Privacy Notice
1. Introduction
Norion Bank AB (company registration number 556597-0513) (“Norion Bank,” “we,” “our,” or “us”) is the data controller for the processing of your personal data under the EU General Data Protection Regulation (also known as GDPR).
Norion Bank operates under three brands: Norion Bank (Corporate and Real Estate), Walley (Payments) and Collector (Retail). This privacy notice is addressed to natural persons - the data subject in GDPR terminology - whose personal data is processed by Norion Bank, whether you are acting in your capacity as a representative of a company or other legal person or as a consumer (‘customer(s)’, ‘you’, ‘your’, or ‘yours’).
This privacy notice explains what kind of information Norion Bank collects and processes when you, as a representative of a company, use Norion Bank's products or services including business loans, property loans, factoring and Corporate Accelerator.
This privacy notice further describes why we use personal data, how we use personal data, where we obtain personal data and how we share personal data. We also explain the rights you have under the GDPR and how to contact staff at Norion Bank.
For information on how we process personal data when using our services provided under the bank's other two brands (Walley and Collector), we refer to the respective data protection information at walley.se and collector.se.
Data controller: Norion Bank AB
Company registration number: 556597–0513
Visiting address: Lilla Bommens Torg 11, 411 04 Gothenburg
PO box address: Box 11914, 404 39 Gothenburg
Telephone: +46 (0)10-161 00 00
E-mail: privacy@norionbank.se
2. Purpose and legal basis for processing data
According to the GDPR, a legal basis (legal support) is always required for Norion Bank to be authorised to process personal data. We use the following four legal bases to process personal data in the context of the Norion Bank brand:
- Performance of a contract - Personal data may be processed if necessary for the performance of a contract to which a natural person is a party or to take steps at the request of a natural person prior to entering into such a contract.
- Legal obligation - Personal data may be processed if necessary for Norion Bank to fulfil an obligation under law or a decision by an authority.
- Legitimate interest - Personal data may be processed on the basis of Norion Bank's or a third party's legitimate interest. You have the right to object to processing carried out on the basis of Norion Bank's or a third party's legitimate interest. See the section Your rights, below, for more information on your right to object.
For more information on the legitimate interest of Norion Bank or third parties, please see the section below on the purposes and legal basis for processing personal data. If you want to know more about how we have assessed Norion Bank's and third parties' legitimate interest through a so-called balance of interests, you are always welcome to contact us at privacy@norionbank.se.
- Consent - Personal data may be processed if you have given consent to processing for one or more specific purposes. Where the legal basis for processing personal data is consent, you may give such consent to the processing of personal data. You have the right to withdraw your consent at any time by contacting us at privacy@norionbank.se. In such a case, we have no further right to process the data on the basis of the consent. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of your consent, before the consent was withdrawn.
3. What personal data do we process about you as a representative of a company and why?
The tables below describe the purposes for which we process your personal data, i.e. why your personal data is processed when you represent a company or organisation that is a customer of ours. We also describe what personal data is processed and whether it has been obtained directly from you or from a third party. Third parties include, for example, the Swedish Companies Registration Office (Bolagsverket) or the Swedish state personal address register (SPAR). We also describe the legal basis on which we support our processing under the Data Protection Regulation.
More detailed information about Norion Bank's products and services is available on this website (www.norionbank.se).
3.1 Purpose and legal basis when the company you represent starts using any of Norion Bank's services or products
Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
Secure and verify your identity as a representative of the company when the company applies to use Norion Bank's services or products. | Contact and identification details of you as a representative: Name, personal ID number, company registration number and e-mail address. Information you provide to our customer service: E.g. recorded phone calls, chat conversations, or email correspondence. | | Performance of a contract. Legal obligation to establish the identity of customers under the Anti Money Laundering Act (2017:630). The legitimate interest of Norion Bank and other customers to prevent fraud and protect customer data from unauthorized disclosure and use. | |
To document, administer and fulfil the agreement the company has entered into with Norion Bank. | Contact and identification details: Name, personal ID number, copy of passport (board members), company registration number and e-mail address. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Information you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. | | Performance of a contract. The legitimate interest of Norion Bank to perform a contract concluded with a legal person. | |
To provide the company with Norion Bank's business loan offer. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. | Contact and identification details from e.g. the Swedish Companies Registration Office (Bolagsverket) or other search engines: E.g. name and personal ID number. | Performance of a contract. The legitimate interest of Norion Bank to perform a contract concluded with a legal person. | |
Providing the company with Norion Bank's property loan offer. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. | Contact and identification details from e.g. the Swedish Companies Registration Office (Bolagsverket) or other search engines: E.g. name and personal ID number. | Performance of a contract. The legitimate interest of Norion Bank to perform a contract concluded with a legal person. | |
Providing the company with the Norion Bank factoring offer. | Contact and identification details: Name, personal ID number, telephone number, e-mail address and company registration number. | Contact and identification details from e.g. the Swedish Companies Registration Office (Bolagsverket) or other search engines: E.g. name and personal ID number. | Performance of a contract. The legitimate interest of Norion Bank to perform a contract concluded with a legal person. | |
When you participate in Norion Bank's Corporate Accelerator training programme. | Contact details: Name, e-mail address and mobile number. | | Norion Bank's legitimate interest in providing the Corporate Accelerator training programme aimed at SMEs with a growth focus. | |
To send you information (e.g. by email) about the service(s) the company uses (not including marketing). | Contact and identification details: Name, date of birth, personal ID number, e-mail address and telephone number. | | Performance of a contract. The legitimate interest of Norion Bank to perform a contract concluded with a legal person. | |
3.2 To prevent money laundering, financing of terrorism, fraud and for security purposes
Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
To prevent and discourage our services, such as Norion Bank’s website, being misused or exploited in ways that contravene laws or general terms and conditions. | Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response times for websites. | | Legal obligation according to the General Data Protection Regulation to protect personal data. Norion Bank’s legitimate interest in conducting systematic network and information security to protect you and other customers, as well as Norion Bank. | |
To maintain and conduct systematic information security work. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. | | Legal obligation according to the General Data Protection Regulation to protect personal data. Legal obligation to conduct systematic network and information security according to the Swedish Financial Supervisory Authority’s regulations and general advice on information security, IT operations and deposit systems (FFFS 2014:5). | |
To prevent Norion Bank’s operations being exploited for money laundering or the financing of terrorism. Personal data is processed to collect information about all customers to enable the bank to understand who the customer is and how the customer intends to use the bank’s services and products. The purpose is to detect deviations and prevent the bank from being used for criminal purposes. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. Information about your finances: e.g. information about your income, record of non-payment, order to pay and debt restructuring, and information regarding where specific payments are coming from or what they will be used for. Payment details: e.g. credit and debit card details (and transactions). | Data about your purchase: e.g. data about your interaction with Merchants, ordering and delivery. Also data from external lists, so-called PEP lists, which include people who have or have had an important public function and are therefore considered to be persons in a politically exposed position (“PEP”) and their relatives and close associates (“RCA”). The lists include information such as name, date of birth, place of birth, profession or position and reason why the person is on the list. | Legal obligation according to The Money Laundering and Terrorist Financing (Prevention) Act. | The processing includes profiling and automated decision-making – see section 9 below. |
Carry out a control of the personal data against sanctions regulations to ensure that they are not violated. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. Information about your finances: e.g. information about your income and information regarding where specific payments are coming from or what they will be used for. | Information from external sanctions lists and PEP lists: The lists contain the names of persons subject to restrictions decided by the EU and, for example, the Office of Foreign Asset Control (“OFAC”). The lists include information such as name, date of birth, place of birth, profession and/or position and the reason why the person is on the list. | Legal obligation under e.g. Act (1996:95) on certain international sanctions. | The processing includes profiling and automated decision-making – see section 8 below. |
Establish, file and defend legal claims. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. Information you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. | | The legitimate interest of Norion Bank to establish, file and defend legal claims, e.g. to handle complaints and claims in connection with legal proceedings or to prevent the use of Norion Bank's services in violation of the law or the terms of service. | |
Managing complaints. | Contact and identification details: Name, personal ID number and company registration number. Information you provide to our customer service: e.g. recorded phone calls, chat conversations, or email correspondence. | | Legal obligation under e.g. the Swedish Financial Supervisory Authority's general advice on complaints management regarding financial services for consumers (2002:23). | |
3.3 Product development, finance and statistics purposes
Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
For statistical and risk management purposes, e.g. in the context of establishing risk calculation models and managing capital coverage obligations. | Contact and identification details: Name, personal ID number, company name and company registration number. Payment details: e.g. credit details such as amount, date and debt-to-income ratio. | Information about your finances: e.g. information about your income, record of non-payment, order to pay and debt restructuring. | Legal obligation to ensure compliance with the Consumer Credit Act (2010:1846) and capital requirement rules according to the Capital Requirements Regulation and the Capital Requirements Directive. | |
To conduct bookkeeping and accounting in accordance with the law. | Contact and identification details: Name, personal ID number and company registration number. Payment details: e.g. credit and debit card details (card number, validity date and CVV code), bank account number, bank name. | | Legal obligation to ensure bookkeeping and accounting according to the Swedish Accounting Act (1999:1078). | |
Anonymize personal data to improve our services and analyze customer behavior. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. Payment details: e.g. credit and debit card details. Information about your finances: e.g. information about your income. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response times for websites. | Contact details: e.g. name, date of birth, personal ID number, postal/delivery address. Payment details: e.g. credit and debit card details. Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. Information about your finances: e.g. information about your income, record of non-payment, order to pay and debt restructuring. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response times for websites. | Norion Bank's legitimate interest to develop our business and services through data analysis in order to test and refine product ideas and concepts. | Anonymized data is not covered by the GDPR because such data cannot be used to enable the identification of a natural person. By anonymizing information, we process as little information about you as possible and can thus enhance the protection of your privacy. |
In order to compile data for business and method development, market and customer analysis, both for our internal use and for our partners. This also includes anti-fraud measures. | Contact and identification details: Name, personal ID number and company registration number. Payment details: e.g. credit and debit card details. Information about your finances: e.g. information about your income. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response times for websites. | Contact details: e.g. name, date of birth, personal ID number, postal/delivery address. Payment details: e.g. credit and debit card details. Information about your finances: e.g. information about your income, record of non-payment, order to pay and debt restructuring. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. Technical information: e.g. response times for websites. | Norion Bank's legitimate interest in developing our business through data analysis to test and refine product ideas and concepts. | |
3.4 Credit purposes
Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
Ensuring payment of overdue debts, e.g. by collecting or selling overdue debts. | Contact and identification details: Name, personal ID number, copy of passport (board members) and company registration number. Payment details: e.g. credit and debit card details. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. | Contact details: e.g. name, date of birth, personal ID number, postal/delivery address. Payment details: e.g. credit and debit card details. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. | Norion Bank's legitimate interest in getting paid for overdue debts. | |
Transfer of a payment claim for an unmatured debt to another owner. | See the row above. | See the row above. | Norion Bank's legitimate interest in being able to sell debt receivables as part of Norion Bank's business. | |
Transfer of payment claims from a store to Norion Bank (‘factoring’). | See the row above. | See the row above. | Norion Bank's legitimate interest to be able to purchase receivables (payment claims) as part of its business. The legitimate interest of the third party (the store) to be able to purchase receivables (payment claims) as part of its business. | |
3.5 Marketing purposes
Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
Norion Bank wants to be able to send you messages and marketing if you have not opted out of direct marketing. Marketing may include customer offers and discounts. | Contact details: e.g. name, e-mail and phone number. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. | | Norion Bank's legitimate interest in marketing its services. | You always have the right to object to direct marketing, see section 8.5 below. |
Norion Bank wants to be able to send you customer satisfaction surveys and market research, unless you have declined to participate in such surveys. Such surveys may be sent by email or SMS. | Contact details: e.g. name, e-mail and phone number. | | Norion Bank's legitimate interest to conduct customer satisfaction and market research to improve our services. | You always have the right to object to direct marketing, see section 8.5 below. |
Decide which marketing should be sent to you. | Contact details: e.g. name, e-mail and phone number. Information about your device (computer, phone or similar): e.g. IP address, information about your device, device settings. | | Norion Bank's legitimate interest in adapting its marketing content to different target groups. | The processing includes profiling, see section 9 below. |
When you, as an individual or as a representative of a company, provide your contact details in one of our contact forms in order to obtain more information regarding the services we can offer you. | Contact details: e.g. name, e-mail and company registration number. | | Norion Bank's legitimate interest to establish and maintain contact with persons who have expressed interest in our services. | |
3.6 Processing of personal data through cookies
Purpose | Categories of personal data (collected from you) | Categories of personal data (collected from a third party) | Legal basis according to the General Data Protection Regulation | Other |
Tracking purposes: We keep track of visits and sources of traffic so that we can measure and improve the performance of the website. Doing so gives us an overview of which pages are most and least popular and lets us see how visitors navigate the website; it also helps us to understand where our users come from. | Website data: IP address, browser settings, which pages you visit or how long you spend on the page, what type of device you are using, how long it took to load a page and from which country you are visiting. | | Norion Bank’s legitimate interest in developing its websites to make them easier for the customers to use. Please note that enabling cookies requires your prior consent. This consent refers only to enabling cookies and is not a legal basis for processing personal data. | Detailed information about our placement of cookies and the possibility for you to change your settings can be found further down on the website under "Cookie settings". |
Marketing purposes: This type of tracking technology is set and used by our advertising partners to create a profile of your interests and display relevant advertisements on other websites. They do not store personal data, but they are based on unique identification of your browser. | Website data: IP address, browser settings, which pages you visit or how long you spend on the page, what type of device you are using, how long it took to load a page and from which country you are visiting. | | Norion Bank’s and third party’s legitimate interest in marketing its services. Please note that enabling cookies requires your prior consent. This consent refers only to enabling cookies and is not a legal basis for processing personal data. | You always have the right to object to receiving direct marketing – see section 8.5 below. Detailed information about our placement of cookies and the possibility for you to change your settings can be found further down on the website under "Cookie settings". |
4. Sharing of personal data
As stated below, we will disclose and transfer data about you to a partner, supplier or subcontractor. You have the right to object to the processing that is carried out based on the legitimate interest of Norion Bank or a third party. See section Your rights, below, for more information about your right to object.
4.1 Companies within the Norion Group
We may transfer and share your personal data with companies within the Norion Group. Personal data is shared on the basis of Norion Bank’s legitimate interest in sharing data within the group.
4.2 Public authorities
We may share and transfer information about you to different authorities such as the Financial Supervisory Authority, the Swedish Police or the Swedish Tax Authority. We will transfer all or some of your personal data that we process if we are obliged to do so by law or if you have given your consent.
Personal data is shared with the authorities when Norion Bank is obliged to share it by law, or in certain cases if you have requested that we do so. For example, we have a legal obligation to provide information for anti-money laundering and counter-terrorist financing measures to law enforcement authorities in case of suspicion of a criminal offence.
Depending on the authority and purpose, the legal basis is the fulfilment of a legal obligation, the fulfilment of agreements, or Norion Bank’s legitimate interests in counteracting and preventing criminal transactions.
4.3 Debt collection companies
Norion Bank may need to share your information when it sells or instructs a debt collection company to collect overdue unpaid debts. This sharing takes place in order to collect your overdue debts. The debt collection companies process personal data in accordance with their own data protection information and are the data controllers for their processing of personal data. We carry out this sharing of information based on our legitimate interest in collecting and selling debts.
4.4 Partners and suppliers
We may share your personal data with suppliers and partners who act as our data processors or as independent data controllers. This sharing is necessary in order for us to, for example
- Provide you with technology that enables electronic authentication.
- Engage suppliers of IT systems, hosting services and other technology.
- Have suppliers that provide us with development and operational services, including maintenance and support.
4.5 Others
We may also share your personal data with natural and legal persons who are authorised to access the data for various reasons, such as proxy holders of various kinds.
5. Transferring personal data to recipients in countries outside the EU/EEA
We strive to ensure that your personal data is processed only in countries within the EU and EEA, but data may be processed outside the EU and EEA (so-called “third countries”). Such processing takes place only provided that other rules in the General Data Protection Regulation are complied with and that one of the following conditions is satisfied:
- the European Commission has decided that there is an adequate protection level in the country in question according to article 45 in the General Data Protection Regulation; and
- other appropriate protective measures have been taken, e.g. standard contractual clauses or binding company provisions, according to article 46.2 and 47 of the General Data Protection Regulation.
When transferring personal data to a third country without an adequate level of protection, Norion Bank uses supplementary protection measures to protect transferred personal data. Examples of such measures include pseudonymisation or personal data not being transferred in plain text. Supplementary protection measures are used to ensure a suitable level of protection for transferred personal data.
You have the right to access a copy of the signed standard contractual clauses that form the basis for transferring personal data attributable to you. In this case, contact us at privacy@norionbank.se or at the address stated below.
6. Storage timeline for personal data
As stated above, we will only store and process your personal data for as long as there is a legal basis for it. The length of time we keep your data depends on the purpose of the personal data processing and the Bank's legal obligations to keep data.
6.1 To fulfil a contract
Generally, we will retain personal data relating to a contractual relationship for as long as the contractual relationship with you exists and for 10 years thereafter, taking into account mutual contractual limitation rules. In some cases, the data may be retained for a longer period of time due to capital requirement regulations with which we must comply.
If you have not entered into a contract with us but have for example provided personal data in an application, your personal data will normally be stored for up to three months. In some cases, your data may be kept for a longer period due to legal requirements.
6.2 For purposes required by law
In some cases, we may need to retain your personal data for a longer period of time to fulfil requirements under applicable laws. Retention periods may vary within the Norion Group depending on national legal provisions.
Below are examples of retention periods in accordance with legal obligations under Swedish law. If you want more information about how the assessment has been made, you can always contact us, see contact details in section 10.
When you use Norion Bank's products or services | Legal basis and retention period |
Data related to factoring. | We will process your personal data with us for the duration of the contractual relationship. As a general rule, your personal data will be deleted 8 years after your engagement with us has ended. However, certain information in relation to your engagement may be retained for up to 10 years after the engagement has ended in accordance with general limitation rules. This retention period is set to allow us to establish, enforce and defend our possible legal claims. If you do not enter into a contract with us, but have provided us with personal data, for example in an application, we will normally keep that data for a maximum of three months. In some cases, we may need to keep the data for longer, for example because of Anti Money laundering legislation. |
Data related to granted business loans. | We will process your personal data to administer your business loan(s) with us for the duration of the contractual relationship. As a general rule, your personal data will be deleted 8 years after your engagement with us has ended. However, certain information in relation to your engagement may be retained for up to ten years after the engagement has ended in accordance with general limitation rules. This retention period is set to allow us to establish, enforce and defend our possible legal claims. If you do not enter into a contract with us, but have provided us with personal data, for example in an application, we will normally keep that data for a maximum of three months. In some cases, we may need to keep the data for longer, for example because of Anti Money laundering legislation. |
Data related to granted property loans. | We will process your personal data to administer your Property Loan(s) with us for the duration of the contractual relationship. As a general rule, your personal data will be deleted 8 years after your engagement with us has ended. However, certain information in relation to your engagement may be retained for up to 10 years after the engagement has ended in accordance with general limitation rules. This retention period is set to allow us to establish, enforce and defend our possible legal claims. If you do not enter into a contract with us, but have provided us with personal data, for example in an application, we will normally keep that data for a maximum of three months. In some cases, we may need to keep the data for longer, for example because of Anti Money laundering legislation. |
To prevent money laundering and terrorist financing, fraud and for security purposes | Legal basis and retention period |
Prevent Norion Bank's business from being used for money laundering or terrorist financing. | 5 years or up to 10 years in accordance with the Anti Money Laundering Act (2017:630). |
Credit purposes | Legal basis and retention period |
Ensuring payment of overdue debts, e.g. by collecting or selling overdue debts. | 7 years plus the current year, in accordance with the Swedish Accounting Act (1999:1078) after the debt has been extinguished. |
6.3 For specific purposes
If we process your personal data on the basis of our legitimate interest, we will keep your personal data for as long as the purpose of the processing remains valid. Below are some examples of retention periods. If you want more information on how the assessment has been made, you can always contact us, see contact details in section 8.
Purposes | Legal basis and retention period |
To administer and manage the cases received by Customer Service. | Up to 10 years from the time of communication in the light of general statute of limitation rules. The processing is based on Norion Bank's legitimate interest to provide customer service and support. |
Recording the phone call when you contact Customer service by phone. | 90 days from the date of the recording. Please note that the phone call will only be recorded if you have given your consent. The processing is based on Norion Bank's legitimate interest to provide its customers with a quality and efficient customer service. |
Conduct market and customer satisfaction surveys to obtain feedback and further develop Norion Bank's products and services. | 12 months from the time of communication. The processing is based on Norion Bank's legitimate interest to further develop products and services and carry out improvement work following feedback from users of Norion Bank's products and services. |
6.4 Legal claims
Personal data may be stored for a longer period than stated above if it is necessary for the establishment, exercise or defence of legal claims.
6.5 Right to erasure
Under the General Data Protection Regulation, you have the right to request the erasure of your personal data. We will only delete your data if there are no legal or contractual obstacles. Read more in section 8 below.
7. Protection of personal data
Secure processing of your information is of the utmost importance to us. We therefore continually take appropriate technical, organisational and administrative security measures to protect the information we have against loss, misuse and unauthorised access, disclosure, amendment or destruction.
8. Your rights
To exercise your rights, you are always welcome to contact us at privacy@norionbank.se. You can also find more information about your rights at the Swedish Authority for Privacy Protection’s website.
8.1 Register extract
You have the right to receive a copy of your personal data that is registered with us in accordance with the applicable data protection legislation, i.e. a so-called register extract. You can request this by logging on to gdpr.norionbank.se or contacting us through the contact routes specified in this data protection information.
8.2 Rectification
If you suspect or have discovered personal data that is incorrect, incomplete or irrelevant, you have the right to request that the data be corrected or deleted. Contact us through the contact routes specified in this data protection information. See also the right to be forgotten under the section erasure below.
8.3 Erasure (the right to be forgotten)
You have the right to request that we erase personal data that concerns you (better known as the right to be forgotten). Once we have received such a request, we will make an assessment based on the individual case. We will erase your data only if there are no legal or contractual obstacles to doing so. For example, it is not possible to erase data that concerns you if there is a legal obligation to save the data.
8.4 Objection
You have the right to object to processing that is based on the legitimate interest of Norion Bank or a third party.
8.5 Objection (block against direct marketing)
As stated in section 3.5 above, Norion Bank or one of its partners will use your data for marketing and profiling. This means that you may receive advertising based on the data you have submitted. If you do not want to receive direct marketing, you can contact us through privacy@norionbank.se and request a block against direct marketing (so-called direct advertising block).
8.6 Data portability
Under certain circumstances where we process personal data with the support of an agreement or consent, you have the right to contact us to receive a copy of the personal data that you have provided us with yourself in a structured, generally used and machine-readable format (e.g. CSV or PDF), and you have the right to have this transferred directly to another data controller if this is technically possible.
8.7 Limitation
If you have contacted us with a request for erasure, objection or correction, you have the right to request a limitation to processing while your request is assessed. This may, for example, involve restricting the authority of officers to process your personal data or your personal data not being processed at all while your request is being assessed.
8.8 Confirmation of identity and processing times
If Norion Bank has reasonable grounds to doubt your identity, Norion Bank is obligated by law to request supplementary information to confirm your identity. If it is not possible in an individual case to confirm your identity, this will prevent Norion Bank from complying with your request.
Your request will be handled without delay and within one (1) month of your request being received by Norion Bank. This period can be extended by up to two (2) months in view of the complexity of your request and the number of requests received.
9. Automated decisions and profiling
9.1 Automated decisions
Norion Bank uses automated decision-making in the following situations:
- Decisions to approve your application to use a service that includes credit.
- Decisions not to approve your application to use a service that includes credit – these automated credit decisions are based on the data that you have provided, data from external sources such as credit reporting agencies and Norion Bank’s own information.
- Decisions on whether there is a risk of money laundering based on an analysis of customer behaviour – Norion Bank investigates, when relevant, whether specific customers are listed on sanction lists.
- Decisions on whether there is a risk of fraud in connection with a transaction or whether a certain customer constitutes a risk of fraud.
If your application is not approved during the automated decision-making described above, you will not receive access to Norion Bank’s services, such as our payment services. The purpose of automated decision-making is to make decisions in a time efficient, objective and predictable way. Automated decision-making is monitored by Norion Bank’s data protection officer.
9.2 Your right to object to an automated decision
Norion Bank’s legal basis for automated decision-making is that it is necessary for entry into or fulfilment of an agreement between you and Norion Bank, or that you have given your consent (article 22.1 a and 22.1 c of the General Data Protection Regulation).
You have the right to contact us at privacy@norionbank.se or +46 (0)10-161 00 00 for personal contact with an employee at Norion Bank. You have a special right to express your opinion and contest the automated decision. You also have the right to have the automated decision explained to you.
We will examine your objection in the individual case without delay and within one (1) month of Norion Bank receiving your request. This period can be extended by up to two (2) months in view of the complexity of your objection and the number of requests received.
9.3 Profiling
Profiling refers to the automatic processing of personal data that is used to assess certain personal characteristics of a natural person, particularly with regard to analysing or predicting, for example, their financial situation, personal references, interests and residence.
We use profiling for:
- market and customer analyses
- system development
- marketing
- transaction monitoring to counter fraud
10. Data protection officer
We have appointed a data protection officer who will monitor our adherence to the rules on personal data protection in our business. The data protection officer must fulfil their assignment in an independent manner in relation to the other parts of our business.
You have the right to contact the data protection officer with regard to any questions concerning your personal data and the fulfilment of your rights.
E-mail: dpo@norionbank.se
Telephone: +46 (0)10-161 00 00
11. Right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY)
For questions concerning our personal data processing, please contact us at privacy@norionbank.se. If you suspect that we have processed your personal data incorrectly or without permission, please contact us first so that we can investigate your views.
If you believe that we have processed your personal data incorrectly or without permission, you can direct a formal complaint to the Swedish Authority for Privacy Protection in accordance with article 77 of the General Data Protection Regulation. The Swedish Authority for Privacy Protection is the independent supervisory authority that exercises supervision over regulatory compliance with the General Data Protection Regulation in Sweden. You can find out more at www.imy.se.
12. Amendments to this privacy notice
Norion Bank reserves the right to make amendments to this data protection information at any time insofar as the amendments are necessary. All amendments are published on the website www.norionbank.se. You should therefore review this data protection information regularly to make sure you are satisfied with the amendments.
Last updated 2024–11–09