Data Protection Policy for Skandinaviska Enskilda Banken AB (publ), Oslo Branch

Personal data are any information that can be linked directly or indirectly to a living person. A person’s name and national identification number are examples of personal data, but such data can also comprise other information that is specific to an individual’s physical, genetic, psychological, financial, cultural or social identity. For example, your IP address or a recording of your voice can be personal data if they can be linked to you.

Some types of personal data are considered particularly sensitive and are covered by special rules. Examples of sensitive personal data are information that discloses membership of a trade union or information about your health.

Processing of personal data covers all actions done to or with the data, regardless of whether such operations are automated or not. Examples of standard processing operations include the collection, recording, organization, storage, transmission and deletion of data.

We collect information about you if you have entered into, or are intending to enter into, a contract with us. For example, as a customer, a guarantor or a mortgagor. In some cases, we will also collect information about you in your capacity as depositor, guardian, administrator, proxyholder, legal representative, authorized signatory, a form of contact person or beneficial owner. You can read more about the circumstances in which we collect this type of information in the next paragraph.

• Information you provide to us
  We collect information about you that you provide to us, either directly or indirectly. For example, this could be information you supply in an application form when entering into a contract with us or when we are administering a contract.
  
  We can also store information that becomes available when you contact us. For example, we record certain telephone conversations. We can also store communications that we receive via email. In addition, we can store information about your use of our online banking platform, our mobile app, or other digital services. The information we store can include how you use our services, your purchases and payments, your IP address and your geographical location. Most often, this type of information is collected using cookies.
  
  
• Information we collect about you
  In addition to the information you provide to us, we can collect information from other sources. For example, we can collect information when:
  - conducting our continual updates of name and contact information via Folkeregisteret (the National Population Register);
  - collecting information from credit reference agencies; and
  - collecting information from national and international databases in order to conduct mandatory checks to prevent our products and services being used for money laundering and to comply with our obligations with regard to international sanctions regimes adopted by the UN or EU or a similar body.
  
  
• Specifically on trading in financial instruments (securities)
  In accordance with laws governing trading in securities, SEB is obliged, when acting as an investment firm, to make audio recordings and to document other communications with clients (email, chat and so on) conducted in connection with the provision of investment and related services, and also to store such documentation. More detailed rules on audio recordings apply pursuant to SEB’s general terms and conditions for trading in financial instruments and can be accessed at seb.no.

We process your personal data only for specific purposes and only where we have a legal basis for doing so.

• Preparation and administration of contracts
  One of our most usual reasons for processing your personal data is to allow us to document, administer and fulfil contracts that we have entered into with you. Our collection of personal data for this purpose is an essential precondition for us to be able to enter into a contract with you.

• The processing is necessary to enable us to fulfil our legal obligations.
  We also need to process your personal data in order to fulfil our obligations under laws, regulations and official resolutions. Examples include:
  - fulfilling our obligations under the Accounting Act
  - fulfilling our obligations under the Anti-Money Laundering Act
  - fulfilling our obligations under the Securities Trading Act
  - screening your personal data against sanctions lists – something we are required to do to satisfy legislative and official requirements
  - for reporting to Skatteetaten (the Norwegian Tax Administration), the Police, Namsmannen (the Enforcement Commissioner), Finanstilsynet (the Financial Supervisory Authority of Norway) and other Norwegian and foreign authorities
  - to comply with legislation relating to risk management that covers the processing of data in connection with credit scoring in order to ensure our compliance with capital adequacy requirements.

We store your personal data for as long as our contractual relationship with you continues. Thereafter, we will generally store your data for a further 10 years counted from the end of the year when the contractual relationship terminates. Other time limits may apply if your personal data are being stored for purposes other than due to a contractual relationship or statutory or regulatory time limits, for example to satisfy the requirements of anti-money laundering measures or rules concerning accounting or taxation. In some cases, we store your personal data for a longer period in order to satisfy legislative requirements concerning capital adequacy.

We do our best to protect your personal data from unauthorized or illegal destruction, loss or alteration, unauthorized sharing, or unauthorized access. As a financial institution we are subject to strict rules concerning confidentiality. Accordingly, we have put in place extensive technical and organizational measures.

We will always endeavour to avoid processing more data than is necessary. If an external partner processes personal data on our behalf, that partner must always undertake to maintain an adequate level of security and to implement all necessary security measures. We ensure this by entering into contracts with such third parties.

Within the SEB Group

In the paragraph headed ‘Why do you process my personal data and what is your basis for doing so?’, we have explained why and on what legal basis we process your personal data. Primarily, your personal data will be processed by Skandinaviska Enskilda Banken AB (publ) Oslo Branch, but in certain cases other entities within the SEB Group will process your personal data, in accordance with established group directives and the global systems and processes established by the SEB Group. If other entities in the SEB Group process your personal data, such processing will be performed on the grounds of legitimate interest, with the exception of those cases where such processing takes place as the direct result of a legal requirement.

Outside the SEB Group

In some circumstances, your personal data may be processed by other companies or institutions with which we are collaborating. Such collaborations are always covered by the applicable regulatory framework concerning confidentiality. Examples of such companies and institutions could include Folkeregisteret (the National Population Register), Foretaksregisteret (the Register of Business Enterprises), Bisnode, VISA, Mastercard and Signicat (BankID). When such companies or institutions that we are collaborating with process your personal data, this is done so that we can fulfil our contractual obligations or on the grounds of legitimate interest.

In certain circumstances, we are also under a legislative obligation to transfer your personal data to various government authorities. You can read more about this topic in the preceding paragraphs.

Transfers to third countries (countries outside the EU and EEA)

In certain cases, we may transfer your personal data to a country outside the EU and EEA (a ‘third country’) as well as to international organizations. Such transfers are only permitted if additional rules in the Data Protection Regulation are followed and if one of the following criteria is satisfied:

• the European Commission has determined that the relevant country provides an adequate level of data protection;

• we have other necessary safeguards in place, e.g. standard contractual clauses or binding corporate rules;

• the supervisory authority has granted specific permission; or

• such a transfer is permitted in specific circumstances pursuant to the prevailing laws on data protection.

Under the rules on data protection, you have a right to obtain information about how your personal data are processed and you have control over your own data. You can contact us if you want to exercise your rights. Please note that these general rights apply only to the extent that they are not overridden by other legislative provisions.

Request a print-out containing an overview of the personal data we hold about you in our records

You have a right to obtain information about which personal data about you we are processing. You can obtain this by asking us to supply an extract from our records. You can request a simplified extract using our online banking platform, in which case you can view your data immediately. If you do not have access to online banking, or want to request a complete print-out, please complete the form at https://seb.no/regelverk-og-sikkerhet/personvern or contact our Data Protection Officer. You can find contact details for our Data Protection Officer at the end of this document.

Request the rectification of inaccurate or incomplete data

If it becomes apparent that the personal data we are processing about you are inaccurate, you have the right to request that these data are rectified. You also have the right to request the rectification of any incomplete data.

Erase your data

In certain circumstances, you have the right to require the deletion of some or all of your personal data. This is sometimes referred to as the right to be forgotten. In some cases, we cannot delete all of the data we hold about you. This may be because we are obliged to store the data pursuant to contractual provisions or prevailing laws and the data continue to be necessary for the original purpose and we continue to have a legal basis for processing the data.

Restrict our processing of your data for a limited period

I noen situasjoner kan du be om at behandlingen av informasjonen din blir begrenset i en periode. Hvis du for eksempel mener at en opplysning om deg er feil, må vi sjekke dette. Det kan også være om du har protestert mot behandling basert på legitim interesse. Da må vi sjekke om våre interesser veier tyngre enn dine interesser.

Complain about how we are storing your personal data

If we process personal data about you on the basis of a legitimate interest, you have a right to object to the processing. In order to continue processing your personal data, we must be able to show that we have necessary, legitimate reasons for processing the data, and that these outweigh your interests and rights. You can read more about legitimate interests in the preceding paragraphs.

Transfer your personal data to another party (‘right of data portability’)

If we process your personal data pursuant to a contract or your consent, you have the right to obtain from us such personal data as you have given us yourself. Providing it is technically feasible, you also have the right, subject to limitations that may be imposed by other legal provisions, to have your personal data transmitted to another person or actor. This is known as the right of data portability.