The Bank needs to process personal data in order to provide individuals with financial services and financial advice.
Personal data is processed for clear and stated purposes in accordance with the Personal Data Protection Act and this Policy and for no other unrelated purposes, unless the Bank is authorised to do so, and the individuals have been informed of the new purpose.
Processing in connection with implementing agreements
When an individual establishes a business relationship with the Bank, the Bank processes personal data on the individual in accordance with an appropriate authorisation, e.g. Landsbankinn's General Terms and Conditions, special terms and conditions or a specific agreement for certain products or services. The Bank furthermore processes personal data on individuals after the establishment of a business relationship in order to fulfil agreements between them. If an individual requests additional services from the Bank this could result in further processing of his/her personal data by the Bank, in addition to which the customer may need to provide updated information depending on the nature of the services concerned.
Examples of the processing carried out for the purpose of establishing a business relationship and carrying out agreements:
- registration of personal data and preservation of electronic ID on the occasion of new transactions, including the opening of a payment account and access to online banking or a request for the issuance of debit or credit cards;
- preparation of credit rating and credit assessment to take a decision on granting credit;
- analysis of a customer’s situation with respect to the Bank's products and services offered, for the purpose of offering financial advice, asset management advice or other services;
- provision of personal data to domestic or foreign partners, e.g. undertakings providing payment mediation or intermediation in transactions in connection with carrying out payment;
- reception of applications for supplementary pension savings and payment from a pension fund.
Processing carried out due to legislative obligations, regulations and administrative provisions
Landsbankinn processes personal data on individuals to fulfil statutory tasks involved in its activities
as provided for by law, regulations, court orders, administrative rulings, financial market guidelines and other instructions from authorities.
The authorities, including the Financial Supervisory Authority, the Central Bank of Iceland, the District Prosecutor and the tax and customs administration can request certain information from the Bank on individuals provided there are clear statutory authorisations to this effect. The Bank is obliged to comply with such requests for information and, as appropriate, to provide access to the Bank's establishments and IT systems.
Examples of the processing carried out for the purpose of complying with legal requirements:
- risk management and treasury operations, e.g. preparing credit ratings and credit assessments, assessment of the Bank’s capital adequacy ratio and collateral risk;
- due diligence on individuals as required under the Act on Measures to Combat Money Laundering and Terrorist Financing;
- analysis and investigation of cases concerning money laundering, terrorist financing, fraud and other types of criminal activity;
- preservation of certain personal data on the basis of the Act on Annual Financial Statements, the Act on Accounting and the Act on Securities Transactions.
Processing based on legitimate interests
In certain cases, the Bank processes personal information based on legitimate interests if the processing is necessary in order for the Bank, a third party or parties to whom information is communicated to be able to safeguard their legitimate interests. Such processing is not carried out if it is clear that the fundamental rights and freedoms of an individual concerning protection of personal privacy outweigh the interests at stake in processing.
Examples of processing carried out for the legitimate interests of the Bank, the individual or a third party:
- To process applications concerning the rights of individuals based on requests from individuals, e.g. requests for access to personal data, to correct, delete or limit the processing of personal data.
- preparing and sending individuals direct marketing material about the Bank’s benefits, products and services suitable for them;
- analysing and investigating issues related to network and information security and to prevent fraud;
- developing and testing new work procedures, business processes and information systems of the Bank to improve security and the products and services it offers;
- processing information on legal entities, their owners, directors, executive management, authorised signatories and contact persons so that the Bank can make informed decisions about lending, collateral and guarantees.
Processing based on consent
In certain instances, the Bank processes personal data on individuals based on their consent, e.g. using cookies on the Bank's web, as described in more detail in this policy. In such cases, the Bank provides the individual with more information on the specific processing of personal data covered by the consent. It is always possible to notify the Bank of the withdrawal of consent provided, and then the processing covered by the consent is terminated. Withdrawal of consent does not affect the processing of personal data prior to the withdrawal.
In certain instances, the Bank makes automated decisions on services based on a profile of the individual
constructed from the Bank’s data on the person. Automated decision-making only takes place with the individual’s consent, if it is a prerequisite for the conclusion or execution of an agreement between the individual and the Bank, or if authorised by law. An individual may submit objections or contest an automated decision if it affects his/her interests.
Examples of profiling are the calculation of a credit assessment, a credit rating for a customer and a loyalty classification. An example of an automated decision is the automatic extension of an overdraft based on the customer's credit rating. Further details on profiling are provided in Landsbankinn's General Terms and Conditions. Further information on credit assessment is available on the Bank's website.
Processing of personal information on children not legally competent
The Bank needs to process personal data on children for the purpose of conducting business or providing
services which have been requested, e.g. to open a payment account. Marketing material is not addressed to children, but the Bank does send marketing material to guardians for promotion of goods and services. If guardians choose not to receive marketing material on their child’s behalf, they may refuse such through online banking. Before the Bank offers children electronic services via the Internet, which involve the processing of personal data, the guardian's consent is obtained if a child is under the age of 13, as provided for in the Personal Data Protection Act.