Privacy Notice – Individuals related to corporate agreements

This Privacy Notice provides information as to how, when, and why SEB Kort Bank AB 556574-6624 (“SEB Kort” or “we” or “us”) will collect, process, store and share personal data for you as an individual related to a corporate agreement.

This Privacy Notice is divided in four parts depending on the relationship you have with us:

  1. Cardholder on a corporate agreement
  2. Beneficial Owner of a corporate customer
  3. Corporate representatives, Vendor
  4. Signatory, Authorized representatives, or Administrator
  5. General information

We will process your personal data in a careful and responsible manner. By personal data, we mean any information that can be directly or indirectly traced back to you.

Privacy Notice – Individuals related to corporate agreements (PDF)

1. Personal data we process about you as a Cardholder on a corporate agreement

  • Sources of personal data

    Personal data is normally collected directly from you, for instance when you or your company apply for our services or products or generated in connection with your use of our services and products. Sometimes additional information is required to keep the information up to date or to check that the information we have collected is correct.

    Personal data from you

    We collect the following personal data categories directly from you:

    • Identification details such as name, national ID/passport or both in some circumstances, contact details e.g., postal address, email address, telephone number, mobile number and sometimes employee number at your company.
    • Authentication information in all situations where we need to identify you as a customer or when a signature is necessary, for example when signing an agreement or when visiting My pages.
    • Transactional information regarding your purchases with the company card such as which merchant and amount.
    • Your communication with us such as emails, telephone calls or via our app and website.
    • Visual media such as photos or video surveillance if you visit our SEB premises.
    • We may store information from your use of our mobile app or other online services. For example, your IP address or your geographical location for the purpose of improving our service to you.
    Personal data from other sources

    In addition to the information that you provide us with yourself, we may collect information about you elsewhere. This applies, for example, when we:

    • Regularly update information about name and address via population registers.
    • Carry out checks that we are required to perform in order to prevent our products and services being used for money laundering, by retrieving information from sanction lists with international organizations such as European Union (“EU”) and United Nations (UN) or Criminal offense data.
    • Receive payments, we collect information from senders, stores, banks, and payment service providers

    In some cases, we also collect information from other entities in the SEB Group pursuant to Group internal service arrangements and appropriate data transfer mechanisms.

    Please note that our websites use cookies. A cookie is a piece of information that a website transfers to the cookie file on your computer or device.

    Read more about the use of cookies here

  • Why we process your personal data and on which lawful ground

    We are often to be required by law or as a consequence of our contractual relationship with our clients to collect certain personal data. Failure to provide this information may prevent or delay the fulfilment of these obligations.

    The performance of a contract that you are a party of

    The main purpose of our processing of personal data is to collect, control and process personal data before and when signing agreements with your company, as well as to document, administer and perform what is required to fulfil agreements. We process your personal data when:

    • You are applying for a credit card, accounts, or other services. 
    • You are contacting our customer service. 
    • The processing is performed to establish, assert, or defend legal claims and
      debt. 

    Comply with laws & regulations

    We must be able to comply with the various laws and regulations in the jurisdictions that we operate in:

    • Anti-money laundering and terrorist financing laws (“AML/TF”) – we are required to perform due diligence activities, including identity checks and transaction monitoring.
    • Activities relating to financial crime and market abuse prevention and detection, fraud, tax evasion and corruption.
    • We store your transactions made on the company card to comply with regulatory, accounting and tax reporting requirements.
    • When we are asked to co-operate with regulatory-, judicial and other authorities.
    Legitimate interest

    We have, in certain circumstances, a legitimate interest in processing your personal data.
    When vi process personal data with reference to “legitimate interest” we shall demonstrate that we have justified compelling reasons for the processing and that these reasons take precedence over your interests and rights.

    The following are examples of situations where we process personal data using legitimate interest as the legal ground for processing:

    • To perform customer and product analyses to improve our business relationship with you and to provide relevant offers.
    • To improve our business processes in order to provide a better service to you, e.g., when you contact our Customer Service.
    • For fraud monitoring purposes, to unveil fraud situations as early as possible so that you as a customer can feel safe using our products.
    • When we process personal data related to customer surveys.
    Consent

    We usually do not base the processing of your personal data on a consent.

    If you provide us with your consent to process and store your personal data, you can at any time withdraw such consent. Withdrawal of consent will however not affect any processing of personal data based on the consent prior to the withdrawal.

    There might however be other reasons for obtaining a consent from you than for processing of your personal data, e.g., when it is necessary in accordance with local marketing legislation.

    Profiling

    Profiling is when your personal data is automatically processed, primarily your transaction data on the company credit card.

    We use profiling for:

    • combating money laundering and terrorist financing to fulfil our legal obligations
    • fraud prevention, to find and act on fraud behaviors
    • segmenting for marketing research. We use profiling to give you better and relevant offers.
    • the purpose of approving or declining a credit card- or loan application, to secure a proper and correct credit worthiness assessment
    Automatic decisions

    We use automatic decisions, for instance when you apply for a credit card using our online application form. Such application can be approved or declined by using automatic decisions.

    Our automated decisions may sometimes be based on profiling. Where such a decision has legal consequences for you, e.g., a decline of an application or otherwise significantly affects you, you have a right to object to the processing.

  • Personal data sharing and data transfers
    SEB Group

    We will share personal data about you with other SEB Kort AB branches and SEB legal entities and affiliates within SEB Group to meet our legal and regulatory obligations such as:

    • For regulatory and financial transaction reporting
    • Financial crime and external fraud prevention for instance, to be able to comply with our obligations pursuant to the AML/KYC regulation
    • To be able to provide as good service to you as possible and act as one bank
    External recipients

    We will share personal data about you with external recipients for the following purposes:

    • To authorities and institutions where required or requested and where we are permitted to do by law, regulation, supervisory or similar authority or court order.
    • Our suppliers. We share your personal data with service providers. This is relevant where e.g., we authenticate you in different digital channels for example when logging in to My Pages (Signicat AS) or when we produce cards (Tieto Evry Card Services AS), hosting or support services from vendors (e.g., Depona AB or Mastercard). In all such instances and where applicable, we take steps to ensure that there are Data Processing Agreements in place to protect your data and to limit access and use of that data strictly for the purposes and to the extent needed for those services to be performed. When a service is terminated, we impose requirements that any data stored outside of SEB is returned to us or destroyed.
    • If you apply for or already use a digital wallet such as Apple Pay or Samsung Pay, etc, we will be transferring data including e.g. your card information to the digital wallet provider to enable use of the digital wallet.
    Third countries

    We do not share your data with suppliers outside the EU/EEA (“European Union/European Economic Area”) also known as third countries unless it is required by law or necessary for fulfilling our service to you as a customer. One example of the latter is our cooperation with Mastercard where some of your data may be transferred to the United States of America (“USA”).

    Another example is when we use Adobe Campaign for IT support services which are performed in EU/EEA as well as in India.

    We only make such transfers after having performed a Transfer Impact Assessment (“TIA”) to ensure that GDPR has been followed and if any of the following conditions are met:

    • The European Commission has determined that there is an adequate level of protection in the country in question.
    • We have taken other appropriate protective measures, e.g., Standard Contractual Clauses (SCCs) or Binding Company Rules (BCRs). You can obtain a copy of such standard contract by contacting us, see contact details below.
    • Special authorisation from a supervisory authority has been obtained.
    • Such transfers are permitted in special cases by applicable data protection legislation.


2. Personal data we process about you as a Beneficial Owner of a corporate customer

  • Sources of personal data

    Personal data is normally collected directly from you, for instance when your company applies for our services or products or generated in connection with your use of our services and products. Sometimes additional information is required to keep the information up to date or to check that the information we have collected is correct.

    Personal data from you

    We collect the following personal data categories directly from you:

    • Identification details such as name, address, personal id or date of birth, citizenship, tax residence country and in some cases copy of passport.
    • Information regarding affiliations, status as a politically exposed person and close family members.
    • Authentication information in all situations where we need to identify you as a Beneficial Owner or when a signature is necessary.
    • Your communication with us such as emails, telephone calls or via our app and website.
    • Visual media such as photos or video surveillance if you visit our SEB premises.
    Personal data from other sources

    In addition to the information that you provide to us yourself, we may collect information about you elsewhere. This applies, for example, when we:

    • Regularly update information about name and address via population registers.
    • Carry out checks that we are required to perform in order to prevent our products and services being used for money laundering, by retrieving information from sanction lists with international organizations such as the European Union (“EU”) and United Nations (“UN”) or Criminal offense data
    • Obtain data from publicly accessible sources such as publicly available websites, tax registers and press; as well as other sources of data such as sanction lists and company registers.

    In some cases, we also collect information from other entities in the SEB Group pursuant to Group internal service arrangements and appropriate data transfer mechanisms.

    Please note that our websites use cookies. A cookie is a piece of information that a website transfers to the cookie file on your computer or device.

    Read more about the use of cookies here

  • Why we process your personal data and on which lawful ground

    We are often required by law or as a consequence of our contractual relationship with our clients to collect certain personal data. Failure to provide this information may prevent or delay the fulfilment of these obligations.

    Comply with laws & regulations

    We must be able to comply with the various laws and regulations in the jurisdictions that we operate in:

    • Anti-money laundering and terrorist financing laws (“AML/TF”) – we are required to perform due diligence activities, including identity checks and transaction monitoring.
    • Activities relating to financial crime and market abuse prevention and detection, fraud, tax evasion and corruption.
    • Identification of Beneficial Owners is a legal requirement in all jurisdictions where we are present for the purposes of anti-money laundering (“AML”) legislation.
  • Personal data sharing and data transfers
    SEB Group

    We will share personal data about you with other SEB Kort AB branches and SEB legal entities and affiliates within SEB Group in order to meet our legal and regulatory obligations such as: 

    • For internal approval processes
    • For risk measurement, control, and reporting
    • For regulatory and financial transaction reporting
    • Financial crime and external fraud prevention, for instance to be able to
      comply with our obligations pursuant to AML/TF regulation
    • To be able to provide as good service to you as possible and act as one bank
    External recipients

    We will share personal data about you with external recipients for the following purposes:

    • To authorities and institutions where required or requested and where we are permitted to do so by law, regulation, supervisory or similar authority or court order.


3. Personal data we process about you as a Corporate representatives or Vendor

  • Sources of personal data

    Personal data is normally collected directly from you, for instance when your company applies for our services or products or generated in connection with your use of our services and products. Sometimes additional information is required to keep the information up to date or to check that the information we have collected is correct.

    Personal data from you

    We collect the following personal data categories directly from you:

    • Identification details such as name, role, company, contact details e.g., telephone number, mobile number, email address.
    • When we invite you to events, we may collect dietary preferences.
    • Authentication information in all situations where we need to identify you.
    • Your communication with us such as emails, telephone calls or via our app and website.
    • Visual media such as photos or video surveillance if you visit our SEB premises.
    Personal data from other sources

    We collect information directly from you or from the client you represent. The information may be collected from agreements our client has entered into, through ongoing dialogue through correspondence and conversations.

    Please note that our websites use cookies. A cookie is a piece of information that a website transfers to the cookie file on your computer or device.

    Read more about the use of cookies here

  • Why we process your personal data and on which lawful ground

    We are often required by law or as a consequence of our contractual relationship with our clients to collect certain personal data. Failure to provide this information may prevent or delay the fulfilment of these obligations.

    The performance of a contract that you are a party of

    Where our products and services are contracted with a legal person, we engage with you as a client, supplier, or partner at various levels in order to deliver those products and services.

    Legitimate interest

    We have, in certain circumstances, a legitimate interest to process your personal data. When vi process personal data with reference to “legitimate interest” we shall demonstrate that we have justified compelling reasons for the processing and that these reasons take precedence over your interests and rights.

    It is for instance when we:

    • Want to improve our business processes in order to provide a better service to you, e.g., when you contact our Customer Service.
    • Market our products and services to you and your company.
  • Personal data sharing and data transfers
    SEB Group

    We will share personal data about you with other SEB Kort AB branches and SEB legal entities and affiliates within SEB Group in order to meet our legal and regulatory obligations such as: 

    • For internal approval processes 
    • For risk measurement, control, and reporting
    • For regulatory and financial transaction reporting 
    • Financial crime and external fraud prevention, for instance to be able to comply with our obligations pursuant to AML/TF regulation
    • To be able to provide as good service to you as possible and act as one bank 


4. Personal data we process about you as a Signatory, Authorized representative, or Administrator

  • Sources of personal data

    Personal data is normally collected directly from you, for instance when you or your company applies for our services or products or generated in connection with your use of our services and products. Sometimes additional information is required to keep the information up to date or to check that the information we have collected is correct.

    Personal data from you

    We collect the following personal data categories directly from you:

    • Identification details such as name, personal id, citizenship, contact details e.g., postal address, email address, telephone number, mobile number
    • Authentication information in all situations where we need to identify you
    • We keep records of arrangements and transactions that you have entered into
    • Your communication with us such as emails, telephone calls or via our app and website.
    • Visual media such as photos or video surveillance if you visit our SEB premises.
    Personal data from other sources

    Information is gathered from our immediate client and external public registers. Where our client registers an electronic power of attorney in our systems, initial data is provided by our client’s administrator and additional information is gathered from you as a user through our portal. We will also use personal data from other entities in SEB Group pursuant to Group internal service arrangements and appropriate data transfer mechanisms.

    Please note that our websites use cookies. A cookie is a piece of information that a website transfers to the cookie file on your computer or device.

    Read more about the use of cookies here

  • Why we process your personal data and on which lawful ground

    We are often required by law or as a consequence of our contractual relationship with our clients to collect certain personal data. Failure to provide this information may prevent or delay the fulfilment of these obligations.

    The performance of a contract that you are a party of

    The main purpose of our processing of personal data is to collect, control and process personal data before and when signing agreements with you, as well as to document, administer and perform what is required to fulfil agreements.

    We process your personal data when:

    • You or your company are applying for credit cards or services
    • You are contacting our customer service or sales department
    Comply with laws & regulations

    We must be able to comply with the various laws and regulations in the jurisdictions that we operate in:

    • Anti-money laundering and terrorist financing laws (“AML/TF”) – we are required to perform due diligence activities, including identity checks.
    • Activities relating to financial crime and market abuse prevention and detection, fraud, tax evasion and corruption.
  • Personal data sharing and data transfers
    SEB Group

    We will share personal data about you with other SEB Kort AB branches and SEB legal entities and affiliates within SEB Group in order to meet our legal and regulatory obligations such as: 

    • For internal approval processes
    • For risk measurement, control, and reporting
    • For regulatory and financial transaction reporting
    • Financial crime and external fraud prevention, for instance to be able to comply with our obligations pursuant to AML/TF regulation
    • To be able to provide as good service to you as possible and act as one bank
    External recipients

    We will share personal data about you with external recipients for the following purposes:

    • To authorities and institutions where required or requested where we are permitted to do by law, regulation, supervisory or similar authority or court order.


5. General Information

  • Data Retention

    We will store your personal data for as long as it is necessary for fulfilling the purposes for which they were collected. The required retention period differs between the Nordic countries. Below we list some examples on relevant retention periods:

    • If you have a contract with us or is covered by a contract with us, we typically store your personal data for 10 years after our business relationship has ended to be able to exercise our legal claim to defend ourselves. Some data will be deleted after 5 years according to the Money Laundry Act or after up until 10 years according to the Bookkeeping Act (depending on national legislation) e.g., copy of invoices.
    • Marketing activities, such as send outs are saved for a maximum of two years
    • If you are a prospective cardholder and do not have an agreement with us but have provided personal data to us in an application e.g., when your application has been declined, we will store your information for a maximum of two years.
  • Using our websites and our apps

    If you have downloaded one of our apps, we can send information to the device where the app is installed, for example in the form of push notifications. The message may, among other things, contain information that a purchase has been made, an incorrect PIN code has been used or if a purchase has been denied.
    In your device's system settings, you can control whether the information is sent or not and how the information is displayed on the device's screen in locked mode.

    When the information is sent outside the SEB Group, it is done with uninterrupted encryption until the information arrives at your app.

    To be able to do aggregated analysis of user interactions we gather information about what services you use on our website, in our in-logged environment and apps and how you use them.

    The information that we collect are:

    • Identification Data, such as IP address, device type and operation system, and
    • Digital Tracking information, such as geographic location.
  • Your rights

    We respect your rights to request access, modification, deletion, and portability of your personal data.

    According to the GDPR, you are entitled to control your own personal data and to know how we process information about you. You can contact us if you want to exercise any of your rights.

    Sometimes your rights are subject to limitations e.g., when we are unable to delete your personal data due to regulatory requirements and when the retention period has not been reached.

    Requesting a personal data extract

    You have the right to obtain information about what personal data we process about you. You can obtain this by requesting an extract from us.

    Correcting incorrect or incomplete data

    Should it turn out that we are processing personal data about you that is incorrect, you are entitled to request the personal data to be corrected. You may also request that an incomplete piece of personal data about you be supplemented.

    Deletion of your personal data

    You have the right to have any or all your personal data deleted. This is sometimes referred to as “the right to be forgotten”. In some cases, we may be unable to delete all the personal data because this is still necessary for its original purpose, and we still have a legal basis for processing it.

    Restricting how we process your data

    In some situations, you are entitled to ask for our processing of your data to be restricted for a certain period. This could be, for example, if you believe that some personal data about you is incorrect and we need to verify this. This may also be if you have objected to processing that is based on legitimate interest. In this case, we will assess whether our interests take precedence over yours.

    Objecting to how we process your data

    If we process personal data about you based on legitimate interest, you may object to this processing. For instance, if we process your personal data for the purpose of direct marketing.

    Transferring your data to another party (“Data portability”)

    If we process your personal data based on an agreement or based on your consent, you have the right to access the personal data you have provided to us. If it is technically possible, you also have the right to have the data transferred to another party. This is known as data portability.

    Automated decision making

    When a decision is based on automatic processing (including profiling), you have the right to contact us to object to being subject to an automatic processing of your personal data.

  • Contact information and complaints

    You are always welcome to contact us if you have any questions about your rights or about how we process your personal data.

    Contact details to Data Protection Officer (DPO):

    Head Office
    SEB Kort Bank AB
    SEB Data Dataskydd
    106 40 Stockholm
    Sweden
    08-14 70 00

    SEB Kort Bank AB, Denmark branch
    Postbox 100
    0900 København C.
    Denmark
    persondata@seb.dk

    SEB Kort Bank AB, Norway branch
    Personvernsombudet
    Postboks 1843, Vika
    0123 Oslo
    personvernsombud@seb.no

    SEB Kort Bank AB, Finland branch
    Data Protection Officer
    Eteläesplanadi 18
    00130 Helsinki
    Finland

    Where applicable, you have the right to make a complaint to the competent supervisory authority.

    Sweden:
    Swedish Authority for Privacy Protection (“Integritetsskyddsmyndigheten (IMY)”)
    Box 8114
    104 20 Stockholm
    imy@imy.se

    Denmark:
    Danish Data Protection Agency (“Datatilsynet”)
    Carl Jacobsens Vej 35
    2500 Valby
    dt@datatilsynet.dk

    Norway:
    Data Protection Authority
    (“Datatilsynet”)
    Postboks 458 Sentrum
    0105 Oslo

    Finland:
    Office of the Data Protection Ombudsman
    Lintulahdenkuja 4
    00530 Helsinki
    tietosuoja@om.fi

    If you are not satisfied with how we process your personal data and if your contact to our DPO, listed under “Contact details” did not provide you with a satisfying answer, please contact our responsible for complaints.

    Sweden:
    SEB Kort Bank AB
    Att.: Klagomålsansvarig
    106 40 Stockholm
    kundrelationerkort@seb.se

    Denmark:
    SEB Kort Bank AB
    Att.: Klageansvarlig
    Postboks 351
    0900 København C.
    kundeklager@sebkort.dk

    Norway:
    SEB Kort Bank AB
    Att.: Klageansvarlig
    Postboks 1373 Vika
    0114 Oslo
    kundeklage@sebkort.no

    Finland:
    SEB Kort Bank AB
    Att.: Asiakasvalitusvastaava
    P.Box 1085
    00101 Helsinki
    asiakaspalaute@seb.fi