Principles of Processing Customer Data

Effective as of 08.05.2015

  1. General provisions, terms and definitions

    1. Customer Data − any information (including information subject to banking secrecy) available to LHV Group Estonian companies on the Customer (personal data, contact data, transaction data, etc.).
    2. Processing of Customer Data – any operation conducted with Customer Data (including collection, recording, reorganisation, preservation, modification, publication, access control, submission of inquiries, extracts, use, forwarding, cross-use, deletion, etc.).
    3. Customer Relationship – a legal relationship between an LHV Group Estonian company and the Customer, established when the Customer uses the Service or contacts an LHV Group Estonian company for the purpose of using the Service.
    4. Customer – a natural or legal person who is currently using, has used in the past, or has expressed his or her intention to use the Services rendered by LHV Group Estonian companies.
    5. Third Party − any person who is not the Customer, an LHV Group Estonian company or its staff member. 1. LHV Group company − AS LHV Group, AS LHV Pank, AS LHV Varahaldus, AS LHV Finance and other legal persons, where more than 50% of the shares are directly or indirectly, via subsidiaries, held by AS LHV Group or where LHV Group holds dominant influence or control through other means.
    6. LHV Group Estonian company – an LHV Group company which is based in Estonia. A foreign branch of an LHV Group Estonian company is not considered an LHV Group Estonian company.
    7. Service – a service provided to the Customer by an LHV Group Estonian company, including use of the LHV financial portal, management of pension funds, etc.
    8. Authorised processor – a person, who processes Customer Data on behalf of an LHV Group Estonian company. The list of authorised processors and their contact data has been published on the LHV website at lhv.ee/en. The list of authorised processors and their contact data shall be updated within a reasonable period of time, no later than in 30 days after the corresponding change. Instead of using the website, an LHV Group Estonian company shall have the right to notify the Customer of the authorised processor of the Customer’s personal data in the contract, in the application form or via other lawful means.
    9. These Principles of Processing Customer Data (hereinafter the Principles) shall apply insofar as they do not contradict the Service Conditions.
    10. By entering into or expressing his or her intention to enter into a Customer Relationship with an LHV Group Estonian company, the Customer shall grant the corresponding LHV Group Estonian company consent to the processing of the Customer Data under the conditions and pursuant to the procedure provided in these Principles.
  2. General principles of processing Customer Data

    1. The processing of Customer Data in LHV Group Estonian companies shall be governed by the Personal Data Protection Act, Credit Institutions Act, Money Laundering and Terrorist Financing Prevention Act, Estonian Central Register of Securities Act, other relevant legal acts and these Principles.
    2. LHV Group Estonian companies shall apply IT and other necessary security measures to protect Customer Data and monitor the processing of Customer Data.
    3. Staff members of LHV Group Estonian companies are obliged, under valid legal acts and the employment contract or other similar contract concluded with the particular staff member, to maintain the confidentiality of Customer Data (including data subject to banking secrecy) indefinitely, and shall be held responsible for any breach of this obligation. LHV Group Estonian companies shall permit access to Customer Data only to staff members trained accordingly. Staff members shall have the right to process Customer Data only within the limits of the duty assigned.
    4. As a rule, LHV Group Estonian companies shall demand from the persons to whom Customer Data are forwarded or disclosed under the Principles strict adherence to the security and confidentiality rules established by the LHV Group Estonian company.
    5. LHV Group Estonian companies shall process Customer Data in the minimum extent required for performing the concluded contracts, enhancing customer service and achieving the objectives set forth in clause 4 of the Principles.
  3. Categories of Customer Data

    1. LHV Group Estonian companies shall process all Customer Data obtained on the Customer in the course of the Customer Relationship. The main categories of Customer Data processed are the following:
      1. Customer's personal data (including name, personal identification code, date of birth, place of birth, identity document data, residence, tax residence and citizenship, language of communication, etc.), including data on the Customer’s field of activity (including level of education, educational institution, profession, job position, etc.);
      2. Customer’s contact data (including address, telephone number, fax number, e‑mail address, etc.);
      3. data on the transactions and contracts concluded by the Customer (including transactions concluded, contracts entered into and/or expired, applications and petitions submitted, interest paid and received, service fees, breach of contract, etc.);
      4. Customer’s financial data (including income, assets, liabilities, payment behaviour, related parties, etc.);
      5. data on the origin of the Customer’s assets (including data on the employer, transaction partners, commercial activities, beneficial owners, etc.);
      6. data on the Customer’s expertise and previous experience gained on the financial market (including the customer’s investment knowledge and experience);
      7. data on the Customer’s reliability (e.g. data on payment behaviour, damage caused to LHV Group companies or Third Parties, involvement in money laundering, terrorist financing or organised crime);
      8. data obtained in the course of performance of obligations imposed by law (e.g. data on inquires made by investigation authorities, notaries, tax authority, court, bailiffs, etc.);
      9. data on the Customer’s habits, preferences and satisfaction (e.g. data on the frequency of use of the Services, the range of Services used, complaints filed, etc.);
      10. data on the Customer segment (e.g. age group, etc.);
      11. data on participation in consumer games and campaigns (e.g. data on prizes won in investment games and other consumer games, points collected in campaigns, etc.);
      12. data on Website sections visited by the Customer.
  4. Purpose of the processing of Customer Data

    1. LHV Group Estonian companies shall have the right to process, for the purpose of establishing a Customer Relationship, performing a contract concluded with the Customer or exercising due diligence required by law, any Customer Data received directly from the Customer or from public databases (including data published on the Internet) or from Third Parties, provided that such a communication of Customer Data is lawful by nature.
    2. LHV Group Estonian companies shall have the right to process Customer Data, including to exchange Customer Data with Estonian-based or foreign credit institutions, financial institutions and financial intermediaries (international card organisations, settlement systems, etc.) for the purpose of risk assessment and risk management as well as for the application of the responsible lending principle.
    3. In addition, LHV Group Estonian companies shall process Customer Data within the extent allowed by law for the following purposes:
      1. to decide whether or not, and under which conditions to provide the Service to the Customer (in such cases, Customer Data may be processed even before the provision of the Service or entry into the contract);
      2. to identify the Customer in the establishment of a Customer Relationship;
      3. to perform, or to ensure the performance of a contract concluded between the Customer and an LHV Group Estonian company, or to exercise the rights arising from a contract concluded with the Customer or a related contract, or to seek protection against violated or disputed rights (e.g. communication of data to court or to a person representing an LHV Group Estonia company);
      4. to evaluate the Customer’s creditworthiness (e.g. for the purpose of entering into a loan agreement, applying the responsible lending principle) or reliability (e.g. for the purpose of exchanging data on previous payment behaviour with other credit institutions before passing a credit decision);
      5. to qualify the Customer for the provision of investment services and assessing the Customer's expertise with regard to the Services provided by LHV Group Estonian companies, as well as to offer the Customer the suitable Services rendered by LHV Group Estonian companies;
      6. to prevent money laundering and terrorist financing and to fulfil the obligations arising from both international and national legal acts (including the Tax Information Exchange Act) as well as international treaties signed and ratified by the Republic of Estonia (including collection of data, exchange of data and communication of data to investigation authorities, notaries, tax authorities);
      7. to reduce or prevent risks (e.g. to evaluate or inspect the credit portfolio or collateral assets of LHV Group companies, or to prepare audits, stress tests or analyses that partially or completely cover the activities of LHV Group companies) and to prevent any damage to LHV Group companies;
      8. to conduct statistical surveys and analyses of customer groups, market shares of products and services and other financial indicators, as well as to prepare reports and manage risks;
      9. to build on existing Services and develop new Services, including to establish service fees as well as to inspect, develop or maintain the IT systems and programs of LHV Group companies;
      10. to inspect and, if necessary, correct the Customer Data submitted by the Customer;
      11. to send to the Customer advertisements and offers of the products and services of LHV Group companies and carefully selected Third Parties;
      12. to organise consumer games or campaigns;
      13. to better understand the Customer’s expectations (e.g. surveys of consumption behaviour, market research, customer polls, etc.).
  5. Communication of customer data to third parties

    1. LHV Group Estonian companies shall have the right to communicate Customer Data to:
      1. other LHV Group companies, who are authorised to process Customer Data in the extent provided in clause 3 of these Principles and for the purposes specified in clause 4 of these Principles;
      2. individuals and organisations related to the provision of Services and performance of the contract concluded with the Customer (e.g. sureties, co-borrowers, guarantors, owners of collateral, international card organisations, payment intermediaries, insurers and insurance brokers, notaries, translation, communication, IT and postal service providers, etc.);
      3. database administrators (including AS Krediidiinfo or any other administrator of the register of payment defaults) to whom LHV Group Estonian companies communicate information under the law or contract for the purpose of applying the responsible lending principle as well as for allowing Third Parties to evaluate the Customer’s payment behaviour and creditworthiness;
      4. other Estonian-based or foreign credit institutions, financial institutions and financial intermediaries on the basis of their corresponding inquiry, for the purpose of providing the Services requested by the Customer, or for the purpose of determining the reliability of or the risks associated with the Customer or a related party;
    2. Society for Worldwide Interbank Financial Telecommunication (SWIFT; www.swift.com);
      1. consultants or other service providers of LHV Group Estonian companies (e.g. auditors), if the Customer Data are required for providing high-quality services to LHV Group Estonian companies, and provided that these persons adhere to the organisational, physical and IT requirements established by LHV Group Estonian companies for maintaining the confidentiality of and protecting the Customer Data;
      2. service providers to whom an LHV Group Estonian company has partially or completely assigned its activities under the conditions set forth in legal acts, and provided that these persons adhere to the organisational, physical and IT requirements established by LHV Group Estonian companies for maintaining the confidentiality of and protecting the Customer Data;
      3. authorised processors;
      4. new creditors upon assignment of the right of claim;
      5. other Third Parties, if the Customer is in breach of contract (e.g. debt collection service providers).
    3. LHV Group Estonian companies are obliged to publish and disclose Customer Data for fulfilment of the obligations imposed by legal acts (e.g. disclosure of data to investigation authorities, notaries, trustees in bankruptcy, Tax and Customs Board, Financial Intelligence Unit, Financial Supervision Authority).
    4. LHV Group Estonian companies are entitled to use Third Parties (e.g. correspondent banks, international card organisations, settlement systems, foreign administrators) in the performance of contracts concluded with Customers (e.g. card transactions, cross-border payments, securities transactions), and to make Customer Data available to these parties. These persons shall be authorised to process Customer Data in accordance with the laws of their country of residence.
    5. The Customer is aware of and shall agree to the following:
      1. LHV Group Estonian companies shall have the right to submit Customer Data to the register of payment defaults, if the Customer has failed to appropriately fulfil his or her financial obligation to LHV Group companies, delaying fulfilment of the obligation for more than 45 days. Information on the Customer's payment defaults shall be published in the register of payment defaults, with the Customer Data, which are submitted to the registrar, allowed to be processed by all those who have become members of the register or are otherwise authorised to access the register. Information on the Customer Data processed in the register of payment defaults kept by AS Krediidiinfo, as well as the terms and conditions and extent of processing and forwarding of the data, are available for the Customer at www.krediidiinfo.ee. The terms and conditions and extent of processing and forwarding of the data in other databases to which LHV Group Estonian companies submit information on the Customer’s payment defaults are available at www.lhv.ee;
      2. LHV Group Estonian companies shall submit Customer Data to registrars of public databases (e.g. population register) as an inquiry, for the purpose of comparing Customer Data against the data available in the database, ensuring that the Customer Data are correct and updated, or for obtaining additional information on the Customer;
      3. The SWIFT data processing centres are located in European Union Member States and the United States of America. Consequently, the data on bank transactions, including the personal data of the payer and the payee, shall be processed in the processing centres of EU Member States or the USA, regardless of the place where the transfer is initiated;
      4. Upon execution of bank transactions, the bank involved in the transaction, the payment intermediary or SWIFT may be obliged to disclose the transaction data and the related personal data on the Customer to the competent authority in the country of residence in the cases provided by the laws of the particular country;
      5. Where an international bank transaction involves a financial institution located in a country with an insufficient level of data protection – e.g. a correspondent bank or another payment intermediary − LHV Group Estonian companies cannot ensure that the data processors of financial institutions located in such countries are subjected to obligations similar to those established for LHV Group Estonian companies, and that the Customer is provided with rights equal to those established for data processing in EU Member States or other countries with a sufficient level of data protection.
  6. Processing of Customer Data for direct marketing purposes

    1. The Customer shall have the right to notify LHV Group Estonian companies at any time of his or her wish to not receive further personal offers and advertisements. The information on how to cancel further personal offers and advertisements shall be attached to the offer or advertisement and/or made available via the Internet bank. Where the Customer wishes to block future personal offers from LHV Group Estonian companies prior to receiving any offers or advertisements, the corresponding application shall be filed with the LHV Group Estonian company rendering the Service to the Customer, by using the contact data specified in clause 9.4.
    2. General information and background information on services rendered by LHV Group companies, as well as information related to the performance of the contract concluded (e.g. information on the expiry of the bank card, outstanding payables, etc.) shall not be considered personal offers and advertisements. The Customer shall not, as a rule, have the option of blocking such information.
  7. Recording of Customer Data

    1. LHV Group Estonian companies shall have the right to record any orders placed by means of communication (e.g. telephone, e‑mail, chat, Internet bank) and operations conducted by the Customer, and to use the recordings for verification and/or reproduction of orders or other operations as well as for other purposes specified in clause 5 of the Principles.
    2. For the purposes of protecting the assets of LHV Group Estonian companies and the Customer, as well as for securing physical safety of staff members and customers of LHV Group Estonian companies, LHV Group Estonian companies shall have the right to use surveillance equipment to monitor the premises and the immediate vicinity (including people) of LHV Group companies, and to make a digital recording thereof.
    3. The recordings produced by the surveillance equipment may be used for the protection of the rights and fulfilment of the obligations of LHV Group companies, as well as for verifying the operations conducted by the Customer and/or demonstrating unlawful behaviour and/or proving any damage caused to LHV Group companies. LHV Group Estonian companies are obliged to disclose such recordings pursuant to the procedure and within the scope provided by law – above all, to pretrial investigation authorities in case of a criminal offence, to court and to other competent authorities.
  8. Changes in Customer Data. Termination of the processing of Customer Data

    1. The Customer is obliged to immediately inform LHV Group Estonian companies of any changes, compared to the Customer Data specified in contracts or other documents submitted to LHV Group Estonian companies. LHV Group Estonian companies shall have the right to request documents verifying the change in Customer Data (e.g. change of the person’s name), and the Customer shall have the obligation to submit such documents.
    2. LHV Group Estonian companies shall check the correctness and completeness of the Customer Data on a regular basis (e.g. via the Internet bank, at face-toface meetings).
    3. The Customer shall have the right to review the Customer Data at the service points of LHV Group Estonian companies or via the Internet bank. The Customer shall inform LHV Group Estonian companies of any inaccuracies in the Customer Data gathered by LHV Group Estonian companies.
    4. Where the Customer finds that the processing of his or her Customer Data is prohibited by law, a contract concluded with the Customer or the Principles, the Customer shall have the right to demand termination of the processing, publication and/or making available of the Customer Data, and/or deletion of the Customer Data collected.
    5. LHV Group Estonian companies shall process Customer Data as long as required for achieving the purpose of the processing of Customer Data, or for fulfilling the obligations arising from legal acts.
  9. Protection of the Customer’s rights

    1. Where the Customer finds that the processing of Customer Data violates his or her rights, the Customer shall have the right to demand termination of the violation from the LHV Group Estonian company in violation of the Customer’s rights.
    2. Where the Customer's rights are violated, the Customer shall also have the right to contact the Data Protection Inspectorate or the competent court.
    3. Where the competent authority finds that the Customer's rights have been violated by the processing of the Customer Data, the Customer shall have the right to demand compensation for the damage caused.
    4. The Customer should contact the following persons for more detailed explanations on the processing of Customer Data, and for filing a complaint:
      1. matters concerning pension funds and investment funds: AS LHV Varahaldus, registry code: 10572453, address: Tartu mnt 2, 10145 Tallinn, e‑mail: info@lhv.ee, telephone: 6 800 400.
      2. matters concerning hire-purchase services: AS LHV Finance, registry code: 12417231, address: Tartu mnt 2, 10145 Tallinn, e‑mail: info@lhv.ee, telephone: 6 800 400.
      3. matters concerning bank services and all other matters: AS LHV Pank, registry code: 10539549, address: Tartu mnt 2, 10145 Tallinn, e‑mail: info@lhv.ee, telephone: 6 800 400.
  10. Amendment and application of the Principles

    1. LHV Group Estonian companies shall have the right to unilaterally amend the Principles in accordance with the valid laws at any time.
    2. LHV Group Estonian companies shall inform the Customer of the amendment of the Principles via the website www.lhv.ee and/or the communication channel agreed with the Customer at least 1 (one) month before the entry into force of the amendments, except where the amendment of the Principles is triggered by the amendment of the law.
    3. The Principles shall be applied to the processing of the Customer Data of all Customers, as well as to Customer Relationships established prior to the entry into force of the Principles.