Date: 2022-11-10

INTERNAL

1. BACKGROUND AND PURPOSE

1.1 INTRODUCTION

The Privacy Policy describes the overarching principles and requirements for protecting privacy in the SpareBank 1 Østlandet Group. The policy applies to subsidiaries wherever appropriate and provides a basis for the companies' own privacy procedures. The policy is reviewed annually and revised as necessary.

SpareBank 1 Østlandet (SB1Ø) processes personal data as part of its everyday operations. SB1Ø must safeguard the data subjects' rights and freedoms related to privacy in relevant processes and tasks.

1.2 PURPOSE

The purpose of the Privacy Policy is to establish principles and requirements, roles and responsibilities for the processing of personal data in SB1Ø.

The policy is an integral part of the governance element of internal control. It describes general requirements and obligations for processing personal data, as well as the internal organisation, responsibilities and authorities. The policy is supported by specific routines that specify the requirements in this policy.

1.3 OBJECTIVES

It is important that SB1Ø processes personal data in a proper and secure manner in order to earn the trust of customers and employees, and at the same time be able to create new business opportunities. The objective of the privacy work is, through a systematic and risk-based approach:

to respect the data subjects' privacy and family life, their home and their correspondence, as well as their other human rights

to comply with the Norwegian Personal Data Act and the EU's General Data Protection Regulation (GDPR), other privacy legislation and recognised guidelines

to ensure that business operations in SB1Ø are in control of the processing of personal data at all times

to ensure SB1Ø's reputation is protected through the correct processing of personal data

2. PRINCIPLES FOR PROCESSING PERSONAL DATA

SB1Ø's processing of personal data must comply with fundamental principles for processing personal data. SB1Ø must demonstrate and document that it is complying with the requirements of privacy legislation.

Personal data shall: