Rules regarding the bank’s processing of personal data
The bank’s access to process personal data is subject to the Personal Data Act and its implementing Personal Data Regulations and the Norwegian Data Protection Authority’s licensing terms. On this basis, the bank has drawn up the following supplementary privacy protection rules. These rules supplement any other contractual terms and conditions in force between you and MyBank and apply to all services, both present and future.
Personal data are taken to mean customer information and assessments that can be linked to you as a private customer.
In the absence of any other authority in law, the bank’s processing of your personal data will be based on voluntary, express and informed consent given by you. Consent is not, for example, required when personal data are registered and used in order to execute an agreement or perform a transaction for the customer.
The purpose of data processing
The purpose of the bank’s processing of personal data is primarily customer administration, billing and in order to fulfil the obligations assumed by the bank for executing transactions and service agreements with the customer. The bank will otherwise process personal data to the extent required or permitted by Norwegian law or consented to by the customer.
In addition, personal data will be processed for purposes such as the following:
- Customer relationship management and marketing (see Section 7)
- Risk-classification of customers and credit portfolios (see Section 8)
- Prevention and detection of criminal acts (see Section 9)
Information on data processing and right of access
In the rules below, the bank provides general information on its processing of personal data.
Information on the customer’s service agreements with the bank will in the main be made available in the customer’s internet banking service. If the customer does not have internet banking or other means of reading electronic documents, that information can be made available by e-mail. The customer has the right to demand, by written and signed request to MyBank ASA, Enebakkveien 133, N-0680 Oslo, Norway, access to other registered personal data, a description of the type of data processed and detailed information on the bank’s processing of such data.
Personal data procured by the bank
Personal data registered by the bank will in the main have been received directly from the customer. When procuring data from third parties (such as from other banks/financial undertakings, credit information undertakings and the Norwegian Banks’ Improper Use Register), the customer will be notified, unless such procurement is statutory, notification is impossible or unreasonably difficult or the customer is known to be familiar with the information the notification is to contain.
If the bank wishes to procure data from the customer which is not necessary for management of the customer relationship, the bank shall first inform the customer that disclosure of such data is voluntary and what the data will be used for (meaning the purpose of the data processing).
The nature of personal data registered by the bank
Upon entry into agreement and during the term of the ongoing agreement, the bank will register data on the customer and other persons associated with the agreement, such as authorised users. The bank will also register data on persons the bank has declined to sign an agreement with, with a view to being able to notify that person as to why their application was denied, and subsequently to be able to document the customer relationship, including to substantiate that non-fulfilment of a deposit or payment instruction was on objective grounds.
Personal data registered by the bank will be disclosed to public authorities and other third parties where this is pursuant to a legal obligation or right to disclose information. Where permitted by Norwegian law and the bank’s duty of confidentiality, personal data may also be disclosed to other banks and financial undertakings and to business partners for use within the purposes stated for the processing. The transmission of personal data to the bank’s data processors is not regarded as disclosure.
The bank will also disclose personal data to other business undertakings within its business group or consolidated group provided that such disclosure is necessary for the purpose of fulfilling group management, control and/or reporting requirements prescribed by or pursuant to legal statutes. It is assumed that the processing of personal data is subject to confidentiality within the undertaking to which the data are disclosed.
When executing payment transactions to or from abroad, the associated personal data will be disclosed to the foreign bank and/or its intermediary. The extent to which such personal data are to be disclosed to public authorities or supervisory bodies, for example, in compliance with the recipient country’s tax and excise legislation and measures to counter money laundering and the financing of terrorism, is subject to the legislation of the recipient country.
Customer relationship management and marketing
The bank will inform the customer about products within the product categories in which an agreement already exists between the customer and the bank. The bank’s products are divided into the following categories:
- Payment services
- Savings and deposit products
- Loans and other credit facilities
Without the customer’s consent, the bank will be able to use the following neutral data for customer relationship management and marketing: the customer’s name, contact details, date of birth and which services or products the customer has contracted for. The bank may obtain such neutral data from a group-wide customer register.
If products and services are marketed within a product category other than the one for which the bank and the customer have concluded an agreement (see first paragraph), the customer’s consent is required for use of customer data other than those that are neutral.
The customer may contact the bank to demand his or her name be blocked for marketing purposes.
Risk-classification of customers and credit portfolios
Pursuant to the rules of the Financial Services Act, the bank will process credit information and other personal data when setting up and using systems for calculating capital requirements for credit risk. Systems for internal survey methods are in this context defined as the bank's models, operational and decision-making procedures for granting and managing credit facilities, control mechanisms, IT systems and internal guidelines for classification and quantification of the institution’s credit risk and other relevant risk.
Personal data for this purpose will be procurable from credit information service providers.
Prevention and detection of criminal acts (anti-money laundering)
The bank will process personal data for the purpose of preventing, detecting, solving and managing fraud and other criminal acts. The data will be procured from and disclosed to other banks and financial institutions, the Norwegian Banks’ Improper Use Register, the police and other public authorities. The data retention period will be up to ten years after registration.
The bank will process personal data in order to meet its investigative and reporting obligations for suspicious transactions pursuant to the Money Laundering Act. The bank is under obligation to report suspicious information and transactions to the Financial Intelligence Unit (FIU) of the National Authority for Investigation and Prosecution of Economic and Environmental Crime in Norway (ØKOKRIM).
Under Section 23 (1) (b) and (f) of the Personal Data Act, the customer does not have right of access to the data registered by the bank for these purposes.
Correction and deletion
The bank will delete or anonymise registered personal data if the purpose for the processing of each set has been fulfilled, unless Norwegian law requires or permits retention of the data beyond such time. Within the limitations prescribed by the Personal Data Act, the customer has the right to have inaccurate and unnecessary personal data corrected or deleted.