Data protection notice for clients based on the EU General Data Protection Act and the Austrian Data Protection Act

Dear Client

In the following data protection notice, we would like to inform you about the processing of your personal data and what rights you have in relation to such processing under the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (Datenschutzgesetz, DSG). The services and products we are to provide to you or which you have agreed to be provided with essentially determine which data will be processed and how such data will be used. Due to banking secrecy, the bank is obligated to maintain secrecy and protect your privacy; for this reason, it takes a number of technical and organisational measures to ensure data protection for any processing of personal data.

In the context of our business relationship, we need to process personal data which are required for setting up and conducting the business relationship, as well as for complying with the related statutory or contractual obligations and for providing services or executing orders. Without such data, we will generally be unable to commence or maintain a business relationship, handle an order or offer services and products. If you have questions regarding any individual data processing operation, or wish to exercise your rights as described below under Clause 5, please contact the responsible entity:

Controller:

Liechtensteinische Landesbank (Österreich) AG, Hessgasse 1, 1010 Vienna, Austria, Telephone: +43 1 536 16-0

Contact details of the data protection officer:

Liechtensteinische Landesbank (Österreich) AG, Data Protection Officer, Hessgasse 1, 1010 Vienna, Austria, Telephone: +43 1 536 16-0, E-mail: datenschutz@llb.at

1. Which categories of data are processed and what are the sources?

We collect and process personal data we obtain in the context of our business relationship with our clients. Personal data may be processed during any stage of the business relationship, and may differ depending on the group of persons concerned. As a rule, we will process personal data that you make available to us by way of contracts or forms submitted to us, your correspondence and other documents, as well as in connection with using our app. If required for providing our service, we will also process personal data accruing or being transmitted because of your use of our products or services, or personal data we have lawfully obtained from third parties (e.g. from a credit reference agency), from public bodies (e.g. UN and EU sanction lists) or from other companies within LLB Group. Finally, personal data from publicly accessible sources (e.g. records of debtors, land registers, company register and register of associations, the press, the Internet) may also be processed.

Apart from client data, we may, if necessary, also process personal data of third parties involved in the business relationship; for instance, data of authorised agents, representatives, card holders, co-obligors under a loan, guarantors, legal successors or beneficial owners in a business relationship. We would ask you to inform any such third parties of this data protection notice as well. By personal data we understand in particular, but not exclusively, the following categories of data:

Master data

  • Personal particulars (e.g. name, date of birth, nationality)
  • Address and contact details (e.g. physical address, telephone number, e-mail address)
  • Identification data (e.g. passport or ID data) and authentication data (e.g. specimen signature)
  • Data from publicly accessible sources (e.g. tax identification numbers)

Further basic data

  • Information on services and products used (e.g. investment experience and investment profile, consultation records, turnover data in the context of payment transactions)
  • Information on household composition and relationships (e.g. information on spouses or partners and further family details, authorised signatories, legal representatives)
  • Information on financial characteristics and the financial situation (e.g. portfolio number and account number, creditworthiness data, origin of assets)
  • Information on professional and personal background (e.g. professional activity, hobbies, wishes, preferences)
  • Technical data and information regarding electronic communications with the bank (e.g. logging of access operations or changes)
  • Video and audio files (e.g. video recordings or recordings of telephone conversations)
  • Information from your electronic communications with the bank (app, cookies, etc.)

2. What are the purposes of and the legal basis for the processing of your data?

We process personal data in accordance with the provisions of the GDPR and the DSG for the purposes set forth below and based on the following legal grounds:

  • To perform a contract or to take steps prior to entering into a contract in the context of providing or brokering banking transactions and financial services, and to handle orders. The purposes of data processing depend mainly on the specific service or the specific product (e.g. account, loan, securities, deposits, brokering); inter alia, they may comprise demand analyses, provision of advice, asset management and asset support, as well as carrying out transactions.
  • To meet legal obligations or to act in the public interest, including without limitation, compliance with statutory and regulatory requirements (e.g. compliance with the GDPR, the DSG, the Banking Act (Bankwesengesetz), due diligence and anti-money laundering provisions, market abuse provisions, tax laws and treaties, controlling and reporting obligations, risk management).
  • To safeguard our own legitimate interests or those of third parties for specified purposes, including without limitation: assessing creditworthiness; creating and realising collateral; pursuing claims; product development; marketing and advertising; business auditing and risk control; reporting; statistics and planning; prevention and clarification of criminal acts; video surveillance to protect the right to determine who shall be allowed or denied access, and to avert danger; recordings of telephone conversations.
  • Based on the consent you gave us for providing and brokering banking transactions and financial services or by placing orders with us; for instance, disclosure of data to group companies, service providers or contract partners of the bank. You have the right to withdraw your consent at any time. This also applies to the withdrawal of consent given to the bank before the GDPR came into effect, i.e. before 25 May 2018. The withdrawal of consent will have future effect only and will not affect the lawfulness of any processing performed before such withdrawal.

We reserve the right to process personal data collected for one of the foregoing purposes also for any other of these purposes, provided this is compatible with the original purpose or permitted or required by legal provisions (e.g. reporting obligations).

3. Who will have access to personal data and for how long will they be stored?

Bodies both within and outside of the bank may obtain access to your data. Within the bank, only such bodies or employees may process your data as require such data for fulfilling our contractual, statutory and regulatory obligations and to safeguard legitimate interests. In compliance with the bank client confidentiality and data secrecy and / or within the scope of intragroup outsourcing (service level agreements), also other group companies, service providers or vicarious agents may obtain access to personal data for these purposes. Such processors may be enterprises providing banking services, distribution agreements, IT services, logistics, printing services, collection services, advice and consulting, as well as sales and marketing services. In this context, further recipients of your data may include other credit and financial services institutions or comparable institutions to which we transmit personal data in conducting our business relationship (e.g. correspondent banks, custodian banks, brokers, stock exchanges, credit agencies).

If a statutory or regulatory obligation applies, your personal data may also be transferred to public bodies and institutions (e.g. supervisory authorities, fiscal authorities, etc.). Data will be transferred to countries outside the EU or EEA (so-called third countries) only if

  • this is required for taking steps prior to entering into a contract or for performing a contract, providing services or handling orders (e.g. execution of payment orders and securities transactions or issuing of a credit card),
  • you gave us your consent (e.g. to have client relationship management performed by a different group company of the bank),
  • the transfer is necessary for important reasons of public interest (e.g. in case of money laundering) or
  • the transfer is required by law (e.g. reporting obligations under tax law).

We will process and store the personal data throughout the term of the business relationship unless it is mandatory to delete certain data at an earlier date. Please bear in mind that our business relationships may be designed to last for many years. In addition, the data retention period is determined by the necessity and purpose of the respective processing. If the data are no longer needed for fulfilling contractual or statutory obligations or for safeguarding our legitimate interests (achievement of purpose) or if a given consent is withdrawn, they will be deleted at regular intervals, unless further processing is necessary due to the contractual or statutory retention periods and documentation requirements or for reasons of preserving evidence for the duration of the applicable statutes of limitation.

4. Is there any automated decision-making including profiling?

In principle, our decisions are not based solely on automated processing of personal data. In case we use these procedures in individual cases, we will inform you separately, in accordance with the statutory requirements. There are business segments where personal data are subjected, at least in part, to automated processing. This is done in order to assess certain personal aspects to the extent we are obligated to by statutory and regulatory requirements (e.g. to prevent money laundering); automated procedures are also used for analysing the demand for services and products, within the scope of granting loans for assessing your creditworthiness and whether you are able to financially bear the risk, as well as within the scope of risk management. The bank reserves the right to use automated procedures, in future, for analysing and assessing client data (including data of any third parties involved) in order to identify key personal characteristics of clients or to forecast developments and draw up client profiles. These serve, above all, for business auditing, for providing bespoke advice, making offers, and for furnishing information which the bank and its group companies may wish to share with clients. In the future, client profiles may also lead to individual decisions being made on an automated basis, for instance to automatically accept and carry out client orders placed via e-banking.

The bank will ensure that an appropriate contact person is available in case the client wants to make a statement regarding an individual automated decision and the possibility of such statement is provided for by law.

5. What data protection rights do you have?

Under the GDPR, you have the following data protection rights in relation to your personal data:

  • Right of access: You can require the bank to provide you with information on whether and to what extent personal data concerning you are being processed (e.g. categories of processed personal data, purpose of processing, etc.).
  • Right to rectification, erasure and restriction of processing: You have the right to obtain the rectification of inaccurate personal data concerning you. Moreover, your personal data have to be erased if these data are no longer needed for the purposes for which they have been collected or processed, if you have withdrawn your consent or if these data are being processed unlawfully. In addition, you have the right to obtain restriction of processing.
  • Right of withdrawal: You have the right to withdraw your consent to the processing of your personal data for one or more specific purposes if said processing has been based on your explicit consent. This also applies to the withdrawal of consent given before the GDPR came into effect, i.e. before 25 May 2018. Please note that the withdrawal will have future effect only. It does not affect any processing performed before the withdrawal. Neither will the withdrawal have any impact on any processing based on other legal grounds.
  • Right to data portability: You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used, machine-readable format, and to have these data transmitted to another controller.
  • Right to object: In individual cases, where processing is carried out in the public interest or to safeguard legitimate interests of the bank or a third party, you are entitled to object to the processing on grounds relating to your particular situation and without any need to meet form requirements. Moreover, you have the right to object, without any need to meet form requirements, to the use of personal data for advertising purposes. If you object to the processing of your personal data for direct marketing, we will stop processing your personal data for this purpose.
  • Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority. You may also turn to a supervisory authority in another EU or EEA member state; for instance, you can lodge your complaint with the supervisory authority competent for your place of residence or work or for the place where the presumed infringement occurred.

The contact details of the competent regulatory authority in Austria are as follows: Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Austria, Telephone: +43 1 52 152-0, E-mail: dsb@dsb.gv.at

Requests for information or objections should preferably be made in writing and sent to the data protection officer. The data protection officer is also the contact person for any other data protection matters you may wish to address.

As at: January 2020