This privacy policy applies as of June 1, 2025.
1. Introduction
This website and the services listed herein are provided by Global vLEI AB, corporate identity number 559501–1395 (“GvLEI”) with address Kungsgatan 56, 111 22 Stockholm, Sweden. At GvLEI, we work systematically with information security and data protection to ensure the secure handling of information and personal data. We take responsibility for ensuring that personal data processed by us is used only for the intended purposes and is protected against unauthorized access. All processing of personal data takes place in accordance with applicable data protection legislation.
In this privacy policy you will find information about our processing of your personal data. Personal data means data that either directly or indirectly can identify you. This information applies to you who use our services, are a contact person to our corporate client, supplier, counterparty, or partners to us, visit our websites, and otherwise are in contact with us regarding our business or are directly or indirectly affected in the performance of our services. You are encouraged to read this information carefully. Please stay updated on any changes to this privacy policy by regularly visiting our websites.
The term “website” refers to the following domains:
https://onboarding.globalvlei.com/
GvLEI is the data controller for the processing of your personal data when you visit our website, use our onboarding process, or otherwise are in contact with us. We are also the data controller for the processing of personal data related to our provision of the vLEI services, as a Qualified vLEI Issuer (“QVI”). However, when we issue vLEI credentials, there are some processing activities to which we together with the legal entity who is our corporate client are joint controllers.
For questions or comments about anything stated in this policy or otherwise regarding our data protection work or use of cookies, or if you wish to assert any of your rights listed under section 6, please contact us at privacy@globalvlei.com or at the above mentioned postal address.
We are a Swedish company, and this information has been produced in Swedish. In case of discrepancies between the language versions of the privacy policy, the Swedish language version prevails.
For questions or assistance with our services, please contact our corporate client service support@globalvlei.com.
2. Information we collect and use
The personal data is collected through you, the company you work for or represent, external persons, as well as from publicly available and public sources, such as websites, various registers, and databases as well as authorities (e.g., the Swedish Companies Registration Office). If you visit us on LinkedIn, we collect the personal data that you provide to us through that channel.
When you use our online services, we collect your electronic identification data and other information. When you visit our website, we may collect data by using cookies and other technologies in your browser or device, some of which may be considered personal data. Please note that the placement of non-essential cookies requires your prior consent. This consent only applies to the placement of cookies and is not a legal basis for the processing of personal data collected therewith. See more in our cookie policy to find out if, and how, we use cookies and similar technologies.
The personal data that we collect about you when you use our services, visit our website, and otherwise interact with us regarding our business includes the following categories.
- Identity and contact information, such as name and social security number / organization number (if sole proprietorship), government-issued identification (such as passport, government issued ID, or driver’s license) including your photo, video, and audio.
- Contact details, such as postal address, e-mail address, telephone number.
- Profile information, such as job title (including ISO 5009 Official Organization Role), ownership interest in companies, organization number, name and address of the company or organization to which you belong.
- Order data, such as payment information and payment history
- Other information, such as login information, signatory information for digital signing, LEI codes, vLEI credentials, public and private keys, transaction event logs, and country and language settings.
3. Why do we process your personal data?
Below we list why we handle personal data, where applicable. Which processing activities your personal data is subject to depends on the relationship you have with us.
When providing our vLEI services, we use personal data to make an independent assessment of whether our corporate clients align with certain third-party standards. As QVI we act as an independent validation party and are obligated to comply with industry standards developed and enforced by certain third-party organizations or authorities, such as the Global Legal Entity Identifier Foundation (GLEIF). A vLEI credential issued by us is therefore the result of a standalone assessment against the third-party validation criteria and under a process that the recipient of the vLEI credential is unable to influence or interfere with. For more information on our industry standards, please visit each link or see www.gleif.org.
To read more about which categories of personal data and on what legal basis we process the personal data, see our detailed information about our processing of personal data.
3.1. Providing our services
In order to provide our services, we process the personal data necessary for:
- Provision of customer service and support.
- Verification and validation of our corporate clients and/or corporate client’s signatories.
- Verification and validation of our corporate clients employees (when applicable).
- Issuance, revocation, or witnessing of vLEI credentials.
- Fulfilment of agreements with the Global Legal Entity Identifier Foundation (GLEIF) as QVI.
3.2. Manage relationships with corporate clients, suppliers, partners and GLEIF
If you are a contact person for a corporate client, supplier, partner or GLEIF, we process your personal data for the purpose of managing the corporate client or supplier relationship, cooperation, or our relationship with GLEIF and when necessary for follow-up and evaluation. Our handling is, for example:
- Registration of you as a contact person.
- Communication.
- Marketing.
- Management and archiving of agreements.
- Administration of order confirmations and invoices.
3.3. Communicate about us and our business
We use your personal data to communicate about us and our business in various channels, for example through mailings before maintenance work in the client portal or in marketing. You can unsubscribe from our marketing communications at any time, either by clicking “unsubscribe” in mailings or by contacting us at privacy@globalvlei.com.
3.4. Communicate internally and externally
In connection with communication, e.g., by e-mail, telephone, or other digital means, we may, where applicable, process your personal data. Communication on our behalf takes place both between employees and with external persons (e.g. consultants).
3.5. Evaluate and develop our business
Where applicable, we may use your personal data to compile reports and statistics at an overall level and analyze these for the purpose of following up and evaluating the business. We also use these reports and statistics to develop and improve our business, business practices and strategies, including the website. When compiling these reports and statistics, anonymization/pseudonymization of personal data takes place. No profiling or automated decisions takes place within these processing activities.
For analyses carried out within the framework of data quality issues, we may use personal data such as organization number, company form, addresses, company signatory, board of directors, etc. When it comes to quality control, no anonymization of the data takes place. No profiling or automated decision takes place within this processing activity.
3.6. Carry out our business
When we carry out our business, except in the provision of services, we use your personal data to:
- Document the business, e.g., to manage and save agreements, underlying documentation, minutes, and presentations.
- Carry out recruitment processes or assess spontaneous applications, including reference contacts.
- Answer questions and provide corporate client service.
- Review the quality of our data.
- Detect and prevent misuse of our services, for your, others’ and the service’s safety.
- Ensure technical functionality and security, e.g., in security logging, error handling and backup.
- Manage and respond to legal claims, e.g., in connection with a dispute or legal process. For this purpose, we may share your information with other recipients, see more below.
- Comply with legal obligations, e.g., to comply with requirements of accounting, employment, or data protection legislation. For this purpose, we may share your information with other recipients, see more below.
4. Recipients with whom we share information
When necessary, we share your personal data with different recipients. For more information about categories of data and on what legal basis we share your personal data with recipients, please see our detailed information on when we share information. Where applicable, we share information, including personal data, with these recipients.
4.1. Corporate clients
In order to deliver the agreed service, personal data may be shared with our corporate clients, for example during the verification process of LE-RD or in support cases.
4.2. Data processors
In our day-to-day operations, we use service providers. These service providers provide, for example, IT services (e.g., storage) and communication services (e.g., communication in support), in which case personal data may be processed. When the service providers process personal data on our behalf, they are data processors to us. They may not use your personal data for their own purposes and are obliged by law and data processing agreement with us to protect your data.
4.3. Companies that are data controllers for personal data
4.3.1. Government agencies (e.g., the Swedish Police, the Swedish Tax Agency)
If we are required to do so by law or in case of suspicion of crime.
4.3.2. Payment service providers
To administer payments via the website or client portal, we use a payment service provider. We share and receive information from the payment service provider to enable you to pay for – and thus use – our services. In order to get paid, we may direct you to a third-party website that handles the payment. We are not responsible for the privacy processes of websites that we do not provide or operate. The payment service provider is the data controller/or processor for another controller, for its processing of your personal data. More information about their personal data management can be found at the payment service provider.
4.3.3. Group companies
We may share personal data with other companies within our corporate group to achieve our business purposes and to market our services in accordance with applicable legislation.
4.3.4. Other
In order to comply with our legal obligations, your personal data may be shared with our auditor, external advisors or authorities. In order to provide our services and retain our QVI status, your personal data may be shared with witnesses from the witness pool for vLEI credential verification and the Global Legal Entity Identifier Foundation (GLEIF).
In connection with a legal dispute, we may transfer data to other parties, such as external advisors, arbitration tribunals or counterparties. The processing is necessary to satisfy our legitimate interest in establishing, exercising, and defending legal claims.
We may also share information with potential buyers and sellers if we were to sell all or part of the business or in the event of a merger. The processing is necessary to satisfy our legitimate interest in carrying out the divestment or merger
4.4. Other recipients
In recruitment processes, we may share your personal data with external parties, such as provided references.
5. Transfer to third countries
We offer our vLEI services worldwide. If our corporate client or its employees and/or signatories are based outside of the EU/EEA personal data related to the vLEI service will be transferred to that country.
When we use service providers based outside the EU/EEA, we ensure that the personal data processing takes place in accordance with the provisions of applicable data protection legislation, such as the EU Commission’s adequacy decision for the country, transmission with the necessary guarantees, EU standard contractual clauses or equivalent.
If you would like more detailed information about to which countries outside the EU/EEA area the transfer may take place and what safeguards are applied to the transfer in question, you are welcome to contact us.
6. Your rights
As the data subject, you have certain rights in relation to your personal data that we process under applicable data protection legislation. In this section, we provide more detailed information about these rights. You also have the right to receive this information verbally, provided that your identity has been verified. More information about your rights can be found on the website of the Swedish Authority for Privacy Protection (IMY) (www.imy.se).
Please note that certain rights are limited with respect to our obligations under financial market regulation and under GLEIF regulations.
We will also not comply with your request if it would be against law or if the request is manifestly unfounded, unreasonable, or repetitive.
We normally provide your rights free of charge. If your request is manifestly unfounded, unreasonable, or repetitive, we have the right to either charge an administrative fee for the processing or to deny your request.
6.1. Right of access (extract from the register), art. 15 GDPR
You have the right to request confirmation from us as to whether we are processing your personal data. If you want to get a deeper insight into what personal data we process about you, you can request access to the information. The information is provided in the form of a register extract stating the purpose, categories of personal data, categories of recipients, storage periods, information about where the information has been collected from and the existence of automated decision-making, and, where applicable, with the support of which safeguards transfer takes place to countries outside the EU/EEA.
The right to a copy of the register extract must not have a negative impact on the rights of others, including ours. If we make the assessment that your right to a copy of the register extract has a negative impact on the rights of others and we therefore exclude information from the copy, you will be informed of this and the reason why.
A request for an extract from the register must be made in writing and be signed in person. The request should be sent to Kungsgatan 56, 111 22 Stockholm. Please be aware that if we receive a request for access, we may ask for additional information to ensure effective handling of your request and that the information is provided to the right person.
6.2. Right to rectification, Art. 16 GDPR
If you believe that the information, we have about you is inaccurate or misleading, you have the right to request correction. Within the scope of the stated purpose, you also have the right to supplement any incomplete personal data. You can request correction by contacting us at privacy@globalvlei.com. If you are logged in to our client portal, you can change certain information yourself.
Please note that a historical information is not automatically considered incorrect, as it may have been correct at the time of registration.
6.3. Right to erasure, Art. 17 GDPR
You can request the deletion of personal data (the right to be forgotten) we process about you if:
- the data are no longer necessary for the purposes for which they have been collected or processed;
- You object to a balance of interests we have made based on legitimate interest and your reason for objection outweighs our legitimate interest;
- You object to processing for direct marketing purposes;
- The personal data is processed in an unlawful manner; or
- The personal data must be deleted in order to comply with a legal obligation to which we are subject.
We do not process any personal data of a child (under the age of 16) whose collection has taken place in connection with the provision of information society services (e.g., social media).
If you request deletion, we will review whether your request can be met. We have the right to deny your request if there are legal obligations that prevent us from immediately deleting certain personal data. These obligations come from, for example, accounting and tax legislation, banking, and money laundering legislation, but also from EU directives and regulations. Continued processing may also be necessary for us to be able to establish, exercise or defend legal claims. Should we be prevented from complying with a request for deletion, we will ensure that the processing of personal data is limited to only the purposes that prevent the requested deletion.
6.4. Right to restriction of processing, Art. 18 GDPR
You have the right, in certain cases, to request a restriction of our processing of your personal data. If you dispute that the personal data we process is correct, you can request limited processing for the time we need to check whether the personal data is correct. If we no longer need the personal data for the stated purposes, but you do need it to be able to establish, exercise or defend legal claims, you can request limited processing of the data from us. This means that you can request that we do not delete your data.
If you have objected to our balancing of interests for the processing of your personal data, you can request limited processing during the time we need to check whether our legitimate interests outweigh your interests in having the data deleted.
If the processing has been restricted in accordance with any of the situations above, we may only, in addition to the storage itself, process the data to establish, exercise or defend legal claims, to protect someone else’s rights or if you have given your consent.
6.5. Right to data portability, art. 20 GDPR
You have the right to receive the personal data that you have provided to us and that concerns you in an electronic format that is widely used. You also have the right to transfer such data to another data controller (so-called data portability). A prerequisite for data portability is that the transfer is technically possible and can be automated. A further prerequisite for the right to data portability is that the processing takes place on the basis of your consent or to fulfill an agreement with you (Art. 6.1(a) and 6.1(b) GDPR respectively). In our detailed information you can see when we handle your personal data on the basis of consent or to fulfill an agreement with you.
6.6. Right to object to certain types of processing and direct marketing, Art. 21 GDPR
Some of our processing activities takes place with a balance of interests as a legal basis. You have the opportunity to object to these. If you make such an objection, we need to be able to show a legitimate reason for the processing in question that outweighs your interests, rights, or freedoms. Otherwise, we may only process the data to establish, exercise or defend legal claims.
You have the opportunity to object to your personal data being processed for direct marketing. The objection also covers the analyses of personal data (so-called profiling) carried out for direct marketing purposes. Direct marketing refers to all types of outreach marketing measures (e.g., by post, e-mail, and SMS). Marketing measures where you as a corporate client have actively chosen to use one of our services or otherwise sought us out to find out more about our services are not counted as direct marketing.
We do not carry out any so-called automated decision-making that produces legal consequences or otherwise significantly affects you.
6.7. Right to withdraw consent, art. 7 GDPR
When we base our processing of your personal data on your consent, you have the right to withdraw from this at any time, where applicable. Such revocation may be limited to only part of the processing.
6.8. Right to lodge a complaint
In addition to the rights listed above, you also have the right to lodge a complaint with your relevant data protection authority. In Sweden, the Swedish Authority for Privacy Protection (IMY) is the supervisory authority. Their contact details can be found on www.imy.se. If you live or work in a country other than Sweden, you can turn to the privacy protection authority in that country. You can find your privacy protection authority here: Our Members | European Data Protection Board
7. Updates to this information
The information in this privacy policy is subject to change. The latest version of the information is always published on our website.
Detailed information on the processing of personal data
Our processing of personal data
In this section you can see detailed information about which categories of personal data we process, on what legal basis and for how long we save the data for each processing.
| Purpose | Personal data | Legal basis | Duration |
|---|---|---|---|
| Provision of customer service and support | • Identity information • Contact details • Profile information • Order data • Communication • Video and audio material • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in providing good service for users of our services, including educational purposes. Fulfillment of contracts If an agreement on our services has been made for a sole proprietorship, the processing takes place to fulfill the agreement with the sole proprietorship. | Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Verification and validation of our clients and/or client’s signatories | • Identity information • Contact details • Profile information • Communication • Video and audio material • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in providing good service for users of our services, including educational purposes. Fulfillment of contracts If an agreement on our services has been made for a sole proprietorship, the processing takes place to fulfill the agreement with the sole proprietorship. | Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Verification and validation of our clients employees | • Identity information • Contact details • Profile information • Communication • Video and audio material • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in providing good service for users of our services, including educational purposes. Fulfillment of contracts If an agreement on our services has been made for a sole proprietorship, the processing takes place to fulfill the agreement with the sole proprietorship. | Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Issuance, revocation or witnessing of vLEI credentials | • Identity information • Contact details • Profile information • Order data • Communication • Video and audio material • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in providing good service for users of our services, including educational purposes. Fulfillment of contracts If an agreement on our services has been made for a sole proprietorship, the processing takes place to fulfill the agreement with the sole proprietorship. | Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Fulfillment of agreements with GLEIF | • Identity information • Contact details • Profile information • Order data • Communication • Video and audio material • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in fulfilling the terms of the agreement with GLEIF in order to retain our QVI status. | Personal data is stored for this purpose for as long as required by the agreement with GLEIF (normally 10 years). |
| Manage relationships with corporate clients, suppliers, partners and GLEIF | • Identity information • Contact details • Profile information • Order data • Communication • Video and audio material • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in managing the relationship with corporate clients, suppliers, partners and GLEIF. Fulfillment of contracts If an agreement on our services has been made for a sole proprietorship, the processing takes place to fulfill the agreement with the sole proprietorship. Comply with legal obligation The processing is necessary to fulfill our legal obligations under the Accounting Act (1999:1978). | Personal data is stored for this purpose as long as there is an active relationship and for a period of 10 years thereafter to meet our legitimate need to handle and respond to any legal claims. The relationship is considered active if you have had contact with us in the last 12 months. Personal data necessary for accounting is saved for 7 years from the end of the calendar year in which the relevant financial year ended. |
| Monitoring and evaluation of the relationship with corporate clients, suppliers, partners and GLEIF | • Identity information • Contact details • Profile information • Order data • Communication • Video and audio material • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in following up and evaluating the relationship with corporate clients, suppliers, partners and GLEIF. | Personal data is stored for this purpose for a period of 2 years from the time of collection. Reports at an overall level that do not contain personal data and anonymous statistics are saved until further notice or until they are deleted. |
| Monitoring and evaluation of operations and our services, including website | • Identity information • Contact details • Profile information • Order data • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in following up and evaluating our business and services. Consent Please note that the placement of non-essential cookies requires your prior consent. This consent only applies to the placement of cookies and is not a legal basis for the processing of personal data. | Personal data is stored for this purpose for a period of 2 years from the time of collection, if not specified otherwise in the cookie policy. Reports at an overall level that do not contain personal data and anonymous statistics are saved until further notice or until they are deleted. |
| Communicate about us and our business | • Identity information • Contact details • Communication • Profile information | Legitimate interest The processing is necessary to satisfy our legitimate interest in communicating about us, our business, and our services. | Personal data is saved for this purpose as long as there is an active relationship and for a period of 12 months thereafter for the same purpose. Published personal data in digital channels, e.g., in our feeds on LinkedIn, is saved until further notice. |
| Communication between employees and external persons | • Identity information • Contact details • Communication • Profile information • Order data • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in employees and external persons communicating, for example during recruitment processes, corporate client service, marketing or similar. | Personal data is stored for this purpose for 12 months from the time of the last communication in the same conversation, then for a period of 10 years to satisfy our legitimate interest in handling and responding to any legal claims. In recruitment processes, personal data is saved for a period of 2 years after completion of recruitment. Published personal data in digital channels, e.g., in our feeds on LinkedIn, is saved until further notice. |
| Communication in the event of an accident, illness, or similar event (applicable only to our employees or consultants) | • Identity information • Contact details • Communication • Profile information | Legitimate interest The processing is necessary to satisfy our legitimate interest in registering your information in our family register and to communicate with you in the event of an accident, illness or similar event for the employee concerned. | Personal data is saved until the employee, consultant or contractor concerned reports otherwise, but no later than the date the employee’s employment or consultants or contractors’ assignment ended. |
| Document the business | • All categories of personal data concerned | Legitimate interest The processing is necessary to satisfy our legitimate interest in documenting the business. | Personal data is saved for this purpose until further notice. |
| Detect and prevent misuse of our services | • All categories of personal data concerned | Legitimate interest The processing is necessary to satisfy our legitimate interest in detecting and preventing misuse of our services. | Personal data is saved for this purpose as long as your user account is active. The user account is considered active if login has taken place within the last 10 years. |
| Ensure technical functionality and security | • All categories of personal data concerned | Legitimate interest The processing is necessary to satisfy our legitimate interest in ensuring the necessary technical functionality and security on our website and in our IT systems. | Personal data is saved for the same period as stated in relation to the respective purpose of the processing. Personal data in logs is retained for troubleshooting purposes for a period of 10 years from the time of the log event. Personal data in backup copies is stored for a period of 10 years from the time of backup. |
| Manage and respond to legal requirements | • Categories of personal data concerned that are necessary in the individual case to address the relevant legal requirement | Legitimate interest The processing is necessary to satisfy our legitimate interest in handling and responding to legal claims. | Personal data is saved for the same period as stated in relation to the respective relevant purpose of the processing, and in the individual case for the time necessary to handle the current legal claim. |
| Comply with legal obligations | • Categories of personal data concerned that are necessary for compliance with the respective legal obligation | Comply with legal obligation The processing is necessary to fulfill our legal obligations, such as the Accounting Act, Employment laws, GDPR etc. Legitimate interest The processing is necessary to satisfy our legitimate interest in handling and responding to legal claims. | Personal data is saved for the time necessary for us to be able to fulfill the respective legal obligation that we have and for a period of 10 years thereafter in order to satisfy our legitimate interest in handling and responding to legal claims, as well as for the time thereafter necessary for handling the current legal claim. |
With whom we share personal data
In this section you will find detailed information about which categories of personal data we share with different categories of recipients, for what purpose and what legal basis we rely on.
| Receiver | Purpose | Personal data | Legal basis |
|---|---|---|---|
| Corporate clients | Fulfill agreements with the corporate client, communication and handle and respond to legal claims. | • Identity information • Contact details • Profile information • Order data • Communication • Other information | Legitimate interest The processing is necessary to satisfy our legitimate interest in providing our services. Fulfillment of contracts If an agreement on our services has been made for a sole proprietorship, the processing takes place to fulfill the agreement with the sole proprietorship. |
| Service providers | Communication between employees and external persons, use of services for the purpose of running the business and delivering vLEI services. | • Categories of personal data concerned that are necessary in relation to the service provided by the respective provider. | Legitimate interest The processing is necessary to satisfy our legitimate interest in managing the relationship with our suppliers, running our business, and delivering our vLEI services to the client. Fulfillment of contracts If an agreement on our services has been made for a sole proprietorship, the processing takes place to fulfill the agreement with the sole proprietorship. |
| Government agencies such as courts, the Swedish Tax Agency or the Police Authority, arbitration tribunals and external advisors | When there is a legal obligation or suspicion of a criminal offence and to handle and respond to legal claims on one’s own behalf (determine, assert, and defend). | • the categories of personal data concerned that are necessary in each case; | Comply with legal obligation The processing is necessary to comply with our legal obligations. Legitimate interest The processing is necessary to satisfy our legitimate interest in being able to handle and respond to legal claims on our own behalf. |
| Group companies | To achieve our business purposes and to market our services. | • the categories of personal data concerned that are necessary in each case. | Legitimate interest The processing is necessary to satisfy our legitimate interest in developing our companies’ respective businesses. |
| GLEIF | Fulfill agreements with the client, fulfill agreements with GLEIF. | • All categories of personal data concerned | Legitimate interest The processing is necessary to satisfy our legitimate interest in providing our services and fulfilling the conditions of the agreement with GLEIF. |
| Auditors, external advisors, authorities | Comply with legal obligations. | • Only the categories of personal data that are necessary to comply with the respective legal obligation. | Comply with legal obligation The processing is necessary for us to comply with our legal obligations. |
| External persons | Communication between employees and external persons. | • the categories of personal data concerned that are necessary in each case. | Legitimate interest The processing is necessary to satisfy our legitimate interest in employees, consultants or contractors and external persons communicating. |