Privacy Notice –
Processing of Personal Data for Recruitment Purposes
Last updated: 29 October 2025.
This Job Applicant Privacy Notice (“the Privacy Notice”) describe how PayEx Group Companies (as defined below) process the Personal Data of Job Applicants.
The PayEx Group company at which you are seeking employment is the Controller of your Personal Data.
The companies within the PayEx Group that may be acting as Personal Data controller are PayEx Sverige AB (556735-5671), PayEx Norge AS (979 315 503), PayEx Danmark A/S (70986914) and PayEx Suomi Oy (215 68 11-3). If you seeking employment at a branch of PayEx Sverige AB, the Controller of your Personal Data is PayEx Sverige AB.
As an employer, PayEx needs to process information about Job Applicants for hiring and evaluation purposes and to enable it to run its recruitment process effectively, lawfully and appropriately.
Definitions
Job Applicant
a natural person: applicants, candidates, leads, etc who are applying/applied for a position at PayEx (as defined below), i.e. you.
Personal Data
Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific. In the context of this Privacy Notice, Personal Data refers to any information directly or indirectly related to Job Applicant.
Processing
Any operation carried out with Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
PayEx
PayEx company acting as a Controller: PayEx Sverige AB (including its branches in Denmark, Norway and Finland), PayEx Norge AS, PayEx Danmark A/S or PayEx Suomi Oy.
PayEx Group
Swedbank PayEx Holding AB and its companies forming part of the company group at any given time.
PayEx Group company
Any company within the PayEx Group (Swedbank PayEx Holding AB and its subsidiaries).
Swedbank
Swedbank AB (publ).
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, i.e. PayEx
Processor
A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
Regulatory Legislation
Applicable legal acts that PayEx is subject to, for example, relating to anti-money laundering, banking secrecy, commercial activity, data protection, taxes, bookkeeping, credit, consumer credit, payment, payment services, insurance, leasing, investment and financial business.
Data Protection Legislation
Applicable EU- and national data protection legislation that PayEx is subject to, for example, GDPR and supplementary national data protection legislation as well as guidelines and guiding decision from supervising authorities and other applicable legislative acts.
GDPR
The Regulation (EU/2016/679) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data […].
Where this Privacy Notice uses terms that are defined in GDPR, unless otherwise explicitly defined in this Privacy Notice, those terms shall have the same meaning as in the GDPR, regardless of if used with a capital initial letter or not.
General
This Privacy Notice describes how PayEx generally carries out processing of Personal Data in adjunction with recruitment. If the recruitment process results in your employment, additional information regarding PayEx processing of Personal Data will be provided.
PayEx ensures, aligned with the framework of Data Protection Legislation, confidentiality of Personal Data and has implemented appropriate technical and organizational measures to safeguard your Personal Data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction.
PayEx may use Processors for the processing of Personal Data. In such cases PayEx takes all necessary steps to ensure that such Processors process your Personal Data only in accordance with PayEx documented instructions and in compliance with applicable Data Protection Legislation.
PayEx may use authorized Processors for processing or sharing of Personal Data with other recipients (such as partners, authorities, government agencies or other institutions as required by law and/or regulation). Read more about Processors in section 8.
Categories of Personal Data
Personal Data is collected directly from you, through the activities performed during the recruitment process, and from external sources such as public and private registers or other third parties, such as referees. When applying for a position within the PayEx Group, refrain from emitting Personal Data that is not necessary for the process of your application.
Personal Data categories, and main examples of personal identifiers within that category, that PayEx collect and process are:
Category
Personal identifiers
Identity and Contact Information
Information that enables identification of and communication with you as an individual.
Name, personal ID number, address, email, phone number, nationality, citizenship (only in Norway)
Employment and Work-Related Information
Information related to your current employment.
Type of employment, job role, employment start and end date
Demographic information
such as age, country of residence, citizenship, language of communication.
Competence and Development Data
Information related to previous experience, education, and development.
CV, education, certifications, references, test results.
Financial Information
Financial status, income and debt
Special category information
Sensitive data such as Special Categories of Personal Data (for example, data concerning health/allergies and trade union membership) and Data about criminal convictions and offences such as data about absence of criminal convictions or existence of conviction for wilful crime against the state, property or administrative order, or wilful crime of economic nature or in state authority service, or for commitment of such a crime which is connected with terrorism and conviction for that is not expunged or extinguished; or about convictions for breach of international or national sanctions or anti-money laundering and counter terrorist financing legislation and at least one year has not passed since the day of imposition of the sanction.
Legal ground and purpose of processing
As an employer on a regulated market, PayEx needs to process information about Job Applicants to enable it to run its business effectively, lawfully and appropriately.
PayEx prioritizes processing your Personal Data in a transparent manner and in accordance with applicable Regulatory and Data Protection Legislation.
Although PayEx is subject to certain regulatory requirements and occasionally under obligation to process your Personal Data in a certain way, the majority of Job Applicants Personal Data is processed since it is necessary to take steps at the request of you, prior to entering into a contract. The legal ground for the majority of our processing activities is thus “fulfilment of agreement”, GDPR art 6.1(b).
Some Personal Data may be processed based on the overall legal basis that it is necessary for the purpose of legitimate interests pursued by PayEx which outweighs the Job Applicants interest regarding fundamental rights and freedom which require protection of Personal Data, GDPR art 6.1(f).
Additionally, Personal Data may be processed since it is necessary to for compliance with a legal obligation to which PayEx is subject, GDPR art. 6.1(c).
In some cases, PayEx processes the same/supplementary Personal Data for additional purposes, if obliged by law or has a legitimate interest in doing so. These cases and some additional information regarding our processing activities are described below.
Legal obligation
PayEx process Personal Data to be able to fulfil its legal obligations according to Regulatory and Data Protection Legislation, or other mandatory legal requirements as described below.
The purposes for the processing are:
- Suitability assessments of Job Applicants (see FFFS 2023:13 and Joint
ESMA and EBA Guidelines on the assessment of the suitability of members of the management body)
- Categories of Personal Data: Identity and Contact information, Demographic information, Financial information, Special category information
- Data can be shared within the Swedbank group and with governing authorities
Categories of Personal Data: Identity and Contact Information, Employment and Work-related Information, and information relating to criminal convictions and offences.
- Data is shared within PayEx Company Group, when such sharing is required to comply with applicable regulatory legislation or labour laws.
Categories of Personal Data: Identity and Contact Information, Employment and Work-related Information, Competence and Development Information.
Legitimate Interest
Certain processing of Job Applicants Personal Data is based on PayEx legitimate interests.
The overall interests for PayEx to perform the activities below are business- and cost efficiency and PayEx determination of providing an attractive work environment for you and future Job Applicants, employees and consultants.
PayEx has assessed that the following processing activities are necessary for the purposes of the entitled parties’ interests pursued by PayEx, and that these interests override those of the Job Applicant regarding fundamental rights and freedom, primarily considering the protection of Personal Data, in accordance with the GDPR, art 6.1(f).
Several of the described processing activities below are conducted within PayEx right to direct and manage its business or to comply with general regulatory demands, further strengthening PayEx interest assessment.
The purposes and PayEx legitimate interests for the processing are:
- To conduct suitability assessments
Categories of Personal Data: Identity and Contact Information, Financial Information Special category information, external assignments, i.e. result of background check, in accordance with IMYFS 2024:1. PayEx does not save any information regarding criminal offence, merely verifying that a background check has been conducted.
The background check itself is conducted by a third party provider, who is the controller for the actual processing. PayEx only views or get a verbal summary of the background check, and does not store any of its content.
- Establishing, defending and exercising legal claims
Categories of Personal Data: Identity and Contact Information, Employment and Work-related Information, Competence and Development Data, Special Category Information
- Data can be shared with auditors, legal- and financial advisors, authorities (such as law enforcement agencies, sworn bailiffs, public notary offices, tax administration agencies, supervisory authorities, and financial investigation authorities), judicial and extrajudicial dispute settlement institutions, Trade unions, professional- and industry associations, depending on the claim.
- Data can be retained for as long there are unsettled, anticipated or sufficiently high risk of legal claim; but as a general rule no longer than 24 months.
Consent
PayEx will in some cases ask for the consent of the Job Applicants to the processing of Personal Data. Before you are given the option the consent, you receive additional information about the processing if necessary. You can always revoke your consent, see Section 11-12, and you will be informed about the possible consequences of such withdrawal.
The purposes for the processing are generally:
- When registering yourself in our candidate pool, for the purposes of contacting you regarding future job openings.
- Categories of Personal Data: Professional information, Contact information, Competence and Development Data.
- If you have not registered yourself in our candidate pool, but have applied for a certain position, contacting you regarding job openings we think that you might be suitable for, after valuating your profile.
- Categories of Personal Data: Professional information, Contact information.
- If you have not registered yourself in our candidate pool, to be able to contact you in order to collect a new consent for the above mentioned processing activity.
- Categories of Personal Data: Contact information.
Personal Data is retained and updated as long as your consent is valid, but no longer than 24 months at a time.
Profiling and automated decision making
PayEx does not engage in automated decision making, including profiling.
Retention Periods
Personal Data will only be processed as long as it is necessary to achieve the purposes of processing as presented in section 3.
In accordance with the GDPR, Personal Data is not processed by PayEx for a longer period of time than necessary to achieve the purposes set forth above. However, as described under section 4, there are multiple purposes for processing your Personal Data. PayEx has implemented technical as well as organisational measures to prevent that your Personal Data is object to purpose creep, i.e. not further processed in a manner that is incompatible with the initial purposes.
In such a way, your Personal Data is processed by PayEx under longer time for one purpose than another. In the event of any deviations, these are specified in section 4, in conjunction with a specific processing activity. As a general rule, data collected as described in this Privacy Notice is not kept by PayEx in a way that enables them to be related to you as a person longer than necessary.
For further information regarding PayEx retention rules, please consult information under each legal ground in section 4, but as a general rule the processing for the specific purposes are ongoing only as long as the application process. If your application does not result in an employment, your Personal Data will be processed in accordance with section 4.3 if otherwise is not stated specifically.
Recipients of Personal Data
Within the performance of the abovementioned Purposes, your Personal Data will, depending on the nature of processing, be shared with the following categories of recipients:
- PayEx Group companies
- Swedbank
- Auditors, legal- and financial advisors
- Third parties maintaining registers (e.g. population register and other registers which contain Personal Data or through which Personal Data is shared)
- Authorities (such as law enforcement agencies, sworn bailiffs, public notary offices, tax administration agencies, supervisory authorities, and financial investigation authorities)
- Judicial and extrajudicial dispute settlement institutions
- Other persons or entities providing services to PayEx, incl. archiving, postal service providers, providers of services of recruitment services.
Processors and sub-processors
PayEx may share your Personal Data with suppliers and subcontractors such as consultants, software suppliers, data storage suppliers and companies that provide, amongst other, printing- and postal services and additional services addressed above.
PayEx use their services in order to perform the processing activities described in this Privacy Notice, as they can perform services or functionalities that PayEx can’t provide itself.
PayEx share your Personal Data with various suppliers primarily to fulfil our contract with you, based on our legitimate interest or to comply with legal requirements. There are also times when PayEx use external programs for analysis, the processing is then based on a legitimate Interest.
The companies that process Personal Data on behalf of PayEx constitutes so-called Personal Data Processors. This means that they have the right to process Personal Data that they receive from PayEx in accordance with Data Protection Regulation, only on our behalf and according to our documented instructions. This is regulated in a Data Processing Agreements (“DPA”) between PayEx and the Processor.
For a full list of third parties that PayEx may share your Personal Data with, please contact us as set out below.
Security measures
PayEx protects the confidentiality of your Personal Data through the implementation of appropriate technical and organizational security measures to prevent unauthorized access, illegal processing or removal, unintentional loss, amendment or destruction of Personal Data. If you wish to receive more information regarding PayEx security measures, please contact us (contact information is provided in section 12).
Geographical area of processing
In general, your Personal Data will be processed within the European Union/European Economic Area (“EU/EEA”).
But, as you may expect, some of the recipients PayEx share Personal Data with may be located in countries outside of the EU/EEA.
Some countries where recipients may be located already provide an adequate level of protection for this data (e.g., those within the EU/EEA and some additional countries).
If recipients are located in countries without proper framework for adequate protection of Personal Data, PayEx will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable Data Protection Legislation. This may include appropriate safeguards for the transfer by means of binding corporate rules or standard contractual clauses adopted by the European Commission, or other contractual terms approved by the European Commission or competent supervisory authorities
In several of our services, PayEx use U.S.-based cloud service providers where PayEx have chosen Europe as the primary storage location. In exceptional cases, your Personal Data may also be processed in other countries in which the supplier or the suppliers Processors operates.
PayEx will always ensure that the countries in question have an adequate level of protection and/or that Processor has introduced appropriate security measures so that the same level of protection is applied to your Personal Data as under the Data Protection Legislation.
When sharing/processing Personal Data via US services, PayEx ensure the company in question is a member of the Data Privacy Framework: dataprivacyframework.gov
For further information about the transfer of Personal Data outside the EU/EEA, see Contact details below, section 12.
Rights of Data Subjects
As a Data Subject, you have several rights regarding the processing of your Personal Data. These rights ensure transparency and give you control on how your Personal Data is processed.
Right to access (GDPR art 15)
You have the right to request access to your Personal Data that PayEx process. This includes information about the purposes of processing, the categories and recipients of Personal Data, and how long PayEx store your information.
Right to rectification (GDPR art 16)
If your Personal Data is incorrect, incomplete, or outdated, you have the right to request that PayEx correct or update it without undue delay.
Right to erasure (GDPR art 17)
You can request the deletion of your Personal Data in certain circumstances, such as if the data is no longer necessary for the purpose it was collected, if you withdraw your consent (where consent is the legal basis), or if the data has been processed unlawfully.
Right to restriction of processing (GDPR art 18)
You have the right to request that PayEx temporarily restrict the processing of your data under specific conditions, such as if you contest the accuracy of the data or object to the processing.
Right to data portability (GDPR art 20)
If the processing is based on your consent or the performance of a contract and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format. You can also request that PayEx transfer this data directly to another data controller, where technically feasible.
Right to Object (GDPR art 21)
You have the right to object to the processing of your Personal Data if the processing is based on legitimate interests or performed for direct marketing purposes. If you object to direct marketing, PayEx will immediately stop processing your data for such purposes.
Right to withdraw consent (GDPR art 7.3)
If PayEx process your data based on your consent, you can withdraw your consent at any time. This will not affect the lawfulness of the processing carried out before the withdrawal.
Right to lodge a complaint (GDPR art 77)
If you believe that your Personal Data is being processed in violation of Data Protection Legislation you have the right to file a complaint with the supervisory authority. Contact details to respective jurisdictions supervisory authority:
Sweden - Integritetsskyddsmyndigheten
📍 Address: Box 8114, 104 20 Stockholm
📞 Phone: +46 (0)8 657 61 00
📧 Email: imy@imy.se
🌍 Website: www.imy.se
Finland – Tietosuojavaltuutetun toimisto
📍 Address:
PL 800, 00531 Helsinki, Finland
📞 Phone: +358 29 566 6700
📧 Email: tietosuoja@om.fi
🌍 Website: www.tietosuoja.fi
Norway – Datatilsynet
📍 Address:
Postboks 458 Sentrum, 0105 Oslo, Norway
📞 Phone: +47 22 39 69 00
📧 Email: postkasse@datatilsynet.no
🌍 Website: www.datatilsynet.no
Denmark – Datatilsynet
📍 Address:
Carl Jacobsens Vej 35, 2500 Valby, Denmark
📞 Phone: +45 33 19 32 00
📧 Email: dt@datatilsynet.dk
🌍 Website: www.datatilsynet.dk
Contact details
To exercise your rights, you can use our web portals:
Sweden: https://www.payex.se/dataskydd/dsar
Norway: https://www.payex.no/personvern/dsar
Denmark: https://www.payex.dk/databeskyttelse/dsar
Finland: https://www.payex.fi/henkilotietosuoja/dsar
You can also send an e-mail to our DPO address: dpo@payex.com
For more general questions regarding our GDPR and Privacy work you can e-mail the privacy function: privacy@payex.com
Contact information for PayEx Group companies can be found at: https://payex.com/about-payex-group/company-information/
Validity and amendment of the Privacy Notice
This Privacy Notice is available on PayEx website and upon request.
