Principles of Processing Customer Data

Effective 25 May 2018

We value all of our customers and respect their right to privacy and protection of their data. We would like our customers to be aware of why and how we use their data, what their rights are and how they can exercise their rights. For this purpose, we have updated our Principles for Processing Customer Data, which provide information on the following questions:

  • what kind of Customer Data we use in our activity and the main reasons for using the data (clause 3.6);
  • what are the additional purposes for which we also use Customer Data (clause 3.7);
  • what are the rights of natural person Customers (clause 8);
  • how can our Customers exercise their rights, including whom can they contact if they have questions (clause 9);
  • where are we allowed to obtain information about our Customers (clauses 3.1 and 3.2);
  • to whom and on what grounds can we send Customer Data (clause 4);
  • how do we protect our Customers’ Personal Data when we send them outside the European Economic Area (clause 5).
  1. Terms and definitions. General provisions.

    1. Customer for the purposes of these Principles for Processing Customer Data (“Principles”) is a natural person or a legal person who has expressed a desire to use, who is using or who has used LHV services and who is otherwise connected to services provided by LHV.
    2. Customer Data is any sort of information, including banking secrets and personal data known by LHV regarding a Customer.
    3. Processing is any procedure performed with Customer Data, including collection, retention, use and sending of data.
    4. Personal Data are any information on natural person Customers who have been identified or are being identified.
    5. Third Party is any person who is not the Customer, LHV or LHV employee and who, either alone or with a second person, defines the purposes and means for Processing of Customer Data.
    6. LHV is AS LHV Group, AS LHV Pank, AS LHV Varahaldus, AS LHV Finance and other legal persons in which AS LHV Group holds, directly or through subsidiaries, over 50% of the shares.
    7. These Principles shall apply insofar as they do not contradict the Service Conditions.
    8. By entering into a customer relationship with LHV or expressing the desire to do so, the Customer agrees to the Processing of Customer Data on conditions and in accordance with procedure set forth in these Principles.
  2. General principles

    1. Processing of Customer Data at LHV takes place in accordance with requirements set forth in Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the Personal Data Protection Act, other relevant legal acts and the requirements set forth in these Principles. The conditions for Processing of Customer Data may also be described in contracts and other documents related to LHV services.
    2. Based on the requirements of legal acts, and pursuant to the employment contracts and other agreements entered into on the basis thereof, LHV and its employees are obliged to keep Customer Data confidential indefinitely and are liable for violations of the aforementioned obligations. LHV shall allow access to Customer Data only to employees who have received the relevant training. An employee shall have the right to process Customer Data only in the extent necessary for fulfilling the duties of employment assigned to that employee.
    3. LHV shall use authorised processors for Processing of Customer Data. LHV shall in this regard ensure that such data processors process Customer Data only in accordance with instructions from LHV and in conformity with the requirements for data protection.
  3. The categories of Customer Data processed by LHV, objectives of Processing and legal basis for Processing

    1. LHV gathers Customer Data mainly from the Customer (e.g. applications and requests, in the course
      of Customer interaction) and in the course of use of the services by the Customer (e.g. execution of
      card payments and transfers, forwarding of securities orders, performance of contracts).

    2. LHV also obtains Customer Data from Third Parties, such as:

      1. public and private registers (e.g. Population Register, Central Register of Securities, KMAIS
        information system). LHV use these data mainly for verifying and updating Customer Data and for
        evaluating the Customer’s creditworthiness;
      2. LHV companies, OÜ Krediidiregister, and Creditinfo Eesti AS. LHV uses these data mainly for
        verifying and updating the Customer’s creditworthiness and risk management, including compliance
        with obligations stemming from the accounting standards (IFRS 9);
      3. correspondent banks, foreign brokers and other business partners if the Customer has provided
        consent to our business partner for this purpose or the sending of data is permitted by legal acts.
        LHV uses these data mainly for enabling provision of service to Customers (e.g. foreign payments
        and investment services).
    3. LHV process Customer Data for compliance with legal obligations stemming from legal acts (national laws, supervisory guidelines, regulations and EU legal acts), performance of contracts with Customers and preparing for entering into contracts, e.g. for processing applications submitted by Customers, on the basis of Customer consent and for protection of LHV’s own legitimate interests.

    4. LHV’s legitimate interests are expressed in furtherance of its own operating activity in offering Customers better services and products, developing its own products, ensuring data and information security and performance of general legal obligations set forth in legal acts.

    5. On the basis of consent for Processing Customer Data, LHV shall ask for consent, e.g., on relevant applications and requests, and allow the Customer to provide its consent voluntarily.

    6. The following is a list of the types of Customer Data, the main purposes for which LHV processes Customer Da and the legal grounds for Processing:

      TYPES OF CUSTOMER DATAPURPOSES OF DATA PROCESSINGLEGAL GROUNDS FOR PROCESSING
      Personal Data (e.g. name, personal identification code, date of birth, data on the identity document)1) identification of customer1) legal obligation stemming from the Money Laundering and Terrorism Financing Prevention Act
      Contact details (e.g. telephone, email, address, language of contact)2) customer interaction. 3) direct marketing2) performing contract with the Customer and drafting the agreement; 3) consent/legitimate interest for marketing similar products and services
      Data on tax residency (e.g. country of location, taxpayer identification number, citizenship)4) gathering and reporting tax-related information4) legal obligation arising from Tax Information Exchange Act
      Data on family and area of activity (e.g. marital status, number of dependents, profession, education, data on employer)5) evaluating the customer’s creditworthiness5) legal obligation arising from the Creditors and Credit Intermediaries Act and legitimate interest for compliance with requirements for evaluating creditworthiness (pursuant to the Law of Obligations Act and Financial Supervision Authority guidelines)
      Financial data (e.g. forecasted receipts, income, obligations, data on collateral and security, payment history, indebtedness, transactions conducted, contracts concluded and/or ended, applications filed, requests, interest paid and received, service fees, breach of contract)6) evaluating the Customer’s creditworthiness;
      7) evaluation of appropriateness and suitability of product, service and securities offered to the Customer
      6) legal obligation arising from the Creditors and Credit Intermediaries Act
      7) legal obligation arising from the Securities Market Act
      Data on the Customer’s trustworthiness and origin of assets (e.g. data on payment history, data on connections to money laundering, terrorism financing or organised crime, data on employer, transaction partners, beneficial ownership, income sources, data on business activity, related persons, whether the Customer is a politically exposed person)8) compliance with due diligence requirementsc8) legal obligation stemming from the Money Laundering and Terrorism Financing Prevention Act
      Data on the Customer’s expertise (e.g. the Customer’s investment knowledge and experiences, educational attainment, profession, investment goal)9) evaluating the appropriateness and suitability of product, service and securities offered to the Customer and assessing the Customer’s expertise9) legal obligation arising from the Securities Market Act
      Data related to securities (e.g. securities transactions and transaction orders, quantity of securities, transaction volumes, transaction value, LEI code, pension data)10) transaction monitoring with regard to characteristics of market abuse and reporting of suspicious transactions
      11) ensuring exchange of information with the Central Registry of Securities, performing functions of account manager
      10) legal obligation arising from Regulation no. 596/2014 of the European Parliament and of the Council (market abuse regulation)
      11) legal obligations arising from the Securities Register Maintenance Act
      Data on the Customer’s habits, preferences and satisfaction (e.g. Customer status, data on active use of Services, Services used, Customer’s queries and complaints)12) development of products and services12) legitimate interest for developing new products and services and improving existing products (e.g. correcting errors, developing greater ease of use for more actively used services)
      Data on the Customer’s segment (e.g. age demographic)13) direct marketing, organising campaigns13) legitimate interest for promoting commercial activity and making offers suitable for Customers, such as for marketing pension products
      Data obtained in the course of performing obligations arising from legislation (e.g. data arising from inquiries made by investigative bodies, notaries, tax authority, courts, inquiries made by court bailiffs)14) cooperation with supervisory authorities and other public sector institutions, implementation of required measures, such as impounding accounts14) compliance with legal obligations stemming from various acts, such as the Credit Institutions Act and Money Laundering and Terrorism Financing Prevention Act
      Data related to participation in consumer games and campaigns (e.g. data on prizes won in investment games and other consumer games and points collected in campaigns)15) compliance with campaign terms (e.g. payouts of amounts won)
      16) direct marketing (e.g. sending an invitation to participants in the Börsihai/Stock Market Shark game to take part next year)
      15) performing contract concluded with the Customer
      16) legitimate interest in marketing the same or similar service
      Data on Website sections visited by the Customer17) risk management, monitoring and investigating to counter fraud (e.g. payment fraud)17) legitimate interest for security risk management, to counter fraud and resolve disputes in court or extrajudicially
    7. In addition to the objectives set forth in clause 3.6, LHV also processes Customer Data for the following purposes:

      1. administering the Customer relationship, inspecting and, if necessary, correcting the data submitted by the Customer and enabling access to products and services. Processing takes place for performing the contract or adopting measures prior to conclusion of contract;
      2. exercise of LHV’s rights in connection with legal requirements, substantiation and defence of rights in court or extra-judicially and proceedings on debts. Processing takes place on the basis of LHV’s legitimate interest and for the purpose of performance of a contract;
      3. provision of services, including execution of card payments and transfers and securities transactions. Processing takes place for the purpose of performance of contract;
      4. hedging of risks and risk management, e.g. to evaluate or inspect the credit portfolio or collateral assets of LHV, or to prepare audits, stress tests or analyses that partially or completely cover the activities of LHV. Processing takes place for performance of the legal obligation set forth in Regulation 575/2013 of the European Parliament and of the Council and on the basis of LHV’s legitimate interest;
      5. ensuring physical security and data and information security, including recording of interactions with Customers and use of security cameras. Processing takes place for performance of a legal obligation set forth in various legal acts, including the Credit Institutions Act, the Financial Supervision Authority’s guidelines and the Creditors and Credit Intermediaries Act, and on the basis of LHV’s legitimate interest;
      6. processing of customer complaints. Processing takes place for performance of a legal obligation set forth in various legal acts, including the Credit Institutions Act, the Financial Supervision Authority’s guidelines and the Creditors and Credit Intermediaries Act, and on the basis of LHV’s legitimate interest;
      7. conducting Customer surveys, researching consumer habits. Such data processing takes place on the basis of legitimate interest of LHV to receive feedback from Customers about their satisfaction with the services and products offered by LHV and thus developing existing and new products and services.
  4. Forwarding of customer data

    1. LHV has the right to forward Customer Data (not including special types of Personal Data) to the following Third Parties, and the Customer shall not consider this breach of obligation to maintain confidentiality (including bank secrets):
      1. other LHV companies, who may process the Customer Data specified in clause 3 of the Principles, e.g. for evaluating the Customer’s expertise, risk management and hedging of risks, and compliance with fiduciary regulations, including capital and liquidity requirements, and assessing creditworthiness;
      2. persons and organisations related to provision of service and performance of agreements concluded with the Customer (e.g. sureties, loan co-recipients, guarantors, collateral owners, merchants, international card organisations, payment intermediaries, insurance providers and intermediaries, e-invoice issuers, credit intermediaries and credit agents, ATM operators, Central Register of Securities, pledgees, correspondent banks, settlement systems, notaries, providers of translation, communication, IT and postal service);
      3. persons who maintain databases (including Creditinfo Eesti AS or any other person who maintains a register of payment defaults), to whom LHV sends information on the basis of legal acts or concluded contracts for the purpose of applying the principle of responsible lending, as well as to enable Third Parties to evaluate the Customer’s payment history and creditworthiness;
      4. other credit and financing institutions, financial service intermediaries and trading venues both in Estonia and abroad, on the basis of queries from such institutions, for provision to the Customer of service desired by the Customer or for assessing the trustworthiness and risk of the Customer or person related thereto;
      5. the Society for Worldwide Interbank Financial Telecommunication SWIFT (www.swift.com). SWIFT data processing centres are located in European Union member states and the United States of America, as a result of which bank transaction data are retained, including the personal data of the transaction initiator and recipient, regardless of the place where the transaction is conducted, both in the SWIFT-operated processing centre in an EU member state and the United States of America. When conducting a bank transaction, the bank related to the transaction, payment intermediary or SWIFT may be obliged to disclose transaction data, or Customer Personal Data related thereto, to the competent government authority of the relevant country of location in cases specified in the legal acts of the country of location;
      6. Third-party service providers to whom LHV has delegated activity (e.g. companies engaged in sale and trade in connection with sale of LHV services and establishing identity, other LHV companies in connection with marketing of pension products, performance of functions of account manager, marketing of pension products);
      7. LHV consultants or other service providers (e.g. auditors), if the Customer Data are necessary for them to provide quality service to LHV;
      8. right to assign right of claim to a new creditor;
      9. to other Third Parties, if the Customer is in breach of contract (e.g. to provider of debt collection service, person involved in collection of leasing assets).
    2. LHV is obliged to disclose and to convey Customer Data for the purpose of performing obligations arising from legal acts and international and mutual legal assistance (e.g. forwarding data to investigative bodies, notaries, trustees in bankruptcy, the Tax and Customs Board, Financial Intelligence Unit, Financial Supervision Authority).
  5. Forwarding Customer Personal Data outside the European Economic Area

    1. As a general rule at LHV, Customer Personal Data are not sent outside the European Economic Area and if this is done, then before any data is sent, the background of the Third Party is verified thoroughly, and measures are applied to ensure secure data transmission including, if possible, measures to accord equivalent protection to Personal Data as those which exist in the European Economic Area.
    2. When sending Customer Personal Data outside the European Economic Area, appropriate protection measures are applied, e.g. forwarding data to a country that in the judgment of the European Commission has a sufficient level of data protection, and forwarding of data to a Third Party in the United States of America which has been certified on the basis of Privacy Shield data protection framework and the use of standard data protection clauses developed by the Commission.
    3. In the absence of appropriate protection measures, LHV is entitled to forward Customer Personal Data outside the European Economic Area in situations where forwarding the data is, for example, necessary for performing a contract between the Customer and LHV or for implementing measures adopted on the basis of Customer’s application (e.g. use of foreign intermediaries for providing investment service, use of correspondent banks for making foreign payments).
    4. If the conducting of an international bank transaction involves a financial institution located in a country with insufficient level of data protection, e.g. a correspondent bank or other payment intermediary, including SWIFT, LHV cannot ensure that the processor processing Customer Data by financial institutions in such countries would have identical obligations to those of LHV and that the identical rights are guaranteed for the Customer at the same level as in the European Economic Area or other country with sufficient level of data protection.
    5. For detailed information on sending of Customer Data outside the European Economic Area, the Customer should contact LHV.
  6. Profile analysis and making of automated decisions regarding Customers who are natural persons

    1. Profile analysis is automatic Processing of Personal Data used for evaluating certain personal traits of the Customer – for example, to analyse or forecast the person’s economic situation, personal preferences and interests. LHV uses profile analysis for the purpose of marketing, risk assessment for compliance with the requirements of prevention of money laundering and terrorism financing, assessing the probability of insolvency, transaction monitoring to counter fraud; and automated decisions are used to assess the probability of insolvency and for making certain credit decisions (e.g. hire-purchase, consumer loans). Such data processing takes place either on the basis of legitimate interest of LHV (e.g. direct marketing), performing legal obligations, including on the basis of the Money Laundering and Terrorism Financing Prevention Act and the Regulation no. 575/2013 of the European Parliament and of the Council or, if necessary, on the basis of Customer’s consent.
    2. The profile analysis and automated decisions help LHV offer services more efficiently to Customers and avoid potential mistakes. For such Processing, including when creating segments and profiles, LHV does not gather separate data on the Customer and uses data that are on file for the Customer or data which LHV must gather regarding the Customer based on the requirements set forth in legal acts (e.g. payment defaults).
    3. To prevent infringement of Customer rights, e.g. discrimination in the making of credit decisions, LHV reserves the possibility, when making automated decisions, for Customers to require that the decision made be reviewed in a non-automated manner.
  7. Retention of Customers’ Personal Data

    1. LHV shall not process Customers’ Personal Data for longer than necessary for performing the objectives of the Processing, including for complying with the duty, set forth in legal acts, to retain data and for resolving disputes arising from contracts entered into with the Customer or for resolving potential disputes.
    2. In general, LHV shall retain Customers’ Personal Data until the end of the statute of limitations, unless legal acts set forth a direct obligation to retain Customers’ Personal Data for a different term.
  8. Customer’s rights in connection with Processing of their data

    1. The Customer has the right:
      1. to receive information on whether LHV will process their Personal Data and if it does process the data, the right to receive a copy of their Personal Data and to demand corrections to their Personal Data if the changes have been made to the data or the data are otherwise inaccurate. The Customer has the opportunity to see their Personal Data e.g. at the bank office of LHV and via Internet bank. The Customer’s right to see their personal data may be limited by legal acts, other persons’ rights to their privacy and LHV’s rights (e.g. protection of business secrets);
      2. to prohibit use of their contact data for sending out offers. For this purpose, the Customer is guaranteed the right upon receiving a marketing communication to unsubscribe from the relevant list; the Customer can also, before receiving offers, contact the relevant LHV company whose Customer they are;
      3. rescind the consent given to LHV for Processing of their Personal Data. After the consent is rescinded, LHV shall no longer process the Customer’s Personal Data for the purpose consented to by the Customer;
      4. to make objections to the Processing of their Personal Data, including performance of profile analysis by LHV, if LHV processes the data on the basis of its legitimate interest. In such a case, LHV has no right to process the Customer’s Personal Data, unless LHV’s interests outweigh the potential restriction of the Customer’s rights (e.g. performance of general legal obligations);
      5. demand cessation of Processing of their Personal Data if the Processing of Customer Data occurs unlawfully, i.e. if LHV lacks a legal basis for Processing of the data; 8.1.6. to demand deletion of their Personal Data, e.g. if LHV lacks the right to process such data or processes the data on the basis of the Customer’s consent and the Customer rescinds consent. The deletion cannot be requested in an extent to which LHV has the right or obligation to process Personal Data (e.g. for complying with a legal obligations, performing a contract, exercising its legitimate interest);
      6. demand restriction of Processing of its Personal Data, e.g. at the time that LHV is evaluating whether the Customer has the right to the deletion of its Personal Data;
      7. to receive a copy of Personal Data they have submitted to LHV and which are being processed on the basis of consent or for performance of contract, in a universal electronically readable format, and if technically possible, forward the data to another service provider.
    2. The Customers may exercise their rights by contacting LHV via the details specified in clause 9.3. LHV shall respond to the demand without undue delay, and no later than one month of receiving the demand. If, prior to responding to the demand, it is necessary to ascertain circumstances, ask for additional details or perform checks, LHV may extend the deadline for responding, notifying the Customer thereof in advance.
  9. Protection of Customer rights

    1. AS LHV Pank, AS LHV Finance, AS LHV Varahaldus and AS LHV Group shall be responsible for processing of Customer Data. The contact details for all these companies are available on the LHV website: www.lhv.ee.
    2. Customers may contact LHV in connection with queries and cancellation of consent, and natural person Customers may, in regard to processing of Personal Data, demand exercise of their rights and lodge complaints in connection with Processing of their Personal Data.
    3. Details for contacting LHV companies: address Tartu mnt 2, 10145 Tallinn, e-mail info@lhv.ee, telephone number 6 800 400.
    4. The contact details for the designated data protection specialist for private customers (natural persons): address: Tartu mnt 2, 10145 Tallinn, e-mail compliance@lhv.ee.
    5. In addition, the Customer has the right to contact the Data Protection Inspectorate (website: www.aki.ee) or a court in their jurisdiction in the event of violation of their rights.
  10. Amendment and application of the Principles

    1. LHV has the right to unilaterally amend the Principles at any time, based on the valid legal acts.
    2. LHV shall notify the Customer of amendments to Principles on the website, www.lhv.ee, and/or by communication device agreed on with the Customer at least 1 (one) month in advance, unless the Principles are amended solely on the basis of amendments to legal acts.
    3. The Principles shall be applied in processing of all Customers’ Customer Data, including customer relationships commenced prior to entry into force of the Principles.