Third Act Financial Services AB, 559152-9366, is a private limited company registered in Sweden, hereinafter referred to as “The Third Act”. This policy explains how The Third Act uses personal data.
What is personal data
The legal definition of personal data is any kind of information that is related to an identified or identifiable natural person. An identifiable person is someone who can be identified directly or indirectly with the help of the information in combination with additional information that the person responsible for personal data has or is likely to have access to.
The Third Act as personal data controller
The Third Act provides a platform for digital pension advising that helps the individual to take control of their pension situation, create their pension plan and which is followed up on an ongoing basis, hereinafter referred to as the “Service”.
The Third Act is authorised by the Financial Supervisory Authority (FSA) in Sweden (SW: Finansinspektionen) to conduct business in insurance distribution and is subject to i.a. the Insurance Distribution Directive and FSA’s Regulations on Insurance Distribution. To provide advice on pensions, The Third Act has an obligation under this law and regulations.
To be able to provide the Service according to the terms, we also need to be able to process personal data.
There may be a need for information where you give your consent for your personal data to be processed for one or more specific purposes. In these cases, you will be informed about the purpose of the collection. If we need your consent to process additional personal data, we will inform you about what consent entails.
Collection, processing and use of personal data (processing)
We process personal information provided by you directly in the Service and pension information that we collect directly from insurance companies and the Swedish Pensions Agency through a digital power of attorney, as well as your personal information from the Swedish Personal Address Register, SPAR, which you approve via electronic BankID.
If the Service is provided via your employer, the Service will be able to identify you through the personal information we have received. If your employer sends information, The Third Act is data processor and your employer are data controller.
Examples of personal data that are necessary for us to be able to provide the Service and for The Third Act to meet the legal requirements.
Information provided by you includes:
- Personal information that is necessary for the Service.
Information that we collect through your approval includes:
- Information about your existing pensions, i.e., public pension, occupational and private pensions, which are obtained from the Swedish Pensions Agency and the insurance companies.
- Your personal information obtained via the Swedish Personal Address Register, SPAR.
Information about the employer when it provides the Service to employees includes, among other things:
- Contact information for the responsible person at the company.
Information that you explicitly and knowingly provide to The Third Act will be used for the following main purposes –
- Deliver services in the form of advice on and communication about pensions and insurance.
- Offer you a user account and view your account in the Service.
Fulfil and administer obligations under The Third Acts’ advisory responsibilities.
- Provide information on changes regarding regulations, conditions, products, and services.
- Communicate about the Service with you and your employer.
- Communicate about complementary services with you and the employer.
- Perform market and customer analysis as well as risk management.
- Improve and develop The Third Acts services for you as a user and your employer.
- Prevent and investigate criminal acts and incidents.
- Handle questions and opinions from customers.
Who do we share personal information with
Your personal data will only be disclosed or transferred to third parties if it is necessary for The Third Act to be able to perform its services if it is required to comply with applicable law or if you have given your prior consent. In some cases, we may also be required by law to provide your personal information to authorities, such as the Swedish Financial Supervisory Authority.
Each subcontractor hired by The Third Act and who will thus process personal data on behalf of The Third Act must enter into a separate agreement as a personal data processor. According to such an agreement, the subcontractor undertakes to follow instructions from the relevant data controller as well as current data protection legislation.
The Third Act uses the following subcontractors who receive personal data –
- SPAR, The Swedish Personal Address Register – Collection of the individual’s address information
- Roaring – Collection of the individual’s address information
- Fullmaktskollen – Administrator of digital power of attorney
- Svenska Försäkringsfabriken – Collection and processing of insurance information
- Criipto – Authentication of the Banks’ ID service
- Provider of invoicing services
Storage and transfer of data
The Third Act only stores and processes personal data to provide its services within the European Economic Area. No personal data is transferred to third countries outside the EEA.
For more information, visit www.allaboutcookies.org
The Third Act ensures that appropriate security measures are taken to ensure that personal data is always protected. The company’s security system includes firewalls, secure login, and access controls.
How long do we store your personal information
The Third Act stores your personal information during the time you are a user of the Service. We will then delete your information if we are not obliged by current law to store the information for a longer period. The Third Act is subject to the Insurance Distribution Directive, which requires us to store your personal information in the advice we provide 10 years after the time of advice.
What rights do you have
You who are registered in the Service have several rights that you should be aware of. You have the right to request a register extract free of charge of what information is registered about you. There is a right for The Third Act to charge an administrative fee if you request more than one copy of your personal information.
You also have the right to data portability of personal data. You have the right to have your personal data corrected if it is incorrect, incomplete, or misleading and the right to limit the processing of personal data until it is amended. You have the right to be forgotten, but deletion of personal data cannot take place if it is required to fulfil the agreement or if other Swedish or European law, court or authority decision says otherwise or if it is based on balancing of interests. Should you consider that there are no justifiable reasons or that the balance of interests is incorrect, you have the right to object to the treatment. You also have the right to withdraw consent, submit complaints about the processing to The Swedish Data Protection Authority (SW: Datainspektionen), oppose automatic decision-making, profiling, and object to direct marketing.
The Third Act is obliged to return without undue delay, however, no later than one month from the time we have received your request and inform you of the measures we have taken. This period can be extended depending on how complicated the request is; however, we must inform if it arises.
If you want to know more
The person responsible for personal data is Cecilia Seddigh.
If you wish to complain about The Third Acts’ handling of your case, please contact The Swedish Authority for Privacy Protection (IMY). For more information on how to handle complaints and notification procedures see,
Address: Integritetsmyndigheten, Box 8114, 104 20 Stockholm, Sweden
Changes and updates