Netgíró’s Privacy Policy

Version 1.0, published June 27th 2018

We are concerned with the privacy and accountability of personal data. The purpose of this Privacy Policy is to inform you about the personal information we collect about you, how your personal information is used and what your rights are, for the purpose of ensuring fair and transparent processing in accordance with applicable privacy laws. We encourage you to familiarize yourself thoroughly with the policy.
This Privacy Policy is based on applicable privacy laws and the general privacy regulation of the European Parliament and the Council no. 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information, also known as “GDPR”.

1. Information on us

Netgíró hf., Borgartún 27, 105 Reykjavík, ssn. 681212-2050 (hereinafter “Netgíró” or “We”) is the controller of any personal information we need on you in connection with the services we provide to our customers, whether the service is utilized through the Netgíró website, the Netgíró app or by using the Netgíró method of payment (hereinafter “Netgíró payment solution”). When referring to “you” or “users” in this policy, we refer to users of Netgíró.
If you have any questions about this policy or would like to submit a complaint or request to Netgíró regarding the processing of personal information in connection with Netgíró’s payment solution, please contact Netgíró’s privacy representative by mail or e-mail. Netgíró will respond to your request as soon as possible in writing.
Netgíró hf.
Borgartún 27
105 Reykjavík
Attn: Sigríður Hallgrímsdóttir
Email: personuverndarfulltrui@netgiro.is

2. Personal information Netgíró requires

Personal information is any personally identifiable information that may be attributed to a particular individual. This means that a person can be identified directly or indirectly with the information.

When you create access to the Netgíró website or the Netgíró app, we request your social security number, email address and mobile phone number, together with your consent to request a credit rating and to register your social security number on a watchlist at CreditInfo. Additionally, we gather information on defaults from CreditInfo hf. and information about defaults and business history from Netgíró’s sister company, Aktiva lausnir ltd., ssn 600214-1600. Information about name, address, sex and marital status is retrieved from the National Registry.

When you use Netgíró’s payment solution, we record and save all your actions, which is necessary for us to fulfill our contractual obligations with you, including authenticating and verifying your actions and ensuring security of payment. On the same basis, we process information on purchases from merchants. When you use the payment solution, Netgíró automatically retrieves information about IP address, type, version of operating system, and unique identifier. Any information about device usage, such as errors and system functionality, is also gathered.

Netgíró uses personal information to track target audiences and create reports based on statistical information about users. This is done for the purpose of improving services and better meeting users’ needs. With your consent, Netgíró will use personal information to analyze your use of the service for the purpose of providing better, personalized service.

Netgíró reserves the right to use statistical information gathered through use of the solution for continued product development and/or for improving the functionality of the solution. The company reserves the right to disclose such information, for example statistical summaries, to third parties in some cases.

3. Netgíró’s authorization for processing

The use of the personal information we hold depends on its purpose. We use personal information to:

a. Comply with contractual obligations

Netgíró processes personal information we collect from you and merchants to fulfill and maintain a contractual relationship and our contractual obligations with you. The purpose of the processing is, in particular, to enable you to create access, use Netgíró’s payment solution based on Netgíró Terms, manage your usage history, secure the payment solution, and provide you with the correct information in order to verify your purchase. The information is also used to ensure the quality and functionality of the solution, e.g. if necessary for support services and diagnostics. For more information about Netgíró services, please refer to Netgíró’s terms and conditions.

b. Comply with legal requirements
Netgíró is legally obligated to obtain personal information for a specific purpose. For example, the execution of a credit rating before a loan is granted is a requirement under Article 10 of Act no. 33/2013 on consumer loans.

c. Ensure Netgíró’s legitimate interests
In cases where processing is necessary for the legitimate interests of Netgíró, we may process your personal information beyond what is required to comply with and enforce contractual and legal obligations, unless your interests are outweighed. Netgíró processes your personal information on this basis, in particular in connection with asset and security management and marketing, such as with collection of claims, customer care, service improvements and product development, etc.

d. On basis of consent

We only use your personal information for legitimate purposes or according to informed consent. Netgíró requires consent for receiving a credit rating and placing your social security number on a watchlist at CreditInfo. This information is collected on the basis of legal requirements, but also for the purpose of determining limits and interest rates. Processing for the purposes of direct marketing of others is based on consent. Netgíró may contact you for commercial purposes if you consent to it. We will not use the information for other purposes without specifically obtaining the consent of the user for such processing.

4. Who has access to your information

To the extent necessary to enforce our contractual obligations with you, Netgíró employees have access to personal information. In addition, Netgíró’s service providers, who process personal information for our benefit, have access to personal information. These are in particular companies providing information technology services, banking and financial services, collection services, and sales and marketing services. In addition, Netgíró is obliged to provide certain public institutions with access to personal information on the basis of legal requirements, such as tax authorities, supervisory authorities, police authorities, liquidators and courts.

5. Sharing outside the European Economic Area

GDPR applies to all states of the European Economic Area (“EEA Area”), and the transmission of personal data within the EEA is therefore unlimited to the extent that it is based on legitimate processing grounds. GDPR, on the other hand, limits the disclosure of personal data to countries outside the EEA, including to the United States. Netgíró uses a service provider in the US, especially in connection with marketing, and, in some cases, transfers personal data to countries outside the EEA. Netgíró is responsible for ensuring that appropriate protection measures are available in the transmission of your personal information to ensure adequate protection of your personal information. Therefore, the company only distributes personal information to parties who are subject to privacy shield rules.

6. Length of retention

Personal information is retained while the business relationship lasts and for as long as laws prescribe or the business interests of Netgíró require and a reasonable reason exists. As a rule, personal information governed by the Act on Accounting and Consumer Credit Acts is retained for 5-7 years from each trade. When information is no longer necessary to fulfill Netgíró’s contractual obligations with you or to comply with legal requirements, it is deleted. However, we retain information that has historical value for Netgíró.

7. Your rights

You are entitled to certain rights under the law in connection with Netgíró’s processing of your personal information. They include the right to:
• request information about how Netgíró processes and retrieves personal information;
• request that Netgíró deletes your information, corrects unreliable personal information or completes imperfect personal information;
• request that Netgíró limits processing in certain cases;
• request that you receive your personal information in an accessible and computerized format and that it be delivered to another party.

Please note that Netgíró may, in limited cases, deny the removal or transfer of, or access to, your personal information.
Netgíró will ensure, as best it can, that user information is reliable and updated when required.

You also have the right to object to the processing of personal information in certain cases:
• Netgíró’s processing of personal information for direct marketing;
• Netgíró’s processing of personal data based on its legitimate interests, including processing involving personal identification (see article 8).

Netgíró will discontinue the processing of personal data if you object to its processing in the above cases, unless Netgíró is either legally required to continue or Netgíró’s legitimate interests outweigh your interests.

You may always file a complaint with the Data Protection Authority if you believe that our processing is in violation of current legislation. For more information about your rights or how to use them, we ask that you contact the Netgíró privacy representative (see contact information in article 1).

8. Automated decision making and personalization

Netgíró uses personal information with the purpose of analyzing the financial situation of users in connection with determining limits and interest rates. This analysis is based on CreditInfo’s credit ratings and synchronization of information with companies within the same group, especially Netgíró’s sister company, Aktiva lausnir.

Netgíró’s service is largely based on automated data processing, and decisions on limits and interest rates are determined exclusively electronically. Increases and decreases of limits are automated according to changes in credit rating and are shut down if a user is registered on a debtor default registry. The company’s processing is based on your consent and is a prerequisite for the use of Netgíró. You are welcome to contact our support team by sending an email to netgiro@netgiro.is to comment on such an automatic decision.

9. Security and protection of personal information

Netgíró has taken appropriate steps to ensure the best possible privacy of your personal information against abuse, misuse, damages and unauthorized access, modification or disclosure. Netgíró’s safety measures include:
• implementing technical and organizational measures designed to ensure continued confidentiality, uptime, operational safety and load resistance of production systems and services;
• controlling access of individuals to our office and security department;
• managing access by employees and others to systems that contain personal information;
• ensuring that our service providers who have access to the personal data of users have taken appropriate safeguards to ensure the safety of personal data; and
• deletion, artificial identifiers and encryption of users’ personal information.

10. Changes to Privacy Policy

This policy will be updated regularly in accordance with Netgíró’s changes in the processing of personal data to reflect the processing of personal information at the company at any given time. We encourage you to review this policy on a regular basis to be informed about how we use and protect your personal information.