for private individuals based on the EU General Data Protection Regulation (GDPR) and Data Protection Act (DPA)
The following data privacy notice is intended to provide you with an overview of the processing of the personal data held at our company and the resulting rights under the new General Data Protection Regulation of the EU (GDPR) and the Data Protection Act (DPA). Which data are processed specifically and the way in which they are used depends essentially on the services and products to be provided or agreed. Our company is legally committed to protecting your privacy and to a duty of confidentiality and for this reason implements a large number of technical and organisational data protection policies in relation to all data processing operations of personal data.
Within the context of our business relationship we are reliant upon processing personal data which are required for opening and implementing the business relationship and for complying with the related statutory or contractual obligations as well as for providing services or executing orders. Without these data we will generally not be in a position to enter into or maintain a business relationship, process an order or offer services and products.
Should you have any questions about particular data processing or want to exercise your rights, as described below under point 5, please contact:
CIIM The Compound Interest Investment Management AG
Tel.: +423 262 4111
1 Which data are processed (categories of data) and from which sources do they originate (source)?
We collect and process personal data that we obtain within the context of our business relationship with our clients. Personal data may be processed at every stage of a business relationship and differ according to the group of people concerned.
As a basic principle, we process personal data that are made available to us by you through contracts, forms, your correspondence or other documents submitted. Insofar as is necessary for the provision of a service, we also process personal data that are generated or transmitted as a result of the use of products or services or that we have duly obtained from third parties (e.g. a trust company) or from public agencies (e.g. UN and EU sanctions lists). Finally, personal data from publicly available sources (e.g. registers of companies for associations, press, internet) may be processed.
In addition to client data, we also process, if applicable, personal data of other third parties involved in the business relationship, such as for example data of authorised agents, representatives, legal successors or beneficial owners of a business relationship. We request that you also inform possible third parties of this data privacy notice.
Personal data concerns the following categories of data in particular:
1.1 Master data
- Personal details (e.g. name, date of birth, nationality)
- Address and contact details (e.g. physical address, telephone number, e-mail address)
- Identification information (e.g. passport or ID details) and authentication information (e.g. specimen signature)
- Data from publicly available sources (e.g. tax numbers)
1.2 Further basic data
- Information on services and products used (e.g. investment experience and investment profile, consultancy minutes, data concerning effected transactions)
- Information about household composition and relationships (e.g. information about spouse or partner and other family details, authorised signatories, statutory representatives)
- Information about the financial characteristics and financial circumstances (e.g. portfolio and account number, origin of the assets)
- Information about the professional and personal background (e.g. professional activity, hobbies, wishes, preferences)
- Technical data and information about electronic transactions with the Asset Management Company (e.g. access logs or changes)
- Image and sound files (e.g. video recordings or recordings of telephone calls)
2 For what purposes and on what legal basis will your data be processed?
We process personal data in accordance with the provisions of the GDPR and the DPA for the following purposes and on the following legal bases (Art. 6 (1) GDPR):
- For the performance of a contract or in order to take steps prior to entering into a contract within the context of providing and brokering portfolio management services, investment advisory and other financial services, which may be provided by an asset management company. The purposes for data processing are primarily determined by the specific service or product (e.g. securities) and can include needs analyses, advisory, portfolio management and administration and the execution of transactions, among other things.
- For compliance with a legal obligation or in the public interest, in particular to adhere to statutory and supervisory requirements (e.g. to adhere to the GDPR, the DPA, the asset management act, due diligence and anti-money laundering provisions, market abuse provisions, tax laws and agreements, control and reporting obligations, risk management). Should you not make the necessary data available to us, we have to fulfil respective regulatory duties and might be forced to cease the business relationship.
- For the purposes of the legitimate interests pursued by us or a third party for specifically defined purposes, in particular for determining product development, marketing and advertising, business and risk control, reporting, statistics and planning, prevention and solution of criminal offences, video monitoring to allow or deny access to the premises and the aversion of danger, telephone recordings.
- Based on your consent, which you gave to us in order to provide portfolio management services or on the basis of instructions, such as for example the disclosure of data to service providers or contracting parties of the asset management company. You have the right to withdraw your consent at any time. This shall also apply to the withdrawal of declarations of consent that we received before the application of the GDPR, i.e. before 25 May 2018. The withdrawal of consent shall only be effective for the future and shall not affect the lawfulness of data processed before the withdrawal of consent.
We reserve the right to further process personal data that have been collected for one of the above purposes for the other purposes too if this is consistent with the original purpose or permitted or provided for by law (e.g. reporting obligations).
3 Who will have access to personal data and how long will the data be held?
Bodies both within and outside the CIIM AG may obtain access to your data. Within the CIIM AG, only bodies or employees may process your data if they require them to comply with our contractual, statutory and supervisory obligations and to protect legitimate interests. Based on the respective legal provisions, other companies, service providers and vicarious agents may also obtain personal data for these purposes. Processors may be companies in the categories portfolio management services, distribution agreements, IT services, logistics, printing services, advisory and consulting, and distribution and marketing. Furthermore, recipients of your data in this context may be other banks and financial service institutions to whom we transfer personal data for implementing the business relationship (e.g. custodian banks, brokers, stock exchanges, information agencies).
Where there is a statutory or supervisory obligation, public agencies and institutions (e.g. supervisory authorities and tax authorities) may also receive your personal data.
Data will only be transferred to countries outside the EU or EEA (so-called third countries) if
- for the implementation of pre-contractual measures or for the performance of a contract, the provision of services or processing of orders (e.g. execution of securities transactions)
- you have given us your consent (e.g. for client services by another company)
- it is necessary for important reasons of public interest (e.g. on the basis of money laundering prevention) or
- is required by law (e.g. transaction reporting obligations).
However, these are solely countries which the EU Commission has determined to have an adequate data protection standard, or we take measures to ensure that all recipients have an adequate data protection standard. Where applicable, we conclude standard contractual clauses for this purpose, which in this case are available upon request.
We process and store the personal data throughout the duration of the business relationship provided certain data are not subject to shorter retention periods. It should be noted that our business relationships can last for years. In addition, the storage period is determined according to the necessity and purpose of the respective data processing. If the data are no longer required for compliance with contractual or statutory obligations or to safeguard our legitimate interests or those of third parties (achievement of the purpose) or if granted consent is withdrawn, they are erased periodically, unless further processing or storage is necessary on the basis of contractual or statutory retention periods and obligations of documentation or on the grounds of preserving evidence for the duration of the applicable statute of limitations.
4 Is automated decision-making, including profiling, carried out?
As a basic principle, our decisions are not based solely on automated processing of personal data. If we do use these types of procedure in individual cases, we shall inform you separately, in accordance with the provisions of the law.
Certain business areas involve the automated processing of personal data at least to a certain extent, where the objective is to evaluate certain personal aspects in line with statutory and regulatory requirements (e.g. money laundering prevention), carry out needs analysis in relation to products and services or for the purpose of managing risks.
The Asset Management Company reserves the right, in future, to analyse and evaluate client data (including the data of any third parties involved) by automated means for the purpose of identifying key personal characteristics in relation to clients, predicting developments and creating client profiles. Such data will be used, in particular, to perform business checks, provide customised advice, offer products and services and provide any information that the Asset Management Company may wish to share with clients.
5 Which data protection rights do you have?
You have the following data protection rights with regard to your personal data (Art. 15 to 21 GDPR):
- Right of access: You may obtain from us information as to whether and to what extent personal data concerning you are being processed (e.g. categories of personal data concerned, purpose of processing etc.).
- Right to rectification, erasure and restriction of processing: You have the right to obtain the rectification of inaccurate or incomplete personal data concerning you. In addition, your personal data must be erased if these data are no longer necessary in relation to the purposes for which they were collected or processed, you have withdrawn your consent or these data are being unlawfully processed. Furthermore, you have the right to obtain restriction of processing.
- Right of withdrawal: You have the right to withdraw your consent for the processing of your personal data for one or more specific purposes at any time if processing is based on your explicit consent. This shall also apply to the withdrawal of declarations of consent that were submitted before the application of the GDPR, i.e. before 25 May 2018. Please note that the withdrawal of consent is only effective for the future. Processing that was carried out before the withdrawal is not affected. The withdrawal does not have any effect on data processing based on other legal bases either.
- Right to data portability: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and to have those data transmitted to another controller.
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data which takes place based on Art. 6 (1) lit. f GDPR. We no longer process the personal data in case of an objection, unless we can prove compelling reasons for the processing which outweigh the interests, rights and freedoms of the person concerned, or which serve the assertion, exercise or defence of legal rights. In addition, you have the right to object informally to the use of personal data for marketing purposes. Where you object to the processing of your personal data for direct marketing purposes, we shall no longer process your personal data for such purposes.
- Right to lodge a complaint: You have the right to lodge a complaint with the competent Liechtenstein supervisory authority. You may also contact another supervisory authority of an EU or EEA member state, for example in your habitual residence, place of work or the place of the suspected infringement.
The contact details for the competent supervisory authority responsible in Liechtenstein are:
Liechtenstein Data Protection Authority
Städtle 38, P.O. Box
Principality of Liechtenstein
Telephone: +423 236 60 90
Information or objection requests should be made in writing to us. We will also assist you in any other data protection issues you may have.