The following data protection information gives an overview of how Turicum Private Bank Limited (hereinafter referred to as ‘Turicum’ or ‘the Bank’) collects and processes your data and of your rights according to Data Protection legislation. Details on what data will be processed and which method will be used by the Bank depend significantly on the services applied for and agreed upon. It is important to note that the Bank adopts data protection principles, policies and processes by design and by default.
Who is responsible for data processing and how can I contact them?
Turicum is responsible for gathering, storing and processing personal data in accordance with Data Protection legislation (European General Data Protection Regulation ‘GDPR’). If you have any questions concerning Data Protection you can contact the ‘Data Protection Officer’ at the Bank:
Turicum Private Bank Limited
Data Protection Officer
315 Main Street
What is personal data?
In accordance with GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data does not include data where the identity has been removed. Relevant data is personal information (e.g. name, address and other contact details, date and place of birth, and nationality, fiscal details), identification data (e.g. ID card details), and authentication data (e.g. sample signature). Furthermore, this can also be order data (e.g. payment order), data from the fulfillment of our contractual obligations (e.g. sales data in payment transactions), information about your financial situation (e.g. income, expenses, assets and liabilities, origin of assets), marketing and sales data (including advertising scores), documentation data (e.g. consultation protocol), and other data similar to the categories mentioned.
Special category of personal data means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. Such special category of personal data requires higher levels of protection and justification for collecting, storing and using this type of personal data. The Bank will only use sensitive personal data in accordance with GDPR principles and for the purposes of delivering the agreed service. For example, if the Bank learns of a client suffering mental health issues, in effect the Client will no longer have capacity to operate the account due to the loss of mental capacity. Equally, if the Bank learns of a client becoming politically active to the extent of holding public office, this may trigger the need for additional information in order to assist in risk profiling.
What type of information do we collect?
Turicum will collect and use your information, including:
- Personal details such as your name, title, identification number, gender, date and place of birth, address, marital status, dependants (name and age), relations, nationality, fiscal details, KYC documents (including a copy of your national identity card or passport), and contact details (telephone numbers, email, address);
- Personal details (as per above) of any agent or attorney acting on behalf of the client;
- Financial information, including details of investment holdings, investment strategy, investment risk profile (risk ability and risk tolerance), transaction data, account number, balances, payment and transaction records and information about your assets, liabilities, income, expenses and future financial plans, including source of wealth and source of funds;
- Professional details, such as your job title and work experience, and your knowledge of and experience in investment matters;
- Publicly available information on criminal convictions and offences to prevent or detect crime and for anti-fraud purposes;
- Details of our interactions with you and the products and services you use with a view to establishing relevant facts (including without limitation, any records of the phone calls between you and the Bank, emails, meeting notes, letters);
When you visit the Turicum Website, our web server automatically records details about your visit (for example, your IP address, the web site from which you visit us, the type of browser software used, the Turicum Website pages that you actually visit including the date and the duration of your visit). Cookies are set to expire once you have closed your browser session. These cookies do not track where you have been on the internet and do not gather information about you that could be used for marketing purposes.
- In some cases, depending on the product or service we provide to you, sensitive personal data, such as political opinions or affiliations, health information, racial or ethnic origin, religious or philosophical beliefs, and, to the extent legally possible, information relating to offences committed or alleged to be committed.
If relevant to the products and services we provide to you, we may also collect information about your additional card holders or account holders, business partners (including other shareholders or beneficial owners), dependants or family members, representatives, and agents. Before providing Turicum with this information, you should provide a copy of this notice to those individuals.
What sources of data do we use?
Turicum will process personal data obtained directly from our clients in the context of our business relationship (e.g. account opening and account maintenance). We also obtain, insofar as necessary to provide our service, personal data from publicly accessible sources (e.g. commercial and association registers, press, internet) or data that is legitimately transferred to us by other companies or by other third parties authorised to act on behalf of a Client (e.g. company managers, professional trustees, investment managers).
What do we process your personal data for and on what legal basis?
The Bank will process personal data in accordance with the provisions of GDPR as follows:
For fulfilment of contractual obligations (Article 6, paragraph 1b GDPR)
Data is processed in order to provide banking business and financial services in the context of carrying out our contracts with our clients or to carry out pre-contractual measures that occur as part of a request. The purposes of data processing are primarily in compliance with the specific product (e.g. bank account, credit, securities, deposits, client referral) and can include needs assessments, advice, asset management and support, as well as carrying out transactions. You can find other details about the purposes of data processing in the relevant contract documents and terms and conditions.
In the context of balancing interests (Article 6, paragraph 1f GDPR)
Where required, we process your data beyond the actual fulfilment of the contract for the purposes of the legitimate interests pursued by us or a third party. For example:
– Reviewing and optimizing procedures for needs assessment for the purpose of direct client discussions
– Marketing or market and opinion research, unless you have objected to the use of your data
– Asserting legal claims and defence in legal disputes
– Guarantee of a bank’s IT security and IT operation
– Prevention and clarification of crimes
– Video surveillance to protect the right of owner of premises to keep out trespassers, for collecting evidence in hold-ups or fraud, or to prove availability and deposits, e.g. at ATMs
– Measures for building and site security (e.g. access controls)
– Measures for ensuring the right of owner of premises to keep out trespassers
– Measures for business management and further development of services and products
– Risk control at the Bank.
In addition, the Bank obtains personal data from publicly available sources for client acquisition purposes (e.g. for fraud detection and anti-money laundering purposes).
As a result of your consent (Art. 6 para. 1a GDPR)
As long as you have granted us consent to process your personal data for certain purposes (e.g. analysis of trading activities for marketing purposes), this processing is legal on the basis of your consent. Consent given can be withdrawn at any time. This also applies to withdrawing declarations of consent that were given to us before the GDPR came into force, i.e. before May 25, 2018. Withdrawal of consent does not affect the legality of data processed prior to withdrawal.
Due to statutory provisions (Article 6, paragraph 1c GDPR) or in the public interest (Article 6, paragraph 1e GDPR)
As a bank, Turicum is subject to various legal obligations, such as, for example, the Gibraltar Banking Act, Market in Financial Instruments regulations, Collective Investment Schemes regulations, Anti-Money Laundering regime, Common Reporting Standards for Automatic Exchange of Information and various other Gibraltar Financial Services Commission regulatory requirements. Purposes of processing include identity and age checks, fraud and money laundering prevention, fulfilling control and reporting obligations under investment and fiscal laws, and measuring and managing risks within Turicum. In pursuance of the Bank’s legal obligations, the Bank may involve the use of agents or third parties to process personal data. This includes the use of information relating to criminal convictions and offences for the purposes of preventing and detecting crime and anti-fraud purposes, including the making of suspicious activity reports to the appropriate Authority. The Bank will also process publicly available information on criminal convictions and offences as part of the Bank’s onboarding process and ongoing monitoring obligations.
Who do we provide your data to?
Within the bank, every department that requires your data to fulfil our contractual and legal obligations will have access to it. Service providers appointed by us can also receive access to data for the purposes given, if they maintain banking confidentiality (e.g. auditors, insurers, professional advisers). These are companies in the categories of banking services, IT services, Fraud Prevention Agencies, logistics, printing services, telecommunications, collection, advice and consulting.
With regard to transferring data to recipients outside the bank, we may pass on information about you only if legal provisions demand it, if you have given your consent (e.g. to process a financial transaction you have ordered us), or if we have been authorized to issue a bank inquiry. Under these requirements, recipients of personal data can be, for example:
- Public entities and institutions (e.g. Gibraltar Financial Services Commission (e.g. transaction data which is routed via an agent), Gibraltar Regulatory Authority (e.g. data protection breaches), Gibraltar Financial Intelligence Unit (e.g. Suspicious Activity Reports), Gibraltar Finance Centre (e.g. fiscal details, balances and interest for onwards transmission to relevant foreign tax authority), other financial authorities, including criminal prosecution authorities) upon providing a legal or official obligation.
- Other credit and financial service institutions or comparable institutions to which we transfer your personal data in order to carry out a business relationship with you (depending on the contract, e.g. correspondent banks, custodian banks, brokers, stock exchanges, information offices).
Other recipients of data can be any person for which you have given us your consent to transfer data or for which you have released us from banking confidentiality by means of a declaration or consent.
It should also be noted that data may be ultimately transferred to a third country or international organisation outside of Gibraltar and the EU as long as:
– It is necessary for the purpose of carrying out your orders (e.g. payment and securities orders)
– It is required by law (e.g. reporting obligations under fiscal law or investment laws), or
– You have granted us your consent
Processing of personal data will include transferring personal data to persons other than the Bank, for the purposes of providing the requested services. Recipients are located in Gibraltar, UK, Luxembourg, Ireland, and other countries in the European Economic Area (EEA). The Bank may also transfer personal data to recipients in countries outside the EEA, such as Switzerland. If the Bank transfers personal data outside the EEA, it will take all reasonable measures to ensure that privacy rights continue to be protected in accordance with applicable law.
Please contact us if you would like information on the specific safeguards applied to the export of your information (Article 13, paragraph 1f GDPR).
For how long will my data be stored?
Turicum will process and store your personal data for as long as it is necessary in order to fulfil our contractual and statutory obligations.
If the data is no longer required in order to fulfil contractual or statutory obligations, it is deleted, unless its further processing is required – for a limited time – for the following purposes:
- Fulfilling obligations to preserve records according to commercial, criminal and tax law; and
- As a bank we can face legal holds, which require us to keep records for an undefined period of time.
The majority of client records are kept for 10 years from the date of closure of a relationship. This includes records such as telephone recordings and electronic communication.
Records for prospective clients will be kept for 5 years, save in the case of a complaint where the records shall be kept for 10 years from the date of resolution of a complaint.
What data privacy rights do I have?
Every data subject (Client), depending on circumstances and the nature of services provided, has the right to:
– Be informed according to Articles 13 and 14 of GDPR.
– Access according to Article 15 of GDPR. This will enable the Client to receive a copy of the personal data held by the Bank.
– Rectification according to Article 16 of GDPR. This allows for correction of personal data, where data held is inaccurate or out of date.
– Erasure according to Article 17 of GDPR. This enables the Client to have personal data deleted or removed where there are no longer grounds for maintaining or processing personal data.
– Restrict processing according to Article 18 of GDPR. This enables a Client to suspend processing of personal data if for example accuracy needs to be established.
– Object according to Article 21 of GDPR. This enables a Client to suspend processing of personal data if for example accuracy needs to be established.
– Data portability according to Article 20 of GDPR. This is a request to transfer personal data to another party.
– Furthermore, there is also a right to lodge a complaint with the Gibraltar Regulatory Authority, Eurotowers 4, 1 Europort Road, Gibraltar, which is the relevant supervising authority for the purposes of Data Protection (Article 77 of GDPR).
– Any request by a data subject to seek rectification, erasure or restrictions on processing will be confirmed by the Bank.
– You can withdraw consent granted to us for the processing of personal data at any time. This also applies to withdrawing declarations of consent that were made to us before the GDPR came into force, i.e. before May 25, 2018.
– It is important that the records we hold about a client are accurate and current. It is, therefore, imperative that personal data changes are notified to the Bank during the course of the relationship.
– No fee is usually required to access your personal data. However, the Bank may charge a reasonable fee if the request for access is clearly unfounded or excessive. In such circumstances, the Bank may refuse to comply with the request.
Is the client obliged to provide personal data?
In the context of our business relationship, you must provide all personal data that is required for accepting and carrying out a business relationship and fulfilling the accompanying contractual obligations or that we are legally obliged to collect. Without this data, the Bank, in principle, is not in a position to provide services to you.
In particular, anti-money laundering regulations require the Bank to identify you on the basis of your identification documents before establishing a business relationship and to collect and put on record name, place and date of birth, nationality, address and identification details for this purpose. In order for us to be able to comply with these statutory obligations, you must provide us with the necessary information and documents in accordance with the Anti-Money Laundering legislation, and to immediately disclose any changes over the course of the business relationship. If you do not provide us with the necessary information and documents, we cannot enter into or continue the business relationship you desire.
Equally, the Bank has other legal obligations, such as for example, in relation to Common Reporting Standards Automatic Exchange of Information and the Market in Financial Instruments transaction reporting. Without relevant personal data in these fields, the Bank would be unable to fulfil its legal obligations and would, therefore, not provide the services requested.
Does the Bank adopt automatic decision-making processes?
In establishing and carrying out a business relationship, Turicum generally does not use any automated decision-making pursuant to Article 22 of GDPR. If we use this procedure in individual cases, we will inform you of this separately, as long as this is a legal requirement.
Will profiling take place?
We process some of your data automatically, with the goal of assessing certain personal aspects (profiling). We use profiling for the following cases, for instance:
- Due to legal and regulatory requirements, Turicum is required to combat money laundering, terrorism financing, and offenses that pose a danger to assets and the financial system generally. The Bank, therefore, regularly screens client names against various critical names pools, such as for example, EU and UN Sanction Lists. Data screening is also performed on payment transactions for similar purposes. At the same time, it should be noted that these measures also serve to protect you.
- The Bank uses assessment tools in order to be able to specifically notify you and advise you regarding investment transactions and your overall portfolio. These allow communications and marketing to be tailored as needed – including market and opinion research.
The Bank has put in place appropriate technical and organisational measures to prevent unauthorised or unlawful access to the personal data you have provided to us. As complete data security cannot be guaranteed for communication via e-mails, instant messaging, and similar means of communication, we would recommend sending any particularly confidential information by an alternative secure means.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Changes to this Privacy Statement
We reserve the right to amend or update this Privacy Statement at any time and we will notify you either in writing or by updating this Privacy Statement on our website at: www.turicum.com/privacy.php