Luminor Group Privacy policy

The Controller of your Personal Data is the Luminor Group entity to which you have submitted your Personal Data because of a contractual or pre-contractual relationship or which Services you (or the legal entity or arrangement you are considered to be the ultimate beneficiary owner of) intend to use and/or which determines the purposes and means of the processing of Personal Data.

You may find contact details of all Luminor Group entities here.

A natural person who uses, has used or has expressed the intent to use a Service.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

All Luminor group entities directly or indirectly controlled by holding company Luminor Holding AS, registered in the Republic of Estonia, reg no 14723133.

Any legal entity or branch belonging to the Luminor Group.

Any information directly or indirectly related to an identified or identifiable Customer or other natural person whose data is processed according to this Privacy Policy and applicable laws.

Any operation carried out with Personal Data (including collection, recording, storing, alteration, grant of access to, making enquiries, transfer, etc.).

Any service offered or provided by Luminor.

This Privacy Policy applies when you:

• use, have used or have expressed an intention or interest to use Luminor’s Services;
• visit Luminor’s websites;
• are related to any of the Services indirectly (for example, as spouse of a Customer, a collateral provider, an insured person in an insurance agreement, your data has been provided to us by a Customer etc.);
• are representative of a Customer (either entity or private individual);
• are direct underlying or ultimate beneficial owner, shareholder of corporate Customer;
• are representative of any third person having legal relationship with Luminor (for example a representative of a company which provides Luminor services or sells goods), or;
• provided your Personal Data or your Personal Data has been obtained by Luminor due to any other reasons, not mentioned above (e.g. personal data about third parties in the documents which have been provided to Luminor by the Customer).

The exact scope of Personal Data being processed depends on the types of Services you have in Luminor or your relationship with Luminor. Personal Data we collect and process includes:

• Personal identification data such as name, surname, personal identification number, date of birth, photo in provided personal identification document, examples of signature and other data in an identity document which is provided to us;
• Contact information data such as residence address or other address for communication purposes, telephone number, email address, preferred communication language; social media contact data (e.g. skype address, personal webpage address, Twitter, Facebook, LinkedIn contact data etc.);
• Digital identification data such as Internet bank ID, Unique Device Number (e.g. International Mobile Equipment Identity), passwords which you use to access our systems (when applicable);
• Data related to Luminor Services you use such as what type of services you use in Luminor; your assets you keep with Luminor; your obligations to Luminor; your account and card number, your opinion and evaluation of Luminor Services; all data in contracts you concluded with Luminor or which you provide to Luminor during validity term of such contracts; creditworthiness assessment data; your communication with Luminor; logs of your activity while using Luminor applications, internet banking system or ATM’s, payment card data, etc;
• Financial data such as monthly salary and other income, financial liabilities, source of income (funds), data about transactions, debts, and credit history data;
• Employment (occupation) data such as data about your employer / previous employer, occupation, working experience, education, professional certificates;
• Family data such as marital status, dependants and / or family members;
• Location data such as transaction place, IP address, login place), login of internet usage;
• Property data such as financial assets and other property;
• Special category data:
  - biometrical data, i.e. physical, or behavioral characteristics resulting from specific technical processing used during remote identification which confirms the unique identification of a person;
  - data about criminal convictions (if you provide such data or such data is obtained from third persons);
  - data about legal capacity;
  - data on belonging to political party (collected as part of “Know your customer” process).
• Cookies (only where specific cookie is considered to be a personal data, i.e. when it allows to identify specific user, see more details in our Cookie policy);
• Other data:
  - data about the participation in companies and other types of legal entities, data about managers and other persons having decisive votes or representatives of the companies using or intending to use Services, as well as their ultimate beneficiary owners’ information and contact details of the representatives of the companies using or intending to use Services;
  - information on social security contributions and insurance, information on payable pension/ allowance/ indemnification;
  - any data obtained through inquiries from law enforcement agencies, notaries, tax authorities, courts and bailiffs or other competent authorities or any data obtained as a result of any litigation procedures;
  - any data obtained in any correspondence (written correspondence, e-mails);
  - risk profiling and classification data (risk type, risk class);
  - data concerning the applicability of any sanctions, including data regarding any relevant business dealing or activities, including any adverse media coverage that is available;
  - Data in insurance policies where Luminor is beneficiary.
• Visual and audio data such as:
  - video surveillance data (video records or images captured where video surveillance cameras are installed);
  - voice and / or video records data such as voice records of phone or Teams or other Internet based calls where you or Luminor chooses to interact using remote communication means;
  - photography which you have shared with us or which have been taken during events organised or sponsored by Luminor, etc.

We usually do not process sensitive data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using Services (e.g. in payments details) or such data is obtained from third persons (e.g. information is received from law enforcement institutions).

We only collect data about minors if they use Luminor Service or if you provide us with information about your own children in relation to a Service you use.

We use your biometric data for remote identification of your personal identity only where you have explicitly given us the consent to use such identification method.

If you exercise right of access under GDPR Art. 15 (see more “What are my rights?) we will provide you with detailed answer what Personal Data about you Luminor possesses.  

Generally, Luminor receives Personal Data:

• directly from you when you apply or use our Services, contact Luminor (for example, visit our website or internet bank, contact us via phone or other means of distance communication), fill‑in forms on our websites, mobile applications or leave contact information with Luminor for whatever reason;
• from persons other than the data subject (for example one spouse provides Personal Data about another; parent applies for a service that involves a child and provides child’s personal data; Personal Data is provided by authorised representative; data about shareholders and ultimate beneficial owners are provided by corporate Customer; etc.);

• from other financial service providers (banks, payment service providers, ATM network operators etc.) when Personal Data is obtained as a result of a service (for example: Personal Data about payer obtained with payment order; Luminor provides account information or payment initiation services to you and obtains your Personal Data from other payment service provider; etc.);
• from insurance companies or insurance brokers (when you have obligation to insure property in favor of Luminor and such insurance companies or insurance brokers informs us if such obligation is duly performed); 
• from our cooperation partners where due to your request they mediate in Service provision (for example car dealer provides your Personal Data where you apply for a leasing and fill‑in relevant application in such dealer’s office) or where such cooperation partners has obtained consent from you to share your Personal Data with us or has other legal grounds to share your Personal Data with us;
• as a result of contractual relation with third parties (for example representative’s and other contact person’s data is obtained, while concluding services agreement with such third party, etc.); 
• from other external sources, such as public and private registers, credit bureaus (e.g. “Creditinfo”), other companies (for example insurance companies) or state institutions, including information from databases of third‑party service providers and publicly available sources, such as media sources. See more.
• from law enforcement agencies and other competent authorities as a result of inquiries, investigations, etc.;
• from another Luminor entity, when several Luminor entities are directly or indirectly involved into Service provision to you;
• while capturing visual data with our security cameras;
• while recording phone conversation or video meetings, where Services are provided remotely.

We can also combine the information we obtained about you from various sources (for example creditworthiness assessment is prepared by combining data received from number of external registers and directly from you).

We need your Personal Data to provide Services to you or the company or person which you are representing. We will not be able to serve you, to conclude agreements, grant you accesses to our systems or contact you etc. if we will not have your Personal Data. Please note, that some Personal Data we request to provide in order to fulfill legal requirements (e.g. Anti‑money laundering requirements). If you refuse, we may not be allowed to offer certain products or services to you.

You can refuse to provide your Personal Data where we ask for your consent. In such cases if you don’t consent, we will still be able to provide you with alternative solution.

Yes, Luminor uses cookies in order to improve the website functionality and facilitate better user experience. Luminor’s Cookie Policy is available here.

Usually Luminor receives and uses your Personal Data only if and to the extent that at least one of the following applies:

• You intend to enter into or have entered into an agreement with us;
• You have given consent to process Personal Data; 
• We process Personal Data where it is a legal obligation under applicable legal acts;
• We have a legitimate interest to process your Personal Data.

Occasionally legal basis for Personal Data processing might be other legal grounds provided in GDPR Art 6 part 1, subparagraph d) and e). 

To protect your Personal Data from unauthorized access, unlawful Processing or disclosure, accidental loss, modification or destruction, we use appropriate measures that comply with applicable laws. 

These measures include technical measures, such as the selection and configuration of appropriate computer systems, securing relevant connections, and protection of data and files, as well as organizational measures, such as limiting access to these systems, files and facilities, careful selection and monitoring of hosting and other IT services providers, constant training of Luminor staff.

The first and foremost purpose why we need your Personal Data is for providing our Services. This includes:

• taking steps prior to conclusion, conclusion, fulfilment, and ensuring the fulfilment, of any agreements under which our Services are provided to you; 
• creditworthiness assessment and subsequent monitoring (relevant to lending services); 
• managing our relationship with you;
• providing and administering your access to Services and our relevant systems; 
• execution of your orders (e.g. national and international credit transfer, execution of investment orders and other services);
• related records keeping (e.g. copies of agreements and related contractual documentation, records in IT systems).

We analyse our Customers’ data to develop improve and offer additional Services. This includes:

• performing Customer surveys;
• conducting market and behavioral analysis and compiling statistics;
• organizing customer events, promotion campaigns;
• services development, new services creation.

We want to inform you about our Services and propose new Services, which we think may be relevant to you.

We also want to interact with you on social network platforms, use advertising possibilities offered by social network platforms in order to reach out our target audiences.

Where you represent another entity or person or act as a contact person Luminor will need to verify your representation rights and further keep related documents including representative’s Personal Data for our records.

Financial services are related to various risks, and we are obliged to manage those risks to ensure the sustainability of our business model and protect the interest of our various stakeholders: depositors, investors, shareholders and society in general. This includes:

• loans performance monitoring;
• customer risk modelling and scoring;
• transactions monitoring;
• fraud prevention;
• capital adequacy calculations;
• other activities related to management of credit, operational, market, and liquidity risks.

The financial services sector is heavily regulated, which means that in order to provide Services to you, we need to comply with many regulations in all jurisdictions in which Luminor operates and process Personal Data as required under such legal acts. Here are just some most common examples of Personal Data processing due to legal obligations:  

• Implementation of “Know Your Customer” requirements, including collection of information about ultimate beneficial owners, preventing, detecting, and investigating money laundering, terrorist financing, and fraud; 
• Implementation of International Sanctions against persons or companies; 
• Creditworthiness assessment and other related activities to ensure responsible lending; 
• Reporting to tax authorities, police authorities, other law enforcements authorities, supervisory authorities;
• Implementation of payment service requirements and obligations;
• Prevention of mis-selling where customers are offered products that are not suitable for their needs or assessment of investment knowledge in financial instruments;
• Implementation of bookkeeping or record keeping requirements;
• Other obligations related to service or product specific legislations, for example securities, funds, collateral, insurance or mortgage legislation.

Financial services are exposed to criminal activities. To mitigate those risks we perform data processing – video recordings, transaction monitoring, ensuring our IT systems integrity.

We are also performing background checks of representatives of our suppliers or service providers where such representatives need to access controlled premises in Luminor or get access to our IT systems.

The foregoing processing activities are mainly conducted to be compliant with relevant laws and regulations and for exercising our legitimate interest, which mainly include reducing any risks to our systems and identifying any discrepancies in databases, ensuring security in our premises. Based on the relevant need, all the applicable security measures are tested and renewed from time to time.

Even after termination of agreement with you we will process your Personal Data in order to protect our legitimate interests. This may include:

• asserting legal claims and defense in legal disputes;
• debts collection;
• selling claims against overdue debts;
• keeping copies of contractual documentation and correspondence with you for archiving purposes.

We may process, and respectively share your Personal Data for the said processing purposes with third persons, in order to be able to continuously provide the Services, currently and in the future, and further develop and enhance such Services, for example, for being able to raise funds, rate our business operations, guarantee our obligations, complying with requirements to which our shareholders are subject, etc.

We may process your Personal Data for the purposes of transactions related to the transfer of Luminor’s business or shares, implementation of other corporate actions, like mergers, acquisitions, spin‑off’s to the extent which is necessary for the pre‑contractual engagements and conclusion or ensuring the conclusion of the relevant transactions. The foregoing processing is based on our legitimate interests which consist mainly of our need to ensure the consistency of our business and the continues provision of our Services.

The nature of Services provided requires us to share Customers' Personal Data to run our everyday business — to process transactions, maintain customer accounts, report or respond to public institutions.

We may disclose your Personal Data to:

• Luminor shareholders (direct or indirect), in case the sharing is required by the regulatory enactments governing the activities of the shareholders or where the disclosure is based on the legitimate interests of the shareholders which includes their risk management purposes and need to ensure that Luminor complies with the regulatory requirements;
• Luminor group entities (for administrative and marketing purposes, to the extent it is needed to provide Services, develop Service, to comply with any mandatory requirement, etc.);
• other credit and financial institutions (e.g. when it is necessary to execute your orders or where information is shared to the extent required under anti‑money laundering legislation, or where you have agreed);
• other payment service providers offering payment initiation or account information services upon their request as required by the laws or where you have provided your consent;
• Luminor cooperation partners, with whom Luminor offers co‑branded products and Services (for providing such Services and products as well as for marketing and advertising such products);
• a public authority, a public law body or an entity fulfilling public law functions for purposes of fulfilling of its functions (including bailiffs and notaries);
• authorized auditors, legal and financial advisers of Luminor Group;
• any entity who is directly or indirectly involved in the provision of Services to you and their sub‑contractors, including entities involved for the fulfilment of your transactions (for example, correspondent banks, financial institutions, insurance companies, payment services providers, ATM network operators, financial intermediaries, car vendors, brokers, participants of, or parties to, payment, clearing or settlement systems, exchanges and other);
• any entity who provides or intends to provide financing to Luminor, is involved in the provision of any type of financing (including by way of loan, public offering, issuing of any type of financial instruments, securities, notes, bonds), including entities arranging, structuring, organising, guaranteeing such financing or providing supporting services in connection with any of the aforementioned and their advisors;
• any rating agency for the purpose of acquiring rating to Luminor or any financial instruments issued by Luminor;
• a registrar of a database or register (including but not limited to commercial and company registers, credit register and registers of securities);
• to any party providing collection or debt enforcement services to Luminor, credit bureaus and other third parties to which Luminor may assign, pledge or transfer its rights and obligations or where Luminor is disclosing information about outstanding debts;
• a third party to the extent necessary for Luminor in order to protect or enforce its rights and legitimate interests, in particular upon breach of any obligations by the Customer, unless provided otherwise in the applicable law;
• any person to whom the disclosure of Personal Data is required or allowed under the legislation applicable to Luminor or the activities of Luminor or according to the agreement concluded with you;
• to any person, where you have consented to such disclosure.

In cases where Personal Data Processing is carried out on behalf of Luminor by a third party, Luminor engages only third parties providing sufficient guarantees to implement appropriate technical and organisational measures in such manner that Processing will meet the requirements of the GDPR and applicable laws and ensure the protection of your rights.

Processing activities by third‑party processors shall always be governed by a Privacy & Data Processing Agreement or other specific terms agreed upon by Luminor and such third party processor.

Most of Customers’ Personal Data in Luminor is stored and processed in servers within the European Union and European Economic Area (EU/EEA) however in some cases, for example, when the Personal Data processor/sub‑processor engaged by Luminor is located outside the EU/EEA there may be a need to transfer certain Personal Data outside EU/EEA or make Personal Data accessible from outside EU/EEA and such data transfer is necessary to provide Service or when requested by a Customer.

Data may be transferred outside the EU/EEA only when Luminor ensures appropriate safeguard measures as required by the GDPR and there is a legal ground for such transfer.

Upon request, the Customer can receive further details on Personal Data transfers to countries outside of the EU/EEA.

We retain your Personal Data no longer as needed for a particular purpose or purposes for which Personal Data was collected. 

We will always store Personal Data collected while preparing to enter into agreement with you or while performing such agreement at least until the expiry of such agreement. Further to protect our legitimate interests usually we may store the data for ten (10) years after termination of the agreement.

Applicable laws (for example laws regulating anti‑money laundering obligations) may require us to store your Personal Data for a specific term, in which case we will always follow it.

For more detailed information on some retention periods and the principles for how we determine specific retention periods for your Personal Data processed by us, please follow this link.

Yes, you can at any time. If you recall your consent we will stop further Processing of your Personal Data and delete it, unless we have other legal ground to keep it.

The most convenient way is to change your preferences in Luminor internet bank. Another alternative is to contact us in any customer service unit.

Please note, that depending on the way how you approached us and how many Luminor entities your consent relates to it may take up to four working days for us to update our systems and align them across all Luminor entities (where not explicitly provided otherwise, your consent applies for all Luminor entities, so in certain situations we may need to change your preferences across several different IT systems owned by several Luminor entities). 

Luminor sends newsletters and direct marketing communications including communication via e‑mail and phone. Services and products may be also promoted during various customer events organised by Luminor or its partners.

Yes, you have such right. Upon receipt of your refusal we will register changes in our systems and we will stop further processing for this purpose.

Yes, you can select preferred channel and later change preferences in Luminor internet bank. 

You can opt‑out from direct marketing messages which you receive via e‑mail by pressing a link present in such message.

Please note, that after opt‑out you will still continue to receive any communication, which is not marketing material (e.g. notices and reminders under agreements, communications which Luminor sends because of legal requirements).

Profiling is Customer segmentation by evaluating the personal aspects relating to a natural person in order to apply a relevant service model or tailored marketing offers or perform risk assessment for anti‑money laundering purposes.

Automated decision making is a form of decision making under which a certain decision regarding a person is made using automated means. 

Luminor uses profiling to prepare analyses for Customer advice, for direct marketing purposes, profiling supports automated decision‑making such as credit assessments, for risk management and for transaction monitoring to counter fraud, including automated collection of data from databases and making preliminary assessments and conclusions whether you are eligible for our Services taking into account the relevant laws and regulations that apply to us and our internal procedures. Luminor uses profiling based on the following legal grounds:

• compliance with a legal obligation. Luminor may process Personal Data and evaluate personal aspects if Luminor must perform risk assessment for anti‑money laundering purposes;
• explicit consent from the Customer or in some limited cases also on the ground of legitimate interest. Luminor may use profiling to evaluate the Customer’s need, develop its Services, and provide more relevant and just‑in‑time Service offers. The legitimate interests for implementing the automated decision making means are as follows: automated decision‑making processes are implemented for a smooth servicing process and for ensuring that we are able to comply with our legal obligations, taking into account the vast amount (in quality and quantity) of data to be processed for ensuring the timely and full compliance with our obligations deriving from applicable legislative acts and laws.

Luminor may make a decision with respect to the Customer, including but not limited to making an assessment about the creditworthiness of the Customer based solely on automated processing of the Personal Data.

In such a case, the Customer has a right not to be subject to a decision based solely on automated processing, including profiling. Such right may be executed by the Customer if, based on the automated decision, Luminor has refused to enter into the contract or provide Services. Upon your request, an automated decision will be reviewed by Luminor employees.

More detailed descriptions of processes which include automated decision making can be found here.

Luminor is dedicated to ensuring that Personal Data Processing is fair and transparent and all persons’ rights arising under applicable laws are always ensured. In particular, you have:

• Right of access (GDPR Art 15). You have the right to access the Personal Data Luminor processes about you. Upon your request, Luminor shall:
  - confirm as to whether or not Personal Data relating to you are being processed and provide information as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed;
  - communicate to you about the Personal Data undergoing Processing and about any available information as to their source;
  - provide to you knowledge of the logic involved in any automated processing of Personal Data concerning you in the case of automated decisions.
• Right to rectification (GDPR Art 16). You have the right to request us to rectify any inaccurate or incomplete Personal Data Luminor processes about you;
• Right to erasure (GDPR Art 17). You have the right to request erasure of Processing of the Personal Data, if:
  - Personal Data is no longer necessary for purposes, for which it was collected;
  - You have withdrawn a consent, where Personal Data was processed only on the ground of consent;
  - You have objected to the processing under GDPR Article 21 (1) and there are no overriding legitimate grounds for the processing or where you objected to processing of your Personal Data for the purposes of direct marketing;
  - we do not have a legal ground to process your data;
  - the personal data have to be erased for compliance with a legal obligation.
• Right to restriction of processing (GDPR Art 18). You have the right to request us restrict further processing of your Personal Data if:
  - You contest the accuracy of your personal information;
  - the processing of your Personal Data is unlawful;
  - You have objected to the processing under GDPR Article 21 (1) – until it would be determined if legitimate interests to process Personal Data outweigh your interests. 
• Right to data portability (GDPR Art 20). You have the right to receive the Personal Data Processed in a structured, commonly used and machine‑readable format and the right to transmit the Personal Data to another controller. This right you have in respect of your Personal Data, which Luminor obtained from you and processes on the basis of your consent or due to a contract fulfilment or processes automatically;
• Right to object (GDPR Art 21). You have the right to object the processing of your Personal Data, where legal basis for such processing is either legitimate interest or public interest. If we receive such request from you we either have to stop further processing or respond to you in written and explain reasons why we do not comply with your request. Also, we may still process your Personal Data to an extent this is necessary for establishment, exercise or defense of our legal claims;
• Right to object to fully automated decision‑making (GDPR 22). It is prohibited to make any decisions regarding you, which have legal or similar effects using solely automated means of Personal Data processing unless:
  - it is necessary in order to enter into or to perform an agreement with you;
  - we are following a legal requirement putting on us a legal obligation to process your Personal Data using such automated means, or;
  - we receive your explicit consent.
  Where we are allowed to process your Personal Data using automated means You have the right to contest such decision and ask it to be revised by our staff (this does not applies where such processing is happening due to a legal requirement).
• Right to withdraw a consent (GDPR Art 7 (3)) when Processing of Personal Data is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal. You may recall your consent:
  - by providing a written request in any customer service unit;
  - by changing your preferences in internet bank.
• Right to lodge a complaint. You also have a right to lodge a complaint with a supervisory authority:
  - in Estonia to the Data Protection Inspectorate (website: aki.ee); 
  - in Latvia to the Data State Inspectorate (website: dvi.gov.lv).
  - in Lithuania to the State Data Protection Inspectorate (website: vdai.lrv.lt).

You should submit your request either in any customer service unit or via internet bank e‑mail. This is necessary, because we need to establish your identity and make sure that we are responding to you.

We will carefully examine your request and provide a written reply as soon as possible, but no later than within one month of receipt of your request. In some cases, this period may be extended by two further months, taking into account the complexity of your request. In such case we will inform you about extension and the reasons for it.

Where you have requested copy of your Personal Data (see Right to data portability) such copy will be sent via e‑mail in encrypted format.

This Privacy Policy is not designed to form a legally binding contract between Luminor and the Customer – instead, it is a guide on our Personal Data protection standards. As we are constantly working on improving and developing our Services and websites we may change this Privacy Policy from time to time. We will not reduce your rights as a result of such changes. In the case of material changes and where we think it is relevant, we shall notify you via Luminor’s website, by post, via e‑mail or internet bank messages or in another manner as chosen by us, not later than 1 (one) month prior to such amendments entering into force. The Privacy Policy shall also be available on request at customer service units.

If you have any questions or concerns regarding how Luminor processes Personal Data about you, or if you wish to exercise any of your rights, Luminor encourages you to contact us via telephone or e‑mail or in writing.

Contact details for any privacy related questions are following:

• Data protection officer in Lithuania dataprotectionLT@luminorgroup.com
• Data protection officer in Latvia dataprotectionLV@luminorgroup.com
• Data protection officer in Estonia dataprotectionEE@luminorgroup.com