Our processing of your personal data
At Nordiska, we attach great importance to protecting the privacy of our customers. All personal data is being processed in accordance with the applicable data protection legislation at any given time. Here, we briefly describe how we collect, process and share personal data. If you want to know more, you can find our data protection policy at the bottom of this page!
In general, regardless of what type of customer you are, we may need to process personal data in order to be able to enter into and administer agreements and fulfil the obligations contained therein. In addition, we process data to meet the requirements imposed on us by laws and regulations, as well as to further develop our business.
Personal data is processed for the purposes of:
processing and administration of the service applied for (e.g. credit information or other credit assessments);
confirmation of identity;
fulfilment of concluded agreements (e.g. invoicing, credit register);
to prevent and counter money laundering and terrorist financing and fraud; and
to fulfil other obligations pursuant to laws, ordinances and government regulations.
When applying for a private loan, our personal data processing may include a certain type of automated decision-making based on the financial information provided by the customer and information we collect from credit reporting companies. Such an automated decision can, for example, mean that the application for a loan is denied if the applicant's income is below our minimum requirements.
Automated decision making
Nordiska uses automated decision-making, including profiling, in connection with out credit assessment process for credit applications. Nordiska is obligated by law to assess your creditworthiness before we grant credits. To ensure the objectivity of our decisions regarding your credit application and to protect your integrity, we minimize our employees' access to your personal data and use automated decision-making to process applications. Your data is evaluated against our internal policy and our models that reflect the evaluation of your liquidity and the repayment ability, in combination with scoring models from credit reporting companies. The assessment determines whether you will be granted the requested credit or not. If a credit application is rejected due to a search in a database, we will immediately notify you of the result of such a search to the extent that such disclosure would not be contrary to current legislation.
Nordiska has the right to use automated decisions if it is necessary for the completion of an agreement with you or if you have given your consent. However, you always have the right to object to an automated decision with legal consequences or decisions that similarly significantly affect you. More information about your right to object can be found in the section "Your rights" below.
Nordiska may also use your data to communicate relevant information regarding services you have used or similar services and to carry out customer satisfaction surveys regarding our services (e.g. after you have contacted Nordiska's customer service) via electronic communication channels and by telephone. If you do not wish to receive such communication, you are welcome to send an e-mail to email@example.com.
Who can we share your information with?
Your personal data is protected by banking secrecy, which means that we are not allowed to disclose your information without authorization. However, certain information is shared with other recipients when permitted in accordance with banking secrecy. We may transfer information to, or share your information with, selected third parties for the performance of our contractual obligations towards you and for other purposes that appear in this Data Protection Policy. To which recipients we share your data with, and for which purposes, depends on which of Nordiska's services you use. We take all reasonable legal, technical and organizational measures to ensure that your data is handled securely and with an adequate level of protection when transferred to or shared with such selected third parties.
In order to fulfil the purpose of processing of your personal data, we share your personal data with companies that provide services to us, e.g. identification providers, communication providers, providers of payment services, providers of notification services, as well as providers of IT services. These companies may only process your personal data according to our specific instructions and may not use your information for their own purposes. Furthermore, they are also obligated by law and agreement to protect your personal data.
Payment recipients and payment service providers
Personal data can be shared with the payee and the payee's bank during a payments process, as well as payment service providers, e.g. Bankgirocentralen. The information shared is, among other things, identity information, such as name, national identification number and account information, e.g. account number. This processing is required for the fulfilment of our agreement with you and in order to verify your identity.
Other banks and identification service providers
When using BankID, personal data is shared with the provider of the BankID e-service, i.e. your identification service provider. The information shared is, among other things, identity information, such as name, national identification number and account information, e.g. account number. This processing is required for the fulfilment of our agreement with you as well as ensuring your rightful identity.
Credit reporting company
Your personal data may be shared with credit reporting companies and providers of similar services in order to assess your creditworthiness when you apply for one of Nordiska's credit products, as well as to confirm your identity and address. We may also disclose information about potential defaults on payments to credit reporting companies.
If you have a loan with us through a credit intermediary, we share certain information to the credit intermediary in order to fulfil our agreement with the credit intermediary. The information disclosed is identity information (e.g. name and national identification number) and credit information (e.g. credit amount, payment date). The processing is based on balance of interests between your legal interests and ours. Our legal interest in processing your personal data is to be able to fulfil our agreement with the credit intermediary with whom you have been in contact. National identification number is processed to ensure a secure identification and verify your rightful identity.
Debt collection companies
Nordiska may share your personal data based on our legal interest in collecting and selling debts. If we have a claim against you, we may share the personal data necessary with debt collection companies to establish, assert and exercise our legal claim or to other companies that take over our claim against you (either by us assigning our claim or by selling all or parts of our business).
Authorities and counterparties
Nordiska may provide necessary information to authorities such as the police, tax authorities or other authorities if obliged to do so by law, if you have approved to do so or if it is required to administer tax deductions. An example of a legal obligation to provide information is for measures against money laundering and terrorist financing. In Sweden, Nordiska also shares information about interest with the tax authorities to calculate your tax. Your personal data may also be shared with anti-fraud agencies to combat criminal activity.
Other third parties
Nordiska may share your information with other third parties. This can happen if Nordiska sells or buys operations or assets. In such a case, Nordiska may provide your personal data to a potential seller or buyer of such operations or such assets. Furthermore, if Nordiska, or a significant part of Nordiska's assets, is acquired by a third party, personal data about Nordiska's customers may be shared.
We will not sell your personal data to third parties unless we have your permission to do so.
Transfer of personal data to third countries and protective measures
As a general rule, our suppliers, partners and we only process your personal data within the EU/EEA. However, in some cases, personal data may be processed outside the EU/EEA if there is a decision from the Commission that the third country in question ensures an adequate level of protection or after appropriate protective measures have been taken.
Appropriate protective measures may be:
binding corporate regulations,
standard contract clauses that the EU Commission has decided on,
approved codes of conduct or certification mechanisms,
legally binding instrument between authorities.
If you would like a copy of the safeguards we have taken or information about where these have been made available, please contact us.
How long do we store your personal information?
How long Nordiska saves your personal data depends on the purpose for which the personal data is used. Personal data that we process for the purpose of administering the contractual relationship and to fulfil our agreement with you is processed as a starting point during the time the agreement applies, and thereafter for a maximum of ten (10) years due to statutes of limitation. We may also process the personal data for as long as is necessary to protect ourselves from legal claims and exercise our rights under the agreement based on a balance of interests.
In some cases, Nordiska must save personal data to meet applicable legal requirements, such as accounting and money laundering legislation, which stipulate that personal data is saved for seven (7) and five (5) years respectively (see the Accounting Act (1999:1078) and the Act (2017:630) on measures against money laundering and terrorist financing).
Below you will find a summary of your rights, i.e. what you are entitled to vis-à-vis Nordiska.
Right to access your data (“data portability”). You can request a copy of the personal data we process free of charge. Under certain conditions, you have the right to request the data in a structured and machine-readable format so it can be transferred to another recipient.
Right to correction. You have the right to correct incorrect or incomplete information we have about you.
Right to be deleted ("the right to be forgotten"). Under certain conditions, you have the right to have your personal data deleted. This applies, for example, to data that is no longer necessary to process for the purpose for which it was collected, or if you withdraw your consent for a certain processing. However, there may be cases where Nordiska cannot delete your data. This may be because the data is still necessary to process for the purpose for which it was collected, that Nordiska's interest in continuing to process the data outweighs your interest in having it deleted, or that Nordiska has legal obligations that prevent us from immediately deleting the data. If you submit a request to have your personal data deleted, we will block the data that we have to save in order to prevent it from being processed for purposes other than the reasons mentioned above. We will inform you of this when you submit a request for deletion.
Right to limitation of Nordiska’s processing. You can object to our processing based on Nordiska's legitimate interest (see Article 6(1)(f) GDPR) with reference to your personal circumstances. You can also always object to us using your data for direct marketing, see above under the section "Communication".
Right to withdrawal of consent. In cases where Nordiska processes your personal data based on your consent (e.g. when you have given us power of attorney for a third party to access your data), you have the right at any time to revoke all or part of a given consent with effect as of the time the revocation is made.
Right to object to an automated decision that significantly affects you. You have the right to object to an automated decision made by Nordiska if the decision involves legal consequences or constitutes a decision that similarly significantly affects you.
Right to file a complaint. If you have a complaint about Nordiska’s processing of personal data, you can contact our Data Protection Officer by sending an email to firstname.lastname@example.org. You can also contact the Swedish Data Protection Authority (IMY), which is the Swedish supervisory authority for Nordiska’s processing of personal data. Contact details can be found on their website http://imy.se.
Contact Nordiska or Swedish Authority for Privacy Protection (IMY)
Nordiska Kreditmarknadsaktiebolaget (publ) is registered with the Swedish Companies Registration Office with organization number 556760-6032 and is based at Riddargatan 10, 114 35 Stockholm.
Nordiska has a data protection representative. Our customer service is an important part of our business and is happy to receive your questions about data protection and personal data. You can always reach Nordiska's customer service at email@example.com. You can also send an e-mail to our Data Protection Officer at their email: firstname.lastname@example.org.
Nordiska Kreditmarknadsaktiebolaget (publ) is responsible for the processing of your personal data as described above. Nordiska Kreditmarknadsaktiebolaget (publ) complies with Swedish data protection legislation.
You can also submit a complaint or contact the Swedish Privacy Protection Agency (IMY), contact information can be found on their website http://imy.se.