Banque Transatlantique Luxembourg SA (hereinafter the “Bank” or “we”) places great importance on protecting your privacy.
This statement is intended for natural persons, current or potential customers of the Bank as well as all other natural persons (contact persons, guarantors, legal representatives, beneficial owners, etc.) (hereinafter the “people concerned” or “you”).
It is meant to inform you about how we process your personal data (“your data”) and of your rights in this respect. The processing of your personal data encompasses its collection, usage and storage.
This statement also contains more information about your privacy rights and how you can exercise them.
We will always be transparent with you and are committed to using your personal data only to the extent we actually need. Banque Transatlantique Luxembourg in fact ensures that only appropriate and relevant data for the purposes pursued are collected, processed and stored.
Data Controller
The data controller is:
The Data Protection Officer (DPO)
Banque Transatlantique Luxembourg SA
17, côte d’Eich L 2018 Luxembourg.
In his/her capacity as data controller, s/he is responsible to you for how your personal data are processed in accordance with applicable regulations, even if we use subcontractors.
Personal Data
The Bank processes various types of personal data for many reasons. Below you will find information on the main categories of data processed as well as the purposes and legal basis for the processing.
You are clearly not legally required to provide us with personal data. The Bank nevertheless draws your attention to the fact that if you refuse to communicate this data, this refusal may prevent the commencement of contractual relations, change the nature of contractual relations or influence the management of contractual relations.
The data we need to process to execute the contract between us or pre-contractual steps taken at your request
The Bank must process certain data in order to be able to decide whether or not a contract can be entered into or in order to be able to perform a contract. The following data are therefore processed for the purposes of managing pre-contractual and contractual relationships and performing our services (e.g. execution of transactions, sending of letters, management of your cash and securities accounts, your payments, your loans, monitoring of collateral, life insurance distribution, etc.):
- Your personal identifying information: surname, first name, gender, date and place of birth, secure identifiers used for payment services or your login to our customer zone on our website.
- Your contact details: landline / mobile phone number, email address, home address, physical address other than home address, IP address, login data to our customer zone on our website / application.
- Data related to your personal (particularly civil status), family (particularly matrimonial property regime), professional, tax situation.
- Data pertaining to your transactions, products and services: data relating to your bank transactions (account number, amount, beneficiary movements on the account, etc.), data relating to your products and services provided, use of digital tools (e-banking, applications), data related to the performance of your loan, your investment services and your life insurance.
The Bank must sometimes transmit certain personal data to an intermediary or counterparty (e.g. a broker or custodian or insurance company).
- Data pertaining to the analysis of your situation prior to loan approval: notwithstanding our legal obligations in terms of credit and establishing the risk of our business (see below), we are required to assess your repayment capacity and solvency prior to loan approval (unregulated or regulated). To this end, we will analyse whatever data we consider relevant (notice of assessment, balance sheets, income, outgoings, expenses, etc.) and we may for example decide a loan approval based on your credit history and/or using risk scores based on your answers and profile. This decision will, nevertheless, also be based on the evaluation of other factors by our teams (this is not therefore a wholly automated decision).
The data we need to process to comply with one of our legal obligations
The Bank is required to comply with its legal obligations. Below are the primary legal reasons the Bank is required to process your personal data:
- Data related to payment transactions: whether you are a payee or payer in a payment transaction, we are required to disclose your identity to the initiating / receiving payment institutions in most cases;
- Data related to the implementation of the MiFID II regulations:
We must, in particular, classify you in a customer category (professional or retail) and establish your investor or policyholder profile if advice is provided by collecting information on your knowledge and experience, financial situation and investment objectives in order to offer you a service/product that is appropriate or tailored to your situation.
We are also required to record any telephone conversation or electronic communication that may result in the transmission of an order to buy or sell financial instruments, for the purposes of providing parties with proof of this order.
- Data on transactions on a regulated or unregulated market:
We are required (also at the level of the Group to which the Bank belongs) to prevent, detect and, where appropriate, notify the competent authorities of (attempted) insider dealing and market manipulation (see European Regulation “MAR” No. 596/2014). For this purpose, we specifically process your declaration regarding the possession or non-possession of inside information and the reasons backing this up.
We are also required to report to the competent authority the transactions in financial instruments that we execute on your behalf in order to increase financial market reliability and transparency (see MiFIR Regulation no. 600/2014).
- Personal identifying and transactional data pertaining to our tax obligations
We process some of your data (in particular the tax identification number and country of tax residence, list of assets of the deceased customer) to make the compulsory tax deductions or the reports for which we are responsible (for example, payment of withholding tax or communication of the assets of a deceased customer to the tax authorities), in particular provided for under international agreements for mutual assistance and the exchange of information in tax matters. The Bank is therefore required to answer questions from the tax authorities or to spontaneously exchange information within the framework of tax legislation (in particular the Foreign Account Tax Compliance Act (FATCA), the Common Reporting Standard (CRS)).
- Data specifically linked to your consumer credit or mortgage loan:
Before the contract is concluded we are required to verify the identity of the borrowing customer and to assess their creditworthiness. This assessment is based on necessary, sufficient and proportionate information on the borrower’s income and expenditure as well as other economic and financial criteria that we must determine. This information is obtained from relevant internal or external sources.
This “credit” data will only be processed for the purposes of assessing your financial situation and your solvency as a borrower or as a person acting as surety, for loan approval or management.
- Data on dormant deposits: we have an obligation to identify the beneficiaries / holders of dormant life insurance policies and dormant accounts.
- Data processed in connection with oversight of our business: as a credit institution, we are required to process some of your data for the purposes of detecting and preventing potential risks to our business (also at Group level). These include, but are not limited to, credit risks, counterparty risks, market risks, information management and legal compliance risks, or risk of fraud by employees, customers and/or suppliers, or the risk of unethical behaviour or misconduct by employees.
We must also prepare and provide reports and respond to any investigations by the Bank’s supervisory authorities.
- Data processed in connection with court orders: we process some of your data (e.g. bank balances, assets) for the purposes of complying with any court decision or request (civil or criminal).
The Bank is also required to answer questions from the judicial authorities in the context of criminal proceedings.
The data we process as part of a public interest mission
- Data related to our obligations regarding the prevention of money laundering and terrorist financing (in particular the 4th Anti-Money Laundering Directive, EU Directive 2015/849):
We are required to use all possible means of preventing, detecting and where appropriate reporting money laundering or terrorist financing transactions to the competent authorities. To this end, we must:
- identify you, as a customer, representative or beneficial owner (for life insurance we must also identify the beneficiary if s/he is determined); to do so we collect a copy of your identity papers.
- determine your profile in terms of “money laundering risk” and place you into a risk category in line with our customer acceptance policy; to do this we collect data on your business sector, the state and origin of your wealth (savings, succession, real estate sale, etc.), and your possible situation as a “politically exposed person”;
- Data related to our obligations regarding the combating of terrorism and legislation on embargoes (see in particular EU Regulations 2580/2001 and 881/2002):
We must compare customer, beneficiary and payer data against sanction lists. Transactions are also monitored. In some cases, underlying documents are requested and transactions may be blocked.
The data we process in order to protect our legitimate interests
In addition to the above circumstances that allow us to process your data, we may also process them based on our legitimate interests as a company.
In this case, we ensure a balance between our interests and your rights (for example, we believe it is legitimate to establish your customer profile to offer you products that are suited to your situation, which is in your interest as well). You may at any time object to processing based on our legitimate interests provided we do not have compelling reasons to continue the processing.
- Video surveillance images: the Bank reserves the right to equip its publicly accessible buildings with video surveillance systems identified by signs. CCTV images are processed for the security of property and people, prevention of abuse, fraud and other offences of which you or we may be victims.
- Recording of electronic communications / telephone communications: notwithstanding our legal obligation to record in the event of a transaction involving a financial instrument (see above, pursuant to MiFID II), we may record a telephone / electronic communication (fax, e-mail, e-banking message, etc.) including the relevant content and traffic data (e.g. time of receipt of the fax) sent in the course of our services.
This data is processed for the purposes of providing proof of transactions (for you or the supervisory and/or judicial authorities), the prevention of abuse and fraud, and the quality control of the service we provide to you.
- Your customer profile: based on an analysis of your transactions, products and services provided, your financial situation (income, assets, expenses, commitments, etc.) and your family situation (family composition for example), business sector, we draw up a customer profile for marketing purposes to offer you, possibly by email, the products or services most likely to interest you (see section VIII).
- Some of the above data are analysed and used by the Bank for statistical purposes and developing risk models (where applicable, at the level of the Group to which the Bank belongs). These statistics essentially allow us to make strategic choices for the Bank (or the Group) and to analyse customers, fraud, processes and risks in general.
- Some of the above data are analysed and used by the Bank for testing, staff training and quality control purposes. For example, we can use your customer profile as a model for organizing internal training or optimizing our services.
- Personal data may also be used for the administration, risk management and control of the Group’s organisation (such as compliance, prevention of money laundering, related investigations, investor protection, etc., risk management, complaint management, internal audit and external audit, etc.).
- A limited amount of personal data may be automatically stored in the course of your visit to our website or on the mobile application for statistical purposes and in order to monitor and improve the quality of service provided to you.
The data processing we perform based on your consent (see section VIII)
If you authorise us (see section VIII), we will use your personal data for marketing purposes to:
- offer you, possibly by e-mail or other electronic / telephone manner, products / services promoted by companies in the Group to which the Bank belongs.
- send you, possibly by email or otherwise electronically, information about the Bank, economic and financial communications and invite you to conferences or events.
Collection of your personal data
We typically collect your data directly from you through forms. However, we sometimes consult external sources to collect certain data for the above-mentioned purposes (this is particularly the case for the Trade and Companies Register or their equivalents to confirm the powers of representation of managers or directors of legal persons).
We also monitor the media, particularly online, information websites or customer websites or third-party databases (third-party detection tools on regulatory lists, internet search engine, etc.) to inform us about the potential risks associated with a customer in the context of our public interest mission to prevent money laundering, combat terrorism and comply with our embargo obligations (see above).
We also collect certain data pertaining to family members of some customers from these same customers as part of the loan origination or monitoring process, only to the extent that this information is necessary to assess credit risk.
Access to your personal data
Who has access to your data?
- The Bank: only those persons who have been authorized to do so and for whom your data is relevant to the performance of their duties will have access to them (e.g. services that execute transactions and detect fraud).
- The personal information we hold is confidential and is not, under any circumstances, sold to third parties for any purpose. The Bank is required to comply with its duty of discretion as well as privacy regulations.
- The entities associated with and belonging to the Group including the Bank, in Luxembourg or abroad, as required by anti-money laundering legislation, in connection with the administration, risk management (particularly credit risk) and control of the Group’s organization.
- Autonomous entities that process your data for the purposes and using means they determine ("joint controllers"): this may be banks of the beneficiary of one of your payments, for example.
- Tax, court or regulatory authorities, on the basis of a legal obligation.
- Our subcontractors. They can only act on the basis of our instructions and are directly obliged to comply with the obligations laid down in applicable data protection regulations (in particular confidentiality and security), in the same way as we do.
- Subcontractors within the Group: for the purposes of IT management, the Bank works in particular with subcontractors within the Group to which it belongs.
- Sub-contractors for the financial sector: for certain processing / transactions, the Bank uses specialist third parties. These are notably (sub-)custodians of financial instruments, which are subject to their local financial regulations.
- Other subcontractors: the Bank may also use other subcontractors such as lawyers and other consultants, ICT service providers, etc.
Where can your data be transferred?
- Data circulating within the Group to which the Bank belongs does not in principle leave the European Economic Area (EEA) territory.
- Certain data may be transferred to subcontractors or joint controllers outside the EEA. In this case, the Bank will ensure that these are countries covered by an adequacy decision by the European Commission (i.e. they offer an equivalent level of protection to EEA member countries) or, failing that, the Bank will put appropriate guarantees in place.
Our guarantees
Because the confidentiality and integrity of personal data are essential to maintaining your trust, we ensure their security.
We have therefore put in place procedures to verify and certify our tools, intended to protect all your data against malicious use.
As IT security is at the core of our business, our specialist teams are continually mobilised to ensure the maximum protection of your data, in all arms of our business. All necessary precautions are taken to ensure the security and confidentiality of your personal data, in particular to prevent their loss, alteration, destruction or access by unauthorised third parties.
Your rights
We are happy to handle any requests you may send us regarding the exercise of your personal data rights.
Right of access to your data
You have the right to obtain, at any time, information on the processing of your data and to obtain, free of charge, a copy of your personal data held by the Bank.
Right of rectification of your data
You can obtain the rectification of inaccurate data or have incomplete data completed (for example, in the event of a change in email address).
Right of erasure of your data and the right to restriction of processing of your data
In certain circumstances, you may ask us to:
- delete the data that we process (for example, the profile we have built up on your family status to offer you new products).
- suspend or restrict the processing of your data, for example, when we process your data in the legitimate interest of the Bank (e.g. staff training) or, if you dispute the accuracy of some of your data, for the time required to verify it.
Right to portability of your data
In certain circumstances, you may ask us to transfer the data you have provided us (e.g. data from your bank transactions) that we have processed in performance of our contract or on the basis of your consent, to you or directly to a third party if technically possible (e.g. you can obtain the transfer of the statement of your transactions in a file).
Right to object to the processing of your data, particularly in the case of direct marketing
You can at any time object to the processing of your data:
- for prospecting or marketing purposes
- for the Bank’s legitimate interests (for example, for internal training purposes) unless we have legitimate and compelling reasons not to accept (for example, in the case of CCTV since it is used to protect goods and people other than you or in the case of recordings to enable us to defend ourselves in the event of a dispute).
Exceptions to your rights pertaining to the prevention of money laundering and terrorist financing
Regarding the data on you we must process pursuant to anti-money laundering and anti-terrorism regulations.
Implementation of your rights
You may at any time obtain more information on your data protection rights and exercise your above-mentioned rights, free of charge, by contacting our DPO.
When you exercise your rights, the Bank is obliged to strictly verify your identity in order to avoid another person exercising your rights on your behalf. You may therefore be asked to provide a copy of your identity papers.
Right to lodge a complaint with the data protection authority
If you are not satisfied with how we process your data or how we allow you to exercise your rights, you may lodge a complaint with the National Data Protection Authority (www.cnpd.lu).
Storage period of your data
We generally limit the storage of your data to the strict minimum and erase it as soon as the reason for the collection no longer exists.
Data processed due to a legal obligation
The data we are required to process by law shall be retained for the period required under applicable law.
Data processed to ensure the performance of the contract
We keep the data for 10 years from the end of the contract or the execution of the transaction, insofar as challenges may be submitted within this period. This period may be extended if a dispute persists after this period.
Data processed in the Bank’s legitimate interests
- Video surveillance: video images are stored for up to one month. This period may be extended if the images are to be used as evidence of transactions or breaches.
- Electronic / telephone communications: data relating to electronic / telephone communications and the content thereof may be retained until the end of the period in which the underlying transaction may be challenged in court.
If you have authorised us to do so, the Bank may use your data for the purpose of offering you banking, financial or insurance products, or other products promoted by the Bank, newsletters, quarterly reviews, by email or other electronic means (if you accept this method of communication) and by post.
You may in any case object at any time free of charge to the processing of your data for direct marketing purposes, whether by post, email or any other electronic means.
The Bank may amend this statement. The latest version can be found on the Bank’s website.
The Bank will notify you of any changes on its website, by email or any other electronic means of communication.