Data Protection Policy

Banque et Caisse d’Epargne de l’Etat, Luxembourg, established and with its head office at 1, Place de Metz, L-2954 Luxembourg (hereinafter “Spuerkeess”), processes the personal data (hereinafter “personal data”) of natural persons in the course of its statutory activities. In its capacity as Data Controller, Spuerkeess is committed to complying with the personal data protection rules which are key to establishing transparency and trust with regard to data subjects.

The purpose of this general personal data protection policy is to describe the manner in which personal data is used and protected by Spuerkeess, depending on the type of relationship in question.

Scope

Spuerkeess’s personal data protection policy applies to all automated or non-automated processing of personal data carried out by Spuerkeess and sets out the principles and guidelines pertaining to its obligations as a “Data Controller” (the person who determines the purposes and means of processing personal data) arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which has applied since 25 May 2018 (hereinafter the “Regulation”).

Data subjects

Spuerkeess processes the personal data of natural persons, including natural persons connected with legal entities, with which it has, had or may have a direct or indirect relationship, namely:

  • existing or potential customers who express an interest in Spuerkeess’s services and products, 
  • assignees, attorneys and any natural persons acting as representatives of Spuerkeess customers,
  • guarantors,
  • external service providers and subcontractors, and their employees, representatives and contact people,
  • visitors,
  • users of Spuerkeess’s websites and mobile applications,
  • legal representatives, officers and authorised persons of Spuerkeess’s corporate customers,
  • beneficial owners and shareholders of Spuerkeess’s corporate customers,
  • principals and/or beneficiaries of transactions carried out by Spuerkeess customers,
  • job applicants as part of the recruitment process,
  • any other natural persons who contact Spuerkeess.

Data collected

The personal data collected is restricted to the data required for the purposes identified by Spuerkeess.

Different categories of personal data are collected:

  • personal identification data (e.g. name, date and place of birth, identity card/passport number, address, profession, telephone number, e-mail address, IP address of your computer or mobile device, legal representative, attorney, etc.);
  • data on family situations (e.g. family composition);
  • banking and financial identification data (e.g. customer number, bank account number, portfolio number, credit card number, TIN (Tax Identification Number) and data relating to the products and services that you have subscribed for);
  • data on financial transactions;
  • data on your financial position (e.g. income, expenses, loans and assets);
  • data, ratios and ratings relating to your investor/borrower profile and other data necessary for sound risk management by Spuerkeess in accordance with the law (e.g. your capacity to repay loans and solvency);
  • data on your habits and preferences:
    - data on the way in which you use our products and services for which you have subscribed (banking, financial and transaction data);
    - data collected in the course of our exchanges with you in our branches, on our websites, via our mobile apps, via our social media accounts, at meetings, during telephone calls, during chats, in emails and during interviews, or collected during user experience (UX) optimisation groups;
    - geographical location data (e.g. automated teller machines used and branches visited);
    - data on your behaviour and preferences when browsing our websites. Additional information is available in our cookie policy which is available at www.spuerkeess.lu;
  • data relating to your use of the S-Net banking application:
    - data specific to your mobile device (e.g. technical identifiers, connection data);
    - financial data (e.g. consultation of account balances and movements, payment data when you carry out financial transactions online);
    - data relating to your payment accounts held with other banks which you access via S-Net (in accordance with PSD2, Revised Payment Services Directive);
    - data relating to your purchases of banking products and services in S-Net;
    - data relating to contact details, images, and messages, including any digitalised documents you exchange with us via S-Net;
    - data relating to simulations (e.g. loans, Speedinvest);
    - data relating to the MIA tool, a Personal Finance Manager-type tool designed to help you with the day-to-day management of your finances;
    - data relating to the use of the Payconiq service integrated in S-Net (e.g. scans of QR codes via your camera, list of contacts in your mobile device). S-Net requests your authorisation to access your list of contacts and shares with Payconiq the phone number of the contact you select in order to carry out a payment;
    - documents saved in your safe deposit box in the S-Net Tax Area;
    - geolocalisation when you search for the nearest ATM or Spuerkeess branch;
  • authentication data (e.g. your specimen signature or the biometric data which characterises your signature on a signing pad);
  • video and video surveillance (CCTV) recordings made inside and outside our buildings and facilities;
  • recordings of certain telephone conversations;
  • recordings of face-to-face meetings, chat sessions and video conversations;
  • any paper or electronic correspondence;
  • the data you have asked us to collect for you (e.g. data on bank accounts and assets held with other banks shared under PSD2);
  • the information that Spuerkeess needs to comply with its legal and regulatory obligations (e.g. information processed for the detection of any suspicious or fraudulent activity and data required in connection with anti-money laundering and counter-terrorist financing controls);
  • data used to assess a job applicant’s aptitude for a position (e.g. diplomas, professional experience and education).

This data is collected at the following times:

  • at onboarding and during the business relationship (e.g. contact with your advisers, updating of your customer data, participation in surveys or user experience (UX) optimisation groups, etc.);
  • when you use our applications (e.g. S-Net and S-Net mobile) or browse our websites;
  • when you subscribe for a service or publication produced in any form whatsoever by Spuerkeess (e.g. newsletters);
  • when you respond to invitations to events organised by Spuerkeess;
  • when you are filmed by our surveillance cameras during a visit to our branches or offices and when using an automated teller machine;
  • when you add your payment accounts held with other banks to S-Net (in accordance with PSD2); 
  • when you submit a job application to Spuerkeess. Additional information about the protection of your data in this regard is available at www.mylittlebigstep.lu; 
  • from the media, the press and/or when you publish data on social media sites to which we provide access;
  • from third parties (e.g. public authorities or institutions, establishments that operate professional databases, other financial institutions, partners and subcontractors).

The personal data you disclose to us about third parties (family members, employers, attorneys, representatives, beneficial owners, etc.) is processed in the same way as your personal data, in line with the corresponding purposes and services. It is your responsibility to notify the data subjects accordingly.

In order to fulfil Spuerkeess’s obligations, and to the extent necessary, Spuerkeess may process “special categories of data”, such as data on health, convictions and offences and on the holding of a public office.

Lawful personal data processing conditions and purposes

Spuerkeess collects and processes personal data for specific purposes. It ensures in all cases that personal data is only processed where necessary in relation to the purpose pursued. All processing of personal data carried out by Spuerkeess is based on at least one of the following conditions for lawful data processing:

  • legal and regulatory obligations, e.g. processing for the purposes below:
    - anti-money laundering and counter-terrorist financing activities;
    - regulatory reporting and the automatic exchange of information (e.g. the DAC - Directive on Administrative Cooperation, FATCA - Foreign Account Tax Compliance Act or the CRS - Common Reporting Standard);
    - compliance with the requests and requirements of local or foreign authorities;
    - laws on international sanctions and embargoes;
    - the detection of abnormal or unusual transactions;
    - determining your credit risk score and repayment capacity;
    - account-keeping.
  • the performance of a contract, including pre-contractual measures, e.g. processing for the purposes below:
    - the provision of services and products;
    - the execution and recording of your financial transactions;
    - the granting and management of loans;
    - the management of S-Net and S-Net Mobile.
  • Spuerkeess’s legitimate interests, e.g. processing for the purposes below:
    - the provision of services and products;
    - the management of business relationships with customers, prospective customers, suppliers, subcontractors, partners and other third parties;
    - the detection and prevention of fraud and abusive transactions;
    - the protection of your assets against fraudulent activities;
    - analysis of the use of your account and your use of our services;
    - the completion of satisfaction and other surveys; 
    - the production of internal statistical studies and models with the aim of optimising risk management and improving our product and service offering through commercial actions such as direct marketing, advertising and the management of events for customers;
    - improving our websites and mobile apps;
    - the management of our operational needs and risk management;
    - ensuring the security of property and people;
    - ensuring service continuity and IT security; 
    - the management of any disputes or legal claims and the protection of our rights;
    - recruitment management.
  • consent, e.g. when:
    - collecting the biometric data which characterises your signature on a signing pad;
    - adding your payment accounts held with other banks to S-Net (in accordance with PSD2). Unless you object (see the "Right to object to certain types of processing (opt-out)" section below), the accounts imported will also be subject to the data processing generally applied to your Spuerkeess accounts, including the categorisation of your transactions;
    - the reuse of your data entered or generated in our myTax assistant tool for purposes other than the preparation of your tax declaration, in order to simplify your formalities required to obtain a product and/or service, or to offer you products intended to reduce the amount of tax to pay;
    - any other specific processing to which the data subject has consented.

This processing takes account of your interests and fundamental rights.

In some cases, you may have expressed a wish not to have your personal data used but Spuerkeess may nevertheless be obliged to process it and/or retain it for various reasons. In such circumstances, Spuerkeess will continue to process and/or retain the personal data if (i) it is obliged to do so by a law or regulation, (ii) required to do so under an agreement or (iii) Spuerkeess has a legitimate interest in doing so.

Decisions based exclusively on automated processing, including profiling

As a general rule, Spuerkeess does not use decision-making processes based solely on automated processing within the meaning of article 22 of the Regulation. In the event that Spuerkeess occasionally uses such a process, you will be informed in advance and will have the right to ensure that a person is involved in the decision-making.

Spuerkeess may use automated processing so that it can quickly offer you services and products suited to your needs. For example, in the case of an online loan application or an application to amend your credit card limit via S-Net, the system can approve the application automatically only if pre-defined criteria are met; any application that cannot be approved in this way will be processed manually if the applicant so wishes.

Spuerkeess may use profiling, i.e. any form of automated processing of personal data that involves using this data to assess certain personal aspects relating to a natural person, including to search for or identify relatively homogeneous categories of persons, in terms of products held and/or banking behaviour, who may be interested in a new product or personalised commercial offering.

In this context, your personal data may be subject to profiling, including in the following circumstances:

  • MiFID II has introduced improved investor protections; your investor profile is determined on the basis of a questionnaire that aims to assess your knowledge of financial instruments and market experience, on the basis of which Spuerkeess may offer you investments suited to your profile;
  • if you subscribe for the Speedinvest product, your investor profile is determined on the basis of a questionnaire that aims to measure your knowledge of financial instruments and market experience. Investments are then made automatically based on the profile determined;
  • when categorising your transactions, calculating your available balances and sending you the commercial recommendations and proposals that are most likely to meet your needs. Such processing makes it possible, for instance, to use the MIA tool, a Personal Finance Manager-type tool designed to help you with the day-to-day management of your finances. MIA analyses income and expenses and puts them into different categories;
  • when promoting banking products and services which complement the products and services for which you have already subscribed and as part of marketing actions (newsletters, commercial and informational mailings, invitations to events, participation in competitions, etc.);
  • in order to comply with its anti-fraud, anti-money laundering and counter-terrorist financing obligations;
  • when assessing your solvency and banking behaviour. This scoring system allows Spuerkeess to determine, for example, the likelihood that a customer will meet his/her loan repayment obligations. The scoring system is based on a defined and proven mathematical and statistical model. It is affected by the customer’s income, expenses, current commitments, profession, employer and loan repayment history, an assessment of the business relationship and information in the public domain. It helps us to make decisions with a view to selling services (e.g. personal loan applications or changes to credit card limits) and to manage risks. With regard to joint online loans, the co-borrower’s expenses/income are also taken into account for the solvency assessment and the scoring.

Right to object to certain types of processing (opt-out)

You have the right to opt out of some of the processing described above, without having to give a reason:

  • Opt-out in respect of the categorisation of transactions (also applies to your bank account data for accounts held with other banks which you decide to aggregate into S-Net in the framework of PSD2). Please note, however, that proceeding with the opt-out will prevent you from using certain services, including MIA and online loan applications;
  • Opt-out from all commercial actions and communications (mailings, invitations to seminars, competitions, etc.);
  • You also have the right not to be subject to decisions based solely on automated processing (see the “Decisions based exclusively on automated processing, including profiling” section). In such circumstances, you may ask for a decision to be reviewed by directly contacting your branch.

This right to object may be exercised at a branch or by sending an S-Net message, e-mail or letter to the following address:

Banque et Caisse d’Epargne de l’Etat, Luxembourg
Data Protection Officer
1, Place de Metz
L-2954 Luxembourg
dpo@spuerkeess.lu

You can also manage these parameters directly in S-Net.

Please note that the opt-out will take effect within one month of the request.

Consent

To the extent that certain personal data processing requires your consent, such processing will not take place until your explicit consent has been obtained. Any consent you give may be withdrawn at any time, on the same terms as those specified for opt-outs.

For example, your consent is required in the event that

  • biometric data is collected, such as when you sign on a signing pad in a bank branch.
  • further use is made of your data collected via myTax (tax declaration tool).

In accordance with PSD2, your consent will be requested before your payment accounts held with other banks are imported into S-Net.

The lawfulness of processing based on consent granted prior to its withdrawal will not be affected.

Transfer of your data to third parties

Within the limits of its activity and in compliance with applicable laws and regulations, Spuerkeess may transfer personal data to third parties, including:

  • the financial institutions and financial professionals with which we cooperate on domestic and international payment transactions, credit transactions and transactions in financial instruments, such as specialised banks and financial companies, brokers, payment and credit card issuers and intermediaries, providers of online payment solutions, clearing houses, stock exchanges, subcustodians, distributors, investment product managers, market counterparties and issuers of the financial instruments that you hold through Spuerkeess, etc.;
  • subcontractors, suppliers, counterparties and service providers used by Spuerkeess to optimally provide you with the services that you have subscribed for, such as specialised financial sector providers, insurance companies, tax reporting providers, as well as suppliers who help us with the design and maintenance of our IT tools, the organisation of events, the management of communication with customers and the development and/or management of our products and services, identification and electronic certification bodies, companies whose financial instruments you hold through Spuerkeess, etc.;
  • subcontractors, suppliers, counterparties and service providers used by Spuerkeess to comply with legal obligations, such as the bank’s account certification entities and customer reporting entities used when onboarding customers remotely (digital onboarding), administrators of KYC files, MiFIR legal reporting providers, etc.;
  • third-party entities that have a connection with our customers, such as entities that carry out banking transactions on our customers’ behalf, beneficiaries, principals, assignees, successors, attorneys, submanagers, managers and investment advisers, etc.;
  • any entity carrying on a regulated profession and acting within the scope of the tasks entrusted to it, such as auditors, lawyers, bailiffs, notaries, etc.;
  • credit reference agencies, debt collection agencies and investigative agencies;
  • persons involved in any disputes concerning specific transactions;
  • some partners such as innovators or universities, which process it in connection with their research. Steps are taken to ensure that personal data is transmitted in pseudonymised, aggregated form and the results of the research are anonymous;
  • tax, judicial, police, regulatory and administrative authorities, regulators and control and supervisory authorities;
  • cloud-computing service providers. Steps are taken to ensure that the data centres used are located within the European Economic Area and that appropriate data encryption is in place for data in transit and at rest;
  • other parties with your authorisation or in accordance with your instructions. With your consent and at your request, Spuerkeess may send your personal data to third parties.

Such third parties will themselves be required to comply with legal or contractual personal data protection obligations as data controllers or data processors.

In some jurisdictions, the laws and regulations applicable to (transactions in) financial instruments and similar rights require that the identity of the (in)direct holders or beneficial owners of those instruments and their positions in such instruments be disclosed.

Automatic exchange of tax information

Spuerkeess is legally obliged to identify account holders’ residence for tax purposes, and to make the required annual disclosures to the Luxembourg tax authorities relating to the reportable accounts of persons who are not tax resident in Luxembourg (including US persons as defined under FATCA (Foreign Account Tax Compliance Act), implemented in Luxembourg by the law of 24 July 2015).

The Luxembourg tax authorities will forward this information to the tax authorities of the reportable account holder’s country of tax residence if the regulations concerning the automatic exchange of information so require.

In accordance with the laws and regulations that may be applicable to them under the FATCA regulations and the Common Reporting Standard (CRS), customers are required to provide Spuerkeess with a form on their FATCA and/or CRS status (or any other equivalent forms) as well as any updates to those forms.

Without this tax information, Spuerkeess cannot establish or maintain a business relationship with customers.

Transfer of your data outside the European Economic Area

Your personal data will only be transferred by Spuerkeess outside the European Economic Area (“EEA”) if a legal or regulatory provision so requires, if the transfer is necessary for the performance of an agreement or if you have given your explicit consent thereto. Pursuant to the Regulation, for the non-EEA countries in question, Spuerkeess will ensure that an adequacy decision has been issued by the European Commission or that appropriate guarantees (e.g. standard contractual clauses) have been put in place.

For example:

  • In the context of fund transfers and transactions in financial instruments, the data required in order for the transactions to be executed is processed by third parties involved in the transaction (e.g. correspondent banks, stock exchanges, financial messaging service providers, etc.), which may be based outside the EEA.

Period for which your data is stored

Spuerkeess will store your personal data in accordance with its legal obligations and only for as long as is necessary for the purposes pursued by Spuerkeess.

The period for which your data is stored may vary and depends on the nature of the data and the purposes pursued, in addition to the data storage periods imposed by applicable laws and regulations.

Accounting data is stored for a period of ten years from the end of the financial year to which it relates, in accordance with applicable regulations.

For legitimate reasons and depending on the circumstances, Spuerkeess may store data for a longer period as permitted by applicable laws and regulations.

Security of your data

Spuerkeess undertakes to protect and secure your personal data to ensure that it remains confidential and to prevent its destruction, loss, alteration or disclosure.

It has introduced physical, technical, organisational and procedural protective measures to this end:

  • Spuerkeess employees are educated about personal data protection through internal training sessions, regular memos, the dissemination of best practices, etc.;
  • Spuerkeess guarantees that all the necessary measures to protect personal data are taken from the design phase onwards (“Privacy by Design”), whether in relation to new technological or commercial applications or to existing applications whose functionalities are being expanded, replaced or modified;
  • Spuerkeess guarantees, by default, the highest possible level of protection for the personal data that it processes (“Privacy by Default”). By default, only data that is likely to actually be used may be collected and stored. This rule extends to the quantity of personal data, the scope of processing, the data storage period and data accessibility. Special categories of personal data (sensitive data) are subject to enhanced security measures;
  • In the event that the processing of personal data is outsourced, Spuerkeess contractually requires its Data Processors to offer the same personal data security guarantees as it imposes on itself;
  • Spuerkeess’s Security Policy guarantees a level of personal data protection that is consistent with the Regulation.

All these measures are regularly reviewed and updated.

The confidentiality and security of personal data also depend on best practices being adopted by all persons involved. We therefore recommend vigilance and precautions, such as installing anti-virus and anti-spyware software, using complex passwords that you keep strictly confidential, erasing your online browsing history and, finally, immediately informing Spuerkeess in the event of the loss or theft of your bank cards.

Notification

In the event of a personal data breach, Spuerkeess will promptly report the event to the Luxembourg data protection authority (“Commission Nationale pour la Protection des Données” - CNPD), where possible, within 72 hours of discovering the breach. If the breach affects your personal data and the incident may result in a high risk to your rights and freedoms, Spuerkeess will promptly inform you of such a breach.

Video surveillance and telephone recordings

Spuerkeess reserves the right to use video surveillance inside and outside its buildings and facilities (branches, car parks, automated teller machines, etc.), to ensure your safety and the safety of its employees, and to protect its property and facilities. Video recordings and photos are retained, to serve as proof of an offence or damage, or for the purpose of identifying people (witness, victim, etc.).

Spuerkeess will record and retain the telephone conversations that you have with its agents (e.g. at the “Spuerkeess Direct” Service Centre), to monitor commercial communications and as evidence thereof, to ensure the security of financial transactions, and to comply with certain legal obligations that require such steps to be taken (e.g. MiFID II). These recordings will be retained for a period of 10 years.

It is understood that these recordings will remain protected by professional confidentiality obligations and that they may only be used for the above-mentioned purposes.

Your rights

The Regulation grants you a number of rights over your personal data processed by Spuerkeess:

  • the right to access your personal data and, where applicable, obtain a copy of that data;
  • the right to request that your personal data be rectified or updated if you believe that it is incomplete or inaccurate;
  • the right to have your personal data deleted, unless there is a legitimate reason that justifies its retention;
  • the right to object, at any time, to the processing of your personal data, combined with an ability to opt out, unless a legitimate reason prevails over your interests and rights and freedoms;
  • the right to request restrictions on the processing of your personal data;
  • the right to the portability of certain personal data, i.e. the right to receive it in a structured, commonly used and machine-readable format so that it may be sent to another data controller.

If you wish to exercise any of the above-mentioned rights, you may submit a request by sending an S-Net message, e-mail or letter to the following address:

Banque et Caisse d’Epargne de l’Etat, Luxembourg
Data Protection Officer
1, Place de Metz
L-2954 Luxembourg
dpo@spuerkeess.lu

In the interests of confidentiality and data protection, Spuerkeess must be sure of your identity before it can respond to your request. Any request not submitted via S-Net must therefore be accompanied by a copy of an identity document.

Spuerkeess will endeavour to respond to your request promptly and within one month of receipt of the request. Depending on the complexity of the request and the number of requests submitted to it, Spuerkeess may extend this deadline by two months. You will be notified of any such extension and of the reasons for the delay within one month of receipt of the request.

Spuerkeess reserves the right to reject the request if it is unable to definitively identify you or if it deems the request to be excessive or unfounded. You will be notified of the reasons for its rejection within one month of receipt of the request. Spuerkeess may also require the payment of reasonable fees in the event that a request is unfounded or excessive, especially if it is repetitive in nature.

If you are not satisfied with the way in which your request is handled, you may file a complaint with the CNPD (information is available at www.cnpd.public.lu).

If you are not satisfied with the way in which your personal data is processed, you may submit a complaint by sending an S-Net message, e-mail or letter to the following address:

Banque et Caisse d’Epargne de l’Etat, Luxembourg
Service Compliance
1, Place de Metz
L-2954 Luxembourg
Tél. : (+352) 4015 2226
reclamations@spuerkeess.lu

Contact

If you have any questions about the protection of your personal data, you may contact the Data Protection Officer by sending an S-Net message, e-mail or letter to the following address:

Banque et Caisse d’Epargne de l’Etat, Luxembourg
Data Protection Officer
1, Place de Metz
L-2954 Luxembourg
dpo@spuerkeess.lu

Review of the policy

This policy is reviewed on an annual basis and is adapted as soon as required by practices or the regulations or in the event of technological advances. Each new version is submitted for approval to Spuerkeess’s Data Protection Committee before publication. We invite you to read this document on our website to ensure that you have the most recent version at all times.

Date of publication: 1 February 2023