Principles of Processing Customer Data

Effective 15 March 2022

We value all of our customers and respect their right to privacy and protection of their data. We would like our customers to be aware of why and how we use their data, what their rights are and how they can exercise their rights. For this purpose, we have updated our Principles for Processing Customer Data, which provide information on the following questions:

• what kind of Customer Data we use in our activity and the main reasons for using the data (clauses 3.6 and 3.7);
• what are the additional purposes for which we also use Customer Data (clause 3.8);
• what are the rights of natural person Customers (clause 8);
• how can our Customers exercise their rights, including whom can they contact if they have questions (clause 9);
• where are we allowed to obtain information about our Customers (clauses 3.1 and 3.2);
• to whom and on what grounds can we send Customer Data (clause 4);
• how do we protect our Customers’ Personal Data when we send them outside the European Economic Area (clause 5).

1. Terms and definitions. General provisions

   1. Customer for the purposes of these Principles for Processing Customer Data (“Principles”) is a natural person or a legal person who has expressed a desire to use, who is using or who has used LHV services and who is otherwise connected to services provided by LHV.
   2. Customer Data is any sort of information, including banking secrets and personal data known by LHV regarding a Customer.
   3. Processing is any procedure performed with Customer Data, including collection, retention, use and sending of data.
   4. Personal Data are any information on natural person Customers who have been identified or are being identified.
   5. Third Party is any person who is not the Customer, LHV or LHV employee and who, either alone or with a second person, defines the purposes and means for Processing of Customer Data.
   6. LHV is LHV Group, AS LHV Pank, LHV Varahaldus, LHV Finance, LHV Kindlustus and other legal persons in which LHV Group holds, directly or through subsidiaries, over 50% of the shares.
   7. These Principles shall apply insofar as they do not contradict the Service Conditions.
   8. By entering into a customer relationship with LHV or expressing the desire to do so, the Customer agrees to the Processing of Customer Data on conditions and in accordance with procedure set forth in these Principles.

2. General principles

   2. Processing of Customer Data at LHV takes place in accordance with requirements set forth in Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), the Personal Data Protection Act, other relevant legal acts and the requirements set forth in these Principles. The conditions for Processing of Customer Data may also be described in contracts and other documents related to LHV services.
   3. Based on the requirements of legal acts, and pursuant to the employment contracts and other agreements entered into on the basis thereof, LHV and its employees are obliged to keep Customer Data confidential indefinitely and are liable for violations of the aforementioned obligations. LHV shall allow access to Customer Data only to employees who have received the relevant training. An employee shall have the right to process Customer Data only in the extent necessary for fulfilling the duties of employment assigned to that employee.
   4. LHV shall use authorised processors for Processing of Customer Data. LHV shall in this regard ensure that such data processors process Customer Data only in accordance with instructions from LHV and in conformity with the requirements for data protection.

3. The categories of Customer Data processed by LHV, objectives of Processing and legal basis for Processing

   3. LHV gathers Customer Data mainly from the Customer (e.g. applications and requests, in the course of Customer interaction) and in the course of use of the services by the Customer (e.g. execution of card payments and transfers, forwarding of securities orders, performance of contracts).

   4. LHV also obtains Customer Data from Third Parties, such as:

      1. parties related to the Customer (e.g. policyholder, person submitting the notice of loss, person submitting the credit application or other parties related to the agreement), upon submission of requests and applications;
      2. partners in cooperation and parties involved in provision of services to customers (e.g. SK ID Solutions). We may receive such data above all when customer has granted the cooperation partner prior consent for this purpose or if LHV has a legitimate interest for obtaining the data. We may obtain data above all in the course of provision of service, e.g. during use of payment services, SK ID Solutions transmits to us data related to authentication, including the IP address;
      3. public and private registers (e.g. Population Register, Central Register of Securities, KMAIS information system, register of taxable persons, motor insurance register, register of construction works, Tax and Customs Board, Funded Pension Registry). LHV uses these data mainly for verifying and updating Customer Data, for providing the relevant services to the Customer and for evaluating the Customer’s creditworthiness;
      4. LHV companies, OÜ Krediidiregister, and Creditinfo Eesti AS. LHV uses these data mainly for verifying and updating the Customer’s creditworthiness and risk management, including compliance with obligations stemming from the accounting standards (IFRS 9);
      5. correspondent banks, foreign brokers, payment service providers and other financial service providers, insurance undertakings and insurance agents, healthcare providers and other business partners if the Customer has provided consent to our business partner for this purpose or the sending of data is permitted by legal acts. LHV uses these data mainly for enabling provision of service to Customers (e.g. foreign payments, investment services, payment services, insurance services).

   5. LHV process Customer Data for compliance with legal obligations stemming from legal acts (national laws, supervisory guidelines, regulations and EU legal acts), performance of contracts with Customers and preparing for entering into contracts, e.g. for processing applications submitted by Customers, on the basis of Customer consent and for protection of LHV’s own legitimate interests.

   6. LHV’s legitimate interests are expressed, above all, in furtherance of its own operating activity in offering Customers better services and products, developing its own products, ensuring data and information security, managing debt and ensuring protection against legal disputes.

   7. On the basis of consent for Processing Customer Data, LHV shall ask for consent, e.g., on relevant applications and requests, and allow the Customer to provide its consent voluntarily.

   8. Within the framework of its activities, LHV processes the following categories of Customer Data:

      CATEGORIES OF CUSTOMER DATA	DATA EXAMPLES
      Personal data	name, personal identification code, date of birth, place of birth, age, citizenship, identity document data, facial image, PEP status, residence permit data
      Contact data	e-mail, telephone, address, language of communication
      Tax residence data	TIN code, tax residence, evidence of tax residence
      Right of representation data	birth certificate data, guardianship data, restriction of active legal capacity, authorisation document data
      Third party relationship data	relations with politically exposed persons, relations with successors, relations with other parties involved in the provision of services (e.g. payment counterparty, company, sureties, owners of collateral assets, insured persons and beneficiaries)
      Payment account data	payment transaction data, time of transaction, payment amounts, payment details, account balance, account number, payment counterparties, limits, card transaction data, purpose of account opening, accounts with other banks, data on payments contested, recalled and cancelled, data on payment account operations (e.g. seizure)
      Deposit data	deposited amount, deposit period, customer orders and operations with deposits
      Family data	marital status, number of dependants
      Professional activity data	position, place of work, field of activity, educational background, level of education, employer, length of service, experience in the field
      Debt data	debt amount, debt period, fines for delay, data on debt elimination, data on underlying agreement, payment default data, cause of debt, time of occurrence and elimination of the payment default
      Financial data	incoming payments forecast, income, commitments, previous payment behaviour, transactions effected, agreements concluded and terminated, requests submitted, applications submitted, interest and service fees, breach of agreement, CreditInfo score, data on credit decisions, down payment amount.
      Asset origin data	origin of self-financing, source of funds on the account, documents on transactions on the payment account
      KredEx surety data	study programme, educational institution, duration of the programme, employer's certificate data, data on certificates verifying the status of a veteran of the Defence Forces of Estonia or the National Defence League.
      Collateral data	type of collateral, value of the collateral, description of and technical data on the collateral, location of the collateral, possessor of the collateral
      Data on the Customer's knowledge and experience	investment-related knowledge and experience, investment objective, knowledge of financial instruments, previous experience in financial instruments, investment-related occupation, work experience in the financial sector, planned duration of investment, risk level
      Securities-related data	securities transactions, securities orders, securities data, transaction value, amount, volume, LEI code, securities portfolio data, margin loan collateral data, virtual portfolio data, suspicious transactions
      Alternative investment data	name of investment, amount, purchase price, generated revenue (interest, principal payments), available funds, profit, value
      Customer habits, preferences and satisfaction data	Customer status, activity in the use of services, services and products used, Customer inquiries and complaints, data on campaign conditions (e.g. growth account, income, type of card used)
      Data on official inquiries	data related to inquiries submitted by investigation authorities, notaries, tax authorities, bailiffs, courts, data on claims
      Data on participation in campaigns	prizes won in investment games and other consumer games, participation in LHV campaigns and other LHV consumer games, points collected during campaigns, the alias used for the game, game portfolio data
      Pension data	pension fund data, Customer's pension fund value, applications submitted, pension forecast, retirement age forecast, additional years of pensionable service, pension fund contributions, average yield expected by Customer, 3rd pension pillar data, years of pensionable service, insurance component data
      Customer device data	type of device, device identifier, IP address, location
      Tax data	income based on the income tax return (except for income generated from transfer of assets and taxes paid thereof); payments declared by employer based on TSD; benefits for incapacity for work, unemployment insurance benefits and redundancy benefits, pensions, contributions to the 3rd pension pillar, data on the funded pension based on TSD; dividends and equity-based payments; tax arrears starting from EUR 100
      Book borrowing data	books borrowed, borrowing date, return date, fines for delay
      Bank card data	type of card, term of validity, card status, card number
      Charity organisation data	name of organisation, donation amounts
      Data on recordings	video recordings, call recordings, ATM photos
      Data on offences	data on offences committed, criminal punishment, data on suspicion of offence
      Insurance data	data on insurance coverage, data on the insured object, insurance period, insurance payment amount, insurance contracts concluded and applications submitted, indemnity decisions
      Insured event data	description of the event, time and place of the event, cause of damage, persons damaged, photos and documents on the damaged object, time and place of the trip, route of the trip
      Data concerning health	description of injuries and diseases, description and duration of treatment, diagnoses
      Fund unit data	investment fund, number of units, data on acquisition, redemption and disposal of units
      Alternative investment data (including crypto assets)	crypto asset transactions, crypto asset orders, crypto assets data, crypto transactions value, amount, volume, crypto assets portfolio data

   9. The primary purposes of processing Customer Data, categories of Customer Data and the legal bases for processing Customer Data in LHV have been listed below:

      PURPOSES OF DATA PROCESSING	CATEGORIES OF CUSTOMER DATA	LEGAL BASIS FOR PROCESSING
      Identification	Personal data	legal obligation arising from the Money Laundering and Terrorist Financing Prevention Act; legitimate interest in identifying the customer and hedging risks
      Verification of the identity document, right of representation and accuracy of data	Personal data Right of representation data	Legal obligation arising from the Money Laundering and Terrorist Financing Prevention Act; legitimate interest in verifying the accuracy of data submitted by the customer, and hedging risks agreement
      Application of due diligence measures and monitoring of the business relationship	Personal data Contact data Right of representation data Third party relationship data Payment account data Professional activity data Asset origin data Securities-related data Data on official inquiries Data on offences Customer device data Data on recordings	legal obligation arising from the Money Laundering and Terrorist Financing Prevention Act
      Collection and reporting of tax information	Personal data Tax residence data Contact data Payment account data Securities-related data Deposit data	legal obligation arising from the Tax Information Exchange Act
      Succession-related acts	Personal data Payment account data Securities-related data Debt data Contact data Deposit data Fund unit data Pension data Third party relationship data	agreement; legal obligation arising from the Funded Pensions Act
      Engagement of deposits	Deposit data Personal data	agreement
      Customer relationship management, fulfilment of the Customer notification requirement	Contact data	legal obligations arising from various legal acts (e.g. Securities Market Act, Law of Obligations Act); legitimate interest in customer relationship management performance of the agreement
      Direct marketing, organisation of campaigns, feedback	Contact data Personal data Data on participation in campaigns Debt data Customer habits, preferences and satisfaction data	consent; legitimate interest in the sale of similar products and services, and legitimate interest in telephone sales; legitimate interest in the use of debt data for responsible marketing of credit products to the relevant customer segment (customers of credit products)
      Provision of credit services (disbursement of loans, credit decisions, verification of the KredEx surety conditions, making indicative offers)	Personal data Contact data Financial data KredEx surety data Collateral data Third party relationship data	agreement
      Assessment of the Customer’s creditworthiness and credit risk management	Personal data Family data Professional activity data Financial data Data on offences Debt data Payment account data Collateral data Pension data Third party relationship data Asset origin data Tax data Securities-related data	legal obligation arising from the Creditors and Credit Intermediaries Act and the Law of Obligations Act, and legitimate interest in organising risk management and hedging credit risk use of tax data - consent
      Appraisal of collateral assets	Personal data Collateral data	legal obligation arising from the Creditors and Credit Intermediaries Act and the Credit Institutions Act
      Provision of investment services (execution and transmission of securities orders, enabling access to Baltic analyses, elimination of margin loan positions, pledging of securities, borrowing securities from the Customer, administration of the investment account, enabling use of the virtual portfolio, enabling a more favourable tax rate for US securities transactions, provision of portfolio management services)	Personal data Securities-related data Contact data Family data	agreement; legal obligation arising from the Securities Market Act
      Assessment of suitability and appropriateness in the provision of securities services to the Customer	Personal data Data on the Customer's knowledge and experience Professional activity data Financial data Securities-related data	legal obligation arising from the Securities Market Act and the Commission Delegated Regulation (EU) 2017/565
      Transaction monitoring with regard to characteristics of market abuse and reporting of suspicious transactions	Personal data Securities-related data Professional activity data Payment account data	legal obligation arising from Regulation (EU) No 596/2014 of the European Parliament and of the Council (market abuse regulation)
      Performance of the account administrator function (subscription of securities, cancellations, interest disbursement, acceptance of pension applications, acceptance of funded pension disbursement applications, exchange of information with the central register of securities)	Personal data Contact data Securities data Pension data	legal obligation arising from the Securities Register Maintenance Act, Securities Market Act and Funded Pensions Act
      Provision of the digital pension solution service	Personal data Contact data Pension data	agreement
      Provision of specific pension forecasts for users of the digital pension solution service	Personal data Family data Professional activity data Pension data	consent
      Display of alternative investments in the internet bank	Personal data Alternative investment data	consent
      Enabling the use of the Trader and Broker demo versio Personal data Contact data	consent
      Organisation of seminars	Personal data Contact data	consent; legitimate interest in forwarding seminar materials and inviting previous participants to partake in new seminars
      Provision of payment services (acceptance of payment orders, execution and transmission of payment orders, cash deposits and cash withdrawals, ordering of cards, payment recalls and cancellations, contesting of card transactions, ordering of e-invoices, enabling access to mTasku, enabling card payments, transfer of settlement services, enabling use of the virtual ISIC card, enabling use of proxy payments, provision of the payment initiation service)	Personal data Contact data Payment account data Professional activity data Bank card data	agreement; legal obligation arising from legal acts (e.g. Law of Obligations Act, Regulation (EU) 2015/847 of the European Parliament and of the Council
      Identification and investigation of tax fraud; ensuring information security	Personal data Payment account data Customer device data	legal obligations arising from various legal acts (e.g. Commission Delegated Regulation (EU) 2018/389, guidelines of the Financial Supervision Authority); legitimate interest in ensuring information security and hedging risks
      Enabling use of services provided by payment service providers (e.g. account information services, payment initiation services)	Personal data Payment account data	legal obligation arising from the Law of Obligations Act and the Commission Delegated Regulation (EU) 2018/389
      Enabling use of charity options	Personal data Charity organisation data Payment account data	agreement; transmission of data (personal identification code, donation amount) to the chosen charity organisation - the charity organisation's legitimate interest in applying the tax incentive
      Borrowing of books	Personal data Contact data Book borrowing data	agreement
      Enabling use of Financial Portal	Personal data Contact data	agreement
      Protection of the property of Customers, staff members and LHV	Data on recordings	legitimate interest in protecting property and ensuring physical security
      Debt management	Personal data Contact data Debt data Collateral data	legitimate interest in organisation of debt management and ensuring protection against breach of agreement
      Account seizure, response to inquiries and transmission of payment account information	Personal data Payment account data Data on official inquiries	fulfilment of legal obligations arising from various legal acts (e.g. Money Laundering and Terrorist Financing Prevention Act, Code of Enforcement Procedure)
      Management of the fund unit register, organisation of redemption and issue of fund units	Personal data Contact data Fund unit data	legal obligation arising from various legal acts (e.g. Investment Funds Act, Funded Pensions Act)
      Provision of management company services	Personal data Contact data Fund unit data	agreement
      Provision of insurance services (insurance offers, provision of customer support, provision of insurance services, conclusion of contracts and issue of insurance policies, payment of insurance indemnities)	Personal data Contact data Insurance data Bank card data	agreement
      Ascertaining insurable interest	Personal data Insurance data	legal obligation arising from the Law of Obligations Act, Insurance Activities Act
      Determining the amount of the insurance premium	Insurance data Data on offences Personal data	agreement; legitimate interest in organisation of risk management and risk hedging
      Loss adjustment, including recording of loss events, decision-making	Personal data Contact data Insurance data Insured event data Data concerning health Third party relationship data	agreement; in processing data concerning health, LHV relies on public interest in accordance with subsection 218 (2) of the Insurance Activities Act.
      Submission of information on motor TPL insurance to the Motor TPL insurance registry	Personal data Insurance data Insurance event data	legal obligation arising from the Motor Insurance Act and the statute of the motor insurance register

   10. In addition to the objectives set forth in clause 3.7, LHV also processes Customer Data for the following purposes:

       1. administering the Customer relationship, inspecting and, if necessary, correcting the data submitted by the Customer and enabling access to products and services. Processing takes place for performing the contract or adopting measures prior to conclusion of contract, as well as based on legitimate interest in managing the customer base, improving the services provided to customers, including eliminating technical malfunctions;
       2. exercise of LHV’s rights in connection with legal requirements, substantiation and defence of rights in court or extra-judicially. Processing takes place on the basis of LHV’s legitimate interest, with the purpose of ensuring protection against legal disputes;
       3. hedging of risks and risk management, e.g. to evaluate or inspect the credit portfolio or collateral assets of LHV, or to prepare audits, stress tests or analyses that partially or completely cover the activities of LHV. Processing takes place for performance of the legal obligation set forth in Regulation 575/2013 of the European Parliament and of the Council and on the basis of LHV’s legitimate interest for the purpose of organising risk management;
       4. ensuring physical security and data and information security, and carrying out internal control activities. Processing takes place for performance of a legal obligation set forth in various legal acts, including the Credit Institutions Act, the Financial Supervision Authority’s guidelines and the Creditors and Credit Intermediaries Act, and on the basis of LHV’s legitimate interest for the purpose of organising risk management;
       5. processing of customer complaints. Processing takes place for performance of a legal obligation set forth in various legal acts, including the Credit Institutions Act, the Financial Supervision Authority’s guidelines and the Creditors and Credit Intermediaries Act, and on the basis of LHV’s legitimate interest;
       6. conducting Customer surveys, researching consumer habits. Such data processing takes place on the basis of legitimate interest of LHV to receive feedback from Customers about their satisfaction with the services and products offered by LHV and thus developing existing and new products and services.
       7. for satisfying the burden of proof in the case of potential disputes, LHV may also collect information concerning receipt of letters sent out containing obligatory contents (e.g. letter recipient, time of sending, information on delivery of letter). Processing takes place on the basis of legitimate interest for the purpose of protecting LHV’s interests in legal disputes.

   11. The use of cookies and the relevant data processing is governed by the terms and conditions for use of cookies, published on LHV’s website.

4. Forwarding of customer data

   4. LHV has the right to forward Customer Data to the following Third Parties, and the Customer shall not consider this breach of obligation to maintain confidentiality (including bank secrets):
      1. other LHV companies, who may process the Customer Data specified in clause 3 of the Principles, e.g. for identifying the Customer, updating Customer Data, evaluating the Customer’s expertise, risk management and hedging of risks, and compliance with fiduciary regulations, including capital and liquidity requirements, and assessing creditworthiness. The data are transmitted for the purpose of fulfilling an obligation imposed by law (e.g. risk management, identification), based on legitimate interest (e.g. ensuring data quality when updating customer data) or based on the Customer’s consent;
      2. persons and organisations related to provision of service and performance of agreements concluded with the Customer (e.g. sureties, loan co-recipients, guarantors, collateral owners, insured persons and beneficiaries, successors, merchants, international card organisations, payment intermediaries and other payment service providers, insurance providers and intermediaries, e-invoice issuers, credit intermediaries and credit agents, Central Register of Securities, pledgees, correspondent banks, investment service providers, settlement systems, notaries, providers of translation, communication, IT and postal service, Federation of Estonian Student unions, Bank of Lithuania as the proxy payment registrar, cooperation partners for bank cards). Data (e.g. contract data, Personal Data, payment account data, securities data, bank card data, insurance data, insured event data) are transmitted for the purpose of performing the contract concluded with the Customer, as well as based on the legitimate interest of third parties (e.g. transmitting customer due diligence data on the basis of an inquiry submitted by a correspondent bank);
      3. persons who maintain databases (including Creditinfo Eesti AS or any other person who maintains a register of payment defaults), to whom LHV sends information on the basis of legal acts or concluded contracts for the purpose of applying the principle of responsible lending, as well as to enable Third Parties to evaluate the Customer’s payment history and creditworthiness. The transmitted data consist of data on the customer’s contractual debts in the amount of at least EUR 30 and overdue for at least 45 days. The legal basis for transmission of data is public interest in accordance with section 10 of the Personal Data Protection Act;
      4. the Society for Worldwide Interbank Financial Telecommunication SWIFT (www.swift.com). SWIFT data processing centres are located in European Union member states and the United States of America, as a result of which bank transaction data are retained, including the personal data of the transaction initiator and recipient, regardless of the place where the transaction is conducted, both in the SWIFT-operated processing centre in an EU member state and the United States of America. When conducting a bank transaction, the bank related to the transaction, payment intermediary or SWIFT may be obliged to disclose transaction data, or Customer Personal Data related thereto, to the competent government authority of the relevant country of location in cases specified in the legal acts of the country of location;
      5. Third-party service providers to whom LHV has outsourced activities (e.g. companies engaged in sale and trade in connection with sale of LHV services and establishing identity, other LHV companies in connection with marketing of pension products, performance of functions of account manager, marketing of pension products, server and cloud service providers, mail service providers, monitoring tool service providers, ATM operators, tax fraud detection partners, e-invoicing partners, loss adjustment partners, customer support partners, archiving service providers, debt and leased asset collection partners). In such cases, partners serve as LHV’s processors and shall not have a separate right or legal basis for processing Customer Data. Customer Data is processed on behalf of and under the responsibility of LHV;
      6. LHV consultants or other service providers (e.g. auditors, attorneys). The Customer Data is transmitted to LHV for the purpose of service provision, including for representing LHV in disputes, providing legal advisory services, audit services. The legal basis for transmission of data is LHV’s legitimate interest;
      7. Assign right of claim to a new creditor. The transmitted data contain data on source contracts and debt data, and the data are transmitted on the basis of LHV’s legitimate interest for the purpose of credit risk management;
      8. To other Third Parties, based on the Customer’s voluntary consent. In such cases, the Customer is provided with information on the nature of the consent, contents of the data to be transmitted and the purpose of the transmission of data, before requesting the Customer’s consent.
   5. LHV is obliged to disclose and to convey Customer Data for the purpose of performing obligations arising from legal acts and international and mutual legal assistance (e.g. forwarding data to investigative bodies, notaries, trustees in bankruptcy, the Tax and Customs Board, Financial Intelligence Unit, Financial Supervision Authority, Estonian Motor Insurance Bureau, Estonian Funded Pension Registry).

5. Forwarding Customer Personal Data outside the European Economic Area

   5. As a general rule at LHV, Customer Personal Data are not sent outside the European Economic Area and if this is done, then before any data is sent, the background of the Third Party is verified thoroughly, and measures are applied to ensure secure data transmission including, if possible, measures to accord equivalent protection to Personal Data as those which exist in the European Economic Area.
   6. When sending Customer Personal Data outside the European Economic Area, appropriate protection measures are applied, e.g. forwarding data to a country that in the judgment of the European Commission has a sufficient level of data protection, and forwarding of data to a Third Party in the United States of America which has been certified on the basis of Privacy Shield data protection framework and the use of standard data protection clauses developed by the Commission.
   7. In the absence of appropriate protection measures, LHV is entitled to forward Customer Personal Data outside the European Economic Area in situations where forwarding the data is, for example, necessary for performing a contract between the Customer and LHV or for implementing measures adopted on the basis of Customer’s application (e.g. use of foreign intermediaries for providing investment service, use of correspondent banks for making foreign payments).
   8. If the conducting of an international bank transaction involves a financial institution located in a country with insufficient level of data protection, e.g. a correspondent bank or other payment intermediary, including SWIFT, LHV cannot ensure that the processor processing Customer Data by financial institutions in such countries would have identical obligations to those of LHV and that the identical rights are guaranteed for the Customer at the same level as in the European Economic Area or other country with sufficient level of data protection.
   9. For detailed information on sending of Customer Data outside the European Economic Area, the Customer should contact LHV.

6. Profile analysis and making of automated decisions regarding Customers who are natural persons

   6. Profile analysis is automatic Processing of Personal Data used for evaluating certain personal traits of the Customer – for example, to analyse or forecast the person’s economic situation, personal preferences and interests. LHV uses profile analysis for the purpose of marketing, risk assessment for compliance with the requirements of prevention of money laundering and terrorism financing, assessing the probability of insolvency, transaction monitoring to counter fraud; and automated decisions are used to assess the probability of insolvency and for making certain credit decisions (e.g. hire-purchase, consumer loans). Such data processing takes place either on the basis of legitimate interest of LHV (e.g. direct marketing), performing legal obligations, including on the basis of the Money Laundering and Terrorism Financing Prevention Act and the Regulation no. 575/2013 of the European Parliament and of the Council or, if necessary, on the basis of Customer’s consent.
   7. The profile analysis and automated decisions help LHV offer services more efficiently to Customers and avoid potential mistakes. For such Processing, including when creating segments and profiles, LHV does not gather separate data on the Customer and uses data that are on file for the Customer or data which LHV must gather regarding the Customer based on the requirements set forth in legal acts or for risk management (e.g. payment defaults, information on penalties, international sanctions and other negative information known to LHV).
   8. To prevent infringement of Customer rights, e.g. discrimination in the making of credit decisions, LHV reserves the possibility, when making automated decisions, for Customers to require that the decision made be reviewed in a non-automated manner.

7. Retention of Customers’ Personal Data

   7. LHV shall not process Customers’ Personal Data for longer than necessary for performing the objectives of the Processing, including for complying with the duty, set forth in legal acts, to retain data and for resolving disputes arising from contracts entered into with the Customer or for resolving potential disputes.
   8. In general, LHV shall retain Customers’ Personal Data until the end of the statute of limitations, unless legal acts set forth a direct obligation to retain Customers’ Personal Data for a different term.

8. Customer’s rights in connection with Processing of their data

   8. The Customer has the right:
      1. to receive information on whether LHV will process their Personal Data and if it does process the data, the right to receive a copy of their Personal Data and to demand corrections to their Personal Data if the changes have been made to the data or the data are otherwise inaccurate. The Customer has the opportunity to see their Personal Data e.g. at the bank office of LHV and via Internet bank. The Customer’s right to see their personal data may be limited by legal acts, other persons’ rights to their privacy and LHV’s rights (e.g. protection of business secrets);
      2. to prohibit use of their contact data for sending out offers. For this purpose, the Customer is guaranteed the right upon receiving a marketing communication to unsubscribe from the relevant list; the Customer can also, before receiving offers, contact the relevant LHV company whose Customer they are;
      3. rescind the consent given to LHV for Processing of their Personal Data. After the consent is rescinded, LHV shall no longer process the Customer’s Personal Data for the purpose consented to by the Customer;
      4. to make objections to the Processing of their Personal Data, including performance of profile analysis by LHV, if LHV processes the data on the basis of its legitimate interest. In such a case, LHV has no right to process the Customer’s Personal Data, unless LHV’s interests outweigh the potential restriction of the Customer’s rights (e.g. performance of general legal obligations);
      5. to receive more detailed information on LHV’s legitimate interests in regard to data processing where LHV processes Personal Data on the basis of legitimate interest;
      6. demand cessation of Processing of their Personal Data if the Processing of Customer Data occurs unlawfully, i.e. if LHV lacks a legal basis for Processing of the data;
      7. to demand deletion of their Personal Data, e.g. if LHV lacks the right to process such data or processes the data on the basis of the Customer’s consent and the Customer rescinds consent. The deletion cannot be requested in an extent to which LHV has the right or obligation to process Personal Data (e.g. for complying with a legal obligations, performing a contract, exercising its legitimate interest);
      8. demand restriction of Processing of its Personal Data, e.g. at the time that LHV is evaluating whether the Customer has the right to the deletion of its Personal Data;
      9. to receive a copy of Personal Data they have submitted to LHV and which are being processed on the basis of consent or for performance of contract, in a universal electronically readable format, and if technically possible, forward the data to another service provider.
   9. The Customers may exercise their rights by contacting LHV via the details specified in clause 9.3. LHV shall respond to the demand without undue delay, and no later than one month of receiving the demand. If, prior to responding to the demand, it is necessary to ascertain circumstances, ask for additional details or perform checks, LHV may extend the deadline for responding, notifying the Customer thereof in advance.

9. Protection of Customer rights

   9. AS LHV Pank, LHV Finance, LHV Varahaldus, LHV Kindlustus and LHV Group shall be responsible for processing of Customer Data. The contact details for all these companies are available on the LHV website: www.lhv.ee.
   10. Customers may contact LHV in connection with queries and cancellation of consent, and natural person Customers may, in regard to processing of Personal Data, demand exercise of their rights and lodge complaints in connection with Processing of their Personal Data.
   11. Details for contacting LHV companies: address Tartu mnt 2, 10145 Tallinn, e-mail info@lhv.ee, telephone number 6 800 400.
   12. The contact details for the designated data protection specialist for private customers (natural persons): address: Tartu mnt 2, 10145 Tallinn, e-mail compliance@lhv.ee.
   13. In addition, the Customer has the right to contact the Data Protection Inspectorate (website: www.aki.ee) or a court in their jurisdiction in the event of violation of their rights.

10. Amendment and application of the Principles

    10. LHV has the right to unilaterally amend the Principles at any time, based on the valid legal acts.
    11. LHV shall notify the Customer of amendments to Principles on the website, www.lhv.ee, and/or by communication device agreed on with the Customer at least 1 (one) month in advance, unless the Principles are amended solely on the basis of amendments to legal acts.
    12. The Principles shall be applied in processing of all Customers’ Customer Data, including customer relationships commenced prior to entry into force of the Principles.