You have the right to request access to the personal data we process about you, and you have the right to receive a copy of this information. You also have the right to information about how we process your data. Information about this can mainly be found in this privacy policy.

Information about, for example, your products, agreements, contact information and transaction history are available in your online bank. If you cannot find the information you are looking for, please send us a request for access. We may ask you to clarify what information or processing activities you want to access. In those circumstances where your online bank is not available or you cannot read electronic documents for some other reason, we can send you the information on paper.

There are some exemptions to the right of access. These include when we have a legal duty of non-disclosure or we have to keep information confidential for the prevention, investigation, detection and prosecution of criminal acts. Another exemption exists regarding information that is solely contained in documents prepared for internal use and an exemption from access is necessary to ensure proper processing.

It is important that the information we have about you is correct. SpareBank 1 checks its data against the Norwegian Population Register and other sources. At regular intervals, we also ask you in your online or mobile bank to confirm that the information we hold about you is correct. If you believe that the information we hold about you is incorrect or incomplete, you have the right to request that the information be corrected or updated.

You have the right to request that your personal data be deleted if

• you withdraw your consent to the processing and no other legitimate basis for the processing exist
• you exercise your right to object to the use of your personal data and there are no compelling grounds for the processing
• you object to the use of your personal data for direct marketing purposes
• the processing is illegal
• the personal data processing concerns minors, if the data was collected in connection with providing information society services

In many circumstances, we have to retain information about you, even though you want the information deleted. This may be true both while you are a customer of ours and for a period after the agreement with us has ended. In practice, this means that you may not always be able to require us to delete your data. This may be because we have a legal duty to retain it or because we must safeguard our legitimate interests. Similarly, we may need to retain your information to establish, exercise or defend a legal claim.

You can require that SpareBank 1 restrict the processing of your personal data in certain situations, for example if

• you believe that the personal data is incorrect or that the processing is not lawful
• SpareBank 1 wants to delete the data, but you need the information due to a legal claim
• you have objected to the processing and we need to assess whether we have a legitimate interest in continuing to process it

We will keep the relevant data stored, but all other processing of the personal data will be temporarily suspended. SpareBank 1 may begin processing your personal data again in connection with legal requirements or to protect another person’s rights.

The main purposes behind processing your personal data are customer management, financial advice, billing and the implementation of banking, insurance and financial services as they are described in agreements we have entered into with you. All of the agreements we have with you, or will enter into with you, describe their terms and conditions clearly such that it is easy to understand what the agreement includes.

We also process your personal data in order to meet our legal obligations, such as:

• Preventing and detecting criminal acts such as money laundering, terrorist financing and fraud.
• Monitoring sanctions.
• Accounting requirements.
• Reporting to tax authorities, law enforcement agencies, enforcement and supervisory authorities.
• Risk classification related to risk management such as credit development, credit quality, capital adequacy and insurance risk.
• Credit rating.
• Requirements and obligations related to payment services.
• Other obligations related to service or product-specific legislation such as securities, funds, collateral security, insurance or home loan mortgages.
  

We may use your personal data if this is required to safeguard a legitimate interest that outweights considerations concerning your privacy. The legitimate interest must be legal, pre-defined, real and factually rooted in our business activities.

Examples of basing our processing on legitimate interest include:

• Marketing, product and customer analyses that help us improve our solutions and provide our customers with the best possible services, products and offers.
• Checks, reporting and analyses that help us develop our business and systems, as well as ensure that our operations are properly managed.
• Profiling, for example when conducting customer analyses for marketing purposes or monitoring transactions to detect fraud and other criminal acts.
  
• Transaction classification of your income and expenses to provide you with a better overview and understanding of your personal finances.
• Automatic transfer to your SpareBank 1 bank when you log into your mobile bank, so you do not have to disclose your bank affiliation every time you log in.
• Developing and using machine learning models to identify suspicious transactions in connection with statutory anti-money laundering work.
• Using machine learning and artificial intelligence to classify your transaction details, including in order to provide you with a better overview of where your money goes.
• Identifying your subscriptions or other regular expenses that we can help you terminate.

When we process personal data about you on the basis of our legitimate interests, you can object to the processing. Read more about the right to object under Your rights.

In some cases, we will ask for your consent to process personal data. Any consent given by you must be voluntary, unconditional and informed. Consent is one of the bases for processing if we need to process special categories of personal data (e.g. information about health and trade union membership).

We also use your consents to, for example, collect information about your activities on our websites (via cookies) and send you more personalised marketing based on data we hold about you.

If you have given us consents concerning cookies or marketing, you can withdraw these at any time in the online and mobile banks. If you withdraw your consent, the processing will stop and the personal data associated with the consent will be deleted. 

You can also read more about what your consents are used for in the overview provided in the online and mobile banks.

To withdraw other consents, email the data protection officer at the bank or company.

We will process your personal data to fulfil the obligations we have assumed concerning the performance of transactions and services for you. For example, we will need to process your personal data to send you invoices, execute payment transactions on your accounts and respond to your enquiries.

Basis for processing: Agreement, legal obligations.

Customer services

We want to be accessible for our customers both digitally and in-person. For that reason, you can contact us by email, chat, letter, phone and other channels. We can also organise digital meetings with you, when you have agreed this with one of our customer advisers.

If you start a chat from the bank’s website without being logged in to the online bank, the chat will be anonymous. The chat will be archived for use in statistics and evaluating customer service, but cannot be linked to you as a customer.

If during the chat you choose to speak to an adviser, the adviser will be given access to the chat. This is done so that they can familiarise themselves with your enquiry before continuing the chat.

If you start a chat when you are logged in to your online bank, it will be saved and linked to you as a customer. This is done to provide you with the best possible customer service when you contact the bank again later on, and as documentation in the event of a dispute arising.

If you contact us via social media (e.g. Facebook), one of our customer advisers will be able to follow up your enquiry with you. If you need to share personal information, we continue to recommend that you use the secure channels on our websites.

Basis for processing: Legitimate interest, agreement.

Investment services

When we provide investment services, we are required by law to make audio recordings and retain calls, meetings and other customer communications. In physical counselling meetings, we must write minutes of the meetings. Such documentation is retained for at least 5 years in order to document the investment services we provide. 

Audio recordings of phone calls

We may occasionally record phone calls made to and from our call centre. You will be informed about this before the call starts, so that you can opt out of being recorded. The recording will be used only if you or we need to document the content of the conversation. To document reports of lost cards, we make audio recordings when a lost card is reported over the phone. The audio recording is retained for 18 months.

In some cases, we want to record phone calls for training purposes. Before the call starts, you will be notified of this and be given the opportunity to opt out of being recorded. You can request access to audio recordings by contacting the bank. You must specify the time of the call and which phone number it was made from when you request access.

Basis for processing: Legitimate interest, legal obligation.

We want to provide you with information about products within the product categories where you already have an agreement with the bank and/or the individual company. In these circumstances, the bank/company will use personal data such as name, contact details, date of birth and the services or products for which the customer already has an agreement. 

Our products are distributed across the following categories:

• Payment services
• Savings and deposit products
• Loans and other credits
• Pension insurance
• General insurance
• Personal insurance

Using personal data, interests and user group profiles, we personalise communication, ads, advice and offers to ensure that they are relevant and useful. The information about you may also be used in analyses and customer surveys to develop and improve products and services and enhance customer service. We will only analyse your transaction data for marketing purposes if you have consented to this.

You may also see ads from us on social media, external news sites and other wesites when we buy ad space through various media.

Digital customer service and marketing channels

• Websites: Homepage/online bank, Exchange Weekend.
• Apps: Apps in App Store,  Apps in Google Play
• Social media: Facebook, Instagram, YouTube, LinkedIn, Snapchat.
• Other channels: email, news media.

If you have opted out of receiving marketing communications in the Reservation Register in Brønnøysund, we will of course respect this.

Basis for processing: Consent, legitimate interest.

Social media

We use various social media sites such as Facebook, Instagram, YouTube, X, LinkedIn and Snapchat to make ourselves available to our customers. In these channels, we share useful information and relevant content and updates about SpareBank 1 in local communities.

If you have a profile on one of the various social media sites, you must also comply with their terms and conditions and privacy policy. We encourage you to review these terms and conditions. We also use aggregated information about visits and activity on our social media pages for statistics and analyses. This information cannot be traced back to individuals. 

Any information you provide us with via social media, such as reactions and comments on our posts, is not held by us. It is held by the social media site to which our site is linked. You can delete the information about yourself at any time, for example if you delete comments you have posted. Please note that the data will not be deleted if you just unfollow our page.

Basis for processing: Legitimate interest.

We use various analytical tools based on what you have consented to. For example, various analytical tools are used to:

• Collect statistics concerning your usage patterns.
• Systemise statistics and build segments for relevant content in our digital channels, for example, websites, apps, on social media and via ads.
• Test and present relevant content to you.

We may collect information about you that is used to analyse how you as a customer use SpareBank 1’s services via digital channels and in other communication channels. This information is also used to identify potential demand for new products and services, and to improve the functionality of existing products and services.

The following are examples of how we apply analysis:

• To determine price levels.
  
• To assess and monitor credit risk.
• To personally adapt our web pages.
• To prevent and detect fraud.
• To analyse website traffic and use of email and text messaging.
• To personally adapt information and relevant ads.

Basis for processing: Consent and legitimate interest.

We process personal data in connection with market and customer satisfaction surveys. For example, after you have been in touch with us, we ask you to tell us how you experienced the contact. Your feedback helps us to provide you with even better products and services. We can also measure the effectiveness of improvement and look at the link between customer satisfaction and customer behaviour over time.

Responding to such surveys is voluntary.

Basis for processing: Legitimate interest.

We use certain personal data to assess risk in the sale of products and services. This provides you, the customer, with the confidence that your assets will be well taken care of.

The Financial Institutions Act, Securities Trading Act and CRR/CRD IV Regulations require us to process credit information, application information and other information about you in order to calculate capital requirements for credit risk. Such processing is also carried out when you establish a customer relationship and when assessing which services and products are suitable for you.

The calculations are conducted using our own models, work processes, decision-making processes, control mechanisms and internal guidelines. This applies to the classification and quantification of credit risk and other risks. In other words, the risk associated with credit and other financial factors is assessed. In conjunction with this, personal data may be collected from credit information agencies. Information may also be collected from the Norwegian Debt Register to develop risk assessment models and to draw up individual credit policy rules.

The Financial Institutions Act, Securities Trading Act and CRR/CRD IV Regulations require companies in the Group to exchange customer information in order to fulfil the institution’s governance, control and reporting requirements. This particularly applies to information regarding defaults on commitments. 

Basis for processing: Legal obligations.

We process personal data to prevent, detect, clear up and deal with fraud and other criminal acts against you, other customers or us.

We will also process personal data to prevent and detect transactions related to gains derived from criminal acts or in conjunction with terrorist financing. This is done because we are required to investigate and report suspicious transactions under the Anti-Money Laundering Act, as well as to verify the identities of all of our customers.

The Anti-Money Laundering Act requires us to report suspicious information and transactions to the Financial Intelligence Unit (EFE) of the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim). The information will be collected from, and may be disclosed to, other banks and financial companies, the police and other public authorities. 

Basis for processing: Legitimate interest, legal obligation.

The banks and companies in SpareBank 1 have a duty of confidentiality regarding customer information. The duty of confidentiality also applies between the companies within SpareBank 1. There are some exemptions where the companies in SpareBank 1 may in some circumstances share some personal data with each other where this is allowed. This could be

• your contact details
• your date of birth
• information about the SpareBank 1 company in which you are a customer and the services and products you have entered into an agreement to receive
• sharing of customer information obtained in accordance with the Anti-Money Laundering regulation

A typical case where information will be shared is, for example, between your bank and SpareBank 1 Forsikring to see whether you need any of the products or services that can be delivered. Information about customers will never be shared between the banks in the Alliance. 

If you would like more relevant advice and offers from us, you can consent to the companies in SpareBank 1 sharing more information about you.

You will find the consent options in your online and mobile banks.

In many cases, SpareBank 1 is required to disclose personal data to public authorities. Examples of these include disclosing information to tax authorities, the Norwegian Labour and Welfare Administration (NAV), the courts, the police, supervisory authorities, the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim) and public committees. Registered personal data will only be disclosed to public authorities and other third parties when this is required by statutory disclosure obligations or disclosure rights.

If we are permitted to do so by law, personal data may be disclosed to other banks, insurance companies, financial companies and partners. One example where this might happen could be if you want to see your account information in another bank, or if you want to see your insurance from Fremtind in your mobile bank.

For payments to or from abroad we will provide pertinent personal data to the foreign bank. The laws of the recipient country determine the extent to which the information is disclosed to government agencies or regulatory bodies. This might be done to comply with the recipient country’s tax laws, measures against money laundering or terrorist financing.

If you default on your credit agreements, the information may be disclosed to a debt collection company for the purpose of collecting the defaulted claim on behalf of the creditor. The claim may also be sold to a debt collection company which then takes over as creditor for the claim.

Norway has entered into agreements with several countries on mutual tax reporting to combat tax evasion and international tax crime. The agreements are often referred to as CRS (Common Reporting Standard) and The Foreign Account Tax Compliance Act (FACTA). Under the agreement, Norwegian financial companies are required to identify and report persons, companies and other entities that reside or are domiciled abroad to the Norwegian tax authorities. You can get more information about CRS and FATCA from the Norwegian Tax Administration.

• SpareBank 1 Utvikling – our own IT and development company that provides services for the entire SpareBank 1 Alliance.
• Amazon (AWS) – the platform we use to build our digital bank, financial platform, etc.
• TietoEvry – one of SpareBank 1’s largest subcontractors of core banking and other payment systems.
• Microsoft – for example, for Teams meetings with you or general email correspondence.

SpareBank 1 primarily wishes to use data processors based in the EU/EEA. If SpareBank 1 uses providers outside the EU/EEA, we will ensure that the following conditions are met to ensure that the privacy and rights of our customers are well safeguarded:

• There is an approved transfer basis for the delivery of personal data to a third country, such as the use of standard contracts (EU standard clauses) approved by the European Commission, the data processor has valid, binding corporate rules (BCR) or the European Commission has decided that there is an adequate level of protection in the relevant country.
• The level of protection for the processing of personal data in a third country has been assessed as corresponding to the level of protection in the EU/EEA, as a result of specified technical and/or organisational measures.

We use cookies in our digital channels: websites, online bank and mobile bank.

Cookies are small pieces of data that are stored on your computer or your mobile phone by the browser or app you are using. A cookie belongs to a specific website and therefore cannot be read by other websites. 

If you use our website without identifying yourself, the cookie consent will only apply to the device (such as mobile or PC) you are using. When logging in to your online or mobile bank, you can choose to allow the answer from the device to apply to you as a customer as well. 

You can choose which categories of cookies we can use. 

Read more about our use of cookies here.

Technical cookies

For the websites to work, we must use technical cookies. These, therefore, cannot be turned off.

Functional cookies

We use functional cookies so that you do not have to go through the same choices every time you are on our websites. They store information about your use of the website and the settings you have selected.

Cookies that archive statistics

We use cookies that store statistics to make our websites better and simpler to use. This information helps us understand how the websites are used, which in turn enables us to improve. 

Cookies for targeted marketing

For you to obtain content that is tailored to you, we use cookies that collect information about your usage pattern and your interests. This means that we can present you with more relevant and targeted marketing, including from our partners. We do this in several channels, for example on our websites and in social media.

In addition to cookies, we use pixels and scripts from third parties. These are snippets of code that allow us to analyse your usage across social media and our channels, and we use this to give you more relevant marketing. 

You can choose which categories of cookies we can use.