November First processes personal data from users of our website and the N1 Platform, employees of November First and our customers as well as partners. November First protects the personal data and complies with the laws in force at all times to protect the personal data processed by November First.
Personal data means any information relating to an identified or identifiable individual, such as an indirect or direct identified person’s name and email address.
November First has taken the appropriate technical and organisational measures so that personal data always is protected against any, loss, manipulation, and unauthorised access. And November First continuously works on strengthening our security.
All processed personal data is considered confidential information by November First, and November First ensures this by ensuring that all employees are subject to and bound by confidentiality, as well as having procedures and ensuring that our employees know how personal data will be processed.
November First is the data controller for the processing of personal information that occurs at November First in connection with the creation of a customer (business entity), the ongoing administration, and any termination.
If consent has been given for the disclosure of personal data to business partners of November First, the respective business partners will themselves become data controllers for the processing of personal data that is done for their own purposes.
3.The purposes of processing personal data
November First uses personal data to provide, support and customize and develop November First's services and make these available for customers.
3.1 User creation
November First, as a payment institution, is subject to Act on Measures to prevent Money Laundering and Financing of Terrorism ("the AML Act"). In order to comply with legal requirements, we request to obtain information on the identity of all customers etc., and for legal persons, November First must identify the company's ownership and control structure, including the identity of the company's beneficial owners, cf. section 2, no. 9 of the AML Act November First uses registration data to validate identity and allow access to November First's Platform in accordance with the Terms and Conditions and November First’s onboarding procedure.
When applying to become a customer with November First, November First process the following information: home country; CVR-number; Social Security number or national identification number; ownership; name; email; contact information; birthplace and country; country of residence; date of birth; photo; citizenship, etc. In this context, November First may also obtain information about persons and their activities from public registers and other sources, including company databases for validation purposes. Furthermore, the purpose of the business relationship and the intended business scope must be specified.
In addition, November First processes information on possible criminal activity; registered offences or other matters relevant to the assessment of money laundering and terrorist financing, regarding persons and the beneficial owners of legal persons, information on whether the person is a politically exposed person (the AML Act section 2, no. 8) or close association to a politically exposed person.
In this context, November First collects data from people; our customer (legal persons); authorities; websites; sometimes from social media or other publicly available information; providers of business information and similar services; from companies and persons subject to the AML Act Section 1, subsection (1), no. 1-15, 17, 19 and 21 in accordance with Section 38, subsection (6) of the AML Act.
The purpose of processing the above information is to be able to complete and document November First’s statutory know-your-customer procedures (KYC), as well as to be able to answer questions or rectify errors or otherwise before approval of the customer relationship.
3.2 Administration and transactions
As part of November First's ongoing customer relationship management, November First will process the information provided to us in connection with user creation. In addition, November First regularly processes information about the use of the Platform. November First logs personal data whenever the website is visited, or the November First services are used on the Platform. For example, when an article is clicked on, when anything is downloaded, or a search is performed. November First uses logins, device information and IP addresses to identify users and login usage. Communication with November First is archived to provide the best customer support possible.
Under the AML Act, November First is required to investigate the background and intended nature of all complex and unusual transactions and the activities in connection with the customer relationships with November First. Furthermore, we have a duty to document the findings in connection with AML checks.
If a customer has been approved as a customer and uses November First’s services, November First processes data such as transaction data with the information necessary for November First to settle payments initiated by the customer, this information includes: bank account in base currency, settlement date , beneficiary's name, either an IBAN or the beneficiary's account number in the beneficiary’s bank, beneficiary’s bank's BIC code, amount, currency, choice of all beneficiary’s fees on the transaction to be paid by the customer or the beneficiary, message to the beneficiary (optional), as well as the beneficiary's address (street, number, zip code, city and country).
The purpose of the processing is for November First to be able to complete transactions, transfers, etc., provide the services, and perform customer support and to ensure compliance with November First’s legal obligations, including documenting and completing know-your-customer procedures (KYC).
If a customer no longer wishes to be a customer of November First, November First will process personal information to terminate the customer relationship and close all user account(s).
The purpose of processing related information is to enable the closure of user account(s), communicate with the respective customers and to answer any questions the customer may have.
However, November First will store relevant information for at least 5 years after the termination of the customer relationship or the completion of a transaction, if the customer relationship is not established, so November First can comply with all legal obligations under the AML Act. In addition, to protect November First against fraud and to be able to document any consent(s) etc.
3.5 Communication and support
November First collects information when any contact forms are completed on the website, as well as when writing to or calling November First.
November First can communicate via email, via website and the Platform as well as by telephone. This may include information on the use of services, updates, reminders, questions related to payment initiations or transactions.
November First uses data to provide customer support and resolve any issues.
In doing so, November First uses the data collected, including the communication with November First that is necessary to investigate, respond and react to any errors or problems with the services.
3.6 Information from device
November First collects information from devices, including technical information such as IP address; information on when and from where November First's website was visited, as well as information about the visits, including which links are clicked on, what services or articles are read; or if contact details are filled out or if something is downloaded.
November First uses data and content about end users for communications as well as for invitations that promotes the services of November First. However, November First will only send marketing material to you if consent has been given.
General service information about the content, changes, availability, etc. of November First services on the Platform is sent to customers when relevant to the respective customer's use of the Platform.
November First uses information to produce aggregated data sets. In this context, it is no longer possible to be identified on an end-user level. For example, November First uses data to create statistics on transactions, use of services, customer activity, etc.
3.9 Information from employer
If you are employed by a company that is a customer of November First and you have been given an authorization as a user on the Platform as part of your work, your respective employer will provide November First with information about the individual user. This will typically be name, email, and title. Besides, November First collects information about when and how the services are used on the Platform and what payments the user is initiating and sending for approval or completion. Furthermore, November First collects information from the device(s), as explained above.
3.10 Automated decisions
Depending on the services used on the Platform, November First may in some cases make automated decisions. This may be in connection with increasing the credit limit, the creation of authorizations, AML check, etc.
This means that November First may use technology to evaluate the circumstances of the transactions made or payments initiated in order to be able to assess risks or investigate the background and intended nature of all complex and unusual transactions and/or activities in any customer relationship with November First, to which November First is required to do so under the AML Act. Furthermore, November First has a duty to document the results of November First's investigations. Such investigations are always manually controlled by a person.
If November First is aware of, or has reasonable grounds to suspect, that a transaction, funds, or activity is related to money laundering or terrorist financing, November First is obliged by law to notify the authorities. The same applies to suspicions arising from an attempt by a customer to initiate a transaction or a request from a potential customer seeking to initiate a transaction or activity, cf. in its entirety Section 26 of the AML Act.
Information, including personal data, may be shared in this connection with the following recipients: relevant supervisory authorities, the Public Prosecutor for Special Economic and International Crime ("SØIK") (for compliance with the obligation to report under the AML Act); November First's professional advisors (lawyers and accountants); November First’s IT hosting providers (data processors); companies and persons included in Section 1, subsection (1), no. 1-15, 17, 19 and 21, of the AML Act, in accordance with Section 38, subsection (6) of the AML Act.
4. Legal basis
The processing of personal data is done to fulfill the Terms and Conditions, agreements, legal obligations and to fulfil November First's legitimate interests.
The legal basis for November First's processing is the financial regulation as well as other legislation, including the AML Act and the Data Protection Act.
In addition, personal data may be processed if the processing is necessary based on an agreement or an agreement that is considered to be entered into with November First. For this purpose, processing may also take place on the basis of consent or on the other lawful basis set out in Articles 6(1) and 9 of the Data Protection Regulation (GDPR).
5. When does November First disclose personal data?
In order to fulfil agreements, November First discloses the information provided to November First and which is necessary to be able to complete the delivery of the services.
In connection with payment initiation, which November First carries out on behalf of the customer, the information provided will be disclosed to the relevant business partners, including correspondent banks and the beneficiary, to manage the transaction. In addition, based on consent or another legal basis information will be disclosed internally within November First.
5.1 Statutory disclosure
November First may have to share information when November First determines that it is required by law, or to protect individuals, their safety, and their rights.
November First never discloses personal data to third parties without the subject's consent, unless there is a legal basis or November First is required to do so because of legal obligation(s), government claims, bankruptcy, death, or similar cases. Such disclosure will always happen with due consideration to the, of the time of disclosure, existing legislation.
November First may also disclose information without consent, if November First suspects that it is reasonably necessary to disclose the information in order to investigate, prevent or act on suspected or actual illegal activities or to assist public authorities, enforce November First's agreements, including the Terms and Conditions, protect the security or integrity of the Platform.
In the event of breach of obligations, November First may report to credit information agencies and/or warning registers in accordance with applicable rules.
5.3 The Platform
Name, email, user permissions, and title are visible to the company's selected administrator on the Platform. November First provides the administrator with access to information about the payment initiations made, and is sent for possible approval, as well as related information.
5.4 November First's third-party security
November First may use others to assist November First with its services. November First uses subcontractors to e.g., host November First’s IT systems, for example, when maintaining November First’s systems, data, auditing, debt collection, development. In addition, data will be shared with November First’s banking partners to provide the services, as well as any third parties who, by the "Payment Collection" service, deposit money into the respective November First "Payment Collection" account.
November First may share information with third parties in cases where November First's partners help November First provide services through November First's integration and API, such as using an ERP-system or payment initiation service agreement. November First only shares information if you have asked to use this service or a partner's product.
November First's sub-contractors or partners have access to information to the appropriate proportions in order to perform tasks on November First’s behalf. They are obliged not to disclose the information or use it for other purposes.
November First may use data processors outside November First. Such external data processors only process personal data on behalf of November First for the specific purposes for which the personal data were originally collected, and only on the instructions of November First. November First also has a number of minimum security privacy requirements that November First’s data processors must always meet.
November First enters into data processing agreements with subcontractors in accordance with EU/EEA rules, EBA guidelines and the Outsourcing Executive Order to ensure a high level of protection. The agreements ensure that the processing of personal data by subcontractors is carried out in accordance with the applicable rules. The terms and conditions of the agreements always meet the requirements of the European Commission and the applicable data protection legislation.
5.5 Will information be transferred to countries outside the EU?
Since November First delivers foreign payments on behalf of our customers, information related to this may be transferred outside Denmark or the EU and EEA for November First to provide all available services.
As a main rule, November First does not transfer personal data to countries outside the EU and EEA, but if necessary, in order to fulfil an instruction or contractual obligation to a customer, November Fist may do so.
Where November First is instructed to make an international payment outside the EU and EEA, November First will, through correspondent banks, transfer the information entered to the beneficiary's bank's country for November First to provide November First's services and fulfil agreements.
5.6 Changes or sale
All employees of November First are subject to confidentiality, and employees may not inappropriately disclose or exploit confidential information that comes to the employees' knowledge through their work at November First.
6. How long does November First store personal data?
November First keeps personal data for as long as is necessary to comply with legal obligations under the AML Act, but at least 5 years after the termination of the customers relationship, or after the completion of a single transaction, cf. Section 30 of the AML Act.
7. Rights of the data subject
Under GDPR, the data subject has rights in relation to November First's processing of data.
The data subject, with the Data Protection Act’s and the AML Act’s restrictions, has certain rights in relation to the processing of personal data, including the right of access to personal data, the right to rectification, the right to erasure, the right to have restriction of processing and the right to object to the processing of the data. The data subject also has the right to complain to a competent supervisory authority, including the Danish Data Protection Agency.
Right to access information (right of access):
The data subject has the right to access the information that November First processes about the data subject, as well as a number of additional information.
Right of rectification (correction):
The data subject has the right to have incorrect information corrected.
Right of erasure (“right to be forgotten”):
In particular cases, the data subject has the right to have information about him or herself deleted before November First’s general deletion occurs.
Right to restriction of processing:
In particular cases, the data subject has the right to have the processing of personal data restricted. If the data subject has the right to have the processing restricted, henceforward November First may only process the data, except for storage, with the consent of the data subject, or for the purpose of determining, exerting, or defending legal claims, or to protect a person or important public interests.
Right to object:
In certain cases, the data subject has the right to object to November First's otherwise lawful processing of the data subject's personal data. The data subject may also object to the processing of data for direct marketing.
Right to transmit information (data portability):
In particular cases, the data subject has the right to receive the personal data provided to November First in a structured, commonly used, and machine-readable format and to have that personal data transferred from one data controller to another without hindrance.
More can be read about the data subject's rights in the Danish Data Protection Agency's Guidelines on the rights of the data subject, which can be found at www.datatilsynet.dk.
If one wishes to exercise their rights, please write to: email@example.com.
By letter: November First A/S, Strandgade 98, 3rd floor, 1401 Copenhagen K
One can expect to hear from November First within 30 days of a request being received.
If one wishes to complain about the way November First processes information, please write to: firstname.lastname@example.org.
By letter: November First A/S, Strandgade 98, 3rd floor, 1401 Copenhagen K
You can expect to hear from November First within 30 days of a request being received.
You also has the right to complain to a competent supervisory authority, including the Danish Data Protection Agency. The Data Protection Authority's contact details can be found at www.datatilsynet.dk.
- FT number:22017
- Latest updated:12th April 2021