Privacy Policy

FL 5480 en C 25062021 9999 Page 1 of 3
LGT Bank Ltd. Herrengasse 12, FL-9490 Vaduz
Phone +423 235 11 22, [email protected], www.lgt.li, BIC BLFLLI2X
HR No.: 1122356-7, Reg. Office: 9490 Vaduz, VAT No. 50119, UID: CHE-260.887.880

Data privacy notice for natural persons
EU General Data Protection Regulation (GDPR) and Data Protection Act (DPA)
Applicable to existing and future clients
Valid from June 2021

This data privacy notice is intended to provide you with an overview of the processing of the personal data held at LGT and the resulting rights under the provisions of the new GDPR and the DPA. Which data are processed specifically and the way in which they are used depends essentially on the services and products to be provided or agreed. We are committed to protecting your privacy and to a duty of confidentiality, and for this reason we implement a large number of technical and organizational data protection policies in relation to the processing of personal data.

Within the context of our business relationships, we are reliant upon compiling and processing personal data that are required for opening and implementing the business relationship and for complying with the related statutory or contractual obligations as well as for providing services or executing orders. Without these data we are generally not in a position to enter into or maintain a business relationship, process an order or offer services and products.

The data controller is:

LGT Bank Ltd.
Herrengasse 12
9490 Vaduz
Liechtenstein
Phone: +423 235 11 22
E-Mail: [email protected]

Should you have any questions or want to exercise your rights, please contact our data protection officer:

LGT Group Holding Ltd.
Data Protection Officer
Herrengasse 12
9490 Vaduz
Liechtenstein
Phone: +423 235 11 22
E-Mail: [email protected]

1 From which sources does the data originate and what types (categories) of data are processed?

We process personal data that we obtain within the context of our business relationships with our clients. Personal data may be processed at every stage of a business relationship and differ according to the group of people concerned.

As a basic principle, we process personal data that are made available to us through contracts, forms, correspondence or other documents submitted or with your consent. Insofar as is necessary for the provision of a service, we also process personal data that are generated or transmitted as a result of the use of services and products or that we have duly obtained from third parties (e.g. credit agency), from public agencies (e.g. UN and EU sanctions lists) or from other LGT companies. Finally, personal data from publicly available sources (e.g. lists of debtors, land registers, registers of companies or associations, press, internet) may be processed.

In addition to these data, we also process, if applicable, personal data of other natural persons involved in the business relationship, such as for example data of authorized agents, representatives, card holders, codebtors, guarantors, legal successors or beneficial owners of a business relationship. We request that you inform these people about this data privacy notice.

We process the following categories of data in particular:

- Personal details (e.g. name, date of birth and nationality)
- Address and contact details (e.g. physical address, telephone number and e-mail address)
- Identification data (e.g. passport or identity card data) and authentication data (e.g. specimen signatures)
- Data from public sources and registers (e.g. tax number)
- Information relating to used products and services (e.g. investment experience and investor profiles, advisory records and turnover data from payment services)
- Information on composition of household and relationships (e.g. information on spouses, partners, family, authorized signatories, business partners in the case of partnerships, majority shareholders, legal representatives)
- Information about financial characteristics and on the financial situation (e.g. portfolio and account numbers, creditworthiness data and the origin of assets)
- Information about the professional and personal background (e.g. the professional activity, hobbies, wishes and preferences)
- Technical data and information about electronic communication with LGT (e.g. access or change logs)
- Image and audio data (e.g. video or voice recordings)

2 For what purposes and on what legal bases are your data processed?

We process personal data in accordance with the provisions of the GDPR and the DPA for the following purposes and on the following legal bases (Art. 6(1) GDPR):

- For performance of a contract or implementation of pre-contractual measures (Art. 6(1)(b) GDPR) within the context of providing and brokering banking transactions and financial services and for processing instructions, the use of applications for internal and external communications in connection with client relationships (via audio, video, screen sharing, chat features), the analysis of client relationships and client requirements, the development of products and services based on the products and services already used or potentially to be used in future and for the purpose of client retention. The purposes for data processing are primarily determined by the specific service or product (e.g. account, loan, securities, deposits, brokerage, payment services) and can include needs analyses, advisory, portfolio management and administration and the execution of transactions, among other things.
- For compliance with legal obligations (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR), in particular to comply with statutory or supervisory requirements (e.g. GDPR, DPA, banking law, due diligence, money laundering and market abuse provisions, tax laws and agreements, control and reporting obligations and risk management).
- To safeguard our legitimate interests or those of third parties (Art. 6(1)(f) GDPR) for specifically defined purposes, particularly for assessing affordability and creditworthiness, for setting up and realizing collateral, in the context of using applications for internal and external communications in connection with client relationships (via audio, video, screen sharing, chat features), the analysis of client relationships and client requirements and the development of products and services based on the products and services already used or potentially to be used in future, for the purpose of client retention, for establishing and enforcing claims, for advertising and marketing purposes (provided you have not objected to the use of your personal data for these purposes), for compliance with the rights of the data subject (e.g. right of information), for the prevention and solution of criminal offenses, for video monitoring in connection with the right to allow or deny access to the premises and the aversion of danger, for documenting discussions, for ensuring IT security and IT operation as well as building and equipment security, for business and risk control, for reporting, for statistical and planning purposes, and for performing Group-wide coordination tasks.
- Based on your consent (Art. 6(1)(a) GDPR), which you gave to us for advertising and marketing purposes or within the scope of specific services or instructions.

We reserve the right to further process personal data that have been collected for one of the above purposes for the other purposes too if this is consistent with the original purpose or permitted or provided for by law (e.g. reporting obligations).

3 Who obtains access to personal data and for how long is it stored?

Bodies both within and outside LGT may obtain access to personal data. Within LGT, bodies or employees may process your data only if they require them to comply with our contractual, statutory or supervisory obligations and to protect legitimate interests. Other LGT companies, service providers or vicarious agents may also obtain personal data for these purposes. Such recipients may be companies relating to banking services, distribution agreements, IT services, logistics, printing services, collection, advice and consulting as well as distribution and marketing. Furthermore, recipients of your data in this context may be other banks and financial service institutions or comparable institutions to whom we transfer personal data for implementing the business relationship (e.g. correspondent banks, custodian banks, brokers, stock exchanges, information agencies).

Where there is a statutory or supervisory obligation, personal data may also be passed on to public agencies and institutions (e.g. supervisory or tax authorities).

Insofar as data are transferred to countries outside the European Union (EU) or the European Economic Area (EEA) (third countries) and the European Commission has not ruled that the country in question offers an adequate level of security, such a data transfer will be carried out using suitable measures (e.g. recognized EU standard data protection clauses) so that compliance with data privacy provisions can be guaranteed. Further information in this regard can be requested from the data protection officer. If the situation does not permit the use of suitable guarantees, data will only be transferred insofar as this is required for the implementation of pre-contractual measures, or for the performance of a contract (e.g. to comply with statutory obligations outside the EU or the EEA based on the chosen service or relevant product), for the performance of services or for the processing of instructions (e.g. to carry out payment instructions and securities transactions or to issue a credit card). Data will also be transferred to third countries insofar as you have given your explicit consent (e.g. in the context of specific services), it is necessary for important reasons of public interest (e.g. preventing money laundering) or it is required by law (e.g. reporting obligations under tax law).

We process and store the personal data throughout the duration of the business relationship provided certain data are not subject to shorter, mandatory deletion periods. It should be noted that our business relationships can last for years. In addition, the storage period is determined according to the necessity and purpose of the respective data processing. If the data are no longer required for compliance with contractual or statutory obligations or to safeguard our legitimate interests or those of third parties (achievement of the purpose) or if granted consent is withdrawn, the data are erased periodically, unless further processing or storage is necessary on the basis of contractual or statutory retention periods and obligations of documentation or on the grounds of preserving evidence for the duration of the applicable statute of limitations.

4 Are automated decision-making (including profiling) and data analyses carried out?

4.1 Automated decision-making

As a basic principle, our decisions are not based solely on automated processing of personal data. If we do use this type of procedure in individual cases, we shall inform you separately insofar as this is required by law. Personal data is processed at least partly by automated means in certain areas of the business insofar as statutory and regulatory provisions require us to do so (e.g. to prevent money laundering) as well as to assess affordability and creditworthiness when granting loans, in the context of risk management or to conduct a needs analysis. Client profiles may also lead to automated individual decisions, e.g. in order to accept and execute client instructions in online banking by automated means.

4.2 Data analyses

Personal data (including data of involved persons) and publicly available data are analyzed and evaluated (including profiling) in order to identify significant personal characteristics of the client, predict developments and draw up client profiles (e.g. through client retention modeling and segmentation). These analyses may be used for the purposes of market research, marketing, advice, sales and risk management and serve in particular to conduct auditing, provide individual advice and develop new, improved or customized products and services as well as for the preparation of attractive offers and interesting information for clients by ourselves or other LGT Group companies.

5 What if we are jointly responsible with other bodies?

This data privacy notice also applies to the processing of personal data by other controllers if we collaborate with one or more other controllers (especially LGT companies) within the context of the provision or use of the services and personal data are exchanged with the other controllers on the basis of this collaboration.

The other controllers are obliged:

- to likewise comply with the relevant provisions of the GDPR and provide us with proof of their compliance,
- to keep the required records of processing activities,
- to take suitable technical and organizational measures to protect personal data,
- to conduct a data protection impact assessment if processing is likely to result in a high risk to the rights and freedoms of natural persons, and to notify us thereof where applicable,
- to notify us without delay about any data protection violations,
- to support us in exercising the rights of affected natural persons and make the relevant information available.

We are required to comply with any reporting or notification obligations towards the competent supervisory authority or affected natural persons. We are responsible for enquiries from the affected natural persons in this context. Questions can be addressed to the data protection officer.

6 What data protection rights do you have?

You have the following data protection rights with regard to your personal data (Art. 15 to 21 GDPR):

6.1 Right of access

You may obtain from us information as to whether and to what extent personal data concerning you are being processed.

6.2 Right to rectification, erasure and restriction of processing

You have the right to obtain without undue delay the rectification of inaccurate or incomplete personal data concerning you. In addition, your personal data must be erased if these data are no longer necessary in relation to the purposes for which they were collected or processed, you have withdrawn your consent or these data are being unlawfully processed. Furthermore, you have the right to obtain restriction of processing.

6.3 Right to revoke

You have the right to revoke your consent to the processing of your personal data for one or more specific purposes at any time if the processing is based on your explicit consent.
The revocation of consent will only have future effect and does not affect the legality of data processed before the revocation. The revocation also does not have any effect on data processing with another legal basis.

6.4 Right to data portability

You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and to have those data transmitted to another controller (e.g. another bank).

6.5 Right to lodge a complaint

You have the right to lodge a complaint with the competent supervisory authority.¹ The contact details for the competent data protection office in Liechtenstein are:

Data Protection Office Liechtenstein
Städtle 38
P.O. Box
9490 Vaduz
Liechtenstein
Phone: +423 236 60 90
E-mail: [email protected]

7 Right to object

7.1 In individual cases

If the processing of your personal data is carried out in the public interest or to safeguard our legitimate interests or those of a third party, you have the right to object, on grounds relating to your particular situation, at any time to this processing.

7.2 Direct marketing

You have the right to object informally to the use of your personal data for direct marketing purposes at any time. Where you object to this type of processing, we shall no longer process your personal data for such purposes.

Requests should ideally be made in writing to the data protection officer, who is also the point of contact for any other data protection issues you may have.

We reserve the right to modify this data privacy notice and publish it on our website (see the update date at the top of the data privacy notice).

¹ You may also contact another supervisory authority of an EU or EEA Member State, for example in your place of residence or work or at the location of a violation of the data protection regulations.