Processing of Personal Data

These Principles of Processing Personal Data (“the Principles”) describe how Swedbank AS, Swedbank Līzings SIA, Swedbank Ieguldījumu Pārvaldes Sabiedrība AS, Swedbank Atklātais Pensiju Fonds AS, Swedbank P&C Insurance AS Latvian branch and Swedbank Life Insurance SE Latvian branch (“Swedbank” or “we”) process your Personal Data as Data Controllers.

You can find further information on the Processing of Personal Data in specific areas in Section 2 which has been prepared considering frequently asked questions from Data Subjects. Here you will find information about Processing of your Personal Data depending on the Services you use and/or the nature of your relationship with Swedbank.

Additional information on the Processing of Personal Data may also be included in our agreements and other documents related to the Services, as well as on our website. Further details on our Processing of Personal Data can be obtained by submitting the Data Subject’s request to us. For more information on how to exercise your rights of a Data Subject and our contact details, see Section 5 of the Principles.

Client or you means any natural person who uses, has used or has expressed a wish to use the Services or is otherwise related to the use and/or user of the Services and/or has any other relationship with us.

Corporate Client means any legal person who uses, has used or has expressed a wish to use the Services.

Data Controller means anyone who, individually or jointly with others, determines the purposes and means of the Processing of Personal Data. In the Processing of Personal Data described in these Principles, Swedbank AS acts as the Data Controller when it provides banking services to the Client. In leasing services, the Data Controller is Swedbank Līzings SIA, in pension plan asset management services – Swedbank Ieguldījumu Pārvaldes Sabiedrība AS, in pension plan administration services – Swedbank Atklātais Pensiju Fonds AS, in non-life insurance services (for example, home insurance) – Swedbank P&C Insurance AS Latvian branch, and in life insurance services – Swedbank Life Insurance SE Latvian branch.

Data Processor means anyone who Processes Personal Data on behalf of the Data Controller. Swedbank engages Data Processors for Processing of Personal Data and takes necessary steps to ensure that Processing of Personal Data by Data Processors takes place under a contract or the Applicable Law and according to our documented instructions.

Data Protection Legislation means the applicable EU and national data protection legislation that Swedbank is subject to, for example, Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).

EU/EEA means the European Union/European Economic Area.

Personal Data and your data means any information related to you directly or indirectly.

Processing means any operation or set of operations performed with regard to Personal Data, whether or not performed by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, gathering, use, combination, blocking, erasure or destruction.

Recipient means a natural or legal person, public authority or another entity, to whom Swedbank is entitled to disclose Personal Data. See the categories of Recipients in Section 1.5.

Applicable Law means the applicable legislation that Swedbank is subject to, for example, that relating to anti-money laundering, prevention of terrorist and proliferation financing, enforcement of sanctions, banking secrecy, commercial activity, data protection, taxes, bookkeeping, lending, consumer credits, payments, payment services, insurance, leasing, investment, 2nd and 3rd pension pillar, and financial business.

Services mean any services, advice and products of Swedbank relating to financing, savings, investment, lending, cards, payments, insurance, pensions, leasing, as well as products and services of cooperation partners that are provided digitally on Swedbank’s app and website, in consultations by phone, via video-based customer service for Clients, in a Swedbank’s branch or in other channels.

Swedbank, we, us and our means any legal entity or branch belonging to the Swedbank Group with its registered office in Latvia. The list of the Swedbank Group companies in Latvia is available at www.swedbank.lv.

Swedbank Group means Swedbank AB (publ), a public limited liability banking company incorporated in Sweden, and all legal entities which Swedbank AB (publ) directly controls (the subsidiaries).

Profiling means any form of automated Processing of Personal Data to evaluate certain personal aspects relating to the Client, in particular, to analyse or predict aspects concerning that natural person’s economic situation, personal preferences, interests, reliability and behaviour.

Automated Decision-Making means taking a decision without human involvement (i.e. decision-making using only technological means) which produces legal or similar significant effect on the Data Subject.

Data Subject means any identifiable living natural person whose Personal Data is Processed by Swedbank. Swedbank Processes Personal Data of Data Subjects such as Clients, legal representatives, authorized persons, contact persons, counterparties, payers, board members, ultimate beneficial owners, as well as Personal Data of other Data Subjects provided for in the Principles. Categories of Data Subjects referred to in this definition are included in the definition of the Client.

Examples of Personal Data categories which Swedbank Processes:

Identification Data such as name, personal identification number, identity document details.

Contact Data such as address, phone number, email address, language of communication.

Financial Data such as ownerships, transactions, credits, income, liabilities, assets.

Account Data such as card number and bank account number.

Data about the Client’s financial experience such as data collected during the selection and provision of investment services and other products carrying investment risk, for example, data containing proof of financial experience in trading.

Data about trustworthiness and due diligence such as data about payment behaviour, damage or loss caused to Swedbank or other party, data that enables Swedbank to perform due diligence measures on the Client regarding the prevention of money laundering and terrorism and proliferation financing and to ensure the compliance with national and international sanctions, including the purpose of the business relationship and whether the Client is a politically exposed person, data on the origin of assets or wealth such as data regarding the Client's counterparties and business activities; as well as data regarding existing and historical insurance contracts and applications (e.g. duration of insurance relationship and claim history, insurance risk assessment history including declined insurance applications).

Data obtained while performing a statutory obligation such as data that Swedbank is required to report to the authorities, for example, tax authorities, courts, law enforcement agencies, including details of income, credit commitments, property holdings, remarks and debt balances; as well as to the motor vehicle insurance bureau, including details of concluded insurance contracts and paid insurance indemnities.

Communication and device Data such as the data contained in messages, emails, visual images, video and/or audio recordings, as well as other conversations and interactions, collected when the Client visits Swedbank premises, cash machines (ATMs) and other areas where Swedbank renders Services or communicates with the Client, data related to the Client’s visits to Swedbank website and communication through Swedbank Internet Banking and mobile app.

Data about habits, preferences and satisfaction such as the activeness of using the Services, Services used, personal settings, your sustainability preferences, survey responses, Client satisfaction, as well as hobbies and/or personal habits that may affect Client’s health which may be assessed during the risk factor evaluation within the insurance underwriting process.

Family Data such as information about the Client’s family and relationships.

Demographic Data such as country of residence, date of birth and citizenship.

Children’s Data such as data collected and Processed when a child uses the Services or when a child is the beneficiary or the insured in an insurance contract.

Professional Data such as education or professional career.

Data about relationships with legal entities such as data submitted by the Client or obtained from public databases or a third party as a service provider for the execution of transactions on behalf of a particular legal entity.

Relationship status Data such as the segment to which the Client belongs, information about the Client’s participation in a customer service programme or the assignment of a risk level to the Client.

Sensitive Data such as special categories of Personal Data (data concerning health) and Data about criminal convictions and offences. The provision of some Services requires Swedbank to Process special categories of Personal Data. Swedbank will ask for the Client’s consent when Processing special categories of Personal Data, for example, when information is required for the Services related to insurance services. Special categories of Personal Data may also be Processed to pursue a legal claim or based on a legal obligation that Swedbank is subject to, for example, data on administrative penalties in motor third-party liability insurance cases.

We Process your data only if we have a valid reason to do so and based on the following legal ground(s):

• Performance of agreement is one of the main legal bases according to which we Process Personal Data to provide Services. This includes Processing necessary to take steps at your request prior to entering into an agreement, as well as to conclude, amend, execute, maintain and terminate an agreement.
• Compliance with legal obligation is the legal basis for the Processing that is necessary for us to comply with the Applicable Law.
• Legitimate interest to Process Personal Data is the legal basis for the Processing of Personal Data for our specific reasonable interest of Data Controller or third party, which is balanced against your interests and rights as a Data Subject.
• Public interest arising from the Applicable Law is the legal basis for the Processing when it is stipulated in the law and it is necessary for the performance of a task carried out in the public interest. In these cases the Processing may only be done to the extent stipulated in the Applicable Law, for example to prevent money laundering.
• Consent as the legal basis of data Processing. In cases where you provide your consent, you will be separately informed of the specific purpose of Processing Personal Data. You can withdraw your consent at any time.

To be able to provide the Services, as well as in other cases when it is necessary, Swedbank may share the Clients’ Personal Data with Recipients.

Swedbank will not share more Personal Data than necessary for the particular purpose of Processing. Recipients may Process the Personal Data as Data Processors and/or as Data Controllers. When the Recipient Processes Client’s Personal Data on its own behalf as a Data Controller, the Recipient is responsible for providing information to Data Subjects on such Processing of Personal Data. In such a case Swedbank advises the Client to contact the relevant Recipient for information on the Processing of Personal Data by the Recipient.

The Recipients acting as Data Controllers are, for example:

• Legal entities and their branches belonging to the Swedbank Group.
• Authorities and officials such as supervisory authorities, tax authorities, law enforcement agencies, sworn bailiffs, sworn notaries, Notary Council, courts, out-of-court dispute resolution bodies.
• Financial and legal consultants, auditors or any other service providers of Swedbank, Swedbank’s authorized persons.
• Providers of information systems, databases and registers, for example, credit register, account register, population register, commercial register, securities register, pension register, asset registers (such as the Land Registry), registers related to vehicles and their owners, as well as register related to motor third party liability insurance.
• Debt collection service providers, assignees, insolvency administrators.
• Surety providers, pledgors.
• Persons and suppliers related to the provision of Services to Swedbank, such as providers of telecommunications, postal services, services rendered to the Client if the Client has ordered e-invoices for these Services.

The Recipients acting as Data Processors are, for example:

• Legal entities belonging to the Swedbank Group and their branches when they Process Personal Data on behalf of Swedbank.
• Other persons involved in the provision of the Services, such as providers of information technologies, hosting, cloud computing, archiving, printing services, technical experts and valuators.

Normally, Clients’ Personal Data is Processed within the EU/EEA.

However, in some exceptional cases they may be transferred to and Processed in countries outside of the EU/EEA provided there is a legal basis for it and at least one of the following conditions is met:

• The country outside of the EU/EEA where the Recipient is located has adequate level of data protection as decided by the EU Commission. The list of countries so far recognised by the EU Commission as providing adequate protection is available on the EU Commission’s page here.
• The controller or processor has provided appropriate safeguards, for example, the agreement that includes the EU Standard Contractual Clauses or other authorized contractual clauses is concluded, approved codes of conduct, binding corporate rules or certification mechanisms are provided. The applicable EU Standard Contractual Clauses used by Swedbank for the transfer of Personal Data to third countries can be found here.
• Derogations for specific situations apply, for example, in case of the Client’s explicit consent, performance of a contract with the Client, conclusion or performance of a contract concluded in the interest of the Client, establishment, exercise or defence of legal claims, important reasons of public interest.

Upon request, the Client can receive further details on Personal Data transfers to countries outside of the EU/EEA and the appropriate safeguards.

Personal Data will be retained only as long as necessary for the particular purpose of Processing for which the data is collected or which is stipulated in the Applicable Law. For example, after the contractual relationship has expired, Swedbank will Process Personal Data for accounting purposes and for compliance with the Applicable Law, as well as for purposes based on Swedbank’s legitimate interest, for example, for the establishment, exercise or defence of legal claims. This means that Swedbank is required by the Applicable Law to store Personal Data for longer than necessary for the performance of the contract with you, for example to comply with legal obligations.

Examples of retention periods:

• Client’s Personal Data during business relationship that is related to the provision of Services – this Personal Data remains at the disposal of Swedbank until the end of your business relationship with us, unless another valid reason exists that requires retaining Personal Data longer.
• When Client’s Personal Data is necessary to protect the legitimate interest of Swedbank or the Client under the Civil Law in the event of a claim – a maximum of 10 years from the termination of contract.
• When Client’s Personal Data is necessary to fulfil a legal obligation under the Applicable Law related to the prevention of money laundering and terrorist and proliferation financing – 5 years from the termination of business relationship.
• When Client’s Personal Data is necessary to protect legitimate interest if Swedbank is under investigation or litigation – until the end of the investigation and litigation.
• When Client’s Personal Data is Processed in relation to video surveillance for the purpose of defending Swedbank’s legal claims and legitimate interest; for detecting and preventing unlawful activities – a maximum of 90 days.
• When Client’s Personal Data is Processed for marketing purposes – only for as long as the Client’s consent is valid.

Why we Process Personal Data: the Applicable Law obligates us to identify our Clients and, in certain events, their representatives and persons participating in an occasional transaction.

How we Process Personal Data: for this purpose, we will ask you to provide a valid identity document and if necessary, other documentation necessary for identification. We use the authentication tools when verifying your identity. We must ensure that your Identification data is correct and up to date during the Service provision period.

Identification

When you apply for a Service or conclude a Service agreement, we have a legal obligation to identify you. For identification, we will ask you to provide a valid identity document which we verify in the Register of Invalid Documents.

If you conclude a Service agreement on behalf of a child, we will ask you to provide a valid identity document of the child which we will verify in the Register of Invalid Documents, in addition to verifying your child’s identity and your right to represent the child by checking Personal Data in the Register of Natural Persons. In such cases we perform Personal Data Processing for the purposes of concluding and performing the agreement.

When you use our Services continuously, we need to ensure that your Identification data is correct and up to date. For this purpose, we will ask you to update your Identification data provided to Swedbank, and we also obtain necessary Identification data from the Register of Natural Persons and update them automatically.

We will share your Identification data within the Swedbank Group entities registered in Latvia depending on the products and Services you use or have requested, to ensure that your Personal Data is correct and up to date.

Authentication

During authentication, we verify the identity of persons who obtain our Services.

Authentication is mainly done by using the authentication tools provided by companies like SK ID Solutions AS (Smart-ID, Mobile-ID). You can also use authentication tools that we accept based on the regulatory requirements (eID card, eParaksts Mobile), or other solutions which we consider secure and efficient (biometrics, PIN in Swedbank’s mobile app, security token).

When you use an authentication tool provided by another company, we may share with that company your Identification data and Communication and device data (such as the IP address and device type). In addition, we inform such companies that you use our Services. As part of the authentication, we do not Process biometric data. Biometric data is Processed by the companies providing the authentication services as Data Controllers. Therefore, to find out more details about Personal Data Processing as part of authentication, please visit the websites of the relevant authentication service providers.

For the purposes described in this Section, based on our legal obligation or performance of agreement, we may Process categories of Personal Data like Identification data, Contact data, Communication and device data.

Why we Process Personal Data: we Process Personal Data to fulfil a legal obligation imposed by the Applicable Law on prevention of money laundering and terrorism and proliferation financing, and enforcement of international and national sanctions.

How we Process Personal Data: we collect Personal Data from you and external sources such as public registers. Your Personal Data is transferred to data Recipients, such as the authorities, when it is required by and according to the Applicable Law.

Applicable Law obligates us to perform Client due diligence activities, including to know our Clients and understand the purpose and nature of the business relationship and occasional transactions with us. We must also assess the risks associated with money laundering, terrorism and proliferation financing, international and national sanctions. This helps to safeguard certain public interests, as well as ensure that our Services are used for legitimate purposes and are protected against persons who have inappropriate intentions.

For this purpose, we are obligated to identify you (please see the “Identification and authentication” section), as well as to ask you to provide accurate and truthful Personal Data about yourself and, if necessary, documents confirming the Personal Data. We may use the Personal Data about you obtained directly from you or from the external registers such as the Register of Natural Persons, business registers, asset registers, publicly available databases of politically exposed persons (PEP), if necessary. Also, we may review your data in the media. According to the Applicable Law we are obligated to review your Personal Data against sanction lists to ensure that our Services are not provided to sanctioned persons or persons related to sanctions.

During our business relationship, we, regularly or based on a particular case, may ask you to update the Personal Data you’ve provided and may check if the data obtained from the external registers mentioned above is up to date. The Applicable Law also obligates us to monitor your activity and transactions to ensure that they are not considered suspicious and do not fall under sanctions. The scope of due diligence activities and their regularity depend on our assessment of the risk of money laundering, terrorism and proliferation financing and sanctions risk. We stand a guard over your financial assets to prevent unauthorised activity with your funds or other fraud attempts. In such cases we act promptly by investigating information we receive about possible fraudulent activities. We also proactively, to the extent possible, in analysing your transactions with the aim of identifying or preventing unauthorised or authorised but possibly fraudulent outflows of your funds. In case of criminal investigation we provide any relevant information that may contribute to the investigation.

According to Applicable Law, we also Process Personal Data of individuals related to Corporate Clients. We identify the legal entity’s representatives (legal representatives, authorized persons, persons holding a position in the company’s highest management body such as the procurator, insolvency administrator) and ask to provide their Identification data, Demographic data, Contact data and data about the relationship with legal entities. We may also ask to provide Identification data and Demographic data about the legal entity’s shareholders. The legal entity has an obligation to disclose its beneficial owners and provide their Identification data, Demographic data and Contact data. If it is necessary, we ask the legal entity to provide additional documents and information about beneficial owners, for example, proof of source of wealth, or data on relationships with legal entities. Where relevant, we also collect and regularly update Personal Data about the legal entity’s representatives, shareholders and beneficial owners from the external registers such as the Register of Natural Persons, business registers, asset registers (such as the Land Registry) etc.

For the purposes described in this Section, based on our legal obligation, public interest or our legitimate interest, we may Process such categories of Personal Data as Identification data, Contact information, Financial data, Account data, Data about trustworthiness and due diligence, Family data, Demographic data.

Why we Process Personal Data: we Process your Personal Data to provide the daily banking Services, such as current accounts, deposits, payment services and other daily banking Services requested by you, as well as to manage relationship with you, including the controlling and administering access to the Services.

How we Process Personal Data: the Processing involves the collection of Personal Data from you and from the use of the Service, transfer of Personal Data to the Recipients in order to perform a Service agreement, when it’s required under the Applicable Law, and the receipt of Personal Data from third parties, such as other payment service providers.

You have opened and hold a current account with us

When you open an account with us, we Process your Personal Data for the purpose of serving you according to the agreement and to provide you with other Services related to the bank account as requested by you.

When the account information service is provided to you by Swedbank, which allows you to access account information from your account held at another financial institution, your Personal Data, such as the Identification, Account, Communication and device data, is transmitted to Swedbank by this financial institution.

Based on our legal obligation, we Process your Personal Data to fulfil the account information Service requests initiated through an account information Service provider. This Service ensures that you have access to your Swedbank account information at another financial institution. For this purpose at your request, we disclose your Personal Data, such as Identification, Account, Communication and device data, to that financial institution.

For the purposes described in this Section, based on our legal obligation or our legitimate interest, we may Process such categories of Personal Data as Account data, Identification data, Contact data, Demographic data, Family data, Children’s data, and Financial data.

You use a Swedbank payment card

If you request and conclude an agreement for a Swedbank payment card (credit or debit card), we Process your Personal Data for the purpose of concluding and fulfilling the respective payment card agreement, including card ordering, personalization and activation, providing support in card related issues and preventing card fraud.

We Process your Personal Data in order to execute card transactions, authorize transactions (incl. transactions initiated by the merchant) and perform payment processing. If you file a complaint about a card transaction, your transaction data may be shared with the relevant international payment card organisation (for example, Mastercard).

When a Client orders a supplementary payment card linked to the Client’s account, we Process the Personal Data of the holder of the supplementary card, to perform the agreement and provide the Service.

Based on our legal obligation, we process your Personal Data in order to comply with the requirements under Applicable Law in respect of reporting cross-border transactions to the tax authorities.

For the purposes described in this Section, based on our legal obligation, performance of agreement or our legitimate interest, we may Process such categories of Personal Data as Identification data, Account data, Contact data, Professional data, Children’s data, Demographic data, Communication and device data (for example, when enabling and managing digitized cards and mobile contactless payments), Family data, Financial data.

You make or receive payments

We Process Personal Data when providing domestic and international payments, including payment initiation services. When you submit a payment order, for providing these Services we Process your Personal Data (including sharing data with external parties like the payee, payment organisations, correspondent banks) according to your instructions.

If you have registered your phone number linked to your account with the Proxy Registry "Instant Links" maintained by the Bank of Latvia acting as an independent Data Controller, your Personal Data is Processed for the purpose of including it in the register based on out agreement to use the Service. The Processing involves sharing Personal Data (your phone number, full name and IBAN) with the payee.

Based on our legal obligation, we Process your Personal Data to fulfil requests and to provide payment initiation services from your account initiated through a payment initiation service provider. This service ensures that you can authorize payments from your Swedbank account through interface provided by another financial institution. For those purposes your Personal Data, such as Identification, Account, Communication and device data, is disclosed to the relevant financial institution.

Similarly, your Personal Data is Processed when you initiate payments from your account held at another financial institution through Swedbank as a payment initiation service provider. Swedbank provides the payment initiation service through multiple tools such as Swedbank Internet Banking, mobile app or Bank Link service.

Based on our legal obligation, we process your Personal Data in order to comply with the requirements under Applicable Law in respect of reporting cross-border transactions to the tax authorities.

For the purposes described in this Section, based on a legal obligation, performance of agreement or our legitimate interest, we may Process such categories of Personal Data as Identification data, Account data, Communication and device data.

Why we Process Personal Data: We Process Personal Data for the purpose of providing the financing Services chosen by you and to comply with the Applicable Law in the area of financing Services.

How we Process Personal Data: Personal Data is Processed when we conclude, perform and terminate agreements such as agreements for consumer credit (like Small Loan, Car Loan, Home Small Loan, Solar Panels Loan, Study Loan, credit card limits), mortgage loan, leasing and similar Services related to the provision of financing to the Client. Personal Data is collected from you and from external sources. Depending on the financing Service and the particular situation of the Client, Personal Data is disclosed to the Recipients in order to conclude and perform the agreement, to comply with the Applicable Law or to defend our legitimate interest.

To assess your creditworthiness and enable fast decision-making, we Process your Personal Data by automated means, including Profiling and Automated Decision-Making. To do this, we evaluate the Personal Data provided in your application as well as Personal Data collected from internal and external data sources. Assessment of your creditworthiness is carried out to ensure compliance with legal obligations, such as the responsible lending requirements. Such an assessment is also necessary for entering into an agreement with you. You have the right to object to Profiling and to ask the Automated Decision-Making to be reviewed. In such an event, this decision will be reviewed by our employee. The legal ground for Automated Decision-Making is the conclusion and performance of an agreement.

When you enter into an agreement with us (including a pledge or surety agreement), we have a legal obligation to provide data on the concluded financial Services agreements, their performance and/or changes in the performance, therefore we share certain Personal Data of contracting parties with an external register like the Credit Register of the Bank of Latvia.

When you conclude a financing agreement, the fulfilment of which is secured by a third party under special approved programmes or when you conclude an agreement on granting financing for a specific purpose, your Personal Data may be shared with third parties involved in such approved financing schemes, for example a third party providing a guarantee for the borrower (Altum), or in case of a student loan, the State Education Information System.

For the purposes described in this Section, based on a legal obligation, performance of agreement or our legitimate interest, we may Process such Personal Data categories as Identification data, Demographic data, Family data, Account data, Financial data, Contact data, Professional data, Data about trustworthiness and due diligence.

The amount of your Personal Data which we Process depends on your role in the financing process, i.e. whether you are the Client concluding the agreement with us or you have a different role in the financing relationship, for example, your creditworthiness will not be assessed if you are the seller of an asset in a leasing deal. In case of the role of a contact person or authorized representative we only Process Identification data and Contact data.

You are a person related to a Corporate Client

For purpose of creditworthiness assessment of Corporate Client, based on legitimate interest we Process Personal Data of individuals related to a Corporate Client, such Identification data, Data about relationship with legal entities, Financial data.

This enables Swedbank to evaluate if funding may be granted to the relevant Corporate Client and minimizes the default risks.

Why we Process Personal Data: we Process your Personal Data to advise you on selecting suitable products, provide the Services chosen by you and in order to comply with the Applicable Law.

How we Process Personal Data: Personal Data is collected and regularly updated from you directly, from your use of our Services, including communication with us, and from external sources such as third-party registry providers (for example, State Social Insurance Agency of the Republic of Latvia). Depending on the Service, Personal Data is disclosed to the Recipients if necessary to conclude and perform an agreement and/or to comply with a legal obligation set forth in Applicable Law.

Investment Services

When you have applied for an investment Service or ancillary Service, we Process your Personal Data for the conclusion, performance, maintenance and termination of the agreement. This involves safekeeping of your financial instruments, execution of your orders, performing the activities necessary for the execution of corporate actions related to your financial instruments, provision of investment advice or portfolio management to you, as well as the provision of other investment and ancillary Services.

We process your Personal Data, including Profiling, for purpose of applying target market rules, as well as assessing the suitability and appropriateness of the relevant Service or financial instrument to you.

Based on Applicable Law, we must also record phone conversations and video streams in the provision of investment and ancillary services.

We Process your Personal Data to prepare and provide mandatory reports to you about the fees and other charges, trade execution, financial instrument holdings, losses in connection with certain Services and financial instruments, and for other types of reports.

Your Personal Data may be disclosed to local and foreign supervisory and tax authorities, central securities depositories, exchanges, issuers of financial instruments or third parties appointed by the issuers, fund managers and other financial intermediaries.

Personal Data is collected and regularly updated from your use of the Services, including your communication with us, and from external sources, such as the Register of Natural Persons, business registers, asset registers.

For the purposes described in this Section, based on a legal obligation, performance of agreement or our legitimate interests, we may Process such Personal Data categories as Identification data, Contact data, Children’s data, Family data, Demographic data, Professional data, Financial data, Data about financial experience, Account data, Data about habits, preferences and satisfaction, Data about trustworthiness and due diligence, Communication and device data.

2nd pension pillar investment plans

If you build up your 2nd pillar pension savings with Swedbank, we process your Personal Data in accordance with the requirements of Applicable Law. This involves receiving information from the State Social Insurance Agency (VSAA) about the participants in the 2nd pillar pension plans managed by Swedbank, processing it in accordance with Applicable Law and the relevant mandatory communication with you (from the age of 15).

For the purposes described in this section, we may process categories of Personal Data such as your Identification Data, Demographic Data, Contact Data, Children's Data (for mandatory communications from the age of 15), Relatives Data and Communication and Device Data based on our legal obligation, legitimate interests or your consent.

3rd pension pillar pension plans

If you invest under Swedbank’s 3rd pension pillar pension plans, we Process your Personal Data according to the requirements of Applicable Law and pension plan regulations. This includes providing you with necessary information, administering and processing your investments in the pension plan, keeping record of your individual pension account, pay-outs from the pension plans and inheritance, providing information to tax authorities and supervisory authorities.

Based on your application, we transfer your accrued pension capital from Swedbank to other pension funds managed by third-party pension fund management companies. In such an event, the Processing of your Personal Data involves sharing your Personal Data with the pension fund specified in your application.

For the purposes described in this Section, based on compliance with a legal obligation or performance of an agreement, we may Process such Personal Data categories as your Account data, Demographic data, Contact data, Financial data and Identification data.

Why do we Process Personal Data: we Process Personal Data to provide you with the life and unit-linked life insurance Service chosen by you, including to assess your individual risk and calculate insurance premiums where necessary, to handle claims related to the insurance contract and pay the insurance benefit, as well as to conclude and perform the insurance contract with you. Personal Data is also Processed in order to comply with a legal obligation set forth the Applicable Law in relation to the life and unit-linked life insurance Service, as well as to protect our legitimate interests.

How we Process Personal Data: Personal Data is collected and updated from you directly and from external sources. Depending on the type of life insurance Service, Personal Data is disclosed to data Recipients in order to conclude and perform the agreement or to comply with a legal obligation.

When you have submitted an application for a risk life insurance Service, we Process your Personal Data, including Profiling, to assess your individual risk level, calculate the life insurance premium and sum insured and make an underwriting decision. For this purpose, we Process your Personal Data that is already at our disposal and health data that we receive from you, from medical practitioners and medical institutions. In such cases the legal ground for data Processing is the performance of the agreement or compliance with a legal obligation or the consent you’ve given.

We Process your Personal Data, including health data, by automated means and perform Automated-Decision Making. You have the right to object to Profiling and ask Automated-Decision Making to be reviewed. In such an event the decision will be reviewed by our employee. The legal ground for data Processing in Automated-Decision Making is the performance of the agreement or compliance with a legal obligation or the consent you’ve given.

If you have applied for the unit-linked life insurance Service or to assess the suitability and appropriateness of the Service for you, we Process your Personal Data, including by Profiling. In such cases the legal ground for data Processing is compliance with a legal obligation.

After concluding a life insurance contract, we Process your Personal Data to perform the life insurance contract (including sending messages related to the insurance contract), if necessary, amend and terminate it, and make a pay-out based on the contract. In order to comply with a legal obligation, additionally we Process your Personal Data to send event-based messages and reports and annual reports regarding the unit-linked life insurance contract, as well as to comply with a legal obligation set forth in the Applicable Law regarding taxation of the insurance benefit.

If you have submitted a life insurance benefit claim, we Process your Personal Data in order to handle that claim (including, making a decision in the insurance payout case), including health data we receive from you and medical institutions or medical practitioners, as well as Personal Data that is already at our disposal. We also Process your Financial data we receive from the authorities or registry providers, for example data about criminal convictions and offences. In such cases the legal ground for data Processing is the performance of the agreement or compliance with a legal obligation.

We may share your Personal Data, including health data, with a reinsurance company to fulfil our obligations arising from the reinsurance agreement regarding claim handling and receiving the insurance benefit.

For the purposes described in this Section, based on performance of an agreement, our legal obligation or legitimate interest or your consent, we may Process such Personal Data categories as Identification data, Contact data, Children’s data, Communication and device data, Family data, Data about relationships with legal entities, Demographic data, Professional data, Financial data, Data about financial experience, Account data, health data and data about criminal convictions and offences, Data about trustworthiness and due diligence, Data about habits, preferences and satisfaction.

Why we Process Personal Data: we Process Personal Data to provide you with the non-life insurance Service chosen, including to assess your insurance risk, to calculate insurance premiums, to handle claims related to the insurance contract and to pay out the insurance benefit. Personal Data is also Processed in order to comply with legal obligations set forth in the Applicable Law in relation to the non-life insurance Service, as well as to protect our legitimate interests.

How we Process Personal Data: Personal Data is collected and updated from you directly and from external sources. Depending on the Service, Personal Data is disclosed to data Recipients in order to conclude and perform the contract or to comply with a legal obligation.

We Process your Personal Data to conclude an insurance contract with you, assess your trustworthiness, calculate the insurance premium and conditions according to your risk level. In order to assess the insurance risk, calculate the insurance premium and conclude the insurance contract, we Process your Personal Data by automated means, including Profiling, and perform Automated Decision-Making. You have the right to object to Profiling and ask Automated-Decision Making to be reviewed. In such an event the decision will be reviewed by our employee. The legal ground for data Processing in Automated-Decision Making is the performance of the agreement or compliance with a legal obligation.

For the purposes set out above, we Process Personal Data we receive from you and registry providers and the Personal Data at our disposal regarding you, and the data provided by other Swedbank Group entities in Latvia. In such cases the legal ground for data Processing is the performance of the agreement or compliance with a legal obligation.

After concluding the insurance contract, we Process your Personal Data to perform the contract, to send policy renewals, amend and terminate the insurance contract, as well as to refund insurance premiums. In compliance with our legal obligation, additionally we Process your Personal Data to send messages related to the insurance Service. In such cases the legal ground for data Processing is the performance of the agreement or compliance with a legal obligation.

If you have submitted an insurance benefit claim, we Process your Personal Data to handle the claim, including making the decision in the insurance payout case. We Process your Personal Data we receive from other insurance service providers, registry providers, the authorities, medical practitioners and medical institutions, other Swedbank Group entities, as well as Personal Data on health at our disposal in connection with your previous claims or contracts. In such cases the legal ground for data Processing is the performance of the agreement or compliance with a legal obligation.

When you need medical assistance in connection with an insured event under travel insurance or in order to handle a motor third party liability insurance claim in relation regarding an event that has occurred in a country outside the EU/EEA, to order to perform the contract, your Personal Data is transferred to the respective country outside the EU/EEA.

In addition, we Process your Personal Data to provide you with an insurance price corresponding to your personal level of risk, to develop pricing models, to control the quality of vehicle repair work and to submit a claim for the compensation of damage against the third party who caused damage to you, or to raise a claim against another insurance service provider. We may share your Personal Data, including health data, with the reinsurance company to fulfil our obligations under the reinsurance agreement regarding claim handling and receiving the insurance benefit. We may also share your Personal Data with other insurance service providers in order to reduce their operational risks and risk of fraud. In such cases the legal ground for data Processing is the performance of the agreement, compliance with a legal obligation set forth in Applicable Law or our legitimate interests.

For the purposes described in this Section, based on the performance of agreement, our legal obligation or legitimate interest, we may Process such Personal Data categories as Identification data, Account data, Contact data, Financial data, Family data, Children’s data, Sensitive data (data on health, criminal convictions and offences), Professional data, Data about relationships with legal entities, Communication and device data, Data about habits, preferences and satisfaction, Relationship status data, Demographic data, Data about trustworthiness and due diligence.

Why we Process Personal Data: we Process Personal Data to prepare and provide you with offers that meet your needs, relevant information and to conduct opinion surveys, organise lotteries and campaigns, and provide customer service programs for Clients. For marketing purposes, Personal Data Processing is carried out based on your consent or our legitimate interest. You have the right at any time to object to the Processing of your Personal Data, as well as to withdraw your consent.

How we Process Personal Data: we Process your Personal Data that is collected from you and from your use of Services for marketing purposes, including for building your profile to provide you with personalised marketing communication. For this purpose, we share your Personal Data with Swedbank Group entities operating in Latvia.

Profiling in marketing

We carry out Profiling for marketing purposes in order to assess which products and Services may be suitable and relevant to your interests and needs. This enables producing offers and Services tailored to you, rather than general information.

For these purposes, we assess certain personal characteristics of the Client, in particular to analyse or predict, for example, the individual’s economic situation, personal preferences and interests. For the purpose of providing the Client with suitable recommendations and offers, we Process Personal Data automatically. Such data may be, for example, information about the Client’s product holdings and the Client’s usage of the Services. We also may process data about the Client’s economic situation, typical behaviour and lifestyle patterns based on the Client’s usage of the Service, transactions performed and information provided to Swedbank. This data may be used for building segments and profiles necessary to execute customer service programs to provide offers suitable for the Client. The Processing may result in advice and offers provided based on the Client’s needs, inclusion of the Client in customer service programs and therefore application of special prices and Service conditions, and exclusion from the programs.

You have the right at any time to object to the Processing of your Personal Data, including Profiling. In such an event, we will no longer Process the Personal Data except in cases when the Data Controller provides compelling legitimate reasons for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Preparation of offers

Based on consent, to provide you with the best user experience and to prepare relevant offers at the most convenient time by identifying the Client's interests and needs at the time, we prepare the following types of offers:

• Personalized offers – practical marketing offers to you to choose the most appropriate Services, to improve their everyday use or to refrain from inappropriate use and other suggestions to best serve the Client's interests and needs, for example, product upgrade, replacement.
• Personalized financing and insurance limits – practical calculations designed to help you understand what lending and leasing options, as well insurance premiums are available to you (applicable only from the age of 18).
• Offers in cooperation with partners – practical offers designed to help you (applicable from the age of 16) choose suitable services and benefits from Swedbank's cooperation partners. No Personal Data is shared with the cooperation partners.
• Financial education and personalized suggestions – practical offers for your child(ren), such as suggestions for safe and convenient banking, invitations to educational games and other activities, as well as relevant offers for our products and Services.
• Other types of offers for which you have given consent.

You may receive these offers by providing consent to all or some of the above types of offers set out above. You can give and manage your consent by logging in to our Internet Banking and going to the “Privacy settings” section or by visiting any Swedbank branch.

You can withdraw your consent at any time:

• by visiting our Internet Banking site’s section "Privacy settings";
• by visiting any Swedbank branch;
• by calling the Consultation Centre.

If you wish tracking your spending and get a categorized overview of it in all your accounts in a single view, you can use our My Budget tool available via Internet Banking and mobile app. The Processing of your Personal data in this tool is subject to your consent.

We will occasionally remind you of the consents you have given and invite you to consider whether these are in line with your current wishes by offering to renew or withdraw them.

Please note that any changes made by you in the offer preparation settings will take effect within 5 days after making the changes.

For the purposes described in this Section and based on your consent or in order to prepare relevant offers, we may Process such categories of Personal Data as Identification data, Contact data, Account data and Demographic data, information about products/Services/channels the Client already uses, the Client’s previous experience with using them, Financial data including income and transactions in the Client’s accounts, as well as data on whether the Client is eligible for special customer program offers. When the Client visits Swedbank’s website, Internet Banking or uses the mobile app, we also take into account the Client’s browsing habits and targeting technologies to the use of which the Client has consented. Regarding offers with financing and insurance limits, before setting the limits, Swedbank first considers if the Client meets the basic lending and insurance requirements.

Preparation of other information

To improve the Clients’ awareness of Swedbank’s news and Services, we prepare the following types of information for our Clients based on our legitimate interest:

• Relevant information – information created to invite the Client to events, to send greetings and newsletters.
• Client satisfaction surveys – questionnaires designed to invite the Client to provide feedback on the Services they use and to help us improve those.

We prepare this information based on our legitimate interest without asking for consent, but you can decide whether or not to permit us to do so. You can choose which types of information you wish to receive.

You can object to the preparation of this information at any time and further manage your permissions:

• by visiting our Internet Banking site’s section “Privacy settings”;
• by visiting any Swedbank branch;
• by calling the Consultation Centre.

Please note that any changes made by you in the information preparation settings will take effect within 5 days after making the changes.

For the purposes described in this Section and based on our legitimate interest, as well as to conduct Client opinion surveys, we may Process Personal Data categories such as Account data, Relationship status data, Data about habits, preferences and satisfaction, Communication and device data, Contact data, Demographic data, Family data, Identification data and Financial data.

You may receive our marketing offers and other relevant information to which you have given consent or permission as described in the previous Sections through the following communication channels: 1) e-mail; 2) SMS; 3) phone; 4) post.

You may receive offers and other information by giving your consent to one, some or all channels. This consent may be given or withdrawn by you in the same manner as described in Section 2.8.2. In addition, you may opt out of receiving marketing e-mails by clicking on the link in the footer of all e-mails sent.

Please note that the choice of channels may affect the offers and other information you receive. Each offer and information prepared has a dedicated communication channel. For example, some offers and surveys are sent only by e-mail, while other types of offers will also be available via our Internet Banking and mobile app, for example:

• if you consent to the preparation of offers but do not consent to any communication channel, we will prepare an offer which might be valuable for you to receive in the form of an e-mail, but we will not be able to send it. In this case, however, some of the offers may be available on our Internet Banking site, mobile app, branch and Consultation Centre;
• if you consent to any or all communication channels but, for example, do not consent to the preparation of offers, we will not be able to prepare an offer to send to you.

Please note that consent to communication channels is not required for sending service messages to the Client in relation to the Services used, for example, information on expiry of the concluded agreement or important information on fraudulent activity in the current account. We will send such information to perform an agreement entered into between us, ensuring that you are informed in a timely manner about the current status of the Services used.

For the purposes described in this Section and based on your consent, we may Process such Personal Data categories as Identification data and Contact data.

We offer special customer service and loyalty programs for our Clients, where better prices and/or additional benefits are available for the members of the programs. In order to be able to include in and apply the special terms of the customer service programs, we Process Personal Data by automated means. Information about Processing of Personal Data in connection with the project or program is provided in the terms and conditions of the respective project or program or in an additional notification. The Processing of Personal Data for the above purpose is performed if the Client does not object to the Processing when the Processing is based on the legitimate interest of Swedbank, or the Client has accepted the terms or the conditions of the loyalty programme in order to perform the agreement.

For the purposes described in this Section and based on the performance of agreement or our legitimate interest, in order to execute customer service programs, we may Process such Personal Data categories as Identification data, Contact data, Demographic data, Relationship status data, Data about relationships with legal entities, Account data, Financial data.

In order to improve the financial literacy of the society and/or increase our brand recognition, we organize lotteries, competitions, campaigns and events for our Clients.

For the purposes described in this Section, based on consent given by you or our legitimate interest, in order to organize lotteries, competitions, campaigns and events for our Clients, we may Process such Personal Data as Account data, Professional data, Financial data, Contact data, Data about habits, preferences and satisfaction, and Demographic data.

Why we Process Personal Data: Processing of Personal Data is necessary for the purpose of ensuring Service quality, to protect the interests of the Client and Swedbank, to handle Clients’ complaints, to perform an agreement or to comply with a legal obligation set forth in the Applicable Law.

How we Process Personal Data: for the purpose of ensuring Service quality and protecting the interests of the Client and Swedbank, and, when necessary, for the purpose of verification of commercial transactions or carrying out other business communication, to comply with the requirements of the Applicable Law with regard to the provision of investment services, phone calls and video streams are recorded. Additionally, Swedbank Processes Personal Data in connection with written correspondence in order to ensure the quality of the Service and information necessary for serving Clients.

Swedbank Processes Personal Data when it records telephone calls with the Client to improve the Service quality and to protect the interests of the Client and Swedbank. In such an event, the legal ground for Personal Data Processing is the legitimate interest of Swedbank.

We also Process Personal Data in connection with written correspondence received via email, Internet Banking message and chat in order to ensure the quality of the Service by pursuing Swedbank’s legitimate interest. We Process the Personal Data for handling and replying to Clients’ complaints and this Processing is based on the legal obligation of Swedbank.

For the purposes described in this Section, based on our legitimate interest, we may Process Personal Data categories such as Communication and device data, Account data, Professional data, Financial data, Data about habits, preferences and satisfaction, Contact data, Data about trustworthiness and due diligence, Data about relationships with legal entities, Data obtained while performing a statutory obligation, Data about the Client’s financial experience, Identification data and Demographic data, Children’s data in case the Service is related to children, special data (health data) which is necessary in relation to a life and non-life insurance service or to handle the Client’s complaints.

Why we Process Personal Data: we Process Personal Data to provide consultations and service communication to the Clients.

How we Process Personal Data: we Process your Personal Data when we serve you at the branches of Swedbank or in other Client customer service locations, as well as when we communicate with the Client via phone, chat, email and other means of communication. Your Personal Data, such as Contact data, is shared within Swedbank group companies operating in Latvia in order to ensure that the Contact data is up to date.

When you book a consultation at the branches of Swedbank, we Process your Personal Data in order to be able to identify you and successfully register for a consultation at a time of your choice and prepare in advance for the provision of the Services you’ve requested.

We Process your Personal Data at the disposal of Swedbank, such as Financial data, in order to provide you with the requested consultation on our Service. For this purpose your Personal Data can be obtained from Swedbank group companies operating in Latvia.

For the purposes described in this Section, based on our legal obligation, performance of agreement or our legitimate interest, we may Process Personal Data categories such as Contact data, information about requested, provided Services and/or performance of a Service agreement, when we provide information to you and contact you by phone, via chat, e-mail or other communication channels.

Why we Process Personal Data: we Process Personal Data to manage risks, ensuring that Swedbank operates safely and soundly and in compliance with the Applicable Law.

How we Process Personal Data: we Process Personal Data in order to comply with the legal obligations set forth the Applicable Law in relation to risk management, fulfilment of capital requirements, preventing fraud and managing incidents. We disclose Personal Data to data Recipients, such as law enforcement authorities, when it is required under the Applicable Law or to protect the legitimate interest of Swedbank.

Sound risk management is required under the Applicable Law which we must comply with so that we are able to provide you with the Services, provide safe banking Services and protect your money from fraudsters. We strive to ensure low risk because it is the basis for building trust and delivering value in the long-term.

For complying with legal obligations in risk management area, we use your Personal Data for the following purposes:

• Assessing and managing the credit risk, liquidity risk, market risk and counterparty risk.
• Risk hedging and fulfilling Swedbank’s capital requirements.
• Preventing incidents with potential impact on our core processes which may affect the Services provided, as well as Personal Data breaches which may affect your privacy.
• Discovering, investigating and reporting potentially suspicious transactions and market abuse.
• Monitoring transactions, including card transactions to detect and prevent fraud and reviewing, diagnosing and responding to detected activity that has been identified as potential fraud cases.
• Monitoring in connection with compliance with the Applicable Law and relevant internal regulations.
• Ensuring business continuity and crisis management.
• Communicating with supervisory and other authorities, including regular mandatory and event-based reporting.
• Cooperating and providing information to external auditors.

For the purposes described in this Section, based on our legal obligation or our legitimate interest, we may Process Personal Data categories such as Identification Data, Contact data, Financial data, Data on trustworthiness and due diligence, Communication and device data, Data obtained while performing a statutory obligation, Professional data, Data about habits, preferences and satisfaction, Family data, Data about relationships with legal entities, Demographic data, Data about Client’s financial experience.

Why we Process Personal Data: we Process Personal Data to manage, maintain, develop, analyse and improve our business, the Services and your user experience, as well as to protect our legitimate interests.

How we Process Personal Data: we need to Process Personal Data when we perform activities like document management and archiving, perform analysis and testing for improving our Services, ensuring security and compliance of IT solutions, comply with legal obligations set forth in the Applicable Law or protect our legitimate interest.

For running our business, we have a legal obligation to maintain accounting records. As a part of this, we Process your Identification data, Account data, Contact data and Demographic data when processing payments and issuing invoices.

Personal Data Processing is also necessary for the activities supporting our core business of providing Services. This includes, for example, document management and archiving, storage of digital information and documents, based on legal obligations or our legitimate interest.

We have a legitimate interest to maintain, develop, examine and improve our business, the Services and your user experience. Your Personal Data is Processed for administering our website and network, including to ensure quality, security and compliance of IT solutions to be deployed. In each case, Personal Data Processing is limited to the actual Processing of Personal Data necessary in the particular case.

We also Process Personal Data for the establishment, exercise or defence of legal claims. When we need to protect our legal rights or a claim has been lodged, the data relevant to the specific case is Processed. Depending on the case, this may also involve sharing data with other Swedbank Group entities in Latvia, supervisory authorities, courts or out-of-court dispute resolution bodies for the settlement of disputes and providers of legal services to us.

For the purposes described in this Section, based on our legal obligation or our legitimate interest, we may Process Personal Data categories such as Identification Data, Contact data, Financial data, Demographic data, Account data.

Why we Process Personal Data: we Process Personal Data of persons related to Corporate Clients for concluding and maintaining agreements, communicating with Corporate Clients, providing Services under the agreement, and ensuring that we comply with the Applicable Law.

For the sake of clarity, the term “Client” also includes all natural persons related to a Corporate Client whose data we Process.

How we Process Personal Data: Personal Data is collected from the Data Subject, from the representatives of and persons affiliated with the Corporate Client and from external sources, as well as regularly updated. Personal Data is disclosed to Recipients in order to conclude and perform the agreements with the Corporate Client and to comply with legal obligations set forth in the Applicable Law.

When you represent a Corporate Client, we Process your Personal Data to conclude and fulfil agreements between that Corporate Client and us. This could be, for example, for communication with the Corporate Client’s representatives and contact persons and keeping information about the legal and authorized representatives up to date. This also ensures that only authorized persons can sign agreements, perform transactions, submit documents, access information or take other necessary actions on behalf of the Corporate Client.

For the purposes described in this Section, the Personal Data categories that we Process include Identification data, Contact data, Professional data, Data about relationships with legal entities, Data about trustworthiness and due diligence, Demographic data, Financial data, Data obtained while performing statutory obligations arising from the Applicable Law, Data about criminal convictions and offences, other Personal Data (if business relationship with the Corporate Client is terminated due to it ceasing to exist, we need to have the fact of the Corporate Client’s status stored in our systems in order not to prevent some activities like communication and reporting).

Why we Process Personal Data: to ensure the security of Swedbank’s visitors, employees, premises and assets; to defend Swedbank’s legal claims and legitimate interests; to detect and prevent unlawful activities.

How we Process Personal Data: for the purpose of conducting video surveillance as part of safety measures, Swedbank uses surveillance cameras at its premises and ATMs. Areas under video surveillance are marked with informative signs that video surveillance is carried out.

The material obtained through Swedbank’s video surveillance – visual images, video recordings and audio recording – contains Personal Data.

Swedbank carries out video surveillance based on legitimate interest to ensure the security of Swedbank's visitors, employees, premises and assets; to defend Swedbank’s legal claims and legitimate interest; to detect and prevent unlawful activities.

Visual images, video and audio recordings containing Personal Data are shared with the Recipient only in certain cases when the recorded material is needed for criminal investigation according to the procedure set forth in Applicable Law, or with a Recipient that maintains and services the video surveillance systems on behalf of Swedbank.

Swedbank uses cookies on its website. The cookies are used as stated in Swedbank’s Cookie Policy available on the website under “Cookies”: https://www.swedbank.lv/about/cookies.

Under the Data Protection Legislation, the Client has certain rights as a Data Subject with regard to Swedbank’s Processing of Personal Data. Those rights are:

• Receive a confirmation if the Client’s Personal Data is Processed by Swedbank and, if so, then access it.
• Require the Client’s Personal Data to be corrected if it is inadequate, incomplete or incorrect.
• Require the erasure of the Client’s Personal Data.
• Restrict the Processing of the Client’s Personal Data.
• Object to the Processing of the Client’s Personal Data if Processing is based on Swedbank’s legitimate interests.
• Object to the Processing of the Client’s Personal Data for marketing purposes.
• Receive the Personal Data that has been provided by the Client and is Processed based on consent or performance of an agreement in a structured, commonly used electronic format and, where feasible, to have such data transmitted to another service provider (the right to data portability).
• Withdraw the consent provided by the Client for the Processing of the Client’s Personal Data.
• Not to be subject to a decision based solely on automated processing, including Profiling, if such decision-making produces legal effects or similarly significantly affects the Client. This right does not apply if the decision-making is necessary in order to enter into or to perform an agreement with the Client, if the decision-making is permitted under the Data Protection Legislation or if the Client has provided their explicit consent.
• Contest a decision based solely on automated Personal Data Processing, express their point of view and ask Swedbank to involve its employee in the process of reviewing the decision.

Swedbank provides its Clients with access to the basic information at Swedbank’s disposal about the Client and to the Client’s Personal Data like Contact data, Identification data, Professional data and other data. Clients can access, check and, if necessary, update their Personal Data on their own on the Internet Banking site under “My data”.

Taking into account that Swedbank Processes a large amount of information and in order to fulfil the Data Subject’s request as accurately as possible, Swedbank may ask the Client to specify the information, Processing activities or timeframe to which the Data Subject’s request relates.

The Client can exercise their Data Subject’s rights by submitting to Swedbank an identified request via Internet Banking or at a branch, or by calling the Consultation Centre, or by sending a request signed with the e-signature via e-mail. An answer to the Data Subject’s request will be provided not later than within one month of receipt of the request; when necessary, this period may be extended by two more months.

The Client may change or update the Personal Data, manage preferences (consent and data Processing permissions) in the Internet Banking and mobile app, at branches or by calling the Consultation Centre.

The right to the protection of Personal Data is not an absolute right and in particular circumstances could be limited, meaning that the Client will be provided with information that Swedbank is authorized to provide to the Data Subject, considering that the right of access may not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting software. In the cases provided in the Applicable Law, Swedbank may also transmit the information to Data Subjects later, restrict the transmission thereof or not transmit it at all, if this may impede or interfere with the prevention, detection or prosecution of offences or the execution of penal measures, infringe on the rights and freedoms of other persons, endanger the national security, endanger public order or hinder the investigation or legal proceedings.

Swedbank, as a subject of the Applicable Law, may be restricted in providing information to the Data Subject regarding the Processing of Personal Data performed within the scope of the Applicable Law, for example in the area of prevention of money laundering and terrorism and proliferation financing, except for the publicly available data.

If the Client considers that the Processing of the Client’s Personal Data violates the Client’s rights and interests under the Data Protection Legislation, the Client can lodge a complaint regarding it. The complaint can be lodged with the Data State Inspectorate or with a supervisory authority in the EU Member State of the Client’s habitual residence or place of work.

The Client may contact Swedbank with any request, withdrawal of consent, inquiries, changes in Personal Data Processing permission, exercise of Data Subject’s rights and complaints regarding the Processing of Personal Data. Contact details of Swedbank are available on the website: www.swedbank.lv.

The Client may contact Swedbank’s appointed Data Protection Officer by sending an e-mail to: dpo@swedbank.lv or sending a letter by post to: Balasta dambis 15, Riga, Latvia, LV-1048, marked for “Data Protection Officer”.

Swedbank reviews and updates these Principles at least once a year or as necessary.

Swedbank notifies of amendments to the Principles on Swedbank’s website.

These Principles have been drafted in Latvian and translated into English and Russian. In the event of any disputes, arguments or claims of linguistic nature or concerning interpretation, the version of these Principles in Latvian will take precedence.

These Principles enter into force on 1 July 2024, and the up-to-date version is available on the website www.swedbank.lv.