Data Protection Privacy Statement, S-Bank Ltd

1. Data controller / data controller’s contact information

S-Bank Ltd

Postal address: S-Bank Ltd
P.O. Box 77
FI-00088 S-RYHMÄ

Visiting address: Fleminginkatu 34, FI-00510 HELSINKI.

 

2. Contact information for Data Protection Officer

S Bank Group, Data Protection Officer

Postal address: S-Bank Ltd
P.O. Box 77
FI-00088 S-RYHMÄ

Email: tietosuojavastaava@s-pankki.fi

 

3. Name of register

S-Bank Ltd.’s customer register

The purpose of the register is to provide and maintain the services of S-Bank and companies belonging to the S-Bank group.

 

4. Purposes of, and legal basis for, the processing of personal data

Banking operations require the processing of personal data. Our customer register operations include the processing of personal data necessary for account, credit and investment services. The data subjects of the register include customers, potential customers and trustees. A data subject can be a private person or an organisation, including a person who operates a business.

Purposes of personal data

  • customer service, management and development of customer relationships, including customer communication
  • handling of obligations stemming from legal mandates, and from orders and instructions issued by public authorities
  • provision, development and quality assurance of services
  • development of business operations
  • tracking and analysis of the use of products and services, and segmentation of customers, in order for the data controller to be able to provide users, for example, with personalised content in products and services
  • opinion polls and market research
  • direct marketing
  • targeting of advertisements and marketing
  • risk management
  • assurance of the safety of services and investigation of malpractice
  • training purposes

 

Automated decision-making and profiling

The processing of personal data that is in the scope of our register includes automated decision-making. If such decision-making is included in a product or service you have acquired, we will inform you thereof at the time when you buy the product or service. If we make a decision in a completely automated process, you may request us to check it and also to make the decision manually.

The processing of personal data that is in the scope of the register includes profiling. “Profiling” means the automatic processing of personal data in which an assessment is made, using personal data, of certain personal features of the data subject. Within our register, we apply automated decision-making to, for example, credit decisions that involve profiling to assess the applicant's creditworthiness. We also carry out profiling, for instance, whereupon we assess your tolerance of risk in connection with investment advice services or form a target market appropriate for you on the basis of your investor profile. As a data controller offering credit and investment advisory services, we  have a statutory obligation to perform such an assessment.

Crime prevention

We can use descriptive data about you, as well as your other personal data, to prevent, expose and investigate money laundering and terrorist financing. The data can also be used towards mounting a formal investigation of money laundering or terrorist financing and of crimes whereby the property or funds that were the object of the money laundering or terrorism funding were acquired.

We can use your personal data for investigating whether you are subject to international sanctions we comply with. You will obtain additional information on compliance with sanctions from the terms and conditions of products or services you generally acquire in S-Bank.

We may process personal data concerning crimes or suspected crimes that are immediately targeted toward the credit institution operations if such processing is unavoidable in order to prevent and investigate such crimes.

Legal bases for processing

There are various legal bases for processing your personal data.

You can find the legal bases for our processing of your personal data below, as well as examples of how the data is processed.

Legal basis

Example

Measures that precede entering into a contractual relationship or agreement

Measures that are based on an agreement, such as agreements on account, credit and investment services, or on entering into one.

Legally-mandated obligation

Legislation preventing, for example, money laundering and terrorist financing, and tax legislation.

 

Sector-specific legislation, such as the Act on Credit Institutions and the Act on Investment Services.

 

Legal basis

Example

Legitimate interests of the data controller or a third party

Marketing activities, and the development of processes, business and systems, require the processing of personal data. Personal data is processed as part of marketing, product and customer analyses. This way, we can improve our product selection and optimise the services offered to you. This may also involve profiling (see the paragraph on profiling). Legitimate interests of the data controller are normally based on a customer relationship, or an equivalent relationship, between the data controller (us) and the data subject (you). As the data controller, we ensure that the processing mentioned here is proportionate in view of your interests, and that this processing meets your reasonable expectations.

Consent

Direct electronic marketing is generally based on your consent.

 

 

5. Personal data categories

The personal data processed for the purpose of the register is divided into categories. You can find the personal data categories we process and descriptions of their data content below.

 

Personal data category

Data content of the category

Basic data

We collect these data from everyone:

- name - address - phone number - email address - taxation data

We collect these data from private individuals:

 - personal identity code - gender - place of birth - place of residence - citizenship - job title / profession - level of education - legal status

We collect these data from institutional customers:

 - identifying data for individuals acting on behalf of institutions and information about their connection with the institution

Descriptive data

Data that identifies and classifies your customer relationship, such as data on your membership in a customer-owner household, and your investor profile data.

Customer relationship data

Consents and prohibitions given by you for the processing of personal data

 

Personal data category

Data content of the category

Agreement and product details

Information on agreements between the data controller (us) and the data subject (you) and data on the products and services you have acquired.

Customer transaction data

Tasks and events related to the management of the customer relationship.

Background data

For example, data concerning your life situation and financial position.

Content of recordings and messages

Recordings and messages in various forms, where you, as the data subject, are one of the parties (for example, telephone call recordings and e-mails).

 

Personal data categories that pertain to potential customers

The data content to be processed is defined on the basis of, among other things, the category of potential customers. A potential customer relationship typically forms when you apply for a loan from us, but are not yet our customer and we have not yet entered into a loan agreement with you.

The data content we typically process can be found below.

 

Personal data category

Data content of the category

Basic data

Your name, personal identity code and contact information, such as street address, phone number and email address.

Customer relationship data

Data that identifies your customer relationship, such as the date on which the customer relationship began, and the nature of the relationship.

Agreement and product details

Data concerning offers we have made to you

Customer transaction data

Tasks and events related to the management of the customer relationship.

Background data

For example, data concerning your life situation and financial position.

Behavioural data (also collected through cookies and similar technologies)

Tracking of your web behaviour and service use, e.g. through cookies. Data collected could include a page you have browsed, the model of your device, your unique device ID and/or cookie ID, the channel involved (e.g. an app, mobile browser or other type of browser), browser version, IP address, session ID, time and duration of session, your screen resolution, and operating system.

Recordings and their content

Recordings of telephone calls that you are a party to.

Technical identifying data

An ID assigned by the device or application whereby you can be identified, using additional information if necessary

 

6. Personal data recipients and recipient categories

We may disclose your personal data to the authorities, such as the Financial Supervisory Authority of Finland and the Finnish Tax Administration, in instances where this is legally mandated. Among the material we disclose to the Tax Administration are our customers’ annual tax declarations.

The disclosure of personal data refers to a situation in which we disclose your personal data for the independent use of another data controller. Your data may be disclosed:

  • within the boundaries of legislation, between companies belonging to the financing and insurance consortium formed by the S Bank Group, S-Bank and LocalTapiola, and to an organisation belonging to the same financial consortium, for the purpose of customer service, customer relationship management or marketing; 
  • to cooperatives serving as agents to S-Bank and other enterprises belonging to the S Group, for example, for the payment of bonuses;
  • to authorities (such as taxation and police authorities and bailiffs) to meet statutory obligations;
  • to insurance companies, when S-Bank is serving as the insurance company's agent;
  • to the joint registers of banks and insurance companies to prevent crime against banks and insurance companies; and
  • to parties outside the S-Bank Group, for example, with your consent or when we offer a product or service in cooperation with our partner.

7. Transfer of personal data

We use subcontractors for data processing and data is transferred, to a limited extent, outside the European Union and the European Economic Area. When data is transferred to third countries, we use standard contractual clauses issued by the EU Commission or another transfer mechanism approved by legislation.

Some of the subcontractors we use are other organisations within the S Group. Among other things, they provide us with IT and other support services.

 

8. Personal data retention time, or criteria for determining retention time

We process your personal data throughout the validity period of the relevant contractual relationship. Once the contractual relationship ends, the data will be deleted or anonymised after 10 years, in accordance with our deletion procedures. Personal data of potential customers is deleted or anonymised no later than two years from the last time of contact, or from the time that the potential customer relationship was first established.

After the contractual relationship ends, we may process personal data for direct marketing purposes, in accordance with applicable legislation.

 

9. Sources and updating of personal data

We collect your personal data mostly from you. We can collect data when you use certain services of ours (such as online services). We can also obtain your personal data from your other representatives, within the framework provided by legislation.

In addition, we can collect and update, within the framework of what is permitted by legislation, your personal data from registers of third parties, such as the Population Register Centre, the Trade Register and other registers of public authorities, and also from data controllers of credit data.

We may obtain necessary information on your political influence and for determining whether you are subject to international sanctions from third parties maintaining databases on these subjects.

 

10. Rights of the data subject

You have the right to obtain our confirmation as to whether your personal data is being processed or not. If we process your personal data, you have the right to receive a copy of such data. We are entitled to charge a reasonable administrative fee for additional copies requested by you.

If you make a request electronically, and have not requested any other delivery format, the data will be delivered in the electronic form that is generally in use, providing that the data can be delivered in a secure manner. To ensure data security, we always deliver a copy of personal data that is to be processed to S-Bank's online bank in electronic form.

You also have the right to request that we correct or delete your personal data, and you may prohibit the processing of personal data for direct marketing purposes.

You also have the right, in certain situations, to request restrictions on the processing of your personal data, or otherwise to object to the processing of this data. Additionally, you may request the transfer, in machine-readable form, of data that you have submitted yourself, on the basis of the General Data Protection Regulation.

Please submit your requests related to the use of your rights to our contact person (contact information can be found in section 2 of this Data Protection Privacy Statement) by sending a message through the online banking service, calling +358 10 76 5800 (Mon–Fri at 9am–8pm, 0.0835 €/call+ 0.1209 €/minute) or by visiting our closest office to you. You can locate our offices on our website.

If you believe that the processing of your personal data is not lawful, you may lodge a complaint to the competent supervisory authority.

 

11. Right to revoke consent

If we process your personal data on the basis of your consent, you have the right to withdraw your consent. Withdrawing consent will not affect the legitimacy of any other processing than that taking place on the basis of consent or processing that was carried out at the data subject’s consent before revocation of the consent. The revocation of consent may, however, affect the functionalities and usability of the service.

 

12. Protection of the register

We implement appropriate technical and organisational data-protection measures to ensure the protection of personal data in our register. The measures we implement to protect our register include the following:

  • protection of hardware and files
  • access control
  • identification of users
  • user authorisations
  • usage event log
  • guidance and supervision of processing

We also require our subcontractors to protect, in an appropriate manner, any personal data that is processed.