Data protection notice based on the DIFC Data Protection Law
Applicable to all individuals in contact with the Liechtensteinische Landesbank AG (DIFC Branch) (the «Bank»), such as existing and future clients, suppliers, visitors.
The following data protection notice provides an overview of how personal data held at our Bank may be processed and your rights in relation to this information under the data protection law in the Dubai International Financial Centre («DIFC» which is Law No 5 of 2020 («DPL»). The specific data that will be processed and how data will be used will essentially depend on the services and products that will be provided and / or have been agreed in each case. The Bank is required under bank-client confidentiality rules and under the DPL to protect your privacy and keep your information confidential and will therefore implement a range of technical and organisational measures intended to ensure data security for all processing of personal data.
In the course of our business relationship, we will need to process personal data that are required for the purpose of setting up and conducting the business relationship, meeting applicable statutory or contractual requirements, providing services and executing orders. Without such data we would normally be unable to enter into or to maintain a business relationship, process orders, or offer services and products.
If you have any questions regarding specific data processing activities or wish to exercise your rights, as described under section 5 below, please contact the controller:
Liechtensteinische Landesbank AG (DIFC Branch), Unit C501, Level 5, Burj Daman, DIFC, P.O.Box 507136, Dubai – UAE, Telephone: +971 4 3835000
Contact details of the Data Protection Manager:
Liechtensteinische Landesbank AG (DIFC Branch), Unit C501,
Level 5, Burj Daman, DIFC, P.O.Box 507136, Dubai – UAE,
Telephone: +971 4 3835001
1. Which categories of data will be processed and what are the sources of this information?
We collect and process personal data that we obtain in the course of our business relationship with our clients. Per-sonal data may be processed at any stage of the business relationship and the type of data will vary depending on the group of persons involved. As a general rule, we will process personal data that you provide in the course of submitting agreements, forms, correspondence or other documents to us. We will also process any personal data that may be required for the purpose of providing services, which are generated or transmitted as a result of using products or services, or that we have lawfully obtained from third parties (e.g. credit reference agencies) or public au-thorities (e.g. UNO and EU sanctions lists) or by other companies within the Liechtensteinsiche Landesbank Group. Finally, we may process personal data from publicly available sources (e.g. debtor records, land registers, commercial registers and registers of associations, the press, the Internet).In addition to client data, we may, where appropriate, also process personal data of other third parties involved in the business relationship, including data pertaining to authorized agents, representatives, cardholders, parties jointly and severally liable for credit facilities, guarantors, legal successors or beneficial owners under a business relationship.
If you are dealing with us on behalf of any such third parties, please ensure that such third parties are also aware of this data protection notice.
The personal data we process concerns the following categories of data in particular:
Master data
- Personal details (e.g. name, date of birth, nationality)
- Address and contact details (e.g. physical address, telephone number, e-mail address)
- Identification information (e.g. passport or ID details) and authentication information (e.g. specimen signature)
- Data from publicly available sources (e.g. tax numbers)
Further basic data
- Information on services and products used (e.g. investment experience and investment profile, consultancy minutes, sales data in payment transactions)
- Information about household composition and relationships (e.g. information about spouse or partner and other family details, authorised signatories, statutory representatives)
- Information about the financial characteristics and financial circumstances (e.g. portfolio and account number, credit history information, origin of the assets)
- Information about the professional and personal background (e.g. professional activity, hobbies, wishes, preferences)
- Technical data and information about electronic transactions with the Bank (e.g. access logs or changes)
- Image and sound files (e.g. video recordings, such as obtained via CCTV if you visit our premises, or recordings of telephone calls)
2. For what purposes and on what legal basis will your data be processed?
We process personal data in accordance with the provisions of the DPL and any other applicable privacy legislation for the following purposes and on the following legal basis:
- For the performance of a contract or to take steps prior to entering into a contract in connection with supplying and acting as intermediary in relation to banking and financial services and for the purpose of executing orders. The purposes for which data are processed will depend pri-marily on the specific service or specific product involved (e.g. accounts, loans, securities, deposits, brokerage) and may include, for example, needs analysis, advisory services, wealth and asset management and carrying out transactions.
- For compliance with a legal obligation or in the public interest, including compliance with statutory and regulato-ry requirements (e.g. compliance with the DPL, compli-ance with Dubai Financial Services Authority rules, the Liechtenstein Banking Act if applicable, due diligence and anti-money laundering rules, regulations designed to pre-vent market abuse, tax legislation and tax treaties, monitoring and reporting obligations, and for the purpose of managing risks).
- For the purposes of the legitimate interests pursued by us or by a third party that have been specifically defined, including determining credit ratings, setting up and realizing collateral, pursuing claims, developing products, marketing and advertising, performing business checks and risk management, reporting, statistics and planning, prevent-ing and investigating criminal offences, video surveillance to ensure compliance with house rules and prevent threats, recordings of telephone calls. We may use your personal data for direct marketing purposes but you can tell us not to do this and we stop doing so.
- In reliance on consent given by you for the purpose of supplying and acting as intermediary in relation to bank-ing and financial services or for the purpose of executing orders, including, for example, transferring data to Group companies, service providers or contracting partners of the Bank. You have the right to withdraw your consent at any time. Consent may only be withdrawn with effect for the future and does not affect the lawfulness of data processing undertaken before consent was withdrawn.
We reserve the right to engage in the further processing of personal data, which we have collected for any of the foregoing purposes, for purposes that are consistent with the original purpose or which are permitted or prescribed by law (e.g. reporting obligations).
3. Who will have access to personal data and how long will the data be held?
Parties within and outside the Bank may obtain access to your data. Departments and employees within the Bank may only process your data to the extent required for the purposes described in section 2 above. Other Group com-panies, third party service providers or agents may also have access to personal data for such purposes, subject to compliance with bank-client and data confidentiality requirements.
The categories of processors may include companies supplying banking services, companies operating under distribution agreements and companies supplying IT, logistics, printing, debt collection, advisory, consultancy, distribution and marketing services. In this context, recipients of your data may also include other credit and financial services institutions or similar organisations to which we transfer personal data for the purposes of conducting the business relationship (e.g. correspondent banks, custodian banks, brokers, stock exchanges, information centres).
Public bodies and organisations (e.g. supervisory authori-ties, tax authorities) may also receive your personal data where there is a statutory or regulatory obligation for us to provide it or if we are compelled by the exercise of legal au-thority over us.
Data will only be transferred to territories outside the DIFC (socalled third countries) if
- this is required for the purpose of taking steps prior to entering into a contract, performing a contract, supplying services or executing orders (e.g. executing payment orders and securities transactions or issuing credit cards);
- you have given us your consent (e.g. for client support provided by another Group company of the Bank);
- this is necessary for important reasons of public interest (e.g. anti-money laundering compliance); or
- this is prescribed by law (e.g. tax disclosure obligations) or we are required by a competent authority.
We will only transfer your personal data to a third country if:
- the territory is considered adequate by the DIFC Commissioner of Data Protection; or
- we have ensured that adequate safeguards have been implemented in accordance with the DPL; or
- one of the other grounds under the DPL on which the transfer can be made exists
We process and store your personal data throughout the continuation of the business relationship, unless there is a strict obligation to erase specific data at an earlier date. It is important to note that our business relationships may subsist for many years. In addition, the length of time that data will be stored will depend on whether processing continues to be necessary and the purpose of processing. Data will be erased at regular intervals, if the information is no longer required for the purpose of fulfilling contractual or statutory duties or pursuing our legitimate interests, i.e. the objectives have been achieved, or if consent is withdrawn, unless further processing is necessary by reason of contractual or statutory retention periods or documentation requirements, or in the interests of preserving evidence throughout any applicable statutory limitation periods.
4. Will there be automated decision-making including profiling?
We do not normally make decisions based solely on the au-tomated processing of personal data. We will inform you separately in accordance with the statutory regulations of any intention to use this method in particular circumstances where such decisions may have a legal consequence or meaningful impact on you.
Certain business areas involve the automated processing of personal data at least to a certain extent, where the objective is to evaluate certain personal aspects in line with statutory and regulatory requirements (e.g. money laun-dering prevention), carry out needs analysis in relation to products and services, assess loan affordability and credit standing, or for the purpose of managing risks.
The Bank reserves the right, in future, to analyse and evaluate client data (including the data of any third parties in-volved) by automated means for the purpose of identifying key personal characteristics in relation to clients, predicting developments and creating client profiles. Such data will be used, in particular, to perform business checks, provide customised advice, offer products and services and provide any information that the Bank and its Group com-panies may wish to share with clients. Client profiling may also result in automated individual decision-making in future, for example to enable automated acceptance and ex-ecution of client orders in e-banking.
The Bank will provide a suitable point of contact for clients who have concerns about an automated individual decision, insofar as the law stipulates that such an opportunity to raise concerns must be provided.
5. What data protection rights do you have?
You have the following data protection rights pursuant to the DPL in respect of personal data relating to you:
- Right of access: you may obtain information from the Bank about whether and to what extent personal data concerning you are being processed (e.g. categories of personal data being processed, purpose of processing) and you may obtain a copy of such data.
- Right to rectification, erasure and restriction of processing: You have the right to obtain the rectification of inaccurate or incomplete personal data concerning you. In addition, you may require us to erase your personal data if the data are no longer necessary in relation to the purposes for which they were collected or processed, if you have withdrawn your consent, or if the data have been unlawfully processed. You also have the right to obtain restriction of processing in certain circumstances.
- Right to withdraw consent: You have the right to withdraw your consent to the processing of personal data concerning you for one or more specific purposes at any time, where the processing is based on your consent. Please note that consent may only be withdrawn with effect for the future and does not affect any data processing undertaken prior to withdrawing consent. Moreover, the withdrawal of consent has no effect in relation to data processing undertaken on other legal grounds.
- Right to data portability: you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machinereadable format, and to transmit those data to another controller, if we are processing such data for the performance of a contract with you or in accordance with your consent and in each case if we are conducting such processing by automated means.
- Right to object: You have the right to object, on grounds relating to your particular situation, without any formal requirements, to the processing of personal data concern-ing you, if such processing is in the public interest or in pursuit of the legitimate interests of the Bank or a third party. You also have the right to object, without any formal requirements, to the use of personal data for marketing purposes. If you object to the processing of your personal data for direct marketing purposes, we will discontinue processing your personal data for this purpose.
- Right to lodge a complaint: You have the right to lodge a complaint with the DIFC Commissioner of Data Protection, which is the supervisory authority responsible for data protection in the DIFC.