2. The purposes of the processing
2.1 The Merchant works in conjunction with Sileon and allows you to use one or more Sileon payment methods for your order. The claim arising from the contract between you and the Merchant is then transferred to Sileon if Sileon’s payment method is used (factoring).
2.2 Sileon therefore processes your personal data when this is necessary for the purpose of the purchase and assignment of the claim arising from the contractual relationship between you and the merchant. Sileon also processes personal data for the purpose of processing the subsequent payment transaction from Sileon, in connection with contacts in a contractual context and to prevent fraud and similar crime. Sileon’s processing of personal data is based on the legal basis of fulfilment of contracts. If necessary, we also transfer personal data in this context and for this purpose to our partners. Sileon cannot provide its services without processing personal data.
2.3 Your personal data is used by Sileon for payment of the merchant’s products and services, delivery of products, invoicing, information, as well as for contact with you as a customer.
2.4 Processing of personal data is also carried out by Sileon in order to comply with legal obligations imposed on Sileon, e.g. under the Consumer Credit Act (SFS 2010:1846) and the Act on Measures against Money Laundering and Terrorist Financing (SFS 2017:630) and to disclose necessary information to authorities such as the Police, tax authorities or other bodies, to the extent that we are legally required to do so or we have a legitimate interest in the disclosure. An example of such legally necessary disclosures is disclosure for the purpose of combating money laundering and terrorism.
2.5 We also process your personal data for our legitimate interest to be able to take measures to prevent fraud, develop our services and provide information and marketing that we believe you may be interested in.
3. Personal data being processed
3.1 Personal data is any information that can be linked to a living person. Sileon collects and processes different types of personal data within the framework of its business, depending on the type of service that the data subject uses (such as Swish, PayPal, purchase against invoice, card purchase, credit purchase, etc.). The information is either provided directly by you or collected by Sileon to supplement the information you provided, so that the purchase is as smooth as possible.
3.2 The following personal data may be collected by Sileon from you. What is collected depends on which of Sileon’s services you use:
a) Information about your identity – first name, last name and social security number.
b) Your contact details – address for invoice and delivery, e-mail address, telephone number.
c) Payment information – credit or debit card data (card number, validity date, CVV code, card owner).
d) Travel information – if the purchase relates to a trip, Sileon processes information about the trip and the identity of the traveler or travelers.
3.3 Sileon may also need to process other types of personal data depending on the type of service, either due to requirements from merchants (the person you purchase the service or goods from) or due to law or regulation. Such personal data is collected from credit reporting agencies or the merchant. Sileon may need to collect and process:
a) Information about the purchase – information about the product, service or trip to which the payment relates.
b) Credit information – information about you needed to assess your credit, such as your income, any credits and negative payment history.
c) History – In order to carry out a credit check, Sileon may process data about your previous purchases and your payment and credit history with the merchants using Sileon’s services.
d) Sanctions and PEP lists – comparison of your personal data with lists of sanctioned and politically exposed persons. These lists contain information such as name, date of birth, place of birth, occupation, or position, as well as reasons for inclusion in the list.
e) Communication data – to know how you have been treated and be able to handle support cases, Sileon processes information about how you used Sileon’s service, pages, and infrastructure. These logs are automatically deleted at regular intervals.
f) IT data – in order for you to communicate with Sileon’s systems, we need to process data about the device you are using, such as the device’s IP address and operating system.
3.4 If you contact Sileon’s customer service for assistance with a case or for a refund, the case will require Sileon to process your personal data. Personal data processed within the framework of customer service may include, for example:
a) Information about your identity – such as first name, last name, and social security number. If you also provide information about the identity of others, Sileon will not save that information unless it is required for the case or to investigate fraud or other matter.
b) Contact details – such as address for invoice, delivery address, e-mail address, mobile number and telephone number, population registration address (can be collected from the Swedish Tax Agency to ensure that the address is correct).
c) Case description – when you contact us and describe the support case, Sileon cannot control what information you provide. Your case description may therefore include personal data that Sileon has no reason to process. Examples of such data are information about trustees, family members, etc. We process your personal data for as long as the support case is ongoing, but for a maximum of twelve (12) months from when the case is closed. Any legal issue will be stored in accordance with legal requirements.
d) Voice Recording – Sileon may process recording of your call for educational purposes and to ensure the best possible customer experience. This recording will be stored for six (6) months.
e) Final invoice – when contacting customer support, your credit agreement can be terminated. Customer Support will then process the personal data required to create a final invoice.
f) Refund processing – if the customer service case concerns or leads to a refund, Sileon will need to process the bank account details for the payout, as well as the price and other details of the purchase to which the refund relates.
4. Automated decision-making
4.1 In connection with purchases against invoice, Sileon performs a credit check. Personal data is then collected from credit reporting companies that Sileon collaborates with to make an overall credit assessment. The data is also collected to confirm your identity and address.
4.2 The credit check assesses factors such as your payment history, your income, your credits, and your credit costs. Based on these factors, the credit check will either allow or deny you a purchase against invoice or the credit you applied for. Information about denied or granted credit will not be processed by Sileon other than to avoid Sileon unnecessarily repeating the credit assessment process.
5. Recipients of personal data
5.1 Sileon’s services require Sileon to cooperate with and interact with other systems and actors. In order to make payments and administer customer relationships, Sileon will transfer your personal data to other organizations when it is necessary for the performance of contracts or in accordance with any law, regulation, or decision that Sileon must comply with. The following types of recipients may apply:
a) Merchants – for the most part, merchants who use Sileon’s services are themselves responsible for collecting the data they need to respond to you. In some cases, Sileon will supplement the merchant’s information in order for Sileon or the merchant to fulfill its obligations under contracts with you.
b) Credit reference agencies – according to the description provided above, Sileon will disclose information about you to credit reference agencies when Sileon is required to assess your creditworthiness. Sileon does this to confirm your identity, assess your creditworthiness and determine whether Sileon can offer you the payment method you have chosen.
c) Authorities – Sileon may need to disclose information to authorities, such as the Police or the Swedish Tax Agency, if we are required to do so by law or if you have requested that we do so. In some cases, Sileon may be prevented by law from telling you that your personal information has been requested by government agencies.
d) Notification Services – Sileon uses services to communicate automatically with you, e.g., with confirmations or reminders by post or email. These companies only have access to your name, address or email address and are committed to not sharing your personal data with anyone except when it is necessary to carry out the service.
We also share personal data with our partners (for the purpose of carrying out credit checks and making payments), service providers and with credit reference agencies as part of providing our services.
5.2 Sileon processes as much of its data as possible within the EU/EEA. If data is transferred to be processed by a supplier or subcontractor outside the EU/EEA, the transfer will take place in accordance with applicable data protection legislation. For example, Sileon ensures that the recipient always enters into contractual terms and appropriate safeguards (if applicable) with Sileon that ensure that the recipient maintains a level of protection comparable to the EU/EEA.
6. Retention of personal data
6.1 Personal data is only retained for as long as it is necessary to fulfil the purposes described above and if Sileon is obliged to store personal data for a certain period of time by law, e.g., according to rules on accounting and money laundering. This means that most of the personal data collected about you will be automatically deleted after a payment has been made or a credit has been paid off. There are certain exceptions that result in Sileon retaining personal data even after a debt relationship has ended; these are described below.
6.2 Contact information and identity information will be retained by Sileon’s system after each completed purchase for a shorter period in order to enable troubleshooting and testing.
6.3 The data of a financial nature that Sileon collects from credit reference agencies is always retained for three months from the last time it was used. This avoids repeating the credit assessment process more than necessary.
7. Deletion of personal data
7.1 Personal data is deleted or depersonalized when the data no longer needs to be retained. Depersonalized means that the data can no longer be used to identify a person.
7.2 Before data is used as a basis for statistics and product development, it is depersonalized and aggregated, which means that it can no longer be linked to you, either by Sileon or anyone else. The information therefore no longer contains personal data.
7.3 When Sileon performs a deletion of personal data, it cannot be revoked/recreated and once the deletion has been carried out, no person can any longer be associated with the information that remains.
8. Information security
8.1 As a data controller, Sileon takes appropriate technical and organizational measures to protect the personal data processed in accordance with Section 2 of the General Data Protection Regulation. Sileon has specific internal policies and processes for dealing with information security issues and for preventing and detecting leaks.
8.2 Sileon takes appropriate technical and organizational security measures to protect the personal data processed. The security measures shall protect personal data against security incidents. A security incident here refers to the attempted or carried out unauthorized disclosure of or access to the personal data transferred, stored, or otherwise processed. Security incidents should be reported immediately to Sileon’s CISO.
8.3 Furthermore, the security measures shall achieve the level of protection provided for by law or regulation and IMY’s guidelines and applicable regulations regarding security, as well as what is otherwise appropriate taking into account, among other things, the sensitivity of the processed personal data.
8.4 Access to personal data shall be limited to those individuals who need access to the personal data in order to fulfil their duties. This means, among other things, that people who have access to Sileon’s IT systems should not have more extensive user rights than is necessary. A routine for handling (addition, modification and removal) of user routines is in place. Further information about Sileon’s user rights policy can be found in Sileon’s IT instruction. Logging in to Sileon’s network requires username and password. Access to Sileon’s network outside the firewall requires a VPN connection with a special login. Communication to Sileon’s web-based systems or other external third parties is encrypted (HTTPS).
8.5 Sileon’s production environment is PCI-DSS certified. All card and payment information that Sileon processes in the production environment is encrypted through CBC. The persons who have access to the production environment undergo a special security clearance and enter into an extended confidentiality agreement.
9. Personal data incidents
9.1 Sileon has established specific guidelines for the management of security incidents that result in the accidental or unlawful destruction, loss, alteration, or access of unauthorized persons to personal data processed by Sileon (“Personal Data Breach”). In the event of a personal data breach, the document Process personal data breach must be followed.
9.2 Sileon’s Internal Compliance Manager is responsible for ensuring that the DSO is contacted and consulted in the event of personal data breaches. According to the General Data Protection Regulation, the DSO is to act as a contact person for the supervisory authority. The DSO must therefore be kept informed in good time of what is discovered about a personal data breach. Where a decision is taken to notify or not to notify a personal data breach to the supervisory authority, the DSO shall be informed of the decision and the reason for it if the DSO is not already consulted in the handling of the incident.
10. Transfer and disclosure of personal data
10.1 The transfer and disclosure of personal data to third parties, such as service providers, may only take place in accordance with the Personal Data Act and other applicable laws and regulations.
10.2 Transfers of personal data outside the EU/EEA area may only take place to countries that are considered to have an adequate level of protection or if the data subject has given his or her consent to the transfer or if there is otherwise an exception to the prohibition on the transfer of personal data to third countries. Transfer may be made to a recipient in a third country if the recipient has entered into the EU Commission’s standard contractual clauses with the Company. When using standard contractual clauses, the Company shall assess whether additional safeguards of a technical or organisational nature are necessary in the individual case.
10.3 When transferring personal data to recipients who process personal data on behalf of Sileon in their capacity as data processor, there shall be a data processing agreement in place between the parties in accordance with the provisions of the Personal Data Act and IMY’s guidelines. The Personal Data Processor shall be required in the Data Processing Agreement to comply with this Policy.
11. Your rights
11.1 Sileon has a registered Data Protection Officer who can be contacted according to the contact details below. The Data Protection Officer is the contact person for the exercise of rights vis-à-vis Sileon.
11.2 You have the right to withdraw consent to a particular processing free of charge without this affecting the lawfulness of the processing before the withdrawal. For example, you may have chosen to consent to Sileon saving your card details to make it easier for you to make purchases in the future. You can revoke the consent yourself and delete your saved card details.
11.3 You have the right to request that the processing be limited to storage and to object to the processing.
11.4 You also have the right to request a register extract, in electronic format when Sileon is the data processor. Sileon will compile information about how your personal data has been processed and send it to you, normally within one month. Sileon shall also assist merchants in responding to data subjects when Sileon is the data processor, meaning that Sileon shall communicate with its own data processors in these cases in order to compile the relevant information. In the event of a request from a data subject for information about what personal data is processed by us, so-called register extracts, Sileon shall provide information on whether personal data is being processed and, if so, provide written information about:
a) what personal data/categories of personal data of the data subject are being processed;
b) from where this personal data has been retrieved;
c) the purposes of the processing of the data subject’s personal data;
d) to which recipients or categories of recipients the personal data have been disclosed, in particular if any recipient is in a country outside the EU/EEA or an international organisation;
e) the criteria used to determine how long the personal data will be stored;
f) the right of the data subject to request rectification or erasure of personal data or restriction of processing thereof and to object to processing;
g) the right of the data subject to lodge a complaint with a supervisory authority;
h) and finally, whether Sileon uses automated decision-making to conduct creditworthiness assessments, as well as meaningful information about the logic and significance of the processing and the envisaged consequences of such processing for the data subject.
11.5 You have the right to request that Sileon rectify personal data that you believe is inaccurate and to submit supplementary personal data (in special cases) if you believe that the personal data Sileon has processed has given an inaccurate picture of you.
11.6 You have the right to request that Sileon delete your personal data. Sileon will then delete personal data that Sileon is not required to retain in order to comply with legal obligations. Sileon will also continue to process personal data in certain other cases, including when personal data must be processed according to the legal basis performance of contract. Sileon will always respond to you and explain its view on what personal data Sileon has the right to continue processing.
11.7 You have the right to data portability, meaning that Sileon, in its capacity as data controller, shall transfer your personal data to another when this is technically possible.
11.8 You have the right, for reasons relating to your specific situation, to object at any time to the processing of personal data relating to you based on a balance of interests including profiling based on these provisions. In that case, Sileon may no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms or if it is for the establishment, exercise or defense of legal claims.
11.9 You always have the right to lodge a complaint with the supervisory authority, the Swedish Authority for Privacy Protection (IMY).
11.10 If you wish to request a register extract, revoke a consent, or correct or delete data, please contact Sileon’s Data Protection Officer, who can be reached at: firstname.lastname@example.org.
Sileon’s contact information
102 64 Stockholm
This policy was established during the month of December 2015, and last revised during November 2022.