Norges Bank Investment Management is the asset management unit of Norges Bank, the Central Bank of Norway. Norges Bank is the controller for all processing of personal data in Norges Bank, including in Norges Bank Investment Management. As controller, Norges Bank is responsible for ensuring that the processing of personal data complies with applicable data protection laws, including the EU General Data Protection Regulation (the “GDPR”).

How and why we process personal data

Job applicants

We collect, use and store personal data about individuals who apply for work with us.

We use a job application system provided by an external service provider to facilitate the recruitment process. Applicants will receive more information about the personal data we collect, how we use, share and retain this data when applying for a role or otherwise entering into a recruitment process with us. Our recruitment privacy statement is available on our recruitment portal.

From potential participants to recruitment events we collect information such as names, contact details, CVs and application letters. This information is used to assess suitability for participation and will be deleted after the recruitment event. The legal basis for this processing is that it is necessary for our legitimate interests of planning and running the recruitment events.

Employees, other staff and dependents

We collect and process personal data relating to our employees and other staff for human resources and personnel management purposes. Employees and other staff with access to our intranet may visit the employee privacy statement on our intranet for further information.

We also process personal data relating to our employees’ dependants and emergency contacts, including their names, contact information and date of birth. We collect this information directly from our employees upon commencement of and during their employment. We use this information to handle emergency situations, manage expatriate or relocation arrangements, and to manage insurance and pensions schemes. The information may therefore be shared with authorised third parties where required for the purposes stated above.

The legal basis for processing this information is that it is necessary for our legitimate interests (or those of a third party) to manage our international assignment, relocation, insurance and pensions schemes and to perform a contract with the individuals.

Suppliers, service providers and other business relations

We collect and process personal data relating to individuals associated with our suppliers, service providers and other business relations. Such information may include names, employer/entity name, business contact details, CVs, communications etc. We use this information as necessary to consider bids and tenders, to conclude and execute agreements with suppliers, service providers and other business relations and to communicate with, support and manage our relationship with such parties. Any personal data that is required for these purposes will be archived in accordance with the Norwegian Archiving Act.

In addition, we carry out screening and integrity due diligence checks (“IDD”) of existing and potential third parties providing services and goods to our organisation, including counterparties, external fund managers, partners, advisory board members, and other business contacts (“third parties”).

Such screenings cover individuals associated with third parties, such as owners, shareholders, directors, senior management and key personnel. The personal data collected will depend on the type of third party and the risks involved, but will generally include name, business role, contact information, listings in sanctions or restricted lists, political exposure, as well as information relating to corruption, crime, regulatory fines and penalties.

We collect the personal data directly from the individuals or the third party, for example through questionnaires, from publicly available sources such as newspapers and official sanctions lists, and/or from external providers specialising in integrity due diligence checks.

The legal basis for this processing is our legitimate interest in ensuring proper selection and management of our business relations, that it is necessary for the performance of a contract (with individual contractors), to comply with a legal obligation and to establish, exercise or defend legal claims. We hold a licence from the Norwegian data protection authorities, Datatilsynet, to process personal data as part of our IDD process.

Board members of companies we currently invest in, companies that we may invest in and companies we have invested in, in the past.

We collect and process personal data relating to board members within companies we currently invest in, may invest in, or have invested in, in the past (the “Investee Companies”). Such information includes names, job titles, CV data, education background and age. We use this information to gain insight in to the Investee Companies.

We collect the personal data from external providers specialising in publicly available board and director data.

The legal basis for this processing is our legitimate interest to gain insight in to the boards of the Investee Companies in order to ensure compliance with our internal investment requirements.

Norges Bank's Academic Programme (NBAP)/Norwegian Finance Initiative (NFI)

We collect and process certain personal data for the purpose of considering applications for participation in specific NBAP and NFI programmes, and to manage the programmes.

The types of personal data we collect will depend on the specific programme but typically include information provided by the applicant, such as name, contact details, nationality, CV, academic transcripts and other supporting documentation. Where relevant, the personal data may be disclosed to evaluation committees.

From successful applicants we may require additional information, such as bank account details, in order to manage the participation in the programme.

The legal basis for the processing is that it is necessary to perform a contract or take the necessary steps at the request of an individual prior to entering into a contract. In some cases, the data is processed in order to comply with our legal obligations (e.g. accounting legislation) or based on our legitimate interest in managing the programmes.

Relevant application data will be archived in accordance with the Norwegian Archiving Act.

Subscription to news, publication and other information

When subscribing to receive news, publications and other information from Norges Bank Investment Management, we collect the subscribers’ email address and subscription details in order to notify of any updates. The processing is based on the subscribers’ consent, which may be withdrawn at any time by unsubscribing to the service.

When contacting or visiting us

When you contact us in other circumstances, we may collect name, email address and other information that you provide in order to respond to the enquiry.

For anyone who visits our offices, we register name and company in order to notify of the arrival and for physical security purposes. The legal basis for this processing is Norges Bank’s legitimate interest. Norges Banks’ security measures also include video surveillance of certain parts of our premises as well as recording of calls made to our switchboard. Video surveillance and recording of phone calls are authorised by the Norwegian Security Act and the Norges Bank Act.  

When visiting nbim.no website – Cookies

Cookies are files containing small amounts of information which are downloaded to the device you use when you visit a website. These files enable us to recognize your web browser and know from which country, region and city you are visiting our site, but does not give us any directly identifiable information about you, such as name, address etc.

Norges Bank Investment Management uses cookies to deliver and adapt the webpages for you, such as by collecting information about which browser you use and your internet speed.

Further, we use cookies to analyse the number of unique visitors we have and whether our website has previously been visited by the same machine/browser. This information is used in order to develop and improve our website, such as by detecting which pages that generate most traffic and whether some of the pages are not working properly.

We use Piwik PRO as our website analytics software and consent management tool. In addition, we use HotJar to analyse user patterns and behaviour to create a user friendly website. The collected information may contain a visitor's IP address, operating system, browser ID, browsing activity and other information. See the list of cookies that can be set by Piwik PRO and HotJar. 

The purpose of data processing: analytics and conversion tracking based on consent. Legal basis: Art. 6 (1)(a) GDPR.

Piwik PRO and HotJar do not send the data about you to any other sub-processors or third parties and does not use it for its own purposes. For more information, read Piwik PRO's privacy policy and HotJar's privacy policy.

You can find a list of cookies that have been stored in the settings in your web browser and delete undesired cookies. Your web browser normally stores cookies in a specific folder on your hard disk as well, where you can examine the contents in more detail.

NB: Disabling cookies may prevent our website from working properly.

Below, we have prepared a list of the cookies that we use on our website, with a brief description of their purpose:

• Arrafinity – This cookie allows us to ensure that the user talks to the same server during the entire session.
• NET_SessionId - This session cookie is essential for the website to operate and is set upon your arrival to the site. This cookie is deleted when you close the browser.
• atuvc – This cookie enables visitors to share content with a range of networking and sharing platforms.
• atuvs – This cookie enables visitors to share content with a range of networking and sharing platforms.
• BC_BANDWIDTH – This cookie is used to detect bandwidth in order to deliver video on the page. 

Where we process personal data

Norges Bank Investment Management is a global organisation with its headquarter in Oslo, and offices in London, New York, Singapore, Shanghai and Tokyo. Personal data we collect may therefore be transferred to or be accessible in all our offices.

We have implemented a global personal data protection framework, which is based on the GDPR and applicable data privacy laws, to ensure the same level or protection of personal data regardless of where the data is processed. Our data protection framework has been approved by the Norwegian data protection authorities, Datatilsynet, as providing sufficient guarantees to personal data transferred to our offices outside the EU/EEA. A public version of this framework is available [here].

How we share personal data

Access to personal data is limited to Norges Bank Investment Management personnel who have appropriate authorisation and a clear business need for the information.

Norges Bank Investment Management will only share personal data on a strict need to know basis with authorised service providers and professional advisors, and as otherwise set out above and where this is necessary for compliance with legal obligations, such as to public authorities (including law enforcement and supervisory authorities).

We use external service providers to provide different types of services on our behalf, such as to operate our recruitment system and other IT systems, to host our website and to perform background and due diligence checks. We ensure the security of their processing by entering into Data Processing Agreements which set out requirements for security and use of the personal data.

Where we use third parties outside the European Economic Area to process personal data on our behalf, we ensure that appropriate safeguards are in place to protect the data, typically by entering into EU standard contractual clauses with the provider.

Security of Personal Data

We process personal data securely and maintain appropriate technical, physical and organisational measures to protect the data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.

Should a personal data breach occur that is likely to result in a high risk to the rights and freedoms of the individuals affected, we will communicate this without undue delay and take necessary action to mitigate those risks.

Retention and deletion of personal data

We will only retain personal data for as long as necessary to fulfil the purposes we collected it for and for the purposes of satisfying any legal, archiving, accounting or reporting requirements. We determine the retention period for the different types of personal data based on the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process our personal data, limitation periods for claims and applicable legal requirements.

Your rights

If we process your personal data, you are entitled to certain rights. Which rights you have will depend on the circumstances and applicable law, but they normally include:

• The right to be informed upon request of what personal data, if any, we process about you, and to receive a copy of that data
• The right to request to have incomplete or incorrect personal data rectified or deleted
• The right to request that some or all of the processing of your personal data is restricted or object to the processing of your personal data

If you need further information or wish to exercise your rights, or if you wish to make a complaint regarding our handling of your personal data, please contact us on privacy@nbim.no. You may also contact Norges Bank’s Data Protection Officer on personvern@norges-bank.no.

If you believe Norges Bank Investment Management is processing your personal data in a way that violates the GDPR or our global personal data protection framework, you may also lodge a complaint to the Norwegian Data Protection Authority (Datatilsynet) or another supervisory authority within the EU/EEA.