Effective as of 26 November 2019
The Controller of your Personal Data is the Luminor Group entity to which you have submitted your Personal Data because of a contractual or pre-contractual relationship or whose Services you (or the legal entity or arrangement you are considered to be the ultimate beneficiary owner of) intend to use.
A natural person who uses, has used or has expressed the intent to use a Service.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
All Luminor group entities directly or indirectly controlled by holding company Luminor Holding AS, registered in the Republic of Estonia, reg no 14723133, including but not limited to: Luminor Bank AS and its branches; Luminor Liising AS; Luminor Pensions Estonia AS; Luminor investicijų valdymas UAB; Luminor Lizingas UAB; Luminor Līzings, SIA; Luminor Līzings Latvija, SIA; Luminor Finance, SIA; Luminor Asset Management, IPAS; Luminor Latvijas atklātais pensiju fonds, AS; the full list of Luminor group entities and their contact details is available here.
Any legal entity or branch belonging to the Luminor Group.
Any operation carried out with Personal Data (including collection, recording, storing, alteration, grant of access to, making enquiries, transfer, etc.).
Any service offered or provided by Luminor.
The exact scope of Personal Data being processed depends on the types of Services or relationship with Luminor. Luminor’s core activities involve providing financial and insurance products and Services. This includes accounts and payment services, loans and leasing, electronic banking services, savings and investment products and services, including pension funds as well as insurance. We process your Personal Data to provide and improve these Services. Additionally, Luminor processes the Personal Data of its corporate, private customers’ and vendors’ representatives. Personal Data we collect and process includes:
We do not process sensitive data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using Services (e.g. in payments details).
We only collect data about children if they use a Luminor Service or if you provide us with information about your own children in relation to a Service you use.
We use your biometric data for remote identification of your personal identity only where you have explicitly given us the consent to use such identification method.
Generally, Luminor receives Personal Data directly from the person to whom the data relates. For example, when you:
Where Luminor transfers your Personal Data to another controller, either because of the nature of a Service (e.g. information on a payment is transferred to the receiver’s payment institution; information about the holder of a financial instrument is transferred to a central securities depository or custodian of financial instruments, etc.), due to requirements of applicable laws or when Luminor has another legal ground for such transfer, the privacy policies of such other Controllers may apply to the further processing. Our agreements with such Controllers may require us to provide a link to their privacy policies or similar documents.
The first and foremost reason why we need your Personal Data is for providing our Services. Any data processing for the fulfilment of the purposes indicated herein is foremost conducted for the conclusion, fulfilment, and ensuring the fulfilment, of any agreements under which our Services are provided.
There will be Personal Data which we will always need without regard to what Service you choose, such as your identification information or contact information, preferences of communication language, etc. But some Services, because of their nature, will require more information. For example, in the case of any type of loan or leasing, we will need information about your income and household as well as information about other liabilities. If you are applying for or have a mortgage loan, we also will need information about property, including information about its insurance. We also need specific data if you would like to apply for or are using investment products. In such cases, for example, we need to know and evaluate your overall investment experience and knowledge about these products and services to offer you suitable products and services or advise you to reconsider, when we think your choice might be too risky taking into account your personal circumstances.
Most of the data we will ask for and receive from you. However, some we receive from other sources. Information about your liabilities we will obtain from credit registers or other similar public sources. See more.
Financial services are related to various risks, and we are obliged to manage those risks to ensure the sustainability of our business model and protect the interest of depositors and society in general.
This means we monitor issued loans and the performance of those loans and learn from our history (previously issued loan history) in order to improve our credit assessment process. In addition, we may also obtain updated information from credit registers and similar public external sources. See more.
Banking is a highly regulated industry, which means that in order to provide Services to you, we need to comply with many regulations. Therefore, we need to collect explicit identification information, but in certain cases, we need to collect additional personal information. For example, to follow all anti-money-laundering requirements, we need to know information about your source(s) of income, whether you are a politically exposed person or related to one and your tax residency country. Most of that information we collect from you in the so-called Know Your Customer questionnaires. We are obliged to obtain Personal Data about you even if you are not directly our customer but the ultimate beneficiary or the owner of the corporate entity (e.g. company) which is our customer. Moreover, we are required to monitor your transactions and investigate if their pattern deviates from information provided by you earlier and, if needed, ask for additional information (e.g. agreement or other document proving source of unexpected income).
Depending on the changes in the regulatory framework under which we operate, we may need to process your Personal Data for the fulfilment of new requirements set in laws and regulations. For example, we also need to process your Personal Data in order to make sure that we fulfil all the requirements deriving from applicable sanction-related regulations, e.g. verify that you are not a sanctioned person, that your business operations do not involve sanctioned persons, that you are not under the investigation of any relevant authorities, etc. Persons who are identified as higher-risk clients might be subject to enhanced Know Your Customer measures and additional Personal Data might be asked from them or acquired about them.
We must also report to public authorities, like the state revenue service, social security institutions, central banks or other financial sector supervisory authorities. The exact scope of reported Personal Data will depend on which law(s) or regulatory requirements we are fulfilling. If you have deposits (including funds in current account(s)) or investment products, we may be obliged to report to the tax authorities about account balance(s) and interests paid; in the case of a loan, we will be obliged to report data about your loan (e.g. financial obligation(s)).
Most of the data we will receive from you, but we will also use third party registers or other sources to collect relevant personal data about you or to verify data provided by you. See more. We may use services of third parties to check such external data sources on our behalf (in such cases such third parties will process Personal Data according to our instructions and only to the extent allowed to Luminor itself).
We want to offer Services and provide information which are relevant to you. We improve our Services constantly, and thus customer data and input is very important. We also want you to know about our new or improved Services. We analyse our Customers’ data to develop and offer additional Services, perform Customer surveys, conduct market analysis and compile statistics, and organize and invite you to games, campaigns and other customer events to improve your experience while using our Services.
Financial services are exposed to criminal activities. To mitigate those risks we perform data processing – video recordings, transaction monitoring, ensuring our IT system security.
The foregoing processing activities are mainly conducted to be compliant with relevant laws and regulations and for exercising our legitimate interest, which mainly includes reducing any risks to our systems and identifying any discrepancies in databases. Based on the relevant need, all the applicable security measures are tested and renewed from time to time.
We may process, and respectively share your Personal Data for the said processing purposes with third persons, in order to be able to continuously provide the Services, currently and in the future, and further develop and enhance such Services, for example, for being able to raise funds, rate our business operations, guarantee our obligations, complying with requirements to which our shareholders are subject, etc. The foregoing processing activities are based on our legitimate interests, which are entailed in the processing purposes described previously.
We may process your Personal Data for the purposes of transactions related to the transfer of Luminor’s business or shares to the extent which is necessary for the pre-contractual engagements and conclusion or ensuring the conclusion of the relevant transactions. The foregoing processing is based on our legitimate interests which consist mainly of our need to ensure the consistency of our business and the continuous provision of our Services.
Our advertising and direct marketing communications (e.g. about our Services and related campaigns) are sent to Customers who have consented to receiving direct marketing and advertising offers from Luminor. Such Customers receive Luminor newsletters and direct marketing communications via their preferred means of communication. Luminor may market its Services to the existing Customers on the ground of legitimate interest.
Customers can give consent to receive advertising and direct marketing communications by signing a direct marketing consent form or by requesting direct marketing communications under the agreements they conclude with us. Customers who have already been receiving our direct marketing messages will continue to receive such communications after the GDPR’s entry into force.
Luminor sends newsletters and direct marketing communications. Services and products may be also promoted during various customer events organised by Luminor or its partners.
Customers have the right to object to the processing of their Personal Data for direct marketing purposes at any time and free of charge. To exercise this right, please contact the Luminor entity whose marketing material you no longer wish to receive. Customers can also opt out of receiving the newsletter or any other advertising and marketing communications using the link provided in the e-mail message or following other instructions as provided in such direct marketing communication. Customers who use the internet bank may also change their selected preferences in the system.
Only persons entitled to do so within Luminor or third parties engaged by Luminor or with whom Luminor cooperates in provision of Services (e.g. insurance companies where insurance policies are offered through Luminor, insurance brokers where they help you to insure property as required under agreement with Luminor, car dealers and/or car manufacturers where Luminor provides leasing Services, etc.) or other parties as requested or permitted by law or where you agreed to such access (e.g. payment service providers offering payment initiation or account information services to which certain information must be disclosed upon their request which is based on your agreement with such payment service providers as regulated by EU Second Payment Services Directive and implementing national laws) can access your Personal Data. In cases where Personal Data Processing is carried out on behalf of Luminor by a third party, Luminor engages only third parties providing sufficient guarantees to implement appropriate technical and organisational measures in such manner that Processing will meet the requirements of the GDPR and applicable laws and ensure the protection of your rights.
Processing activities by third-party processors shall always be governed by a Privacy & Data Processing Agreement or other specific terms agreed upon by Luminor and such third party processor.
The nature of Services provided requires us to share Customers' Personal Data to run our everyday business — to process transactions, maintain customer accounts, and report to public institutions.
We may disclose your Personal Data to:
Data may also be transferred outside the European Union and European Economic Area (EU/EEA) in some cases, for example, when the Personal Data processor engaged by Luminor is located outside the EU/EEA and such data transfer is necessary to provide Service or when requested by a Customer. Data may be transferred outside the EU/EEA only when Luminor ensures appropriate safeguard measures as required by the GDPR and there is a legal ground for such transfer.
The list of our Personal Data processors is available at /en/terms-and-conditions. This list can be changed without separate notice.
To protect your Personal Data from unauthorized access, unlawful Processing or disclosure, accidental loss, modification or destruction, we use appropriate measures that comply with applicable laws. These measures include technical measures, such as the selection and configuration of appropriate computer systems, securing relevant connections, and protection of data and files, as well as organizational measures, such as limiting access to these systems, files and facilities, careful selection and monitoring of hosting service providers.
Luminor is dedicated to ensuring that Personal Data Processing is fair and transparent and all persons’ rights arising under applicable laws are always ensured. In particular, you have:
Personal data is retained in accordance with the applicable laws and no longer than is necessary. Personal data retention periods are determined by Luminor and depend on the specific contract and basis of Personal Data Processing. For more detailed information on some retention periods and the principles for how we determine specific retention periods for your Personal Data processed by us, please follow this link.
Profiling is Customer segmentation by evaluating the personal aspects relating to a natural person in order to apply a relevant service model or tailored marketing offers or perform risk assessment for anti-money laundering purposes.
Automated decision making is a form of decision making under which a certain decision regarding a person is made using automated means.
Luminor uses profiling to prepare analyses for Customer advice, for direct marketing purposes, to support automated decision-making such as credit assessments, for risk management and for transaction monitoring to counter fraud, including automated collection of data from databases and making preliminary assessments and conclusions whether you are eligible for our Services taking into account the relevant laws and regulations that apply to us and our internal procedures. Luminor uses profiling based on the following legal grounds:
Luminor may make a decision with respect to the Customer, including but not limited to making an assessment about the creditworthiness of the Customer based solely on automated processing of the Personal Data.
In such a case, the Customer has a right not to be subject to a decision based solely on automated processing, including profiling. Such right may be exercised by the Customer if, based on the automated decision, Luminor has refused to enter into the contract or provide Services. Upon your request, a solely automated decision will be revised by Luminor employees.
More detailed descriptions of processes which include automated decision making can be found here.
If you have any questions or concerns regarding how Luminor processes Personal Data about you, or if you wish to exercise any of your rights, Luminor encourages you to contact us via telephone or e-mail or in writing to contact page.
Contact details for any privacy-related questions are as follows:
Data protection officer in Lithuania
Data protection officer in Latvia
Data protection officer in Estonia