Skip to main content
This webpage does not support Internet Explorer anymore. We recommend changing browser, to increase your online safety. Read more on Microsoft's webpages

Data protection at KBN

KBN as data controller provides below general information on how we process personal data, as well as on the rights you have and how they can be exercised.

Last updated: November 2023

1. Your rights in relation to KBN when we process personal data about you

The right to access your data

You can request access to the personal data held about you and information on how the data we have about you is processed by submitting a written enquiry to KBN. There are some exceptions to this. This is typically the case where we have a statutory duty of confidentiality, or where we must keep the information confidential in the interests of the prevention, investigation or legal prosecution of criminal offences. If KBN cannot grant your request for access, you will be informed of this in writing together with a justification for the refusal.

The right to have your data corrected

If you think that we are processing data about you that is inaccurate or misleading, you can request that we correct or supplement it with additional information. You must be able to show that the data is inaccurate and to tell us what is correct. Once we receive such a request, we will ensure that we correct the inaccurate personal data as quickly as possible, normally within one month at the latest.

Erasure

If we process personal data about you, you have, in certain circumstances, the right to request that your data is erased.

You can ask to have your personal data erased if one of the following conditions is met:

  • You withdraw your consent for the processing.
  • You have objected to the processing of the data that you have asked to be erased, and your objection is upheld. More information is provided in the text below on the right to object to processing.
  • The data that you are asking to have erased has been processed unlawfully.
  • The data needs to be erased for compliance with a legal obligation to which we are subject.

In many instances, we will have to continue to store data on you, even if you request erasure. This applies both during the time you have a relationship with KBN and for a time after any agreement and your relationship have come to an end. In practical terms, this means that as a rule you cannot request that your data is erased when we have a legal obligation to store the data or where we require the data in order to attend to our legitimate interests or, similarly, to establish, pursue or defend a legal claim.

KBN will delete or anonymise personal data once the purpose for which it was processed has been fulfilled, unless the information has to be or can be stored for longer pursuant to legislation. Subject to the limits set out in the Norwegian Personal Data Act, customers can request that inaccurate or unnecessary personal data regarding them be corrected or deleted.

Restriction of processing

You can ask us to restrict the way in which we process your personal data, which involves your personal data ceasing to be used actively. This often takes place in combination with the exercising of other rights, such as the processing of your data being restricted while we consider a request for erasure or correction.

The right to object

The right to object gives you the possibility, in certain instances, to ask that we cease using your personal data.

Requests

All requests must be sent to Compliance at Compliance@kbn.com with the subject ‘Personal data request’. A signed copy of KBN’s form “Exercising Your Rights as a Data Subject” can be used.

We will respond as quickly as possible, and normally no later than within 30 days. KBN will require all individuals submitting a request to exercise a data subject's rights to submit proof of their identity.

Form: Exercising Your Rights as a Data Subject (PDF)

2. Types of personal data that are processed by KBN


Depending on the nature of your relationship with KBN, we process the following types of personal data:

  • Identification information: full name, date of birth, a copy of your passport, citizenship, sex, age
  • Contact data: name, address, telephone number, email address
  • Relationship data: number of children, marital status, data on close associates, data on next of kin, line manager, department, role, conflict of interest
  • Pictures, videos and sound recordings
  • Digital behavioural data: the type of digital device you have (e.g. PC, tablet, mobile) and its technical ID, clicks, logins and how your digital device connected to KBN.com, your browser type and operating system
  • Financial data: your employment status (salary, any payroll deductions required by the public authorities, the percentage of full-time hours you work), credit data, account numbers, tax deduction card
  • Expertise and experience: education, transcript of grades, school/college leaving certificate, references, appointments
  • Special categories of personal data: trade union membership, police certificates, sick leave, political opinions

3. Why does KBN process personal data?

a. Customer follow up


How we process personal data

The personal data that KBN records in order to manage its customer relationships is primarily received directly from customers. In the event that KBN obtains data from third parties (e.g. from other banks/financial institutions or credit reference agencies), the customer will be informed, unless KBN is required by law to obtain the data, or notifying the customer is impossible or disproportionately difficult, or it is clear that KBN would be notifying the customer of information of which it was already aware.

Why we process the personal data and the legal basis for the processing

  • KBN processes credit data and other personal data in connection with the establishment of lending agreements. Its legal basis for this is so that it can comply with the rules in the Norwegian Financial Contracts Act and so that it can perform its agreement with the customer.
  • KBN sends out newsletters. The legal basis for this is consent.
  • KBN will receive and process personal data in connection with conferences. The legal basis for this is consent.
  • KBN uses pictures and videos of customers. The legal basis for this is consent.

How long we store the personal data for

Information about any person who signs a master agreement with KBN is stored for the entire duration of the agreement. Information on other contact persons is updated on a continual basis, and is deleted once it ceases to be relevant. Contact data provided with consent is stored until the consent is revoked.

What types of personal data do we process?

  • Identification information
  • Contact data
  • Images
  • Videos

b. Prevention and detection of money laundering and terrorist financing

How we process personal data

KBN processes personal data for the purpose of detecting circumstances that may indicate money laundering or terrorist financing. Such data may be obtained from and provided to other banks and financial institutions, the police and other public authorities. KBN is required to report suspicious data and transactions to the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim).

Why we process the personal data and the legal basis for the processing

KBN processes personal data to comply with the rules regarding anti-money laundering and terrorist financing in customer relationships. Under the Norwegian Personal Data Act, customers do not have the right to access data that KBN has recorded for such purposes.

How long we store the personal data for

In accordance with the rules in the Norwegian Anti-Money Laundering Act, we are generally required to store the data that we process for five years after the end of the customer relationship, or for five years after the final transaction is completed. If a customer relationship or transaction was subject to enhanced customer monitoring at the time it ended or completed, the storage period is ten years.

What types of personal data do we process?

  • Identification information
  • Contact data
  • Relationship data
  • Financial data

c. IT security

How we process personal data

Security at KBN is primarily a question of protecting KBN’s information assets from intentional and unintentional incidents. In order to reduce this risk, a range of security measures and security systems have been implemented. We process personal data to achieve this purpose.

Why we process the personal data and the legal basis for the processing

The purpose of this type of processing is the prevention, detection and management of IT security incidents at KBN.

How long we store the personal data for

Backups are stored for up to 12 months.

What types of personal data do we process?

  • Identification information
  • Digital behaviour data

d. PHYSICAL SECURITY – VISITOR LIST


How we process personal data

Visitors to KBN’s premises register their name, company, mobile number and email address in a visitor registration system.

Why we process the personal data and the legal basis for the processing

KBN has a legitimate interest in logging visitors to KBN’s premises in the interests of security. KBN also needs to have a list of who is in its premises at any time, including in connection with any evacuation of its premises.

How long we store the personal data for

The contact data is as a rule stored for seven days after the visit.

What types of personal data do we process?

  • Contact data

e. Physical security – camera surveillance


How we process personal data

The owner of the building (the landlord) in which KBN’s commercial premises are located uses camera surveillance for security purposes at its entrances.

Why we process the personal data and the legal basis for the processing

The purpose of the processing is to prevent and detect criminal offences by means of the landlord monitoring the property that KBN leases. The landlord has a legitimate interest in conducting this processing in the interests of security.

How long we store the personal data for

Recordings are deleted seven days after they are made.

What types of personal data do we process?

  • Images
  • Video

f. SUPPLIERS AND COUNTERPARTIES


How we process personal data

  • KBN records all agreements into which it enters in a central register of agreements for the purpose of supplier follow up and contractual relationship management.
  • KBN continually updates its contact data for external collaboration partners, and this information is used to invite them to events.
  • KBN maintains contact data for external suppliers for use in tender processes.

Why we process the personal data and the legal basis for the processing

In order to ensure we monitor and manage the agreements into which KBN enters in a proper manner, contact data for suppliers and financial counterparties is recorded. The legal basis for this processing is the individual agreement that KBN enters into. KBN has a legitimate interest in maintaining other contact data in order for it to ensure it effectively monitors suppliers and financial counterparties.

How long we store the personal data for

Agreements are stored for ten years after the end of the agreement. CVs are deleted one year from the end of the agreement. Other contact data is updated on a continual basis.

What types of personal data do we process?

  • Contact data

g. Recruitment and advertising of pieces of work


How we process personal data

KBN receives and stores personal data in connection with recruitment processes and its advertising of pieces of work (consulting services). Background checks, which include credit checks, are carried out for all positions of employment at KBN.

Why we process the personal data and the legal basis for the processing

KBN processes the personal data to ensure that candidates that KBN is considering employing or awarding a piece of work to are identified, have the right qualifications and are suitable for the position. KBN has a legitimate interest in ensuring that only candidates with orderly personal financial situations are given access to KBN’s information assets.

How long we store the personal data for

KBN deletes data on candidates (who are not appointed) once the recruitment or advertising process has finished, unless the applicant and KBN agree otherwise.

What types of personal data do we process?

  • Identification information
  • Contact data
  • Relationship data
  • Financial data
  • Special categories of personal data – police certificates for some positions

h. Monitoring of employees, next of kin, hired-in workers, employee representatives and close associates


How we process personal data

  • KBN maintains personnel folders containing personal data on employees and their next of kin. A time reporting system is used so that employees can recorder their hours and leave from work and submit notices of sick leave.
  • KBN maintains folders with personal data on employee representatives and their close associates.
  • KBN maintains and publishes lists of insiders and their close associates.
  • KBN carries out suitability assessments of its Board of Directors and management team.

Why we process the personal data and the legal basis for the processing

  • KBN processes personal data on employees, their next of kin, and hired-in workers so that it can administer individuals’ employment relationships and carry out the rights and obligations imposed by the public authorities.
  • KBN processes the contact data of employee representatives and their close associates in order to implement decisions made by the general meeting.
  • KBN publishes insider lists in order to fulfil its legal obligations.
  • KBN carries out suitability assessments in order to fulfil its legal obligations.

How long we store the personal data for

  • Contact data for employees is stored during their period of employment.
  • Contact data for employee representatives and their close associates is stored until they cease to hold the position.
  • Lists of insiders and their close associates are stored for five years after they are produced or last updated.
  • Suitability assessments are stored for five years after the end of the appointment/position.

What types of personal data do we process?

  • Identification information
  • Contact data
  • Relationship data
  • Digital behavioural data
  • Financial data
  • Special categories of personal data

i. AUDIT

How we process personal data

KBN uses external audit services (for external and internal auditing) and, in order for the audit work to be carried out, the audit materials requested by such external parties will in certain instances also contain personal data.

Why we process the personal data and the legal basis for the processing

The purpose of the processing of the personal data is so that KBN can exercise proper management and control. The legal basis is that internal audits are a legal requirement in accordance with the Norwegian Financial Institutions Act.

How long we store the personal data for

The data will be stored for as long as KBN exists.

What types of personal data do we process?

  • Contact data
  • Financial data

j. Use of cookies

KBN uses cookies on www.kbn.com.

The information that applies at any given time to KBN’s use of cookies can be found on our website (www.kbn.com) in the ‘Terms and Conditions’ section.

4. Who do we share personal data with?


a. Third parties

Personal data recorded by KBN will be disclosed to public authorities and other external parties in the event that KBN is subject to a statutory duty of disclosure or another party has a right to be provided with the data.

b. Data processors

KBN uses data processors to collect, store and otherwise process personal data on its behalf. In such instances, we enter into an agreement with the data processor to ensure that the data is processed in accordance with our privacy rules and our personal data processing requirements.

c. The transfer of personal data to states outside the EU/EEA

In some instances, we transfer personal data to institutions in states outside the EU/EEA. This can, for example, happen in connection with know-your-customer (KYC) processes from our suppliers of financial services. In order for KBN to be able to transfer personal data to states outside the EU/EEA, there must be a valid basis for the transfer pursuant to GDPR.

One of the following conditions must also be met:

  • There must be an adequacy decision or similar agreement from the EU Commission for the state concerned.
  • Other appropriate security measures have been taken, and/or the third party has provided sufficient guarantees that the personal data will be processed in a secure manner. This could, for example, consist of using the EU’s Standard Contractual Clauses (SCCs), an agreement that is approved by the EU Commission.