Privacy Policy of Nykredit Bank A/S

Nykredit Bank collects personal data about you as a potential customer in the form of contact details and any information about interests and personal circumstances that you provide using our contact forms etc. If you show interest in specific products or services, we will also collect information from you for the purpose of sending you offers, including information about your tax affairs, nationality and civil registration (CPR) number, a copy of your passport or driver's licence, financial information (details of income, debt and personal assets), and information about your occupation and education, your household and family, and the purpose and expected scope of your business with us. If you show interest in one of our investment products, our communications with you may be recorded.

We collect certain information from the Danish Civil Registration System and other publicly available registers and sources. In connection with credit assessments, we may collect information from bad debtor and credit default registers.

The legal basis we rely on to process your personal data is Article 6(1)(b) (necessary for entering into a contract), (c) (compliance with a legal obligation, in particular the Danish Anti-Money Laundering Act ("AML Act") and MiFID and market abuse rules), (e) (performance of a task in the public interest, including creditworthiness assessments) and (f) (our legitimate interest in being able to communicate with you and initiate a customer relationship) of the General Data Protection Regulation ("GDPR"). The legal basis we rely on to process your CPR number is section 11(2)(1) of the Danish Data Protection Act.

We may disclose your data where such disclosure is necessary, for example if you show interest in products that we distribute on behalf of our business partners. Read more about the scenarios in which we disclose personal data about you later in this Policy.

We also collect personal data about persons related to our customers, such as employees of business customers, chargors and guarantors, and other persons who are in contact with us in connection with single services or other matters. The data depends on the specific relationship and may be identification and contact details, CPR number and possibly CVR number, a copy of your passport or driver's licence or other proof of identity, information about your occupation and education, financial information such as details of personal assets, debt and income, and registrations and recordings of our communications with you.

We collect certain information from the Danish Civil Registration System and other publicly available registers and sources. In connection with credit assessments, we may collect information from bad debtor and credit default registers.

The legal basis we rely on to process the above data is Article 6(1)(b) (necessary for performance of a contract), (c) (compliance with a legal obligation, in particular the Danish AML Act, the Danish Credit Agreements Act, the Danish Tax Reporting Act and the Danish Act on Payments) and (f) (our legitimate interest in being able to communicate with you, prevent losses and abuse and run our business) of the GDPR.

When you are a customer of Nykredit Bank, we process personal data about you to be able to manage your banking relationship with us and to offer you our broad range of financial services as well as any related advisory services, customer care, administration, and credit assessment and review. Examples of our services and products:

• payment services
• payment accounts
• loans and credit facilities
• digital banking solutions
• investment services and advice
• pension plans and advice
• car loans and leasing, and
• administration of trust funds by authorised administrator.

The categories of personal data about you that we process depend on your specific customer relationship, but we always process your contact and identification details and your CPR number. In addition, we may process your payment information, information about your personal assets and home, insurance and pension information, and information about purchased and chosen products and services as well as your use of such products and services.

When you use your debit or credit card, we register data such as the card number and the amount, place and time of the transaction, and in connection with payment handling, for example the execution of payment orders, we collect general personal data from points of sale, banks and others for the purpose of completing payments and preparing bank statements, pre-notification statements and the like. Through our provider NETS, we monitor the transactions you make in order to detect and prevent fraud and abuse and may, if specific parameters are met, block your card or stop the transactions. You will always be contacted by NETS or us directly for the purpose of following up and either issuing a new card for you or unblocking the card, or completing the transaction. In connection with the individual product terms, you will receive more detailed information about such processing.

We also process your data if you wish to borrow money; in that case, we will search for any information recorded about you in bad debtor and credit default registers, including international data providers and other publicly available sources, and, subject to your prior consent, by Group companies and business partners.

The legal basis we rely on to process your data is Article 6(1)(b) (enabling us to perform the customer contract we have entered into with you) and (c) (because we are subject to a number of legal obligations as a financial institution) of the GDPR. You can read more about this below. 

The above data can either be obtained directly from you or originate from other sources, including from public registers, other companies of the Nykredit Group and other business partners (such as banks and other correspondents that offer national and international credit and payment handling). We collect the data either on the basis of your consent pursuant to Article 6(1)(a) of the GDPR or where permitted or required by law.  

As a financial institution, we are legally obliged to process certain personal data about you as either a personal customer or a person related to a business customer, for example under the Danish AML Act. In order to comply with our obligations to combat money laundering and terrorist financing, we process your identification and contact details, your CPR number, nationality data, information about your family and other relations (agents, guarantor relations, co-account holders, etc), tax information, information about funds and personal assets, and information about any criminal offences, including from media searches.

The Danish AML Act prescribes that we must have good knowledge of our customers and their business with us, and for this purpose we carry out a number of customer due diligence procedures when onboarding customers and on a regular basis during the customer relationship.

This entails that we must obtain proof of and check your identity, and you are therefore obliged to provide proof of your name and CPR number using, for example, your MitID login through our digital services, your passport, your driver's licence or other official document, such as your national health insurance card. If you are a business customer, we will collect information about the ownership and control structure of your business and about its beneficial owners. This means that if you are a beneficial owner of, agent of, or member of the management of, a business customer, we will collect proof of and check your identity in the same way as for personal customers.

We also need to know the purpose and intended nature of your relationship with us, ie how you use your Nykredit products. This means that information must also be collected about the origination of your funds and personal assets. We may also collect information about you from international data providers and other publicly available sources, eg through internet searches, for example if you have an ownership interest in a business, or you are a politically exposed person or a close relative of a politically exposed person, when such collection is justified by a risk assessment and is in accordance with the guidelines of the Danish FSA. We may also receive information from other companies of the Nykredit Group when the Danish Money Laundering Secretariat of the National Special Crime Unit receives reports under the AML legislation, and to the extent permitted by law.

Personal data collected solely to comply with the rules of the Danish AML Act is only used for the prevention of money laundering and terrorist financing.

Our legal basis for the above processing is Article 6(1)(c) (legal obligation) of the GDPR and sections 11(2)(1) (regarding CPR numbers) and 8(3) (regarding information about criminal offences) of the Danish Data Protection Act. Processing may also be necessary for us to pursue a legitimate interest, see Article 6(1)(f) of the GDPR, as we have an interest in, for instance, the prevention and solution of crime.

In some cases, it may be necessary to process sensitive personal data, including information about political opinions or religious or philosophical beliefs, in connection with our customer due diligence processes, if the information is relevant to the specific check. In such cases, processing will be based on Article 9(2)(g) of the GDPR.

We also process personal data about you to comply with other legal obligations, including in relation to tax and financial matters. For example, we process your CPR number and data relating to your financial and tax affairs, including tax assessment notices, financial statements and budgets, your use of Nykredit products and services, including payments, trades etc, for the purpose of statutory registration and reporting to tax and financial authorities at national and European level. If you reside abroad, we also need information about your home country and foreign tax identification number. 

Our legal basis for the above processing is Article 6(1)(c) (legal obligation) of the GDPR and section 11(2)(1) (CPR numbers) of the Danish Data Protection Act, as we are subject to a number of obligations under, for example, the Danish Tax Control Act, the Danish Tax Reporting Act, the Danish Credit Agreements Act, the Danish Financial Business Act, the Danish Act on Payments, the Danish Act on Consumer Loan Businesses, the Danish Capital Markets Act, the Markets in Financial Instruments Regulation, the Market Abuse Regulation, the Capital Requirements Regulation and the Markets in Financial Instruments Directives. 

We process your personal data for the purpose of optimising our internal processes, products and services, including for statistical purposes, system testing and AI solution training. This is to ensure that we operate and develop our business to be able to offer our customers and business partners the best solutions. The data may therefore originate from the various purposes for which we process data, as described in this Privacy Policy in general. By way of a few concrete examples, we use AI as a supporting tool to present data to our analysts to help them in their research, and we use AI to assist our customer advisers in preparing minutes after customer meetings.

The legal basis we rely on to process your data is mainly our legitimate interest in being able to operate and develop our business in the best possible way, see Article 6(1)(f) of the GDPR. In some cases, as described above, processing is considered necessary for the performance of a task in the public interest that we are required by law to perform, see Article 6(1)(e) of the GDPR, in particular for the purpose of complying with our obligations in connection with credit assessments of businesses, see section 4(2) of the Danish Executive Order on Management and Control of Banks.

We record or transcribe our conversations with you – whether by phone or digitally – for a variety of purposes. We transcribe conversations to improve the customer experience and to be able to document what we have discussed and agreed. We record conversations for the purpose of training our employees if you have given your consent. Also, we record and keep records of all conversations and electronic communications that will or may result in a securities trade because we are under an obligation to do so.

The legal basis we rely on to process your data in relation to securities trading is Article 6(1)(c) of the GDPR to comply with a legal obligation, including Article 16(7) of the MiFID II Directive and Article 16(2) of the Market Abuse Regulation. When we transcribe conversations for the purpose of training our employees, it is based on your consent pursuant to Article 6(1)(a) of the GDPR, and when we transcribe or record conversations to improve the customer experience and for documentation purposes, Nykredit has a legitimate interest in the data processing, see Article 6(1)(f) of the GDPR.

You can read more about our transcription or recording of conversations, including how long we keep the recordings, at www.nykredit.dk/samtaler 

We use television surveillance around our office buildings, at entrance doors of buildings, in reception and customer service areas and at ATMs and cashiers desks etc for the purpose of preventing and solving crime and providing security. We have television surveillance at Nykredit's headquarters at Sundkrogsgade 25, DK-2150 Nordhavn, Copenhagen, as well as at all our centres across the country.

Our use of television surveillance is in accordance with the Danish Act on Television Surveillance and in pursuance of Article 6(1)(f) of the GDPR, as we have a legitimate interest in monitoring and protecting our physical premises and managing any accidents. Where television surveillance recordings show criminal offences, processing will be based on section 8(3) of the Danish Data Protection Act, as we have a legitimate interest in the prevention and solution of crime.

If you are employed by or related to one of our business partners, suppliers or other third parties, we will process information about your name, position and contact details. Depending on the relationship, we may also process data from communications with you in connection with our general business operations and development or a specific case, from interviews or conversations with you etc, depending on the specific circumstances. For example, you could be employed by a partner bank, and we could be communicating with you about customers or products as part of the operation and development of our business.

The legal basis we rely on to process your data is Article 6(1)(f) of the GDPR, as we have a legitimate interest in communicating with you for the above purposes.

We may process personal data about you for marketing purposes, including to send targeted marketing of our products and services to you. For example, when you sign up for our newsletter, we process your contact details, information about the areas of interest you wish to receive news about, and subsequently we process information about your interaction with the content of newsletters, including whether you open the newsletter and what you click on. This interaction will be considered in the editorial work to ensure quality and relevance. We also process your contact details when you participate in events, competitions and the like.

Moreover, we use personal data for profiling and data modelling to be able to offer you services and products that meet your preferences.

Where you have given us your consent, we will personalise our marketing of products and services to you and contact you via the channels you have consented to. This personalisation is based on information about your banking relationship with us, including information about your products and services and your use of Nykredit's digital services. The data will be collected via cookies/pixels in Nykredit's newsletters and on Nykredit's websites, if you have given separate consent for this. Personalisation can also be based on publicly available information from authorities and registers. Personal data may be contact details, information about your household, gender, age, accounts, loans and credit facilities, home, pension, car, investments, payment cards, insurance, financial circumstances, and clicks, views or search behaviour.

The legal basis we rely on to process your data is your consent pursuant to Article 6(1)(a) of the GDPR and marketing law rules on consent.

When we market via banners and advertisements on Nykredit's and our business partners' websites, such as social and news media, processing is based on your consent pursuant to Article 6(1)(a) of the GDPR, which you can read more about under "Cookies" below.

When you sign up for our events, participate in competitions, respond to satisfaction surveys or the like, we process your contact details as well as the information necessary in the context, for example information about your meal preferences and submitted responses. This type of processing will take place on the basis of our legitimate interest under Article 6(1)(f) of the GDPR in being able to communicate with you and carry out our marketing activities.

You have the right to object to our direct marketing; read more about this below under "Your rights".