Compliance with the EU GDPR (General Data Protection Regulation)
The EU GDPR aims to synchronize data protection law across the EU Member States and brings in higher data protection standards as well as transparency of personal data gathering and processing for clients. We take your privacy seriously. This privacy notice includes general information on what personal data we gather, what we do with that information, and what rights you have. If you have any questions or comments, please contact us.
‘Personal data’ is any information that relates to an identified or identifiable natural person (rather than to a legal entity, such as a company).
As part of our commitment to protect your personal data transparently, we want to inform you:
- Why and how we gather, use and store your personal data;
- The lawful basis on which your personal data is processed; and
- What your rights and our obligations are about such processing.
2. What types of personal data do we gather?
Yang, Odell and Kostner (“we,” “our,” or “us”) will, depending on the product or service we provide to you (if any), gather and use personal data about you including:
- Personal details such as your full name, I.D. number, date of birth, KYC, phone number physical and electronic address, and family details
- Financial information, including payment and transaction records and information relating to your assets, financial statements, liabilities, taxes, revenues, earnings and investments (including your investment objectives)
- Tax domicile and other tax-related documents and information
- Where applicable, professional information about you, such as your job title and work experience
- Your knowledge of and experience in investment matters
- Details of our interactions with you and the products and services you use
- Any records of phone conversations between you and us
- Where applicable, details of your nomination of a mandate
- Your client or account number
- When you access our Website, data sent by your browser and automatically noted by our server, including date and time of access as well as the sent data volume, your web browser and language, requesting domain, and IP address. When you visit our website, the website will contain additional information about how we use your information while you are visiting that website
- In some cases (where legal), special groups of personal data, such as your political views or affiliations, health information, racial or ethnic origin, religious or philosophical beliefs, and, to the extent legally allowable, information relating to criminal convictions or offenses.
In some instances, we gather this information from public records, public administration or other third-party sources, such as wealth screening services, credit reference agencies, fraud prevention agencies, intermediaries that facilitate data portability.
If appropriate to the products and services we provide to you, we will also gather information about your additional cardholders or account holders, business partners (including other shareholders or beneficial owners), dependents or family members and representatives. In addition, where you are an institutional or corporate client or investor, we will also gather information about your directors, employees or shareholders. Prior to furnishing us with this information, you should give a copy of this Policy Notice to those individuals.
3. On which legal basis and for which purposes do we process personal data?
3.1 Legal basis for processing
Depending on the purpose of the processing activity (see section 3.2), the processing of your personal data will be one of the following:
- Necessary for our legitimate interests, without unduly affecting your interests or fundamental rights and freedoms (see below);
- Necessary for taking steps to enter into or executing a contract with you for the services or products you request, or for carrying out our obligations under such a contract, such as when we use your data for some of the purposes in sections 3.2(a), (b) (c) and (j) below (as well as certain of the data disclosures described in section 4);
- Required to meet our legal or regulatory responsibilities, including when we conduct the checks referred to in section 3.2(a) below and make the disclosures to authorities, regulators and government bodies referred to in sections 3.2(g) and 4 below;
- In some cases, necessary for the performance of a task carried out in the public interest;
- When we use special categories of personal data, necessary for establishing, exercising or defending legal claims or where the processing relates to personal data manifestly in the public domain; and
- In limited circumstances, processed with your consent which we obtain from you from time to time (for instance where required by laws other than the EU GDPR), or processed with your explicit consent in the case of special categories of personal data such as your medical information.
Examples of the ‘legitimate interests’ are:
- Undertaking some of the purposes in sections 3.2(a) to 3.2(k) below;
- Exercising our rights under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct business and right to property;
- When we make the disclosures referred to in section 4 below, providing products and services and warranting a consistently high service standard, and keeping our customers, employees and other stakeholders satisfied.
- Meeting our accountability and regulatory requirements around the world,
In each case provided such interests are not overridden by your privacy interests.
To the extent we have obtained your consent to process ordinary personal data in the past in any product-specific terms and conditions for data protection law only, we will no longer rely on such consent, but instead will rely on lawful grounds of compliance with a legal obligation, contractual necessity or legitimate interests (as specified in this notice), and our ability to rely on that consent is hereby waived or extinguished. For the avoidance of doubt, any consent given for any other reason, for instance (and if applicable) e-Privacy (including direct marketing) or banking secrecy, remains unaffected by this paragraph.
Where the personal data we gather from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if we cannot gather this personal data there is a possibility we may be unable to onboard you as a client or provide products or services to you (in which case we will inform you accordingly).
3.2 Purposes of processing
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process personal data for the following purposes:
- Client on-boarding processes, including to verify your identity and assess your application (including the need for guarantees or other securitization tools) if you apply for credit, and to conduct legal and other regulatory compliance checks (for example, to comply with anti-money laundering regulations, and prevent fraud)
- Providing products and services to you and ensuring their proper execution, for instance by ensuring that we can identify you and make payments to and from your accounts under your instructions and the product terms
- Managing our relationship with you, including communicating with you in relation to the products and services you obtain from our business partners and us, handling customer service-related queries and complaints, facilitating debt recovery activities, making decisions regarding credit or your identity, tracing your whereabouts, and closing your account (in accordance with applicable law) if it remains dormant and we are unable to contact you after a period of time
- Helping us to learn more about you as a customer, the products and services you receive, and other products and services you may be interested in receiving, including profiling based on the processing of your personal data, for instance by looking at the types of products and services that you use from us, how you like to be contacted and so on
- Taking steps to improve our products and services and our use of technology, including testing and upgrading of systems and processes, and conducting market research to understand how to develop our existing products and services or learn about other products and services we can provide
- Contacting you for direct marketing purposes about products and services we think will be of interest to you, including those offered by us, and facilitating competitions and promotions
- Meeting our on-going regulatory and compliance obligations (e.g., laws of the financial sector, anti-money-laundering and tax laws), including about recording and monitoring communications, disclosures to tax authorities, financial service regulators and other regulatory and governmental bodies, and investigating or preventing crime
- Ensuring the safety of our customers, employees and other stakeholders
- Undertaking transactional and statistical analysis, and related research
- For our prudent operational management (including credit and risk management, insurance, audit, systems, and products training and similar administrative purposes)
- Any other purposes we notify to you from time to time
4. Who has access to personal data and with whom are they shared?
4.1 Within our company
We usually share personal data within our company to ensure a consistently high service standard and to provide services and products to you.
4.2 Third Parties
When providing products and services to you, we will share personal data with persons acting on your behalf or otherwise involved in the transaction (depending on the type of product or service you receive from us), including, where relevant the following types of companies.
- A party acquiring an interest in, or assuming risk in or in connection with, the transaction (such as an insurer)
- Companies in which you have an interest in securities where such securities are held by the bank for you
- Payment recipients, beneficiaries, account nominees, intermediaries, and correspondent and agent banks
- Clearinghouses, and clearing or settlement systems; and specialized payment companies or institutions such as SWIFT
- Market counterparties
- Upstream withholding agents
- Swap or trade repositories
- Stock exchanges
- Other financial institutions, credit reference agencies or credit bureaus (to obtain or providing credit references)
4.3 Service providers
In some instances, we also share personal data with our suppliers and other business partners who provide services to us, such as IT and hosting providers, marketing providers, communication services and printing providers, debt gathering, tracing, debt recovery, fraud prevention, and credit reference agencies, and others. When we do so, we take steps to ensure they meet our data security standards, so that your personal data remains secure.
4.4 Public or regulatory authorities
If required from time to time, we disclose personal data to public authorities, regulators or governmental bodies, including when required by law or regulation, under a code of practice or conduct, or when these authorities or bodies require us to do so.
If our business is sold to another organization or if it is re-structured, personal data will be shared so that you can continue to receive products and services. We will usually also share personal data with prospective purchasers when we consider selling or transferring part or all of a business. We take steps to ensure such potential purchasers keep the data secure.
If you exercise your right to data portability, we will usually disclose your personal data to an intermediary that facilitates data portability in accordance with applicable law and regulations.
We will disclose personal data where required to exercise or protect legal rights, including ours and those of our employees or other stakeholders, or in response to requests from individuals or their representatives who seek to protect their legal rights or such rights of others.
5. International transfers of personal data
The Recipients referred to in section 4 above can be located outside the European Economic Area. In those cases, except where the relevant country has been determined by the European Commission to provide an adequate level of protection, we require such recipients to comply with appropriate measures designed to protect personal data contained within a binding legal agreement.
6. How long do we store your data?
We will only retain personal data for as long as necessary to fulfill the purpose for which it was gathered or to comply with legal, regulatory or internal policy requirements. To help us do this, we apply criteria to determine the appropriate periods for retaining your personal data depending on its purpose, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests.
7. Your rights
You have a right to ask us to rectify inaccurate personal data we gather and process and the right to request restriction of your personal data pending such a request being considered.
Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Please also note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You have a right to ask us to stop processing your personal data, or to request deletion of your personal data (known as the ‘right to be forgotten’) – these rights are not absolute under the EU GDPR (as sometimes there may be overriding interests that require the processing to continue, for example), but we will consider your request and respond to you with the outcome. When personal data are processed for direct marketing purposes, your right to object extends to direct marketing, including profiling to the extent it is related to such marketing. You may object to direct marketing by emailing us at any time.
Where we process your personal data on the basis of your consent, or where such processing is necessary for entering into or performing our obligations under a contract with you, you may have the right to request your personal data be transferred to you or to another controller (known as the ‘data portability’ right). You also have the right to ask us for a copy of some or all of the personal data we gather and process about you.
In certain circumstances, we may process your personal data through automated decision-making, including profiling. Where this takes place, you will be informed of such automated decision-making that uses your personal data, be given information on the logic involved, and be informed of the possible consequences of such processing. In certain circumstances, you can request not to be subject to automated decision-making, including profiling.
You can exercise the rights set out above using the details in section 8 of this notice.
8. Exercising your rights, and complaints
If you are not satisfied with any aspect of the processing of your personal data by us, we would like to discuss it with you to understand how we can rectify the issue. If you would like to speak to us about our use of your personal data, you can do this by contacting us.
If you are not satisfied with our response, you have the right to make a complaint to the data protection authority in the jurisdiction where you live or work, or in the place where you think an issue concerning your data has arisen.
9. Security Note
We have in place appropriate technical and organizational measures to prevent unauthorized or unlawful access to the personal data you have provided to us. As complete data security cannot be guaranteed for communication via e-mails, instant messaging, and similar means of communication, we would recommend sending any particularly confidential information by an alternative secure means.
10. Changes to personal data
We are committed to keeping your personal data accurate and up to date. Therefore, if your personal data changes, please inform us of the change as soon as possible.