Cookie & Privacy Policy

1 Introduction

This privacy statement ("Privacy Statement") has been prepared by ZTL Payment Solution AS ("ZTL", "we", or "us") to ensure that you receive the information we are required to provide to you- and which is necessary for you to exercise your rights under the General Data Protection Regulation (the "GDPR") and Norwegian data protection legislation (together "data protection legislation"). 
This Privacy Statement describes how we process personal data about you, the purpose of our processing activities, and the legal basis for our processing activities. This Privacy Statement also describes your rights in connection with our processing of your personal data under applicable data protection legislation. 

2 Personal data

Personal data means any information relating to an identified or identifiable natural person (a "data subject"). Your name, phone number, address and e-mail address are examples of information which is generally regarded as personal data.

3 ZTL’s responsibility as a controller

Our processing of your personal data is described in Section 4 below. We will act as a controller when we process this personal data. 
 

4 Our processing of personal data

4.1 Processing activities and the purpose of the processing activities
The following list includes information about the personal data which we process, and the purposes which the personal data is processed for:
Payment services: We process personal data about our customer's employees, counterparties, representatives, beneficial owners and close associates of these, in order to administer and fulfill the agreements we have entered into with our customers and our regulatory obligations. Such personal data includes the data subject's name, social security number, telephone number, email, address, copy of the data subject's ID, account details etc.
We may, depending on the circumstances, also process other categories of personal data, and/or the above listed personal data for other purposes. This may for example be the case if you contact us with questions or comments. You may at any time request confirmation and/or information regarding the personal data which we process about you, by contacting us as described below.

4.2 The sources we obtain personal data from
We collect the personal data described in Section 4.1 above from the following sources:
Publicly available and other external sources, including: 
registers held by governmental agencies (such as the Norwegian Register of Business Enterprises (Enhetsregisteret), population registers (Folkeregisteret) and registers held by tax authorities, enforcement authorities, etc.); 
sanction lists (held by international organizations such as the EU and UN as well as national organizations such as Office of Foreign Assets Control (OFAC) and Office of Financial Sanctions Implementation HM Treasury (OFSI)); and
registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.  
Our customer’s representatives and contact persons. 

5 Our legal basis for processing personal data

We will rely on the following legal basis for our processing of the above described personal data:

5.1 Performance of a contract (Article 6(1)(b) GDPR) 
We may process your name, phone number, email, address, social security number, copy of your ID, account details, and similar information on the basis that such processing is necessary for the performance of a contract to which you are a party. 
Some examples of necessary processing for the performance of a contract are: 
processes needed to start using our payment services or account information services;
customer service during the contract period; and
possible establishment, exercise or defense of legal claims and collection procedure.
If you are not part of a contract with us, our processing of personal data in connection with the performance of the contract is based on our legitimate interests, as further described in section 5.3 below. 

5.2 Compliance with legal obligations (Article 6(1)(c) GDPR)
We process your name, account information, payment details, and other personal data that may necessary to comply with our legal obligations.
Some examples of our processing due to legal obligations are:
Know Your Customer requirements
Preventing, detecting, and investigating money laundering, terrorist financing, and fraud
Sanctions screening
Bookkeeping in accordance with applicable laws and regulations
Reporting to tax authorities, police authorities, enforcements authorities, supervisory authorities
Payment service requirements and obligations

5.3 Legitimate interests (Article 6(1)(f))
We may process your name, telephone number, email, address, account information, payment details, and similar information on the basis of our legitimate interests in documenting, administering and completing tasks under or in connection with an agreement we have entered with our customers and partners. 

6 Do we transfer or disclose data to third parties?

We use external service providers to assist with IT services and other administrative services, as well as co-operating with accounting systems (ERP systems). These service providers will act as processors on our behalf. We have entered into data processing agreements with our processors which contain obligations for the data processor to implement technical and organizational measures to ensure an appropriate level of security, confidentiality and integrity for the personal data, as well as to only process the relevant personal data in accordance with the data protection legislation and our instructions.
We will not disclose your personal data to any other third parties than the third parties described above, unless we are required to do so under applicable law, or if it is necessary in order to establish, exercise or defend legal claims.

7 Data retention

We will keep your data for as long as they are needed for the purposes for which your data was collected and processed or required by laws and regulations. 
This means that we keep your data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. Where we keep your data for other purposes than those of the performance of a contract, such as for anti-money laundering and bookkeeping requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.

8 Your data protection rights

Under the data protection legislation, you have certain rights we need to make you aware of. You have the following rights in connection with our processing of your personal data: 

​

• Access: You may contact us if you want to obtain confirmation with respect to whether or not we are processing your personal data, as well as access to and further information regarding our processing of your personal data. You may also request a copy of the personal data we are processing about you. 

• Rectification: You may request us to rectify and/or complete inaccurate or incomplete personal data. 

• Erasure: You may request that we delete your personal data. We will respect and comply with your request insofar as there are no other legal obligations or overriding legitimate interests requiring further retention, or the personal data is necessary for the establishment, exercise or defense of legal claims. 

• Restriction of processing: You may also request the restriction of our processing of your personal data in accordance with data protection legislation. If the processing has been restricted, such personal data will, with the exception of storage, only be processed with your consent, for the exercise or defense of legal claims, the protection of the rights of another person, or for reasons of important public interest. 

• Right to object: You are entitled to object to certain processing activities, including for example processing of your personal data for marketing purposes. You are furthermore, on grounds relating to your particular situation (for example, a specific need for protection of your identity), entitled to object to processing of personal data based on legitimate interests, which we will comply with, unless there exists compelling legitimate grounds for our processing which override your interest, or if our processing is necessary for the establishment, exercise or defense of legal claims. 

• Data Portability: If we process your personal data based on consent or based on our performance of a contract, and the processing is carried out by automated means, you may request us to transfer the personal data to you or another controller, in a structured, commonly used and machine-readable format.

​

Certain limitations exist in the rights provided by the data protection legislation and the rights available to you will depend on the particular circumstances of the processing. You can find more information on this topic on Norwegian Data Protection Authority's website, which is linked below. 
Please contact us as described below if you wish to invoke your rights. Please also note that we may request additional information from you if such information is necessary to confirm your identity. 

9 Security

As a controller, ZTL is responsible for the security and confidentiality of the personal data we process. Keeping your personal data safe and secure is at the center of how we do business. We use appropriate technical, organizational and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction.

10 Lodging complaints – The Norwegian Data Protection Authority and other supervisory authorities

You may contact us at any time if you have any questions or complaints regarding our processing of your personal data. You may also file a complaint to the Norwegian Data Protection Authority, or a data protection authority in the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged data protection infringement. The Norwegian Data Protection Authority is responsible for supervising Norwegian organizations' processing of personal data.
You can obtain the contact details of the Norwegian Data Protection Authority on the following website: www.datatilsynet.no. You will also find more information on your rights and the data protection legislation on this website.

11 Changes

We may, from time to time, update this Privacy Statement for example due to changes in our processing activities, applicable data protection legislation or other legislation which may affect our processing of personal data. An updated version of this Privacy Statement will be published on our website if any revisions to the Privacy Statement is made. 

12 Contact information

ZTL has designated a data protection officer (DPO) (Nw: personvernombud) to advise and monitor our compliance with the data protection legislation. The DPO is the Legal Director of ZTL. The contact information for our DPO is the same as below.
If you have any questions about this Privacy Statement, including how we process personal data, or would like to submit a request to exercise your rights, please contact us at:

ZTL Payment Solution AS

Kristian IVs gate 15, 0164 Oslo

E-mail: hello@ztlpay.io

Ph: + 47 9811 3838