Privacy Policy
REQ AS (hereinafter referred to as “REQ” or “we”) is fully committed to protecting your individual rights and keeping your personal data safe in accordance with the Data Protection Regulation (Regulation (EU) 2016/679).
REQ, represented by the Chief Executive Officer, is the data controller.
This privacy policy describes how we collect, disclose and otherwise process your personal data. It also outlines your privacy rights regarding access, correction and deletion of your personal information.
Changes in our services or regulatory changes may lead to changes to this privacy policy. The latest version will always be available at https://req.no/privacy-policy/.
- What is personal data?
Personal data is any information that can be related to an identifiable individual. This can include information such as name, national identity number and contact information.
- Purpose of processing personal data
At REQ, we ensure that there is a legal basis for processing your personal data. We collect and verify your information prior to entering into an agreement with you. Once an agreement is established, we use your personal data to document, administer and execute tasks necessary to deliver the agreed services, in compliance with the legal requirements applicable to investment firms in Norway.
In certain cases, we may process personal data based on a legitimate interest that outweighs your interest in the data protection. This includes processing your data for direct marketing purposes, sending invitations to meetings and other relevant events.
- Sources of information
We collect personal data from various sources to ensure compliance with legal requirements. Primarily, we gather information directly from you or your company through agreements and correspondence.
We may also collect personal data from other external sources, including publicly available records and other external databases. This is particularly relevant when performing mandatory due diligence checks to prevent money laundering. Such information may be retrieved from sanctions lists maintained by international organisations like the EU, as well as registers held by governmental agencies such as the Norwegian National Population Register (“Folkeregisteret”) and the Norwegian Tax Administration (“Skatteetaten”). We also use commercial information providers to obtain details about beneficial owners and politically exposed persons (“PEPs”).
- The Use of Personal Data
We process your personal data to comply with legal obligations and purposes described below.
- To verify your identity: For this purpose, we use contact information and identity information.
- For anti-money laundering and prevention of criminal activities: We will process personal data to prevent, detect, resolve, and handle fraud and other criminal activities and to fulfill the investigation and reporting obligations for suspicious transactions. For this purpose, we use identity information and anti-money laundering information (information about political exposure and sanctions from PEP and sanctions lists, as well as from other financial institutions and banks).
- To conduct suitability tests: For this purpose, we use identity information and financial information.
- To provide investment services: For this purpose, we use contact information and identity information, financial information, investment goals, and investment history.
- To manage your customer relationship: For this purpose, we use contact information, identity information, financial information, investment goals, and investment history.
- To document our investment services: For this purpose, we use communication.
- For accounting purposes: For this purpose, we use investment history.
- Sales and marketing: For this purpose, we use contact information and investment history.
- For internal control routines, troubleshooting, and maintenance of operational and security systems: For this purpose, we use contact information.
The legal basis for purpose 1, 2, 3, 4, 5, and 7 is that it is necessary to fulfill our agreement with you and to comply with our legal obligations under the Securities Trading Act, the Anti-Money Laundering Act, and the Accounting Act. The legal basis for purpose 6 is to comply with our obligations related to investment services under the Securities Trading Act.
The legal basis for purpose 8 is to offer you customised offers and information. We have a legitimate interest to send you marketing material about our services corresponding to the services the client relationship is based on if we have an existing client relationship with you. If we do not have an existing client relationship, the legal basis for the marketing will be your consent if you have given us this.
The legal basis for purpose 9 is a legitimate interest that outweighs the individual’s privacy. REQ’s interest in processing your personal data in such a context is justified by our legal obligation to fulfill the security requirements imposed by the General Data Protection Regulation (GDPR) and the ICT Regulations.
- Security measures
We are dedicated to keep your personal data safe and secure. Our security measures maintain appropriate technical, physical and organisational measures to protect the data against accidental or unlawful destruction or accidental loss, alternation, unauthorised disclosure or access.
We regularly assess the security of systems used for handling personal data and have agreements with our service providers to ensure adequate information security. Access to personal data is limited to personnel who need it to perform their job duties. Additionally, we have established internal IT guidelines and provide regular training to our employees on security and the use of IT systems.
- Retention period
Retention periods vary based on type of information and how it is used. We will keep your data for as long as they are needed for the purposes for which your data was collected and processed or required by laws and regulation.
|
Legal Basis |
Category of Personal Data |
Retention Period |
|
Securities Trading Act and related regulations |
Documentation and information required to be retained under the Securities Trading Act and regulations, including customer information. |
Minimum five years after termination of the client relationship. |
|
Anti-Money Laundering Act |
Retention of information related to customer due diligence and suspicious transactions. |
Minimum five years after termination of the client relationship or completion of the transaction. |
|
Accounting Act and related regulations |
Retention of accounting material. |
Up to 10 years. |
- Disclosure of Personal Data to external parties
We will only share your personal data on a strict need to know basis with authorised third parties, as required by statutory obligation and to fulfil the agreement with you. This may include public authorities, our service providers and business partners such as custodian, distributors, IT provider, legal counsel and accountants.
Our agreements with these service providers are strictly governed and include Data Processing Agreements that set out requirements for security and use of personal data.
- Transfer of personal data to other countries
In some cases, we may transfer personal data to countries outside the EU and EEA. We only transfer personal data to countries outside the EU and EEA that the European Commission considers providing an adequate level of protection or to subcontractors who have committed to protecting your personal data through the EU’s standard contractual clauses. Where necessary, we have implemented additional technical and organisational measures to achieve an adequate level of protection.
- Your Rights
You have the following rights in respect of the personal data processed about you:
- Access your personal data: You have the right to access the personal data processed by REQ. This includes a copy of the data and information about how we process your personal data.
- Rectification: You have the right to request that personal data be corrected if they are incomplete or incorrect.
- Erasure: You have the right to request REQ to delete personal data on you in certain situations. The right to erasure does not apply if REQ needs the data to fulfil the purpose for which the data was collected or because processing is necessary to fulfill a legal obligation or to establish, exercise, or defend a legal claim.
- Restricted processing: If you dispute the accuracy of the personal data REQ processes, you believe the processing is unlawful, or you believe the processing is no longer necessary to achieve the purpose of the processing, you have the right to request that the processing be restricted. The same applies if you have objections to the processing.
- Withdraw consent: If the processing of personal data is based on consent, you have the right to withdraw your consent at any time.
- Object to processing: You can object to the processing of personal data if the processing in based on REQ’s legitimate interest, including direct marketing and profiling in connection to such marketing.
- Data portability: You have the right to receive the personal data you have provided to REQ in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller, if the processing is based on consent or contract, and is carried out by automated means.
- Complain: If you believe that our processing of your personal data is in violation of GDPR, you have the right to file a complaint with the Norwegian Data Protection Authority (“Datatilsynet”). Contact information and procedures are available at datatilsynet.no.
- How We Use Cookies
We use cookies on our websites. These help us customise the content specifically to you. The use of cookies is further described in our Cookie Declaration.
- Contact Us
If you have any questions regarding this privacy policy or wish to exercise your right, you may contact us at post@req.no.
We will respond to your inquiry as soon as possible and are committed to providing you with feedback within 30 days.