The present privacy notice (the “Privacy Notice”) details the conditions upon which the Company, as controller, processes personal data about Data Subjects.
1.1 Personal Data Processing Information
1.2.1 Regulation about processing of Personal Data
For the purpose of this article 1.2.1 only, the term Client also includes the potential clients of the Company (prospects).
The Company processes the Personal Data of its Clients in accordance with the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and any amendments or replacements thereof (the “GDPR”) as well as any complementing or to the law or regulation relating to the protection of Personal Data applicable to the Company.
The provisions of this article 1.2.1 apply to the processing by the Company in a capacity as Controller of Personal Data about (i) all the Clients of the Company who are natural persons, or (ii) where the Client is a legal person, the attorney-in-fact, the beneficial owner, the manager, the representative, the employee and any other proxy such Clients, and (iii) any other individual about whom the Company processes Personal Data (hereinafter referred to as the “Data Subjects”).
In compliance with the principle of transparency, this Private Notice intends to inform Data Subjects about inter alia the processing operations carried out by the Company as Controller as well as about their rights regarding the processing of Personal Data relating to them.
1.2.2 Collection and processing of Personal Data
The Company, as Controller, collects only the personal information which is necessary to fulfil its missions and only as part of its Clients’ service provision and/or for compliance with its legal or regulatory obligations. Personal data is collected from Data Subjects (for example, when entering into a business relationship) and from third parties (for example, depending on the services provided, public authorities, lawyers and/or notaries), including from publicly available sources and subscription databases.
The refusal to disclose Personal Data to the Company and the prohibition to deal with them, remaining at the discretion of the Client, may in certain circumstances be an obstacle to the conclusion of a contract or continuation of a relationship with the Company or to prevent the Client from the use of certain products or services offered by the Company. The Company will inform Data Subjects of such impediment upon the occurrence of such a refusal.
1.2.3 Categories of Personal Data processed by the Company
In the context of its activities and the services it provides to the Clients, the Company generally processes the following non-exhaustive personal information about Data Subjects:
(b) personal details (e.g.: date of birth, gender, marital status) and life and consumption habits (goods and services consumption, special dietary requirements);
(c) education and occupation (e.g. academic curriculum, employer, position, title, place of work);
(d) identification data generated by public services (e.g. passport number, identity card, national register, publication of annual financial statements);
(e) electronic identification data (e.g. email address);
(f) data relating to the Client or Data Subject’s financial situation (e.g. bank account numbers and balance, credit card numbers);
(g) financial transactions records
(h) data relating to the Client or Data Subject’s financial situation (e.g. income, assets and properties, credits, bank account balance, investment preferences);
(i) identification of tax residence and tax identification number;
(j) image and sound (e.g. telephone recordings, pictures on copies of identity documents, video recordings through the CCTV systems installed in the premises of the Company);
(k) any information resulting from checks related to anti-money laundering and counter terrorism financing regulations (“AML/CFT”) and know your customer (“KYC”).
The above categories of data may include special categories of Personal Data, such as information about political opinions, affiliation to unions, religious beliefs and information about criminal conventions and offences.
1.2.4 Legal bases and purposes for the processing of Personal Data
The Company processes Personal Data about Data Subjects according to the services provided to its Clients as well as for the compliance with its legal obligations generally.
Particularly the Company processes Personal Data related to a Data Subject where a processing is necessary:
(a) to take previous steps necessary for the conclusion of the contract and its execution and for the purpose of providing its services to its Clients and performing its obligations according to the contractual terms managing its business relationship with the Client (including account administration, managing payment instructions and deposits, loans and mortgages and related securities, assessment of Client’s solvency and creditworthiness, investment and similar financial transactions) as well as for the need of updating the Client and Data Subject’s information;
(b) for compliance with the legal or regulatory obligations to which the Company is subject, including in particular for the purposes of:
i) complying with the reporting requirements to the competent authorities, whether in terms of taxation or otherwise, whether in terms of taxation or otherwise (such as the OECD Common Reporting Standard for exchange of information (“CRS”), FATCA, the Automatic Exchange of Information (“AEI”) and any exchange of information regime to which the Company is subject from time to time) or legal/regulatory reporting to the supervisory authority, in which case the provision of information to the Company is always mandatory – failure to respond may lead to incorrect or double reporting in this context, Personal Data about Data Subjects will be shared with the Luxembourg tax authorities (and any service provider with which the Company operates) who may turn share the information to foreign tax authorities;
ii) taking measures against money laundering and terrorism financing, including:
- obligation to KYC (Customer Due Diligence (“CDD”) & KYC checks;
- obligations of cooperation with Luxembourg and international authorities;
- record keeping of services and transactions.
c) for satisfying the Company’s or a third party’s legitimate interest, in particular for purposes related to:
i) the Company’s commercial development strategy to offer additional services adapted to the needs of its Clients (including direct marketing in the form of unsolicited commercial communications) and/or meet their specific needs, where appropriate;
ii) securing the premises, communication channels and IT systems used by the Company;
iii) accounting, demonstrating a transaction, managing risks or prevent a fraud.
d) on the basis of the relevant Data Subject’s consent (e.g. for any further processing of Personal Data).
1.2.5 Personal Data relating to third parties
Anyone who as a client or on behalf of a Client communicates to the Company or any of its representatives Personal Data about any Data Subjects must first provide the latter with the information about how the Company processes Personal Data as described in this Privacy Notice. The Company will hence consider that the Data Subjects concerned are informed of the processing of the Personal Data relating to them that the Company may carry out and of the transfer of their Personal Data to certain recipients as described herein, and that, as far as necessary, the Client obtained the Data Subjects’ prior written consent.
1.2.6 Express consent in relation to specific Personal Data Processing
In certain special cases, the Company may request the consent of Data Subjects in relation to specific Personal Data processing operation. The Bank informs Data Subjects that they may withdraw their consent at any time in accordance with, and subject to the limitations of, the applicable laws.
1.2.7 Recording of telephone conversations and electronic communications
188.8.131.52 The phone extensions of the Company used for “commercial or financial transactions” are recorded. In these regards, the Client is informed that the Company may (and in certain circumstances is, in the interest of the Client, obliged by law to), record telephone conversation or electronic communications. Such recordings aim at keeping track of the transactions for evidencing purposes, complying with law and regulations, allowing assistance and investigations by the Company or the competent authorities (including in the case where there exists a dispute between the Client and the Company in relation to a transaction).
184.108.40.206 Nevertheless if the Client (or any Data subject acting on behalf of the Client) has a telephone conversation with an employee of the Company and the subject of this conversation has nothing to do with a “commercial or financial transaction”, then the Client has the option of requesting the said employee to transfer the call to an unrecorded line. In this case, the Client is informed that no order or transaction will be dealt with or even considered by the Company. Finally, the Client may not at any time claim to have transmitted an order or carried out a transaction by phone if he had specifically requested the use of an unrecorded line.
220.127.116.11 The Client is informed that in the event of any dispute between the parties hereto, the recordings may be used as evidence, particularly if, when the account was first opened. The Client requested that a phone call should be considered to be a valid means of communication with regard to the account.
1.2.8 Duration of retention of Personal Data
18.104.22.168 Retention principle
Except stated otherwise, the Company will keep Personal Data as long as, but not more than, necessary or required for satisfying the purposes pursued by the Company as detailed above, the maximum period being either (i) the end of the relationship between the Client and the Company plus the statutory limitation periods applicable for the exercise or defense of a legal claim (périodes de prescriptions légales, such as the commercial period of limitation of 10 years as from the end d of the contractual relationship with a Client or (ii) the end of the legal requirement to keep Personal Data for a certain period of time, even after the termination of the relationship between the Client and the Company, whichever is later.
22.214.171.124 Archiving/record keeping
(a) To ensure compliance with its legal obligation as governed by the 2004 Law, the Company is required to:
- retain information and documents related to CDD for a period of five (5) years after the end of business relationship or After the date of an occasional transaction;
- retain supporting evidence and records of transaction for a period of five (5) years after the end of a business relationship with the Client or after the date of an occasional transaction.
The regulatory authorities may order retention of such information or documents for a further period of five (5) years where the necessity and proportionality of such further retention has been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.
(b) To ensure compliance with its legal bookkeeping obligations, the Company keeps its books, accounting documents, correspondence and archives , which may contain Personal Data, in original form or in copies on any medium it deems appropriate, for a period of ten (10) years starting from the end of the financial year to which they relate.
(c) The Company will keep recordings of telephone conversations and electronic communications as long as, but not more than, necessary for the abovementioned purposes (i.e. keeping track of transactions for evidencing purposes, complying with laws and regulations, allowing assistance and investigations by the Company or the competent authorities), the maximum period being either (i) the end of the relationship between the Client and the Company plus the statutory limitation periods applicable for the exercise or defence of a legal claim (périodes de prescrptions légales) or (ii) the end of the legal requirement to keep Personal Data for a certain period of time, even after the termination of the relationship between the Client and the Company, whichever is later. Telephone recordings and electronic communications relating to certain transactions must by law be kept by the Company for a period of five (5) years or pup to seven (7) years if required by the CSSF.
1.2.9 Data Security
The Company uses the physical and technical means to protect the Personal Data of Data Subjects against any attempt of malicious and fraudulent use. The technical solutions used to store and process Personal Data are subject to enhanced surveillance in according to the Company’s security policy and risk-based approach, which remains its priority.
As examples, the technical and organizational safeguards include encryption, anti-virus firewalls, access controls, strict selection of personnel and providers to prevent and detect access, loss or inappropriate disclosures of Data Subject’s Personal Data.
In the event of a security breach that could potentially compromise the protection of the Personal Data of Data Subjects under the control of the Company, the Company will act promptly to identify the cause of such breach and will take remedial measures. Depending on the nature and extent of the problem identified, the Company will inform Data Subjects in accordance with the applicable legal provisions.
1.2.10 Recipients of the Personal Data
The Data Subject’s personal Data may be transferred by the Company to the following categories of recipients, to the extent that the Company deems such disclosure or transmission to be required or necessary for satisfying the aforementioned purposes:
(a) any legal entity which may acquire the Company or certain of its assets in case of a merger and acquisition or restructuring;
(b) the Company’s lawyers, notaries external auditors or bailiffs;
(c) public, governmental, or judicial entities, in Luxembourg or abroad;
(d) Addresses whose interventions is related to the ongoing business of the Company.
The Company may also transfer the Personal Data, by virtue of a legal or regulatory obligation to which the Company is subject, or by virtue of a constraint emanating from a public or judicial authority within the applicable legal limits. In accordance with the legal and regulatory requirements specific to the automatic exchange of information with the countries that have adhered to it, the Company may disclose certain Personal Data relating to the Client’s tax residence status to the Luxembourg tax authorities.
The Luxembourg tax authorities may communicate the data transmitted by the Bank to each competent foreign tax authority in accordance with applicable legal and regulatory requirements. In some jurisdictions, the legal and regulatory requirements applicable to transactions involving financial instruments and similar rights require that the identity of the (in)direct holders or beneficial owners of such instruments and their positions in such instruments be disclosed.
Failure to comply with these obligations may lead to the freezing of financial instruments with all the possible consequences that result from them, such as the impossibility of exercising voting rights, the non-collection of dividends, the impossibility of selling the instruments concerned or any other sanction or restrictive measure, particularly in application of the applicable legal and regulatory provisions to which the Client is also required to comply.
To this purpose, the Client is informed that the Company may be legally required to disclose to the competent authorities the identity of the Client and/or the beneficial owner as well as their positions in said financial instruments.
Any transfer of Personal Data by the Company to a recipient (either acting as Processor or Controller when processing the Personal Data) located outside the European Economic Area (the “EEA”) will be made in accordance with the safeguards provided for under Chapter V of the GDPR.
1.2.11 Data Subject’s rights
Subject to the conditions of the GDPR, any Data Subject may request from the Company any of the following:
126.96.36.199 Right of access
Each data Subject has the right to obtain from the Company confirmation as to whether or not Personal Data concerning the Data Subject are being processed, and, where that is the case, access to the Personal Data and the following information in that regard.
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source.
(h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
188.8.131.52 Right to rectification
The Data Subject has the right to obtain from the Company without undue delay the rectification of inaccurate Personal Data concerning him/her and taking into account the purposes of the processing, the right to have incomplete Personal Data completed.
184.108.40.206 Right to restrict the processing of Personal Data
The right allows the Data Subject to “block” or suppress a specific processing of his Personal Data.
220.127.116.11 Right to erasure
This right enables the Data Subject to request the Company to delete or remove his Personal Data where there is no compelling reason for the continued processing thereof.
18.104.22.168 Right to object
The Data Subject has a right to object, on grounds relating to the Data Subject’s particular situation, at any time to the processing of Personal Data concerning him which is based on satisfying the legitimate interests pursued by the Company. Should this right be exercised, the Company shall no longer process the Personal data, unless the Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
22.214.171.124 Right to portability
Data Subjects will also have a right to the portability of their Personal Data, namely the right to receive Personal Data about them or to request the communication to another Controller in a structured format, commonly used and machine readable.
126.96.36.199 Consent withdrawal
Data Subject may at any time withdraw the consent they have given in the cases where the Company will have had to previously require such consent for the processing of Personal Data relating to themselves. The legality of consent-based processing operations carried out prior to such withdrawal will not be affected.
188.8.131.52 Right to be informed
Individual Data Subjects have the right to be informed about the collection and use of their personal data. Individual has a right to be informed after giving the consent as well, meaning that the company should be able to provide the individual with concise, intelligible, easily accessible, free of charge and clearly written information about the processing.
1.2.12 Contact person and exercise of Data Subject’s rights
The Chief Compliance Officer (CCO) is the contact person for all questions regarding the processing and protection of Personal Data.
Data Subjects may submit to the Company a request for the exercise of the aforementioned rights by sending a written request, signed and justifying his identity to the Company, sent by email to:
or by letter to the following address:
ANF Luxembourg SA
Chief Compliance Officer
11, Avenue de la Porte Neuve 1er étage
The Company, through the designated Data Protection Officer, undertakes to process the Client’s request as soon as possible.
The Client is also informed that he is entitled to lodge a complaint with the competent data protection authority, in particular in the Member State of his habitual residence.
In Luxembourg, such authority is:
Commission Nationale de Protection des Données (CNPD)
15, Boulevard du Jazz L-4370 Belvaux
Notwithstanding the foregoing, the Client is informed that according to the provisions of the 2004 Law, the aforementioned right of access to the Personal Data may be limited or postponed by the Company where such measure is necessary for:
- the Company, or anu regulatory authority, or the State Financial Intelligence Unit (Cellule de renseignement financier) to carry out the tasks mentioned in the 2004 Law;
- avoiding obstructing inquiries, official or judicial investigations or proceedings for the purposes of the 2004 Law and to ensure the prevention, investigation and detection of money laundering and terrorist financing is not jeopardized.
1.2.14 Definitions under GDPR (Glossary)
(a) “Personal Data”
Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated mean, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
The natural or legal person, public authority, service or other body that processes personal data on behalf of the Controller.
A natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
(f) “Third party”
A natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data.
More specific information in relation to the processing of Personal Data and any updates or changes in relation to this Privacy Notice may be provided to the Client by the Company by any notification letter (including by email) or any other appropriate mean.
The Client shall communicate such updated Privacy Notice to any Data Subject concerned by the processing operations in accordance with this Privacy Notice.