Governance, management and control of operating companies in the Nordnet Group are divided between the shareholders at the Annual General Meeting, the Board and the CEO, in accordance with the Swedish Companies Act and the Articles of Association. Since 1 July 2007, Nordnet AB (publ) has been subject to the Swedish Corporate Governance Code, available at www.bolagsstyrning.se.
At the 2021 Annual General Meeting, accounting firm Deloitte AB was reappointed auditor for Nordnet AB (publ) and all subsidiaries until the 2022 Annual General Meeting. The job of the auditors is to review the annual accounts, consolidated accounts and accounting, and the management of the Board and CEO. The auditors will report back on their findings on a number of occasions over the year and will be present at the Board meeting to discuss the closing of the accounts. In addition, the auditors have continuous contact with the audit committee.
Authorised public accountant Patrick Honeth of Deloitte has been the Principal Auditor for Nordnet AB (publ) since the 2019 AGM.
The Nomination Committee shall consist of the Chairman of the Board and three members appointed by the three largest shareholders in Nordnet by votes as of 31 July. The person who represents the largest shareholder by votes is appointed the chairperson of the Nomination Committee unless otherwise determined by the Nomination Committee.
The Nomination Committee of Nordnet AB (publ) prior to the Annual General Meeting 2022 consists of the following representatives in addition to the Chairman of the Board, Tom Dinkelspiel:
- Johan Malm, appointed by E. Öhman J:or Intressenter Aktiebolag
- Björn Fröling, appointed by Premiefinans K. Bolin Aktiebolag
- Frank Larsson, appointed by Handelsbanken Fonder AB
To submit proposals to the Nomination Committee for the upcoming Annual General Meeting, please email email@example.com.
The English version of the articles of association is an in-house translation. In case of any discrepancy between the Swedish version and the English version, the Swedish version shall prevail.
The following principles for the composition and work of the nomination committee in Nordnet AB (publ), reg. no. 559073-6681, (the “Company”) shall be applicable until the General Meeting resolves otherwise.
1. THE COMPOSITION OF THE NOMINATION COMMITTEE
Before the Annual General Meeting, the chairman of the Board shall contact the three shareholders holding the highest percentage of voting rights in the Company as of 31 July and each shareholder will get the opportunity to appoint one representative who together with the chairman of the Board will constitute the nomination committee.
If any of the three shareholders holding the highest percentage of voting rights does not exercise its right to appoint a member, the right to appoint such a member is transferred to the shareholder holding the next highest percentage of voting rights who does not already have the right to appoint a member of the nomination committee.
The chairman of the Board shall convene the nomination committee to its first meeting. The chairman of the nomination committee shall be the member who represents the shareholder holding the highest percentage of voting rights, if not otherwise decided upon by the nomination committee.
The names of the members of the nomination committee shall be announced as soon as the nomination committee has been appointed but no later than six months before the next Annual General Meeting. The nomination committee is appointed for a mandate period commencing at the time its composition is announced until a new nomination committee has been appointed.
If there is a change in the ownership of the Company after 31 July but before the nomination committee’s complete proposals have been published, and if a shareholder, which after this change in ownership becomes one of the three shareholders holding the highest percentage of voting rights in the Company, presents a request to the chairman of the nomination committee regarding joining the nomination committee, this shareholder will after approval of the nomination committee have the right to appoint one additional member of the nomination committee.
If a member appointed by a shareholder leaves the nomination committee during its term or if such a member is unable to fulfil its assignment, the nomination committee shall request the shareholder who has appointed the member to within reasonable time appoint a new member. If the shareholder does not exercise its right to appoint a new member, the right to appoint such member passes to the shareholder holding the following highest percentage of voting rights, who has not already appointed or refrained from appointing a member of the nomination committee. Changes in composition of the nomination committee shall be made public immediately.
2. DUTIES OF THE NOMINATION COMMITTEE
The nomination committee shall perform its duties in accordance with this instruction and applicable rules. In its assignment it is included that the nomination committee shall present proposals regarding the matters below, to be put forward to the Annual General Meeting:
- proposal for number of directors and auditors and, where applicable, deputies of auditors,
- proposal for chairman of the General Meeting,
- proposal for directors of the Board,
- proposal for chairman of the Board,
- proposal for fees payable to the Board, divided between the chairman and the other directors, as well as fees payable for committee work,
- proposal for auditors and, where applicable, deputies of auditors,
- proposal for fees payable to the auditor and
- where considered necessary, proposed amendments to these instructions for the nomination committee.
At other General Meetings than the Annual General Meeting, the proposals of the nomination committee shall include the appointments that shall take place at the meeting.
The proposals of the nomination committee shall be addressed to the Company and sent to the chairman of the Board in due time before the notice to the Annual General Meeting is announced by the Company in order for the Company to comply with paragraph 4.1 in the Swedish Corporate Governance Code regarding appointment of Board of Directors.
The nomination committee shall meet when necessary in order to fulfil its duties, however, at least once a year. Notice to meetings shall be issued by the chairman of the nomination committee. If a member requests that the nomination committee shall convene, that request shall be complied with.
The nomination committee is competent to make decisions if at least two of its members are present. The decisions of the nomination committee are passed by a simple majority of votes cast by members present at the meeting. In the event of tied votes, the chairman has the casting vote.
No fee shall be paid to the members of the nomination committee. However, the Company is responsible for reasonable costs which are associated with the duties of the nomination committee.
5. ATTENDANCE OF THE NOMINATION COMMITTEE AT GENERAL MEETINGS
Representatives of the nomination committee should always attend the Annual General Meeting.
6. CHANGES OF THIS INSTRUCTION
The nomination committee shall continuously evaluate these instructions and its work and submit proposals of such changes of this instruction when considered appropriate.
Adopted at the Extraordinary General Meeting on 10 September 2020
Exposure to risk is a fundamental element of Nordnet’s operations. It is very important to ensure that exposure to risk takes place under controlled forms. Nordnet’s ambition is for its control environment to be permeated by the company’s ethical values and corporate culture. The ethical guidelines are adopted by the Board and communicated to all employees, as are other governance documents in the form of policies, guidelines and instructions with a view to limiting and controlling the company’s risks and risk exposure.
How risk management is conducted is described in the risk management framework. The framework consists of a number of steering documents that describe the strategies, processes, procedures, internal regulations, limits, controls and reporting procedures. The risk framework is integrated into the organization and covers all relevant risks.
The Board at Nordnet holds the overall responsibility for ensuring good internal control of Nordnet’s operations in accordance with the directives, laws and regulations applicable to its business. This responsibility involves ensuring that there are independent functions for the control and management of risks and for regulatory compliance, and that they report to the Board and the management on how the operations are conducted in this respect. Nordnet’s control functions are Risk Control, Compliance and Internal Audit. In assessing the effectiveness of the internal control within Nordnet, the Board primarily relies on the work carried out by the control functions.
Nordnet shall work with risks in accordance with the principles of the three lines of defence. The first line of defence consists of the operations in the line organization and covers all risk management activities carried out by line management and staff.
The second line of defence consists of the risk control and compliance functions. They are independent of the line operations; they monitor, control and report on Nordnet’s risks and regulatory compliance, and they shall also support and advise the first line of defence.
The third line of defence consists of the internal audit function, which carries out independent periodic audits of the governance structure and the system for internal control. Within Nordnet, the internal audit is performed by external consultants on direct assignment from the Board of Directors. Read more about the three lines of defence in the Annual Report of 2019, note 7.
The Internal Capital and Liquidity Assessment process (IKLU) is a continuous process that evaluates the capital and liquidity requirements in relation to Nordnet’s risk profile, plans and global factors. As part of the internal capital assessment, a comprehensive study and analysis of the risks in the operations is conducted. Nordnet works to involve the entire organization in risk analysis. All employees are responsible for identifying risks and increasing their knowledge about them. The IKLU process is part of the organization’s work with risk and requires the active participation of risk owners and the employees concerned.
The risks to which Nordnet is exposed are divided into the following categories:
- Credit risk including concentration risk
- Market risk
- Financing risk/Liquidity risk
- Operational risk
- Risks in the insurance operations
For a description of each one of the above mentioned risks, see the Annual Report of 2019, note 7.
For Nordnet, proper and secure information management is a key element in maintaining the trust of customers, authorities, owners and partners. Maintaining this trust and making use of the potential of digitalization requires structured information and IT security work that is integrated throughout our entire operations. We ensure this by:
- Involving management and the Board in structuring the security work
- Evaluating and improving Nordnet’s security controls on an ongoing basis
- Participating in collaboration activities both at the national level and in the Nordic region to strengthen security in society
- Maintaining a process for approving significant changes in the operations
- Monitoring our various IT systems around the clock, all year
- Providing security training for our staff
In order to further strengthen Nordnet’s information and data security, a number of improvement measures were implemented in 2019. For example, we structured the responsibility for systems and trained our systems owners, verified that our critical systems have an appropriate security level and examined our primary suppliers. In 2020, we will work to further improve our monitoring and security for our staff.
In accordance with the Board’s procedures and the procedures for the subsidiaries Nordnet Bank AB and Nordnet Pensionsförsäkring AB, and with the regulations of the Swedish Financial Supervisory Authority, the Board has appointed an independent review function/internal audit, which is directly subordinate to the Board. The internal auditor’s work is based on a Board-approved instruction. Internal audit shall review and periodically evaluate whether the company’s internal controls are appropriate and effective. As of 2018, the function is held by E&Y.
Nordnet places extensive focus on safeguarding our data processing. Based on the General Data Protection Regulation (“GDPR”), we continuously review how we handle personal data both in the operations and in the support functions. Among other things, this means that when developing new products or services we conduct an impact assessment regarding the handling of personal data, and that we have processes for building data protection into the development of new systems. Our processes also include reviews of suppliers from a security and data privacy perspective, where high standards are required of the suppliers in terms of contractual obligations, organizational routines and technical measures, followed by adequate controls.
Data subjects are provided with information on our data processing, including what personal data we collect, use and retain, what our purposes and legal bases are, and how long our processing will be ongoing. We also emphasize transparency about the data subject’s rights and how to enforce them. In addition, a full set of internal governance documents has been established within Nordnet; these are well maintained and updated in line with developments in the privacy area to ensure that personal data are handled correctly. Privacy is also a significant onboarding step for all new staff, followed by regular staff training.
Below is a summary of Nordnet’s internal governance and steering documents regarding data privacy. More information about how we handle personal data is available on www.nordnet.se, www.nordnet.dk, www.nordnet.no and www.nordnet.fi.
Personal data means any information regarding an identified or identifiable living natural person. An identifiable person is someone who can be identified, either directly or indirectly, through identifiers.
Information which in itself does not identify a person can still be personal data if, in combination with other information, it identifies a person, regardless of whether the data is actually held in its combined state.
Processing of personal data means any operation or set of operations which is performed on personal data, whether or not by automated means. This includes, but is not limited to, collection, recording, organization, structuring, storing, use, disclosure, analyzing, combining, or deletion.
Sensitive personal data
Sensitive personal data is explicitly regulated in Article 9 of the GDPR and is formally referred to as “special categories of personal data”: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a person’s sex life or sexual orientation. Sensitive data shall, as a general rule, not be processed unless absolutely necessary, and then only provided that a legal exemption from the prohibition applies and strict safeguards are implemented.
Integrity sensitive personal data
Certain categories of personal data are more sensitive than others even though they are not classified as “special categories” in the GDPR. These categories are commonly described as “integrity sensitive data” and refer to categories that, due to their sensitivity, should be subject to extra security measures. Such categories include, but are not limited to, social security numbers, criminal offences, financial information, information on an individual’s private sphere or social relations, information about minors, and descriptions/evaluations of personal attributes.
Profiling and automated decision-making
Profiling means any form of automated processing carried out on personal data with the objective of evaluating personal aspects about a natural person. Profiling involves a series of statistical deductions, creating either predictions about a person’s behavior or an analysis of personal aspects.
Automated decision-making means the ability to make decisions by technological means without human involvement. The GDPR provides a general prohibition on automated decision-making, including profiling, that has a legal or similarly significant effect. Nordnet may only conduct automated decision-making if a legal exemption applies and transparency requirements are met.
Nordnet commits to ensure that the following principles are being followed in every processing activity that Nordnet is responsible for. No processing of personal data shall occur unless these basic principles are met.
Lawfulness and fairness
Processing of personal data is only lawful and fair when based on a valid and approved legal basis. The eligibility of each legal basis depends on the purpose for which Nordnet needs to process personal data. Nordnet has established processes to ensure that no personal data may be processed before the purpose and its legal basis have been determined and subjected to legal assessment. Nordnet also has a separate process for assessing legitimate interest as a legal basis, where the weighing of interests is documented to ensure fairness and proportionality. Processing activities that rely on consent as the legal basis are conditioned on an active and explicit consent from each data subject, given after relevant information on the processing and their rights has been provided.
Nordnet’s data flows are designed to ensure that data subjects have been informed about the data processing in a concise, transparent, intelligible and easily accessible form. Nordnet provides privacy notices on its external websites, which are available to the data subjects at all times, and any updates are communicated through established communication channels with the data subjects.
In the event of a data breach incident that is likely to result in a high risk for the data subjects, Nordnet will ensure that affected data subjects are duly notified about the incident in order to enable necessary precautions. Such communication shall be made without undue delay.
Processing of personal data is only allowed if the data is processed in a manner that is compatible with the purposes for which it was collected. The purpose must be specified and explicit. Nordnet keeps records of processing activities which strictly define each business function’s processing activities – any planned deviation must undergo new assessments and procedures.
Nordnet shall ensure that processing activities only use the personal data necessary in relation to the purposes for which the data is being processed. This means that in each and every set of processing, Nordnet shall make sure that no more personal data than what is absolutely necessary to fulfill the purpose of the specific processing are used. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility.
Nordnet shall take all reasonable steps to ensure that processing activities are performed on correct and relevant data. This means that Nordnet has implemented mechanisms for secure authentication and verification of the information we collect. Nordnet also undertakes, whenever possible and as often as deemed necessary and adequate, to follow up on and update personal information based on public registers (e.g. SPAR, or similar public registers in the respective country). Any inaccurate data shall be rectified or deleted without undue delay.
No personal data at Nordnet shall be kept in a form which permits direct or indirect identification of a data subject for longer than is absolutely necessary for the purpose(s) for which the personal data was initially collected and processed. This means that Nordnet has to remove personal data, either by deleting/destroying it or by anonymizing it, as soon as the purpose has ceased to exist. To ensure that personal data are not stored for longer than necessary, Nordnet has introduced specific deadlines and routines for deletion and anonymization.
Security and confidentiality
As a data controller, Nordnet continuously works to ensure that our products and services, as well as our internal processes, meet the requirements set by privacy regulations. Nordnet commits to always implement leading data protection standards and to continuously educate our employees regarding data privacy management. Our security is based on well-established standards for architecture and security that ensure continuous maintenance and improvement in step with the ongoing changes in the threat landscape. Audits, vulnerability scans and security tests are integral parts of Nordnet’s ongoing risk and security management.
Nordnet shall take all reasonable steps to ensure that all processing activities are carried out in a manner which ensures appropriate security of the personal data. Such consideration includes, but is not limited to, the nature, scope, context and purposes of the processing, the likelihood and severity of the risks posed by the processing activities, the cost of implementation, and the current state of the art. Examples of security measures are pseudonymization, encryption of personal data and effective access controls. Internal confidentiality, such as between departments and staff groups, is regulated by internal policies and access controls.
Nordnet has adopted rigorous processes for every planned processing activity, including impact and risk assessments to ensure that all risks of security and confidentiality breaches are handled properly. In the event of a data breach incident, e.g. unlawful disclosure or unintentional loss of personal data, Nordnet has an established procedure for detection, investigation, assessment, mitigation and reporting.
Personal data can in rare cases be transferred to and processed in countries outside the EU/EEA area (so-called third countries). Such transfers only take place on the condition that there is an adequate level of protection or that appropriate measures have been taken, e.g. standard contractual clauses approved by the EU Commission together with supplementary safeguards whenever required to ensure a level of protection substantially equivalent to that guaranteed by the GDPR. Nordnet conducts transfer impact assessments for data transfers to third countries that are not covered by an EU Commission adequacy decision in order to evaluate whether such a level will be met.
In accordance with Article 5(2) of the GDPR, Nordnet is responsible for and shall be able to demonstrate compliance with what has been stated under this section.
The CEO is ultimately responsible for Nordnet’s compliance and for ensuring that Nordnet has the expertise and resources necessary in order to fulfill the objectives and processes stated in this overview. To ensure this, there are internal rules to provide more detailed guidance on professional conduct that are reviewed on a regular basis.
To make sure that Nordnet handles personal data in a compliant manner, all employees must comply with all applicable laws and regulations as well as Nordnet’s internal standards and routines. Every single employee within Nordnet therefore contributes to ensuring that Nordnet’s processing of personal data is appropriate and compliant, and is provided with appropriate training, tools and resources for this purpose. The legal, security and risk departments are, severally or jointly, involved in privacy-related processes and provide support and guidance to all departments.
Nordnet is responsible for handling any data breach incident that occurs in Nordnet’s own operations and throughout the chain of data processors. If the incident is deemed likely to result in a risk for the data subjects, a report will be submitted to the supervisory authority without undue delay and within 72 hours after becoming aware of the incident.
Data Protection Officer (DPO)
Nordnet has appointed a DPO with extensive knowledge of data privacy regulations. The DPO shall perform controls and verifications of Nordnet’s compliance with the applicable rules in the privacy area. The DPO shall provide recommendations, e.g. regarding privacy impact assessments. The DPO also functions as a contact point, not only for the data subjects but also towards the supervisory authority, e.g. in case of a data breach incident or a prior consultation on a planned processing activity.
The DPO reports to the highest level of management, and Nordnet has structured the organization in a way that enables and secures the DPO’s independence in relation to the management, so that data protection can remain the DPO’s sole objective.
As a part of Nordnet’s operations, information may be shared with third parties (including through the use of third-party tools and services), e.g. entities within the Nordnet corporate group, external suppliers, sub-suppliers, trusted partners and administrative authorities. In this respect, Nordnet never shares more information than is strictly necessary for the relevant processing purpose about which information has been provided to the data subjects. Nordnet takes appropriate and relevant contractual, technical and organizational measures to ensure that suppliers, both inside and outside the EU/EEA, handle personal data in a secure and correct manner in compliance with applicable privacy regulations and Nordnet’s privacy and security policies.
Facilitation of data subject rights
Nordnet’s privacy notices provide information to data subjects about their rights under the GDPR, how to enforce them, and all relevant contact details in case they have questions, concerns or complaints regarding Nordnet’s data processing. The remedies available to data subjects include both digital (e.g. functions available in the logged-in state) and offline (paper forms available on the websites) alternatives, provided that accurate identification and security standards are not compromised.
Nordnet has established guidelines and routines for the handling of data subject rights, with designated departments for every step, in order to ensure that these requests are correctly managed. The data subject rights are subject to conditions and exemptions under the GDPR, so in a situation where a data subject’s request is partially or entirely denied, Nordnet must provide the data subject with an accurate explanation with relevant references.