General
The purpose of this privacy policy is to set out in a simple and transparent way what personal data Bank GPB International S.A. (the “Bank”) processes about each of its clients (a “Client”) and how the Bank processes it. It applies to the following persons: (i) our current and former Clients; (ii) any person involved in any transaction with the Bank; (iii) the counterparties of the Bank; and/or (iv) the agents, representative or other affiliates of our clients. If you do not form a part of any of these groups, the Bank will follow special rules with respect to processing your personal data which would be provided to you on demand.
Personal data includes any information relating to an identified or identifiable natural person that is processed by the Bank. Processing includes any activity with your personal data which you provide to the Bank when you become a Client or engage the Bank in connection with any transactions. The law requires that the Bank shall verify the information provided by the Client. Further, such verification may also be required to ensure security of the Bank and/or develop its business. Accordingly, the Bank also processes your data available from various public sources (e.g., Internet, world press, news, and other publicly available media), specialised AML/CTF and security service providers (e.g., WorldCheck, LexisNexis, Factiva) and/or legitimately provided by other member of Gazprombank group, when working on group-related matters or Clients.
By entering into the relationship with the Bank or approaching the Bank in connection with the same matter, each Client acknowledges and agrees that his personal data will be processed by the Bank for the purposes of performing transactions on the accounts, granting loans, takings deposits, entering into the transactions with respect to the financial instruments, providing general financial assistance, monitoring the client base to develop or promote its banking services, as well as complying with the obligations of the Bank under applicable law.
Categories of personal data
The personal data which the Bank processes may include the following information and documents on the Client and, where applicable, the Client’s representatives, agents, officers, related parties, transaction counterparties and beneficial owners:
-
personal identification data or contact information, including surname, name, pseudonym, family composition, domicile, address, gender, marital status, or relationship with other persons, nationality, the date and place of birth, profession-related information (including, job title, cadre level, fiscal (tax) status), identification number (if any), origin of funds (in case of legal persons: corporate name, address of registered office, registration number with the relevant corporate registry, date and place of incorporation, nationality, legal form, shareholder structure);
-
information on identification documents: issuance numbers, date and place of issuance, duration of validity and copies of such documents (in case of legal persons: deed and articles of incorporation, excerpts from corporate registry, shareholder register);
-
account numbers and transactions on accounts;
-
images of ID cards and images of other KYC identifiers;
-
tax domicile and other tax-related documents and information;
-
information with respect to the accounts and the assets held with the Bank and transactions carried out by the Bank for the Client;
-
the Client’s investment objectives, financial situation and knowledge and experience in investment matters;
-
electronic identification data (e.g., email, IP, Bloomberg addresses and other similar identifiers, electronic signature, etc.);
-
the data with respect to the Client’s financial status (e.g., salary, assets, liabilities, expenses, income, wealth, assets and liabilities, credit history);
-
credit profiles, MIFID profiles, any questionnaires (including comment fields);
-
information about the counterparties with whom the Client is dealing;
-
transactions performed in the Client’s account with the Bank or other financial institutions or contemplated transactions, contracts entered into with the Bank and the terms of such transactions (including, for example, amortization schedule, payment schedule, fees and commissions, etc.);
-
insurance related data;
-
information about any counter-parties, delegates, service providers or agents of the Client and/or any other third parties involved into the transactions of the Client;
-
telephone recordings; and
-
any other information that may be required for the execution of any transaction instructed by the Client, the proper identification of the Client and his sources of wealth prior to entering into relationship or compliance with any legal obligations of the Bank.
Purposes of the processing
The Bank processes personal data of the Client to ensure the continuing provision of the services to the Client and/or on-going compliance with the Bank’s obligations under laws and regulations applicable to the Bank and/or the legitimate interests of the Bank, including for the purpose of:
-
completing pre-contractual KYC-checks with respect to the Client (legal obligation);
-
performance of the banking transactions requested by the Client or other on-going implementation, administration and management of the contractual relationship between the Bank and the Client and dealing with any other matters (performance of a contract);
-
building up or expanding relationship with the Client (legitimate interests);
-
marketing, research (including, any statistical and scientific analyses of the Bank’s client base and preferences) and any other similar matters (legitimate interests);
-
with respect to any asset-backed, commodity or other similar financing, the tracking or other type of monitoring of the relevant assets of the Client (performance of a contract);
-
any internal management matters (including, any reporting, analysis of the development of the Bank, any business controls, any investigations, controls, etc.) (mainly, legal obligation, in limited circumstances – legitimate interests);
-
safety, health and security matters (including, the installation of any CCTVs and other similar cameras and security systems) and the authentication of the Client or any third-parties (legitimate interests);
-
management of the Bank’s IT infrastructure (including, any encryption or decryption of any Client-related information) (legitimate interests);
-
compliance with laws and regulations, acts, decisions, recommendations or inquiries of the courts, regulators or any other officials or agencies, compliance with banking specific rules and regulations (including, any non-binding guidelines, best practices or similar standards) in various sectors, including: tax, anti-money laundering, anti-terrorist, crime, detection or prevention of fraud, market abuse or any other similar matters (legal obligation);
-
any dispute resolution and litigation matters (performance of a contract);
-
any tax, regulatory or other similar inquiries from any official bodies (legal obligation);
-
risk management of the Bank (legal obligation);
-
exchange of information between the Bank and other members of Gazprombank group (legal obligation and legitimate interests); and/or
-
operation of Bank’s website (legitimate interests and consent); and/or
-
various matters related to human resources management (various grounds); and/or
-
any other matters where the processing of such personal data is necessary or desirable to ensure the on-going provision of banking services to the Client, the status of the Bank as a regulated credit organisation.
Lawful basis for the processing
The Bank mainly processes the personal data in connection with the entry into and execution of the banking transactions of the Client and/or the compliance with the legal obligations of the Bank and/or the legitimate interests of the Bank. The legitimate interests of the Bank are those interests which are inherently linked to the functioning and development of the Bank as a regulated credit institution and include, for example: (i) safety, health and security matters, fraud and other crime prevention; (ii) security of Bank’s information systems and clients’ information; (iii) data exchange with other affiliates of Gazprombank group; (iv) organisation of internal matters (including, certain employees’ related matters); (v) building up or expanding relationships with the Clients, marketing activities; and (vi) development of the Bank’s products and/or services. More specifically the legal basis for each purpose of personal data processing is set out in section above.
In limited circumstances mainly related to the operation of human resources department and its website, the Bank relies on consent. Where the Bank relies on consent to process personal data, each relevant data subject is informed of such basis. Each relevant data subject can withdraw her(his) consent at any time by a notice to the DPO or the relevant contact within the Bank.
Third-parties' personal data
The Client shall inform all of its agents, delegates, managers, employees, attorneys, service providers or other agents, shareholders or beneficial owners and other natural persons related to the Client of the contents of this privacy policy and by providing the relevant information to the Bank confirms that the relevant persons have been informed of this privacy policy.
Other processors
With respect to its Clients and counterparties, the Bank is required to conduct regular KYC, KYT and other similar back-ground checks by reference to specialised service providers (such as, Thomson Reuters, World-Check database, Factiva database, or any other similar services or databases), publicly available information as set out in various registers, press and Internet. In exceptional circumstances, the Bank may request the opinion of its Group’s security department with respect to the Client and/or any persons related to the Client. The Client acknowledges and agrees that the Bank will obtain information in accordance with the procedures set out in this paragraph without any further notice to, or consent of, the Client.
Profiling
Certain regulatory requirements (e.g., assessment of suitability of certain financial instruments for the Client) require the introduction of scoring systems. An officer of the Bank, however, would be usually involved in any decisions with respect to the Client and the Client could always approach his designated relationship manager with a request for clarifications. As a result, the Bank does not believe that any decision of the Bank which may affect the Client is a result of a purely automated process.
Recipients of personal data
The Client’s personal data may be disclosed or transferred by the Bank without any further notification to, or consent of, the Client to: (i) any person to whom disclosure is required to be made (1) by applicable law or court order, (2) pursuant to the rules or regulations of any government, supervisory, taxation or regulatory body or any stock-exchange, (3) in connection with any legal or arbitration proceedings or investigations; (ii) to any affiliates of the Bank (including, for the avoidance of doubt, the sole shareholder of the Bank, “Gazprombank” (Joint – stock Company); (iii) to the officers, directors, employees, auditors, professional advisers, other financial institutions, issuance companies, credit card issuers, IT and telecommunication companies, payment services providers and other service providers, outsourcing companies or data processors of: (A) the Bank or (B) any of its affiliates or (C) any sub-contractors or (D) affiliates of such entities; (4) in connection with any corporate reorganisation or restructuring of the Bank; or (5) to any third parties to the extent that the Bank or any of its affiliates or their agents or service providers deem such disclosure or transfer to be necessary or desirable for the carrying out of its duties, obligations, commitments and activities whether arising under any contract or by operation of law or the legitimate interest of the Bank. Without limiting the generality of the foregoing, the Bank outsources the IT processing of its financial operations to a third-party service provider (currently, Avaloq Sourcing (Switzerland & Liechtenstein) Ltd.) and retains its right to change such service provider at any time without further notice to, or consent of, the Client.
Any transfer of personal data outside of the EEA is subject to appropriate safeguards as required under Luxembourg law.
Security
The Bank has implemented (or ensured that the processors of personal data of the Bank’s clients have implemented) appropriate, and commercially reasonable, technical, physical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and all other unlawful forms of processing.
Retention periods
Most of the personal data will be subject to the retention period of 10 years, being equal to the relevant statute of limitations in Luxembourg. Employees’ or prospective employees’ data is retained within the minimum time periods set out in law.