Privacy policy for clients
Dear Client
The following privacy policy is intended to provide you with an overview of the processing of your personal data and your associated rights under the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act (Datenschutzgesetz, DSG) at:
- LMM Investment Controlling Ltd., Zollstrasse 32, 9490 Vaduz, Liechtenstein (head office)
- LMM Investment Controlling Ltd., Vienna Branch, Tegetthoffstrasse 7, 1010 Vienna, Austria
- LMM Investment Controlling GmbH, Opernturm, Bockenheimer Landstrasse 2–4, 60306 Frankfurt am Main, Germany (hereinafter referred to as “LMM”)
Particulars of which data is processed and how it is used depend to a large extent on the services to be provided or those agreed upon in each case. For all processing of personal data, LMM takes a variety of technical and organisational data protection precautions to safeguard your privacy.
As part of our business relationship, we need to process personal data that is required to establish and maintain the business relationship, to fulfil the associated statutory or contractual obligations and to provide services (Article 6(1)(b) of the GDPR). Without this data, we generally will not be able to enter into or maintain a business relationship or offer services.
If you have any questions regarding specific data processing operations or wish to exercise your rights as described in section 5 below, please contact the controller at the following address:
LMM Investment Controlling Ltd.
Zollstrasse 32
Postfach 174
9490 Vaduz
Liechtenstein
T +423 235 07 90
Contact details of the data protection officer:
LMM Investment Controlling Ltd.
Data protection officer
Zollstrasse 32
Postfach 74
9490 Vaduz
Liechtenstein
1. What kinds of data are processed (data categories) and where does the data come from (origin)?
We collect and process personal data that we receive in the context of our business relationship with clients. Personal data may be processed at any stage of the business relationship and may differ according to the persons involved.
We generally process personal data that you provide to us through agreements, submitted contracts, forms, your correspondence and other documents. If required for the provision of services, we also process personal data that is generated or transmitted through the use of services or that we have lawfully obtained from third parties (e.g. a trust company) or public authorities. Finally, personal data from publicly accessible sources (e.g. commercial and association registers, press publications, Internet) may also be processed.
In addition to processing client data, we may also process personal data of third parties involved in the business relationship, such as the data of (additional) authorised agents, representatives, legal successors or beneficial owners in a business relationship. LMM assumes that its contracting partners are entitled to disclose and communicate the data of third parties. Please also inform any relevant third parties about this privacy policy.
We consider personal data to encompass the following data categories in particular:
Master data
- Personal details (e.g. name, date of birth, nationality)
- Address and contact data (e.g. physical address, telephone number, e-mail address)
- Identification data (e.g. passport or identity card data) and authentication data (e.g. specimen signature)
- Data from publicly accessible sources
Additional basic data
- Information on services and products used (e.g. investment experience and profile, records of consultation, data regarding executed transactions)
- Information on household composition and relationships (e.g. information on spouses or life partners and other family details, authorised signatories, legal representatives)
- Information on financial attributes and the financial situation (e.g. portfolio and account number)
- Information on a person’s professional and personal background (e.g. professional activity, desires, preferences)
- Technical data and information on electronic communication with LMM (e.g. records of access and changes)
- Image and sound files (e.g. video and telephone recordings)
2. For what purposes and on what legal basis is your data processed?
We process personal data in accordance with the provisions of the GDPR and the DSG for the following purposes and on the following legal bases:
- To perform a contract or take steps prior to entering into a contract as part of providing services. The purposes for which data is processed depend primarily on the specific service provided and may include, but are not limited to, the monitoring and control of investments and reporting on investments as well as needs analysis and consulting.
- To fulfil legal obligations, in particular to comply with statutory requirements (e.g. compliance with the GDPR and the DSG).
- To safeguard our legitimate interests or those of third parties for specifically defined purposes, in particular for the assessment of product development, marketing and advertising, business audits and risk management, reporting, statistics and planning, video surveillance to safeguard rights to control who can enter and stay at the premises, and prevent threats.
- On the basis of any consent you have given us for the provision of services. You have the right to withdraw your given consent at any time. This also applies to the withdrawal of declarations of consent provided to LMM before the GDPR took effect. Withdrawal of consent is only effective for the future and does not affect the lawfulness of data processed until the consent is withdrawn.
We reserve the right to process personal data collected for one of the above purposes also for other purposes, if this is consistent with the original purpose.
3. Who has access to personal data and how long is personal data stored?
Your data may be accessed by parties both inside and outside LMM. Within LMM, your data may only be processed by offices and employees who need it to fulfil our contractual and legal obligations and to safeguard legitimate interests. Subject to compliance with the relevant legal provisions, other companies, service providers or vicarious agents may also receive personal data for these purposes. External processors may be companies active in the areas of distribution agreements, IT services, logistics, printing services, advisory and consulting services, sales and marketing. In this context, your data may also be received by other financial services institutions or similar institutions to which we transmit personal data for the purpose of maintaining the business relationship (e.g. custodian banks, asset managers, information centres).
Data is only transmitted to countries outside the EU or EEA (so-called third countries) if
- this is for the purpose of taking steps prior to entering into a contract, performing a contract or providing services; or
- if you have given us your consent for this.
We process and store personal data for the entire duration of the business relationship, except where shorter mandatory deletion obligations apply to certain data. It should be noted that our business relationships may last for years. The duration of storage is also determined by the necessity and purpose of the data processing in question. If data is no longer required to fulfil contractual or legal obligations or to safeguard our legitimate interests (purpose has been achieved) or if the consent given is withdrawn, the relevant data is erased at regular intervals, unless further processing is necessary due to contractual or statutory retention periods and documentation obligations, or for reasons of preserving evidence throughout any applicable statutory limitation periods.
4. Is an automated decision-making process in place, including profiling?
Our decisions are generally not based on the solely automated processing of personal data. Should we use such procedures in individual cases, we will inform you separately in accordance with the legal requirements.
5. What data protection rights do you have?
With regard to your personal data, you are entitled to the following data protection rights under the GDPR:
Right of access to information: You may request information from LMM as to whether, and to what extent, personal data concerning you are being processed.
Right to rectification, erasure and restriction of processing: You have the right to request the rectification of any inaccurate or incomplete personal data concerning you. In addition, your personal data must be erased if this data is no longer necessary for the purposes for which it was collected or processed, if you have withdrawn your consent, or if this data has been processed unlawfully. You also have the right to request that processing be restricted or that data be erased.
Right to withdraw consent: You have the right to withdraw your consent to the processing of your personal data for one or more specific purposes at any time if the processing is based on your explicit consent. This also applies to the withdrawal of declarations of consent provided before the GDPR took effect. Please note that consent may only be withdrawn with effect for the future. Processing that took place before consent is withdrawn is not affected by this. Withdrawal of consent also has no influence on data processing performed on another legal basis.
Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit this data to another controller.
Right to object: You have the right to object, without any specific formal requirements, to data processing in individual cases, on grounds relating to your particular situation, provided that such processing is performed in the public interest or to safeguard the legitimate interests of LMM or a third party. In addition, you have the right to object, without any specific formal requirements, to the use of personal data for marketing purposes. If you object to the processing of your personal data for direct marketing activities, we will no longer process your personal data for this purpose.
Right to lodge a complaint: You have the right to lodge a complaint with the competent Liechtenstein supervisory authority if you believe that your data is subject to improper processing. You may also lodge a complaint with another supervisory authority in an EU or EEA Member State, for example at your place of habitual residence or work or at the place where the alleged infringement occurred.
The contact details of the responsible Data Protection Office in Liechtenstein are as follows:
Datenschutzstelle Liechtenstein
Staedtle 38
9490 Vaduz
Liechtenstein
T+ 423 236 60 90
You should preferably submit any requests for access or raise any objections in writing with the Data Protection Officer. The Data Protection Officer is also the appropriate point of contact for any other data protection matters.
Privacy policy for clients (PDF)
Date: November 2019