Sambla Privacy Policy
1. Introduction
Your privacy is important to us and the processing of your personal data must be secure.
This Data Protection Policy explains how we collect and use your personal data when you use Sambla’s loan brokerage and insurance brokerage services (the “Services”), if you are a member of Sambla Plus (the “Plus Service”) or when we otherwise process personal data about you. It also describes your rights and how you can enforce your rights.
The data controller for the processing of personal data under the Sambla brand is Sambla Group AB, company registration number 556974-8378, Box 5300, 102 46 Stockholm, Sweden. This means that Sambla Group AB is responsible for ensuring that the processing of your personal data is carried out in accordance with applicable data protection legislation, i.e. the General Data Protection Regulation (“GDPR”) and supplementary national legislation.
You can always contact us with any questions about our processing of your personal data by sending an email to kundtjanst@sambla.se.
2. Key concepts
Personal data is any information that can be linked, directly or indirectly together with other data, to a living person. Examples of personal data are personal identity number, name and address, IP address and preferences. Processing of personal data means any operation or combination of operations which is performed upon personal data or sets of personal data, whether or not by automatic means. Examples of processing of personal data are collection, recording, storage and processing.
3. What information do we collect and what do we do with it?
3.1 How do we collect information about you?
Here we summarise the types of personal data we collect and process about you. Further down in the policy you can read in more detail about how we process your data in different contexts.
Information that you provide to us
You actively provide us with personal data when you use the Service or contact us, such as name, personal number and address of you and any co-applicant, income and type of accommodation, etc. We process this data in order to provide the Service and, if you have chosen to become a member of the Plus Service, also to provide the Plus Service.
Information we collect about you from other sources
If you are not yet a customer with us: If you are not a customer of ours, we may collect information about you from address providers, such as your name, telephone number and address, for the purpose of providing you with marketing by telephone and by post.
You, our customer: When you apply for a loan with us, we will take a credit report on you from the credit reference agency UC AB. We do this in order to provide the Service. In some cases, some of the lenders we work with may take a credit report on you from another credit reference agency, such as Bisnode, to ensure that the information provided is correct.
You who visit our digital channels: We collect technical data when you visit our digital channels (e.g. our website), which may include the URL that is your unique access to your login page, your IP address, unique device ID, usage history, browser type, language, and identification and operating system information. We do this to facilitate, improve and further develop the Service and the Plus Service and to ensure that the Service is used correctly. Such information is partly collected through cookies. You can read more about how we use cookies and how to opt-out of cookies in our Cookie Policy, which is available on our website at www.sambla.se.
3.2 Personal data processing in connection with loan intermediation
Here we describe what personal data we process in connection with loan intermediation, for what purposes we process them and what legal basis we have for the processing.
Purpose of processing:
- To register and administer your loan application in order to provide the Service to you in accordance with our User Agreement.
- To carry out an ID check and PEP (politically exposed person) check on you and verify that you are not on any EU sanctions lists in order to ensure that we are entitled to provide the Service to you.
- To analyse loan application data and credit report data in order to determine whether you are eligible for a loan.
- To transfer the loan application to the lenders we work with, whose basic borrower requirements you meet.
- To contact you by email, SMS, telephone and post for the purpose of administering the Service.
- To record telephone conversations for the purposes of documenting and securing any agreements and consents with you and improving our communications.
- Handling customer service issues and complaints that you contact us about.
- Presenting loan offers from the lenders we work with.
- To fulfil our agreement with any lender you enter into a loan agreement with.
- To analyse how the Service is used and compile de-identified statistics.
- To prevent, detect and deter fraud and misuse of the Service.
What personal data is processed:
- Name
- Contact details (e.g. address, telephone number, e-mail)
- Personal number
- IP address and other technical data
- Account number
- Employment information
- Accommodation information
- Marital status
- Number of children
- Other information you provide in the loan application
- Information you provide in customer service and complaints
- Information in the credit report, (e.g. if you have any remarks with the Enforcement Authority)
- Extracts from EU sanctions lists and PEP registers
- Information you provide about any co-applicant and credit report information and extracts from EU sanctions lists and PEP registers about your co-applicant
Legal basis for processing
We process your personal data when it is necessary to enter into and perform the contract with you or when we have a legitimate and legitimate interest in processing your personal data, e.g. to respond to questions you ask to customer service and for the purpose of developing and improving the Service.
We process certain personal data about you in order to comply with a legal obligation, such as to comply with the requirements of the Money Laundering Act and the Accounting Act. Information on ID checks, PEP checks and checks against the EU sanctions lists are made, for example, to comply with legal obligations under the Money Laundering Act.
We record telephone conversations we have with you because we have a legal obligation to document any agreements we enter into with you over the telephone. We also record telephone conversations for the legitimate and legitimate interest of improving the Service, avoiding misunderstandings in our communications and to prevent fraud.
We use automated decision-making
Automated decision-making means a decision made solely on the basis of automated processing of your personal data. We and our partner lenders use automated decision-making when you use the Loan Brokerage Service. This means that the information you have provided and the information we obtain through a credit check on you and any co-applicant is automatically matched with the basic borrower requirements that our affiliated lenders apply to grant a loan, such as income, type of employment, loan amount sought and similar information. If you do not meet the basic requirements set by a specific lender, your application will automatically be sorted out and not provided to the lender.
In some cases, you have the right to request a manual decision process. In this case, please contact us using the contact details below. You can also contact the respective lender for more information on their use of automated decision-making and if you have any questions about the respective lender’s personal data processing.
Our use of automated decision making is for the purpose of providing a fair and accurate loan intermediation service and is necessary for us to perform the contract we have entered into with you. If you have an objection to an automated decision made by us, please contact us at kundtjanst@sambla.se.
3.3 Personal data processing in connection with insurance mediation
Here we describe what personal data we process in connection with insurance mediation, for what purposes we process them and what legal basis we have for the processing.
Purpose of processing
To register and administer your insurance application in order to provide the Service to you in accordance with our Agreement.
- Name
- To transfer insurance details to the insurance company.
- To contact you by email, SMS, telephone and post for the purposes of administering the Service.
- To record telephone conversations for the purposes of documenting and securing any agreements and consents with you and improving our communications.
- To handle customer service issues that you contact us about.
What personal data is processed:
- Name
- Contact details (e.g. address, telephone number, e-mail)
- Personal number
- Account number
- IP address and other technical data
- Any other information you provide when registering for the insurance
- To analyse the use of the Service and to compile de-identified statistics.
- to prevent, detect and combat fraud and misuse of the Service.
- to maintain, develop, test and improve the Service and the technical platforms on which it is provided.
Legal basis for processing
We process your personal data when it is necessary to enter into and perform the contract with you or when we have a legitimate and legitimate interest in processing your personal data, e.g. to respond to questions you ask to customer service and for the purpose of developing and improving the Service.
We process certain personal data about you in order to comply with a legal obligation, e.g. in accordance with the Bookkeeping Act.
We record telephone conversations that we have with you because we have a legal obligation to document any agreements that we enter into with you over the telephone. We also record telephone conversations for the legitimate and legitimate interest of improving the Service, avoiding misunderstandings in our communications and to prevent fraud.
3.4 Personal data processing in connection with marketing
Here we describe what personal data we process in connection with marketing, for what purposes we process it and what legal basis we have for the processing.
Purpose of processing
If you are not our customer:
- To contact you by telephone and send you direct mail for marketing purposes.
- analysing and evaluating marketing mailings
- To avoid targeting marketing to people who are not considered to be able or should not become customers (the data will be deleted immediately after verification).
You who visit our websites:
- To create “lookalike” audiences and custom audiences on Facebook based on your selections and preferences in order to provide you with relevant ads through Facebook.
- To create lookalike audiences and custom audiences on the Google Adwords ad network based on your selections and preferences in order to provide you with relevant ads through Google.
- To analyse and evaluate marketing mailings.
What personal data is processed:
If you are not our customer:
- Name
- Date of birth
- Contact details (e.g. address, telephone number)
- Information on income, credit history, etc.
You who visit our websites:
- IP address and other technical data
- Information about you collected through cookies
You are a customer of ours or a member of the PlusService:
- Name
- Date of birth
- Contact details (e.g. address, telephone number, e-mail)
- To send you marketing by email, SMS, telephone and direct mail.
- To analyse and group our customers according to certain samples and preferences (so-called profiling) in order to provide you with relevant and personalised information.
- To analyse and evaluate marketing mailings.
Legal basis for processing
We process your personal data on the basis that we have a legitimate and legitimate interest in marketing our Service.
When we provide customised marketing and offers to you who have opted-in to the Plus Service, we process your personal data in order to perform the contract with you for the Plus Service.
How we reasoned about marketing
It is important to us that only those who actually want to receive our marketing offers and information mails receive them. Below we describe our reasoning and how you can opt out of future marketing mailings.
If you are not our customer:
We will only contact you by post or telephone. If you do not wish to receive our mailings by post or telephone, please contact us at kundtjanst@sambla.se and we will add you to our blacklist. Please note that in this case we will store your name and contact details in order to ensure that we do not contact you again. You can also register on the NIX register, www.swedma.se/reklamsparr, if you do not wish to receive marketing by post or telephone.
You are, or have been, a customer with us:
If you are, or have been, a customer of ours, we may contact you about our offers by post, phone, SMS or email. You can unsubscribe from future mailings via a link in each email/SMS mailing or by contacting us at kundtjanst@sambla.se. We will only send marketing by email or SMS for up to one year after our customer relationship has ended unless you are currently subscribed to our newsletter or are a member of the PlusService.
You who subscribe to our newsletter or are a member of the PlusService:
If you subscribe to our newsletter or are a member of the PlusService, we may contact you about our offers by post, phone, SMS or email until you unsubscribe from the newsletter or terminate your membership of the PlusService. You can unsubscribe from future mailings via a link in each email/SMS mailing or by contacting us at kundtjanst@sambla.se.
We use profiling
We use profiling for marketing purposes. This includes the creation of “lookalike” audiences and custom audiences on Facebook and the creation of “similar audiences” and custom audiences on the Google Adwords advertising network. The purpose of profiling is to provide you with information and marketing that we think you will appreciate. The profiling is based on the personal data we have collected about you (e.g. address and age). Based on this information, we place you in a customer group (e.g. people aged 20-30 in area x) and tailor the marketing to you based on the customer group you have been placed in.
3.5 Personal data processing in connection with the PlusService
Here we describe what personal data we process in connection with the PlusService, for what purposes we process it and what legal basis we have for the processing.
Purpose of processing
- To manage your membership.
- To send out information, offers, marketing and newsletters by post, phone, SMS and email in accordance with our PlusService terms and conditions.
- Please read more about our personal data processing in connection with marketing under the heading “Personal data processing in connection with marketing” above.
- To analyse and evaluate our mailings gen.
Legal basis for processing
We process your personal data as necessary to perform the contract with you and to meet our obligations under the terms of the PlusService.
What personal data is processed:
- Your name
- Contact details
- Personal number
4. Who may we share your information with?
We take all reasonable contractual, legal, technical and organisational measures to ensure that your personal data is processed securely and with an adequate level of protection when it is transferred to or shared with selected third parties. Such third parties will be:
Suppliers. Some of our suppliers who provide, for example, IT services, or help with marketing, analysis or statistics, may receive your personal data.
Credit reporting agencies and similar providers. Your personal data may be shared with credit reference agencies in order to assess your creditworthiness when you use our loan brokerage service. Personal data may also be shared with providers of identity lookup and fraud prevention services to confirm your identity and address and to protect you from fraud.
Authorities. We may provide necessary information to authorities such as the Police, the Financial Supervisory Authority or other authorities if we are required to do so by law. For example, we are required by law to provide information for anti-money laundering and anti-terrorist financing measures.
Lenders. In the event of a loan match, we will forward your application to the lenders with whom we work and whose basic requirements match your application. The lenders who receive your application are responsible for their own processing of your personal data. Information on the lenders we work with is available on our website.
Insurers. When you take out an insurance policy, we send the insurance data to the insurers with whom we cooperate. Information on the insurers with whom we cooperate can be found on our website.
Group companies. We may share data with our group companies in order to streamline internal processes and compile common statistics.
Disposals. In the event that we sell or buy businesses, we may disclose your personal information to a potential seller or buyer of such business. If we or a substantial part of our business is acquired by a third party, personal data about our customers may be shared. Prior to such sharing, we will ensure that the appropriate privacy commitment is in place.
5. Where do we process your personal data?
We primarily process your personal data within the EU/EEA. In exceptional cases, personal data may be transferred to, and processed in, countries outside the EU/EEA, so-called third countries. Companies that process personal data on our behalf always sign agreements with us to ensure a high level of protection for your personal data.
In relation to partners outside the EU/EEA, specific safeguards are applied, for example by entering into agreements that include the European Commission’s standardised model clauses for data transfers and which aim to ensure a level of protection for your personal data that is equivalent to the protection offered within the EU/EEA.
6. How long do we keep your personal data?
Your personal data will only be stored for as long as it is necessary for the purpose of the processing or where we are required to store it in accordance with applicable law.
- Personal data required for the performance of our Services will be retained for as long as it is necessary for the performance of our contract with you and for one year thereafter. We are required by law to retain certain data for a set period of time, for example to comply with the requirements of the Accounting Act, the Money Laundering Act and other legal requirements imposed on us as a loan and insurance intermediary, and we will then delete the data thereafter.
- Personal data required for us to perform our contract with a specific lender will be stored for as long as is necessary to perform our contract with the lender.
- Personal data that we use to send direct marketing to you as a non-customer will only be used at the time of marketing and will be deleted thereafter.
- Data relating to your previous relationship with us will be stored for marketing purposes for up to 10 years and then deleted.
- Personal data processed for the purpose of providing you with the Plus Service is stored for as long as you are a member. If you terminate your contract, we will delete your data as soon as possible.
- Communications with you regarding customer service issues and complaints are kept for as long as the matter is active or needed to defend us against legal claims and are deleted one year thereafter.
- De-identified data, i.e. data that is not linked to you as an individual, may be kept for analysis and statistical purposes for up to five years and will be deleted thereafter.
7. What are your rights?
Right of access to your data
You can request a copy of your data if you want to know what information we have about you, a so-called register extract.
Right to rectification
You have the right to have inaccurate personal data corrected or incomplete personal data about you completed.
Right to erasure
You have the right to request the deletion of certain personal data. This right is limited to data that, by law, may only be processed with your consent, if you withdraw your consent and object to the processing. If you wish for us to delete such personal data, please email us at kundeservice@sambla.no. Kindly use ‘Request for Deletion’ as the subject line. To process your request, we need you to provide: phone number, email, and personal identification number, or alternatively, request a callback for identification via BankID. Please note that if you have used the company’s services, we may need to retain your personal data for different periods depending on its purpose and the legal requirements regarding how long we must retain it, as outlined in our Data Protection Policy. Once the purposes for processing have been fulfilled, the personal data will be deleted.
Right to restriction of processing
You have the right to request that the processing of your personal data be restricted, for example if you object to the accuracy of the data.
Right to object
Where we consider that we have a legitimate interest in processing your personal data, you may at any time make an objection to the processing. If you choose to object, we may no longer process your personal data for that purpose unless we can demonstrate a legitimate interest in the processing. Such legitimate interest must outweigh your interest in not having your personal data processed for privacy reasons. You can also object at any time to processing carried out by us for direct marketing purposes.
Right to data portability
You have the right to receive and/or request the transfer of the personal data you have provided to us to another data controller. The personal data must be in a structured, commonly used and machine-readable format. A prerequisite for data portability is that the transfer is technically feasible and can be automated.
Right to lodge a complaint
If you have any comments or complaints regarding our processing of your personal data or wish to exercise any of your rights, please contact us at kundeservice@sambla.no.
In the unlikely event that we are unable to find a solution together, you can appeal to the Data Protection Authority, which is the supervisory authority for the processing of personal data:
Integritetsskyddsmyndigheten,
Box 8114, 104 20 Stockholm
E-mail: imy@imy.se
Telephone: 08-657 61 00
Website: www.imy.se
8. Changes to the Data Protection Policy
We reserve the right to change and update our Data Protection Policy. The latest version is always available on our website www.sambla.se. In the event of updates that are material to our processing of your personal data, you will be informed of the changes on our website in good time before the updates take effect. If you have any concerns about our processing of personal data as a result of the updates, please contact us at kundtjanst@sambla.se.