Information requirements concerning GDPR

How we handle your information and your associated rights – Information in accordance with Articles 13, 14 and 21 of the EU’s General Data Protection Regulation (GDPR) –

Dear Customers,

the following describes how we process your personal information and your associated claims and rights in accordance with data-protection regulations.

The specific data that is processed and the manner in which it is used depends largely on the requested and/or agreed services.

1. Who is responsible for data processing and whom can I contact?

The responsible entity is:

IPConcept (Luxemburg) S.A.
4, rue Thomas Edison
L-1445 Strassen, Luxembourg

Postal address
IPConcept (Luxemburg) S.A.
4, rue Thomas Edison
L-1445 Strassen, Luxembourg

Tel.: +352 260 248-1
Fax: +352 260 248-4955

You may contact our operational data-protection officer at:

IPConcept (Luxemburg) S.A.
Data Protection Officer
4, rue Thomas Edison
L-1445 Strassen, Luxembourg

Postal address
IPConcept (Luxemburg) S.A.
Data Protection Officer
4, rue Thomas Edison
L-1445 Strassen, Luxembourg

Tel.: +352 44 903 1
Fax: +352 44 903 2001

2. Which sources and information do we use?

We process personal information that we receive from you during the normal course of business contact and relationships. In addition, we also process – to the extent necessary for the provision of our services – personal information that we receive from other companies of the FinanzGruppe Volksbanken Raiffeisenbanken cooperative or from other third parties as permitted by us (e.g. for completing orders, fulfilling contracts, or on the basis of consent granted by you). In addition, we process personal information that we have legally obtained from publicly accessible sources (e.g. lists of debtors, land registers, commercial and company registers, the press, the media) and are permitted to process information.

Relevant personal information includes personal details (name, address and other contact information, date and place of birth and nationality) verification data (e.g. identification data), and authentication data (e.g. signature sample). This may also include order data (e.g. payment orders, transferable security orders), data from the fulfilment of our contractual obligations (e.g. transactional data in monetary transactions, credit limits, product data [e.g. investment, credit and deposit transactions]), information on your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), promotional and sales data (including promotional scores), documentation data (e.g advisory logs), register data, data on your use of our offered telemedia (e.g. time when our websites, apps or newsletters are retrieved, our pages that are clicked and/or entries), as well as data comparable to said categories.

3. Why do we process your information (purpose of processing) and what is the legal foundation?

We process personal information in accordance with the stipulations of the EU’s General Data Protection Regulation (GDPR) and respectively applicable national law.

3.1 Fulfilling contractual obligations (Article 6, paragraph 1b of GDPR)

Personal information (Article 4 No. 2 of GDPR) is processed for the purpose of conducting and brokering banking transactions, financial services, as well as insurance and real estate transactions. This is done, in particular, so we can carry out our contracts or pre-contractual measures with you and complete our orders, as well as all activities required for operating and managing a credit and financial institution.

The reasons for processing information are based primarily on the specific product (e.g. accounts, loans, transferable securities, investments, brokering, online banking, fund services) and may comprise, among other things, requirements analyses, consultancy, asset management and conducting transactions.

Additional details on the purpose of data processing may be obtained from the respective contract documents and terms of business.

3.2 Within the framework of balancing interests (Article 6, paragraph 1f of GDPR)

If necessary, we process your data, beyond actually fulfilling the contract, in order to observe our legitimate interests or those of third parties, for example in the following cases:

  • Consulting and exchanging data with information offices for the purpose of determining creditworthiness and/or default risks and the requirement for the seizure-protection account or basis account;
  • Examining and optimising processes for analysing requirements and direct communication with customers;
  • Undertaking promotional measures or market and opinion research, unless you have objected to the use of your data;
  • Asserting legal claims and defence during legal disputes;
  • Guaranteeing IT security and the bank’s IT operations;
  • Preventing and investigating criminal acts;
  • Video monitoring to collect evidence of criminal acts or to document withdrawals and deposits at deposit/withdrawal locations. They therefore serve to protect customers and employees and to assert domestic authority.
  • Building and investment security measures (e.g. access controls);
  • Measures for securing domiciliary rights;
  • Business management measures and development of services and products.

3.3  Based on your consent (Article 6, paragraph 1a of GDPR)

If you have granted us your consent to process personal information for specific purposes (e.g. forwarding data within association/group, evaluating monetary transactions for marketing purposes), this processing will be considered legal based on your consent. Once granted, consent can be retracted at any time. This also applies to the retraction of declarations of consent submitted to us before the GDPR entered into force, i.e. before 25 May 2018.

Please note that retraction will have effect only for the future. Information processed before the retraction will not be affected.

3.4 Based on legal requirements (Article 6, paragraph 1c of GDPR) or in the public’s interest (Article 6, paragraph 1e of GDPR)

Additionally, as a bank we are subject to a variety of legal obligations, i.e. statutory requirements as well as bank supervision requirements (e.g. those of the European Central Bank, European Bank Supervision, Commission de Surveillance du Secteur Financier, the Banque Centrale du Luxembourg, the Deutsche Bundesbank and the German Federal Financial Supervisory Authority). The purposes of processing include, among other things, creditworthiness verification, identity and age verification, prevention of fraud and money laundering, fulfilment of tax control and notification obligations, as well as evaluation and management of risks.

4. Who receives my information?

Within the bank, the information will be received by persons and departments who need it in order to fulfil our contractual and statutory obligations. Entities contracted by us to perform processing (Article 28 of GDPR) may also receive information for the stated purposes. These are companies in the categories of credit and financial services, IT services, logistics, printing services, telecommunications, collections, advisory and consulting, and sales and marketing.

With respect to forwarding data to recipients outside the bank, it shall be noted that we are bound, in accordance with the pertinent statutory stipulations and/or by the General Terms and Conditions agreed between you and us, to confidentiality of all customer-related facts and valuations of which we receive knowledge (bank secrecy). We may forward information on you only if statutory stipulations provide for this, if you have consented to this, or if we are authorized to grant a bank inquiry. Under these conditions, recipients of personal information may be, for example:

Public entities and institutions (e.g. Deutsche Bundesbank, German Federal Financial Supervisory Authority, Commission de Surveillance du Secteur Financier, Banque Centrale du Luxembourg, European Supervisory Authority, European Central Bank) in the presence of a statutory or official obligation.

Other credit and financial services institutions or comparable organizations to whom we transmit personal information for the purpose of managing the business relationship with you (depending on contract: e.g. companies of the FinanzGruppe Volksbanken Raiffeisenbanken cooperative, correspondence banks, depository banks, stock exchanges and information offices).

Additional recipients of information may be the entities for whom you grant consent to transfer information and/or for which you have released us from bank secrecy in accordance with an agreement or consent.

5. How long will my information be saved?

If necessary, we process and save your personal information for the duration of our business relationship, which may also include, for example, initiation and conclusion of a contract. Within this context, it shall be noted that our business relationships may last for many years.

In addition, we are subject to statutory and regulatory retention and documentation obligations. The retention and/or documentation periods specified there can be up to ten years after creation or five years after termination of the business relationship.

The length of time that information is saved also depends on legal limitations which may, in individual cases, be up to 30 years.

6. Is information transferred to a third country or to an international organization?

Information is transmitted to third countries (countries outside the European Economic Area (EEA) only if this is necessary for completing the orders (e.g. monetary and transferable securities orders), if legally required, or if you have given us your consent. You will be informed of the details separately if legally required.

7. What data protection rights do I have?

Every affected person has the right to:

  • Notification in accordance with Article 15 of the GDPR,
  • Corrections in accordance with Article 16 of the GDPR,
  • Deletion in accordance with Article 17 of the GDPR,
  • Processing restrictions in accordance with Article 18 of the GDPR
  • Information transferability from Article 20 of the GDPR
  • the right to complain to a data protection supervisory authority in accordance with Article 77 of the GDPR

8. Is there an obligation to provide information?

Within the framework of our business relationship, you must provide only the personal information required for the foundation, execution and termination of a business relationship or the information we are legally obligated to collect. Without this information, we must normally refuse to conclude a contract or complete an order, or we may no longer carry out an existing contract or will be required to terminate an existing contract.

Before entering into a business relationship, we are obligated in particular, in accordance with money laundering regulations, to identify you using e.g. your personal identification and must obtain, at least, your name, place of birth, date of birth, nationality and physical address. In order for us to be able to comply with this legal obligation, you must, in accordance with the applicable regulations for the prevention of money laundering and terrorism financing, provide us with the required information and documents and notify us of any changes throughout the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be able to enter into the business relationship that you request.

9. To what extent are decisions automated in individual cases?

In accordance with Article 22 of the GDPR, we never use fully automated decision-making to create and carry out a business relationship. If, in individual cases, we use this method we will inform you of this separately to the extent legally required.

10. To what extent is my data used for profiling purposes (scoring)?

We sometimes process your information automatically with the objective of evaluating certain personal aspects (profiling). We use profiling in the following cases, for example:

Due to legal and regulatory requirements, we are obligated to combat money laundering, terrorism financing and crimes that threaten assets. Information is evaluated for this purpose (in monetary transactions, among others). These measures also serve to protect you.

We use evaluation instruments in order to inform you and advise you on specific products. This enables needs-based communication and promotion, including market and opinion research.


Information about your right of objection in accordance with Article 21 of the GDPR

1. You have the right, for reasons arising from your particular situation, to object to the processing of personal information affecting you that occurs based on Article 6, paragraph 1e of the GDPR (data processing in the public interest) and Article 6, paragraph 1f of the GDPR (data processing based on a balancing of interests); this applies also to profiling supported by this stipulation pursuant to Article 4 No. 4 of the GDPR, which we use for evaluating creditworthiness and for promotional purposes.

If you submit an objection, your personal information will no longer be processed unless we can document urgent protection-relevant reasons for processing that override your interests, rights and freedoms or if processing serves the assertion, exercising, or defence of legal claims.

2. We do, in individual cases, process your personal information in order to perform direct promotions. You have the right to submit, at any time, an objection to the processing of your associated personal information for the purpose of such promotion; this applies also to profiling if it is in connection with such direct promotion.

If you object to your information being processed for the purpose of direct promotions, your personal information will no longer be used for these purposes.

Your objection can be made informally and should be directed, whenever possible, to:

IPConcept (Luxemburg) S.A.
4, rue Thomas Edison
L-1445 Strassen, Luxembourg

Postal address

IPConcept (Luxemburg) S.A.
4, rue Thomas Edison
L-1445 Strassen, Luxembourg

Tel.: +352 260 248-1
Fax: +352 260 248-4955