Tietosuojakäytäntö
Effective Date: 23 November 2023
1. Introduction
This website and our LEI services are provided by Nordic Legal Entity Identifier AB, corporate identity number 556708–1699 ("NordLEI") with address Kungsgatan 56, 111 22 Stockholm, Sweden. NordLEI is the data controller for the processing of your personal data when you visit our website, use our customer portal, or otherwise contact us. We are also data controllers for the provision of our LEI services.
At NordLEI, we work systematically with information security and data protection to ensure the secure handling of information and personal data. We take responsibility for ensuring that personal data processed by us is used only for the intended purposes and is protected against unauthorized access. All processing of personal data takes place in accordance with applicable data protection legislation.
In this privacy policy you will find information about our processing of your personal data. Personal data means data that either directly or indirectly can identify you. This information applies to you who use our services, are a contact person to the customer, supplier, counterparty, or partners to us, visit our website, and otherwise have contact with us regarding our business or are directly or indirectly affected in the performance of our services. You are encouraged to read this information carefully. Please stay updated on any changes to this privacy policy by regularly visiting our website.
For questions or comments about anything stated herein or anything else regarding our data protection work or handling of cookies, you are welcome to contact us through privacy@nordlei.org. You can also contact us at privacy@nordlei.org or at the above postal address if you wish to assert any of your rights listed under section 6.
This information has been produced in Swedish. In case of discrepancies between the language versions of the privacy policy, the Swedish language version prevails.
For questions or assistance with our services, please refer to our customer service (support@nordlei.org).
2. Information We Collect and Use
The personal data is collected through you, the company you work for or represent, or the person you have commissioned to administer LEI codes on your behalf, external persons, as well as from publicly available and public sources, such as websites, various registers, and databases as well as authorities (e.g., the Swedish Companies Registration Office). If you visit us on LinkedIn, we collect the personal data that you provide to us through that channel.
When you use our online services, we collect your electronic identification data and other information. When you visit our website, we collect data by using cookies and other technologies in your browser or device, some of which may be considered personal data. See more in our cookie policy to find out how we use cookies and similar technologies.
The personal data we collect about you when you use our services, visit our website, and otherwise interact with us regarding our business includes the following.
- Identity information, such as name and social security number / organization number (if sole proprietorship).
- Contact details, such as postal address, e-mail address, telephone number.
- Profile information, such as job title, ownership interest in companies, organization number, name and address of the company or organization to which you belong.
- Order data, such as payment information and payment history
- Other information, such as login information, signatory information for digital signing, LEI codes and country and language settings.
3. Why do we process your personal data?
Below we list why we handle personal data, where applicable. Which processing your personal data is covered by depends on the relationship you have with us. To read more about which categories of personal data and on what legal basis we process the personal data, see our detailed information about our processing of personal data.
3.1. Providing our services
In order to provide our services, we process the personal data necessary for:
- administration of user accounts.
- provision of support.
- Issuance, renewal, transfer, or challenge of LEI codes.
- compliance with securities market rules.
- fulfilment of agreements with the Global Legal Entity Identifier Foundation (GLEIF) to maintain access to the Global Legal Entity Identifier System (GLEIS) such as the LOU.
3.2. Manage relationships with customers, suppliers, partners and GLEIF
If you are a contact person for a customer, supplier, partner or GLEIF, we process your personal data for the purpose of managing the customer or supplier relationship, cooperation, or our relationship with GLEIF and when necessary for follow-up and evaluation. Our handling is, for example:
- Registration of you as a contact person.
- Communication.
- Management and archiving of agreements.
- Administration of order confirmations and invoices.
3.3. Communicate about us and our business
We use your personal data to communicate about us and our business in various channels, for example through mailings before maintenance work in the customer portal or in marketing. You can unsubscribe from our marketing communications at any time by contacting us (privacy@nordlei.org).
3.4. Communicate internally and externally
In connection with communication, e.g., by e-mail, telephone, or other digital means, we may, where applicable, process your personal data. Communication takes place both between employees and with external persons.
3.5. Evaluate and develop our business
Where applicable, we may use your personal data to compile reports and statistics at an overall level and analyze these for the purpose of following up and evaluating the business. We also use these reports and statistics to develop and improve our business, business practices and strategies. When compiling these reports and statistics, anonymization/pseudonymization of personal data takes place. No profiling takes place within the framework of this processing.
For analyses carried out within the framework of data quality issues, we may use personal data such as organization number, company form, addresses, company signatory, board of directors, etc. When it comes to quality control, no anonymization of the data takes place. No profiling takes place within the framework of this processing.
3.6. Carry out our business
When we carry out our business, except in the provision of services, we use your personal data to:
- Document the business, e.g., to manage and save agreements, decision support, minutes, and presentations.
- Carry out recruitment processes or assess spontaneous applications, including reference contacts.
- Answer questions and provide customer service.
- Review the quality of our data.
- Detect and prevent misuse of our services, for your, others' and the service's safety.
- Ensure technical functionality and security, e.g., in security logging, error handling and backup.
- Manage and respond to legal claims, e.g., in connection with a dispute or legal process. For this purpose, we may share your information with other recipients, see more below.
- Comply with legal obligations, e.g., to comply with requirements of accounting or data protection legislation. For this purpose, we may share your information with other recipients, see more below.
4. Recipients with whom we share information
When necessary, we share your personal data with different recipients. For more information about categories of data and on what legal basis we share your personal data with recipients, please see our detailed information on when we share information. Where applicable, we share information, including personal data, with these recipients.
- 4.1. Customers
In order to deliver the agreed service, personal data may be shared with our customers, for example during the verification process of LE-RD or in support cases.
- 4.2. Data processors
In our operations, we use service providers. These service providers provide, for example, IT services (e.g., storage) and communication services (e.g., communication in support), in which case personal data may be processed. When the service providers process personal data on our behalf, they are data processors to us. They may not use your personal data for their own purposes and are obliged by law and data processing agreement with us to protect your data.
- 4.3. Companies that are data controllers for personal data
- 4.3.1. Government agencies (e.g., the Swedish Police, the Swedish Tax Agency)
If we are required to do so by law or in case of suspicion of crime.
- 4.3.2. Payment service providers
To administer payments via the website or customer portal, we use a payment service provider. We share and receive information from the payment service provider to enable you to pay for – and thus use – our services. In order to get paid, we may direct you to a third-party website that handles the payment. We are not responsible for the privacy processes of websites that we do not provide or operate. The payment service provider is the data controller/or processor for another controller, for its processing of your personal data. More information about their personal data management can be found at the payment service provider.
- 4.3.3. Group companies
We may share personal data with other companies within our corporate group to achieve our business purposes and to market our services in accordance with applicable legislation.
- 4.3.4. Other
In order to comply with our legal obligations, your personal data may be shared with our auditor, external advisors, and the Global Legal Entity Identifier Foundation (GLEIF) for registration in the Global Legal Entity Identifier System (GLEIS). In connection with a legal dispute, we may transfer data to other parties, such as external advisors, arbitration tribunals or counterparties. The processing is necessary to satisfy our legitimate interest in establishing, exercising and defending legal claims. We may also share information with potential buyers and sellers if we were to sell all or part of the business or in the event of a merger. The processing is necessary to satisfy our legitimate interest in carrying out the divestment or merger.
- 4.3.1. Government agencies (e.g., the Swedish Police, the Swedish Tax Agency)
- 4.4. Other recipients
In recruitment processes, we may share your personal data with external parties, such as provided references.
5. Transfer to third countries
When we use service providers based outside the EU/EEA, we ensure that the personal data processing takes place in accordance with the provisions of applicable data protection legislation, such as the EU Commission's adequacy decision for the country, transmission with the necessary guarantees, EU standard contractual clauses or equivalent.
If you would like more detailed information about to which countries outside the EU/EEA area the transfer may take place and what safeguards are applied to the transfer in question, you are welcome to contact us.
6. Your rights
As the data subject, you have certain rights in relation to your personal data that we process under applicable data protection legislation. In this section, we provide more detailed information about these rights. You also have the right to receive this information verbally, provided that your identity has been verified. More information about your rights can be found on the website of the Swedish Authority for Privacy Protection (IMY) (www.imy.se)
Please note that certain rights are limited with respect to our obligations under financial market regulation and under GLEIF regulations.
We will also not comply with your request if it would be against law or if the request is manifestly unfounded, unreasonable, or repetitive.
We normally provide your rights free of charge. If your request is manifestly unfounded, unreasonable, or repetitive, we have the right to either charge an administrative fee for the processing or to deny your request.
6.1. Right of access (extract from the register), art. 15 GDPR
You have the right to request confirmation from us as to whether we are processing your personal data. If you want to get a deeper insight into what personal data we process about you, you can request access to the information. The information is provided in the form of a register extract stating the purpose, categories of personal data, categories of recipients, storage periods, information about where the information has been collected from and the existence of automated decision-making, and, where applicable, with the support of which safeguards transfer takes place to countries outside the EU/EEA.
The right to a copy of the register extract must not have a negative impact on the rights of others, including ours. If we make the assessment that your right to a copy of the register extract has a negative impact on the rights of others and we therefore exclude information from the copy, you will be informed of this and the reason why.
A request for an extract from the register must be made in writing and be signed in person. The request should be sent to Kungsgatan 56, 111 22 Stockholm. Please be aware that if we receive a request for access, we may ask for additional information to ensure effective handling of your request and that the information is provided to the right person.
6.2. Right to rectification, Art. 16 GDPR
If you believe that the information, we have about you is inaccurate or misleading, you have the right to request correction. Within the scope of the stated purpose, you also have the right to supplement any incomplete personal data. You can request correction by contacting us at privacy@nordlei.org. If you are logged in to our customer portal, you can change certain information yourself.
Please note that a historical information is not automatically considered incorrect, as it may have been correct at the time of registration.
6.3. Right to erasure, Art. 17 GDPR
You can request the deletion of personal data (the right to be forgotten) we process about you if:
- the data are no longer necessary for the purposes for which they have been collected or processed;
- You object to a balance of interests we have made based on legitimate interest and your reason for objection outweighs our legitimate interest;
- You object to processing for direct marketing purposes;
- The personal data is processed in an unlawful manner; or
- The personal data must be deleted in order to comply with a legal obligation to which we are subject.
We do not process any personal data of a child (under the age of 16) whose collection has taken place in connection with the provision of information society services (e.g., social media).
If you request deletion, we will review whether your request can be met. We have the right to deny your request if there are legal obligations that prevent us from immediately deleting certain personal data. These obligations come from, for example, accounting and tax legislation, banking, and money laundering legislation, but also from EU directives and regulations. Continued processing may also be necessary for us to be able to establish, exercise or defend legal claims. Should we be prevented from complying with a request for deletion, we will ensure that the processing of personal data is limited to only the purposes that prevent the requested deletion.
6.4. Right to restriction of processing, Art. 18 GDPR
You have the right, in certain cases, to request a restriction of our processing of your personal data. If you dispute that the personal data we process is correct, you can request limited processing for the time we need to check whether the personal data is correct. If we no longer need the personal data for the stated purposes, but you do need it to be able to establish, exercise or defend legal claims, you can request limited processing of the data from us. This means that you can request that we do not delete your data.
If you have objected to our balancing of interests for the processing of your personal data, you can request limited processing during the time we need to check whether our legitimate interests outweigh your interests in having the data deleted.
If the processing has been restricted in accordance with any of the situations above, we may only, in addition to the storage itself, process the data to establish, exercise or defend legal claims, to protect someone else's rights or if you have given your consent.
6.5. Right to data portability, art. 20 GDPR
You have the right to receive the personal data that you have provided to us and that concerns you in an electronic format that is widely used. You also have the right to transfer such data to another data controller (so-called data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated. A further prerequisite for the right to data portability is that the processing takes place on the basis of your consent or to fulfill an agreement with you (Art. 6.1(a) and 6.1(b) GDPR respectively). In our detailed information you can see when we handle your personal data on the basis of consent or to fulfill an agreement with you.
6.6. Right to object to certain types of processing and direct marketing, Art. 21 GDPR
Some of our processing takes place with a balance of interests as a legal basis. You have the opportunity to object to these. If you make such an objection, we need to be able to show a legitimate reason for the processing in question that outweighs your interests, rights, or freedoms. Otherwise, we may only process the data to establish, exercise or defend legal claims.
You have the opportunity to object to your personal data being processed for direct marketing. The objection also covers the analyses of personal data (so-called profiling) carried out for direct marketing purposes. Direct marketing refers to all types of outreach marketing measures (e.g., by post, e-mail, and SMS). Marketing measures where you as a customer have actively chosen to use one of our services or otherwise sought us out to find out more about our services are not counted as direct marketing.
We do not carry out any so-called automated decision-making that produces legal consequences or otherwise significantly affects you.
6.7. Right to withdraw consent, art. 7 GDPR
When, where applicable, we base our processing of your personal data on your consent, you have the right to withdraw from this at any time. Such revocation may be limited to only part of the processing.
6.8. Right to lodge a complaint
In addition to the rights listed above, you also have the right to lodge a complaint with your relevant data protection authority. In Sweden, the Swedish Authority for Privacy Protection (IMY) is the supervisory authority. Their contact details can be found on www.imy.se. If you live or work in a country other than Sweden, you can turn to the privacy protection authority in that country. You can find your privacy protection authority here: Our Members | European Data Protection Board (europa.eu)
7. Updates to this information
Detailed information on the processing of personal data
Our processing of personal data
In this section you can see detailed information about which categories of personal data we process, on what legal basis and for how long we save the data for each processing.
| Purpose | Personal data | Legal basis | Duration |
|---|---|---|---|
| User account administration |
|
| Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Provision of support |
|
| Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Issuance, renewal, transfer, or challenge of LEI codes |
|
| Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Compliance with securities market rules |
|
| Personal data is stored for this purpose for as long as required by the agreement with GLEIF and by the rules of the financial market (normally 10 years). |
| Fulfillment of agreements with GLEIF to maintain access to GLEIS |
|
| Personal data is stored for this purpose for as long as required by the agreement with GLEIF and by the rules of the financial market (normally 10 years). |
| Manage relationships with customers, suppliers, partners and GLEIF |
|
| Personal data is stored for this purpose as long as there is an active relationship and for a period of 10 years thereafter to meet our legitimate need to handle and respond to any legal claims. The relationship is considered active if you have had contact with us in the last 12 months. Personal data necessary for accounting is saved for 7 years from the end of the calendar year in which the relevant financial year ended. |
| Monitoring and evaluation of the relationship with customers, suppliers, partners and GLEIF |
| Legitimate interest: The processing is necessary to satisfy our legitimate interest in following up and evaluating the relationship with customers, suppliers, partners and GLEIF. | Personal data is stored for this purpose for a period of 2 years from the time of collection. Reports at an overall level that do not contain personal data and anonymous statistics are saved until further notice or until they are deleted. |
| Monitoring and evaluation of operations and our services |
|
| Personal data is stored for this purpose for a period of 2 years from the time of collection, if not specified otherwise in the cookie policy. Reports at an overall level that do not contain personal data and anonymous statistics are saved until further notice or until they are deleted. |
| Communicate about us and our business |
| Legitimate interest: The processing is necessary to satisfy our legitimate interest in communicating about us, our business, and our services. | Personal data is saved for this purpose as long as there is an active relationship and for a period of 12 months thereafter for the same purpose. Published personal data in digital channels, e.g., in our feeds on LinkedIn, is saved until further notice. |
| Communication between employees and external persons |
| Legitimate interest: The processing is necessary to satisfy our legitimate interest in employees and external persons communicating, for example during recruitment processes, customer service, marketing or similar. | Personal data is stored for this purpose for 12 months from the time of the last communication in the same conversation, then for a period of 10 years to satisfy our legitimate interest in handling and responding to any legal claims. In recruitment processes, personal data is saved for a period of 2 years after completion of recruitment. Published personal data in digital channels, e.g., in our feeds on LinkedIn, is saved until further notice. |
| Communication in the event of an accident, illness, or similar event |
| Legitimate interest: The processing is necessary to satisfy our legitimate interest in registering your information in our family register and to communicate with you in the event of an accident, illness or similar event for the employee concerned. | Personal data is saved until the employee, consultant or contractor concerned reports otherwise, but no later than the date the employee's employment or consultants or contractors’ assignment ended. |
| Document the business |
| Legitimate interest: The processing is necessary to satisfy our legitimate interest in documenting the business. | Personal data is saved for this purpose until further notice. |
| Detect and prevent misuse of our services |
| Legitimate interest: The processing is necessary to satisfy our legitimate interest in detecting and preventing misuse of our services. | Personal data is saved for this purpose as long as your user account is active. The user account is considered active if login has taken place within the last 10 years. |
| Ensure technical functionality and security | All categories of personal data concerned | Legitimate interest: The processing is necessary to satisfy our legitimate interest in ensuring the necessary technical functionality and security on our website and in our IT systems. | Personal data is saved for the same period as stated in relation to the respective purpose of the processing. Personal data in logs is retained for troubleshooting purposes for a period of 10 years from the time of the log event. Personal data in backup copies is stored for a period of 10 years from the time of backup. |
| Manage and respond to legal requirements | Categories of personal data concerned that are necessary in the individual case to address the relevant legal requirement | Legitimate interest: The processing is necessary to satisfy our legitimate interest in handling and responding to legal claims. | Personal data is saved for the same period as stated in relation to the respective relevant purpose of the processing, and in the individual case for the time necessary to handle the current legal claim. |
| Comply with legal obligations | Categories of personal data concerned that are necessary for compliance with the respective legal obligation |
| Personal data is saved for the time necessary for us to be able to fulfill the respective legal obligation that we have and for a period of 10 years thereafter in order to satisfy our legitimate interest in handling and responding to legal claims, as well as for the time thereafter necessary for handling the current legal claim. |
With whom we share personal data
In this section you will find detailed information about which categories of personal data we share with different categories of recipients, for what purpose and what legal basis we rely on.
| Receiver | Purpose | Personal data | Legal basis |
|---|---|---|---|
| Customers | Fulfill agreements with the customer, communication and handle and respond to legal claims. |
|
|
| Service providers | Communication between employees and external persons, use of services for the purpose of running the business and delivering LEI services. | Categories of personal data concerned that are necessary in relation to the service provided by the respective provider. |
|
| Government agencies such as courts, the Swedish Tax Agency or the Police Authority, arbitration tribunals and external advisors | When there is a legal obligation or suspicion of a criminal offence and to handle and respond to legal claims on one's own behalf (determine, assert, and defend). | the categories of personal data concerned that are necessary in each case; |
|
| Group companies | To achieve our business purposes and to market our services. | the categories of personal data concerned that are necessary in each case; | Legitimate interest: The processing is necessary to satisfy our legitimate interest in developing our companies' respective businesses. |
| GLEIF | Fulfill agreements with the client, fulfill agreements with GLEIF, communication and to comply with regulations for the securities market. |
|
|
| Auditors, external advisors, authorities | Comply with legal obligations. | Only the categories of personal data that are necessary to comply with the respective legal obligation. | Comply with legal obligation: The processing is necessary for us to comply with our legal obligations. |
| External persons | Communication between employees and external persons. |
| Legitimate interest: The processing is necessary to satisfy our legitimate interest in employees, consultants or contractors and external persons communicating. |