Processing of Personal Data

These Principles of Processing Personal Data (hereinafter – “the Principles”) provide information on how Swedbank AB, Swedbank Lizingas UAB, Swedbank Investicijų Valdymas UAB, Swedbank P&C Insurance AS, acting through its branch in Lithuania, and Swedbank Life Insurance SE, acting through its branch in Lithuania, process Personal Data as data controllers.

More detailed information on how Personal Data are processed in certain key areas of Swedbank’s operations can be found in Section 5 of these Principles. The information provided in Section 5 of these Principles applies with respect to the Services provided to you and/or your business relationship with Swedbank.

Additional information on the Processing of Personal Data may be provided in Service Agreements, other documents related to the Services, on the Swedbank website, or upon individual request. Information on how to exercise your rights as a Data Subject and Swedbank’s contact details are provided at the end of this document.

Customer or you means any natural person who uses, has used or has expressed an intention to use the Services or is otherwise related to the Services, users of the Services, or business relationships with Swedbank, including business relationships that arose before the Principles came into force.

Corporate Customer means a legal person that uses, has used or has expressed an intention to use the Services.

Data Controller means a natural or legal person that, individually or jointly with others, determines the purposes and means of the Processing of Personal Data. Where Personal Data are processed in accordance with these Principles, Swedbank AB is the Data Controller when it processes Personal Data in the course of providing banking services to the Customer. In the case of lease services, the Data Controller is Swedbank Lizingas UAB, and in the case of lease agreements concluded from 1 January 2025 onward, the Data Controller is Swedbank, AB. In the case of pension accumulation services, Swedbank Investicijų Valdymas, UAB is the Data Controller; in the case of investment, third pillar pension accumulation and life insurance services, the Data Controller is Swedbank Life Insurance SE, acting through its branch in Lithuania; and in the case of non-life insurance services (e.g., home insurance), the Data Controller is Swedbank P&C Insurance AS, acting through its branch in Lithuania.

Processor means a natural or legal person that processes Personal Data on behalf of the Data Controller.

When processing Personal Data, Swedbank uses Processors and takes the necessary measures to ensure that said Processors process Personal Data in accordance with Swedbank’s documented instructions, and in compliance with necessary and sufficient security measures and the requirements of legal acts regulating Data Protection.

Data Protection Legislation means any personal data protection legislation applicable to Swedbank, such as Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation (GDPR)).

EU/EEA means the European Union/European Economic Area.

Personal Data or your data means any information that is related to you directly or indirectly.

Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation and use, as well as alignment, restriction, erasure or destruction.

Data Recipient means a natural or legal person, public authority or other body which Swedbank may disclose Personal Data to. The categories of Data Recipients are provided in item 1.6 and separate sections of these Principles.

Applicable Legislation means the laws and other legal acts that apply to Swedbank, such as legal acts that regulate activities for the prevention of money laundering and terrorist financing, banking secrecy, commercial activities, data protection, taxes, accounting, lending, consumer credits, payments, payment, insurance, lease and investment services, and other financial activities.

Services mean any Swedbank service, consultation or product that is provided at a customer service unit, on the website, via the Swedbank mobile application, by telephone, by video transmission, or by other means or at a Swedbank branch. This service relates to financing, saving, investing, lending, payment cards and payments, pension accumulation, insurance or leasing, as well as the services and products of carefully selected partners.

Swedbank, we, our and us means any legal entity or legal entity branch that belong to the Swedbank Group and has its registered office in Lithuania. The list of the Swedbank Group companies and branches in Lithuania is published online at www.swedbank.lt.

Swedbank Group means the public limited liability company Swedbank AB (publ.) established in Sweden and all legal entities (subsidiaries) directly or indirectly controlled by Swedbank AB (publ.).

Profiling means any form of automated processing of Personal Data that is carried out to evaluate certain personal aspects relating to a natural person, in particular concerning that natural person’s economic situation, personal preferences, interests, reliability or behaviour. More information about the profiling of Customers’ Personal Data can be found in items 5.4, 5.5, 5.6, 5.7, 5.8 and 5.12 of the Principles.

Automated Decision-Making means taking a decision without human involvement (i.e., a decision taken by automated means alone), which produces legal effects concerning the Data Subject or similarly significantly affects him or her. More information about Automated Decisions used by Swedbank can be found in items 5.4, 5.6 and 5.7 of the Principles.

Data Subject means an identifiable, living natural person whose Personal Data are processed by Swedbank. Swedbank processes Personal Data of Data Subjects such as customers, legal representatives, authorised representatives, contact persons, counterparties, payers, board members and ultimate beneficial owners, as well as of other Data Subjects specified in these Principles. These Data Subjects also mean the Customer as defined in the Principles.

Personal Data are collected from you directly, created when you use or express your intention to use the Services and collected from Swedbank Group companies. Depending on the Services provided to or requested by the Customer, Swedbank obtains Personal Data from external data sources such as:

• public registers (including the Population Register, the Register of Legal Entities, the Securities Register, the Real Property Register, the Motor Vehicle Register);
• entities acting as intermediaries for financial institutions in providing and obtaining Personal Data on the financial liabilities assumed by the Customer and the performance thereof, where necessary for the purposes of the person’s solvency and debt management (UAB Creditinfo Lietuva and UAB Scorify);
• consolidated debtor files (UAB Creditinfo Lietuva), where necessary for the purposes of the person’s solvency and debt management;
• other database managers, as well as the persons referred to in separate items of the Principles.

Swedbank collects Personal Data by recording telephone conversations, making video and/or audio recordings, saving correspondence received by e-mail, and otherwise documenting relations and communication with the Customer.

Swedbank collects and processes the following categories of Personal Data:

Identification data, such as name, surname, national identification number, date of birth, identity document data.

Contact details, such as address, telephone number, e-mail address, preferred language of communication.

Financial data, such as data on owned property, transactions, loans, income, liabilities and accrued assets.

Bank account details, such as payment card number and bank account number.

Data on the customer’s financial experience and investment goals, such as data collected during the selection and provision of investment services and other products carrying investment risk, for example, data proving investment knowledge related to trading in financial instruments.

Data related to the Customer’s reliability and performance assessment, such as data on financial operations and damage caused to Swedbank; data that Swedbank needs to apply the necessary measures in the prevention of money laundering and terrorist financing, to ensure the implementation of international sanctions, and to determine the purpose of the business relationship with the Customer, whether the Customer is a politically exposed person, and the source of origin of the assets; data on the Customer’s counterparties and business activities; as well as data on valid and expired insurance contracts and applications submitted (e.g., the duration of the insurance relationship, claim history and insurance risk assessment history including rejected insurance applications).

Data that are obtained and/or created in compliance with the requirements of the Applicable Legislation, such as data that Swedbank must provide to public authorities, including tax authorities, courts and other executive authorities. This information includes data on income, financial liabilities, property holdings and outstanding debts; it also includes the data that Swedbank must provide to the Motor Insurers’ Bureau of the Republic of Lithuania, including data on concluded insurance contracts and paid insurance benefits.

Data collected using communication and other technical means, such as data provided in messages, e-mails, photographs, and video and/or audio recordings; data collected when the Customer visits a Swedbank customer service unit, uses an ATM, visits other Service locations or communicates with Swedbank; data related to the Customer visiting Swedbank websites, data collected when the Customer uses Swedbank internet banking or the Swedbank app, and data related to the use of devices, such as IP address.

Data on behaviours, priorities and satisfaction with the Services, such as data on how active the Customer is in using the Services, the Services being provided to the Customer, and the Customer’s Swedbank internet banking or app settings, preferences with regard to sustainability and feedback on the Services; information on whether the Customer is satisfied with the Services; and data on the Customer’s hobbies and/or personal habits that may affect the Customer’s health and must therefore be taken into account as risk factors when assessing insurance risk.

Family details, such as information about the Customer’s family and relationships.

Demographic data, such as data on the country of residence, date of birth and citizenship.

Children’s details, such as data that are collected and processed when a child uses the Services, or when a child is a beneficiary or insured person under an insurance contract.

Professional data, such as data on education and professional activities.

Data on relationships with legal entities, such as data submitted by the Customer that is obtained from public registers or third-party service providers in executing transactions on behalf of the legal entity.

Data on the status of the relationship with Swedbank, such as information about the Customer belonging to a certain customer segment or customer service programme, or information that the Customer has a certain risk rating.

Special categories of Personal Data (e.g., health data) and data on criminal convictions and criminal offences (e.g., when such data are necessary for the purpose of examining an insurance claim or assessing the risk associated with money laundering and terrorist financing). In certain cases, Swedbank must process special categories of Personal Data in order to provide the Services. In cases where processing special categories of Personal Data is necessary, for example, when this is required for the provision of life insurance Services, Swedbank asks for the Customer’s consent. The processing of special categories of Personal Data may also be based on the need to comply with or assert a legal claim.

We only process your personal data when we have a legitimate purpose to do so. This purpose may be based on the following grounds:

• Performance of a contract is one of the main legal grounds on which we base the processing of Personal Data carried out in order to provide the Services. This includes the processing that is necessary in order to take steps at the request of the data subject prior to entering into a contract, or for the purpose of entering into, amending, performing, administering or terminating a contract.
• Discharge of a legal obligation is the basis for the processing of Personal Data in order to comply with the Applicable Legislation.
• Legitimate interest in processing Personal Data is the legal grounds for the processing of Personal Data for the purposes of the legitimate interests of the Data Controller or a third party, which override the interests or rights and freedoms of the data subject.
• Your consent. In cases where we ask for your consent to process Personal Data, you will be separately informed of the purpose of the said processing. You can withdraw your consent at any time.

In order to ensure the provision of Services or in other cases where necessary, Swedbank may disclose Personal Data to Data Recipients.

Swedbank does not disclose Personal Data beyond what is necessary for the specific purpose of processing the Personal Data. Data Recipients may process Personal Data by acting as Processors and/or Data Controllers. In the event that the Data Recipient processes Personal Data as a Data Controller, it is responsible for informing the data subjects about the said processing of Personal Data.

Data Recipients acting as Data Controllers are, for example:

• legal entities belonging to the Swedbank Group and the branches thereof;
• state bodies and institutions, and other persons performing functions assigned to them by law, such as supervisory authorities, tax administration and law enforcement authorities, judicial officers, notaries, courts and out-of-court dispute settlement bodies;
• persons providing financial and legal advice, performing audits for Swedbank or providing other services for Swedbank, as well as persons authorised by Swedbank;
• persons managing registers (including the Population Register, the Register of Legal Entities, the Securities Register, the Real Property Register, the Motor Vehicle Register, consolidated debtor files (Creditinfo Lietuva UAB), or any other registers where Personal Data are processed);
• persons and companies involved in debt collection, persons assuming rights and obligations under contracts and persons administering insolvency proceedings;
• persons ensuring the proper fulfilment of the Customer’s obligations to Swedbank, such as surety providers, guarantors and pledgors;
• other persons related to the provision of Services, telecommunications and postal service providers, and providers of services rendered to the Customer, when the Customer orders electronic invoices for these services.

Swedbank recommends that the Customer contact the Data Recipient regarding the processing of Personal Data by the Data Recipient.

Data Recipients acting as Processors are, for example:

• legal entities belonging to the Swedbank Group and the branches thereof when they process Personal Data on behalf of Swedbank;
• other persons involved in the provision of the Services, such as information technology, hosting, cloud computing, archiving and printing service providers, as well as technical experts and appraisers;
• entities acting as intermediaries for financial institutions in providing and obtaining Personal Data on the financial liabilities assumed by the Customer and the performance thereof, where necessary for the purposes of the person’s solvency and debt management (e.g., UAB Creditinfo Lietuva and UAB Scorify);
• persons acting as intermediaries for financial institutions in providing and obtaining Personal Data from public registers.

You can find the Data Recipients related to the processing of Personal Data for a specific purpose in Section 5 of these Principles.

Generally, Personal Data are processed within the territory of the EU/EEA, but in certain cases they may be transferred and processed outside the EU/EEA.

Personal Data may be transferred and processed outside the EU/EEA where there are legal grounds for the transfer of Personal Data and at least one of the following conditions applies:

• the Data Recipient is located in a non-EU/EEA country where an adequate level of data protection is ensured by decision of the European Commission;
• the Data Controller or Processor implements suitable data security measures, for example, the Personal Data are transferred in accordance with a contract that includes standard clauses approved by the European Commission or other standard clauses approved in accordance with the established procedure; the Personal Data are transferred in accordance with an approved code of conduct or a certificate has been issued to the Data Recipient;
• derogations apply, for example, when the Customer has expressly consented to the transfer of Personal Data; the transfer of Personal Data is necessary for the performance of a contract with the Customer or for the conclusion or performance of a contract concluded in the interests of the Customer; the transfer of Personal Data is necessary for the establishment, exercise or defence of legal claims or for reasons of substantial public interest.

The Customer may obtain more information about the transfer of Personal Data outside the EU/EEA upon request.

The period for which the Personal Data will be stored is determined according to the specific purposes for which the Personal Data were collected or is defined by the Applicable Legislation. Personal Data are processed for the duration of the business relationship with the Customer. After the termination of the business relationship, Swedbank will process the Personal Data in compliance with the obligations established by the Applicable Legislation in the field of prevention of money laundering and terrorist financing. Personal Data will also be processed during the storage period that is established with regard to Swedbank’s legitimate interest. In such a case, Personal Data are processed for the purpose of establishing, exercising or defending legal claims in accordance with the general statute of limitations under the Applicable Legislation.

Examples of storage periods:

• When the Personal Data are needed to protect Swedbank’s legitimate interests in the event of a claim under civil law – no more than 10 years from the termination of the Service Agreement.
• When the Personal Data are needed to comply with the requirements of the Applicable Legislation related to the prevention of money laundering and terrorist financing – 8 years from the end of the business relationship.
• When the Personal Data are needed to protect legitimate interests when Swedbank is involved in legal proceedings or an investigation – until the end of the said investigation or legal proceedings.
• Personal Data related to video surveillance conducted by Swedbank in order to ensure the safety of Swedbank employees and visitors and the protection of property is stored for no longer than 60 days from the time the recording was made, except when the Personal Data are processed for another purpose (for example, in connection with a pre-trial investigation).
• When the Personal Data are processed for marketing purposes – no longer than the validity of the consent given by the Customer.

Why we process Personal Data: Applicable Legislation obliges us to identify Customers as well as their representatives and persons involved in one-off transactions where relevant.

How we process Personal Data: For this purpose, we ask you to provide a valid identity document as well as any other documents necessary to establish your identity. We use authentication tools to verify your identity. When processing Personal Data, we must ensure that your identification data are correct and up-to-date during the Service provision period. We also share your identification data with Swedbank Group companies operating in Lithuania when this is necessary to provide you with Services from these companies.

5.1.1. Identification

For the purpose of identification, we ask you to provide a valid identity document, the details of which we will check against the Invalid Personal Documents Database.

In cases where you are representing a minor (child) in concluding a contract, we ask you to provide a valid identity document for the minor, which we check against the Invalid Personal Documents Database. We will also check your (as the parent) right to represent the minor in the Population Register of the Republic of Lithuania.

When you continue to use the Services, we must ensure that your identification data are accurate and up-to-date. We therefore ask that you update the identification data provided to Swedbank.

We automatically update the identification data in your identity document according to the Personal Data processed in the Population Register of the Republic of Lithuania.

Your identification data are transferred to the Swedbank Group companies operating in Lithuania whose services you use or wish to use, in order to ensure that your Personal Data are correct and up-to-date.

5.1.2. Authentication

During authentication, we verify a person’s identity in order to provide Services at a Swedbank branch or remotely, for example, when you call us or use internet banking.

Authentication is usually performed with authentication tools provided by us or other service providers, such as Smart-ID from SK ID Solutions AS. You may also use other authentication tools that are acceptable to us under the law. Such tools include, for example, mobile signatures, ID cards and other solutions that we consider secure and acceptable (biometric login, use of a PIN on the Swedbank app, PIN generator). When you use an authentication tool provided by another company, we will transfer your identification data and communication and data collected using communication and other technical means (such as IP address and device type) to this company. Additionally, in this case, information will be transferred about your use of our Services.

Why we process Personal Data: We process Personal Data to fulfil a legal obligation imposed by the Applicable Legislation in the areas of prevention of money laundering and terrorist financing and implementation of international sanctions.

How we process Personal Data: We collect Personal Data from you, as well as from external sources such as public registers, process data obtained when you use the Services, including when the “Know Your Customer” principle is applied and the Customer’s operations are monitored, and we store the collected information.

Where required to do so by the Applicable Legislation, we transfer your Personal Data to delegated public authorities.

The Applicable Legislation obligates us to perform due diligence activities, including application of the “Know Your Customer” principle, and to understand the purpose and nature of business relationships and one-off monetary operations. We must also assess the risks associated with money laundering and terrorist financing and implement international sanctions. This helps ensure that our Services are used for legitimate purposes and prevents their unauthorised use.

For these purposes, we are required to establish your identity (for more information, see “Identification and Authentication”). We also ask you to provide accurate and correct information about you and documentation to support the information you provide where necessary. We may use the information we have received from public registers, such as the Population Register, the Register of Legal Entities and the Real Real Property Register, as well as data provided by you. For this purpose, we may also review publicly available information about you.

In order to comply with the requirements of the Applicable Legislation or based on our legitimate interest, we check lists (databases) of persons subject to sanctions. We do this to ensure that our Services are not provided to persons subject to or associated with international sanctions and that our Services are not used to violate or circumvent such sanctions.

During your business relationship with us, we regularly (or depending on the specific situation) ask you to update the Personal Data you have provided; we also check to make sure that the data previously obtained from external are up-to-date. The Applicable Legislation also obligates us to constantly monitor business relations and concluded transactions in order to make sure that they are not suspicious. Due diligence activities and their regularity depend on the level of risk attributed to the Customer in relation to money laundering and terrorist financing.

In accordance with the requirements of the Applicable Legislation, we are obliged to notify the competent public authorities (the Financial Crime Investigation Service) of suspected cases of money laundering and terrorist financing and to ensure the confidentiality of such notification.

We also process the Personal Data of natural persons associated with Corporate Customers for the above purpose. We establish the identity of the representative of the legal entity (manager, authorised representative, procurator or other persons in management positions at the legal entity, e.g., insolvency administrators). For this purpose, we collect their identification data, demographic data, contact details and data on relationships with legal entities.

We also ask for the identification and demographic data of the legal entity’s participants and beneficiaries. If necessary, we ask the legal entity to provide additional documents and information about the beneficiaries, such as the source of funds and assets or data on relationships with legal entities. Where necessary, we also collect and regularly update the Personal Data of the legal entity’s representatives, participants and beneficiaries from registers such as the Population Register and the Register of Legal Entities, including the Information System of Legal Entities Participants, the Information Subsystem for Beneficiaries of Legal Persons, and the Real Property Register, and by using publicly available information. In order to ensure compliance with international sanctions, we check lists and databases of sanctioned persons.

Why we process Personal Data: We process your Personal Data to provide the everyday banking Services, such as bank accounts, deposits, payment services and other everyday banking Services that you would like to receive. We also process Personal Data for the purposes of communicating with you, and providing, controlling and administering access to these Services.

How we process Personal Data: Processing activities involve the collection of Personal Data from you and your use of the Services, and the transfer of Personal Data to Data Recipients in order to perform a Service contract or when it is required under the Applicable Legislation. Processing activities also include obtaining Personal Data from third parties, such as other payment service providers.

5.3.1. You have opened and are using a bank account

When you open a bank account, we process your Personal Data in order to provide this Service in accordance with the contract, as well as other Services related to the bank account that you would like to receive.

In addition to processing Personal Data for the purpose of performance of the contract, we also take into account the obligation established by the Applicable Legislation and transfer Personal Data related to the opened account to the tax administration authority (the State Tax Inspectorate of the Republic of Lithuania).

At your request, Swedbank provides you with the account information service, which allows you to receive online information about the bank accounts you have opened with other financial institutions. In this case, your Personal Data (identification data, bank account details, data collected using communication and other technical means) are transferred to us by the said financial institution.

In compliance with the legal obligation, we process your Personal Data in order to fulfil your requests for the account information service initiated from another financial institution. As part of this service, where you have given your consent to the other financial institution, you will be granted access to your account information held with Swedbank using your existing access at that financial institution. For this purpose, we disclose your Personal Data to the other financial institution, such as your identification data, bank account details and data collected using communication and other technical means.

5.3.2. You are using a Swedbank payment card

When you apply for and conclude an agreement for a Swedbank payment card, we process your Personal Data for the purpose of concluding and performing this payment card agreement. We also process Personal Data for card ordering, card personalisation and activation, providing assistance in matters related to the payment card and preventing fraud with payment cards.

In order to execute card payments, we process your Personal Data for the purpose of authorisation and clearing of the payment operation (including operation initiated by the seller). If you file a complaint about a card payment operation, your Personal Data may be shared with the relevant international payment card organisation (e.g., Mastercard).

In the event that you order an additional card linked to your bank account, we process the Personal Data of the additional cardholder; this processing of Personal Data is based on our legitimate interest in carrying out business activities and ensuring the provision of Services.

5.3.3. You make or receive payments

We process your personal data in order to execute payments, including payment initiation services. For this purpose, we process your Personal Data on the basis of the data provided in your payment order. We transfer them to third parties, such as recipients of funds, payment institutions, correspondent banks, etc.

If you have linked your telephone number to your bank account in the Proxy Lookup Service, your Personal Data are processed in order to include your data in this system, in accordance with your consent to these Services. This enables you to make payments by telephone number; this processing also includes the transfer of your Personal Data (telephone number, bank account number, name and surname) to the recipient of the payment. The Proxy Lookup Service is managed by the Bank of Lithuania, acting with Swedbank and other participants of the system as joint Data Controllers.

In order to comply with a legal obligation, we process your Personal Data in order to comply with requests to initiate a payment from your bank account where such a payment is initiated by a third-party payment service provider. As part of this service, where you have given your consent to the other financial institution, you will be granted access to your account information held with Swedbank using your existing access at that financial institution. For this purpose, we disclose your Personal Data to the other financial institution, such as your identification data, bank account details and data collected using communication and other technical means.

Similarly, your Personal Data are processed when you initiate a payment from an account with Swedbank using a third-party payment service provider’s online banking service. This includes a payment initiation service using Bank Link payments via the Open Banking interface.

Why we process Personal Data: We process Personal Data for the purpose of providing the financing Services chosen by you and to comply with the Applicable Legislation in the area of financing Services.

How we process Personal Data: Personal Data are processed when we conclude, perform and terminate contracts, such as consumer credit contracts (small loans, car loans, home small loans, solar panels loans, credit cards, lines of credit, study loans), mortgage loans, leasing contracts and contracts for similar financing services to the Customer. We also process your Personal Data in order to comply with the Applicable Legislation, including managing debt during the term of the contract. In this case, the Personal Data are collected from you and from external sources. Depending on the Services provided and the particular situation of the Customer, Personal Data are transferred to the Data Recipients in order to perform a contract, comply with the requirements of the Applicable Legislation or pursue our legitimate interests.

5.4.1. You are a natural person who has applied for financing services

Swedbank has a legitimate interest to ensure the quick adoption of a decision when a Customer applies for financing. Considering this, we process, by automated means, the Customer’s Personal Data obtained from the Customer and the use of the Services thereby. In this case, we also process the data of payment operations in Swedbank accounts to ensure fast and accurate decision-making when a Customer submits a financing application.

Some credit applications are evaluated and decided upon using the automated processing of Personal Data, including profiling. This means we perform creditworthiness assessments by automated means. For this purpose, the Personal Data you provide in the application form are assessed, as are the Personal Data held by Swedbank and the Personal Data obtained from external sources.

The assessment of your creditworthiness is carried out in order to ensure that the provision of financing services complies with the requirements of the Applicable Legislation, such as responsible lending. This automated processing is necessary for the conclusion of an contract between you and Swedbank. In the event that a decision is taken by automated means alone, you have the right to ask Swedbank to have the decision reviewed by an employee.

For the purpose of the creditworthiness assessment and in order to verify whether the Customer meets the financing criteria, we process Personal Data such as the types and amounts of the desired financial and/or property liabilities for which a positive or negative decision was taken, data on the fulfilment of obligations, data on the workplace, income (including its types and sources), marital status and number of children, and data on the funds accumulated and operations carried out in Swedbank accounts. We also process other data necessary for risk assessment and debt management. In addition to the information we receive from you, we also collect data from external sources such as databases and registry service providers – UAB Creditinfo Lietuva, UAB Scorify, the Social Insurance Fund Board, and the registers managed by State Enterprise Centre of Registers. In certain cases, we use the services of persons who act as intermediaries in providing and receiving Personal Data (Processors) in order to obtain Personal Data.

When you enter into an contract (including when the contract is entered into by a co-borrower or surety provider), in order to comply with the requirements of the Applicable Legislation, we provide the Bank of Lithuania with your counterparty’s data about concluded financial services contracts and their performance and/or changes in the performance thereof.

To promote responsible lending on the market and based on our legitimate interest, we transfer your Personal Data about concluded financial services contracts, their performance and/or changes in the performance thereof, and non-fulfilment of obligations, to other financial institutions. We transfer these Personal Data when you apply to such a financial institution for financing. In this case, Personal Data are transferred using the services of intermediaries in the transmission of Personal Data, such as UAB Creditinfo Lietuva or UAB Scorify.

Where you conclude a contract for financing services, the fulfilment of which is guaranteed by a third party operating under an approved special financing programme, or where financing is provided for a specific purpose, your Personal Data may be transferred to third parties participating in these financing programmes. Such third parties providing a financing guarantee to the borrower are the Ministry of Social Security and Labour of the Republic of Lithuania, and in the case of a student loan – the State Studies Foundation.

For the purposes set out above, we process the following categories of your Personal Data: identification data, demographic data, family details, health data (when you request a deferral of your loan payment for health-related reasons). We also process your contact details, bank account data, financial data, related to the Customer’s reliability and performance assessment, data obtained and/or created in compliance with the requirements of the Applicable Legislation, and professional data.

The scope of Personal Data processed depends on your role in the financing process. If you are a Customer concluding a contract with us, your role in the financing process is different from, for example, that of a seller in the case of asset leasing, whose creditworthiness would not be assessed. If you are a contact person or an authorised representative, we will only process your identification data and contact details for the purpose states above.

In the event of default or insolvency of the Customer, we may disclose Personal Data to persons involved in loan restructuring or debt collection, based on our legitimate interest.

5.4.2. If you are a natural person related to a Corporate Customer

In the course of assessing the creditworthiness of a Corporate Customer, we also process the Personal Data of natural persons closely related to the Corporate Customer. For this purpose, we process the Personal Data of the participant and the beneficiary of the legal entity (identification data, data on relationships with legal entities, financial data such as fulfilment of financial liabilities, arrears, bankruptcy). Such Personal Data are obtained through the use of the Services by the Customer.

The processing of Personal Data for this purpose helps to determine the amount of financing to be provided to the Corporate Customer and to mitigate the lender’s risk of a possible default by the Corporate Customer.

Why we process Personal Data: We process your Personal Data so that we can provide you with investment recommendations and provide you with the investment Services you have selected. We process Personal Data in order to properly administer your pension savings and comply with the Applicable Legislation related to a specific Service.

How we process Personal Data: Personal Data are collected and regularly updated when it is obtained directly from you through your use of the Services and through communications, as well as from external sources such as registrars (e.g., Sodra’s Republic of Lithuania Register of Pension Accumulation Participants, Pension Accumulation and Pension Benefit Agreements). For the purpose of assessing the suitability of a Service for you, the processing of your Personal Data also includes profiling. Depending on the Service provided, your Personal Data are disclosed to Data Recipients if this is necessary for the conclusion and performance of a contract and/or to comply with the requirements of the Applicable Legislation.

5.5.1. You are receiving investment services

When you apply for investment services and investment activities (hereinafter – “Investment Services”) or the provision of ancillary services, we process your Personal Data for the purpose of concluding, performing, administering and terminating the contract.

This includes the storage of your selected financial instruments and the execution of orders relating to them, as well as the processing of Personal Data necessary for the execution of material events (public offerings) relating to your financial instruments, the provision of investment recommendations, the provision of a portfolio management services to you, and the provision of other investment and ancillary services.

We process your Personal Data, including profiling, to assess the suitability and acceptability of a Service or financial instrument for you before providing the relevant Services.

Based on the Applicable Legislation, we are required to record telephone conversations or audio during video calls when providing investment and ancillary services.

We process your Personal Data in order to provide you with mandatory information about costs and fees, transaction execution, accounting for financial instruments, losses of a certain service or financial instrument, and other types of reports and information.

Your Personal Data may be disclosed to national and foreign supervisory authorities, the Central Securities Depository, stock exchanges and trading venues, issuers of financial instruments, fund managers and financial intermediaries.

For the purposes set out above, we process certain categories of your Personal Data, such as identification data, contact details, children’s data (where a child is a user of the Services), family details, demographic data, professional data and financial data. We also process data on your financial experience and investment goals, your bank account details and data on your behaviours, priorities and satisfaction with the Services. Where necessary, we process data related to the Customer’s reliability and performance assessment, data collected using communication and other technical means, data on relationships with legal entities, data that are obtained and/or created in compliance with the requirements of the Applicable Legislation, data on the status of the relationship with Swedbank, as well as any other Personal Data necessary for the provision of the relevant Services.

5.5.2. You are contributing to pension funds

If you accumulate savings in Swedbank pension funds, we process your Personal Data in accordance with the requirements of the Applicable Legislation and the rules of these funds. This includes providing you with mandatory information, administering and executing various applications for pension accrual, managing personal pension accounts and fund accounting, managing the disbursement and inheritance of funds accumulated in the funds, and applying restrictions on assets in accordance with the instructions of judicial officers.

For these purposes, we need to process your bank account details, demographic data, contact details, financial data and identification data, including your social security number.

Why we process personal data: We process Personal Data in order to provide the term and/or whole life insurance services you have chosen. We process Personal Data to assess individual insurance risk and calculate the insurance premium, and, where necessary, to examine applications for insurance benefits and pay such benefits; we also process them to comply with the requirements of the Applicable Legislation related to term and whole life insurance.

How we process personal data: Personal Data are processed when we conclude, perform and terminate term and/or whole life insurance contracts. In addition, we process Personal Data in order to comply with the requirements of the Applicable Legislation relating to life insurance. Personal Data are collected directly from you, Swedbank AB, as well as from external sources. Personal Data are regularly updated. Depending on your choice of life insurance services, Personal Data are transferred to Data Recipients in order to conclude and perform the contract or to fulfil the requirements of the Applicable Legislation.

5.6.1. If you are applying for an insurance contract, are concluding one, or have submitted an insurance claim

If you are applying for a term insurance contract, we process your Personal Data in order to assess your needs and individual risk, calculate the insurance premium and the coverage amount, and take a decision regarding insurance risk. In order to make a quick decision on insurance risk, we process your Personal Data, including health data, by automated means and take decisions by automated means. We also use profiling.

When additional information is needed or you request that the decision be taken manually, the application is reviewed by our specialist. For this purpose, we process your health data, which are provided by you, as well as by doctors and medical institutions; we also process health data related to your current or previous insurance contracts, submitted insurance applications, applications for payment of an insurance benefit, and insured events. In the event that a decision is taken by automated means alone, you have the right to ask that it be reviewed by an employee.

If you apply for a whole insurance contract, we also process your Personal Data, including profiling, in order to assess the suitability of the Service for you.

When you conclude an insurance contract, we process your Personal Data in order to perform the insurance contract, amend or, where necessary, terminate the insurance contract, refund the premium or pay the insurance benefit under the contract, and tax the benefits. We also process Personal Data for the purpose of sending insurance-related notifications, debt notifications, annual statements or, in the case of a whole life insurance contract, other statements as needed.

For the purposes set out above, we process your identification data, bank account details, contact details, financial data, family details and children’s details (where the provision of the Services is related to a child). We also process health data, data on relationships with legal entities, data collected using communication and other technical means, data on the status of the relationship with Swedbank and demographic data.

If you submit an insurance claim, we process your Personal Data in order to examine the claim, take a decision on the insurance benefit and pay the insurance benefit in the case of an insured event. This processing includes your health data, which are provided by you, as well as by doctors and medical institutions, as well as Personal Data related to your current or previous insurance contracts, submitted insurance applications, applications for payment of an insurance benefit, and insured events. Where it is necessary for the payment of an insurance benefit, we process your financial data, which we receive from Swedbank AB. We also process Personal Data obtained from public authorities, such as data on criminal convictions and criminal offences.

For the above purpose, in addition to these specified Personal Data, we also process your professional data, data on criminal convictions and criminal offences, and data on behaviours, priorities and satisfaction with the Services.

5.6.2. Processing of personal data for the purpose of insurance risk management

If you have submitted an insurance claim, we transfer your Personal Data, including health data, to the reinsurance service provider. In this case, Personal Data are transferred in order to comply with the obligations imposed on us in the reinsurance contract. Your Personal Data transferred to the reinsurance service provider is stored in data centres in Switzerland, which ensure an adequate level of data protection.

For the purposes set out above, we process your identification data, bank account details, contact details, financial data, family details and children’s details (where the provision of the Services is related to a child). We also process health data, professional data, data on criminal convictions and criminal offences, data on relationships with legal entities, data collected using communication and other technical means, data on behaviours, priorities and satisfaction with the Services, and demographic data.

Why we process personal data: We process Personal Data in order to provide you with the non-life insurance services you have selected.

We process Personal Data to assess insurance risk, to calculate the insurance premium, and, where necessary, to examine applications related to the insurance contract, to pay out insurance benefits, as well as to comply with the requirements of the Applicable Legislation related to non-life insurance.

How we process personal data: Personal Data are processed when we conclude, perform and terminate non-life insurance contracts. In addition, we process Personal Data in order to comply with the requirements of the Applicable Legislation relating to non-life insurance. Personal Data are collected directly from you as well as from external sources, and are regularly updated. Depending on your choice of non-life insurance services, Personal Data are transferred to Data Recipients in order to conclude and perform the contract or to fulfil the requirements of the Applicable Legislation.

5.7.1. If you are applying for an insurance contract, are concluding one, or have submitted an insurance claim

If you are applying for a term insurance contract, we process your Personal Data in order to assess your reliability, calculate the premium and determine the terms and conditions of insurance according to your risk level. In order to assess the insurance risk, calculate the insurance premium and conclude the insurance contract, we process your Personal Data by automated means. To ensure quick decision-making regarding insurance risk, we take decisions by automated means and use profiling.

When additional information is needed or you request that the decision be taken manually, the application is reviewed by our specialist. We process Personal Data obtained from you, from public registers, as well as Personal Data we hold about you, such as data about previous insurance contracts, insured events and data obtained from Swedbank AB and Swedbank Lizingas UAB. In the event that a decision is taken by automated means alone, you have the right to ask that it be reviewed by an employee.

When you enter into an insurance contract, we also process your Personal Data for the purposes of performing the insurance contract, sending insurance policy renewals, amending and terminating the insurance contract, and refunding the insurance premium or paying the insurance benefit under the contract. We also process Personal Data for the purpose of providing insurance-related notifications, debt notifications or statements as needed.

For the purposes set out above, we process your identification data, bank account details, contact details, financial data, family details and children’s details (where the provision of the Services is related to a child). We also process health data, professional data, data on relationships with legal entities, data collected using communication and other technical means, data on behaviours, priorities and satisfaction with the Services, data on the status of the relationship with Swedbank, and demographic data.

If you submit an insurance claim, we process your Personal Data in order to examine the application, take a decision on the insurance benefit and pay the insurance benefit in the case of an insured event. We process your Personal Data that are obtained from other insurance companies, public registers, public authorities, doctors and medical institutions, Swedbank AB and Swedbank Lizingas UAB, as well as other Personal Data, including health data, relating to your previous insurance claims.

For the above purpose, in addition to these specified Personal Data, we also process your professional data, data on criminal convictions and criminal offences, and data on behaviours, priorities and satisfaction with the Services.

When you require medical assistance under travel insurance in connection with an insured event related to a country outside the EU/EEA, your Personal Data are transferred to the respective country outside the EU/EEA to confirm the validity of the insurance coverage. The transfer of your Personal Data is necessary for the performance of the contract between you and Swedbank.

Your Personal Data may also be transferred to a country outside the EU/EEA in order to examine an insurance claim for motor third-party liability in the case of an insured event related to the said country (such as Albania, Andorra, Azerbaijan, Bosnia and Herzegovina, Macedonia, Moldova, Montenegro, Morocco, Serbia, Switzerland, the United Kingdom, Tunisia, Turkey and Ukraine).

The transfer of your Personal Data is necessary for the performance of the contract between you and Swedbank. Please note that the European Commission has adopted decisions that Andorra, Switzerland and the United Kingdom ensure an adequate level of personal data protection.

5.7.2. Processing of personal data for the purpose of insurance risk management

We process your Personal Data in order to develop pricing, carry out quality control of vehicle repair work, and submit a claim for compensation to the third party who caused you damage. Also, when we pay you an insurance benefit, your Personal Data are transferred to the reinsurance provider in order to fulfil the obligations imposed on us in the reinsurance contract.

For the purpose of performing an insurance contract or exercising a right of recourse, we also transfer your Personal Data to the other insurance company at the request thereof.

For the purposes set out above, we process your identification data, bank account details, contact details, financial data, family details and children’s details (where the provision of the Services is related to a child). We also process health data, professional data, data on criminal convictions and criminal offences, data on relationships with legal entities, data collected using communication and other technical means, data on behaviours, priorities and satisfaction with the Services, and data on the status of the relationship with Swedbank, and demographic data.

Why we process Personal Data: We process Personal Data in order to prepare and provide offers and relevant information that meet your needs, conduct opinion surveys, organise promotions and campaigns, and implement customer service programmes.

How we process Personal Data: We process your Personal Data that we receive directly from you and when you use the Services. We also create a profile for you to provide you with customised marketing information. We share your Personal Data with Swedbank Group companies operating in Lithuania for this purpose. We use social media for marketing and communication purposes (such as Facebook, LinkedIn, Instagram, TikTok). When you contact us on these social media sites, your Personal Data are processed in accordance with the terms and conditions of that site.

5.8.1. Profiling and your rights in marketing

We carry out profiling using your Personal Data for marketing purposes in order to assess which product or Service is appropriate and relevant to your interests and needs. This allows us to provide you with tailored offers and Services rather than general information.

For these purposes, we evaluate certain personal aspects relating to you, primarily in order to analyse or predict aspects related to your economic situation, personal preferences and interests. We collect your Personal Data as a Customer and process them by automated means in order to create a profile for you and provide recommendations for services and offers to you as a Customer accordingly.

The Personal Data that are processed include information about your products and use of the Services. We also collect information about your economic situation, behaviours and personal preferences based on your use of the Services, the operations you perform, and the information you provide to Swedbank. These data are used for creating customer segments and profiles, which are needed to implement customer service programmes and provide you with relevant offers. The result of this processing is recommendations for Services and offers tailored to your needs, your inclusion in the customer service programme and, accordingly, the application of special prices and service conditions or removal from the programme.

In all cases, you have the right to object to the processing of your Personal Data for marketing purposes or to withdraw consent where the processing is based on consent. Information about the Personal Data being processed when you provide consent or do not object to the processing of your Personal Data based on legitimate interest is provided together with such consent or permission to process the Personal Data (in the case of legitimate interest).

5.8.2. Preparation of offers

In order to provide you with the best experience and prepare relevant and timely suggestions based on your interests and needs at a given time, we prepare the following types of offers:

• Personalised offers – practical offers to help you choose the most appropriate Services, improve your day-to-day use of them or to avoid inconveniences. This includes other suggestions designed to best serve your interests and needs, such as updating the Services or replacing some Services with others (applicable to Customers aged 14 and over).
• Personalised financing and insurance limits – calculated offers to help you understand what lending and leasing options are available to you, as well as what insurance premiums might apply to you (for Customers aged 18 and over).
• Joint offers with partners – practical offers to help you choose the right Services and benefits from Swedbank’s partners. In this case, Personal Data are not transferred to said partners (applicable to Customers aged 14 and over).
• Personalised offers and information to help your child develop financial literacy – practical offers and educational information related to you and your child (consent may be given by parents or guardians for children under 14 years of age).
• Other types of offers for which you have given consent.

You can receive these offers if you give your consent. You can choose to give your consent to all types of offers, some of them or none of them. You can submit, manage or revoke your consents in the internet banking Privacy Settings section, by visiting any Swedbank customer service unit or by incoming call.

If you want to track your spending and see an overview of your expenses in different areas, you can use the My Budget tool, which is available in internet banking and on the Swedbank app. The processing of your Personal Data using this tool is carried out with your consent.

5.8.3. Preparation of other information

In order to familiarise the Customer with Swedbank news and Services, we prepare the following types of information for Customers:

• Relevant information – information created to invite the Customer to events and to send greetings and newsletters.
• Customer opinion surveys – surveys conducted to invite the Customer to provide feedback on the Services and their use so that we can improve them.

We prepare this information based on our legitimate interest, so we do not ask for your consent, but you can decide whether to allow us to do so. You can individually choose what type of information you wish to receive or what type you object to.

You can object to the preparation of this information at any time and manage your choices in the internet banking Privacy Settings section, by visiting any Swedbank customer service unit or by incoming call.

5.8.4. Receipt of offers and other information

You may receive marketing offers and other relevant information that you have consented to or not objected to through the following communication channels: 1) e-mail; 2) SMS; 3) telephone; 4) post.

You may receive offers and other information by providing your consent to one, some or all channels. You may give or withdraw your consent in the same manner as specified in item 5.8.2 of the Principles. You can also opt out of direct marketing by e-mails by clicking on the link in the footer of each e-mail.

5.8.5. Customer service programmes

We offer a number of customer service programmes, with special service conditions, preferential pricing and additional benefits to their members. In order to enrol a Customer in a customer service programme and apply the special conditions, we process Personal Data by automated means. Information about the relevant customer service programme is contained in the terms and conditions of each programme or in an additional notice to the Customer. Personal Data are processed for the purpose set out above unless you have objected to such processing where it is based on a legitimate interest. They are also processed if you have accepted the terms and conditions of participation in the customer service programme and have thus agreed to participate in the programme.

To run customer service programmes, we process your identification data and contact details in each case. Depending on the specific programme, we additionally process other relevant Personal Data, such as demographic data, data on the status of the relationship with Swedbank, data on relationships with legal entities, data collected using communication and other technical means, bank account details, data on behaviours, priorities and satisfaction with the Services, and financial data.

5.8.6. Promotions and campaigns

We process Personal Data for the purpose of organising and carrying out promotions and campaigns. This includes the enrolment of a Customer who is eligible to participate in a promotion or campaign in the promotion or campaign.

Personal Data are processed for the above purpose if you have not objected to such processing where it is based on a legitimate interest, or if you have confirmed the terms and conditions of participation in the promotion or campaign and thus agreed to participate. You have the right to request to be removed from the list of participants in the promotion or campaign; this request will be implemented within five days.

In order to organise promotions, games, campaigns and events for our Customers, we process bank account details, professional data, financial data, contact details, data on behaviours, priorities and satisfaction with the Services, demographic data, family details, identification data, and data on relationships with legal entities.

Why we process personal data: The processing of Personal Data is necessary to ensure the quality of the Services, protect the interests of the Customer and Swedbank, investigate Customer complaints and ensure compliance with the requirements of the Applicable Legislation.

How we process Personal Data: To ensure the quality of our Services, we record telephone conversations and audio during video calls. For the purpose of ensuring the quality of Services and in order to examine Customer complaints, we also process Personal Data related to written correspondence.

We process Personal Data when recording telephone conversations and audio during video calls in order to improve the quality of the Services and protect the interests of the Customer and Swedbank. For this purpose, telephone conversations and audio during video calls are recorded if you give your consent thereto.

In addition, in order to improve the quality of the Services, we process, based on Swedbank’s legitimate interest, Personal Data related to written correspondence received by e-mail or via Internet banking, as a message or in the chat window. We also process Personal Data when we examine and respond to Customer complaints – this processing is based on the discharge of a legal obligation.

The categories of your Personal Data processed for the purposes set out above depend on the Services provided to you and/or the complaint or other request you have submitted.

Why we process Personal Data: We process Personal Data in order to provide the Customer with advice and information regarding the Services used by thereby.

How we process Personal Data: We process your Personal Data when we serve you at any Swedbank customer service unit or other Swedbank Service locations. We also process your Personal Data when you contact us by phone, live chat, e-mail or otherwise. In order to ensure that your Personal Data are up-to-date, data such as your contact details are transferred to Swedbank Group companies operating in Lithuania when you apply for or use their Services.

In cases where you register to visit a Swedbank customer service unit, we process your Personal Data in order to identify you, ensure successful registration of the visit and prepare to provide the Services you requested.

We process Personal Data held by Swedbank such as your financial data in order to provide you with the consultation you requested regarding the Services. For this purpose, your Personal Data may be obtained from other Swedbank Group companies operating in Lithuania.

When we provide you with information and communicate with you by telephone, live chat, e-mail or otherwise, we must process your Personal Data in order to ensure the provision of the Services or to comply with the requirements of the Applicable Legislation. In this case, we process your contact details, information about the requested and/or provided Services, and the performance of existing contracts.

Why we process Personal Data: We process Personal Data to manage risks and ensure that Swedbank operates safely and soundly and in compliance with the Applicable Legislation.

How we process Personal Data: We process Personal Data in order to perform legal obligations established by the Applicable Legislation in the areas of risk management, capital adequacy, fraud prevention and incident management, among others. We disclose Personal Data to Data Recipients, such as public authorities where necessary in accordance with the requirements of the Applicable Legislation and in order to protect Swedbank’s legitimate interests.

Sound risk management is part of the Applicable Legal Requirements that we must comply with in order to provide you with the Services, ensure safe banking or protect your funds from fraud. We focus on low-risk activities because this is the basis for building trust and value for you in the long term.

In order to ensure compliance with legal obligations in the field of risk management, we process your Personal Data in:

• assessing and managing credit risk, liquidity risk, market risk and counterparty risk;
• meeting capital requirements;
• resolving incidents that may affect our core business processes that are necessary to provide the Services, and investigating Personal Data security breaches that relate to your privacy;
• identifying, investigating and reporting suspicious transactions and market abuse;
• taking steps to prevent fraud, identify and investigate potential cases of fraud by monitoring operations, including payment card operations, and reviewing, assessing and taking action on activities that may constitute fraud;
• monitoring compliance with laws, internal regulations and other legal acts;
• ensuring business continuity and crisis management;
• providing information to supervisory and other state authorities, including mandatory regular provision of information and provision of information upon separate request, complying with the obligation to notify the authorities of Customer activity suspected of market abuse, and cooperating with public authorities in carrying out their supervisory functions and inspections;
• working with and providing information to external auditors.

Why we process Personal Data: We process Personal Data to maintain, expand, assess and improve Swedbank’s operations, Services and Customer experience, as well as to protect our legitimate interests.

How we process Personal Data: We need to process your Personal Data when we perform activities such as document management and archiving. We process Personal Data when we perform analysis and testing to ensure the security and compliance of information technology solutions, in order to comply with the Applicable Legislation or to pursue our legitimate interests.

We carry out certain administrative activities to ensure the operational efficiency and appropriateness. For example, we have an obligation to maintain accounting records. Part of this is the processing of your Personal Data – your identification data, bank account details, contact details, demographic data – when we issue an invoice. We use profiling to assess and determine the strategic directions of our business. For this purpose, we process information such as your financial data (economic situation) and data on behaviours, priorities and satisfaction with the Services.

The processing of Personal Data is also necessary for activities related to our core business – the provision of Services. This encompasses, for example, document management and archiving, including the storage of paper documents and digital information, based on discharge of a legal obligation or our legitimate interests.

It is our legitimate interest to maintain, develop, assess and improve our operations and Services, and to improve the Customer experience. This activity includes the processing of your Personal Data in order to administer our website, as well as testing in order to ensure the quality of the Services and the security and compliance of the information technology solutions we develop, or to manage the incidents that occur. We may use artificial intelligence. In each case, the processing of Personal Data is limited according to its necessity in the particular case, including the categories of Personal Data and Data Subjects.

We also process Personal Data for the establishment, exercise or defence of legal claims. As a rule, this processing of Personal Data is limited to storing information to handle potential claims. When we need to defend our rights or when a claim is made, information that is relevant to the specific case is processed. Depending on the situation, this may include transferring information to other Swedbank Group companies, public authorities (such as the financial supervisory authority), judicial and out-of-court dispute settlement bodies in order to resolve a dispute, and companies and individuals providing legal services.

Why we process Personal Data: We process Personal Data of Data Subjects related to Corporate Customers in order to conclude and administer contracts with Corporate Customers, maintain relations with them, provide Services and ensure compliance with the requirements of the Applicable Legislation.

In these Principles, the term “Customer” also includes all natural persons whose Personal Data we process and who are related to a Corporate Customer.

How we process Personal Data: Personal Data are obtained directly from Data Subjects and Corporate Customers, as well as from public registers, and are updated regularly. Personal data are provided to Data Recipients in order to conclude and perform a contract with a Corporate Customer and ensure compliance with the Applicable Legislation.

When you represent a Corporate Customer, we process your Personal Data based on our legitimate interest to conclude and perform the contract with the Corporate Customer. This processing includes communicating with the Corporate Customer’s representative or contact person and storing relevant information about managers and authorised representatives. This helps ensure that only a person with the authority to do so can sign contracts, perform operations, submit documents, access information or take other necessary actions on behalf of the Corporate Customer. You can find more information about the processing of Personal Data for a specific Service in the section about that Service in the Principles.

The categories of your Personal Data processed for the purposes set out above include identification data, contact details, professional data, and data on relationships with legal entities. For these purposes, we also process Data related to the Customer’s reliability and performance assessment, demographic data, financial data, and data that are obtained and/or created in compliance with the requirements of the Applicable Legislation.

Why we process Personal Data: To ensure the security of Swedbank’s visitors, employees and assets.

How we process Personal Data: As one of the safeguards implemented by Swedbank for the protection of persons and property, Swedbank carries out, on the basis of legitimate interest, video surveillance and/or audio recording on Swedbank’s premises and in other places where Swedbank provides services. Areas under video surveillance are marked with informative signs.

When Swedbank conducts video surveillance, the Personal Data processed by Swedbank includes the Customer’s facial image and video recording. When Swedbank conducts video surveillance at customer service units, Personal Data may include facial images, video recordings and audio recordings.

Swedbank’s processing of Personal Data in the context of audio/video surveillance and recording is based on the legitimate interest of ensuring the safety of Swedbank’s employees and visitors and the protection of its assets and premises. Video and/or audio recording information may be provided to Data Recipients when this is necessary for the investigation of unlawful acts, or to a Data Recipient responsible for looking after and managing video surveillance equipment on behalf of Swedbank.

As a data subject, you have the following rights guaranteed by data protection legislation in relation to the processing of your Personal Data:

• the right of information about whether Swedbank processes your Personal Data and, if so, the right of access thereto;
• the right to rectification of your Personal Data if they are incorrect, incomplete or inaccurate;
• the right to erasure of your Personal Data;
• the right to restriction of processing of your Personal Data;
• the right to object to the processing of your Personal Data where the processing of Personal Data is based on Swedbank’s legitimate interest;
• the right to receive, in writing or in a commonly used and machine-readable format, the Personal Data provided by you that are processed on the basis of your consent or the performance of a contract and, if possible, to transmit those data to another service provider (right to data portability);
• the right to withdraw your consent to the Processing of Personal Data;
• the right to object to a fully automated decision being used, including profiling, if said decision-making has legal or similarly significant effects on you. This right does not apply in the event that this decision-making is necessary for the purpose of concluding or performing a contract with you, or is permitted under the Applicable Legislation, of if you have given his or her explicit consent thereto.

Swedbank provides you with remote and direct access to the majority of your Personal Data processed by Swedbank via Internet banking.

Swedbank processes a large amount of information, so in order to fulfil a Data Subject’s request as accurately as possible, Swedbank may ask you to specify the information, operations or period that are related to your request as a Data Subject.

You can exercise your rights as a Data Subject by submitting an identified request to Swedbank via Internet banking, by visiting a customer service unit, by incoming call, or by e-mailing a request signed with a qualified electronic signature. A response to your request will be provided within one month of receipt of the request of the Data Subject (when necessary, this period may be extended for another two months).

You can change or update your Personal Data and manage settings (consent and authorisations for the processing of Personal Data) via Internet banking or the mobile app, or by visiting a customer service unit or incoming call.

You have the right to lodge a complaint regarding the processing of Personal Data with the State Data Protection Inspectorate (www.vdai.lrv.lt) if you believe that your Personal Data are being processed in violation of your rights and legitimate interests in accordance with personal data protection legislation.

You have the right to contact Swedbank to submit enquiries, withdraw consent, submit requests for the exercise of data subject rights, or lodge complaints regarding the processing of Personal Data.

Swedbank’s contact details are published on the Swedbank website: www.swedbank.lt. You can contact the designated data protection officer by e-mail at: duomenuapsauga@swedbank.lt.

Swedbank has the right to unilaterally amend the Principles at any time, upon informing the Customers thereof on the Swedbank website or by an Internet banking message, SMS or e-mail.

The principles were prepared in Lithuanian and translated into English and Russian. In the event of disputes as to the interpretation of the language of the text, the Lithuanian version of the Principles shall prevail. The Principles shall enter into force on 1 May 2025 and the latest version will be available at Swedbank’s customer service units and on the Swedbank website (www.swedbank.lt).