2. The purpose of personal data processing
The purposes of the bank’s personal data processing will only be those that are normal and necessary for the secure and profitable operation of the banking activity.
The purposes of the personal data processing are first and foremost:
- To draw up customer contracts, including credit details
- Customer administration, including marketing of the bank’s own products and services
For the purpose of concluding contracts with customers, information is collected from external sources for assessing creditworthiness. An assessment of the customer’s ability and willingness to pay will also be carried out, on the basis of the information the customer provides himself and the information that is otherwise available under applicable law.
Customer administration refers to processing that is necessary for a well-functioning customer relationship, and includes the mailing of invoices and, where necessary, reminders, information on the products and services, and the fulfillment of obligations companies have assumed for the implementation of assignments and service contracts with the customer.
Other important purposes are as follows:
- Statutory duties in connection with taxes, fees and accounting, and notification requirements including the prevention and publication of crime.
- To meet legal obligations by which the bank is bound.
- To protect the bank against repeated credit losses, including repeated attempted fraud.
In addition to this, personal data is processed for the following purposes with the customer’s consent:
- Marketing of partners’ products and services.
- Marketing and customer administration based on personal profiles.
3. Information on the processing, the right of access and correction of personal data
Information on the customer’s contract with the company will mainly be available on ‘My Pages’. If the customer does not have My Pages or is unable to read electronic documents for other reasons, the information can be given in paper format. The customer may request that the bank provides access to registered personal data in accordance with the provisions of the GDPR. Customers will be able to provide their email address and telephone number by logging into ‘My Pages’. Customers’ registered addresses will be amended in the Civil Register automatically. In the event that a customer’s registered address is wrong, the customer must contact the Tax Agency and request correction.
4. Personal data collected by the company
The company will mainly receive the personal data that is registered from the customer direct. Where data is collected from third parties (for example, banks/financial companies, financial agents, credit information companies and the Civil Registry), the customer will be informed, unless the collection is required by law, notification is impossible or unreasonably difficult, or if it is clear that the customer is already aware of the information to be contained in the notification.
5. Personal data registered by the company
Upon conclusion of the contract and throughout the contract period, the company will register personal data pertaining to the customer and other persons forming part of the contractual relationship.
If an application for a loan is discontinued after an email address has been entered in the application form, the bank’s data system will send two email messages to seek clarification as to whether the person applying intends to complete the loan application. If the applicant does not complete the application after the second message, the bank will remove all information that has been entered by the applicant.
The company will also register personal data concerning persons with whom the company has refused to enter into a contract, for the purpose of informing the person of the refusal and, where appropriate, documenting the relationship at a later stage, for example, if a deposit and payment instruction was refused for objective reasons. This data regarding refusal is stored for three months.
For the purpose of preventing credit loss, for example, when new applications are rejected, the bank will register data regarding the loss after debt collection. This information will only be made available to the bank’s credit co-workers and will be stored until outstanding loans are paid back to the bank.
6. Transfer to other parties and transfer to a third country.
Registered personal data will be transferred to public authorities and other third parties in the event that this is required by a statutory duty of disclosure or right to information. Where permitted by applicable law and provided for by the company’s obligation of professional secrecy, personal data may also be transferred to other banks and financial companies.
Information will also be transferred to partners that carry out necessary operational and development tasks for the bank’s processes and systems.
The transfer of personal data to data processors is not the equivalent of transfer in this context. Such data processors are typically suppliers of IT services.
The bank does not transfer personal data to states outside the EEA.
7. Risk classification of customers and credit portfolios
The company will process credit information and other personal data in accordance with applicable law, for the purpose of establishing and using systems for the calculation of statutory capital requirements for credit risks. Systems for internal measurement methods refer here to the company’s models, work and decision-making processes for the provision and control of credit, control mechanisms, IT systems and internal guidelines that are associated with the classification and quantification of the institution's credit risks and other relevant risk.
Personal data regarding this may be collected from credit reporting agencies
8. Prevention and disclosure of criminal acts - money laundering
The company will process personal data for the purpose of preventing, identifying, resolving and managing fraud and other criminal acts. The data will be collected from and transferred to other banks and financial institutions, the police and other public authorities. The period of storage will be ten years after registration.
Furthermore, the company will process personal data in order to fulfill its duty to investigate and report suspicious transactions in accordance with Norwegian legislation on money laundering. The company is responsible for reporting suspicious information and transactions to the National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim).
9. Sound recording of telephone conversations and storage of other customer information
All telephone conversations with customers may be recorded. The conversations will be used in the first instance for the quality assurance of the work that is carried out in connection with complaints or for training purposes. Such recording of conversations to/from fixed telephony and mobile telephony, as well as documentation of other types of communication with the customer, will be stored for three years. Sound recordings may be sought from the company on the basis of incoming and outgoing telephone numbers, the time of the call and/or employees of the company who made the call. It will be possible to search communication via other communication channels on the basis of the customer’s identity, time of communication and employees of the company who communicated.
10. Amendment and deletion
The company will delete or anonymise registered personal data when the purpose of the processing is achieved, unless the information should or can be saved longer than this as a consequence of legislation. Within the scope of the limitations stipulated in the Norwegian Personal Data Act, the customer may demand that incomplete or unnecessary personal data be corrected or deleted.
12. Personal data controller
The bank has established a personal data officer. The representative can be contacted via the following email address: email@example.com
13. Supervisory authority and the right to complain
The supervisory authority that monitors the use of personal data is the Norwegian Data Protection Authority (Datatilsynet). Any complaints about the bank’s use of personal data can be lodged with them, but we would urge you to contact the bank first via the Personal Data Controller (firstname.lastname@example.org) so that any misunderstandings can be clarified.