This personal data processing policy sets forth the basis, scope and procedure for the processing of client data by Nordic Hypo AS. These principles form an integral part of any agreements entered into between Nordic Hypo As and its clients.

The data controller is Nordic Hypo AS, registry code 11881110, Roseni 7, Tallinn.

General principles of client data processing

Personal data is any information that directly or indirectly relates to a client who is a natural person. Personal data processing is any operation performed with the client’s personal data (incl. collection, recording, storage, amendment, etc.).

Nordic Hypo AS (hereinafter referred to as Nordic Hypo) processes a client’s personal data with the client’s consent. Nordic Hypo ensures that the client has control over their personal data. Nordic Hypo stores the client’s personal data in its databases and the client has the right to receive information about their personal data. Additionally, the client has the right to demand that their personal data be amended, supplemented, corrected and transferred by contacting Nordic Hypo.

The client can withdraw their consent for personal data processing at any time by notifying Nordic Hypo thereof. The client can demand that their personal data be deleted if personal data are being processed with their consent and they have withdrawn this consent. This right does not apply in a situation where the client demands the deletion of personal data that is also being processed on legal bases, e.g., under an agreement or in order to perform legal obligations. The client has the right to contact the Estonian Data Protection Inspectorate if they find that their personal data has not been processed lawfully.

Nordic Hypo processes personal data in accordance with the principles set forth in the Personal Data Protection Act and the EU General Data Protection Regulation. Nordic Hypo uses a contemporary IT system that has undergone various tests, which pays special attention to data protection. Nordic Hypo is obliged to maintain the secrecy of clients’ personal data according to section 50 of the Creditors and Credit Intermediaries Act and the data are kept confidential. Nordic Hypo ensures the integrity and confidentiality of clients’ personal data.

Nordic Hypo processes clients’ personal data as little as possible. Personal data is not stored longer than needed for their processing. The storage period can either be based on an agreement with the client, Nordic Hypo’s justified interest or applicable laws.

Processed personal data

The main categories of processed data are:

Identification data – first and last name, date of birth, personal identification code, personal identification document data (incl. document number and term of validity), citizenship and data related to a residence permit or right of residence.

Contact details – e-mail, telephone number, postal address, preferred language of communication, etc.

Financial data – data on income, obligations, assets (incl. place of residence), marital status and dependants, previous payment behaviour (incl. debts to Nordic Hypo AS and third parties).

Data about the origin of clients’ assets – data on workplace, other sources of income, recent transactions and business partners.

Other data related to the loan application and loan agreement – account number, contents of the loan application and date of submission, contents of the agreement and date of conclusion, agreement performance, disputes and claims related to the agreement.

Feedback or other information submitted by clients.

Digital data – IP address.

Personal data processing objectives

Nordic Hypo uses clients’ personal data for establishing client relationships, providing services and in order to manage client relationships and allow access to services and ensure the convenient use thereof. Nordic Hypo also uses data collected from clients to improve the quality of its services, perform legal obligations and conduct credit and risk assessments in order to apply the principle of responsible lending and for the purpose of identification. Clients’ personal data are also processed in order to prevent money laundering and terrorist financing and perform other obligations arising from the laws of the EU and the Republic of Estonia.

Publishing and forwarding of personal data

Nordic Hypo publishes and forwards clients’ personal data to third parties only in the extent that is required for achieving the objectives of personal data processing.

Nordic Hypo may use data processors for processing clients’ personal data. In such cases, Nordic Hypo ensures that data processors apply appropriate security measures and process clients’ personal data according to Nordic Hypo’s instructions and in accordance with applicable law.

Nordic Hypo may forward data to competent state and law enforcement authorities, e.g., the police or supervisory authorities, but only at their request and only in the cases and pursuant to the procedure provided by law.

Nordic Hypo processes clients’ personal data only within the European Union and does not forward personal data to third countries.

If you have any questions about personal data processing, contact us at (