What constitutes personal data?
Personal data is information that can be directly or indirectly linked to a living person. For example, this may include name and personal ID number, but also other data specific to a person’s physical, genetic, psychological, financial, cultural or social identity. Data such as your IP address or your recorded voice may also be considered personal data if it can be linked to you.
Some personal data is considered particularly sensitive and is subject to special rules. Sensitive personal data refers to information that reveals:
- racial or ethnic origin
- political views
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data that identifies a natural person
- health data
- data on a natural person’s sex life or sexual orientation
What is processing?
Processing of personal data refers to everything that is done with the information, regardless of whether this happens automatically or not. Common examples of data processing include collection, recording, manipulation, storage, transfer and deletion. Only processing that is done automatically or forms part of a record is covered by data protection rules.
Who you do collect information about?
We collect information about you if you have entered into, or want to enter into, an agreement with us. This may be as a customer, guarantor or mortgagor, for example. Alternatively, we sometimes need to collect information about you if you are a contributor, trustee, director, proxy, representative, authorised signatory, certain type of contact person or actual principal. You can read more about when we collect this type of information in the next section.
What information do you collect, where does it come from and how do you collect it?
Information you provide to us
We collect information about you that you have directly or indirectly provided to us. For example, this could be in relation to a statement of interest or application, when you enter into an agreement with us or when we otherwise administer an agreement.
We may also store information we obtain or that emerges when you contact us. For example, we record certain phone calls. We may also store communications we receive by e-mail. In addition, we may store information from your use of online banking, our mobile app or other online services. For example, this could be information about how you use our services, your purchases and payments, your IP address or your geographical location.
Information we collect about you
In addition to the information you provide to us, we may collect information about you from other sources. This applies, for example, when we:
- regularly update information about name and contact details via the Finnish Population Register Centre ,
- retrieve information from credit reference agencies,
- carry out checks that we are required to perform in order to prevent our products and services being used for money laundering, by retrieving information from the sanctions lists of international organisations.
Why and on what basis do you process my personal data?
We process your personal data for specific purposes and when we have a legal reason for doing so.
To prepare and administer agreements
The most common reason we process your personal data is to document, administer and fulfil agreements we have with you. We need to collect personal data for this purpose so we can enter into agreements with you.
If it is not you who has entered into the agreement, but you are the insured party or a beneficiary, we will process your personal data on the basis of the legal obligations set out in the insurance agreement.
To meet our legal obligations
We also need to process your personal data in order for us to meet our obligations under the law, other statutes or decisions from authorities. This could be, for example:
- to satisfy the requirements of accountancy legislation,
- to satisfy the requirements of money laundering legislation,
- to check personal data against sanctions lists as required by law or a decision from an authority,
- to report to the Finnish Tax Authorities, the Police, the Enforcement Authorities, the Finnish Financial Supervisory Authority and other Finnish and foreign authorities,
- to comply with legislation concerning risk management, which includes processing personal data to determine the quality of credit for capital adequacy purposes,
- to comply with legislation concerning payment services, for example through providing data to so-called third party payment service providers who are authorised to offer account information or payment initiation services, and through our payment monitoring measures to detect fraud.
When we have a legitimate interest
We will process your personal data when necessary for a purpose where we have, after evaluating our interests, determined that our interests take precedence over your interests and rights.
Where we have a legitimate interest, we may process your personal data to carry out market and customer analyses for business development and to improve our product offering to our customers. Information may also be used to develop our systems and to carry out customer analyses in order to detect fraud.
We may also process your information to provide personalised offers to you. This marketing may be based on how you use our services and your behaviour on our digital channels. You can read more about profiling below.
We may also use your personal data to tailor advertising and offers for you. If you do want to receive direct advertising, you can let us know. You can read more about how to do this below.
When you have given your consent
In some cases, we need your consent to process your personal data. If so, we will ask you to agree to our processing of the data for the specific purpose.
You can withdraw any consent you have given at any time. The processing that we have already performed will not be affected, but we will not continue to process the data for this purpose. If you withdraw your consent, this may affect certain terms and conditions of an agreement, for example if you have received a discounted rate on the basis of the data supplied.
How long do you store my personal data for?
We will store your personal data for as long as the agreement with you lasts. After this, we will normally store data for a further ten years in accordance with statutory limitation rules. When we store personal data for purposes other than on the basis of a contractual relationship, the storage period may be shorter so we can comply with e.g. money laundering and accountancy legislation.
If you have not entered into agreements with us, but have provided us with personal data in e.g. an application, we will normally store the data for a maximum of thirteen months. In some cases we may need to store the data for a longer time, for example to comply with money laundering legislation.
How do you protect my personal data?
We do our best to protect your personal data from accidental or unlawful destruction, loss or alteration, unauthorised disclosure or unauthorised access. We do this using both technical and organisational measures.
We always aim to not process any more data than necessary, and we pseudonymise and anonymise your data wherever possible. If a partner processes personal data for us as a so-called personal data processor, they must always commit to maintaining the appropriate level of security and take appropriate protective measures.
Who can access my personal data?
Within the SEB Group
Sometimes another company within the SEB Group may process your personal data. This could be to offer you other products or to be able to offer you advice, for example. When this happens, we justify this processing on the grounds of a legitimate interest.
Outside the SEB Group
It is possible that your information will be processed by other companies we are in partnership with, though of course this will always take place pursuant to the applicable confidentiality rules. Such companies may include Suomen Asiakastieto, Mastercard and CA Technol. When companies we are in partnership with process your personal data, this is done in order for us to be able to fulfil our agreements with you or on the basis of a legitimate interest.
By law, we are also obliged in some cases to disclose personal data to various authorities. You can read more about this in one of the sections above.
Transfers to third countries (countries outside the EU and EEA)
In some cases, we may transfer personal data to countries outside the EU and EEA (also known as third countries) and to international organisations. We only make such transfers if other rules in General Data Protection Regulation (GPDR) have been followed and if any of the following conditions are met:
- The European Commission has determined that there is an adequate level of protection in the country in question.
- We have taken other appropriate protective measures, e.g. standard contractual clauses or binding company rules.
- Special authorisation from a supervisory authority has been obtained.
- Such transfers are permitted in special cases by applicable data protection legislation.
What are my rights?
According to the GDPR, you are entitled to control over your own data and to know how we process data about you. You can contact us if you want to exercise any of your rights.
Requesting a personal data extract
You have the right to obtain information about what personal data we process about you. You can obtain this by requesting an extract from us.
Correcting incorrect or incomplete data
If it transpires that we are processing personal data about you that is incorrect, you are entitled to request the data to be corrected. You may also request that an incomplete piece of data about you be supplemented.
Removing your data
You have the right to have any or all of your personal data deleted. This is sometimes referred to as “the right to be forgotten”. In some cases, we may be unable to delete all the data. In such cases, this is due to the fact that we are required to store the data on the basis of contractual obligations or legislation. In such cases, this is due to the fact that the data is still necessary for its original purpose and we still have a legal basis for processing it.
Restricting how we process your data
In some situations, you are entitled to ask for our processing of your data to be restricted for a certain period of time. This could be, for example, if you believe that a piece of data about you is incorrect and we need to verify this. This may also be if you have objected to processing that are basing on a legitimate interest. In this case, we have to check whether our reasons take precedence over yours.
Objecting to how we process your data
If we process a piece of data about you on the basis of a legitimate interest, you may object to this processing. In order for us to continue to process the piece of data, we need to be able to demonstrate that we have justified compelling reasons for the processing, and that these reasons take precedence over your interests and rights. You can read more about legitimate interest in the appropriate section above.
Transferring your data to another player
If we process your personal data on the basis of an agreement or declaration of consent, you have the right to obtain the personal data you have provided to us. If it is technically possible, you also have the right to have the data transferred to another player. This is known as data portability.
Filing a complaint with the supervisory authority
If you have any complaints about how we process your personal data, please contact the supervisory authority. In Finland, this is the Data Protection Ombudsman.
What is profiling?
Profiling is when your personal data is automatically processed in order to ascertain certain personal details, primarily your financial circumstances, personal preferences, interests or where you are.
We collect statistical data from external sources. This may be data about your lifestyle and typical behaviour based on demographic household data. Using this statistical data, we create profiles and can combine them with the data that we already have about you.
We use profiling to perform customer analyses for marketing purposes. This marketing may be based on information obtained when you use our services and are active in our digital channels. We also use profiling to improve your experience when you use our digital services, by streamlining the services and products that appear when you use online banking for example, and by creating customised offers just for you. We may also use profiling to monitor transactions to prevent fraud and for automated decisions. You can read more about automated decisions in the next section.
When we process personal data for profiling, we do it on the basis of our legitimate interest in order to fulfil an agreement or with your consent. If we need your consent, we will ask you whether you consent to the processing.
What are automated decisions?
In some cases, we may make use of automated decision making. This may involve us automatically approving or rejecting an online credit application, for example.
Our automated decisions may sometimes be based on profiling. Where such a decision has legal consequences for you, or otherwise affects significantly affects you, there are certain restrictions. We only make this type of decision if you have expressly agreed that we may do so, or if it is necessary in order for us to enter into or fulfil an agreement with you.
How do I opt out of advertising from you?
You can request not to receive direct marketing from us. You will need to contact us and let us know you want to have a direct advertising block.
Data protection officer
We have appointed a data protection officer tasked with ensuring that we comply with personal data protection rules. The data protection officer must carry out their duties independently of Eurocard AB. If you want to get in touch with our data protection officer, you can do so by writing Eurocard AB, bransch in Finland, Eteläesplanadi 18, 00130 Helsinki. You can also contact us by phone on +358 (0)9 6162 8000.