Nordea Privacy Policy

Personal data is in most cases collected directly from you or generated as part of your use of our services, products and channels. Sometimes additional information is required to keep information up to date or to verify the information that we collect. 

In some cases we also collect and process personal data about persons associated with you, for example employees, beneficial owners, agents, guarantors, chargers, payers, persons who are in contact with Nordea in respect of a single banking transaction, and other individuals with whom we interact and collaborate with. 

1a. The types of personal data we collect

The categories of personal data that we collect and use are listed below. We have provided examples of the types of personal data that fall within each category. Please note that the list of examples is not exhaustive. The type of personal data that we collect  about you will depend on the service or product we are providing to you as a customer.  

• Identification information: such as your national identification number, full name, copy of your passport or driver’s license, Netbank ID, Mobile bank ID and IP address. 

• Contact information: such as physical address, phone number and e-mail address. 

• Financial information: such as income, account information, asset and debt information, transactional data, credit history, insurance history, credit/payment card details, and type of agreement that you have with us.

• Information related to legal requirements and taxation: such as asset and debt information, country of taxation or foreign tax payer reference, Energy Performance Certificate Data and information required to be collected for customer due diligence and preventing money laundering and terrorist financing.

• Profile information: such as citizenship, demographic information, marital status, household composition  and occupation. 

• Nordea relationship information: such as the history of the customer relationship between you and Nordea.

• Special categories of personal data: such as information concerning health for some insurance-specific products provided from the Nordea life and pension companies, and information on trade-union membership related to certain loan or life and pension products. 

1b. The sources from which we gather your personal data

From you
We collect information you provide directly to us. For example, when becoming a new customer, we collect personal data such as name, national identification number, e-mail address and phone number. We also collect income and debt information to be able to provide you with the product or service in question. Nordea furthermore collects information such as messages you have sent as feedback, requests in our digital channels, when subscribing to our newsletters, or when becoming a follower on or commenting in  our social media channels.

From third parties
To offer you products and services, comply with statutory requirements, and for other purposes such as profiling and product optimisation, we may collect your personal data from third parties, including publicly available and other external sources. 

For example, when you apply for a loan from us, we may collect information in relation to your loan from other sources, such as centralised credit information providers which collect loan information from other creditors. To ensure your personal data is accurate and up-to-date, we receive periodic updates of some personal data categories from third parties (e.g. public authorities). 

Examples of third party data sources include:

• Registers held by governmental agencies (such as population registers and registers held by tax authorities, company registration offices, enforcement authorities, etc.

• Financial sanction lists (for example, lists held by international organisations such as the EU and UN as well as national organisations such as Office of Foreign Assets Control (OFAC)). 

• Registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons. 

• In connection with payments, we collect information from remitters, shops, banks, payment service providers and others. 

• Health data from health institutions (for our Life and Pension companies). 

• From other companies in the Nordea Group or other entities which we collaborate with. 

• Publicly available data, for example from social media or via search engines. Social media may also share data with us in accordance with your personalised privacy settings in those channels/media. 

• Providers of business-risk screening services.

• Profiling data from external business partners.

1c. Recording of telephone conversations, online meetings and storage of chat conversations

We record phone calls and chat conversations for documentation of customer requests, verification of orders, security and fraud management purposes, and to fulfil legal requirements. For example, online meetings, telephone and chat conversations are stored to document what happened and was said during the conversation, including any agreements entered into. Moreover, we record conversations that lead or may lead to securities transactions. In some countries, we use a recording for quality control of services delivered, training of employees, educational purposes and for improvement of our processes, if allowed by law. You can read more about recording of conversations at this link. 

1d. Video surveillance

For security purposes, including crime prevention, we have cameras in our branch offices and ATMs. In Nordea's premises, camera surveillance is used as part of our security work. Areas that are under camera surveillance are marked with signs. The purpose of camera surveillance is to prevent and investigate crime and increase security. Nordea has assessed that it is necessary for the bank's legitimate interest in preventing and investigating crime. In case of suspicion of a crime, we process personal data so that legal claims can be established, asserted or defended. Recorded material can be shared with authorities if it is necessary for criminal investigation.

We process your personal data on the basis of the legal grounds and purposes described below. 

2a. Necessary to perform an agreement with you 

One reason we process personal data is to collect and verify the data prior to giving an offer and entering into a contract with you. We also process personal data to document and complete tasks in order to fulfil our contractual obligations towards you, e.g. to provide and administer our products and services to you. 

Examples of activities necessary to perform an agreement with you: 

• Collecting your financial information to open an account or to grant a card or a credit or a loan.
• Collecting information needed to verify your identity in order to provide you with our digital banking solutions. 
• Collecting your contact information to provide you with customer service during the contract period, including customer care and customer administration and communication with you
• Collecting your identification information and financial information to provide insurance and pension services (processing special categories of personal data in relation to these services is based on the need to establish, exercise or defend against legal claims).
• Collecting information to maintain and update our records related to your shareholding with us or other companies.

2b. Legal obligations

In addition to the performance of contract, processing of personal data also takes place for us to fulfil our obligations under law, other regulations or authority decisions. 

Examples of processing due to legal obligations:

• Prevention and detection of money laundering and terrorist financing.
• Sanctions screening.
• Bookkeeping regulations.
• Reporting to tax authorities, police authorities, enforcements authorities, and supervisory authorities. 
• Risk management obligations such as credit performance and quality, capital adequacy, and insurance risks.
• Payment service requirements and obligations, such as fraud monitoring and reporting.
• Maintaining and enhancing the security of our IT systems. This includes, for example, protecting against threats and ensuring the integrity of our digital infrastructure.
• Other obligations related to service or product specific legislations, for example securities, funds, collateral, insurance or mortgage legislation.

2c. Legitimate interests 

We use your personal data where necessary to further our legitimate interests, as long as those legitimate interests are not overridden by your interests or fundamental rights and freedoms. 

Examples of our processing based on legitimate interests:

• Marketing, product and customer analyses. This processing forms the basis for marketing, process-, business- and system development, including testing. This is to improve our product range and to optimize our customer offerings including customer loyalty programmes. In some situations we collect your consent for marketing related activities as described below.

• Profiling, for example when conducting customer analysis for marketing purposes, when monitoring transactions to detect frauds or when determining whether an individual exceeds the sanctions risk appetite of the bank.

• Detecting unusual patterns in a user’s behavior or device to prevent fraud. 

• Maintaining and enhancing the security of our IT systems. This includes, for example, protecting against threats and ensuring the integrity of our digital infrastructure. 

• Anonymizing financial and demographic data to create statistics to test and develop new products and services. Anonymised and aggregated statistics cannot be linked to an individual. 

• Analyses of the use of social media for the purpose of providing better and more targeted marketing and communication, services and advice, including to respond to your comments and provide you with user support.  

• Possible establishment, exercise or defence of legal claims and collection procedure.

• Risk modelling, when we develop and maintain our risk models, such as for credit risk and capital requirements.

2d. Consent

As mentioned in chapter 2c there are situations when we will ask for your consent to process your personal data. Examples of such situations are processing of payment transaction data for marketing purposes in external media channels and social media, recording calls for educational purposes or for some processing of special categories of personal data. Information about the purpose, processing activity, types of personal data and your right to withdraw your consent will be provided when you are asked to give Nordea your consent. If you have given consent to processing of your personal data, you can always withdraw the consent at any given time.  

We may in some cases use automated decision-making if it is authorised by legislation, if you have provided an explicit consent or if it is necessary for the performance of a contract. One example is the automated credit approval process in Nordea’s online channels. 

When using automated decision-making we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.

You can always express your opinion about a decision based solely on automated processing, including profiling, if such a decision would produce legal effects (e.g. contract cancellation) or otherwise similarly significantly affect you (e.g. refusal of an online application) and you have the right to obtain human intervention in the decision-making (e.g. credit application made purely by algorithm to be rehandled by a Nordea employee).

Your personal data can be shared with others to the extent we are under statutory obligation to do so and to fulfil services and agreements we have with you or our suppliers. We may share your personal data with others such as authorities, Nordea Group companies, suppliers, payment service providers and business partners.  

Nordea has entered into data processor agreements where relevant, which regulates for what and how personal data shall be processed and ensures that such processing is in compliance with the legislation and our own requirements for data processing. Before sharing, we always ensure that we respect relevant financial industry secrecy obligations.

To provide our services to you, we disclose data about you that is necessary to identify you and perform an assignment or agreement with companies that we cooperate with. These services include, but are not limited to, secure identification solutions in the relevant country and between parties in the financial system such as central banks, correspondent banks, transaction receivers and clearing houses. If, for example, you have asked us to transfer funds, we need to disclose certain information to fulfil that transfer.

We may also share anonymised data for social and economic research or statistics purposes, where we believe it is in the public interest.

We disclose your personal data to:

• Authorities: we disclose personal data to authorities to the extent we are under statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcements authorities and supervisory authorities in relevant countries.
• Nordea Group Companies: we disclose personal data within the Nordea Group with your consent or if this is permitted pursuant to applicable legislation.   
• External business partners: we disclose personal data to external business partners with your consent or if this is permitted pursuant to applicable legislation. External business partners include for example correspondent banks, other banks, vendor partners of finance object and re-insurers. In order to provide our services, we may also disclose personal data  to payment service providers,  other service providers, other insurance companies, reinsurance companies and service companies within the field of collectively agreed occupational pensions.
• Suppliers: we have entered into agreements with selected suppliers, which include processing of personal data on behalf of us. This can be suppliers of IT development, maintenance, hosting and support.

Third country transfers
In some cases, we may also transfer personal data to organisations in so-called third countries (countries outside of the European Economic Area). Such cases would be when we utilise IT-suppliers or contractual partners. Such transfers can be made if any of the following conditions apply:

• the EU Commission has decided that there is an adequate level of protection in the country in question, or
• other appropriate safeguards have been taken, for example the use of the Standard Contractual Clauses approved by the EU Commission or the data processor has valid Binding Corporate Rules (BCR) in place, or
• that there are exceptions in special situations, such as to fulfil a contract with you or your consent to the specific transfer.

You can access a copy of the relevant Standard Contractual Clauses used by Nordea for transfers by going to www.eur-lex.europa.eu and searching for 32021D0914. 

You can access a copy of the relevant Binding Corporate Rules  used by Nordea for transfers by going to the Approved Binding Corporate Rules | European Data Protection Board (europa.eu).

Keeping your personal data safe and secure is at the centre of how we do business. We use appropriate technical, organisational and administrative security measures to protect any information we hold from loss, misuse, and unauthorised access, disclosure, alteration and destruction.

You have the following rights in respect of the personal data we process about you;

a) Right to request access to your personal data 

You have a right to access the personal data we are keeping about you. In many cases this information is already available to you in your online services from us. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for our business concept and business practices. Our know-how, business secrets as well as internal assessments and material may restrict your right of access. 

b) Right to request correction of incorrect or incomplete data 

If the data we are keeping about you is incorrect or incomplete, you are entitled to have the data corrected, with the restrictions that follow from legislation.

c) Right to request erasure

You have the right to request erasure of your data in the following cases:

• you withdraw your consent to the processing and there is no other justified reason for processing, 
• you object to the processing and there is no justified reason for continuing the processing,
• you object to processing for direct marketing, 
• processing is unlawful or
• when processing personal data about minors, if the data was collected in connection with the provision of information society services.

Due to regulations directed towards the financial industry, we are in many cases obliged to retain personal data about you during your customer relationship, and even after that, e.g., to comply with a statutory obligation or where processing is carried out to manage legal claims.

d) Right to limitation of processing of personal data 

If you contest the correctness of the personal data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the personal data in accordance with your right to object, you may request us to restrict the processing of these personal data. The processing will be restricted to storage only, until the correctness of the personal data can be established, or it can be checked whether our legitimate interests override your interests.

If you are entitled to erasure of the personal data which we have registered about you but the personal data is necessary for you to defend a legal claim, you may request that Nordea restricts the processing to storage only if you want to keep the data. 

Even when processing of your personal data has been restricted as described above, Nordea may process your personal data in other ways if this is necessary to enforce a legal claim or you have given your consent. 

e) Right to object to processing based on our legitimate interest 

You can always object to the processing of your personal data if the processing is based on Nordea’s legitimate interest, including direct marketing and profiling in connection to such marketing. 

f) Right to withdraw consent

When the lawful basis for a specific processing activity is your consent, you have a right to withdraw your consent at any given time. Information about your right to withdraw it is provided when you are asked to give Nordea your consent. 

g) Right to data portability 

You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the lawful basis consent or of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us. 

Your request to exercise your rights as listed above will be assessed given the circumstances in each individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements. 

If you wish to exercise your individual rights you can do so by visiting our webpages, through your personal Netbank, calling customer service or by visiting your local branch. Because we treat your personal data with the utmost care, we cannot act based on an email request and also cannot share, change or delete your personal data without confirming your identity through one of the channels mentioned above. 

We will keep your personal data for as long as they are needed for the purposes for which your personal data was collected and processed or required by laws and regulations. 

This means that we keep your personal data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations. Where we keep your personal data for other purposes than those of the performance of a contract, such as for anti-money laundering, bookkeeping and regulatory capital adequacy requirements, we keep the personal data only if necessary and/or mandated by laws and regulations for the respective purpose.

The data retention obligations will differ within the Nordea Group subject to local laws. 

In general, Nordea will store customer data for 10 years after the end of the customer relationship to establish, exercise and defend against legal claims, for debt collection/claims handling and to demonstrate compliance with legal and regulatory obligations upon request by authorities. However, the retention period applied to the personal data in a specific case depends on the purpose of processing. You can find examples of different purposes below.

Examples of storage times: 

• Loan offers: storing of loan related documentation for up to three months after the expiration of an offer.  
• Customer relationships not established: up to 18 months if a credit check has been performed and up to 12 months if a credit check has not been performed.
• Payment service requirements and obligations: transaction related information for eleven years.
• Preventing and detection of money laundering and terrorist financing, and fraud: storing of Know Your Customer (KYC) information for a minimum of five years after termination of the business relationships or the performance of the individual transaction
• Other service or product specific regulations such as securities, collateral, or mortgage regulation: storing your financial information for up to seven years
• Bookkeeping regulations: storing legally required information for up to ten years.
• Details on performance of an agreement: storing information related to your agreement with us for up to ten years after end of customer relationship.
• Insurance regulations: storing legally required information for up to twenty one years.
• Capital requirements for credit risk: storing information related to calculation of capital requirements for up to twenty years.

If you have any questions regarding our Privacy Policy or are dissatisfied with how we process your personal data, you can always contact Nordea’s customer service or your local branch office. 

8a. Contact the data protection officer

Nordea Group has appointed a data protection officer that you can contact by sending a message to: dataprotectionoffice [at] nordea.com (dataprotectionoffice[at]nordea[dot]com) or by sending a letter to: Nordea, Group Data Protection Office, Data Protection Officer, Satamaradankatu 5, FI-00020 Nordea, Finland. 

8b. Complaint to the data protection authority

You can also lodge a complaint with or contact the data protection authority in any of the countries where we provide services or products to you.