As all electronic money institutions we store, process and ensure safety of our customers data. With this article, you will be able to find answers to such questions as: “What data is stored? For how long is my data kept? Is my data safe with your institution? Why are you processing my data? Can you delete all data related to me? Who do you share my data with? Who do I contact to learn more about my data with you? “
What kind of data do we store?
Identification data such as name, surname, personal identification code, date of birth, data regarding the identification document (such as passport or ID card number, date of issuance and expiration date, issuance country, citizenship, copy of the passport or ID card), photograph;
Contact data such as telephone number, email address, the residence address, postal address;
Data related to the services such as the performance of the agreements or the failure thereof, contract number, executed transactions, usage of ATMs, concluded and expired agreements, submitted applications, requests and complaints, interests and service fees, account number, card issuance date and expiration date, card number, postal address for card delivery;
Professional data such as educational or professional career, occupation;
Due diligence information, such as purpose of the business relationship, reasons for opening account, place of birth, source of income, self-declaration of politically exposed person, accounts with other banks; planned monthly turnover, countries for incoming payments, expected outgoing payments types, planned turnover of outgoing payments, countries for outgoing payments;
Data about tax residency such as data about the country of residence for tax purposes, tax identification number, citizenship, tax resident of USA;
Communication data - e-mails, messages, Handset ID;
Location data - Internet Protocol (IP) address.
What is the basis of data processing?
Data processing has been performed on the basis of consent (GDPR Article 6, 1 (a)), contract performance (GDPR Article 6, 1(b)), legal obligation (GDPR Article 6, 1(c)) and legitimate interest (GDPR Article 6, 1 (f)).
Please find below the list of laws the Company uses for legal basis to process data:
Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing
Republic of Lithuania Civil Code
Republic of Lithuania Accounting Law
Republic of Lithuania Law on Payments
Republic of Lithuania Law on Tax Administration
The Order of the Head of Tax Authority of Republic of Lithuania
Republic of Lithuania Law on Electronic Money and Electronic Money Institutions
What is the purpose of data processing?
The Company processes personal data only for specific and necessary purposes, these are:
To comply with legal obligations and verification of identity. To comply with applicable law, for example related to implementing the principles to prevent, discover, investigate and report potential money laundering, terrorist financing;
Provide services and to execute contracts concluded;
Execute transactions on the system and process incoming and outgoing payments;
Prevent misuse of financial services and ensure adequate provisions of services. To authorize and control access to and functioning of digital channels, prevent unauthorized access and misuse of those and to ensure the safety of information based on: performance of an agreement or take steps at the request of the Customer prior to entering into an agreement;
Protect the interests of the Customer and/or the Company and examine the quality of services provided by the Company and for the purpose of providing proof of a commercial transaction based on performance of an agreement or in order to take steps at the request of the Customer prior entering into an agreement or compliance with a legal obligation of the Company or legitimate interests to prevent, limit and investigate any misuse or unlawful use or disturbance of financial services or quality assurance of services, establish, exercise, assign and defend legal claims;
Notify Customer about changes to the services;
Manage Customer relations in general and provide and administer access to financial services offered by the Company;
To improve technical systems, IT infrastructure, customizing the display of the service to the device and to develop services such as by testing and improving technical systems and IT infrastructure;
Administer the Company’s web pages and the App for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; improve web pages and the App to ensure that content is presented in the most effective manner for you and for your computer;
Improve the Customer’s user experience of services and to develop new products and services.
Who can receive gathered personal data?
The Company transfers personal data to the following data recipients' categories under such legal basis as contract performance with customer and based on legal obligation as well:
authorities (such as law enforcement authorities, tax authorities, supervision authorities);
other banks and financial institutions, providers of payment and other services involved in the performance of a transaction in order to execute transactions on Company’s system;
participants and/or parties related to domestic, European and international payment systems, such as SWIFT;
other persons related to provision of services of the Company such as payment card processing, providers of postal services or analytical services or any other services.
Who can provide personal data?
The Company receives and collects personal data from:
directly from customer;
other financial institutions;
partners or other legal entities, what the Company uses to provide services to customers.
How long is the data stored?
The Company processes personal data not only for contract execution with the customer as mentioned in GDPR Article 6, 1(b), but also for such purpose as complying with legal requirements, as it is mentioned in GDPR Article 6, 1 (c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
Therefore, the exception for data erasure mentioned in GDPR Article 17, 3(b) applies “Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: <…> for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.”
The Company obliged by law to store and process the data during the relationship and after the contract termination for the period stated by law. Please find below the laws we take into consideration when evaluate data storage term:
According to the Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing the Company must store your communication data for 5 years after the contract termination;
According to the Republic of Lithuania Accounting Law and Republic of Lithuania Law on Tax Administration the Company must store data about tax residency and identification data during 5 years after the contract is terminated;
According to the Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing the Company must store your personal data submitted for identification, contact, due diligence, data related to the services during 8 years after the contract termination;
According to the Republic of Lithuania Civil Code the prescription time during which a person can defend his violated right by bringing an action is 10 years, therefore the Company must store your personal data (identification data, contact data, data related to the services, professional data, due diligence information, communication data, location data, data about tax residency) during 10 years after contract is terminated.
That means the Company will store most of your personal data during 10 years after the contract termination. In case if during the storage period there is an investigation or prescription or some legal procedures that demand the Company to store data longer, the Company will prolong the data storage period as required by law.
Although this the Company will not store the data more than it is required. After the retention period the data will be destroyed or permanently erased according to the Company internal procedure and the Company will ensure data erasure within data processors used.
What are the limitations?
In accordance with the Law on the Prevention of Money Laundering and Terrorist Financing, Article 24 point 4, customers are not entitled to access their data provided to law enforcement or other supervision authorities.
How do I consent or withdraw my consent for marketing materials?
The Company processed your personal data also based on your consent as mentioned in GDPR Article 6, 1(a), which can be freely withdrawn. In order to withdraw you consent, you can go to the Settings section of your profile in the app and turn subscription to marketing materials off, or contact our support team via chat or at email@example.com
What are my rights?
Please be aware that you still have the right to request access or rectification or erasure of your personal data or restriction of processing or object of processing as well as right to data portability. Please contact us by firstname.lastname@example.org for further information.