3. Automated decision-making
We may in some cases use automated decision-making, if it is authorized by legislation, if you have provided explicit consent or if it is necessary for the performance of a contract, e.g., automated credit approval process in the online channels. You can always request a manual decision-making process instead, express your opinion, or contest a decision based solely on automated processing, including profiling, if such a decision would produce legal effects or otherwise similarly significantly affect you.
When using automated decision-making, we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.
4. Who we may disclose your personal data to
We may share your personal data with others such as authorities, Nordea Group companies, suppliers, payment service providers, and business partners. Before sharing we will always ensure that we respect relevant financial industry secrecy obligations. To fulfill services and agreements we have to disclose information about you. If, for example, you have asked us to transfer funds, we need to disclose certain information to fulfill that transfer.
Third parties and Nordea Group companies
To provide our services, for example, credit transfer, we disclose data about you that is necessary to identify you and perform an assignment or agreement with companies that we cooperate with in order to perform our services. These services include, but are not limited to, secure identification solutions in the relevant country and between parties in the financial system such as central banks, transaction receivers, and clearinghouses.
We also disclose personal data to authorities to the extent we are under statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities, and supervisory authorities in relevant countries.
In addition, data are disclosed, with your consent or if this is permitted pursuant to legislation, internally in Nordea Group, and to external business partners (including correspondent banks, other banks, vendor partners of finance object, and re-insurers).
We have entered into agreements with selected suppliers, which include processing of personal data on our behalf. Examples thereof are suppliers of IT development, maintenance, hosting, and support.
Third country transfers
In some cases, we may also transfer personal data to organisations in so-called third countries (countries outside of the European Economic Area).
Such transfers can be made if:
- the EU Commission has decided that there is an adequate level of protection in the country in question, or
- other appropriate safeguards have been taken, for example the use of the standard contractual clauses (EU model-clauses) approved by the EU Commission or the data processor has valid Binding Corporate Rules (BCR) in place, or
- there are exceptions in special situations, such as to fulfil a contract with you or your consent to the specific transfer.
You can access a copy of the relevant EU model-clauses used by Nordea for transfers by going to www.eur-lex.europa and searching for 32010D0087.
5. How we protect your personal data
Keeping your personal data safe and secure is at the center of how we do business. We use appropriate technical, organizational, and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
6. Your privacy rights
You as a data subject have rights in respect of the personal data we hold on you.
You have the following rights:
A) Request access to your personal data: You have a right to access the personal data we are keeping about you. In many cases, this information is already available to you in your online services from us. Your right to access may, however, be restricted by legislation, protection of other persons' privacy, and consideration for the Nordea Group’s business concept and business practices. The Nordea Group’s know-how, business secrets as well as internal assessments and material may restrict your right of access.
B) Request correction of incorrect or incomplete data: If the data are incorrect or incomplete, you are entitled to have the data rectified, with the restrictions that follow from legislation.
C) Request erasure: You have the right to request erasure of your data in case:
- you withdraw your consent to the processing and there is no other legitimate reason for processing,
- you object to the processing and there is no justified reason for continuing the processing, and/or
- you object to processing for direct marketing, the processing is unlawful or when processing personal data on minors, if the data was collected in connection with the provision of information society services.
Due to the financial sector legislation, we are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g., to comply with a statutory obligation or where processing is carried out to manage legal claims.
D) Limitation of processing of personal data: If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data to only storage. The processing will only be restricted to storage until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.
If you are not entitled to erasure of the data which we have registered about you, you may instead request that we restrict the processing of these data to only storage. If the processing of the data which we have registered about you is solely necessary to assert a legal claim, you may also demand that other processing of these data be restricted to storage. We may process your data for other purposes if this is necessary to assert a legal claim or if you have granted your consent to this.
E) Object to processing based on our legitimate interest: You can always object to the processing of personal data about you for direct marketing and profiling in connection to such marketing.
F) Data portability: You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or of fulfilling a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.
We collect, process, and analyse data regarding the use of our web pages. Traffic data is data connected to visitors on the webpage and data handled in communication fields for sending, distributing, or making messages available.
You can set or amend your web browser controls to accept or reject cookies. If you choose to reject cookies, you may still use our websites and some services, however, your access to some functionality and areas of our website or services may be restricted substantially.
For more information, see cookies at the footer of your local website.
8. How long we process your personal data
We will keep your data for as long as they are needed for the purposes for which your data was collected and processed or required by laws and regulations. This means that we keep your data for as long as necessary for the performance of a contract and as required by retention requirements in laws and regulations.
Where we keep your data for other purposes than those of the performance of a contract, such as for anti-money laundering, book-keeping, and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
The data retention obligations will differ within the Nordea Group subject to local law.
Specific examples are:
- Preventing, detecting, and investigating money laundering, terrorist financing, and fraud: minimum five years after termination of the business connection or the performance of the individual transaction
- Book-keeping regulations (up to ten years)
- Payment service requirements and obligations (five years)
- Other service or product-specific regulations such as securities, collateral, insurance, or mortgage regulation (up to seven years)
- Loan offers (up to three months after the expiration of an offer)
- Details on performance of an agreement: up to ten years after end of customer relationship to defend against possible claims
The above is only for explanatory purposes and the retention times may differ from country to country.
10. Contacting us or the data protection authority
You can also lodge a complaint or contact the data protection authority in any of the countries where we provide services or products to you.