Principles of Processing Customer Data

Effective 23 September 2019

We value all of our customers and respect their right to privacy and protection of their data. We would like our customers to be aware of why and how we use their data, what their rights are and how they can exercise their rights. For this purpose, we have updated our Principles for Processing Customer Data, which provide information on the following questions:

  • what kind of Customer Data we use in our activity and the main reasons for using the data (clause 3.6);
  • what are the additional purposes for which we also use Customer Data (clause 3.7);
  • what are the rights of natural person Customers (clause 8);
  • how can our Customers exercise their rights, including whom can they contact if they have questions (clause 9);
  • where are we allowed to obtain information about our Customers (clauses 3.1 and 3.2);
  • to whom and on what grounds can we send Customer Data (clause 4);
  • how do we protect our Customers’ Personal Data when we send them outside the European Economic Area (clause 5).
  1. Terms and definitions. General provisions.

    1. Customer for the purposes of these Principles for Processing Customer Data (“Principles”) is a natural person or a legal person who has expressed a desire to use, who is using or who has used LHV services and who is otherwise connected to services provided by LHV.
    2. Customer Data is any sort of information, including banking secrets and personal data known by LHV regarding a Customer.
    3. Processing is any procedure performed with Customer Data, including collection, retention, use and sending of data.
    4. Personal Data are any information on natural person Customers who have been identified or are being identified.
    5. Third Party is any person who is not the Customer, LHV or LHV employee and who, either alone or with a second person, defines the purposes and means for Processing of Customer Data.
    6. LHV is AS LHV Group, AS LHV Pank, AS LHV Varahaldus, AS LHV Finance and other legal persons in which AS LHV Group holds, directly or through subsidiaries, over 50% of the shares.
    7. These Principles shall apply insofar as they do not contradict the Service Conditions.
    8. By entering into a customer relationship with LHV or expressing the desire to do so, the Customer agrees to the Processing of Customer Data on conditions and in accordance with procedure set forth in these Principles.
  2. General principles

    1. Processing of Customer Data at LHV takes place in accordance with requirements set forth in Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the Personal Data Protection Act, other relevant legal acts and the requirements set forth in these Principles. The conditions for Processing of Customer Data may also be described in contracts and other documents related to LHV services.
    2. Based on the requirements of legal acts, and pursuant to the employment contracts and other agreements entered into on the basis thereof, LHV and its employees are obliged to keep Customer Data confidential indefinitely and are liable for violations of the aforementioned obligations. LHV shall allow access to Customer Data only to employees who have received the relevant training. An employee shall have the right to process Customer Data only to the extent necessary for fulfilling the duties of employment assigned to that employee.
    3. LHV shall use authorised processors for Processing of Customer Data. LHV shall in this regard ensure that such data processors process Customer Data only in accordance with instructions from LHV and in conformity with the requirements for data protection.
  3. The categories of Customer Data processed by LHV, objectives of Processing and legal basis for Processing

    1. LHV gathers Customer Data mainly from the Customer (e.g. applications and requests, in the course of Customer interaction) and in the course of use of the services by the Customer (e.g. execution of card payments and transfers, forwarding of securities orders, performance of contracts).

    2. LHV also obtains Customer Data from Third Parties, such as:

      1. public and private registers (e.g. Population Register, Central Register of Securities, KMAIS information system, register of taxable persons). LHV uses these data mainly for verifying and updating Customer Data and for evaluating the Customer’s creditworthiness;
      2. LHV companies, OÜ Krediidiregister, and Creditinfo Eesti AS. LHV uses these data mainly for verifying and updating the Customer’s creditworthiness and risk management, including compliance with obligations stemming from the accounting standards (IFRS 9);
      3. correspondent banks, foreign brokers, payment service providers and other financial services providers, as well as other business partners, if the Customer has provided consent to our business partner for this purpose or the sending of data is permitted by legal acts. LHV uses these data mainly for enabling provision of service to Customers (e.g. foreign payments, investment services and payment services).
    3. LHV processes Customer Data for compliance with legal obligations stemming from legal acts (national laws, supervisory guidelines, regulations and EU legal acts), performance of contracts with Customers and preparing for entering into contracts, e.g. for processing applications submitted by Customers, on the basis of Customer consent and for protection of LHV’s own legitimate interests.

    4. LHV’s legitimate interests are expressed in furtherance of its own operating activity in offering Customers better services and products, developing its own products, ensuring data and information security and performance of general legal obligations set forth in legal acts.

    5. On the basis of consent for Processing Customer Data, LHV shall ask for consent, e.g., on relevant applications and requests, and allow the Customer to provide its consent voluntarily.

    6. The following is a list of the types of Customer Data, the main purposes for which LHV processes Customer Data and the legal grounds for Processing:

      | Type of Customer Data | Main purpose of Processing | Legal grounds for Processing |
      |---|---|---|
      | Profile Data (e.g. name, personal identification code, date of birth, data on the identity document) | 1. identification of Customer | 1. legal obligation stemming from the Money Laundering and Terrorism Financing Prevention Act |
      | Contact details (e.g. telephone, email, address, language of contact) | 2. Customer interaction | 2. performing contract with the Customer and drafting the agreement |
      | | 3. direct marketing | 3. consent/legitimate interest for marketing similar products and services |
      | Data on tax residency (e.g. country of location, taxpayer identification number, citizenship) | 4. gathering and reporting tax-related information | 4. legal obligation arising from Tax Information Exchange Act |
      | Data on family and area of activity (e.g. marital status, number of dependents, profession, education, data on employer) | 5. evaluating the customer’s creditworthiness | 5. legal obligation arising from the Creditors and Credit Intermediaries Act and legitimate interest for compliance with requirements for evaluating creditworthiness (pursuant to the Law of Obligations Act and Financial Supervision Authority guidelines) |
      | Financial data (e.g. forecasted receipts, income, obligations, data on collateral and security, payment history, indebtedness, transactions conducted, contracts concluded and/or ended, applications filed, requests, interest paid and received, service fees, breach of contract, Credit Info score in case of evaluating Customer’s creditworthiness) | 6. evaluating the Customer’s creditworthiness | 6. legal obligation arising from the Creditors and Credit Intermediaries Act and legitimate interest for organisation of risk management and mitigation of credit risk |
      | | 7. evaluation of appropriateness and suitability of product, service and securities offered to the Customer | 7. legal obligation arising from the Securities Market Act |
      | Information on the previously submitted credit applications and credit decisions made at LHV – for Finance products, applications and decisions dating back up to 90 days, for Bank loan products, applications and decisions dating back up to 15 years from the end of Customer relationship (e.g. information on the family and line of business, financial data, data on the performance of loan agreements, data on credit decisions) | 8. assessment of the Customer’s creditworthiness | 8. legitimate interest for the organisation of risk management and mitigation of credit risk, characteristics of loan products considered for the length of the period (incl. amounts to be granted) and LHV’s risk appetite |
      | Data on the Customer’s trustworthiness and origin of assets (e.g. data on payment history, data on connections to money laundering, terrorism financing or organised crime, on previous penalties and pending proceedings, data on employer, transaction partners, beneficial ownership, income sources, data on business activity, related persons, whether the Customer is a politically exposed person) | 9. compliance with due diligence requirements | 9. legal obligation stemming from the Money Laundering and Terrorism Financing Prevention Act |
      | | 10. assessment of the Customer’s creditworthiness and credit risk management | 10. legitimate interest for credit risk management and assessment of concentration of exposures |
      | Data on the Customer’s expertise (e.g. the Customer’s investment knowledge and experiences, educational attainment, profession, investment goal) | 11. evaluating the appropriateness and suitability of product, service and securities offered to the Customer and assessing the Customer’s expertise | 11. legal obligation arising from the Securities Market Act |
      | Data related to securities (e.g. securities transactions and transaction orders, quantity of securities, transaction volumes, transaction value, LEI code, pension data) | 12. transaction monitoring with regard to characteristics of market abuse and reporting of suspicious transactions | 12. legal obligation arising from Regulation no. 596/2014 of the European Parliament and of the Council (market abuse regulation) |
      | | 13. ensuring exchange of information with the Central Registry of Securities, performing functions of account manager | 13. legal obligations arising from the Securities Register Maintenance Act |
      | Data on the Customer’s habits, preferences and satisfaction (e.g. Customer status, data on active use of Services, Services used, Customer’s queries and complaints) | 14. development of products and services | 14. legitimate interest for developing new products and services and improving existing products (e.g. correcting errors, developing greater ease of use for more actively used services) |
      | Data on the Customer’s segment (e.g. age demographic) | 15. direct marketing, organising campaigns | 15. legitimate interest for promoting commercial activity and making offers suitable for Customers, such as for marketing pension products |
      | Data obtained in the course of performing obligations arising from legislation (e.g. data arising from inquiries made by investigative bodies, notaries, tax authority, courts, inquiries made by court bailiffs) | 16. cooperation with supervisory authorities and other public sector institutions, implementation of required measures, such as impounding accounts | 16. compliance with legal obligations stemming from various acts, such as the Credit Institutions Act and Money Laundering and Terrorism Financing Prevention Act |
      | Data related to participation in consumer games and campaigns (e.g. data on prizes won in investment games and other consumer games and points collected in campaigns, name, username used in the game, game portfolio data) | 17. compliance with campaign terms (e.g. payouts of amounts won) | 17. performing contract concluded with the Customer |
      | | 18. allowing for the monitoring of game results | 18. justified interest in the allowing for the observation of game results (for example Börsihai/Stock Market Shark) by participants in the game, and the marketing of the organised game |
      | | 19. direct marketing (e.g. sending an invitation to participants in the Börsihai/Stock Market Shark game to take part next year) | 19. legitimate interest in marketing the same or similar service |
      | Data on Website sections visited by the Customer | 20. risk management, monitoring and investigating to counter fraud (e.g. payment fraud) | 20. legitimate interest for security risk management, to counter fraud and resolve disputes in court or extrajudicially |
      | Data on Kredex guarantee target group (e.g. data on Customer’s education – school, curriculum, status, start/end date; proof of employment, proof of being a veteran of Defence Forces or Defence League, tenancy contract data, birth certificate data of an underaged child) | 21. verification of Kredex guarantee terms | 21. drafting the agreement, performing contract with the Customer |
      | Pension data (e.g. income, data from the pension funds, filed applications, contact information, estimated pension) | 22. performing the tasks of the account manager | 22. legal obligation arising from the Securities Register Maintenance Act |
      | | 23. providing the digital pension solution service | 23. consent |
      | Additional pension data (e.g. number of kids, working experience, insurance shares, estimated time of retirement, additional pension eligible years, monthly payments deposited, average rate of return expected by the Client, III pension pillar data, pension years) | 24. offering users of the digital pension solution service more accurate estimates regarding their pension | 24. consent |
      | Client’s mobile device data (type of device, device identifier) | 25. ensuring the safety of the digital pension solution service | 25. legitimate interest in ensuring the security of the service, identifying and correcting possible failures |
      | Alternative investment data (e.g. name of the investment, quantity, acquisition price, income received (interest, principal payment), sufficient funds balance, profit, value) | 26. Displaying the Client’s investments in the internet bank | 26. consent |
      | Data on interest payments on LHV bonds (e.g. bond, name, personal identification code, contact information, securities and investment account, account manager, interest payment amounts) | 28. withholding of income tax on LHV bonds (calculation of interest payments and execution of payments) | 28. consent |
      | | 28. use of contact information to meet notification requirements arising from law to LHV bond investors | 28. legitimate interest in meeting the notification requirements arising from law to LHV bond investors |
      | Tax data – income on the basis of income tax return (except for the income gained from the transfer of assets and the taxes paid on it); payments declared by the employer on the basis of TSD; benefit for incapacity for work, unemployment insurance benefit and redundancy benefit, pensions, contributions into 3rd pension pillar, data on the funded pension based on TSD; dividends and payments made from shareholders’ equity; tax debt starting from 100 € | 29. assessment of the Customer’s creditworthiness | 29. consent (one-time consent for data inquiry from the Tax and Customs Board) |
      | | 30. maintaining the credit file | 30. legal obligation arising from the Creditors and Credit Intermediaries Act |
      | Technical data on use of the website and mobile app (e.g. IP-address, data on logging into the internet bank and operations made in the internet bank, type and version of browser) | 31. monitoring of payment fraud and ensuring information security | 31. legal obligations arising from the Payment Institutions and E-money Institutions Act and Delegated Regulation (EU) No. 389/2018 |
      | | 32. development of the web environment and products and services, elaboration of marketing campaigns, improvement of customer experience (data is used in a depersonalised form) | 32. legitimate interest for the improvement and more efficient organisation of own business and improvement of user convenience. Data is used in a depersonalised form |
      | Payment data (e.g. name of the remitter and beneficiary, size of payment, payment description, account number, ID code, address, card transaction data) | 33. provision of payment and settlement services, incl. recalling and cancelling payments and disputing card transactions | 33. performance of a contract signed with the Customer |
      | | 34. monitoring of payment fraud | 34. legal obligations arising from the Payment Institutions and E-money Institutions Act and Delegated Regulation (EU) No. 389/2018 |
      | | 35. allowing for the use of payment services (for example, account information service, payment initiation service) offered by payment service providers | 35. legal obligations arising from the Law of Obligations Act and Delegated Regulation 2018/389 of the European Commission |
      | Debt data (e.g. personal data, contact data, debt data, data on the underlying contract, data on the last payment) | 36. debt administration, incl. assignment of claims | 36. legitimate interest for the enforcement of claims and credit risk management |
      | Data on payment default (e.g. personal data, date when the payment default emerged and ended, debt amount, origin of debt) | 37. disclosure of the details of debts amounting to at least 30 euros and overdue for 45 days in the credit registers (CreditInfo AS and Krediidiregister OÜ) | 37. legitimate interest of LHV and third persons for the disclosure of payment default aimed at enabling the use of such information for the assessment of creditworthiness and other similar purpose |
      | Data on lending books (e.g. personal data, contact data, default interest, data on lending – books, date of lending and returning) | 38. lending of books to Customers | 38. performance of a contract signed with the Customer |
    7. In addition to the objectives set forth in clause 3.6, LHV also processes Customer Data for the following purposes:

      1. administering the Customer relationship, inspecting and, if necessary, correcting the data submitted by the Customer and enabling access to products and services. Processing takes place for performing the contract or adopting measures prior to conclusion of contract;
      2. exercise of LHV’s rights in connection with legal requirements, substantiation and defence of rights in court or extra-judicially and proceedings on debts. Processing takes place on the basis of LHV’s legitimate interest and for the purpose of performance of a contract;
      3. provision of services, including execution of card payments and transfers and securities transactions. Processing takes place for the purpose of performance of contract;
      4. hedging of risks and risk management, e.g. to evaluate or inspect the credit portfolio or collateral assets of LHV, or to prepare audits, stress tests or analyses that partially or completely cover the activities of LHV. Processing takes place for performance of the legal obligation set forth in Regulation 575/2013 of the European Parliament and of the Council and on the basis of LHV’s legitimate interest;
      5. ensuring physical security and data and information security, including recording of interactions with Customers and use of security cameras. Processing takes place for performance of a legal obligation set forth in various legal acts, including the Credit Institutions Act, the Financial Supervision Authority’s guidelines and the Creditors and Credit Intermediaries Act, and on the basis of LHV’s legitimate interest;
      6. processing of customer complaints. Processing takes place for performance of a legal obligation set forth in various legal acts, including the Credit Institutions Act, the Financial Supervision Authority’s guidelines and the Creditors and Credit Intermediaries Act, and on the basis of LHV’s legitimate interest;
      7. conducting Customer surveys, researching consumer habits. Such data processing takes place on the basis of legitimate interest of LHV to receive feedback from Customers about their satisfaction with the services and products offered by LHV and thus developing existing and new products and services.
  4. Forwarding of customer data

    1. LHV has the right to forward Customer Data (not including special types of Personal Data) to the following Third Parties, and the Customer shall not consider this a breach of the obligation to maintain confidentiality (including bank secrets):
      1. other LHV companies, who may process the Customer Data specified in clause 3 of the Principles, e.g. for evaluating the Customer’s expertise, risk management and hedging of risks, and compliance with fiduciary regulations, including capital and liquidity requirements, and assessing creditworthiness;
      2. persons and organisations related to provision of service and performance of agreements concluded with the Customer (e.g. sureties, loan co-recipients, guarantors, collateral owners, merchants, international card organisations, payment intermediaries, insurance providers and intermediaries, e-invoice issuers, credit intermediaries and credit agents, ATM operators, Central Register of Securities, pledgees, correspondent banks, settlement systems, notaries, providers of translation, communication, IT and postal service);
      3. persons who maintain databases (including Creditinfo Eesti AS or any other person who maintains a register of payment defaults), to whom LHV sends information on the basis of legal acts or concluded contracts for the purpose of applying the principle of responsible lending, as well as to enable Third Parties to evaluate the Customer’s payment history and creditworthiness;
      4. other credit and financing institutions, payment service providers, financial service intermediaries and trading venues both in Estonia and abroad, on the basis of queries from such institutions, for provision to the Customer of service desired by the Customer or for assessing the trustworthiness and risk of the Customer or person related thereto;
      5. the Society for Worldwide Interbank Financial Telecommunication SWIFT (SWIFT data processing centres are located in European Union member states and the United States of America, as a result of which bank transaction data are retained, including the personal data of the transaction initiator and recipient, regardless of the place where the transaction is conducted, both in the SWIFT-operated processing centre in an EU member state and the United States of America. When conducting a bank transaction, the bank related to the transaction, payment intermediary or SWIFT may be obliged to disclose transaction data, or Customer Personal Data related thereto, to the competent government authority of the relevant country of location in cases specified in the legal acts of the country of location);
      6. Third-party service providers to whom LHV has delegated activity (e.g. companies engaged in sale and trade in connection with sale of LHV services and establishing identity, other LHV companies in connection with marketing of pension products, performance of functions of account manager, marketing of pension products);
      7. LHV consultants or other service providers (e.g. auditors), if the Customer Data are necessary for them to provide quality service to LHV;
      8. right to assign right of claim to a new creditor;
      9. to other Third Parties, if the Customer is in breach of contract (e.g. to provider of debt collection service, person involved in collection of leasing assets).
    2. LHV is obliged to disclose and to convey Customer Data for the purpose of performing obligations arising from legal acts and international and mutual legal assistance (e.g. forwarding data to investigative bodies, notaries, trustees in bankruptcy, the Tax and Customs Board, Financial Intelligence Unit, Financial Supervision Authority).
  5. Forwarding Customer Personal Data outside the European Economic Area

    1. As a general rule at LHV, Customer Personal Data are not sent outside the European Economic Area and if this is done, then before any data is sent, the background of the Third Party is verified thoroughly, and measures are applied to ensure secure data transmission including, if possible, measures to accord equivalent protection to Personal Data as those which exist in the European Economic Area.
    2. When sending Customer Personal Data outside the European Economic Area, appropriate protection measures are applied, e.g. forwarding data to a country that in the judgment of the European Commission has a sufficient level of data protection, and forwarding of data to a Third Party in the United States of America which has been certified on the basis of Privacy Shield data protection framework and the use of standard data protection clauses developed by the Commission.
    3. In the absence of appropriate protection measures, LHV is entitled to forward Customer Personal Data outside the European Economic Area in situations where forwarding the data is, for example, necessary for performing a contract between the Customer and LHV or for implementing measures adopted on the basis of Customer’s application (e.g. use of foreign intermediaries for providing investment service, use of correspondent banks for making foreign payments).
    4. If the conducting of an international bank transaction involves a financial institution located in a country with insufficient level of data protection, e.g. a correspondent bank or other payment intermediary, including SWIFT, LHV cannot ensure that the processor processing Customer Data by financial institutions in such countries would have identical obligations to those of LHV and that the identical rights are guaranteed for the Customer at the same level as in the European Economic Area or other country with sufficient level of data protection.
    5. For detailed information on sending of Customer Data outside the European Economic Area, the Customer should contact LHV.
  6. Profile analysis and making of automated decisions regarding Customers who are natural persons

    1. Profile analysis is automatic Processing of Personal Data used for evaluating certain personal traits of the Customer – for example, to analyse or forecast the person’s economic situation, personal preferences and interests. LHV uses profile analysis for the purpose of marketing, risk assessment for compliance with the requirements of prevention of money laundering and terrorism financing, assessing the probability of insolvency, transaction monitoring to counter fraud; and automated decisions are used to assess the probability of insolvency and for making certain credit decisions (e.g. hire-purchase, consumer loans). Such data processing takes place either on the basis of legitimate interest of LHV (e.g. direct marketing), performing legal obligations, including on the basis of the Money Laundering and Terrorism Financing Prevention Act and the Regulation no. 575/2013 of the European Parliament and of the Council or, if necessary, on the basis of Customer’s consent.
    2. The profile analysis and automated decisions help LHV offer services more efficiently to Customers and avoid potential mistakes. For such Processing, including when creating segments and profiles, LHV does not gather separate data on the Customer and uses data that are on file for the Customer or data which LHV must gather regarding the Customer based on the requirements set forth in legal acts or for risk management (e.g. payment defaults, information on penalties, international sanctions and other negative information known to LHV).
    3. To prevent infringement of Customer rights, e.g. discrimination in the making of credit decisions, LHV reserves the possibility, when making automated decisions, for Customers to require that the decision made be reviewed in a non-automated manner.
  7. Retention of Customers’ Personal Data

    1. LHV shall not process Customers’ Personal Data for longer than necessary for performing the objectives of the Processing, including for complying with the duty, set forth in legal acts, to retain data and for resolving disputes arising from contracts entered into with the Customer or for resolving potential disputes.
    2. In general, LHV shall retain Customers’ Personal Data until the end of the statute of limitations, unless legal acts set forth a direct obligation to retain Customers’ Personal Data for a different term.
  8. Customer’s rights in connection with Processing of their data

    1. The Customer has the right:
      1. to receive information on whether LHV will process their Personal Data and if it does process the data, the right to receive a copy of their Personal Data and to demand corrections to their Personal Data if the changes have been made to the data or the data are otherwise inaccurate. The Customer has the opportunity to see their Personal Data e.g. at the bank office of LHV and via Internet bank. The Customer’s right to see their personal data may be limited by legal acts, other persons’ rights to their privacy and LHV’s rights (e.g. protection of business secrets);
      2. to prohibit use of their contact data for sending out offers. For this purpose, the Customer is guaranteed the right upon receiving a marketing communication to unsubscribe from the relevant list; the Customer can also, before receiving offers, contact the relevant LHV company whose Customer they are;
      3. to rescind the consent given to LHV for Processing of their Personal Data. After the consent is rescinded, LHV shall no longer process the Customer’s Personal Data for the purpose consented to by the Customer;
      4. to make objections to the Processing of their Personal Data, including performance of profile analysis by LHV, if LHV processes the data on the basis of its legitimate interest. In such a case, LHV has no right to process the Customer’s Personal Data, unless LHV’s interests outweigh the potential restriction of the Customer’s rights (e.g. performance of general legal obligations);
      5. to demand cessation of Processing of their Personal Data if the Processing of Customer Data occurs unlawfully, i.e. if LHV lacks a legal basis for Processing of the data;
      6. to demand deletion of their Personal Data, e.g. if LHV lacks the right to process such data or processes the data on the basis of the Customer’s consent and the Customer rescinds consent. The deletion cannot be requested to the extent to which LHV has the right or obligation to process Personal Data (e.g. for complying with a legal obligation, performing a contract, exercising its legitimate interest);
      7. to demand restriction of Processing of their Personal Data, e.g. at the time that LHV is evaluating whether the Customer has the right to the deletion of their Personal Data;
      8. to receive a copy of Personal Data they have submitted to LHV and which are being processed on the basis of consent or for performance of contract, in a universal electronically readable format, and if technically possible, forward the data to another service provider.
    2. Customers may exercise their rights by contacting LHV via the details specified in clause 9.3. LHV shall respond to the demand without undue delay, and no later than one month after receiving the demand. If, prior to responding to the demand, it is necessary to ascertain circumstances, ask for additional details or perform checks, LHV may extend the deadline for responding, notifying the Customer thereof in advance.
  9. Protection of Customer rights

    1. AS LHV Pank, AS LHV Finance, AS LHV Varahaldus and AS LHV Group shall be responsible for processing of Customer Data. The contact details for all these companies are available on the LHV website:
    2. Customers may contact LHV in connection with queries and cancellation of consent, and natural person Customers may, in regard to processing of Personal Data, demand exercise of their rights and lodge complaints in connection with Processing of their Personal Data.
    3. Details for contacting LHV companies: address Tartu mnt 2, 10145 Tallinn, e-mail, telephone number 6 800 400.
    4. The contact details for the designated data protection specialist for private customers (natural persons): address: Tartu mnt 2, 10145 Tallinn, e-mail
    5. In addition, the Customer has the right to contact the Data Protection Inspectorate (website: or a court in their jurisdiction in the event of violation of their rights.
  10. Amendment and application of the Principles

    1. LHV has the right to unilaterally amend the Principles at any time, based on the valid legal acts.
    2. LHV shall notify the Customer of amendments to Principles on the website,, and/or by communication device agreed on with the Customer at least 1 (one) month in advance, unless the Principles are amended solely on the basis of amendments to legal acts.
    3. The Principles shall be applied in processing of all Customers’ Customer Data, including customer relationships commenced prior to entry into force of the Principles.