Customer information on our handling of personal data and your rights in accordance with the General Data Protection Regulation (GDPR) EU 2016/679.
The careful processing and the protection of your personal data is very important to us. With the General Data Protection Regulation EU 2016/679 coming into force on 25 May 2018, we would like to inform you about our use of your data and your associated rights.
1. Contact person and person responsible for the processing of your data
European Depositary Bank SA
3, Rue Gabriel Lippmann, L-5365 Luxembourg
Telephone: (+352) 42 45 45-1
2. Data categories and sources of data
European Depositary Bank SA (hereafter the “Bank”, “we”) processes data directly received from you as part of the business relationship. If necessary, public or other sources can also be used for gathering data. Compliance with the General Data Protection Regulation (GDPR) is the responsibility of the respective source.
Examples of categories of data we process are:
- Personal identification data, such as name, date of birth and contact
- Electronic identification data,
- Banking and financial data, e.g. information about creditworthiness,
- Professional data, such as employment, educational background, training or qualification information,
- Visual and audio material, such as CCTV-recordings,
- Account opening.
3. Lawfulness and purpose of the processing
We process your personal data for specific purposes and on a legitimate basis under Art. 6, para. 1 GDPR.
Based on your consent (Art. 6, para. 1a GDPR)
Provided that you give your explicit consent for the Bank’s processing of your data under Art. 6, para. 1a, this forms a lawful basis until you withdraw this consent with future effect, which you always have the right to do.
Fulfilment of contractual or pre-contractual obligations (Art. 6, para. 1b GDPR)
As part of our joint business agreement, your data will be processed to provide services, such as granting of credits, transaction services and account management. The purposes of the data processing are described in detail in the contracts concluded between you and the Bank as well as related documents, where additional information can be obtained.
Based on legal or regulatory requirements (Art. 6, para. 1c GDPR)
Another basis for many of our processing activities is the various legal and regulatory requirements that we need to comply with. Institutions such as the European Central Bank, the European Banking Authority and the Luxembourg supervisory authority Commission de Surveillance du Secteur Financier (CSSF) specify these obligations.
The processing involved includes, for example, data needed to meet the requirements of the Market for Financial Instruments Directive (MiFID II), payment services (PSD), Know-Your-Customer (KYC), tax data including tax identification data, data to prevent money laundering and terrorist financing, and data relating to the client profile, creditworthiness, and experience and knowledge in the securities business.
Based on a legitimate interest assessment (Art. 6, para. 1f GDPR)
Furthermore, your data can be processed on the basis of legitimate interest after the completion of a detailed balance of interests.
If the processing purpose permits, your data will be processed in anonymized or pseudonymized form.
4. Profiling and automated decision-making
Pursuant to Art. 22 GDPR, the Bank may use profiling as part of the business relationship. Profiling may be necessary to comply with legal requirements, for example with regard to the prevention of money laundering, terrorist financing and fraud. We can also use scoring to determine your creditworthiness. Profiling can also be used to address specific and targeted needs or interests and provide you with the best possible service.
5. Third party data processing
The Bank may, at its sole discretion and in compliance with banking secrecy, appoint third parties to carry out activities and processes related to banking transactions, financial services or any other banking services (hereafter referred to as “outsourcing”). This particularly applies to any parent or affiliate company or subsidiary.
It is possible that personal data must be transferred to third parties in the course of the outsourcing process in compliance with applicable legal requirements. This transfer is always based on a legitimate basis (see paragraph 3) and is in compliance with the provisions of the GDPR. In compliance with legal requirements, data is also being transferred to public authorities and audit firms.
6. Transfer of data to third countries
Your data may be transferred to third countries if this is required for the fulfilment of your orders or a legal provision. This may be due to legal requirements (e.g. tax reporting requirements), the fulfilment of your orders or the cooperation with service providers in third countries.
7. Provision of data
Within the business relationship, each data subject is obliged to provide all personal data insofar as the Bank must be able to comply with all legal and regulatory requirements. We particularly refer to the requirements of the Money Laundering Act, according to which the Bank is legally obliged to ensure the clear identification and legitimacy of its customers.
Furthermore, all data necessary for the establishment, the execution or the termination of this business relationship must be provided. If this data is not provided by the customer, the Bank must normally reject the conclusion of a contract or the execution of an order and dissolve the contractual relationship.
8. Storage of personal data
The Bank must store all personal data for the entire duration of the contractual relationship with the customer and the legal limitation periods during which the Bank or the customer requires this information in order to exercise or defend a legal claim.
All data relevant for the fulfilment of the applicable legal obligations under company law, accounting requirements or tax obligations shall be stored as long as required by law.
The Luxembourg Code civil and Code de commerce provide for legal limitation periods with a duration between three and thirty years which will also be taken into consideration in determining the data retention period.
9. Your rights as a data subject
Right to be informed, to access, to data portability, to restriction of processing, to rectification, to deletion of your data (Art. 15-20 GDPR)
As a data subject, you have enhanced rights under the GDPR, with regard to which you are welcome to contact the Bank informally at the contact details listed under point 1.
Individual right to object (Art. 21 GDPR)
In addition, you have a right to object to the use of your personal data (Art. 21 GDPR) if this takes place on the basis of a balancing of interests of the Bank (Art. 6 para. 1f GDPR). A right to object also exists if data is processed according to profiling based on this provision (Art. 4 para. 4) or on the basis of public interest (Art. 6 para. 1e GDPR).
In case of objection, the processing of your data must be discontinued unless the Bank has compelling reasons for the processing or compelling interests that outweigh your interests, rights and freedoms. A discontinuation of the processing is not mandatory if the processing is carried out with respect to the establishment, exercise or defence of legal claims.
Right to object against data processing for direct marketing purposes (Art. 21 GDPR)
Furthermore, the data subject may at any time object to the processing of personal data if these are used for direct marketing purposes.
Right to complain (Art. 77 GDPR)
You have the right, at any time, to lodge a complaint regarding the processing of your data with a data protection authority, such as the CNPD in Luxembourg.
Version: March 2019