SEB Privacy Policy

SEB Privacy Policy (PDF)

General principles
Definitions
Types and sources of personal data processed
Purposes of and legal bases for the processing of personal data
Profiling and automated decision-making
Transfer of personal data
Transfer of personal data outside the European Union or the European Economic Area
Use of cookies
Retention of data
Data Subject’s rights

SEB Privacy Policy The data controller¹ of the personal data is a company or a branch of a company registered in Estonia and belonging to the SEB Group: AS SEB Pank, AS SEB Liising, SEB Life and Pension Baltic SE, AS SEB Varahaldus, MTÜ SEB Heategevusfond, and AS Rentacar (hereinafter ‘SEB’).

The greatest value of SEB is a trust-filled relationship with all data subjects, especially (potential) clients, persons wishing to establish a client relationship, and persons wishing to establish an employment relationship with SEB. We process your personal data in accordance with legislation to provide a better service and to properly fulfil all contractual and legal requirements. We handle the information you have entrusted to SEB carefully and responsibly. The processing of personal data at SEB is governed by the General Data Protection Regulation (EU 2016/679) (‘GDPR’) of the European Union (EU), the Personal Data Protection Act, and other applicable EU and national legislation. This document provides an overview of how SEB processes your data and for what purposes, as well as your rights and how you can exercise them.

The Privacy Policy (before “Terms and conditions for processing personal data at SEB”) is valid from 15.02.2025.

General principles

This Privacy Policy describes how SEB processes your personal data. The Privacy Policy applies to you if you are a client or have applied to use the services of SEB, visit our website, are a third party in relation to our clients or services.
The Privacy Policy may be included in other documents and forms, including agreements concluded with you.
Within the SEB Group, the processing of personal data is governed by personal data processing agreements between the companies of SEB Group, which define the purposes, scope, means, and responsibilities for processing personal data.
SEB ensures the security of the processing of personal data by implementing best practices and international standards for the provision of information technology services and information security. SEB also requires its partners and other companies belonging to the SEB Group to whom it transfers personal data in accordance with the Privacy Policy to implement the necessary organisational, physical, and IT safeguards.
The contact address of the Data Protection Officer of SEB is dpo@seb.ee. Other contact details of SEB can be found at www.seb.ee.

Definitions

Personal data (hereinafter also referred to as ‘data’) means any information relating to a natural person which makes it possible to identify, characterise, distinguish, connect or derive that individual, directly or indirectly. Directly, for example, by name or personal identification code; indirectly, for example, by location data, an online identifier, or physiological, genetic, mental, economic, cultural, or social factors.²

Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, biometric data (e.g. image of the iris, facial image, fingerprint) used to uniquely identify a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Data subject means a natural person, for example, a person who has expressed a wish to use a service of the Bank (e.g. has submitted an application for the conclusion of an agreement) or who uses or has used a service of the Bank (client), or a third party who is otherwise connected with the services or activities provided by the Bank (e.g. legal representatives, authorised persons, contact persons, transaction partners, insured persons or beneficiaries in an insurance agreement, persons related to clients who are legal persons (members of the management board, beneficial owners, shareholders, partners, founders, members of the supervisory board, authorised company representatives, employees), members of apartment associations, guarantors, recipients of payments or payment initiators who are clients of another payment institution, successors). Third parties are, for example, users of ATMs, passersby in front of surveillance cameras, visitors to the branch offices, persons associated with the client, and payment recipients.

A decision based on automated processing is made by IT tools without human intervention.

Profiling means the automatic processing of personal data, during which SEB assesses the circumstances relating to you to make a forecast about you even if no decision is made.

SEB Group is Skandinaviska Enskilda Banken AB (publ) and all its subsidiaries.

Service means any service provided or offered by SEB and its selected partner, which is provided or mediated by SEB to the client in the branch office, via the mobile application, on the website, via telephone, video, or other channels.

Processing means any operation which is performed on personal data, whether or not by automated means (e.g. collection, recording, storage, use, transmission, and erasure), irrespective of the manner in which the operations are performed or the tools used.

Types and sources of personal data processed

SEB mainly processes the following personal data in its activities (the list is not exhaustive):
data on the right of representation, e.g. information on the legal or authorised representative (e.g. parent, guardian, or member of the management board of a legal person) and the represented person (child or ward), the relationship with the successor or bequeather;
audio, video, and audiovisual data, such as surveillance camera recordings; ATM camera recordings; photo and video recordings made for identification purposes during the establishment of the initial client relationship via video meetings; video recordings made during video meetings for the purpose of concluding agreements; photographs and video recordings made at client events; recordings of calls made to employees of the client service units of SEB;
biometric data are processed to verify identity and liveness, they are not processed by way of technical processing for the purpose of unique identification of a natural person;
data related to the state guarantee of loans by the Estonian Business and Innovation Agency (Kredex until 2022);
financial data, such as wages, other income, assets, liabilities, investment objectives, risk tolerance, past payment behaviour and payment defaults, transactions on the account, information on the performance of agreements concluded;
data relating to education and experience, e.g. school education, insurance experience, investment knowledge and experience;
personal identification data, e.g. first and last name, personal identification code, date of birth, nationality, data on the identity document, photograph, Internet Bank login details;
contact details, e.g. phone number, address, email address, preferred communication channel, language of communication;
account information and payment initiation data (API), e.g. IBAN details in another bank, currency, balance, account statement, IP address, browser, payment amount, name, personal identification code and telephone number of the payer and payee of the payment;
payment default data, e.g. the amount of the debt, the duration of the debt, past and present debts with SEB and other financial institutions, information on the underlying agreement concluded, date of occurrence the payment default and its end;
payment transaction data, such as the name, personal identification code, telephone number of the payer and payee of the payment, account number, account balance, transaction amount, transaction limits, details of the payment (which may include special categories of personal data regarding yourself or a third party if the originator of the payment has indicated them in the details of the payment), card payment and ATM transaction data, payment-related inquiries, chargebacks;
data on tax residency, e.g. country of residence, taxpayer identification number; data on family, e.g. marital status, number of dependents, data on the partner, data on children, the right to represent a minor;
data on written communication, data about exchanges of information with you, including, for example, correspondence/ documents forwarded, virtual adviser;
data on offences, e.g. information on economic, property, professional, and other offences for the commission of which financial services are used or may be used (e.g. money laundering, terrorist financing, violation of sanctions), court judgements made in criminal cases with justifications, pending offences;
data related to the use of services or visiting the SEB website, e.g. data about your Internet Bank and mobile application activities, activity logs, login information, cookies and IP address, location, web browser information, information about the services used, service usage activity, preferences, satisfaction, requests and complaints submitted;
data relating to activities and the origin of assets, e.g. studies, place of employment, occupation, business information (self-employed), information on payment practices, establishment and termination of business relationships, and occasional transactions;
your relationship with legal persons, e.g. shareholder, partner, beneficial owner, member of the management or supervisory board, transaction partner;
data of persons related to you, including authorised users of your accounts, users of your bank cards, beneficiaries of your insurance agreement, guarantor, beneficiary of the guarantee/credit, successors, persons indicated on the vehicle registration certificate in the case of a leasing agreement;
data related to securities and pension schemes, e.g. quantity and currency, volumes and values of transactions, and other information that the register of securities or the pension registry may request in accordance with legislation.
health data, e.g. medical history, test results, diagnoses, prescribed treatments, which are special categories of personal data, are processed by SEB Life and Pension Baltic SE in its core business as an insurance service provider. Health data may also be processed by other SEB companies if you or the persons related to you disclose this data when using a service (for example, when applying for a grace period due to health reasons. In such a situation, the processing of health data is necessary because our decision is based on information provided by you or your representative).
SEB receives your personal data mainly in the following ways:
from you when you submit requests, applications, and other obligatory forms related to the service agreement for the preparation and/or conclusion and/or performance of agreements. If necessary (for example, to prevent money laundering and terrorist financing, to comply with international sanctions, to assess your creditworthiness or insurance risk, for claims handling), SEB will ask you to provide additional information;
when providing a service when you use a service provided by SEB (e.g. making transfers and card payments, forwarding securities orders, and making other service-related transactions), when you communicate with SEB in the course of client communications (e.g. recordings of telephone calls, email communications, data and documents provided during communications), or in the cases where you are otherwise connected with a service provided by SEB (e.g. insured person/beneficiary under an insurance agreement, guarantor, secured party, co-borrower, beneficiary of a guarantee/credit; representative of a legal person, signatory on an account, beneficial owner, etc.).
from other sources, such as:

other financial institutions, e.g. correspondent banks, payment service providers, securities intermediaries, insurers;
companies of SEB Group;
healthcare providers;
public and private registers (e.g. the business register, registers administered by the Tax and Customs Board, the population register, the land register, the securities register, registers administered by the Police and Border Guard Board, credit or payment default register, the e-Arrest system, the Criminal Records Database),
registry of notarised acts, notaries;
public sources (Ametlikud Teadaanded or Internet search engines);
our clients or potential clients if you are connected to them, e.g. if you are a member of the management board, shareholder, partner, member of the supervisory board, beneficial owner, or authorised representative of the company.

Purposes of and legal bases for the processing of personal data

SEB will only process your data if we have a clear purpose, the processing is justified, and there is a legal basis for it. We collect and process your data to the extent necessary for the purposes for which it is collected. We process your data on the following legal grounds and for the following main purposes (the list of purposes is not exhaustive):

for the performance of an agreement – the need to prepare an agreement concluded with you or in your interest (e.g. to identify a person, process an application, prepare a credit decision, etc.), to perform the agreement concluded (e.g. to make payments, exchange information relating to the agreement), and to manage the agreement (e.g. to administer, deposit, archive, etc. the agreement in the banking system);
to comply with legal obligations – SEB has various obligations to process the data of clients and related persons to comply with legal obligations, such as those arising from various acts of Estonian and European Union legislation, as well as from the instructions of the supervisory authority. For example, SEB must comply with the requirements of the Money Laundering and Terrorist Financing Prevention Act, the International Sanctions Act or EU sanctions regulations, and the Law of Obligations Act, the principle of responsible lending under the Credit Institutions Act, as well as requirements under the Securities Market Act, Payment Institutions and E-money Institutions Act, Insurance Activities Act, Funded Pensions Act, and the Credit Institutions Act in the provision of payment and financial services.
on the basis of consent – in some cases, SEB may also process your personal data on the basis of your freely given consent (e.g. to send direct marketing communications). The content, scope, and purposes of the processing are described in the consent, which you can withdraw at any time. The withdrawal of consent does not affect the processing of data that has already taken place, but SEB will not continue to process your data, unless there is another legal basis for doing so.
on the basis of legitimate interest – processing of personal data is necessary for the purposes of the legitimate interest pursued by SEB or the business of a third party, provided that in no case shall the legitimate interest pursued by SEB or a third party override your fundamental rights and freedoms. Legitimate interests may include, for example, ensuring security (implementing safeguards to protect the interests of the client and the employees of SEB), researching the consumption patterns of clients to improve the service experience, as well as provide appropriate services and secure remote channel solutions (including the improvement and development of the website, the Internet Bank, the mobile application, etc. of SEB), preparing statistics, recording phone calls to analyse and improve the quality of service, and in proving and defending the claims of SEB in court or out of court.
for the performance of a function in public interets – for the performance of the obligations set forth in legislation, primarily in the Money Laundering and Terrorist Financing Prevention Act.

The table below sets out the general cases of processing of personal data – the main purposes of the processing, a list of categories of personal data, and the legal basis for the processing.

Purpose	Type of data	Legal basis	Obtained from
Verifying your identity when providing services (including checking your name against the population register if you have changed your name). Please note! If the initial client relationship is established via the SEB mobile application, the photo and video images you provide will be analysed using special technological tools that make it possible to verify the authenticity of the photo on the document, the person’s identity (does the photo depict the same person) and liveness (is it a human being or, for example, a robot).	Personal identification data Biometric data Audiovisual data	Money Laundering and Terrorist Financing Prevention Act Agreement Consent	You Other sources (e.g. the population register)
Offering services (including the assessment of your applications) and for the proper provision of the services (including for the conclusion, preparation, and performance of agreements, in the branch office, Internet Bank, SEB mobile application, as well as via video meeting, virtual adviser, telephone, post, or email	Personal identification data Contact data Financial data Family data Employment data Data on the right of representation Data related to the state guarantee of loans by the Estonian Business and Innovation Agency Data of persons related to you Data related to payment transactions Data relating to securities and pension schemes Account information and payment initiation data (API) Audiovisual data Written communication data Audio data (voice recordings) Communication data	Agreement Legislation (e.g. Creditors and Credit Intermediaries Act, Credit Institutions Act, Insurance Activities Act, Accounting Act, Securities Market Act) Legitimate interest	You Other sources
Providing consultation and fulfilling notification obligations related to the agreement, e.g. investment advice, management of securities portfolios	Personal identification data Audiovisual data Data related to securities and the pension scheme Education and experience Family data	Agreement Legislation (e.g. Securities Market Act, Insurance Activities Act, Law of Obligations Act) Legitimate interest	You Provision of services
Preventing money laundering and terrorist financing and ensuring compliance with international sanctions, including to apply due diligence measures during the establishment of the business relationship and to monitor the business relationship	Personal identification data Contact data Education and experience Data relating to the origin of activities and assets Employment data Payment transaction data Your connection with legal persons Data relating to securities and pension schemes Data on the right of representation Data related to the use of the service Data on offences	Money Laundering and Terrorist Financing Prevention Act, International Sanctions Act	You Provision of services Other sources
Exchanging tax information for the purpose of complying with the Tax Information Exchange Act	Personal identification data Tax residency Contact data Data related to payment transactions Data relating to securities and pension schemes	Tax Information Exchange Act	You Provision of services
Assessing the suitability or appropriateness in the provision of investment, credit, securities, or insurance services	Financial data Education and experience Employment data Data related to securities and the pension scheme	Securities Market Act, Insurance Activities Act, Creditors and Credit Intermediaries Act, Law of Obligations Act, Delegated Regulation (EU) 2017/565 of the European Commission	You Provision of services
Publishing data on arrears in the payment default register Creditinfo Eesti AS (publication of data on arrears of amounts of at least 30 euros that are overdue for more than 45 days in the payment default register)	Payment default data	Legitimate interest	You Provision of services
Assessing creditworthiness and managing credit risk to ensure responsible lending and effective risk management. We request the data on payment defaults from the payment default register Creditinfo Eesti AS.	Financial data Payment default data Your connection with legal persons Family data Employment data	Creditors and Credit Intermediaries Act, Law of Obligations Act Credit Institutions Act Legitimate interest	You Provision of services Other sources
Monitoring payment transactions for the purpose of fraud detection and prevention of misuse to ensure greater security in the use of payment services, risk management, and compliance with the requirements of the Payment Institutions and E-money Institutions Act	Personal identification data Data related to payment transactions Data related to the use of the service	Delegated Regulation (EU) 2018/389 of the European Commission, the Credit Institutions Act, the Payment Institutions and E-money Institutions Act, guidelines of the Financial Supervision Authority Legitimate interest	Provision of services
Monitoring and reporting unusual and suspicious transactions indicative of market abuse to prevent abuses and to ensure information exchange and cooperation in the prevention of money laundering and terrorism	Personal identification data Data relating to securities transactions Data related to the use of the service Data relating to securities and pension schemes Audio data (voice recordings)	Regulation (EU) 596/2014 of the European Parliament and of the Council, Money Laundering and Terrorist Financing Prevention Act	You Provision of services Other sources
Promoting the business of SEB, including to improve the quality of products and services as well as to develop systems.	Data related to the use of services or visiting the website of SEB Audiovisual data (photos and videos of client events) Communication data	Legitimate interest	You Provision of services
Providing information on pension accounts and pension investment accounts	Data relating to securities and pension schemes	Securities Market Act, Funded Pensions Act	You Provision of services Other sources
Sending direct marketing offers to profile clients and offer them personalised services and similar products and services (direct marketing). To do this, SEB will, among other things, study and analyse your consumption patterns, user experience, service usage history, statistics, etc.	Contact data Data related to the use of the service Financial data Data relating to payment transactions Data related to the use of services or visiting the website of SEB Contact data Communication data	Consent; Legitimate interest (for the sale of similar products and services)	You Provision of services
SEB may transfer your data to partners for the purposes of their marketing offers	Contact data	Consent	You Provision of services
Participating in market research	Contact data	Consent	You Provision of services
Assisting clients in using the service, analysing service disruptions	Data related to the use of the service Audio data (voice recordings)	Legitimate interest	Provision of services
Ensuring physical security and data and information security. Protecting data subjects, including in particular employees, visitors, and the assets of SEB	Audiovisual data (surveillance camera recordings, ATM camera photos)	Security Act Legitimate interest	Provision of services
Assessing insurance risk, concluding and performing the insurance agreement, and claims handling	Financial data Health data Personal identification data Contact data Data related to the use of the service Communication data Data on loss events	Agreement Insurance Activities Act, Law of Obligations Act Consent	You Other sources
Responding to requests from courts, bailiffs, trustees, trustees in bankruptcies, tax officials, investigative authorities, and the Financial Intelligence Unit, as well as imposing seizures and restrictions on the disposal of accounts by them	Financial data Personal identification data Contact data Payment default data Data related to payment transactions Data of persons related to you	Legislation (e.g. Code of Enforcement Procedure, Taxation Act, Code of Civil Procedure, Code of Criminal Procedure, Money Laundering and Terrorist Financing Prevention Act, Bankruptcy Act, Natural Person Insolvency Act, etc.)	You Other sources Provision of services

Profiling and automated decision-making

SEB uses profiling and automated decision-making to increase the efficiency of service provision, improve the experience of using the services, create offers suitable for you, ask you to participate in market research, fulfil legal obligations, etc. For this purpose, we process, for example, your personal identification data, contact data, financial data, education and experience data, account information and payment initiation data, payment transaction data, family data, and data related to the use of the service and your visits to the SEB website.

Such data processing may take place:

on the basis of the consent of the client, for example for direct marketing;
to comply with legal obligations, for example, to comply with a court order under the Money Laundering and Terrorist Financing Prevention Act, the International Sanctions Act, or the Securities Market Act, etc.;
on the basis of the legitimate interest of SEB, taking into account the preferences of the data subject, for example, to provide and advertise similar services where a client relationship exists. Please note that an advertising banner may be visible in SEB Internet Bank, which is displayed to all visitors of the website of SEB. Profiling is not used for these banners and they are not targeted offers.

SEB uses automated decision-making to assess the probability of insolvency and to make certain credit decisions (e.g. payment in instalments, consumer loans), to recommend investment services or securities to you, to provide relevant investment services (e.g. investment advice, the Robo-Advisor service), and to offer life insurance products, as well as to establish a client relationship through the SEB mobile application, during which biometric data (facial image, voice) are analysed to verify that your dentity is true and the voice belongs to a human being, which in the case of a positive result makes it possible to establish a client relationship via a remote channel.
You have the right to request a review of the decision based on automated processing if you do not agree with the offer/decision or its underlying data.

Transfer of personal data

SEB has the right to transfer your personal data to third parties, i.e. recipients, if there is a purpose and legal basis for doing so.
SEB transfers your personal data to the following recipients:

legal persons within the SEB Group for the provision of the services they provide, for the efficient organisation of the services we provide, for the operation of general and risk management systems across the SEB Group on the basis of legitimate interest, and for the fulfilment of legal obligations. Within the SEB Group, the processing of personal data is governed by personal data processing agreements, which define at least the purposes, scope, means, and liability for the processing of personal data;
public authorities – SEB is obliged to disclose and transfer the data of data subjects to comply with its obligations under legislation and international mutual legal assistance treaties (e.g. to investigative authorities, notaries, trustees in bankruptcies, bailiffs, the Tax and Customs Board, the Financial Intelligence Unit, supervisory authorities);
credit and financial institutions, correspondent banks, account administrator banks, payment service providers (parties related to interbank payment systems, e.g. SWIFT, EBA Clearing, European Central Bank), insurers and reinsurers, financial service intermediaries and trading venues, for the execution of payment, trading, or transfer orders and related services (e.g. guarantees / letters of credit issued through other banks, debt collection) and to perform a reporting service, to assess the reliability and risks of persons, or to exchange information provided for in the Money Laundering and Terrorist Financing Prevention Act or the International Sanctions Act, respectively, to fulfil an obligation arising from an agreement and/or legislation;
companies, officials, and organisations to perform agreements concluded with the client, to submit information and requirements related to the agreement, and to provide services – e.g. international card 8 organisations for processing card transactions, merchants, payment intermediaries, ATM operators, bank card personalisation service providers; digital wallet service providers for adding a bank card to a digital wallet; sureties, guarantors, collateral property owners, co-borrowers; e-invoice operators, courier and postal service providers; AS Arhiivikeskus; client survey providers, insurers and reinsurers, notaries, trustees in bankruptcy, evaluators of the value of collateral and leased items, electronic identification and digital signature service, communication, and IT service providers; SWIFT, debt claim processors, the Estonian Business and Innovation Agency, Rural Development Foundation, Federation of Estonian Student Unions, Ministry of Education and Research, Social Insurance Board in relation to student loans; companies that are involved in asset leasing, partners to enable added value created for the client to the extent stipulated in the agreement;
auditors and legal advisers – to conduct audits and to obtain legal advice pursuant to a statutory duty or legitimate interest;
administrators of databases and registers – e.g. population register, business register, register of securities, Pension Centre, and other registers in which the data of data subjects is stored, payment default register for the purpose of implementing the principle of responsible lending, to fulfil an obligation arising from legislation, on the basis of a legitimate interest or your consent;
social media platforms – photos and video recordings of client events published on the SEB account on social media (Meta, LinkedIn). We publish photos and video recordings on the basis of consent.

Transfer of personal data outside the European Union or the European Economic Area

In some cases, SEB may transfer your personal data outside the European Union or the European Economic Area. For example, if the data processor engaged by SEB is located outside the given region, the transfer of personal data is necessary for the provision of the service (including the use of correspondent banks for cross-border payments, processing of card transactions by the international card organisations MasterCard/Visa).
SEB may transfer your personal data outside the European Union or the European Economic Area only if there is a legal basis for the transfer and SEB implements the appropriate safeguards:

there is an adequate level of data protection in the country outside the European Union or the European Economic Area where the recipient is located in accordance with the adequacy decision of the European Commission;
the data controller or data processor applies appropriate safeguards and requirements, including standard data protection clauses adopted by the Commission, standard data protection clauses adopted by the supervisory authority, or standard contractual clauses approved by the supervisory authority, certification mechanisms, codes of conduct; there is an exception, such as the explicit consent of the client, the performance of an agreement with the client or the conclusion or performance of an agreement with a third party on behalf of the client, the establishment or defence of legal claims, important reasons relating to the public interest.

Use of cookies

SEB uses cookies and other similar applications on its website to help analyse the behaviour of data subjects on our website.
The purposes and types of use of cookies and similar applications are described in the policy, which can be found at https://www.seb.ee/en/cookie-policy.

Retention of data

After the end of the client relationship, SEB retains the personal data collected during the establishment of the client relationship and the performance of contracts generally for up to 10 years after the end of the client relationship (i.e. from the moment when all of the contracts entered into with you have expired).
We retain the data you submit at the initiation of the client relationship, which is not followed by the establishment of a client relationship (entry into a contract) for 6 months,
Chats with the chatbot

chats with unidentified data subjects held on the website, i.e. the data submitted to the virtual adviser and including the data of the chats aimed at the person, for 1 year of the moment the chat took place;
data of the chats held with identified data subjects via the Internet Bank (the data submitted to the virtual adviser, including chats aimed at the person) for 10 years of the moment the chat took place;

Email correspondence By default, the sender of an email message is an unidentified data subject and the correspondence with them will be retained for 10 years after it took place. If the person is identified, email messages will be kept for 10 years after the end of the client relationship.
Messages sent via Internet Bank and mobile app Correspondence via Internet Bank and the SEB mobile app will be retained for 10 years after it took place.
Video recordings The recordings of video meetings made upon the establishment of the client relationship when primary identification was made – for 10 years after the end of the client relationship.
Call recordings The recordings of calls made with the data subject will be retained for 10 years from the moment they were made, recordings made within the scope of KYC are retained for 10 years after the end of the client relationship, Financial Markets recordings are retained for 5 years from the moment they were made.
The data of an occasional transaction (e.g. currency exchange, cash payment to another person’s account) for 10 years after the transaction was executed.
CCTV recordings for 3 months, unless legislation stipulates the right or obligation to retain them for a different period.
Photos and videos made during a client event for 3 years.
The client data required to defect legitimate interests during proceedings or in litigation until the end of the proceedings and/or litigation.

Data Subject’s rights

You have all the rights under the GDPR, including the right to:

find out whether SEB processes your personal data and, if so, obtain a copy of your personal data or access to your personal data. Access to the data may be restricted by law, by the privacy rights of others, or to protect the business secrets of SEB;
request the immediate rectification of your personal data if it has changed or is inaccurate for any other reason. In the event of a change of personal data, SEB must be informed as soon as possible;
object to the processing of your personal data, including profiling;
request the restriction of the processing of your personal data, e.g. during the time when SEB is verifying the accuracy of the processing of the personal data of the data subject;
withdraw consent to the processing of personal data and sending offers;
request the erasure of your personal data, for example if SEB has no legal basis for processing such data or if SEB processes personal data on the basis of consent and you withdraw your consent. Data erasure cannot be requested if or to such an extent that SEB has the right or obligation to process your personal data (e.g. to fulfil an agreement or legal obligation).

The rights of data subjects under the GDPR may be limited by other laws that SEB is obliged to comply with, for example, the Credit Institutions Act and the Money Laundering and Terrorist Financing Prevention Act.
To exercise your rights, which includes taking back your consent, you may:

contact a branch office of SEB;
contact the Data Protection Officer of SEB by email at dpo@seb.ee;
submit a digitally signed application to info@seb.ee;
perform the respective operation (e.g. withdraw consent in electronic format or send a message to the bank) in the Internet Bank.

SEB will respond to your request or application as soon as possible, but no later than within one month after receiving the claim or application. If circumstances need to be clarified before a response is sent, SEB may extend the deadline of responding.
SEB prefers to resolve any disputes related to the processing of personal data in negotiations. You always have the right to file a complaint with the Data Protection Inspectorate (www.aki.ee) if you find that the processing of your personal data violates your rights and interests under applicable law. You also have the right to take your claim to court.

¹ In certain cases, SEB is the data processor. In such cases, the data controller (for example, SK ID Solutions AS when issuing a Smart-ID certificate) determines the processing arrangements and informs the data subject of the terms and conditions of data processing.

² For more details, see Article 4(1) of the GDPR: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.