Danske Bank A/S Privacy Notice for Business Customers (Denmark) Effective from 5 February 2020

Danske Bank A/S privacy notice for business customers (Denmark) Effective from 5 February 2020

1. Introduction • personal details such as your name, social security We process other personal data as necessary to provide you number or other national ID number and proof of identity with specific products or services or if we are required by law This privacy notice applies to the processing of personal data such as a copy of your passport, driver’s licence and to do so. in Danske Bank A/S (Danske Bank) in Denmark. Danske Bank birth certificate is the data controller for the processing of the personal data 3. What we use your personal data for comprised by this privacy notice. Contact details: Danske • contact information, including your address, telephone Bank A/S, CVR no. 61126228, Holmens Kanal 2-12, DK- number and email address Danske Bank may process your personal data for any of the 1092 København K. • information about your education, profession, work, following purposes, depending on the capacity in which you knowledge and experience interact with us: In the course of our business, we process information about • details about the services and products we provide to you (personal data). you, including accounts, cards and access rights • For potential customers to be able to offer relevant • how you use our services and products and your products and services, and, if they choose to accept This privacy notice applies to individuals who are connected preferences in relation to them one or more of our products or services and with a business customer of Danske Bank. You may be an become a customer, for onboarding purposes in • digital information related to your use of our websites, authorised signatory, a beneficial owner, a director, an relation to identification and verification for anti- platforms and digital applications, including, traffic data, employee, a guarantor, a pledgor or another third party money laundering purposes. connected with a business customer. location data, behavioural data and other communication data • Customer services and customer relationship management, including advice, administration, • information about the devices you use to access our This privacy notice sets out how and why Danske Bank management of employee corporate cards, websites as well as technical information, including the processes your personal data and protects your privacy recovery of outstanding debt, handling of type of device and operating system rights. complaints and to make information available to • information provided by you about preferences for service providers authorised to request 2. What personal data do we process? various types of marketing and events information about you. • information about your visits to our offices, including • Communicating with you about your products and Depending on your connection with our business customer, video surveillance we process different types of personal data, including services for legal, regulatory and servicing • telephone conversations with you purposes.

Danske Bank A/S privacy notice for business customers Danske Bank A/S Page 1 of 6 CVR-nr. 61 12 62 28 - København

• To improve, develop and manage our products and • To comply with a legal obligation, cf. the GDPR, art. 5. Sensitive personal data services and setting fees and prices for our 6.1(c), for example, in accordance with products and services, including using data Some of the information we hold about you may be sensitive analytics and statistics to improve products and o the Danish Anti-Money Laundering Act personal data (also known as special categories of data). services and to test our systems. (hvidvaskloven) o the Danish Tax Control Act Types of sensitive personal data • Marketing of our services and products, including In particular, we may process the following types of sensitive marketing on behalf of other entities of the Danske (skattekontrolloven) o the Danish Bookkeeping Act personal data: Bank Group, if we have your permission for this or (bogføringsloven) are allowed such marketing by law. We use cookies o the Danish Credit Agreements Act • Information about your health and your genetic and similar technology on our website, including for (kreditaftaleloven) background, for example inherited health qualities marketing via digital channels and social media o the Danish Financial Business Act (lov om • Biometric data, for example via facial recognition platforms such as Facebook. Please refer to our finansiel virksomhed) cookie policy for further information. technology o the Danish Payments Act (betalingsloven) Information about your religious or philosophical • To comply with applicable law and for other • o the Danish Data Protection Act beliefs regulatory and administrative purposes, including (databeskyttelsesloven) • Information about your political opinions identification and verification according to anti- o the Danish Capital Markets Act (lov om money laundering legislation, risk management, and kapitalmarkeder) We also process sensitive personal data that may appear in prevention and detection of money laundering, o the Danish CPR Act (CPR-loven) budget information you give us and transactions you ask us fraud and other types of financial crime. In relation to execute. to anti-money laundering, identification data is • It is necessary to pursue Danske Bank’s or another collected at regular intervals during our business third party’s legitimate interest, cf. the GDPR, art. Purposes for processing sensitive personal data customer’s relationship with us as required by law. 6.1(f). For example, if Danske Bank or the business We will process sensitive personal data only when we need • Security, including the use of video surveillance of customer that you have a connection with has a to, including the front of buildings, entrances to our branches business or commercial reason, such as and other premises, reception and customer areas, administration of the services and products that • for the purpose of a product or service we provide ATMs and counters. the customer has requested, to give you the to you or the business customer that you have a required access to digital services, for connection with documentation and security purposes, to prevent 4. What is our legal basis for processing your personal • for identification and verification purposes data? and detect money laundering, to prevent and detect fraud, abuse and loss, to strengthen IT and payment • for the prevention and detection of money We must have a legal basis (lawful reason) to process your security and for direct marketing purposes. We will laundering and other types of crime, including for personal data. The legal basis will be one of the following: do so only if our legitimate interest in each case is fraud prevention and detection purposes not outweighed by your interests or rights and • to comply with legal requirements that apply to us • You have given us consent to use your personal freedoms. as a financial institution data for a specific purpose, cf. the GDPR, art. 6.1(a) Legal basis for processing sensitive personal data • You have entered into or are considering entering We may process sensitive personal data about you on the into an agreement with us on a service or product, legal basis of cf. the GDPR, art. 6.1(b)

Danske Bank A/S privacy notice for business customers Danske Bank A/S Page 2 of 6 CVR-nr. 61 12 62 28 - København

• your explicit consent, cf. the GDPR, art. 6.1(a) and Personal data collected from third parties external business partner you have signed up for, to 9.2(a) We receive and collect data from third parties, including enable our customers to use banking services • the establishment, exercise or defence of legal from abroad, or to prevent and detect money laundering, claims, cf. the GDPR, art 6.1(f) and 9.2(f) fraud, abuse and loss. • substantial public interest, cf. the GDPR, art. 6.1(c) • The business customer that you have a connection or 6.1(f) and art. 9.2(g) with. 7. Third parties that we share your personal data with • Shops, banks and payment and service providers We will keep your information confidential but we may share 6. How do we collect the information we have about you? when you use your credit or payment cards, Danske eBanking, District or other payment services. We it with the following third parties (who also have to keep it Personal data collected from you process the data to execute payments and prepare secure and confidential): We collect information directly from you or by observing your account statements, payment summaries and the actions, including when you like. • Other entities of the Danske Bank Group if we have • Asset managers when we provide trade reports to your consent, for example to provide you with better • fill in applications and other forms for ordering their customers. customised products and services. services and products • The Danish Central Office of Civil Registration (CPR- • Other entities of the Danske Bank Group if existing • submit specific documents to us kontoret) and other publicly accessible sources and legislation allows or requires us to share the • participate in meetings with us, for instance as a registers. We process the data, for example for information, for example if it is necessary to comply representative of the business customer that you identification and verification purposes and to with group-based management, control and/or have a connection with check data accuracy. reporting requirements established by law, or the • talk to us on the phone • Credit rating agencies and warning registers. We sharing of notifications to the State Prosecutor for • use our website, mobile applications, products and process the data to perform credit assessments. Serious Economic and International Crime (SØIK) in services We update the data regularly. accordance with anti-money-laundering legislation. • participate in our customer surveys or promotions • Other entities of the Danske Bank Group if we have • Service providers authorised as an account organised by us your consent, for example to provide you with better information service, payment initiation service or card-based payment instrument provider, when the • communicate with us via letter and digital means, customised products and services. service provider duly requests information about including e-mails, or social media • Other entities of the Danske Bank Group if existing legislation allows or requires us to share the the account belonging to the business customer Voice recordings: information, for example if it is necessary to comply with which you are connected. When you call us or when we call you at your request or to with group-based management, control and/or • Guarantors, individuals holding a power of attorney, follow up on your inquiry, conversations may be recorded and reporting requirements established by law, or the lawyers, accountants or others you have authorised stored for documentation and security purposes. Before an sharing of notifications to the State Prosecutor for us to share the information with. employee answers a call or before you enter the queue, you Serious Economic and International Crime (SØIK) in • External business partners (including will be notified if the call will be recorded. In a few situations, accordance with anti-money laundering legislation. correspondent banks and other banks) if we have for example in case of a long waiting time, your call may be • External business partners (including your consent or if permitted under existing redirected to a non-recorded employee without notification correspondent banks and other banks) if permitted legislation, for example to prevent and detect money to you. If we talk with you about investment services, we are under existing legislation, for example to provide laundering, fraud, abuse and loss. obliged to record and store our telephone conversation. you with a service or product provided by an

Danske Bank A/S privacy notice for business customers Danske Bank A/S Page 3 of 6 CVR-nr. 61 12 62 28 - København

• Our suppliers, including lawyers, accountants, When Danske Bank transfers your personal data to third We use automated decisions for example to approve loans consultants and courier services. We use courier parties outside the EU and the EEA, we ensure that your and credit cards, to prevent and detect money laundering and services to deliver, for example, credit cards to you, personal data and data protection rights are subject to to prevent and detect fraud. Automated decision-making and we disclose your name, address and telephone appropriate safeguardings by helps us make sure that our decisions are quick, fair, efficient number to them, so you can receive the and correct, based on what we know. consignment. • ensuring that there is an adequacy decision by the • Data processors, including IT service providers who European Commission In relation to loans and credit cards, we consider information may be located outside the EU and the EEA, such as • using standard contracts approved by the about your income, your expenses and how well you have kept Danske Bank India. European Commission or the Danish Data up on payments in the past. This will be used to determine the • Social media companies, such as Facebook. Protection Agency amount we can lend you.

• Public authorities as required by law or according In relation to the prevention and detection of money to court orders or requests from the police, the You can get a copy of the standard contract by contacting us (see contact details in section 13). laundering, we perform identity and address checks against bailiff or other authorities. This could include the public registers and sanctions checks. State Prosecutor for Serious Economic and 9. Profiling and automated decisions International Crime (SØIK) in accordance with the In relation to fraud prevention and protection, we do our best Danish Anti-Money Laundering Act, to the Danish to protect you and your account against criminal or tax authorities in accordance with the Danish Tax Profiling fraudulent activity by monitoring your transactions Control Act and the Danish central bank (Danmarks Profiling is a form of automated processing of your personal (payments to and from your account) to identify unusual Nationalbank) for statistical and other purposes. data to evaluate certain personal aspects relating to you to analyse or predict aspects concerning for example, your transactions (for example, payments you would not normally • Regulators, such as the Danish Financial economic situation, personal preferences, interests, make, or that are made at an unusual time or location). This Supervisory Authority (Finanstilsynet), law reliability, behaviour, location or movements. may stop us from executing a payment that is likely to be enforcement agencies and authorities in Denmark fraudulent. and other countries, including countries outside the We use profiling and data modelling to be able to offer you EU and the EEA, in connection with their duties. specific services and products that meet your preferences, You have rights relating to automated decision-making. You • Credit rating agencies. If you default on your prevent money laundering, determine prices of certain can obtain information about how an automated decision obligations to Danske Bank, we may report you to services and products, prevent and detect fraud, evaluate the was made. You can ask for a manual review of any automated credit rating agencies and/or warning registers in likelihood of default risk and value assets and for marketing decision. Please see section 11, “Your rights” and accordance with applicable law. purposes. “Automated decision-making”. • For social and economic research or statistics purposes, where it is in the public interest. Automated decision-making 10. For how long do we store your personal data? With automated decision-making, we use our systems to 8. Transfers outside the EU and the EEA and international make decisions without any human involvement on the basis We keep your data only for as long as it is needed for the organisations of the data we have about you. Depending on the specific purpose for which your data was processed. decision, we might also use information from public registers When your relations with us have terminated, or when the Some third parties that we share personal data with may be and other public sources. located outside the EU and the EEA, including in Australia, business relationship with the business customer that you Canada and India. have a connection with has terminated, we normally keep your data for another seven years. This is due primarily to our

Danske Bank A/S privacy notice for business customers Danske Bank A/S Page 4 of 6 CVR-nr. 61 12 62 28 - København

obligations under the Danish Bookkeeping Act, the Danish See section 13 for more information on how to contact Right to object Anti-Money Laundering Act and requirements from the Danske Bank about data protection. In certain circumstances, you have the right to object to the Danish Financial Supervisory Authority. In certain processing of your personal information. This is the case, for circumstances, we keep your information for a longer period Right to access your personal data example, when the processing is based on our legitimate of time. This is the case, for example You may request access to the personal data we process interests. and information about where it comes from and what we use • if your personal information forms part of the it for. You can obtain information about the period for which Objection to direct marketing calculation of our capital requirements, then we we store your data and about who receives data about you, to You also have the right to object to our use of your personal may keep your information for up to 20 years the extent that we disclose data in Denmark and abroad. Your information for direct marketing purposes, including profiling • if the statute of limitation is 10 years, then we may right of access may, however, be restricted by legislation, that is related to such purpose. keep your data for up to 10 years protection of other persons’ privacy and consideration for • if required due to your connection with our business our business and practices. Access to video surveillance Right to rectification of your data customer may be restricted due to the prevention, investigation, If data is inaccurate, you are entitled to have the data detection or prosecution of criminal offences or the rectified. If data is incomplete, you are entitled to have the • if required due to other regulatory requirements execution of criminal penalties, including the safeguarding data completed, including by means of providing us with a against and the prevention of threats to employees. Our supplementary statement. If the business you are connected with as a potential know-how, business secrets as well as internal assessments customer has asked for a loan offer or another product or and material may also be exempt from the right of access. Right to erasure (‘right to be forgotten’) service, but refuse the offer and do not become a customer, You are entitled to have your data erased, if the data is no personal data will normally be stored for six months, but may Under the “Profile” section of the Danske Mobile Banking app, longer necessary in relation to the purposes for which it was for some purposes be stored longer to comply with other you can get an overview of the personal data you have given collected. legal obligations, for example under the Danish Anti-Money us. You will find your contact details and information you have Laundering Act. given us about your household, income, debt and so on. You However, in the following cases, we may or are required to

can update the information if changes have occurred in your keep your data: Surveillance videos are deleted 30 days after they were life. You can also manage consent given. made in accordance with applicable law. In certain circumstances, and in connection with a specific case, the • For compliance with a legal obligation, for instance You can make an access request via Danske Mobile Banking if we are obliged by law to hold your data for a information may be stored for a longer period. or our webpage at danskebank.dk/gdpr. certain period of time, for example according to anti- money laundering legislation or the Danish 11. Your rights Rights related to automated decision-making Bookkeeping Act. In such situations, we cannot You can obtain information on how an automated decision erase your data until that time has passed. Your rights in relation to personal data are described below. was made and the effects of the decision, you can express To exercise your rights, you can your point of view, you can object to the decision, and you can • For the performance of a task carried out in the request a manual review of any automated decision. public interest. • make a request online at danskebank.dk/gdpr • For establishment, exercise or defence of legal • contact us on our main telephone number (+45 70 claims. 12 34 56) • contact your adviser directly if you have one

Danske Bank A/S privacy notice for business customers Danske Bank A/S Page 5 of 6 CVR-nr. 61 12 62 28 - København

Restriction of use the changes to allow you to exercise your rights (for example If you believe that the data we have registered about you is to object to the processing). incorrect or if you have objected to the use of the data, you may demand that we restrict the use of the data to storage 13. Contact details and how to complain until the correctness of the data can be verified or it can be checked whether our legitimate interests outweigh your You are always welcome to contact us if you have questions interests. about your privacy rights and how we process personal data. If you are entitled to have the data we have about you erased, You can contact us on our main telephone number (+45 70 you may instead request us to restrict the use of the data to 12 34 56). You are also welcome to contact your adviser storage. If we need to use the data solely to assert a legal directly. claim, you may also demand that any other use of the data be restricted to storage. We may, however, be entitled to use You can contact our Data Protection Officer by email at the data for other purposes, for instance to assert a legal [email protected]. claim or if you have granted your consent to this. If you are dissatisfied with how we process your personal Withdrawal of consent data and your dialogue with the Data Protection Officer has Where consent is the legal basis for a specific processing not led to a satisfactory outcome, you can contact our activity, you may withdraw your consent at any time. Please complaints handling unit: Danske Bank, Legal Department, note that if you withdraw your consent, we may not be able to Holmens Kanal 2-12, DK-1092 København K, email: offer you specific services or products. Note also that we will [email protected]. You can also lodge a complaint continue to use your personal data, for example to fulfil an with the Danish Data Protection Agency: Datatilsynet, Carl agreement we have made with you or if we are required by Jacobsens Vej 35, DK-2500 Valby, email: [email protected]. law to do so. Data portability If we use data based on your consent or as a result of an agreement and the data processing is automated, you have the right to request a copy of the data you have provided in a digital machine-readable format.

12. Changes to this privacy notice We may change or update this privacy notice on a regular basis. In case of a change, the “effective from” date at the top of this document will be amended. If changes to how your personal data is processed will have a significant effect on you personally, we will take reasonable steps to notify you of

Danske Bank A/S privacy notice for business customers Danske Bank A/S Page 6 of 6 CVR-nr. 61 12 62 28 - København