DATA PROTECTION INFORMATION
The following data protection information provides an overview of how your data is collected and processed.
Via the following information, we would like to give you an overview of how we process your personal data and of the rights you have under data protection law. The exact data that is processed and how it is used will essentially depend on which services are requested and agreed.
1. Who is responsible for data processing and who should I contact about this?
Contact details as follows:
GC LEASING NORWAY AS
Arnstein Arnebergsvei 30
Tel.: +47 67 10 72 00
Fax: +47 67 10 72 10
You can contact the data protection officer for our company at:
GC LEASING NORWAY AS
FAO the data protection officer
Arnstein Arnebergsvei 30
Email address: firstname.lastname@example.org
2. What sources and data do we use?
We process personal data that we receive from our customers through our business relationship. We also – if required to provide our service – process the personal data that we are permitted to obtain from publicly accessible sources (e.g. lists of debtors, land register, the register of companies and associations, the press, the internet) or sent to us from our sales partners or other third parties (e.g. a commercial credit agency) with good authorised cause.
The personal data of relevance is as follows:
- Personal details (name, address, date and place of birth and nationality)
- Contact details (telephone number, email address)
- Identification details (e.g. ID information)
- Authentication data (e.g. specimen signature)
- Order details (e.g. payment order)
- Data collected to fulfil our contractual obligations (e.g. sales data from payment transactions)
- Information about their financial situation (e.g. credit information, scoring/rating data, origin of assets)
- Advertising and sales data (including advertising scores), documentation data (e.g. minutes of consultation)
3. Why do we process your data (the purpose of the processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.
a. To fulfil contractual obligations (Article 6 (1 b) GDPR)
Data is processed in order to provide financial services contracts to our customers or in order to take measures at the request of you prior entering into a contract. The purpose of the data processing will be geared in the first instance to the product itself (e.g. leasing and factoring) and may encompass needs assessment, consultation and the execution of transactions. For further details of the purposes for which data is processed, please refer to the relevant contract documents and terms and conditions.
b. As part of balancing interests (Article 6 (1 f) GDPR)
If necessary, we will not only process your data for the actual fulfilment of the contract, but also to protect our own legitimate interests and those of third parties, especially
- consultation and data sharing with credit agencies to determine credit and default risksFor the purposes of checking any credit or default risks, and to defend ourselves against any criminal acts, we provide Experian AS (Postboks 5275, Majorstua, 0303 Oslo) with data concerning the request and the applicant. Furthermore, we will send personal data collected for the request for, execution and ending of this business relationship, as well as data for behaviour not in compliance with the contract or for fraudulent behaviour to Experian AS. The legal basis for sending this data is Article 6 (1 b) and Article 6 (1 f) of the GDPR.
Article 6 (1 f) GDPR may only be used as the basis for sending the data if this is necessary for protecting the legitimate interests of our bank or third parties, and do not prevail over the interests or basic rights and fundamental freedoms of the person affected who needs their personal data to be protected.
Data sharing with credit agencies is also done to fulfil legal obligations in relation to conducting credit checks on customers (the Norwegian Finansforetaksloven § 13-5). In this respect, you also exempt us from banking confidentiality.
The credit agency will process the data received and also use this to create a profile (scoring), in order to provide their contractual partners in the European Economic Area and in Switzerland and, where necessary, other third party countries (provided there is an adequacy decision from the European Commission for this) with information so they can assess the creditworthiness of natural persons, among others.
GC LEASING NORWAY AS cooperates with the credit agency
Experian AS (Postboks 5275, Majorstua, 0303 Oslo).
For detailed information as described in Article 14 GDPR regarding activities undertaken by the credit agency, please click the following link:
- Experian AS, go to www.experian.no
- Checking and optimising needs requirement procedures for the purposes of direct sales approaches
- Advertising or market and opinion research, if you have not objected to your data being used
- Assertion of legal claims and defence during legal disputes
- Guaranteeing IT security and safeguarding IT operations at our company
- Prevention and clarification of criminal acts
- Building and plant safety measures (e.g. access control)
- Measures to guarantee domestic authority
- Business management measures and measures to develop products and services
c. Based on your consent (Article 6 (1 a) GDPR)
If you have given us your consent to process personal data for certain purposes (e.g. forwarding data within the Group, evaluating payment transaction data for marketing purposes), it will be lawful to do this processing based on the consent you have given. Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent received before 25 May 2018, the date on which the GDPR comes into force. Withdrawal of the consent does not affect the legality of the data processed up until the withdrawal.
d. Based on statutory provisions (Article 6 (1 c) GDPR) or public interest (Article 6 (1 e) GDPR)
Furthermore, we are required to meet various legal requirements (i.e. the provisions of the German and Norwegian Money Laundering Act, tax laws) and banking supervisory specifications (e.g. the Norwegian Financial Undertaking Act, the Financial Contract Act, the Financial Supervision Act). Reasons for processing data includes to check the creditworthiness, to confirm identity and age, to prevent fraud and money laundering, to fulfil checking and notification requirements set by tax law, and to assess and manage risks.
4. Who will receive my data?
The offices at our companies who need access to your data so that we meet our contractual and legal requirements will receive access to your data. The service providers and agents that we use may also receive the data for these purposes, if they maintain banking confidentiality. These companies fall into the categories of credit-lending services, IT services, logistics, printing services, telecommunications, debt collection, advice and consultation, plus sales and marketing.
Please bear in mind that we are required to keep all customer-related data and valuations that we know confidential (banking confidentiality) in the banking sector when we forward data to recipients outside of our company. We are only permitted to forward information about you if statutory provisions demand this, you have given your consent for this or if we are authorised to provide banking information. Potential recipients of personal data under these conditions include (for example):
- Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, the European Banking Authority, the European Central Bank, tax authorities, law enforcement agencies) if there is a statutory or official obligation to do so.
- Other credit and financial service providers or similar institutions to whom we send personal data in order to maintain the business relationship with you (e.g. correspondent banks, credit agencies, depending on the contract).
- Other companies within our Group conducting a risk controlling process because of a statutory or official requirement to do so.
- Our company cooperates closely with the GRENKE AG (Neuer Markt 2, 76532 Baden-Baden, Germany) for example in terms of the administration of leasing contracts, development of a scoring based credit decision process, marketing, IT procurement and software licensing, insurance of leasing assets, controlling and leasing product development. For the direct debit process of leasing installments our company provides data to the treasury department of the GRENKE AG and uses their resources.
- Our company cooperates closely with the GRENKE BANK AG Branch Norway (Arnstein Arnebergsvei 30, 1366 Lysaker, Norway) for example in terms of the administration of leasing contracts, development of a scoring based credit decision process, marketing, IT procurement and software licensing, insurance of leasing assets, controlling and leasing product development. For the direct debit process of leasing installments our company provides data to the treasury department of the GRENKE BANK AG and uses their resources.
Examples of other data recipients include offices for which you have given your consent to the data being sent, and who you have exempted from banking confidentiality as agreed, or via your consent.
5. Is data sent to a third country or to any international organisation?
Data will be sent to locations in states outside of the European Union (‘third countries’) if
- it is necessary for carrying out your orders (e.g. payment orders),
- it is legally required (e.g. notification is obligatory under tax laws) or
- you have given us your consent to do so.
6. How are my data processed on the website?
Unless indicated otherwise, we only process your data on our website in the following way in order to process your request (Article 6 (1b) GDPR) or because of legitimate interests we have (Article 6 (1f) GDPR):
a. Usage data
Any time you access a page or a file, generic data are saved automatically in a log file via this procedure. The data are saved for system-related and statistical purposes only, or as an indicator of criminal acts in certain exceptional cases.
We use these data to improve our websites and to present you with content reflecting your interests on various website pages and on multiple end devices. No usage data are combined with personalised data as part of this process. If you decide to send us your data, these data will have optimum back-up during the input process. The same applies to data saved in our system. For security reasons, we will save your IP address. This can be retrieved if there is a legitimate interest for this.
We do not create a browser history. Data are not forwarded to third parties or otherwise evaluated unless there is a legal obligation to do so.
More specifically, the following data set is stored from every processing request:
- The end device used
- The name of the file accessed
- The date and time of the request
- The time zone
- The amount of data transmitted
- Notification of whether the request was successful
- Description of the type of web browser used
- The operating system used
- The page visited before
- The provider
- The user’s IP address
b. Contact us/requests
If you contact us (e.g. using contact forms), we will save your data for the purposes of processing your request and also in case further correspondence is necessary. All data are deleted after your request has been processed. This does not include data for which there is a legal or other requirement to keep the data.
We only use the data given to us during registration so that it is possible to use our website.
We collect the following data during the registration process:
- Email address,
Subject to your consent (Article 6 (1a) GDPR), we would be happy to keep you informed of recent developments with our newsletter.
For us to send you the newsletter, you have to enter your name and email address and also have the option to provide other information voluntarily. After you have sent your email address, we will send you an email to the email address you entered, in which you have to click a confirmation link to verify the email address you entered.
We only store your data for the purpose of sending our newsletter. We also store your IP address and the date of your registration as proof of your registration for the newsletter in cases of doubt.
You can unsubscribe from the newsletter at any time by clicking on the ‘Unsubscribe’ link at the bottom of the newsletter.
Cookies do not make it possible to access other files on your computer, or discover your email address.
Most browsers have settings that mean they accept cookies automatically. If the standard settings are saved for cookies in your browser, all processes will run unnoticed for you in the background. You can change these settings, however.
You can adjust your browser so that you are informed when cookies are set and can make individual decisions about accepting them, or generally rule out cookies in certain cases.
If you restrict cookies, some individual features of our website may be restricted too.
f. Range analysis using Matomo
We have a legitimate interest (i.e. an interest in the analysis, optimisation and cost-effective operation of our website within the meaning of Article 6 (1f) GDPR) in the use of Matomo, open-source software designed to statistically evaluate user access.
g. Embedded YouTube videos
In line with our legitimate interests, we embed YouTube videos on our website; these videos are stored on www.youtube.com and can be viewed directly on our website.
If you visit the website, YouTube is notified that you have opened the relevant page of our website. Additionally, the data described in section 6 a) are transmitted. This happens regardless of whether or not you have a YouTube account that you have logged into. If you are logged into Google, you data will be attributed to your account directly. If you do not want the data to be associated with your YouTube profile, you must log out before you click on the button. YouTube stores your data as a user profile and uses them for the purposes of marketing, market research and/or customising its website. In particular, your data are evaluated this way (even if you are not logged in) in order to provide personalised advertising and notify other users of the social network of your activity on our website. You are entitled to object to the creation of these user profiles; you must contact YouTube if you wish to exercise this right.
Google also processes your personal data in the USA and has subjected itself to the EU-US Privacy Shield.
8. How long is my data saved?
We process and store your personal data for as long as is necessary to fullfil our contractual and legal obligations. Please note that our business relationship is a continuing obligation that is set up for years.
If the data is no longer required to fullfil contractual or legal obligations, it will be deleted periodically unless temporary further processing is required for the following purposes:
- Fullfilment of a duty to preserve the data under Norwegian commercial and tax laws, i.e. Norwegian Fiscal code, the Norwegian Financial Undertaking Act and the Financial Contract Act, the German and Norwegian Money Laundering Act. These laws require data to be kept/documented for between two and ten years. Retaining evidence in accordance with the statutory periods of limitation that apply. Pursuant to § 2 in the Norwegian Act relating to the limitation period for claims, the normal retention period can be up to three years.
9. What data protection rights do I have?
Each individual we deal with has a right
- of access in accordance with Article 15 GDPR,
- of rectification in accordance with Article 16 GDPR,
- of erasure in accordance with Article 17 GDPR,
- to set restrictions of processing in accordance with Article 18 GDPR,
- to object in accordance with Article 21 GDPR,
- and the right to data portability in accordance with Article 20 GDPR.
Each individual also has a right to complain to the data protection supervisory authority. In Norway this is the Norwegian DPA.
You may withdraw your consent to your personal data being processed by us at any time. This also applies to the withdrawal of declarations of consent received before 25 May 2018, the date on which the GDPR comes into force. Please note that this withdrawal will apply going forward. It will not apply to any data processed before the withdrawal.
10. Do I have to provide data?
You need to provide us with the personal data necessary for us to enter into and maintain a business relationship and to fulfil the requisite contractual obligations associated with this, or when law requires us to collect it. Without this data, we will usually not be able to enter into a contract with you or to execute this contract.
More specifically, money laundering requirements require us to verify your ID document before we enter into a business relationship with you, and to find out and record your name, place and date of birth, nationality, address and ID data when doing so. To ensure that we can meet this obligation, you have to provide us with the necessary information and documents according to Money Laundering Act and notify us immediately of any changes occurring during our business relationship. If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship.
11. To what extent will decision-making be automated?
To establish and maintain the business relationship, we do not use fully automated decision-making in accordance with Article 22 GDPR. If we use this procedure in individual cases, we will provide you with separate information about this, if required by law.
12. Do you do profiling?
We automate the processing of your data in some cases with the purpose to evaluate certain aspects of you personally (profiling). We use profiling in the following cases (for example):
- Due to legal and regulatory requirements, we are duty-bound to fight money laundering, the funding of terrorism and criminal acts putting our assets at risk. Data evaluation (including during payment transactions) is also carried out. These measures have also been put in place to protect you.
- We use evaluation tools to provide you with targeted information and advice about products. These make it possible to communicate and advertise (including market and opinion research) in a way that meets your needs.
- We use scoring when we are assessing your creditworthiness. This process calculates the probability of a customer meeting their payment obligations in accordance with the contract. This calculation will factor in earning capacity, outgoings, existing liabilities, employment, employer, length of service, experience from previous business relationships, repayment of previous loans as contractual agreed-upon, as well as information from credit agencies, for instance. Scoring is based on an accredited mathematical statistical procedure that has been tried and tested. The score values calculated help us to make decisions on product sales and are factored into routine risk management procedures.
Information about your opt-out right under Article 21 GDPR
1. Right to opt out in individual cases
You have the right, at any time, to opt out of any processing of your personal data taking place based on Article 6 (1 e) GDPR (data processing in the public interest) and Article 6 (1 f) GDPR (data processing to balance interests), for reasons relating to your own particular situation; this also applies to in the meaning of Article 4 number 4 GDPR.
If you opt out, we will not process your personal data anymore, unless we are able to prove that there are legitimate compelling reasons for the processing that prevail over your interests, rights and freedoms, or the purpose of the processing is to assert, exercise or defend legal claims.
2. Right to opt out from data processing direct advertising purposes
In individual cases, we will process your personal data for direct advertising purposes. You have the right to opt out of having your personal data processed for such advertising purposes at any time; this also applies to profiling if this is connected to this kind of direct advertising.
If you opt out of having your data processed for direct advertising purposes, we will no longer process your personal data for these purposes.
Opting out can take any form but should be sent to the following address wherever possible:
GC LEASING NORWAY AS
FAO the data protection officer
Arnstein Arnebergsvei 30
Email address: email@example.com