Privacy policy (English translation of Danish privacy policy)

Following the introduction of the EU’s General Data Protection Regulation (GDPR) we have updated our policy on data processing. On the following pages you can read about our processing of your data and your rights. The document is divided into seven sections:

1. Processing of personal and customer data
Which types of data do we process and store and for which purposes?

2. Legal basis for processing personal and customer data
What is the legal basis for our processing of your data?

3. Disclosure and transfer of personal and customer data
When do we disclose data about you – internally at Nordea and to other parties?

4. Your rights
What rights do you have to access your data, to have your data erased or to restrict the use of your data?

5. Changes to Data processing policy
When and how can we change this document?

6. Complaints about Nordea’s data processing
What are your options to complain about our processing of personal data?

7. Controller and contact information
How can you contact us?

Whom do we collect and process data about?

We collect and process data about existing and potential corporate and personal customers. In some cases we also collect and process data about persons associated with our customers, for example employees, beneficial owners, agents, guarantors, chargors – and persons who are in contact with Nordea in respect of a single banking transaction. All data about you is comprised by the bank secrecy rules. The data is protected by us and cannot be disclosed without valid reasons.

1. Processing of personal and customer data

1.1 Collection of personal and customer data

Nordea collects data for the purpose of conducting banking operations and providing financial services of any kind. For example:

• Cards
• Digital banking solutions
• Insurance and pension services
• Payments
• Advisory services, customer care and customer administration
• Credit assessment
• General compliance with legislative requirements
• New products, research and marketing, including analyses of the use of social media to provide better and more targeted marketing, services and advice.

The data can be grouped into the following overall categories:

• Identity data, such as name, passport and driving licence
• Contact data, such as postal address, e-mail address and phone number
• Financial data, such as income, assets and liabilities
• Data traffic on our digital platforms
• Sensitive data
• Legally required and taxation data

As regards the latter category we are legally required to collect the following data (and relevant documentation) for identification of you and reporting to the authorities:

• Data about you: name (documented by copies of passport, driving licence, health insurance card or similar), addresses and personal registration (CPR) number or business registration (CVR) number. For corporate customers we are required to collect data on the company’s legal form, controlling owners, management and provisions regulating the powers to bind the company as well as data about the company’s beneficial owners. In case of a foreign address, data about the home country and foreign tax identification number is collected.
• Data about your customer relationship with us, the origin of your funds, and transaction data so that we can identify any unusual transactions and transaction patterns.

We moreover collect data that we – based on a risk assessment – find necessary to comply with the Danish Money Laundering Act and to prevent money laundering. Personal data collected in compliance with the Danish Money Laundering Act may only be processed with a view to preventing money laundering and financing of terrorism. Other examples of laws that require us to process specific types of data are the Danish Tax Reporting Act:

When you buy and sell financial instruments (for example equities and bonds) through Nordea, we collect data about citizenship and tax identification number and/or other data required or relevant for reporting your transactions in financial instruments to the authorities. We also collect corporate customers’ LEI codes (legal entity identifier). 

In accordance with the provisions of legislation, we anonymise all types of financial, demographic, transaction and card data for statistical purposes and for the development and testing of new products and services.

In order to make payments, prepare bank statements, payment summaries etc we collect data from beneficiaries, shops and banks when you use credit or cash cards, Netbank, payment services or other forms of payment transmission services.

We collect data from publicly available sources and registers, for example the Danish Civil Registration System, the Central Business Register, virk.dk and EU or UN sanctions registers (see the Danish Ministry of Foreign Affairs’ list of sanctions) or similar (for example US authorities such as OFAC). We also collect data about you, the beneficial owners and politically exposed persons and their closely related parties from international information providers and other publicly available sources. We search for inform<ation on the internet, for example, when this, after a risk assessment, is deemed warranted and in accordance with the guidelines issued by the Danish Financial Supervisory Authority. When doing a credit assessment we may check whether other companies of the Nordea Group (if allowed under the law or you have given your consent), credit rating agencies or warning registers have registered data on you.

We also receive information from other companies of the Nordea Group when they report to the Money Laundering Secretariat with the Danish State Prosecutor for Serious Economic and International Crime as required by the anti-money laundering legislation.

In addition, we receive data about you from other companies of the Nordea Group and collaboration partners (including correspondent banks and other financial institutions) if you have given your consent or there is a legal basis, including Article 6(1) of the General Data Protection Regulation (GDPR). 

Social media may share data with us in accordance with your personalised privacy settings in those channels/media.

1.2 Storage of personal and customer data

We keep your data as long as the data is necessary for the purposes for which they were collected, processed and/or kept on record.

Under the Danish Money Laundering Act, data, documents and registrations are kept for at least five years after the termination of the business relationship or execution of the individual transaction.

1.3 Recording of telephone conversations, online meetings and video surveillance and storage of chat conversations

Telephone and chat conversations, including online meetings, are recorded and stored to document what happened and was said during the conversation, including any agreements entered into. Moreover, we record conversations that lead or may lead to securities transactions etc.

For security reasons, including crime prevention and investigation purposes, we use video surveillance etc to monitor, for example, customer transactions, entrance areas, fronts of buildings, access and escape routes and ATMs.

1.4 Data traffic 

We process data on the use of nordea.dk and our digital platforms such as Netbank and the mobile banking app.

We use cookies and similar technologies to deliver targeted products and services and to provide a safe online environment. The aim is to provide better digital experiences and make our content more relevant for you.

You can find more information on cookies, including our cookie policy and access to cookie settings at nordea.dk/persondata.

2. Legal basis for processing personal and customer data

To be a customer of Nordea you are legally or contractually required to provide us with certain data. See the preceding section for examples of such data.

The legal basis for our data processing is financial sector regulations and other legislation, including:

• The Act on Measures to Prevent Money Laundering and Financing of Terrorism (Money Laundering Act)
• The Tax Control Act
• The Bookkeeping Act
• The Credit Agreements Act
• The Payments Act
• The Danish Data Protection Act.

Also, we may process your data if this is required in connection with an agreement you have entered into or are considering entering into with us. Processing is also possible if you have given your consent as stated in points (a) and (b) of Article 6(1) of the General Data Protection Regulation (GDPR) or if any of the other conditions for processing set out in Article 6(1) and Article 9 apply.

In addition, we process your data when required on the basis of a legitimate interest of Nordea – for example to prevent misuse and losses, strengthen IT and payment security and/or for direct marketing purposes.

3. Disclosure and transfer of personal and customer data

To comply with agreements with you – for example if you have instructed us to transfer an amount – we disclose the information about you that is necessary to identify you and to execute the transaction.

We also disclosure information about you to public authorities. This is done to the extent that we are legally required to do so. As part of this, we disclose data to the Money Laundering Secretariat with the Danish State Prosecutor for Serious Economic and International Crime as required by the Danish Money Laundering Act, to the Danish tax authorities under the Danish Tax Reporting Act and the Danish Tax Control Act and to the Danish central bank, which for example uses the data for statistical purposes.

Outward international transfers are made through SWIFT, which is an international partnership between financial institutions. Under US legislation, SWIFT is under an obligation to disclose information to the US authorities about international transfers if there is reason to believe that the transfer concerns money laundering or financing of crime or terrorism. Accordingly, such information may be disclosed to the US authorities.

Anonymised data, which is information that cannot be linked to a natural person, can be disclosed to or otherwise shared with public authorities and private undertakings. You can object to your personal data being used in external statistics and manage your consent via Nordea’s digital channels or by contacting Nordea.

In addition, with your consent or if it is allowed under the law, we disclose data about you internally at the Nordea Group and to collaboration partners (including correspondent banks and other financial institutions) and other businesses if compliant with current legislation. This data can include images recorded during video surveillance.

If you default on your obligations, we may report you to credit reference agencies and/or warning registers in accordance with the rules in force.

In connection with IT development, hosting and support, personal data is transferred to data processors, including data processors in third countries outside the EU and EEA. A list of such third countries is available at nordea.dk/persondata.

We use standard contractual clauses approved by the EU Commission or the Danish Data Protection Agency to ensure that your rights and the data protection level follow your data. See the standard contractual clauses at nordea.dk/persondata.

4. Your rights

4.1 Right of access to our data processing

You have a right of access to the data that we process about you and to know where it comes from and what we use it for. You also have the right to know who receives your data to the extent that such data is disclosed.

However, your right of access may be restricted by law or in order to protect other persons’ privacy or our business concept and practice. Moreover, our know-how and protected business knowledge and internal assessments and material may be exempted from the right of access.

4.2 Objection against direct marketing

You may at any time object to the processing of your personal data for the purpose of direct marketing and profiling in connection with marketing.

4.3 Profiling and automated decision-making

We may in some cases use automated decision-making, for example when it is authorised by legislation, when you have provided an explicit consent or when it is necessary for the performance of a contract. One example is the automated credit approval process in our online channels. You have the right to know how an automated decision about you was made and the consequences of the processing. Also, you can require manual processing of an automated decision.

4.4 Correction or erasure of data

If data about you is incorrect, incomplete or irrelevant, you are entitled to have it corrected or erased to the extent allowed by law.

4.5 Restriction of processing

If you contend the correctness of the data we have registered on you, or you have objected to the processing of your data in accordance with Article 21 of the General Data Protection Regulation (GDPR), you may require that we restrict our processing of such data to storage.

Our processing is only restricted to storage until it is ascertained that the data is correct or that our legitimate interests override your interests.

If you are entitled to erasure of the data which we have registered about you, but the data is necessary to enforce a legal claim, you may request that Nordea restricts the processing of such data to storage.

Even when processing of your data has been restricted as described above, Nordea may process your data in other ways if this is necessary to enforce a legal claim or you have given your consent.

4.6 Withdrawal of consent

You may at any time withdraw your consent to disclose data that requires your consent. You can always contact us if you want to withdraw your consent (see under section 7).

4.7 Data portability

If we process your data based on your consent or as part of an agreement, and the processing is done automatically, you are entitled to receive the data electronically that you have yourself disclosed to us.

5. Changes to Data processing policy

Our Data processing policy is effective from 8 October2021 and Nordea may change it by giving one month’s notice. The notice is communicated via nordea.dk, Netbank, Netbank konto-kik or one of Nordea’s office banking systems. It may also be communicated via national media.

Changes to your advantage may be implemented without notice.

6. Complaints about Nordea’s data processing

Complaints about our processing of your personal data should be directed to: Datatilsynet (the Danish Data Protection Agency), Carl Jacobsens Vej 35, 2500 Valby or dt [at] datatilsynet.dk.

7. Controller and contact information

Nordea Bank Abp, Finland, is the controller for processing of personal data at Nordea in Denmark, see the General Data Protection Regulation (GDPR) and the Danish Data Protection Act.

Contact information for Nordea:

Nordea Danmark, filial af Nordea Bank Abp, Finland, Grønjordsvej 10, 2300 Copenhagen S, Denmark

Tel: +45 70 33 33 33

nordea [at] nordea.dk Contact information for the data protection officer for Nordea Bank Abp, Finland: Nordea, Group Data Protection Office, Grønjordsvej 10, 2300 Copenhagen S

dataprotectionoffice [at] nordea.com