• trade union membership information,
• information about your health and your genetic background, e.g. inherited health qualities,
• biometric data, e.g. via facial recognition technology,
• information about your religious or philosophical beliefs, and
• information about your political opinions.

We also process sensitive personal data that may appear in budget and tax information you give us and transactions you ask us to initiate.

Purposes for processing sensitive personal data

We will only process sensitive personal data when we need to, including:

• for the purposes of the product or service we provide to you,
• to give you discounts related to e.g. trade union memberships,
• for identification and verification,
• for prevention and detection of money laundering and other types of crime, including for fraud prevention and detection purposes, and
• to comply with legal requirements that apply to us as a financial institution.

Legal basis for processing sensitive personal data

Our processing of your sensitive personal data can be on the legal basis of:

• your explicit consent, cf. GDPR art. 6.1(a) and 9.2(a),
• for reasons of establishment, exercise or defence of legal claims, cf. art 6.1(f) and 9.2(f) or
• for reasons of substantial public interest, cf. GDPR art. 6.1(c) or 6.1(f) and art. 9.2(g).

6. How do we collect information we hold about you?

Personal data collected from you
We collect information directly from you or by observing your actions, including when you:

• fill out applications and other forms for ordering services and products,
• submit specific documents to us,
• participate in meetings with us, e.g. with your advisor,
• talk to us on the phone,
• use our website, mobile applications, products and services,
• participate in our customer surveys or promotions organised by us, and
• communicate with us via letter, electronic means, including e-mails, or social media.

Voice recordings:
When you call us or when we call you at your request or to follow up on your inquiry, conver-sations may be recorded and stored due to documentation and security purposes. Before an employee answers the call or before you enter the queue, you will be notified if the call will be recorded. In few situations, e.g. in case of long waiting time, your call can though be redirected to a non-recorded employee without notifying you. If we talk with you about investment ser-vices, we are obliged to record and store our telephone conversation.

Personal data collected from third parties
We receive and collect data from third parties, including from:

• Shops, banks, payment and services providers when you use your credit or payment cards, Danske eBanking or other payment services. We process the data to execute payments and prepare account statements, payment summaries and the like.
• If you have a joint account with someone, we may collect information about you and your joint account from your co-account holder.
• The Swedish State Personal Address Register (Statens personadressregister (SPAR)), the Swedish Companies Register (Bolagsregistret), the Swedish Real Property Register (Fastig-hetsregistret), National Board of Housing (Boverket) and other publicly accessible sources and registers. Sometimes we collect these data via other third parties which provides them. We process the data, for e.g. identification and verification purposes and to check data accu-racy.
• Credit rating agencies and warning registers (e.g. UC AB). We process the data to perform credit assessments. We update the data regularly.
• Other entities in the Danske Bank Group if we have your consent, e.g. to provide you with better customized products and services.
• Other entities within Danske Bank Group if existing legislation allow or require us to share the information, e.g. if it is necessary to comply with group-based management, control and/or reporting requirements established by law, or sharing of notifications to the Swedish Financial Intelligence Unit and Swedish Security Service in accordance with anti-money-laundering legislation.
• External business partners (including correspondent banks and other banks) if we have your consent or if permitted under existing legislation, for example to provide you with a service or product provided by an external business partner you have signed up for, to enable our customers to use banking services abroad, or to prevent and detect money laundering fraud, abuse and loss.
• The customer you have a connection with.
  

• Other entities in the Danske Bank Group if we have your consent, e.g. to provide you with better customized products and services.
• Other entities within Danske Bank Group if existing legislation allow or require us to share the information, e.g. if it is necessary to comply with group-based management, control and/or reporting requirements established by law, or sharing of notifications to the Swedish Financial Intelligence Unit and Swedish Security Service in accordance with anti-money-laundering legislation.
• If you have asked us to transfer an amount to others, we disclose data about you that is nec-essary to identify you and fulfil the agreement.
• Service providers who are authorized as an account information service, payment initiation service, or card-based payment instrument provider, if you (or someone who via our online services can view information about your accounts or initiate payments on your behalf) re-quest such a service provider to receive information about you.
• Guarantors, pledgers, individuals holding a power of attorney, lawyers, accountants or others you have authorised us to share the information with.
• If you have a joint account with someone, we may share your information with your co-account holder.
• External business partners (including correspondent banks and other banks) if we have your consent or if permitted under existing legislation, for example to provide you with a service or product provided by an external business partner you have signed up for, or to prevent and detect anti-money laundering, fraud, abuse and loss.
• Our suppliers, including lawyers, accountants and consultants.
• Data processors including IT service providers who may be located outside the EU and the EEA, such as Danske Bank India. Bankgirocentralen AB and Finansiell ID – Teknik BID AB (BankID) are examples of two im-portant suppliers to Danske Bank Sweden.
• Social media companies such as Facebook.
• Public authorities as required by law or according to court orders or requests from the police, the bailiff, tax authorities or other authorities. This could include the Swedish Financial Intel-ligence and Swedish Security Service in accordance with the Swedish Anti-Money-Laundering Act, the Swedish Tax Authorities in accordance with the Swedish Tax Proceed-ings Act and the Swedish central bank (Riksbanken) for statistical and other purposes.
• Regulators, e.g. the Danish and the Swedish Financial Supervisory Authority (DK: Finanstil-synet SE: Finansinspektionen), law enforcement agencies and authorities in Sweden and in other countries, including outside the EU and the EEA, in connection with their duties.
• Credit rating agencies. If you default on your obligations to Danske Bank, we may report you to credit rating agencies and/or warning registers (UC AB) in accordance with applicable law.
• If you activate the payment information function in your smart phone it´s possible that your internet-, tele- or OS supplier like Google or Apple can view the information.
• For social and economic research or statistics purposes, where it is in the public interest.

8. Transfers outside the EU and the EEA and international organisations

Some third parties that we share personal data with may be located outside the EU and the EEA, including Australia, Canada and India.

When Danske Bank A/S transfer your personal data to third parties outside the EU and the EEA, we ensure that your personal data and data protection rights are subject to appropriate safe-guards through:

• ensuring that there is an adequacy decision by the European Commission, or
• using standard contracts approved by the European Commission or the Danish Data Protec-tion Agency.

You can get a copy of the standard contract by contacting us (see contact details in Section 13).

9. Profiling and automated decisions

Profiling

Profiling is a form of automated processing of your personal data to evaluate certain personal aspects relating to you to analyse or predict aspects concerning for example, your economic situation, personal preferences, interests, reliability, behaviour, location or movements.

We use profiling and data modelling to be able to offer you specific services and products that meet your preferences, prevent money laundering, determine prices of certain services and products, prevent and detect fraud, evaluate the likelihood of default risk, value assets and for marketing purposes.

Automated decision-making
With automated decision making, we use our systems to make decisions without any human involvement based on the data we have about you. Depending on the specific decision, we might also use information from public registers and other public sources.

We use automated decisions for example to approve loans or credit cards, to prevent and detect anti-money laundering and to prevent and detect fraud. Automated decision making helps us make sure that our decisions are quick, fair, efficient and correct, based on what we know.

In relation to loans and credit cards, we consider information about your income, your expenses and how well you have kept up on payments in the past. This will be used to work out the amount we can lend you.

In relation to the prevention and detection of money laundering, we perform identity and ad-dress checks against public registers and sanctions checks.

In relation to fraud prevention and protection, we do our best to protect you and your account against criminal or fraudulent activity by monitoring your transactions (payments to and from your account) to identify unusual transactions (for example, payments you would not normally make, or that are made at an unusual time or location). This may stop us from completing a payment that is likely to be fraudulent.

You have rights relating to automated decision-making. You can obtain information about how an automated decision was made. You can ask for a manual review of any automated decision. Please see section 11 on “Your rights” and “Automated decision making”.

10. How long do we store your personal data?

We keep your data only for as long as it is needed for the purpose for which your data were registered and used.

When your business connection with us has terminated, we normally keep your data for a fur-ther 7 years. This is primarily due to our obligations under the Bookkeeping Act, the Anti-Money Laundering Act and requirements from the Financial Supervisory Authority. In certain circumstances, we keep your information for a longer period of time. This is the case for exam-ple:

• if your personal information form part of our calculation of our capital requirements, then we may keep your information for up to 20 years,
• if the statute of limitation is 10 years, then we may keep your data for up to 10 years, and
• if required to due to other regulatory requirements.

If you as a potential new customer have asked for an offer for a loan or another product or ser-vice but refuses and do not become a customer, your personal data will normally be stored for six months, but may for some purposes be stored longer, to comply with other legal obligations for example the Anti-Money Laundering Act.

11. Your rights

Your rights in relation to personal data are described below. To exercise your rights, you can:

• make a request online at danskebank.se
• contact us via our main telephone number 0752-48 45 42, or
• if you have a personal advisor, contact your advisor directly.

See section 13 for more information on how to contact Danske Bank about data protection.

Right to access your personal data
You can request access to the personal data we process, where it comes from and what we use it for. You can obtain information about for how long we store your data and about who receives data about you, to the extent that we disclose data in Sweden and abroad. Your right of access may, however, be restricted by legislation, protection of other persons’ privacy and considera-tion for our business and practices. Our know-how, business secrets as well as internal assess-ments and material may also be exempt from the right of access.

Under the “Profile” section of the mobile bank app, you can obtain an overview of the personal data you have given us. You will find your contact information and information you have given us about your household, income, debt and so on. You can update the information if changes have occurred in your life.

You can make an access request via the mobile bank app or our webpage at danskebank.se.

Rights related to automated decision making
You can obtain information on how an automated decision was made and the effects of the decision, you can express your point of view, you can contest the decision, and you can request a manual review of any automated decision.

Right to object
In certain circumstances, you have a right to object to the processing of your personal infor-mation. This is the case for example when the processing is based on our legitimate interest.

Objection to direct marketing
You have the right to object to our use of your personal information for direct marketing pur-poses, including profiling that is related to such purpose.

Direct Marketing Block
You can always contact us and request a block concerning all types of direct marketing.

Right to rectification of your data
If data is inaccurate, you are entitled to rectification of the data. If data is incomplete, you are entitled to have the data completed, including by means of providing us a supplementary state-ment.

Right to erasure (‘right to be forgotten’)
You are entitled to have your data erased, if the data is no longer necessary in relation to the purposes for which they were collected.

There are some exemptions where we may or are required to keep your data, including:

• For compliance with a legal obligation, for instance if we are obliged by law to hold your data for a certain amount of time, e.g. according to anti money laundering legislation or the bookkeeping act. In such situations, we cannot erase your data until that time has passed.
• For the performance of a task carried out in the public interest.
• For establishment, exercise or defence of legal claims.

Restriction of use
If you believe that the data we have registered about you is incorrect, or if you have objected to the use of the data, you may demand that we restrict the use of these data to storage. Use will only be restricted to storage until the correctness of the data can be established, or it can be checked whether our legitimate interests outweigh your interests.

If you are entitled to have the data we have registered about you erased, you may instead re-quest us to restrict the use of these data to storage. If we need to use the data we have registered about you solely to assert a legal claim, you may also demand that other use of these data be restricted to storage. We may, however, be entitled to other use to assert a legal claim or if you have granted your consent to this.

Withdrawal of consent
Where consent is the legal basis for a specific processing activity, you can withdraw your con-sent at any given time. Please note that if you withdraw your consent, we may not be able to offer you specific services or products. Note also that we will continue to use your personal data, for example, to fulfil an agreement we have made with you or we are required to do so by law.

Data portability
If we use data based on your consent or as a result of an agreement, and the data processing is automated, you have a right to request the copy of the data you have provided in an electronic machine-readable format.

12. Changes to the privacy notice

We may change or update this privacy notice on a regular basis. In case of a change, the “effec-tive from” date at the top of this document will be amended. If changes to how your personal data are processed will have a significant effect on you personally, we will take reasonable steps to let you know of the changes to allow you to exercise your rights (for example, to object to the processing).

13. Contact details and how can you complain

You are always welcome to contact us if you have questions about your privacy rights and how we process personal data.

You can contact us via our main telephone number 0752-48 45 42. You are also welcome to contact your advisor directly.

You can contact our Data Protection Officer via email dpofunction@danskebank.com.

If you are dissatisfied with how we process your personal data, and your dialogue with the Data Protection Officer has not led to a satisfactory outcome, you can contact our complaints handling unit: Danske Bank, Legal Department, Box 7523, 103 92 Stockholm. You can also lodge a complaint with the Swedish Integritetsskyddsmyndigheten (IMY): Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, e-mail: imy@imy.se.

Privacy notice for all individuals (pdf)