PRIVACY NOTICE to job applicants and whistleblowing procedures at Nordnet  

How Nordnet handles job applicants’ personal data 

As a potential employer, we seek to be as transparent as possible to our potential employees. We collect and process personal data in order to find the right fit for our open positions and to manage the recruitment process appropriately and in accordance with applicable rules. We process job applicants’ personal data, where it is reasonable and proportionate, for legitimate interests as described below. It is of great importance to us that we provide thorough information on how we use personal data during the recruitment and that you feel confident that we process your personal data in a legitimate and secure manner.

Data controller and Data subjects

Data controller

Data subjects

Nordnet Bank AB

Company reg. no. 516406-0021

Alströmergatan 39

104 25 Stockholm

Sweden

You who apply for a specific position at or connect to the candidate pool with Nordnet Bank AB

Nordnet Pensionsförsäkring AB

Company reg. no. 516406-0286

Alströmergatan 39

SE-104 25 Stockholm

Sweden

You who apply for a specific position at or connect to the candidate pool with Nordnet Pensionsförsäkring AB

Nordnet Fonder AB

Company reg. no. 556541-9057

Alströmergatan 39

SE-104 25 Stockholm

Sweden

You who apply for a specific position at or connect to the candidate pool Nordnet Fonder AB

Nordnet Livsforsikring AS

Company reg. no. 914 350 956

Akersgata 45

0158 Oslo

Norway

You who apply for a specific position at or connect to the candidate pool with Nordnet Livsforsikring AS

Our data processing

Processing

Purpose

Personal data

Retention

Legal basis

Data collection to recruitment system, recordings of contacts/events during recruitment and assessment of suitability for employment.

To communicate during the recruitment process, to assess appropriate fit for a position and for entering into an employment agreement.

Identification data (first name, surname, date of birth, age, picture)

Contact data (e-mail address, telephone number)

Professional data (information in CV/cover letter, employment and educational details)

2 years after application

Legitimate interests

Storage of personal test results/profiles

To assess appropriate fit for a position (e.g. internal recruitment or promotion).

Identification data (first name, surname, social security number)

Contact data (e-mail address)

Financial data (credit reference, payment remarks, debts with the Enforcement Authority)

Criminal convictions data (criminal records)

Data on personal aspects (previous and ongoing judicial processes)

Personal attributes (personality profile, skills/cognitive test)

Two weeks reg. reports from background controls.

90 days reg. tests results and profiles.

Legal obligation

Legitimate interests

Collection and recording of references.

To verify submitted recruitment documents and assess appropriate fit for a position.

Identification data (first name, surname)

Contact details (e-mail address, telephone number)

Professional data (data in CV/cover letter, employment and educational details)

2 years after application

Legitimate interests

Handling of recruitment related claims

To assess and defend against recruitment related claims, in both extrajudicial and judicial processes.

Identification data (first name, surname, social security number)

Contact data (home address, e-mail address and telephone number)

Professional data (data in CV/cover letter, employment and educational details)

Communications (personal data entailed in the communication)

2 years after application

Legitimate interests

Where we get the personal data from

We collect the personal data from a variety of sources:

• from you, either on specific requests or during the ordinary course of the recruitment;

• from the references that you provide us with;

• from third parties who provide it to us (e.g. information service providers, recruitment agencies); and

• from public registers and online platforms (e.g. LinkedIn)
  
  

Whom we share the personal data with

The personal data that we process will be shared with trusted service providers to us. We also share the personal data with administrative authorities and any authorized representative in case of extrajudicial and judicial processes.

Personal data transfer to third countries (i.e. outside of EU/EEA)

We strive to process your personal data within the EU/EEA. We do, however, share the personal data with third country vendors, and will in such cases restrict the personal data to data centers within the EU/EEA if possible and also rely on the following transfer mechanisms, separately or combined:

• European Commission’s adequacy decisions;

• approved Binding Corporate Rules;

• officially adopted Standard Contractual Clauses; or

• other valid transfer mechanisms.

The chosen transfer mechanism(s) is accompanied by supplementary safety measures of technical and organizational nature suitable for mitigating any risk that is not efficiently mitigated by the transfer mechanism(s) at hand.

More about legitimate interest as our legal basis

We always carry out legitimate interest assessments in relation to the processing activities that are rested on this legal basis. Such assessment include a necessity evaluation and a weighing of interests. We have concluded that our interests in processing your personal data for the purposes as specified above takes precedence over your potential privacy interests and the associated impacts, based on the benefits that these processing activities provide for.

Rights as a data subject

• Right to access

You have the right to know if we are processing your personal data and in such case get information about what personal data we are processing about you.

• Right to rectification

If you find any of your personal data subjected to our processing to be incorrect or incomplete, you have the right to request amendment or supplementation of that personal data.

• Right to erasure

You have the right to have your personal data deleted. However, this is not applicable in certain cases, e.g. if the retention of the personal data is mandatory to fulfil legal obligations or if we are relying our processing on legitimate interest and we have compelling justification for the processing.

• Right to limitation of data processing

Under certain conditions, you have the right to limit our processing of your personal data to certain selected purposes or restrict our processing during a limited time period.

• Right to data portability

You have the right to obtain your personal data in a structured way or request it to be sent to a third party. However, this right is limited to the personal data that you have provided us yourself and which we are processing on the basis of your consent or our contractual relationship.

• Right to object

You can object to further processing of your personal data. However, this is not applicable in certain cases, e.g. if we can demonstrate compelling legitimate reasons for the processing that override the individual's interests, rights and freedoms or if the processing is carried out in order to establish, exercise or defend against legal claims. You always have the right to object whenever our data processing is based on you given consent or whenever your personal data is being used for direct marketing purposes.

• Right to lodge a complaint

If you are dissatisfied with our data processing, you may lodge a complaint to the supervisory authority (see contact details below).

How to exercise you rights

You can send your request to: dataprotection@nordnet.se.

For safety reasons, please do not include your social security number or any other special category/integrity sensitive data in your e-mail to us!

Contact details for questions or complaints

Nordnet’s HR department

E-mail: HR@nordnet.se

Nordnet’s data protection officer

E-mail: dataprotection@nordnet.se

Swedish Authority for Privacy Protection

Postal address:

Integritetsskyddsmyndigheten

Box 8114

SE-104 20 Stockholm

E-mail: imy@imy.se

Website: www.imy.se

Norwegian Data Protection Authority

Postal address:

Datatilsynet

P.O. Box 458 Sentrum

NO-0105 Oslo

E-mail: postkasse@datatilsynet.no

Website: www.datatilsynet.no

Version 1.2

(2022-05-05)

Whistleblowing procedures at Nordnet

Nordnet has a whistle blowing process to enable all employees, job applicants, owners and management etc. to draw attention to significant and legitimate concerns regarding matters connected with internal governance and possible misconduct. The whistle blowing process offers a possibility to alert Nordnet about suspicions of misconduct in confidence. It is an important tool for reducing risks and maintaining trust in our operations by enabling us to detect and act on possible misconduct at an early stage.

Whistleblowing can be done openly or anonymously through the whistleblowing tool. Copy and paste the following link into your browser to get to the communication tool: https://report.whistleb.com/nordnet

The whistleblowing tool allowing anonymous messaging is provided by WhistleB, an external service provider. All messages are encrypted. To ensure the anonymity of the person sending a message, the external provider does not save IP addresses or other meta-data. The person sending the message also remains anonymous in the subsequent dialogue with the Nordnet’s appointed whistleblowing contact person. If you submit a whistleblowing report through the tool you will receive unique credentials and you may log in to the tool afterwards to communicate further with the receiver of the report (Head of Compliance and other appointed members of the Compliance team) or to keep track of the progress of the case.