Security and incident management
Incident management
We may be required to process personal data both before and if a crisis situation or incident occurs in DNB. This will be personal data that is related to an incident such as violence, threats, unwanted behaviour or an accident.
Personal data processed in this context relates to the event itself. The incidents may contain both general personal data, but also special categories of personal data such as health data.
DNB Bank ASA is normally responsible for the processing of your personal data.
DNB Bank ASA may also act as a data processor when this is done on behalf of other legal entities in the DNB Group.
The purpose of the processing is to detect and handle a crisis situation.
We are legally obliged to process personal data for this purpose, and the legal basis is the regulatory statutory requirements that apply to the financial industry regarding security and incident management.
- Identification data
- Special categories of personal data collected from the data subject during incident management, including health data
We store events in access-controlled internal information systems and retain the personal data for as long as necessary to fulfil the purpose of the processing. Some logs are kept 10–15 years in accordance with our internal archiving routines.
We may share personal data within the Group for internal processing purposes. In addition, we may share information with external authorities such as the police. We may also share data with suppliers who process personal data on our behalf.
When we collect and process information about you, you have several rights under data protection rules and legislation. This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under "Your rights".
IT security
Security in DNB primarily relates to protecting the bank against crime and other intentional and undesirable incidents, but also unintentional incidents as a result of errors and accidents.
It is very important for us to protect our equipment, systems and information from damage, misuse, unauthorised access, alteration and vandalism. In this regard, a number of different security measures and systems are needed to detect and prevent unwanted incidents and damage to our assets and services, as well as to handle incidents that do occur.
We process personal data to achieve this purpose. This will typically be personal data such as your user identity and IP address. The information is processed by analysing internet activities on our secure networks and the use of our systems. We continuously seek to ensure that your personal data is protected against loss, destruction, corruption or unauthorised access.
DNB Bank ASA is normally responsible for the processing of your personal data.
The purpose of the processing is prevention, detection and handling of IT security incidents in DNB.
DNB is legally obliged to process personal data for this purpose, and the legal basis is the regulatory statutory requirements that apply to the financial industry regarding security and incident management, as well as data protection rules and legislation.
- Identification data
- IP address
- Digital behaviour data
We retain your personal data as long as is necessary to achieve the purpose. This is up to a maximum of three years, unless the purpose entails a special need to keep the data longer.
We may share personal data within the Group for internal processing purposes. In addition, we may share information with external authorities such as the police. We may also share data with suppliers who process personal data on our behalf.
When we collect and process information about you, you have several rights under data protection rules and legislation. This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under "Your rights".
Physical security - Guest registration
When you visit our offices and register as a guest in our system, we register personal data about you.
The personal data we collect is your name and phone number. If you wish, you can also register whether you represent a company or are a private individual.
DNB Bank ASA is responsible for the processing of your personal data.
The purpose of the processing is to keep track of where visitors are in our buildings. This is to ensure the safety of people, our assets and our property, as well as to handle incidents and criminal offences that should arise. The purpose is based on both preventive and reparative considerations.
We have a legitimate interest for this processing of your personal data. Our legitimate interest is to keep track of where visitors are in our buildings.
The guest must consent to the legal basis for processing so that we may store their contact details for one year.
- Contact details
If you are a guest and you want the system to remember the information entered, you may consent to this.
The personal data provided during guest registration is anonymised after 90 days. If the visitor wishes to be remembered beyond 90 days, they must consent to this. In this case, their personal data will be retained for 365 days.
We share personal data with our data processor and the supplier of the visitor registration system.
When we collect and process information about you, you have several rights under data protection rules and legislation. This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under "Your rights".
Physical security - Camera surveillance
We use camera surveillance for security purposes to prevent unwanted incidents from occurring, and to monitor our own actions and secure evidence when investigating criminal acts. Video and camera surveillance are installed at fixed locations inside and outside our buildings.
We use video surveillance to record videos/images of employees, customers, guests and other third parties. The number of cameras in DNB has been reduced to a minimum in order to best safeguard privacy considerations and prevent unnecessary recordings. The need for a camera is assessed in relation to different zones and purposes. Each camera’s coverage area is thoroughly assessed and areas that should not be included in the processing are removed.
The recordings are deleted on an ongoing basis according to different deletion deadlines for different zones.
DNB Bank ASA is responsible for the processing of your personal data.
The purpose of the processing is to prevent and detect criminal acts through the surveillance of buildings managed or leased by DNB. This is to ensure the safety of people, our assets and our property, as well as to handle incidents and criminal offences that should arise. The purpose is based on both preventive and reparative considerations.
We have a legitimate interest for this processing of your personal data. Our legitimate interest is to conduct surveillance for security purposes.
- Images
- Videos
We retain surveillance videos recorded by our security cameras for seven days after the recording date. We retain camera surveillance of the bank’s offices and branches for 90 days.
Personal data that is processed is shared with our security provider of the solution. Personal data may also be shared with police authorities upon request for disclosure.
When we collect and process information about you, you have several rights under data protection rules and legislation. This includes the right of access, the right to data portability, the right to rectification of any errors and the right of erasure, which means that we must, on our own initiative, delete information that is no longer necessary for the purpose of the processing. We will always consider any objections you may have to the processing of your personal data, and we will follow up when you opt out of direct marketing.
Read about how you can exercise your data protection rights in our privacy notice under "Your rights".