TERMS AND ABBREVIATIONS
Client (as a Data subject) – a natural person who has been using or has expressed willingness to use Services provided by the Company (Potential client).
Company (as a Controller)– Dukascopy Europe IBS AS, registered in the Commercial Register of the Republic of Latvia under registration No.40003344762, registered office: Lacplesa street 20A - 1, Riga, LV-1011, Latvia.
Controller – a body (the Company) that determines the means and purpose of Personal data processing.
Data subject – an identified or identifiable natural person (Client, Client’s representative, employee).
DPO – Data Protection Officer.
Dukascopy Group – Dukascopy Bank SA incorporated in Swiss Confederation, as well as its representative office “Dukascopy Bank SA” and Dukascopy Europe IBS AS both incorporated in the Republic of Latvia.
EEA – European Economic Area.
EU – European Union.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal data – any information related to an identified or identifiable natural person (Data subject).
Processing – any actions and operations performed on Personal data, such as collection, recording, storage, use, transfer, erasure etc.
Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s economic situation, reliability, behaviour, location or movements, and perform Client due diligence
Services – any services offered to Clients and other natural persons and legal entities by the Company.
AMLTPF – Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing of the Republic of Latvia.
The goal of this Policy is to inform Data subjects who use or are willing to use the Services on the Processing carried out by the Controller, i.e. the Company and Dukascopy Group, and to ensure necessary data protection rules and mechanisms.
PERSONAL DATA CATEGORIES PROCESSED BY THE COMPANY
The Company may collect and process information listed under the following Personal data categories for the purposes specified under Section 4:
- general identification data – name, surname, date of birth, personal identity number, gender, copy of the Client’s identity document (passport, identification card, driver’s license etc.), photographs, and other related data;
- contact details – residence address and correspondence address (if not the same), phone number, e-mail address and other related data (if necessary);
- financial data – bank account information, origin of funds and assets, income and its stability, transactional data, investment goals, risk tolerance, tax identification number (TIN), country of taxation and other related data;
- information on education and economic activity – level of education, place and area of employment, previous places of employment, economic/commercial activity, experience in investing and other related data;
- information on related persons – authorized persons or representatives, relatives, whether persons closely related to Clients may be classified as politically exposed persons (PEPs) in accordance with AMLTPF law, and other related data;
- information on use of services and their relation to Clients’ preferences and habits – information on services used, personal settings, IP address, preferred language, surveys, contests and campaigns in which Clients have participated;
- data related to criminal convictions and offences – data on the criminal record related to criminal offences of Clients, Potential clients, beneficial owners and representatives thereof;
- audio/video data – video surveillance cameras’ footage, phone conversation recordings, video and audio recordings made during the video identification (VI) process.
- Please note that the list above is not exhaustive and upon necessity the Company may request, collect and process other Personal data required in accordance with relevant legal enactments.
- The Company may collect and process information listed under the following Personal data categories for the purposes specified under Section 4:
LEGAL BASIS AND PURPOSES FOR PERSONAL DATA PROCESSING
The Company processes Personal data if at least one of the following legal bases is applicable:
- The Processing is necessary to enter into and perform a Distance agreement with the Data subject;
- The Processing is necessary for the Company to comply with a legal obligation to which the Company is subject as a Controller;
- The Processing is necessary for legitimate interests pursued by the Company or a third party;
- The Data subject has given clear consent for the Company to process their Personal data for one of the purposes indicated in Section 4.2., and such consent shall be freely given and easy to withdraw.
The Company processes Personal data for the following purposes:
- to provide Services;
- to send administrative information, including updates on policies and changes to agreement terms;
- to send information about Services, products, educational materials, upcoming events and other related information that may be useful to the Client in relation to received Services and for educational purposes;
- to assess and mitigate risks related to money laundering and terrorism and proliferation financing, as well as transaction-related risks;
- o comply with legal obligations and/or government authorities’ requests
- in relation to legal claims related to the Company’s legitimate interests;
- to provide additional or supportive services.
- The Company processes Personal data if at least one of the following legal bases is applicable:
AUTOMATED DECISION-MAKING AND PROFILING
Automated decision-making and profiling are used by the Company during Client Personal data processing to create Client risk profiles, perform Client due diligence and monitor transactions to counter money laundering and terrorism and proliferation financing. Based on the results of the aforementioned processes, the Company’s employees make individual decisions for each Client.
Decisions made based on automated decision-making are a substantial part of entering into, or performance of, a Distance agreement between the Client and the Company, and comply with the legal enactments the Company is subject to as a Controller
TRANSFER OF PERSONAL DATA TO THIRD PARTIES
- Clients’ Personal data is stored and processed by the Company, Dukascopy Group and its cooperation partners within the EU, the EEA and the Swiss Confederation.
The Company reserves the right to disclose Clients’ Personal data to the following entities insofar as such data is necessary for the performance of their delegated functions and there is an adequate legal basis for a lawful disclosure of Personal data:
- to selected and designated third parties, including Dukascopy Group providers that perform services on behalf of Dukascopy Group under a written agreement, which ensures proper safeguards and limitations with regards to Processing. This may include companies providing IT, audit, identity verification, marketing, translation and/or due diligence services, data analysis, cloud service providers and others;
- within Dukascopy Group;
- to government, regulatory or other law enforcement agencies/authorities in cases specified by law and regulatory enactments.
TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA
Personal data may be transferred by the Company outside the EU, the EEA and/or the Swiss Confederation only when appropriate security measures have been taken and if at least one of the following applies:
- Personal data transfer is required under the laws and regulatory enactments being in force in the EU;
- Personal data transfer is necessary for the Company to enter into or perform an agreement with Clients for the provision of Services;
- In other cases, where the Client has given express consent to the Processing outside the EU, the EEA and/or the Swiss Confederation.
- Personal data may be transferred by the Company outside the EU, the EEA and/or the Swiss Confederation only when appropriate security measures have been taken and if at least one of the following applies:
Each Client has the following rights:
- the right to access their Personal data that is processed by the Company upon written request. However, if the Client’s request to access Personal data is excessive and/or repetitive, the Company may charge a reasonable fee based on administrative costs of preparing a copy of the Personal data undergoing Processing. If the aforementioned right to obtain a copy is restricted by the law due to the protection of rights and freedoms of other Clients, the Company may refuse to provide such information;
- the right to obtain rectification of inaccurate, incorrect or incomplete Personal data concerning themselves without undue delay from the Company;
- the right to request erasure (the right to be forgotten) of their Personal data undergoing processing in the Company. However, such request may not be fully satisfied if the processing of Personal data requested to be erased is necessary for execution of a Distance agreement or compliance with a legal obligation required by EU law or laws of the Republic of Latvia, e.g. AMLTPF. The Company will inform the Client if the complete erasure of the Client’s Personal data cannot be ensured, as well as explain the reasons for the decline and possible actions the Company will be able to take in each individual case;
- the right to restrict processing of their Personal data. Any such request shall be evaluated by the Company in order to determine whether such request contradicts other legal grounds of processing that the Company shall comply with;
- he right to data portability, i.e. Clients shall receive their Personal data in a structured, commonly used and machine-readable format and transmit it to another controller if the Processing is based on consent or on a Distance agreement and is carried out by automated means. Such requests shall not adversely affect rights and freedoms of other Clients of the Company;
- the right to withdraw consent for Processing for direct marketing purposes at any time;
- the right to be informed about automated individual decision-making, including profiling;
- the right to lodge a complaint with the personal data protection supervisory authority of the Republic of Latvia, i.e. the Data State Inspectorate of the Republic of Latvia, if the Client has any legal complaints that cannot be resolved during the negotiation process with the Company and its DPO through the contact details indicated in Section 12.
- All aforementioned rights shall be exercised in good faith and on a written request basis.
- Each Client has the following rights:
The Client agrees not to hold the Company, Dukascopy Group and its employees and affiliates liable for losses of any kind, including financial, suffered by the Client while using the Client’s Personal data, e.g. login details, by a third party (either communicated by the Client or obtained in an abusive/fraudulent manner from the Client). The Client shall be liable of any such Personal data disclosure to unauthorized third parties.
PERSONAL DATA RETENTION PERIOD
- The period of Personal data retention depends on the purpose of Processing specified by the Company, but it shall be stored no longer than reasonably required for such Processing.
- In determining the period of Personal data retention and Processing, the Company takes agreements with Clients and contractual obligations, the legitimate interest of the Company and relevant legal enactments into account.
- the Company generally stores the Client’s Personal data for 5 (five) years after the termination of the business relationship with the Client, unless otherwise provided by the applicable laws and regulations
Should Clients have any questions or inquiries regarding the Policy, Clients may contact the Company’s 24/7 client support by phone: +371 67 399 000, +371 67 399 039 or by e-mail: [email protected], as well as the Company’s DPO by e-mail: [email protected] or by sending a letter to: Dukascopy Europe IBS AS Data Protection Officer, 20a-1 Lacplesa street, Riga, LV-1011, Latvia.
The Company reserves the right to amend the Policy unilaterally at any time without prior notice to the Client. The Company shall use its website to inform the Client about any amendments to the Policy by posting the text of the Policy, whereas the Client undertakes to review the Company’s website regularly to check the Policy’s updates.