Privacy notice

This privacy notice describes how we process your personal data and your data protection rights. You can rest assured that we make every effort to process your personal data in a satisfactory manner and in accordance with legal requirements for the processing of personal data.
The privacy notice was last modified 15.04.2024

  • Svenska Handelsbanken AB NUF and Stadshypotek AB NUF are Norwegian branches of Svenska Handelsbanken AB and Stadshypotek AB, respectively. Svenska Handelsbanken AB and Stadshypotek AB are the data controllers responsible for the branches' processing of your personal data. When we use words such as "Handelsbanken" and "we" in this privacy notice, we are referring to Svenska Handelsbanken AB NUF and Stadshypotek AB NUF, as it is the branches that perform the day-to-day processing of your personal data on behalf of the data controllers. 

    Which branch processes your personal data depends on which products you have with us. This will typically be stated in the agreement you have entered into with us.

  • Personal data is any information relating to an identified or identifiable person. In the operation of our business, we process personal data about the following:

    • Existing customers, 
    • Potential customers,
    • Former customers,
    • Guarantors,
    • Beneficial owners,
    • Authorised representatives (holders of power of attorney) and individuals sharing accounts, 
    • Business card holders, 
    • Guardians and those with parental responsibility,
    • Contact persons and other persons associated with our business customers and private customers, suppliers and business partners, 
    • Visitors to our website, our social media pages, and/or our premises.

  • We mainly collect personal data directly from you, for example when you complete an application form and customer declaration form or contact one of our branches. Some data is generated when you use our services, such as online banking or mobile banking. We also collect personal data in connection with camera surveillance of our bank premises and ATMs, and through statutory audio recordings of telephone conversations. 

    In order to offer you services and comply with legal requirements, we will also collect personal data from other sources such as: 

    • Public registers and public authorities. This includes Folkeregisteret and Brønnøysundregistrene, as well as registers administered by the tax authorities nationally and internationally and crime-fighting authorities. 
    • Sanctions lists maintained by international organisations and other countries' authorities such as the EU, the UN, the Office of Financial Sanctions Implementation (OFSI) and the Office of Foreign Assets Control (OFAC).
    • Credit reporting companies.
    • Agents and distributors.
    • Information services related to the identification of beneficial owners and politically exposed persons.
    • Account information from financial institutions other than Handelsbanken, when you use various payment services or wish to collect your account details in one place.
    • Debt information companies.
    • Business partners and third parties, such as publicly available and/or open sources.

  • Below you will find the types of personal data that Handelsbanken collects. Note that the personal data collected depends on the product or service we offer you as a customer or what other relationship you have with us. 

    • Identification information, such as customer number, national identity number and copies of identification documents. 
    • Contact information, such as name, telephone number, address and e-mail address. We use these to, for example, ensure that you are the correct recipient for information and documents.
    • Neutral customer information, such as contact details and non-detailed product information.
    • Financial information, such as income data, credit history, expenses, employment and updated debt and tax information. We use this, for example, in connection with credit assessments that we must carry out before we can offer you a loan or other form of credit and/or in connection with investment advice.
    • Transaction data, such as place of payment, payee and amount, card purchase, repayment of loan or deposit.
    • Information to fulfil statutory obligations relating to, for example, compliance with sanctions and anti-money laundering regulations and tax reporting. This may include information about beneficial owners, expected use of the bank’s services, origin of funds and assets, close associates who are politically exposed persons, where people/entities are resident/domiciled for tax purposes, foreign tax identification numbers, etc. This also includes reporting to public authorities, such as tax information in connection with tax reporting. Other examples are information on investment competence, risk classification, risk tolerance and loss tolerance capacity, which is information we are required by law to process in connection with investment services and advice.
    • Your contact preferences, how you would like to be contacted (e.g. for marketing purposes).
    • Other agreement information, such as copies of the agreements you have with us and information related to your agreements, in order to be able to manage and follow up your ongoing agreement with us. This category also includes your communication with us about contractual relationships, such as advice or questions about your products.
    • Special categories of personal data, such as health information or union membership, are processed only when strictly necessary. For example, we will process information about your trade union membership to ensure that you are eligible for particularly favourable terms that your union or association has negotiated on behalf of its members. In some cases, it may be necessary to process health information, for example if it is necessary to grant a grace period. In such cases, we will process as little information as possible, and we will not store information about diagnoses.
    • Information on criminal offences, such as information on criminal convictions and offences, including information on whether you have been sanctioned under a sanctions programme (if the sanctions programme contains any details of criminal offences) and information from publicly available sources. 
    • Communications, via e-mail, chat, SMS or other channels. 
    • User data generated when you use our services, such as information about how you use our services, device identifiers, clicks and preferences. 

  • Purpose: To provice services to you, such as banking and financial services (this may include account agreements, payment agreements, loan agreements, conducting securities trading, as well as communication in connection with this.
    Type of data and source: Contact information, transaction data, financial information. The information is collected from you.
    Legal basis: To fulfil our agreement with you.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: To process applications relating to our services, e.g. applications for credit cards and credit.
    Type of data and source: Financial information, identification information. The information is collected from you, credit referance agencies and/or public registers.
    Legal basis: To enable us to enter into an agreement with you as our customer.
    Storage time: Stored for up to 6 months from when the offer was made.

    Purpose: To assess whether you are eligible for special favourable terms.
    Type of data and source: Special categories of personal data (trade union membership). The information is collected from you.
    Legal basis: Consent. You can withdraw your consent at any time by contacting us. If you are a member of the Norwegian Association of Lawyers of the Norwegian Bar Association, we process your trade union membership to provide you with particularly favourable terms as a data processor.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: Prevention and detection of criminal offences, such as money laundering and terrorist financing, as well as sanctions violations.
    Type of data and source: Identification information, transaction data, information to fulfil statutory obligations, including any special categories of personal data and, where applicable, information on criminal offences. The information is collected from you, public and open sources and registers and possibly other reporting entities (e.g. other banks). 
    Legal basis: To fulfil our legal obligations under applicable anti-money laundering and sanctions regulations, etc.
    Storage time: Stored for up to 10 years after the customer relationship has ended or the transaction was completed.

    Purpose: Tax reporting
    Type of data and source: Identification information, financial information and transaction data.
    Legal basis: To fulfil our legal obligations under applicable tax administrations (the Tax Administration Act and the Tax Administration Regulation).
    Storage time: Stored for 10 years after the end of the reporting year.

    Purpose: To document the content of communications about investment services.
    Type of data and source: Information to comply with statutory obligations (audio recordings), communications. The information is collected from you.
    Legal basis: To fulfil our legal obligations under securities regulations.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: To carry out suitability assessments in connection with investment and advisory services.
    Type of data and source: Information required to comply with statutory obligations (necessary information about customers or potential clients' knowledge and experience in the investment area, information about the client's financial situation and investment objectives, and the client's risk tolerance and ability to bear losses). The information is collected from you.
    Legal basis: To fulfil our legal obligations under applicable securities regulations.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: To offer you apps and digital wallets.
    Type of data and source: Transaction data, contact information. The information is collected from you.
    Legal basis: To fulfil agreements with you.
    Storage time: Store time depends on which apps and digital wallets are activated. More information is proviced in section 9 below.

    Purpose: To communicate with you, contribute to a good customer experience and handle any customer complaints and claims.
    Type of data and source: Contact information, transaction data, your preferences, communications. The information is collected from you.
    Legal basis: Our legitimate interests in communication with you, providing good customer service and safeguarding your and our interests. This includes, among other things, providing you with relevant information and measures to minimise the risk of fraud.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: Security measures in the form of camera surveillance at bank branches and ATMs, as well as visitor registration.
    Type of data and source: Camera recordings. The information is obtained from camera equipment, etc.
    Legal basis: Our legitimate interest in preventing and detecting criminal offences, as well as ensuring the physical safety of our customers and employees.
    Storage time: Deleted within 90 days and stored in a data centre with strict access control.

    Purpose: Disclosure and collection of account information to and from other financial institutions in order for you to view this information in your online bank with other financial institutions.
    Type of data and source: Transaction data. This information is collected from you and/or generated through the use of our services.
    Legal basis: Consent. You can withdraw your consent at any time in our or the other institution's online bank.
    Storage time: For as long as you have accounts with multiple financial institutions and do not withdraw your consent to the sharing of information.

    Purpose: To improve, analyse, maintain, develop, etc. products and services.
    Type of data and source: User data. The information is collected from you and/or generated through the use of our services.
    Legal basis: Our legitimate interest in improving, analysing, developing and maintaining our services.
    Storage time: Stored for up to 5 years after the information was collected.

    Purpose: To manage our relationships with corporate customers.
    Type of data and source: Contact information, communications. The information is collected from you and/or partners.
    Legal basis: Our legitimate interest in managing purchases, sales and other business activities.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: To register information about your customer relationships in a our group register.
    Type of data and source: Neutral customer information. The information is collected from you.
    Legal basis: Our legitimate interest in maintaining an overview of customer relationships across Handelsbanken, as a group of undertakers.
    Storage time: Stored for 2 years after the customer relationship ends.

    Purpose: To market our services and products, including to provide you with personalised marketing.
    Type of data and source: Contact information, other agreement information (information about which products and services you have purchased from us), your preferances. The information is collected from you.
    Legal basis: Consent for direct and personalised marketing. If you have an existing customer relationship with us, we may in some cases send you direct marketing based on our legitimate interest in marketing our offers. Other marketing, which is not direct or personalised, is also based on our legitimate interest.
    Storage time: If the marketing is based on consent: until you withdraw your consent. If the marketing is based on our legitimate interest, we typically store information relating to the marketing activity for 6 to 12 months.

    Purpose: To manage our social media pages.
    Type of data and source: Insights/statistics, communications (e.g. comments, likes, chat), profile information. The information is collected from you and/or via social media. 
    Legal basis: Our legitimate interest in communicating with users, customers and other business partners on social media. For more information, see section 10. 
    Storage time: We do not store personal data in our own systems for this purpose. The personal data is stored only in the social media service - and the storage time depends on the service in question. See section 10 for more information. 

    Purpose: Sharing of an account between two or more customers.
    Type of data and source: Contact information, financial information, transaction data. The information is collected from you and/or the others you share the account with.
    Legal basis: Our legitimate interest in allowing our customers the opportunity to share accounts. Information about your transactions etc. will be available to the account owner and others who may share the account. Before you choose to use a shared account, you must be aware that the account owner may in the future invite others to also share account.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: Documentation and legal claims.
    Type of data and source: Identification information, contact information neutral customer information, financial information, transaction data, information to fulfil statutory obligations, other agreement information, special categories of personal data, communications. The information is collected from you, registers, partners and/or generated through the use of our services.
    Legal basis: Our legitimate interest in being able to access background information should disagreements and/or claims (legal claims and/or compensation claims) arise. Access to this information is limited to employees who have a legitimate need for access to such information.
    Storage time: Stored for up to 13 years after the product/service ends. This enables us to have background information in cases of disagreements or if any claims were to arise.

    Purpose: Compliance with industry-specific legislation.
    Type of data and source: Information to fulfil statutory obligations. From you and/or records.
    Legal basis: To fulfil our legal obligation under industry-specific legislation. This includes: Accounting regulations, Tax administration regulations, Reporting obligations, Requirements and obligations related to payment services, Product-specific legislation for funds, securities, surety and mortgages, and, Electronic Signature Act.
    Storage time: Stored for up to 10 years after the end of the reporting year.

  • We use automated processing for some loan applications. If you wish, you can have your application processed manually. 

    You will be provided with more information about automated decisions when you apply for a loan through your online bank or app. 

  • We may disclose your personal data to the categories of recipients mentioned below, to the extent necessary and provided that our duty of confidentiality does not preclude the disclosure.

    • Public authorities or third parties, such as the police, debt information companies, the Financial Supervisory Authority of Norway or the Norwegian Tax Administration, if required to do so by law. 
    • Other companies in the Group, in order to manage our Group customer register or if it is necessary to satisfy the Group's statutory management, control or reporting requirements. 
    • Approved credit reporting companies, such as Experian, when you apply for a loan. 
    • Payment service providers involved in a payment transaction.
    • Payment processors, such as Mastercard or Vipps, when we make a payment you have initiated.
    • Other banks and payment institutions, when we make payments or other orders you have placed. The same applies to fraud and investigations pursuant to the Norwegian Money Laundering Act.  
    • Citibank for customers who have the product Premium Depot and VP Depot. Customers with these products can choose Tax Service as a voluntary service. In addition, the authorities in some countries require the creation of individual accounts for the customer in Citibank, which means that the name of the customer is provided to Citibank. You can read more about how Citibank processes personal data in Citibank’s
      privacy statement Opens in a new window
      .
    • Our suppliers, such as providers of websites and IT systems. We have agreements with the relevant suppliers to ensure that they do not process the data for purposes other than those described in this privacy notice. 
    • Our advisers and partners to the extent necessary to conduct business in a customary manner for our industry and to offer you a good customer experience, which may also include third parties in connection with possible mergers or transactions.

  • A processor is a company that processes personal data on our behalf. When we use processors to collect, store or otherwise process personal data on our behalf, we enter into an agreement with the processor. We do this to ensure that the use of the data is in accordance with the privacy regulations and the bank's requirements for the processing of personal data. Processors include IT providers and providers of payment services and securities services. 

    When Handelsbanken NUF provides services on behalf of Handelsbanken Eiendomskreditt NUF, this means that Handelsbanken AB, at Handelsbanken NUF, is the processor for Stadshypotek AB.

  • Handelsbanken processes your personal data mainly within the EEA. However, in some cases, it may be necessary to transfer personal data to recipients outside the EEA, as some of our suppliers or other group companies are located in such countries. 

    We will only transfer your personal data to third countries that the European Commission has decided have rules that adequately safeguard your data protection (adequacy decision) or if your personal data has the same degree of protection in the relevant third country as it would have in the EEA. This is ensured by, for example, putting guarantees in place in order to safeguard your privacy, such as the EU’s standard contractual clauses. If necessary, we will ensure that additional safeguards, such as encryption and pseudonymisation, are implemented to ensure an adequate level of protection.

    In cases where we transfer personal data to third countries, this mainly involves transferring personal data to the USA and/or India. This is often done in connection with us using subcontractors with headquarters in the USA, e.g. Microsoft, or a subcontractor with support functionality for the operation of Mastercard's IT systems in India. Another typical example of such a transfer may be when you want to transfer money to another bank in connection with a money transaction from a bank in the EEA to a bank outside the EEA. Contact us for more detailed information about transfers to countries outside the EEA.

  • Handelsbanken's apps

    Handelsbanken takes a proactive approach to information security in order to protect your data and ours against breaches of confidentiality, privacy and accessibility. For example, we require strong authentication when you log in to our services, and data transfers between you and our online bank or apps are encrypted.

    Our mobile apps require various permissions on your phone. Some of these are necessary for the apps to work on the phone and are automatically contained within the solutions. For example, the app will check if you are connected to the internet. Without internet access, you will not be able to log in. However, we only ask for the permissions that are necessary for the app to work and we cannot see any other information on your phone. Other functions are your user settings and you must actively give the app permission here for those you want to use. These permissions are stored only on your phone. You can withdraw and manage permissions that you have previously granted in the settings. 

    Your facial recognition and/or fingerprint data are stored only locally on your phone. Handelsbanken does not have access to this data, it only receives confirmation that the correct face/fingerprint has been verified. 

    The bank's other services will continue to be available on other platforms even if an app is uninstalled or the app's permissions are changed. This means, for example, that transaction data and other information stored in your online bank will not be affected if you uninstall or delete the app. Other information that is not directly linked to the app will also not be affected.

    Third-party applications

    You have the option to activate various third-party applications, including digital wallets. You will be provided with more information about what activation entails when activating via your online bank or the app.

    As of 15/04/2024, we offer the following apps and digital wallets:

  • The bank is active on several different social media platforms. If you visit our social media pages, we may, for example, process your user name, comments you write in the comments field, the fact that you “like” content and messages you write to us as a direct message. 

    We also process aggregated data about visits and activity on our pages on social media for statistical and analytical purposes. We cannot link the information to you as an individual. We have access to the information as long as our page on social media exists, but Handelsbanken does not store the information itself. 

    We and the individual social media platform have a joint processing responsibility, which means that you as an individual are entitled to assert your rights against both parties. We are jointly responsible for the processing related to our site/account. You can read more about the joint processing responsibility and the processing of your personal data on the social media platforms, such as LinkedIn Opens in a new window and Meta Opens in a new window (Facebook and Instagram). 

  • As a data subject, you have a number of rights. These are described in more detail below. 

    You have the right to request access to your personal data, a description of the types of data processed and further information about our processing of the data. In some cases, there are exceptions to the right of access. These include, for example, where we have a statutory duty of confidentiality or where we are required to keep the information secret for the purposes of the prevention, investigation, disclosure and legal prosecution of criminal acts or if information is only found in documents prepared for internal case preparation and exemptions from the right of access are necessary to ensure proper case processing.

    You have the right to have information corrected, for example if we have registered incorrect or incomplete information about you.

    You also have the right to request that your data be deleted, if the data is no longer necessary for the purpose for which it was collected or if you withdraw your consent to the processing. This does not mean we are obligated to delete the information if we still have a legitimate need to process the data for the purpose. The same applies if we still need the information to fulfil a legal obligation or to establish, exercise or meet a legal or compensation claim as described above.

    You have the right to object to the processing of your personal data that we process on the basis of legitimate interests. We will stop processing your personal data for this purpose unless we can demonstrate that there are compelling legitimate grounds for the processing that override your interests, rights or freedoms, or if the processing is necessary for the establishment, exercise or defence of a legal claim. However, we will always take into account objections to direct marketing, regardless of the legal basis. 

    You can ask us to restrict the processing of your personal data to storage only. You can do this if you dispute the accuracy of the information we have registered about you, the lawfulness of the processing, if you have objected to the processing, or if we no longer need the data but you still want the data to be stored because you are going to use it in connection with a legal claim. However, we may still process your data for other purposes if this is necessary to assert a legal claim or if you have given your consent to the processing. Note also that if you request that the processing of your personal data be restricted, this may lead to certain products and services no longer being available to you. 

    You are also entitled to data portability in some cases. This means that you are entitled to have the personal data you have provided to us made available in a simple, machine-readable format. You also have the right, where technically feasible, to have your personal data transferred directly from us to another data controller. The right to data portability applies where the processing is based on consent or agreement, and where the processing of the data is automated.

    You have the right to withdraw consent you have given for the processing of personal data at any time. Future processing of personal data based on consent will then cease. 

    If you would like to exercise any of your rights, please contact our Privacy Officer at po-no@handelsbanken.no. In order to respond to your enquiry, we will need to confirm your identity. We do this to make sure that we only give access to your personal information to you and not to others claiming to be you. We will respond to your enquiry as soon as possible, and no later than 30 days after receiving it. Sometimes a longer period of time may be required, in which case you will receive further information about this before 30 days have passed.

  • Handelsbanken processes personal data to protect you against misuse, unintentional access, and to safeguard the bank's assets. For example, through logging conducted on servers and operating infrastructure. In order not to compromise the security of personal data about you, we cannot go into detail about how the information is secured. Nevertheless, we have a clear goal to ensure the safe and sufficiently secure processing of personal data, whether through securing electronic systems, our websites and applications, physical security of premises or by other means.

    For security reasons, we would like to inform you that sending and receiving e-mail from ordinary e-mail accounts without encryption does not provide sufficiently secure communication of the e-mail's content. We ask you to avoid sending us e-mails containing national identity numbers or other personal information that requires protection.

    For the communication of such information, we recommend that you use the mailbox in online banking for secure transfer of information or Digipost.

  • If you have a question or wish to complain about how we process your personal data, please contact our Data Protection Officer at Digipost Opens in a new windowHandelsbanken DPO e-mail: dpo-no@handelsbanken.no. We will reply to you within 30 days. 

    You also have the right to lodge a complaint with the supervisory authority regarding our processing of your personal data. More information about complaining to the Norwegian Data Protection Authority can be found at datatilsynet.no. 

  • We are constantly working to improve our products and services. If we change the way we process personal data, we will update this privacy notice. When we make changes to this notice, we will change the revision date at the top of this page, and a modified privacy notice will take effect from the revision date. We therefore recommend that, from time to time, you check whether there have been any changes to the privacy notice.