1. INTRODUCTION

Privacy notice has been prepared for BB Merchant Services’ (hereafter «BB»). Also, it covers the handling and storage of personal data in accordance with the EU’s Privacy Policy, the GDPR. This entered into force on May 25^th, 2018.

The content of this document is in accordance with the privacy statement in BB’s internal routines. In addition, this is binding for all of our employees.

2. PRIVACY NOTICE CLASSIFICATION

BB offers a wide range of financial services for businesses (B2B). This includes mainly cost reduction services for our clients’ current banking arrangements and setup. In addition, BB receives financial information about our customers and our customers’ customers. Also 3rd parties, through our ordinary course of business. These third parties may be private individuals. Also, the information pertaining to these third parties. This may in some cases be personal information, in the form of behavioural patterns. For example, the information may contain personal information. In addition, this could include details on what, where and how much the third-parties trade with our customers. Also, as well as other information that BB’s customers use for commercial purposes.

BB does not utilise the information about its customers’ customers (third parties). However, information may be made available to BB as part of the service performed on behalf of our customers. Although the information is not required for the services rendered by BB. Als, BB is responsible for handling and storing the information received.

3. DATA CONTROLLER, SUPERVISORY AUTHORITY AND DATA PROCESSOR AGREEMENTS

BB operates in several European countries.

The Head of Shared Services on the BBs Group Executive team handles and stores the company’s personal data and oversees all markets in which BB operates. Additionally, they ensure a special duty of confidentiality for all personal data stored and/or handled by BB.

Head of Shared Services is based in BB’s head office in Oslo, and as such, BB’s supervisory authority for all markets in EU/EEA is The Norwegian Data Protection Authority (Datatilsynet).

A separate data processor agreement between BB and SuperOffice Norge AS for our CRM-System regulates what information the provider has access to and how it should be processed.

4. PRIVACY NOTICE CONSENT

Our agreements, which come with a copy of the Privacy Notice, require our customers to sign in advance of commencing our services. Upon accepting the contract, the customer explicitly consents to BB potentially receiving personal data and agrees that BB will handle these data in accordance with the Privacy Notice and any additional restrictions imposed by the data source.

5. PURPOSE/ PROPORTIONALITY /SECURITY

BB will store and collect personal information only for specified, legitimate purposes and will not disclose it to others under any circumstances.

The registration of privacy data is proportional, balancing the needs of the registered individual and the Registrar (BB).

When the received and collected data is no longer necessary for fulfilling the contractual obligations, BB will delete or anonymise it.

6. PRIVACY NOTICE PROCEDURES

A) RECEIPT OF DATA

Bank Brokers Shared Services team is responsible for handling the data we receive from our customers, and/or the data collected on behalf of our customers. The data is added to our filing system, as well as our well developed and highly secure CRM-system.

The responsible analyst from the Shared Services team that receives the information. Also, they are responsible for assessing the received information and determining whether the information contains personal data. If the data received contains personal information, or if there is any uncertainty regarding the content of the received information, the Head of Shared Services shall be informed and will thereafter be responsible for the appropriate handling of the received information.

If the data received contains personal data it shall be assessed. This will check whether the information is required by BB to be able to meet the contractual obligations to our customers. In addition if the data can be deleted.

If the personal data is required by BB to meet the contractual obligations to our customers, the storage of personal data will be highlighted in the project information in our CRM-system.

B) HANDLING

The CRM-system and filing system clearly states who has the permission to access information relevant to any ongoing or historic project.

When a Bank Brokers employee has the ability to access data containing personal information, the person shall be made aware of the fact that the file may contain personal information and that accessing the information is therefore subject to a special duty of confidentiality.

C) STORAGE AND DELETION

Upon completion of the contractual obligations, the data that contains personal information is deleted. Also, unless storage is considered necessary for further customer involvement or if it is likely that BB will perform additional services for the client within the next 12-months.

7. DEVIATIONS

If a possible deviation from this Privacy Notice occurs, BB’s employees must immediately notify the Head of Shared Services. This requirement also applies to events or circumstances not covered by this Privacy Notice, and if the occurrence is unforeseen.

We also encourage our customers to notify us if they believe BB is deviating from the Privacy Notice.

In the event of any deviation, BB will immediately take necessary actions to ensure that the personal information is processed anonymously and in accordance with the Privacy Notice.

If there is a security breach or unauthorised access to personal information for which BB is responsible, BB must notify The Norwegian Data Protection Authority (Datatilsynet) within 72 hours, even if BB does not have a complete overview of the breach.