Your Privacy in DNB

DNB is an international financial group consisting of the parent company DNB Bank ASA and a number of Norwegian and international subsidiaries. Together, this constitutes the DNB Group.

The data controller for the processing of your personal data will typically be the DNB companies with which you have a customer relationship. The data controller is responsible for determining what your personal data will be used for, how it will be processed and what aids and tools will be used. Sometimes, several DNB companies have a joint controllership.

This privacy notice applies to the following companies in the DNB Group:

• DNB Bank ASA
• DNB Boligkreditt AS
• DNB Asset Management AS
• DNB Livsforsikring AS
• DNB Næringseiendom AS
• DNB Næringsmegling AS
• DNB Eiendom AS

See a more detailed illustration of the legal structure of the DNB Group here.

In addition to being the parent company in the DNB Group, DNB Bank ASA is in a cooperating group with Fremtind Forsikring AS and Fremtind Livsforsikring AS. Your insurance through DNB is provided by Fremtind Forsikring. Formally, Fremtind has the insurance contract with you. However, as a customer, when you buy or make changes to your insurance policy, or you need to get in touch with an insurance advisor, you will contact DNB. Both DNB Bank ASA and the Fremtind companies will act as independent data controllers. Although Fremtind is the result of a merger between SpareBank 1 and DNB, SpareBank 1 will not have access to your personal customer information in DNB.

You have the right to know whether we process your personal data. This means that you will be given a copy of/access to this data. You also have the right to receive more detailed information about what personal data we process and how we process it.

There are some exceptions to the right of access. This typically applies where we have a statutory duty of confidentiality, or where we are required to keep information secret in the interest of preventing, investigating or prosecuting criminal acts. If DNB cannot provide you with the information you request, you will be notified of the reason for this in writing.

How to exercise you right of access in DNB?

Request access to your personal data

If you have questions about the report or would like further information, you must request this manually. You can contact us via the ‘Write to us’ service in your mailbox in the online bank, or by post to DNB Bank ASA, Card and Bank Complaints PO Box 4750, 7469 Trondheim, Norway.

If you are an employee, former employee or have applied for a position in DNB and wish to request access to your personal data, please contact HR support at peoplesupport@dnb.no. Remember to provide a phone number where you would like to be contacted.

If your enquiry concerns DNB Næringseiendom AS or companies managed by DNB Næringseiendom AS, please contact us at servicesenter@dnb.no. Remember to provide a phone number where you would like to be contacted.

You have the right to receive certain personal data that we process about you so that it can be reused across different systems and services. The information you request is sent directly to you in a machine-readable format and may make it easier for you to transfer your information to a new service provider. This right is called ‘data portability’ and applies only to the personal data that:

• you yourself have provided directly, and
• is processed on the basis of your consent, or
• is processed on the basis of an agreement that we have with you.

Exceptions: You are not entitled to receive the following personal data, even if the above conditions are met:

• Personal data that is only available in paper form or as scanned documents in our electronic archives.
• The transfer of your data infringes the rights of others.
• Personal data that is not collected directly from you and is thus not covered by this right.
• Personal data prepared in analyses or assessments for internal use.

How to request to have your personal data in DNB transferred to others

You can click on the link below to exercise your right to data portability. After you have logged in and we have verified your identity, you will receive a confirmation that we have received your request.

Request data portability

If you are an employee, former employee or have applied for a position in DNB and wish to request data portability, please contact HR support at peoplesupport@dnb.no. Remember to provide a phone number where you would like to be contacted.

If your enquiry concerns DNB Næringseiendom AS or companies managed by DNB Næringseiendom AS, please contact us at servicesenter@dnb.no. Remember to provide a phone number where you would like to be contacted.

The right to object gives you, in certain cases, the opportunity to request that we stop using your personal data. We will always consider and respond to such an objection.

When processing personal data for direct marketing purposes, you always have the right to object (right to opt out).

The right to object applies in different contexts with slightly different conditions:

• In cases where your personal data is processed because it is necessary to attend to a legitimate interest. Or because it is necessary to perform a task in the public interest. In such cases, you have the right to object on grounds relating to your particular situation. We address such objections specifically and individually. We may reject the objections if there are compelling reasons.
• In cases where your personal data is processed for direct marketing purposes without your consent. In these cases, we will always make sure to stop the processing of your personal data.
• If your personal data is processed for scientific or historical research purposes or for statistical purposes. In such cases, you may have the right to object on grounds relating to your particular situation. We will process your objection as quickly as possible.

How to exercise your right to object in DNB

If you would like to object to a specific processing of your personal data, you can do so via our complaints department. For a more detailed overview of what types of processing you can object to, see the chapter entitled ‘Why we process personal data’.

You may always request that we stop using your personal data for marketing aimed directly at you, including profiling for such a purpose. If the marketing is based on your consent, you may withdraw your consent in the online bank under ‘Settings’.

If you are an employee, former employee or have applied for a position in DNB and wish to exercise your right to object, please contact HR support at peoplesupport@dnb.no. Remember to provide a phone number where you would like to be contacted.

If your enquiry concerns DNB Næringseiendom AS or companies managed by DNB Næringseiendom AS, please contact us at servicesenter@dnb.no. Remember to provide a phone number where you would like to be contacted.

If we process personal data about you, you have, in some cases, the right to demand that your data be deleted.

You may request the erasure of personal data if one of the following grounds is met:

• You withdraw your consent for the processing.
• You have objected to the processing of the data that you request to be deleted, and your objection is upheld. See more about the right to object above.
• The data you request to be deleted has been processed unlawfully.
• The information must be deleted in order to comply with a legal obligation to which we are subject.

In many cases, we are required to retain information about you, even if you request erasure. This applies both during your customer relationship, and for a certain time after agreements and your customer relationship have ended. In practice, this means that you cannot demand that your personal data be deleted when we have a legal obligation to retain your personal data or we must safeguard our legitimate interests. This also applies if we need to establish, exercise or defend a legal claim.

How to exercise your right to erasure in DNB

If you wish to request the erasure of your personal data, you can use this form.

Do not use this if you wish to terminate a product or agreement. Instead, please contact customer service by chat or phone on (+47) 915 04800.

If you are a former employee or have applied for a position in DNB and wish to request the erasure of the personal data we collected about you in that context, please contact HR support at peoplesupport@dnb.no.

If your request concerns the erasure of your personal data in DNB Næringseiendom AS or companies managed by DNB Næringseiendom, please contact us at servicesenter@dnb.no. Remember to provide a phone number we can use to contact you.

If you believe that we are processing personal data about you that is inaccurate or misleading, you may require the data to be corrected or supplemented by additional information. You must be able to show that the data is inaccurate and inform us as to what is correct. After your enquiry, we will make sure to correct the incorrect personal data as soon as possible, and normally no later than within one month.

There may be cases where rectification is not practically possible, or where the information is correct but gives an incorrect impression. In these cases, we will ensure that your data is supplemented with additional information. That is, we will include your understanding of the situation, so that others will have a comprehensive overview of your situation.

If we have corrected your personal data, and we have previously provided that data to any third parties, we will attempt to notify those recipients of the changes if relevant. The obligation to notify of any changes does not apply if it proves to be virtually impossible for the recipient to implement corrections.

How to request rectification or supplementation with additional information

If you would like to request rectification or supplementation of your personal data, you can do so via our complaints department.

If you are a former employee or have applied for a position in DNB and wish to request rectification of your personal data, please contact HR support at peoplesupport@dnb.no.

If your request concerns rectification of your personal data in DNB Næringseiendom AS or companies managed by DNB Næringseiendom, please contact us at servicesenter@dnb.no. Remember to provide a phone number we can use to contact you.

You may request that we restrict the way we process your personal data. This means that we cannot use your personal data actively. This is often in combination with other rights, for example to restrict the processing of your personal data while we consider a request for erasure or rectification.

For example, if you have asked us to correct your personal data, you can in the meantime request that we restrict the processing of this data until the error has been rectified.

We are obliged to restrict processing in some specific cases:

• If you believe that the personal data is inaccurate, the processing may be restricted to a period so that both you and DNB can check whether the personal data is correct, and perform corrections if necessary.
• If the processing is unlawful, but you do not request erasure and instead request that we restrict the use of your personal data, we will continue to retain your personal data.
• If we no longer require the data for the purpose of the processing, but we need the data to establish, enforce or defend a legal claim and therefore wish to retain your personal data.
• If you have objected to the processing and are awaiting feedback on the assessment of whether we have legitimate reasons for continued processing that take precedence over your interests.

How to restrict the processing of personal data in DNB

If you would like to restrict the way we process your personal data, you can do so via our complaints department.

If you are a former employee or have applied for a position in DNB and wish to restrict the processing of your personal data, please contact HR support at peoplesupport@dnb.no.

If your request concerns the restriction of the processing of your personal data in DNB Næringseiendom AS or companies managed by DNB Næringseiendom, please contact us at servicesenter@dnb.no. Remember to provide a phone number we can use to contact you.

If you are unsatisfied after having talked to us, you can submit a complaint by logging into our complaints portal, or you can contact us by post at: DNB Bank ASA, Card and Bank Complaints PO Box 4750, 7469 Trondheim, Norway.

In our complaints portal, you will find several categories to choose from. You can write ‘Data protection’ as the heading in the free text field. When you submit a complaint, we will process your complaint as soon as possible and normally within 30 days. You can follow the status of your complaint at the top of the complaint page after you have submitted your complaint. You will be notified in the online bank when your case has been processed, or if we need you to provide more information.

If you do not get the help you want through our complaints procedure, DNB has a Data Protection Officer who will answer your questions concerning the processing of your personal data. You can contact the Data Protection Officer at personvernombudet@dnb.no or by post: DNB, c/o Data Protection Officer, Dronning Eufemias gate 30, 0191 Oslo, Norway.

This applies for the following companies: DNB Bank ASA, DNB Livsforsikring AS, DNB Eiendom AS, DNB Boligkreditt AS and DNB Asset Management AS. If your enquiry concerns only one of the companies, please state that in your enquiry.

If you do not agree with us and wish to complain further, you can send your complaint directly to the Norwegian Data Protection Authority.

Automated decision-making is the process of making decisions solely based on personal data we are processing about you, without any human involvment.

You can always get an explanation of what is behind the automated decision and express your opinion. You can also contest the decision and demand that the decision made via the algorithm be reviewed by a person.

In DNB, we use automated decisions on the following processes

• Credit card and debt consumer loans (unsecured credit)

Depending on your relationship with DNB companies and the products and services you use, we process the following types of personal data:

• Identification data: full name, gender, Norwegian national identity number, temporary identification number (D number), customer number, copy of passport, driving licence.
• Contact details: name, address, telephone number, email address.
• Business relations: profession, roles in own and others’ customer relationships.
• Relationship data: information about spouse, cohabitant, children and marital status.
• Demographic data: income, education level and family structure.
• Financial data: information related to type of product and service agreement, employment situation (salary, FTE percentage), transaction data, credit history, account number and insurance history.
• Images, video or audio files.
• Digital behavioural data: type and technical number of digital device (e.g. PC or mobile phone), clicks, login and how the digital device arrived at our site, browser type and operating system.
• Special categories of data: health data e.g. in connection with insurance products you have purchased, trade union membership, biometric data for proof of identity.
• Other: In addition to the categories above, we also process other types of personal data when necessary for a specific type of processing. We will inform you about this when we collect the data.

Most of the personal data that we collect and process will come directly from you, for instance when we process an application for a loan and other products and services we offer.

If you are affiliated with a company or other business that is a customer of DNB, we will collect and use your personal data if you are the owner, signatory or user of the company’s account.

Other examples where we collect personal data directly from you are:

• When you become a customer and we need to ask for your personal data in order to provide you with the product or service we offer.
• When you provide feedback through our digital channels and via chat.
• When you have been in contact with us, and we ask about your experience in order to provide better customer service.
• When we provide investment services and are required by law to make and retain audio recordings of phone calls.

Cookies are small text files that are stored and read on your device, for example on your computer or mobile phone, when you visit a website. Among other things, cookies make it possible to distinguish visitors to a website from each other and to collect data about how they use the website.

We use cookies on our website (dnb.no) for the following purposes:

• To make sure our website works.
• To ensure security, including detecting misuse of our website.
• To remember the settings and choices visitors make on our website.
• To map usage patterns on our website in order to make improvements.
• To track visitor behaviour in order to personalise our marketing.

The data we process by means of cookies will in many cases constitute personal data. You can read more about how we process personal data under the chapter ‘Why we process personal data’. There, you can also read more about how we process information about your behaviour on our web pages in order to customise our marketing.

There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities, payment service providers and business partners. We also share personal data with the companies in the Group, and with Fremtind Forsikring AS and Fremtind Livsforsikring AS.

Data protection rules and legislation regulate how and when such sharing with third parties may take place. In addition, there are provisions on confidentiality in several other acts that apply to the financial and securities sectors.

In order to provide our services and products, there are several situations where we need to disclose your personal data. For example, if you have instructed us to transfer money or securities, we will need to disclose certain information to relevant third parties in the transaction in order to perform the transfer.

We use data processors in several situations. A data processor is a third party who processes personal data on our behalf. There are also data processing relationships within the DNB Group, such as when DNB Bank ASA is the data processor for other companies in the Group. The data processor does not have its own purposes for processing of personal data.

We have a data processor agreement with all our data processors, which regulates how and what personal data should be processed. This is how we ensure that personal data is processed in accordance with data protection rules and legislation and meets our own requirements for the processing of personal data.

We have data processors in Norway and in other countries both inside and outside the EEA, such as:

• software providers
• cloud solution providers
• distributors and agents
• sourcing partners
• consultants
• companies in the DNB Group.

DNB is a group consisting of a number of different companies, and multiple companies that are data controllers. There may be one or more companies within the Group that are the data controller for your personal data, depending on your relationship with one or more companies.

Sometimes we need to share personal data about you within the Group. For instance, this may be to fulfil customer agreements, to meet obligations under company law because requirements to our information security make it necessary, or due to anti-money laundering obligations. It may also be because we have a legitimate interest for various purposes mentioned in the privacy notice.

There are strict rules on confidentiality for financial services and investment firms, including for companies in the DNB Group. Before sharing personal data, we will always ensure that we also comply with our duty of confidentiality.

DNB has a shared customer register. The purpose of the Group customer register is to manage your customer relationship and coordinate offers of services and advice from the various companies in the DNB Group. The Group customer register contains information about you, such as name, date of birth, address and other contact details, which Group company you are a customer of, and the services and products for which you have entered into an agreement.