12/08/2023
1. Introduction
Your personal privacy is important to us and your personal data is therefore processed securely and in accordance with the current rules.
This Privacy Policy explains how we collect and use your personal data when you use Sambla’s loan and insurance brokerage services (individually referred to as the “Service”, and collectively the “Services”), when you are a member of Sambla Plus (“PlusTjänsten”) or when we process personal data about you in other circumstances. It also describes your rights and how you can exercise these rights.
The data controller for the processing of personal data under the Sambla brand is Sambla Group AB, corp. reg. no. 556974-8378, Box 5300, 102 46 Stockholm. This means that Sambla Group AB is responsible for ensuring that your personal data is processed in accordance with the applicable data protection legislation, i.e. the General Data Protection Regulation (“GDPR”) and supplementary national legislation.
You can always contact us if you have any questions about our processing of your personal data by sending an email to kundtjanst@sambla.se.
2. Important terms
Personal data means any information that can be linked to a person, either directly or indirectly in combination with other information. Examples of personal data include personal ID number, name and address and IP address.
The processing of personal data means an action or combination of actions regarding your personal data, regardless of whether they are performed automatically or not. Examples of personal data processing include when we collect, register, store or work with your personal data.
3. What information do we collect and what do we do with it?
3.1 How do we collect information about you?
Here we summarize what kind of personal data we collect and process about you. Later in the policy, you can read in more detail how we process your data in different contexts.
Information that you send to us yourself (when you use our services)
You actively submit personal data to us when you use the Service or contact us, for example your name, personal ID number and address details for you and any co-applicant, income and form of housing, etc. We process this data in order to provide the Service, as well as PlusTjänsten if you have chosen to become a member of this.
Information that we collect from other sources
If you are not a customer of ours: If you are not our customer, we may collect information about you from address suppliers, such as your name, telephone number and address, for the purpose of providing you with marketing by telephone and post.
If you are a customer: When you apply for loan brokerage from us, we obtain credit information about you from the credit reference agency UC AB. We do this so as to be able to offer you the Service. In some cases, some of the lenders we work with may obtain credit information about you from another credit reference agency, such as Bisnode, to ensure that the information provided is correct.
When you visit our digital channels: We collect technical data when you visit our digital channels (such as our website), which can include the URL, which is your unique access to your login page, your IP address, unique device ID, user history, type of browser, language and information about identification and operating system. We do this in order to simplify, improve and develop the Service and PlusTjänsten, as well as to ensure that the Service is used in the correct way. Such information is partly collected via cookies. You can read more about how we use cookies and how you can decline cookies in our Cookie Policy, which is available on our website www.sambla.se.
3.2 Personal data processing in connection with loan brokerage
Here we describe what personal data we process in connection with loan brokerage, the purpose for which we process the data and what legal grounds we have for the processing, as well as how long we store your personal data.
The purpose of the processing – what we do and why | Types of personal data used for the purpose, as well as where it comes from See section 3.1 for more information. | Legal grounds for processing personal data in accordance with the GDPR. | How long we store your personal data for different types of processing. |
In order to register and administer your loan application for the purpose of providing the Service to you in accordance with our User Agreement, including presenting loan offers from the lenders we work with and complying with our agreements with any lender you enter into a loan agreement with. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. If you stop using our service, we will store your data for a further five years, pursuant to the Act (2017:630) on Measures against Money Laundering and Terrorist Financing. |
In order to perform an ID check and a PEP (politically exposed person) check on you and to check that you do not appear on the EU sanction lists, with a view to ensuring that we have the right to provide the Service to you. |
|
We are legally required to confirm our customers’ identity (Article 6(1)(c) GDPR). (Act (2017:630) on Measures against Money Laundering and Terrorist Financing). | We store your data for five years after an application has been made, pursuant to the Act (2017:630) on Measures against Money Laundering and Terrorist Financing. |
In order to analyze information in the loan application, as well as credit information, for the purpose of determining whether you are entitled to a loan. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
In order to transfer the loan application to the lenders we work with and whose basic requirements for borrowers you meet |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
In order to contact you by email, SMS, telephone and post for the purpose of administering the Service |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
In order to record telephone calls for the purpose of documenting and ensuring any agreements and consent with you and to improve our communication. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR).
The processing is based on a balance of interests (Article 6(1)(f) GDPR). Sambla has determined via a balance of interests that we have a legitimate interest in being able to store recorded calls for training purposes. |
We store recorded calls for 12 months. |
In order to handle customer-service matters and complaints that you have contacted us about. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues until the case is closed. We then store your personal data relating to the case for a further two years, so as to have access to the history and the result of the complaint. |
In order to prevent, reveal and counteract fraud and misuse of the Service. |
Any other information we need. |
The processing is based on a balance of interests (Article 6(1)(f) GDPR). Sambla has determined via a balance of interests that we have a legitimate interest in processing personal data in order to counteract fraud. | The processing continues for as long as you use our service. |
In order to maintain, develop, test and improve our Service and the technical platforms on which it is provided. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
3.3 Personal data processing in connection with insurance brokerage
Here we describe what personal data we process in connection with insurance brokerage, the purpose for which we process the data and what legal grounds we have for the processing.
The purpose of the processing – what we do and why | Types of personal data used for the purpose, as well as where it comes from See section 3.1 for more information. | Legal grounds for processing personal data in accordance with the GDPR. | How long we store your personal data for different types of processing. |
In order to register and administer your insurance application for the purpose of providing the Service to you in accordance with our agreement. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. If you stop using our service, we will store your data for a further five years, pursuant to the Act (2017:630) on Measures against Money Laundering and Terrorist Financing. |
In order to transfer insurance information to the insurance company. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
In order to contact you by email, SMS, telephone and post for the purpose of administering the Service. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
In order to record telephone calls for the purpose of documenting and ensuring any agreements and consent with you and to improve our communication. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR).
The processing is based on a balance of interests (Article 6(1)(f) GDPR). Sambla has determined via a balance of interests that we have a legitimate interest in being able to store recorded calls for training purposes. |
We store recorded calls for 12 months. |
In order to handle customer-service matters and complaints that you have contacted us about. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues until the case is closed. We then store your personal data relating to the case for a further two years, so as to have access to the history and the result of the complaint. |
In order to maintain, develop, test and improve our Service and the technical platforms on which it is provided. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
We use automated decision-making
Automated decision-making refers to a decision that is made solely on the basis of the automated processing of your personal data. We and the lenders we work with use automated decision-making when you use the loan brokerage service. This means that the information about you and any co-applicant that you have provided, and the information that we obtain via a credit check, is automatically matched with the basic requirements for borrowers that our affiliated lenders apply to the granting of a loan, such as income, form of employment, loan amount applied for and similar information. If you do not meet the basic requirements of a specific lender, your application will be screened out automatically and not forwarded to the lender.
In some cases, you have the right to request a manual decision process. In such cases, please contact us using the contact details below. You can also approach the different lenders for more information about how they use automated decision-making and if you have any questions about how the different lenders process personal data.
The purpose of automated decision-making is to be able to provide a fair and correct loan brokerage service, and it is necessary in order for us to be able to comply with the agreement that we have entered into with you. If you have an objection to an automated decision that we have made, please contact us at kundtjanst@sambla.se.
3.5 Personal data processing in connection with PlusTjänsten
Here we describe what personal data we process in connection with PlusTjänsten, the purpose for which we process the data and what legal grounds we have for the processing.
The purpose of the processing – what we do and why | Types of personal data used for the purpose, as well as where it comes from See section 3.1 for more information. | Legal grounds for processing personal data in accordance with the GDPR. | How long we store your personal data for different types of processing. |
In order to administer your membership. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR). | The processing continues for as long as you use our service. |
In order to send information, offers, marketing and newsletters via post, telephone, SMS and email in accordance with our terms and conditions for PlusTjänsten. |
|
The processing is necessary so that we can fulfil our agreement with you (Article 6(1)(b) GDPR).
The processing is also based on a balance of interests (Article 6(1)(f) GDPR). Sambla has determined via a balance of interests that we have a legitimate interest in processing personal data for analytical purposes so as to be able to improve our service. |
The processing continues for as long as you use our service. |
3.4 Personal data processing in connection with marketing
Here we describe what personal data we process in connection with marketing, the purpose for which we process the data and what legal grounds we have for the processing.
What personal data is processed
If you are not a customer of ours:
- Name
- Date of birth
- Contact details (e.g. address, telephone number)
- Information about income, payment defaults etc.
If you visit our websites:
- IP address and other technical data
- Information about you that is collected through cookies
If you are a customer or a member of PlusTjänsten:
- Name
- Date of birth
- Contact details (e.g. address, telephone number, email address)
The purpose of the processing
If you are not a customer of ours:
- In order to contact you by telephone and to send directly addressed post for marketing purposes.
- In order to analyze and evaluate marketing mailings.
- In order to avoid directing marketing at persons who we consider could not or should not be customers (the data is deleted immediately after the checks).
If you visit our websites:
- In order to create lookalike target groups and customized target groups on Facebook based on your selections and preferences for the purpose of providing you with relevant advertisements through Facebook.
- In order to create similar audiences and customized target groups on the Google Adwords advertising network based on your selections and preferences for the purpose of providing you with relevant advertisements through Google.
- In order to analyze and evaluate marketing mailings.
If you are a customer or a member of PlusTjänsten:
- In order to send marketing to you by email, SMS, telephone and directly addressed post.
- In order to analyze and group our customers according to certain choices and preferences (so-called profiling) for the purpose of providing you with relevant and adapted information.
- In order to analyze and evaluate marketing mailings.
Legal grounds for processing
We can process your personal data because we have a legitimate interest in marketing our Service.
If you have chosen to be a member of PlusTjänsten, when we provide you with customized marketing and offers, we will process your personal data in order to fulfill our agreement with you concerning PlusTjänsten.
Our reasoning on marketing
It is important to us that only those who actually wish to receive our marketing, offers and informational mailings receive them. We set out our reasoning below and also provide information on how you can opt out of future marketing.
If you are not a customer – We will only contact you by post or telephone. If you do not wish to receive our marketing by post or telephone, you can contact us at kundtjanst@sambla.se and we will register you on our block list. Please note that in such cases, we will keep your name and contact details for the purpose of ensuring that we do not contact you again. You can also register with the NIX registry, www.swedma.se/reklamsparr, if you do not wish to receive marketing by post or telephone.
If you are, or have been, a customer of ours – If you are, or have been, a customer of ours, we may contact you regarding our offers by post, telephone, SMS text or email. You can opt out of future marketing via a link contained in every marketing email or SMS, or you can contact us at kundtjanst@sambla.se. We will only send marketing by email or SMS for up to a year after you have ceased to be a customer, unless you continue to subscribe to our newsletter or are a member of PlusTjänsten.
If you subscribe to our newsletter or are a member of PlusTjänsten – If you subscribe to our newsletter or are a member of PlusTjänsten, we may contact you regarding our offers by post, telephone, SMS or email until you unsubscribe from the newsletter or cancel your membership of PlusTjänsten. You can opt out of future marketing via a link contained in every marketing email or SMS, or you can contact us at kundtjanst@sambla.se.
We use profiling
We use profiling for marketing purposes. This is done, for example, by creating lookalike target groups and customized target groups on Facebook and by creating similar audiences and customized target groups on the Google Adwords advertising network. The purpose of profiling is to provide you with information and marketing that we think you will appreciate. The profiling is based on personal data about you that we have collected (such as address and age). Based on this information, we place you in a customer group (e.g. persons aged 20–30 in area x) and customize marketing to you based on the customer group in which you have been placed.
4. Who could we share your data with?
We take all reasonable contractual, legal, technical and organizational measures to ensure that your personal data is processed in a secure way and with an adequate level of protection when it is transferred to or shared with selected third parties. Such third parties may be:
Suppliers. Certain suppliers of ours may receive your personal data, such as suppliers who provide IT services, for example, or who assist us with marketing, analysis or statistics.
Credit reference agencies and similar suppliers. Your personal data may be shared with credit reference agencies in order to assess your credit rating when you use our loan brokerage service. Your personal data may also be shared with suppliers of services for identity referencing and the prevention of fraud, so as to confirm your identity and address and to protect you from fraud.
Government agencies. We may provide necessary information to the police, Finansinspektionen or other government agencies if we are legally obliged to do so. For example, we are legally obliged to provide information for measures to prevent money laundering and the financing of terrorism.
Lenders. In a loan comparison, we forward your application to the lenders we work with and whose basic requirements are consistent with your application. The lenders that receive your application are the data controllers for their own processing of your personal data. Information on the lenders that we work with may be found on our website.
Insurance providers. When you take out an insurance product, we send the insurance data to the insurers that we work with. Information on the insurers that we work with can be found on our website.
Group companies. We may share data with other companies in our group for the purpose of streamlining internal processes and compiling joint statistics.
Divestment. In the event that we sell or buy companies, we may send your personal data to a potential seller or buyer of such a company. If we or a substantial part of our company is acquired by a third party, personal data about our customers may be shared. Before such data sharing takes place, we will ensure that appropriate confidentiality measures are in place.
Collaborative partners. we may share the personal data with partners who offer insurance services.
5. Where do we process your personal information?
We primarily process your personal data within the EU/EEA. In exceptional cases, personal data may be transferred to and processed in a country outside the EU/EEA, known as a third country. Companies that process personal data on our behalf always sign a data processing agreement with us to ensure an equivalent level of protection for your personal data, as required by the GDPR. With regard to partners outside the EU/EEA, special protective measures are taken, for example by signing an agreement that includes the European Commission’s standard model clauses for data transfer, the purpose of which is to ensure a level of protection for your personal data that is equivalent to the protection that is offered within the EU/EEA.
6. How long do we store your personal data?
Your personal data is only stored for as long as necessary for the purpose of processing or if we are required to keep the data under applicable legislation. In the sections above for each type of processing, you can find specific information about how long we store your personal data for each type of data processing.
- Personal data that is needed in order to deliver our Services will be kept for as long as necessary in order for us to fulfill our agreement with you and then for a further five years thereafter. We are required by law to keep some data for a defined period, for example in order to comply with the requirements of the Bookkeeping Act, the Money Laundering Act and other statutory requirements that we have as loan and insurance brokers, after which the data will be deleted.
- Personal data that is needed in order to fulfill our agreement with a specific lender will be kept for as long as the data is necessary in order for us to fulfill our agreement with the lender.
- Personal data that we use to send direct marketing to persons who are not customers is only used for the marketing in question and then deleted.
- Personal data that is processed to provide you with PlusTjänsten is stored for as long as you are a member. If you cancel your membership, we will delete your data at the earliest opportunity.
- Communications with you regarding customer services matters and complaints are stored for as long as the case is active or for so long as they are needed for us to defend ourselves from legal claims and are then deleted one year thereafter.
- We may keep anonymized data, i.e. data that cannot be connected to you as a person, for analysis and statistical purposes for up to five years, after which the data is deleted.
7. What are your rights?
Right to access to your data
You can request a copy of your data if you wish to know what data we have about you. This is known as a register extract.
Right to rectification
You have the right to have incorrect personal data about you corrected or to have incomplete personal data about you supplemented.
Right to be deleted
You have the right to request the deletion of certain personal data. This right is limited to data that, by law, may only be processed with your consent, if you withdraw your consent and object to the processing. If you wish for us to delete such personal data, please email us at kundtjanst@sambla.se. Kindly use ‘Request for Deletion’ as the subject line. To process your request, we need you to provide: phone number, email, and personal identification number, or alternatively, request a callback for identification via BankID. Please note that if you have used the company’s services, we may need to retain your personal data for different periods depending on its purpose and the legal requirements regarding how long we must retain it, as outlined in our Data Protection Policy. Once the purposes for processing have been fulfilled, the personal data will be deleted.
Right to restriction of processing
You have the right to request that the processing of your personal data is restricted, for example if you object to the accuracy of the data.
Right to object
Where we consider that we have a legitimate interest in processing your personal data, you can object to such processing at any time. If you choose to make such an objection, we will no longer be able to process your personal data for this purpose unless we can demonstrate a legitimate interest in the processing. Such a legitimate interest must carry more weight than your interest in not having your personal data processed for reasons of privacy. You can also always object to processing that we perform for direct marketing purposes.
Right to data portability
You have the right to receive and/or require the personal data that you have provided to us yourself to be transferred to another data controller. The personal data must be in a structured, commonly used and machine-readable format. It is a precondition for data portability that the transfer is technically possible and can be done in an automated manner.
Right to submit a complaint
If you have any viewpoints or complaints regarding our processing of your personal data or if you wish to exercise any of your rights, you are welcome to contact us at kundtjanst@sambla.se.
In the unlikely event that we are unable to find a solution together, you can direct your complaint to Integritetsskyddsmyndigheten, which is the supervisory authority for the processing of personal data:
Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm
Email: imy@imy.se
Telephone: 08-657 61 00
Website: www.imy.se
8. Amendments to the Privacy Policy
We reserve the right to amend and update our Privacy Policy. The most recent version can always be found on our website www.sambla.se. In the case of updates that are of crucial significance for our processing of your personal data, you will receive information about the changes on our website in good time before the updates come into force. If you have any views on our processing of personal data as a result of the updates, you are welcome to contact us at kundtjanst@sambla.se.