Introduction
Handelsbanken NUF org.nr. 971 171 324 and Handelsbanken Eiendomskreditt NUF org.nr. 991 303 995 is collectively referred to in this privacy statement as "Handelsbanken" or "we". Handelsbanken NUF is a Norwegian branch of Svenska Handelsbanken AB and Handelsbanken Eiendomskreditt NUF is a Norwegian branch of Stadshypotek AB.
This privacy statement details how Handelsbanken processes personal information about customers, potential customers, former customers, creditors, guarantors or authorized representatives, business card holders and related parties (hereinafter "the Registered"). We also process information about contact persons at our customers and suppliers.
Personal information is any information that can be linked to an individual. You can be assured that we process all personal data about you in a satisfactory manner, and in accordance with statutory requirements for the processing of personal data.
Read below about how Handelsbanken processes your personal information in connection with your bank agreements.
1. Who is responsible for processing personal data?
Handelsbanken NUF and Handelsbanken Eiendomskreditt NUF are Norwegian branches of Svenska Handelsbanken AB and Stadshypotek AB, respectively. Svenska Handelsbanken AB and Stadshypotek AB are formally responsible for processing the branches' handling of your personal information. The responsibility lies with the CEO of these companies, and he or she decides the purpose of the processing within the framework of our business, and which aids are to be used. On a daily basis, this is nevertheless followed up through the Norwegian branch business.
Which branch is formally responsible for the processing of your personal data depends on which products you have entered into an agreement on. The branch that processes your personal information will be stated in the agreement you have entered into with us. The operation of Handelsbanken Eiendomskreditt NUF is placed under Handelsbanken NUF. This means that Handelsbanken AB (at Handelsbanken NUF) is also a data processor in this relationship, see more about this below under point 7.
2. Where do we collect personal information from?
The personal information we register will mainly be obtained directly from you as a customer, by filling out an application form, inquiries to one of our offices or by using our services, such as online banking or mobile banking. In other cases, we receive personal information from other Registrants, such as information about family information or tips about acquaintances who may be potential customers of Handelsbanken. Furthermore, we also process personal information obtained through camera surveillance of our bank premises and ATMs and through statutory audio recordings of telephone conversations.
In order to offer you services and comply with legal requirements, we will also collect personal information from other sources such as:
• Public registers such as the National Register, the Brønnøysund Register Center, and registers administered by the tax authorities and crime-fighting authorities
• Sanctions lists maintained by international organizations such as the EU, the UN and the Office of Foreign Assets Control (OFAC)
• Credit reporting companies
• Agents and distributors
• Information services related to licensees and politically exposed persons
• Account information from financial institutions other than Handelsbanken when you use various payment services or want to collect your account information in one place
• Debt information companies
Handelsbanken also has a central group customer register. We obtain some information from here, but only within the limits of the law. This could be, for example, your name and contact information. You can still consent to the sharing of more information between the companies in the Handelsbanken Group, see more about the group customer register and consent below.
3. What types of personal information do we collect?
Below you will find examples of types of personal information that Handelsbanken collects. Note that the type of personal information that is collected depends on which product or service we offer you as a customer or what other relationship you have with us, such as a manager.
• Identification information, such as birth number and copy of identification. We use this to check and secure the correct identity of our customers, something we must do, among other things, to fulfill statutory obligations regarding anti-money laundering measures
• Contact information, such as name, telephone number, address and e-mail address. We use this to ensure that the information and documents you need come to you
• Financial information, such as income data, credit history, and updated debt and tax information. We use this, for example, in connection with credit assessments that are carried out before we can offer you a loan or other form of credit.
• Transaction data, such as place of payment, payee and amount, card purchase, repayment of loan or deposit. We need this, among other things, to fulfill statutory obligations regarding transactions, and to fulfill our agreements with you, such as enabling functions in online and mobile banking - for example, displaying your transaction overview
• Information to fulfill statutory obligations. This could be information about the tax domicile, foreign tax registration number and other information required in connection with the bank's statutory anti-money laundering measures, and reporting to public authorities, such as tax information in connection with tax reporting. Other examples are information on investment competence, risk classification, risk tolerance and loss tolerance capacity, which the Bank is required by law to process in connection with investment services and advice.
• Your preferences, such as the channels (for example e-mail) you want to be contacted by the bank, and other marketing preferences you have given consent to
• Other agreement information, such as copies of the agreements you have with us and information related to your agreements, in order to be able to manage and follow up your ongoing agreement with the bank. This also includes communication you have with the bank about your contractual relationships, such as advice or questions about your products
• Special categories of personal information, such as health information or union membership, are processed only when strictly necessary. For example, we will process information about your trade union membership to ensure that you qualify to receive particularly favorable terms that your union or association has negotiated with Handelsbanken on behalf of its members. In some cases, it may be necessary to process health information, for example if it is necessary to grant a grace period. In such cases, we will process as little information as possible, and we will not store information about diagnoses.
4. Basis of treatment and purpose
Handelsbanken processes personal data for specified purposes, and only when we have a legal basis for the processing. Please find examples of this below.
4.1 To enter into or fulfill an agreement
Handelsbanken processes your personal data if it is necessary to enter into an agreement with you or fulfill the agreement (s) you have entered into with us. This can be an account agreement, a loan agreement or similar. We must also process your personal information if you insert a Handelsbanken card in a digital wallet, or if you use one of our apps. Retention of contact information, agreement documentation, registration of transactions and payments as well as information from communication with customer advisors, are key examples of daily processing we must carry out to fulfill ongoing agreements between us and our customers.
4.1.1 Apps and digital wallets
Per 06.01.2023 we offer the following apps and digital wallets:
• Mobilbank PM
• Kortkompis
• Garmin Pay
• Fitbit Pay
4.2 Legal obligations
We are subject to a number of legal obligations that require us to process personal data. By legal obligation we mean requirements that follow from law, regulations or government decisions. Below are some examples of our legal obligations that require us to process your personal information.
4.2.1 Prevention and detection of criminal offenses
As a financial undertaking, Handelsbanken has a statutory duty to help prevent, detect, solve and deal with fraud and other criminal acts, such as terrorist financing and money laundering. We are obliged to investigate and report suspicious transactions under the Money Laundering Act.
4.2.2 Audio recording of telephone calls and storage of other customer communications for investment services
In connection with the provision of investment services and advice, we are obliged to make audio recordings and store other customer communications, for example through e-mail or chat, in order to be able to document the content of such conversations if, for example, disagreement arises about what has been agreed and clarify when specific information was communicated. This follows from the securities regulations.
4.2.3 Investment and advisory services
In order to provide investment and advisory services, the Bank is subject to obligations under the Securities Trading Act to obtain necessary information about customers or potential clients' knowledge and experience in the investment area, information about the client's financial situation and investment objectives, and the client's risk tolerance and ability to bear losses. This is often referred to as suitability assessment.
4.2.4 Compliance with industry-specific regulation
We are also subject to other legal obligations that may necessitate the processing of personal data, such as:
• Duty to store in accordance with the accounting regulations
• Sanction monitoring
• Reporting to tax authorities, supervisory authorities and police authorities
• Requirements and obligations related to payment services
• Other obligations related to product-specific legislation for funds, securities, mortgages or mortgages
• Electronic Signature Act Handelsbanken processes personal data for specified purposes, and only when we have a legal basis for the processing. You will find examples of this below.
4.3 Legitimate interest
We also process personal data when it is necessary for the bank to be able to safeguard a legitimate interest that outweighs the consideration of your privacy. We make concrete and documentable balances of interest before such treatment is implemented. For example, Handelsbanken believes that it has a legitimate interest in the processing of personal data for the following purposes:
4.3.1 Development and analysis
Handelsbanken may collect information that is used to analyze how you use our services in connection with the improvement of existing products or the development of new services. In some cases, we also have a legitimate interest in analyzing your information, such as usage patterns, to identify whether new products and services may be relevant to you. We also have a legitimate interest in improving functionality in already existing products and services as well as performing tests in connection with development.
4.3.2 Group customer register
The Handelsbanken Group consists of several legal entities that are a total supplier of services and products to our customers.
In order to facilitate the administration of the customer relationship, and for the coordination of offers of services and advice to you as a customer, we have a legitimate interest in processing personal information about customers in the group customer register. Unless you have agreed to something more, we only register so-called neutral customer information about you in this register. Neutral customer information is, for example, name, contact information, date of birth and information about services and products. We also have a legitimate interest in using neutral customer information for marketing purposes within the group. You can opt out of such marketing activities at any time. Sharing information within the group in addition to the neutral customer information, requires valid consent from you.
The following branches in Norway share information with Handelsbanken's joint corporate customer register in Sweden, as described above:
• Handelsbanken NUF
• Handelsbanken Eiendomskreditt NUF
• Handelsbanken Liv NUF
• SHB Liv Forsikringsaksjeselskap NUF
4.3.3 Camera surveillance
The bank has a legitimate interest in taking pictures using camera surveillance of bank branches and ATMs, to prevent and detect criminal acts and to ensure the physical security of customers and employees. We always inform that the area is monitored. The monitoring material is deleted within 90 days, and stored in a server hall with a very high access restriction.
4.3.4 Documentation and other
The bank has a legitimate interest in storing information about the Registrants in order to be able to meet a possible future legal claim or claim for compensation. Access to this information is limited to employees who have a factual need for access to such information. We will also be able to implement other measures as part of our work against money laundering, on the basis of Handelsbanken's legitimate interest in this.
4.3.5 Contact persons in companies
The bank has a legitimate interest in storing information about contact persons with corporate customers in order to maintain and manage customer relationships with corporate customers.
Some processing of personal data requires the bank to obtain your consent. Below you will find some examples of this. You can change or withdraw consent in the online bank at any time.
4.4.1 Sharing of information within the group
For example, we obtain consent to be able to share more of your customer information than the "neutral" ones within the group so that we can assist you as a customer in the best possible way, manage your customer relationship and give you the best possible advice. See more about sharing customer information in a group without consent, under the section on group customer registers above.
4.4.2 Marketing
We obtain your consent to be able to send you certain types of marketing in digital channels or send you marketing inquiries from our partners. This can be other companies in the Handelsbanken Group such as our insurance companies, or other companies we work with, such as information about new functions in Vipps.
We also obtain your consent to be able to use information from your customer relationship to adapt our marketing activities so that you receive the most relevant inquiries from us.
4.4.3 Use of cookies
We use cookies when you use our website, by placing a cookie with a unique ID in your browser. Cookies are text files that are stored in the browser's internal memory when you visit a website. The purpose of the use of cookies is to give you a better user experience, in that we can assess how the website is used and map potential for improvement and at the same time ensure that various services on our website work. We never use cookies to map usage patterns or collect other person-specific information.
4.4.4 View your accounts at another bank
Account information about payment accounts you own or where you are the manager can be handed over to other financial institutions than Handelsbanken if you agree to it. This way you will have the opportunity to see the information in the online bank of this institution. You agree to the disclosure by entering the online bank of the relevant financial institution. The institution will automatically route you to our online bank, where you must consent to the handover. Your consent can later be withdrawn from our or the other institution's online bank.
5. To whom do we provide personal information?
Handelsbanken will only disclose personal information about you if we have a legal basis for the disclosure, such as if it is necessary to fulfill an agreement with you or if there is a legal duty to provide information or the right to provide information, such as to the police, debt information companies, Finanstilsynet or the tax authorities. Personal information can also be disclosed to other banks and financial institutions as long as the law allows it, and the duty of confidentiality does not prevent this. If it is necessary to satisfy the Handelsbanken Group's management, control or reporting requirements pursuant to a statutory provision, we will also share personal data with another company in the group or group. All Handelsbanken's employees are subject to a duty of confidentiality, and sign a declaration of confidentiality before they are given access to personal information.
Further examples of who we share personal information with:
• Approved credit reporting companies when applying for loans, such as Experian
• Payment service providers involved in a payment transaction as far as is necessary to complete the transaction in a secure manner
• Payment intermediaries when we make a payment you have initiated, such as Mastercard or Vipps
• Foreign banks when we make payments or other orders you have placed, which are part of the transaction chain
• Citibank for customers who have the product Premium Depot and VP Depot. Customers with these products can choose Tax Service as a voluntary service. To perform this service, information about name, customer number, address and tin number must be provided to Citibank in order to fulfill the agreement with the customer. In addition, the authorities in some countries require that individual accounts be established for the customer in Citibank, which means that the customer's name is handed over to Citibank. Citibank is responsible for the processing of the information provided and information on how Citibank processes personal data can be read more about in Citibank's privacy statement.
6. Transfer to countries outside the EU / EEA
Handelsbanken processes your personal data mainly in countries within the EU / EEA. In some cases, it may be necessary to transfer personal data to recipients outside the EU / EEA, so-called third countries. For example, this may happen when we share your personal information with the Handelsbanken Group or a subcontractor, with operations in countries outside the EU / EEA. Handelsbanken will only transfer your personal data to third countries if the transfer takes place with a sufficient degree of protection. This means that the transfer is only carried out if the third country has the same degree of protection as countries within the EU / EEA, in line with the Personal Data Act and the Privacy Ordinance. Your rights to the personal data (see section 9) are not affected by the transfer of the personal data to third countries. Handelsbanken will mainly transfer personal data to third countries the USA and India. It is often in connection with us using subcontractors with headquarters in the USA, e.g. Microsoft, and a subcontractor with support functionality for the operation of Mastercard's IT systems in India. You will find more information about which recipients we share information with under point 5 [link]. A typical example of such a transfer may be when you want to transfer money to another bank in connection with a money transaction from a bank in the EU / EEA to a bank outside the EU / EEA.
If you want more information about Handelsbanken's transfer of personal information to third countries, you are welcome to contact us. See contact information under point 12 [link]. You can also find more information about requirements for the transfer of personal data to third countries and what is considered an "adequate degree of protection" for the transfer of personal data to countries outside the EEA on The Norwegian Data Protection Authority Opens in a new window.
Handelsbanken's basis for the transfer of personal data to third countries
The transfer of personal data to third countries is based on one of the following grounds:
• Adequacy decision (Article 45 of the Privacy Regulation)
The European Commission has decided that some third countries have rules that adequately protect personal data in line with countries within the EU / EEA. This means that your personal data is transferred to an "adequate" third country where the data is still protected against unauthorized access, and that you can assert your rights to the personal data. This applies to Canada, New Zealand and Japan, among others. See a total overview of which countries this applies to: Adequacy decisions | European Commission (europa.eu) Opens in a new window
• The European Commission's Standard Contractual Clauses (SCC) (Article 46 of the Privacy Regulation)
Based on the EU Commission's standard clause, the recipient of the personal data is obliged to process the data in accordance with the requirements for privacy in the EU / EEA. Handelsbanken assumes that the recipient's national legislation also protects personal data, in addition to implementing additional guarantees and measures to protect personal data. This basis is often used for transfer to the USA, typically where we use a subcontractor with headquarters in the USA.
• Binding Corporate Rules (BCR) (Article 47 of the Privacy Regulation)
Binding business rules are internal rules for the transfer of personal data within a group, and are relevant where it is necessary to transfer personal data to a part of the group in a third country. In some cases, this basis can be used through our subcontractors. For example, Mastercard may transfer personal information about you in connection with a money transaction to another part of the Mastercard Group in a third country.
7. Use of data processors
A data processor is a company that processes personal data on our behalf and only in that way and for the purposes we determine. Therefore, the use of data processors is not a disclosure of personal information. When we use data processors to collect, store or otherwise process personal data on our behalf, we will enter into an agreement with the data processor to ensure that the processing of the information is in accordance with the privacy regulations and the bank's requirements for processing personal data. This includes IT providers, such as TietoEVRY, payment services such as Mastercard, and securities services such as Euronext VPS.
8. Storage time
We delete your personal information when the purpose of the processing of the information has been fulfilled. This means, among other things, that we store personal information for as long as is necessary to fulfill the agreement we have entered into with you.
Even if the agreement has been terminated, there is still some information we can and must keep. One reason for this is to comply with statutory obligations for storage. For example, it follows from the money laundering regulations that we must store information obtained in connection with customer control for five years after the customer relationship has ended. The information must then be deleted after one year. Furthermore, the bank has the right to retain some information about the contractual relationship and payment information after the customer relationship has been terminated in order to be able to meet possible future claims as a compensation claim, see section above on «Documentation and other». We retain such information until any claims will be obsolete and only a few people will have access to the information.
Examples of storage time for personal data:
• Information relating to the prevention, detection and investigation of money laundering, terrorist financing and fraud: up to ten years after the termination of the customer relationship or the transaction was completed
• The Accounting Act sets requirements for storage for: up to ten years
• Requirements and obligations regarding payment services: five years
• Loan offer: up to 6 months after the offer was given
Personal data that is processed in order to safeguard a legitimate interest in the business is deleted when we can no longer document a legitimate interest that outweighs privacy considerations.
9. Social media
The bank is active in several different social media, such as Facebook, Instagram, and LinkedIn. If you contact us via our social media accounts, your personal information will be collected and processed by us, as well as by the individual social media in accordance with their privacy statement.
The purpose of using social media is to market Handelsbanken NUF, and reach out to several of Handelsbanken NUF's target groups and communicate with customers and other stakeholders. Examples of personal information that can be processed are usernames, comments you write in the comments field, that you "like" content and messages you write to the bank as a direct message. The bank will delete personal or sensitive personal information you write in the comments field or in the instant message.
The legal basis for the processing is a legitimate interest. The bank has a legitimate interest in reaching out to new target groups, and in communicating with existing and potential customers.
The bank and some social media have a joint processing responsibility , which means that you as an individual have the right to assert your rights against both parties. The bank is only responsible for the processing associated with the bank's account and the personal information the bank has access to. You can read more about how the responsibility for your rights under the Privacy Ordinance is distributed via this link here Facebook. You can read more about your rights in relation to Handelsbanken in section 10.
As a user of social media you can find more information about how Meta processes your personal information on, for example, Instagram, Facebook or LinkedIn in their privacy statement. You can find the privacy statement on their respective websites. Remember that you must never provide personal information on our wall, our posts or in the chat.
Furthermore, the bank processes aggregate information about visits and activity on our pages on social media for statistical and analytical purposes. We can not link the information to you as an individual, and the information is therefore not considered personal information. We have access to the information as long as our page on social media is maintained, but Handelsbanken does not store the information itself. You can delete the information about yourself at any time.
10. Your rights
As Registered, you have a number of rights. These are described in more detail below. Your rights can be exercised without incurring any costs on your part.
You can demand access to registered personal information, a description of the types of information that is processed and further information about our processing of the information. The information must be provided in writing and electronically if the request is electronic. In some cases, there are exceptions to the right of access. This is for example where we are required by law to maintain confidentiality or where it is required to keep the information secret for the sake of prevention, investigation, disclosure and legal prosecution of criminal acts or if information is only found in documents prepared for internal case preparation and exceptions from the right of access are necessary to ensure proper case processing.
Furthermore, you have the right to have information corrected, for example if we have registered incorrect or incomplete information about you.
You also have the right to request that your information be deleted, where the information is no longer necessary for the purpose for which it was collected or where consent to the processing is withdrawn. This does not imply an obligation to delete the information if there is still a need to process the information for the purpose. The same applies if we still need the information to fulfill a legal obligation or to determine, enforce or meet a legal claim or claim for damages as described above.
You have the right to object to the processing of your personal data that takes place on the basis of legitimate interests unless our such interests override your fundamental rights or freedoms. In cases where the processing of your personal data is based on our legitimate interest and the information is used for direct marketing and profiling in connection with such marketing, you always have the right to raise objections to the processing.
You can ask us to limit the processing of your personal data to storage only if you dispute the accuracy of the information we have registered about you or the legality of the processing, or if you have objected to the processing of the information in accordance with your right of objection. Processing will be limited to storage only until the information is corrected, or it can be determined that our legitimate interests take precedence over your interests.
If you do not have the right to delete the information we have registered about you, you can instead request that we limit the processing of this information to storage only. If the processing of the information that we have registered about you is necessary to promote a legal claim, you can also demand that other processing of this information be limited to storage. We may process your information for other purposes if this is necessary to advance a legal claim or if you have given your consent to this.
If you request a restriction on the processing of your personal data, this may lead to certain products and services no longer being available to you.
You are also entitled to data portability in some cases. This means that you are entitled to have personal information you have provided to us disclosed in a simple, machine-readable format. The right to data portability applies where the processing is based on consent or agreement and where the processing of the information is automated.
You have the right to withdraw consent you have given for the processing of personal data at any time. Future processing of personal data based on consent will cease. The processing of personal data that has already been completed will not be affected by your withdrawal of consent.
If you want to use any of your rights, you can contact our Privacy Officer at po-no@handelsbanken.no. In order to respond to your inquiry, we must confirm your identity. We do this to ensure that we only give access to your personal information to you and not to others who pretend to be you. We will respond to your inquiry to us as soon as possible, and no later than 30 days.
11. Security
Handelsbanken processes personal data to protect you against misuse of these, unintentional access, and secure the bank's values, for example by logging on to servers and operating infrastructure. In order not to weaken the security of personal information about you, we cannot go into detail about how the information is secured. Nevertheless, it is a clear goal for us to ensure a secure and sufficiently secure processing of personal data, whether it takes place through securing electronic systems, our websites and applications, physical security of premises or by other means.
Communication of information where confidentiality is required
For security reasons, we would like to inform you that sending and receiving e-mail from ordinary e-mail accounts without encryption does not imply a sufficiently secure communication of the e-mail's content. We ask you to avoid sending us e-mails containing birth numbers or other personal information that requires protection. For the dissemination of such information, we recommend that you use the mailbox in online banking for secure transfer of information or Digipost.
Security
Opens in a new window
12. Contact information and complaint
If you have a question or want to complain about how we handle your personal information, you can contact our privacy representative at Digipost at Handelsbanken DPO or e-mail: dpo-no@handelsbanken.no. We will reply you within 30 days.
You also have the right to submit a complaint to the supervisory authority regarding our handling of your personal information. More information about complaints to the Norwegian Data Protection Authority can be found at datatilsynet.no Opens in a new window.
13. Changes and updates
We are constantly working to improve our products and services. If we change the way we process personal information, we will update this privacy statement. When we make changes to this statement, we will change the revision date at the top of this page, and a modified privacy statement will take effect from the revision date. We therefore recommend that you check from time to time if there have been any changes in the statement.