Privacy Policy for Maritime & Merchant Bank

 

Regulation of the Bank’s Processing of Personal Data

The bank is subject to the Personal Data Act and the General Data Protection Regulation (GDPR) 2016/679 in its processing of personal data. The bank has also joined the Finance Norway industry norm for the processing of personal data in banking and credit institutions.

Primarily, the bank will collect personal data directly from you as a customer. If information is collected from third parties (for example, from other banks/financial institutions and credit information companies), you will be notified, unless the collection is mandated by law, notification is impossible or disproportionately difficult, or it is clear that you are already aware of the information the notification would contain.

If the bank wishes to collect information from you that is not necessary for the fulfilment of the contractual relationship, the bank will first inform you that providing this information is voluntary and explain how the information will be used. In such cases, we will obtain your consent for the processing of personal data.

Categories of Personal Data Processed by the Bank

  • Identification information such as name, personal identification number, and a copy of identification documents.
  • Contact information such as phone number, address, and email address.
  • Financial information such as customer and product agreements, transaction data, and credit history.
  • Information to fulfil legal obligations such as anti-money laundering and reporting to public authorities.
  • Special categories of personal data such as trade union membership for certain loan products.

Sources of Personal Data

We will process personal data you provide directly to us, or through an authorized agent you have empowered. We may also collect personal data about you from public registers.

Why We Process Your Personal Data

The bank will, at the inception and during the ongoing contractual relationship, register information about you and others associated with the contract, such as account operators. The bank will also register information about individuals whom the bank has declined to enter into an agreement with, in order to notify the person of the rejection and, if necessary, to document the relationship later, including that a rejection of deposits and payment orders was justified.

The primary purpose of the bank’s processing of personal data is customer management, financial advising, billing, and execution of banking and financing services in accordance with the agreements we have entered into with you. The bank will process personal data to the extent legislation imposes or permits such processing, or the customer has consented to such processing.

Customer Authentication for the Use of Electronic Services

When you use the bank’s electronic services, the bank may register user behaviour and environment as well as deviations from these, identify the computer or mobile device the customer uses for the bank service, and the status of the device, etc. This information will be used by the bank to ensure that the correct customer is using the service. The bank may also use this information in a risk assessment to tailor the authentication method the customer should use for the service.

Prevention and Detection of Criminal Acts and Financing of Terrorism

The bank will process personal data with the aim of preventing, detecting, investigating, and managing fraud and other criminal acts directed against you, other customers, or the bank. Information collected for this purpose may also be obtained from and disclosed to other banks and financial institutions, the police, and other public authorities. The information recorded can be stored for ten years after registration.

The bank will process personal data to prevent and detect transactions related to the proceeds of crime or related to financing of terrorism. The bank is obligated to conduct investigation and report suspicious transactions according to the Anti-Money Laundering Act. The bank is also required to report suspicious information and transactions to the Economic Crime Authority (Økokrim). Such information will be stored by the bank for five years after the end of the customer relationship.

Cookies

The bank’s website contains cookies. A cookie is a small text file stored on your machine. The file contains information that enables identifying a user across individual page loads. This can be used for statistical purposes through Google Analytics so that we can see how the website is used. You can adjust your browser settings if you wish to reject the use of cookies. By rejecting cookies from this site, you may not be able to fully utilize the website’s functionality.

Security

We use appropriate technical, organizational, and administrative security measures to protect information against loss, misuse, unauthorized access, disclosure, alteration, or destruction.

Analysis and Development of New Services

The bank may collect information used to analyse how you as a customer use our services in connection with the improvement of existing products or the development of new services.

The bank may have a legitimate interest in analysing usage patterns to identify demand for potential new products and services, improve functionality in already existing products and services, and conduct tests in connection with development.

 

Transfer of Personal Data Outside the EU/EEA

To transfer personal data outside the EU/EEA, there must be a valid basis. Valid bases may include:

  • The European Commission has decided there is an adequate level of protection in the respective country.
  • Other appropriate safeguards are in place, such as the use of standard contractual clauses (EU’s standard clauses) approved by the European Commission.
  • The data processor has valid binding corporate rules (BCR).
  • There are exceptions in special cases, for example, to perform a contract with you or if you give your consent to the specific transfer.

Use of Data Processors

The bank uses data processors to collect, store, or otherwise process personal data on behalf of the bank. In such cases, the bank will enter into agreements with the data processor to ensure that the processing of the data is in accordance with privacy regulations and the bank’s requirements for the processing of personal data. The use of data processors is not considered a disclosure of personal data.

Retention Period

The bank will delete or anonymize personal data about you when the purpose of the individual processing is fulfilled unless the information shall or can be stored beyond this as a result of legislation. This means that personal data we process based on your consent will be deleted if you withdraw your consent. Personal data we process to fulfil a contract with you will be deleted when the contract is fulfilled and all obligations arising from the contract relationship are met.

Right of Access

You have the right to request access, correction, or deletion of the personal data we process about you. You also have the right to request limited processing, object to the processing, and the right to data portability.

You can request access to registered personal data, a description of the types of information processed, and more detailed information about the bank’s processing of the information by contacting the bank.

The right of access also includes the number of electronic inquiries as well as the time of the inquiry that employees of the bank or the bank’s data processor have made in accounts or other customer engagements. The right of access to electronic inquiries is limited to a period of up to three months after the inquiry. In case of special needs of individual customers, the bank can limit the number of employees in the bank who shall have access to, and insight into, the customer’s personal data.

To exercise your rights, contact the bank by sending a secure message via your online banking, sending a written request by mail along with a verified copy of your passport, or by personal appearance and presentation of approved ID.

We will respond to your inquiry as quickly as possible, and no later than 30 days. To respond to your inquiry, we ask you to verify your identity or to provide further information before we can respond to your inquiry. We do this to ensure that we only give access to your personal data to you and not to someone pretending to be you.

Changes in Regulations

Should there be changes in our services or changes in the regulations on the processing of personal data, this may lead to changes in the information you are given here. Updated information will always be readily available on our website.

Questions About Our Privacy Policy

If you have questions about our processing of personal data or wish to complain about this, you can contact us by sending a secure message via your online banking. See also contact information at the bottom of the page.

Any complaints about the bank’s processing of personal data about you can be directed to the Data Protection Authority.