Handling of personal data private and corporate customers

Personal data is information that can be directly or indirectly linked to a living person. For example, this may include name and social security number, but also other data such as your IP address or your recorded voice may also be considered personal data if it can be linked to you.

Some personal data is considered particularly sensitive and is subject to special rules. Sensitive personal data refers to information that reveals for example trade union membership or health data. Also dietary information is sensitive information.

We collect information about you if you have entered into, or want to enter into, an agreement with us. This may be as a customer, guarantor or mortgagor, for example. Alternatively, we sometimes need to collect information about you if you are a depositor, legal guardian, custodian, proxy holder, representative, authorised signatory, certain type of contact person or beneficial owner. You will find information on how we process your personal data as a representative, company signatory or beneficial owner further down in this privacy policy, starting with the paragraph entitled - Information for you as a corporate customer.

Information you provide to us

When you are in contact with us, for example in connection with an application to become a customer, we request information about you to make this possible. We do this to be able to ensure that we can deliver the desired service to you, but also to live up to various laws and regulations, such as the Act on Preventing Money Laundering and Terrorist Financing.

The information we collect about you includes information about identity such as name, address, date and place of birth, passport copy, signature copy and tax identification number. We also collect contact information such as registered address and information about connections, such as status as a politically exposed person and close family members. We may supplement this information with information from public sources and registers.

We may also save or need to use information that arises when you have contact with us. For example, we record telephone calls and save the communication we receive via e-mail. We also save and use information about how our customers use our internet services, for example when you use the portfolio service. For some of our websites, we also want to be able to analyse information to get a basis for developing and improving our services. This type of information is based on personal data that comes from the digital devices you use when you visit our websites and digital services such as IP addresses or other unique identifiers and it is collected using so-called cookies. You have the opportunity to control the use of cookies and we process the information we use for analysis anonymously

Information we collect about you

In addition to the information you provide to us, we may collect information about you from other sources. This applies, for example, when we:

• regularly update information about name and contact details via the Finnish Population Register Centre,
• carry out checks that we are required to perform in order to prevent our products and services being used for money laundering, by retrieving information from the sanctions lists of international organisations
• retrieve information from credit reference agencies

We process your personal data for specific purposes and when we have a legal reason for doing so.

To prepare and administer agreements

The most common reason we process your personal data is to document, administer and fulfil agreements we have with you. We need to collect personal data for this purpose so we can enter into agreements with you. That can be for example:

• to open an account or other services
• to grant a card or credit
• to handle legal claims and debt collection cases
• for customer service during the agreement period

To comply with laws and authority decisions

We also need to process your personal data in order for us to fulfil our obligations under law, other statutes or authority decisions. It can be, for example:

• to comply with the requirements of accountancy legislation
• to comply with the requirements of money laundering legislation
• to check personal data against sanctions lists as required by law or a decision from an authority
• to report to the Finnish Tax Authorities, the Police, the Enforcement Authorities, the Finnish Financial Supervisory Authority and other Finnish and foreign authorities
• to comply with legislation concerning risk management, which includes processing personal data to determine the quality of credit for capital adequacy purposes
• to comply with legislation concerning payment services, for example through providing data to so-called third-party payment service providers who are authorised to offer account information or payment initiation services, and through our payment monitoring measures to detect fraud
• to comply with legislation relating to securities business

Legitimate interest (marketing, product and customer analysis)

When we have a legitimate interest, we may process your personal data to perform market and customer analyses for business development and to improve our product range. The information can also be used to develop our systems and to perform customer analyses in order to detect fraud. We can also use the information to perform risk analyses and to produce statistics to, for example, improve our credit risk models.

We may also use your personal information to target direct mail and offers to you. If you do not want to receive direct mail, you can let us know. You can read more about how to do it under the heading "How do I do not get advertising from you?".

We can also process your information to give you personal offers, we do this through socalled profiling. Such marketing may, among other things, be based on how you use our services and your behaviour in our digital channels.

Especially about camera surveillance

For security reasons, we have recording surveillance cameras in our office. The legal basis for camera surveillance is legitimate interest, i.e., we have assessed that camera surveillance is necessary to prevent and investigate crimes.

We normally save recordings from camera surveillance for 60 days.

When you have given your consent

In some cases, we need your consent to process your personal data. For example you can give your consent for receiving marketing material such as newsletters or event invitations.

You can withdraw a consent you have given at any time. The processing we have already done will not be affected, but we will not continue to process the data unless we have another basis for the processing than that for which the consent was intended.

According to data protection legislation, the processing of sensitive personal data is only permitted in certain circumstances. You can read what a sensitive personal information is under the heading "What constitutes personal data?".

We may process sensitive personal data, such as dietary preferences, if you have given your consent.

We will store your personal data for as long as the agreement with you lasts. Thereafter, taking into account the rules on prescription, we keep the data for normally another 10 years. When we store personal data for other purposes than the contractual relationship, other time limits may apply. This may be, for example, to comply with anti-money laundering and accounting legislation.

If you do not enter into an agreement with us, we will normally keep your data for a maximum of three months after indication that an agreement will not be entered into. In some cases, we may need to store the data for a longer time, for example to comply with anti-money laundering legislation.

We do our best to protect your personal data from accidental or unlawful destruction, loss or alteration, unauthorised disclosure or unauthorised access. We do this using both technical and organisational measures.

We always aim to not process any more data than necessary. If a partner processes personal data for us as a so-called data processor, they must always commit to maintaining the appropriate level of security and take appropriate protective measures.

Within the SEB Group

Sometimes another company within the SEB Group may process your personal data. This can be, for example, to give you offers on other products, improve our product range, do different types of analyses and risk models or to be able to offer you advice. When that happens, we support that processing on legitimate interest.

Outside the SEB Group

It is possible that your information will be processed by other companies we are in partnership with, though of course this will always take place pursuant to the applicable confidentiality rules.

By law, we are also obliged in some cases to disclose personal data to various authorities. You can read more about this in one of the sections above.

Transfers to third countries (countries outside the EU and EEA)

In some cases, we may transfer personal data to countries outside the EU and EEA (also known as third countries) and to international organisations. We only make such transfers after a special risk assessment has been conducted and if other rules in General Data Protection Regulation (GPDR) have been followed and if any of the following conditions are met:

• The European Commission has determined that there is an adequate level of protection in the country in question.
• We have taken other appropriate protective measures, e.g. standard contractual clauses or binding company rules.
• Special authorisation from a supervisory authority has been obtained.
• Such transfers are permitted in special cases by applicable data protection legislation.

The information we collect about you includes information about identity such as name, address, date and place of birth, passport copy, signature copy and tax identification number. We also collect contact information such as registered address and information about connections, such as status as a politically exposed person and close family members. We may supplement this information with information from public sources and registers.

We routinely collect and update information about you as a beneficial owner, in accordance with the requirements of applicable law where we are required to identify you as a beneficial owner. We receive the information directly from the company, its representative or from you directly as the beneficial owner.

We process your personal data for specific purposes and when we have a legal reason for doing so.

To comply with laws and authority decisions

We have a requirement to be able to identify the beneficial owner in the countries where we are present in order to combat anti-money laundering (AML). The legal requirement will normally apply jointly and separately in each country where our customer has business with us. For example, where a customer has accounts in several different countries, each country may have a separate requirement to identify the customer's beneficial owner.

In addition to the AML requirements, there are requirements for identification of the beneficial owner in several other regulations, e.g. some of the tax reporting rules.

Once we have identified you, we will also check for external sanction lists, for negative media coverage and for verification against other third-party relationships to which we have access. If necessary, we will include your information in reports to or during reviews by regulators as the beneficial owner of a company for which we are required to provide details. Where you are also a customer of SEB as a private person, we may combine information about you in your role as a beneficial owner.

We will store information about you as a beneficial owner as long as it is valid. We also need to save the information about you for as long as it is needed to be able to comply with relevant legislation and accounting requirements, for example legislation on antimoney laundering and accounting.

We do our best to protect your personal data from accidental or unlawful destruction, loss or alteration, unauthorised disclosure or unauthorised access. We do this using both technical and organisational measures. We always aim to not process any more data than necessary. If a partner processes personal data for us as a so-called data processor, they must always commit to maintaining the appropriate level of security and take appropriate protective measures.

Within the SEB Group

We will share information collected about you as a beneficial owner with other parts of the SEB Group in accordance with internal data sharing agreements.

Outside the SEB Group

We will also share personal information about you as a beneficial owner with regulatory authorities where there is a legal requirement for us to disclose such information. We will share personal information about you as a beneficial owner with third parties when we are asked to do so by the company for which you are the beneficial owner.

For you as a company representative

We will routinely collect contact information such as phone, email, office address, title and the company you represent. In addition, for certain roles, we will collect information about your knowledge, experience and understanding of financial products. When you interact with SEB-staff, the phone calls can also be recorded. Finally, where we invite events to you, we can collect dietary preferences.

We collect information directly from you or from the corporate customer you represent. The information may be obtained from agreements entered into by our client, through ongoing dialogue, correspondence and conversations.

For you as an authorised signatory or proxy holder

We collect personal information about you such as name, social security number or other unique identifier, registered address, the representative company and any restrictions relating to signing or power of attorney rights. We also keep records of arrangements and transactions that you have entered into as such.

Information is collected from our immediate customers and external public records.

We process your personal data for specific purposes and when we have a legal reason for doing so

To prepare and administer agreements

Customer representatives

Where our products and services have been agreed with a legal entity, we work with our customers at various levels to deliver these products and services. We do this to fulfil our contractual obligations or rights, to prevent fraud and manage various types of risks and to pursue our legitimate interest in marketing our products and services to the entities you represent.

Signatories and authorised representatives
If you are an authorised signatory or similar representative of a customer, we may collect personal information for the purpose of verifying the authority to enter into relevant agreements and enable the related customer to enter into transactions and agreements with us and to prevent fraud of various kinds

To comply with laws and authority decisions

We also need to process your personal data in order for us to fulfil our obligations under law, other statutes or authority decisions. It can be, for example:

• to comply with the requirements of accountancy legislation
• to comply with the requirements of money laundering legislation
• to check personal data against sanctions lists as required by law or a decision from an authority
• to report to the Finnish Tax Authorities, the Police, the Enforcement Authorities, the Finnish Financial Supervisory Authority and other Finnish and foreign authorities
• to comply with legislation concerning risk management, which includes processing personal data to determine the quality of credit for capital adequacy purposes
• to comply with legislation concerning payment services, for example through providing data to so-called third-party payment service providers who are authorised to offer account information or payment initiation services, and through our payment monitoring measures to detect fraud
• to comply with legislation relating to securities business

Customer representatives

We will keep your information as long as it is current. Where we collect such information for regulatory purposes, e.g. recorded conversations or information about experience and understanding of financial products, the information will be retained until applicable record keeping requirements expire in each jurisdiction in which they are invoked.

Signatories and authorised representatives

We will retain personal information about you as long as it is accurate and as long as we need them in order to comply with relevant legislation, including during any registration requirements to which we are subject.

We do our best to protect your personal data from accidental or unlawful destruction, loss or alteration, unauthorised disclosure or unauthorised access. We do this using both technical and organisational measures. We always aim to not process any more data than necessary. If a partner processes personal data for us as a so-called personal data processor, they must always commit to maintaining the appropriate level of security and take appropriate protective measures.

Within the SEB Group

Sometimes another company within the SEB Group may process your personal data. This can be, for example, to give you offers on other products, improve our product range, do different types of analyses and risk models or to be able to offer you advice. When that happens, we support that processing on legitimate interest.

Outside the SEB Group

We will not share your personal information outside of SEB except in the following specific circumstances: i) we are obliged to do so by law, e.g. for regulatory reporting; ii) we act as a financial intermediary and are instructed by our nearest customer to e.g. pay a payment in your name to an account that is not with SEB; or iii) we act as agents and are instructed by our nearest customer to share the information within e.g. a syndicate. In financial intermediation, we will transfer your information to a recipient in the relevant market when we are asked to do so. This can be e.g. a bank, stock exchange, depositary or issuer in a third country.

According to the data protection legislation, you are entitled to control over your own data and to know how we process data about you. You can contact us if you want to exercise any of your rights.

Requesting a personal data extract

You have the right to obtain information about what personal data we process about you. You can obtain this by requesting an extract from us.

Correcting incorrect or incomplete data

If it transpires that we are processing personal data about you that is incorrect, you are entitled to request the data to be corrected. You may also request that an incomplete piece of data about you be supplemented.

Removing your data

You have the right to have any or all of your personal data deleted. This is sometimes referred to as “the right to be forgotten”. In some cases, we may be unable to delete all the data. In such cases, this is due to the fact that we are required to store the data on the basis of contractual obligations or legislation. In such cases, this is due to the fact that the data is still necessary for its original purpose and we still have a legal basis for processing it.

Restricting how we process your data

In some situations, you are entitled to ask for our processing of your data to be restricted for a certain period of time. This could be, for example, if you believe that a piece of data about you is incorrect and we need to verify this. This may also be if you have objected to processing that are basing on a legitimate interest. In this case, we have to check whether our reasons take precedence over yours.

Objecting to how we process your data

If we process data about you on the basis of a legitimate interest, you may object to this processing. In order for us to continue to process the data, we need to be able to demonstrate that we have justified compelling reasons for the processing, and that these reasons take precedence over your interests and rights. You can read more about legitimate interest in the appropriate section above.

Transferring your data to another actor

If we process your personal data on the basis of an agreement or consent, you have the right to obtain the personal data you have provided to us. If it is technically possible, you also have the right to have the data transferred to another actor. This is known as data portability.

Filing a complaint with the supervisory authority

If you want to file a complaint about how we process your personal data, please contact the supervisory authority. In Finland, this is the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
Lintulahdenkuja 4
00530 Helsinki
tietosuoja@om.fi

Profiling is when personal data is automatically processed to make analyses about your financial situation, personal choices, interests or behaviours in our various sites.

We collect statistical data from external sources. This may be data about your lifestyle and typical behaviour based on demographic household data. Using this statistical data, we create profiles and can combine them with the data that we already have about you.

We use profiling to perform customer analyses for marketing purposes. This marketing may be based on information obtained when you use our services and are active in our digital channels. We also use profiling to improve your experience when you use our digital services, by streamlining the services and products and by creating customised offers just for you. We may also use profiling to monitor transactions to prevent fraud.

You can request not to receive direct marketing from us. You will need to contact us and let us know that you want to prohibit direct marketing.