com.
If you have any questions related to our processing of your personal data, you can contact us either by telephone or through our contact form (see Contact Information below). To ensure that your personal data is disclosed to the correct person, Buypass may require that any requests for access be made in writing or that your identity be verified in another way.
Buypass AS stores personal data in accordance with the applicable legislation. In accordance with Section 28 of the Norwegian Personal Data Act, any data that no longer fulfils the purpose of its storage is erased. Any personal data that is processed on the basis of your consent is erased once that consent is withdrawn unless there is a legal basis or requirement for further storage.
For more details related to your right of access, right to rectification, and right to erasure, see section 2.4 of the customer agreement.
Right of Access and Disclosure of Personal Data
If you want to exercise your right of access, you can contact our customer support service, who will handle your request, and either answer your questions or advise you on how to proceed with gaining access to your personal data.
Once your access request has been received, we will respond as soon as possible and no later than 30 days after we have received your request. If unusual circumstances mean that we are unable to answer within 30 days, we will send a preliminary response explaining the delay and providing an expected response time.
Access into How Buypass Stores and Uses Customer Data
You have the right to request information on which personal data we are processing about you and which security measures are in place to protect your personal data.
With regard to 23(1)(b) and 23(1)(f) of the Norwegian Personal Data Act, you do not have the right to access any data we have registered on you in order to fulfil our duty to investigate and report suspicious transactions under the Norwegian Money Laundering Act.
Suspicion of unauthorised access:
If you suspect that someone has gained unauthorised access to your personal data, contact us immediately by using our contact form (see Contact Information below).
You have the right to terminate your customer relationship and have all your data erased without needing to provide a reason for this.
If you wish to exercise this right, you must inform Buypass via our customer support service (see Contact Information below). We will provide a response on the erasure as soon as possible and within 30 days. However, regardless of this, Buypass is obliged to store information about use of our eID and payment services in accordance with the laws and regulations that cover such services.
For more details related to your right of access, right to rectification, and right to erasure, see section 2.4 of the customer agreement.
If you believe we are processing personal data contrary to the relevant personal data legislation, you can contact our data protection officer at email@example.com or complain to the Norwegian Data Protection Authority. You can find all the contact information for the Norwegian Data Protection Authority at www.datatilsynet.no.
Changes to this Policy
Changes may be made to this policy as a result of legal requirements, in order to include new products and services or changes to existing products, or as a result of changes in how we collect and process personal data.
Buypass AS, Nydalsveien 30A, 0484 Oslo, Norway. Phone number: +47 22 70 13 00.