Nordea Asset Management 1 December 2023
Nordea Asset Management Privacy Policy for Clients and Third Parties
Nordea Asset Management Singapore Pte. Ltd. (“NAM SG”) is fully committed to protecting your privacy rights and protecting your personal data in accordance with the Personal Data Protection Act 2012 of Singapore (“PDPA”). In this Privacy Policy we describe the collection, usage, storage and sharing practices of personal data, how the personal data are protected and what your privacy rights are.
In addition to this Privacy Policy, you can read more details about setting and use of cookies by visiting the Cookies Policy in the footer of our webpages.
NAM SG is one of the subsidiaries of the asset management business owned by Nordea Asset Management Holding AB and conducted by the legal entities Nordea Investment Funds S.A., Nordea Investment Management AB and their branches, subsidiaries and representative offices. When we write “we”, “us” or “our” in this Privacy Policy, we mean NAM SG and each direct or indirect subsidiaries/branches of NAM.
The entity that you contract with is the controller of your personal data.
We process individuals’ personal data for a number of reasons in line with all applicable privacy and data protection laws. In this Privacy Policy, when we write «you», we mean you as an individuals whose personal data is processed by NAM, including a (potential) customer, customer’s employee, officers, agents or representative. It can also mean other relevant parties, such as beneficial owners, authorised representatives and managers, beneficiaries, shareholders and associated parties.
This Privacy Policy covers the following areas:
1. What personal data do we collect?
“Personal data” means data, whether true or not, about an individual who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access.
In most cases we collect personal data directly from you or is generated as part of the use of our services, products and channels, including mobile applications. Sometimes additional information is required to keep information up to date or to verify the information we collect. In some cases we also collect and process personal data about individuals associated with you, for example employees, beneficial owners, board members, signatories, legal representatives and persons who are in contact with NAM in respect of trading transactions, and other individuals with whom we interact and collaborate with.
1.1 The types of personal data we collect
The personal data we collect can typically be contained or grouped into the following categories. We have provided examples of the types of personal data that fall within each category. Please note that the list of examples is not exhaustive. The type of personal data that we collect from you will depend on the service or the product we are providing to you as a customer:
- Identity and contact information: for example name, citizenship/nationality, date of birth, gender, home contact details (e.g., address, email), nickname or alias, national identification number, photograph and place of birth
- Sensitive personal data: for example indirect political opinions for political exposed persons (PEP’s) as part of anti-money laundering documentation.
- Third party details: for example authorised representatives, name, details of beneficiaries, external advisors
- Details of Nordea internal identifiers: for example account linkage, customer number, details of contract between Nordea entities, intermediaries and individuals, hashed identifiers, relationship manager.
- Regulatory data: for example individual and family details for anti-money laundering, politically exposed person checks, and prevention of insider trading, compliance approval status, and conflict of interest disclosure.
- Marketing and communications data: marketing and communication preferences
- Monitoring data such as call recordings and CCTV, to the extent permitted by applicable law.
- Financial details such as credit rating, documentation on supporting investor status, employment status, financial history, bank account details, investment preferences, restrictions and objectives, investor status/classification, net worth & estimated income, professional and academic background, risk profiles, tax codes/classification identification numbers, third party account details/custody
- Transaction details such as intermediary and industry identification numbers, investment details, payee/investee details, product details, transaction details and identification numbers
- Technical data such as name of version of the OS, processor model, language on mobile phone/tablets. Other data which might be collected via cookies, please visit the Cookies Policy in the footer of our webpages.
1.2 The sources from which we gather your personal data
Personal data we may collect from you:
We collect information you provide directly to us. For example, when becoming a representative or contact of a customer or collaboration partner, we collect personal data, such as name, e-mail address and phone number. For most individuals, work as opposed to private contact information is the only contact information we collect or process.
We collect national identification number, other identity information, regulatory data and third party details for verification and compliance purposes. Some financial details and transaction details we collect for compliance purposes and others in order to provide you with our services and products and validate performance.
We also collect information which you provide to us, such as messages you have sent us as feedback, a request in our digital channels or use our applicable form.
Personal data that we collect from third parties, if allowed by local law:
To be able to offer you our products and services and to comply with statutory requirements, we collect personal data from third parties, such as publicly available and other external sources. For example, to fulfil legal requirements for anti-money laundry and prevention of financial crime we may collect information in registers held by governmental agencies (tax authorities, company registration offices, enforcement authorities), sanction lists (held by international organisations), registers held by other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.
We also collect information from other entities within NAM, the Nordea Group or other entities which we collaborate with.
1.3 Recording of telephone conversations, online meetings and storage of chat conversations
To the extent permitted by applicable law, we record and log telephone calls and chat conversations for documentation of customer request, verification of orders, security and fraud management purposes and to fulfil legal requirements. For example, online meetings, telephone and chat conversations may be stored to document what happened and was said during the conversation, including any agreements entered into. Moreover, we record conversations that lead or may lead to securities transactions.
2. How do we use your personal data and what is the basis for doing so?
We use and process your personal data to comply with legal obligations and purposes described below.
2.1 Necessary to perform an agreement with you
One reason we process personal data is to collect and verify the data prior to giving an offer and entering into a contract with you. We also process personal data to document and complete tasks in order to fulfil our contractual obligations towards you, e.g. to provide and administer our products and services to you.
Examples of activities necessary to perform an agreement with you:
- Collecting information needed to verify your identify in order to provide you with our products and services
- Collecting your contact information to provide you with customer service during the contract period, including customer care and customer administration and communication with you
2.2 Legal requirements
We mainly process personal data to fulfil obligations under law, regulations or authority decisions in the countries where our offices are located.
Examples of processing due to legal obligations:
- Know Your Customer requirements
Preventing, detecting, and investigating money laundering, terrorist financing, and fraud
Sanctions screening - Record keeping regulation
- Reporting to tax authorities, police authorities, enforcements authorities, supervisory authorities
- Creating and maintaining legal contracts, fund documentation and corporate governance related documentation
- Other obligations related to service or product specific legislations, for example securities or funds
2.3 Legitimate interest
We use your personal data where necessary to further our legitimate interests, as long as those legitimate interest are not overridden by your interests or fundamental rights and freedoms.
Examples of our processing based on legitimate interests:
- Relationship and vendor management. We collect and use personal data for ongoing oversight, management of the relationship and interaction with you.
- Compliance with legal obligations under e.g. financial and tax regulation. For example we may collect and use your contact details when processing invoices for your company
- Portfolio decisions. We use personal data when documenting that portfolio decisions (e.g. redemptions, subscriptions or investment guidelines) are implemented on behalf of the correct customers
- Investment decision. As part of making investment decisions we process personal data such as contact information, when collecting research from you as an external brokers.
- Corporate actions. When managing, implementing and maintaining corporate actions we process personal data with the purpose of instructing the custodians.
- Security trading. We process personal data for the purpose of trading and settling security trading.
- System testing. In a limited number of cases we may use personal data for system testing and development. The testing process is by design limited to key identifiers necessary to perform the testing and all other directly or indirectly identifiable personal information are masked.
2.4 Consent
There may be situations where we will nevertheless ask for your consent to process your personal data. Information about the purpose, processing activity, types of personal data and your right to withdraw your consent will be provided when you are asked to give NAM your consent. If you have given consent to processing of your personal data you can always withdraw the consent at any given time.
3. Who do we disclose your personal data to?
Your personal data can be shared with others to the extent we are under statutory obligation to do so and to fulfil services and agreements we have with you. We may share your personal data with others such as public authorities, NAM entities, Nordea Group companies, suppliers, service providers and business partners. Before sharing, we will always ensure that we respect relevant financial industry secrecy obligations and that we comply with applicable data protection regulation.
To provide our services to you, we disclose data about you data that is necessary to identify you and perform an assignment or agreement with companies that we cooperate with. This include, but is not limited to, instructing custodians on specific custody accounts, to trade and settle securities, distribution services cash account reconciliation, invoicing and reporting, balance monitoring and payments.
We may also disclose personal data to authorities to the extent we are under statutory obligation to do so. This includes, but is not limited to, facilitating reclaims and financial reporting.
Without limiting the generality of the aforesaid, in general we may disclose your personal data to:
- Authorities: We may disclose employee personal data to relevant government authorities to the extent NAM SG is under a legal obligation to do so. Please note that we may share employee information with relevant government authorities for statistical and research related purposes, although in such cases, the information would usually be anonymised, and would thus not be considered to be personal data for the purposes of the PDPA.
- NAM entities and Nordea Group Companies: we disclose personal data internally in the Nordea Group with your consent or if this is permitted pursuant to legislation.
- Suppliers and other Nordea Group companies: NAM SG has entered into agreements with selected suppliers, which include the processing of personal data on behalf of us. In some cases NAM SG uses other Nordea Group companies as supplier. Examples thereof are suppliers of payroll, benefit, travel, invoicing, training services remuneration and compensation policy analysis, IT services as well as industry wide surveys for statistical purposes.
- External business partners: we disclose personal data to external business partners with your consent or if this is permitted pursuant to legislation. External business partners include for example correspondent banks and custodians.
3.1 International transfer and transfer to service providers
To provide our services and in the course of running of our business, we transfer personal data to entities as referenced above in third countries which might not have the same level of privacy and data protection law. In all cases where we use overseas external suppliers and when we transfer personal data outside of Singapore, we are required by law and we will use contractual and other appropriate measures to ensure that the transferred personal data is given a level of protection that is comparable to that under Singapore law.
3.2 Meetings and webinars
NAM uses external suppliers for meetings and webinar. When you participate in meetings or webinars your personal data will be collected by the external supplier directly, and they will be data controller. Information on which personal data the external suppliers collects, for which purpose, usage, storage and more can be found in the external suppliers privacy policy or privacy notice available through the application.
Some external suppliers make available and/or stored personal data in USA and any other countries which may not offers protection equivalent to the one provided by in the European Union or European Economic Area. This can create certain risks for example unauthorized data access to personal data, including requests from foreign government agencies, excessive data collection and retention and unwanted commercial solicitation.
The impact of these risks can be lessened by using the meeting or webinar application in a way that is as minimally invasive as possible for your given purpose. Communicating sensitive personal data such as personal health information, credit card information, and SIN numbers should be avoided. NAM has configured the settings of certain meeting and webinar application to be minimally invasive.
3.3 External website and Social Media Platforms
Our websites contains links to external web pages. We also use social media to communicate with the NAM community. Please note that NAM is not responsible for the privacy practices or content of external webpages and applications. NAM encourage you to read all applicable third party privacy policy before visiting external sites or engaging with us via social media.
4. How we protect your personal data
Keeping your personal data safe and secure is at the centre of how we do business. We use reasonable and appropriate technical, organisational and administrative security measures to protect any information we hold from loss, misuse and unauthorised access, disclosure, alteration and destruction.
5. Your rights
You as an individual/data subject have the following rights in respect of personal data we hold about you:
a) Request access to your personal data
You have a right to access the personal data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy related rights, or consideration for NAM’s business concept and business practices. NAM’s know-how, business secrets as well as internal assessments and material may restrict your right of access.
b) Request rectification of incorrect or incomplete data
If your personal data is outdated, incorrect or incomplete, you are entitled to have the personal data rectified, with the restrictions that follow from legislation.
c) Request erasure
You have the right to request erasure of your personal data in the following cases:
- you withdraw your consent to the processing and there is no other legitimate reason for processing,
- you object to the processing and there is no justified reason for continuing the processing, or
- you object to the processing and there is no justified reason for continuing the processing
- processing is unlawful.
- When processing personal data on minors, if the data was collected in connection with the provision of information society services.
Due to the financial sector legislation we are in many cases obliged to retain personal data concerning you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims.
d) Limitation of processing of personal data
You may request us to restrict the processing of your personal data to storage only, if:
- you contest the accuracy of your personal data or the lawfulness of processing,
- you have objected to the processing of your personal data in accordance with your right to object,
- you are not entitled to erasure of your personal data, or
- our processing of your personal data is solely necessary to assert a legal claim. However, we may process your personal data for other purposes if this is necessary to assert a legal claim or if you have granted your consent to this.
The processing will only be restricted to storage, until the accuracy of the personal data can be established, or it can be checked whether our legitimate interests override your interests.
e) Data portability
You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed by automated means only and on the lawful basis of consent or performance of a contract. Where secure and technically feasible the data can also be transmitted to another data controller by us.
Your request to exercise your rights as listed above will be assessed given the circumstances of the individual case. Where NAM SG has rectified, erased or restricted the processing of your personal data, NAM SG will notify the recipient to whom the personal data have been disclosed, unless this is impossible or requires disproportionate effort. Please note that we also retain and use your personal data as necessary to comply with legal obligations, resolve disputes and enforce our agreements.
6. How long do we keep your personal data?
We will keep your personal data for as long as it is needed for the purposes for which your data was collected, or as required or permitted by applicable laws.
This means that we keep your personal data for as long as necessary for the performance of a contract and as required by retention requirements specified by law.
Where we keep your personal data for other purposes than compliance with legal obligations, we will generally aim to keep the personal data for no longer than it is absolutely necessary.
The specific retention periods may vary according to the type of personal data and the requirement under which the personal data is collected or is to be used.
For example:
- Preventing and detection of money laundering and terrorist financing, and fraud: storing of Know Your Customer (KYC) information for a minimum of five years after termination of the business relationships or the performance of the individual transaction
- Service or product specific regulations such as securities markets: storing your financial information for ten years after termination of the client relationship
- Bookkeeping regulations: Such records may be kept up to ten years or longer if local law requires so.
- Details on performance of an agreement: storing information related to your agreement with us for up to ten years after end of customer relationship
- Client reporting: your contact information is stored five years after as of end of the year of the reporting.
- Client CRM information: information stored about you in our CRM system is stored until 2 weeks after end of business relationship.
7. Contacting us or the data protection authority
7.1 Contact information
7.2 Complaint to the Data Protection Authority
You can also lodge a complaint or contact the data protection authority in the country where you reside, are employed or in which the infringement has occurred. In the case of NAM SG, this authority is the Personal Data Protection Commission of Singapore.
8. How are changes made to this Privacy Policy?
We are constantly working on improving and developing our services and ways of working, so we may change this Privacy Policy from time to time. We will not diminish your rights under this Privacy Policy or under applicable data protection laws in the jurisdictions we operate in. If the changes are significant, we will provide a more prominent notice, when we are required to do so by applicable law.