Privacy Notice - Invoice Payers

Respect for the privacy of the individual is important to us at Billogram and we work proactively to protect the personal data that we process. All personal data is processed in accordance with the GDPR and other applicable data protection legislations. This document contains information about how we as a data controller process personal data when you pay an invoice through our service.

In this document, we describe how and for what purposes we process your personal data, the lawful basis for the processing and what measures we take to protect your personal data. We also describe how you can invoke your rights in respect of our processing of your personal data.

Billogram’s role when processing your personal data

Billogram provides a billing and payment service. When it comes to processing of personal data, Billogram has different roles for the different parts of our service.

Billogram as controller

This Privacy notice describes the processing when we act as the controller, i.e. when we are the party that decides the purposes (why the processing shall take place) and the means (the methods, which personal data to be processed and for how long it should be stored). Billogram processes your personal data as a controller only within the framework of our licensed payment service operations, in other words processing related to when we receive the payment from you and transfer the payment to the invoice issuer.

Data controller is Billogram AB (corporate registration number 556801-7155), headquartered at Klara Södra Kyrkogata 1, SE-111 52 Stockholm, Sweden.

If you have questions about how we process your personal data or wish to invoke any of your rights, you can always contact us at support@billogram.com

Billogram as processor

For other personal data processing within our billing service, we act as a data processor for the company where you are a customer. In our role as processor, we process your personal data only in accordance with the instructions of the invoice issuer. If you have questions about how your personal data is processed or would like to invoke your rights in respect of billing and payments outside the scope of this Privacy notice, you should contact the invoice issuer where you are a customer.

General information about our personal data processing

In this section, we describe general principles governing our personal data processing and how we meet the requirements when we process your personal data.

Lawful basis

According to the GDPR, the controller must have a lawful basis for the processing of personal data. We base our processing of your personal data on the following lawful grounds:

- Legal obligation: Processing of your personal data is necessary for us to meet the legal requirements imposed on us.

- Legitimate interest: we have undertaken a legitimate interest assessment and determined that our interests in processing your personal data outweigh your right not to be covered by the processing.

For how long do we store your personal data?

We save your personal data only for as long as necessary for the purpose for which it was collected. Depending on the lawful basis, the storage period may be governed by legal requirements or be determined by an internal legitimate interest assessment. In the section “How your personal data is processed” below, we specify the criteria for when the purpose ceases and thus the time when we no longer process your data.

When we share your personal data with others

We may share your personal data with others in order for us to perform any of the processing described in this notice, for example for storage of data. We always enter into Data processing agreements with the data processors we use, in which we, among other things, give the processor instructions on how the personal data may be processed and what security measures are required for the processing. The processor may not carry out any processing of your personal data that goes beyond these instructions.

If required by law, decree, regulation, government decision or other ruling binding on Billogram, we may disclose your personal data to various authorities, such as the Swedish Police Authority.

Transfer of personal data outside the EU/EEA

In case of personal data transfers to countries outside the EU/EEA, we implement safety measures to ensure that the level of security is adequate and in accordance with the GDPR. Such safety measures include, inter alia, ensuring the following:

- The European Commission has decided that the third country to which your personal data is transferred achieves an adequate level of protection, in other words, that the protection of your personal data is equivalent to the requirements of the GDPR, or

- The European Commission’s standard contractual clauses have been signed between Billogram or its processors, as applicable, and the recipient outside the EU/EEA, meaning that we have entered into an agreement with the processor to ensure that your personal data is protected in accordance with the GDPR. In these cases, we also assess whether there is legislation in the recipient country that affects the protection of your personal data. Where necessary, we take special measures to ensure that the protection of your data remains in place when transferring it to the relevant country outside the EU/EEA.

About profiling and automated decisions

In the GDPR there are specific requirements regarding profiling and automated decisions. “Profiling” means an automated processing of personal data to evaluate certain personal characteristics and behaviors, for example, by analysing or predicting personal preferences. “Automated decisions” means that certain decisions, having a significant effect on you, are completely automated, without any real persons being involved.

When processing your personal data, Billogram does not perform any profiling or automated decisions.

How your personal data is processed

The table below defines the personal data we process and for what purpose, where the data has been collected, the lawful basis for our processing, when the purpose of the processing ceases and, the basis for the assessment of the storage period (in brackets).

Purpose	Personal data	Source	Lawful basis	When the purpose ceases
Purpose To carry out transactions within our payment service	Personal data Name, Bank, Bank account number, Payment details	Source Incoming payments: Your bank Outgoing payments: the invoice issuer	Lawful basis Legal obligation - Swedish Payment Service Act (2010:751)	When the purpose ceases 5 years after the payment is made (regulatory requirement)
Personal data Identification number or date and place of birth	Source Your bank
Purpose To prevent, discover, investigate and	Personal data Name, Address, Payment details	Source Your bank	Lawful basis Legal obligation - Swedish Act (2017:630) on measures against money laundering and financing of terrorism	When the purpose ceases Minimum five years and up to ten years from the completed transaction. (regulatory requirement)
Personal data Invoice details	Source The invoice issuer
Personal data Case details	Source Billogram
Purpose To perform sanctions screening to detect, prevent, manage, and mitigate financial crime risks	Personal data Name, Country information, Identification number or date and place of birth	Source Your bank	Lawful basis Sanctions legislation issued by the EU and, UN: Legal obligation. Sanctions legislation issued by OFAC*: Our legitimate interest to ensure that we do not provide service to any party registered on sanction lists.	When the purpose ceases When you no longer conduct payments through our service or, if an errand arises, five years after the errand is handled (the time we deem necessary to be able to prove our compliance with sanction regulations).
Personal data Case details	Source Billogram
Purpose To handle incoming data subject requests and data breaches in accordance with data protection legislation	Personal data Name, E-mail address, Address, Communication information	Source From you	Lawful basis Legal obligation - General Data Protection Regulation (EU 2016/679)	When the purpose ceases Three years after the data subject request or data breach has been handled and documented (the time we deem necessary to be able to proof our handling of a data protection issue)
Personal data Case details	Source Billogram

Processors we share your personal data with

To fullfil the purposes described above we may share your personal data with other parties. In the table below, we indicate the data processors we may use when processing your personal data. The processing is carried out only within the EU/EEA, in other words the processing does not entail any third country transfer of your personal data.

Data processor	Instruction (area of application)
Data processor Amazon Web Services (AWS)	Instruction (area of application) Platform hosting and storage
Data processor Softronic (CM1)	Instruction (area of application) System for anti-money laundering and terrorism financing measures, and sanctions screening
Data processor DPOrganizer	Instruction (area of application) System for data protection handling

Your rights

According to the GDPR, you as a data subject have several rights that you should be aware of. You can invoke any of your rights by contacting us through the contact channels below. Within the framework of our processing of your personal data, you have the following rights:

You have the right to request a record extract of the information recorded about you.
If the data we hold on you is incorrect, you have the right to have it corrected.
You have the right to have your personal data deleted, provided that we do not need to process them for the purposes for which they were collected, for example, for example when we have a legal obligation to continue processing the data.
If you believe that the data is incorrect or that our processing is unlawful or that we do not need the data for a specific purpose, you may request that we restrict the processing of data about you. You can also request restriction of processing while awaiting verification from us as to whether our interest in processing your data outweighs your right not to have this data processed.
If we cite legitimate interest as a lawful basis, you have the right to object to the processing.
If you believe that the processing of your personal data is in violation of GDPR, you have the right to make a complaint by contacting the Swedish Authority for Privacy Protection.

Contact details and Data Protection Officer

If you have questions about how we process your personal data or wish to invoke any of your rights, you can always contact us at support@billogram.com.

You can also contact our Data Protection Officer at dpo@billogram.com

If you prefer to contact us by post, our postal address is:

Billogram AB

Klara Södra Kyrkogata 1

SE-111 52 Stockholm

Sweden

Privacy notice updates

This Privacy notice may be updated due to changes in legislation or changes in our personal data processing as a result of the development of our services.

The latest version is always published on our website.

This version was updated on 2024-11-11.