Processing of Personal Data

These Principles of Processing Personal Data (“the Principles”) describe how Swedbank, AB, Swedbank lizingas, UAB, Swedbank investicijų valdymas, UAB, Swedbank P&C Insurance AS acting through its Lithuanian branch and Swedbank Life Insurance SE acting through its Lithuanian branch process your Personal Data as Data Controllers.

You can find further information on the Processing of Personal Data in specific areas that are main activity of Swedbank in Section 5 of the Principles. Information provided below in Section 5 applies to the Processing of your Personal Data depending on the Service you use and/or the nature of your relationship with Swedbank.

Additional information on the Processing may also be included in agreements and other documents related to the Services, as well as on our website or be available at an individual request. For more information on how to exercise your rights as a Data Subject and our contact details, see the end of this document.

“Client”/“you” means any natural person who uses, has used or has expressed a wish to use the Services or is otherwise related to the use and/or user of any of the Services and/or has any other relationship with us established before these Principles entered into force.

“Corporate Client” means any legal person who uses, has used or has expressed a wish to use the Services.

“Data Controller” means a natural or legal person who, individually or jointly with others, determines the purposes and means of the Processing of Personal Data. Where Personal Data is processed in accordance with these Principles, Swedbank AB is the Data Controller when it processes Personal Data in the context of providing banking services to the Client, in the case of leasing services, the Data Controller shall be Swedbank Lizingas, UAB, in the case of pension fund services, Swedbank Investicijų Valdymas, UAB, in the case of investment services, pension fund services in the third pillar of the pension system, in the case of life insurance services, Swedbank Life Insurance SE, operating via its Lithuanian branch, in the case of non-life insurance services (for example, for non-life insurance (e.g. home insurance)) –Swedbank P&C Insurance AS, acting via its Lithuanian branch.

“Data Processor” means anyone who Processes Personal Data on behalf of the Data Controller. Swedbank, when processing Personal Data, uses Data Processors and takes the necessary measures to ensure that such Data Processors handle Personal Data in accordance with Swedbank’s documented instructions, in compliance with the necessary and sufficient security measures, and in compliance with the requirements of legal acts regulating Data Protection.

“Data Protection Legislation” means any personal data protection legislation applicable to Swedbank, such as Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation (GDPR)).

“EU/EEA” means the European Union/European Economic Area.

“Personal Data” and “your data” means any information related to you directly or indirectly.

“Processing” means any operation or set of operations performed with regard to Personal Data, whether or not performed by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, gathering, use, combination, blocking, erasure or destruction.

“Recipient” means a natural or legal person, public authority or another body, to whom Swedbank is entitled to disclose Personal Data. See the categories of Recipients in Section 1.6.

“Governing Law” means the applicable legislation that Swedbank is subject to, for example, that relating to anti-money laundering, banking secrecy, commercial activity, data protection, taxes, bookkeeping, lending, consumer credits, payments, payment services, insurance, leasing, investment and financial business.

“Services” mean any Swedbank service, advisory service, product provided or made available at a customer service point, on a website, through a Swedbank mobile application, on a website, by telephone, by video broadcasting or by other means or at a Swedbank branch, and which relates to financing, saving, investing, lending, payment cards and payments, retirement savings, insurance, or leasing, as well as services and products of carefully selected partners.

“Swedbank”, “we”, “our” and “us” means any legal entity or branch belonging to the Swedbank Group with its registered office in Lithuania. The list of the Swedbank Group companies in Lithuania is available at www.swedbank.lt.

“Swedbank Group” means Swedbank AB (publ.), a public limited liability banking company incorporated in Sweden, and all legal entities which Swedbank AB (publ.) directly controls (the subsidiaries).

“Profiling” means any form of automated Processing of Personal Data to evaluate certain personal aspects relating to the Client, in particular, to analyse or predict aspects concerning that natural person’s economic situation, personal preferences, interests, reliability and behaviour. You can find further information about the Profiling of Clients’ Personal Data by Swedbank in Sections 5.4, 5.5, 5.6 and 5.7, 5.8.

“Automated Decision-Making” means taking a decision without human involvement (i.e., a decision taken only using technological means), including Profiling, which produces legal or similar significant effect on the Data Subject. You can find further information about automated decision-making by Swedbank in Sections 5.4, 5.6 and 5.7.

“Data Subject” means any identifiable living natural person whose Personal Data is Processed by Swedbank. Swedbank Processes Personal Data of Data Subjects such as Clients, legal representatives, authorized persons, contact persons, counterparties, payers, board members, ultimate beneficial owners, as well as Personal Data of other Data Subjects provided for in the Principles. Categories of Data Subjects referred to in this definition are included in the definition of the Client.

Personal Data is collected from you directly from your use or express wish to use of the Services. Swedbank, depending on the Services provided to the Client, obtains Personal Data from external data sources such as:

• public registers (including the Population Register, the Register of Legal Persons, the Securities Register, the Real Estate Register, the Motor Vehicle Register);
• persons acting as intermediaries for financial institutions in providing and obtaining Personal Data on the Client’s financial obligations and their performance, where necessary for the purposes of solvency and debt management of the person such as (UAB Creditinfo Lietuva and UAB Scorify);
• consolidated debtor files (UAB Creditinfo Lietuva) when necessary for the purposes of management of personal solvency and debts;
• other database processors, as well as the persons referred to in separate sections of the Principles.

Swedbank collects Personal Data through recording telephone calls, images and/or audio and through saving e-mail communication, and documents the Client’s interaction and communication with Swedbank.

Swedbank collects and processes the following categories of Personal Data:

Identification data such as name, last name, personal identification number, date of birth, identity document details.

Contact data such as address, phone number, email address, language of communication.

Financial data such as ownerships, transactions, credits, income, liabilities, accrued assets. Account data such as card number and bank account number.

Data about the Client’s financial experience and investment goals such as data collected during the selection and provision of investment services and other products carrying investment risk, for example, data containing proof of financial experience in trading.

Data about trustworthiness and due diligence such as data about payment behaviour, damage caused to Swedbank or other party, data that enables Swedbank to perform its due diligence measures regarding money laundering and terrorist financing prevention and to ensure the compliance with international sanctions, including the purpose of the business relationship and whether the Client is a politically exposed person, data on the origin of assets or wealth such as data regarding the Client’s counterparties and business activities; as well as data regarding existing and historical insurance contracts and applications (e.g. duration of insurance relationship and claim history, insurance risk assessment history including declined insurance applications).

Data obtained and/or created while performing an obligation arising from the Governing Law such as data that Swedbank is required to report to the authorities, for example, tax authorities, courts, law enforcement agencies including details of income, credit commitments, property holdings, remarks and debt balances; as well as the motor vehicle insurance bureau including details of concluded insurance contracts and paid insurance indemnities.

Data collected by means of communication and other technical means such as data contained in messages, e-mails, photographs, video and/or audio recordings; data collected from the Client upon arrival at Swedbank’s customer service offices, ATMs and other Service locations or in communication with Swedbank; data related to the Client’s visit to Swedbank’s websites or collected using Swedbank’s Internet Banking or the mobile application.

Data on behavioural habits, preferences and satisfaction with the Services such as data on activity in using the Services, the Services provided to the Client, personal settings in Swedbank’s internet bank or app, preferences with regard to sustainability, feedback on the Services; whether the Client is satisfied with the Services; data on the Client’s hobbies and/or personal habits which may affect the Client’s health and which may be taken into account as risk factors in the assessment of the insurance risk.

Family data such as information about the Client’s family and relationships.

Demographic data such as country of residence, date of birth and citizenship.

Children’s data such as data collected and Processed when a child uses the Services or when a child is the beneficiary or the insured in an insurance contract.

Professional data such as education or professional career.

Data about relationships with legal entities such as data submitted by the Client or obtained from public databases or a third party as a service provider for the execution of transactions on behalf of a particular legal entity.

Relationship with Swedbank status data such as the segment to which the Client belongs, information about the Client’s participation in a customer service programme or the assignment of a risk level to the Client.

Sensitive data such as special categories of Personal Data (for example, data concerning health) and data about criminal convictions and offences, for example, when necessary to handle an insurance claim or to assess the money laundering and terrorist financing risk. The provision of some Services requires Swedbank to Process special categories of Personal Data. Swedbank will ask for the Client’s consent when Processing special categories of Personal Data, for example, when information is required for the Services related to insurance services. Special categories of Personal Data may also be Processed to pursue a legal claim or based on a legal obligation that Swedbank is subject to.

We Process your personal data only if we have a valid reason to do so. This reason can be based on the following legal ground(s):

• Performance of agreement is one of the main legal bases according to which we Process Personal Data to provide Services. This includes Processing necessary to take steps at your request prior to entering into an agreement, as well as to conclude, amend, execute, maintain and terminate an agreement.
• Compliance with legal obligation is the legal basis for the Processing that is necessary for us to comply with the Governing Law.
• Legitimate interest to Process Personal Data is the legal basis for the Processing of Personal Data for our specific reasonable interest of Data controller or third party, which is balanced against your interests and rights as a Data Subject.
• Consent provided by you. In cases where we ask for your consent to Process Personal Data you will be separately informed of the specific purpose of Processing. You can withdraw consent given at any time.

To be able to provide the Services, as well as in other cases when it is necessary, Swedbank may share the Clients’ Personal Data with Recipients.

Swedbank will not share more Personal Data than necessary for the particular purpose of Processing. Recipients may Process the Personal Data as Data Processors and/or as Data Controllers. When the Recipient Processes Client’s Personal Data on its own behalf as a Data Controller, the Recipient is responsible for providing information to Data Subjects on such Processing of Personal Data. In such a case:

The Recipients acting as Data Controllers are, for example:

• Legal entities and their branches belonging to the Swedbank Group.
• Public bodies and institutions and other persons exercising functions conferred on them by law, such as supervisory authorities, tax administrations, law enforcement authorities, bailiffs, notaries, courts and out- of-court dispute resolution bodies.
• Financial and legal consultants, auditors or any other service providers of Swedbank, Swedbank’s authorized persons.
• Persons maintaining registers (including the Population Register, the Register of Legal Entities, the Securities Register, the Real Estate Register, the Motor Vehicle Register, the Joint Debtors’ Files (Creditinfo Lietuva UAB), or any other registers where Personal Data is processed).
• Persons and undertakings collecting debts, persons assuming rights and obligations under contracts, persons administering insolvency proceedings.
• Persons who guarantee due discharge of the Client’s obligations to Swedbank, such as guarantors, surety and collateral providers.
• Persons and suppliers related to the provision of Services to Swedbank such as telecommunications, postal services, providers of services rendered to the Client, when the Client orders e-invoices for these services.

Swedbank recommends that the Client contact the Data Recipient regarding the processing of Personal Data by the Data Recipient.

The Recipients acting as Data Processors are, for example:

• Legal entities belonging to the Swedbank Group and their branches when they Process Personal Data on behalf of Swedbank.
• Other persons involved in the provision of the Services, such as providers of information technologies, hosting, cloud computing, archiving, printing services, technical experts and valuators.
• Persons acting as intermediaries for financial institutions in providing and obtaining Personal Data on the Client’s financial commitments and their performance, where necessary for the purposes of personal solvency and debt management (such as UAB Creditinfo Lietuva and UAB Scorify).

You can find information on Data Recipients in relation to the specific purpose of Processing Personal Data in Section 5 of the Principles.

As a general rule, Clients’ Personal Data is Processed within the EU/EEA but in some cases transferred to and Processed in countries outside of the EU/EEA.

The transfer and Processing of Personal Data outside of the EU/EEA can take place provided there is a legal basis for it and one of the following conditions is met:

• The country outside the EU/EEA in which the Data Recipient is located ensures an adequate level of protection of personal data as decided by the European Commission.
• The Data Controller or Data Processor implements appropriate data security measures, for example, the transfer of Personal Data is carried out in accordance with a contract containing standard terms and conditions approved by the European Commission or other standard terms and conditions approved in accordance with the established procedure, an approved code of conduct, or the Data Recipient is certified.
• Derogations for specific situations apply, for example, in case of the Client’s explicit consent, performance of a contract with the Client, conclusion or performance of a contract concluded in the interest of the Client, establishment, exercise or defence of legal claims, important reasons of public interest.

Upon request, the Client can receive further details on Personal Data transfers to countries outside of the EU/ EEA and the appropriate safeguards.

Personal Data will be retained for the period which depends on the particular purpose of Processing for which the data is collected, or which is stipulated in the Regulatory Legislation. Personal Data will be processed by Swedbank as long as the business relationship with the Client exists. For example, after the contractual relationship has expired, Swedbank will Process Personal Data in order to comply with Governing law in area of prevention of money laundering and terrorist financing anti-money laundering purposes, as well as for retention period established and applied when the Personal Data is processed for purposes based on Swedbank legitimate interest, for example, for the establishment, exercise or defence of legal claims for a period of general prescription according to the Regulatory Legislation.

Examples of retention periods:

• Client’s Personal Data during business relationship that is related to the provision of Services – this Personal Data remains at the disposal of Swedbank until the end of your business relationship us, unless another justified purpose exists that requires to retain Personal Data longer.
• When Client’s Personal Data is necessary to protect the legitimate interests of Swedbank under the civil law in the event of a claim – a maximum of 10 years from the termination of contract of the Service.
• When Client’s Personal Data is necessary to fulfil a legal obligation under the Governing Law related to the prevention of money laundering and terrorist financing – 8 years from the termination of business relationship.
• When Client’s Personal Data is necessary to protect legitimate interests if Swedbank is under investigation or litigation – until the end of the investigation and litigation.
• When Client’s Personal Data is Processed in relation to video surveillance for the purpose of ensuring the security of Swedbank’s visitors, employees and assets – a maximum of 90 days, days from the moment of recording, unless there is another purpose of Processing (for example, in connection with criminal investigation).
• When Client’s Personal Data is Processed for marketing purposes – only for as long as the Client’s consent is valid.

Why we Process Personal Data: The Governing Law obligates us to identify our Clients and, where relevant, their representatives and persons participating in an occasional transaction.

How we Process Personal Data: For this purpose, we will ask you to provide a valid identity document and if necessary, other documentation relevant for identification. We use the authentication tools when verifying your identity. We must ensure that your identification data is correct and up to date during the Service provision period; we also share your identification data with the Legal entities within Swedbank Group operating in Lithuania to provide you with the Services of these entities.

5.1.1. Identification

For the purpose of identification, we ask you to provide a valid identity document, the details of which we check against the Invalid Personal Documents Database.

In cases where you represent a minor (child) in the conclusion of a contract, we ask you to provide the minor’s valid identity document, which we check in the Invalid Personal Documents database, and we additionally check your (the parent’s) eligibility to represent the minor in the Population Register of the Republic of Lithuania.

When you continue to use the Services, we must ensure that your identification data is correct and up-to-date. For this purpose, we ask you to update your identification data provided to Swedbank and we update your identification data, which is indicated in the identity document, automatically in accordance with the personal data processed in the Population Register of the Republic of Lithuania.

Your identification data is transferred to Swedbank Group companies operating in Lithuania, whose services you use or wish to use, in order to ensure that your Personal Identity Data is correct and updated.

5.1.2. Authentication

During the authentication process, we verify a person’s identity in order to provide the Services at a Swedbank branch or remotely, for example, when you call us or use online banking.

Authentication is usually carried out using authentication tools provided by us or other service providers, such as Smart-ID provided by SK ID Solutions AS. You may also use authentication tools that are acceptable to us in accordance with the law, such as mobile signature, ID card, or other solutions that we consider to be secure and acceptable (biometric login, use of a PIN in the Swedbank app, Pin generator). When you use an authentication tool provided by another company, we will transfer your identification data and communication and device data (such as IP address and device type) to this company. Additionally, in this case, information about your use of our Services will be transferred.

Why we Process Personal Data: We Process Personal Data to fulfil a legal obligation imposed by the Governing Law on money laundering and terrorist financing, international sanctions.

How we Process Personal Data: we collect Personal Data from you and external sources such as public registers, use of the Services, including execution of Know Your Client requirements and fulfilment of our obligation to monitor transactions. Your Personal Data is transferred to data Recipients, such as the authorities, when it is required according to the respective Governing Law.

Applicable legislation obligates us to perform due diligence activities, including knowing our clients and understanding the purpose and nature of the business relationship and occasional transactions. We must also assess the risks associated with money laundering and terrorist financing and enforce international sanctions. This helps safeguarding certain public interests, as well as ensuring that our Services are used for legitimate purposes and are protected against misuse.

For these purposes, we are required to establish your identity (for more information, see section “Identification and Authentication”), and we ask you to provide accurate and valid information about you and documentation to support the information you provide where necessary. We may use information obtained from public registers, such as the Population Register, the Register of Legal Entities, the Real Estate Register, as well as data provided by you. For this purpose, we may also review publicly available information about you. In order to comply with the requirements of Governing Law or based on our legitimate interest, we check lists of persons subject to sanctions (databases) to ensure that our Services are not provided to, or used by, persons subject to, or associated with, international sanctions for the purpose of violating or circumventing such sanctions.

During your business relationship with us, we, regularly or based on a particular case, will ask you to update the Personal Data you’ve provided and will check if the data obtained from the external registers mentioned above is up to date. The Governing Law also obligates us to constantly monitor your activity and transactions to ensure that they are not considered suspicious and do not fall under sanctions. The due diligence activities and their regularity depend on our assessment of the Client’s risk of money laundering and terrorist financing.

In accordance with the requirements of the Governing Law, we are obliged to inform the competent authorities (the Financial Crime Investigation Service) of suspected cases of money laundering and terrorist financing and to ensure the confidentiality of such notification.

We also process Personal Data of natural persons associated with Business Clients for the above purpose. We identify the identity of the representative of the legal entity (manager, authorised representative, proxy, other persons holding management positions of the legal entity, e.g. insolvency administrators) and collect their personal identity data, demographic data, contact data, data on their relationship with legal entities for this purpose. We also ask for the identification and demographic data of the legal entity’s participants, beneficiaries. If necessary, we ask the legal entity to provide additional documents and information about the beneficiaries, such as the source of funds and assets or details of links to legal persons. Where necessary, we also collect and regularly update Personal Data of the legal entity’s representatives, participants and beneficiaries from registers such as the Population Register, the Register of Legal Persons, including the Information System for Participants of Legal Persons, the Information Subsystem for Beneficiaries of Legal Persons, and the Real Estate Register, using publicly available information, where necessary. In order to ensure compliance with international sanctions, we check lists and databases of sanctioned persons.

Why we Process Personal Data: We Process your Personal Data to provide the daily banking Services, such as bank accounts, deposits, payment services and other daily banking Services requested by you, as well as to manage relationship with you, provide, control and administer access to the Services.

How we Process Personal Data: the Processing involves the collection of Personal Data from you and from the use of the Service, transfer of Personal Data to the Recipients in order to perform a Service agreement, when it’s required under the Governing Law, and the receipt of Personal Data from third parties, such as other payment service providers.

5.3.1. You have opened and hold a current account with us

When you open an account with us, we Process your Personal Data for the purpose of serving you according to the agreement and to provide you with other Services related to the bank account as requested by you.

In addition to processing Personal Data for the purpose of performance of the Contract, in accordance with the obligation imposed by the Governing Law, we transfer Personal Data relating to the opened account to the tax administering authority (the State Tax Inspectorate of the Republic of Lithuania).

When the account information service is provided to you by Swedbank at your request, which allows you to see information regarding your account opened and available online at another financial institution, your Personal Data, such as the identification, account, communication and device data, is transmitted to Swedbank from this financial institution.

We process your Personal Data in order to comply with a legal obligation in order to fulfil your requests for an account information service initiated from another financial institution. As part of this service, where you have given your consent to the other financial institution, you will be granted access to your account information held with Swedbank using your existing access at that financial institution. For this purpose, we disclose to the other financial institution your Personal Data, such as identification data, bank account data, communication and device data.

5.3.2. You use a Swedbank payment card

If you request and conclude an agreement for a Swedbank payment card, we Process your Personal Data for the purpose of concluding and fulfilling the respective payment card agreement, including card ordering, card personalization and activation, providing support in card related issues and preventing card fraud.

In order to execute card transactions, we Process your Personal Data for authorization and clearing of the transaction (incl. transactions initiated by the merchant). If you file a complaint about a card transaction, your transaction data may be shared with the relevant international payment card organisation (for example, Mastercard).

When Clients order a supplementary payment card linked to their account and we Process Personal Data of the holder of the supplementary card, the Processing is based on our legitimate interest to carry out business activity and provide the Service.

5.3.3. You send or receive payments

We Process Personal Data when providing payments, including payment initiation services. For providing these Services we Process your Personal Data (including sharing data with external parties like the payee, payment organisations, correspondent banks and similar parties) as indicated by you when you submit a payment order.

If you have registered your phone number linked to your account with the Proxy Lookup Service System maintained by the Bank of Lithuania acting with Swedbank and other participants of the system as joint Data Controllers, your Personal Data is Processed for the purpose of the inclusion in the register based on your consent to use the Service. This enables You to perform payments under phone number, and the Processing involves sharing Personal Data (telephone number, bank account number, name and surname) with the payee.

In order to comply with a legal obligation, we process your Personal Data in order to comply with requests to initiate a payment from your bank account where such payment is initiated by a third party payment service provider. As part of this service, where you have provided your consent to the financial institution, you are granted access to your account information held with Swedbank using your existing access at that financial institution. For this purpose, we disclose to another financial institution your Personal Data such as Identification data, bank account data, communication and device data.

Similarly, your Personal Data is processed when you initiate a payment from an account with Swedbank using a third-party payment service provider’s online banking service, including a payment initiation service using Bank Link payments via the Open Banking Interface.

Why we Process Personal Data: We Process Personal Data for the purpose of providing the financing Services chosen by you and to comply with the Governing Law in the area of financing Services.

How we Process Personal Data: Personal Data is Processed when we conclude, perform and terminate agreements such as agreements for consumer credit (like the Small Loan, Car Loan, Home Small Loan, Solar Panels Loan, Study Loan, credit card limits), mortgage loan, leasing and similar Services related to the provision of financing to the Client. We also Process your Personal Data in order to comply with the Governing Law, including to manage your solvency during the term of the agreement, and to pursue our legitimate interest. Personal Data is collected from you and from external sources. Depending on the financing Service and the particular situation of the Client, Personal Data is disclosed to the Recipients in order to conclude and execute the agreement, to comply with the Governing Law or to defend our legitimate interest.

5.4.1. You are a natural person who has applied for financing services

Swedbank pursues legitimate interest to enable fast decision-making once the Client applies for financing. Considering this, we Process, by automated means, the Client’s Personal Data obtained from the Client and the Client’s use of the Service, including the Personal Data from transactions performed in an account held with Swedbank and data obtained from external registers, in order to ensure fast and accurate decision- making when the Client applies for financing.

Some credit applications are evaluated and decided upon using automated processing of Personal Data, including profiling. This means we assess your creditworthiness by automated means. For this purpose, your Personal Data provided in the application form, as well as Personal Data held by Swedbank and Personal Data obtained from external sources are evaluated. The assessment of your creditworthiness is carried out in order to ensure that the provision of financing services complies with the requirements of the Governing Law, such as responsible lending, and is necessary for the conclusion of the contract between you and Swedbank. In the event that the decision has been made solely by automated means, you have the right to request Swedbank to have it reviewed by an employee.

For the purpose of creditworthiness assessment and in order to verify whether the Client meets the financing criteria, we process Personal Data such as the types and amounts of the desired financial and/or property obligations for which a positive or negative decision has been made, data on the fulfilment of obligations, data on the workplace, income, its types and sources, marital status, number of children, data on the funds accumulated in Swedbank’s accounts and the transactions therein, and any other data necessary for risk assessment and debt management. In addition to the information we receive from you, we also collect data from external sources such as databases and registry service providers - UAB Creditinfo Lietuva, UAB Scorify, the Social Insurance Fund Board, and registers maintained by the State Enterprise “Centre of Registers”. In certain cases, in order to obtain Personal Data, we use the services of persons who act as intermediaries in providing and receiving Personal Data (Data Processors).

When you enter into an agreement with us (including the co-borrower or surety contract), in order to comply with the statutory requirements to provide data on the concluded financial Services agreements, their performance and/or changes in the performance, we share the Personal Data of contracting parties with an external register the Bank of Lithuania.

To promote responsible lending on the market and based on our legitimate interest, we disclose Personal Data about the Client’s financial Services agreements, their performance and/or changes in the performance, including arrears, to another financial institution when the Client applies for financing service of that financial institution. The Personal Data is shared through the services of intermediaries in the transmission of Personal Data, such as: UAB Creditinfo Lietuva, UAB Scorify.

Where you conclude a contract for financing services, the performance of which is guaranteed by a third party operating under an approved special financing programme, or where financing is provided for a specific purpose, your Personal Data may be transferred to third parties participating in such financing programmes: such as, for example, a third party providing a financing guarantee to the borrower, or, for example, in the case of a study loan, to the State Fund for Studies and the Ministry of Social Security and Labour of the Republic of Lithuania.

For the purposes set out above, we process the following categories of your Personal Data, such as identification data, demographic data, family data, health data (in the case of a request for deferment of a credit payment for health reasons), contact data, bank account data, financial data, Data about trustworthiness and due diligence, data obtained and/or created while performing an obligation arising from the Governing Law, and professional data.

The extent of Processing your Personal Data depends on your role in the financing process, i.e. whether you are the Client concluding the agreement with us or you have a different role in the financing relationship, for example, your creditworthiness will not be assessed if you are the seller of an asset in a leasing deal. In case of the role of a contact person or authorized representative we only Process identification data and contact data.

In the event of default or insolvency of the Client, we may disclose Personal Data to persons involved in the restructuring of the loan or to debt collectors based on our legitimate interest.

5.4.2. You are a person related to a Corporate Client

In the course of assessing the creditworthiness of a Business Client, we also process Personal Data of natural persons closely related to the Business Client. For this purpose, we process the Personal Data of the participant and the beneficiary of the legal entity (personal identity data, data on relationships with legal entities, financial data such as fulfilment of financial obligations, arrears, bankruptcy fact). Such Personal Data is obtained through the use of the Services by the Client.

The processing of Personal Data for this purpose helps to determine the amount of financing to be provided to the Business Client and to mitigate the lender’s risk of a possible default by the Business Client.

Why we Process Personal Data: We Process your Personal Data to advise you on selecting suitable products, provide the Services chosen by you and in order to comply with the Governing Law applicable in relation to the specific Service.

How we Process Personal Data: Personal data is collected and regularly updated directly from you through your use of the Services, including through communications, as well as from external sources such as registry managers (for example, Sodra’s Register of participants of pension accumulation, pension accumulation and pension benefit contracts of the Republic of Lithuania). For the purpose of assessing the suitability of the Service for you, the processing of your personal data also includes profiling. Depending on the Service provided, your Personal Data is disclosed to Data Recipients if necessary for the conclusion and performance of the contract and/or to comply with the requirements of the Governing law.

5.5.1. Investment Services

When you apply for investment services and investment activities (“Investment Services”) or the provision of ancillary services, we process your Personal Data for the purpose of concluding, performing, administering and terminating the contract. This includes the storage of your selected financial instruments and the execution of orders relating to them, as well as the processing of Personal Data necessary for the execution of material events (public offers) relating to your financial instruments, the provision of investment recommendations, the provision of a portfolio management service to you, and the provision of other investment and ancillary services.

We Process your Personal Data, including the use of Profiling, for assessing the suitability and appropriateness of the relevant Service or financial instrument to you before the provision of the Service.

Based on Governing Law, we must also record phone conversations and video streams in the provision of investment and ancillary Services.

We Process your Personal Data to provide mandatory reports to you about the costs and charges, trade execution, financial instrument holdings, losses for certain Services and financial instruments, and for other types of reports.

Your Personal Data may be disclosed to local and foreign supervisory and tax authorities, central securities depositories, exchanges or other execution venues, issuers of financial instruments or third parties appointed by the issuers, fund managers and other financial intermediaries.

For the purposes set out above, we process the following categories of Personal Data about you, such as identification data, contact data, children data (where a child is a user of the Services), family data, demographic data, professional data, financial data, data about the Client’s financial experience and investment objectives, bank account data, Data about habits, preferences and satisfaction, data about trustworthiness and due diligence, communication and device data, data about relationships with legal entities, data obtained and/or created while performing an obligation arising from the Governing Law, relationship status data, and any other Personal Data necessary for the provision of the relevant Services.

5.5.2. Pension funds

If you invest in Swedbank’s pension funds, we Process your Personal Data according to the legal requirements and fund rules. This includes providing you with necessary information, administering and Processing your orders for buying and selling fund units, keeping record of your accounts, payouts from the pension funds and inheritance, and keeping track of arrests by bailiffs.

For those purposes, we need to Process your account data, demographic data, contact data, financial data and identification data and state insurance number.

Why do we Process Personal Data: We Process Personal Data to provide the Service of risk-life and unit-linked life insurance chosen by you, including to assess your individual risk and calculate insurance premiums where needed, to handle claims related to the insurance contract and pay insurance benefit, and in order to comply with the Governing Law applicable in relation to the Service of risk-life and unit-linked life insurance.

How we Process Personal Data: Personal Data is Processed when we conclude, execute and terminate risk- life and/or unit-linked life insurance agreements. In addition, we Process your Personal Data in order to comply with the Governing Law applicable regarding life insurance Services. Personal data is collected from you and from, Swedbank AB, external sources, as well as regularly updated. Depending on the life insurance Service, Personal Data is disclosed to data Recipients in order to conclude and execute the agreement or to comply with the Governing Law.

5.6.1. You apply for insurance and have concluded insurance contract or submitted insurance benefit application

When you have submitted an application for a risk insurance Service, we Process your Personal Data to assess your individual risk level, calculate the insurance premium and sum insured and make an underwriting decision. We Process your Personal Data, including health data, by automated means and take automated decisions based on the Profiling to deliver fast underwriting decisions. When additional information is needed or you demand that the decision be taken manually, our specialist evaluates the application received. For this purpose, we Process your health data we receive from you, from: doctors: and medical institutions, and health data relating to your existing and previous insurance contract(s), insurance application submitted claims and insured event(s). You have the right to contest the automated decision and ask for the review of it by its employee.

When you have submitted an application for the unit-linked insurance Service, we Process your Personal Data, including use of Profiling, to assess the suitability and appropriateness of the Service for you.

When you have concluded an insurance contract, we Process your Personal Data to perform the insurance contract, amend and terminate the insurance contract when necessary, to refund the insurance premium, and make a payout based on the contract and taxation of the benefit. We also process Personal Data for the purpose of sending insurance-related notifications, debt notifications, annual reports or reports as required in the case of a cumulative life insurance contract.

For the purposes set out above, we Process your personal identification data, bank account data, contact data, financial data, family data, children’s data (where the provision of the Services is related to a child), health data, data on relations with legal entities, communication and device data, relationship status data, demographic data.

If you make a claim for an insurance benefit, we process your Personal Data in order to process the claim, including to decide on the benefit and to pay the insurance benefit in the event of an insured event. For this purpose, we process your Personal Data, including health data provided by you, as well as Personal Data obtained from doctors and medical institutions, and Personal Data relating to your current or previous insurance contracts, insurance applications, claims for insurance benefits and insured events. We process your financial data that we receive from Swedbank, AB, where this is necessary for the payment of an insurance claim, as well as Personal Data received from public authorities, such as data about criminal convictions and offences.

For the purposes set out above, additionally we Process the Personal Data such as your professional data, data about criminal convictions and offences, data about habits, preferences and satisfaction.

5.6.2. Personal Data Processing to manage insurance risk

When you have submitted an insurance benefit application, we share your Personal Data, including health data, with the reinsurance company to fulfil our obligations arising from the reinsurance agreement to handle the claim and receive the insurance benefit. Your Personal Data shared with the reinsurer is stored on servers located in Switzerland. Please note that the European Commission has adopted a decision that Switzerland ensures an adequate level of personal data protection.

For the purpose set out above, we process your identification data, bank account data, contact data, financial data, family data, children’s data (where the provision of the Services is related to a child), health data, professional data, data about criminal convictions and offences, data relating to your relationship with legal entities, communication and device data, data about habits, preferences and satisfaction and demographic data.

Why we Process Personal Data: We Process Personal Data to provide the Service of non-life insurance chosen by you, including to assess your insurance risk and calculate insurance premiums where needed, to handle claims related to the insurance contract and pay the insurance benefit, and in order to comply with the Governing Law applicable in relation to the Service of non-life insurance.

How we Process Personal Data: Personal Data is Processed when we conclude, perform and terminate non- life insurance contracts. In addition, we Process your Personal Data in order to comply with the Governing Law in the area of non-life insurance Services. Personal Data is collected from you and from external sources, as well as regularly updated. Depending on the non-life insurance Service, Personal Data is disclosed to data Recipients in order to conclude and perform the contract, to comply with the Governing Law.

5.7.1. You apply for insurance and have concluded insurance contract or you have submitted a claim application

When you have applied for an insurance Service, we Process your Personal Data to assess your trustworthiness and to set the insurance premium and the conditions according to your risk level. In order to assess the insurance risk, calculate the insurance premium and conclude the insurance contract, we Process your Personal Data by automated means. We also take automated decisions based on Profiling to deliver fast underwriting decisions. When additional information or risk assessment is needed or you demand that the decision be taken manually, our specialist evaluates the application received. We Process Personal Data we receive from providers of registers and the Personal Data we have regarding you, e.g., data about any previously concluded insurance contracts and the occurrence of insured events, and the data shared by Swedbank, AB and Swedbank lizingas, UAB. You have the right to contest the automated decision and ask for the review of it by its employee.

When you have concluded an insurance contract, we Process your Personal Data to perform the insurance contract, to send policy renewals, amend and terminate the insurance contract, refund insurance premiums. In addition, we Process your Personal Data to send insurance Service-related messages, debt and event- based letters.

For the purposes set out above, we process your identification data, bank account data, contact data, financial data, family data, children’s data (where the provision of the Services is related to a child), health data, professional data, data about criminal convictions and offences , data about relationships with legal entities, communication and device data, data about habits, preferences and satisfaction, relationship status data, demographic data.

Where you make a claim for an insurance benefit, we process your Personal Data for the purposes of processing the claim, including deciding on the benefit and paying the insurance benefit in the event of an insured event. We process your Personal Data obtained from other insurance companies, public registers, public authorities, doctors and medical institutions, Swedbank, AB, Swedbank lizingas, UAB, as well as Personal Data, including health data, relating to your previous claims for insurance benefits.

For the purposes set out above, in addition to the Personal Data set out below, we process data your professional data, data about criminal convictions and offences, data about habits, preferences and satisfaction.

When you need medical assistance in connection with an insured event under travel insurance in relation to a country outside the EU/EEA, Your Personal Data is transferred to the respective country outside the EU/ EEA to confirm the validity of the insurance cover. The transfer of your Personal Data is necessary for the performance of the contract between you and Swedbank.

Your Personal Data is transferred to the country outside the EU/EEA in order to handle the motor third party liability insurance claim in case of an insured event related to a specific country (such as Albania, Andorra, Azerbaijan, Bosnia and Herzegovina, Macedonia, Moldova, Montenegro, Morocco, Serbia, Switzerland, the United Kingdom, Tunisia, Turkey and Ukraine). The transfer of your Personal Data is necessary for the performance of the contract between you and Swedbank. Please note that the European Commission has adopted decisions that Andorra, Switzerland and the United Kingdom ensure an adequate level of personal data protection.

5.7.2. Personal Data Processing to manage insurance risk

We Process your Personal Data to provide you with an insurance price corresponding to your personal level of risk and to develop pricing models, to control the quality of vehicle repair work and to submit a claim for the compensation of damage against the third party who caused damage to you. When we have paid you insurance benefit, we share your Personal Data with the reinsurance company to fulfil our obligations under the reinsurance agreement to handle the claim and receive the insurance benefit.

For the purpose of enforcing an insurance contract or exercising a right of recourse, we also transfer your Personal Data to another insurance company at its request.

For the purpose set out above, we process your identification data, bank account data, contact data, financial data, family data, children’s data (where the provision of the Services is related to a child), health data, and data relating to your profession, data about criminal convictions and offences , data relating to relationships with legal entities, communication and device data, data about habits, preferences and satisfaction, relationship status data, demographic data.

Why we Process Personal Data: We Process Personal Data to prepare and provide you with offers that meet your needs, relevant information and to conduct opinion surveys, organise lotteries and campaigns, and customer service programs for Clients.

How we Process Personal Data: We Process your Personal Data that is collected from you and from your use of Services for marketing purposes, including creation of your profile to provide you with personalised marketing communication. We share your Personal Data within Swedbank Group companies operating in Lithuania for this purpose.

5.8.1. Profiling and your rights in marketing

We carry out Profiling using Personal Data for marketing purposes in order to assess which products and Services may be suitable and relevant to your interests and needs. This enables you to receive tailored offers and Services rather than general information.

For marketing purposes, we assess certain personal characteristics of the Client, in particular to analyse or predict, for example, the economic situation, personal preferences, interest of such individual. We collect and automatically Process Personal Data for the purpose of creating a Client profile and thereby providing the Client with suitable recommendation and offers. Such data are, for example, information about the Client’s product holdings and the Client’s usage of the Service. We also collect data about the Client’s economic situation, typical behaviour and lifestyle patterns based on the Client’s usage of the Service, performed transactions and information provided to Swedbank. This data is used for creating segments and profiles, which are necessary to execute customer service programs for the Client and providing suitable offers to the Client. The Processing results in advice and offers provided based on the Client’s needs, inclusion of the Client in customer service programs and therefore application of special prices and service conditions, and exclusion from the programs.

You have the right to object at any time to the Processing of Personal Data for marketing purposes or to withdraw your consent when the Processing is based on consent. Information about data Processed when you provide consent or do not object to Processing based on legitimate interest is provided to you in the information concerning such consent or permission (legitimate interest) for the Processing.

5.8.2. Preparation of offers

To provide you with the best user experience and to prepare relevant offers at the most convenient time. By identifying the Client’s interests and needs at the time, we prepare the following types of offers:

• Personalized suggestions – practical suggestions for you to help you choose the most appropriate Services, to improve your day-to-day use or to avoid inconvenience, and other suggestions designed to best serve the interests and needs of the Client, such as updating the Services or replacing some Services with others (applicable to Clients aged 14 and over).
• Personalized financing and insurance limits – calculated offers to help you understand what lending and leasing options are available to you, as well as what insurance premiums you might be eligible for (for Clients aged 18 and over).
• Offers together with partners – practical suggestions to help you choose the right Services and benefits from Swedbank’s partners. In this case, Personal Data is not transferred to such partners (applicable to Clients aged 14 and over).
• Other types of offers to which you have provided consent.

You may receive these offers if you give your consent. You can choose to consent to all types of offers, some of them or none of them. You can provide your consent, manage your withdrawal in the Privacy Settings section of the Internet Bank, by visiting any Swedbank Customer Service Unit or by calling the Advice Centre.

If you want to monitor your spending and see an overview of your spending in different areas, you can use the My Budget tool available in the Internet Bank and the Swedbank app. The processing of your Personal Data using this tool is subject to your consent.

5.8.3. Preparation of other information

To increase the Clients’ awareness of Swedbank’s news and Services, we prepare the following types of information for our Clients:

• Relevant information – information created to invite the Client to events, to send greetings and newsletters;
• Client satisfaction surveys – questionnaires designed to invite the Client to provide feedback on the Services they use and to help us improve those.

We shall prepare this information based on our legitimate interest without asking for consent, but you can decide whether or not to permit us to do so. You may choose which types of information to receive or to object to, that is, each type separately or both together.

You can object to the preparation of this information at any time and manage your choices in the Privacy Settings section of the Internet Bank, by visiting any Swedbank Client Service Unit or by calling the Advice Centre.

5.8.4. Receiving offers and relevant information

You may receive our marketing offers and other relevant information to which you have provided consent or permission through the following communication channels: 1) e-mail; 2) SMS; 3) phone; 4) post.

You may receive offers and other information by providing your consent to one, some or all channels. This consent may be provided or withdrawn by you in the same manner as described in Section 5.8.2. In addition, you may unsubscribe from receiving direct marketing e-mails by clicking on the link in the footer of each e-mail sent.

5.8.5. Client service programs

We offer several programs for our Clients, for example, special customer service conditions, better pricing and/or additional values are available for participants of the programs. In order to be able to include in and apply special conditions of the customer service programs, we Process Personal Data by automated means. Information about Processing of Personal Data in relation to the project or program is provided in the terms and conditions of the respective project or program or in an additional notification. The Processing of Personal Data for the above purpose is performed if the Client does not object to the Processing when the Processing is based on legitimate interest of Swedbank, or the Client has accepted the terms and conditions and thereby agreed to participate in the program.

To execute customer service programs, in case of each program we Process identification data and contact data. Depending on the specific program, we Process relevant additional Personal Data categories, such as demographic data, relationship status data, data about relationships with legal entities, communication and device data, account data, data about habits, preferences and satisfaction, financial data.

5.8.6. Promotions and campaigns

We process Personal Data for the purpose of organising and carrying out promotions and campaigns. This includes the inclusion of a Client who is eligible to participate in a promotion or campaign in such promotion or campaign.

Personal Data is processed for the above purpose unless the Client has objected to such processing where it is based on legitimate interest, or where the Client has confirmed the terms of participation in the promotion or campaign and thus consented to participate. The Client has the right to request to be removed from the list of participants in the promotion or campaign and such request will be implemented within 5 days.

In order to organise promotions, games, campaigns and events for our Clients, we process bank account data, professional data, financial data, contact data, data about habits, preferences and satisfaction, demographic data, family data, identification data, data on relationships with legal entities.

Why do we Process Personal Data: Processing of Personal Data is necessary for the purpose of Service quality and to protect the interests of the Client and Swedbank, to handle Clients’ complaints and comply with the Governing Law.

How do we Process Personal Data: For the purpose of Service quality and to protect the interests of the Client and Swedbank, phone calls and video streams are recorded. Additionally, Swedbank Processes Personal Data in relation to written correspondence in order to ensure the quality of the Service and data for handling Clients’ claims.

Swedbank Processes Personal Data when it records telephone calls and video streams with the Client to improve the Service quality and to protect the interests of the Client and Swedbank, For this purpose phone calls and video streams are recorded if the Client agrees to such recording.

Additionally, we Process Personal Data in relation to written correspondence received via email, Internet Banking message and chat in order to ensure the quality of the Service by pursuing Swedbank’s legitimate interest. We Process the Personal Data for handling and replying to Clients’ complaints and this Processing is based on the legal obligation of Swedbank.

The categories of your Personal Data processed for the purposes set out above depend on the Services provided to you and/or the complaint or other request made by you.

Why we Process Personal Data: We Process Personal Data to provide consultations and service communication to the Clients.

How we Process Personal Data: We Process your Personal Data when we serve you at customer-serving branches of Swedbank or in other ways of serving Clients and when we communicate with the Client via phone, chat, email and other means of communication. Your Personal Data, such as contact data, is shared within Swedbank group companies operating in Lithuania in order to ensure that the Personal Data is kept up to date.

When you register for a consultation at customer-serving branches of Swedbank, we Process your Personal Data for the purposes of identifying you and successfully registering for a consultation at a time of your choice and preparing for the provision of the Services you’ve requested.

We Process your Personal Data available to Swedbank, such as financial data, in order to provide you with the requested consultation on our Service. For this purpose your Personal Data can be obtained from Swedbank group companies operating in Lithuania.

Your Personal Data, such as contact data, information about requested, provided Services and/or performance of a Service agreement, when we submit information to you and communicate with you via phone, chat, email and other means of communication when it is necessary in relation to the provision of a Service or is required according to the Governing Law.

Why we Process Personal Data: We Process Personal Data to manage risks, ensuring that Swedbank operates safely and soundly and in compliance with the Governing Law.

How we Process Personal Data: We Process Personal Data in order to perform legal obligations established by the Governing Law in relation to risk management, fulfilment of capital requirements, preventing fraud and managing incidents. We disclose Personal Data to data Recipients, such as the authorities, when it required under the Governing Law or to protect the legitimate interest of Swedbank.

Sound risk management is part of the Governing Law which we must comply with, so that we are able to provide you with the Services, ensure secure banking and protect your money from fraudsters. We strive for low risk in our operations because it is the basis for building trust and delivering high value to you in the long-term.

For complying with legal obligations in risk management area, we use your Personal Data for the following purposes:

• Assessing and managing the credit risk, liquidity risk, market risk and counterparty risk.
• Carrying out risk hedging and fulfilling capital requirements for Swedbank.
• Solving incidents which may have impact on our core processes affecting the Services provided, as well as Personal Data breaches which may affect your private life.
• Discovering, investigating and reporting potentially suspicious transactions and market abuse.
• Monitoring transactions, including card transactions to detect and prevent fraud and reviewing, diagnosing and responding to detected activity that has been identified as potential fraud incidents.
• Monitoring compliance with laws, statutes, other regulations and relevant internal regulations.
• Ensuring business continuity and crisis management.
• Communicating with supervisory and other authorities, including regular mandatory and event-based reporting, obligation to alert the authorities of the Client’s behaviour that is suspicious from the market abuse perspective, cooperating with the authorities in carrying out various supervisory procedures or investigations.
• Cooperating and providing information to external auditors.

Why we Process Personal Data: We Process Personal Data to manage, maintain, develop, analyse and improve our business, the Services and your user experience, as well as to protect our legal interests.

How we Process Personal Data: We need to Process Personal Data when we perform activities like document management and archiving, perform analysis and testing for improving our Services, ensuring security and compliance of IT solutions in order to comply with the Governing Law or protect our legitimate interest.

Running our business requires us to carry out several administrative activities to ensure prudent operations. For example, we have a legal obligation to maintain accounting records. As a part of this, we Process your identification data, account data, contact data and demographic data when invoicing payments and issuing invoices.

Personal Data Processing is necessary also for the activities supporting our core business of providing Services. This includes, for example, document management and archiving, including storage of paper and digital information based on legal obligations or our legitimate interest.

It is our legitimate interest to maintain, develop, examine and improve our business, the Services and your user experience. Among other things, this includes using your data for administering our website and network, including testing to ensure quality, security and compliance of IT solutions to be deployed or when an incident occurs. In each case, Personal Data Processing is limited to the needs of the particular case, regarding categories of data subjects, the data used and the actual Processing.

We also Process Personal Data for the establishment, exercise or defence of legal claims. In most cases, data Processing for this purpose is limited to storing the data for potential legal claim cases. When we need to protect our legal rights or a claim has been lodged, the data relevant to the specific case is Processed. Depending on the case, this may also involve sharing data with other legal entities within Swedbank Group, the authorities, such as the Financial Supervisory Authority, courts or out-of-court disputes resolution bodies for the settlement of dispute and law firms providing legal services to us.

Why we Process Personal Data: We Process Personal Data of data subjects related to Corporate Clients for concluding and maintaining agreements, communicating with Corporate Clients, providing Services under the agreement, and ensuring that we follow the Governing Law.

For the sake of clarity, the term “Client” also includes all natural persons related to a Corporate Client whose Personal data we Process.

How we Process Personal Data: Personal Data is collected from the data subject, from the Corporate Client and from external sources, as well as regularly updated. Personal Data is disclosed to Recipients in order to conclude and perform the agreement with the Corporate Client and to comply with the Governing Law.

When you represent a Corporate Client, we Process your Personal Data based on our legitimate interest to conclude and fulfil agreements between that Corporate Client and us. This could be, for example, for communication with the Corporate Client’s representatives and contact persons and keeping information about legal and authorized representatives up to date. This ensures that only authorized persons can sign agreements, perform transactions, submit documents, access information or take other necessary actions on behalf of the Corporate Client. To learn more about data Processing regarding a specific Service, please see the section about that Service.

For the purposes listed above, the Personal Data categories we Process include identification data, contact data, professional data, data about relationships with legal entities, data about trustworthiness and due diligence, demographic data, financial data, data obtained and/or created while performing an obligation arising from the Governing Law.

Why we Process Personal Data: to ensure the security of Swedbank’s visitors, employees and assets.

How we Process Personal Data: For the purpose of conducting video surveillance as part of safety measures, Swedbank uses surveillance cameras and/or record sound at Swedbank’s premises and ATMs. Areas under video surveillance are marked with informative signs.

When Swedbank conducts video surveillance, Personal Data is contained in visual images and video recordings. When Swedbank conducts video surveillance of its branch offices, Personal Data may be contained in visual images, video and audio recordings.

Swedbank carries out video surveillance based on legitimate interests to ensure the security of Swedbank visitors, employees and assets. Visual images, video and audio recordings containing Personal Data are shared with the relevant Recipient in case the recorded material is needed for criminal investigation, or with a Recipient that maintains and services the video surveillance systems on behalf of Swedbank.

Under the Data Protection Legislation, the Client has the rights of a Data Subject with regard to Swedbank’s Processing of Personal Data. Those rights are:

• Receiving a confirmation if the Client’s Personal Data is Processed by Swedbank and, if so, then accessing it.
• Requiring the Client’s Personal Data to be corrected if it is inadequate, incomplete or incorrect.
• Requiring the erasure of the Client’s Personal Data.
• Restricting the Processing of the Client’s Personal Data.
• Objecting to the Processing of the Client’s Personal Data if Processing is based on Swedbank’s legitimate interests.
• Receiving the Personal Data that is provided by the Client and is Processed based on consent or performance of an agreement in a structured, commonly used electronic format and, where feasible, having such data transmitted to another service provider (the right to data portability).
• Withdrawing the consent provided for the Processing of the Client’s Personal Data.
• Requesting not to be subject to fully Automated Decision-Making, including Profiling, if such decision-making has legal effects or similarly significantly affects the Client. This right does not apply if the decision- making is necessary in order to enter into or to perform an agreement with the Client, if the decision-making is permitted under the Data Protection Legislation or if the Client has provided explicit consent.

Swedbank provides its Clients with remote and direct access to a large part of their Personal Data in the Internet Banking.

Taking into account that Swedbank Processes a large amount of information and in order to fulfil the Data Subject’s request as accurately as possible, Swedbank may ask the Client to specify the information, Processing activities or timeframe to which the Data Subject’s request relates.

The Client can exercise the Data Subject’s rights by submitting to Swedbank an identified request via the Internet Banking or branch office, or by calling the Consultation Centre, or by sending a request signed with the e-signature via email. An answer to the Data Subject’s request will be provided not later than within one month of receipt of the request; when necessary, this period may be extended by two more months.

The Client may change or update the Personal Data, manage preferences (consent and data Processing permissions) in the Internet Banking and mobile app, at branch offices or by calling the Consultation Centre.

The Client can lodge complaints pertaining to Swedbank’s Processing of Personal Data with the State Data Protection Inspectorate (website address: www.vdai.lrv.lt) if the Client considers that the Processing of the Client’s Personal Data violates the Client’s rights and interests under Data Protection Legislation.

The Client may contact Swedbank with any request, withdrawal of consent, update of data Processing permission, Data Subject’s rights or complaint regarding the Processing of Personal Data. Contact details of Swedbank are available on the website: www.swedbank.lt.

The Client may contact the appointed Data Protection Officer by email at: duomenuapsauga@swedbank.lt.

Swedbank is entitled to unilaterally amend the Principles at any time by informing the Clients on Swedbank’s website, by internet banking message, text message or e-mail at least one month prior to the effective date of the amendments, unless the amendments are necessary to ensure compliance with the Governing Law.

The Principles are available in Lithuanian and translated into English and Russian. In the event of disputes as to the interpretation of the language of the text, the Lithuanian version of the Principles shall prevail. The Principles shall enter into force on 1 September 2023 and the latest version shall be available at Swedbank’s customer service offices and on Swedbank’s website www.swedbank.lt.