General information about the bank’s processing of personal data
Regulation on the Processing of Personal Data
Maritime & Merchant Bank handles the processing of personal data in accordance with all applicable legislation, including the Norwegian Personal Data Act (Personopplysningsloven) and the EU’s General Data Protection Regulation 2016/679 (GDPR). The Bank has also committed to Finance Norway’s industry standards for the processing of personal data for banks and credit institutions.
The Bank will primarily collect personal data that is only registered directly by you, the customer. Any personal data collection done by third parties (for example other banks/financial institutions/credit institutions) will be notified to the customer, unless the collection of data is expressly authorized by statute, notification is impossible or disproportionately difficult, or there is no doubt that the data subject already has the information which shall be contained in the notification.
Should the Bank wish to obtain personal data unrelated to the performance of a contract, the Bank shall first inform the data subject of the purpose of the processing, and the fact that the provision of data is voluntary. Personal data may only be processed if the data subject has consented thereto.
Categories of Personal Data
The Bank typically collects, registers and uses the following types of personal data:
- identification information, e.g. name, national ID number and copy of identification documents
- contact information, e.g. telephone number, address and e-mail address
- financial information, e.g. client and product agreements, transaction data and credit history,
- personal data required in accordance with legislation such as anti-money laundering and in connection with reporting to authorities
- sensitive personal data, e.g. trade union membership information required when offering certain lending products
Where personal data is collected from
We only collect and process personal data provided directly to us by the client, or any other person dealing with us on behalf of the corporate client. We also collect data from third parties including the Norwegian National Registry and other publicly accessible sources and registers.
Purpose of Personal Data Processing/Why we process personal data
Upon entering into the agreement and under the ongoing contractual relationship, the Bank will collect and register personal data related to the client and any other person related to the contractual relationship, i.e. managers or directors. Personal data will also be collected on individuals whom the bank has declined to partner with, in order to inform those individuals of the refusal and, if subsequently necessary, to document the relationship, including justification for refusal of deposits and payment orders.
The primary purpose of processing personal data is customer-relationship management, financial advice, invoicing and the execution of banking and financial services in connection with an agreement entered into with you. Otherwise, the Bank will only collect and process personal data if there is a legal basis to do so, for instance when it is our legal duty in accordance with legislation or the client has granted us consent to collect and process their personal data.
Personal data is also processed for the following purposes:
Customer authentication when using electronic services
When using the Bank’s electronic services, the Bank will observe customer behavior and conditions online, as well as deviations from observed behavior and conditions, identify the computer or mobile device used when access the bank’s services, the condition of the computer/device used, etc. This information will be used by the bank to verify that the appropriate user is accessing the service in question. The Bank can also collect data for activities related to conducting risk assessments, including customizing the authentication method required by the client using the service.
Prevention and detection of criminal activity and financing of terrorism
The Bank processes personal data in order to prevent, uncover, resolve and appropriately deal with fraud and other criminal acts directed against the client, other clients or the Bank. Personal data may also be disclosed to other banks and financial institutions, the police or other public authorities as required by law. The Bank stores personal data for up to 10 years after registration.
The Bank processes personal data in order to prevent and uncover transactions related to proceeds from criminal activities or the financing of terrorism. The Bank is obligated to report and investigate any suspicious transactions in accordance with the Anti-Money Laundering Act, as well as to report suspicious information and transactions to Økokrim. All personal data related to these events will be kept by the Bank for 5 years following the termination of a customer relationship.
Internet/Web Cookies and Similar Technology
The Bank’s webpage contains internet cookies. A cookie is a small text file stored on the user’s computer, containing information making it possible to identify users between individual page loads. This information can be used for statistical purposes through Google Analytics in order to monitor usage of the website. If you wish to prevent storage of cookies, adjust the settings on your browser. If cookies have not been enabled on the webpage, certain aspects of the site’s functionality may be limited.
Appropriate technical, organizational and administrative safeguards are implemented to protect and prevent the loss, misuse, unintentional access, disclosure, alteration or destruction of personal data.
Analysis and Development of New Services
Data collected and registered by the Bank may be used to analyze how customers use the Bank’s services in order to improve existing products or develop new services.
In some cases, the Bank may have a legitimate interest in the analysis of internet usage patterns in order to identify potential demand for new products and services, improve existing product and service functionality and perform tests in conjunction with further development.
Transfer of Personal Data Outside the EU/EEA
Personal data may be transferred to countries outside the EU/EEA as long as there is a valid basis. Valid basis includes:
- The EU Commission has decided there is an adequate level of protection of data in the country in question, or
- Additional, appropriate security measures have been implemented, such as the use of Standard Contractual Clauses (SCC), as approved by the EU Commission, or that the data processor has implemented valid binding corporate rules (BCR), or
- Exceptions may be made in special cases if the data subject has consented to the transfer or the transfer is necessary for the performance of a contract with the data subject.
Upon opening an account and throughout the contractual relationship, the bank will retain personal data connected to the customer and others associated with the account, ie. agents acting on behalf of another person. The Bank also retains personal data for a period even if the Bank declines to enter into an agreement with a customer. This purpose is to ensure the Bank can inform the person concerned/the customer of the Bank’s decision and can provide evidence of the matter subsequently if so required.
The Bank’s processing of personal data is primarily for customer management, financial advisory, invoicing and implementing banking and financial services in accordance with the agreements entered into with the customer. The Bank also processes personal data to the extent required or permitted by legislation or where the person concerned has given his/her consent.
Use of Data Processors
Storage of Personal Data
Upon completion of individual data processing, unless stored for longer as a result of legislation, the Bank will delete or make anonymous all personal data related to the customer. For example, personal data that is processed on the basis of the data subject’s consent, shall be deleted if the client withdraws their consent. Personal data that is processed in order to fulfill an agreement is deleted upon completion of the agreement and fulfillment of all obligations arising from the agreement.
Customer Rights When Processing Personal Data
You have the right to request access to, correction or deletion of the personal data we have registered about you. You also have the right to restrict the usage of personal data, to object to the processing of personal data and to receive a copy of the personal data provided.
You also can, by contacting the Bank, request insight into your personal data, what type of personal data is collected and further information about how the Bank processes personal data.
The right to access personal data also includes how long we store personal data and who receives personal data in the Bank or the Bank’s data processor connected to accounts or other customer obligations. Information regarding access to personal data is limited to a period of up to 3 months after personal data has been accessed. Based on individual customers’ specific circumstances, the Bank may limit the number of employees in the Bank who can gain access to, and insight into, your personal data.
In order to exercise the rights above, contact the Bank by sending a secure message via the online banking platform, sending a written request in the mail along with a certified copy of your passport or by personally visiting the Bank’s office and presenting a valid form of identification.
We respond to inquiries as soon as possible, at the latest within 30 days.
In order to respond to your inquiry, we require confirmation of your identity or will request additional information. This is to ensure limited access to your personal data and to not provide access to others who claim to be you.
Changes to Personal Data
Changes to the services provided by the Bank or changes to the rules governing the processing of persona data may lead to necessary changes of information provided. Updated information will always be readily available on our webpage.
Complaints About Processing of Personal Data
Any questions regarding the processing of personal data or wish to submit a complaint, contact us via telephone: 22 39 83 70 / e-mail: firstname.lastname@example.org. You also may request the Bank’s Data Protection Officer.
Any complaints regarding the Bank’s processing of personal data can be directed to Norwegian Data Protection Authority (Datatilsynet). Please see www.datatilsynet.no for further information.