GDPR – what is it?
The GDPR or General Data Protection Regulation is the name of the regulation on the protection of private individuals with regard to the processing of personal data and on the free flow of such data (hereinafter “GDPR”).
The GDPR aims to protect the privacy of private individuals in the European Union (EU) as well as harmonise the laws of the European countries. The European Parliament adopted the Regulation on 27 April 2016.
The GDPR does not prohibit receiving and processing personal data, but defines the principles for the processing, storage and deletion of data.
The GDPR requirements apply to all companies, institutions, and organisations that process personal data. The requirements must be met not only by banks, but also by insurance companies, medical institutions, retailers and others.
Yes, generally, the Regulation only applies to and refers to personal data. However, the data of legal entities may include personal data, for example, information about shareholders, management board members, etc. If a single shareholder owns a company, the data on that company may also apply to the shareholder as an individual.
We already follow the data security and protection requirements; therefore, the GDPR will not change our relationship with customers significantly. The Regulation specifies the options for the customer to control the use of their data.
In the interests of customers, SEB has been reviewing applications for services and agreements to make sure that the collection and processing of personal data has an appropriate reason and that in certain cases the customer’s consent has been obtained.
Data processing at the bank
Personal data include all information (written, audio, video, electronic, biometric) about the relevant individual, i.e., their date of birth, telephone number, postal and email addresses, photos, as well as any other information that helps to identify that individual.
In a broader sense, personal data may also include information that relates to the individual indirectly. For example, an individual’s birth data, phone, and address identify that individual directly, whereas the real estate register with the Land Registry or the GPS system in a car which shows the coordinates of movement enable that individual to be identified indirectly.
SEB processes data only for specific purposes and the data are not stored for longer than necessary. SEB maintains the data that is necessary for providing the services selected by the customer, and SEB is able to deliver it to the customer.
SEB processes customer data in one or more of the cases mentioned below:
- for signing and executing the agreement;
- required by the law;
- for pursuing legitimate (lawful) interests;
- the consent has been obtained from the customer.
SEB uses the data for content and marketing campaigns, lotteries, commercial information, and similar activities only with the customer’s consent.
More detailed information on the processing of customer data is described in agreements for services, other documents related to services, and on SEB’s website www.seb.lv.
SEB processes customer data only for as long as needed for a particular purpose to perform its liabilities towards the customers and comply with the legal data processing requirements. For example, we store data on the customer until the expiry of their agreement. To protect SEB's legitimate interests, we may store the data for ten (10) years after termination of the agreement. The law may require SEB to store the data for a specific term.
SEB may share customer data only in the cases set in the laws (credit institutions must also comply with requirements of the Credit Institutions Law on data protection and transfer):
- If the data are required by a public authority (for example, SEB may share the data with a public authority only in the cases prescribed in Section 63 of the Credit Institutions Law).
- If that is necessary for providing the relevant service (performance of the agreement). In this case, two categories can be identified:
1. the data receivers authorised by SEB, i.e., the companies that process the data on behalf of SEB. In such cases, SEB shall take the necessary measures to ensure that the authorised data receivers carry out the customer data processing according to the guidance received from SEB, comply with the required security and confidentiality requirements, as well as act in accordance with the legal requirements.
- SEB Group companies for ensuring the provision of services by SEB
- For invoice management and storage
- For ensuring archiving
- For communication with customers
- For making payment cards
- For carrying out online surveys
- For ensuring card payments
- For preparation of insurance proposals
- For the assessment of credit liabilities
- For ensuring video advice
- For providing reinsurance
2. other service providers unrelated to SEB (e.g., providers of services or other credit institutions, to which data are transferred to execute the customer's payment, or merchants, in cases where customers log in through SEB Internet Bank to receive the service from the merchant).