A personal data is information that can directly or indirectly identify a person. Examples of this are name, social security number and place of residence, but also information such as transactions, IP address and codes that enable login to Digital Services.

The extent to which your personal data is processed at the Kylla bank depends, among other things, on which products and services you have agreed with the bank to have access to. The Kylla bank collects the personal data either directly from you or it is generated by us through your use of the various products and services we offer. In addition, personal data can be obtained from other companies in the Kylla bank Group, from a third party such as the tax administration and also through cookies on our website. You can read more about the bank's handling of cookies.

Personal data we collect from you

The Kylla bank processes the personal data that you provide to us through an expression of interest and/or application so that you can enter into an agreement with us, but also so that we can administer and fulfill such agreements. In addition, data generated by you as a customer using our products and services is processed. We may record telephone calls and save and/or document your communications with us, including digital ones. Our offices can also be equipped with surveillance cameras for security reasons.

The categories of personal data we primarily collect are:

• Identification data: for example name and social security number. We are also obliged to verify the accuracy of this information and to document the verification by taking a copy of a valid ID document (e.g. passport or driver's license).
• Contact details: e.g. address details (mail and e-mail), phone number and the language you have chosen for the bank to communicate with you in.
• Economic circumstances: for example, information on income, assets and liabilities, employment, household, relationships with legal entities, etc.
• Requirement-specific data for the financial sector: for example, data to combat money laundering and terrorist financing as well as the obligation to know the customer in detail (e.g. KYC).
• Special categories of personal data: for example information about health or membership of trade unions. We only handle such personal data when it is relevant for a specific product or service (such as in connection with credit products or in the bank's capacity as an insurance intermediary).

Personal data we collect from third parties

• Data from authority registers, for example for ongoing updates of customer registers.
• Data from credit bureaus.
• Data from other information providers.
• Data from national and international sanctions lists to review and prevent the business from being used for money laundering purposes or for the financing of terrorism.

Furthermore, data can also be collected from another company within the Kylla bank Group.

The Kylla bank processes your personal data mainly for:

Preparation and administration of agreements (fulfilment of agreements) Mainly, the Kylla bank collects, checks and registers the data required to enter into agreements with you and to document, administer and fulfill such agreements. Processing this personal data is therefore a prerequisite for the Kylla bank to be able to enter into an agreement with you.

Meet obligations according to law, other constitution or authority regulation/decision (legal obligation)

In connection with and in addition to the preparation and administration of agreements, there is also processing of personal data that is required for the Kylla bank to be able to fulfill its obligations according to law, other constitution or authority regulations/decisions.

Examples of processing as a result of legal obligations:

(i) Comply with accounting legislation.

(ii) Measures to prevent, detect and investigate money laundering, fraud and terrorist financing.

(iii) Control against sanctions lists.

.

(iv) Reporting to the tax, police and investigation authorities as well as to the Financial Supervisory Authority and other Finnish and foreign authorities.

(v) Comply with legislation regarding risk management, including the processing of data on borrowers and credit quality assessment for capital adequacy purposes

(vi) Comply with payment services legislation.

(vii) Comply with specific legislation, e.g. in the provision of securities services and housing loans.

Analyses, marketing and service and product development (legitimate interest)

The Kylla bank also processes personal data for market and customer analysis as well as for service and product development. The analyzes by e.g. profiling is done partly with the aim of improving our offer and partly to market it. In addition, some customer analytics can be used to detect and counter fraud. In the mentioned case, we have a legitimate interest in processing personal data for a purpose we consider necessary and as a result of a balancing of interests between different interests.

We may also process your data in order to provide you with offers that are personalized and potentially interesting to you. For customer analyzes for marketing purposes, the Kylla bank has a legitimate interest in using profiling.

What is profiling?

Profiling is any form of automatic personal data processing where the data is used to analyze and assess our customers' financial situation, personal preferences, interests and behavior in our various channels. By, for example, using our digital services, we create an idea of your preferences in order to improve your customer experience.

Consent

You may also in some cases need to consent to us processing your personal data. In such cases, we will ask you to consent to the processing of the personal data for a specific purpose. An example of when we need your consent is when the processing contains special personal data, such as a health certificate or trade union membership.

You can withdraw your consent at any time. The processing that has already been done is not affected, but after this, and in the absence of another legal basis, we will no longer process the personal data.

Companies within the Kylla bank Group may process your personal data. For example, if you subscribe to the Kylla bank's funds, your data will be further processed by the group's fund company.

Your personal data may also be processed by one of our partners, and before that we always ensure that the sharing of the data takes place within the framework of applicable confidentiality obligations. Such actors are, for example, Asiakastieto and insurance companies that process your personal data so that we can fulfill our agreement with you or with the support of our legitimate interest. In some cases, we are also obliged by law to disclose personal data to various authorities. More information about how the Kylla bank uses your personal data and why can be found above under point 2.

In some cases, we may transfer personal data to countries outside the EU and EEA (so-called third countries) and to international organizations. We only do this on the condition that other rules in the data protection regulation are followed and that one of the following conditions is met:

- The EU Commission has decided that there is an adequate level of data protection in the country in question.
- We have taken other appropriate protection measures, such as standard contract clauses or through binding corporate regulations of
our partners (Binding Corporate Rules, BCRs).
- There is special permission from the supervisory authority.
- It is permitted on other grounds according to current data protection legislation.

The Kylla bank saves your personal data only as long as necessary, which varies depending on the task and what it is used for. Your personal data will be with us during the time you have an agreement with us. After that, the data is saved for a maximum of 10 years, taking into account statutes of limitations. In some cases, the data may be saved for an even longer period of time, for example due to legislation on capital adequacy that we must comply with. Other time periods may also apply when we save personal data for reasons other than because of your agreement with us and to comply with applicable legislation, such as combating money laundering (five years) and accounting (seven years).

If you do not enter into an agreement with us but have still submitted your personal data, for example through an application for an account or loan, we will save the data for a shorter period of time.

The time for the retention of personal data may vary within the Kylla bank Group depending on whether the personal data is processed in Finland or in Sweden.

In some cases, we may use automated decision-making provided that you have expressly consented to it, legal obligations require it, or it is necessary for us to be able to fulfill our agreements with you. If such a decision, even when the decision is based on profiling, would have legal consequences for you or otherwise significantly affect you, you can always contact us, contest the decision or request manual processing instead.

You have the right to information about how we process your personal data and can contact us if you want to use any of the rights below.

a. Right to request access

You have the right to receive information about your personal data that is processed by us. In many cases, you already have access to them, for example through the Kylla bank's Internet office. You also have the right to request specific information if you want something other than general information about your personal data. The right of access may be limited by law, the protection of business operations and to protect the rights of others.

b. Right to request correction

You have the right to have incorrect or incomplete personal data corrected and supplemented, unless this is limited by legislation or other regulation.

c. Right to request erasure

You have the right to have your personal data deleted if there are no obstacles in the applicable legislation for the financial sector or in the contractual relationship, including, for example, statutory times for the preservation of data and the handling of legal claims.

d. Right to request limited processing

In some cases, you can request that we begclears the processing of your personal data. You can do this if you believe that the personal data is not correct, the processing of it lacks a legal basis or if you have objected to the processing (see below). For example, the processing may be limited to only storing your personal data or limited during the time that we review whether our legitimate interest takes precedence over your interests.

e. Right to object

You have the right to object to the processing of your personal data based on our legitimate interest. Then we can only continue the processing if it can be established that we have a compelling legitimate interest that takes precedence over your interest (see more about legitimate interest above under point 2). You can always object to direct marketing and the profiling done in connection with it.

f. Right to request data portability

When we process your personal data in an automated manner with the support of an agreement or your consent, you have the right to receive the personal data that you yourself have provided to us in a machine-readable format.

At the Kylla bank, we protect your personal integrity, and responsible processing of your personal data is an important part of our business. We have therefore taken appropriate technical and organizational measures to ensure the protection of your personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or unauthorized access. We also place corresponding demands on our partners.

If you no longer wish to receive direct mail from the Kylla bank, you can contact your account manager or Customer Service.