The party responsible for the processing of your personal data is one of the Gothia / Riverty entities in the following countries – Denmark, Finland, Norway, Sweden.

Please find name of legal entity and contact information applicable for you request in the bottom of this privacy policy under “If you have questions/contact”.

In order to fulfil our purpose in the processing of personal data, we process the following categories of personal data:

Name
Address details
Personal ID number
Contact details - e.g. email address and phone number
Personal information - information about your living situation that is relevant to the case
Financial information - e.g. income, expenses, debts
Purchasing information - e.g. which product has been ordered, how it was ordered and delivery address
Invoice information - e.g. invoice amount 
Payment information - information about payments you have made
Vehicle registration number
IP address
Bank account        
Special categories of personal data – only processed with consent
Convictions in criminal cases and violations - if necessary in order to confirm a legal claim
Representative (if relevant) - if you have a representative to represent you

In addition to the data that you yourself submit to us, we also collect data from other, so-called third parties, who are our clients, authorities and companies that provide personal data. 
We collect the following data from third parties: 

1) Names, address details, personal ID numbers, contact details, invoice information and payment information from our clients.

2) Address and contact details from public registers to make sure that we have the correct address details for you. 

3) Financial information from credit agencies and authorities, for example details of your income, expenses, potential credit commitments, records of non-payment and debt balance.

4) Personal ID numbers from public registers. We process personal ID numbers as little as possible and when it is clearly justified with regard to the purpose of processing, for example when we need to identify you for certain.

5) Personal information. We can obtain personal information about you from authorities in connection with an authority’s handling of, for example, debt relief cases.

Purpose
In order to achieve payment or other fulfilment or enforcement in an effective way.

Processing activities
Collection
Identification and age check. 
Analysis of how the case can be handled most effectively, which can involve a check against payment history and the collection of financial information.
Application for order to pay, enforcement, bankruptcy or other legal measure.
Debt relief.
Handling of payment. 
Address check. 
Sending of debt collection demand and other correspondence in the case.
Telephone contact.
Storage.
Checking contact details.
Disclosure of information to client.
Disclosure of information to authorities.

Categories of personal data
Names. 
Personal ID numbers. 
Payment information. 
Financial information.
Purchasing information (e.g. which product has been ordered or whether the product is to be delivered to another address). 
Invoice information.
Information you submitted to us in connection with contacts.
Financial information.
Login/User details.
Special categories of personal data.
Convictions in criminal cases and violations.
Representative (if relevant).
Personal information.

Legal basis
Performance of task in public interest. Debt collection activities constitute a matter of public interest in accordance with Article 6, 1, e, and the processing of personal data therefore takes place on this basis. 

Consent. In certain cases, special categories of personal data will be processed. Such processing will only take place if you have given consent for processing.

Storage period
The data will be purged within 36 months of completion of a debt collection assignment.

Automated decision-making
No.

Purpose
Evaluation and development of our procedures and systems in order to make sure that they are effective and appropriate, as well as statistics.

Processing activities
Analyses of the data used for the purpose. 

Anonymisation or pseuodonymisation of data, so that there is no longer any link to you as an individual. 

Categories of personal data
Age. 
Gender. 
Financial information
Payment information

Legal basis
Performance of task in public interest. Debt collection activities constitute a matter of public interest in accordance with Article 6, 1, e, and the processing of personal data therefore takes place on this basis in respect of development that is necessary for debt collection activities to be legal.

Legitimate interest pursuant to Art. 6, 1, f. Processing is necessary in order to fulfil our legitimate interest in being able to provide effective and appropriate services.

Storage period
The data will be purged within 36 months of completion of a debt collection assignment.

Automated decision-making
No.

Purpose
Analyses and calculations in connection with possible acquisitions of receivables

Processing activities
Personal data originating from receivables owned by Arvato Finance AB are matched against personal data in respect of people against which Arvato may possibly acquire receivables.

Categories of personal data
Personal ID numbers. 
Payment information. 
Financial information

Legal basis
Legitimate interest pursuant to Art. 6, 1, f. Processing is necessary in order to satisfy our legitimate interest in maintaining an effective business model.

Storage period
The data will be purged within 36 months of completion of a debt collection assignment.

Automated decision-making
No.

Purpose
Fulfilment of obligation in respect of accounting.

Processing activities
Storage and, if requested, disclosure of data necessary for accounting obligation.

Categories of personal data
Payment information. 
Purchasing information (e.g. which product has been ordered or whether the product is to be delivered to another address). 
Invoice information

Legal basis
Legal obligation. Processing is necessary in order to fulfil a legal obligation.

Storage period
Data is stored for seven years after full payment has been made.

Automated decision-making
No.

Purpose
To combat money laundering and financing of terrorism

Processing activities
Storage and, if requested, disclosure of data necessary to fulfil obligations in accordance with current legislation in this area.

Categories of personal data
Names. 
Personal ID numbers. 
Payment information. 
Purchasing information (e.g. which product has been ordered or whether the product is to be delivered to another address). 
Invoice information

Legal basis
Legal obligation. Processing is necessary in order to fulfil a legal obligation.

Storage period
Data is stored for five years after full payment has been made.

Automated decision-making
No

In certain cases we share your personal data with companies and authorities that Gothia Inkasso engages and uses for the fulfilment of the purposes described above. In addition, we will process data in anonymized form for analyses and for the purposes of product improvement and quality assurance. This non-personal data may also be made available to other companies of the Riverty Group for the same purposes. 

The parties to which we disclose data fall into two categories.

Processors

In certain cases we need to share your personal data with companies that are referred to as ‘processors’ for us. Companies that we engage as processors may only process the information on our behalf and in accordance with our instructions. All processing takes place in accordance with the purposes we have specified for the processing activities.

All processors we engage are checked to ensure that they meet the security requirements for the processing of personal data. We also conclude personal data processing agreements with all processors in order to further guarantee the secure processing of your data.

Controllers

We also share your personal data with companies (e.g. the company that engaged us) and authorities (e.g. the Swedish Enforcement Authority, the Swedish Tax Agency) that are themselves controllers. The fact that they are controllers means that it is they who decide how the information is to be processed. In certain cases we may be obliged by law to disclose personal data.

When your personal data is shared with a company or authority that is a controller, it is their Personal Data Policy that applies. We do not disclose data to companies or authorities that do not comply with current laws for the protection of personal data.

We do not sell your personal data to a third party. Furthermore, we do not pass on your data to a third party for direct advertising, distance selling or other forms of direct marketing, opinion surveys or market surveys.

It is our aim at all times that your personal data shall be processed within the EU/EEA. If we transfer your data outside the EU/EEA, we make sure that the data is processed in the best possible way. Any transfer will only take place if there is an adequate protection level, or suitable protective measures, for example binding company provisions, standardised data protection provisions, an approved code of conduct or internal company rules.

We use the latest technology to keep your data secure. This means that we use all necessary technical and administrative security measures in order to protect your information against unauthorised access, transfer, destruction or other unauthorised processing. These security measures include firewalls, encryption, use of secure IT areas, correct access control, training of personnel who process your information and the careful selection of subcontractors. Furthermore, the right to have access to your information is limited to Riverty personnel who process the information in their work.

You have a number of rights in connection with our processing of your personal data. These rights are set out in current legislation in the area and mean that you have the right to:

Access. You always have the right to know whether we are processing personal data relating to you and in such cases to have access to the personal data.  You have the right to receive a copy of the personal data being processed. This information is issued in an extract from a register, which also states the purpose, categories of personal data, categories of recipients, storage periods, your rights, information about where the data was collected and the existence of automated decision-making as well as protective measures in the event of transfer to a third country.

For your security, we may need additional information from you in order to make sure that it is you who have requested access to the data and so that we can provide you with the data in a secure way.

Rectification. You have the right to have incorrect personal data relating to you rectified. You also have the right, with due regard to the purpose of processing, to supplement incomplete personal data.

Erasure. In the following cases, you have the right to have your personal data erased:

• Data that is no longer necessary for the purposes for which it was collected or processed in any other way. 
• If you revoke consent that had been given and there is no other legal basis for the processing activity.
• If you object to the processing of your personal data performed by us with a legitimate interest as legal basis. This requires that there is no justifiable reason for processing that outweighs your grounds for objection. 
• You object to the processing of your personal data for the purpose of direct marketing.
• If your personal data has been processed in an illegal way.
• If the personal data must be erased in order to fulfil a legal obligation that we are bound to observe.

It is not certain that we can comply with your request to have your personal data erased. For example, if data is needed in order to meet a legal obligation by which we are bound, to perform a duty in the public interest or the data is needed in order that we can confirm, lodge or defend legal claims.

Restriction. You have the right to demand that we restrict the processing of your personal data in the following cases:

• If you claim that the personal data we are processing about you is not correct, the processing activity shall be restricted during the time that we check whether the data is correct.

• If the processing of personal data is illegal and you oppose the erasure of the personal data and request instead that processing be restricted.

• If we no longer need the personal data for the purposes of the processing activity, but you need it in order to confirm, lodge or defend legal claims.

• If you have objected to the processing of your personal data that we are processing with a legitimate interest as the legal basis, you have the right to restricted processing during the time

• that we check whether our legitimate reasons outweigh yours.

If the processing of your personal data has been restricted, apart from storing your personal data, we may only process it, with your consent, to confirm, lodge or defend legal claims, to protect another natural or legal person, or for reasons relating to an important public interest.

Data portability. You have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller and, if it is technically possible, the right to transfer directly from us to another controller. This is on the condition that we are processing the personal data with consent or fulfilment of agreement as a legal basis and that the processing activity is automated.

Right to lodge objections. You have the right to lodge objections against the processing of your personal data that is being processed with the fulfilment of a duty of public interest or fulfilment of agreement as the legal basis, including profiling. If you object to such processing, we may no longer process your data unless we can provide binding, legitimate reasons that outweigh your interests, rights and freedoms, or if we are processing your personal data in order to confirm, lodge or defend legal claims.

You have the right at all times to object to the processing of your personal data for the purpose of direct marketing, including profiling in connection with direct marketing. 

Cookies are used on our website. Cookies are small text files that are saved to your computer when visiting a website.

This website uses two types of cookies: required cookies and function-based cookies. The required cookies are used to ensure the website functions smoothly from a technical and functional perspective (e.g. identification and authentication of the user, language settings, displaying visual recordings). Without the required cookies, the website services will only be available on a limited basis. The functional cookies help the optimisation of the website services, whereby the user behaviour is logged and analysed in a statistical form. We have a legitimate interest according to GDPR art. 6.1 (f) to use required and functional cookies on our website. Therefore, a cookie consent management is not required.

We are continually developing our business and reserve the right to make changes to our Personal Data Policy. Such changes, which can be based on changes in current legislation, are announced here. We therefore recommend that you read our Personal Data Policy regularly.

If you have any questions about our handling of your personal data, you are welcome to contact us. You can write to us or contact the supervisory authority for matters relating to personal data. You also have the right to lodge a complaint with the supervisory authority if you are dissatisfied.

Contact Riverty:

Sweden:
Riverty Sweden AB
Personuppgiftsansvarig 
Box 1143 
432 15 Varberg 
info.se@riverty.com

You can also contact our Data Protection Officer:

att: Data Protection Officer
Box 1143 
432 15 Varberg 
dataskydd.se@riverty.com

Norway: 
Gothia AS 
v/ Personvernombud 
Postboks 115
7901 Rørvik
personvernombud@gothiagroup.com 

FInland: 
Riverty Finland 
PL 414
00101 Helsinki 
Puhelin +358 (0) 20 7229 440
Sähköposti: tietosuoja.fi@riverty.com 

Denmark: 
Gothia A/S 
Persondataansvarlig 
Østbanegade 55, 2. 
2100 København Ø 
mail: info@gothia.dk

You can also contact our Data Protection Officer:
Gothia A/S 
att: Data Protection Officer
Østbanegade 55, 2.
2100 København Ø 
mail: persondata@gothia.dk

Contact the supervisory authority:

Sweden:
Integritetsskyddsmyndigheten
Box 8114
104 20 Stockholm

Norway: 
Datatilsynet 
Postboks 8177 Dep. 
0034 Oslo

Finland: 
Tietosuojavaltuutetun toimisto
PL 800, 00521 Helsinki
Puhelin: 029 56 66700
Sähköposti: tietosuoja@om.fi 

Denmark:
Datatilsynet
Borgergade 28,5
1300 København K