SEB AB Privacy Notice
– Corporates and Institutional business
Last updated:June 12, 2024
SEB AB Privacy Notice provides information as to how, when and why Skandinaviska Enskilda Banken AB as a controller of personal data will collect and process personal data about you, depending on your interaction with us when you use any products or services from SEB.
This privacy notice describes how Skandinaviska Enskilda Banken AB (publ.) ("SEB", "we" or "us") collects and uses information about individuals in connection with the products and services we provide to our corporate and investment banking customers.
By “you” in this notice, we mean you as an individual who is a representative of our current or prospective customers, for example a legal representative or authorised signatory, or other individuals who work for or are otherwise engaged by our current or prospective customers.
We also inform about the rights individuals have in relation to their personal data and how to exercise those rights and get in contact with us.
Rights of individuals
You have certain rights related to the information that we hold about you, these rights and how to use them are explained below. Sometimes we may need to ask for additional information to confirm your identity. We do this to protect the information and ensure that no unauthorised person can access or change data that is not theirs.
You can request access to the information we hold about you, with some limited exceptions for example confidential information or trade secrets, internal drafts and memos.
We will also inform you about:
- why we are processing the information
- who we are sharing the information with and if any information is transferred to a country not deemed to have adequate protection in place for personal data
- how long we will be keeping the information
- the source of the information, if it was not collected directly from you
- if we are using the data for automated decision making or profiling
If you make a request for a copy of the personal information that we are processing, please be as specific as possible as this will both help us to identify the information more quickly and provide you with a copy without any undue delay.
The Swedish Authority for Privacy Protection's (IMY): Right of access
If you feel that the information we hold about you is inaccurate, you can ask us to correct and update it. If we have shared the personal data with a third party, we will inform such third parties so that they can correct inaccurate information.
The Swedish Authority for Privacy Protection's (IMY): Right to have incorrect information corrected
You can also request that we erase information, although that might not always be possible if doing so means we cannot perform our contract with the customer, or we have a legal obligation or legitimate interest to keep the information. We will explain the consequences for erasing your information.
The Swedish Authority for Privacy Protection's (IMY): Right to erasure of personal data
If you feel that we are processing the information unlawfully or with inaccurate information, you can request us to restrict the processing. Where personal data is subjected to restriction in this way, we will only process it with your consent or for the establishment, exercise or defence of legal claims unless we have your consent. If the processing is restricted, we will continue to store the information.
The Swedish Authority for Privacy Protection's (IMY): Right to restriction
If you disagree with any legitimate interest or public interest, we have relied upon to process the information, you can object to the processing. We will then stop processing the information unless we can demonstrate a compelling legitimate basis that overrides your rights, or the processing is required to establish, exercise or defend a legal claim.
The Swedish Authority for Privacy Protection's (IMY): Right to object
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to SEB in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller, in a machine-readable format, that is a format that can be read with technical means. The right to data portability does not apply if the information:
- is only available in paper form or as a scanned document in SEB's electronic archive
- would infringe the rights of someone else
- does not come directly from individual
- is created for internal use through analysis or evaluation
The Swedish Authority for Privacy Protection's (IMY): Right to move personal data
SEB is committed to safeguarding your information and upholding your rights as a data subject, but if you feel we have not done that, please contact us at:
- For data protection-related matters only
SEB
Data Protection Officer
106 40 Stockholm
dataskyddsombud@seb.se
- For other matters
SEB
106 40 Stockholm
dsr@seb.se
You can always reach out to the Swedish Data Protection Authority (IMY):
Complain about incorrect processing of your personal data
What personal data we collect and how we collect it
We collect the information directly from you or from our customer, such as your employer or the company where you are an officer or director.
This occurs when we administer the contractual or prospective contractual relationship. For example, we collect information when you:
- fill out applications and forms and submit specific documents to us
- use our products and services
- participate in meetings with us
- contact us via phone, e-mail, chat, or web form
We collect the following categories of personal information from you or from our customer:
- Identification information
For example first and last name, national identification number and information included in government-issued ID documents such as gender, nationality, photo. - Authentication information
Information we use to identify and authenticate you. For example, multi-factor identification details, signature and additional information that we receive from external sources we need for compliance purposes. - Contact information
For example, email address, telephone number, information about our relationship with you and/or our customer. - Work-related information
For example, job title, area of responsibility, employment, company officer or director, professional certifications, membership in professional organisations, education, experience. - Communication information
For exampl,e email and chat correspondence, notes, voice recordings, Teams recordings, where you are advised in advance of the recording. Information about the communication channels you use and ways of interacting with us. - Information required by law
Information we need to support our legal obligations. For example, information about and information required for detection of any suspicious and unusual activity and information about parties connected to you or these activities. - Sensitive personal data
For example, political opinions which could be revealed by lists of so-called politically exposed persons (PEPs), including family members and close associates. It includes information such as name, date of birth, place of birth, occupation or position, as well as the reason why the person is on such a list. Sensitive personal data can also be your possible food preferences when attending an event. - Investigation and Risk rating information
For example, due diligence checks, sanctions and anti-money laundering checks, external intelligence reports, internal investigation reports, content and metadata related to relevant exchanges of information between and among different representatives, credit risk rating/score, risk assessment reports, transactional behaviour and underwriting information. - Crime data
For example, information about criminal convictions or offences and recordings from our camera surveillance that are used to investigate crimes.
We may also collect and store information automatically about you when interacting with us, for example visiting our websites or mobile channels, or any other use of our online services. Such information is usually collected using so-called cookies or similar technologies:
Device information
For example:
- IP address
- language settings
- browser settings
- time zone
- operating system
- platform
- screen resolution
- device identifiers
- browser type and similar information about the device you use, such as mobile or computer, and device settings/usage
Technical information generated when using SEB's products and services, for example technical data such as:
- page response times
- ownload errors
- logs of the date and time when the service was used
Location determination data, where you are when logging in to our digital services for example:
- GPS coordinates
- login timestamps
Based on the specific products, services or business relationship as well as requirements under applicable law, we may collect the following categories of personal data on our own or from third parties about you:
- Public information
For example information you, your employer or other representative makes publicly available via a company website or in social media profiles. And information about you available in news feeds, exchange data feeds and other public data sources, including the public interest. - Government or organisational information
For example information provided by relevant regulators, government agencies and non-government credentialing or professional organisations. - Sanction information
For example information related to your status under economic sanctions, anti-money laundering and similar laws. Or other information that may impact our ability to engage in business with you or a company at which are an employee, officer or director. - Profile information
For example information from companies providing professional contact information to their customers or subscribers. - Other personal data
Information to the extent permitted by applicable law and reasonably necessary for the performance of our business obligations, compliance with laws applicable to our business or pursuit of our legitimate business interests.
The purposes for which we process your personal data
We may process your personal data for any of the following purposes, depending on the capacity in which you interact with us.
Examples to when we process your personal data for administration of customer relationship and access control:
- verifying who is authorised to represent the customer
- to authorise and control access to services and products by for example using BankID
- to communicate and advise about the product and services
- documenting agreements.
An example to when we process your personal data for marketing:
- To market our products and services by contacting you in your professional role or host events you attend to.
One purpose to why we process your personal data is to analyse your use for product improvement purposes. Such as to analyse information about the communication channels you use and ways of interacting with us, that is, customer insights for product and service improvements.
Examples to when we process your personal data to comply with our legal obligations:
- To perform the Know Your Customer (KYC) process, by obtaining information required to comply with to detection and prevention of money laundering and terrorist financing under the Anti-Money Laundering (AML) Act.
- To record telephone conversations relating to, at least, transactions concluded when dealing on own account. It is also done when providing client order services that relate to the reception, transmission and execution of client orders. This is in order to comply with MiFID II and applicable EU member state laws and MIFIR, and related acts and regulations.
Examples to when we process your personal data to defend:
- to establish or exercise legal claim or complaint
- when we are subject to a regulatory investigation
- when we may need to defend ourselves in legal proceedings
- when we may need to respond to a regulator or to a valid legal request, such as a preservation order, subpoena or search warrant
We process your personal data to ensure information security in our products and services and to monitor for security threats and fraud involving use of our products, services, sites or physical facilities. This processing involves the use of video surveillance and CCTV at the entrance to our offices, reception and customer areas.
We process your personal data for to share information with companies within the SEB Group, authorities or other third parties such as suppliers and subcontractors.
In order to improve the quality of our digital services and tailor them to your preferences we process your personal data. To do so we use cookies and similar technologies on our website and in our digital apps, including for marketing via digital channels.
If you have downloaded the SEB app or one of our other apps, we may send notifications to the device in which the app is installed. This is normally done in the form of push notifications. The message may include information that a purchase has been made, that an incorrect PIN code has been used, or that a purchase has been declined. In the system settings on your device, you can decide if you want to receive these types of messages, as well as how the information in the messages should be displayed on your device in locked mode.
Our legal basis for processing your personal data
We will only collect and use your information if we have a so-called legal basis to do so. This is a summary of the legal basis. If you want to know more details, please read the purpose table in the policy document.
- We use your information based on ours and our customer’s legitimate interest.
- We also use your information where we must comply with a certain legal obligation or obligations to comply with court orders arising in civil or criminal court proceedings, binding requests from regulatory authorities.
- We may ask for consent to certain processing which is not otherwise justified on any of the other legal basis. If consent is required for the processing in question, it will be sought directly from you to make sure it is freely given, informed and explicit. Information about such processing will be provided to you at the time consent is requested along with the impact of not providing such consent.
You should be aware that it is not a condition or requirement to consent. Where consent is given, it may be withdrawn by you at any time, but this will not impact any other lawful basis for processing relied on by SEB.
Duration of personal data retention by SEB
SEB will retain personal data for as long as needed or permitted considering the purposes for which it was obtained.
- the length of time we have an ongoing relationship with our customer and provide our products and service
- if there is a legal obligation to which we are subject
- if retention is advisable in light of our legal position, such as in regard to applicable statutes of limitation, litigation or regulatory investigations.
The appropriate retention period is determined on a case-by-case basis and will depend on the length of time we need to keep your personal data for the purposes for which it was collected, for example:
- To administrate the customer relationship for example verifying who is authorised to represent the customer, communicate about the product and services, documenting agreements until the termination of the customer relationship and relevant time period thereafter.
- Where it is reasonably necessary for reasons related to a legal claim or complaint, where we are subject to a regulatory investigation, or where we may need to defend ourselves in legal proceedings or respond to a regulator or to a valid legal request, such as a preservation order, subpoena or search warrant.
- To meet our legal and regulatory obligations to detect and prevent money laundering and terrorist financing under the Anti-Money Laundering (AML) Act.
- To meet our legal obligations to retain certain information regarding payments in accordance with PSD II and applicable EU member state laws.
- To meet our legal obligations to retain information regarding all services, activities and transactions that our in-scope entities undertake under MiFID II and applicable EU member state laws and MIFIR, and related acts and regulations. Such information includes recording of telephone conversations or electronic communications relating to, at least, transactions concluded when dealing on own account and providing client order services that relate to the reception, transmission and execution of client orders.
When we no longer need to retain personal data, we will destroy, delete or anonymise. Information about how long we are entitled to use your information in relation to a specific purpose, please read the purpose table in the policy document.
Profiling and automated decision making
Profiling is an automated processing of personal data that is used to evaluate certain personal characteristics of a natural person, for example to analyse or predict a person's financial situation, personal preferences, interests and whereabouts.
We use profiling for the following purposes:
- Market and customer analysis, as well as customer satisfaction and market research to develop and improve our products and services. By analysing our customers' use of the same product or service, we can better understand how to improve our products and services.
- Adapt what products and services are displayed in our digital services.
- Deliver customised marketing through both our own and external platforms and services.
Automated decision-making means that we use our systems to make decisions without any human intervention or involvement solely based on the data we hold about an individual. Depending on the specific decision, we might also use information from public registers and other public sources.
We may use technology, such as machine intelligence and learning to help us identify the level of risk involved in a customer or account activity for example for fraud, money laundering and other financial crime reasons. This type of processing is necessary to protect our customers against criminal or fraudulent activity. If we are unable to verify your identity, we may also request additional identification information from you. We continuously monitor transactions to and from accounts to identify unusual transactions. This may stop us from executing a payment that is likely to be for example fraudulent.
A decision if there is a fraud risk is based on information that SEB has received directly from you, or our customer, and SEB's own internal information.
You have rights relating to automated decision-making. You have the right to receive information about how an automated decision was made, and you can ask for manual review of the automated decision.
If you have any objections about the outcome, you can always contact us directly by sending an email to dsr@seb.se.
Who we may share your personal data with
We only share personal data with others if it is lawful to do so – to provide you with products and services requested by our customer – if it is required to comply with a legal obligation, for example, to assist with detecting and preventing fraud, reporting to an authority, where sharing of data is mandatory or permitted – if we have a legitimate interest for doing so, for example, to manage risk or to verify identity – or we if you have given permission to share it. When we share personal data with others, we ensure that the recipient processes the personal data in accordance with this privacy notice, for example by entering into so-called data transfer agreements or data processing agreements with the recipient.
SEB may need to share information within the SEB Group to provide the products, services and functionalities to our customer or due to money laundering legal obligations. In some cases, we also collect information about you from other companies within the SEB Group to be able to offer better advice as well as for customer surveys and profitability calculations.
SEB has a public or legal duty to provide information to authorities such as the Swedish Police Authority, the Swedish Financial Supervisory Authority, the Swedish Tax Agency or other authorities. We may also need to share your information in connection with regulatory reporting, litigation or asserting or defending legal rights and interests.
We engage suppliers to provide services and functionalities that SEB cannot offer itself, such as suppliers of IT services, payment services, BankID, administration and finance. Suppliers and subcontractors may only process the personal data they receive from us on our instructions and to the extent necessary for their delivery to us, so-called personal data processors.
In connection with a potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with our customer, we may need to share your information with a third party.
If you choose to contact us via social media, such as through Facebook, Instagram or X, your information will be collected and processed by these companies. The processing carried out by these companies is carried out in accordance with their own respective privacy notices.
Joint controller
We are joint controller together with the other parties using BankID in the event of blocking and blocking when using BankID.
To prevent misuse, fraud and other unlawful use linked to the BankID service, we have, together with other parties in the BankID collaboration, a list of users who have been blocked from using the BankID service for various reasons such as abuse and breach of contract:
Villkor Betalkonton och Betaltjänster, m.m. - Privat A7479_v_bilaga_web.
The list only contains information about if and for how long a block is linked to an identification number and is only used to check if a customer is blocked from using BankID and therefore should be blocked from being able to obtain a new BankID.
Relevant parties:
- Swedbank AB (publ)
- Nordea Bank Abp, branch in Sweden
- Svenska Handelsbanken AB (publ)
- ICA Banken AB
- Länsförsäkringar Bank AB
- Sparbanken Syd
- Skandiabanken Aktiebolag (publ)
- Danske Bank A/S, Denmark, Sweden branch
- Bank of Åland plc, Sweden branch
As we are joint controllers, you can contact us or the other parties to exercise your rights.
Transfer of personal data to countries outside the EU and EEA
We may need to transfer your information to a country outside the EU/EEA, a so-called third country. For example, for the performance of a contract with our customer – to fulfill a legal obligation – to protect the public interest, and/or for our legitimate interest. When we transfer personal data to a third country, we ensure that the transfer is covered by an approved transfer mechanism and supplementary safeguards have been implemented and that the transfer is lawful.
These are the approved transfer mechanism that needs to be covered before we transfer personal data to a third country:
- The European Commission has decided that there is an adequate level of protection for individuals’ personal data in the third country in question.
- The recipient of the personal data is bound by the European Commission's agreements, so-called standard contractual clauses or binding corporate rules.
- The data protection supervisory authority has granted a specific authorisation for certain transfers.
- It is otherwise permitted under applicable data protection legislation, for example to fulfil an agreement with or situations where you have given us consent to carry out the specific transfer.
How we protect your personal data
We are constantly working to improve our safeguards to ensure the integrity, availability and confidentiality of personal data.
Our safeguards include both technical and organisational safeguards, such as:
- Encryption of personal data.
- Access restriction when handling personal data.
- Automatic deletion of personal data when a specific purpose for processing ceases to apply.
- Regular tests to assess and evaluate the effectiveness of applicable security measures.
- SEB always ensures that we do not process more information than what is strictly necessary.
- When a partner processes personal data on our behalf, a so-called data processor, we require that they have appropriate levels of protection and use equivalent safeguards as SEB.
Data Protection Officer
We have appointed a Data Protection Officer to ensure that SEB complies with applicable legislation on the protection of personal data. The Data Protection Officer carries out objective checks and the assignment is completely independent in relation to SEB. The assignment also includes assisting SEB with information and advice on how we can best develop the protection for the personal data we process. The Data Protection Officer also acts as a contact person for individuals whose personal data we process.
Contact us with questions regarding data protection
If you have any further questions, you are always welcome to contact us:
SEB
Data Protection Officer
106 40 Stockholm
dataskyddsombud@seb.se