This privacy statement provides information on how Norges Bank processes your personal data. Personal data refers to any information or assessment that can be directly or indirectly linked to you as an individual.

Norges Bank is the data controller for all processing of personal data. As the data controller, Norges Bank is responsible for ensuring that the processing of personal data complies with applicable privacy laws, including the EU's General Data Protection Regulation (GDPR).

Norges Bank continuously strives to ensure that your personal data is processed in a responsible and secure manner.

Data Controller

Norges Bank, represented by the Governor, is the data controller for the processing of personal data within the organization. The data controller is responsible for ensuring that the processing of personal data complies with current privacy legislation.

Processing of Personal Data

When you visit the bank, register your email address, visit our websites, or contact us in other ways, we receive various types of personal information from you. Below you can find more information about our processing. In certain instances, we may acquire personal data from third-party sources. Unless the law stipulates otherwise, we will keep you informed about such occurrences.

Norges Bank has different legal grounds when processing your personal data. These legal grounds could include your consent or a legal obligation.

Norges Bank can only disclose your personal data if we have a legal basis for doing so under the Personal Data Act and GDPR.

Purpose of Processing Personal Data

Norges Bank's processing of your personal data may serve various purposes. We process personal data for the purpose of preparing statistics and analysis, sending out email news alerts, handling inquiries and visits from the public, for administrative purposes, and to ensure the security of Norges Bank.

We process personal data in the following manner:

Statistics, Web Analytics, and Use of Cookies

Cookies are files that contain small amounts of information downloaded to the device you use when visiting a website. These files enable us to recognize your browser and to know the country, region, and city from which you are accessing our website, but they do not provide us with any directly identifiable information about you.

As part of our efforts to create a user-friendly website, Norges Bank collects information about the use of the web pages. The purpose is to generate statistics to improve the websites and the editorial content. Some of the cookies are necessary for various services on our website to function.

We utilize the analytical tools Siteimprove and Microsoft Application Insight. In the cookie banner on the website, you can at any time see which cookies are used on norges-bank.no and choose which ones you wish to accept or reject.

Norges Bank uses tracking codes from Microsoft Application Insight, which anonymize your IP address before the information is stored. Therefore, we cannot link information about your use of the website to you as an individual, and you cannot be identified.

You can view the cookies used on norges-bank.no in the banner at the bottom of all pages, which will always display the current cookies in use.

The legal basis for generating anonymous statistics is GDPR Article 6(1)(f), which allows us to process information necessary to protect a legitimate interest, provided it supersedes individual privacy concerns. The legitimate interest is to improve and further develop the information on our websites.

Feedback Function

At the bottom of some articles on norges-bank.no, you will find a function where you can provide feedback on whether you found the information you were looking for or not. We use this feedback to improve the content on the website. If you submit feedback, your IP address will be logged.

The function is not used for guidance, and therefore, we kindly ask you not to register questions that you seek answers to. We also request that you refrain from providing any personal information about yourself or others. We review the feedback manually on a periodic basis.

The legal basis for processing personal data through the feedback function is the General Data Protection Regulation (GDPR) Article 6(1)(f), which allows us to process information necessary to protect a legitimate interest, provided it supersedes individual privacy concerns Our legitimate interest is to provide content that meets the informational needs of the public.

News Alerts and RSS Notifications

If you choose to subscribe to e-mail alerts, publications, and other information from Norges Bank, we will register your email address and subscription details.

The email address will only be used to send e-mail alerts related to the selected topics, and you can change or stop your subscription at any time. Your email address will then be deleted from our database. The processing is based on your consent.

RSS (Really Simple Syndication or Rich Site Summary) can be used to subscribe to new information published on our website. You will receive notifications about new information published in connection with the topics you have selected via an RSS service. Norges Bank does not store information about which RSS notifications you subscribe to. You manage the subscription yourself and can unsubscribe from the service whenever you wish.

Recruitment

If you apply for a job at Norges Bank, we need to process information about you to assess your application. The recruitment process involves the processing of the information you provide to us through the documents you submit, including your application, CV, transcripts, and certificates. In addition to any interviews, Norges Bank may also conduct its own inquiries, typically through talks with the job applicant's references.

Norges Bank uses a job application portal to manage submitted applications for our vacant positions. Our privacy statement for recruitment is available on our recruitment portal.

The legal basis for assessing submitted documentation, conducting interviews, and contacting references is GDPR Article 6(1)(b). This provision allows us to process personal data when it is necessary to take steps at the job applicant's request before entering into a contract. By applying for the position and uploading documents, we consider that the job applicant is requesting us to assess the submitted documentation, conduct interviews, and contact references with the aim of entering into an employment contract.

If we conduct additional inquiries beyond this, such as contacting someone who issued a certificate but was not listed as a reference, the legal basis for such inquiries is GDPR Article 6(1)(f), which allows us to process information necessary to protect a legitimate interest, provided it supersedes individual privacy concerns. The legitimate interest is to find the right candidate for the position.

Employees, Contracted Personnel, Consultants, and Next of Kin

Norges Bank collects and processes personal data about employees, contracted personnel, and consultants. Employees and other personnel with access to our intranet can find our privacy statement there for further information.

We also process personal data about our employees' next of kin and emergency contacts, including their names, contact information, and dates of birth. We collect this information from our employees at the start and during the course of their employment. We use this information to manage emergencies and to administer insurance and pension schemes. Therefore, the information may be shared with third parties when necessary for the purposes mentioned above.

The legal basis for processing this data is GDPR Article 6(1)(b) when it is necessary to fulfill a contract with individuals and GDPR Article 6(1)(f), which allows us to process information necessary to protect a legitimate interest, provided it supersedes individual privacy concerns. Norges Bank's legitimate interest is to be able to contact next of kin and emergency contacts in an emergency situation.

Contacting Norges Bank

When you contact Norges Bank, we may collect your name, email address, and other information provided to us in order to respond to your inquiry.

We use email to carry out our tasks. Emails we receive will be deleted when they are no longer necessary for performance of our daily tasks. We kindly ask that sensitive personal data not be sent via unencrypted email.

Norges Bank scan all incoming and outgoing emails for viruses and malware to ensure the integrity, confidentiality, and availability of our systems.

The legal basis for this scanning is GDPR Article 6(1)(c). Norges Bank has a legal obligation to ensure information security under GDPR Article 5(1)(f) and Article 32. Following a specific risk assessment, we have concluded that this measure is necessary for Norges Bank to fulfill its obligations. At the same time, we have assessed that the processing of personal data does not exceed what is necessary to fulfill this obligation.

Visiting Norges Bank

When visiting Norges Bank's premises, we register your name and the company you work for upon arrival. Additionally, you will be asked to provide identification with a passport or driver's license.

As part of Norges Bank's security measures, the bank's premises are access-controlled and monitored through surveillance cameras. If you visit Norges Bank, we process information about you in the form of access history and camera recordings in publicly accessible areas within the bank. Moreover, we have camera surveillance around the bank's buildings at Bankplassen 2, Rådhusgata 10, 12, and 14, Kirkegata 6, and Finanstilsynet's premises at Revierstredet 3, where we may process personal data about you if you pass by these buildings. The purpose of this processing is to prevent, detect, limit, and investigate crimes directed against the bank and its employees. For security purposes, certain phones within the bank are subject to audio recording.

The legal basis for this processing is GDPR Article 6(1)(c). Norges Bank has a legal obligation to ensure adequate security under the provisions of the Security Act.

Events

Norges Bank is committed to being an open and accessible central bank. As part of this commitment, we regularly organize events and extend invitations to relevant individuals. Our aim is to ensure a diverse representation of guests at our events, reflecting both relevance and inclusivity. To facilitate this, we maintain a contact register that includes information such as name, title, organizational affiliation, phone number, and email. This information enables us to extend invitations for relevant events. If necessary, we may also collect specific information related to each event.

The legal basis for this processing is GDPR Article 6(1)(f), which allows us to process information necessary to fulfill a legitimate interest, provided it supersedes individual privacy concerns.

There are occasions when Norges Bank organizes events with open registration for the general public. In these instances, individuals are given the option to allow Norges Bank to retain their contact information. This enables us to provide them with information about future events.

The Education Centre

When school classes or other groups express interest in visiting the Norges Bank’s Education Centre, we gather personal information from the designated contact persons. This information is collected during the registration process for the visit. The purpose of collecting this information is to effectively manage and coordinate the visit, and the legal basis for this processing is consent. Volved.’

Suppliers, service providers and other Business Contacts

We collect and process personal data relating to individuals associated with our suppliers, service providers and other business relations. Such information may include names, employer/entity name, business contact details, CVs, communications etc. We use this information as necessary to consider bids and tenders, to conclude and execute agreements with suppliers, service providers and other business relations and to communicate with, support and manage our relationship with such parties. Any personal data that is required for these purposes will be archived in accordance with the Norwegian Archiving Act.

The legal basis for this processing is Article 6(1)(e) of GDPR, which allows for processing that is necessary for the performance of a task carried out in the public interest. Additionally, the legal basis is Article 6(1)(f), which permits the processing of information that is necessary for the purposes of legitimate interests pursued by Norges Bank. The legitimate interest is to be able to administer suppliers and business contacts.

Additionally, we conduct Integrity Due Diligence (IDD) on existing and potential third parties providing goods and services to our organization, including counterparties, partners, and other business contacts. Such screenings cover individuals associated with third parties, such as owners, shareholders, directors, senior management and key personnel. The personal data collected will depend on the type of third party and the risks involved, but will generally include name, business role, contact information, listings in sanctions or restricted lists, political exposure, as well as information relating to corruption, crime, regulatory fines and penalties.

We collect this information directly from the individuals or from third parties, such as through questionnaires, searches in publicly available sources like newspapers and official sanction lists, and/or from external providers specializing in integrity due diligence.

The legal basis for this processing is Article 6(1)(f) of the GDPR, which allows us to process information necessary for the legitimate interest of ensuring the proper selection and administration of our business contacts, and Article 6(1)(c) to fulfill legal obligations imposed on the bank by anti-money laundering laws. We have obtained authorization from the Data Protection Authority to process personal information in connection with our integrity due diligence.

Depositing in Debt Settlement

Norges Bank processes personal information received by mail or email in connection with depositing in Norges Bank. This may include names, addresses, bank account numbers, and other information about the depositor(s) and claimant(s). The processing is necessary to fulfill a legal obligation imposed on Norges Bank under the provisions of the Depository Act.

Additionally, Norges Bank may conduct integrity checks on the claimant(s). These checks may include individuals associated with the claimant, such as owners, shareholders, board members, key employees, and key personnel. The type of personal information collected will depend on the type of claimant and the perceived risk, but typically includes names, business roles, contact information, entries in sanction and restriction lists, political exposure, as well as information related to corruption, criminal activities, regulatory fines, and penalties.

We collect this information directly from the individuals themselves or from third parties, such as through questionnaires, searches in publicly available sources like newspapers and official sanction lists, and/or from external providers specializing in Integrity Due Diligence (IDD).

The legal basis for this processing is Article 6(1)(c) of GDPR, which allows for processing that is necessary to comply with a legal obligation to which the bank is subject under anti-money laundering laws. Norges Bank also has the authorization from the Data Protection Authority (Datatilsynet) to process personal information in connection with our IDD.

Exchange of Invalid and Compensation for Damaged Banknotes and Coins

Norges Bank collect and process personal data when exchanging invalid or damaged banknotes and coins. This may include names, addresses, email addresses, phone numbers, bank account numbers, and in some cases, copies of valid identification and/or probate documents. The processing of this data is necessary to fulfill a legal obligation imposed on Norges Bank under the Central Bank Act § 3-4 and § 3-5, the Regulation on Compensation for lost, burned, or damaged banknotes and coins, and the Anti-Money Laundering Act.

Ordering Information Material

To place an order for information material for banks and shops, a user account for ordering must be created. We request your name and email address for this purpose. The personal data provided will be used to manage the orders. The legal basis for processing is consent.

Research and Analysis

Norges Bank collects personal data about the Norwegian population with the purpose of supporting the execution of the bank's tasks under the Central Bank Act. The information is gathered from third parties such as Statistics Norway (SSB), the Norwegian Labor and Welfare Administration (NAV), the Norwegian Tax Administration, and others. The data is used for research and analysis, forming the basis for the bank's decisions related to the implementation and advice within monetary policy and financial stability.

To enhance the analyses underlying Norges Bank's decisions on monetary policy and financial stability, we process contact information of individuals in a selection of companies in a contact register. We retain contact information (name, title, organization affiliation, telephone number, and email) to conduct necessary surveys.

The legal basis for processing is Article 6(1)(e) of GDPR. This provision allows us to process personal data when it is necessary for the performance of a task carried out in the public interest.

How We Safeguard Your Personal Information

Norges Bank places strict requirements on information security, and when we process your personal data, it is done in a secure and responsible manner. Your personal information is protected against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage. Employees of Norges Bank are bound by confidentiality obligations, and access to your personal data is limited to personnel with a legitimate professional need for such access.

Data Processors and Sharing of Personal Information

Access to personal information is limited to authorized personnel with a clear professional need for the information. Norges Bank will only share personal information with authorized service providers and advisors.

Norges Bank uses external service providers, for example, to operate IT systems and maintain our internal IT services, including case management, archiving, and video conferencing solutions. When third parties process personal information on behalf of the bank, we have data processing agreements to ensure adequate security and proper handling of the information.

When we use data processors outside the EU/EEA to process personal information on our behalf, we ensure that adequate safeguards are in place to ensure a level of protection equivalent to that provided by the GDPR, usually by using EU's standard contractual clauses.

Norges Bank may disclose information to third parties in some cases. This is done only when there is a legal basis for disclosing the information, for example, to public authorities, including regulatory authorities.

How long do we retain your personal information?

Norges Bank will only store personal information for as long as necessary to fulfill the purposes for which they were collected or to comply with regulatory requirements or legal obligations, including archival, accounting, and reporting obligations. The retention period for different types of personal information is determined based on the extent, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, the purposes of the processing, the statute of limitations for claims, and legal retention and deletion periods.

Your Rights

If Norges Bank processes your personal information, you have certain rights. The scope of these rights will depend on the circumstances and data protection laws. Typically, they include the following:

• The right to be informed upon request about the personal information we process about you and to receive a copy of the information,
• The right to have incomplete or inaccurate personal information corrected or deleted,
• The right to restrict the processing of your personal information.

If you need more information or wish to exercise your rights, or if you want to lodge a complaint about how we handle your personal information, you can contact us at personvern@norges-bank.no.

If you believe that Norges Bank is processing your personal information in violation of data protection laws, you also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet). You can find information about this on Datatilsynet's own website.

Data Protection Officer

Norges Bank has appointed a dedicated Data Protection Officer whom you can contact if you have any questions about how Norges Bank processes your personal information or if you need assistance in exercising your rights. The Data Protection Officer is bound by confidentiality.

You can contact our Data Protection Officer at personvern@norges-bank.no.