Privacy notice
This privacy notice describes how we process your personal data and your data protection rights. You can rest assured that we make every effort to process your personal data in a satisfactory manner and in accordance with legal requirements for the processing of personal data.
The privacy notice was last modified 01.07.2025
Svenska Handelsbanken AB NUF and Stadshypotek AB NUF are Norwegian branches of Svenska Handelsbanken AB and Stadshypotek AB, respectively. Svenska Handelsbanken AB and Stadshypotek AB are the data controllers responsible for the branches' processing of your personal data. When we use words such as "Handelsbanken" and "we" in this privacy notice, we are referring to Svenska Handelsbanken AB NUF and Stadshypotek AB NUF, as it is the branches that perform the day-to-day processing of your personal data on behalf of the data controllers.
Which branch processes your personal data depends on which products you have with us. This will typically be stated in the agreement you have entered into with us.
Personal data is any information relating to an identified or identifiable person. In the operation of our business, we process personal data about the following:
- Existing customers,
- Potential customers,
- Former customers,
- Guarantors,
- Beneficial owners,
- Authorised representatives (holders of power of attorney) and individuals sharing accounts,
- Business card holders,
- Guardians and those with parental responsibility,
- Contact persons and other persons associated with our business customers and private customers, suppliers and business partners,
- Visitors to our website, our social media pages, and/or our premises.
We mainly collect personal data directly from our customers, for example when they complete an application form and customer declaration form or contact one of our branches. Some data is collected from our systems and services. We also collect personal data in connection with camera surveillance of our bank premises and ATMs, and through statutory audio recordings of telephone conversations.
In order to offer you services and comply with legal requirements, we will also collect personal data from other sources such as:
- Public registers and public authorities. This includes the National Population Register and the Brønnøysund Register Centre, as well as registers administered by the tax authorities nationally and internationally and crime-fighting authorities
- Sanctions lists maintained by international organisations and other countries' authorities such as the EU, the UN, the Office of Financial Sanctions Implementation (OFSI) and the Office of Foreign Assets Control (OFAC)
- Credit reporting companies
- Agents and distributors
- Information services related to the identification of beneficial owners and politically exposed persons
- Financial institutions. Account information from financial institutions other than Handelsbanken, when you use various payment services or wish to collect your account details in one place.
- Debt information companies
- Business partners and third parties
- Publicly available and/or open sources
Below you will find the types of personal data that Handelsbanken collects. Note that the personal data collected depends on the product or service we offer you as a customer or what other relationship you have with us.
- Identification information, such as customer number, national identity number and copies of identification documents.
- Contact information, such as name, telephone number, address and e-mail address. We use these to, for example, ensure that the information and documents you need reach you.
- Neutral customer information, such as contact details and non-detailed product information (information about which company the customer is associated with and the types of products you have with us).
- Financial information, such as income data, credit history, expenses, employment and updated debt and tax information. We use this, for example, in connection with credit assessments that we must carry out before we can offer you a loan or other form of credit and/or in connection with investment advice.
- Transaction data, such as place of payment, payee and amount, card purchase, account number, repayment of loan or deposit.
- Information to fulfil statutory obligations relating to, for example, compliance with sanctions and anti-money laundering regulations and tax reporting. This may include information about beneficial owners, expected use of the bank's services, origin of funds and assets, close associates who are politically exposed persons, where people/entities are resident/domiciled for tax purposes, foreign tax identification numbers, etc. This also includes reporting to public authorities, such as tax information in connection with tax reporting. Other examples are information on investment competence, risk classification, risk tolerance and loss tolerance capacity, which is information we are required by law to process in connection with investment services and advice.
- Your contact preferences, how you would like to be contacted (e.g. for marketing purposes).
- Other agreement information, such as copies of the agreements you have with us and information related to your agreements, in order to be able to manage and follow up your ongoing agreement with us. This category also includes your communication with us about contractual relationships, such as advice or questions about your products.
- Special categories of personal data, such as health information or union membership, are processed only when strictly necessary. For example, we will process information about your trade union membership to ensure that you are eligible for particularly favourable terms that your union or association has negotiated on behalf of its members. In some cases, it may be necessary to process health information, for example if it is necessary to grant a grace period. In such cases, we will process as little information as possible, and we will not store information about diagnoses.
- Information on criminal offences, such as information on criminal convictions and offences, including information on whether a person has been sanctioned under a sanctions programme (if the sanctions programme contains any details of criminal offences) and information from publicly available sources.
- Communications, via e-mail, chat, SMS or other channels.
- User data generated when you use our services, such as information about how you use our services, device identifiers, clicks and preferences.
Purpose: To provide services to you, such as banking and financial services (this may include account agreements, payment agreements, loan agreements, conducting securities trading, as well as communications in connection with this).
Type of data and source: Contact information, transaction data, financial information. The information is collected from you.
Legal basis: To fulfil our agreement with you.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: To process applications relating to our services, e.g. applications for credit cards and credit.
Type of data and source: Financial information, identification information. The information is collected from you, credit reference agencies and/or public registers.
Legal basis: To enable us to enter into an agreement with you as our customer.
Storage time: Stored for up to 6 months from when the offer was made.
Purpose: To assess whether you are eligible for special favourable terms.
Type of data and source: Special categories of personal data (trade union membership). The information is collected from you.
Legal basis: Consent. You can withdraw your consent at any time by contacting us. If you are a member of the Norwegian Association of Lawyers or the Norwegian Bar Association, we process your trade union membership to provide you with particularly favourable terms as a data processor.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: Prevention and detection of criminal offences, such as money laundering and terrorist financing, as well as sanctions violations.
Type of data and source: Identification information, transaction data, information to fulfil statutory obligations, including any special categories of personal data and, where applicable, information on criminal offences. The information is collected from you, public and open sources and registers and possibly other reporting entities (e.g. other banks).
Legal basis: To fulfil our legal obligations under applicable anti-money-laundering and sanctions regulations, etc.
Storage time: Stored for up to 10 years after the customer relationship has ended or the transaction was completed.
Purpose: Tax reporting
Type of data and source: Identification information, financial information and transaction data.
Legal basis: To fulfil our legal obligations under applicable tax administration regulations (the Tax Administration Act and the Tax Administration Regulation).
Storage time: Stored for 10 years after the end of the reporting year.
Purpose: To document the content of communications about investment services.
Type of data and source: Information to comply with statutory obligations (audio recordings of relevant conversations), communications. The information is collected from you.
Legal basis: To fulfil our legal obligations under securities regulations.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: To carry out suitability assessments in connection with investment and advisory services.
Type of data and source: Information required to comply with statutory obligations (necessary information about customers or potential clients' knowledge and experience in the investment area, information about the client's financial situation and investment objectives, and the client's risk tolerance and ability to bear losses). The information is collected from you.
Legal basis: To fulfil our legal obligations under applicable securities regulations.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: To offer you apps and digital wallets.
Type of data and source: Transaction data, contact information. The information is collected from you.
Legal basis: To fulfil agreements with you.
Storage time: Storage time depends on which apps and digital wallets are activated. More information is provided in section 9 below.
Purpose: To communicate with you, contribute to a good customer experience and handle any customer complaints and claims.
Type of data and source: Contact information, transaction data, your preferences, communications. The information is collected from you.
Legal basis: Our legitimate interests in communicating with you, providing good customer service and safeguarding your and our interests. This includes, among other things, providing you with relevant information and measures to minimise the risk of fraud.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: Security measures in the form of camera surveillance at bank branches and ATMs, as well as visitor registration.
Type of data and source: Camera recordings. The information is obtained from camera equipment, etc.
Legal basis: Our legitimate interest in preventing and detecting criminal offences, as well as ensuring the physical safety of our customers and employees.
Storage time: Deleted within 90 days. Recordings are stored in a data centre with strict access control.
Purpose: Disclosure and collection of account information to and from other financial institutions in order for you to view this information in your online bank with other financial institutions.
Type of data and source: Transaction data. The information is collected from you and/or generated through the use of our services.
Legal basis: Consent. You can withdraw your consent at any time in our or the other institution's online bank.
Storage time: For as long as you have accounts with multiple financial institutions and do not withdraw your consent to the sharing of information.
Purpose: To improve, analyse, maintain, develop, etc. products and services.
Type of data and source: User data. The information is collected from you and/or generated through the use of our services.
Legal basis: Our legitimate interest in improving, analysing, developing and maintaining our services.
Storage time: Stored for up to 5 years after the information was collected.
Purpose: To manage our relationships with corporate customers.
Type of data and source: Contact information, communications. The information is collected from you and/or partners.
Legal basis: Our legitimate interest in managing purchases, sales and other business activities.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: To register information about your customer relationships in our group register.
Type of data and source: Neutral customer information. The information is collected from you.
Legal basis: Our legitimate interest in maintaining an overview of customer relationships across Handelsbanken, as a group of undertakings.
Storage time: Stored for 2 years after the customer relationship ends.
Purpose: To market our services and products and provide you with personalised marketing.
Type of data and source: Contact information, other agreement information (information about which products and services you have purchased from us), your preferences, technical information and identification data, as well as system information (e.g. IP address, system settings). For online advertisements, we process the following information if you click on one of our advertisements: time of click, IP address from which you clicked, and where on the advertisement banner you clicked. The information is collected from you.
Legal basis: Consent for direct and personalised marketing. If you have an existing customer relationship with us, we may in some cases send you direct marketing based on our legitimate interest in marketing our offers. Other marketing, which is not direct or personalised, is also based on our legitimate interest.
Storage time: If the marketing is based on consent: until you withdraw your consent. If the marketing is based on our legitimate interest, we typically store information relating to the marketing activity for 6 to 12 months.
Purpose: To manage our social media pages.
Type of data and source: Insights/statistics, communications (e.g. comments, likes, chat), profile information. The information is collected from you and/or via social media.
Legal basis: Our legitimate interest in communicating with users, customers and other business partners on social media. For more information, see section 10.
Storage time: We do not store personal data in our own systems for this purpose. The personal data is stored only in the social media service, and the storage time depends on the service in question. See section 10 for more information.
Purpose: The sharing of an account between two or more customers.
Type of data and source: Contact information, financial information, transaction data. The information is collected from you and/or the others you share the account with.
Legal basis: Our legitimate interest in allowing our customers the opportunity to share accounts. Information about transactions etc. will be available to the account owner and others who may share the account. Before you choose to use a shared account, you must be aware that the account owner may in the future invite others to also share the account.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: Documentation and legal claims.
Type of data and source: Identification information, contact information, neutral customer information, financial information, transaction data, information to fulfil statutory obligations, other agreement information, special categories of personal data, communications. The information is collected from you, registers, partners and/or generated through the use of our services.
Legal basis: Our legitimate interest in being able to access background information should disagreements and/or claims (legal claims and/or compensation claims) arise. Access to this information is limited to employees who have a legitimate need for access to such information.
Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.
Purpose: Compliance with industry-specific legislation.
Type of data and source: Information to fulfil statutory obligations. From you and/or records.
Legal basis: To fulfil our legal obligation under industry-specific legislation. This includes: accounting regulations, tax administration regulations, reporting obligations, requirements and obligations related to payment services, product-specific legislation for funds, securities, surety and mortgages, and the Electronic Signature Act.
Storage time: Stored for up to 10 years after the end of the reporting year.
We may disclose your personal data to the categories of recipients mentioned below, to the extent necessary and provided that our duty of confidentiality does not preclude the disclosure.
- Public authorities or third parties, such as the police, debt information companies, the Financial Supervisory Authority of Norway or the Norwegian Tax Administration, if required to do so by law.
- Other companies in our group, in order to manage our customer register or if it is necessary to satisfy the group's statutory management, control or reporting requirements.
- Approved credit reporting companies, such as Experian, when you apply for a loan.
- Payment service providers involved in a payment transaction.
- Payment processors, such as Mastercard or Vipps, when we make a payment you have initiated.
- Other banks and payment institutions, when we make payments or other orders you have placed. The same applies to fraud and investigations pursuant to the Norwegian Money Laundering Act.
- Citibank for customers who have the product Premium Depot and VP Depot. Customers with these products can choose Tax Service as a voluntary service. In addition, the authorities in some countries require the creation of individual accounts for the customer in Citibank, which means that the name of the customer is provided to Citibank. You can read more about how Citibank processes personal data in
- Our suppliers, such as providers of websites and IT systems. We have agreements with the relevant suppliers to ensure that they do not process the data for purposes other than those described in this privacy notice.
- Our advisers and partners to the extent necessary to conduct business in a customary manner for our industry and to offer you a good customer experience, which may also include third parties in connection with possible mergers or transactions.
- Account and Address Register (KAR), to increase the quality of payment systems and contribute to the efficient and flexible use of distribution channels for payment services. KAR is a register of payment accounts and account holders, and is used to check that an account number is valid and in use, and whether a specific account number belongs to a specific person. KAR can be used by other public and private organisations.
A processor is a company that processes personal data on our behalf. When we use processors to collect, store or otherwise process personal data on our behalf, we enter into an agreement with the processor. We do this to ensure that the use of the data is in accordance with the privacy regulations and the bank's requirements for the processing of personal data. Processors include IT providers and providers of payment services and securities services.
When Svenska Handelsbanken AB NUF provides services on behalf of Stadshypotek AB NUF, this means that Svenska Handelsbanken AB, at Svenska Handelsbanken AB NUF, is the processor for Stadshypotek AB, at Stadshypotek AB NUF.
Handelsbanken processes your personal data mainly within the EEA. However, in some cases, it may be necessary to transfer personal data to recipients outside the EEA, as some of our suppliers or other group countries are located in such countries.
We will only transfer your personal data to third countries that the European Commission has decided have rules that adequately safeguard your data protection (adequacy decision) or if your personal data has the same degree of protection in the relevant third country as it would have in the EEA. This is ensured by, for example, putting guarantees in place in order to safeguard your privacy, such as the EU's standard contractual clauses. If necessary, we will ensure that additional safeguards, such as encryption and pseudonymisation, are implemented to ensure an adequate level of protection.
In cases where we transfer personal data to third countries, this mainly involves transferring personal data to the USA and/or India. This is often done in connection with us using subcontractors with headquarters in the USA, e.g. Microsoft, or a subcontractor with support functionality for the operation of Mastercard's IT systems in India. Another typical example of such a transfer may be when you want to transfer money to another bank in connection with a money transaction from a bank in the EEA to a bank outside the EEA. Contact us for more detailed information about transfers to countries outside the EEA.
Handelsbanken's apps
Handelsbanken takes a proactive approach to information security in order to protect your data and ours against breaches of confidentiality, privacy and accessibility. For example, we require strong authentication when you log in to our services, and data transfers between you and our online bank or apps are encrypted.
Our mobile apps require various permissions on your phone. Some of these are necessary for the apps to work on the phone and are automatically contained within the solutions. For example, the app will check if you are connected to the internet. Without internet access, you will not be able to log in. However, we only ask for the permissions that are necessary for the app to work and we cannot see any other information on your phone. Other functions are your user settings and you must actively give the app permission here for those you want to use. These permissions are stored only on your phone. You can withdraw and manage permissions that you have previously granted in the settings.
Your facial recognition and/or fingerprint data are stored only locally on your phone. Handelsbanken does not have access to this data, it only receives confirmation that the correct face or fingerprint has been verified.
The bank's other services will continue to be available on other platforms even if an app is uninstalled or the app's permissions are changed. This means, for example, that transaction data and other information stored in your online bank will not be affected if you uninstall or delete the app. Other information that is not directly linked to the app will also not be affected.
Third-party applications
You have the option to activate various third-party applications, including digital wallets. You will be provided with more information about what activation entails when activating via your online bank or the app.
As of July 1st 2025, we offer the following apps and digital wallets:
- Samsung Pay
The bank is active on several different social media platforms. If you visit our social media pages, we may, for example, process your user name, comments you write in the comments section, the fact that you "like" content, and messages you write to us as a direct message.
We also process aggregated data about visits and activity on our pages on social media for statistical and analytical purposes. We cannot link the information to you as an individual. We have access to the information as long as our page on social media exists, but Handelsbanken does not store the information itself.
We and the individual social media platform have a joint processing responsibility, which means that you as an individual are entitled to assert your rights against both parties. We are jointly responsible for the processing related to our site/account. You can read more about the joint processing responsibility and the processing of your personal data on the social media platforms, such as and (Facebook and Instagram).
As a data subject, you have a number of rights. These are described in more detail below.
You have the right to request access to your personal data, a description of the types of data processed and further information about our processing of the data. This information must be provided to you in writing and electronically if the request is submitted electronically. In some cases, there are exceptions to the right of access. This includes, for example, where we have a statutory duty of confidentiality or where we are required to keep the information secret for the purposes of the prevention, investigation, disclosure and legal prosecution of criminal acts or if information is only found in documents prepared for internal case preparation and exemptions from the right of access are necessary to ensure proper case processing.
You have the right to have information corrected, for example if we have registered incorrect or incomplete information about you.
You also have the right to request that your data be deleted, if the data is no longer necessary for the purpose for which it was collected or if you withdraw your consent to the processing. This does not mean we are obligated to delete the information if we still have a legitimate need to process the data for the purpose. The same applies if we still need the information to fulfil a legal obligation or to establish, exercise or meet a legal or compensation claim as described above.
You have the right to object to the processing of your personal data that we process on the basis of legitimate interests. We will stop processing your personal data for this purpose unless we can demonstrate that there are compelling legitimate grounds for the processing that override your interests, rights or freedoms, or if the processing is necessary for the establishment, exercise or defence of a legal claim. However, we will always take into account objections to direct marketing, regardless of the legal basis.
You can ask us to restrict the processing of your personal data to storage only. You can do this if you dispute the accuracy of the information we have registered about you, the lawfulness of the processing, if you have objected to the processing, or if we no longer need the data but you still want the data to be stored because you are going to use it in connection with a legal claim. However, we may still process your data for other purposes if this is necessary to assert a legal claim or if you have given your consent to the processing. Note also that if you request that the processing of your personal data be restricted, this may lead to certain products and services no longer being available to you.
You are also entitled to data portability in some cases. This means that you are entitled to have the personal data you have provided to us made available in a machine-readable format. You also have the right, where technically feasible, to have your personal data transferred directly from us to another data controller. The right to data portability applies where the processing is based on consent or agreement, and where the processing of the data is automated.
You have the right to withdraw consent you have given for the processing of personal data at any time. Future processing of personal data based on consent will then cease.
If you would like to exercise any of your rights, please contact our Privacy Officer at . In order to respond to your enquiry, we will need to confirm your identity. We do this to make sure that we only give access to your personal data to you and not to others claiming to be you. We will respond to your enquiry as soon as possible, and no later than 30 days after receiving it. Sometimes a longer period of time may be required, in which case you will receive further information about this before the 30 days have passed.
When Handelsbanken provides access to or copies of personal data, certain information is excluded from the standard report. This is because this information is available to you in our online bank. This includes:
- Transaction history (payments, card transactions, trading in financial instruments, etc.)
  You will find up to 13 years of history in our online bank. Contact us for additional transactional history.
- Documents related to your products in Handelsbanken (customer agreements, card agreements, loan agreements, etc.)
  These are available in our online bank for most customers, depending on the length of the customer relationship. Please contact us if your agreements are not available.
- Any written communication you have had with Handelsbanken.
  Communication that has taken place via our online bank is available under "mailbox" and "messages". If you have communicated with the bank via Digipost or e-mail, you can find the messages in your Digipost mailbox or e-mail box respectively.
- Any recordings of conversations you have had with Handelsbanken in connection with the provision of investment services.
  Handelsbanken is obliged to record such conversations in accordance with the Securities Trading Act. Such recordings are not available in our online bank.
Handelsbanken processes personal data to protect you against its misuse, against unintentional access, and to safeguard the bank's assets, for example when logging on to servers and when operating infrastructure. In order not to compromise the security of personal data about you, we cannot go into detail about how the information is secured. Nevertheless, we have a clear goal to ensure the safe and sufficiently secure processing of personal data, whether through securing electronic systems, our websites and applications, physical security of premises or by other means.
For security reasons, we would like to inform you that sending and receiving e-mail from ordinary e-mail accounts without encryption does not provide sufficiently secure communication of the e-mail's content. We ask you to avoid sending us e-mails containing national identity numbers or other personal data that requires protection.
For the communication of such information, we recommend that you use the mailbox in online banking for secure transfer of information or Digipost.
If you have a question or wish to complain about how we process your personal data, please contact our Data Protection Officer at Handelsbanken DPO or e-mail . We will reply to you within 30 days.
You also have the right to lodge a complaint with the supervisory authority regarding our processing of your personal data. More information about complaining to the Norwegian Data Protection Authority can be found at