Nets will process the above data, because Nets has a legitimate interest in registering and analysing activity and statistics in relation to the use of the Nets website to ensure and improve the usability of our website and related services, cf. article 6(1)(f) of the GDPR.
Nets will not use your personal data for other purposes which are not compatible with the original purpose for which the personal information was collected without your explicit consent. Compilation for statistical purposes is considered compatible with the original purpose.
When you through our website make a request or register to a service, including a trial service that may only be available for a limited period of time, Nets will be asked to give specific information needed to answer your question or to provide the specific service to you. This information you may be asked to give is e.g.
When you register for such services, Nets will usually process your data on basis of either your consent, cf. article 6(1)(a) of the GDPR, to fulfil a contractual requirement with you, cf. article 6(1)(b) of the GDPR or because we have a legitimate interest in processing your data in order to answer your request or otherwise deliver a service to you, cf. article 6(1)(f).
Nets process personal data from social media such as Facebook and LinkedIn, where Nets has profiles. The information processed in particular relates to social media user activity such as user identity (profile name, picture and other information you have published on your social media user profile), IP-addresses and user activity such as likes, comments and tags on our social media profiles.
Nets is a joint controller with Facebook and LinkedIn with regards to the processing of personal data on our social media profiles. You can read more about the joint controllership arrangements here:
For the processing of personal data in relation to Concardis’ and PayPro’ use of social media please see the privacy notices on their websites mentioned above.
When you submit a data subject request (DSR)
If you make a data subject request through the Nets DSR-portal,
https://www.nets.eu/gdpr/dsr (only available for Nets Nordics and Baltics) or just by sending an e-mail, a letter or via another means of communication, the relevant entity you're sending the request to, will process your:
- Identification information such as name, address, e-mail address, telephone number
- Social security number or CPR-number (if specifically requested)
- Copy of ID (if specifically requested)
- Details of the requests, including whether it's a request for access, rectification, erasure, restriction of processing, data portability
We will process the above information in order to identify you and verify your identity, to assess your request and determine how and to what extent we shall accommodate your request.
Depending on the data in scope and purpose we process your data on basis of your consent, cf. article 6(1)(a) of the GDPR, when applicable article 13 (1) of the Swiss Privacy Act (DSG) and section 11(2)(2) of the Danish Data Protection Act with regards to CPR-numbers, and because we have a legitimate interest to assess your request in order for us to fulfil our obligation under the GDPR and other applicable data legislation to assess and answer your request, cf. article 6(1)(f) of the GDPR and when applicable article 13(2)(a) of DSG.
Visitors to the physical offices, including CCTV
If you as an external party visit our offices we may process information such as:
- Identification information such as name, address, e-mail address, telephone and position with an organization (e.g. when you're registering yourself in the receptions)
- Reason for visiting us (e.g. business purposes, job interview, representation etc.)
- Recordings from CCTV on our physical premises
We have CCTV at our physical premises to ensure a high level of safety and security. This may result in situations where you can be recorded on CCTV. The recording cams are set up in accordance with applicable national legislation (e.g. the Danish TV Monitoring Act), and signs are set up to inform about TV monitoring when required.
We process the above identification information and reasons for visiting, because we have a legitimate interest in registering both your identity and the reason for your visit, cf. article 6(1)(f) of the GDPR and when applicable article 13 (1) of DSG. We perform TV monitoring (CCTV), because we as a payment service provider have a legal obligation to safeguard our systems, which inherently also includes ensuring the physical premises giving access to our systems, cf. article 6(1)(c) of the GDPR, and because we have a general legitimate interest to ensure the resilience and safety of our physical premises, cf. article 6(1)(f) of the GDPR.
Other external parties
From time to time to we may be in contact with external parties that are not subject to the provisions above or similar provisions in other privacy notices. This may be the case with external parties that don't act as consultants, or other external parties where no direct business relationship yet has been established between us and the external party, but where we regardless may process personal data. Such scenarios may non-exhaustively include the below cases:
- Complaints and inquiries not covered by other Nets special privacy notices, where personal data is being processed about the complainant or other parties to the complaint
- Inquiries and requests from competent public authorities and agencies, where personal data is being processed about employees or consultants with the authority
- Tenders or contract offerings
- Social events, including networks, seminars and conferences
- E-mail marketing distribution lists
The information that may be processed in relation to the above may include:
- Name, e-mail address and position within an organization
- Details of a complaint or inquiry, incl. related e-mail communications
- Participation in an event, network, seminar or conference
- Registration on an e-mail marketing distribution list
Depending on the data in scope and purpose we process the above data on basis of your consent, cf. article 6(1)(a) of the GDPR and when applicable article 13(1) of DSG, to fulfil a contractual requirement with you, cf. article 6(1)(b) of the GDPR and when applicable article 13(2)(a) of DSG, or because we have a legitimate interest in registering the above data for the purposes of delivering services, handling your request or registering your participation in an event, cf. article 6(1)(f) of the GDPR and when applicable article 13 (1) of DSG.
4. With whom do we share your data?
We will not share information about you with other entities inside or outside the Nets Group, unless there's a clear legal basis to do so (e.g. your consent).
Examples where we may share information can be in cases of event registrations, where we may disclose your information to an event host or likewise.
We only share CCTV recordings with the police and competent local investigation authorities on basis of a specific request from the police, where required to report or pursue legal claims against perpetrators, a court or a competent supervisory authority. Likewise, we only share data with public authorities and courts on basis of a specific request with a clear legal basis (e.g. regulation, court ruling).
With regards to the use of the website we may share pseudonymized or aggregated data with third-party vendors to improve the usability of the website and to perform statistical analysis.
Nets make use of a number of service suppliers for its IT-operation and IT- operational support. In the event such suppliers have access to personal information collected or processed by Nets, the supplier acts as sub-processor according to written agreement and instructions from Nets.
5. Updating and correction of information
We strive to keep any registered personal information updated at all times. Sometimes we are depended on getting new information from you as the data subject, sometimes we subscribe to updates from public registers. If the delivery of a service is subject to yourself maintaining personal information this will be mentioned on the website in connection to the order procedure or in the terms & conditions for the relevant service.
6. For how long do we store your data?
The personal information you have provided to us is processed and stored for the particular purpose is collected for as long as the particular purpose is valid and after this for a limited time due to our purposely determined back-up and deletion routines. For example, we will only store CCTV recordings as long as necessary and according to applicable national legislation.
7. Transfers to countries outside EU/EEA
In some cases, we will be transferring personal data to countries outside the EU/EEA. Such transfers will only take place subject to appropriate safeguards are in place for the transfer such as:
- The country has been deemed by the Commission of the European Union to have an adequate level of protection of personal data,
- The country has not been deemed by the Commission of the European Union to have an adequate level of protection of personal data, but we provide appropriate safeguards for the transfer through the use of "Model Contracts for the Transfer of Personal Data to Third Countries", as published by the Commission of the European Union, Binding Corporate Rules (BCRs), any other contractual agreement approved by the competent authorities or any other legal basis, including the use of supplementary measures if deemed necessary, or if any of the derogations of article 49 of the GDPR are deemed adequate as a basis for the transfer
Nets Group is dedicated to protecting your personal Information. We have adopted internal security policies and instructed our employees accordingly in order to comply with applicable legislation, e.g. GDPR. We have implemented appropriate procedures and security measures to protect your Personal Information from being destroyed, lost or altered, publicised unlawfully and against being disclosed to unauthorised persons or otherwise processed contrary to applicable Personal Data Protection legislation.
9. Your rights as a data subject
- You have the right to request access to and rectification or erasure of your personal data.
- You also have the right to object to the processing of your personal data and have the processing of your personal data restricted.
- You have an unconditional right to object to the processing of your personal data for direct marketing purposes.
- If processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent for a specific service by following the instructions for the specific service, see specific service website.
- You have the right to receive your personal information in a structured, commonly used and machine-readable format (data portability).
- You may always lodge a complaint with a data protection supervisory authority in the EU/EEA member state of your habitual residence, place of work or where the alleged infringement has taken place. You can find the contact information of data protection supervisory authorities in the countries in the Nordics, the Baltics, Germany, Croatia, Slovenia and Poland below or at the website of the competent data protection supervisory authority, where you may choose to lodge your complaint. See the contact information below:
Denmark: The Danish Data Protection Agency (in Danish: "Datatilsynet"),
Estonia: Data Protection Inspectorate (in Estonian: "Andmekaitse Inspektsioon"),
Finland: Office of the Data Protection Ombudsman (in Finnish: "Tietosuojavaltuutettu");
Latvia: Date State Inspectorate (in Latvian: "Datu valsts inspekcija"),
Lithuania: Lithuanian Data Protection Inspectorate (in Lithuanian: "Valstybinė Duomenų Apsaugos Inspekcija"),
Norway: The Norwegian Data Protection Authority (in Norwegian: "Datatilsynet"),
Sweden: The Swedish Data Protection Authority (in Swedish: "Datainspektionen"),
Germany (Hessen): The Hessian Data Protection Officer (in German "Der Hessische Beauftragte für Datenschutz und Informationsfreiheit"),
Austria: Austrian Data Privacy Authority (in German: "Österreichische Datenschutzbehörde"),
Switzerland: Swiss Privacy Officer (in German: "Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter"),
Croatia: Croatian Personal Data Protection Agency (in Croatian "Agencija Za Zaštitu Osobnih Podataka"),
Slovenia: Information Commissioner of Slovenia (in Slovenian "Republika Slovenija Informacijski Pooblaščenec"),
Poland: President of the Personal Data Protection Office (in Polish "Urzędu Ochrony Danych Osobowych"),
There may be conditions or limitations on these rights. It is therefore not certain for example you have the right of data portability or to be deleted in the specific case - this depends on the specific circumstances of the processing activity.
You can take steps to exercise your rights by submitting your request here:
If you don't find the specific product or service relevant for your request you may contact us via the contact information below (e.g. with regards to data subject requests aimed at Concardis, Nets CEE and PayPro)
10. Contact us
The contact details of our Data Protection Officers are
For questions of a more general character you can write to us here.