Privacy Notice of Saxo Bank A/S
Pursuant to the General Data Protection Regulation (“GDPR”), Saxo Bank A/S (“we”, “us”, “our”) as the data controller is required to provide individuals such as clients, leads and contact persons employed at other business partners (individually referred to below as “you”) information on the processing of their personal data.
The purpose of this Privacy Notice of Saxo Bank ("Privacy Notice") is to provide you with such information and, among other things, to outline your rights as a data subject under the GDPR.
1. Responsible for the processing of your personal data (data controller)
Saxo Bank A/S
Philip Haymans Allé 15,
(Company No: 15731249)
We are required to handle (“process”) your personal data securely and in accordance with the requirements in the GDPR and the Danish Data Protection Act. If any special national legislation provides a higher level of protection of natural persons' personal data than the GDPR and the Danish Data Protection Act, such stricter requirements in special national legislation take precedence over the requirements in the GDPR and the Danish Personal Data Protection Act.
Should you have queries or complaints about our processing of your personal data, you may contact firstname.lastname@example.org or our Data Protection Officer via the following email address: email@example.com.
2. The personal data we collect about you and further process
We will only collect and further process personal data about you that is necessary in the context of the business relationship which we have with you. We will obtain such information directly from you. However, we might also process personal data about you, which we have obtained from other sources. This may include other Saxo Bank A/S entities, other external companies and financial institutions, publicly available sources (e.g. the press, registers of companies, internet websites, including social media platforms) and from providers of business-risk screening services, anti-fraud databases, sanctions lists and databases of news articles.
The personal data that we process about you as a client include:
- Identity and contact information;
- Records in relation to our business relationship and relevant services, including data deriving from your usage of our IT platforms (including electronic communications), mobile apps, recorded telephone lines, office buildings, and from your engagement with our marketing activities;
- Know your customer ("KYC") records, such as passport details, social security number (CPR-number if you are a Danish citizen), date and place of birth, source of wealth, rationale for use of corporate structures, relationships with public officials, any criminal record; and
- Financial information, such as bank account details, specimen signature, income, assets, outgoings, investment objectives, marital status and details of knowledge about financial products and services, risk appetite, capacity for loss, tax status, domicile.
The personal data that we process about you as a lead include:
- Identity and contact information; and
- Financial information, such as bank account details, specimen signature, income, assets, outgoings, investment objectives, marital status and details of knowledge about financial products and services, risk appetite, capacity for loss, tax status, and domicile.
The personal data that we process about you as a contact person include:
- Identity and contact information; and
- Correspondence and inquiries.
3. The purposes of the processing of your personal data and the legal basis
The purposes for which we process your personal data are summarized below, together with the specific legal basis which the lawfulness of the processing of your personal data is based on.
- For the performance of a contract
It may be necessary for us to process your personal data in order to perform a contract with you relating to our financial services, or in order to take steps at your request prior to entering into such a contract, cf. Article 6(1)(b) in the GDPR. For further details, please refer to your contractual documentation with us. Thus, the purpose of the processing of your personal data will be the fulfilment of our contractual obligations towards you.
- For compliance with a legal obligation to which we are subject
As a licensed bank, we are subject to a number of statutory and regulatory obligations that may require us to collect, store, disclose or otherwise process personal data, such as for KYC checks and anti-money laundering purposes or to respond to investigations or disclosure orders from the police, regulators, and tax or other public authorities, cf. Article 6(1)(c) in the GDPR.
If you are a Danish citizen, Saxo Bank A/S processes your name, address and CPR-number as part of the legal obligations in relation to the carrying out of KYC checks. The legal basis for such processing of your CPR-number is Section 11(2)(1) in the Danish Data Protection Act.
- For the purposes of our legitimate interests
We process your personal data when such processing is necessary for the purposes of legitimate interests pursued by Saxo Bank A/S or those of a third party, and where it is our assessment that our legitimate interests override your interests or fundamental rights and freedoms, cf. Article 6(1)(f) in the GDPR. We rely on our legitimate interests when we process personal data in connection with the operation of our business, among others, in the following specific cases:
- Client and vendor relationship management;
- Business analysis and development of products and services;
- Activities relating to information security and building security, including use of recordings;
- Managing the risk and optimizing the efficiency of our group operations;
- Recording of telephone communication and monitoring of electronic communications for business and compliance purposes, including to document verbal agreements;
- Prevention and detection of financial crime;
- Establishing, exercising, defending or evaluating legal claims;
- Servicing of Saxo Bank A/S’ products;
- Audits; and
- Business restructurings.
- On the basis of your consent
If we have deemed that it is necessary for us to process your personal data and such processing cannot be based on the legal bases outlined above, we will obtain your prior consent, cf. Article 6(1)(a) in the GDPR. If you give your consent to us, you are entitled to withdraw it at any time by contacting Saxo Bank A/S. Please note that the withdrawal of your consent does not affect the lawfulness of our processing of your personal data based on your consent before its withdrawal. If you withdraw your consent, and we have no other legal basis for our continued processing of your personal data, we will discontinue the processing requiring your consent, and this might have an impact on our ability to continue to provide our services in the same way going forward.
There are some personal data which the GDPR categorizes as special categories of personal data (so-called sensitive personal data), health data being an example. As a clear starting point, we will not process your sensitive personal data. However, if we - in exceptional cases - deem it necessary to process such sensitive personal data, the processing shall most likely be based on your prior explicit consent, cf. Article 9(2)(a) in the GDPR.
4. The categories of recipients of your personal data
Where necessary to fulfil your instructions to us and for the other purposes outlined above, we may share information about you with a range of recipients including the following categories of recipients:
- background screening providers;
- financial institutions;
- payment recipients;
- payment and settlement infrastructure providers;
- public authorities (including tax authorities);
- group entities and service providers;
- professional advisers;
- insurers; and
- potential purchasers of elements of our business.
We will only disclose personal data about you if and to the extent this is permitted under the GDPR and the Danish Data Protection Act, and in accordance with our client confidentiality obligations and the contractual terms we have in place with you.
5. Transfer of your personal data to countries outside the EU/EEA
We are active globally, which is part of our DNA and our wish to offer you the best possible service. Thus your personal data may, in accordance with the purposes described above, be transferred to countries outside the EU/EEA. This may include transfers to so-called “unsafe” third countries, meaning countries outside the EU or the EEA that do not by default ensure an adequate level of protection of your personal data.
However, if we transfer personal data to, for instance, service providers in an unsafe third country, we are required to provide appropriate safeguards or, in the absence of such, to ensure that the transfer is in compliance with certain derogations for specific situations. The provision of appropriate safeguards is typically ensured by the use of the standard contractual clauses adopted by the European Commission. Under any circumstances we will only transfer your personal data to a third country if it is permitted under the GDPR.
6. The period for which your personal data will be stored
In general terms, we store your personal data for as long as it is necessary for the purposes for which the personal data are processed. The criteria used to determine the period of storage of your personal data are the following:
- The termination date of the relevant contract or business relationship;
- Any retention period required by law, e.g. the rules in the Danish Bookkeeping Act, regulation or internal policies; or
- Any need to store records beyond the above periods in order to be able to handle actual or potential audits, tax matters or for the establishment, exercise or defence of legal claims.
7. Your data protection rights
Subject to certain exceptions and limitations, you have the right to:
- Request access to your personal data. This right enables you to receive a copy of the personal data we process about you.
- Request correction of the personal data that we process about you. This enables you to have incomplete or inaccurate personal data that we process about you corrected.
- Request erasure of your personal data. This right enables you to request to have your personal data erased prior to the expiry of our usual period of storage. This is sometimes referred to as the “right to be forgotten”.
- Request the restriction of processing of your personal data. This right enables you, for instance, to ask us to suspend the processing of your personal data for a period enabling us to verify the accuracy of the personal data if the accuracy of the personal data being processed is contested by you, or if the processing is unlawful and you oppose the erasure of the personal data and request restriction of their use instead.
- Request us to transfer the personal data, which we have received from you, to you in a structured, commonly used and machine-readable format, and you will then have the right to transmit those personal data to another data controller without hindrance from us. This is known as the right to data portability.
- Object to the processing of your personal data. This enables you to object to the processing of your personal data, which is based for instance on our legitimate interests, including profiling based on this legal basis.
- Request not to be subject to automated individual decision-making, including profiling. This enables you to request of us that you are not subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. (We do not as a rule make decisions of this nature based solely on automated processing and without any human assessment whatsoever. We would notify you specifically and beforehand if we did.)
To exercise any of the above-mentioned rights, please write to us at firstname.lastname@example.org.
You are also entitled to submit any complaint you may have about our processing of your personal data to the Danish Data Protection Agency. The Danish Data Protection Agency's contact information can be accessed on their website www.datatilsynet.dk.
The Danish Data Protection Agency has prepared guidelines regarding the data subjects' rights. The guidelines are only available in Danish and can be accessed here.
8. Processing of your personal data for profiling purposes
Saxo Bank does not as a main rule process your personal data for profiling purposes. Profiling in the context of this Privacy Notice means any form of automated processing of your personal data consisting of the use of your personal data to analyze your personal data in order to assess or predict aspects of your behavior.
Saxo Bank may process personal data for the purpose of segmentation of our customers in different categories. We do not process personal data for the purpose of profiling as defined in the GDPR and specifically not for the purpose of carrying out automated decision-making.
9. Are you under an obligation to provide us with your personal data?
You are not required by applicable law to provide us with your personal data. However, if you refuse to do so, we may not be able to conduct further business with you. For example, we are legally required to process your personal data in order to comply with our anti-money laundering obligations. Thus, we have to verify your identity, among other matters, if you are to engage in a client trading relationship.
10. Changes to this Privacy Notice
We may update this Privacy Notice from time to time in order to clarify the content or due to a change of our address, changes or amendments in applicable data protection legislation or other relevant legislation, changes in our business operations and/or changes in our processing activities. We will notify you if we make any substantial updates, and you can always access the current version by using the following link to Saxo Bank A/S' website:
Date of latest revision: May 2020