Customer information on our handling of personal data and your rights in accordance with the General Data Protection Regulation EU 2016/679 (GDPR) and privacy and data protection-related European and national legislations and regulations.
The careful processing and the protection of your Personal Data is very important to us. This privacy statement defines how European Depositary Bank S.A., along with its branches, European Depositary Bank Dublin Branch and European Depositary Bank Malta Branch, and its subsidiary, EDB Custodial Services Limited (together “EDB”, the “Bank” or “we”) collects and processes Personal Data relating to individuals establishing a relationship with the Bank (the “Customers”, “you” or “your”).
The capitalized terms which are not specifically defined in this privacy statement must have the definition attributed to them in the GDPR.
- Contact person and person responsible for the processing of your Personal Data
The Data Protection Officer
European Depositary Bank SA
3, Rue Gabriel Lippmann, L-5365 Luxembourg
Telephone: (+352) 42 45 45-1
- Bank’s undertaking to protect Customer’s Personal Data
The Bank is committed to safeguarding and protecting the customer’s Personal Data and maintaining appropriate security to protect any Personal Data provided to it from improper or accidental disclosure, use, access, loss, modification or damage. The Bank will take all steps reasonably necessary to ensure that the customer’s Personal Data is treated securely and in accordance with applicable law and regulations and the Bank’s internal policies and standards.
- Types of personal information we collect
EDB processes Personal Data directly received from you as part of our relationship. If necessary, public or other sources can also be used for gathering Personal Data (see paragraph 6). Compliance with GDPR is the responsibility of the respective source.
Examples of categories of Personal Data we process are:
- Personal identification data, such as name, date of birth, contact details, e-mail address, country of residence, nationality, tax and social identification number, identity card, passport, driving license;
- Electronic identification data;
- Banking and financial data, e.g. information about creditworthiness, including billing address, bank account numbers, financial situation (including bank account balance), ability to bear loss, investment objectives or preferences, instruction records, transaction details, counterparty details, and specimen signatures;
- Professional data, such as employment, educational background, training or qualification information;
- Visual and audio material and records, pictures; and
- Information required by the Bank to meet legal and regulatory requirements in respect of anti-money laundering and the fight against terrorist financing legislation (“KYC/AML”), including personal details such as gender, date of birth, passport number(s), other government issued number(s), nationality, images of passports and driving licences, signatures, occupation, source of funds and source of wealth and criminal records.
- How we get the personal information and why we have it
We process your Personal Data for specific purposes and based on the legitimate basis under Art. 6, para. 1 GDPR.
Based on your consent (Art. 6, para. 1a GDPR)
Provided that you give your explicit consent for the Bank’s processing of your Personal Data under Art. 6, para. 1a, this forms a lawful basis until you withdraw this consent with future effect, which you always have the right to do.
Fulfilment of contractual or pre-contractual obligations (Art. 6, para. 1b GDPR)
Your Personal Data may be processed to fulfil contractual (including contract obligations as referred to in the Bank’s General Terms and Conditions) or pre-contractual obligations necessary to provide joint business agreement, execute contract services, satisfy service requests from the Customer or perform operations in accordance with the Customer instructions, including without being limited to: services and operations relating to account administration, handling of orders, processing of transfers, payments and deposits, collection of bank cheques, loans and mortgages, investments and any other similar transactions and banking services, management of payment instruments, management of investments, subscription to investment vehicles, brokerage, estate planning, management of insurances, communication with the customer, evaluation of the Customer’s financial needs, monitoring of the Customer’s financial situation including assessment of his creditworthiness and solvency and generally for conducting a business relationship with the Customer.
The purposes of the data processing are described in detail in the service agreements and/or contract documentation concluded between you and the Bank as well as related documents, where additional information can be obtained.
Based on legal or regulatory requirements (Art. 6, para. 1c GDPR)
Another basis for many of our processing activities are various legal and regulatory requirements that we need to comply with. Institutions such as the European Central Bank, the European Banking Authority and the Luxembourg supervisory authority – the Commission de Surveillance du Secteur Financier (CSSF) specify these obligations.
- using the Personal Data to adopt the requirements of the Market for Financial Instruments Directive (MiFID II);
- for payment services (PSD);
- for Know-Your-Customer (KYC) purposes;
- using tax data including tax identification data, to prevent money laundering and terrorist financing (AML/CFT);
- using Personal Data in reference to the client profile and the creditworthiness of clients as well as the experience and knowledge in the securities business;
- for compliance with requests from local or foreign regulatory enforcement authorities (such as the Luxembourg Tax Authority (Administration des contributions directes) or the US Internal Revenue Service (IRS)) as well as for identification and reporting requirements such as the Common Reporting Standard (CRS), the Foreign Account Tax and Compliance Act (FATCA), the Qualified Intermediary Agreement (QI), and the Automatic Exchange of Information (AEI).
Based on a legitimate interest assessment (Art. 6, para. 1f GDPR)
Furthermore, your Personal Data can be processed on the basis of legitimate interest after the completion of a detailed balance of interests.
- For client research and management, and to improve the quality of services; provided you have not objected to the use of your Personal Data;
- Risk management;
- Assertion of legal claims and legal defence in the case of legal disputes;
- To ensure IT security, protect and monitor use of IT systems;
- Global overview of Customers and evaluation of Customers’ needs;
- Prevention and investigation of crimes;
- Measures for business management and further development of services and products; and
- Risk management within the Bank.
If the processing purpose permits, your Personal Data will be processed anonymously or pseudonymised.
- How we store your personal information
The Bank only stores Personal Data for a period which shall not exceed that necessary to achieve the purposes for which the Personal Data were collected.
The Bank must store all Personal Data for the entire duration of the contractual relationship with the Customer and the legal limitation periods during which the Bank or the Customer requires this information in order to exercise or defend a legal claim.
All Personal Data relevant for the fulfilment of applicable legal obligations shall be stored as long as required by law. The Bank may also store Personal Data to allow the establishment, exercise or defence of actual or potential legal claims in court or out-of-court proceedings, and/or to answer regulatory requests and audits.
The Luxembourg Code civil and Code de commerce provide for legal limitation periods with a duration between three and thirty years which will also be taken into consideration in determining the data retention period.
- Sources of Personal Data
The Bank may indirectly obtain Personal Data related to its Customers from the following sources:
- Bank’s services providers;
- Databases made publicly available by third parties;
- Public authorities, administrations, governmental agencies, public registers;
- Internet sources;
- Intermediaries, agents;
- Bank’s group of companies (Apex Group Ltd referred to as “Apex”), which includes affiliates and subsidiaries that are part of the Apex network of companies.
The Bank only communicates Personal Data collected to the relevant categories of internal and/or external recipients to fulfill the related purposes, including the following, without being limited to:
- The Bank’s responsible internal departments or employee(s) in charge;
- Bank’s Apex affiliates and subsidiaries;
- Apex’s and the Bank’s IT and other technologies service providers including without being limited to: identity management, website hosting and management, data analysis and back-up, security and storage services;
- Governmental, judicial, supervisory bodies and authorities;
- Public or authorized third parties, such as legal counsels, notaries, advisors, auditors;
- The Bank’s sub-contractors and specialised external service providers.
- Profiling and automated decision-making
Pursuant to Art. 22 GDPR, the Bank may use profiling as part of the business relationship. Profiling may be necessary to comply with legal requirements, for example with regard to the prevention of money laundering, terrorist financing and fraud. We can also use scoring to determine your creditworthiness. Profiling can also be used to address specific and targeted needs or interests and provide you with the best possible service.
- Third party Personal Data processing
The Bank may, at its sole discretion and in compliance with banking secrecy, appoint third parties to carry out activities and processes related to banking transactions, financial services or any other services (hereafter referred to as “outsourcing”). This particularly applies to any parent or affiliate company or subsidiary. In this regard, Apex’s service providers are legally obliged to follow express instructions in respect of their use of your Personal Data and shall comply with appropriate security measures to protect that information.
It is possible that Personal Data must be transferred to third parties in the course of the outsourcing process in compliance with applicable legal requirements. This transfer is always based on a legitimate basis (see paragraph 4 and 10) and is in compliance with the provisions of the GDPR. In compliance with legal requirements, data is also being transferred to public authorities and audit firms.
The Bank seeks to reach data protection agreements or similar binding acts for its outsourcing, when necessary and applicable.
- Transfer of Personal Data to third countries
Your Personal Data may be transferred to third countries outside of the European Economic Area (“EEA”) to the extent possible and with due compliance with the GDPR and the applicable legislation and regulation, and only if this is required for the fulfilment of your orders or to satisfy a service contract with the Bank (where processors are engaged in third countries) or to satisfy a legal provision (e.g. tax reporting requirements). The Bank seeks to ensure an appropriate level of protection for transfer of Personal Data to recipients based outside of the EEA and only when one of the following requirements applies:
- The transfer is based on an adequacy decision of the European Commission;
- The transfer is subject to appropriate safeguards, such as, but not limited to, binding corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by a supervisory authority;
- The transfer is based on one or more of the derogations for specific situations, such as, but not limited to, your explicit consent, the performance of a contract between you and the bank, the establishment, exercise or defence of legal claims, or for important reasons of public interest;
- The transfer is based on a judgment of a court or tribunal or any decision of an administrative authority provided that it is agreed on an international mutual legal assistance treaty.
Customer is made aware that within the framework of payment transactions and the lending business, Personal Data may be processed both by the Bank, some of the units in its holding group and specialised external service providers which the Bank uses in executing payment orders such as Society for Worldwide Interbank Financial Telecommunication (SWIFT), Target, Single Euro Payments Area (SEPA). This processing will be carried out in local computer centers across Europe and in the United States of America (USA) in accordance with local laws and regulations. Therefore, foreign authorities may, in accordance with local legislation, obtain access to the Personal Data held in such local computer centers, e.g. for the purpose of fighting terrorism.
- Provision of Personal Data
Within the business relationship, each data subject is obliged to provide all Personal Data insofar as to enable the Bank to fulfill the purposes set out in paragraph 4 and particularly to comply with all legal and regulatory requirements. We particularly refer to the requirements of the amended law of 12 November 2004 on the fight against money laundering and terrorist financing (the “Money Laundering Act”), according to which the Bank is legally obliged to ensure the clear identification and legitimacy of its Customers.
Furthermore, all Personal Data necessary for the establishment, the execution or the termination of a business relationship must be provided. If such Personal Data is not provided by the Customer or if the Customer fails to provide due declarations or to answer questions directed to the Customer, the Bank must be compelled to reject the conclusion of a contract or the execution of an order and dissolve the contractual relationship.
In order to allow for the prompt handling of the Bank’s business, Customer’s Personal Data needs to be regularly updated. The Customer undertakes to communicate any changes in his Personal Data to the Bank without delay and to provide the Bank on request with all such information as the Bank shall need for the purposes of handling the business relationship in an efficient way and in conformity with the law. To the extent permitted by applicable law, and except in case of gross negligence or willful misconduct, the Bank shall not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete Personal Data or sensitive Personal Data provided to it.
The Bank may also process Personal Data related to natural persons other than the Customer. In such case, the Customer will inform such other persons whose Personal Data he disclosed to the Bank, as the case might be, about the fact that the Bank may process Personal Data and, where required, procure the necessary consent or the applicable legal basis to such processing of Personal Data as required by applicable law.
- Your rights as a data subject
Right to be informed, to access, to data portability, to restriction of processing, to rectification, to deletion of your Personal Data
As a data subject, you have the enhanced rights below under the GDPR – to the limits of their applicability – with regard to which you are welcome to contact the Bank informally at the contact details listed under paragraph 1:
- The right to request access and to obtain copies of your Personal Data processed by the Bank (Art. 15 GDPR);
- The right to request the rectification or correction of incomplete or incorrect Personal Data concerning you (Art. 16 GDPR);
- The right to require the deletion of your Personal Data (Art. 17 GDPR);
- The right to require the restriction or the limitation of the processing of your Personal Data (Art. 18 GDPR);
- The right to receive the Personal Data concerning you in a structured, commonly used and machine readable format and to have such Personal Data transmitted to another Controller (Art. 20 GDPR);
- The right not to be subject to a decision based solely on automated individual decision-making, including profiling (Art. 22 GDPR).
Individual right to object (Art. 21 GDPR)
In addition, you have a right to object to the processing of your Personal Data (Art. 21 GDPR) if this processing takes place on the basis of a balancing of interests of the Bank (Art. 6 para. 1f GDPR). A right to object also exists if data is processed according to profiling based on this provision (Art. 4 para. 4) or on the basis of public interest (Art. 6 para. 1e GDPR).
In the case of objection, the processing of your Personal Data will be discontinued unless the Bank has compelling reasons for the processing or there are compelling interests that outweigh your interests, rights and freedoms. A discontinuation of the processing is not mandatory if the processing is carried out with respect to the establishment, exercise or defence of legal claims.
Right to object against data processing for direct marketing purposes (Art. 21 GDPR)
Furthermore, the data subject may at any time object to the processing of Personal Data if it is used for direct marketing purposes.
Right to withdraw consent (Art. 7 GDPR)
The customer may at any time withdraw his consent to the processing of his Personal Data which is based on such consent and he has the right to object to the processing of such Personal Data upon legitimate grounds, save where otherwise provided by law. If the customer withdraws his consent, this will not affect the lawfulness of the processing of the Personal Data before the withdrawal. By exercising these rights, the processing may no longer involve the relevant Personal Data, and this may constitute an obstacle to the continuation of the business relationship between the Bank and the customer. In this event, the Bank would be entitled to terminate the business relationship, as provided for in the Bank’s General Terms and Conditions.
- How to complain
If you have any concerns about our use of your Personal Data, you can make a complaint to us at firstname.lastname@example.org (or using the contact details at the beginning of this notice).
You can also complain to the National Data Protection Commission (Commission Nationale pour la Protection des Données – CNPD) or your local data protection authority if you are unhappy with how we have used your Personal Data.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact:
Updated: September 2023