LGT Bank Ltd.
Herrengasse 12, FL-9490 Vaduz
Phone +423 235 11 22
[email protected], www. Igt.li, BIC BLFLLI2ZX
HR No.: 1122356-7, Reg. Office: 9490 Vaduz, VAT No. 50119
UID: CHE-260.887.880
Data privacy notice for natural persons
EU General Data Protection Regulation (GDPR) and Data Protection Act (FADP)
Applies to contractual partners, service providers and suppliers
Valid from June 2021
This data privacy notice is intended to provide an overview of the
processing of the personal data held at LGT and the resulting rights under
the provisions of the GDPR and the FADP. Which data in particular is
processed and the way in which it is used depends essentially on the
relevant agreed services. We are committed to protecting privacy and to
confidentiality. For this reason, we implement a number of technical and
organizational data protection measures relating to the processing of
personal data.
Within the context of our business relationship, we need to collect and
process the personal data which is required for establishing and
conducting the business relationship as well as for complying with the
associated statutory and contractual obligations. Without this data, we
are generally not in a position to enter into or maintain a business
relationship.
Should affected natural persons have any questions about individual types
of data protection or wish to exercise their rights, they can contact the
following bodies:
Data protection officer for the LGT Group companies:
LGT Group Holding Ltd.
Data Protection Officer
Herrengasse 12
9490 Vaduz
Liechtenstein
Phone: +423 235 11 22
E-mail: [email protected]
Controller or body with which a business relationship exists:
LGT Bank Ltd.
Herrengasse 12
9490 Vaduz
Liechtenstein
Phone: +423 235 11 22
E-mail: [email protected]
LGT Financial Services Ltd.
Herrengasse 12
9490 Vaduz
Liechtenstein
Phone: +423 235 24 44
E-mail: Igt. [email protected]
LGT Group Holding Ltd.
Herrengasse 12
9490 Vaduz
Liechtenstein
Phone: +423 23511 22
E-mail: [email protected]
1 From which sources does the data originate and what types
(categories) of data are processed?
We process personal data which we have received in the context of
our business relationships (e.g. via contracts, forms, business cards,
correspondence or other documents or on the basis of consent from
affected natural persons). Where necessary for conducting a business
relationship, we also process personal data that is generated through the
provision or use of services or which we have obtained legitimately from
third parties, public agencies or other LGT Group companies. Personal
data from publicly available sources (e.g. the press or the internet) may
also be processed.
Personal data may be processed at any stage of a business relationship
and differ depending on the type of business relationship.
The data we process includes in particular the personal data of natural
persons involved in the business relationship, such as representatives,
employees and authorized agents, for example. We ask you to inform
these people about this data privacy notice.
We process the following categories of data in particular:
- Personal details (e.g. name, date of birth and nationality)
- Address and contact details (e.g. physical address, telephone number
and e-mail address)
- Identification data (e.g. passport or identity card data) and
authentication data (e.g. specimen signatures)
- Data from public sources and registers (e.g. the commercial register)
- Information relating to products and services used (e.g. investment
experience and investor profile, advisory records and turnover data
from payment services)
- Information about financial characteristics and on the financial
situation (e.g. portfolio and account numbers, creditworthiness data
and the origin of assets)
- Information on the professional and personal background (e.g.
professional activity, hobbies, desires, preferences)
- Technical data and information about electronic communication with
LGT (e.g. access or change logs)
- Image and audio data (e.g. video or voice recordings)
2 For what purposes and on what legal basis is personal data
processed?
We process personal data in accordance with the provisions of the GDPR
and the DPA for the following purposes and on the following legal bases
(Art. 6(1) GDPRY):
- For the fulfillment of a contract or to take steps prior to entering into
a contract (Art. 6(1)(b) GDPR) within the context of providing or using
services and using applications for internal and extemal
communications in connection with business relationships (via audio,
video, screen sharing, chat features). The purposes of data processing
are primarily determined by the specific service.
- For compliance with a legal obligation (Art. 6(1)(c) GDPR) or in the
public interest (Art. 6(1)@) GDPR), in particular to comply with
statutory or supervisory requirements (e.g. GDPR, DPA, banking law,
due diligence, money laundering and market abuse provisions, tax
laws and agreements, control and reporting obligations and risk
management).
- To safeguard our legitimate interests or those of third parties (Art 6
(1)f) GDPR) for specifically defined purposes, particularly for
checking affordability and creditworthiness, for setting up and
realizing collateral, in the context of using applications for internal
and external communications in connection with business
relationships (via audio, video, screen sharing, chat features), for
product development, for advertising and marketing purposes
(provided the natural persons concerned have not objected to the
use of their personal data for these purposes), for compliance with
the rights of the data subject (e.g. right of information), for the
prevention and solving of criminal offenses, for video monitoring in
connection with the right to allow or deny access to the premises and
with the aversion of danger, for documenting discussions, for
ensuring IT security and IT operation as well as building and
equipment security, for the assertion and enforcement of legal
claims, for business and risk control, for reporting, for statistical and
planning purposes, and for performing Group-wide coordination
tasks.
- On the basis of consent (Art. 6 (1)@) GDPR) granted to us by the
natural persons concerned for advertising and marketing purposes or
certain other purposes.
With regard to processing personal data collected for one of the above
purposes, we reserve the right to also continue processing it for the other
purposes if this is consistent with the original purpose or permitted or
stipulated by law.
3 Who obtains access to personal data and for how long is it
stored?
Personal data may be accessed by the internal and external bodies which
require the data to provide or use the services and to comply with our
contractual and statutory obligations. Within LGT, bodies or employees
may only process personal data if they require it to comply with our
contractual, statutory and supervisory obligations and to protect
legitimate interests. Other LGT Group companies, service providers or
vicarious agents may also obtain personal data for these purposes. Such
recipients may be companies relating to banking services, distribution
agreements, IT services, logistics, printing services, collection, advice and
consulting as well as distribution and marketing. Recipients of the data in
this context may also include banks and financial service institutions
or comparable institutions to which we transfer personal data for
conducting the business relationship (e.g. correspondent banks, custodian
banks, brokers, stock exchanges or information agencies).
Where there is a statutory or supervisory obligation, personal data may
also be passed on to public agencies or institutions (e.g. supervisory or
tax authorities).
Insofar as data is transferred to countries outside the European Union (EU)
or the European Economic Area (EEA) (third countries) and the European
Commission has not determined that the country in question offers an
adequate level of security, such a data transfer will be carried out using
suitable measures (e.g. recognized EU standard data protection clauses)
so that compliance with data privacy provisions can be guaranteed.
Further information in this regard can be requested from the data
protection officer. If the situation does not permit the use of suitable
guarantees, data will only be transferred insofar as this is required for the
implementation of pre-contractual measures, to fulfill a contract or for
the performance or use of services, the natural persons concerned have
given their explicit consent, it is necessary for important reasons of public
interest (e.g. preventing money laundering) or it is required by law (e.g.
reporting obligations under tax law).
We process and store the personal data throughout the duration of the
business relationship unless shorter mandatory deletion periods apply for
specific types of data. It should be noted that our business relationships may
last for years. In addition, the storage period is determined by the necessity
and purpose of the respective data processing. If the data is no longer
required for compliance with contractual or statutory obligations or to
safeguard our legitimate interests (achievement of the purpose) or if
granted consent is withdrawn, the data is deleted periodically unless
further processing or storage is necessary due to contractual or statutory
retention periods or documentation obligations or to preserve evidence
for the duration of the applicable statute of limitations.
4 Is automated decision-making and/or profiling carried out?
In principle, our decisions are not based exclusively on automated processing
of personal data. If we do use such procedures in individual cases, we
inform thereof separately insofar as this is required by law.
There are business areas in which personal data is processed at least partly
by automated means. The objective of this is to evaluate certain personal
aspects insofar as we are obliged to do so by statutory and regulatory
requirements (e.g. to prevent money laundering), to conduct needs
analyses for services as well as for risk management.
Personal data (including data of third parties concerned) may be analyzed
and evaluated in order to identify significant personal characteristics of
the contracting party or predict developments and draw up client profiles.
This may prove useful in particular for the purposes of audits, the
provision of individual advice and the preparation of offers and
information that we and LGT Group companies may choose to provide.
Profiles may also lead to automated individual decisions, e.g. in order to
accept and execute online banking instructions automatically.
5 What if we are jointly responsible with other data processors?
This data privacy notice also applies to the processing of personal data by
other controllers if we collaborate with one or more other controllers
(especially LGT Group companies) within the context of the provision or
use of the services and exchange personal data with the other controllers
on the basis of this collaboration.
These other controllers are obliged:
- to likewise comply with the relevant provisions of the GDPR and
provide us with proof of their compliance,
- to keep the required records of processing activities,
- to take suitable technical and organisational measures to protect
personal data,
- toconduct a data protection impact assessment if processing is likely
to result in a high risk to the rights and freedoms of natural persons,
and to notify us thereof where applicable,
- to notify us without delay about any data protection violations,
- tosupport us in exercising the rights of affected natural persons and
make the relevant information available.
We are required to comply with any reporting or notification obligations
towards the competent supervisory authority or affected natural persons.
We are responsible for handling enquiries by affected natural persons in
this context. These enquiries may be addressed to the data protection
officer.
What data protection rights are there?
Affected natural persons have the following data protection rights with
regard to their personal data (Arts. 15-21 GDPR):
Right of information
Affected natural persons may demand information from us about
whether and to what extent their personal data is being processed
(e.g. categories of the processed personal data or the purpose of
processing).
Right to rectification, erasure and restriction of processing
Affected natural persons have the right to demand the rectification of
inaccurate or incomplete personal data about them without delay. In
addition, personal data must be erased if it is no longer required for
the purposes for which it was collected or processed, if consent has
been withdrawn or the data is being processed unlawfully.
Furthermore, affected natural persons have the right to demand a
restriction of processing.
Right of withdrawal
Affected natural persons have the right at any time to withdraw their
consent to the processing of their personal data for one or more
specific purposes if processing is based on their explicit consent. The
revocation of consent will only have future effect and does not affect
the legality of data processed before the revocation. Furthermore,
revocation does not have any effect on data processing conducted
on other legal grounds.
Right to data portability
Affected natural persons have the right to receive any personal data
about them which has been provided to us. This must be given to
them in a structured, standard and machine-readable format. They
furthermore have the right to have this data transferred to another
controller.
6.5 Right to lodge a complaint
Affected natural persons have the right to lodge a complaint with
the competent supervisory authority’.
The contact details for the competent data protection office in
Liechtenstein are:
Data Protection Office Liechtenstein
Stadtle 38
P.O. Box
9490 Vaduz
Liechtenstein
Phone: +423 236 60 90
E-mail: [email protected]
7 Right to object
In individual cases
If personal data is processed in the public interest or to safeguard the
legitimate interests of LGT or a third party, affected natural persons
have the right to object to such processing at any time on grounds
relating to their particular situation.
~
7.2 Direct marketing
Affected natural persons have the right to object informally to the
use of their personal data for direct marketing purposes. In the
event of objection to this type of processing, we no longer process
the relevant personal data for this purpose.
Requests should ideally be made in writing to the data protection officer,
who is also the point of contact for all other data protection-related
issues.
We reserve the right to modify this data privacy notice and publish it on
our website (see the update date at the top of this data privacy notice).
"You may also contact another supervisory authority of an EU or EEA Member State, for example in your place or residence or work or at the
location of a violation of the data protection directive.