Privacy Statement

Customer information on our handling of personal data and your rights in accordance with the General Data Protection Regulation (GDPR) EU 2016/679. 

The careful processing and the protection of your personal data is very important to us. With the General Data  Protection Regulation EU 2016/679 coming into force  on 25 May 2018, we would like to inform you about our  use of your data and your associated rights. 

1.       Contact person and person responsible for the processing of your data

European Depositary Bank SA
3, Rue Gabriel Lippmann, L-5365 Luxembourg
Telefon : (+352) 42 45 45-1
Email: dataprotectionofficer@eudepobank.eu

2.       Data categories and sources of data

European Depositary Bank SA (hereafter the “Bank”, “we“) processes  data directly received from you as part of the business relationship. If necessary, public or other sources can also be used for gathering data. Compliance with the General Data Protection Regulation (GDPR) is the responsibility of the respective source.

Examples of categories of data we process are:

• Personal identification data, such as name, date of birth and contact
• details,
• Electronic identification data,
• Banking and financial data, e.g. information about creditworthiness,
• Professional data, such as employment, educational background, training or qualification information,
• Visual and audio material, such as CCTV-recordings,
• Account opening.

3.       Lawfulness and purpose of the processing

We process your personal data for specific purposes and based on the legitimate basis under Art. 6, para. 1 GDPR..

Based on your consent (Art. 6, para. 1a GDPR) 

Provided that you give your explicit consent for the Bank’s processing of your data under Art. 6, para. 1a, this forms a lawful basis until you  withdraw this consent with future effect, which you always have the right  to do.

Fulfilment of contractual or pre-contractual obligations (Art. 6, para.  1b GDPR) 

As part of our joint business agreement, your data will be processed to  provide services, such as granting of credits, transaction services and  account management. The purposes of the data processing are described in detail in the contracts concluded between you and the Bank as well as  related documents, where additional information can be obtained.

Based on legal or regulatory requirements (Art. 6, para. 1c GDPR) 

Another basis for many of our processing activities are various legal and regulatory requirements that we need to comply with. Institutions such as the European Central Bank, the European Banking

Authority and the Luxembourg supervisory authority Commission de Surveillance du  Secteur Financier (CSSF) specify these obligations.

The processing involved includes for example data to adopt the requirements of the Market for Financial Instruments Directive (MiFID II), payment services (PSD), Know-Your-Customer (KYC), tax data including  tax identification data, data to prevent money laundering and terrorist  financing, data in reference to the client profile, the creditworthiness as well as the experience and knowledge in the securities business.

Based on a legitimate interest assessment (Art. 6, para. 1f GDPR) 

Furthermore, your data can be processed on the basis of legitimate  interest after the completion of a detailed balance of interests.

If the processing purpose permits, your data will be processed anonymously or pseudonymzed.

4.       Profiling and automated decision-making

Pursuant to Art. 22 GDPR, the Bank may use profiling as part of the  business relationship. Profiling may be necessary to comply with legal  requirements, for example in regards to the prevention of money  laundering, terrorist financing and fraud. We can also use scoring to  determine your creditworthiness. Profiling can also be used to address  specific and targeted needs or interests and provide you with the best  possible service.

5.       Third party data processing

The Bank may, at its sole discretion and in compliance with banking  secrecy, appoint third parties to carry out activities and processes  related  to banking transactions, financial services or any other banking services (hereafter referred to as “outsourcing”). This particularly applies to any parent or affiliate company or subsidiary.

It is possible that personal data must be transferred to third parties in  the course of the outsourcing process in compliance with applicable  legal requirements. This transfer is always based on a legitimate basis  (see paragraph 3) and is in compliance with the provisions of the GDPR.  In compliance with legal requirements, data is also being transferred to public authorities and audit firms.

6.       Transfer of data to third countries

Your data may be transferred to third countries if this is required for the fulfilment of your orders or a legal provision. This may be due to legal  requirements (e.g. tax reporting requirements), the fulfilment of your orders or the cooperation with service providers in third countries.

7.       Provision of data

Within the business relationship, each data subject is obliged to provide  all personal data insofar as the Bank must be able to comply with all legal  and regulatory requirements. We particularly refer to the requirements  of the Money Laundering Act, according to which the Bank is legally  obliged to ensure the clear identification and legitimacy of its customers.

Furthermore, all data necessary for the establishment, the execution or the termination of this business relationship must be provided. If this  data is not provided by the customer, the Bank must normally reject the conclusion of a contract or the execution of an order and dissolve the  contractual relationship.

8.       Storage of personal data

The Bank must store all personal data for the entire duration of the contractual relationship with the customer and the legal limitation  periods during which the Bank or the customer requires this information  in order to exercise or defend a legal claim.

All data relevant for the fulfilment of the applicable legal obligations  under company law, accounting requirements or tax obligations shall be stored as long as required by law.

The Luxembourg Code civil and Code de commerce provide for legal limitation periods with a duration between three and thirty years which  will also be taken into consideration in determining the data retention period.

9.       Your rights as a data subject

Right to be informed, to access, to data portability, to restriction of  processing, to rectification, to deletion of your data (Art.15-20 GDPR) 

As a data subject, you have enhanced rights under the GDPR in regards  to which you are welcome to contact the Bank informally at the contact  details listed under point 1.

Individual right to object (Art. 21 GDPR) 

In addition, you have a right to object to the use of your personal data (Art. 21 GDPR) if this takes place on the basis of a balancing of interests  of the Bank (Art. 6 para. 1f GDPR). A right to object also exists if data is processed according to profiling based on this provision (Art. 4 para. 4) or  on the basis of public interest (Art. 6 para. 1e GDPR).

In case of objection, the processing of your data just be discontinued unless the Bank has compelling reasons for the processing or compelling interests that outweigh your interests, rights and freedoms.  A discontinuation of the processing is not mandatory if the processing  is carried out with respect to the establishment, exercise or defence of legal claims.

Right to object against data processing for direct marketing purposes  (Art. 21 GDPR) 

Furthermore, the data subject may at any time object to the processing  of personal data if these are used for direct marketing purposes.

Right to complain (Art. 77 GDPR) 

You have the right, at any time, to lodge a complaint regarding the  processing of your data with a data protection authority, such as the CNPD in Luxembourg.

Version: March 2019