How we process information about you
UC’s role is to collect, process and provide information and services in a secure, lawful and correct manner. The activities conducted within UC benefit many different stakeholders and are useful to various actors in society. Within the framework of its work to protect privacy, UC must therefore also work to remove any obstacles to the flow of personal data between different stakeholders.
UC’s activities are governed by a variety of legislation, particularly the General Data Protection Regulation and Sweden’s Credit Information Act. An important part of this protection involves informing you of how we process your data. For this reason we describe here the purposes for which the data is processed, the lawful basis for this, which data we process, who sees the data, when it is erased and what rights you have as a “data subject” – in other words, a person about whom data is kept.
The information in this document also covers the processing of personal data resulting from your visiting the website uc.se and providing personal data to us there. If a company other than UC AB is responsible for the processing of the personal data, this will be stated – for example, when you enter your details on the website or enter into an agreement.
General information about the Credit Information Act
UC AB is a credit reference agency holding a permit from the Swedish Data Protection Authority to conduct credit referencing activities.
Our credit reference register contains all private individuals over the age of 15 years who are registered as being resident in Sweden, as well as all companies in Sweden. Our aim is for the data to be processed in such a way that individuals whose data we process, as well as authorities and society, can have complete confidence in the processing that we carry out.
Credit referencing is regulated by the Credit Information Act, which contains provisions that supplement the General Data Protection Regulation and Sweden’s Data Protection Act. Among other things, the Act allows us to update our files with information automatically and to store, process and provide this information in the form of credit reports.
The purpose of providing a credit report – i.e. details, scores and guidance about you – is so that the recipient can make various financial assessments. This means that the information is used as a basis for various business and credit decisions. The Credit Information Act also states that the information may be provided as a basis for calculating the capital requirements for credit risks.
As a data subject you do not have a right to object to data about you being processed; neither do you have a right to be erased from a credit reference register. The reason for this is that the legislator considers that the processing that takes place in credit referencing is necessary in order to perform a task that is in the public interest.
The Credit Information Act contains rules protecting privacy, and among other things you have the right to demand that the processing is restricted, the right to request rectification of misleading or inaccurate information and the right to see your own credit file. When we provide a credit report to, for example, a bank, you will also receive a copy of the report showing the information that we have provided as well as who requested the report (this also applies to sole traders and partnerships). The party requesting a credit report for a private individual must have what is known as a legitimate need, which means that not just anybody has access to the credit reference register.
Rules on erasure based on the Credit Information Act
The Credit Information Act and our permit from the Swedish Data Protection Authority (IMY) also contain rules on erasure that are to be applied – which means, for example, that in credit reports for private individuals we do not present information that is more than 36 months old (with the exception of debt reconstruction, which is erased after 60 months). Data concerning a natural person is erased when it is no longer necessary to retain the data for the purpose for which it was processed. This may mean, for example, that data concerning a natural person’s directorships and other positions is erased after 60 months. The information used in credit referencing largely originates from publicly accessible sources such as Swedish authorities. In certain cases the information originates from private operators such as banks and financial institutions. You can read the Credit Information Act in full here, while information on the data contained in our credit reports, the sources from which the data is taken and the periods for which it is retained can be found at uc.se/sources.
Credit referencing does not involve us making automated individual decisions about you or profiling you. Instead we provide information to entities such as banks, financial institutions, authorities and other companies and organisations, which in turn make financial decisions using the information we have provided.
Information about processing and its legal basis as set out in the General Data Protection Regulation and the Credit Information Act
The various legal bases and purposes for which UC processes personal data are described below. None of this processing involves us making automated individual decisions about you, including profiling.
In the public interest
All processing within the framework of the Credit Information Act is carried out on the legal basis that it is in the public interest. We process data as follows:
- To update our files with information, and to store, process and provide this information in the form of credit reports
- To provide and administer services – for example, so that we can identify you
- To assist you if you contact us – for example, to get a copy of your credit reference file or for investigations or rectification of credit reference files
To prepare agreements and perform contracts
One main reason why we process data is so that we can enter into agreements with you and perform contracts. For example, we process personal data for the following purposes:
- So that we can provide and administer services, e.g. administer your payment
- So that you can register for events, seminars and training, and to allow us to administer this
- So that we can receive payment for various things such as products, services and training
- So that we can send information to you (not for marketing purposes)
Sometimes we may process your personal data based on a legitimate interests assessment. In a legitimate interests assessment we assess whether our (or a third party’s) interest in processing your personal data outweighs your interests. The following types of processing are based on legitimate interests:
- To allow us to assist when you contact us
- To allow market and customer analysis, market surveys, statistics and business monitoring, so that we can develop and improve our services and products
- So that we can send you offers and marketing (unless you have opted out)
- If you are acting as an employee of a company or organisation, we may process your personal data so that you can use services/products, buy services/products and receive information from us
- We process data to assist lenders and borrowers by generating statistics and models so that they can assess the risks and opportunities associated with business and credit decisions and within the context of providing credit, and we also provide authorities with analyses and statistics; we do not disclose any identifiable personal data in connection with this processing
Statutory requirement or legal obligation
We have to comply with a number of laws and decisions by authorities, and this may involve processing your personal data. For example:
- To comply with accounting legislation
- To report personal data to various authorities, such as the Swedish Tax Agency
If processing of personal data has no other lawful basis, we will ask you to give your consent voluntarily. In such cases we will describe clearly what information is being collected and for what purpose. You can withdraw your consent at any time and this will take effect from that point onwards. It therefore does not affect the lawfulness of data that was processed based on consent before the consent was withdrawn.
Who do we share your personal data with?
In certain cases we need to share your information with others. In these cases we take appropriate technical and organisational measures to ensure that information about you is processed securely and that there is an adequate level of security when transferring or sharing data with third parties.
Most technology and systems within Enento Group, such as marketing systems and IT platforms, are used throughout the Group. This makes us more productive and cost-efficient. For this reason your personal data may be shared with other companies within the Group.
In certain cases we use data processors such as IT services and marketing services. The processors we engage are permitted to process the personal data only for our stated purposes and only in accordance with the instructions we give. A data processing agreement is signed in respect of such processing.
We may share your information with various authorities – such as the Swedish Tax Agency – to comply with laws, regulations and decisions by authorities.
If we buy or sell operations or assets, or if any part of us is acquired by a third party, the information may be shared with the buyer or seller. (The legal basis for this is our legitimate interest.)
Disclosure as part of credit referencing activities
We also disclose information concerning data subjects (both individuals and companies) within the context of our credit referencing activities. The recipients of the data (other than those mentioned above) may be you yourself, customers of ours, companies, authorities and organisations that have the right to make a financial assessment of you, or other individuals and companies.
Countries to which we transfer your personal data
We will mainly process your data within the EU/EEA. In certain cases, however, we may process your personal data outside the EU/EEA (also known as third countries).
Where we transfer your data to a third country we will take the measures required for us to transfer the personal data lawfully, by ensuring that your data is processed securely and with an adequate level of protection that is comparable with the protection offered within the EU/EEA, for example, by signing an agreement with the recipient that includes the European Commission’s standard clauses.
What information do we process about you?
You may come to provide information about yourself in a number of different ways, such as when you fill in a form on the website, buy services or products or when you contact us in various ways. The personal data that you might provide consists of personal and contact details such as your name, company name, email address, telephone number and address.
When you use the website and our services, we may collect the following information about you:
- Information about the services you have bought.
- Behavioural information concerning how you use the website, such as use of our services, response time for pages, download errors, how you reached and left the service.
- System information such as IP address at network level, language settings, browser settings, time zone, operating system, platform and screen resolution.
We also process information about you and other data subjects within the context of our credit referencing activities; this data is used in credit reports. To see what a copy of a credit report looks like and what it contains, read more here.
How long do we keep the data for?
See the section “Erasure periods under the Credit Information Act” for more information about how long we retain information within our credit referencing activities. In addition to the period stated in the Credit Information Act, we keep information about you for as long as it is needed to fulfil the purpose for which it was processed. How long it is kept for therefore depends on the purpose for which the data is processed. We may also keep the data for longer if this is necessary in order to establish, defend or assert legal claims, e.g. if legal proceedings are in progress.
A different retention period may apply to processing that is based on statutory requirements or other legal obligations, e.g. to fulfil accounting requirements (seven years after the current year).
Where we process your data on the basis of your consent, we only keep your data for as long as we have your consent to do so.
Where processing is based on our legitimate interests, we will only process your information for as long as we have a legitimate interest in doing so. The retention period for generating statistics and models is related to macroeconomic factors and may therefore vary over time. When generating statistical models, the information must cover two economic cycles in order for the models to have the necessary quality and precision.
In the case of marketing purposes for natural persons, we erase your personal data 12 months after you cease to be a customer or user.
As a natural person whose personal data is processed by us, you have significant rights.
You have the right to access your personal data at any time. If you would like information about the personal data relating to you that we process, you can request this at any time in the form of a copy of your file. You will receive an answer within one month of the application being made. In special circumstances this period may be extended by a further two months. If we need to utilise the extension period we will notify you of this. If you notice any inaccurate, misleading or incomplete information about yourself you can request that this is rectified.
In certain cases you have the right to request that your personal data is erased (“the right to be forgotten”); for example, if your personal data was processed unlawfully. However, you cannot have your data erased if we have a legal obligation or a right to retain the data or if the processing is in accordance with the Credit Information Act. Other examples of why we may have the right to deny your request include compliance with obligations under accounting and tax legislation. It may also be the case that the processing is necessary in order for us to be able to establish, assert or defend legal claims. Should we be prevented from accommodating a request for erasure, we will instead at your request block the personal data from being used for purposes other than the purpose that prevents the requested erasure.
In certain cases you have the right to demand that the processing of your data is restricted. If, for example, you dispute that the personal data we are processing is correct, you can request restricted processing for the time we need to check whether the personal data is correct. Another example is that if we no longer need the personal data for the purposes determined but you need it in order to be able to establish, assert or defend legal claims, you can request restricted processing of the data by us. This means you can request that we do not erase your data.
In certain cases you have the right to object to the processing of your data. In such circumstances we may only continue to process the data if it can be shown that there are compelling legitimate grounds for the processing. These grounds shall then outweigh the interests, rights and freedoms of the individual or the processing shall take place in order to establish, exercise or defend a legal claim.
There are also restrictions on your rights when the data is processed for statistical purposes.
If you do not want us to process your personal data for direct marketing, you can notify us of this. In each newsletter we tell you how you can unsubscribe from future newsletters.
If you have voluntarily provided us with data, you have the right in certain cases to extract and use your data elsewhere (“the right to data portability”). In such cases we are obliged to facilitate such transfer of the data. This is conditional upon us processing the personal data on the basis of consent or for the performance of a contract with you.
Links on the website
The website may contain links and/or references to other domains. This information does not apply to those domains and we are not responsible for the processing of personal data that takes place in these domains. You should study information from these domains before providing your personal data.
Constitutional protection of freedom of expression
UC AB also has a publishing certificate for the website uc.se that was issued by the Swedish Press and Broadcasting Authority. This means that the website has constitutional protection of freedom of expression.
Contact us at UC
If you would like any further information or have any other queries, you are welcome to contact us at any time and we will do our best to answer your questions. You can contact us via the following postal address, email address or telephone number:
Postal address: Årstaängsvägen 21 B, SE-117 88 Stockholm
Telephone: +46 (0)8-670 90 00
UC AB has a data protection officer who will be happy to receive any questions you may have concerning personal data and data protection. The contact details of the data protection officer are as follows:
The following companies are part of Enento Group (2194007-7):
- UC AB (556137-5113)
- UC Affärsinformation AB (556730-7367)
- Suomen Asiakastieto Oy (0111027-9)
- Emaileri Oy (2825248-8)
Copy of file
If you would like a copy of your file, please send your enquiry to the address below. Please state in your enquiry whether you wish to have a copy of your credit reference file or your customer file.
Postal address: UC AB, Årstaängsvägen 21 B, SE-117 88 Stockholm
If you believe we have processed your data incorrectly please contact us at firstname.lastname@example.org.
Under Article 77 of the General Data Protection Regulation you have the right to lodge a complaint with the Swedish Data Protection Authority (Datainspektionen) at the following address:
Postal address: Box 8114, SE-104 20 Stockholm