The GDPR came into force across European Union (EU) member states on 25 May 2018 and applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU regardless of whether the processing takes place in the EU or not.
What is personal data?
Personal data means any information relating to a natural person, (a ‘data subject’) who can be identified, directly or indirectly, by reference to an identifier such as a name, place and date of birth, contact details, bank account details or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
What is processing?
When we collect, record, store, transfer or use in any way for any purpose or erase your personal data we are processing it.
What personal data do we collect and why?
In order for ECOVIS to provide services to its clients, run its business and discharge regulatory and legal obligations it needs to process the personal data of its clients, employees and other third parties. Without processing this personal data, we may not be in a position to provide our services and administer our business.
The personal data we need to collect will depend on the services that we provide to you. Please see our Privacy Notice to you. In general ECOVIS usually collects:
photographic ID and other documents to verify both your identity, place and date of birth and residential address, source of wealth and source of funds for a transaction in order to satisfy anti-money laundering, counter-terrorist financing and anti-tax avoidance regulations (AML); failure to provide these may mean that we are unable to establish or continue in a business relationship with you or an entity connected to you;
your contact details, including but not limited to, telephone numbers, address and email addresses in order to communicate with you;
background checks as part of our AML screening process or to perform client acceptance and continuance procedures and suspicious transaction reporting. We may also conduct criminal background checks as part of the legal service offered to you;
where, as part of our services to you, we remit or receive funds or instruct such fund transfers, we will collect your bank details. Similarly, if you are an employee or otherwise provide services to ECOVIS we may collect your bank and payment details.
Where we collect additional personal data, you will be informed of that at the time we collect it, together with the reasons for the collection. Where we later process your personal data for reasons not already communicated to you, we will notify you in advance.
We usually collect personal information about you from you directly but in certain circumstances we may collect personal data on you from other sources such as third parties, your advisors, or from publically or privately available records. In particular we use third party AML and fraud prevention services to verify your identity and address details.
How do we use personal information?
We process personal data primarily for the purpose of providing you, or an entity to which you are connected, with contracted services. Where you provide a service to ECOVIS we will process contact details of your representatives, agents or employees in order to communicate with you or them. In addition to this we may use your information for the following purposes:
to meet a legal or regulatory requirement, or where the processing is in the public interest;
to communicate with you regarding the services we provide to you;
to advise you of changes that may affect you that we feel are in your best interests;
for reasonable administrative and accounting purposes in the normal course of managing our business, and to carry out internal administration such as to make time-recordings against the client name or to copy, scan and save documentation, including to manage risks and litigation;
if we believe that we have a legitimate interest;
we believe that you have a legitimate interest and refraining from using your personal data could have a negative impact on you.
Storing and deleting your personal data
We have strict security and confidentiality procedures covering the storage and disclosure of your personal information in order to safeguard it, prevent unauthorised access and to comply with data protection laws. The personal data that we hold will be retained and stored for a period of time after our relationship with you has ended. The length of the storage period is determined by Luxembourg laws. We will delete your personal data once it is no longer required for the processing purposes for which we have collected your data. Please note that we may be required by AML regulations to retain personal data processed for our due diligence on you and your financial transactions history for a minimum period of five years after our business relationship ends. Where regulatory requirements require us to keep your personal data for a longer period, we will do so. After the storage period has expired, we shall securely destroy all of your personal data, except where such data is required in litigation, or has been requested by a supervisory body or other law enforcement agency, or where you or other data subjects concerned have requested that this data be retained (and paid an appropriate fee for such retention).
Your right to access and correct your personal data
You also have a right to require that any inaccurate personal data that we hold on you is corrected. If you find that any of your personal data is incorrect, please email us or write to us at the address below and we will correct it without delay.
For further information on your rights, including the “right to be forgotten” or if you wish to exercise your right to make a complaint to a regulatory authority please click here.
Sharing and transferring your personal data
We will never sell your personal data. Personal data is exclusively hosted in servers located in Luxembourg. To the extent permitted or required by the applicable Luxembourg laws, ECOVIS may disclose personal data to any recipients if they are concerned by the purpose(s) referred to above and, when such recipients process the personal data on behalf of ECOVIS, if they are bound by commitments substantially equivalent to those of ECOVIS as expressed in this notice ECOVIS will not share, disclose or transfer your personal data outside the EU/EEA otherwise than to countries that are subject to an adequacy decision of the European Commission or, in the absence of adequacy decisions, in order to perform the services agreed in our contract, so long as there are appropriate safeguards in place to protect your data to GDPR-compliant standards. We take all reasonable steps to ensure that personal data transfers are kept confidential and secure as required by data protection laws.
Changes to this Data Protection Policy
We will place any update to this policy on this page of our website.
How to contact us
If you have any questions or concerns about personal data or this policy or you wish to make a complaint about how we have processed your personal data, please contact us by email at email@example.com or by writing to us at the following address: ECOVIS Luxembourg, S.à r.l. 56, rue Charles Martel L-2134 Luxembourg