Client Privacy Notice

2. Capitalised terms not defined herein shall have the meaning ascribed to them in FundBank (Europe) S.A.’s general terms and conditions (the “Terms”).

3. The Bank is committed to protecting your privacy and Personal Data. This Client Privacy Notice sets out how and why the Bank collects and processes Personal Data, when we share it with others, and your rights in this respect as Data Subject. For the avoidance of doubt, in the event of any conflict between the terms of this Client Privacy Notice and any other terms of the Terms, this Client Privacy Notice shall prevail in relation to any data protection-related matters.

4. The Bank processes Personal Data in accordance with Data Protection Law. For the purposes of Data Protection Law, this Client Privacy Notice applies when the Bank acts in a capacity as Controller Processing Personal Data about Data Subjects, more particularly Clients who are natural persons or natural persons representing or working for Clients who are legal persons and any of their respective representatives, provided to, or collected by, the Bank and provided to, collected or otherwise obtained by or on behalf of, the Bank, whether from these natural persons or indirectly from other sources (including from public sources). This Client Privacy Notice will continue to produce its effects as applicable after the end of our professional relationships with the relevant Clients.

5. The Bank has established a Data Protection Policy in line with GDPR requirements. A knowledgeable and experienced senior officer within the Bank acts as point of contact for data protection-related matters. If you have any questions about the Processing of your Personal Data or your data protection-related rights, or if you want to exercise those rights, please contact dataprivacy_lux@fundbank.com

6. What Personal Data do we process?

We need to or must collect and process certain Personal Data for the purposes of entering into and maintaining our commercial and contractual relationship with Clients as well as for providing our services. If you do not provide us with such Personal Data, we may not be in a position to enter into, execute or perform our contract with you or provide you with our services. We shall inform you if your refusal to provide certain Personal Data or if the exercise of your legal rights (as further described below) may result in the termination of our contract with you or have other consequences for you.

In the course of our business and for the provision of our services to Clients, the Personal Data that the Bank may process include:

1. 1. As the Bank gathers and processes your Personal Data in order to open your Account and to administer the services under these Terms: your name, contact details such as names, addresses, country(-ies) of residence, tax residence(s), telephone numbers, e-mail addresses, and personal details such as date of birth, gender;
   2. copy and number of identity documents (identity card, passport and or driver’s licence, national identification number, tax identification number, copy of utility bills, authentication data (signature));
   3. status as an ultimate beneficial owner of an entity or as a politically exposed person;
   4. bank and financial details (including bank account numbers and balance), transactions history, income, assets and properties, source of wealth, source of funds, investment preferences;
   5. communications data (telephone conversations, e-mails, etc.);
   6. image and sound (e.g. telephone recordings, pictures of copies of identity documents, video recordings through the CCTV systems installed in the premises of the Bank);
   7. history of professional relationship with us;
   8. any other Personal Data provided to us within the course of your pre-contractual, contractual and commercial relationship with us, including information resulting from know your customer and anti-money laundering and counter terrorism financing (KYC/AML-CTF) checks, and due diligence as required under applicable AML-CTF laws, including in this respect, as applicable, special categories of personal data such as information about criminal convictions and offences; we may collect information and documents relating to Data Subjects connected to you (including the individuals involved into your management or control or individuals purporting to act on your behalf) from third parties you are connected with, such as your other service providers; additionally, we may use information and documents that we collect about a Data Subject’s connection with one entity in the context of other entities concerned;
   9. information the Bank collects or generates for risk management purposes such as Client due diligence data, client risk profiles, data to assess suitability/ appropriateness, Client qualification data, tax data or complaint information;
   10. marketing and sales information (newsletter, documents received, invitations to and participation in events and special activities); and
   11. information available through ‘cookies’ and similar technologies on websites, online portal, mobile applications and in emails to recognize a data subject, to record data subject’s preferences and the identity content that the Bank considers of interest to a data subject.

7. What are the legal bases and Purposes of our Processing?

We collect, use, store, share and otherwise process your Personal Data as follows:

Legal bases	Purposes	Categories of Personal Data (by reference to information referred to under Section 6 above)
The Processing is necessary for us to perform our contract with you or for requested pre-contractual steps	Steps necessary and useful for the entry into of professional relationships with you, the conclusion of contracts with you and their execution, establishing your identity and providing, servicing and administering client accounts, including communicating with you, maintaining appropriate business records (including registers of accountholders), responding to or evaluating any queries or complaints in relation to your account	(a), (b), (c), (d), (e), (f), (h), (i)
	Performance and administration of our professional and contractual relationships with you and, where relevant, provision of our services and execution of the orders requested by you, including opening and management of accounts administration of banking, tracking fees and costs and ancillary services including payment instructions, deposits, loans and related securities, investments and similar financial transactions	(a), (b), (c), (d), (e), (f), (g), (h), (i)
The Processing is necessary to comply with our legal and regulatory obligations and/or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us	Verifying your identity and the source of your wealth and more generally comply with KYC/AML-CTF related obligations and due diligence obligations, including transaction monitoring	(a), (b), (c), (d), (f), (h), (i)
	Crime-detection, prevention, investigation and prosecution, including bribery, anti-corruption, tax evasion	(a), (b), (c), (d), (e), (f), (g), (h), (i)
	Preventing the provision of financial and other services to persons who may be subject to economic or trade sanctions	(a), (b), (c), (d), (e), (f), (g), (h), (i)
	Responding to legal or court requests or requests from regulatory authorities	(a), (b), (c), (d), (e), (f), (g), (h), (i)
	Complying with: regulations governing collective investment schemes mandatory tax or other reporting such as the OECD Common Reporting Standard for exchange of information (CRS), the US Foreign Account Tax and Compliance Act (FATCA), Automatic Exchange of Information (AEI); in this context, Personal Data about Data Subjects will be shared with the Luxembourg tax authorities (and any service provider with which the Bank operates) which may in turn share the information with foreign tax authorities; failure to respond may lead to incorrect or double reporting any reporting and exchange of information regime to which the Bank is subject from time to time legal and regulatory reporting to the relevant supervisory authorities obligations of cooperation with Luxembourg and international authorities	a), (b), (c), (d), (e), (f), (g), (h), (i)
	Record keeping of services and transactions	(a), (b), (c), (d), (e), (f), (g), (h), (i)
The Processing is necessary for our or a third party’s legitimate interests (as listed here) and where your interests do not override these interests	Conducting our business in a responsible and commercially prudent manner	(a), (b), (c), (d), (e), (f), (g), (h), (i), (k)
	Pursuing our corporate and social responsibility objectives	(a), (b), (c), (d), (e), (f), (g), (h), (i), (j)
	For customer service, training and related purposes	(a), (b), (c), (d), (e), (f), (g), (h), (i), (j)
	Ensuring the maintenance of our IT systems or repairing any IT defects or failures; securing communication channels and IT systems	(a), (b), (c), (d), (e), (f), (g), (h), (k)
	Conducting internal or external audits	(a), (b), (c), (d), (e), (f), (g), (h), (i)
	Risk management and prevention of fraud or other criminal activity	(a), (b), (c), (d), (e), (f), (g), (h), (i), (k)
	Where applicable, managing disputes, complaints and litigation concerning you	(a), (b), (c), (d), (e), (f), (g), (h), (i)
	Establishing, exercising or defending legal claims	(a), (b), (c), (d), (e), (f), (g), (h), (i), (k)
	Transferring Personal Data in case of merger, acquisition or other restructuring operations, transfer of rights, assets or liabilities to third parties [(including beneficiaries of security arrangements)], including their legal counsel, financial and other advisors and appointed auditors and due diligence by potential buyers [or beneficiaries].	Only Personal Data necessary for: the performance of the transaction; and/or the continuation of the activity and services by the transferee/assignee; and/or the performance of the security arrangements; and/or the carrying out of the due diligence process.
	Quality control, business and statistical analysis, market research	(a), (b), (c), (d), (e), (f), (g), (h), (i), (j), (k)
	Direct marketing actions and commercial communications, i.e. providing you with information on our products and services and those of our commercial partners	(j)
The Processing is made with your consent (in which case you may withdraw your consent at any time, without this affecting the Processing carried out before such withdrawal and without prejudice to retention or Processing that may be required from us by law)	Personal data for marketing or websites analytics purposes	(j), (k)

 

8. Who do we share Personal Data with?

The international nature of our business, the worldwide location of our customers and service providers and our global organisation of human and information technology resources management entail communications and transfer of information to a wide range of countries, including outside of the European Union (such as the Cayman Islands, United States of America or Australia). In relation to countries that do not offer a similar level of data protection as within the European Union, we have implemented Appropriate Safeguards according to Data Protection Law as mentioned below. Upon your request, we can provide you with more information in respect of transfers outside of the European Union.

In that context, we may share Personal Data with the following Recipients (acting as independent Controllers and/or Processors) to the extent we deem such disclosure or transmission to be necessary or desirable for satisfying the Purposes described above:

1. 1. our parent company FB Financial Holding (Luxembourg) Inc. located in Delaware, United States of America for the purposes of client and service provider/vendor administration and management, and the management and protection of our corporate information technology resources and system; subject always to applicable laws and regulations of the financial sector;
   2. other members of the Bank’s corporate group or the corporate groups of any entities referred to below, as well as affiliates, agents and delegates which are located in various countries in and outside of the European Union for the purposes of outsourcing certain of the Bank’s functions and services, subject always to applicable laws and regulations of the financial sector;
   3. our internal and external auditors and legal or other advisers from time to time located in Luxembourg or abroad;
   4. representatives, agents, officers and/or employees of buyers or potential buyers or beneficiaries or potential beneficiaries of security arrangements, including their legal counsel, financial and other advisors and appointed auditors, in case of (potential) merger, acquisition or other restructuring operations, transfer of rights, assets or liabilities and/or during the due diligence process.
   5. our service providers (including parent company, affiliates and branches, counterparties, intermediaries, nominees, custodians and correspondents such as banks, insurance companies, brokers, organisations involved in money transfers and financial institutions as third-party service providers appointed by the Bank as applicable, screening and other compliance-related service providers, third party information technology service providers), in and outside the EU.
   6. public, governmental, administrative (such as the Administration des contributions directes and the Administration de l’enregistrement, des domaines et de la TVA, the Department for International Tax Cooperation and other foreign tax authorities, the Luxembourg Monetary Authority, the Financial Reporting Authority) or other or judicial entities in Luxembourg or abroad.

9. How long do we keep Personal Data?

We will not keep Personal Data for longer than the time necessary for satisfying the Purposes, subject to the legal periods of limitation (as a principle, 10 (ten) years for commercial matters) and to the situations where applicable laws require or allow Personal Data to be retained for a certain period of time after the termination of the contractual and commercial relationship (such as the legal obligation to keep accounting documents for a period of 10 (ten) years after the end of the financial year to which they relate). Without prejudice to the generality of the foregoing:

1. 1. Personal Data processed for the purpose of client and service provider/vendor administration and management will be kept for a period of 10 (ten) years after the termination of our contract with you;
   2. Personal Data processed for the purposes of contacting you will be kept for a period of 10 (ten) years after the termination of our contract with you;
   3. Personal Data contained in documents related to customer due diligence or supporting evidence and records of transaction which are necessary to identify transactions will be kept for a period of 10 (ten) years after the end of business relationship or after the date of an occasional transaction as applicable; where the regulatory authorities so order, these documents may have to be kept for a further period of five years where the necessity and proportionality of such further retention has been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing; and
   4. Recordings of telephone conversations and electronic communications will be kept as long as, but not more than, necessary for the abovementioned purposes (i.e. keeping track of transactions for evidencing purposes, complying with law and regulations, allowing assistance and investigations by the Bank or the competent authorities), the maximum period being either (i) the end of the relationship between the Client and the Bank plus the statutory limitation periods applicable for the exercise or defence of a legal claim, or (ii) the end of the legal requirement to keep personal data for a certain period of time, even after the termination of the relationship between the Client and the Bank, whichever is later. Telephone recordings and electronic communications relating to certain transactions must by law be kept by the Bank for a period of 5 years, or up to 7 years if required by the CSSF;

We may keep and process Personal Data about you after the termination of our contractual and commercial relationship for specific purposes such as the compliance with legal obligations or the establishment, exercise or defence of legal claims.

10. What are your rights?

Subject to the conditions of Data Protection Law, you have the right, in certain circumstances and subject to applicable exemptions, in relation to your Personal Data, to:

1. 1. obtain from us confirmation as to whether or not Personal Data relating to you are being processed, and, where that is the case, access to the Personal Data and relevant information in that regard;
   2. obtain from us without undue delay the rectification of inaccurate Personal Data relating to you and, taking into account the purposes of the Processing, have incomplete Personal Data completed;
   3. obtain from us the erasure of Personal Data relating to you, except where we have a legal obligation to keep such Personal Data;
   4. request that your Personal Data should no longer be processed for particular purposes (in certain specific circumstances);
   5. where the legal basis for Processing is consent, withdraw your consent at any time;
   6. on grounds relating to your particular situation, object to the Processing of Personal Data relating to you that we carry out on the basis of the legitimate interest we pursue; in such a situation, we shall stop Processing such Personal Data except if we demonstrate compelling legitimate grounds for the Processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims; and
   7. where relevant, receive Personal Data concerning you which you have provided to us on the basis of the contract with us in a structured, commonly used, machine-readable format, and transmit it to another Controller (in certain specific circumstances).

You can exercise your abovementioned rights by contacting us at dataprivacy_lux@fundbank.com .

You also have the right to lodge a complaint with a Supervisory Authority, in particular in a European member state of your habitual residence, place of work or place of the alleged infringement if you consider that the Processing of Personal Data relating to you infringes the requirements of the GDPR.

11. Consent to Direct Marketing

From time to time, the Bank or any of the affiliates listed above may send you information about other products and services that they offer by letter, telephone, by e-mail or by other reasonable means of communication. You have a right not to receive such information. You have a right to withdraw this consent at any time. However, your withdrawal of consent will not affect the lawfulness of Processing based on consent before your withdrawal.

12. What do we expect from you?

We request that you inform us in writing and without undue delay about changes in the information you provided us about you so that we can keep it up-to-date.

If you provide us with Personal Data not relating to you (e.g. information about your directors, employees or other staff members and/or agents, representatives, beneficial owners, shareholders, family, etc.), you must first inform them about this fact and make sure they acknowledge that we can use such information as set out in this Client Privacy Notice. In particular, you must provide them with the information relating to their rights as Data Subjects. We will consider that these individuals are informed of the Processing of Personal Data relating to them that we may carry out and of the transfer of their Personal Data to third parties as described above, and that, as far as necessary, you have obtained the prior written consent of these Data Subjects.

13. How can you obtain more information?

If you would like to receive more information on how we process Personal Data relating to you, please contact dataprivacy_lux@fundbank.com.

14. How will we update this Client Privacy Notice?

Changes may occur in the way we process information about you. In case these changes require us to update this Client Privacy Notice, we will bring this to your attention and may do so by any means such as by e-mail, letter, hyperlink to our website or otherwise. The latest version will always be available upon request at dataprivacy_lux@fundbank.com.