Change language:

Personal Data Processing Policy of SEB companies in Lithuania

(PDF version)

We aim to keep you fully informed about the processing of your personal data, whether you interact with us in person, electronically (for example, through our Internet Bank, mobile applications, website) or in any other way of your own choosing. This document applies to you if your data are processed by SEB companies in Lithuania.

This Personal Data Processing Policy of SEB companies in Lithuania (hereinafter referred to as the Policy) is intended to inform you about the purposes and legal basis for processing your personal data, where we obtain your personal data from, to whom we provide such data and for how long we retain them, what security measures we use and how to exercise your rights as a data subject. By doing that, we aim to ensure fair and transparent processing of personal data.

Please take some time to review this Policy and, if you have any questions, please do not hesitate to contact us using one of the methods below. We update the Policy regularly and encourage you to review this document periodically.

Your personal data are processed in accordance with the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as the General Data Protection Regulation or GDPR), the Law of the Republic of Lithuania on Legal Protection of Personal Data, and other legal acts governing the legal protection of personal data and the activities of financial institutions and the services they provide.

Definitions

Personal data means any information relating directly or indirectly to a data subject, such as: name, surname, telephone number, bank account number, details of payments made and received, health data, etc.

Bank means AB SEB bankas, registration number 112021238, registered office address Konstitucijos ave. 24, Vilnius; a SEB Group company providing financial services.

Data processing means any action which is performed on personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, consultation, use, disclosure, erasure or destruction.

Data Processor means a natural or legal person who processes personal data on behalf of a Data Controller.

Data Controller means a natural or legal person who, alone or jointly with others, determines the purposes and methods of the processing of personal data. In the context of this Policy, the Data Controller shall be deemed to be a specific SEB Group company in Lithuania, depending on the purposes for which it processes personal data.

Data Subject (you) means a natural person whose personal data we process. This may include not only you, but also your family members or third parties in the cases set out in this Policy.

Customer means a natural person and/or a representative of a legal person who uses, used or intends to use the services of any of SEB Group companies in Lithuania, such as, for example, financial services, life insurance, pension savings.

Customer Questionnaire means a questionnaire prepared by the Bank for the purpose of fulfilling the statutory requirements of Know Your Customer, to be filled in by the Customer. Links to documents: https://www.seb.lt/sites/default/files/document/Fizinio_asmens_anketa_EN.pdf; https://www.seb.lt/sites/default/files/document/Juridinio_asmens_anketa_EN.pdf

SEB Life and Pension Baltic SE Lithuanian branch, registration number 305351885, registered office address Konstitucijos pr. 24, Vilnius, Lithuania, is a SEB Group company providing life insurance services.

UAB SEB Investicijų Valdymas, registration number 125277981, registered office address Konstitucijos pr. 24, Vilnius, is a SEB Group company managing pension funds and providing investment management services.

Profiling means any form of automated processing of personal data which involves the use of personal data for the purpose of evaluating certain personal aspects relating to a natural person, in particular for the purpose of analysing or making predictions concerning the aspects of that natural person's performance at work, economic situation, state of health, hobbies, interests, trustworthiness, behaviour, whereabouts or movements.

SEB companies in Lithuania (hereinafter referred to as SEB Lithuania) means any legal person or its branch belonging to the SEB Group which has its registered office in Lithuania and acts as a controller or processor of personal data. A list of SEB Lithuania companies and contact details is available on the website www.seb.lt. In the context of this Policy, SEB Lithuania may refer to AB SEB bankas, UAB SEB Investicijų Valdymas, SEB Life and Pension Baltic SE, Lithuanian branch, or all of these companies together.

SEB Group means Skandinaviska Enskilda Banken, AB (publ.), a company incorporated in Sweden, and all legal persons or their branches directly or indirectly owned by it.

Other terms used in the Policy are understood as defined in the General Data Protection Regulation or in the laws governing the legal protection of personal data and the activities of financial institutions.

Contact details of the Data Protection Officer

If you have any questions regarding the processing of your personal data, please contact the Data Protection Officer of SEB Lithuania by general consultation phone +370 5 268 2800, by e-mail at duomenuapsauga@seb.lt, or by post to Konstitucijos pr. 24, LT-08105, Vilnius.


Whose data do we process (categories of data subjects)?

SEB Lithuania processes in the course of its activities the data of the following data subjects (natural persons): 

  • Customers and/or their legal representatives;
  • Customers' family members and/or close associates.
    A close associate means:
    (a)    a natural person who participates in the same legal person or an organization without legal person status as a politically exposed person, or who has any other business relationship with the politically exposed person;
    (b)    a natural person who has sole beneficial ownership of a legal person set up or operating for the de facto financial or other private benefit of the politically exposed person;
  • Customers' guarantors, co-obligors, collateral providers;
  • Parties to the transactions in which the customer is involved;
  • Customers' debtors, creditors;
  • Persons eligible for life insurance indemnity;
  • Customers' heirs;
  • Payers and payees (including third parties other than customers);
  • Customers who are legal persons' managers, shareholders, members of the board or any other collegial body, ultimate beneficial owners (UBO), representatives of the company acting under a power of attorney or other legal basis;
  • Other persons who apply to SEB Lithuania.

NB: Article 14 of the General Data Protection Regulation provides for cases in which we, as a data controller, are exempted from the obligation to provide data subjects whose data we have not obtained from the data subject with information about the processing of their data, including the cases when the provision of such information proves impossible or would involve a disproportionate effort (e.g. we do not have a business relationship with the third party, we do not know the third party's contact details, etc.). Therefore, if you provide us with the data of third parties, we recommend that you make them aware of this Policy.

What data do we process (categories of data)?

In this section, we outline the main categories of personal data processed by SEB companies in Lithuania. However, given the specific nature of our activities, it is not possible to provide in the Policy an exhaustive list of the data we process, and therefore the list below is not exhaustive. In the case of a specific data subject, the scope of the data processed may vary depending on the purposes for which SEB Lithuania processes that person's data.

We process the following personal data on you:

  • personal identification data, such as forename, surname, personal number, date of birth, data of identity documents (passport, ID card, driving licence) and copies of these documents, photo, nationality; biometric data (such as your facial image (selfie) and video, which are processed only if you intend to become a customer remotely, using the Mobile App of SEB Lithuania);
    NB: In order to ensure that the data contained in your identity documents are accurate and correct, we automatically check the information by obtaining it from the Register of Invalid Documents and updating it from the Population Register.
  • contact details, such as telephone number, email address, address of the place of residence, registration address or correspondence address;
  • data of identification in the Bank's systems, such as the customer's identification number in the Bank's systems (customer ID), Internet Bank user login data (Internet Bank user ID);
  • data on the device used to log in to SEB Lithuania's electronic channels: the manner of using it to make payments, IP address, the date, time and duration of your login sessions to the Internet Bank or the Mobile App;
  • data on your financial literacy and investment objectives, such as your education, investment knowledge and experience;
  • data on your transactions with SEB Lithuania, depending on the services provided to you by SEB Lithuania, e.g. data on bank accounts, pension, savings, Internet Bank, housing loans, leasing, consumer loans, life insurance contracts and on other agreements concluded by you with SEB Lithuania and their performance;
  • data on agreements with third parties, such as contracts for the sale and purchase of immovable property, lease agreements, surety agreements and other data;
  • payment data, such as sender/recipient of funds, account number, purpose of payment, amount and currency of payment, payer ID, means of payment (e.g. bank card, account, Apple Pay, Google Pay, etc.) and the actions taken using them, deposits, withdrawals of cash, etc.;
    NB: When indicating the purpose of the payment, please do not enter special categories of data (data disclosing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, health data, or data concerning sex life and sexual orientation).
  • economic data, such as your current/former employment, your economic and commercial activities (farming, self-employment, etc.), the stability and sources of your income, your assets, financial liabilities, country of residence for tax purposes, taxpayer identification number, whether you are a taxpayer in other countries, etc.;
  • socio-demographic data, such as your marital status, number of dependants, family data, fact whether you receive social benefits;
  • data on your IP address, your online behaviour and habits, which we determine based on your behaviour on the Internet Bank, the Mobile App or using other electronic channels of SEB Lithuania;
  • data on your interests, hobbies and needs, which you provide to us when you communicate with SEB Lithuania staff or when you use SEB Lithuania services;
  • audiovisual data, such as video, audio recordings, when you visit SEB Lithuania's branches, call or answer the Bank's telephone calls which are recorded (in such case, we inform you at the beginning of a conversation that the conversation will be recorded), use remote consultations and/or ATMs, or intend to become a customer of SEB Lithuania remotely;
  • data obtained from public officials and/or authorities, such data obtained from enquiries and decisions by notaries, bailiffs, law enforcement authorities, courts, etc;
  • data on the customer's reliability, economic activity, business relationships, and planned financial transactions in relation to ensuring compliance with the Know Your Customer requirements and with statutory requirements in the area of the prevention of money laundering and terrorist financing and the enforcement of international sanctions;
  • data on the assets to be acquired, depending on the financing product, we process data on vehicles, movable or immovable property which is being acquired, for which you require financing;
  • data on debts, such as the date on which a debt was incurred, the period by which the time limit for the payment of the debt is exceeded, the amount of the debt, payment information, details of a request for deferral of the payment of the debt, etc.;
  • special categories of data, such as :
    • biometric data, namely, your facial image (selfie) and video, which are processed only when you intend to become/become a customer remotely using the SEB Lithuania Mobile App, with your consent;
    • health data:
      • in the case of life insurance, for the purpose of assessing the insurance risk and investigating the circumstances of an insured event (with your consent);
      • assessing your income when intending to provide financing services (ensuring compliance with statutory requirements), assessing customers' requests to defer mortgage or consumer credit payments, or deciding whether to write off a debt or defer payments (with your consent or where required by law).

For what purposes and on what legal grounds do we process your personal data?

In order to identify you when you intend to become our customer at the Bank's branch and to fulfil the Know Your Customer requirements, we process your identity data and contact details, data on your country of origin, nationality, accounts with other banks (including foreign banks), data on ultimate beneficial owners (where the customer is a legal person), the information whether you/your close family member/close associate is a politically exposed person, the projected income, the origin and source of the income, also whether you are on international sanctions lists. We process these data on the basis of a legal obligation and a legitimate interest in order to prevent financial crime, to properly implement anti-fraud measures and to comply with international sanctions (more information on Know Your Customer requirements).
In order to fulfil the requirements of tax evasion prevention legislation, we process your identity data and data on whether you are a taxpayer in other countries, whether you have accounts with other banks, your country of residence for tax purposes.
We process these data on a basis of a legal obligation.

In order to identify you when you intend to become our customer remotely via the Bank's Mobile App and to fulfil Know Your Customer requirements, we process your identity and other data necessary to fulfil the Know Your Customer requirements; details of the device you use to log in to the Mobile App, IP address. We process these data on the basis of a legal obligation.

Where a minor customer is represented by parents/guardians, we additionally process the identity data of the parents/guardians. We process these data on a basis of a legal obligation.

  • Where you become a customer through the Mobile App, we also process your biometric personal data, such as facial recognition data, voice, and video. We only process these data with your consent.
  • Where you become a customer using another remote way (during a video consultation with a member of the Bank's staff), we process your identity data, data on the verification of your identity using a qualified electronic signature and other data in accordance with the Know Your Customer requirements. We process these data on a basis of a legal obligation. We also process a video and audio recording of your remote meeting with us on the basis of a legitimate interest, so that we have evidence of onboarding you legitimately and that no fraud was committed during the video consultation. When a minor is onboarded as a customer and the minor's parents/guardians are present during the same remote meeting, we also process a video and audio recording of them.
  • In the case of a minor (aged 7-13 years), when one of the parents applies through our Internet Bank, we process the identity data of the minor and the parent who applies for an account for the child, as well as the information on whether the applicant is entitled to act as a representative of the child. We receive these data automatically from the registers managed by the State Enterprise Centre of Registers. We process the data on the basis of a legal obligation and a legitimate interest to ensure that a minor can be onboarded as a Bank’s customer and that one of the minor's parents is entitled to represent the minor.

In order to identify you when:

  • we link your identity to SEB Mobile app;
  • you log onto Mobile app or Internet bank via Mobile app;
  • you confirm transactions or other operations in Mobile app or Internet bank
    We process you Internet bank user ID, authentication device data, IP address, device make and model. We process this data on the basis of legal obligation and conclusion of an agreement.

In order a minor (aged 7 to 18) could use SEB Mobile app, we process minor‘s Internet Bank user ID, personal code, device make and model as well as minor’s legal representative‘s authentication device data. We process this data on the basis of a legal obligation and conclusion of an agreement.

In order to enter into service agreements and related agreements with you, we process your identity data, contact details and other data necessary for the conclusion of a specific agreement, e.g. for a bank account, Internet Bank, housing loan, leasing, pension savings, etc. We process these data on the basis of the conclusion and performance of an agreement.

In order to enable you to participate in the "Mylimiausia" loyalty program, when you choose a payment card linked to the loyalty program, we process your personal data, such as your forename, surname, gender, date of birth, email address, telephone number, address of the place of residence, last four digits of the number of the "Mylimiausia" payment card, and its expiry date, and we pass them on to the loyalty program partners. These data are transferred on the basis of the conclusion and/or performance of an agreement. If you give consent for direct marketing to the loyalty program partners, we also pass this information on to them. If you have given your consent for direct marketing to loyalty programme partners, the data received will be processed by the partners not only for the purpose of managing a loyalty program (e.g. providing benefits and discounts), but also for the purpose of direct marketing (e.g. sending you personalised offers).

In order to contact you and provide you with advice on the services you use, to respond to your requests, claims, etc., we process your identity data, contact details and other data related to your enquiry, request or claim. We process this data on the basis of a legal obligation, the performance of an agreement and/or a legitimate interest, depending on the nature of your request.

In order to prevent money laundering and terrorist financing, we carry out regular monitoring of our customers' business relationships and process data on your payment transactions and the source (origin) of your funds - for this purpose, we may ask you to provide documents proving the origin of your funds (e.g. a copy of a contract for the sale and purchase of immovable property, a gift deed, audited annual financial statements, an invoice), enquiries or information provided by other banks, financial institutions or law enforcement authorities. Processing for this purpose includes processing by automated means. In any case, automated decisions are reviewed by our staff. We may, under certain circumstances, process data on persons related to you (e.g. senders of funds) to the extent necessary to comply with requirements for the prevention of money laundering and terrorist financing. We process these data for the purposes of a legal obligation.

In order to ensure compliance with international sanctions, we regularly monitor our customers' payment transactions with a view to determining whether you or a person related to you (e.g. a beneficiary of funds) are on international sanctions lists, and for this purpose we process your identity data, nationality data and payment data. Processing for this purpose includes processing by automated means. In any case, automated decisions are reviewed by our staff. We process these data on the basis of a legal obligation in order to ensure compliance with EU and United Nations sanctions, or on the basis of a legitimate interest in order to ensure compliance with United States sanctions imposed by the Treasury Department's Office of Foreign Assets Control (OFAC), United Kingdom sanctions imposed by the Office of Financial Sanctions Enforcement (OFSI), and Switzerland sanctions imposed by the Switzerland State Secretariat for Economic Affairs (SECO).

In order to provide investment services, which include the provision of investment recommendations and/or portfolio management of financial instruments, we process the data necessary to carry out the assessment of suitability and appropriateness, such as your marital status, education, income, assets, existing financial commitments, financial plans and goals for using the investment services, risk tolerance and investment experience and knowledge. For this purpose, we may process your data by automated means (in cases when you use the Robo-Advisor service). If you disagree with the automated decision, this decision will be reviewed and evaluated by a member of our staff upon your request. We process these data for the basis of a legal obligation.

In order to fulfil legal requirements related to tax evasion prevention, we process your identity data, data on whether you are a taxpayer in multiple countries, your country of residence for tax purposes, the country from which your income will be received, and your accounts with other financial institutions. We process these data on the basis of a legal obligation.

In order to assess your creditworthiness and to be able to provide you with financing (e.g. housing loan, consumer loan, leasing, credit card with a credit limit), also in order to comply with our operational risk management requirements and to manage your debts towards us, we process data on your income and its source, education, employment, job title, work experience, assets, financial commitments, credit and payment history, marital status, absence of negative circumstances (such as debts, seizure of assets, insolvency, etc.). To this end, we must keep all the documents on the basis of which the decision to enter into the transaction was taken. In order to provide you with financing services, we may process your application data and data obtained from public registers and UAB Creditinfo Lietuva by automated means (for more information see "Where do we receive your data from" and "Who we provide your data to"). If you disagree with an automated decision, the automated decision will be reviewed and evaluated by a member of our staff upon your request. We process these data on the basis of a legal obligation and a legitimate interest.

In order to monitor whether the financial or economic situation of our customers jeopardises the proper fulfilment of their contractual obligations, we process data on your fulfilment of your contractual obligations to the Bank and other creditors, data on overdue payments, debts, etc. We process these data on the basis of a legal obligation and a legitimate interest.

In order to manage our day-to-day operations and to protect our legitimate interests and those of our customers, we may process such data as information about judicial or administrative proceedings in which you are involved, debts or other amounts owed by you to third parties, your assets (cash, investments in financial instruments, etc.) and other information forwarded to us by relevant authorities, bodies or persons. We process these data on the basis of a legitimate interest.

In order to ensure the prevention of payment fraud, we process data on the transactions performed (amount, currency, payee, etc.), data on when and from where you log in to the Internet Bank, the IP address, details of the device used to perform the transaction, the manner in which the device or the service is used in order to determine whether, for example, a remote access tool has been installed on the device, etc. We process these data on the basis of a legal obligation and a legitimate interest. For this purpose, we carry out automated data processing, including profiling.
We may share information about fraud cases with SEB Group and SEB Group companies and other financial institutions.

In order to provide payment services related to an open application programming interface, acting in accordance with statutory requirements and subject to your consent, we process in the case of the payment initiation service data such as your account number with another account manager, currency, name, type, balance and, in the case of the account information service, also a list of payment transactions on the selected accounts and the details of those transactions, including the amounts reserved, the information whether the account has a credit limit, etc. In the course of providing these services, we may pass on the IP address of the devices you use, as well as the information about your browser and browser version to other payment service providers that manage your accounts. We process these data on the basis of a legal obligation and/or the performance of an agreement.

In order to provide the over-the-phone payment service, we process your forename and surname, alternate identifier (mobile phone number), payment account number. We process these data on the basis of the performance of an agreement and your consent.

In order to improve the quality of our services, with a view to ensuring the sustainability and consistency of our activities and to improve our digital platforms, content and services provided to you, we analyse your personal data (profile) in an automated way, including information about the services you access in SEB Lithuania, and analyse your history of payment transactions. We process these data on the basis of a legitimate interest.

For the purpose of direct marketing, in order to provide you with personalized, relevant communications and information, to ask for your opinion on the quality of the services provided and to invite you to participate in market research, we perform profiling of customers and, for this purpose, process your identification data, such as your identity data, country of residence, data of identification in the systems of SEB Lithuania (for example, the customer's identification number), type of customer (for example, business/private, age, etc.), contact details, information about the language you communicate in, your use of banking services (agreements entered into, accounts held), financial data, liabilities to SEB Lithuania, data on the applications submitted, economic, socio- demographic data, information about when and where (including your location data) our Internet Bank and other electronic platforms were accessed, information about meetings and calls (conversations) with SEB Lithuania staff (e.g. channel and date), as well as information about offers made to you in the past and other data that help us to select and provide you with offers that are relevant to you. We only profile customers and carry out tailored direct marketing on the basis of your consent.

With your separate consent, we may also send you direct marketing offers, newsletters and surveys from our partners in Lithuania. For an up-to-date list of partners, see: https://www.seb.lt/en/partners-material.

NB: You can modify or withdraw your direct marketing consent at any time by logging in to the Customer Questionnaire in your Internet Bank account, in the Mobile App, by informing us by email at info@seb.lt or by phone +37052682800. We will also additionally ask for your consent to direct marketing when we provide you with the Customer Questionnaire. You will also see a question on updating of direct marketing consent when you review this Questionnaire.

It is important to note that if you withdraw or modify your direct marketing consent, it may take up to one business day for the withdrawal or modification to be processed.

In order to ensure the protection of property and persons on the territory and in premises of SEB Lithuania, we carry out video surveillance and process your video data. We process these data on the basis of a legitimate interest.

In order to systematically monitor and prevent illegal activities and continuously assess the risks involved, to protect you and your assets from criminal acts (e.g. fraud, misappropriation of your data, identity theft), we collect and structure information on the potential misuse of the services of SEB Lithuania, including your use of the Mobile App and the Internet Bank. For this purpose, we may also process contact information (e.g. for the purpose of sending fraud prevention notifications), payment instrument security data, payment transaction data. For this purpose, we may also share numbers of accounts possibly used for committing fraud with other financial institutions. We process these data on the basis of a legal obligation and a legitimate interest.

In order to be able to establish and defend our legal claims and to take other lawful actions to prevent or mitigate losses, we process identity data, contact details, data on services provided, agreement data, payment data, data on financial commitments, debts towards us, etc. of you and of persons related to you (e.g., guarantors, co-obligors, collateral providers, etc.). For this purpose, we may transfer your data and/or the data of the third parties related to you to our partners conducting debtor searches in Lithuania and/or abroad. We process these data on the basis of a legitimate interest.

In order to (i) ensure the quality of our services, including remote services, (ii) have evidence of the conclusion or performance of an agreement or any other transaction that may give rise to legal consequences, (iii) be able to establish, defend, or exercise legal claims, (iv) comply with statutory requirements (e.g. advising on the purchase of securities), we record and store telephone conversations between you and staff of SEB Lithuania; we process these data on the basis of the conclusion of an agreement, fulfilment of a legal obligation, and/or a legitimate interest.

In order to conclude and execute a life insurance contract, to assess the insurance risk and investigate insured events, we collect and provide reinsurers with data on your health, medical examinations and other medical data, data on the life insurance services provided to you by other life insurance companies, and data related to the investigation of insured events from law enforcement authorities; in order to provide advice on life insurance services and to improve the quality of life insurance service provision processes, we may carry out automated analysis (profiling) of your personal data that you voluntarily provided in the course of the advice or product offering process, including health data, data on your age, gender, finances, if this is necessary to achieve a specific purpose. We may make an automated decision based on the information we collect from you. If you disagree with the automated decision, this decision will be reviewed and evaluated by a member of our staff upon your request. We process these data on the basis of your consent.

In order to communicate with you on social networks (Facebook, Youtube, Linkedin, Instagram), we process your forename, surname (name), information about your communication on your SEB Lithuania account ("like", "follow", "comment", "share", etc.), photographs (of your profile and/or with SEB Lithuania tagged), information about the messages you have sent, information about your participation in events and/or games organised by SEB Lithuania, information about the rating you have given to SEB Lithuania. These data are obtained directly from you (in your social network account) when you communicate with us (using social networking tools such as "Send a message" and/or visiting the social networking accounts administered by us). Your personal data are used for communication with each other in a public domain,
i.e. on social networks. We process these data on the basis of a legitimate interest.

Personal data provided on social networks are processed jointly with the social network controller (e.g. Facebook, Youtube, Linkedin and/or Instagram platform), therefore we suggest that you familiarise yourself with the privacy policies of the specific social network controller.

If you use mobile applications for which SEB Lithuania is the developer or the holder of the developer's rights (e.g. "My Footprint | SEB"), we process the data that you provide when you use the application. We process this data on the basis of the conclusion and/or performance of an agreement.
Please read the privacy notice carefully before you use the apps, you can also read it in the app settings at any time afterwards.

In order to test IT systems and to carry out robotisation of processes in SEB Lithuania, we can process various categories of data. Importantly, personal data may only be processed for testing purposes where there is no possibility to use non- personal data and there is a risk that the malfunctioning of a particular system would lead to negative consequences for data subjects. The consequences of the failure of the system in such a case should outweigh the potential risk to the rights and freedoms of data subjects. As part of robotisation of processes, personal data are stored to ensure process supervision and incident management. We process these data on the basis of a legitimate interest.

Where do we receive your personal data from?

We process your personal data which are:

  1. provided to us by you;
  2. provided to us by our customers if you are, for example, their family member, co-obligor, guarantor, etc. (see the section on Categories of Data Subjects), or if you are a representative, employee, contractor, founder, shareholder, participant, owner, etc. of a customer being a legal person;
  3. obtained from the documents provided to us by our customers, such as account statements, payment documents, contracts of sale and purchase, court judgments, etc.;
  4. received from external sources, such as:
  • other banks and financial institutions;
  • providers of payment, digital money services and other financial services;
  • supervisory and other public bodies or institutions, such as the Bank of Lithuania (including the NASIS information system, which contains a list of persons for whom applications have been made to prevent them from concluding consumer loan agreements, the PRDB database, which contains data on borrowers and the loans they have been granted), the Ministry of Finance, the Lithuanian Agricultural Advisory Service, the State Data Agency, the State Social Insurance Fund Board, the National Health Insurance Fund, and the National Paying Agency;
  • the State Enterprise Centre of Registers (Real Property Cadastre and Register, Population Register, Register of Contracts and Restrictions of Rights, Information System of Legal Entities Participants, Register of Legal Entities, Mortgage Register);
  • the Database of Invalid Personal Documents managed by the Information Technology and Communications Department, and other registers;
  • VĮ Regitra;
  • the register of wanted persons of the Ministry of the Interior, law enforcement authorities;
  • UAB Creditinfo Lietuva;
  • insurance companies;
  • health care institutions if you use SEB Lithuania's life insurance services;
  • natural or legal persons (property valuers, notaries, bailiffs, lawyers, etc.) when they provide the data in the context of contractual or statutory requirements (data contained in e.g. mortgage credit, insurance contracts, property valuation reports, certificates, etc.);
  • partners, suppliers or other legal persons that use us to provide services to you.
  1. received when we monitor your use of our systems and services, such as when you make payments and/or take other actions in the Mobile App or the Internet Bank.
     

Who do we provide your personal data to?

We provide your personal data on the basis of a legal obligation (statutory requirements), a legitimate interest or in order to conclude or perform an agreement with you to the following recipients:

  • other banks and financial institutions;
  • correspondent banks, a list of which can be found here: https://www.seb.lt/en/private/daily-banking/payments/correspondent-banks;
  • the MasterCard payment card organisation;
  • insurance and reinsurance undertakings and insurance intermediaries;
  • payment and digital wallet service providers and other service providers involved in your transaction with us (e.g. to process a payment, personalise a payment card, add a payment card to a digital wallet of your choice, etc.);
  • stock exchanges and other trading venues for financial instruments, brokerage firms, central depositories, distributors and/or managers of funds whose units you purchase or transfer using our services, trade repositories, and other entities involved in the process when we provide to you, directly or indirectly, the services related to investments in financial instruments;
  • SEB Group and SEB Group companies, a list of which can be found on the website https://www.seb.lt/en/about-seb/related-companies, as well as AS SEB Banka in Latvia, AS SEB Pank in Estonia, where it is necessary for the purposes of financial accounting, auditing, credit risk assessment, liquidity risk assessment, technical write-off of debts, ensuring the prevention of money laundering and terrorist financing, or where we use common information systems or hardware (servers), or where it is necessary for the provision of services;
  • service providers that act on our behalf and on our instructions when processing your biometric personal data (facial image, video) for the purpose of remote identification using the Mobile App;
  • UAB Creditinfo Lietuva, if your debt towards us is older than 60 days;
  • transfer of data on the debtor who has declared his/her departure to a foreign country to the debt management partners selected by the Bank, who will transfer them to their partners in the debtor's country of residence;
  • transfer of data of the lessee to partners selected by the Bank for the purpose of search and return of leased and unreturned assets belonging to the Bank;
  • notaries, bailiffs, insolvency administrators, asset valuers, foreign state authorities;
  • collateral providers securing the customer's obligations (guarantors, collateral lenders, co-obligors);
  • buyers of rights of claim against the customer (if you are the customer or a person related to the customer);
  • SEB Life and Pension Baltic SE and its affiliates in Lithuania and Estonia, with the personal data related to products and services provided by SEB Life and Pension Baltic SE or its affiliates, where it is necessary for the provision of the services or for the performance of specific functions, e.g. data required for the purposes of pension savings agreements, reports, analysis, etc.;
  • the Bank of Lithuania (including the Loan Risk Database), the Ministry of Finance, the Ministry of Social Security and Labour, the Lithuanian Agricultural Advisory Service, the State Data Agency, the State Social Insurance Fund Board, the National Health Insurance Fund, the National Payments Agency, UAB Būsto Paskolų Draudimas, UAB Julianus Portfolio, VĮ Indėlių ir Investicijų Draudimas, the State Enterprise Centre of Registers, VĮ Regitra, other registers and state authorities;
  • the State Tax Inspectorate in order to comply with tax laws, the Agreement between the Government of the United States of America and the Government of the Republic of Lithuaniato Improve International Tax Compliance and to Implement FATCA, and other international commitments of the Republic of Lithuania in this area;
  • the Financial Crimes Investigation Service, other law enforcement authorities at their request or on our initiative if we suspect that a criminal act has been committed;
  • courts, arbitrators or other dispute resolution bodies, where they are entitled to receive such information in accordance with the procedure laid down by law;
  • companies that run or administer loyalty programmes in which SEB Lithuania participates (e.g. "Mylimiausia" loyalty programme, for which the current list of loyalty programme partners is available here: https://mylimiausia.lt/privatumo- politika/, see the section on Data Controllers;
  • service providers that provide services of the production of payment instruments and personalised identifiers (e.g. payment card manufacturers and/or payment card personalisation service providers);
  • providers of authentication and electronic document signing services;
  • our professional advisers, lawyers and auditors;
  • other third parties as regards the sale, mergers, purchases or reorganisation of our business, in whole or in part, or in connection with similar change in business (including potential or existing business buyers and their advisers);
  • data processors, including, but not limited to, providers of data centre, hosting, cloud, electronic identification and electronic transaction trust services, companies providing website administration and related services, companies providing document archiving services, companies providing advertising, marketing services (e.g. SFDC Ireland Limited (Salesforce), which profiles customers, selects recipients for tailored messages and sends marketing messages), companies that create, provide, support and develop software (Amazon, Microsoft, Genesys, etc.), companies providing IT infrastructure services, companies providing connectivity services, companies providing consultancy services, companies providing web browsing or web activity analysis and services (Amazon, Microsoft, Salesforce, etc.), mail and parcel delivery service providers (e.g. Lithuanian Post, UAB Omniva);
  • When you use over-the-phone payment services, we provide the data to the administrator of the alternative identifier search system, namely, the Bank of Lithuania, which provides/may provide the data to the administrators of other alternative identifier search systems operating in the EU and EEA countries.

Transfer of personal data to third countries

We generally process and store your personal data within the territory of the European Union or the European Economic Area (EU/EEA), but we may transfer your personal data outside the EU/EEA following a country-specific risk assessment (if the country has been determined to be safe).

We transfer your personal data outside the EU/EEA if at least one of the following measures is in place:

  •  the data are transferred to a country, territory or international organisation recognised as appropriate by the European Commission (currently: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Isle of Guernsey, Israel, Isle of Man, Japan, Isle of Jersey, New Zealand, Republic of Korea (South Korea), Switzerland, United Kingdom, Uruguay);
  • the data recipient or processor in the third country has a standard data protection agreement drawn up by the European Commission;
  • the data recipient or processor is a US company certified under the EU-US Data Privacy Framework, e.g. Microsoft Corporation, Google LLC, Amazon Web Services, Inc.;
  • the data recipient or processor relies on binding corporate rules, e.g. Mastercard Incorporated.

NB: The payment and other service providers involved in your transaction with us (e.g. you are making a transfer to a payee based in a third country (outside the EU/EEA)) may be based or operate in a country that does not have an adequate level of data protection (i.e. a country that is not a party to the European Economic Area Agreement and that has not been listed by the European Commission as a country with an adequate data protection level). We take all measures to ensure that your personal data are used securely, but there may be cases where we cannot ensure that the data recipient complies with the same requirements as in the European Union.

How long do we process your personal data for?

We do not process your personal data for longer than is necessary for the purposes for which the data were collected.
The time limits for processing data may be laid down in specific legislation applicable to our activities.
After the purpose of data processing has expired, we retain the data on the basis of a legitimate interest to establish, exercise or defend legal claims.

Time limits for data processing:

  • Data collected in the course of the provision of services, including image data collected in the course of remote consultations or remote identification (including biometric personal data) - for 10 years after the end of the business relationship with you;
  • Data provided in the Customer Questionnaire - for 10 years after the end of the business relationship with you;
  • Data provided in the financial needs assessment, consultation and financial eligibility questionnaire - for 10 years after the filling-in of the questionnaire;
  • Data processed for the purpose of concluding and/or performing agreements with you, data contained in the agreements and copies of the documents on the basis of which the decision to enter into a transaction with you was taken - for 10 years after the end of the business relationship with you;
  • Data provided in applications (e.g. for housing loans, consumer loans, etc.) not being the basis for an agreement - for 1 year after the check of public registers;
  • Data processed for the purpose of preventing money laundering and terrorist financing, such as documents proving the origin of funds held by you - for 10 years after the end of the business relationship with you;
  • Payment transaction data - for 10 years after the end of the business relationship with you;
  • Records of telephone conversations - for 10 years from the date of the recording of the conversation; records of telephone conversations in which the Customer Questionnaire was completed - for 10 years from the end of the business relationship with you;
  • Data of video recordings from premises of SEB Lithuania - for 60 days;
  • Data provided at the time of registration for a meeting with SEB - for 1 day after the meeting with a member of the Bank's staff. If you cancel your registration, your data will be automatically deleted from our systems immediately;
  • Data of persons related to legal persons (managers, representatives, shareholders, etc., where the person does not have any personal agreements with SEB Lithuania) - for 10 years from the end of the business relationship with the legal person;
  • Data of potential customers (who were made an offer but an agreement was not concluded) - for 2 years from the date of the decision not to conclude the agreement;
  • For the purpose of direct marketing, your data will be processed for as long as you are a customer of SEB Lithuania or until your consent is withdrawn, whichever occurs earlier. You can withdraw your consent and change its settings at any time by logging in to the Customer Questionnaire in your Internet Bank account, in the Mobile App, by sending a message to us by email at info@seb.lt or any other email address specified in this Policy, by calling +37052682800, or by updating the details of the Customer Questionnaire. You can also express your will by visiting the Customer Service Point;
  • Data of the seller of an asset (natural person) in the case of a leasing contract - for 10 years after the end of the leasing contract;
  • Data of a pension/insurance contracting party who does not sign the agreement directly, e.g. a beneficiary in the case of inheritance - for 10 years after the end of the contractual relationship with the policyholder;
  • Data processed for the purpose of concluding and/or performing an agreement with you for the over-the- phone payment service - for the duration of your consent to use the service and the validity of the agreement and for 10 years from the date of withdrawal of your consent and/or after the end of the business relationship with you;
  • Personal data you have provided in social networks such as Facebook, Youtube, Linkedin, Instagram - up to the moment of deletion of the data you have provided from your SEB Lithuania account, but no longer than until the deletion of your SEB Lithuania account is deleted. Please note that personal data are only processed on the platform of the social network manager, hence the exact terms and conditions of data processing are determined by the platform manager. In the case of inadmissible communications (such as defamation, disparagement of SEB Lithuania's reputation, etc.), we may retain the communication as evidence for an appropriate period of time for the purpose of defending our violated rights and/or legitimate interests (i.e. for the entire duration of any out-of-court, pre-trial or litigation proceedings).

Security of personal data

We use a variety of security technologies and procedures to protect your personal information from unauthorised access, use or disclosure. Our suppliers are carefully selected, and we require them to use appropriate measures that can protect your confidentiality and ensure the security of your personal information. However, the security of information transmitted by email or mobile communication may sometimes be compromised for reasons beyond SEB Lithuania's control, so you should be careful when submitting confidential information to us outside the electronic systems used by SEB Lithuania.

What are your rights?

You have the following rights:

  • right to access personal data processed by SEB Lithuania;
  • right to have incorrect, inaccurate or incomplete data rectified;
  • right to restrict the processing of your personal data until the lawfulness of the processing has been verified at your request;
  • right to request erasure of personal data where this can be based on one of the grounds set out in the GDPR;
  • right to object to the processing of personal data where data processing is based on consent or our legitimate interests;
  • right not to be subject to a decision based solely on automated processing where such decision produces legal effects concerning you or similarly significantly affects you. This right does not apply where such decision-making is necessary for the purpose of concluding or performing an agreement with you, is permitted by law, or where you have given your explicit consent. In the case of an automated individual decision, you have the right to ask us to review the decision by submitting a written request;
  • right to request the transfer of your personal data to another data controller or to have them provided directly to you in a form that is convenient for you (applies to personal data provided by you and processed by automated means on the basis of consent or on the basis of the conclusion and performance of an agreement);
  • right to withdraw the consent you have given, without affecting the lawfulness of the processing of your personal data carried out prior to the withdrawal of your consent;
  • right to lodge a complaint with the State Data Protection Inspectorate (for more information see www.vdai.lrv.lt) if you believe that your personal data have been processed in violation of your rights/legitimate interests.

How can you exercise your data protection rights?

Based on the information contained in the Policy, You may submit a request for the exercise of the above rights, as well as complaints, notifications or applications (hereinafter referred to as the Request) to the Data Protection Officer of SEB Lithuania by email at duomenuapsauga@seb.lt, by post to Konstitucijos pr. 24, LT-08105, Vilnius, or by visiting the nearest Customer Service Point in Lithuania.

You can apply in the following ways:

  • write a message by logging in to the Internet Bank ("Messages" → "Write a new message");
  • visit your nearest Customer Service Point, and bring your passport or ID card when you apply;
  • send your Request, signed with an electronic signature, by email at duomenuapsauga@seb.lt or info@seb.lt;
  • send your Request by post to AB SEB Bankas, Konstitucijos pr. 24, LT 08105, Vilnius, in which case we will contact you to determine the most convenient and appropriate method of identification. We will respond to your Request no later than within 30 (thirty) calendar days from the receipt of the Request. In exceptional cases requiring additional time, we will have the right to extend the time limit for the provision of the requested data or for the processing of other requirements set out in your Request by up to 60 (sixty) calendar days from the date of your request, upon giving notice to you to that effect.

What are the principles of personal data protection that we comply with?

When processing your data, we comply with the following data protection principles:

  • We process your personal data lawfully, fairly and in a transparent manner (the principle of lawfulness, fairness and transparency);
  • We collect your personal data for specified, explicit and legitimate purposes and do not further process it in a manner that is incompatible with those purposes (the principle of purpose limitation);
  • The personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the principle of data minimisation);
  • The personal data processed are accurate and, where necessary, kept up to date (the principle of accuracy);
  • We keep your data in a form which permits identification of the person for no longer than is necessary for the purposes for which your personal data are processed (the principle of limitation of storage time);
  • We use appropriate technical or organisational measures to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (the principle of integrity and confidentiality principle).

Validity and amendments to the Privacy Policy

This Policy entered into force on 25 May 2018 and was last updated on 21 June 2024. It may be amended to reflect changes in legislation and in our operations. We will notify you of any amendments on the website www.seb.lt.