Transfer of your data to third countries
Version 2: updated October 1 2025
We are committed to ensuring the security of your personal data. For this reason, we prioritize that our main data hosting lies within the EEA, leveraging on data centres with robust security measures. To the extent we transfer your personal data to a business partner outside the EEA, we are committed to ensure that our transfer of your personal data is conducted in accordance with GDPR Chapter V.
We have suppliers in countries that appear on the European Commission's list of safe third countries (countries that have received an adequacy decision).
As part of our operations, we may in a few cases transfer your data to recipients who are located in an unsafe third country (not subject to an adequacy decision from the European Commission). In these cases, we generally apply Standard Contractual Clauses with appropriate supplementary measures implemented when necessary to ensure that the transfers are subject to appropriate safeguards under the GDPR.
Where relevant to the context of our engagements with you and processing of your personal data, your information is transferred to our IT partner Infosys in India for the provision of agreed services to Danske Bank. We have documented that we have no reason to believe that the relevant legislation will be interpreted or applied in practice in a way that would affect the transferred personal data or compromise the protection required under the GDPR.
Your personal data may also be transferred to an unsafe third country in support cases where an emergency makes it necessary for us to utilize support outside the EEA to obtain what is known as 'follow the sun support' from our vendors’ specialised employees located in various countries. Such transfers, i.e. remote view/screen sharing access, only occurs when absolutely necessary. Support requests and remote access typically do not include your personal data. However, if unresolved issues require vendor support involvement, Danske Bank employees may, in exceptional circumstances, determine that sharing a screen shot containing your personal data or engaging in video calls where vendors can view your personal data is necessary during the support process, although your personal data is not the main focus in the support procedure.
Safe Third Countries
When we transfer your personal data to parties in countries where the European Commission has decided that the country ensures an adequate level of protection, we rely on the applicable adequacy decision as the basis for the transfer.
You can find the list of safe third countries and the adequacy decisions on EU Commission’s website.
To the extent, we transfer your personal data to parties located in the United States, we rely on the EU-US Data Privacy Framework (DPF) to certified parties as the basis for the transfer.
You can find details regarding the EU-US Data Privacy Framework here.
Standard Contractual Clauses or Binding Corporate Rules
If we transfer your personal data to recipients who are located in a third country that is not subject to an adequacy decision from the European Commission, we rely on the European Commission’s standard contractual clauses (also known as SCCs) or our business partner’s binding corporate rules (also known as BCRs), together with implementation of adequate supplementary measures to ensure that your personal data receives an essentially equivalent level of protection to that guaranteed in the EEA.
You can find the SCCs here
and the and BCRs here.
Derogations under GDPR article 49
We may also on an ad hoc basis transfer your personal data to parties outside the EEA based on the specific scenarios set out in GDPR art. 49, for example if you wish to transfer money to a country outside the EEA and there is no applicable adequacy decision, nor any SCCs/BCRs in place.
Overview of third countries
Here you can see an overview of the third countries outside the EEA where we and our subcontractors process your personal data:
Safe third countries (countries that have received an adequacy decision): Argentina, Canada, Israel, Japan, New Zealand, Switzerland, United Kingdom and United States1.
Other third countries: Australia, Bahrain, Brazil, Canada (non-PIPEDA covered recipients), Chile, Colombia, Costa Rica, Egypt, Hong Kong, India, Indonesia, Japan (non-APPI covered recipients), Kenya, Malaysia, Mexico, Nigeria, Panama, Peru, Philippines, Serbia, Singapore, South Africa, South Korea, Taiwan, Thailand, Ukraine, United Arab Emirates, United States (non-DPF certified recipients) and Vietnam.
The list of countries mentioned above is not exhaustive due to the global service model provided by some of our vendors. We update the list on an ongoing basis every 3rd month. If you wish to see the current list of specific countries involved, please visit our IT vendors respective websites for further information:
You can read more about how we process your data in our Privacy Notice located at the bottom of the page.
1Canada (PIPEDA-covered recipients), Japan (APPI-covered recipients), and the USA (EU-U.S. Data Privacy Framework certified recipients) are considered adequate for data protection within their respective specified sectors. The adequacy decisions can be found on EU Commission’s website.
