Nordea Asset Management 1 December 2022
1. What personal data do we collect?
Personal data is information relating to an individual, which can be used either alone or with other sources of information to identify that individual.
In most cases we collect personal data directly from you or is generated as part of the use of our services, products and channels, including mobile applications. Sometimes additional information is required to keep information up to date or to verify the information we collect. In some cases we also collect and process personal data about individuals associated with you, for example employees, beneficial owners, board members, signatories, legal representatives and persons who are in contact with NAM in respect of trading transactions, and other individuals with whom we interact and collaborate with.
1.1 The types of personal data we collect
The categories of personal data that we collect and use are listed below. We have provided examples of the types of personal data that fall within each category. Please note that the list of examples is not exhaustive. The type of personal data that we collect from you will depend on the service or the product we are providing to you as a customer.
• Identity and contact information such as name, e-mail address, address, phone number, correspondence/meeting preferences, country of residence and tax residences, citizenship/nationality, date of birth, gender, languages spoken, unique government identifier, including national identification number, passport number, ID copy, photography, place of birth, preferred salutation.
• Sensitive personal data such as indirect political opinions for political exposed persons (PEP’s) as part of anti-money laundering documentation.
• Third party details such authorised representatives, name, details of beneficiaries, external advisors.
• Details of Nordea internal identifiers such as account linkage, customer number, details of contract between Nordea entities, intermediaries and individuals, hashed identifiers, relationship manager.
• Regulatory data such as individual and family details for anti-money laundering, politically exposed person checks, and prevention of insider trading, compliance approval status, and conflict of interest disclosure.
• Marketing and communications data: marketing and communication preferences
• Monitoring data such as call recordings and CCTV, to the extent permitted by applicable law.
• Financial details such as credit rating, documentation on supporting investor status, employment status, financial history, bank account details, investment preferences, restrictions and objectives, investor status/classification, net worth & estimated income, professional and academic background, risk profiles, tax codes/classification identification numbers, third party account details/custody
• Transaction details such as intermediary and industry identification numbers, investment details, payee/investee details, product details, transaction details and identification numbers
• Technical data such as name of version of the OS, processor model, language on mobile phone/tablets. Other data which might be collected via cookies, please visit the Cookies Policy in the footer of our webpages.
1.2 The sources from which we gather your personal data
We collect information you provide directly to us. For example, when becoming a representative or contact of a customer or collaboration partner, we collect personal data, such as name, e-mail address and phone number. For most individuals, work as opposed to private contact information is the only contact information we collect or process.
We collect national identification number, other identity information, regulatory data and third party details for verification and compliance purposes. Some financial details and transaction details we collect for compliance purposes and others in order to provide you with our services and products and validate performance.
We also collect information which you provide to us, such as messages you have sent us as feedback, a request in our digital channels or use our applicable form.
From third parties
To be able to offer you our products and services and to comply with statutory requirements, we collect personal data from third parties, such as publicly available and other external sources. For example, to fulfil legal requirements for anti-money laundry and prevention of financial crime we may collect information in registers held by governmental agencies (tax authorities, company registration offices, enforcement authorities), sanction lists (held by international organisations such as the EU and UN), registers held by other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.
We also collect information from other entities within NAM, the Nordea Group or other entities which we collaborate with.
1.3 Recording of telephone conversations, online meetings and storage of chat conversations
1.4 Video surveillance
2. How do we use your personal data and what is the lawful basis for doing so?
2.1 Necessary to perform an agreement with you
One reason we process personal data is to collect and verify the data prior to giving an offer and entering into a contract with you. We also process personal data to document and complete tasks in order to fulfil our contractual obligations towards you, e.g. to provide and administer our products and services to you.
Examples of activities necessary to perform an agreement with you:
• Collecting information needed to verify your identify in order to provide you with our products and services
• Collecting your contact information to provide you with customer service during the contract period, including customer care and customer administration and communication with you
2.2 Legal requirements
We mainly process personal data to fulfil obligations under law, regulations or authority decisions in the countries where our offices are located.
Examples of processing due to legal obligations:
• Know Your Customer requirements
Preventing, detecting, and investigating money laundering, terrorist financing, and fraud
• Bookkeeping regulation
• Reporting to tax authorities, police authorities, enforcements authorities, supervisory authorities
• Creating and maintaining legal contracts, fund documentation and corporate governance related documentation
• Other obligations related to service or product specific legislations, for example securities or funds
2.3 Legitimate interest
We use your personal data where necessary to further our legitimate interests, as long as those legitimate interest are not overridden by your interests or fundamental rights and freedoms.
Examples of our processing based on legitimate interests:
• Relationship and vendor management. We collect and use personal data for ongoing oversight, management of the relationship and interaction with you.
• Compliance with legal obligations under e.g. financial and tax regulation. For example we may collect and use your contact details when processing invoices for your company
• Portfolio decisions. We use personal data when documenting that portfolio decisions (e.g. redemptions, subscriptions or investment guidelines) are implemented on behalf of the correct customers
• Investment decision. As part of making investment decisions we process personal data such as contact information, when collecting research from you as an external brokers.
• Corporate actions. When managing, implementing and maintaining corporate actions we process personal data with the purpose of instructing the custodians.
• Security trading. We process personal data for the purpose of trading and settling security trading.
• System testing. In a limited number of cases we may use personal data for system testing and development. The testing process is by design limited to key identifiers necessary to perform the testing and all other directly or indirectly identifiable personal information are masked.
3. Who do we disclose your personal data to?
Your personal data can be shared with others to the extent we are under statutory obligation to do so and to fulfil services and agreements we have with you. We may share your personal data with others such as public authorities, NAM entities, Nordea Group companies, suppliers, service providers and business partners. Before sharing, we will always ensure that we respect relevant financial industry secrecy obligations and that we comply with applicable data protection regulation.
To provide our services to you, we disclose data about you data that is necessary to identify you and perform an assignment or agreement with companies that we cooperate with. This include, but is not limited to, instructing custodians on specific custody accounts, to trade and settle securities, distribution services cash account reconciliation, invoicing and reporting, balance monitoring and payments.
We may also disclose personal data to authorities to the extent we are under statutory obligation to do so. This includes, but is not limited to, facilitating reclaims and financial reporting.
We disclose your personal data to:
• Authorities: we disclose personal data to authorities to the extent we are under statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcements authorities and supervisory authorities in relevant countries.
• NAM entities and Nordea Group Companies: we disclose personal data internally in the Nordea Group with your consent or if this is permitted pursuant to legislation.
• External business partners: we disclose personal data to external business partners with your consent or if this is permitted pursuant to legislation. External business partners include for example correspondent banks and custodians.
• Suppliers: Nordea Group have entered into agreements with selected suppliers, which include processing of personal data on behalf of us. This can be suppliers of IT development, maintenance, hosting and support.
3.1 International transfer and transfer to service providers
To provide our services and in the course of running of our business, we transfer personal data to entities as referenced above in third countries (countries outside of the European Economic Area) which might not have the same level of privacy and data protection law. Such transfers can be made if any of the following conditions apply:
• The European Commission has decided that there is an adequate level of protection in the country in question
• The standard contractual clauses (EU model-clauses) approved by the European Commission. You can access a copy of the relevant EU model-clauses for transfers by going to EUR-LEX or www.eur-lex.europa.eu and searching for 32021D0914.
• Exceptions in special situations, such as to fulfil a contract with you or you consent to the specific transfer.
3.2 Meeting and webinars
Some external suppliers make available and/or stored personal data in USA and any other countries which may not offers protection equivalent to the one provided by in the European Union or European Economic Area. This can create certain risks for example unauthorized data access to personal data, including requests from foreign government agencies, excessive data collection and retention and unwanted commercial solicitation.
The impact of these risks can be lessened by using the meeting or webinar application in a way that is as minimally invasive as possible for your given purpose. Communicating sensitive personal data such as personal health information, credit card information, and SIN numbers should be avoided. NAM has configured the settings of certain meeting and webinar application to be minimally invasive.
3.3 External website and Social Media Platforms
4. How we protect your personal data?
5. What are your privacy rights?
You have the following rights in respect of the personal data hold about you;
a) Right to request access to your personal data
You have a right to access to the personal data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for NAM’s business concept and business practices. NAM’s know-how, business secrets as well as internal assessments and material may restrict your right of access.
b) Right to request correction of incorrect or incomplete data
If the data we are keeping about you is incorrect or incomplete, you are entitled to have the data corrected, with the restrictions that follow from legislation.
c) Right to request erasure
You have the right to request erasure of your data in the following cases;
• You withdraw your consent to the processing and there is no other legitimate reason for processing
• You object to the processing and there is no justified reason for continuing the processing
• You object to processing for direct marketing
• Processing is unlawful
• When processing personal data on minors, if the data was collected in connection with the provision of information society services
Due to the financial sector legislation we are in many cases obliged to retain personal data concerning you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims.
d) Right to request limitation on processing of personal data
If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data. The processing will be restricted to storage only, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.
If you are entitled to erasure of the data which we have registered about you, but the data is necessary for you to defend a legal claim, you may request that we restrict the processing to storage only, if you want to keep the data.
Even when processing of your data has been restricted as described above, we may process your data in other ways if this is necessary to enforce a legal claim or you have given your consent.
e) Right to object to processing based on our legitimate interest
You can we object to the processing of personal data if the processing is based on NAM’s legitimate interest, including direct marketing and profiling in connection to such marketing.
f) Right to withdraw consent(s) previously given to us at any time
When the lawful basis for a specific processing activity is your consent, you have a right to withdraw your consent at any given time. Information about your right to withdraw it is provided when you are asked by NAM to give your consent
g) Right to data portability
You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or of fulfilling a contract. Where secure and technically feasible the personal data can also be transmitted to another data controller by us.
Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.
6. How long do we process your personal data?
We will keep your data for as long as they are needed for the purposes for which your data was collected and processed or required by laws and regulations.
This means that we keep your data for as long as necessary the performance of a contract and as required by retention requirements in laws and regulations. Where we keep your data for other purpose, such as for anti-money laundering, bookkeeping and financial regulatory requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
The data retention obligations will differ within NAM, subject to applicable local law.
Examples of storage times:
• Preventing and detection of money laundering and terrorist financing, and fraud: storing of Know Your Customer (KYC) information for a minimum of five years after termination of the business relationships or the performance of the individual transaction
• Service or product specific regulations such as securities markets: storing your financial information for ten years after termination of the client relationship
• Bookkeeping regulations: storing legally required information for up to ten years
• Details on performance of an agreement: storing information related to your agreement with us for up to ten years after end of customer relationship
• Client reporting: your contact information is stored five years after as of end of the year of the reporting.
• Client CRM information: information stored about you in our CRM system is stored until 2 weeks after end of business relationship.
7. How to contact us or the data protection authority?
7.1 Contact the Data Protection Officer
7.2 Complaint to the data protection authority
9. Who are the data controllers of NAM?
Within NAM the data controller will be legal entity you have a relationship with. This lists provides an overview of details of data controllers per country including contact details.
Luxembourg: Nordea Investment Funds S.A. 562 Rue de Neudorf, L-2220 Luxembourg
Sweden: Nordea Investment Management AB M 540
SE-105 71 Stockholm / Nordea Asset Management Alternative Investments AB M540
SE-105 71 Stockholm
Denmark: Nordea Investment Management AB, Danmark Filial af Nordea Investment Management AB, Sverige Nicolai Eigtveds Gade 8, DK
1402 Copenhagen K
Finland: Nordea Investment Management AB, Finnish branch Satamaradankatu 5
Norway: Nordea Investment Management AB, NUF filial Norge Olav Kyrres gate 22
5014 BERGEN / Nordea Asset Management Alternative Investments AB, German Branch Hauptstrasse 15
D-61462 Königstein im Taunus
Germany: Nordea Investment Management AB, German Branch Hauptstrasse 15
D-61462 Königstein im Taunus
USA: Nordea Investment Management North America, Inc. 1211 Avenue of the Americas
23rd floor New York
Schweizerland: Nordea Asset Management Schweiz GmbH / Rämistrasse 31, 8001 Zurich
Chile: NAM Chile SpA El Bosque central 92, Piso 8, las Condes, Santiago
For language versions, please go to your local website.