The Norwegian Personal Data Act imposes certain obligations on Kommunalbanken
KBN (org. number: 981203267) is subject to the Norwegian Personal Data Act and the EU’s General Data Protection Regulation (2016/679) in respect of its processing of personal data.
Personal data means information that can be related directly or indirectly to an identifiable person. Examples of such information include an individual’s address, national identification number, email address, photograph and specific behavioural patterns, as well as special categories of personal data.
KBN as the data controller provides below general information on the processing of personal data.
2. Purpose for which personal data is processed
KBN’s processing of personal data is primarily for customer management purposes. We record information about customers, parties authorised to sign on behalf of customers and other persons associated with customers when we enter into an agreement and on a continual basis.
KBN also processes personal data to the extent required or permitted by legislation or where the person concerned has given his/her consent.
In addition to the above, KBN processes personal data for the following purposes:
- Customer follow up and marketing
- Risk classification in relation to customers and lending portfolios
- Preventing and uncovering criminal offences
- Visitor lists
- Physical security: cameras at street level and in KBN’s premises
- Processing applications to work at KBN
3. Personal data processed by KBN
The personal data, cf. section 2, that KBN records in order to manage its contractual relationships is primarily received directly from customers. This type of personal data is contact information, national identification numbers and copies of ID documents. When collecting data from third parties (for example from banks/financial institutions or credit rating agencies), the customer will be notified unless KBN is required to collect the data by legislation, it is impossible or disproportionately difficult for KBN to provide such notification, or it is clear that the customer is already aware of the information of which it would be notified.
If KBN wishes to collect data from a customer that it does not require in order to attend to its contractual relationship with the customer, KBN will first inform the customer what any such data would be used for (i.e. the purpose for which the data would be processed) and that the customer does not have to provide such data.
KBN also keeps personal data for a period even if KBN declines to enter into an agreement with a customer. The purpose of this is to ensure KBN is able to inform the person concerned/the customer of KBN’s decision and can provide evidence of the matter subsequently if so required.
4. Risk classification of customers
KBN processes credit data and other personal data in connection with entering into an agreement with a customer in accordance with the rules set out in the Norwegian Financial Institutions Act and in order to be able to perform its agreement with the customer.
5. Preventing and uncovering criminal offences - Money laundering notices
KBN processes personal data for the purpose of preventing, uncovering, resolving and managing fraud and other criminal offences. Data may be gathered from and distributed to other banks and financial institutions, the police and other public authorities.
KBN processes personal data in order to fulfil its duty to investigate and report suspicious transactions in accordance with the Norwegian Money Laundering Act. KBN is required to report suspicious information and transactions to the Financial Intelligence Unit of ØKOKRIM (the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime).
Pursuant to Section 16, paragraphs b and f, of the Norwegian Personal Data Act, the customer does not have the right to access any information KBN has recorded for the purposes set out in this section.
6. Customer follow up and marketing
KBN sends out newsletters about nine times a year. In order for KBN to be able to send you emails, you need to register your email address. Your email address will be stored in a separate database, will not be shared with other parties, and will be deleted if you choose to unsubscribe. Your email address will also be deleted if we receive a return message stating that the address is not active. You can specify whether you represent an organisation, are a private individual, a journalist or other. This enables us to send you information relevant to you.
7. Visitor list
A register is kept of all visitors to KBN’s premises. This register records visitors’ names, telephone numbers and the organisation they represent. The register exists to record who is in KBN’s premises at any time, both for security purposes and in case the premises have to be evacuated. The list is stored for a maximum of 2 weeks after a visit.
8. Door buzzer and entrance door cameras
There is a camera at the entrance to KBN’s offices at street level that is activated when the entry buzzer is pressed. Images from the camera are displayed in real time and cannot be recorded. A camera that does record footage is located in KBN’s premises, with the footage deleted after three weeks. This camera has been installed for security purposes.
9. Applicants for employment at KBN
KBN may receive and store personal data in connection with both job advertisements and other employment enquiries. We have a legitimate interest in storing such data about you in connection with your application. KBN will delete data about applicants once the process has ended, unless the applicant and KBN agree otherwise.
10. Use of processors
KBN uses data processors to collect, store and otherwise process data on its behalf. In such instances, we enter into an agreement with the data processor to ensure that data is processed in accordance with our privacy rules and our personal data processing requirements. KBN’s use of data processors shall not be regarded as constituting the disclosure of personal data. Information on our data processors can be obtained by contacting the Compliance Department at Compliance@kommunalbanken.no using the subject “Request for information on data processors”.
12. Right to access data and to have data corrected and deleted
Individuals can request access to the personal data held about them, a description of the type of data that is processed and further information about KBN’s processing of personal data by submitting a written and signed enquiry to KBN.
KBN will delete or anonymise registered personal data once the purpose for which it was processed has been fulfilled, unless the information has to be or can be stored for longer pursuant to legislation. Subject to the limits set out in the Norwegian Personal Data Act, the customer can request that incorrect or unnecessary personal data regarding it be corrected or deleted. Valid identification must be provided when requesting access to and/or deletion of personal data. All requests must be addressed to Compliance by emailing Compliance@kommunalbanken.no using the subject “Request for personal data”.
Personal data recorded by KBN will be disclosed to public authorities and other third parties in the event that KBN is subject to a statutory duty of disclosure or another party has a right to disclosure.
If you have a question about how KBN processes your personal data, please see the section “Right to access data and to have data corrected and deleted” above. If you have a complaint about KBN’s processing of your personal data, this can be addressed to the Norwegian Data Protection Authority (Datatilsynet). More information is available on www.datatilsynet.no.
Changes to our services or to the rules regarding the processing of personal data may result in updates or changes to the information provided to you in this document. Up-to-date information on such matters will always be easily accessible on our website.