Processing of Client Data

Your privacy is important to us

Taking care of the safety of clients’ data is our priority. We process your data to provide you with our products and services and to be able to do so continuously.

  • Data processing helps us to serve you better – your data helps us provide you with secure access to our products and services, as well as personalized support and advice
  • Your data is safe with us – we protect your personal data and ensure its confidentiality
  • You are in control of your data – you can view most of the personal data we hold, manage it and update your preferences

You can choose whether you want to receive marketing offers tailored to your own needs and those of your child(ren), and manage the communication channels for receiving them: email, SMS, phone, post.

We use cookies to ensure the technical sufficiency of the website and to make it easier to use. You can manage cookies or withdraw your consent at any time.

You can view and manage data you have provided to us, such as your address, phone numbers and data from the customer questionnaire.

The Principles of Processing Client Data (hereinafter principles) describe how and on what basis Swedbank processes client data.

Client data processing in specific areas is described in more detail in chapter 2, ‘Why and how Swedbank processes client data’, depending on the service a client uses and/or on the nature of the client’s relationship with Swedbank.

Additional information about data processing may also be found in service agreements and related documents, as well as on our website or upon request. Please find information on exercising data subject rights and our contact details at the end of this document.

  • A client (or you) is any natural person who uses, has used, or has expressed a wish to use Swedbank’s services, or has another connection to the use or users of Swedbank’s services, or who has another relationship with Swedbank. These principles also apply to a client relationship that has arisen before the principles entered into force. A client has the right to enjoy all rights of a data subject, specified in data protection legislation.
  • Business client is any legal person that uses, has used or expresses a desire to use the services.
  • Swedbank (or we) is a legal entity or branch that belongs to Swedbank Group and has its registered office in Estonia. The list of Swedbank Group companies in Estonia is available on our website at www.swedbank.ee.
  • Swedbank Group means Swedbank AB (publ.), a public limited company incorporated in Sweden, and all legal entities in which Swedbank AB (publ.) has a direct or indirect controlling influence (subsidiaries).
  • Data protection legislation means all the European Union and national data protection legislation that Swedbank is obliged to comply with, such as the General Data Protection Regulation of the European Union.
  • A data subject is any identifiable natural person, whose personal data Swedbank processes, such as clients, legal representatives, authorised persons, contact persons, counterparties, payers, board members, actual beneficiaries, and other data subjects provided for in the principles. Categories of data subjects referred to in this definition are included in the definition of a client.
  • Automated decision-making refers to taking a decision without human participation (i.e., making decisions by technological means only), which has a legal or other significant impact on the data subject. Detailed information on Swedbank’s automated decision-making is available in chapters 2.4 ‘Financing’, 2.6 ‘Life insurance services’, and 2.7 ‘Non-life insurance services’.
  • EU/EEA refers to the European Union / European Economic Area.
  • Client data is any information known to Swedbank (including bank secrecy and information treated as personal data) about a client and a business client.
  • Profiling is the automated processing of client data that is used to assess certain personal aspects of the client in order to analyse or forecast, for example, their economic situation, personal preferences, interests, reliability, and behaviour. More information on profiling can be found in the principles in chapters 2.4 ‘Financing’, 2.5.1 ‘Investment services’, 2.6 ‘Life insurance services’, 2.7 ‘Non-life insurance services’, and 2.8 ‘Marketing’.
  • Services are all services and products related to financing (e.g., lending, leasing, or other financing), saving, investing, bank accounts, cards, payments, insurance, and pension, or products and services of Swedbank’s cooperation partners that Swedbank provides to a client at a branch, on its website, in the Internet Bank or mobile app, by telephone or video.
  • Processing means any operation or set of operations that is performed with client data, either by automated or non-automated means, such as collection, storage, organisation, retention, adaptation, modification, consultation, use, combination, deletion, or destruction.
  • A controller is someone who, alone or jointly with others, determines the purposes and means of processing personal data. Swedbank AS is the controller of a client’s personal data when providing banking services. For example, if a client has a car lease agreement, the controller is Swedbank AS or Swedbank Liising AS, depending on which one is the lessor in the agreement. The controller for Swedbank pension funds is Swedbank Investeerimisfondid AS, for property insurance (e.g., home insurance) it is Swedbank P&C Insurance AS, and for life insurance Swedbank Life Insurance SE.
  • A recipient is a natural or legal person, a public sector institution, or another body to whom Swedbank has the right to disclose client data. Recipient categories are described in more detail in chapter 1.6 of the principles.
  • A processor is a natural or legal person who processes client data on behalf of Swedbank. Swedbank engages processors for the processing of client data and takes the necessary steps to ensure that the authorised processors process client data based on an agreement or applicable law and in accordance with Swedbank’s documented instructions.
  • Legislation means all legal acts, rules, and guidelines applicable to Swedbank, including legislation on the prevention of money laundering and terrorist financing, banking secrecy, business activities, data protection, taxes, accounting, credit, payments, payment services, insurance, leasing, investments, and financial activities.

Swedbank collects client data directly from the client, from Swedbank Group companies, and from external sources, such as public and private registers or other third parties to prepare an agreement for signing, during the conclusion and execution of an agreement, and while a client is using Swedbank’s services. See chapter 1.6 ‘Recipients, processors, and sources of client data’ for further information.

Swedbank collects client data by recording phone calls, visual images, video and/or audio, and emails, or by documenting client communication with Swedbank through other means. If the collected personal data is deemed neither necessary nor suitable for the stated purpose, it will not be processed further and will be deleted, if possible.

Examples of client data categories processed by Swedbank include:

Identification data, such as name, personal identification code, date of birth, data of an identity document.

Contact details, such as an address, telephone number, email address, language of communication.

Financial data, such as transactions, loans, income, liabilities, assets.

Account details, such as bank account number, bank card number.

Data on the client’s financial experience, such as data collected during the selection and provision of investment services and other investment-risk products.

Data about trustworthiness and due diligence, such as data on payment behaviour, damage caused to Swedbank or a third party; as well as data regarding existing and previous insurance contracts and declarations (e.g., the duration of insurance relationship and claims history, history of insurance risk assessment, including rejected claims); information that allows Swedbank to perform its due diligence obligations relating to the prevention of money laundering and terrorist financing; and to ensure compliance with international sanctions, including an understanding of the purpose of the business relationship; the client’s transaction partners and payment practices; whether the client is a politically exposed person; the origin of the client’s wealth; and the origin of the assets used in the transaction.

Data obtained and/or created in the performance of an obligation arising from legislation, for example, data that Swedbank must provide to authorities, such as tax authority and law enforcement agencies; this includes data on income, loans, real estate, notations and arrears; as well as data submitted to the motor third party liability insurance fund, such as data on concluded insurance contracts and insurance indemnities paid.

Data concerning communication and devices, for example, video or audio recordings, which are collected when a client visits Swedbank’s offices or other places where Swedbank provides its services, and when a client uses ATMs or communicates with Swedbank in another channel. In addition, other data collected via email, messages, and other communications channels, such as data related to a client’s use of Swedbank’s websites or communication through Swedbank’s other channels (e.g., the Internet Bank and the mobile app), and data on the use of devices, such as an IP address.

Data on habits, preferences, and satisfaction, for example, active use of services, services provided, personal preferences, answers to surveys, client satisfaction; as well as hobbies and/or personal habits that may affect the client’s health and may be assessed as a risk during the conclusion of an insurance contract.

Family data, such as information about the client’s family, kinship relationships.

Demographic data, such as country of residence, date of birth, and citizenship.

Children’s data, such as data collected and processed when the child uses services or when the child is listed as a beneficiary or an insured person in the insurance contract.

Professional data, such as data on education or professional career.

Data on the relationship with legal entities, for example, the data of the representative provided by the client or obtained from public registers or through third parties for the purpose of concluding transactions on behalf of the said legal person.

Client’s status, for example, the client programme (private banking, gold customers, seniors, youth) to which the client belongs; information that a client belongs to a client programme; or the level of risk assigned to a client and a business client.

Sensitive data, such as special types of client data (e.g. health data) and data on convictions and offences. To provide some services, Swedbank needs to process sensitive client data; for example, if the data is necessary to provide insurance services, submit claims, or perform a legal obligation.

Swedbank processes client data on the following legal bases:

  • Performance of an agreement is the legal basis for taking, at the request of the client, the necessary steps before the conclusion of an agreement, as well as the conclusion of an agreement with the client and the modification, performance, management, and termination of the agreement concluded.
  • Compliance with legal obligations is the legal basis on which Swedbank processes client data in order to fulfil its legal obligations.
  • Legitimate interest is the legal basis on which the processing of client data is justifiably necessary for our business interests and balanced with your interests and rights.
  • Public interest is the legal basis where it is provided for by law and it is necessary for the performance of a task carried out in the public interest; in these cases, client data can only be processed to the extent provided for by applicable law, for example, for the purposes of preventing money laundering and terrorist financing and enforcing sanctions.
  • Consent is the legal basis on which Swedbank processes client data if the client has given their consent. The client may withdraw their consent at any time.

Swedbank uses both recipients and processors to process client data.

A recipient is a natural or legal person, public sector body, an agency or another body to whom Swedbank discloses client data and who may process client data as an independent controller. If the recipient processes client data as an independent controller, they are obliged to inform the client about the processing of client data. If necessary, the client can contact the recipient for the relevant information.

Recipients to whom Swedbank discloses client data include:

  • Legal entities belonging to the Swedbank Group and their branches.
  • Public authorities such as supervisory authorities, tax authorities, law enforcement and bailiffs, trustees in bankruptcy, notaries, out-of-court dispute resolution bodies.
  • Financial and legal advisers, auditors or other service providers of Swedbank, persons authorised by Swedbank, consultants.
  • Third parties keeping registers, such as payment default registers, population registers, commercial registers, securities registers, Pensionikeskus or other registers in which client data are stored or mediated.
  • Debt acquirers and debt recovery service providers (debt collection service providers).
  • Persons who ensure the proper performance of the client’s obligations, such as surety providers, guarantors, and collateral holders.
  • Persons involved in the provision of services to Swedbank, such as providers of communication and postal services, and persons providing services to the client if the client orders e-invoices for the services.

Information about the specific purpose of processing client data is available in chapter 2 ‘Why and how Swedbank processes client data’.

A processor processes client data on behalf of Swedbank. When using processors, Swedbank ensures that when processing client data, the processor adheres to Swedbank’s instructions and applicable legislation, and implements proper security measures.

Swedbank’s processors include:

  • Legal persons belonging to the Swedbank Group and their branches if they process data on behalf of Swedbank.
  • Other persons involved in the provision of services to Swedbank, such as providers of video surveillance, information technology, web hosting, cloud computing, archiving and printing services, technical experts and assessors.

Swedbank uses cookies on its website. Cookies are used in accordance with Swedbank’s cookie policy, available at https://www.swedbank.ee/private/home/more/legislation.

As a general rule, client data is processed in the European Union (EU) / European Economic Area (EEA). Swedbank transfers client data to countries outside the EU/EEA only in exceptional cases and provided that there is a legal basis for this and one of the following conditions is met:

  • There is an adequate level of data protection in the country outside the EU/EEA where the recipient is located, as decided by the European Commission. The list of countries currently recognised by the European Commission that provide adequate protection is available on the European Commission’s website.
  • The controller or processor has put in place appropriate safeguards, such as adopting standard EU or other terms of contract; or approved codes of conduct or certification mechanisms. The applicable standard terms of contract of the Treaty on European Union, which Swedbank uses when transferring personal data to third countries, are available here.
  • There are exceptions for specific situations, such as the client’s explicit consent; the performance of an agreement with the client; the conclusion or performance of an agreement with a third party in the interest of the client; the establishment or defence of legal claims; or important grounds of public interest.

The client receives additional information from Swedbank concerning the transfer of client data to countries outside the EU/EEA by submitting a corresponding application to Swedbank.

Swedbank stores the client data collected during the business relationship after the end of the business relationship. Swedbank stores client data based on the retention periods provided by legislation for the preparation and submission of claims or a legitimate interest in order to protect the interests of Swedbank.

Examples of retention periods are as follows:

  • Client data required to protect the legitimate interests of Swedbank in the event of a civil law claim are retained for a maximum of 10 years from the expiry of the agreement.
  • Client data required for the performance of a legal obligation arising from the law related to the prevention of money laundering and terrorist financing are retained for 5 years from the end of the business relationship.
  • Client data required to protect the legitimate interests of Swedbank if Swedbank is under investigation or in litigation are retained until the end of the investigation and litigation.
  • Client data related to video surveillance are processed for a maximum of 90 days.
  • Client data related to marketing purposes are processed until a client withdraws their consent.

Why Swedbank processes client data: to fulfil the legal obligation to identify the client and, where applicable, identify the client’s representative and the persons involved in occasional transactions.

How Swedbank processes client data: in order to verify your identity, you will be asked to provide a valid identity document and, if necessary, other documents relevant for identification. Swedbank uses authentication tools to verify identity.

Identification

An identity document submitted for identification is verified by Swedbank through an e-inquiry to the Police and Border Guard Board.

If you conclude a service agreement on behalf of a child, the identity of the child and your right to represent the child are also verified through the population register.

In order to ensure that your identification data is correct and up-to-date, Swedbank will ask you to regularly update your client data. The data in the identity document obtained from the population register are updated automatically.

Swedbank shares client identification data with the Swedbank Group companies registered in Estonia, depending on the products and services used or requested by the client, in order to ensure that client data are correct and up-to-date.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
| --- | --- | --- |
| To identify a client and ensure provision of services | Legal obligation; Performance of an agreement | Legal entities within Swedbank Group; Third parties keeping registers (e.g., the Police and Border Guard Board, Population Register) |

Authentication

During authentication, Swedbank verifies your identity when you use the services at a bank branch or in a remote channel, for example, when you call the Consultation Centre or use the Internet Bank.

Authentication tools provided by Swedbank or other companies, such as SK ID Solutions AS (Smart-ID, Mobile-ID), are used for authentication. You may also use an ID card or other solutions (biometrics (fingerprint and facial recognition), PIN in Swedbank’s mobile app, PIN calculator) as means of authentication.

If you use an authentication tool provided by another company, we will share your identity verification data, communication and device data (such as the IP address and device type) with that company and inform them that you are using Swedbank’s services.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
| --- | --- | --- |
| To authenticate a client | Legal obligation; Performance of an agreement | Providers of authentication services |

Why Swedbank processes client data: to fulfil the legal obligation of preventing money laundering and terrorist financing and to comply with international and national sanctions.

How Swedbank processes client data: Swedbank collects data directly from clients and from external sources (e.g., public registers). The aim of collecting and analysing data is to fulfil the ‘Know Your Client’ (KYC) principle. In cases established in legislation, we also transfer data to recipients.

Swedbank is legally obliged to perform due diligence activities; this includes understanding the purpose and nature of a business relationship and occasional transactions. This helps Swedbank protect public interest and ensure that services are used for legitimate purposes and remain protected against misuse. Swedbank must assess the risks related to money laundering and terrorist financing and, if necessary, comply with and implement sanctions imposed by the European Union and UN, as well as the local government. Swedbank also has a legitimate interest in ensuring compliance with the financial sanctions imposed by the United States of America and the United Kingdom.

Swedbank is obliged to identify clients (see chapter 2.1 ‘Identification and authentication’), and the client is asked to provide accurate and truthful information about themselves. In specific cases, Swedbank may ask for documents confirming the submitted data. Swedbank uses client data obtained from external registers, such as population registers, commercial registers, or directly from the client. Swedbank also uses data about the client published in the media. To fulfil legal obligations or in case of a legitimate interest, Swedbank checks client data against sanctions lists to make sure that the services are not provided to sanctioned persons or persons related to the sanctions, or that the services are not used to violate or evade sanctions.

During the business relationship, Swedbank will ask you to update the provided client data on a regular basis or in a specific case. Swedbank verifies whether the data obtained from the above-mentioned external registers is up to date. The legislation also obliges Swedbank to constantly monitor your activities and transactions to ensure that there are no risk-raising circumstances in connection with them and that they are not subject to sanctions. Due diligence activities and their regularity depend on Swedbank’s assessment of the client’s risk of money laundering and terrorist financing.

Swedbank has a legal obligation to report suspicions of money laundering and terrorist financing to the authorities (Financial Intelligence Unit) and ensure the confidentiality of reports. Swedbank is obliged not to disclose information about the processing of personal data carried out within the framework of legislation and the Money Laundering and Terrorist Financing Prevention Act in the field of money laundering and terrorist and non-proliferation financing, unless the data is publicly available.

For the purposes described above, Swedbank also processes the data of persons related to business clients. Swedbank identifies the representatives of a legal person (legal representatives, authorised persons, persons belonging to the highest management body of the company, including a procurator, trustee in bankruptcy) and asks to provide their personal data, demographic data, contact details, and data on connections with other legal entities. Swedbank also asks to provide identification data and demographic data of the company’s shareholders. The company is obliged to disclose its final beneficiaries and provide their identification data, demographic data, and contact details. If necessary, the company is asked to provide additional documents and information about final beneficiaries, such as evidence of wealth and origin of assets, or data on relations with other legal entities. Swedbank also regularly collects and updates the client data of the company’s representatives, shareholders, and final beneficiaries from external registers, such as the population register, commercial registers, property registers (e.g., the land register), sanctions lists, and publicly available information (media).

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
| --- | --- | --- |
| To prevent money laundering and terrorist financing | Public interest; Legitimate interest | Legal entities within Swedbank Group; Third parties keeping registers (e.g., Police and Border Guard Board, Population Register, Commercial Register, Land Register); Public authorities to which Swedbank is obliged by legislation to report suspicious financial operations or transactions or provide other information |
| To comply with international sanctions (national, European Union, and UN sanctions) | Public interest; Legal obligation | Legal entities within Swedbank Group; Providers of databases and registers related to application of sanctions; Third parties involved in the enforcement of sanctions (e.g., public authorities) |
| To comply with international sanctions (sanctions by the United Kingdom and the United States of America) | Legitimate interest | Legal entities within Swedbank Group; Providers of databases and registers related to application of sanctions; Third parties involved in the enforcement of sanctions (e.g., public authorities) |

Why Swedbank processes client data: to provide you with everyday banking services, such as current accounts, deposits, payment services, and other everyday banking services, and to ensure the management of your client relationship and access to services.

How Swedbank processes client data: among other things, we collect client data from you and your use of services, we transfer client data to a recipient for the performance of a service contract, and receive personal data from third parties such as other payment service providers.

Current account

When you open an account with Swedbank, we process your data to fulfil the agreement concluded with you and to provide you with other services related to the current account.

In addition, we need to share client data about accounts held with us, and related data, with the tax authority, trustee in bankruptcy, notary, and other entitled persons.

When the account information service is provided to you by Swedbank at your request, which allows you to see information regarding your account opened and available online at another financial institution, your personal data, such as the identification, account, communication and device data, is transmitted to Swedbank from this financial institution.

If you have submitted a request through another payment service provider to access information on your payment account opened with Swedbank, we will disclose to that account information service provider information about your designated Swedbank account and related payment transactions.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
| --- | --- | --- |
| To perform and manage agreements concluded with a client | Performance of an agreement | Legal entities within Swedbank Group; Third-party registers |
| To process a third-party data for the performance of a current account agreement and related service agreements | Legitimate interest | Third-party payment service providers |
| To respond to inquiries | Legal obligation | Public authorities to whose inquiries Swedbank is obliged by legislation to respond (e.g., court, police, bailiff, trustee in bankruptcy) |
| To comply with the obligation to disclose information to an account information service provider | Legal obligation | Third-party payment service providers |
| To fulfil the obligation to transfer current account and related services to another payment service provider | Legal obligation | Payment service providers |

Payment cards

When you apply for a Swedbank payment card and sign a payment card agreement, Swedbank processes your data for the purpose of concluding and performing the payment card agreement, including ordering a card, personalising and activating the card, providing assistance with card-related issues, and preventing card fraud.

In order to carry out card transactions (including transactions initiated by merchants), Swedbank processes client data for the purpose of authorising and invoicing the transaction. If you make a complaint about a card transaction, transaction data is shared with the relevant international card organisation (such as Mastercard).

If you order an additional payment card linked to your account, Swedbank will process the data of the additional card holder.

For these purposes, Swedbank processes your identification data, account data, contact details, professional data, children’s data, demographic data, communications and device data (e.g., to allow and manage digitised cards and mobile contactless payments), family data, financial data, data on reliability, habits, preferences, and satisfaction.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
| --- | --- | --- |
| To conclude and fulfil a payment card agreement | Performance of an agreement | Legal entities within Swedbank Group; Participants and/or parties involved in domestic, European, and international payments (e.g., an international card organisation, such as Mastercard) |
| To issue an additional card | Legitimate interest | Legal entities within Swedbank Group; Participants and/or parties involved in domestic, European, and international payments (e.g., an international card organisation, such as Mastercard) |
| To handle card transaction complaints | Legal obligation | International card organisation, the institution providing the payee’s payment service |

Payments

Swedbank processes client data when making payments, including the provision of payment initiation services. In order to provide these services, Swedbank processes client data (including sharing data with third parties, such as the payee, payment service providers, payment systems, correspondent banks, and other similar persons), as indicated by the client when placing the payment order, or as required for the execution of the payment order. When proxy payments are made, your data (phone number, name, and IBAN) will be shared with the payee.

Swedbank processes client data in order to start a payment transaction from your account initiated at your request at a third-party payment service provider. For that purpose, client data, such as authentication data, account details, and device data, will be disclosed to that payment service provider.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
| --- | --- | --- |
| To make payments | Performance of an agreement | Participants and/or parties involved in domestic, European, and international payments, such as payee, payment systems, correspondent banks |
| To make payments | Legitimate interest | Third-party payment service providers |
| To make proxy payments | Performance of an agreement | Bank of Latvia |
| To comply with the obligation to disclose information to the payment initiation service provider | Legal obligation | Third-party payment service providers (payment initiation service provider) if Swedbank has a legal obligation to provide such persons with access to client data |
| To verify the name of the account holder and compliance of the IBAN to receive the payment | Legal obligation | Third-party service providers, payment initiation service providers |

Why Swedbank processes client data: to provide financing services (such as loans and leasing) and to comply with legal obligations, including due diligence and responsible lending.

How Swedbank processes client data: we collect client data from you, internal and external sources (for example, payment default register, land register, population register, commercial register) to conclude loan and lease agreements and, if necessary, conclude and amend collateral agreements.

Swedbank collects and processes client data, including by automated means, to assess your creditworthiness and offer suitable credit products. You have the right to challenge the automated decision and ask a Swedbank employee to review it. In order to assess creditworthiness, we verify the client data specified in the request and the client data collected from internal and external data sources.

If you sign a credit agreement, the performance of which is guaranteed by third parties (e.g., guarantors of the owners of the collateral, Enterprise and Innovation Foundation (EIS)), we will forward your client data to them.

If you fail to fulfil contractual obligations, Swedbank will publish data about your debt to the payment default register (e.g., Creditinfo Eesti AS) in accordance with the terms and conditions notified at the conclusion of the credit agreement. Swedbank also discloses client data to persons who are involved in processing overdue debts.

For these purposes, Swedbank processes your identification data, demographic data, family data, health data, contact details, account data, financial data, data on your association with legal entities, reliability data, and professional data. The extent to which client data is processed depends on whether you are a client entering into an agreement or have another role in the financing process, for example, if you are the seller of the leased property or the holder of the collateral.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To assess creditworthiness and manage credit risk | Legal obligation | Legal entities within Swedbank Group; External databases (e.g., Creditinfo Eesti AS)
To assess the client’s compliance with the terms and conditions of financing credit products | Legitimate interest | Internal sources and external databases (e.g., Creditinfo Eesti AS)
To provide financial services, which may include Profiling and Automated Decision-Making | Performance of an agreement; Consent | External partners (e.g., Enterprise and Innovation Foundation (EIS), Land Register, Traffic Register of the Transport Administration, Business Register, Ministry of Education and Research on student loans, Ministry of Finance); Ministry of Social Affairs on student loans
To provide financing services (leasing) | Legitimate interest | Traffic Register of the Estonian Transport Administration
To guarantee the insurance of leased assets if required under the lease agreement | Legitimate interest | Insurance companies
To guarantee the insurance of collateral, if required under the loan agreement (compulsory insurance) | Performance of an agreement | Insurance companies
To forward the client’s personal data and information on the fulfilment of financial obligations to the payment default register, so that other credit and financial institutions can assess the creditworthiness of the client when the client requests credit products from them (to comply with the principles of responsible lending) | Legitimate interest | Payment default register (Creditinfo Eesti AS)
To adjust debt, sell and/or assign a claim to third parties | Legitimate interest | External parties involved in debt adjustment (trustees in bankruptcy or trustees) and other cooperation partners

Why Swedbank processes client data: to advise you on selecting the right product for you and the services of your choice.

How Swedbank processes client data: client data is collected from you, as well as when you use our services, including when you interact with Swedbank, and from external sources (e.g., AS Pensionikeskus, Central Register of Securities). As part of the suitability assessment, the processing of your client data also includes profiling.

Investment services

When providing investment services, Swedbank processes client data to safekeep your securities, for the execution of orders and corporate events related to securities, and provide you with investment advice or portfolio management services and other investment services.

This includes profiling to assess whether a particular service or security is suitable and appropriate for you before providing it.

When providing investment services we are legally obliged to record phone calls and video streams.

Swedbank processes client data to provide clients with mandatory reports on expenses and fees, execution of transactions, losses in securities and securities held, and other types of reports.

We disclose client data to local and foreign supervisory authorities and tax authorities, central securities depositories, stock exchanges or other execution venues, issuers of securities or third parties appointed by issuers, management companies, and other financial intermediaries.

For these purposes, Swedbank processes your identification data, contact details, children’s data (if the child uses the services), family data, demographic data, professional data, financial data, financial experience data, account data, data on habits, preferences, and satisfaction, data on reliability, data on communications and devices, data on connections with legal entities, client status data and other client data that is necessary under specific terms of service.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To assess the suitability and appropriateness of the service | Legal obligation | Legal entities within Swedbank Group
To provide an investment service, including the execution of orders or orders from a client when a client buys, sells, or transfers a security | Performance of an agreement | Legal entities within Swedbank Group
To forward regular and event-based reports on expenses and fees, execution of transactions, safekeeping of securities, losses, etc. to the client | Legal obligation | Legal entities belonging to the Swedbank Group
To forward regular and event-based reports and disclosure to public authorities and market participants | Legal obligation | Supervisory and tax authorities (e.g., Financial Supervision Authority, US Internal Revenue Service, US Commodity Futures Trading Commission), central securities depositories; Stock exchanges or other execution venues, issuers of securities or third parties appointed by issuers, management companies and other financial intermediaries
To ensure reporting of investment account taxation | Consent | Public authorities (e.g., Tax and Customs Board)
To retain information on securities transactions (including telephone and video recordings) and submit evidence upon request | Legal obligation | Legal entities within Swedbank Group
To resolve complaints | Legal obligation | Legal entities belonging to Swedbank Group
To apply a more favourable tax rate for the client on payments related to securities | Legitimate interest | Tax authorities in different EU/EEA countries
To assess whether a service can be provided to the client | Legitimate interest | Legal entities belonging to Swedbank Group
To control and exchange personal data in national securities register | Legitimate interest | Nasdaq CSD

Pension funds

If you invest in Swedbank’s pension funds, Swedbank processes client data, for example, to provide you with the necessary information; process your orders for buying and selling fund units; and keep record of your accounts and pay-outs from funds. In addition, we exchange information about your investments in pension funds with the pension registrar, who keeps a record of all investments made in your pension funds.

Based on your application, we will transfer your pension fund payments or cash received from the redemption of your accrued pension fund units from Swedbank to other pension funds managed by third-party management companies.

For these purposes, Swedbank processes your account data, demographic data, contact details, financial data, and identification data.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To provide for the management of a fund, including the organisation of settlements related to the management of the fund’s assets and the provision of necessary information to investors | Legal obligation | Legal entities within Swedbank Group
To process purchase and sale orders for fund units | Performance of an agreement | Legal entities within Swedbank Group
To transfer pension fund payments or money received from the redemption of pension fund units accumulated by the client to pension funds managed by other pension fund managers according to the client’s application | Legal obligation | Pension fund managers
To ensure data exchange with the pension registrar on the management of the client’s pension assets (II pillar funds, pension investment account, III pillar funds) | Legal obligation | Pension registrar

Why Swedbank processes client data: to provide life insurance and/or investment risk life-insurance services, including to assess your individual risk and calculate the insurance premium, handle claims related to the insurance contract, and pay insurance indemnities.

How Swedbank processes client data: client data is collected from you, legal entities within Swedbank Group and external sources (doctors and medical institutions), and regularly updated. To provide life insurance services, client data is disclosed to persons related to the provision of services (e.g., postal service providers). Swedbank records personal data (including medical data) provided in phone calls to conclude insurance contracts and handle claims.

You are applying for insurance, have entered into an insurance contract, or have submitted an application for insurance indemnity

When you submit an application for a risk-based life insurance contract, Swedbank processes client data to assess the insurance risk related to you, calculate the insurance payment and the sum insured, and make a decision on concluding an insurance contract. Among other things, Swedbank processes data automatically and makes automated decisions based on profiling. Upon your request, the decision is made by an employee. For the above purposes, Swedbank processes data received from you and legal entities within Swedbank Group (for instance, financial data), and health data received from doctors and medical institutions. We also process client data, including health data, that we have about you, such as data related to your existing and previous insurance contract(s), submitted claims, and insured event(s).

We process client data when a client applies for an investment risk life-insurance contract; among other things, we use profiling to assess whether the service is suitable and relevant for you.

After concluding the insurance contract, Swedbank processes client data for the purpose of amending and terminating the contract, refunding the insurance premium, making payouts, and taxing the insurance indemnity. In addition, Swedbank processes client data to send notices related to the insurance contract and other mandatory notices. If you have entered into an insurance contract with an investment risk, we process your data to send you annual reports. We share your data with legal entities within Swedbank Group and postal service providers to send you notices and annual reports.

If you have submitted an insurance benefit application, Swedbank processes client data to handle claims, which includes making a decision and paying the insurance indemnity. To this end, Swedbank processes data received from you and legal entities within Swedbank Group; this includes financial data and data received from public authorities, such as data on offences. We also process health data received from doctors and medical institutions, as well as health data related to your existing and previous insurance contract(s), submitted claims, and insured event(s).

For these purposes, Swedbank also processes personal identification data, account data, contact details, financial data, family data, children’s data, data on links with legal entities, communications and device data, data on client status and demographic data, data on the client’s financial experience, data on reliability and due diligence, as well as data on habits, preferences, and satisfaction.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To identify an insurance interest | Performance of the agreement; Legal obligation | Legal entities within Swedbank Group
To assess the suitability and appropriateness of an investment-based insurance service | Performance of the agreement; Legal obligation | Legal entities within Swedbank Group
To assess the client’s individual risk and make a decision on concluding an insurance contract, including the use of the client’s risk history | Performance of the agreement; Consent in case of processing health data; Legitimate interest to preserve client’s risk history | Legal entities within Swedbank Group; Doctors and medical institutions
To conclude, manage, and perform insurance contracts | Performance of an agreement; Legitimate interest in case of processing of the data of third parties (e.g., beneficiaries, family members, persons making insurance payments) | Legal entities within Swedbank Group; Persons related to the provision of services to Swedbank (e.g., postal service providers)
To withhold income tax from the insurance indemnity | Legal obligation | Public authorities
To ensure mandatory notifications and reporting to the client | Legal obligation | Legal entities within Swedbank Group; Postal service providers
To handle claims, including making a loss decision and paying insurance indemnity in the event of an insured event | Performance of an agreement; Legitimate interest in case of processing third parties’ data (e.g., beneficiaries, persons liable for the insured event, witnesses); Fulfilment of a statutory obligation in accordance with subsection 218 (2) of the Insurance Activities Act in case of processing health data and subsection 218 (3) in case of processing criminal records | Legal entities within Swedbank Group; Public authorities; Registry holders (for instance, Population Registry); Doctors and medical institutions, experts; Beneficiaries, witnesses of insured events, persons liable for the insured event

Processing of personal data for the purpose of managing the insurance risk

If you have submitted an insurance indemnity application, we will provide the reinsurance undertaking with your client details (including health data) to fulfil our obligations under the reinsurance contract.

For the said purpose, Swedbank processes your identification data, account data, contact details, financial data, family data, children’s data, health data, professional data, data on criminal convictions and offences, data on connections with legal persons, data concerning communications and devices, data on habits, preferences, and satisfaction, and demographic data.

Why Swedbank processes client data: to provide a non-life insurance service of your choice; this includes assessing your insurance risk and calculating your insurance premium, handling claims related to the insurance contract, and paying insurance indemnities.

How Swedbank processes client data: client data is collected from you, legal entities within Swedbank Group, and external sources (e.g., public registers). To provide a non-life insurance service, client data is disclosed to persons related to the provision of services (e.g., postal service providers). Swedbank records the personal data (including medical data) provided in phone calls to conclude insurance contracts and handle claims.

You are applying for insurance, have entered into an insurance contract, or have submitted a claim

If you submit an application for concluding an insurance contract, Swedbank processes your data to assess your reliability and, based on your risk level, calculate the insurance premium and determine other conditions. For this purpose, Swedbank processes client data by automated means, including profiling. Upon your request, the decision is made by an employee. Swedbank processes client data that we receive from you, legal entities within Swedbank Group, and registers. We also process client data that we have about you, such as data about previously concluded insurance contracts and insured events that have occurred.

After conclusion of an insurance contract, Swedbank processes the client’s data for the purposes of renewal of the contract, amendment and termination of the insurance contract, and refunding of the insurance premium. In addition, Swedbank processes client data for sending notices and mandatory notices related to the insurance contract. For that, your data is shared with legal entities within Swedbank Group and providers of postal services.

If you have submitted a claim application, Swedbank processes client data to handle the claim; this includes making a claim decision and paying the insurance indemnity. Swedbank processes client data received from you and legal entities within Swedbank Group (e.g., financial data) and data from public authorities (e.g., data on convictions and offences). We also process data received from other insurance companies (e.g., data on insurance contracts and events), registrars (e.g., data on property and its owners). In addition, we process data received from doctors and medical institutions, as well as client data, including health data that Swedbank has in connection with your previous claims and insurance events.

If you need medical assistance in connection with a travel insurance insured event in a country outside the European Union / European Economic Area, Swedbank will transfer your personal data to that country to confirm the validity of the insurance cover. Your personal data will be transferred to a country outside the EU/EEA to handle motor third party liability insurance claims for insured events related to that country. Client data must be transferred for the performance of the agreement concluded between you and Swedbank.

For these purposes, Swedbank also processes your identification data, account data, contact details, family data, children’s data, professional data, data on connections with legal persons, data concerning communications and devices, data on habits, preferences, and satisfaction, client status data, and demographic data.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To identify insurance interest and need | Performance of an agreement; Legal obligation | Legal entities within Swedbank Group
To assess the reliability of the client and mitigate non-standard risks; calculate insurance premiums corresponding to the client’s risk; and define insurance conditions | Performance of an agreement; Legitimate interest | Legal entities within Swedbank Group; Insurance service providers; Third parties holding registers (e.g., Traffic Register, Motor Third Party Liability Insurance Register)
To conclude, manage, and perform an insurance contract | Performance of an agreement; Legitimate interest in case of processing of the data of third parties (e.g., insured persons, beneficiaries, owners and responsible users of vehicles, persons making insurance payments) | Legal entities within Swedbank Group; Third parties keeping registers (e.g., Traffic Register, Motor Third Party Liability Insurance Register, Commercial Register); Persons related to the provision of services to Swedbank (e.g., postal service providers)
To ensure mandatory notifications and reporting to the client | Legal obligation | Legal entities within Swedbank Group; Persons related to the provision of services to Swedbank (e.g., postal service providers)
To handle claims, including making a decision and paying insurance indemnity in the event of an insured event | Performance of an agreement; Legal obligation; Legitimate interest in case of processing the data of third parties (e.g., beneficiaries, insurance case causers, witnesses); Fulfilment of a statutory obligation in accordance with subsection 218 (2) of the Insurance Activities Act in case of processing health data and subsection 218 (3) in case of processing criminal records | Legal entities within Swedbank Group; Third parties holding registers (e.g., Traffic Register, Motor Third Party Liability Insurance Register, Commercial Register, Population Register, Land Register); Public authorities; Doctors and medical institutions; Insurance service providers, insured persons, injured persons, persons entitled to compensation, persons equal to insured persons, users of insured objects, witnesses of insured events, and persons liable for the insured event; Persons involved in the provision of services to Swedbank (e.g., technical experts and assessors of vehicle market value and building surveyors)
To provide compulsory information to Motor Third Party Liability Insurance Register | Legal obligation | Motor Third Party Liability Insurance Register

Insurance risk management

Swedbank processes client data to develop pricing models; inspect the quality of vehicle repairs; and bring a claim for damages against the third party who caused the damage, or against another insurance provider, or against you. We may also transfer your personal client data, including health data, to a reinsurance undertaking in order to fulfil our obligations under the reinsurance contract.

In addition, Swedbank processes client data in order to inform the mortgagees of setting a term for you to pay the insurance premium and cancel the agreement; occurrence of an insured event; existence of insurance cover; and the amount of the insurance sum. At the request of another insurance service provider, we will provide them with the personal client data required to file a claim for refund to determine the obligation to indemnify the damage.

For these purposes, Swedbank processes your identification data, account data, contact details, financial data, family data, children’s data, health data, professional data, data on criminal convictions and offences, data on connections with legal persons, data concerning communications and devices, data on habits, preferences, and satisfaction, and demographic data.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To file a claim for indemnification against a third party or another insurance service provider or against you | Legitimate interest; Fulfilment of a statutory obligation in accordance with subsection 218 (2) of the Insurance Activities Act in case of processing health data and subsection 218 (3) in case of processing criminal records | Legal entities within Swedbank Group; Insurance service providers; Third parties keeping registers (e.g., Land Register, Population Register); Public authorities; Persons responsible for causing the damage
To develop pricing models | Legitimate interest | Legal entities within Swedbank Group; Persons involved in providing services to Swedbank
To inspect the quality of vehicle repair work | Legitimate interest | Persons involved in providing services to Swedbank (e.g., technical experts)
To perform an obligation arising from a reinsurance contract in order to receive the insurance indemnity | Legal obligation; Subsection 219 (2) of the Insurance Activities Act | Reinsurance service provider
To inform a mortgagee of defining a term for paying the insurance premium; of cancelling the contract and occurrence of an insured event; and of the existence of insurance cover and the amount of the insurance sum | Legal obligation | Legal entities within Swedbank Group; Mortgagees (e.g., other credit and financial institutions)
To forward client data to another insurance company for the purpose of assessing the insurance risk and for the performance and enforcement of the insurance contract | Legitimate interest | Insurance service providers
To forward client data to ensure the performance of the insurance contract or to file a claim for refund | Legal obligation; Subsection 219 (1) of the Insurance Activities Act | Insurance service providers; Public authorities; Doctors and medical institutions

Why Swedbank processes client data: to prepare and provide offers that meet the needs of a client and a business client; provide relevant information; and organise opinion surveys, lotteries, campaigns, and client programmes.

How Swedbank processes client data: Swedbank collects client data; this includes profiling to provide you with personalised marketing communications. To this end, we share client data with the Swedbank Group companies operating in Estonia. We use social media networks for marketing and communication purposes (e.g., Facebook, LinkedIn, Instagram, TikTok). When you interact with us on those platforms, your personal data is processed according to the particular platform’s terms and conditions.

Profiling and your rights in marketing

Swedbank carries out profiling to assess which products and services may be suitable and relevant to your interests and needs. This allows you to receive offers and services tailored to you.

Swedbank automatically collects and processes client data to create a client profile and thereby make recommendations and offers to the client. Such data includes, for example, information on the client’s product portfolios and service usage. We also collect data related to the client’s financial situation, behaviour, and habits, based on the client’s use of the service, the transactions made by the client, and the information provided by the client to Swedbank. Such data is used for the profiling that is necessary to serve the client in the client programme (e.g., youth or gold customers) and to make suitable offers to the client. As a result of the processing, we provide advice and offers based on the needs of the client, involvement in client programmes, and application of special prices and service conditions.

You have the right to object to the processing of personal data for marketing purposes at any time or withdraw your consent to data processing.

Preparation of offers

We want to provide you with the best user experience and prepare relevant offers at the most appropriate time. As a result of identifying the interests and needs of the client and business client, we prepare various offers:

  • Personal recommendations – practical marketing offers to help you choose the services that are most suitable for you; improve your daily user experience; or avoid inappropriate use; as well as other proposals that best serve your interests and needs, such as product upgrades or replacements.
  • Personal loan and insurance limits – a practical calculation designed to help you understand the loan and lease options and insurance payments available to you.
  • Offers made in cooperation with partners – practical offers that help you choose suitable services and discounts from Swedbank’s cooperation partners; client data is not shared with these partners.
  • Financial education and personalised suggestions related to your child – practical offers and educational information related to you and your child (consent can be granted by a parent who has a child up to 18 years of age).
  • Other offers you have consented to.

From time to time, we conduct opinion surveys among our clients, also using the services of market research companies.

If you are interested in tracking and categorised insights on your spending, as well as spending across all your accounts in one view, you can use the ‘My Budget’ tool, which is available in the Internet Bank and the mobile app. If you are the legal representative of a child aged 6 to 17, you can give consent to the ‘My Budget Solution for a Child’.

To these ends, we process the following personal data:

  • Identification data (except national identification number), contact data, account data and demographic data.
  • Information about products/services/channels you already use and your previous experience with using them.
  • Financial data, including data that indicates if you are eligible for special customer programme offers.
  • Family data and financial property data, if you have provided relevant additional information.

In addition, we may identify whether you represent a company or a child at Swedbank, and what type of device you use.

When you visit our website, Internet Bank, or Mobile App, or open an email sent by us, we also consider your browsing behaviour and information collected by cookies or similar tracking technologies of whose use you were informed or to which you have consented.

In case of offers with financing and insurance limits, Swedbank first considers whether you meet the basic loan and insurance conditions before establishing the limits.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To prepare relevant offers: personal recommendations, partner offers, as well as personal loan and insurance limits | Consent | Legal entities within Swedbank Group
To prepare an expense review of all client accounts in one view (‘My budget’ tool) | Consent | Legal entities within Swedbank Group
To prepare client opinion polls, which may involve market research companies | Consent | Legal entities within Swedbank Group; Market research companies

Compiling other information

To inform clients and business clients about Swedbank’s news and services, we provide them with two types of information:

  • Relevant information – information designed to invite a client to events, send them greetings and newsletters.
  • Client satisfaction surveys – questionnaires asking you to give feedback on the services used and help Swedbank to improve them.

For this purpose, Swedbank processes account data, data on client status, data on habits, preferences, and satisfaction, communications and device data, contact details, demographic data, family data, identification data (except personal identification code), and financial data.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To prepare relevant information | Legitimate interest | Legal entities within Swedbank Group
To perform client satisfaction surveys | Legitimate interest | Legal entities within Swedbank Group

Receipt of offers and relevant information

As a client, you may receive marketing offers and other relevant information through four communications channels: email, SMS, telephone, post.

The offers and other information you receive will vary depending on the channel you choose. Each offer or item of information has its own communications channel: for example, some offers and surveys are sent only by email, while other types of offers are also sent via the Internet Bank and Mobile App.

Purposes of processing client data | Legal basis | Recipients and sources of client data
To provide a client with offers under their relevant consent to receive and/or allow to prepare the offer via channels, such as email, SMS, post, phone | Consent | Legal entities within Swedbank Group

Client programmes

Swedbank offers its clients a variety of client programmes (including customer group offers). For example, special service conditions, better prices and/or added value are available to the programme participants. For Swedbank to be able to add and apply the special terms and conditions of client programmes, Swedbank processes client data automatically. Information about the processing of personal data in connection with the client programme is provided in the terms and conditions of the programme or in an additional notice. Client data is processed for the above purpose, if a client does not object to the processing, or if the client agreed to the terms and conditions of the client programme and thus also agreed to participate in the programme.

To include clients in the client programme, Swedbank processes identification and contact information for each programme. Based on the programme, Swedbank processes relevant additional categories of personal data, such as demographic data, data on client status, data on relationships with legal entities, data on communication and devices, account data, data on habits, preferences, and satisfaction, as well as financial data.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To implement client programmes (e.g., private banking customers, gold customers, seniors, youth); include or exclude from a specific programme; provide special services; or apply special terms of service | Legitimate interest; Performance of an agreement | Legal entities within Swedbank Group |

Lotteries and campaigns

Swedbank processes client data for the purpose of conducting raffles and campaigns to involve clients who meet the criteria of participants in a raffle, campaign, or client programmes. The client has the right to demand removal from the list of participants in a raffle, campaign, or a client programme.

To organise raffles, competitions, campaigns, and events for its clients, Swedbank processes account data, professional data, financial data, contact details, data on habits, preferences, and satisfaction, demographic and family data, identification data, as well as data on connections with legal entities.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To organise lotteries, competitions, campaigns, and events for clients | Legitimate interest | Partners (media and creative agencies) |

Why Swedbank processes client data: to ensure the quality of the service; protect the interests of the client and Swedbank; handle client complaints; and comply with legislation.

How Swedbank processes client data: Swedbank records telephone and video calls. In addition, Swedbank processes client data, which is collected via email, bank messages, and other communications channels.

For these purposes, Swedbank processes your communications and device data, account data, client status data, professional data, financial data, data on habits, preferences, and satisfaction, family data, children’s data (where the service relates to children), contact details, reliability data, data on links with legal entities, data obtained in the performance of a legal obligation, identification data and demographic data, special categories of data (health data) where necessary in connection with a non-life and life insurance service or a client complaint.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To improve the quality of service and protect the interests of the client and Swedbank (recordings of phone calls, audio during video chats or correspondence) | Legitimate interest | Legal entities within Swedbank Group |
| To protect the interests of the client and Swedbank (recordings of phone calls, audio during video chats and correspondence) | Performance of an agreement | Legal entities within Swedbank Group; Telecommunications service providers |
| To process special categories of personal data published at the initiative of the client in the course of a consultation for the purpose of improving the quality of service or protecting the interests of the client and Swedbank | Consent | Legal entities within Swedbank Group |
| To handle client complaints | Legal obligation | Legal entities within Swedbank Group |

Why Swedbank processes client data: to provide consultations and service to clients.

How Swedbank processes client data: Swedbank processes data when we serve clients at a Swedbank branch and communicate with clients by telephone, chat, email, and other means of communication. Client data, such as contact details, is transferred to the Swedbank Group companies operating in Estonia to ensure that personal data is up to date.

Swedbank processes client data that is available to Swedbank, such as financial data, to provide you with the requested consultation.

For these purposes, Swedbank processes your contact details, information about the service requested, the service provided and/or the performance of the service agreement when we provide you with information and communicate with you by telephone, chat, email, and other communications channels as required to provide the service.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To book a consultation for a client | Performance of agreement | Legal entities within Swedbank Group |
| To provide a client with consultations and recommendations based on the client’s economic situation, services used, and future plans | Legitimate interest | Legal entities within Swedbank Group |
| To communicate with the client and transmit information | Performance of an agreement; Legal obligation | Legal entities within Swedbank Group |

Why Swedbank processes client data: to comply with risk management obligations established by legislation, comply with capital requirements, prevent fraud, and manage potential incidents.

How Swedbank processes client data: we disclose client data to recipients, such as public authorities and the Swedbank Group companies.

Risk management is important for Swedbank to provide services to you and protect your money from fraudsters. The goal of Swedbank is to maintain a low level of risk in its activities, as this is the basis for building trust and offering you greater value in the long term.

In the field of risk management, we use client data to:

  • Assess and manage credit risk, liquidity risk, market risk, and counterparty risk.
  • Manage risks and perform Swedbank’s capital requirements.
  • Settle incidents and personal data breaches that may affect Swedbank’s core processes and services.
  • Detect, investigate, and report potential suspicious transactions and market abuse.
  • Monitor transactions, including card transactions, to detect and prevent fraud, and to review, assess, and respond to activities identified as potential fraud.
  • Comply with legislation and internal regulations.
  • Assure business continuity and crisis management.
  • Communicate with supervisory and other authorities, including for regular and ad hoc reporting, alert public authorities about suspicious behaviour in relation to client market abuse, and cooperate with public authorities in carrying out various supervisory procedures or investigations.
  • Fulfil legal obligations and provide information to an external auditor.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To ensure compliance with a governing law, such as those related to credit risk, liquidity risk management, incident management, and resolution | Legal obligation; Legitimate interest | Legal entities within Swedbank Group |
| To prevent fraud, including to provide clients with information about fraud prevention | Legal obligation; Legitimate interest | Legal entities within Swedbank Group |
| To comply with solvency capital requirements and prepare different analyses | Legal obligation | Legal entities within Swedbank Group |
| To execute programmes related to risk management arising from business relationships and transactions with clients | Legitimate interest | Legal entities within Swedbank Group |

Why Swedbank processes client data: to manage, maintain, develop, analyse, and improve business activities, services, and your user experience.

How Swedbank processes client data: we process client data when we manage and archive our documents, carry out analyses and tests to improve our service, security, and compliance of IT solutions.

Swedbank must store accounting data. As part of this, Swedbank processes your identity data, account data, contact details, and demographic data when submitting and issuing invoices.

The processing of personal data is also necessary for activities that support the main activity. This includes, for example, document management and archiving, including the storage of information stored on paper and digitally.

Swedbank’s legitimate interest is to maintain, develop, research, and improve its business activities and services, as well as the client’s user experience. This includes, but is not limited to, the use of your data to manage our website and network, including testing to ensure the quality, security, and compliance of the IT solution used.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To fulfil legal obligations, for example, in connection with accounting or tax administration | Legal obligation | Legal entities within Swedbank Group |
| To ensure, maintain, develop, and analyse the adequate provision of services and the safety of information contained in the services, and improve Swedbank’s business | Legitimate interest | Telecommunications, IT, web hosting, cloud computing, archiving, postal service providers |
| To file, perform, or protect legal claims | Legitimate interest; Legal obligation | Legal entities within Swedbank Group; Archiving service providers; Public authorities (e.g., the Financial Supervision Authority, courts) |
| To ensure mandatory reporting and communication with state authorities | Legal obligation | Authorities and other persons that perform their functions according to the governing law |

Why Swedbank processes client data: Swedbank processes client data related to business clients, including the client data of a representative of a business client to conclude and store agreements, communicate with business clients, provide contractual services, and ensure compliance with applicable law. For the sake of clarity, the concept of a client includes all natural persons related to a business client, whose data is processed by Swedbank. Business client data is subject to the purposes specified in chapter 2.

How Swedbank processes client data: Swedbank collects client data from a client, a business client, and external sources, and updates the data regularly. Client data is disclosed to the recipient to conclude and perform an agreement with a business client and comply with legislation.

The European Union’s General Data Protection Regulation does not apply to business clients. Business client data is protected by banking secrecy and its disclosure is regulated by legislation. Swedbank may disclose or transfer business client data to the recipient to the extent necessary to achieve the purposes of data transfer.

If you represent a business client, Swedbank processes client data, for example, to communicate with a business client’s representatives and contact persons, and to keep the information of legal and authorised representatives up to date. This ensures that only persons with the right of representation can sign agreements, make transactions, submit documents, access information, or perform other necessary actions on behalf of a business client. For more information on data processing related to a particular service, please refer to the clause on this service in chapter 2 ‘Why and how Swedbank processes client data’.

We also process business client data to prevent money laundering and terrorist financing and to comply with international and national sanctions. For more details, see chapter 2.2 ‘Prevention of money laundering and terrorist financing and compliance with sanctions’.

In the course of assessing the creditworthiness of a business client, Swedbank processes client data of persons related to the business client. These are shareholders with a holding of 20% or more, the final beneficiaries, as well as members of the management board, members of the supervisory board, and procurators. For this purpose, Swedbank obtains data from Creditinfo Eesti AS on the external credit history of persons closely related to the company. This allows Swedbank to assess whether financing services can be provided to clients who are legal persons, and to reduce the risk of insolvency for the credit provider.

For the purposes listed above, we process identification data, contact details, professional data, data relating to links with legal entities, reliability and due diligence data, demographic data, financial data, data obtained in the performance of a legal obligation, data relating to convictions and offences, other client data (if a business relationship with a business client is terminated because it ceases to exist, we need to keep records of the business client’s status in our systems so as not to prevent some activities, such as communication and reporting).

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To conclude and perform agreements with a business client and communicate with a business client | Performance of an agreement | Legal entities within Swedbank Group |
| To communicate with a natural person representing the business client and keep the representative’s information up to date | Legitimate interest | Legal entities within Swedbank Group |
| To assess the creditworthiness of a business client and manage solvency | Legitimate interest | Third parties keeping registers (e.g., Creditinfo Eesti AS (payment default register)) |

Why Swedbank processes client data: to ensure the security of Swedbank’s visitors, employees, premises and assets; protect Swedbank’s claims; and to detect and prevent illegal activities.

How Swedbank processes client data: Swedbank uses surveillance cameras in its premises and ATMs. Areas with video surveillance are marked with a corresponding sign.

If Swedbank uses video surveillance in its branches, personal data is included in visual images, videos, and audio recordings.

Visual images, videos, and audio recordings containing client data are shared with the relevant recipient if the recorded material is needed for criminal investigations, or with the recipient who maintains the video surveillance systems on behalf of Swedbank.

| Purposes of processing client data | Legal basis | Recipients and sources of client data |
|---|---|---|
| To ensure security and Swedbank’s legal requirements; detect and prevent illegal activities | Legitimate interest | Legal entities within Swedbank Group; Video surveillance service providers |
| To comply with double identification requirements and monitor double identification process when serving clients in person | Legitimate interest | Legal entities within Swedbank Group; Authorities (e.g., the Police and Border Guard Board, Data Protection Inspectorate, Financial Supervision and Resolution Authority); Providers of video surveillance services |

Under data protection legislation, clients have the right to:

  • Receive information if Swedbank processes client data and, if so, to access the data.
  • Request the correction of their client data if it is inadequate, incomplete, or incorrect.
  • Request the erasure of their client data, for example, if client data is processed on the basis of consent and the client has withdrawn their consent. This right does not apply, if a client requests erasure of data that is also processed on other legal grounds, for example, based on an agreement or for legal obligations.
  • Restrict the processing of their client data.
  • Object to the processing of their client data, if the processing is based on the legitimate interest of Swedbank, including profiling for direct marketing purposes (e.g., sending marketing offers or participating in surveys).
  • Receive data, which the client has provided themselves and which is processed on the basis of consent, or for the performance of an agreement, in writing or in a commonly used electronic format, and, if technically possible, to transfer such data to another service provider (the right to data portability).
  • Withdraw their consent to the processing of client data.
  • Request that no decision based solely on automated processing, including profiling, be taken in respect of them, if it produces legal effects concerning them or significantly affects them. This right does not apply, if the decision-making is necessary for the conclusion of an agreement with the client or for the performance of the concluded agreement, or if the decision is permitted under data protection legislation, or if the client has given their express consent.
  • Express their point of view and ask Swedbank to involve its employee in the review process.

Clients have access to a large part of their client data in Swedbank’s Internet Bank.

Swedbank processes a large amount of client data. In order to complete the client’s inquiry as correctly as possible, Swedbank may ask the client to specify their information, processing operations, or time period to which the client’s request relates.

The client may exercise the rights of a data subject by submitting an inquiry to Swedbank via the Internet Bank; at a branch; by calling the Consultation Centre; or by sending a digitally signed inquiry by email. A response to the client’s inquiry is provided within one month after receiving the inquiry. If necessary, this period may be extended by up to two months.

The client may change their data, preferences (manage consents), and choices in the Internet Bank or Mobile App, at a Swedbank branch, or by calling the Swedbank Consultation Centre.

The right to the protection of client data is not an absolute right. Swedbank provides the client with the information that Swedbank is allowed to provide to the client as a data subject, considering that the right of access must not harm the rights of other persons, including trade secrets or intellectual property, and, above all, the copyright protecting the software. In cases provided for in legislation, Swedbank may also forward the information to the client at a later date, restrict its transmission, or refuse to transmit it, if it may hinder or damage the prevention, detection or prosecution of criminal offences, or the execution of penalties; damage the rights and freedoms of others; endanger national security or the protection of public order; or hinder official investigations or proceedings.

Legislation may restrict Swedbank from providing the client with information about the processing of client data within the framework of legislation, for example, the processing of data in the field of international sanctions and the prevention of money laundering and terrorist financing, except for publicly available data.

The client may lodge a complaint with the Data Protection Inspectorate (website: www.aki.ee), if the client considers that the processing of their client data infringes their rights and interests under data protection legislation.

The client may contact Swedbank in connection with any request and withdrawal of consents. In addition, the client may request exercise of their rights in the processing of client data and file complaints about the use of client data. The contact details of Swedbank are available on the website of Swedbank at www.swedbank.ee.

The client may contact Swedbank’s designated data protection officer by sending an email to andmekaitse@swedbank.ee or by post to Liivalaia 34, 15040 Tallinn, Estonia, marked as ‘Data Protection Officer’.

Swedbank has the right to unilaterally amend the principles at any time in accordance with legislation by notifying clients of the amendments via Swedbank’s website, Internet Bank notice, text message (SMS), or email no later than one month before the amendments enter into force.

The principles are drafted in Estonian and translated into English and Russian. In the event of a dispute, the Estonian version of the principles is legally binding.

The principles will enter into force on 1 June 2025 and the latest version is available in Swedbank’s branches and on the website at www.swedbank.ee.
