Nordea Privacy Policy

In addition to this Privacy Policy, you can get more information about the setting and use of cookies by visiting the  Cookies Policy in the footer of our webpages.

We process personal data for a number of reasons. In this Privacy Policy, when we write «you», we mean you as a customer, a potential customer or our customer’s employees. It can also mean other relevant parties, such as beneficial owners, authorised representatives and managers, cardholders, beneficiaries, shareholders and associated parties. When we write «we» in this Privacy Policy, we mean Nordea Bank Abp including branches and all companies owned and/or controlled directly or indirectly by Nordea Bank Abp at any given time. A list of the data controllers in the Nordea Group can be found on our webpages.

The categories of personal data that we collect and use are listed below. We have provided examples of the types of personal data that fall within each category. Please note that the list of examples is not exhaustive. The type of personal data that we collect from you will depend on the service or product we are providing to you as a customer.  

• Identification information: such as your national identification number, full name, copy of your passport or driver’s license, Netbank ID, Mobile bank ID and IP address. 
• Contact information: such as physical address, phone number and e-mail address. 
• Financial information: such as income, account information, asset and debt information, transactional data, credit history, insurance history, credit/payment card details, and type of agreement that you have entered into.
• Information related to legal requirements and taxation: such as asset and debt information, country of taxation or foreign tax payer reference, Energy Performance Certificate Data and information required to be collected for customer due diligence and anti-money laundering requirements.
• Profile information: such as citizenship, demographic information, marital status and occupation. 
• Nordea relationship information: such as the history of the customer relationship between you and Nordea.
• Special categories of personal data: such as information concerning health for some insurance-specific products provided from the Nordea life and pension companies, and information on trade-union membership related to certain loan products or Life&Pension products. 

From you

We collect information you provide directly to us. For example, when becoming a new customer, we collect personal data such as name, national identification number, e-mail address and phone number. We also collect income and debt information to be able to provide you with the product or service in question. Nordea also collects information which you provide to us, such as messages you have sent as feedback, request in our digital channels, or when becoming a follower on our social media channels or subscribing to our newsletters.

From third parties

To be able to offer you our products and services and to comply with statutory requirements, we will also collect personal data from third parties, such as publicly available and other external sources. For example, when you apply for a loan from us, we may collect information in relation to your loan from other sources, such as centralised credit information providers which collect loan information from other creditors. To ensure your personal data is accurate and up-to-date, we receive periodic updates of some personal data categories from third parties (e.g. public authorities). 

Examples of third party data sources include:

• Registers held by governmental agencies (such as population registers and registers held by tax authorities, company registration offices, enforcement authorities, etc.)
• Financial sanction lists (for example, lists held by international organisations such as the EU and UN as well as national organisations such as Office of Foreign Assets Control (OFAC)) 
• Registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons. 
• In connection with payments, we collect information from remitters, shops, banks, payment service providers and others. 
• Health data from health institutions (for our Life and Pension companies). 
• From other companies in the Nordea Group or other entities which we collaborate with. 
• Publicly available data, for example from social media or via search engines. Social media may also share data with us in accordance with your personalised privacy settings in those channels/media. 

We may record phone calls and chat conversations for documentation of customer requests, verification of orders, security and fraud management purposes, and to fulfil legal requirements. For example, online meetings, telephone and chat conversations may be stored to document what happened and was said during the conversation, including any agreements entered into. Moreover, we record conversations that lead or may lead to securities transactions. In some countries, we may use a recording for quality control of services delivered, training of employees, educational purposes and for improvement of our processes, if allowed by law. 

For security purposes, including crime prevention, we have cameras in our branch offices and ATMs. In Nordea's premises, camera surveillance is used as part of our security work. Areas that are under camera surveillance are marked with signs. The purpose of camera surveillance is to prevent and investigate crime and increase security for customers and employees. Nordea has assessed that it is necessary for the bank's legitimate interest in preventing and investigating crime. In case of suspicion of a crime, we process personal data so that legal claims can be established, asserted or defended. Recorded material can be shared with authorities if it is necessary for criminal investigation.

One reason we process personal data is to collect and verify the data prior to giving an offer and entering into a contract with you. We also process personal data to document and complete tasks in order to fulfil our contractual obligations towards you, e.g. to provide and administer our products and services to you. 

Examples of activities necessary to perform an agreement with you: 

• collecting your financial information to open an account or to grant a card or a credit
• collecting information needed to verify your identity in order to provide you with our digital banking solutions 
• collecting your contact information to provide you with customer service during the contract period, including customer care and customer administration and communication with you
• collecting your identification information and financial information to provide insurance and pension services (processing special categories of personal data in relation to these services is based on the need to establish, exercise or defend against legal claims)
• collecting information to maintain and update our records related to your shareholding with us or other companies 

In addition to the performance of contract, processing of personal data also takes place for us to fulfil our obligations under law, other regulations or authority decisions. 

Examples of processing due to legal obligations:

• Know Your Customer (KYC) requirements
• Prevention of money laundering and terrorist financing
• Sanctions screening
• Bookkeeping regulations
• Reporting to tax authorities, police authorities, enforcements authorities, and supervisory authorities 
• Risk management obligations such as credit performance and quality, capital adequacy, and insurance risks
• Payment service requirements and obligations, such as fraud monitoring and reporting 
• Other obligations related to service or product specific legislations, for example securities, funds, collateral, insurance or mortgage legislation

We use your personal data where necessary to further our legitimate interests, as long as those legitimate interests are not overridden by your interests or fundamental rights and freedoms. 

Examples of our processing based on legitimate interests:

• Marketing, product and customer analyses. This processing forms the basis for marketing, process-, business- and system development, including testing. This is to improve our product range and to optimize our customer offerings. In some situations we collect your consent for marketing related activities as described below.
• Profiling, for example when conducting customer analysis for marketing purposes or when monitoring transactions in order to detect frauds.
• Anonymizing financial and demographic data to create statistics to test and develop new products and services. Anonymised and aggregated statistics cannot be linked to an individual. 
• Analyses of the use of social media for the purpose of providing better and more targeted marketing and communication, services and advice, including to respond to your comments and provide you with user support.  
• Possible establishment, exercise or defence of legal claims and collection procedure.

As mentioned in chapter 2c there are situations when we will ask for your consent to process your personal data. Examples of such situations are processing of payment transaction data for marketing purposes, recording calls for educational purposes or for some processing of special categories of personal data. Information about the purpose, processing activity, types of personal data and your right to withdraw your consent will be provided when you are asked to give Nordea your consent. If you have given consent to processing of your personal data, you can always withdraw the consent at any given time.  

When using automated decision-making we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.

You can always express your opinion about a decision based solely on automated processing, including profiling, if such a decision would produce legal effects (e.g. contract cancellation) or otherwise similarly significantly affect you (e.g. refusal of an online application) and have the right to obtain human intervention in the decision-making (e.g. credit application made purely by algorithm to be rehandled by a Nordea employee).

To provide our services to you, we disclose data about you that is necessary to identify you and perform an assignment or agreement with companies that we cooperate with. These services include, but are not limited to, secure identification solutions in the relevant country and between parties in the financial system such as central banks, correspondent banks, transaction receivers and clearing houses. 

If, for example, you have asked us to transfer funds, we need to disclose certain information to fulfil that transfer. We may disclose your information to other creditors through centralised credit information service providers when you apply for a loan from a different creditor. 

We may also share anonymized data for social and economic research or statistics purposes, where we believe it is in the public interest. 

• Authorities: we disclose personal data to authorities to the extent we are under statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcements authorities and supervisory authorities in relevant countries.
• Nordea Group Companies : we disclose personal data within the Nordea Group with your consent or if this is permitted pursuant to applicable legislation.  
• External business partners: we disclose personal data to external business partners with your consent or if this is permitted pursuant to applicable legislation. External business partners include for example correspondent banks, other banks, vendor partners of finance object and re-insurers. In order to provide our services, we may also disclose personal data to other insurance companies, reinsurance companies and service companies within the field of collectively agreed occupational pensions.
• Suppliers: we have entered into agreements with selected suppliers, which include processing of personal data on behalf of us. This can be suppliers of IT development, maintenance, hosting and support.

In some cases, we may also transfer personal data to organisations in so-called third countries (countries outside of the European Economic Area). Such transfers can be made if any of the following conditions apply;

• the EU Commission has decided that there is an adequate level of protection in the country in question, or
• other appropriate safeguards have been taken, for example the use of the Standard Contractual Clauses approved by the EU Commission or the data processor has valid Binding Corporate Rules (BCR) in place, or
• that there are exceptions in special situations, such as to fulfil a contract with you or your consent to the specific transfer.

You can access a copy of the relevant Standard Contractual Clauses used by Nordea for transfers by going to www.eur-lex.europa.eu and searching for 32021D0914. 

We use appropriate technical, organisational and administrative security measures to protect any information we hold from loss, misuse, and unauthorised access, disclosure, alteration and destruction.

You have a right to access the personal data we are keeping about you. In many cases this information is already available to you in your online services from us. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for our business concept and business practices. Our know-how, business secrets as well as internal assessments and material may restrict your right of access. 

If the data we are keeping about you is incorrect or incomplete, you are entitled to have the data corrected, with the restrictions that follow from legislation.

You have the right to request erasure of your data in the following cases;

• you withdraw your consent to the processing and there is no other justified reason for processing, 
• you object to the processing and there is no justified reason for continuing the processing,
• you object to processing for direct marketing, 
• processing is unlawful or
• when processing personal data about minors, if the data was collected in connection with the provision of information society services.

Due to the financial industry regulations we are in many cases obliged to retain personal data about you during your customer relationship, and even after that, e.g., to comply with a statutory obligation or where processing is carried out to manage legal claims.

If you contest the correctness of the personal data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the personal data in accordance with your right to object, you may request us to restrict the processing of these personal data. The processing will be restricted to storage only, until the correctness of the personal data can be established, or it can be checked whether our legitimate interests override your interests.

If you are entitled to erasure of the personal data which we have registered about you but the personal data is necessary for you to defend a legal claim, you may request that Nordea restricts the processing to storage only if you want to keep the data. 

Even when processing of your personal data has been restricted as described above, Nordea may process your personal data in other ways if this is necessary to enforce a legal claim or you have given your consent. 

1. You can always object to the processing of your personal data if the processing is based on Nordea’s legitimate interest, including direct marketing and profiling in connection to such marketing. 

When the lawful basis for a specific processing activity is your consent, you have a right to withdraw your consent at any given time. Information about your right to withdraw it is provided when you are asked to give Nordea your consent. 

You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the lawful basis consent or of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us. 

This means that we keep your personal data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. Where we keep your personal data for other purposes than those of the performance of a contract, such as for anti-money laundering, bookkeeping and regulatory capital adequacy requirements, we keep the personal data only if necessary and/or mandated by laws and regulations for the respective purpose.

The data retention obligations will differ within the Nordea Group subject to local laws. 

In general, Nordea will store customer data for 10 years after the end of the customer relationship to establish, exercise and defend against legal claims, for debt collection/claims handling and to demonstrate compliance with legal and regulatory obligations upon request by authorities. However, the retention period applied to the personal data in a specific case depends on the purpose of processing. You can find examples of different purposes below.

• Loan offers: storing of loan related documentation for up to three months after the expiration of an offer
• Customer relationships not established: up to 18 months if a credit check has been performed and up to 12 months if a credit check has not been performed 
• Payment service requirements and obligations: transaction related information for five years
• Preventing and detection of money laundering and terrorist financing, and fraud: storing of Know Your Customer (KYC) information for a minimum of five years after termination of the business relationships or the performance of the individual transaction
• Other service or product specific regulations such as securities, collateral, or mortgage regulation: storing your financial information for up to seven years
• Bookkeeping regulations: storing legally required information for up to ten years
• Details on performance of an agreement: storing information related to your agreement with us for up to ten years after end of customer relationship
• Insurance regulations: storing legally required information for up to twenty one years
• Capital requirements for credit risk: storing information related to calculation of capital requirements for up to twenty years

Nordea Group has appointed a data protection officer that you can contact by sending a message to: dataprotectionoffice [at] nordea.com or by sending a letter to: Nordea, Group Data Protection Office, Data Protection Officer, Satamaradankatu 5, FI-00020 Nordea, Finland. 

You can also lodge a complaint with or contact the data protection authority in any of the countries where we provide services or products to you.