Regulatory news – June 2018

GDPR: an overview | June 26 2018

General Data Protection Regulation (GDPR):

  • In force from 25 May 2018 for all companies processing personal data of EU residents;
  • Strengthening the control of individuals over the processing of their personal data;
  • The possibility for private individuals to request a right of access, rectification, objection and, where appropriate, the deletion of their personal data.

The GDPR was developed to “harmonize data privacy laws in Europe, protect and enhance the privacy of data of all EU citizens and reshape the way organisations treat data privacy in the Union”.

“Processing” includes the collection, organisation, storage, use, consultation, modification, transmission and deletion of data, which may belong to customers, employees or suppliers. This data includes, among other things, customer transaction information, contact details, passport copies, etc.

Consumers have more transparency and control since they are better informed of when and why companies are processing their data and can exercise their individual rights on the basis of this more complete information.

This document aims to explain in a simple and transparent way what personal data OPPORTUNITE Luxembourg S.A. collects and how it is processed. The GDPR is applicable to all past, present and prospective clients and anyone involved in any transaction with OPPORTUNITE Luxembourg S.A. whether in a personal capacity or as a representative of a legal entity (a company manager, agent, legal representative, or operational staff, for example). OPPORTUNITE Luxembourg S.A. is legally obliged to retain personal data about clients, intermediaries and related parties, also fora certain period once the relationship has ended, in compliance with ‘know your customer’ regulations.

‘Personal data’ refers to any information that tells us something about you or that we can link to you. This includes your name, address, date of birth, account number, IP address or information about payments you’ve made from your bank account. By processing we mean everything we can do with this data such as collecting it, recording, storing, adjusting, organising, using, disclosing, transferring or deleting it.

You share personal data with us when you become a customer, register with our online services, complete an online form, sign a contract, use our products and services or contact us through one of our channels.

We also use data that is legally available from public sources such as land registers, commercial registers, registers of association and the media).

What types of data are collected?

The personal data we collect includes:

  • Identification data, such as your name, surname, date and place of birth, ID number, email address and the IP address of your PC or mobile device.
  • Transaction data, such as your bank account number, deposits, withdrawals and transfers related to your account.
  • Financial data, such as invoices, payment behaviour, the value of your property or other assets, financial portfolios, information on your income and the origin of your assets.
  • Socio-demographic data, such as whether you are married.
  • Audio-visual data, such as recordings of phone calls to our services.

Sensitive data

We do not record sensitive data relating to your health, ethnicity, religious or political beliefs unless it is strictly necessary. When we do it is limited to specific circumstances, for example if you instruct us to pay a membership fee to a political party. We are legally obliged to keep a copy of your passport.

What do we do with your personal data?

We only use your personal data for legitimate business reasons. This includes:

  • Administration. When you sign a management mandate, we are legally obliged to collect personal data that verifies your identity (such as a copy of your ID card or passport) and to assess whether we can accept you as a customer. We also need to know your address or phone number to contact you.
  • Product and service delivery. We use information about you to assess whether you are eligible to carry out certain investments.
  • Managing customer relationships. We may ask you for feedback about our products and services and share this with certain members of our staff to improve our relationship. We might also use notes from conversations we have with you online, by telephone or in person to customise products and services for you.
  • Preventing and detecting fraud and data security. We have a duty to protect your personal data and to prevent, detect and contain data breaches. This includes information we are obliged to collect about you, for example to comply with regulations against money laundering, terrorism financing and tax fraud.
  • Internal and external reporting. We process your data for our banking operations and to comply with a range of legal obligations and statutory requirements (anti-money laundering legislation and tax legislation, for example).

Who do we share your data with? Why?

Government authorities

To comply with our regulatory obligations we may disclose data to the relevant authorities, for example to counter terrorism and prevent money laundering.

In some cases, we are obliged by law to share your data with external parties, including:

  • Public authorities, regulators and supervisory bodies such as the central banks of the countries where we operate.
  • Tax authorities may require us to report your assets (e.g. balances on deposit, payment or savings accounts or holdings on an investment account).
  • Judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legal request.
  • Lawyers, for example, in case of bankruptcy, notaries, for example, when granting a mortgage, trustees who take care of other parties’ interests, and company auditors.

Financial institutions

When you withdraw cash or make a payment to an account at another bank, the transaction always involves another bank or a specialised financial company which keeps a record of the instructions given and other details.

Service providers

When we use other service providers we only share personal data that is required for a particular assignment. The following is a non-exhaustive list of operations involving service providers:

  • performing certain services and operations;
  • accounting;
  • auditing;

In all of these cases, we ensure the third parties can only access personal data that is necessary for their specific tasks.

Your rights and how we respect them

We respect your rights as a customer to determine how your personal information is used. These rights include:

Right to access information

You have the right to ask us for an overview of your personal data that we process.

Right to rectification

If your personal data is incorrect, you have the right ask us to rectify it.

Right to object to processing

You can object to the use of your personal data for its own legitimate interests. You can do this online, at our offices or by telephone. We will consider your objection and whether processing your information has any undue impact on you that requires us to stop doing so.
You cannot object to us processing your personal data if we are legally required to do so or if it is necessary to fulfil a contract with you.

Right to restrict processing

You have the right to ask us to restrict using your personal data if:

  • you believe the information is inaccurate;
  • we are processing the data unlawfully;
  • we no longer need the data, but you want us to keep it for use in a legal claim;

Right to data portability

You have the right to ask us to transfer your personal data directly to you or to another company. This applies to personal data we process, either with your consent or on the basis of a contract with you. Where technically feasible, we will transfer your personal data.

Right to erasure

You have the right to ask us to erase your personal data if:

  • we no longer need it for its original purpose;
  • you withdraw your consent for processing it;
  • you believe that OPPORTUNITE Luxembourg S.A. unlawfully processes your personal data;
  • a law of the European Union or a member state of the European Union requires OPPORTUNITE Luxembourg S.A. to erase your personal data.

Right to complain

Should you not be satisfied with the way we have responded to your concerns you have the right to submit a complaint to us. If you are still unhappy with our reaction to your complaint, you can contact the personal data protection authority in your country of residence.
In certain cases, we may deny your request. If it’s legally permitted, we will let you know in due course why we denied it.

Your duty to provide data

As financial sector professionals, we are required by law to collect certain information about you. Without this data we may not be able to carry out the management mandate.

How do we protect your personal data?

We apply an internal framework of policies and minimum standards across all our business to keep your data safe. These policies and standards are regularly updated to keep them up to date with regulations and market developments More specifically and in accordance with the law, we take appropriate technical and organisational measures (policies and procedures, IT security etc.) to ensure the confidentiality and integrity of your personal data and the way it’s processed.
In addition, OPPORTUNITE Luxembourg S.A. employees are subject to confidentiality.

How long do we keep your personal data?

We are only allowed to keep your personal data for as long as it’s still necessary for the purpose we initially required it. After this we look for feasible solutions, like archiving it.
When assessing how long to keep personal data, retention requirements might be stipulated by other applicable laws (e.g. anti-money laundering law). Some personal data may be kept as evidence in legal proceedings. However this data will not be actively processed.
Retention periods may depend on circumstances (your data may be archived for up to 10 years after your account has been closed).
Certain data, such as data collected during recorded telephone calls, is kept for shorter periods as required by law.

We may amend this document to remain compliant with any changes in law and/or to reflect how our business processes personal data.
If necessary, you may lodge your complaint with the National Commission for Data Protection (La Commission Nationale pour la Protection des Données) (CNPD, L-4361 Esch-sur-Alzette, 1, avenue du Rock’n Roll, https:// cnpd.public.lu) as well as to the judicial authorities.

Luxembourg, 25 May 2018