Privacy Policy
- What answers can you find in the Privacy Policy
This privacy policy contains information on how Kan AS collects and processes personal data about you, and your rights in this regard.
In the declaration, you will find answers to what kinds of personal data are collected about you, the purpose of the processing, how the data is collected and protected, and to whom the personal data is disclosed.
Kan AS processes personal data about individuals using Kan AS's financial advisory application and consulting service. We also process personal data about contact persons at our established and future customers and suppliers. The processing of personal data in these different relationships will vary. For this reason, the processing will be described separately in this declaration in sections 3 to 4 below.
Kan AS is the data controller for the processing of personal data that takes place in our operations.
- Regulations Governing Kan AS's Processing of Personal Data
Kan AS processes personal data about you within the framework of the rules in the General Data Protection Regulation (GDPR) and the Personal Data Act, as well as other specific legal rules on the processing of personal data. An overview of the most important regulations for Kan AS's processing of personal data is provided below.
- GDPR
- Personal Data Act
- How we process personal data about you as a user of the service
Relationship – Individuals using Kan AS's app and financial advisory service, "user"
3.1 Purpose of the processing
Kan AS collects and processes personal data about you to provide you with an economic overview and financial guidance. The purpose of the processing is to give you an overview of your financial situation, budgeting, planning, and activities you can undertake yourself or with individual advice to improve your personal finances and provide you with general financial advice.
Kan collects and processes personal data about you also to communicate with you regarding the service Kan AS provides, including information on news and functionality updates. Personal data is also collected to send you marketing information if you have consented to receive such information. Personal data collected is also used for analytical purposes. Disclosure of analysis results to our clients occurs only in the form of statistical data. Personal data is not disclosed in this context.
3.2 Personal data processed and how the information is obtained
Upon logging into the application with BankID, Kan AS receives information such as name, date of birth, and personal number.
This information is collected to provide you with secure access to the app, and to identify you when retrieving information from various available registers.
If you use Kan AS's services, financial information such as income and asset status, credit and debt information, and profile data such as name, address, and contact information is collected.
For users in Norway, debt information is obtained from the Debt Register, Collection Register, Tax Return, other creditors, and yourself. Account information is obtained from the banking connection, income from the tax return or employer, and expenditure information from your banking connection. Information on asset status and wage deductions is obtained from the Clearing House and the Mapping Agency. Information on property value is obtained from Bisnode to estimate your financial capacity. For users in Sweden, the mentioned information is obtained directly from you, except for account information which is obtained from your banking connections.
The purpose of processing the information is to compile information to provide you with the best possible overview and financial advice.
Kan AS processes personal data received directly from you. In most cases, we process information about your life situation, occupational status, civil status, and dependents. In some cases, we also process special categories of personal data such as health information, or information about serving a sentence. It is voluntary to provide personal data about yourself to Kan AS.
Kan AS processes only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which they are processed and that are collected for specified, explicit, and legitimate purposes. The personal data is not further processed in a way that is incompatible with these purposes.
3.3 Legal basis for processing
Processing of personal data is lawful only where there is a valid legal basis for the processing.
Kan AS's lawful access to processing personal data in connection with the collection of information and financial advice is based on Article 6(1)(a) of the GDPR, which states that the processing is lawful if the data subject has given consent to the processing of their personal data for one or more specific purposes.
The legal basis for processing special categories of personal data is Article 6(1)(a) in conjunction with Article 9(2)(a) of the GDPR, which states that the basis for processing special categories of personal data is that the data subject has given explicit consent to the processing for one or more specific purposes.
The lawful basis for processing personal data about criminal convictions and offenses is Article 10 of the GDPR and Section 11 of the Personal Data Act, in conjunction with Article 6(1)(a) of the Regulation.
To enter into or fulfill an agreement with you to purchase Kan AS's services, Kan AS’s lawful access to processing personal data about you will be GDPR art. 6(1)(b) as the processing is necessary for the fulfillment of an agreement you are a part of.
The legal basis for using personal data linked to internal control procedures, testing, troubleshooting, and maintenance of operational and security systems in Kan AS’s professional systems is based on Article 6(1)(c) and (f) of the GDPR, which states that processing is lawful if it is necessary to comply with a legal obligation or to safeguard a legitimate interest that outweighs the individual’s privacy.
Kan AS's interest in processing your personal data in such a context is justified by our legal obligation to meet the security requirements of the GDPR. The use of collected data for analytical purposes is limited to statistical data and does not contain personal data. Reference is made in this regard to Article 5(1)(b) of the GDPR.
You may withdraw your consent at any time for processing activities based on your consent.
3.4 Disclosure of personal data
Access to personal data about you is primarily limited to employees of Kan AS who have a legitimate need. All our employees are bound by confidentiality regarding everything related to your matters. All communication you have with Kan AS is subject to this confidentiality.
When obtaining information as mentioned in section 3.2 above, there will be a need to disclose personal data about you to various registers to verify who the information is to be obtained about.
Kan AS uses various subcontractors to deliver the services we offer. Such subcontractors will in many cases have access to or be responsible for processing personal data. We hold our external contractors to the same security and confidentiality standards as we do ourselves.
Reference is also made to Kan AS’s use of third-party cookies, which is described further here.
For booking advisory appointments, MS Booking is used. This is a Microsoft 365 service that provides you with calendar functionality so you can manage advisory sessions with Kan's financial advisors. Personal information used in connection with meeting bookings includes name, phone number, and email address.
3.5 Decisions based on automated processes – scoring
The service does not involve decisions based solely on automated processing, including profiling, which has legal effects for you or similarly significantly affects you.
3.6 Storage limitation (Deletion)
Kan AS adheres to the rules for storage limitation of personal data in Article 5(1)(e) of the GDPR.
Personal data is processed as long as necessary to achieve the purpose of the processing.
Personal data processed based on your consent is deleted after 6 months unless new consent is given. If you withdraw your consent for the processing of personal data at an earlier time, the data will be deleted at your request.
- How we process personal data about you as a contact person at Customers/Suppliers/Potential Customers
Relationship – Contact persons at customers, our suppliers, and potential customers
Kan AS collects and processes personal data about you as a contact person at our clients, suppliers, and potential customers.
4.1 Purpose of the processing
The purpose of processing personal data about you, as a contact person at our clients and suppliers, is to enter into and manage the contractual relationship we have with the business you represent.
The purpose of collecting and processing personal data about you as a contact person at a potential customer is also to market our services and other sales-related inquiries.
4.2 Personal data processed and how the information is obtained
When entering into an agreement with Kan AS, information such as name, email address, phone number, employer, and possibly job title is collected and processed to have necessary contact information about you. The information is obtained directly from you or from the entity you represent.
Corresponding information about contact persons at potential customers is obtained by the contact person themselves providing contact information in our services.
4.3 Legal basis for processing
Kan AS’s lawful basis for processing personal data about you as a representative of a customer or supplier is primarily based on Article 6(1)(b) of the GDPR, which states that the processing must be necessary to fulfill an agreement to which the data subject is a party or because the processing is necessary to comply with a legal obligation that the controller is subject to, cf. Article 6(1)(c) of the Regulation.
It may also occur that the processing will be necessary based on a legitimate interest, cf. Article 6(1)(f) of the Regulation.
The legal basis for processing personal data about contact persons at potential customers is that Kan AS has consent from the contact person, cf. Article 6(a) of the GDPR. The same applies to marketing information to contact persons at existing customers.
If you do not want your personal data to be registered with Kan AS, you can request that it be deleted.
4.4. Automated decisions
We do not use automated decision-making processes when processing personal data about representatives of customers and suppliers.
4.5 Storage limitation (Deletion)
Personal data about contact persons at customers or suppliers is deleted five years after the end of the customer relationship unless there is a basis to process the data longer.
Personal data about contact persons at potential customers is deleted no later than one year after it was registered, unless the registered individual consents to a longer storage period. If a customer relationship is established, the data is deleted five years after the customer relationship ended.
- Subcontractor
To deliver our services, Kan AS uses different subcontractors. Our subcontractors are subject to the same obligations regarding personal data security as Kan AS.
Kan AS has entered into data processing agreements with subcontractors and is entitled to conduct security audits to ensure that the supplier processes personal data in accordance with the requirements of the data processing agreement and applicable data protection regulation.
- Transfer of personal data to third countries
Third countries are defined as countries outside the EU/EEA that have not been approved by the EU Commission. The transfer of personal data to third countries is carried out pursuant to Article 44 of the GDPR.
To integrate contact forms used to collect potential customers from companies interested in offering Kan, Kan AS uses a subcontractor that stores data in a third country.
- What rights do you have when registered with us?
Anyone who requests it has the right to basic information about the processing of personal data by Kan AS. This privacy policy contains such basic information.
7.1 Right of access
If you are registered in one of Kan AS's systems, you have the right to access personal data that Kan AS processes about you when Kan AS is the data controller.
With the limitations set out in the GDPR, the right of access includes information about the purpose of our processing of your personal data, the personal data we process, the sources from which we obtain your personal data, the recipients of your personal data, the retention period of personal data, whether personal data is part of automated decisions, how we protect your personal data, and what rights you have. This privacy policy addresses several of these points.
If you wish to access what personal data Kan AS processes about you, please contact us.
7.2 Right to rectification and restriction
You also have the right to request that your personal data be rectified if they are incomplete or incorrect.
7.3 Right to restriction of processing
If you dispute the accuracy of the personal data Kan AS processes, you believe the processing is unlawful, or you believe the processing is no longer necessary to achieve the purpose of the processing, you have the right to request that the processing be restricted. The same applies if you object to the processing.
7.4 Right to deletion
You also have the right to request that personal data be deleted. The right to deletion does not apply if Kan AS needs the information to fulfill the purpose for which they were collected, or if processing is necessary to comply with a legal obligation or to establish, assert, or defend legal claims.
7.5 Right to withdraw consent
If the processing of personal data is based on your consent, you can withdraw your consent at any time.
7.6 Right to object to processing
You have the right to object to Kan AS's processing of personal data unless the processing is necessary for Kan AS to protect a legitimate interest that outweighs your privacy.
7.7 Right to lodge a complaint
If you believe that Kan AS has not complied with your rights under the data protection regulation, you have the right to file a complaint with the relevant supervisory authority. This is done by submitting a complaint to the Data Protection Authority. Contact information for the Data Protection Authority is available at Datatilsynet (Norway) and Imy (Sweden).
- Information Security
Security and confidentiality regarding the processing and storage of your personal data and financial situation are fundamental to our business. In addition to our privacy practices, we employ various security mechanisms to protect personal data about you and your cases from unauthorized or unlawful processing and against accidental loss, destruction, or damage. Some of Kan security measures are:
- All employees, temporary staff, consultants, and suppliers must sign a confidentiality agreement before gaining access to our professional system and premises and must familiarize themselves with our security policy.
- Kan AS has internal training on privacy in collaboration with Kredinor AS.
- Kan AS has access control and protection of sensitive personal data.
- Technical security measures are in place to prevent intrusion and access to personal data.
- Data processing agreements are made with Kan AS's subcontractors who process personal data on behalf of Kan AS.
For more information on security measures, please contact Kan AS.
- Revision of the Privacy Policy
Changes in our services, regulatory changes, or similar may lead to changes in this privacy policy. The latest revision is dated 31.05.2024.
How to contact us regarding privacy questions?
The data controller for processing personal data at Kan AS is Kan AS. The data controller is responsible for ensuring that Kan AS fulfills its obligations under data protection legislation.
Data Protection Officer:
Benedicte Haarr
E-mail: personvernombud@kredinor.no
Phone: +47 930 22 779
Address: Sjølyst Plass 3, Postboks 782 Sentrum, 0106 Oslo
Data Controller:
Kan AS
Org.nr. 926 97 752
E-mail: kontakt@kan.no
Phone: +47 924 46 918
Address: Sjølyst Plass 3, Postboks 782 Sentrum, 0106 Oslo