Customer information on our handling of personal data and your rights in accordance with the General Data Protection Regulation (GDPR) EU 2016/679.
The careful processing and the protection of your personal data is very important to us.
1. Contact person and person responsible for the processing of your data
The Data Protection Officer
European Depositary Bank SA
3, Rue Gabriel Lippmann
Telefon : (+352) 42 45 45-1
2. Types of personal information we collect
European Depositary Bank SA (hereafter the “Bank” or “we“) processes data directly received from you as part of the business relationship. If necessary, public or other sources can also be used for gathering data. Compliance with the General Data Protection Regulation (GDPR) is the responsibility of the respective source.
Examples of categories of data we process are:
- Personal identification data, such as name, date of birth and contact details;
- Electronic identification data;
- Banking and financial data, e.g. information about creditworthiness, including billing address, bank account numbers, instruction records, transaction details, counterparty details, and specimen signatures;
- Professional data, such as employment, educational background, training or qualification information;
- Visual and audio material, such as CCTV-recordings; and
- Information required by the Bank to meet legal and regulatory requirements in respect of anti-money laundering legislation, including personal details such as gender, date of birth, passport number(s), other government issued number(s), nationality, images of passports and driving licences, signatures, occupation, source of funds and source of wealth and criminal records.
3. How we get the personal information and why we have it
We process your personal data for specific purposes and based on the legitimate basis under Art. 6, para. 1 GDPR.
Based on your consent (Art. 6, para. 1a GDPR)
Provided that you give your explicit consent for the Bank’s processing of your data under Art. 6, para. 1a, this forms a lawful basis until you withdraw this consent with future effect, which you always have the right to do.
Fulfilment of contractual or pre-contractual obligations (Art. 6, para. 1b GDPR)
As part of our joint business agreement, your data will be processed to provide services, such as granting of credits, transaction services and account management. The purposes of the data processing are described in detail in the contracts concluded between you and the Bank as well as related documents, where additional information can be obtained.
Based on legal or regulatory requirements (Art. 6, para. 1c GDPR)
Another basis for many of our processing activities are various legal and regulatory requirements that we need to comply with. Institutions such as the European Central Bank, the European Banking Authority and the Luxembourg supervisory authority – the Commission de Surveillance du Secteur Financier (CSSF) specify these obligations.
- using the data to adopt the requirements of the Market for Financial Instruments Directive (MiFID II);
- for payment services (PSD);
- for Know-Your-Customer (KYC) purposes;
- using tax data including tax identification data, to prevent money laundering and terrorist financing; and
- using data in reference to the client profile and the creditworthiness of clients as well as the experience and knowledge in the securities business.
Based on a legitimate interest assessment (Art. 6, para. 1f GDPR)
Furthermore, your data can be processed on the basis of legitimate interest after the completion of a detailed balance of interests.
- For client research and management, and to improve the quality of services; provided you have not objected to the use of your data;
- Assertion of legal claims and legal defence in the case of legal disputes;
- To ensure IT security, protect and monitor use of IT systems;
- Prevention and investigation of crimes;
- CCTV at the Bank’s premises;
- Measures for business management and further development of services and products; and
- Risk management within the Bank.
If the processing purpose permits, your data will be processed anonymously or pseudonymiseed.
4. How we store your personal information
The Bank must store all personal data for the entire duration of the contractual relationship with the customer and the legal limitation periods during which the Bank or the customer requires this information in order to exercise or defend a legal claim.
All data relevant for the fulfilment of applicable legal obligations shall be stored as long as required by law.
The Luxembourg Code civil and Code de commerce provide for legal limitation periods with a duration of between three and thirty years which will also be taken into consideration in determining the data retention period.
5. Profiling and automated decision-making
Pursuant to Art. 22 GDPR, the Bank may use profiling as part of the business relationship. Profiling may be necessary to comply with legal requirements, for example in regards to the prevention of money laundering, terrorist financing and fraud. We can also use scoring to determine your creditworthiness. Profiling can also be used to address specific and targeted needs or interests and provide you with the best possible service.
6. Third party data processing
The Bank may, at its sole discretion and in compliance with banking secrecy, appoint third parties to carry out activities and processes related to banking transactions, financial services or any other banking services (hereafter referred to as “outsourcing”). This particularly applies to any parent or affiliate company or subsidiary.
It is possible that personal data must be transferred to third parties in the course of the outsourcing process in compliance with applicable legal requirements. This transfer is always based on a legitimate basis (see paragraph 3) and is in compliance with the provisions of the GDPR. In compliance with legal requirements, data is also being transferred to public authorities and audit firms.
7. Transfer of data to third countries
Your data may be transferred to third countries if this is required for the fulfilment of your orders or to satisfy a service contract with the Bank (where processors are engaged in third countries) or to satisfy a legal provision (e.g. tax reporting requirements).
8. Provision of data
Within the business relationship, each data subject is obliged to provide all personal data insofar as to enable the Bank to comply with all legal and regulatory requirements. We particularly refer to the requirements of the Money Laundering Act, according to which the Bank is legally obliged to ensure the clear identification and legitimacy of its customers.
Furthermore, all data necessary for the establishment, the execution or the termination of a business relationship must be provided. If this data is not provided by the customer, the Bank must normally reject the conclusion of a contract or the execution of an order and dissolve the contractual relationship.
9. Your rights as a data subject
Right to be informed, to access, to data portability, to restriction of processing, to rectification, to deletion of your data (Art.15-20 GDPR)
As a data subject, you have enhanced rights under the GDPR in regards to which you are welcome to contact the Bank informally at the contact details listed under point 1.
Individual right to object (Art. 21 GDPR)
In addition, you have a right to object to the use of your personal data (Art. 21 GDPR) if this takes place on the basis of a balancing of interests of the Bank (Art. 6 para. 1f GDPR). A right to object also exists if data is processed according to profiling based on this provision (Art. 4 para. 4) or on the basis of public interest (Art. 6 para. 1e GDPR).
In the case of objection, the processing of your data will be discontinued unless the Bank has compelling reasons for the processing or there are compelling interests that outweigh your interests, rights and freedoms. A discontinuation of the processing is not mandatory if the processing is carried out with respect to the establishment, exercise or defence of legal claims.
Right to object against data processing for direct marketing purposes (Art. 21 GDPR)
Furthermore, the data subject may at any time object to the processing of personal data if it is used for direct marketing purposes.
10. How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us at firstname.lastname@example.org (or using the contact details at the beginning of this notice).
You can also to complain to the National Data Protection Commission (Commission Nationale pour la Protection des Données – CNPD) or your local data protection authority if you are unhappy with how we have used your data.
11. Changes to this privacy notice
We reserve the right to update this privacy notice at any time. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact email@example.com.
(Updated: May 2021)