English

Our Privacy Notice

This Privacy Notice is a guide to our use of the personal information we have about you.

 

Who are we and what do we do?

Hoist Finance AB (publ) (HFAB) is the Controller of the data we hold about you in relation to processing activities mentioned in the table below. Your account is owned by HFAB, but all matters related to debt collection, debt administration and exercising the rights of the lender in relation to your account is managed by one of our partners, who is a separate Controller for processing of your data related to debt collection. All communication with you will be managed by the partner in question, including but not limited to complaints handling, delivery of notices, accepting and managing written correspondence relevant to your debt. To find out more about how our partners process your personal data, please refer to their websites for more information.

What information do we hold, why do we process it, & how long do we keep it for?

HFAB uses your information only for the purposes of debt administration and processes associated with servicing credit. We will use the data in accordance with General Data Protection Regulation (GDPR), Swedish Data Protection Act 2018 and good debt collection practice to gather and update documentation necessary for compliance with applicable laws such as Anti Money Laundering Law, Swedish tax laws, Accounting laws etc.


In order to pursue the above purposes and to act lawfully, transparently and fairly, we process the following types of information, always under strict controls, such as encryption, internal access rights, and audits to keep your information safe:

 

 

Type of information

Reason for processing    

Legal basis for processing

How long we keep your information for

Contact and account information, such as your name, home address, date of birth, national identification number, phone number and details of previous communication with us, emails, and letters. We process this data to be able to contact you, keep records of any previous conversations or correspondence, and in general keep a full and up to date picture of your circumstances and your dealings with us. This is necessary to handle your case fairly and in your best interests. The legal basis for processing this information is the original credit agreement to which you are a party, legitimate interest or legal obligation which we need to fulfil. Once your account has been closed, we will hold your data to satisfy relevant regulations such as, Anti Money Laundering, Tax laws, Accounting laws etc. 5 years (AML), 7 years (Tax), 7 years + days left in the calendar year (Accounting) from the moment the account is closed but, in any case, no longer than 10 years (for AML legal requirements), at which point it will be deleted/irreversibly anonymized.
Payment information, such as your bank account number, transaction history, financial data etc. To be able to provide Accounting, AML and Tax reports to relevant authorities and to fulfil our legal requirements. We also process this data in order to be able to create Analytical and Performance reports which are used to improve process how we deal with our customers and to educate our employees.

Where do we get the information from?

We initially receive the information from the previous owner of the claim as part of its sale and transfer to us.

We may also obtain information from third parties in order to increase the accuracy of the information we hold and/or to gain a better understanding of your circumstances. These third parties are credit reference agencies, public government records, and other organisations which provide services to improve the quality of the data we hold about you.

Disclosure of your information

We do not disclose your information except in the following limited circumstances:

  • We may share your personal information within the Hoist Finance group of companies, to which we belong. For example, our IT infrastructure is managed at Group level. This helps to keep our systems operational and secure allowing us to provide the best services to you that we can. Any personal data sharing is subject to security and privacy requirements set in the law and our internal governance documents.

 

We may also share your personal data with carefully vetted organisations, who must comply with our strict contractual security and privacy requirements and follow our guidelines, for the following purposes:

  • To assist us in managing your account and/or maintaining accuracy of the information we hold about you. An example of this would be credit reference agency reporting.
  • To provide us with specialised services to run our business. An example would be the printing company that sends out our physical letters to you, or where we use a third party to collect or manage a debt on our behalf.

 

Finally, we may also disclose your personal information to third parties:

  • In the event we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or in order to enforce or apply our terms of use or to protect our rights, property or safety. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction, or with authorities for the purposes of tax reporting or anti-money laundering.

 

Your information will generally be kept within the EU/EEA or in countries deemed by the European Commission to have an adequate level of protection; only for limited purposes and temporarily may data be transferred to other countries. This is in particular where we need 24/7 technical support to maintain our IT infrastructure, and where the support teams of our service providers are located outside the EU/EEA.


In all cases, however, we have technical, organisational, and contractual protections in place to keep the information safe and to ensure an adequate level of protection. Contractually, transfers outside the EU/EEA to countries without an adequacy decision by the European Commission will be based on standard data protection clauses adopted by the European Commission.

Data Security

We have put in place appropriate technical and security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we only give access to your personal data to employees, contractors and other third parties who have a business relation with us on a need-to-know basis. They will only process your personal data on our specific instructions, and they are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable authority of a suspected breach where we are legally required to do so.

Your statutory data protection rights

  • Right to access: You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please contact us. We will respond to your request within one month.

  • Right to rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate. We may ask that you provide reasonable proof to verify your request.

  • Right to restrict processing: If you believe the personal information we hold is inaccurate, unlawful, or that we do not have a legitimate interest to process it, you can request that we restrict any processing until this is rectified.

  • Right to object to processing: Where your particular situation merits that we no longer process your information for the performance of a task carried out in the public interest or based on our legitimate interest, you have the right to object to the processing.

  • Right to data portability: This right allows you to obtain in a structured, commonly used format, and to reuse the information you have provided to us for your own purpose and have it transmitted directly to different services. This applies only to information we use based on your consent or on a contractual basis.

  • Rights related to automated decision making and profiling: You have the right to safeguards against the risk of potentially damaging decisions being taken without human intervention. This right applies where a decision is based solely on automated processing and produces a legal effect or similar significant effect. If this is the case, we must ensure you are able to obtain human intervention, to express your point of view, and to have the opportunity to challenge it. We will also explain the logic behind the decision.

    Profiling is defined as any form of automated processing intended to evaluate certain personal aspects of an individual in order to analyse or predict aspects of their personal circumstances, behaviours or abilities. Processing must be fair and transparent, use appropriate mathematical or statistical procedures, use appropriate controls to minimise inaccuracies and secure personal data.

    We do not use any such automated individual decision making.

  • Right to erasure (“right to be forgotten”): You may ask us to delete the information we hold on you where it is no longer necessary for the purpose for which it was collected; where you withdraw any consent you provided for its processing; where you object to our processing of it (see above); or where our processing is unlawful. Please note, however, that we are also subject to certain legal obligations that prevent us from immediately deleting all of your information. For example, we are legally obliged to keep certain data for anti-money laundering purposes for at least five years. However, any data we are prohibited from deleting will be blocked and, when we are no longer obliged to keep it, erased.

  • Right to lodge a complaint: You have the right to lodge a complaint with the Swedish data protection supervisory authority. (imy.se)

Changes to this Privacy Notice

We regularly review this Privacy Notice. We will notify you of any substantial updates that affect you 2 weeks in advance. Minor changes to the policy, such as making it clearer, will be implemented without directly notifying you.

 

This privacy notice was last updated: 24 June 2024.

Who do I contact if I have questions?

If you have questions, comments or want to exercise any of your rights, please contact us at contact@hoistfinance.se, our Data Protection Officer at dpo@hoistfinance.com or send mail to our postal address Hoist Finance AB (publ), Dataskyddsombud, Box 7848, SE-111 21 Stockholm, Sweden. You can also file a complaint to the Swedish Authority for Privacy Protection (IMY) via email: imy@imy.se, or their postal address: Integritetsskyddsmyndigheten, Box 8114, SE-104 20 Stockholm, Sweden.