General Data Protection Regulation (GDPR)
On May 25th, 2018, new EU regulation on personal data protection came into force – the so-called General Data Protection Regulation (GDPR). The regulation is legally applicable in all EU and EEA-states and aims at improving protection of individual rights when their personal data is processed.
Protective rules on personal data processing
FOREX processes your personal data in accordance with GDPR, Act on Preventing Money Laundering and Terrorist Financing (444/2017) and other supplementary regulations, such as the Data Protection Act (1050/2018). Among other things, GDPR contains rules on the basic principles relating to processing of personal data and stipulates valid preconditions for permissible processing. It also contains rules on the right to information on processing and access to personal data, rules regarding correction of incorrect data and the possibilities of limiting on-going processing in some cases.
FREQUENTLY ASKED QUESTIONS ABOUT OUR DATA PROCESSING
Why do FOREX process my personal data?
FOREX processes personal data in order to provide the services you request and to be able to manage payment service operations and related functions. Customer “agreements” between you as a customer and FOREX relate to your use of a service provided by us such as use of currency, online currency and currency exchange services as well as other services. The personal data that is processed include, for instance, your name, social security number, contact information such as address, telephone number and email-address.
”Know your customer” or ”KYC”-related data and other personal information can be used to prevent, detect, report and investigate suspected money laundering and financing of terrorism as well as related crimes generating the illegitimate funds that are being laundered.
How long do FOREX process your personal data?
FOREX retains your personal data so that we can answer to legal claims and to exercise our rights and fulfil our obligations in relation to potential claims and inquiries by former customers and authorities.
Retention periods may change depending on the purpose of the data processing. For example, we are obliged in accordance with the Money Laundering Act to identity our customers and verify their identity when we are establishing a permanent customer relationship. The same obligation exists in the case of individual transactions that exceed the threshold value in the Money Laundering Act or in the case of individual transactions that can otherwise be considered suspicious which we are required to report, section. 4 (1) the Money Laundering Act. A transaction is considered “suspicious” when the transaction deviate from the customers normal transactions, or is exceptional in terms of the financial value.
KYC-related data, including personal data, is retained for five years from the termination of the permanent customer relationship or from the last transaction, provided that the data is not needed for criminal investigations, pending trials or our employees rights. In these cases, the aforementioned personal data may be stored for more than five years.
As a general rule, ID-copies are not stored if the transaction is below the threshold value in the Money Laundering Act. We only store personal data that can be linked to a specific scanned document that has expired or is a suspected counterfeit. The ID-copy will not be stored for more than 30 days. The purpose of the data retention is that we must be able to leave the ID-copy to the police in case of suspicion of crime, according to the Money Laundering Act. The legal basis for retention is that we must be able to fulfill our legal obligations in accordance with Article 6(1) GDPR, i.e. the processing is necessary to fulfill a legal obligation.
What are my rights according to GDPR?
According to GDPR, you have the following rights (in some cases they may be limited by other regulations):
Article 15 GDPR statues your right to request a data subject access free of charge, which contains a summary of your personal data being processed by FOREX along with information on how the processing is carried out. To verify your identity upon such request, FOREX will send you the information by way of registered mail. In addition, you may request rectification of incorrect data in accordance with Article 16 GDPR, erasure of data no longer needed or relevant for processing in accordance with Article 17 GDPR. In some cases, you also may request restriction of processing in accordance with Article 18 GDPR.
You also have a right to data portability, in accordance with Article 20 GDPR. It allows you to obtain the personal data, which you have provided to FOREX in a structured, commonly used and machine-readable format and transmit the personal data to another controller.
If you wish to exercise any of your rights, or if you have questions regarding our processing of personal data, please contact us by emailing email@example.com or calling 09 417 1053.
How do I request a data subject access?
If you wish to file a request for access to your personal data, please fill in the PDF-form provided in the right-hand column in this page. Having done so, you may file the request by submitting the form to us by letter, email or by visiting a FOREX location. Full instructions are available on the form.
How do I object to the processing of personal data for purposes of direct marketing send-outs?
FOREX may process your personal data for marketing purposes in accordance with GDPR and the Information Society Code (917/2014). At any time and free of charge, you have the right to object to the processing of your personal data for purposes of direct marketing send-outs. You can opt-out by clicking the unsubscribe-link provided in our emails or by sending your request to firstname.lastname@example.org or by mail to
FOREX, Tietosuojavastaava, PL 1139, 00101 Helsinki.
Why do we use ID scanners?
As a measure to secure the safety of all our customers, we´ve introduced ID scanners in all our branches.
WHY DO FOREX HAVE CAMERA SURVEILLANCE?
The safety of our employees and customers are important to us. Consequently, we have camera surveillance in our stores. The material is only used to prevent, stop and investigate crimes or suspicion thereof. The material may be handed to authorities.
We follow EU-rules and regulations such as GDPR, the Data Protection Act (1050/2018) for how recordings can be made and the material used. We are also obliged to comply with the Act on the Protection of Privacy in Working life (13.8.2004/759) towards our employees, meaning that camera surveillance is only used to prevent and investigate crimes. The recordings go on 24 hours a day and in some special cases, sound recordings are also made. The material is stored for 90 days. The legal basis for retention is our legitimate interest, Article 6.1(f) GDPR.
DATA PROTECTION OFFICER AND DATA CONTROLLER
Data Protection Officer
If you are unable to find the information you are looking for or have questions regarding the processing of your personal data by us, please feel free to contact our data protection officer at email@example.com or by telephone 09 417 1053 (customer service Finland).
Personal Data Controller
FOREX is the data controller for the processing of personal data.
org. nr: 516406-0104
Visiting address: Stora Nygatan 27, 111 27 Stockholm, Sweden
Phone: + 46 (0)10-211 1000 (reception), + 358 (0)9 417 1053 (customer service Finland)