Processing of Client Data

• Client (or you) is any natural person who uses, has used or has expressed a wish to use the services or is otherwise related to the use of any service or user or who has any other relationship with Swedbank. The principles are also applied to a client relationship that has arisen before the principles entered into force. All the rights of the data subject specified in the legislation regulating data protection apply to the client.
• Business client is any legal person that uses, has used or expresses a desire to use the services.
• Controller is Swedbank, who determines the purposes and means of processing client data. Swedbank AS is the controller of your personal data when it provides banking services to you. Swedbank AS may also be a processor when it provides services on behalf of other Swedbank Group companies. For example, if you have a car lease, the controller is Swedbank Liising AS. The controller for Swedbank pension funds is Swedbank Investeerimisfondid AS, for property insurance (e.g. home insurance) Swedbank P&C Insurance AS, and for life insurance Swedbank Life Insurance SE.
• Processor is any natural or legal person who processes client data on behalf of Swedbank. Swedbank engages processors for the processing of client data and takes the necessary steps to ensure that the authorised processors process client data on the basis of an agreement or applicable law and in accordance with Swedbank’s documented instructions.
• Data protection legislation means all European Union and national data protection legislation that Swedbank is obliged to comply with, such as the General Data Protection Regulation of the European Union.
• EU/EEA means the European Union / European Economic Area.
• Client data is any information known to Swedbank (including bank secrecy and information treated as personal data) about the client and business client.
• Processing means any operation or set of operations which is performed with client data, whether by automated means, such as collection, storage, organisation, retention, adaptation, modification, consultation, use, combination, deletion or destruction.
• Recipient is a natural or legal person, public sector institution or other body to whom Swedbank has the right to disclose client data. The categories of recipients are described in more detail in Section 1.6 ‘Recipients, processors, and sources of client data’.
• Legislation means all legal acts, rules, and guidelines applicable to Swedbank, including legislation on the prevention of money laundering and terrorist financing, banking secrecy, business activities, data protection, taxes, accounting, credit, payments, payment services, insurance, leasing, investments, and financial activities.
• Services are all services and products related to financing, saving, investing, lending, bank accounts, cards, payments, insurance, pension, and leasing, or the products and services of Swedbank’s cooperation partners, which Swedbank provides to the client at a branch, via the website, Internet Bank, mobile app, telephone or video.
• Swedbank (or we) means any legal entity or branch belonging to Swedbank Group that has its registered office in Estonia. The list of the Swedbank Group companies in Estonia is available on the website at www.swedbank.ee.
• Swedbank Group means Swedbank AB (publ.), a public limited company incorporated in Sweden, and all legal entities in which Swedbank AB (publ.) (AS) directly or indirectly has a controlling influence (subsidiaries).
• Profiling is the automatic processing of client data, which is used to assess certain personal aspects of the client to analyse or forecast, for example, the economic situation, personal preferences, interests, reliability, behaviour. More information on profiling can be found in the principles under the “Sections ‘Financing’, ‘Investment services’, ‘Life insurance services’, ‘Non-life insurance services’, and ‘Marketing’.
• Automated decision-making refers to taking decision without human participation (i.e. the decision is made using only technological means), including profiling, which has a legal or other significant impact on the data subject. More detailed information on Swedbank’s automated decision-making can be found in Sections ‘Financing’, ‘Life insurance services’, and ‘Non-life insurance services’.

Swedbank collects client data directly from the client and from external sources, such as public and private registers or other third parties, when concluding an agreement and using the services (see Section ‘Recipients, processors, and sources of client data’).

Swedbank records phone calls, visual images, video and/or audio, records emails or otherwise documents client communications with Swedbank.

Examples of categories of client data processed by Swedbank include:

Identification data, such as name, personal identification code, date of birth, data of an identity document.

Contact details, such as address, telephone number, email address, language of communication.

Financial data, such as transactions, loans, income, liabilities, assets, ownership.

Account details, such as bank account number, card number.

Data on the client’s financial experience, such as data collected during the selection and provision of investment services and other investment-risk products.

Data about trustworthiness and due diligence, such as data on payment behaviour, damage caused to Swedbank or a third party; as well as data regarding existing and previous insurance contracts and declarations (e.g. duration of the insurance relationship and claims history, history of insurance risk assessment, including rejected claims); information that allows Swedbank to perform its due diligence obligations relating to the prevention of money laundering and terrorist financing and to ensure compliance with international sanctions, including an understanding of the purpose of the business relationship, the client’s transaction partners and payment practices, whether the client is a politically exposed person, the origin of the client’s wealth, and the origin of the assets used in the transaction.

Data obtained and/or created in the performance of an obligation arising from legislation, such as data that Swedbank must provide to authorities, such as tax authorities, law enforcement agencies, including data on income, loans, real estate, notations and arrears; as well as data submitted to the motor third party liability insurance fund, including data on concluded insurance contracts and insurance indemnities paid.

Data concerning communication and devices, such as video or audio recordings, which are collected when the client visits Swedbank’s offices or other places where Swedbank provides its services, and when the client uses ATMs or communicates with Swedbank by phone. In addition, other data collected via email, messages, and other communications channels, such as data related to the client’s visit to Swedbank’s websites or communication through other Swedbank’s channels (e.g. the Internet Bank and the mobile app).

Data on habits, preferences, and satisfaction, such as activity in the use of services, services provided, personal preferences, answers to surveys, client satisfaction; as well as hobbies and/or personal habits that may affect the client’s health, are risk factors that may be assessed during the conclusion of an insurance contract.

Family data, such as information about the client’s family, kinship relationships, and other related persons.

Demographic data, such as country of residence, date of birth, and citizenship.

Children’s data, such as data collected and processed when the child uses services or when the child is a beneficiary or insured person specified in the insurance contract.

Professional data, such as data on education or professional career.

Data on the relationship with legal entities, for example, the data of the representative provided by the client or obtained from public registers or through third parties for the purpose of concluding transactions on behalf of the said legal person.

Client’s status, such as the client programme (private banking, gold customers, seniors, young people), to which the client belongs, information that the client belongs to the client programme, or the level of risk assigned to the client and business client.

Sensitive data, such as special types of client data (e.g. health data) and data on convictions and offences. To provide some services, Swedbank needs to process sensitive client data, for example, if the data is necessary for the provision of insurance services, the submission of claims or the performance of a legal obligation.

Swedbank processes client data on the following legal bases:

• performance of an agreement is the legal basis for taking, at the request of the client, the necessary steps before the conclusion of an agreement, as well as the conclusion of an agreement with the client and the modification, performance, management, and termination of the agreement concluded;
• compliance with legal obligations is the legal basis on which Swedbank processes client data in order to fulfil its legal obligations;
• legitimate interest is the legal basis on which the processing of client data is necessary for Swedbank’s business interests and outweighs the interests of the client;
• public interest is the legal basis where it is provided for by law and it is necessary for the performance of a task carried out in the public interest; in these cases, client data can only be processed to the extent provided for by applicable law, for example, for the purposes of preventing money laundering and terrorist financing and enforcing sanctions;
• consent is the legal basis on the basis of which Swedbank processes client data if the client has given their consent. The client may withdraw their consent at any time.

Swedbank uses both recipients and processors to process client data.

The recipient is a natural or legal person, public sector body, agency or other body to whom Swedbank discloses client data and who may process client data as an independent controller. If the recipient processes client data as an independent controller, they are obliged to inform the client about the processing of client data. If necessary, the client can contact the recipient for the relevant information.

Examples of recipients to whom Swedbank discloses client data are:

• legal entities belonging to the Swedbank Group and their branches;
• public authorities such as supervisory authorities, tax authorities, law enforcement and bailiffs, trustees in bankruptcy, notaries, out-of-court dispute resolution bodies;
• financial and legal advisers, auditors or other service providers of Swedbank, persons authorised by Swedbank;
• third parties keeping registers, such as payment default registers, population registers, commercial registers, securities registers, Pensionikeskus or other registers in which client data are stored or mediated;
• debt acquirers and debt recovery service providers (debt collection service providers);
• persons who ensure the proper performance of the client’s obligations, such as surety providers, guarantors, and collateral holders;
• persons involved in the provision of services to Swedbank, such as providers of communication and postal services and persons providing services to the client if the client orders e-invoices for the services.

Information about the recipients in connection with the specific purpose of processing client data can be found in Section ’What are our purposes?“.

The processor processes client data on behalf of Swedbank. When using processors, Swedbank ensures that the processors process client data in accordance with Swedbank’s instructions and in accordance with legislation, and implement proper security measures.

For example, Swedbank’s processors are:

• legal persons belonging to the Swedbank Group and their branches if they process data on behalf of Swedbank;
• other persons involved in the provision of services to Swedbank, such as providers of video surveillance, information technology, web hosting, cloud computing, archiving and printing services, technical experts and assessors.

Swedbank uses cookies on its website. Cookies are used in accordance with Swedbank’s cookie policy, which is available on the website at https://www.swedbank.ee/private/home/more/legislation.

As a general rule, client data is processed in the EU/EEA. Swedbank transfers client data to countries outside the EU/EEA only in exceptional cases and provided that there is a legal basis for this and one of the following conditions is met:

• there is an adequate level of data protection in the country outside the EU/EEA where the recipient is located, as decided by the European Commission. The list of countries recognised by the European Commission so far that provide adequate protection is available on the European Commission’s website.;
• the controller or processor has put in place appropriate safeguards, such as adopting EU standard contractual clauses or other contractual clauses, codes of conduct or certification mechanisms. The applicable standard contractual clauses of the Treaty on European Union, which Swedbank uses when transferring personal data to third countries, can be found here;
• there is an exception for a specific situation, such as the client’s explicit consent, the performance of an agreement with the client or the conclusion or performance of an agreement with a third party in the interest of the client, the establishment or defence of legal claims, important reasons of public interest.

The client receives additional information from Swedbank concerning the transfer of client data to countries outside the EU/EEA by submitting a corresponding application to Swedbank.

Swedbank stores the client data collected during the business relationship after the end of the business relationship. Swedbank stores client data based on the retention periods provided by legislation for the preparation and submission of claims or a legitimate interest in order to protect the interests of Swedbank.

Examples of retention periods:

• client data is necessary to protect the legitimate interests of Swedbank in the event of a civil law claim – a maximum of 10 years from the expiry of the agreement;
• client data is necessary for the performance of a legal obligation arising from the law related to the prevention of money laundering and terrorist financing – 5 years from the end of the business relationship;
• client data is necessary to protect the legitimate interests of Swedbank if Swedbank is under investigation or in litigation – until the end of the investigation and litigation;
• client data is processed in connection with video surveillance – a maximum of 90 days.

Why Swedbank processes client data: to ensure the legal obligation to identify the client and, where applicable, to identify the client’s representative and the persons involved in occasional transactions.

How Swedbank processes client data: in order to verify your identity, you will be asked to provide a valid identity document and, if necessary, other documents relevant for identification. Swedbank uses authentication tools to verify identity. Client data is shared with the Swedbank Group companies operating in Estonia in order to provide clients with the services of these companies.

Identification

Identity document submitted for identification is verified by Swedbank through an e-inquiry in the Police and Border Guard Board.

If you conclude a service agreement on behalf of a child, the identity of the child and your right to represent the child are also verified through the population register.

In order to ensure that your identification data is correct and up-to-date, Swedbank will ask you to regularly update the client data. The data in the identity document obtained from the population register are updated automatically.

Swedbank shares client identification data with the Swedbank Group companies registered in Estonia, depending on the products and services used or requested by the client in order to ensure that client data is correct and up-to-date in all entities of the Swedbank Group.

Authentication

During authentication, Swedbank verifies the identity of the client when the client uses the services at a bank branch or remote channel, for example, calls the Consultation Centre or uses the Internet Bank.

Authentication tools offered by Swedbank or other companies, such as SK ID Solutions AS (Smart-ID, Mobile-ID), are used for authentication. The client may also use an ID card or other solutions (biometrics (fingerprint and facial recognition), PIN in Swedbank mobile app, PIN calculator) as a means of authentication. If you use an authentication tool provided by another company, we will share your identity verification data, communication and device data (such as the IP address and device type) with that company and inform them that you are using Swedbank services.

Why Swedbank processes client data: to fulfil a legal obligations to prevent money laundering and terrorist financing and to comply with international and national sanctions.

How Swedbank processes client data: Swedbank collects data directly from clients and from external sources (e.g. public registers). The aim of collecting and analysing data is to fulfil the ‘Know Your Client’ (KYC) principle. In cases required according to the legislation, data is also transferred to recipients.

Swedbank is obliged by legislation to perform due diligence activities, including understanding the purpose and nature of the business relationship and occasional transactions. This helps to protect the public interest and ensure that services are used for legitimate purposes, and protected against misuse. Swedbank must assess the risks related to money laundering and terrorist financing and comply with and, if necessary, implement the established European Union and UN, as well as national sanctions. Swedbank also has a legitimate interest in ensuring compliance with the financial sanctions imposed by the United States of America and the United Kingdom.

Swedbank is obliged to identify the client (see Section ‘Identification and authentication’), and the client is also asked to provide accurate and truthful information about themselves. In specific cases, Swedbank may ask for documents confirming the submitted data. Swedbank uses client data obtained from external registers, such as population registers, commercial registers, or obtained directly from the client. Swedbank also uses the data published in the media about the client. To fulfil legal obligations or in case of a legitimate interest, Swedbank checks client data against sanctions lists to make sure that the services are not provided to sanctioned persons or persons related to the sanctions, or that the services are not used to violate or evade sanctions.

During the business relationship, Swedbank will ask you to update the provided client data on a regular basis or in a specific case. Swedbank verifies whether the data obtained from the above-mentioned external registers is up-to-date. The legislation also obliges Swedbank to constantly monitor your activities and transactions to ensure that there is no risk-raising circumstances in connection with them and that they are not subject to sanctions. Due diligence activities and its regularity depend on Swedbank’s assessment of the client’s risk of money laundering and terrorist financing.

Swedbank has a legal obligation to report suspicions of money laundering and terrorist financing to the authorities (Financial Intelligence Unit) and ensure the confidentiality of reports. Swedbank is obliged not to disclose information about the processing of personal data carried out within the framework of legislation and the Money Laundering and Terrorist Financing Prevention Act in the field of money laundering and terrorism and non-proliferation financing, unless the data is publicly available.

For the purposes described above, Swedbank also processes the data of persons related to business clients. Swedbank identifies the representatives of a legal person (legal representatives, authorised persons, persons belonging to the highest management body of the company, including a procurator, trustee in bankruptcy) and asks to provide their personal data, demographic data, contact details, and data on connections with other legal entities. Swedbank also asks to provide identification data and demographic data of the company’s shareholders. The company is obliged to disclose its final beneficiaries and provide their identification data, demographic data, and contact details. If necessary, the company is asked to provide additional documents and information about the final beneficiaries, such as evidence of wealth and the origin of assets or data on relations with other legal entities. Swedbank also regularly collects and updates the client data of the company’s representatives, shareholders, and final beneficiaries from external registers, such as the population register, commercial registers, property registers (e.g. land register), sanctions lists, and publicly available information (media).

Why Swedbank processes client data: to provide everyday banking services, such as current accounts, deposits, payment services, and other everyday banking services, as well as for ensuring the management of your client relationship and access to services.

How Swedbank processes client data: processing includes the collection of client data from you and your use of the services, the transfer of client data to a recipient for the performance of a service contract and the receipt of personal data from third parties such as other payment service providers.

Current account

When you open an account with Swedbank, we process your data to fulfil the agreement concluded with you and to provide you with other services related to the current account that you wish to use.

In addition, we need to share client data about the accounts with us and related data with the tax authority, trustee in bankruptcy, notary, and other entitled persons.

If you use the account information service in Swedbank to see information about your payment account opened with another payment service provider, that payment service provider will, at your request, provide Swedbank with data on the designated account and related payment transactions.

If you have submitted a request to access your payment account information opened with Swedbank with another payment service provider, we will disclose to that account information service provider information about your designated Swedbank account and related payment transactions.

Payment cards

When you apply for a Swedbank payment card and enter into a payment card agreement, Swedbank processes your data for the purpose of concluding and fulfilling a payment card agreement, including ordering a card, personalising and activating the card, providing assistance with card-related issues, and preventing card fraud.

In order to carry out card transactions (including transactions initiated by merchants), Swedbank processes client data for the purpose of authorising and invoicing the transaction. If you make a complaint about a card transaction, transaction data is shared with the relevant international card organisation (such as Mastercard).

If you order an additional payment card linked to your account, Swedbank will process the data of the additional card holder.

For these purposes, Swedbank processes your identification data, account data, contact details, professional data, children’s data, demographic data, communications and device data (e.g. when to allow and manage digitised cards and mobile contactless payments), family data, financial data, data on reliability, habits, preferences, and satisfaction.

Payments

Swedbank processes client data when making payments, including the provision of payment initiation services. In order to provide these services, Swedbank processes client data (including sharing data with third parties, such as the payee, payment service providers, payment systems, correspondent banks, and other similar persons), as indicated by the client when placing the payment order or how it is necessary for the execution of the payment order. When proxy payments are made, your data (phone number, name, and IBAN) will be shared with the payee.

Swedbank processes client data in order to start a payment transaction from your account initiated at your request at a third-party payment service provider. For that purpose, client data, such as authentication data, account details, and device data, will be disclosed to that payment service provider.

Why Swedbank processes client data: to offer credit products.

How Swedbank processes client data: client data collected from you, internal and external sources (e.g. Commercial Register, Land Register, Population Register, Payment Default Register). Client data is disclosed to the recipient (see Section ‘Recipients, processors, and sources of client data’) if there is a legal ground for doing so.

Swedbank collects and processes client data, including automatically, in order to assess the client’s creditworthiness and offer suitable credit products. The client has the right to challenge the automated decision and ask a Swedbank employee to review it. In order to assess creditworthiness, the client data specified in the request and the client data collected from internal and external data sources are verified.

If you enter into a credit agreement, the fulfilment of which is guaranteed by third parties (e.g. surety providers, KredEx, holders of collateral), client data will be transmitted to them.

The extent to which client data is processed depends on whether you are a client entering into an agreement or have another role in the financing process, for example, you are the seller of the leased property or the holder of the collateral.

If the client fails to fulfil their obligations, Swedbank will publish data about the client’s debt to the payment default register (e.g. Creditinfo Eesti AS) in accordance with the terms and conditions notified at the conclusion of the credit agreement. Swedbank also discloses client data to persons who are involved in processing overdue debts.

For these purposes, Swedbank processes your identification data, demographic data, family data, health data, contact details, account data, financial data, data on your association with legal entities, reliability data, and professional data.

Why Swedbank processes client data: to advise you on selecting the right product for you and the services of your choice.

How Swedbank processes client data: client data is collected from you, as well as when you use our services, including when you interact with Swedbank, and from external sources (e.g. AS Pensionikeskus, Central Register of Securities). As part of the suitability assessment, the processing of your client data also includes profiling.

Investment services

When providing investment services, Swedbank processes client data for the safekeeping of your securities, the execution of orders and corporate events related to securities, the provision of investment advice or portfolio management services to you, and the provision of other investment services.

This includes use of profiling to assess the suitability and appropriateness of a particular service or security for you before providing it.

According to legislation, when providing investment services, we must record phone calls and video streams.

Swedbank processes client data to provide clients with mandatory reports on expenses and fees, execution of transactions, losses in securities and securities held, and other types of reports.

Client data will be disclosed to local and foreign supervisory authorities and tax authorities, central securities depositories, stock exchanges or other execution venues, issuers of securities or third parties appointed by issuers, management companies, and other financial intermediaries.

For these purposes, Swedbank processes your identification data, contact details, children’s data (if the child uses the services), family data, demographic data, professional data, financial data, financial experience data, account data, data on habits, preferences, and satisfaction, data on reliability, data on communications and devices, data on connections with legal entities, client status data and other client data that is necessary under specific terms of service.

Pension funds

If you invest in Swedbank pension funds, Swedbank processes client data, for example, to provide you with the necessary information, to process your orders for buying and selling of fund units, to keep records of your accounts, and pay-outs from funds. In addition, we exchange information about your investments in pension funds with the pension registrar, who keeps a record of all investments made in your pension funds.

Based on your application, we will transfer your pension fund payments or cash received from the redemption of your accured pension fund units from Swedbank to other pension funds managed by third-party management companies.

For these purposes, Swedbank processes your account data, demographic data, contact details, financial data, and identification data.

Why Swedbank processes client data: to provide life insurance and/or investment risk life insurance services, including the assessment of your individual risk and the calculation of the insurance premium, the handling of claims related to the insurance contract, and the payment of insurance indemnities.

How Swedbank processes client data: client data is collected from you and external sources (doctors and medical institutions), and regularly updated. Depending on the life insurance service, client data is disclosed to the recipient.

You are applying for insurance, have entered into an insurance contract or have submitted an application for insurance indemnity

When you submit an application for a risk-based life insurance contract, Swedbank processes client data to assess the insurance risk related to you, calculate the insurance payment and the sum insured, and make a decision on concluding an insurance contract. Among other things, Swedbank processes health data automatically and makes automated decisions based on profiling to make quick decisions about concluding an insurance contract. If you need additional information or want the decision to be made by an employee, you have the right to challenge the automated decision and ask a Swedbank employee to review it. For the above purposes, Swedbank processes health data received from you, doctors, and medical institutions, as well as health data related to your existing and previous insurance contract(s), claims submitted, and insured event(s).

When applying for a unit-linked life insurance contract, Swedbank processes client data, including the use of profiling, to assess the suitability and relevance of the relevant service for you.

After concluding the insurance contract, Swedbank processes client data for the purpose of amending and terminating the contract, refunding the insurance premium, making payouts, and taxing the insurance indemnity. In addition, Swedbank processes client data for sending notices related to the insurance contract and mandatory notices and annual reports if you have entered into an insurance contract with an investment risk.

For these purposes, Swedbank processes personal identification data, account data, contact details, financial data, family data, children’s data, health data, data on links with legal entities, communications and device data, client status data and demographic data, data on the client’s financial experience, data on reliability and due diligence.

If you have submitted an insurance benefit application, Swedbank processes client data for the purpose of handling the claim, including making a decision and paying the insurance indemnity. To this end, Swedbank processes health data received from you, doctors, and medical institutions, as well as client data related to your existing and previous insurance contract(s), claims submitted, and insured event(s). To make a decision and pay indemnity, Swedbank also processes your financial data, which we have received from Swedbank and the public authorities, as well as client data, such as data on criminal convictions and offences. In addition to the personal data listed above, Swedbank also processes your professional data, data on habits, preferences, and satisfaction.

Processing of personal data for the purpose of managing the insurance risk

If you have submitted an insurance indemnity application, we will provide the reinsurance undertaking with your client details (including health data) to fulfil our obligations under the reinsurance contract.

For the said purpose, Swedbank processes your identification data, account data, contact details, financial data, family data, children’s data, health data, professional data, data on criminal convictions and offences, data on connections with legal persons, data concerning communications and devices, data on habits, preferences, and satisfaction, and demographic data.

Why Swedbank processes client data: to provide the non-life insurance service of your choice, including the assessment of your insurance risk and the calculation of your insurance premium, the handling of claims related to the insurance contract, and the payment of insurance indemnities.

How Swedbank processes client data: client data is collected from you and external sources, and is regularly updated. Based on the non-life insurance service, client data is disclosed to the recipient for the conclusion and performance of the agreement.

You are applying for insurance, have entered into an insurance contract or have submitted a claim

If you have submitted an application for concluding an insurance contract, Swedbank processes client data to assess your reliability and, based on your risk level, calculate the insurance premium and determine the conditions. For this purpose, Swedbank processes client data automatically, including profiling. If we need additional information, or if an additional risk assessment is necessary, or if the client wants the decision to be made manually, our specialist will evaluate the received request. Swedbank processes client data that we receive from registers and client data that we have about you, such as data about previously concluded insurance contracts and insured events that have occurred, and data that we receive from legal entities belonging to the Swedbank Group.

After the conclusion of the insurance contract, Swedbank processes the client’s data for the purposes of renewal of the contract, amendment and termination of the insurance contract, and refunding of the insurance premium. In addition, Swedbank processes client data for sending notices and mandatory notices related to the insurance contract. For these purposes, Swedbank processes your identification data, account data, contact details, financial data, family data, children’s data, health data, professional data, data on criminal convictions and offences, data on connections with legal persons, data concerning communications and devices, data on habits, preferences, and satisfaction, client status data, and demographic data.

If you have submitted a claim application, Swedbank processes client data for the purpose of handling the claim, including making a claim decision and paying the insurance indemnity in the event of an insured event. Swedbank processes client data received from other insurance companies, registrars, authorities, doctors and medical institutions, as well as client data, including health data, that Swedbank has in connection with your previous claims. In addition, Swedbank processes your professional data, data on convictions and offences, and data on habits, in addition to the personal data listed above.

If you need medical assistance in connection with a travel insurance insured event in a country outside the EU/EEA, Swedbank will transfer your personal data to that country to confirm the validity of the insurance cover. Your personal data will be transferred to a country outside the EU/EEA to handle motor third party liability insurance claims for insured events related to that country. Client data must be transferred for the performance of the agreement concluded between you and Swedbank.

Swedbank processes client data in order to offer an insurance payment that corresponds to your risk and to develop pricing models, to inspect the quality of vehicle repairs, and bring a claim for damages against the third party who caused you the damage or against another insurance provider or you. We may also transfer your personal client data, including health data, to a reinsurance undertaking in order to fulfil our obligations under the reinsurance contract relating to the handling of the claim and the receipt of insurance indemnity.

In addition, Swedbank processes client data in order to inform the mortgagees about setting a term for you to pay the insurance premium and about the cancellation of the agreement and the occurrence of an insured event. Also in order to inform mortgagees about the existence of insurance cover and the amount of the insurance sum. At the request of another insurance service provider, we will provide them with the personal client data necessary to file a claim for refund in order to determine the obligation to indemnify the damage. For these purposes, Swedbank processes your identification data, account data, contact details, financial data, family data, children’s data, health data, professional data, data on criminal convictions and offences, data on connections with legal persons, data concerning communications and devices, data on habits, preferences, and satisfaction, and demographic data.

Why Swedbank processes client data:to prepare and provide offers that meet the needs of the client and business client, to provide relevant information, and to organise opinion surveys, lotteries, campaigns, and client programmes.

How Swedbank processes client data:Swedbank collects client data, including to create your profile, to provide you with personalised marketing communications. To achieve this goal, we share client data with the Swedbank Group companies operating in Estonia.

Profiling and your marketing rights

Swedbank carries out profiling to assess which products and services may be suitable and relevant to your interests and needs. This allows you to receive offers and services tailored to you.

Swedbank automatically collects and processes client data to create a client profile and thereby make recommendations and offers to the client. Such data includes, for example, information about the client’s product portfolios and service usage. We also collect data about the client’s financial situation, behaviour, and habits, which are based on the client’s use of the service, the transactions made by the client, and the information provided by the client to Swedbank. Such data is used to create profiling that is necessary to serve the client in the client programme (e.g. young or gold customers) and to make suitable offers to the client. As a result of the processing, advice and provision based on the needs of the client, involvement of the client in client programmes, and thus the application of special prices and service conditions are provided.

You have the right to object at any time to the processing of personal data for marketing purposes or to withdraw your consent to the processing of data.

Preparation of offers

We want to provide you with the best user experience and prepare relevant offers at the most appropriate time. As a result of identifying the interests and needs of the client and business client, we prepare various offers:

• personal recommendations – practical marketing offers to choose the services that are most suitable for you, to improve your daily use or to avoid inappropriate use, and other proposals that best serve your interests and needs, such as product upgrades, replacements;
• personal loan and insurance limits – a practical calculation designed to help you understand what loan and lease options and insurance payments are available to you;
• offers made in cooperation with partners – practical offers that help you choose suitable services and discounts from Swedbank’s cooperation partners; client data is not shared with these partners;

From time to time, we conduct opinion surveys among our clients, also using the services of professional market research companies.

If you are interested in tracking and categorised insights on your spending, as well as spending across all your accounts in one view, you can use the ‘My Budget’ tool, which is available in the Internet Bank and the mobile app.

For these purposes, Swedbank processes your identification data (except for your personal identification code), contact details, account details and demographic data, information about the products/services/channels already used by the client, the client’s previous experience in using them, financial data, as well as data indicating whether the client is entitled to receive offers from the client programmes. If the client uses Swedbank’s website, Internet Bank or mobile app, we also take into account the client’s browsing behaviour and targeted technologies. In the case of offers with financing and insurance limits, Swedbank first considers whether the client meets the basic loan and insurance conditions before establishing the limits.

Compiling other information

To inform clients and business clients about Swedbank’s news and services, we prepare two types of information for them:

• relevant information – information designed to invite a client to events, send them greetings and newsletters;
• client satisfaction surveys – questionnaires asking you to give feedback on the services used and help Swedbank to improve them.

For this purpose, Swedbank processes account data, client status data, data on habits, preferences, and satisfaction, communications and device data, contact details, demographic data, family data, identification data (except personal identification code), and financial data.

Receipt of offers and relevant information

As a client, you may receive marketing offers and other relevant information through four communications channels:

• email;
• SMS;
• telephone;
• post.

The offers and other information you receive will vary depending on the channel you choose. Each offer and other information has a communications channel, for example, some offers and surveys are sent only by email, other types of offers also via Internet Bank and mobile app.

Client programmes

Swedbank offers its clients a variety of client programmes. For example, special service conditions, better prices and/or added value are available to the programme participants. For Swedbank to be able to add and apply the special terms and conditions of client programmes, Swedbank processes client data automatically. Information about the processing of personal data in connection with the client programme is provided in the terms and conditions of the programme or in an additional notice. Client data is processed for the above purpose if the client does not object to the processing, or if the client agreed to the terms and conditions of the client programme and thus also agreed to participate in the programme.

To include clients in the client programme, Swedbank processes identification and contact information for each programme. Based on the programme, Swedbank processes relevant additional categories of personal data, such as demographic data, data on client status, data on relationships with legal entities, data on communication and devices, account data, data on habits, preferences, and satisfaction, and financial data.

Lotteries and campaigns

Swedbank processes client data for the purpose of conducting raffles and campaigns – this means involving clients who meet the criteria of participants in the raffle, campaign or client programmes. The client has the right to demand that they are removed from the list of participants in the raffle, campaign or client programme.

To organise raffles, competitions, campaigns, and events for its clients, Swedbank processes account data, professional data, financial data, contact details, data on habits, preferences, and satisfaction, demographic and family data, identification data, as well as data on connections with legal entities.

Why Swedbank processes client data: to ensure the quality of the service and to protect the interests of the client and Swedbank, to handle client complaints, and to comply with legislation.

How Swedbank processes client data: Swedbank records telephone and video calls. In addition, Swedbank processes client data, which is collected via email, bank messages, and other communications channels.

For these purposes, Swedbank processes your communications and device data, account data, client status data, professional data, financial data, data on habits, preferences, and satisfaction, family data, children’s data where the service relates to children, contact details, reliability data, data on links with legal entities, data obtained in the performance of a legal obligation, identification data and demographic data, special categories of data (health data) where necessary in connection with a non-life and life insurance service or a client complaint.

Why Swedbank processes client data: to provide consultations and service to the clients.

How Swedbank processes client data: Swedbank processes your data when we serve you at a Swedbank branch and when we communicate with you by telephone, chat, email, and other means of communication. Client data, such as contact details, is transferred to the Swedbank Group companies operating in Estonia to ensure that personal data is up to date.

Swedbank processes client data that is available to Swedbank, such as financial data, to provide you with the requested consultation.

For these purposes, Swedbank will process your contact details, information about the service requested, the service provided and/or the performance of the service agreement, when we provide you with information and communicate with you by telephone, chat, email, and other communications channels as necessary in connection with the provision of the service.

Why Swedbank processes client data: to comply with risk management obligations established by legislation, to comply with capital requirements, to prevent fraud and to manage potential incidents.

How Swedbank processes client data: we disclose client data to recipients, such as public authorities and the Swedbank Group companies.

Risk management is important for Swedbank to provide services to you and protect your money from fraudsters. The goal of Swedbank is to maintain a low level of risk in its activities, as this is the basis for building trust and offering you greater value in the long term.

In the field of risk management, we use client data for the following purposes:

• assessment and management of credit risk, liquidity risk, market risk, and counterparty risk;
• mitigation of risks and performance of Swedbank’s capital requirements;
• settlement of incidents and personal data breaches that may affect Swedbank’s core processes and services;
• detection, investigation, and reporting of potential suspicious transactions and market abuse;
• monitoring of transactions, including card transactions, in order to detect and prevent fraud, and to review, assess, and respond to activities identified as potential fraud;
• compliance with legislation and internal regulations;
• assurance of business continuity and crisis management;
• communication with supervisory and other authorities, including regular mandatory and ad hoc reporting, an obligation to alert public authorities about suspicious behaviour in relation to client market abuse, cooperation with public authorities in carrying out various supervisory procedures or investigations;
• cooperation with and provision of information to an external auditor.

Why Swedbank processes client data: to manage, maintain, develop, analyse, and improve business activities, services, and your user experience.

How Swedbank processes client data: we process client data when we manage and archive our documents, carry out analyses and tests to improve our service, security, and compliance of IT solutions.

Swedbank must keep accounting data. As part of this, Swedbank processes your identity data, account data, contact details, and demographic data when submitting and issuing invoices.

The processing of personal data is also necessary for activities that support the main activity. This includes, for example, document management and archiving, including the storage of information stored on paper and digitally.

Swedbank’s legitimate interest is to maintain, develop, research, and improve its business activities and services, as well as the client’s user experience. This includes, but is not limited to, the use of your data to manage our website and network, including testing to ensure the quality, security, and compliance of the IT solution used.

Why Swedbank processes client data: Swedbank processes client data related to business clients, including the client data of a representative of a business client, for the purpose of concluding and storing agreements, communicating with business clients, providing contractual services, and ensuring compliance with applicable law. For the sake of clarity, the concept of client includes all natural persons related to a business client, whose data is processed by Swedbank.

How Swedbank processes client data: client data is collected from the client, business client, and external sources, and is regularly updated. Client data is disclosed to the recipient for the purpose of concluding and performing an agreement with a business client and for complying with legislation.

The European Union’s General Data Protection Regulation does not apply to business clients. Business client data is protected by banking secrecy and their disclosure is regulated by legislation. Swedbank may disclose or transfer business client data to the recipient to the extent necessary to achieve the purposes of the data transfer.

If you represent a business client, Swedbank processes client data, for example, to communicate with business client’s representatives and contact persons, and to keep the information of legal and authorised representatives up to date. This ensures that only persons with the right of representation can sign agreements, make transactions, submit documents, access information or perform other necessary actions on behalf of a business client. For more information on data processing related to a particular service, please refer to the specific service in Section „What are our purposes?“.

Business client data is also processed for the purpose of preventing money laundering and terrorist financing and complying with international and national sanctions, see for more details in Section ‘Prevention of money laundering and terrorist financing and compliance with sanctions’.

In the course of assessing the creditworthiness of a business client, Swedbank processes client data of persons related to the business client. These are shareholders with a holding in the company of 20% or more, the final beneficiaries, as well as members of the board of directors and procurators. For this purpose, Swedbank obtains data from Creditinfo Eesti AS on the external credit history of persons closely related to the company. This allows Swedbank to assess whether financing services can be provided to clients who are legal persons, and reduces the risks of insolvency for the credit provider.

For the purposes listed above, the categories of personal data processed include identification data, contact details, professional data, data relating to links with legal entities, reliability and due diligence data, demographic data, financial data, data obtained in the performance of a legal obligation, data relating to convictions and offences, other client data (if a business relationship with a business client is terminated because it ceases to exist, we need to keep records of the business client’s status in our systems so as not to prevent some activities, such as communication and reporting).

Why Swedbank processes client data: ensuring the security of Swedbank’s visitors, employees, premises and assets; protecting Swedbank’s claims, as well as detecting and preventing illegal activities.

How Swedbank processes client data: Swedbank uses surveillance cameras in its premises and ATMs. Areas with video surveillance are marked with a corresponding sign.

If Swedbank uses video surveillance in its branches, personal data is included in visual images, and video and audio recordings.

Visual images, video and audio recordings containing client data are shared with the relevant recipient if the recorded material is needed for criminal investigations, or with the recipient who maintains the video surveillance systems on behalf of Swedbank.

The client has the following rights under data protection legislation:

• to receive information if Swedbank processes client data and, if so, to access the data;
• to request the correction of their client data if it is inadequate, incomplete or incorrect;
• to request the erasure of their client data, for example, if client data is processed on the basis of consent and the client has withdrawn their consent. This right does not apply if the client data, the erasure of which the client requests, is also processed on other legal grounds, for example, on the basis of an agreement or for the legal obligations;
• to restrict the processing of their client data;
• to object to the processing of their client data if the processing is based on the legitimate interest of Swedbank, including profiling for direct marketing purposes (e.g. sending marketing offers or participating in surveys);
• to receive their data, which the client has provided themselves and which is processed on the basis of consent or for the performance of an agreement, in writing or in a commonly used electronic format, and, if technically possible, to transfer such data to another service provider (the right to data portability);
• to withdraw their consent to the processing of client data;
• to request that no decision based solely on automated processing, including profiling, be taken in respect of them if it produces legal effects concerning them or significantly affects them. This right does not apply if the decision-making is necessary for the conclusion of an agreement with the client or for the performance of the concluded agreement, or if the decision is permitted under data protection legislation or if the client has given their express consent;
• to express their point of view and ask Swedbank to involve its employee in the review process.

The client can access a large part of the client data in Swedbank’s Internet Bank.

Swedbank processes a large amount of client data. In order to complete the client’s inquiry as correctly as possible, Swedbank may ask the client to specify the information, processing operations or time period to which the client’s request relates.

The client can exercise the rights of the data subject by submitting an inquiry to Swedbank via the Internet Bank or a branch, or by calling the Consultation Centre or sending a digitally signed inquiry by email. A response to the client’s inquiry is provided no later than one month after receiving the inquiry; if necessary, this period may be extended by up to two months.

The client may change data, preferences (manage consents) and choices in the Internet Bank or mobile app, at a Swedbank branch or by calling the Swedbank Consultation Centre.

The right to the protection of client data is not an absolute right. Swedbank provides the client with the information that Swedbank is allowed to provide to the client as a data subject, considering that the right of access must not harm the rights of other persons, including trade secrets or intellectual property and, above all, the copyright protecting the software. In cases provided for in legislation, Swedbank may also forward the information to the client at a later date, restrict its transmission or refuse to transmit it if it may hinder or damage the prevention, detection or prosecution of criminal offences or the execution of penalties, damage the rights and freedoms of others, endanger national security, the protection of public order or hinder official investigations or proceedings.

Legislation may restrict Swedbank from providing the client with information about the processing of client data within the framework of legislation, for example, the processing of data in the field of international sanctions and the prevention of money laundering and terrorist financing, except for publicly available data.

The client can lodge a complaint with the Data Protection Inspectorate (website www.aki.ee) if the client considers that the processing of their client data infringes their rights and interests under data protection legislation.

The client may contact Swedbank in connection with any request and withdrawal of consents. In addition, the client may request exercise of their rights in the processing of client data and file complaints about the use of client data. The contact details of Swedbank are available on the website of Swedbank at www.swedbank.ee.

The client may contact Swedbank’s designated data protection officer by sending an email to andmekaitse@swedbank.ee or by post to Liivalaia 8, 15040 Tallinn, Estonia, marked as ‘Data Protection Officer’.

Swedbank has the right to unilaterally amend the principles at any time in accordance with legislation by notifying clients of the amendments via Swedbank’s website, Internet Bank notice, text message (SMS) or email no later than one month before the amendments enter into force.

The principles are drafted in Estonian and translated into English and Russian. In the event of a dispute, the Estonian version of the principles is legally binding.

The principles will enter into force on 1 September 2023 and the latest version is available in Swedbank’s branches and on the website at www.swedbank.ee.