Definitions

Controller

The Controller of your Personal Data is the Luminor Group entity to which you have submitted your Personal Data because of a contractual or pre-contractual relationship or whose Services you (or the legal entity or arrangement you are considered to be the ultimate beneficiary owner of) intend to use.

Customer

A natural person who uses, has used or has expressed the intent to use a Service.

GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Luminor Group

All Luminor group entities directly or indirectly controlled by holding company Luminor Group AB, registered in the Kingdom of Sweden, org. No 559072-8316, including but not limited to: Luminor Bank AS and its branches; Luminor Kindlustusmaakler OÜ; Luminor Liising AS; Luminor Pensions Estonia AS; Luminor investicijų valdymas UAB; Luminor Lizingas UAB; Luminor Līzings, SIA; Luminor Līzings Latvija, SIA; Luminor Finance, SIA; Luminor Asset Management, IPAS; Luminor Latvijas atklātais pensiju fonds, AS; the full list of Luminor group entities and their contact details is available here.

Luminor

Any legal entity or branch belonging to the Luminor Group.

Personal Data

Any information directly or indirectly related to an identified or identifiable Customer or other natural person whose data is processed according to this Privacy Policy and applicable laws (for example, an ultimate beneficiary owner of the customer as a legal entity).

Processing

Any operation carried out with Personal Data (including collection, recording, storing, alteration, grant of access to, making enquiries, transfer, etc.).

Service

Any service offered or provided by Luminor.


I. General information

When does this Privacy Policy apply?

This Privacy Policy applies when you use, have used or have expressed an intention or interest to use Luminor’s services. It also applies when you are related to any of the Services indirectly (for example, as a collateral provider, an insured person in an insurance agreement or a representative of corporate or private customers, direct underlying or ultimate beneficial owner, shareholder, signatory, contractual counterparty, other person who has or had business relationships with Luminor). It also applies in cases when the relationship has been established before this Privacy Policy has entered into force, and when you have provided and/or Luminor has obtained your Personal Data.

Which of my Personal Data are processed?

The exact scope of Personal Data being processed depends on the types of Services or relationship with Luminor. Luminor’s core activities involve providing financial and insurance products and Services. This includes accounts and payment services, loans and leasing, electronic banking services, savings and investment products and services, including pension funds as well as insurance. Luminor also offers selected real estate-related financial services. We process your Personal Data to provide and improve these Services. Additionally, Luminor processes the Personal Data of its corporate, private customers’ and vendors’ representatives. Personal Data we collect and process includes:

  • identification data such as name, surname, middle name, personal identification number (national ID number, customer ID, employee code, internet bank ID), date of birth, tax identification number, country of birth, gender, citizenship, passport data, photograph;
  • contact data such as residence address or address for communication purposes, postal address, telephone number (for example, landline and mobile number), email address, language of communication;
  • digital identification data such as Internet bank ID, mobile bank ID, social media or Skype personal ID;
  • financial data such as monthly salary and other regular or irregular income, financial liabilities, source of income (funds), data about transactions, property, debts, bank account, card information, credit history data;
  • occupation (employment) data such as data about employer / previous employer, occupation, working experience, education, professional certificates;
  • family data such as marital status, dependants and / or family members;
  • location data (transaction place, IP address, login place), login of internet usage;
  • special category data such as data about criminal convictions, legal capacity (in special cases);
  • other data:
    • data about the participation in companies and other types of legal entities, data about managers and other persons having decisive votes or representatives of the companies using or intending to use Services, as well as their ultimate beneficiary owners’ information and contact details of the representatives of the companies using or intending to use Services;
    • information on social security contributions and insurance, information on payable pension/ allowance/ indemnification;
    • legal proceedings (type);
    • correspondence records (type, date, tracking ID);
    • risk profiling and classification (risk type, risk class);
    • video surveillance data such as video records captured at ATMs and Customer service units;
    • voice records data such as voice records of phone or Skype or other Internet based calls;
    • data concerning the applicability of any sanctions, including data regarding any relevant business dealing or activities, including any adverse media coverage that is available.

We do not process sensitive data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using Services (e.g. in payment details).

We only collect data about children if they use a Luminor Service or if you provide us with information about your own children in relation to a Service you use.

How does Luminor collect my Personal Data?

Generally, Luminor receives Personal Data directly from the person to whom the data relates. For example, when you:

  • apply for Services (for example, open an account or apply for a loan or leasing);
  • use Services (for example, use your credit or debit card or deposit money);
  • make contributions to Luminor pension funds;
  • contact Luminor (for example, visit our website or internet bank, contact us via phone or other means of distance communication), fill in a form on our websites or leave your contact information with Luminor for whatever reason;
  • visit our websites, use our internet bank or phone app.

In some instances, Luminor obtains Personal Data from persons other than the data subject (e.g. you). This is the case, for instance, when a parent applies for a service that involves a child, or when legal entities apply for services that involve their employees, or when one spouse provides Personal Data about another, or when, according to applicable laws, information related to financial obligations and incomes of a household has to be obtained and evaluated. In such instances, we require that such data subjects are informed about the disclosure of their Personal Data to Luminor and the purpose of such Personal Data Processing. Furthermore, in such instances we require that when you are providing Personal Data about a data subject other than yourself you introduce such data subjects to our Privacy Policy.

Personal Data can also be provided to Luminor by third parties on the request of a potential customer. For example, real estate brokers or car dealers may send your Personal Data to Luminor if so requested by you.

Personal data can also be received by Luminor when we are signing various agreements where a counterparty or a representative of a counterparty is not necessarily a Customer (e.g. mortgage agreement, warranty agreement, agreement concluded with a legal entity, where contact persons or representatives’ data are indicated).

Within the Luminor Group, all Luminor entities have access to Personal Data disclosed to Luminor insofar as such access is necessary for administrative purposes or covered by Luminor’s legitimate interests.

When we have a legitimate interest (which entails the mitigation of our risks depending on the type of service you procure from us, risk assessment activities, etc.) we also collect your Personal Data from other external sources, such as credit bureaus, public and private registers or other companies or state institutions, including information from databases of third-party service providers and publicly available sources, such as media sources, search engines which may include automated data processing means or artificial intelligence solutions.

Does Luminor use cookies?

Yes, Luminor uses cookies, which are small text files placed on your computer, smartphone or other device in order to improve the website functionality and facilitate better user experience. Luminor’s Cookie Policy is available at www.luminor.ee/en/using-online-banking-safely.

What does it mean when Luminor refers to another Controller and its Privacy Policies?

Where Luminor transfers your Personal Data to another controller, either because of the nature of a Service (e.g. information on payment is transferred to receiver’s payment institution; information about holder of a financial instrument is transferred to central securities depository or custodian of financial instruments, etc.), due to requirements of applicable laws or when Luminor has other legal ground for such transfer, the privacy policies of such other Controllers may apply to further processing. Our agreements with such Controllers may require us to provide a link to their privacy policies or similar documents.


II. Why does Luminor collect and process my Personal Data?

Providing Services

The first and foremost reason why we need your Personal Data is for providing our Services. Any data processing for the fulfilment of the purposes indicated herein is foremost conducted for the conclusion, fulfilment, and ensuring the fulfilment, of any agreements under which our Services are provided.
 
There will be Personal Data which we will always need without regard to what Service you choose, such as your identification information or contact information, preferences of communication language, etc. But some Services, because of their nature, will require more information. For example, in the case of any type of loan or leasing, we will need information about your income and household as well as information about other liabilities. If you are applying for or have a mortgage loan, we also will need information about property, including information about its insurance. We also need specific data if you would like to apply for or are using investment products. In such cases, for example, we need to know and evaluate your overall investment experience and knowledge about these products and services to offer you suitable products and services or advise you to reconsider, when we think your choice might be too risky taking into account your personal circumstances.

Most of the data we will ask for and receive from you. However, some we receive from other sources. Information about your liabilities we will obtain from credit registers or other similar public sources. See more.

Protecting the interests of depositors

Financial services are related to various risks, and we are obliged to manage those risks to ensure the sustainability of our business model and protect the interest of depositors and society in general.

This means we monitor issued loans and the performance of those loans, and learn from our history (previously issued loan history) in order to improve our credit assessment process. In addition, we may also obtain updated information from credit registers and similar public external sources. See more.

Fulfilling requirements set in laws and regulations

Banking is a highly regulated industry, which means that in order to provide Services to you, we need to comply with many regulations. Therefore, we need to collect explicit identification information, but in certain cases, we need to collect additional personal information. For example, to follow all anti-money-laundering requirements, we need to know information about your source(s) of income, whether you are a politically exposed person or related to one and your tax residency country. Most of that information we collect from you in the so-called Know Your Customer questionnaires. We are obliged to obtain Personal Data about you even if you are not directly our customer but the ultimate beneficiary or the owner of the corporate entity (e.g. company) which is our customer. Moreover, we are required to monitor your transactions and investigate if their pattern deviates from information provided by you earlier and, if needed, ask for additional information (e.g. agreement or other document proving source of unexpected income).
 
Depending on the changes in the regulatory framework under which we operate, we may need to process your Personal Data for the fulfilment of new requirements set in laws and regulations. For example, we also need to process your Personal Data in order to make sure that we fulfil all the requirements deriving from applicable sanction-related regulations, e.g. verify that you are not a sanctioned person, that your business operations do not involve sanctioned persons, that you are not under the investigation of any relevant authorities, etc. Persons who are identified as higher-risk clients might be subject to enhanced Know Your Customer measures and additional Personal Data might be asked from them or acquired about them.
 
We must also report to public authorities, like the state revenue service, social security institutions, central banks or other financial sector supervisory authorities. The exact scope of reported Personal Data will depend on which law(s) or regulatory requirements we are fulfilling. If you have deposits (including funds in current account(s)) or investment products, we may be obliged to report to the tax authorities about account balance(s) and interests paid; in the case of a loan, we will be obliged to report data about your loan (e.g. financial obligation(s)).
 
Most of the data we will receive from you, but we will also use third party registers or other sources. See more.

Improving services and being relevant to you

We want to offer Services and provide information which are relevant to you. We improve our Services constantly, and thus customer data and input is very important. We also want you to know about our new or improved Services. We analyse our Customers’ data to develop and offer additional Services, perform Customer surveys, conduct market analysis and compile statistics, and organize games or campaigns to improve your experience while using our Services.

Ensuring security

Financial services are exposed to criminal activities. To mitigate those risks we perform data processing – video recordings, transaction monitoring, ensuring our IT system security.
 
The foregoing processing activities are mainly conducted to be compliant with relevant laws and regulations and for exercising our legitimate interest, which mainly includes reducing any risks to our systems and identifying any discrepancies in databases. Based on the relevant need, all the applicable security measures are tested and renewed from time to time.

Ensuring the continuous business activities of Luminor

We may process, and respectively share your Personal Data for the said processing purposes with third persons, in order to be able to continuously provide the Services, currently and in the future, and further develop and enhance such Services, for example, for being able to raise funds, rate our business operations, guarantee our obligations, complying with requirements to which our shareholders are subject, etc. The foregoing processing activities are based on our legitimate interests, which are entailed in the processing purposes described previously.

Business transfer

We may process your Personal Data for the purposes of transactions related to the transfer of Luminor’s business or shares to the extent which is necessary for the pre-contractual engagements and conclusion or ensuring the conclusion of the relevant transactions. The foregoing processing is based on our legitimate interests which consist mainly of our need to ensure the consistency of our business and the continued provision of our Services.


III. Advertising and direct marketing

Who receives Luminor’s advertising and direct marketing communications?

Our advertising and direct marketing communications (e.g. about our Services and related campaigns) are sent to Customers who have consented to receiving direct marketing and advertising offers from Luminor. Such Customers receive Luminor newsletters and direct marketing communications via their preferred means of communication. Luminor may market its Services to the existing Customers on the ground of legitimate interest.

How do I give consent to receive advertising and direct marketing?

Customers can give consent to receive advertising and direct marketing communications by signing a direct marketing consent form or by requesting direct marketing communications under the agreements they conclude with us. Customers who have already been receiving our direct marketing messages will continue to receive such communications after the GDPR’s entry into force.

What kind of advertising and direct marketing activities does Luminor perform?

Luminor sends newsletters and direct marketing communications. Services and products may be also promoted during various customer events organised by Luminor.

Can I object to the use of my Personal Data for direct marketing purposes?

Customers have the right to object to the processing of their Personal Data for direct marketing purposes at any time and free of charge. To exercise this right, please contact the Luminor entity whose marketing material you no longer wish to receive. Customers can also opt out of receiving the newsletter or any other advertising and marketing communications using the link provided in the e-mail message or following other instructions as provided in such direct marketing communication.


IV. Sharing and protection of my Personal Data

Who can access my Personal Data?

Only persons entitled to do so within Luminor or third parties engaged by Luminor or with whom Luminor cooperates in provision of Services (e.g. insurance companies where insurance policies are offered through Luminor, insurance brokers where they help you to insure property as required under agreement with Luminor, car dealers and/or car manufacturers where Luminor provides leasing Services, etc.) or other parties as requested or permitted by law can access your Personal Data. In cases where Personal Data Processing is carried out on behalf of Luminor by a third party, Luminor engages only third parties providing sufficient guarantees to implement appropriate technical and organisational measures in such manner that Processing will meet the requirements of the GDPR and applicable laws and ensure the protection of your rights.
 
Processing activities by third-party processors shall always be governed by a Privacy & Data Processing Agreement or other specific terms agreed upon by Luminor and such third party processor.

With whom may my Personal Data be shared?

The nature of Services provided requires us to share Customers' Personal Data to run our everyday business — to process transactions, maintain customer accounts, and report to public institutions.

We may disclose your Personal Data to:

  • Luminor shareholders (direct or indirect), in case the sharing is required by the regulatory enactments governing the activities of the shareholders or where the foregoing disclosure is based on the legitimate interests of the shareholders which includes the need to ensure that Luminor complies with the regulatory requirements to which its shareholders are subject;
  • Luminor group entities (for administrative and marketing purposes);
  • Luminor cooperation partners, with whom Luminor offers co-branded products and Services (for providing such Services and products as well as for marketing and advertising such products);
  • state institutions and other entities performing functions delegated to them by law;
  • authorized auditors, legal and financial advisers;
  • Personal Data processors and their sub-processors engaged by Luminor who process your Personal Data on behalf of Luminor, e.g. to assist Luminor in providing Services, fulfilling its obligations deriving from applicable laws and regulation, improving its systems, etc.;
  • any entity who is involved in the provision of Services to you, including entities involved for the fulfilment of your transactions (for example, correspondent banks, financial institutions, insurance companies, financial intermediaries, brokers, participants of, or parties to, payment, clearing or settlement systems, exchanges and other);
  • any entity who provides or intends to provide financing to Luminor, is involved in the provision of any type of financing (including by way of loan, public offering, issuing of any type of financial instruments, securities, notes, bonds), including entities arranging, structuring, organising, guaranteeing such financing or providing supporting services in connection with any of the aforementioned and their advisors. The foregoing disclosure is based on the legitimate interests of Luminor, and the financers, having the purpose of ensuring the consistency of our business and the continued provision of our Services, including the necessary financing for offering our Services;
  • any rating agency for the purpose of acquiring a rating for Luminor or any financial instruments issued by Luminor. The foregoing disclosure is based on the legitimate interests of Luminor having the purpose of ensuring the consistency of our business and the continued provision of our Services, including the necessary financing for offering our Services;
  • credit and financial institutions, credit bureaus, financial services brokers and insurance service providers;
  • managers of public registers;
  • debt collection companies, credit bureaus and other third parties to which Luminor may assign, pledge or transfer its rights and obligations;
  • a third party to the extent necessary for Luminor in order to protect or enforce its rights and legitimate interests, in particular upon breach of any obligations by the Customer, unless provided otherwise in the applicable law;
  • any person to whom the disclosure of Personal Data is required or allowed under the legislation applicable to Luminor or the activities of Luminor.

Data may also be transferred outside the European Union and European Economic Area (EU/EEA) in some cases, for example, when the Personal Data processor engaged by Luminor is located outside the EU/EEA and such data transfer is necessary to provide Service or when requested by a Customer. Data may be transferred outside the EU/EEA only when Luminor ensures appropriate safeguard measures as required by the GDPR and there is a legal ground for such transfer.

The list of our Personal Data processors is available at /en/terms-and-conditions. This list can be changed without separate notice.

How does Luminor protect my Personal Data?

To protect your Personal Data from unauthorized access, unlawful Processing or disclosure, accidental loss, modification or destruction, we use appropriate measures that comply with applicable laws. These measures include technical measures, such as the selection and configuration of appropriate computer systems, securing relevant connections, and protection of data and files, as well as organizational measures, such as limiting access to these systems, files and facilities, careful selection and monitoring of hosting service providers.


V. Your rights in relation to Personal Data processing

What are my rights?

Luminor is dedicated to ensuring that Personal Data Processing is fair and transparent and all persons’ rights arising under applicable laws are always ensured. In particular, you have:

  • the right to access the Personal Data Luminor processes about you. Upon your request, Luminor shall:
    • confirm as to whether or not Personal Data relating to you are being processed and provide information as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed;
    • communicate to you about the Personal Data undergoing Processing and about any available information as to their source;
    • provide to you knowledge of the logic involved in any automated processing of Personal Data concerning you in the case of automated decisions.
  • the right to request us to rectify any inaccurate Personal Data;
  • when Processing of Personal Data is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal;
  • the right to receive the Personal Data Processed in a structured, commonly used and machine-readable format and the right to transmit the Personal Data to another controller under certain conditions;
  • under certain circumstances, you shall have the right to request erasure or restriction of Processing of the Personal Data;
  • the right to object to the Processing of the Personal Data for specific purposes and under certain conditions;
  • you also have a right to lodge a complaint with a supervisory authority – in Estonia to the Data Protection Inspectorate; in Lithuania to the State Data Protection Inspectorate; in Latvia to the Data State Inspectorate.


VI. How long Luminor retains Personal Data

How long is my Personal Data retained by Luminor?

Personal data is retained in accordance with the applicable laws and no longer than is necessary. Personal data retention periods are determined by Luminor and depend on the specific contract and basis of Personal Data Processing. For more detailed information on some retention periods and the principles for how we determine specific retention periods for your Personal Data processed by us, please follow this link.


VII. Profiling and automated decision making

What is profiling and automated decision making?

Profiling is Customer segmentation by evaluating the personal aspects relating to a natural person in order to apply a relevant service model or tailored marketing offers or perform risk assessment for anti-money laundering purposes.
 
Automated decision making is a form of decision making under which a certain decision regarding a person is made using automated means.

What does Luminor use profiling and automated decision making for?

Luminor uses profiling to prepare analyses for Customer advice, for direct marketing purposes, to support automated decision-making such as credit assessments, for risk management and for transaction monitoring to counter fraud, including automated collection of data from databases and making preliminary assessments and conclusions whether you are eligible for our Services taking into account the relevant laws and regulations that apply to us and our internal procedures. Luminor uses profiling based on the following legal grounds:

  • compliance with a legal obligation. Luminor may process Personal Data and evaluate personal aspects if Luminor must perform risk assessment for anti-money laundering purposes;
  • consent from the Customer or in some limited cases also on the ground of legitimate interest. Luminor may use profiling to evaluate the Customer’s need, develop its Services, and provide more relevant and just-in-time Service offers. The legitimate interests for implementing the automated decision making means are as follows: automated decision-making processes are implemented for a smooth servicing process and for ensuring that we are able to comply with our legal obligations, taking into account the vast amount (in quality and quantity) of data to be processed for ensuring the timely and full compliance with our obligations deriving from applicable legislative acts and laws.

Do I have a right to choose if I want to be subject to a decision based on automated processing, including profiling?

Luminor may make a decision with respect to the Customer, including but not limited to making an assessment about the creditworthiness of the Customer based solely on automated processing of the Personal Data.
 
In such a case, the Customer has a right not to be subject to a decision based solely on automated processing, including profiling. Such right may be executed by the Customer if, based on the automated decision, Luminor has refused to enter into the contract or provide Services. Upon your request, a solely automated decision will be revised by Luminor employees.
 
More detailed descriptions of processes which include automated decision making can be found here.


VIII. Final provisions

Legal statement and validity

This Privacy Policy is not designed to form a legally binding contract between Luminor and the Customer – instead, it is a guide on our Personal Data protection standards. As we are constantly working on improving and developing our Services and websites we may change this Privacy Policy from time to time. We will not reduce your rights as a result of such changes. In the case of material changes and where we think it is relevant, we shall notify you via Luminor’s website, by post, via e-mail or internet bank messages or in another manner as chosen by us, not later than 1 (one) month prior to such amendments entering into force. The Privacy Policy shall also be available on request at customer service units.

Any questions?

If you have any questions or concerns regarding how Luminor processes Personal Data about you, or if you wish to exercise any of your rights, Luminor encourages you to contact us via telephone or e-mail or in writing to contact page.
 
Contact details for any privacy-related questions are as follows:

Data protection officer in Lithuania
dataprotectionLT@luminorgroup.com
 
Data protection officer in Latvia
dataprotectionLV@luminorgroup.com
 
Data protection officer in Estonia
dataprotectionEE@luminorgroup.com