Privacy and data protection
General
Last updated: 21/10/2022
Privacy and data protection in Finnish.
Who should read this page?
Anyone whose personal data Enfuce processes for the purposes described in the section “Purposes & legal bases / Why and on which legal bases we process your personal data?” below. This page describes the processing of your personal data, including why and how we process it.
Who are we and how to contact us?
Enfuce (or “we” or “us”) refers to Enfuce Financial Services Ltd. or any of our group companies, including Enfuce License Services Ltd, that is the controller for your personal data. Enfuce is an e-money and payment institution, authorised and regulated by the Finnish Financial Supervisory Authority. Our registered office address is at Metsänneidonkuja 12, 02130 Espoo, Finland. If you have any questions about this privacy notice, how we process your personal data or you are looking to exercise your rights, please contact privacy(at)enfuce.com.
What is covered?
This page forms our privacy notice and covers how we use, look after, manage or otherwise process information that identifies you or could be combined with other information to identify you (referred to as personal data). Also, this notice covers your rights related to the processing of your personal data.
Enfuce is committed to protecting your privacy. We will process your personal data only in accordance with relevant data protection and privacy legislation and good data processing practices. Enfuce is the data controller of your personal data as described in this notice, which means that we define the purposes and means for processing of the personal data and are responsible for the processing.
What personal data we may process?
Personal data means any information which can (or could be used to) identify a living person. We collect personal data from you in different occasions, for example when you apply for a payments card which is issued by us, use your card to make transactions, are in touch with us as a representative of our customer, or apply for a job at Enfuce. We may also obtain information from third parties (such as identity verification or fraud prevention agencies) who may check your personal data against any information listed on population registers, sanction databases and/or other databases.
We have grouped together the types of personal data that we may process of you in the table below. The types of personal data processed depend on the purpose for which we process your personal data. This means that typically all the types of personal data listed below do not apply to you. To understand which personal data we process of you, please see “Purposes & legal basis / Why and on which legal bases we process your personal data?” section below.
Types of personal data
Contact data: first and last name, email address, phone number, physical address
Identification data: full name, physical address, phone number, email address, personal ID number, date of birth, nationality, national identification / social security number (SSN), signature, photo, other information on ID documents, organization you represent, position or role
Payment transaction data: date, amount, currency, name of the merchant, creditor or supplier, transaction location, technical authorisation, clearing, settlement and routing data
Payment card data: card number (PAN), card name, expiry date, CVV code, card PIN block, service code
Card account information: information on account your card is linked to, such as account ID and account balance
User information: user account details on our services, such as MyEnfuce, including username or other identifier, password and other login information, content or inputs provided by you
Technical data: such as data on system logs, IP address, device information, cryptographic data
Web analytics data: data related to e.g. page visits, time spent on pages, links clicked, accessed content, device used, operating system, browser type, screen resolution, plug-ins and add-ons. As this information can be collected through use of cookies, please refer to our cookie notice and preferences at the bottom-left corner of the page.
Customer support data: information related to you included on customer support cases from your card program provider, such as account ID
Information on preferences: information related to your interests or preferences, such as interest towards one of our services
Recruitment and qualification data: information related to your education, previous work experience, certifications, training records, professional memberships, right to work documents and other information you provide during a recruitment process
Social media data: information included on your social media account (where you provide such information to us)
Information on political exposure and sanctions: data of persons constituting politically exposed persons (“PEP”) and sanction lists, such as name, date of birth, place of birth, occupation or position, country of residence, nationality and the reason why the person is on the list in question
Whistleblowing-related data: data included in notifications submitted through our Speak Up channel to report suspected unethical conduct or non-compliance, including your name and other personal data in case you submit a notification
Sensitive data: special categories of personal data as defined in data protection legislation. Processing of personal data about you that is very sensitive is only allowed in limited situations. Data protection legislation defines special categories of personal data as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, data concerning health or data concerning sex life or sexual orientation. Whereas we do not directly process these types of data, sensitive personal data may potentially be derived from payment transaction data, for example when a payment is done for a specific recipient, e.g. to a religious or political organisation.
Why and on which legal bases do we process your personal data?
As a principle, we only collect your data to provide, manage and market our services or for purposes related to our business in general, such as for recruitment. Under data protection legislation, we can only process personal data for specific purposes. In addition, we always need to have a legal basis for processing personal data. The legal bases are defined in data protection legislation and include:
- To enter into and perform our contract with you: Your personal data is necessary to enter into a contract and carry out obligations in the contract with you, e.g. in order to provide you with our services or to employ you.
- To comply with a legal obligation that we have: We may also process your personal data to comply with our legal or regulatory obligations, such as obligations related to identifying you as set out in anti-money laundering legislation.
- Your consent to us for processing of your personal data: We may process your personal data based on your consent where you have consented to processing for a specific purpose.
- To pursue our legitimate interests: We may have a legitimate interest to process your personal data where the processing is necessary to fulfil certain business requirements and the processing does not conflict with your rights, freedoms or reasonable expectations.
You can find out to which purposes and under which legal basis we process your personal data by clicking the sections that are relevant for you below. You can also find out if the data is collected directly from you or from other sources.
When you visit our website
| Purpose for processing | Types of personal data | Legal basis | Collected from |
| Providing you with requested material and information on our products or services | Contact data | Consent | You (when you sign up e.g. to our newsletter or other material) |
| Manage, operate and improve the performance of our websites and services by understanding their effectiveness and optimizing our digital assets | Web analytics data | Consent | You (through technical means) |
| Analyse and advertise our services | Web analytics data | Consent | You (through technical means) |
| Ensure network and information security | Technical data | Legitimate interest | You (through technical means) |
When you are a contact person for our customer, potential customer or vendor company
| Purpose for processing | Types of personal data | Legal basis | Collected from |
| Marketing and sales of our services | – Contact data – Web analytics data |
Legitimate interest, consent (where required e.g. for analytics) | – You (submitting or through technical means) – Other sources, such as marketing partners |
| Delivery of our services | Contact data | Legitimate interest | – You – Other sources, such as your employer (our customer) |
| Customer relationships management | Contact data | Legitimate interest | – You – Other sources, such as your employer (our customer) |
| Invoicing for our services | Contact data | Legitimate interest | – You – Other sources, such as your employer (our customer) |
| Purchase of services and related vendor assessments | Contact data | Legitimate interest | – You – Other sources, such as your employer (our vendor) |
| Vendor relationships management | Contact data | Legitimate interest | – You – Other sources, such as your employer (our vendor) |
| Assessments and auditing | Contact data | Legitimate interest | You, your employer |
When you apply for a job at Enfuce
| Purpose for processing | Types of personal data | Legal basis | Collected from |
| Recruitment, including screening, evaluating, interviewing and selecting potential employee candidates | – Contact data – Recruitment and qualification data – Social media data |
Performance of contract (necessary steps to enter into a contract), consent (where required), legitimate interest | – You, when you apply for a job and submit information via recruitment tools, email, phone or in an interview – Other sources (with your consent where required), such as referees, recruitment companies, LinkedIn, screening agencies or publicly available registers (as allowed by law) |
| Identity verification and background checks | – Contact data – Identification data – Recruitment and qualification data |
Performance of contract, consent (where required) | – You – Other sources (with your consent where required), such as credit check agencies |
When you use MyEnfuce
| Purpose for processing | Types of personal data | Legal basis | Collected from |
| Provide login to MyEnfuce service | – Contact data – User information – Technical data |
Legitimate interest | You (through your input and technical means) |
| Provide MyEnfuce service | – Contact data – User information – Technical data |
Legitimate interest, consent | You (through your input and technical means) |
| Ensure network and information security | Technical data | Legitimate interest | You (through technical means) |
| Promote, analyse, modify and improve our systems, and tools, and develop new services | Technical data | Legitimate interest | You (through technical means) |
| Manage, operate and improve the performance of our services | Web analytics data | Consent | You (through technical means) |
When you apply for or have a card issued by us
| Purpose for processing | Types of personal data | Legal basis | Collected from |
| Identification of you and verifying your identity as required in applicable legislation. | – Contact data – Identification data |
Legal obligation, performance of contract | – You, when you apply for a card – Other sources, such as Identity verification services and your card program provider |
| Setting up your account, including processing your application for a card and creating your account | – Contact data – Identification data – Payment card data – Card account information |
Performance of contract (consumer cards), legitimate interest (commercial cards) | – You, when you apply for a card – Other sources, such as Identity verification services and your card program provider |
| Maintaining and administering your account and the customer relationship | – Contact data – Identification data – Payment card data – Card account information – Payment transaction data |
Performance of contract (consumer cards), legitimate interest (commercial cards) | – You – Other sources, such as payment service providers, where applicable and your card program provider |
| Authentication for payment transactions | – Payment card data – Payment transaction data |
Performance of contract (consumer cards), legitimate interest (commercial cards) | – You, through technical means, when you make a transaction – Other sources, such as technical service providers and your card program provider |
| Processing your payment transactions, including authorization, clearing and settlement | – Payment transaction data – Sensitive data (see more information on section “Types of data”) |
Performance of contract (consumer cards), legitimate interest (commercial cards) | – You, through technical means, when you make a transaction – Other sources, such as payment service providers and your card program provider |
| Physical and virtual card management | – Contact data – Identification data – Payment card data |
Performance of contract (consumer cards), legitimate interest (commercial cards) | – You – Other sources, such as identity verification services and your card program provider |
| Monitoring your account for fraud | – Payment transaction data – Card account information – Payment card data |
Performance of contract (consumer cards), legitimate interest (commercial cards) | You, through technical means when you make a transaction and your card program provider |
| Prevent, reveal and/or resolve issues related to money laundering and terrorism financing, including providing data to public authorities for investigation of such crimes in accordance with anti-money laundering and terrorism financing legislation. | – Contact data – Identification data – Information on political exposure and sanctions – Payment transaction data |
Legal obligation | – You – Other sources, such as our business partners, government-maintained lists or sources, financial service providers, identity verification and fraud prevention services, sanction list providers, public sources and payment service providers and your card program provider |
| Providing a secure environment for the transmission of our services | Technical data | Performance of contract (consumer cards), legitimate interest (commercial cards) | You (through technical means) |
| Providing customer support related to your card, account or transactions | – Payment card data – Payment transaction data – Card account information |
Legitimate interest | – You (through technical means) – Other sources, such as your card program provider |
| Auditing and reporting | – Payment transaction data (in aggregated form) – Card account information (in aggregated form) – Contact and identification data – Technical data (in aggregated form) |
Legitimate interest | – You (through technical means) – Other sources, such as payment service provider, where applicable and your card program provider |
| Ensuring and developing security of our systems with technical means, such as with data encryption, access controls, log management and auditing | Technical data | Legitimate interest | You (through technical means) |
| Promote, analyse, modify and improve our systems, and tools, and develop new services | Technical data | Legitimate interest | You (through technical means) |
| Conduct aggregate analysis and develop business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of, our business; | – Payment transaction data (in aggregated form) – Card account information (in aggregated form) – Technical data (in aggregated form) – Customer support data (in aggregated form) |
Legitimate interest | – You (through technical means) – Other sources, such as payment service providers (where applicable) |
Other purposes we may process your personal data for
| Purpose for processing | Types of personal data | Legal basis | Collected from |
| Maintain a shareholder register | – Contact data – Identification data – Recruitment and qualification data – Information on political exposure and sanctions |
Legitimate interest | – You – Other sources, such as our business partners, government-maintained lists or sources, financial service providers, identity verification and fraud prevention services, sanction list providers, public sources, |
| Manage PR and media relations | Contact data | Legitimate interest | – You – Other sources, such as your employer, public sources |
| Visitor management and securing our premises | Contact data | Legitimate interest | – You – Other sources, such as your employer |
| Processing of whistleblowing notifications and investigating potential unethical conduct or non-compliance | – Contact data – Identification data – Whistleblowing-related data |
Legal obligation, legitimate interest | – You – Other sources, such as internal systems or other parties involved |
Who can process your personal data?
Your personal data is processed only by personnel who are authorized to do so based on their role. Enfuce does not sell your personal data.
Your personal data can only be transferred or disclosed to the following categories of third parties, in the following situations:
Regardless of the purpose of processing
- Our group companies: Enfuce group companies can be involved in processing of your personal data, including processing of your payment card transactions.
- Our service providers: We use service providers in order to manage and operate our business. Service providers are needed for a variety of purposes, such as for operation of our IT systems, or for providing physical payment cards. These service providers can only process your personal data based on our instructions and use it only for purposes defined by us. Such processing is always regulated by data processing agreements in order to ensure that all our service providers keep your personal data safe and process it only in accordance with applicable legislation.
- Regulatory and law enforcement authorities where the law requires us to do so.
- Anyone to whom we lawfully transfer or may transfer our rights and duties under the agreement;
- Any third party as a result of any restructure, sale or acquisition of Enfuce or any associated entity, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us.
When you apply for or have a card issued by us
- Your card program provider: your card program provider is our customer and supports certain activities relating to your card, such as verifying your identity.
- Parties involved in the payment transaction process: to enable payment transactions, we disclose your personal data to other parties involved in the payment transaction process, such as banks and card scheme companies
- Identity verification and sanction list providers to undertake required verification, regulatory and fraud prevention checks.
When you are a contact person for our customer or potential customer company
Our business partners: we may disclose your personal data to our business partners, where relevant for the services provided or for your interests.
Where is your personal data located or transferred to?
We may transfer your personal data within Enfuce group companies in countries where we have operations.
We store your personal data in servers located in the European Economic Area (EEA), but we may use service providers that are based elsewhere in limited occasions. In cases where your personal data may be transferred outside of the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK) or Switzerland, we ensure the lawfulness of the transfer using a valid legal mechanism. These mechanisms include adequacy decisions adopted by the European Commission concerning a specific country and European Commission’s Standard Contractual Clauses for international transfers of personal data. In addition, we use additional security safeguards such as encryption to ensure the security of the personal data transferred.
For how long do we store your personal data?
The storage period for your personal data depends on the purpose it is processed for. We only retain your personal data for as long as is required for the purpose. Legislation applicable to us, such as anti-money laundering legislation, sets out mandatory retention periods that define for how long we must store your personal data. Where there is no legal obligation to store certain personal data, the retention times are defined based on our legitimate business needs. The following table illustrates examples of retention periods and criteria for defining retention periods for key categories of personal data.
Retention periods for key categories of personal data
| Categories of personal data | Retention period and/or criteria for defining it |
| Information used for cardholder identification and identity verification | Six years after the end of the customer relationship, based on anti-money laundering legislation |
| Payment transaction-related data | Six years after the end of the customer relationship or after an occasional transaction, based on anti-money laundering legislation |
| User data on our services, such as MyEnfuce | Based on the usage of the service: Inactive user accounts are deleted after a period of inactivity, depending on the service. |
| Data used for recruitment purposes | 18 months, unless you request a deletion or to store it for longer |
| Data used for customer or vendor relationship management | Depending on the length of the customer or vendor relationship |
| Data used for electronic direct marketing purposes | Depending on the subscription; data is deleted in case you withdraw your consent for receiving electronic direct marketing. |
| Data related to the use of our website | Depending on the purpose (e.g. analytics or marketing). Please see cookie settings and notice at the bottom-left corner of the page for more information. |
| Whistleblowing-related data | Personal data not necessary for processing a notification is deleted without undue delay. Generally, personal data is retained up to five years, unless obligatory to be stored for longer, e.g. due to legal procedures. |
How do we ensure the security of your personal data?
Enfuce is committed to maintaining the security of your personal data with robust, state-of-the art technical and organisational security measures. We secure the confidentiality, integrity and availability of your personal data, and protect it against loss, misuse, unauthorized access, disclosure, alteration and destruction. These security measures include, inter alia:
- advanced encryption of data both in transit and at rest;
- pseudonymisation of personal data;
- role-based access controls and user authentication;
- technical IT and network security measures;
- comprehensive information security policies and staff training in accordance with them;
- incident and breach management processes;
- business continuity and disaster recovery processes;
- regular testing and review of our security measures;
- agreements covering data protection and security measures with our partners.
What are your rights?
You have specific legal rights in relation to your personal data. If you would like to exercise any of your legal rights, please contact privacy(at)enfuce.com.
Your data protection rights
Right of access: You have the right to know whether we process your personal data and to know what personal data about you we process. You may request for a copy of such data.
Right to rectification: You have the right to correct and update your personal data or ask us to update it if it is inaccurate or incomplete. We encourage you to keep all your personal information up to date.
Right to erasure (“Right to be forgotten”): You have the right to request us to delete your personal data. We will delete your personal data unless we have a legal obligation or other overriding reason to retain your data. In such case, we will let you know and explain our decision.
Right to restriction of processing: You can, under certain limited circumstances, ask us to restrict how we use your personal data and temporarily limit the way we use it (e.g. whilst we check that the personal data we hold of you is correct).
Right to objection: You can object to us processing your personal data if you want us to stop using it, provided that our legal basis for processing that personal data is legitimate interest or in relation to marketing communications.
Right to data portability: You can ask us to send you or another organisation an electronic copy of your personal data, provided that the processing is based on performance of a contract with you or on your consent.
Complaints: If you are unhappy with the way we collect and use your personal data, we hope we can resolve it. Please contact privacy(at)enfuce.com in the first instance. However, if you consider that our processing infringes your rights as a data subject, you always have the right to complain to a data protection supervisory authority, in the country where you work, normally live or where any alleged infringement of data protection laws has occurred. The supervisory authority in Finland is the Office of the Data Protection Ombudsman, www.tietosuoja.fi.
Can this information be changed?
Our services and applicable laws are continuously developing. There will be updates to this privacy notice page whenever changes or developments require so. The up-to-date version of can always be found on this website. The date of this notice can be found at the top of the page. We recommend that you revisit this page from time to time to review any possible changes. If any substantial changes in the way we process your personal data occur, we will post a notice of such change on this website.