Privacy policy

Nordic Credit Rating AS (NCR) is committed to protecting your personal data and upholding your individual rights under data protection laws. While our business model is primarily business-to-business and does not rely on extensive personal data processing, data protection is a key aspect of our operations.

1. Data Controller Information
Nordic Credit Rating AS acts as a data controller in relation to the personal data we process. If you have any questions or concerns about how we handle your personal data, you may contact us using the details below:

  • Email: compliance@nordicreditrating.com
  • Phone: +46 70 205 34 53 (Andreas Kindahl; Compliance Officer; Sweden)
  • Mail: Nordic Credit Rating AS, Data Protection, Postboks 1519 Vika, 0117 Oslo, Norway

For more information about your data protection rights, you may also contact your local data protection authority.     

2. What Personal Data We Collect and Why
What types of personal data does NCR collect?
Nordic Credit Rating AS (NCR) is a business-to-business organisation. We collect limited personal data in connection with our contractual relationships and service delivery. The personal data we may collect includes:

  • Contact information: name, company address, email address, phone number, and postal address.
  • Professional or legal information: Ownership information or positions in legal entities, as derived from public sources or communications with you. 

We do not process sensitive personal data (such as health, biometric, or racial/ethnic data) and request that you do not provide such data to us.
Where do we obtain the data?
We collect personal data from the following sources:

  • Directly from individuals involved in the customer relationship (e.g., through email correspondence or contract negotiations).
  • From publicly available sources, such as:
    • Official business registers,
    • Tax authorities,
    • Company ownership databases,
    • Other regulatory bodies relevant to our credit rating activities.

We limit the use of third-party data to what is necessary for the delivery of our services and our legal or regulatory obligations.

Why do we collect and process personal data? 

We typically process personal data for the following purposes and legal bases:

  • Performance of a contract (GDPR Article 6(1)(b))
    • To set up, verify, and manage customer agreements.
    • To deliver our credit rating services.
    • To communicate with customer representatives during the relationship.
  • Compliance with legal obligations (GDPR Article 6(1)(c))
    • For bookkeeping, invoicing, and audit requirements.
    • For fulfilling obligations to tax authorities or regulatory bodies.
    • To comply with requirements under applicable credit rating agency regulations.
  • Legitimate interests (GDPR Article 6(1)(f))
    • To promote and market our services to existing or prospective clients. You may opt out of receiving marketing communications at any time. 

3. Automated decision-making
NCR does not engage in any form of automated decision-making, including profiling, as defined in Article 22 of GDPR. All decisions involving personal data are reviewed and made by human personnel.

4. Sharing Your Personal Data and Data Transfers
We may share your personal data with third parties where necessary to fulfil our contractual, legal, or regulatory obligations.

  • Public authorities and regulators, such as the European Securities and Markets Authority (ESMA), tax authorities, or law enforcement agencies, when required by law.
  • Service providers and data processors who support our operations, such as providers of IT systems, data hosting, maintenance, or other technical support services.

All such third parties are contractually bound to act in accordance with applicable data protection laws and to process personal data only on our documented instructions. They are also subject to confidentiality and security obligations.

Where personal data is transferred to service providers or partners located outside the European Economic Area (EEA), we ensure that such transfers are subject to appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, to ensure your data remains protected in accordance with GDPR requirements.

We do not share personal data with third parties for marketing or for any unrelated purposes.  

We remain responsible for any processing of personal data carried out on our behalf. 

5. How We Protect Your Personal Data
Safeguarding personal data is a core priority for NCR. We have implemented appropriate technical and organisational measures in line with Article 32 of the GDPR to ensure a level of security appropriate to the risk. Our internal control framework, IT systems, and business processes are designed to uphold the following key principles:

  • Confidentiality: We protect personal data against unauthorized access, loss, or misuse through access controls, encryption, and secure communications.
  • Integrity: We ensure the accuracy and completeness of personal data by applying validation checks and audit controls within our systems and workflows.
  • Availability: We maintain the availability of personal data through secure and resilient infrastructure, including backup and disaster recovery procedures.

All staff handling personal data receive training on data protection and information security, and our safeguards are reviewed periodically to address emerging risks and regulatory expectations.

6. Your privacy rights
Under GDPR, you have a range of rights relating to your personal data. These rights are designed to give you control over how your data is used. Please note that some rights may be subject to limitations where required by other legal or regulatory obligations.

Your rights include:

  • Right of access: You have the right to request information about whether we process your personal data, and to receive a copy of the data we hold about you (Article 15 in the GDPR).
  • Right to rectification: You may request correction of inaccurate or incomplete personal data (Article 16).
  • Right to erasure ("right to be forgotten"): In certain circumstances, you have the right to request that we delete your personal data (Article 17), such as when:
    • The data is no longer needed for the purpose it was collected or processed for.
    • You withdraw consent (where applicable).
    • You object to processing based on legitimate interests and no overriding grounds exist.
    • The data was processed unlawfully.
    • Deletion is required to comply with a legal obligation.
  • Right to restrict processing: You have the right to request that we limit how we use your personal data in certain cases (Article 18), for example, while we are verifying its accuracy or if processing is unlawful but you object to deletion.
  • Right to data portability: You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible (Article 20).   
  • Right to object: You have the right to object, on grounds relating to your situation, to the processing of your personal data where the legal basis is our legitimate interest (Article 6(1)(f) of the GDPR). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
  • Right to lodge a complaint: If you believe that your personal data has been processed in a manner that does not comply with applicable data protection laws, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or with the data protection authority in your country of residence or place of work. 

To exercise any of these rights, please contact us using the details provided in section 1 of this policy.

7. Cookies
Our website uses cookies only to ensure the proper functioning and performance of the site, such as remembering user preferences. We do not use cookies for marketing purposes.

Where legally required, you will be given the option to manage your cookie preferences when you visit our website. For more information about the specific cookies we use, please contact us directly.

8. How Long We Keep Your Personal Data 
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet contractual obligations, legal requirements, and regulatory expectations under the Credit Rating Agency Regulation and national laws. 

Once data is no longer needed for these purposes, it is securely deleted or anonymised in accordance with our data retention policy.

If you would like more information about specific retention periods, please contact us using the details in Section 1.

9. Personal Data Breaches
We take data security seriously and have implemented appropriate technical and organisational measures to protect personal data.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority in accordance with GDPR Article 33. Where required, we will also inform affected individuals without undue delay, typically via email, as per Article 34.

10. Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, regulatory requirements, or applicable law.

All updates will be published on our website. 
