Terms and conditions

Privacy policy

We want you to make a safe and smooth car purchase. That’s why we are open 24 hours a day by email and can show cars anytime between 06:00 and 22:00. If you live in the capital region, we can show the car at your home or workplace.

1. Introduction

This policy covers the board of directors, management and all employees of the AMCAP Group and aims to ensure that all companies within the group comply with EU Regulation 2016/679 (“GDPR”). Each company within the group is independently responsible for its own compliance with the GDPR and with this policy.

2. Liability, compliance and training

Each company belonging to the group is obliged to ensure that its processing of personal data complies with the data protection regulation and with the rules of this policy.

2.1 Data protection officer in the company

AMCAP has assessed that the group is not required to appoint a data protection officer. The CEO of each company is therefore responsible for ensuring that the data processing carried out by that company complies with the rules of this policy.

2.2 Internal training on the company’s processing of personal data

Where it is deemed necessary and it is clear that the company’s internal knowledge is insufficient, each company must ensure that its personnel receive the required training. The company’s internal routines and training needs are reviewed and updated on an ongoing basis.

3. Overview of the Company’s processing of personal data

3.1 Record of processing activities

AMCAP has established, in accordance with Article 30 GDPR, a record of the processing of personal data carried out by each company. The record contains information on:

the name and contact details of the company;
the purposes and legal basis of each individual processing activity;
categories of data subjects, e.g. customers, suppliers, etc.;
categories of personal data, e.g. name, address, bank details, etc.;
the categories of recipients to whom the company discloses personal data, e.g. service providers;
transfers to third countries, to the extent that they occur;
time limits for deleting the different categories of personal data;
an overview of the technical and organizational security measures implemented by the company.

4. The organization’s data protection measures

The company must, taking into account the nature, scope, context and purpose of the processing of personal data, as well as risks of varying probability and severity to the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the GDPR. For this reason, the company has produced GDPR-compliant guidance documents covering the areas described below.

4.1 Personal data processing overview routines

The purpose of the company’s processing of personal data is to be able to offer a well-functioning, user-friendly and secure service for vehicle sales. To do this, AMCAP needs to process certain personal data about the company’s customers in order to:

store the user’s personal and contact information;
manage the user’s payments and the customer relationship with the user;
provide users with information (not marketing) in a clear and simple manner;
perform credit checks on users;
detect, prevent and manage misuse and fraud of the Service;
perform risk analysis and risk management;
perform internal troubleshooting, data analysis and generate statistical information;
perform user analytics.

All processing of personal data carried out by the Company must rest on a legal basis under the GDPR. The Company primarily relies on three legal grounds: (i) performance of a contract, (ii) a legal obligation, and (iii) legitimate interest. Of the purposes listed above, the processing carried out (i) to perform user analytics and (ii) to detect, prevent and manage misuse and fraud of the Service is supported by the Company’s legitimate interest. For the other purposes, the processing is supported by the Service agreement with the user and by the Company’s legal obligations.

Where the Company relies on legitimate interest as the legal basis for processing, that legitimate interest is to be able to develop the Service in order to improve the user experience and to increase the Company’s ability to provide the Service securely. Detecting, preventing and remedying abuse and fraud in the use of the Service, to the greatest extent possible, is essential. Ultimately, this is about protecting users, which users should also be able to expect the company to do.

4.2 Data Collection Procedures

AMCAP always seeks to collect as little personal data as possible to achieve the purpose of the processing. The company must therefore be selective in the personal data it requests from the user when the customer uses AMCAP’s services. Information that is generally necessary to process in order for the Company to provide the service is:

Personal and contact information – name, date of birth, social security number, billing and delivery address, email address, mobile phone number, etc.
Financial information – income, any credit information, and negative payment history of the user.
Historical data – the user’s payment and credit history.
Information about interaction with AMCAP – how the user uses the service, including page response times, loading errors, logging in and out of the Service, and delivery notifications when the Company contacts the user.
Device information – such as the user’s IP address, language settings, browser settings, time zone, operating system, platform and screen resolution.

4.3 Procedures for transferring personal data to others than the user himself (“third parties”)

The company’s main rule is that personal data may not be disclosed to third parties unless this is necessary to fulfill the customer’s wishes. The company informs users that their personal data is shared with third parties through the privacy policy in Appendix 1, which is currently available on the website and will soon also be available in the mobile application. The company shares users’ personal data with third parties only to the extent necessary to fulfill the contract with the user concerning the Service or to comply with Swedish law. Where a transfer takes place, the Company takes reasonable contractual, legal, technical and organizational measures to ensure that the user’s data is processed securely and with an adequate level of protection.

The categories of third parties with which the Company may share personal data are as follows:

Suppliers and subcontractors;
Credit reference agencies and similar providers;
The Company’s other group companies;
Authorities. The Company may hand over necessary information to authorities, such as the police, the Tax Agency or other authorities, if the Company is obliged to do so by law. An example of a statutory reporting obligation is measures against money laundering and terrorist financing;
Debt collection/factoring companies. The Company may also share information when selling receivables to a third party, such as a collection agency.

4.4 Procedures for transferring personal data to countries outside the EU/EEA (“third country”)

The company strives to process users’ personal data within the EU/EEA wherever possible. In certain situations, however, a company belonging to the group, or another supplier or subcontractor, may transfer personal data to a third country and process it there. In such cases the company takes reasonable contractual, legal, technical and organizational measures to ensure that the data is processed securely and with a level of protection comparable to that offered within the EU/EEA. To the extent that transfers to third countries take place, the Company aims to ensure that they are supported by one of the following:

a decision by the European Commission that the third country ensures a so-called adequate level of protection;
binding corporate rules; or
standard contractual clauses.

4.5 Storage period routines

With regard to the retention period, the Company classifies personal data according to whether or not a statutory retention period applies. Statutory retention periods arise, for example, from anti-money laundering and accounting legislation. For processing of personal data carried out by the Company to which no statutory retention period applies, the personal data is stored only for as long as is necessary to provide the service in question.

4.6 Procedures to protect users’ rights

The company has established contact channels by e-mail and post through which users can exercise their rights. Through these contact channels, the company can respond to users’ requests to:

access their personal data, to the extent that the data can be disclosed in accordance with applicable law or decision;
rectify incorrect information;
erase information that the customer has provided with his or her consent;
restrict the processing of their personal data;
obtain portability of the personal data they have provided themselves.

When the Company receives a request to exercise one of the above rights, the Company acts as follows:

the customer’s request is forwarded without undue delay to the Company’s data protection officer/CEO;
the Company’s data protection officer/CEO must then ensure that the customer receives a response to the request without undue delay, and in any case no later than one month after receipt of the request, which is the time limit set by Article 12(3) GDPR (extendable by a further two months for complex or numerous requests, provided the customer is informed of the extension and its reasons within the first month).

4.7 Procedures for handling personal data incidents

The company defines a “personal data incident” as an intentional or unintentional breach of security that may pose a risk to people’s rights and freedoms. Such a risk can mean, for example, that someone loses control over their data or that their rights are restricted, as in the case of fraud or a breach of confidentiality.

The CEO of the company is responsible for reporting a personal data incident by completing the notification form of the Swedish Authority for Privacy Protection (IMY) and sending it by letter to IMY, Box 8114, 104 20 Stockholm. Under Article 33 GDPR the notification must be made without undue delay and, where feasible, within 72 hours of the company becoming aware of the incident, unless the incident is unlikely to result in a risk to the rights and freedoms of natural persons.

If the Company concludes that it is obliged to notify the affected persons of a personal data incident, this is done as follows:

the data subjects are informed by e-mail, in which the nature of the personal data incident is clearly described;
the data subjects are given the name and contact details of the data protection officer/CEO or of a person within the group who is familiar with the matter and can answer questions;
the likely consequences of the personal data incident are described;
the measures that have been taken or will be taken to handle the personal data incident and mitigate its negative effects are described;
the data subjects are given a recommendation on appropriate measures they should take to protect themselves from the effects of the personal data incident.

4.8 Personal data service agreement with third parties

The company has a routine for assessing, when engaging external parties, whether the external party will process personal data on the company’s behalf. If the Company concludes that this is the case, the Company requires a data processing agreement with the external party, under which the external party takes on the role of personal data processor.

The instructions given to the processor under the data processing agreement are adapted to the specific circumstances of each engagement of a processor.

5. Technical data protection measures

The following security measures are implemented to protect data:

An isolated production environment that cannot be accessed by a single developer alone;
A secure way of handling login credentials and other sensitive information;
Defined access levels for employees with access to personal data and the product interface, set up so that not all employees have access to all data;
Protection against external attacks, Trojans and viruses.

6. Data protection impact assessment (DPIA)

AMCAP, taking into account the size of the group, the scope of the business and the fact that none of the companies in the group processes special categories of (sensitive) personal data, has concluded that there is no need to carry out a DPIA at this time and that it is sufficient for the group to continuously assess the processing taking place in each company. However, the management of each company must continually assess the need for a DPIA based on the following criteria:

–  Frequency of processing of sensitive personal data;

–  Outsourcing of processing to third countries;

–  Changes that make the system environment complex.

7. Deciding on policy

The company’s board of directors adopts the policy when necessary, and at least once a year, even if no changes have been made. The date of the last update and adoption can be seen on the front page of the policy.