on the basis of the EU General Data Protection Regulation and FL Data Protection Act
July 18, 2018, entered into force on July 18, 2018 | Release: May 1, 2019
DATA PROTECTION NOTICE
The following data protection notice (hereinafter referred to as «data protection notice») applies to natural persons in the European Union and in the European Economic Area (EEA). The data protection notice is addressed mainly to existing and potential clients of the LEGIRA Consulting Group GmbH (hereinafter referred to as «LEGIRA»).
The data protection notice provides an overview of how personal data held at LEGIRA are processed and of your rights in relation to this information under the EU General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and Council of the European Union of 27 April 2016, (GDPR) and the Liechtenstein Data Protection Act (DPA). The specific data that will be processed and how data will be used will essentially depend on the services and products that will be provided and/or have been agreed in each case. LEGIRA is required to protect your privacy and keep your information confidential and will therefore implement a range of technical and organisational measures to ensure data security for all processing of personal data.
In the course of our business relationship, we will need to process personal data that are required for the purpose of setting up and conducting the business relationship, meeting applicable statutory or contractual requirements, providing services and executing orders. Without such data we would normally be unable to enter into or to maintain a business relationship, process orders, or offer services and products.
If you have any questions regarding specific data processing activities or wish to exercise your rights, as described below, please contact the data protection officer of the LEGIRA Consulting Partners GmbH at email@example.com.
Which categories of data will be processed and what are the sources of this information?
We collect and process personal data that we obtain in the course of our business relationship with our clients. Personal data may be processed at any stage of the business relationship and the type of data will vary depending on the group of persons involved.
As a general rule, we will process personal data that you provide in the course of submitting agreements, forms, correspondence or other documents to us. We will also process any personal data which may be required for the purpose of providing services, which are generated or transmitted as a result of using products or services, or which we have lawfully obtained from third parties (e.g. trust company) or public authorities (e.g. UNO and EU sanctions lists). Finally, we may process personal data from publicly available sources (e.g. debtor records, land registers, commercial registers and registers of associations, the press, the Internet).
In addition to client data, we may, where appropriate, also process personal data of other third parties involved in the business relationship, including personal data pertaining to authorised agents, representatives (including board members of asset holding vehicles), legal successors, beneficial owners as well as beneficiaries of asset holding vehicles under a business relationship. If personal data of third parties («third person») are made available for processing, we assume that the person providing us with the data is legally entitled to disseminate this information.
By personal data we understand the following categories of data in particular:
- Personal details (e.g. name, date of birth, nationality)
- Address and contact details (e.g. physical address, telephone number, e-mail address)
- Identification information (e.g. passport or ID details) and authentication information (e.g. specimen signature)
- Data from publicly available sources (e.g. tax numbers, marital status)
Further basic data
- Information on services and products used (e.g. investment experience and investment profile, consultancy minutes, data regarding executed transactions)
- Information about household composition and relationships (e.g. information on spouse or partner and other family details, authorised signatories, statutory representatives)
- Information about financial characteristics and financial circumstances (e.g. portfolio and account number, origin of the assets)
- Information about professional and personal background (e.g. professional activity, hobbies, wishes, preferences)
- Technical data and information about electronic transactions with LEGIRA Consulting Partners GmbH (e.g. access logs or changes)
- Image and sound files (e.g. video recordings or recordings of telephone calls)
LEGIRA does not process personal data which reveal race and ethnicity, political opinion, religious or philosophical beliefs or trade union membership. Further excluded data are genetic data, biometric data for unequivocal identification of natural persons, data on the state of health, the sex life and sexual orientation of natural persons (Article 9 paragraph 1 of GDPR).
For what purposes and on what legal basis will your data be processed?
We process personal data in accordance with the provisions of the GDPR and the DPA for the following purposes and on the following legal basis:
- For the performance of a contract or to take steps prior to entering into a contract in connection with supplying, and acting as intermediary in relation to, legal advice, financial advice, asset management, tax advice and further financial services which can be rendered by LEGIRA as well as, in particular, the formation and administration of private, commercial and charitable asset holding vehicles. The purposes for which data are processed will depend primarily on the specific service/order/directive or specific product involved, particularly, but not only, needs analysis, advisory services, maintaining and performing administrative tasks relating to customer relationship, wealth and asset management and carrying out transactions.
- For compliance with legal obligations or in the public interest, including compliance with statutory and regulatory requirements (e.g. compliance with the GDPR, the DPA, the Asset Management Act, due diligence and anti-money laundering rules, regulations designed to prevent market abuse, tax legislation and tax treaties, monitoring and reporting obligations, and for the purpose of managing risks). Should the indispensable data not be provided to us, we are obligated to fulfill our regulatory duties and may end the business relationship if necessary.
- For the purposes of the legitimate interests pursued by us or by a third party that have been specifically defined. Examples: developing products, marketing and advertising, performing business checks and risk management, reporting, statistics and planning, preventing and investigating criminal offences, video surveillance to ensure compliance with house rules and prevent threats, recordings of telephone calls, transmission of customer’s and employee’s master data within the companies of LEGIRA as well as to asset holding vehicles managed by LEGIRA, meeting third person’s obligations insofar as necessary for complying with a contractual duty or for the legitimate and overwhelming interest of the involved persons.
- In reliance on consent given by you for the purpose of supplying, and acting as intermediary in, financial services or for the purpose of executing orders, including, for example, transferring data to Group companies, service providers or contracting partners of LEGIRA. You have the right to withdraw your consent at any time. This also applies to declarations of consent provided to LEGIRA before the GDPR took effect, i.e. prior to July 20, 2018. Consent may only be withdrawn with effect for the future and does not affect the lawfulness of data processing undertaken before consent was withdrawn.
We reserve the right to engage in the further processing of personal data which we have collected for any of the foregoing purposes, including any other purposes that are consistent with the original purpose or which are permitted or prescribed by law (e.g. reporting obligations).
Who will have access to personal data and how long will the data be held?
Persons within and outside LEGIRA may obtain access to the data.
Access within LEGIRA Consulting Partners GmbH
You recognise and accept that personal data are processed within LEGIRA with regard to maintaining, performing and managing business relationships and by the employees of LEGIRA (in particular also electronically).
Employees within LEGIRA may only process your data, if these are required for discharging (pre-)contractual, statutory and/or regulatory duties and pursuing legitimate interests.
Transfer to recipients in the EU/EEA
Subject to compliance with regulatory requirements it may be necessary for other (third) persons, companies, asset holding vehicles, service providers (including processors) or agents to obtain and process personal data from LEGIRA.
The categories of processors may include companies operating under asset management services and distribution agreements as well as companies supplying IT, logistics, printing, advisory, consultancy, distribution and marketing services. In this context, recipients of your data may also include other financial services institutions or similar organisations to which we transfer personal data due to contractual or statutory duties for the purposes of constituting and/or conducting a business relationship (e.g. custodian banks, brokers, stock exchanges, information centres).
In this regard, LEGIRA is – each separately and without express written consent – entitled to transmit personal information wholly or in part to chosen contractual partners. The transmission and processing of personal data takes place in accordance with statutory, regulatory and data protection specifications.
In addition, public bodies and organisations (e.g. supervisory authorities, tax authorities, commercial register and other public authorities and the like) may also obtain your personal data if there is a statutory or regulatory obligation.
Transfer to recipients in third countries
Data will only be transferred to countries outside the EU or EEA (so-called third countries) if
- there is an adequacy decision of the (EU) Commission pursuant to Article 45 paragraph 3 of GDPR or the recipient is a company registered at the US Department of Commerce’s Privacy Shield,
- there is an appropriate safeguard pursuant to Article 46 of GDPR,
- this is required for the purpose of taking steps prior to entering into a contract or performing a contract between you and a LEGIRA Consulting Partners GmbH (e.g. executing securities transactions, supplying services or executing orders),
- this is necessary for the conclusion or performance of a legal transaction concluded in the interest of a LEGIRA Consulting Partners administrated asset holding vehicle;
- this is necessary for the conclusion or performance of a contract concluded in your interest between a LEGIRA Consulting Partners GmbH and another natural or legal entity;
- this is necessary for the establishment, exercise or defence of legal claims;
- this is necessary for important reasons of public interest (e.g. anti-money laundering compliance); or
- this is prescribed by law (e.g. reporting obligations for transactions).
We process and store your personal data throughout the continuation of the business relationship, unless there is a strict obligation to erase specific data at an earlier date. It is important to note that our business relationships may subsist for many years. In addition, the length of time that data will be stored will depend on whether processing continues to be necessary and on the purpose of processing. Data will be erased at regular intervals, if the information is no longer required for the purpose of fulfilling contractual or statutory duties or pursuing our legitimate interests, i.e. the objectives have been achieved, or if consent is withdrawn, unless further processing is necessary by reason of contractual or statutory retention periods or documentation requirements, or in the interests of preserving evidence throughout any applicable statutory limitation periods.
In accordance with statutory requirements we are obligated to store data for a period of 10 years, unless it appears to us that a longer data retention period is necessary, in accordance with GDPR Article 6 paragraph 1 point c, and in relation to data retention and documentation requirements in compliance with fiscal, corporate or regulatory law (e.g. Person and Company Law (PGR), Due Diligence Act (SPG), Liechtenstein tax law (SteG)), or unless you have consented to a longer period of data retention in line with GDPR Article 6, paragraph 1, point a. Processing and storage of data may also be prolonged for the purpose of conserving evidence.
Will there be automated decision-making including profiling?
We do not make decisions based solely on the automated processing of personal data. We will inform you separately in accordance with the statutory regulations of any intention to use this method in particular circumstances.
Certain business areas involve the automated processing of personal data at least to a certain extent, where the objective is to evaluate certain personal factors in line with legal requirements, carry out needs analysis in relation to products and services or for the purpose of managing risks.
LEGIRA reserves the right, in future, to analyse and evaluate client data (including the data of any third parties involved) by automated means for the purpose of identifying key personal characteristics in relation to clients or predicting developments. Such data will be used, in particular, to perform business checks, provide customised advice, offer products and services and provide any information that LEGIRA may wish to share with clients.
Data and information are automatically gathered from computers which access our website. In particular, the user’s browser and browser version, the operating system, internet provider, IP address, the date and time of access and the website from which access was gained are recorded.
Mailing and downloading of LEGIRA publications
We produce various publications. These publications are mailed automatically only to recipients who have expressly requested the service and duly subscribed.
What data protection rights do you have?
You have the following data protection rights pursuant to the GDPR in respect of personal data relating to you:
- Right of access: you may obtain information from LEGIRA about whether and to what extent personal data concerning you are being processed (e.g. categories of personal data being processed, purpose of processing).
- Right to rectification, erasure and restriction of processing: You have the right to obtain the rectification of inaccurate or incomplete personal data concerning you. In addition, your personal data must be erased if the data are no longer necessary in relation to the purposes for which they were collected or processed, if you have withdrawn your consent, or if the data have been unlawfully processed. You also have the right to obtain restriction of processing.
- Right to withdraw consent: You have the right to withdraw your consent to the processing of personal data concerning you for one or more specific purposes at any time, where the processing is based on your explicit consent. This also applies to declarations of consent provided before the GDPR took effect, i.e. prior to July 20, 2018. Please note that consent may only be withdrawn with effect for the future and does not affect any data processing undertaken prior to withdrawing consent. Moreover, the withdrawal of consent has no effect in relation to data processing undertaken on other legal grounds. When the revocation right is exercised, the legal validity of the other regulations shall remain unaffected.
- Right to data portability: you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller.
- Right to object: You have the right to object, on grounds relating to your particular situation, without any formal requirements, to the processing of personal data concerning you, if such processing is in the public interest or in pursuit of the legitimate interests of LEGIRA or a third party. You also have the right to object, without any formal requirements, to the use of personal data for marketing purposes. If you object to the processing of your personal data for direct marketing purposes, we will discontinue processing your personal data for this purpose.
- Right to lodge a complaint: You have the right to lodge a complaint with the relevant Liechtenstein supervisory authority. You may also lodge a complaint with another supervisory authority in an EU or EEA member state, e.g. your place of habitual residence, place of work or the place in which the alleged breach took place.
LEGIRA Consulting Partners GmbH is subject to strict statutory and/or professional confidentiality obligations. We draw your attention to the fact that these confidentiality obligations restrict your right to information, access and/or notification and can as a consequence restrict the exercise of your rights in specific cases.
The contact details for the data protection authority in Liechtenstein are set out below:
Liechtenstein Data Protection Office
Städtle 38, P. O. Box 684
Telephone: + 423 236 60 90
You should submit any requests for access or raise any objections in writing with the Data Protection Officer. The Data Protection Officer is also the appropriate point of contact for any other data protection matters.
We reserve the right unilaterally to adapt this data protection notice, from time to time, to the relevant legislation and/or factual amendments or following recommendations by the data protection authority. The currently applicable version can be viewed on and downloaded from our website www.legira.li.