Information on how we process personal data
Protecting your personal data
To ensure we earn your trust, we, DNB Auto Finance Oy, strive to be open about how we process your personal data.
Below you can read about how we process your personal data. You will also receive information about your rights and how you can exercise your rights in practice.
Data Protection in the DNB Group
DNB Auto Finance Oy is part of an international financial group consisting of the parent company DNB Bank ASA and a number of branches and subsidiaries. Together, these entities constitute the DNB Group.
The company within the DNB Group which you have a relationship generally acts as the controller for the processing of your personal data. You can read further about the DNB Group’s processing of personal data in the privacy notices of the DNB group below: Privacy Policy | From A to Z – DNB.
The data controller
The data controller is responsible for determining what your personal data will be used for, how it will be processed and what aids and tools will be used. The controller for the processing of your personal data is DNB Auto Finance Oy, business ID 2960538-8) (“DNB”) a fully owned subsidiary of DNB Bank ASA.
We have appointed a Data Protection Officer (DPO). If you have any questions regarding the processing of your personal data, you may contact our DPO at .
What rights do you have when we process your personal data?
When we collect and process information about you, you have rights under data protection rules and legislation. Below, we will provide you with an overview of your rights, what they entail, and how you can exercise your rights.
We are obliged to respond to you as soon as possible and normally within 30 days at the latest. Sometimes we will need some more time to respond to you. If so, we will provide you with an explanation of why it is taking us longer time to process your request and when you can expect a response from us.
How to exercise your rights
If you would like to exercise any of your rights described below, or have any questions about how we process your personal information, please contact us in writing at the following address:
DNB Auto Finance Oy, business ID 2690538-8
Address: Urho Kekkosenkatu 7B, 00100 Helsinki
e-mail: .
Phone: 0102060700
If you would like to exercise your rights below, such as request for access, data portability, rectification, deletion or restriction of your personal data, you must submit “Exercise your rights” below and send it to us.
Form to exercise your rights: Template for excercise your rights
How to contact us: .
Complaints
We strive to continuously improve our self and our product and services that we offer you. If you are unsatisfied after having talked to us, you can submit a complaint by following the address below. When you submit a complaint, we will process your complaint as soon as possible.
Give feedback
If you have any specific questions or concerns regarding the processing of your personal data, you may contact the Data Protection Officer in writing at the following address: or DNB Auto Finance, Urho Kekkosen katu 7 B, 00100 Helsinki.
If you do not agree with us and wish to complain further, you can send your complaint directly to the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto | Tietosuojavaltuutetun toimisto)
Your rights
Right of access
You have the right to know whether we process your personal data. This means that you have a right to be given a copy of/access to this data. You also have the right to receive more detailed information about what personal data we process and how we process it.
There are some exceptions to the right of access. This typically applies where we have a statutory duty of confidentiality, or where we are required to keep information secret in the interest of preventing, investigating or prosecuting criminal acts. If DNB cannot provide you with the information you request, you will be notified of the reason for this in writing.
How to exercise your right of access?
If you would like to request information about the personal data, we hold about you (Data Subject Access Request), please fill out and send the form above or contact us in writing at the address provided under “How to exercise your rights”.
Right of rectification
If you believe that we are processing personal data about you that is inaccurate or misleading, you may require the data to be corrected or supplemented by additional information. You must be able to show that the data is inaccurate and inform us as to what is correct. After your enquiry, we will make sure to correct the incorrect personal data as soon as possible, and normally no later than within one month.
There may be cases where rectification is not practically possible, or where the information is correct but gives an incorrect impression. In these cases, we will ensure that your data is supplemented with additional information. That is, we will include your understanding of the situation, so that others will have a comprehensive overview of your situation.
If we have corrected your personal data, and we have previously provided that data to any third parties, we will attempt to notify those recipients of the changes if relevant. The obligation to notify of any changes does not apply if it proves to be virtually impossible for the recipient to implement corrections.
How to request rectification or supplementation with additional information?
If you would like to request rectification or supplementation with additional information of your personal data, please fill out and send the form above or contact us in writing at the address provided under “How to exercise your rights”.
Right to object
The right to object gives you, in certain cases, the opportunity to request that we stop using your personal data. We will always consider and respond to such an objection.
When processing personal data for direct marketing purposes, you always have the right to object (right to opt out).
The right to object applies in different contexts with slightly different conditions:
- In cases where your personal data is processed because it is necessary to attend to a legitimate interest. Or because it is necessary to perform a task in the public interest. In such cases, you have the right to object on grounds relating to your particular situation. We address such objections specifically and individually. We may reject the objections if there are compelling reasons.
- In cases where your personal data is processed for direct marketing purposes without your consent. In these cases, we will always make sure to stop the processing of your personal data.
- If your personal data is processed for scientific or historical research purposes or for statistical purposes. In such cases, you may have the right to object on grounds relating to your particular situation. We will process your objection as quickly as possible.
How to exercise your right to object in DNB?
If you would like to object to a specific processing of your personal data, please fill out and send the form above or contact us in writing at the address provided under “How to exercise your rights”.
For a more detailed overview of what types of processing you can object to, see the chapter entitled ‘Why we process personal data’. You may always request that we stop using your personal data for marketing aimed directly at you, including profiling for such a purpose.
For any use where we use your consent as a legal basis, you can revoke your consent at any time by contacting us at the contact details above or by following the steps below. If you revoke your consent, you may not be able to use our products and services in the intended way.
Right to data portability
You have the right to receive certain personal data that we process about you so that it can be reused across different systems and services. The information you request is sent directly to you in a machine-readable format and may make it easier for you to transfer your information to a new service provider. This right is called ‘data portability’ and applies only to the personal data that:
- you yourself have provided directly, and
- is processed on the basis of your consent, or
- is processed on the basis of an agreement that we have with you.
Exceptions: You are not entitled to receive the following personal data, even if the above conditions are met:
- Personal data that is only available in paper form or as scanned documents in our electronic archives.
- The transfer of your data infringes the rights of others.
- Personal data that is not collected directly from you and is thus not covered by this right.
- Personal data prepared in analyses or assessments for internal use.
How to request to have your personal data in DNB transferred to others
To request a portable copy of the personal data in scope of data portability, please fill out and send the form above or contact us in writing at the address provided under “How to exercise your rights”.
We will provide your data in a structured, commonly used and machine-readable format.
Right to erasure / right to be forgotten
If we process personal data about you, you have, in some cases, the right to demand that your data will be deleted.
You may request the erasure of personal data if one of the following grounds is met:
- Your personal data is no longer necessary for the purposes for which it was collected.
- You withdraw your consent for the processing and there are no other legal grounds for the processing.
- You have objected to the processing of the data that you request to be deleted, and your objection is upheld. See more about the right to object above.
- The data you request to be deleted has been processed unlawfully.
- The information must be deleted in order to comply with a legal obligation to which we are subject.
In many cases, we are required to retain information about you, even if you request erasure. This applies both during your customer relationship, and for a certain time after agreements and your customer relationship has ended. In practice, this means that you cannot demand that your personal data be deleted when we have a legal obligation to retain your personal data or we must safeguard our legitimate interests. This also applies if we need to establish, exercise or defend a legal claim.
How to exercise your right to erasure in DNB?
If you wish to request the erasure of your personal data, please fill out and send the form above or contact us in writing at the address provided under “How to exercise your rights”.
Right to restrict processing
You may request that we restrict the way we process your personal data. This means that we cannot use your personal data actively. This is often in combination with other rights, for example to restrict the processing of your personal data while we consider a request for erasure or rectification.
For example, if you have asked us to correct your personal data, you can in the meantime request that we restrict the processing of this data until the error has been rectified.
We are obliged to restrict processing in some specific cases:
- If you believe that the personal data is inaccurate, the processing may be restricted to a period so that both you and DNB can check whether the personal data is correct and perform corrections if necessary.
- If the processing is unlawful, but you oppose the erasure of the personal data and requests the restriction of the use instead.
- If we no longer require the data for the purpose of the processing, but we need the data to establish, enforce or defend a legal claim and therefore wish to retain your personal data.
- If you have objected to the processing and are awaiting feedback on the assessment of whether we have legitimate reasons for continued processing that take precedence over your interests.
How to restrict the processing of personal data in DNB?
If you would like to restrict the way we process your personal data, please fill out and send the form above or contact us in writing at the address provided under “How to exercise your rights”.
What type of personal data do we process and where do we collect it?
Types of personal data
Depending on your relationship with us and the products and services you use, we process the following types of personal data:
- Identification data: full name, gender, Finnish personal identity code (henkilötunnus), date of birth, customer number, copy of passport, driving license.
- Contact details: name, address, telephone number, email address.
- Business relations: profession, roles in own and others’ customer relationships.
- Relationship data: information about spouse, cohabitant, children and marital status.
- Demographic data: income, education level and family structure.
- Financial data: information related to type of product and service agreement, employment situation (salary, FTE percentage), transaction data, credit history, account number and insurance history.
- Images, video or audio files.
- Data relating to the status of a ”politically exposed person” such as a member of a national parliament, member of government, holder of a senior position in a state-owned company or the like.
- Digital behavioral data: type and technical number of digital device (e.g. PC or mobile phone), clicks, login and how the digital device arrived at our site, browser type and operating system.
- International sanctions
- Other: In addition to the categories above, we also process other types of personal data when necessary for a specific type of processing. We will inform you about this when we collect the data.
We collect the personal data directly from you
Most of the personal data that we collect, and process will come directly from you, for instance when we process an application for a loan and other products and services we offer.
If you are affiliated with a company or other business that is a customer of DNB, we will collect and use your personal data if you are the owner, signatory or user of the company’s account.
Other examples where we collect personal data directly from you are:
- When you become a customer and we need to ask for your personal data in order to provide you with the product or service we offer.
- When you provide feedback through our digital channels and via chat.
- When you have been in contact with us, and we ask about your experience in order to provide better customer service.
We collect your personal data from third parties
In order to provide you with services, comply with statutory requirements and quality assure the information you have provided to us, we collect personal data about you from third parties such as:
- publicly available sources and other external sources managed by public authorities (e.g. the National Population Register, Positive credit register (positiivinen luottotietorekisteri) when we apply customer due diligence measures pursuant to anti-money laundering rules and legislation
- debt registers and the credit information and rating agencies such as Suomen Asiakastieto Oy and Dun & Bradstreet Finland Oy when you apply for a loan
- databases to adverse media search
- companies within the DNB Group
- company registers
- law enforcement authorities
- sanctions lists
- social media
- agents and distributors.
Why do we process personal data in DNB Auto Finance Oy?
Provide products and services
Asset financing
How do we process personal data?
We process your personal data when you, either as a private or business customer, apply for various products related to secured loans from us. The products we offer are secured loans with collateral in vehicles (asset financing). This includes hire purchase loans and leasing for private and corporate customers and Inventory financing for corporate customers. We collect the relevant information directly from you, your company, our internal systems, and from the positive credit register (positiivinen luottotietorekisteri) maintained by the Incomes Register unit of the Finnish Tax Administration, and Suomen Asiakastieto Oy to establish the agreement.
When you have entered into an agreement, we process your personal data to monitor the customer relationship, including your ongoing repayment, and to prevent and detect money laundering and terrorist financing.
To safeguard our financial interests, we will in some cases transfer personal data to a debt collection agency. If a breach of contract has resulted in a loss, we are required to retain certain personal data about you for future credit assessments.
The credit assessment is automated but based on a predefined model managed by DNB. Within the framework for these processes, we use your personal data to create a profile of you which constitutes the basis for assessing whether you are suitable for being granted credit. Making the decision automatic means that an algorithm decides and notifies you if you are to be granted credit, based among other things, on information about your income, your debts, and what expenses you may have, taking into consideration factors such as where you live and how many people are in your household. If you suspect that the assessment is incorrect, or you want to complain about the assessment, you can do so under “Complaints” or “Contact us”.
Why do we process your personal data and what is the legal basis?
The purpose of processing personal data is to offer, follow up and provide you with products.
The legal basis for the processing is to be able to fulfil the agreement we have with you and to fulfill our legal obligations. If you are a representative or a contact person for a DNB, the legal basis for processing of personal data is legitimate interest. Our legitimate interest is to offer, monitor and provide the services to the company for which you are a contact person.
In the event of loan defaults, we have a legitimate interest in sending personal data to debt collection agencies. Our legitimate interest is to safeguard the bank’s financial rights.
How long do we retain your personal data?
We primarily retain your personal data for 12 months following the end of the contractual relationship, in line with the statutory limitation period. However, certain legislation or other obligations may require us to retain the data for a longer duration.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation. This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing.
We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing. Read about how you can exercise your data protection rights in our privacy notice under ”How to exercise your rights”.
Who is responsible?
DNB Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities, our business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
If you are a customer and have financed a car using one of our financial products, we will transfer the personal data to the dealership so that they are able to deliver the car to you. We provide the positive credit register (positiivinen luottotietorekisteri) with the information of the credit granted to you.
Customer service
How do we process personal data?
We offer customer service and respond to enquiries, both by e-mail and by phone. We provide this service to help resolve enquires and follow up your agreements Customer service is available for private customers, corporate customers and retailers who need help to solve various problems.
As part of your customer relationship, we follow up both hire purchase and private leasing agreements. Inquiries may include finding a copy of an invoice, calculating the price of buying out leasing agreements, and insurance in connection with car loans. In these cases, we document that the agreements that you have been entered into are correct.
If you contact our customer service center, we need to process your personal data in order to help you resolve your enquiries. In these cases, our customer advisor will have access to information about your customer relationship, your products and your basic personal data.
Why do we process your personal data and what is the legal basis?
The purpose of the processing of personal data is to provide customer service, respond to enquiries and provide advisory services through our various channels. The legal basis for the processing is to be able to fulfil the agreement we have with you.
How long do we retain your personal data?
We retain personal data in chat logs and email correspondence for 180 days. Further we retain information that you have been in contact with customer service for five years.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under “How to exercise your rights”.
Who is responsible?
DNB Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities and business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Anti- money laundering and counter-terrorist financing
How do we process personal data?
We are committed to knowing and making risk classification of our customers. For you to become a customer, we must therefore process a series of personal data about you. We ask multiple questions, and we require documentation, such as identification papers, contact details, citizenship and country of birth. You must state the purpose of your customer relationship with us, and you must also answer questions about relationship with politically exposed persons (PEP).
To ensure correct due diligence, we will consider whether there is a need for enhanced customer due diligence. Some customers will therefore be marked with a need for enhanced customer due diligence, based on certain predefined criteria.
We are also required to have electronic surveillance systems in place for detecting circumstances that may indicate money laundering and terrorist financing, including risk classifying you as a customer. Each individual DNB company processes personal data about its own customers if there are alerts from the electronic surveillance system, including sanction alerts and PEP alerts.
As part of the customer relationship, we are required to screen customers and transactions against sanction lists from the UN, EU and OFAC. We also screen customers to determine whether the customer or other parties in the customer relationship are PEPs or close associates of a PEP. We must also identify whether the customer, representatives and account signatories are beneficial owners pursuant to the Finnish Act on Preventing Money Laundering and Terrorist Financing (laki rahanpesun ja terrorismin rahoittamisen estämisestä).
If we detect anything suspicious during the course of the customer relationship, we have a duty to conduct examinations, which we follow up and possibly report to Financial Intelligence Unit of the National Bureau of Investigation (KRP:n rahanpesun selvittelykeskus).
Why do we process your personal data and what is the legal basis?
The purpose of the processing of personal data is to comply with the rules and legislation for anti-money laundering and terrorist financing when establishing customer relationships as well as during the customer relationship.
Our legal basis is the Finnish Act on Preventing Money Laundering and Terrorist Financing and appurtenant regulations, as well as the sanctions regime.
How long do we retain your personal data?
We are obliged to retain information that is processed in accordance with the Finnish Act on Preventing Money Laundering and Terrorist Financing, as a rule for five years after the customer relationship has ended, or an individual transaction has been completed.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under “How to exercise your rights”.
Who is responsible?
DNB Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
We are obliged to disclose personal data to public authorities. We may also share your personal data with other obliged entities in the Group when we have a right or obligation to do so.
You can find more information on the chapter “Who do we share your personal data with?”
Prevention of Fraud
How do we process personal data?
We are working systematically to prevent our products and services from being used for criminal activities. In order for us to be able to prevent, detect, investigate, and deal with fraud and other criminal acts against the bank and you as a customer, we need to process personal data.
It is often difficult to detect fraud and other criminal acts carried out against us and our customers. It often takes a long time for such actions to be detected, or for suspicions to arise at all. We are also required by law to have monitoring solutions for certain forms of fraud. For this reason, we have access to personal data that has already been collected from you as a customer to the extent necessary to detect, report or prevent financial crime. We emphasise that access to personal data reused in such cases is strictly regulated.
Why do we process your personal data and what is the legal basis?
The purpose of the processing of personal data is to prevent, detect, investigate, and deal with financial fraud and other criminal acts against the bank and you as a customer. The legal basis is to fulfil a statutory duty. In addition, we have legitimate interest in preventing, detecting, investigating, and dealing with other criminal offences against the bank or any other company in the Group.
The processing also has the purpose of protecting customers against loss and we have a legitimate interest in protecting our customers and their financial interests.
How long do we retain your personal data?
We retain your personal data for at least five years due to the authorities’ case processing time from the time when the criminal act was detected or until a legally enforceable decision has been made.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- Digital behavioral data
Who is responsible?
DNB Bank Auto Finance Oy is responsible for the processing of your personal data.
Who do we share your personal data with?
We are obliged to disclose personal data to the police upon request. We may also share your personal data with other obliged entities in the Group when we have a right or obligation to do so.
Marketing
DIRECT MARKETING
How do we process personal data?
We process your personal data for marketing and targeted marketing purposes. By targeting marketing, we mean classifying you as a customer based on demographic selection criteria, such as age, gender, marital status or place of residence, in order to send you direct marketing and non-tailored information about offers, services, news and competitions.
If you want to receive tailor-made offers and information about news and competitions specifically targeted at you, such as offers on particularly advantageous service packages, we need your consent.
For example, we analyze which months you use our different services and how often. We also analyze how you browse our website, your purchase and payment history, as well as your name, age, gender, address and education in order to provide you with relevant information.
Why do we process your personal data and what is the legal basis?
The purpose for processing of personal data is to offer relevant advice and advertise our products and services to you. The legal basis for our marketing purpose is legitimate interest, unless you object to the marketing.
For electronic direct marketing (via automated calling systems, e-mails, text messages, picture messages and other automated systems), we need your consent (in accordance with the requirements of the Act on Electronic Communications Services, laki sähköisten viestinnän palveluista). For the marketing of our third-party products and services via emails, text messages, picture messages and other automated systems we also need your consent.
How long do we retain your personal data?
If you are our customer: Your personal data will be stored for the duration of the contract period and for a maximum of 12 months after its expiry. This requires that you have not objected to direct marketing during this period and, in the case of electronic direct marketing, that you have given your consent to such marketing.
If you are not yet our customer: We will store your personal data for marketing purposes for 3 months from the date, we received your contact details. This requires that you have not objected to direct marketing and, in the case of electronic direct marketing, that you have given your consent to such marketing. If you choose to become our customer, the information in the section ”If you are our customer” will also apply to you.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice “How to exercise your rights”.
Who is responsible?
DNB Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities and business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Business development
BUSINESS DEVELOPMENT AND IMPROVEMENT OF OUR PRODUCTS AND SERVICES
How do we process personal data?
We reuse your personal data to analyze how our customers use our services. The customer analysis mainly consists of statistical data and data from implemented marketing segmentations and customer satisfaction surveys. We use the results for analysis to improve, replace or develop new services, methods or way of working to meet your expectation and wishes. For example, we may process personal data to improve our customer service, provide new package solutions or customize our website to meet your needs. We may also process your personal data to assess credit quality for capital requirement purposes, as a basis for financial advice or to provide information about DNB Auto Finance’s products and services.
The development and validation of data models is based on pseudonymized data in predefined data sets to conduct strategic, insight-based business operations. Model development is a constant process and is intended to ensure good business development decisions.
Why do we process your personal data and what is the legal basis?
The purpose of processing personal data is to improve and develop our products services.
We have a legitimate interest for this processing of your personal data. Our legitimate interest is to develop, build, improve and build business models, pre-detection models, systems, products and services to produce and deliver reports for our benefit, and to provide a high standard of service.
How long do we retain your personal data?
We will retain and use your personal data for this purpose for the duration of the contractual relationship and for a maximum of 12 months after its termination.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice “How to exercise your rights”.
Who is responsible?
DNB Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities and business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Control, reporting and analysis
How do we process personal data?
We reuse personal data about you to ensure proper management of our business operations and to keep track of all the data we have. Information about you and your customer relationship is included in the data we process when we control, analyse and report figures for the Group.
Information that is reused includes your customer number and associated contractual relationships. To ensure that we have complete and correct data registered in our systems, we will process personal data when we control and quality assure data.
Personal data is anonymised and summarised for analysis purposes, for example to assess the profitability of the products we offer, or other analyses we need to ensure proper management of our business operations. In order to full fill our legal requirements towards authorities we must include, among other things, all payments made through our systems, including all customer transactions.
Every year, we report the status of our customers’ accounts to Finnish and international authorities for tax purposes. We are required to report information about name, business id address and other data requested by the authorities.
Why do we process your personal data and what is the legal basis?
The purpose of the processing of personal data is to ensure control of our business operations and to carry out necessary analyses and mandatory financial reporting. We have a legal obligation to process your personal data for tax purposes. We have a legitimate interest in controlling and quality assuring the personal data that we have stored in our systems.
How long do we retain your personal data?
After the analyses are complete, they will no longer contain identifiable personal information as the personal information will be removed or anonymized.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice “How to exercise your rights”.
Who is responsible?
DNB Bank Auto Finance Oy is responsible for the processing of your personal data.
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities and business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Tax Reporting
How do we process personal data?
Every year, we report the status of all clients’ fund accounts in DNB to Finnish and international authorities for tax purposes. We are required to report details of business id, name, address and fund holdings. As a result of international agreements on the automatic exchange of tax information, we must also collect and report information about which countries you as a customer have tax affiliation to. We disclose the information to the Finnish tax authorities, who pass this on to the tax authorities in the respective countries where the account holder or beneficial owner is resident for tax purposes.
Why do we process your personal data and what is the legal basis?
The purpose of processing personal data is to combat tax avoidance or evasion of international tax crime.
We are required by law under the FATCA and CRS regulations to identify and annually report the balance/value of our customers who have tax residency in a country other than the one in which the account is held.
How long do we retain your personal data?
We store personal data for 5 years after the end of the year in which the customer relationship was reported to the tax authorities or new documentation has been obtained.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice “How to exercise your rights”.
Who is responsible?
DNB Bank Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities, our Loyalty Merchants (yhteistyökumppanit) and business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Audit
How do we process personal data?
In DNB, Internal Audit is one of our central control bodies that will check and ensure that we are organised and operate in a prudent manner. Furthermore, we will ensure that we have satisfactory internal management and control systems that cover the overall business.
We do not collect personal data directly from you for this purpose. In order to carry out our audit work, a limited area in DNB has unrestricted access to the Group’s documents, electronic data, physical assets/premises and personnel. Access to electronic data entails access to the Group’s data warehouses, data sources and databases, including regular data collection in connection with topic-based activities and continuous audit monitoring. In this way, we will be able to reuse personal data collected by DNB business areas with direct customer contact.
Employees who work with internal auditing have a duty of confidentiality and sign a separate non-disclosure agreement upon appointment. We have strict access control in our case management systems and physical premises.
Why do we process your personal data and what is the legal basis?
The purpose of processing personal data is to be able to comply with legal requirements to be organized with proper management and control, including independent control functions responsible for internal auditing, risk management and compliance with requirements laid down in laws and regulations.
We have a statutory obligation to process your personal data for this purpose in accordance with the requirements of the Financial Institutions Act and the CRR/CRD IV regulations.
How long do we retain your personal data?
We store personal data for 5 years after the end of the year in which the customer relationship was reported to the Internal Audit or new documentation has been obtained.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under “How to exercise your rights”.
Who is responsible?
DNB Bank Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities and business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Security and incident management
INCIDENT MANAGEMENT
How do we process personal data?
We may be required to process personal data both before and if a crisis or incident occurs in DNB. This will be personal data that is related to an incident such as violence, threats, unwanted behavior, or an accident. Personal data processed in this context relates to the event itself. The incidents may contain both general personal data, but also special categories of personal data such as health data.
Why do we process your personal data and what is the legal basis?
The purpose of the processing is to detect and handle a crisis or an incident. We are legally obliged to process personal data for this purpose, and the legal basis is the regulatory statutory requirements that apply to the financial industry regarding security and incident management.
How long do we retain your personal data?
We retain your personal data for at least five years due to the case processing time from the time when the incident was detected.
You can find more information on chapter “Defending legal claims”
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under “How to exercise your rights”.
Who is responsible?
DNB Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
- identification data
- special categories of personal data collected from the data subject during incident management, including health data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities, our Loyalty Merchants (yhteistyökumppanit) and business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Defending legal claims
How do we process personal data?
We process personal data to assert our contractual rights and to protect our reputation and financial interests.
We reuse information from our internal systems so that we can handle complaints, disputes and legal processes for debt recovery or other disputes. The type of personal data we process depends on DNB Legal’s assessment of what is necessary to shed light on the individual case.
Throughout your customer relationship and after your agreement expires, we must retain and have access to reuse your personal data in the event of a complaint or legal dispute. If we did not retain case history, it would not be possible for us to handle complaints, disputes and other legal processes.
DNB has internal lawyers who provide legal services to the Group. DNB Legal process personal data about our clients only if it is relevant to the case they are considering.
Why do we process your personal data and what is the legal basis?
The purpose of the processing of personal data is to assert our contractual rights and to protect our reputation and financial interests. We have a legitimate interest for this processing of your personal data. Our legitimate interest is to safeguard the bank’s financial rights pursuant to agreements with our customers.
The processing is also based on our legitimate interest to establish, exercise or defend legal claims.
We also have a legitimate interest in being able to process personal data in order for our lawyers to provide legal advice.
How long do we retain your personal data?
The need to retain personal data is associated with the protection of our legal position related to the risk associated with the product, as well as the absolute limitation period for claims, cf. the Finnish Act relating to the Limitation Period for Claims.
The personal data is saved during the entire contractual relationship and up to 12 months after the agreement is terminated. The personal data may be saved longer if it is needed to meet legal requirements. For example, information about granted credit is saved five years after the agreement has been terminated and the agreement itself is saved for seven years after termination of the agreement. In addition, personal data may be stored longer than 12 months after the agreement has been terminated in order to establish, defend and assert a legal claim, e.g. in the event of a dispute about payment.
What are your rights?
When we collect and process information about you, you have several rights under data protection rules and legislation.
This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under “How to exercise your rights”.
Who is responsible?
DNB Auto Finance Oy is responsible for the processing of your personal data.
What type of personal data do we process?
The personal data we process for this purpose will depend on the case. Any relevant information about you may be used in the courts of law.
- identification data
- contact details
- business relationship data
- relationship data
- demographic data
- financial data
- digital behavioural data
Who do we share your personal data with?
We may share personal data with courts, external lawyers/parties and public authorities.
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities, business partners. We also share personal data with the companies in the DNB Group.
We use car dealerships as data processors in connection with establishing a customer relationship and processing the services offered. In accordance with our reporting obligations, we may disclose personal data to public authorities and registers.
You can find more information on the chapter “Who do we share your personal data with?”
Who do we share your personal data with?
Third parties
We may, within the framework of current bank secrecy rules, disclose your personal data to third parties, such as to other companies in DNB Group, as well as to IT suppliers and companies we collaborate with to provide our products and services. In some cases, we may also need to provide information at the request of authorities such as the Finnish Financial Supervisory Authority (Finanssivalvonta), the Finnish Tax Agency, Finnish Financial Intelligence Unit (FIU), or to other parties in the context of judicial or corporate acquisition processes or the like. We will not sell your personal data to third parties.
There are several situations where we share personal data with third parties. Such third parties include e.g. the authorities, , our business partners. We also share personal data with the companies in the DNB Group.
Data protection rules and legislation regulate how and when such sharing with third parties may take place. In addition, there are provisions on confidentiality in several other acts that apply to the financial and securities sectors.
To provide our services and products, there are several situations where we need to disclose your personal data. In some cases, we also need to disclose personal data at the request of authorities, such as the Norwegian or Finnish Financial Supervisory Authority, the Finnish Tax Administration or to other parties in connection with legal proceedings or corporate acquisitions.
Data processors
We use data processors in several situations. A data processor is a third party who processes personal data on our behalf. The data processor does not have its own purposes for processing of personal data. We have data processors in Finland and in other countries both inside and outside the EEA, such as:
- IT service providers that maintain DNB Auto Finance’s information systems
- Car dealerships that process credit applications on our behalf
- Debt collection agencies help with the collection of overdue receivables
- Service providers investigating the location and holder of the vehicle to be repossessed.
- Companies in the DNB Group
Sharing between companies in the DNB Group
DNB is a group consisting of different companies, and thus there are multiple companies that are data controllers. There may be one or more companies within the Group that are the data controller for your personal data, depending on your relationship with one or more companies.
Sometimes we need to share personal data about you within the Group. For instance, this may be to fulfil customer agreements, to meet obligations under company law because requirements to our information security make it necessary, or due to anti-money laundering obligations. It may also be because we have a legitimate interest for various purposes mentioned in the privacy notice.
There are strict rules on confidentiality for financial services and investment firms, including for companies in the DNB Group. Before sharing personal data, we will always ensure that we also comply with our duty of confidentiality.
DNB has a shared customer register. The purpose of the Group customer register is to manage your customer relationship and coordinate offers of services and advice from the various companies in the DNB Group. The Group customer register contains information about you, such as name, date of birth, address and other contact details, which Group company you are a customer of, and the services and products for which you have entered into an agreement.
Transfer of personal data to countries outside the EU/EEA
DNB Auto Finance always strives to process your personal data within the EU/EEA. In certain cases, we may disclose your personal data to countries outside the EU/EEA. If personal data is transferred to such a country, we will ensure that the personal data is still secure and that the transfer takes place in accordance with the law. When transferring personal data to a country outside the EU/EEA that does not provide an adequate level of data protection, we apply appropriate safeguards for the transfers such as the European Commission’s standard contractual clauses or the Binding Corporate Rules.
In order for us to transfer your personal data outside the EEA, the GDPR requires us to have a valid legal basis for the transfer.
One of the following conditions must also be met:
- When the European Commission has determined that there is an adequate level of protection in the country in question.
- When other suitable security measures have been implemented and/or the data processor has provided the necessary guarantees that the personal data will be processed in a secure manner. This may be through the use of standard contracts (EU Standard Contractual Clauses) approved by the European Commission, or that the data processor has valid Binding Corporate Rules (BCRs).
- When there are exceptions in special cases, for example to fulfil an agreement with you or when you give your consent to the specific transfer.
How do we use cookies?
Automated decision-making
DNB Auto Finance’s credit decision process is automated for certain products and services. In the credit decision process, we process your personal data to create a profile of you, which forms the basis for assessing your creditworthiness. Automated decision-making means that the algorithm makes a decision and notifies you if you are granted credit. These processes help us make fair and responsible decisions.
DNB Auto Finance’s automated decision-making is based on a proprietary scoring model, where data is collected partly from your application and credit reference agencies and partly from internal data relating, inter alia, to your current commitment to and administration of DNB Auto Finance, as well as your previous commitments with DNB Auto Finance. Variables in the scoring model that influence your decision include, but are not limited to, your income, debts, credit behavior, possible defaults, payment history of current and past credits, credit information regarding any connections you may have with other companies, what costs you may incur, for example, based on your area of residence and the number of people living in the same household, and the characteristics of the object financed (if applicable).
The scoring model checks your debt servicing capacity and credit rating. In order to assess your solvency, the information described above is compared with the amount of financing and the loan period. In addition, the classification of your application is affected by certain internal profile rules, such as the requirement that you have no payment defaults or that you have lived in Finland for a certain minimum period. When the information described above is viewed in connection with these rules, an automated or manual decision is made. Information that may lead to the automatic rejection of your application includes, for example, payment defaults or failure to meet the minimum period of residence in Finland. If your application is not automatically rejected or transferred for consideration, you will receive a scoring result on the basis of which a final credit decision can be made. A decision on the amount of credit to be granted may be taken on the basis of that scoring result.
As a result of automated decision-making, you will receive a decision on your application, that is, you may be granted a loan or your credit application may be refused. Based on the scoring model, three types of decisions can be made: your application can be automatically approved, postponed for consideration or rejected. All applications submitted for consideration are processed by trained credit controllers, as well as some automatically rejected applications. If the credit history register indicates that you have a bad credit rating, credit will not be granted. Also, your high debts, low income, or high expenses can affect your ability to borrow money or the terms of the loan.
The automated credit decision processes we use are regularly reviewed and verified to ensure they are fair, impartial and efficient. If you would like to comment on a decision made or wish to contest it, you can contact us using the contact details at the end of this file. In this case, we will manually review the decision based on both the information on which that decision was based and any additional information you may have provided. This check shall be carried out by the person who has the right to change the decision if it is found to be incorrect.
Changes to this Privacy Policy
DNB Auto Finance has the right to make changes to this Privacy Policy at any time.
When we make changes that are not merely linguistic or editorial, we will clearly inform you about those changes and how they affect you before they take effect. If the change requires your consent and you do not accept the amended terms, you have the right to terminate your agreement with us before the terms come into effect.
Contents:
- Your Privacy in DNB Auto Finance Oy
- Information on how we process personal data
- Protecting your personal data
- Data Protection in the DNB Group
- The data controller
- What rights do you have when we process your personal data?
- How to exercise your rights
- Your rights
- What type of personal data do we process and where do we collect it?
- Why do we process personal data in DNB Auto Finance Oy?
- Provide products and services
- asset financing
- Customer service
- Anti- money laundering and counter-terrorist financing
- Prevention of fraud
- Marketing
- Direct marketing
- Business development
- Business development and improvement of our products and services
- Control, reporting and analysis
- Tax reporting
- Audit
- Security and incident management
- Incident management
- Defending legal claims
- Who do we share your personal data with?
- Third parties
- Data processors
- Sharing between companies in the DNB Group
- Transfer of personal data to countries outside the EU/EEA
- How do we use cookies?
- Automated decision-making
- Changes to this privacy policy