UniCredit International Bank (Luxembourg) S.A. hereafter “Bank”.
A. Data protection, personal data
The Bank collects, processes and stores personal data (as defined below) in relation to the “Client” (the client him/herself or, if the client is a legal person, the investors, shareholders, the ultimate beneficial owners, the officers, the authorised representatives, and any other data subject related to the client, together the “Data Subjects”) in compliance with any data protection law applicable in Luxembourg and in particular the law of 2 August 2002, as modified, and as from 25 May 2018, the Regulation (EU) 2016/679 of 27 April 2016 (“GDPR”) (together the “Luxembourg Data Protection Legislation”). In this respect, the Bank acts as data controller, the contact details of which are indicated in section 23 of these General Terms and Conditions.
Categories of Personal Data
Data that may be processed by the Bank and transferred to the recipients (as defined below) comprise:
i. name, address, contact details, nationality, main business activity, photograph, civil status and family, occupation and work history, hobbies, public life-related information, financial situation, credit-related information, account information, telephone conversations and any type of electronic communications such as letters, emails and fax messages, tax identification number and any related tax information, national identification number, authenticating data, MiFID identifier, financial objectives, knowledge and experience in financial investment services, credit products and in any product or service offered by the Bank to the client and the Data Subjects and any other information that has been provided by the client or the Data Subjects;
ii. transactions performed in the Client’s account with the Bank or contemplated transactions, contracts entered into with the Bank and any other information related to the client’s banking relationship with the Bank;
iii. any information relating to the Client or the Data Subjects resulting from the KYC/AML checks carried out by the Bank pursuant to the modified law of 12 November 2004 relating to the fight against money laundering and terrorist financing;
iv. any information relating to the Client or the Data Subjects that may identify, directly or indirectly, the Client or the Data Subjects.
(together the “Personal Data”).
The Bank will process (including but not limited to collect, use, store, transfer) Personal Data
i. for the performance of the contracts entered into between the Client and the Bank and the provision of the services subscribed by the Client
ii. or to take steps at the request of the Client prior to entering into a contract
iii. or for compliance with legal and regulatory obligations to which the Bank is subject (including but not limited to the obligations arising under the law of 18 December 2015 relative to the automatic exchange of information regarding the financial accounts in the field of taxation, under the law of 24 July 2015 relative to the Foreign Account Tax Compliance Act (FATCA), as modified, and under the MiFID Regulations)
iv. or for the performance of a task carried out in the public interest, namely carrying out monitoring measures with respect to the Client pursuant to the modified law of 12 November 2004 relative to the fight against money laundering and terrorist financing
v. or for satisfying the Bank’s legitimate interests, such as seeking maximum efficiency (including administrative, organizational and IT efficiency) in the internal organization of the Bank and the group of companies to which the Bank belongs (“UniCredit Group”), supporting efficient and effective management of the UniCredit Group and performing contracts in the interest of the Client’s investors, shareholders and ultimate beneficial owners
vi. vi. or, as far as necessary, on the basis of the Client’s consent.
The Bank shall process (including but not limited to collect, use, store, transfer) the Personal Data for the purposes of:
i. providing the services requested by the Client and carrying out the tasks in relation to these services: processing the Client’s payment instructions, assessing and accepting the Client and managing client relationships, managing accounts, loans, investment services and related products and services, executing transactions of any kind; entering into and executing agreements with the Client, developing commercial offers;
ii. preventing misuse and fraud, demonstrating business transactions and communications; managing transactions surveillance and monitoring and complying with reporting obligations;
iii. conducting a risk assessment as prescribed by applicable legal provisions by collecting and archiving required documentary evidence regarding the identity and business activity; conducting a risk management control and global supervision of risk exposure on a real-time basis;
iv. securing communication channels; enabling the Client to make use of a state-of-the-art IT system for its banking operations;
v. performing analysis and establishing statistics and tests with respect to Personal Data;
vi. managing risks, disputes, collections, debt recovery, complaints and litigations.
(together the “Purposes”).
Recipients of Personal Data
The Personal Data is or may be transmitted to the following recipients (the “Recipients”) by the Bank and its directors, officers, employees and agents (the “Authorized Persons”) to the extent that the Bank and the Authorized Persons deem such disclosure or transmission to be necessary or desirable for satisfying the Purposes:
i. the UniCredit Group: All companies of the UniCredit Group have agreed to the Binding Corporate Rules.
ii. The Client may also obtain a copy of the Binding Corporate Rules or, should the Binding Corporate Rules not apply to a specific situation, any other document demonstrating the existence of appropriate safeguards, by contacting the Bank (please refer to the Bank’s contact details indicated in section 23 of these General Terms and Conditions) or, otherwise, to the email address that might be specified from time to time by the Bank to the Client);
iii. the Bank’s lawyers, notaries, bailiffs, external auditors and advisors;
iv. third-party service providers that provide IT or other services to the Bank that may be located in countries outside of the European Union for which the European Commission did or did not render adequacy decisions. Depending on the situation, the Bank will enter with the concerned third-party service providers into the relevant contractual clauses or the standard data protection clauses that would be required under the Luxembourg Data Protection Legislation and ensure that the third-party service providers comply with the Bank’s instructions;
v. public, governmental, administrative or judicial entities in Luxembourg (such as the Administration des contributions directes, the Commission de Surveillance du Secteur Financier, the Commission Nationale Pour la Protection des Données) or abroad (such as the European Central Bank).
vi. This list may be updated from time to time and the Client will be duly informed.
Transmission by the Client of Personal Data related to other Data Subjects
Clients engaging in business with the bank will be asked to confirm and warrant to the Bank that:
i. any Data Subject related to the Client has been informed of the processing of Personal Data carried out by the Bank and of the transfer of that Personal Data to the Recipients as described in these General Terms and Conditions;
ii. as far as necessary, the Client has received the Data Subjects’ prior written consent in this regard;
iii. the Client will inform and request as far as necessary the prior written consent of any new Data Subject regarding the processing and transfer of their Personal Data by the Bank.
The Client will be asked to unconditionally and irrevocably agree to indemnify and hold harmless the Bank from and against any and all liabilities resulting from, and/or arising in connection with any claim against the Bank for non-compliance for any reason with the aforementioned obligation to inform and obtain the consent of any of the Data Subjects related to the Client.
Rights of Data Subjects
Subject to the conditions of the Luxembourg Data Protection Legislation, the Client and any Data Subject have: (i) a right to access their Personal Data and may ask for a rectification thereof in cases where such Personal Data are inaccurate and incomplete (including when these Personal Data are transferred to a third party including a public or governmental entity such as the Administration des contributions directes in Luxembourg), (ii) the right to request from the Bank erasure of their Personal Data or restriction of processing of the Personal Data or to object to the processing of the Personal Data by the Bank, in particular for marketing purposes, or (iii), where relevant, as from 25 May 2018, to request the portability of their Personal Data. The Bank may be contacted in this regard by the Client or any Data Subject at the address mentioned in section 23 of these General Terms and Conditions or at the following email address, firstname.lastname@example.org. The Client and the Data Subjects also have the right to lodge a complaint with the appropriate supervisory authority (the Commission Nationale pour la Protection des Données in Luxembourg).
The Client and in general any Data Subject may at its discretion refuse to communicate certain Personal Data to the Bank, thereby precluding the Bank from using such Personal Data. However, such refusal or preclusion may be an obstacle to the entry into or to the continuation of the relationship between the Bank and the Client. The Bank will inform the Client in the event the communication of Personal Data would become mandatory under certain circumstances.
All Personal Data related to the Client shall not be retained for longer than the time required for satisfying the Purposes, subject to the legal periods of limitation and to the situations where the applicable laws require that the Personal Data be retained for a certain period of time after the termination of the relationship. Consequently, the Client is informed that his/her Personal Data may be processed by the Bank or the Recipients after the termination of the banking relationship between the Client and the Bank, only for specific purposes, such as the compliance with legal obligations or the establishment, exercise or defense of legal claims, or historical or statistical purposes which the client accepts.
In case of credit transfers, Personal Data are processed by the Bank and specialized companies, such as SWIFT (Society for Worldwide Interbank Financial Telecommunication). Personal Data may also be processed and transferred by data processing centers in other European countries and in the United States. As a consequence, US authorities may, within the scope of fighting terrorism, request access to the Personal Data held in such processing centers. By issuing a credit transfer order or another order, the Client gives his or her authorization that all data and information (including Personal Data) required for the proper execution of the order may also be processed outside Luxembourg.
Likewise, to the extent that the Bank shall be legally required to obtain the Client’s consent with regard to certain types of processing, the Client will be invited to complete and sign a declaration of consent. In case the Client does not agree to sign the declaration of consent – where required – or refuses to communicate certain Personal Data or instructs the Bank to restrict or stop Personal Data processing or to erase Personal Data, thereby making it difficult, in the Bank’s opinion, to continue the banking relationship, either the Client, without prior notice, or the Bank, with the prior notice foreseen in article 21 of these General Terms and Conditions, may (without being obliged to) terminate the banking relationship.
More specific information in relation to the processing of Personal Data and any updates or changes in relation thereto may be provided to the Client via the website of the Bank, by a notification letter or notification in the statements of accounts. The Client is invited to access regularly such website in order to be duly informed of the relevant changes.
B. Recording telephone conversations
The Client is hereby informed and specifically agrees (by acknowledging and agreeing to these General Terms and Conditions) that the Bank may record telephone conversations held with him or her. In the event of a dispute, these recordings shall have the same value in evidence as a written document.