We process individuals’ personal data for a number of reasons. When we write «you», we mean you as a customer, a potential customer, our customer’s employee or other relevant parties, such as beneficial owners, authorised representatives, corporate cardholders and associated parties.
- What personal data we collect
- How we may use your personal data and the lawful basis for doing so
- Automated decision-making
- Who we may disclose your personal data to
- How we protect your personal data
- Your privacy rights
- How long we keep your personal data
- Contacting us or the data protection authority
Personal data is in most cases collected directly from you or generated as part of the use of our services, products and channels. Sometimes additional information is required to keep information up to date or to verify the information that we collect.
The personal data we collect can be grouped into the following categories:
- Identification information: examples of personal data in this category include national identification number, name, copies of your passport or driver’s license, Netbank ID and Mobile bank ID.
- Contact information: examples of personal data in this category include postal address, phone number and email address.
- Financial information: examples of personal data in this category include type of agreement, asset and debt information, transactional data, credit history, insurance history.
- Information related to legal requirements and taxation: examples of personal data in this category include asset and debt information, country of taxation or foreign tax payer reference, and information required to be collected for customer due diligence and anti-money laundering requirements.
- Profile information: examples of personal data in this category include nationality, place of birth, demographic information, marital status and occupation.
- Nordea relationship information: an example of personal data in this category is the history of the customer relationship between you and Nordea.
- Special categories of data: examples of personal data in this category include information concerning health for some insurance-specific products provided from the Nordea life and pension companies, and information on trade-union membership related to certain loan products.
Personal data we may collect from you:
We collect information you provide directly to us. For example, when becoming a new customer, we collect personal data such as name, national identification number, e-mail address and phone number, and income and debt information to be able to provide you with the product or service in question.
Nordea also collects information which you provide to us, such as messages you have sent as feedback or a request in our digital channels. We record phone calls and chat conversations for documentation of customer requests, verification of orders, security and fraud management purposes, and to fulfil legal requirements. In addition we may use a recording for quality check of services delivered and for improvement of our processes.
For security purposes, we may have cameras in our branch offices and ATMs. When you apply for a loan from us, we may also collect information in relation to your loans from other sources, such as centralised credit information providers which collect loan information from other creditors.
Personal data that we may collect from third parties:
- Publicly available and other external sources; register held by governmental agencies (such as population registers and registers held by tax authorities, company registration offices, enforcement authorities, etc.), sanction lists (held by international organisations such as the EU and UN as well as national organisations such as Office of Foreign Assets Control (OFAC)), registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.
- In connection with payments, we collect information from remitters, shops, banks, payment service providers and others.
- Health data from health institutions (for our Life and Pension companies).
- From other entities in the Nordea Group or other entities which we collaborate with.
We use your personal data to comply with legal and contractual obligations, to provide you with offers, advice and services and to create aggregated and anonymous statistics for testing and development of new products and services.
Entering into and administration of service and product agreements (performance of a contract)
The main purpose of our processing of personal data is to collect, verify, and process personal data prior to giving an offer and entering into a contract with you. We also process personal data to document, administer and complete tasks for the performance of contracts.
Examples of the performance of a contract:
- processes needed to e.g. open an account or online service or for granting a card or a credit
- customer service during the contract period
- possible establishment, exercise or defense of legal claims and collection procedure.
Fulfilment of requirements and obligations for Nordea stated in laws, regulations or decisions from authorities and supervisors (legal obligation)
In addition to the performance of contract, processing of personal data also takes place for us to fulfil our obligations under law, other regulations or authority decisions.
Examples of processing due to legal obligations:
- Know Your Customer requirements
- Preventing, detecting, and investigating money laundering, terrorist financing, and fraud
- Sanctions screening
- Bookkeeping regulations
- Reporting to tax authorities, police authorities, enforcement authorities, supervisory authorities
- Risk management obligations such as credit performance and quality, capital adequacy, and insurance risks
- Payment service requirements and obligations
- Other obligations related to service or product specific legislations, for example securities, funds, collateral, insurance or mortgage legislation
Marketing, product- and customer analysis (legitimate interest)
Personal data is also processed in the context of marketing, product and customer analysis. This processing forms the basis for marketing, process, business and system development, including testing. This is to improve our product range and optimize our customer offerings. This may also involve profiling (see below).
We have a legitimate interest to use profiling, for example when conducting customer analysis for marketing purposes or monitoring transactions in order to detect fraud.
We wish to give our customers relevant information and marketing on social platforms and websites, to respond to your comments and inquiries and provide you with user support.
We also analyse social media activity related to our tasks and monitor the use of our own social media channels to review the effectiveness of our marketing programs and analyse other general demographic trends. The conclusions drawn from the analysis help shape Nordea’s marketing and communication strategies.
When you use any of our social media channels we may record and retain information about you. This may include your use of our sites and the frequency of your visits. The individual social media channels may also be permitted to share certain information with us in accordance with your personalised privacy setting on those channels.
We have a legitimate interest to anonymise financial and demographic data to create statistics to test and develop new products and services. Anonymised and aggregated statistics cannot be linked to a natural person. Statistics can be shared with public and private companies, for example in the context of conducting economic research or analysing payment trends and volumes in certain regions or commercial sectors.
We may also share anonymised and aggregated data for social and economic research or statistics purposes, where we believe it is in the public interest. You can object to the processing of personal data about you for external statistics and manage your consents and objections in Nordea's digital banking channels or by contacting customer service.
There are situations when we will ask for your consent to process your personal data. Examples of such situations are processing of payment transaction data for marketing purposes, or for some processing of special categories of data.
The consent will contain information on that specific processing activity. If you have given consent to a processing of your personal data you can always withdraw the consent.
We may in some cases use automated decision-making, if it is authorized by legislation, if you have provided an explicit consent or if it is necessary for the performance of a contract. One example is the automated credit approval process in Nordea’s online channels.
You can always express your opinion or contest a decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you.
When using automated decision-making we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.
We may share your personal data with others such as authorities, Nordea Group companies, suppliers, payment service providers and business partners. Before sharing we will always ensure that we respect relevant financial industry secrecy obligations.
To fulfil services and agreements we have to disclose information about you. If, for example, you have asked us to transfer funds, we need to disclose certain information to fulfil that transfer. We may disclose your information to other creditors through centralised credit information service providers when you apply for a loan from a different creditor.
We may also share anonymised data for social and economic research or statistics purposes, where we believe it is in the public interest.
Third parties and Nordea Group companies
To provide our services, for example credit transfer, we disclose data about you that is necessary to identify you and perform an assignment or agreement with companies that we cooperate with in order to perform our services. These services include, but are not limited to, secure identification solutions in the relevant country and between parties in the financial system such as central banks, transaction receivers and clearing houses.
We also disclose personal data to authorities to the extent we are under statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries.
In addition, data are disclosed, with your consent or if this is permitted pursuant to legislation, internally in Nordea Group and to external business partners (including correspondent banks, other banks, vendor partners of finance object and re-insurers). In order to provide our services, we may also disclose data to other insurance companies, reinsurance companies and service companies within the field of collectively agreed occupational pensions.
We have entered into agreements with selected suppliers, which include processing of personal data on behalf of us. This can be suppliers of IT development, maintenance, hosting and support.
Third country transfers
In some cases, we may also transfer personal data to organisations in so-called third countries (countries outside of the European Economic Area). Such transfers can be made if any of the following conditions apply:
- the EU Commission has decided that there is an adequate level of protection in the country in question, or
- other appropriate safeguards have been taken, for example the use of the standard contractual clauses (EU model-clauses) approved by the EU Commission or the data processor has valid Binding Corporate Rules (BCR) in place, or
- that there are exceptions in special situations, such as to fulfil a contract with you or your consent to the specific transfer.
You can access a copy of the relevant EU model-clauses used by Nordea for transfers by going to www.eur-lex.europa.eu and searching for 32010D0087.
Keeping your personal data safe and secure is at the centre of how we do business. We use appropriate technical, organisational and administrative security measures to protect any information we hold from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
You as a data subject have the following rights in respect of the personal data we hold on you:
a) request access to your personal data. You have a right to access the personal data we are keeping about you. In many cases this information is already present to you in your online services from us. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the Nordea Group’s business concept and business practices. The Nordea Group’s know-how, business secrets as well as internal assessments and material may restrict your right of access.
b) request correction of incorrect or incomplete data. If the data are incorrect or incomplete, you are entitled to have the data corrected, with the restrictions that follow from legislation.
c) request erasure. You have the right to request erasure of your data in case:
- you withdraw your consent to the processing and there is no other legitimate reason for processing,
- you object to the processing and there is no justified reason for continuing the processing,
- you object to processing for direct marketing,
- processing is unlawful or
- when processing personal data on minors, if the data was collected in connection with the provision of information society services.
Due to the financial sector legislation we are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims.
d) limitation of processing of personal data. If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data. The processing will be restricted to storage only, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.
If you are entitled to erasure of the data which we have registered about you but the data is necessary for you to defend a legal claim, you may request that Nordea restricts the processing to storage only if you want to keep the data.
Even when processing of your data has been restricted as described above, Nordea may process your data in other ways if this is necessary to enforce a legal claim or you have given your consent.
e) object to processing based on our legitimate interest. You can always object to the processing of personal data about you for direct marketing and profiling in connection to such marketing.
f) data portability. You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.
We collect, process and analyse data regarding the use of our webpages. Traffic data is data connected to visitors on the webpage and data handled in communication fields for sending, distributing or making messages available.
You can set or amend your web browser controls to accept or reject cookies. If you choose to reject cookies, you may still use our websites and some services, however your access to some functionality and areas of our website or services may be restricted substantially.
For more information, see cookies at the footer of our website Nordea.com.
We will keep your data for as long as they are needed for the purposes for which your data was collected and processed or required by laws and regulations.
This means that we keep your data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. Where we keep your data for other purposes than those of the performance of a contract, such as for anti-money laundering, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
The data retention obligations will differ within the Nordea Group subject to local law.
For explanatory purposes, see the following specific examples:
- Preventing, detecting and investigating money laundering, terrorist financing and fraud: minimum five years after termination of the business connection or the performance of the individual transaction
- Bookkeeping regulations: up to ten years
- Payment service requirements and obligations: five years
- Insurance regulations: up to eleven years
- Other service or product specific regulations such as securities, collateral, or mortgage regulation: up to seven years
- Loan offers: Up to three months after the expiration of an offer
- Details on performance of an agreement: up to ten years after end of customer relationship to defend against possible claims
You can also lodge a complaint or contact the data protection authority in any of the countries where we provide services or products to you.