1 Who is the controller?
Which branch formally carries out the processing of your personal data depends on which products you have entered into an agreement for. The branch that processes your personal information will be stated in the agreement you have entered into with us. The operation of Handelsbanken Eiendomskreditt NUF is placed under Handelsbanken NUF. This means that Handelsbanken AB (by Handelsbanken NUF) is also a data processor in this relationship; see more about this below in section 7.
2 Where do we collect personal data from?
- Public registers such as the National Population Register, the Brønnøysund Registers, and registers managed by the tax authorities and crime-fighting authorities
- Sanctions lists maintained by international organizations such as the EU, the UN and the Office of Foreign Assets Control (OFAC)
- Credit bureaus
- Agents and distributors
- Information services related to licensees and politically exposed persons
- Account information from financial institutions other than Handelsbanken when you use various payment services or want to collect your account information in one place
- Debt register with information on consumer debt
Handelsbanken also has a central group customer register. We collect some information from this, but of course only within the limits of the law. Examples of such information may be your name and contact information. Still, you can consent to sharing more information between the companies in the Handelsbanken Group; see more about the group customer register and consent below.
3 What types of personal information do we collect?
Identification information such as birth number and copy of identification papers.
Contact information such as name, telephone number, address and e-mail address.
Financial information such as transaction data, balance from other banks, credit history and updated debt and tax information, including income information
Information necessary to comply with statutory obligations such as anti-money laundering and reporting to public authorities.
Special categories of personal information such as trade union membership for certain products.
4 Legitimate grounds and purpose for processing
4.1 To enter into or fulfill an agreement
Handelsbanken processes your personal information if it is necessary for entering into an agreement with you or to fulfill the agreement(s) you have entered into with us. This can be an account agreement, loan agreement or similar. We also need to process your personal data if you place a Handelsbanken card in a digital wallet, or if you use one of our apps. Retention of contact information, contract documentation, recording of transactions and payments, as well as information from communication with a customer advisor, are key examples of daily processing we must carry out in order to fulfill ongoing agreements between us and our customers.
- Mobilbank PM
- Mobilbank BM
- Garmin Pay
- Fitbit Pay
Duty of storage in accordance with the accounting regulations
Reporting to tax authorities, regulators and police authorities
Requirements and obligations related to payment services
Other obligations related to product-specific legislation for funds, securities, mortgages or mortgages
Electronic Signature Act
4.3 Legitimate interest
We also process personal data when it is necessary to protect a legitimate interest that outweighs your privacy. We carry out concrete and documentable balancing-of-interests tests before such processing is carried out. For example, Handelsbanken is of the opinion that it has a legitimate interest in processing personal data for the following purposes:
- Handelsbanken NUF
- Handelsbanken Eiendomskreditt NUF
- Handelsbanken Liv NUF
- SHB Liv Forsikringsaksjeselskap NUF
Account information from payment accounts that you own or have charge of can be disclosed to other financial institutions than Handelsbanken if you consent to it. This gives you the opportunity to view the information in the online bank of this institution. You consent to the disclosure in the online bank of the relevant financial institution. The institution will automatically route you to our online bank, where you must consent to the transfer. Your consent may later be withdrawn in our or the other institution's online bank.
5 Who do we disclose personal data to?
Disclosure to affiliates and payment service providers may be necessary for the bank to provide services and products to you. For example, we provide information to credit reporting agencies when applying for loans, and to payment service providers involved in a payment transaction as far as necessary to secure the transaction. In cases where the bank carries out payment orders to or from abroad, certain personal information will necessarily have to be disclosed to the foreign bank or banks that are part of the transaction chain.
If you use another payment service provider to initiate payments from accounts at Handelsbanken, we will share the personal information needed to make the payment. This applies, for example, if you pay from one of your Handelsbanken accounts through Vipps.
6 Transfer to third countries
We will only transfer personal data to third countries if the transfer takes place with an adequate degree of protection. We will then use special agreements based on EU Model Clauses with those who handle your personal data, or transfer to parties who are US Privacy Shield certified or have approved corporate rules (BCR). You can find more information about such security mechanisms at datatilsynet.no. All sharing will be in accordance with the laws and regulations Handelsbanken is subject to, and your personal data will not be used for anything other than what we have already informed you of.
In some cases, we are also obliged to disclose personal information to the authorities of a third country.
7 Using Data Processors
When Handelsbanken NUF provides services on behalf of Handelsbanken Eiendomskreditt NUF, this means that Handelsbanken AB, at Handelsbanken NUF, is the data processor for Stadshypotek AB, at Handelsbanken Eiendomskreditt NUF. Furthermore, we use, for example, data processors in connection with IT deliveries and the provision of payment services.
8 Data retention
Even after the agreement has been terminated, there is still some information we can and must keep. One reason for this is to comply with statutory storage obligations. For example, according to the money laundering regulations, we must store information obtained in connection with customer control for five years after the end of the customer relationship. The information should then be deleted after one year. Furthermore, the bank has the right to retain some information about the contractual relationship and payment information after the customer relationship has been concluded in order to meet possible future claims, such as a claim for damages; see the section above on "Documentation and other". Such information will be retained until any claims are outdated, and only a few people will have access to the information.
The personal information we process on the basis of your consent will be deleted if you withdraw your consent. Personal data processed to safeguard a legitimate interest in the business is deleted when we can no longer document a legitimate interest that outweighs your right to privacy.
9 Your rights
As a Data Subject you have a number of rights. These are described in more detail below. Your rights can be exercised without incurring any costs on your part.
You may demand access to registered personal data, a description of the types of data processed and further information about our processing of the data. The information must be provided in writing and electronically if the request is electronic. In some cases, there are exceptions to the right of access. This is, for example, where we are required by law to maintain confidentiality or where it is required to keep the information confidential for the purposes of prevention, investigation, disclosure and legal prosecution of criminal offenses, or if information is contained only in documents prepared for internal case preparation and exceptions to the right of access are required to ensure proper case management.
Furthermore, you have the right to have data corrected, for example if we have incorrect or incomplete data recorded about you.
You also have the right to request that your information be deleted where the information is no longer necessary for the purpose for which it was collected or where the consent to the processing is withdrawn. This does not imply an obligation to delete the information if there is still a need to process the information for the purpose. The same applies if we still need the information to fulfill a legal obligation or to establish, enforce or comply with a legal or compensation claim as described above.
You have the right to object to the processing of your personal data on the basis of legitimate interests unless our interests override your fundamental rights or freedoms. In cases where the processing of your personal data is based on our legitimate interest and the information is used for direct marketing and profiling in connection with such marketing, you are always entitled to raise objections to the processing.
You may ask us to limit the processing of your personal data to storage only, if you dispute the accuracy of the information we have recorded about you or the legality of the processing, or if you have objected to the processing of the information in accordance with your right to object. The processing will be limited to storage only until the information has been corrected or it may be determined that our legitimate interests take precedence over your interests.
If you do not have the right to delete the information we have recorded about you, you may request that we limit the processing of this information to storage only. If the processing of the information we have recorded about you is necessary to put forward a legal claim, you may also require that other processing of this information is restricted to storage. We may process your information for other purposes if this is necessary to further a legal claim or if you have consented to it.
If you request a restriction on the processing of your personal data, some products and services may no longer be available to you.
You are also entitled to data portability in some cases. This means that you are entitled to obtain personal data that you have provided to us in a simple, machine-readable format. The right to data portability applies where the processing is based on consent or agreement and where the processing of the data is automated.
If you would like to exercise any of your rights, please contact our Privacy Officer at firstname.lastname@example.org. In order to respond to your request, we must confirm your identity. We do this to make sure that we only give access to your personal information to you and not to others who claim to be you. We will respond to your inquiry as soon as possible, and within 30 days at the latest.
Handelsbanken processes personal data to protect you from misuse of such data, unintentional access and in order to safeguard the bank's values, for example when logging on servers and operating our infrastructure. In order not to compromise the security of your personal data, we cannot go into detail about how the data is secured. Nevertheless, it is a clear goal for us to provide a safe and sufficiently secure processing of personal data, whether it is through the security of electronic systems, our websites and applications, physical security of our premises or by other means.
Communication of information where confidentiality is required
For security reasons, we would like to inform you that sending and receiving e-mails from ordinary e-mail accounts without encryption is not a sufficiently secure way of transmitting the e-mail content. Please avoid sending us e-mails containing your national ID number or other personal data that requires protection.
If you need to send us information as mentioned above, we recommend that you use the mailbox in the online bank or Digipost for the secure transfer of information.
11 Contact information and complaints
If you have a question or would like to complain about how we handle your personal data, please contact our Data Protection Officer at: email@example.com. We will reply within 30 days.
You also have the right to file a complaint with the regulating authority regarding our handling of your personal data. More information about the complaint to the Data Inspectorate can be found at datatilsynet.no.
12 Changes and Updates
We are constantly working to improve our products and services. If we change the way we process personal data, we will update this privacy notice. When we make changes to this notice, we will change the revision date at the top of this page, and a revised privacy notice will take effect from the revision date. We therefore recommend that you periodically check for changes to the notice.