GDPR

Data protection policy

Tavex AB (Tavex; the Company) offers financial services to both private individuals and legal entities. Tavex protects all personal data received and processed in its operations. In order to use Tavex’s services, customer data must be registered and Tavex thus collects the necessary customer data to conduct its business.

This data protection policy (the “Data Protection Policy”) explains how the Company uses personal data in accordance with applicable law.

Applicable legislation and legal scope

Personal data in the business is processed in accordance with the Act (2018:218) with supplementary provisions to the EU Data Protection Regulation (Data Protection Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Regulation).

Tavex’s operations are also subject to the data protection rules contained in Chapter 5 of the Act (2017:630) on measures against money laundering and terrorist financing.

Personal data processing is only lawful if at least one of the following requirements is met, see GDPR Article 6:

  1. The data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes.
  2. The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. The processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. The processing is necessary to protect the vital interests of the data subject or of another natural person.
  5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Data stewards

The data manager is Tavex AB, corporate identity number 556671-1189. Tavex AB has its registered office in Stockholm with the address:

Tavex AB

Smålandsgatan 9

111 46 Stockholm

Handling of data

This Privacy Policy applies only to personal data managed and processed by Tavex. This Privacy Policy applies to all data collected online and offline, including the personal data provided by Tavex customers.

Tavex collects and processes information provided by customers through the Company’s website or by any other means, including name, surname, social security number/date of birth, and in some cases, registered address, e-mail address, telephone number, and in cases where the customer is a company, company name and position of company representative in the company.

Collection is only for the specific, explicit and legitimate purposes disclosed to the data subject and not at any time in a way that is incompatible with those legitimate purposes, see GDPR Article 5(1)(b).

The Company also processes data relating to the Company’s employees and other staff connected to the Company.

The personal information Tavex collects is primarily information obtained directly from the customer, either collected on site during the customer’s visit to one of Tavex’s stores or via Tavex’s web shop. The customer information collected by Tavex also includes indirect information obtained through the customer’s use of Tavex’s products and services.

Tavex may also obtain personal data from third parties, from public or other external sources such as registers maintained by public authorities, for example, population registers, company registers and registers of law enforcement authorities, sanctions lists and other commercial information providers.

The data and information that Tavex handles in the course of its business is divided into the following categories:

  • Identity data such as name, social security number, identity data including copies of ID documents.
  • Customer demographic data such as date of birth, gender, country of residence.
  • KYC data – the purpose of the customer’s business relationship with Tavex and the nature of the business relationship, customer data obtained from external sources, and the corporate involvement of customers and representatives.
  • Clients’ and representatives’ contact details such as registered address, telephone number and e-mail address.
  • Communication and marketing data such as customers’ preferences and interests regarding marketing and emailing.
  • Customer transaction data including details of payment methods and customers’ product and service usage.
  • Financial information regarding the origin of customer funds, account and card details and customer contracts.
  • Film and image material obtained from surveillance cameras.

Tavex is not responsible for the handling and processing of personal data by other third parties, even if links to third parties are provided on the Company’s website or otherwise.

Third party websites or applications that an individual may access through the Tavex website or applications are not covered by this Privacy Policy.

Processing of customer information relating to individuals is done with the consent of the individual when required by applicable laws and regulations.

Tavex processes all personal data lawfully, fairly and in a transparent manner in relation to the Tavex data subject, see Article 5(1)(a) GDPR.

All collections of personal data are proportionate, i.e. they are adequate, relevant and not excessive in relation to the purposes for which they are processed (“data minimization”), see Article 5(1)(c) GDPR.

Situations where personal data is processed

Legal obligation

In certain situations, Tavex is obliged to process personal data in order to fulfill a legal obligation to authorities such as the Swedish Financial Supervisory Authority, the County Administrative Board in Stockholm and the Police.

The processing of personal data in these situations is carried out in order for Tavex to be able to provide and perform the services and products requested by customers and to be able to conduct currency exchange and precious metals activities and other related activities.

Tavex may process personal data for any of the following purposes (purposes may vary from case to case):

  1. For customer support: Tavex processes personal data to provide its customers with customer support.
  2. For customer transactions: Tavex obtains consent from all customers regarding the processing of personal data, which also includes the right for Tavex to contact the customer via e-mail, text messages, telephone or regular mail about services and products we think may interest you (marketing information, offers, etc.).
  3. For administrative purposes: in relation to security and access to Tavex systems, platforms, secure websites or applications and to secure such systems.
  4. Preventing crimes such as money laundering and terrorist financing.
  5. Fulfilling accounting obligations in accordance with applicable laws and regulations.

The processing of personal data for purposes 1 – 5 above is preferably done in connection with:

  • Identification and verification of customers’ identity.
  • Execution of KYC measures in accordance with the applicable legislation and Tavex KYC framework.
  • Initiation and processing of a customer payment where the transfer of personal data takes place to a payment service provider that is a third party.
  • Taking measures to prevent, detect and investigate attempts at money laundering, terrorist financing and fraud.
  • Reporting to the police, supervisory authorities and tax authorities.

Balancing of interests

In some cases, the processing of customers’ personal data is based on a balance of interests between the customer’s interest and Tavex’s legitimate interest where Tavex’s legitimate interest is deemed to outweigh the data subject’s protection of their personal data.

Situations where Tavex processes personal data on the basis of a balancing of interests include situations intended to:

  1. prevent, restrict and investigate misuse or illegal use of Tavex services including fraud, or to prevent and disrupt such attempted misuse and illegal use,
  2. ensure the physical safety of customers, employees and other persons involved in the business and to protect Tavex property and premises,
  3. improve Tavex products, services, marketing and customer experience,
  4. ensure adequate information security in the provision of Tavex services, as well as for the improvement and development of the Tavex website, technical systems and IT infrastructure, including testing of the Tavex digital environment.

Processing of personal data according to the above mentioned purposes, 1 – 4, takes place:

  1. for customer support: Tavex processes personal data to provide its customers with customer support,
  2. for customer transactions: Tavex obtains the customer’s consent regarding the processing of personal data so that Tavex can contact the customer via e-mail, text messages, telephone or regular mail about services and products Tavex finds may be of interest to the customer (marketing information, offers, etc.),
  3. for statistical analysis: Tavex may process your personal data to perform statistical analysis, marketing analysis, customer base evaluation, etc.,
  4. for administrative purposes: in relation to security and access to Tavex systems, platforms, secure websites or applications and to secure other legitimate business purposes,
  5. for business protection: in protecting and maintaining Tavex’s business and systems through data analysis, testing, system maintenance, support, reporting and troubleshooting of systems,
  6. through camera surveillance that takes place in the business.

The safety of Tavex customers and employees is a high priority and therefore surveillance cameras are used in all Tavex stores to prevent and facilitate the investigation of suspected crimes and to protect Tavex’s legal claims.

Tavex complies with the General Data Protection Regulation and the Data Protection Act in all camera recording and handling of camera-recorded material.

Camera surveillance is carried out on the basis of Tavex’s legitimate interest in ensuring the safety of Tavex visitors, customers, employees, premises and property.

After a thorough balancing of interests, which also includes an assessment of the activities Tavex conducts, Tavex has concluded that Tavex’s customers’ interest in protecting their privacy does not outweigh Tavex’s legitimate interest.

Consent to the processing of personal data

See GDPR Article 7 “Conditions for consent”.

Where the processing of personal data is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data. Requests for consent are always presented to the individual in an intelligible and easily accessible form, using clear and plain language.

A data subject has the right to withdraw consent at any time. Where an individual withdraws consent, the withdrawal shall not affect the lawful right of the Company to process personal data prior to the withdrawal of consent. Before giving consent, the data subject shall have been informed thereof.

It shall be as easy to withdraw as to give consent to the processing of personal data. In assessing whether consent is freely given, the main consideration shall be, inter alia, whether the performance of a contract, including the provision of a service, has been made conditional on the individual’s consent to the processing of personal data which was not necessary for the performance of that contract.

The conditions under which personal data received may be processed beyond the purposes for which they were initially processed are set out in Article 6(4) of the GDPR.

Tavex does not offer its services to persons under the age of 18, cf. Article 8 of the GDPR.

In some cases, Tavex bases its personal data processing on the consent of the individual. All Tavex customers always have the right to withdraw such consent at any time by contacting Tavex.

In cases where Tavex processes personal data with the customer’s consent, the customer in question will be specifically informed about the purpose of Tavex’s processing of personal data.

Tavex processes personal data through consent in the following cases:

  1. To improve the products and services offered to Tavex customers and to improve the customer experience through targeted customer surveys and market analysis.
  2. For marketing and promotional activities.

Processing of personal data for purposes 1 – 2 above takes place:

  • when a person/customer chooses to subscribe to the Tavex newsletter,
  • when customers agree to receive direct marketing from Tavex when they become VIP customers.

Data subject’s right to access personal data

See Article 15 of the Data Protection Regulation.

A data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, if so, access to the personal data and to the following information:

  1. The purposes for which the personal data are processed.
  2. The categories of personal data concerned by the processing.
  3. The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.
  4. Where possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period.
  5. The existence of the right to request from the controller rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
  6. The right to lodge a complaint with a supervisory authority (the Data Protection Authority).
  7. If the personal data was not collected from the data subject himself/herself, all available information on the source of the data.
  8. The existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), whereby, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject, shall be provided.

All processing of personal data by Tavex takes place within the EU/EEA. Tavex does not exchange or provide customer information to third parties unless there is a legal basis for such disclosure. Examples of such a legal basis are typically a consent from the individual customer or a legal obligation which requires Tavex to disclose information.

Register of personal data processing

In order to demonstrate compliance with the GDPR, Tavex keeps a specific register of the personal data processing carried out by its data controller in accordance with the GDPR.

Article 30 of the GDPR requires each controller and, where applicable, its representative, to keep a register of the processing operations carried out under their responsibility.

This register shall contain all the information listed below:

  1. The name and contact details of the controller and, where applicable, the joint controllers, the controller’s representative and the data protection officer.
  2. The purposes of the processing.
  3. A description of the categories of data subjects and of the categories of personal data.
  4. The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or in international organizations.
  5. Where applicable, transfers of personal data to a third country or an international organization, including the identification of the third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards.
  6. If possible, the foreseen deadlines for deletion of the different categories of data.
  7. If possible, a general description of the technical and organizational security measures referred to in Article 32(1) (see further below under the heading “Data protection”).

However, the obligation under Article 30 of the GDPR to keep records of its personal data processing does not apply to an undertaking or organization employing fewer than 250 persons, unless the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing involves special categories of data referred to in Article 9(1) (“particularly sensitive personal data”) or in Article 10 (“criminal convictions and record of offences”) carried out under the responsibility of the controllers, see Article 30(5) of the GDPR.

Correction and deletion of data

Tavex takes all reasonable steps to ensure that all personal data processed is accurate and, where necessary, kept up to date. Inaccurate personal data will be deleted or corrected without delay, see GDPR Article 5(1)(d).

According to Article 16 of the GDPR, the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to complete incomplete personal data, including by providing a supplementary statement. The controller shall inform any recipient to whom the personal data have been disclosed of any rectification of personal data or restriction of processing that has taken place, see GDPR Article 19.

Tavex always processes personal data in a lawful and fair manner and the processing is always done for a purpose that is clear and specific to the data subject and the Company.

Individuals affected by the Company’s processing of personal data are simultaneously informed of the risks, rules, safeguards and rights that exist and how the individual can exercise their rights.

The right to object

See Article 21 of the Data Protection Regulation.

A data subject of Tavex has the right to have their personal data held by Tavex erased without undue delay and the controller is obliged to erase personal data without undue delay if any of the following apply:

  1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. The data subject withdraws the consent on which the processing is based (under Article 6(1)(a) or Article 9(2)(a)) and there is no other legal basis for the processing.
  3. The data subject objects to the processing pursuant to Article 21(1) (in case of personal individual grounds) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) (in case of direct marketing).
  4. The personal data has been processed unlawfully.
  5. The personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject.

The controller shall inform each recipient to whom the personal data have been disclosed of any erasure of personal data that has taken place, see GDPR Article 19.

Information when collecting personal data

See the General Data Protection Regulation Article 13.

Where personal data relating to a data subject are collected from the data subject, the controller shall, upon receipt of the personal data, provide the data subject with the following information:

  1. The identity and contact details of the controller and, where applicable, of its representative.
  2. Contact details of the Data Protection Officer, if applicable.
  3. The purposes of the processing for which the personal data are intended and the legal basis for the processing.

In addition to the information in items 1 – 3 above, the controller shall, at the time of collection of the personal data, provide the data subject with the following information to ensure fair and transparent processing:

  1. The period for which the personal data will be stored or, if this is not possible, the criteria used to determine this period.
  2. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing and the right to data portability.
  3. Where the processing is based on the data subject’s consent (under Article 6(1)(a) or Article 9(2)(a)), that there is a right for the data subject to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent before its withdrawal.
  4. The right to lodge a complaint with a supervisory authority (Integration Protection Authority).
  5. Whether the provision of personal data is a legal or contractual requirement or a requirement necessary for the conclusion of a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of not providing such data.
  6. The existence of automated decision-making, including profiling as referred to in Article 22(1) and (4), whereby, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject, shall be provided.

The above procedure is only relevant in cases involving the collection of data not already in the possession of the data subject.

Disclosure/transfer of personal data

Tavex may also disclose personal data received to other units within Tavex and, when necessary, to Tavex’s subcontractors or partners.

The above-mentioned parties may process an individual’s personal data on behalf of Tavex for the purposes described above. Tavex will not sell, rent or pass on personal data received to other parties.

Tavex is also obliged to disclose personal data if required by applicable laws or regulations or to respond to a request from a judicial or administrative authority.

All disclosures to the above mentioned actors are made territorially within the EU.

Risks related to personal data collected

Tavex considers that none of the personal data received and processed in its operations involves an increased or serious risk to the rights and freedoms of data subjects.

The risk that exists is mitigated by clear procedures, policies and measures for the management and protection of personal data, as well as by the data protection and data security systems applied by the Company.

Security of personal data collected

Data Protection Regulation Article 25.

The controller shall implement appropriate technical and organizational measures, such as pseudonymization, when determining the means by which personal data are to be processed and during the processing of personal data itself, in the form of measures designed to be effective for the implementation of established data protection principles such as data minimization and for the integration of the necessary safeguards in the processing of personal data.

The above shall be implemented to protect the rights of the data subject and to comply with the requirements of the GDPR.

According to Article 32 of the GDPR, an appropriate level of security must be ensured and appropriate measures taken when processing personal data.

Tavex strives to protect personal data received and maintains appropriate technical and organizational measures to prevent inappropriate, unauthorized or involuntary disclosures or inappropriate, unauthorized or involuntary use, access, loss, alteration or damage relevant to personal data received.

Tavex uses secure data systems that comply with current industry standards. Only Tavex and its employees who need access to personal data received for a specific task for any of the systems listed above will have access to that personal data. In addition, all Tavex employees and, where applicable, Tavex subcontractors and their employees are subject to confidentiality agreements.

Tavex’s data controllers continuously evaluate the risks associated with the Company’s processing of personal data and ensure that, where necessary, encryption of the personal data processed by the Company takes place.

The Company considers that its processing of personal data does not involve a likely high risk to the rights and freedoms of individuals such that a specific impact assessment must be carried out under the GDPR.

Management of personal data breaches

According to the GDPR, a personal data breach that is not promptly addressed can result in physical, material or non-material damage to the individual. The damage can include loss of control over their own personal data or restriction of their rights, discrimination, identity theft or fraud, financial loss, etc.

According to the same provision, the controller must therefore notify a personal data breach without undue delay and preferably within 72 hours of becoming aware of the breach, see also GDPR Article 33:

“In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent pursuant to Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.”

Furthermore, the controller shall (if the breach is likely to result in a high risk to the rights and freedoms of the data subject) inform the data subject without undue delay of the personal data breach that has occurred so that the data subject can take the necessary precautions, see Article 34 GDPR – the information to be provided to the affected individual shall contain a clear and plain description of the nature of the personal data breach and at least the information and measures referred to in Article 33(3)(b), (c) and (d), namely:

  • provide the name and contact details of the Data Protection Officer or other contact points where more information can be obtained,
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its potential adverse effects.

Tavex applies detailed written rules on the format and procedures for the notification of personal data breaches under the GDPR.

Article 33(5) of the GDPR requires the controller to document all personal data breaches, including the circumstances of the personal data breach, its effects and the corrective measures taken. The documentation shall enable the supervisory authority to verify the Company’s compliance with Article 33.

Duration of storage

Tavex retains personal data only for as long as necessary to fulfill the purpose for which it was collected, within the limits of applicable law and in accordance with legal and regulatory requirements.

Access to your personal data

In accordance with the provisions of the General Data Protection Regulation, an individual who is subject to the Company’s processing of personal data has the right to request access to, amendment or deletion of the data provided, and such individual has the right to object to the Company’s processing of his or her personal data. Anyone who believes they have a valid reason for this should contact the Company by sending an e-mail to dpo@tavex.se or in writing by letter to:

Tavex AB

– Data confidentiality

Smålandsgatan 9

111 46 Stockholm

In accordance with the applicable law, the request must be signed in person and a certified copy of an identity document bearing the person’s signature must be attached. You should also indicate the address to which the reply should be sent.

Data controller

Data Protection Regulation Article 24.

The controller shall implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with the GDPR. This shall be done taking into account the nature, scope, context and purposes of the processing and the risks involved.

Risks are to be assessed and may vary in likelihood and severity. The overall aim is to protect the rights and freedoms of natural persons.

Tavex’s measures for ensuring the correct processing of personal data are reviewed and updated as necessary. Where proportionate to the processing, the measures referred to above shall include the implementation of appropriate data protection policies by the controller.

The application of approved codes of conduct referred to in Article 40 of the GDPR or approved certification mechanisms referred to in Article 42 of the GDPR may be used to demonstrate compliance with the controller’s obligations.

Tavex does not make use of the possibility under Article 28 of the GDPR of using processors in addition to the controller.

Data Protection Officer

Data Protection Regulation Article 37.

Tavex considers that its activities require a Data Protection Officer under the GDPR. In addition to the internal tasks under Article 37 of the GDPR, the DPO has a supervisory role, acts as Tavex’s contact person and is responsible for consultation with relevant authorities.

The contact details of the Tavex Data Protection Officer are as follows:

E-mail address: dpo@tavex.se

Telephone: +46 (0)72 451 43 33