The purpose of this privacy statement is to set out, in a straightforward and transparent manner, which personal data Bank GPB International S.A. (the “Bank”) processes about each of its clients (a “Client”) and how the Bank processes it. It applies to the following persons: (i) our current and former Clients; (ii) any person involved in any transaction with the Bank; (iii) the counterparties of the Bank and/or (iv) our clients’ agents, representatives and other affiliates. If you do not fall into one of these categories, the Bank will follow special rules with respect to processing your personal data, which will be provided to you on demand.
Personal data includes any information relating to an identified or identifiable natural person that is processed by the Bank. Processing includes any activity with your personal data which you provide to the Bank when you become a Client or engage the Bank in connection with any transactions. The law requires that the Bank shall verify the information provided by the Client. Further, such verification may also be required to ensure security of the Bank and/or develop its business. Accordingly, the Bank also processes your data available from various public sources (e.g., Internet, world press, news, and other publicly available media), specialised AML/CTF and security service providers (e.g., WorldCheck, LexisNexis, Factiva) and/or legitimately provided by other member of Gazprombank group, when working on group-related matters or Clients.
By entering into a relationship with the Bank or approaching the Bank in connection with the same matter, each Client acknowledges and agrees that his personal data will be processed by the Bank for the purposes of performing transactions on the accounts, granting loans, takings deposits, entering into transactions with respect to financial instruments, providing general financial assistance, monitoring the client base to develop or promote its banking services, and complying with the obligations of the Bank under applicable law.
Categories of personal data
The personal data which the Bank processes may include the following information and documents on the Client and, where applicable, the Client’s representatives, agents, officers, related parties, transaction counterparties and beneficial owners:
- personal identification data or contact information, including surname, first name(s), pseudonym, family composition, domicile, address, gender, marital status, or relationship with other persons, nationality, date and place of birth, professional information (such as job title, executive level, fiscal (tax) status), identification number (if any), origin of funds (in case of legal persons: : corporate name, address of registered office, registration number with the relevant corporate registry, date and place of incorporation, nationality, legal form, shareholder structure);
- information on identification documents: issuance numbers, date and place of issuance, duration of validity and copies of such documents (in case of legal persons: deed and articles of incorporation, excerpts from corporate registry, shareholder register);
- account numbers and transactions on accounts;
- images of ID cards and images of other KYC identifiers;
- tax domicile and other tax-related documents and information;
- information with respect to the accounts and the assets held with the Bank and transactions carried out by the Bank for the Client;
- the Client’s investment objectives, financial situation and knowledge and experience in investment matters;
- electronic identification data (e.g., email, IP, Bloomberg addresses and other similar identifiers, electronic signature, etc.);
- data relating to the Client’s financial status (e.g., salary, assets, liabilities, expenses, income, wealth, assets and liabilities, credit history);
- credit profiles, MIFID profiles, any questionnaires (including comment fields);
- information about the counterparties with whom the Client is dealing;
- transactions performed in the Client’s account with the Bank or other financial institutions or planned transactions, contracts entered into with the Bank and the terms of such transactions (including, for example, amortization schedule, payment schedule, fees and commissions, etc.);
- insurance related data;
- information about any counterparties, representatives, service providers or agents of the Client and/or any other third parties involved into the transactions of the Client;
- telephone recordings; and
- any other information that may be required for the execution of any transaction instructed by the Client, the proper identification of the Client and his sources of wealth prior to entering into relationship or compliance with any legal obligations of the Bank.
Purposes of the processing
The Bank processes personal data of the Client to ensure the continuing provision of the services to the Client and/or on-going compliance with the Bank’s obligations under the laws and regulations applicable to the Bank and/or the legitimate interests of the Bank, including for the purpose of:
- completing pre-contractual KYC-checks with respect to the Client (legal obligation);
- performance of the banking transactions requested by the Client or other on-going implementation, administration and management of the contractual relationship between the Bank and the Client and dealing with any other matters (performance of a contract);
- building up or expanding relationship with the Client;
- marketing, research (including, any statistical and scientific analyses of the Bank’s client base and preferences) and any other similar matters (legitimate interests);
- with respect to any asset-backed, commodity or other similar financing, the tracking or other type of monitoring of the relevant assets of the Client (performance of a contract);
- any internal management matters (including, any reporting, analysis of the development of the Bank, any business controls, any investigations, controls, etc.) (mainly, legal obligation, in limited circumstances – legitimate interests);
- safety, health and security matters (including, the installation of any CCTVs and other similar cameras and security systems) and the authentication of the Client or any third-parties (legitimate interests);
- management of the Bank’s IT infrastructure (including, any encryption or decryption of any Client-related information) (legitimate interests);
- compliance with laws and regulations, acts, decisions, recommendations or inquiries of the courts, regulators or any other officials or agencies, compliance with banking specific rules and regulations (including, any non-binding guidelines, best practices or similar standards) in various sectors, including: tax, anti-money laundering, anti-terrorist, crime, detection or prevention of fraud, market abuse or any other similar matters (legal obligation);
- any dispute resolution and litigation matters (performance of a contract);
- any tax, regulatory or other similar inquiries from any official bodies (legal obligation);
- risk management of the Bank (legal obligation);
- exchange of information between the Bank and other members of Gazprombank group (legal obligation and legitimate interests); and/or
- operation of Bank’s website (legitimate interests and consent); and/or
- various matters related to human resources management (various grounds);and/or
- any other matters where the processing of such personal data is necessary or desirable to ensure the on-going provision of banking services to the Client, the status of the Bank as a regulated credit organisation.
Lawful basis for the processing
The Bank mainly processes the personal data in connection with the entry into and execution of the banking transactions of the Client and/or the compliance with the legal obligations of the Bank and/or the legitimate interests of the Bank.
The legitimate interests of the Bank are those interests which are inherently linked to the functioning and development of the Bank as a regulated credit institution and include, for example: (i) safety, health and security matters, fraud and other crime prevention; (ii) security of Bank’s information systems and clients’ information; (iii) data exchange with other affiliates of Gazprombank group; (iv) organisation of internal matters (including, certain employees’ related matters); (v) building up or expanding relationships with the Clients, marketing activities; and (vi) development of the Bank’s products and/or services. More specifically the legal basis for each purpose of personal data processing is set out in section above.
In limited circumstances mainly related to the operation of human resources department and its website, the Bank relies on consent. Where the Bank relies on consent to process personal data, each relevant data subject is informed of such basis. Each relevant data subject can withdraw her(his) consent at any time by a notice to the DPO or the relevant contact within the Bank.
Third-parties' personal data
The Client shall inform all of its agents, delegates, managers, employees, attorneys, service providers or other agents, shareholders or beneficial owners and other natural persons related to the Client of the contents of this privacy statement and by providing the relevant information to the Bank confirms that the relevant persons have been informed of this privacy statement.
With respect to its Clients and counterparties, the Bank is required to conduct regular KYC, KYT and other similar back-ground checks by reference to specialised service providers (such as, Thomson Reuters, World-Check database, Factiva database, or any other similar services or databases), publicly available information as set out in various registers, press and the Internet. In exceptional circumstances, the Bank may request the opinion of its Group’s security department with respect to the Client and/or any persons related to the Client. The Client acknowledges and agrees that the Bank will obtain information in accordance with the procedures set out in this paragraph without any further notice to, or consent of, the Client.
Certain regulatory requirements (e.g., assessment of suitability of certain financial instruments for the Client) require the introduction of scoring systems. An officer of the Bank, however, would be usually involved in any decisions with respect to the Client and the Client could always approach his designated relationship manager with a request for clarifications. As a result, the Bank does not believe that any decision of the Bank which may affect the Client is a result of a purely automated process.
Recipients of personal data
The Client’s personal data may be disclosed or transferred by the Bank without any further notification to, or consent of, the Client to: (i) any person to whom disclosure is required to be made (1) by applicable law or court order, (2) pursuant to the rules or regulations of any government, supervisory, taxation or regulatory body or any stock-exchange, (3) in connection with any legal or arbitration proceedings or investigations; (ii) to any affiliates of the Bank (including, for the avoidance of doubt, the sole shareholder of the Bank, “Gazprombank” (Joint – stock Company); (iii) to the officers, directors, employees, auditors, professional advisers, other financial institutions, issuance companies, credit card issuers, IT and telecommunication companies, payment services providers and other service providers, outsourcing companies or data processors of: (A) the Bank or (B) any of its affiliates or (C) any sub-contractors or (D) affiliates of such entities; (4) in connection with any corporate reorganisation or restructuring of the Bank; or (5) to any third parties to the extent that the Bank or any of its affiliates or their agents or service providers deem such disclosure or transfer to be necessary or desirable for the carrying out of its duties, obligations, commitments and activities whether arising under any contract or by operation of law or the legitimate interest of the Bank. Without limiting the generality of the foregoing, the Bank outsources the IT processing of its financial operations to a third-party service provider (currently, Avaloq Sourcing (Switzerland & Liechtenstein) Ltd.) and retains its right to change such service provider at any time without further notice to, or consent of, the Client.
Any transfer of personal data outside of the EEA is subject to appropriate safeguards as required under Luxembourg law.
The Bank has implemented (or ensured that the processors of personal data of the Bank’s clients have implemented) appropriate, and commercially reasonable, technical, physical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and all other unlawful forms of processing.
Most of the personal data will be subject to the retention period of 10 years, being equal to the relevant statute of limitations in Luxembourg. Employees’ or prospective employees’ data is retained within the minimum time periods set out in law.
Where the Bank transfers personal data outside the EU, the Bank ensures that the relevant jurisdiction is either deemed an equivalent jurisdiction for the purpose of data protection by the European Commission or relies on standard data protection clauses approved by the European Commission.
Cookies on the bank's website
Cookies are files placed on your device when you access our websites (e.g. https://www.gazprombank.lu/ ; https://payplus.gazprombank.lu/tpgui etc.) with the relevant information related to your visit. We use the following cookies: (i) cookies necessary to make the website operational and to identify your hardware and software; (ii) statistical cookies to count the number of users and collect other information related to the use of the content on the website; (iii) performance cookies which purpose is to test functionalities and improve the quality of the website; and (iv) tracking cookies to understand your interests and preferences and customize our services to your needs. The Bank will store this information for a period which will depend on the type of a cookie, but no longer than is necessary to achieve its purpose. The information obtained through cookies may be sent to the recipients set out in this privacy statement or to the service providers which assists us in the operation and maintenance of our website and the cookies.
If you wish, you could always disable the application of cookies. For more information please consult the web-site of your internet service provider or contact us at the email set out in this privacy statement.
The Client has the following rights with respect to his(her) personal data: (i) a right to be informed as to the rules and procedures of the Bank related to the processing of the personal data; (ii) a right of access to the personal data; (iii) a right to rectify the personal data or object to, or restrict, the processing of personal data in the circumstances when such personal data is incorrect or is not processed in accordance with Luxembourg data protection laws; (iv) a right to object to any direct marketing communication or any automated decision or profiling (if any); and (v) a right of portability of your data.
The exercise of the above rights may be subject to legal restrictions and, accordingly, should you wish to exercise any of such rights we will always assess your situation and provide you with a reasoned response. In exceptional circumstances set out in law, we may charge you a fee in respect of your request.
To exercise any of the above rights, please complete the form attached to our privacy statement and either: (i) send it to your relationship manager by any authorised method of communication; or (ii) by email to DPO@gazprombank.lu; or (iii) by post to BANK GPB INTERNATIONAL S.A., Le Dôme, 15, rue Bender, L-1229 Luxembourg, Atten.: DPO. Please indicate in the subject line “Data Protection Officer – Exercise of Data Subject Rights Request” and attach a copy of your valid ID.
In case the Client is not satisfied with the Bank's feedback with respect to his(her) inquiry, the Client may refer his(her) matter to the Luxembourg National Commission for Data Protection (https://cnpd.public.lu).