Privacy Notice –
Processing of Personal Data for Recruitment Purposes
Last updated: 29 October 2025.
This Job Applicant Privacy Notice (“the Privacy Notice”) describe how Swedbank Pay AB process the Personal Data of Job Applicants.
Swedbank Pay AB, 559465-5366, (“Swedbank Pay”, “we”, “our”, “us”, etc) is the Controller of your Personal Data.
As an employer, Swedbank Pay needs to process information about Job Applicants for hiring and evaluation purposes and to enable it to run its recruitment process effectively, lawfully and appropriately.
Definitions
Job Applicant
a natural person: applicants, candidates, leads, etc who are applying/applied for a position at Swedbank Pay, i.e. you.
Personal Data
Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific. In the context of this Privacy Notice, Personal Data refers to any information directly or indirectly related to Job Applicant.
Processing
Any operation carried out with Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Swedbank Pay Group
Swedbank Holding AB and its companies forming part of the company group at any given time.
Swedbank Pay Group company
Any company within the Swedbank Pay Group (Swedbank Holding AB and its subsidiaries).
Swedbank
Swedbank AB (publ).
Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, i.e. Swedbank Pay
Processor
A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
Regulatory Legislation
Applicable legal acts that Swedbank Pay is subject to, for example, relating to anti-money laundering, banking secrecy, commercial activity, data protection, taxes, bookkeeping, credit, consumer credit, payment, payment services, insurance, leasing, investment and financial business.
Data Protection Legislation
Applicable EU- and national data protection legislation that Swedbank Pay is subject to, for example, GDPR and supplementary national data protection legislation as well as guidelines and guiding decision from supervising authorities and other applicable legislative acts.
GDPR
The Regulation (EU/2016/679) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data […].
Where this Privacy Notice uses terms that are defined in GDPR, unless otherwise explicitly defined in this Privacy Notice, those terms shall have the same meaning as in the GDPR, regardless of if used with a capital initial letter or not.
General
This Privacy Notice describes how Swedbank Pay generally carries out processing of Personal Data in adjunction with recruitment. If the recruitment process results in your employment, additional information regarding Swedbank Pay processing of Personal Data will be provided.
Swedbank Pay ensures, aligned with the framework of Data Protection Legislation, confidentiality of Personal Data and has implemented appropriate technical and organizational measures to safeguard your Personal Data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction.
Swedbank Pay may use Processors for the processing of Personal Data. In such cases Swedbank Pay takes all necessary steps to ensure that such Processors process your Personal Data only in accordance with Swedbank Pay documented instructions and in compliance with applicable Data Protection Legislation.
Swedbank Pay may use authorized Processors for processing or sharing of Personal Data with other recipients (such as partners, authorities, government agencies or other institutions as required by law and/or regulation). Read more about Processors in section 8.
Categories of Personal Data
Personal Data is collected directly from you, through the activities performed during the recruitment process, and from external sources such as public and private registers or other third parties, such as referees. When applying for a position within the Swedbank Pay Group, refrain from emitting Personal Data that is not necessary for the process of your application.
Personal Data categories, and main examples of personal identifiers within that category, that Swedbank Pay collect and process are:
Category
Personal identifiers
Identity and Contact Information
Information that enables identification of and communication with you as an individual.
Name, personal ID number, address, email, phone number, nationality, citizenship (only in Norway)
Employment and Work-Related Information
Information related to your current employment.
Type of employment, job role, employment start and end date
Demographic information
such as age, country of residence, citizenship, language of communication.
Competence and Development Data
Information related to previous experience, education, and development.
CV, education, certifications, references, test results.
Financial Information
Financial status, income and debt
Special category information
Sensitive data such as Special Categories of Personal Data (for example, data concerning health/allergies and trade union membership) and Data about criminal convictions and offences such as data about absence of criminal convictions or existence of conviction for wilful crime against the state, property or administrative order, or wilful crime of economic nature or in state authority service, or for commitment of such a crime which is connected with terrorism and conviction for that is not expunged or extinguished; or about convictions for breach of international or national sanctions or anti-money laundering and counter terrorist financing legislation and at least one year has not passed since the day of imposition of the sanction.
Legal ground and purpose of processing
As an employer on a regulated market, Swedbank Pay needs to process information about Job Applicants to enable it to run its business effectively, lawfully and appropriately.
Swedbank Pay prioritizes processing your Personal Data in a transparent manner and in accordance with applicable Regulatory and Data Protection Legislation.
Although Swedbank Pay is subject to certain regulatory requirements and occasionally under obligation to process your Personal Data in a certain way, the majority of Job Applicants Personal Data is processed since it is necessary to take steps at the request of you, prior to entering into a contract. The legal ground for the majority of our processing activities is thus “fulfilment of agreement”, GDPR art 6.1(b).
Some Personal Data may be processed based on the overall legal basis that it is necessary for the purpose of legitimate interests pursued by Swedbank Pay which outweighs the Job Applicants interest regarding fundamental rights and freedom which require protection of Personal Data, GDPR art 6.1(f).
Additionally, Personal Data may be processed since it is necessary to for compliance with a legal obligation to which Swedbank Pay is subject, GDPR art. 6.1(c).
In some cases, Swedbank Pay processes the same/supplementary Personal Data for additional purposes, if obliged by law or has a legitimate interest in doing so. These cases and some additional information regarding our processing activities are described below.
Legal obligation
Swedbank Pay process Personal Data to be able to fulfil its legal obligations according to Regulatory and Data Protection Legislation, or other mandatory legal requirements as described below.
The purposes for the processing are:
- Suitability assessments of Job Applicants (see FFFS 2010:3 and Joint ESMA and EBA Guidelines on the assessment of the suitability of members of the management body)
- Categories of Personal Data: Identity and Contact information, Demographic information, Financial information, Special category information
- Data can be shared within the Swedbank group and with governing authorities
- Managing compliance with Regulatory Legislation (specifically when processing is required to comply with the Banking and Financing Business Act, Debt Collection Act, labour laws and NIS2)
Categories of Personal Data: Identity and Contact Information, Employment and Work-related Information, and information relating to criminal convictions and offences.- Data is shared within Swedbank Pay Company Group, when such sharing is required to comply with applicable regulatory legislation or labour laws.
- Conflict of interest assessments to identify and record the probability of conflict between the interests of the company and personal interests of the Job Applicants (when processing is required to comply with the Banking and Financing Business Act, EU regulations GL2021/05 and GL2021/06, S-FSA Regulatory Code FFFS 2014:1 (Sweden) and The Financial Institutions Act 15-1 (Norway))
Categories of Personal Data: Identity and Contact Information, Employment and Work-related Information, Competence and Development Information.
Legitimate Interest
Certain processing of Job Applicants Personal Data is based on Swedbank Pay legitimate interests.
The overall interests for Swedbank Pay to perform the activities below are business- and cost efficiency and Swedbank Pay determination of providing an attractive work environment for you and future Job Applicants, employees and consultants.
Swedbank Pay has assessed that the following processing activities are necessary for the purposes of the entitled parties’ interests pursued by Swedbank Pay, and that these interests override those of the Job Applicant regarding fundamental rights and freedom, primarily considering the protection of Personal Data, in accordance with the GDPR, art 6.1(f).
Several of the described processing activities below are conducted within Swedbank Pay right to direct and manage its business or to comply with general regulatory demands, further strengthening Swedbank Pay interest assessment.
The purposes and Swedbank Pay legitimate interests for the processing are:
- To conduct suitability assessments
Categories of Personal Data: Identity and Contact Information, Financial Information Special category information, external assignments, i.e. result of background check, in accordance with IMYFS 2024:1. Swedbank Pay does not save any information regarding criminal offence, merely verifying that a background check has been conducted.
The background check itself is conducted by a third party provider, who is the controller for the actual processing. Swedbank Pay only views or get a verbal summary of the background check, and does not store any of its content.
- Establishing, defending and exercising legal claims
Categories of Personal Data: Identity and Contact Information, Employment and Work-related Information, Competence and Development Data, Special Category Information
- Data can be shared with auditors, legal- and financial advisors, authorities (such as law enforcement agencies, sworn bailiffs, public notary offices, tax administration agencies, supervisory authorities, and financial investigation authorities), judicial and extrajudicial dispute settlement institutions, Trade unions, professional- and industry associations, depending on the claim.
- Data can be retained for as long there are unsettled, anticipated or sufficiently high risk of legal claim; but as a general rule no longer than 24 months.
Consent
Swedbank Pay will in some cases ask for the consent of the Job Applicants to the processing of Personal Data. Before you are given the option the consent, you receive additional information about the processing if necessary. You can always revoke your consent, see Section 11-12, and you will be informed about the possible consequences of such withdrawal.
The purposes for the processing are generally:
- When registering yourself in our candidate pool, for the purposes of contacting you regarding future job openings.
- Categories of Personal Data: Professional information, Contact information, Competence and Development Data.
- If you have not registered yourself in our candidate pool, but have applied for a certain position, contacting you regarding job openings we think that you might be suitable for, after valuating your profile.
- Categories of Personal Data: Professional information, Contact information.
- If you have not registered yourself in our candidate pool, to be able to contact you in order to collect a new consent for the above mentioned processing activity.
- Categories of Personal Data: Contact information.
Personal Data is retained and updated as long as your consent is valid, but no longer than 24 months at a time.
Profiling and automated decision making
Swedbank Pay does not engage in automated decision making, including profiling.
Retention Periods
Personal Data will only be processed as long as it is necessary to achieve the purposes of processing as presented in section 3.
In accordance with the GDPR, Personal Data is not processed by Swedbank Pay for a longer period of time than necessary to achieve the purposes set forth above. However, as described under section 4, there are multiple purposes for processing your Personal Data. Swedbank Pay has implemented technical as well as organisational measures to prevent that your Personal Data is object to purpose creep, i.e. not further processed in a manner that is incompatible with the initial purposes.
In such a way, your Personal Data is processed by Swedbank Pay under longer time for one purpose than another. In the event of any deviations, these are specified in section 4, in conjunction with a specific processing activity. As a general rule, data collected as described in this Privacy Notice is not kept by Swedbank Pay in a way that enables them to be related to you as a person longer than necessary.
For further information regarding Swedbank Pay retention rules, please consult information under each legal ground in section 4, but as a general rule the processing for the specific purposes are ongoing only as long as the application process. If your application does not result in an employment, your Personal Data will be processed in accordance with section 4.3 if otherwise is not stated specifically.
Recipients of Personal Data
Within the performance of the abovementioned Purposes, your Personal Data will, depending on the nature of processing, be shared with the following categories of recipients:
- Swedbank Pay Group companies
- Swedbank
- Auditors, legal- and financial advisors
- Third parties maintaining registers (e.g. population register and other registers which contain Personal Data or through which Personal Data is shared)
- Authorities (such as law enforcement agencies, sworn bailiffs, public notary offices, tax administration agencies, supervisory authorities, and financial investigation authorities)
- Judicial and extrajudicial dispute settlement institutions
- Other persons or entities providing services to Swedbank Pay, incl. archiving, postal service providers, providers of services of recruitment services.
Processors and sub-processors
Swedbank Pay may share your Personal Data with suppliers and subcontractors such as consultants, software suppliers, data storage suppliers and companies that provide, amongst other, printing- and postal services and additional services addressed above.
Swedbank Pay use their services in order to perform the processing activities described in this Privacy Notice, as they can perform services or functionalities that Swedbank Pay can’t provide itself.
Swedbank Pay share your Personal Data with various suppliers primarily to fulfil our contract with you, based on our legitimate interest or to comply with legal requirements. There are also times when Swedbank Pay use external programs for analysis, the processing is then based on a legitimate Interest.
The companies that process Personal Data on behalf of Swedbank Pay constitutes so-called Personal Data Processors. This means that they have the right to process Personal Data that they receive from Swedbank Pay in accordance with Data Protection Regulation, only on our behalf and according to our documented instructions. This is regulated in a Data Processing Agreements (“DPA”) between Swedbank Pay and the Processor.
For a full list of third parties that Swedbank Pay may share your Personal Data with, please contact us as set out below.
Security measures
Swedbank Pay protects the confidentiality of your Personal Data through the implementation of appropriate technical and organizational security measures to prevent unauthorized access, illegal processing or removal, unintentional loss, amendment or destruction of Personal Data. If you wish to receive more information regarding Swedbank Pay security measures, please contact us (contact information is provided in section 12).
Geographical area of processing
In general, your Personal Data will be processed within the European Union/European Economic Area (“EU/EEA”).
But, as you may expect, some of the recipients Swedbank Pay share Personal Data with may be located in countries outside of the EU/EEA.
Some countries where recipients may be located already provide an adequate level of protection for this data (e.g., those within the EU/EEA and some additional countries).
If recipients are located in countries without proper framework for adequate protection of Personal Data, Swedbank Pay will take all necessary measures to ensure that transfers out of the EEA are adequately protected as required by applicable Data Protection Legislation. This may include appropriate safeguards for the transfer by means of binding corporate rules or standard contractual clauses adopted by the European Commission, or other contractual terms approved by the European Commission or competent supervisory authorities
In several of our services, Swedbank Pay use U.S.-based cloud service providers where Swedbank Pay have chosen Europe as the primary storage location. In exceptional cases, your Personal Data may also be processed in other countries in which the supplier or the suppliers Processors operates.
Swedbank Pay will always ensure that the countries in question have an adequate level of protection and/or that Processor has introduced appropriate security measures so that the same level of protection is applied to your Personal Data as under the Data Protection Legislation.
When sharing/processing Personal Data via US services, Swedbank Pay ensure the company in question is a member of the Data Privacy Framework: dataprivacyframework.gov
For further information about the transfer of Personal Data outside the EU/EEA, see Contact details below, section 12.
Rights of Data Subjects
As a Data Subject, you have several rights regarding the processing of your Personal Data. These rights ensure transparency and give you control on how your Personal Data is processed.
Right to access (GDPR art 15)
You have the right to request access to your Personal Data that Swedbank Pay process. This includes information about the purposes of processing, the categories and recipients of Personal Data, and how long Swedbank Pay store your information.
Right to rectification (GDPR art 16)
If your Personal Data is incorrect, incomplete, or outdated, you have the right to request that Swedbank Pay correct or update it without undue delay.
Right to erasure (GDPR art 17)
You can request the deletion of your Personal Data in certain circumstances, such as if the data is no longer necessary for the purpose it was collected, if you withdraw your consent (where consent is the legal basis), or if the data has been processed unlawfully.
Right to restriction of processing (GDPR art 18)
You have the right to request that Swedbank Pay temporarily restrict the processing of your data under specific conditions, such as if you contest the accuracy of the data or object to the processing.
Right to data portability (GDPR art 20)
If the processing is based on your consent or the performance of a contract and is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format. You can also request that Swedbank Pay transfer this data directly to another data controller, where technically feasible.
Right to Object (GDPR art 21)
You have the right to object to the processing of your Personal Data if the processing is based on legitimate interests or performed for direct marketing purposes. If you object to direct marketing, Swedbank Pay will immediately stop processing your data for such purposes.
Right to withdraw consent (GDPR art 7.3)
If Swedbank Pay process your data based on your consent, you can withdraw your consent at any time. This will not affect the lawfulness of the processing carried out before the withdrawal.
Right to lodge a complaint (GDPR art 77)
If you believe that your Personal Data is being processed in violation of Data Protection Legislation you have the right to file a complaint with the supervisory authority. Contact details to respective jurisdictions supervisory authority:
Sweden - Integritetsskyddsmyndigheten
📍 Address: Box 8114, 104 20 Stockholm
📞 Phone: +46 (0)8 657 61 00
📧 Email: imy@imy.se
🌍 Website: www.imy.se
Finland – Tietosuojavaltuutetun toimisto
📍 Address:
PL 800, 00531 Helsinki, Finland
📞 Phone: +358 29 566 6700
📧 Email: tietosuoja@om.fi
🌍 Website: www.tietosuoja.fi
Norway – Datatilsynet
📍 Address:
Postboks 458 Sentrum, 0105 Oslo, Norway
📞 Phone: +47 22 39 69 00
📧 Email: postkasse@datatilsynet.no
🌍 Website: www.datatilsynet.no
Denmark – Datatilsynet
📍 Address:
Carl Jacobsens Vej 35, 2500 Valby, Denmark
📞 Phone: +45 33 19 32 00
📧 Email: dt@datatilsynet.dk
🌍 Website: www.datatilsynet.dk
Contact details
To exercise your rights, you can use our web portals:
Sweden: https://www.swedbankpay.se/dataskydd/dsar
Norway: https://www.swedbankpay.no/personvern/dsar
Denmark: https://www.swedbankpay.dk/databeskyttelse/dsar
Finland: https://www.swedbankpay.fi/henkilotietosuoja/dsar
You can also send an e-mail to our DPO address: dpo@swedbankpay.com
For more general questions regarding our GDPR and Privacy work you can e-mail the privacy function: privacy@swedbankpay.com
Validity and amendment of the Privacy Notice
This Privacy Notice is available on Swedbank Pay website and upon request.
