General Data Protection Regulation (GDPR)

New EU rules about protection when processing personal data will come into effect on 25 May 2018. The purpose of the General Data Protection Regulation (GDPR) is to improve protection for the individual when personal data is processed.

The General Data Protection Regulation (GDPR) will become law in all member states of the EU. In Sweden, the regulation and a complementary Swedish law, the Data Protection Act, will replace the present Personal Data Act (PuL).

Among other things, the GDPR contains rules setting out fundamental principles for the processing of personal data and states what conditions apply for the use of personal data to be lawful. It also contains rules governing rights to information and access to personal data, rules concerning rectification of inaccurate personal data, and possibilities to restrict processing of personal data in certain cases.

Customers’ rights are strengthened
One important aspect of the improved protection for individuals is that data controllers, that is to say all companies and organisations that process personal data, will have to satisfy stricter requirements. A description of how your bank processes personal data is available from your bank, for example on the bank’s website or from its branches.

Register extracts
In the same way as before, you have the right to be given information about what personal data the bank processes about you (register extract). What is new is that requests for such information no longer need to be made in writing by means of a letter to the bank but can now be made in other ways, for example electronically. Ask your bank how to obtain a register extract. As before, a prerequisite for being given a register extract is that the bank can identify you reliably so that unauthorised persons are not allowed to see your information.

Data portability
Another aspect that is new is that you can also ask to be given an electronic copy of the personal data that you yourself have given the bank. You can request that your data be transferred to another data controller when this is technically possible. Contact your bank for more information.

In exactly the same way as for a register extract, the bank must be able to reliably identify you so that unauthorised persons are not allowed to see your information.

Right to rectification
You have the right to have inaccurate personal data about you rectified and also to add information if your personal data is incomplete.

Right to erasure (“right to be forgotten”)
The GDPR gives you as a customer the right, under certain circumstances, to have your personal data erased when it is no longer necessary for the purpose for which it was collected.

In certain cases, however, the bank has to comply with other legislation, which means that the bank cannot always erase your personal data immediately. The bank is obliged to save some of your personal data for a certain time to be able to satisfy requirements in legislation concerning, for example, accounting, prevention of money-laundering and fraud, or due to statutes of limitation.

Direct marketing block
You can also say that you do not wish to receive direct marketing from the bank in future (direct marketing block).

Data protection officer
Banks are obliged to appoint a data protection officer who is to oversee the bank’s compliance with the General Data Protection Regulation.

Contact your bank for more information.