Data protection notice based on the DIFC Data Protection Law

Applicable to all individuals in contact with the Liechtensteinische Landesbank AG (DIFC Branch) (the «Bank»), such as existing and future clients, suppliers, visitors.

The following data protection notice provides an overview of how personal data held at our Bank may be processed and your rights in relation to this information under the data protection law in the Dubai International Financial Centre («DIFC» which is Law No 5 of 2020 («DPL»). The specific data that will be processed and how data will be used will essentially depend on the services and products that will be provided and / or have been agreed in each case. The Bank is required under bank-client confidentiality rules and under the DPL to protect your privacy and keep your information confidential and will therefore implement a range of  technical  and  organisational  measures intended to ensure data security for all processing of personal data.

In the course of our business relationship, we will need to process personal data that are required for the purpose of setting up and conducting the business relationship, meeting applicable statutory or contractual requirements, providing services and executing orders. Without  such  data  we would normally be unable to enter into or to maintain a business relationship, process orders, or offer services and products.

If you have any questions regarding specific data processing activities  or wish to exercise your rights, as described under section 5 below, please contact the controller:

Liechtensteinische Landesbank AG (DIFC Branch), Unit C501, Level  5,  Burj  Daman,  DIFC,  P.O.Box  507136,  Dubai  –  UAE,  Telephone: +971 4 3835000

Contact details of the Data Protection Manager:

Liechtensteinische Landesbank AG (DIFC Branch), Unit C501,
Level 5, Burj Daman, DIFC, P.O.Box 507136, Dubai – UAE, 
Telephone: +971 4 3835001

1. Which categories of data will be processed and what are the sources of this information?

We collect and process personal data that we obtain in the course  of  our  business  relationship  with  our  clients.  Per-sonal  data  may  be  processed  at  any  stage  of  the  business  relationship  and  the  type  of  data  will  vary  depending  on  the  group  of  persons  involved.  As  a  general  rule,  we  will  process  personal  data  that  you  provide  in  the  course  of  submitting  agreements,  forms,  correspondence  or  other  documents  to  us.  We  will  also  process  any  personal  data  that may be required for the purpose of providing services, which  are  generated  or  transmitted  as  a  result  of  using  products or services, or that we have lawfully obtained from third  parties  (e.g.  credit  reference  agencies)  or  public  au-thorities (e.g. UNO and EU sanctions lists) or by other companies  within  the  Liechtensteinsiche  Landesbank  Group.  Finally, we may process personal data from publicly available sources (e.g. debtor records, land registers, commercial reg-isters and registers of associations, the press, the Internet).In addition to client data, we may, where appropriate, also process personal data of other third parties involved in the business relationship, including data pertaining to authorized agents, representatives, cardholders, parties jointly and severally  liable  for  credit  facilities,  guarantors,  legal  successors or beneficial owners under a business relationship.

If  you  are  dealing  with  us  on  behalf  of  any  such  third  parties, please ensure that such third parties are also aware of this data protection notice.

The personal data we process concerns the following categories of data in particular:

Master data

  • Personal details (e.g. name, date of birth, nationality)
  • Address and contact details (e.g. physical address, telephone number, e-mail address)
  • Identification information (e.g. passport or ID details) and authentication information (e.g. specimen signature)
  • Data from publicly available sources (e.g. tax numbers)

Further basic data

  • Information on services and products used (e.g. invest-ment experience and investment profile, consultancy minutes, sales data in payment transactions)
  • Information about household composition and relationships (e.g. information about spouse or partner and other family details, authorised signatories, statutory representatives)
  • Information about the financial characteristics and financial circumstances (e.g. portfolio and account number, credit history information, origin of the assets)
  • Information about the professional and personal background (e.g. professional activity, hobbies, wishes, preferences)
  • Technical data and information about electronic transac-tions with the Bank (e.g. access logs or changes)
  • Image and sound files (e.g. video recordings, such as obtained via CCTV if you visit our premises, or recordings of telephone calls)

2. For what purposes and on what legal basis will your data be processed?

We process personal data in accordance with the provisions of  the  DPL  and  any  other  applicable  privacy  legislation  for  the following purposes and on the following legal basis:

  • For the performance of a contract or to take steps prior to entering into a contract in connection with supplying and acting as intermediary in relation to banking and finan-cial services and for the purpose of executing orders. The purposes  for  which  data  are  processed  will  depend  pri-marily on the specific service or specific product involved (e.g. accounts, loans, securities, deposits, brokerage) and may include, for example, needs analysis, advisory services,   wealth   and   asset   management   and   carrying   out   transactions.
  • For compliance with a legal obligation or in the public in-terest, including compliance with statutory and regulato-ry  requirements  (e.g.  compliance  with  the  DPL,  compli-ance  with  Dubai  Financial  Services  Authority  rules,  the  Liechtenstein Banking Act if applicable, due diligence and anti-money laundering rules, regulations designed to pre-vent market abuse, tax legislation and tax treaties, moni-toring  and  reporting  obligations,  and  for  the  purpose  of  managing risks).
  • For the purposes of the legitimate interests pursued by us or by a third party that have been specifically defined, in-cluding determining credit ratings, setting up and realizing collateral, pursuing claims, developing products, marketing and advertising, performing business checks and risk management, reporting, statistics and planning, prevent-ing and investigating criminal offences, video surveillance to ensure compliance with house rules and prevent threats, recordings  of  telephone  calls.  We  may  use  your  personal  data for direct marketing purposes but you can tell us not to do this and we stop doing so.
  • In reliance on consent given by you for the purpose of supplying and acting as intermediary in relation to bank-ing and financial services or for the purpose of executing orders, including, for example, transferring data to Group companies,  service  providers  or  contracting  partners  of  the Bank. You have the right to withdraw your consent at any time. Consent may only be withdrawn with effect for the future and does not affect the lawfulness of data processing undertaken before consent was withdrawn.

We reserve the right to engage in the further processing of personal data, which we have collected for any of the foregoing  purposes,  for  purposes  that  are  consistent  with  the  original  purpose  or  which  are  permitted  or  prescribed  by  law (e.g. reporting obligations).

3. Who will have access to personal data and how long will the data be held?

Parties  within  and  outside  the  Bank  may  obtain  access  to  your  data.  Departments  and  employees  within  the  Bank  may  only  process  your  data  to  the  extent  required  for  the  purposes  described  in  section  2  above.  Other  Group  com-panies,  third  party  service  providers  or  agents  may  also  have access to personal data for such purposes, subject to compliance with bank-client and data confidentiality requirements.

The  categories  of  processors  may  include  companies  sup-plying banking services, companies operating under distri-bution  agreements  and  companies  supplying  IT,  logistics,  printing,  debt  collection,  advisory,  consultancy,  distribu-tion  and  marketing  services.  In  this  context,  recipients  of  your data may also include other credit and financial ser-vices  institutions  or  similar  organisations  to  which  we  transfer  personal  data  for  the  purposes  of  conducting  the  business relationship (e.g. correspondent banks, custodian banks, brokers, stock exchanges, information centres).

Public  bodies  and  organisations  (e.g.  supervisory  authori-ties,  tax  authorities)  may  also  receive  your  personal  data  where there is a statutory or regulatory obligation for us to provide it or if we are compelled by the exercise of legal au-thority over us.

Data will only be transferred to territories outside the DIFC (socalled third countries) if

  • this is required for the purpose of taking steps prior to entering  into  a  contract,  performing  a  contract,  supplying  services  or  executing  orders  (e.g.  executing  payment  orders and securities transactions or issuing credit cards);
  • you have given us your consent (e.g. for client support provided by another Group company of the Bank);
  • this is necessary for important reasons of public interest (e.g. anti-money laundering compliance); or
  • this is prescribed by law (e.g. tax disclosure obligations) or we are required by a competent authority.

We will only transfer your personal data to a third country if:

  • the territory is considered adequate by the DIFC Commissioner of Data Protection; or
  • we have ensured that adequate safeguards have been implemented in accordance with the DPL; or
  • one of the other grounds under the DPL on which the transfer can be made exists

We  process  and  store  your  personal  data  throughout  the  continuation of the business relationship, unless there is a strict obligation to erase specific data at an earlier date. It is  important  to  note  that  our  business  relationships  may  subsist for many years. In addition, the length of time that data will be stored will depend on whether processing con-tinues to be necessary and the purpose of processing. Data will  be  erased  at  regular  intervals,  if  the information  is  no  longer required for the purpose of fulfilling contractual or statutory  duties  or  pursuing  our  legitimate  interests,  i.e.  the  objectives  have  been  achieved,  or  if  consent  is  with-drawn, unless further processing is necessary by reason of contractual or statutory retention periods or documentation requirements, or in the interests of preserving evidence throughout any applicable statutory limitation periods.

4. Will there be automated decision-making including profiling?

We do not normally make decisions based solely on the au-tomated  processing  of  personal  data.  We  will  inform  you  separately in accordance with the statutory regulations of any intention to use this method in particular circumstances  where  such  decisions  may  have  a  legal  consequence  or  meaningful impact on you.

Certain  business  areas  involve  the  automated  processing  of personal data at least to a certain extent, where the objective  is  to  evaluate  certain  personal  aspects  in  line  with  statutory  and  regulatory  requirements  (e.g.  money  laun-dering  prevention),  carry  out  needs  analysis  in  relation  to  products and services, assess loan affordability and credit standing, or for the purpose of managing risks.

The Bank reserves the right, in future, to analyse and evaluate  client  data  (including  the  data  of  any  third  parties  in-volved) by automated means for the purpose of identifying key  personal  characteristics  in  relation  to  clients,  predicting developments and creating client profiles. Such data will be used, in particular, to perform business checks, provide customised advice, offer products and services and provide any information that the Bank and its Group com-panies may wish to share with clients. Client profiling may also  result  in  automated  individual  decision-making  in  future, for example to enable automated acceptance and ex-ecution of client orders in e-banking.

The Bank will provide a suitable point of contact for clients who have concerns about an automated individual decision, insofar  as  the  law  stipulates  that  such  an  opportunity  to  raise concerns must be provided.

5. What data protection rights do you have?

You have the following data protection rights pursuant to the DPL in respect of personal data relating to you:

  • Right of access:  you  may  obtain  information  from  the  Bank  about  whether  and  to  what  extent  personal  data  concerning  you  are  being  processed  (e.g.  categories  of  personal  data  being  processed,  purpose  of  processing)  and you may obtain a copy of such data.
  • Right to rectification, erasure and restriction of pro-cessing: You have the right to obtain the rectification of inaccurate  or  incomplete  personal  data  concerning  you.  In  addition,  you  may  require  us  to  erase  your  personal  data if the data are no longer necessary in relation to the purposes  for  which  they  were  collected  or  processed,  if  you  have  withdrawn  your  consent,  or  if  the  data  have  been unlawfully processed. You also have the right to ob-tain restriction of processing in certain circumstances.
  • Right to withdraw consent: You have the right to with-draw  your  consent  to  the  processing  of  personal  data  concerning you for one or more specific purposes at any time,  where  the  processing  is  based  on  your  consent.  Please note that consent may only be withdrawn with ef-fect for the future and does not affect any data processing undertaken prior to withdrawing consent. Moreover, the withdrawal of consent has no effect in relation to data processing undertaken on other legal grounds.
  • Right to data portability:  you  have  the  right  to  receive  the personal data concerning you, which you have provid-ed to the controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller, if we are processing such data for the performance of a contract with you or in accordance with your  consent  and  in  each  case  if  we  are  conducting  such  processing by automated means.
  • Right to object: You have the right to object, on grounds relating  to  your  particular  situation,  without  any  formal  requirements, to the processing of personal data concern-ing you, if such processing is in the public interest or in pur-suit of the legitimate interests of the Bank or a third par-ty.  You  also  have  the  right  to  object,  without  any  formal  requirements,  to  the  use  of  personal  data  for  marketing  purposes. If you object to the processing of your personal data  for  direct  marketing  purposes,  we  will  discontinue  processing your personal data for this purpose.
  • Right to lodge a complaint: You have the right to lodge a complaint with the DIFC Commissioner of  Data  Protection, which is the supervisory authority responsible for data protection in the DIFC.