Privacy Policy

Last Updated: April 8, 2022


At AS LHV Pank, we are committed to respecting your privacy. This privacy policy explains how we collect, use and disclose personal data that we receive when providing payment services to or on behalf of our clients (“Client”), when you visit our website, or when you communicate with us on behalf of one of our Clients, prospective clients or as a general contact.

AS LHV Pank (referred to as "we", "us" or "our" in this privacy policy), operating through its United Kingdom branch, is the data controller and is responsible for your personal data.

We’re registered with the UK data protection authority (the Information Commissioner’s Office or ICO) under number ZA555778.

  1. Contacting us

    If you have any questions about this privacy policy, including any requests to exercise your legal rights (including the right to request to opt out of marketing), please contact our customer support team in the United Kingdom using the details set out below:

    AS LHV Pank Customer Support, 1 Angel Court, London, EC2R 7HJ, e-mail: info@lhv.com, phone: +44 20 3005 0150.

    We have also appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. You can contact our DPO using the details set out below.

    Address: Tartu mnt 2, 10145 Tallinn, Estonia

    E-mail: compliance@lhv.ee.

    If you feel that we have not addressed your questions or concerns adequately, you have the right to make a complaint with the Information Commissioner’s Office in the United Kingdom at any time (www.ico.org.uk).

  2. Whose personal data do we process?

    We process personal data relating to employees, directors, board members and other representatives of our Clients and prospective clients (“Client Representatives”) and in respect of visitors to our corporate website, www.lhv.ee.

    Typically, our Clients use our payment service in order that they may themselves provide payment services in the UK to their own underlying customers (“Customers”). This means that we process personal data, including transaction data, relating to these underlying Customers (or their representatives) when necessary for the purpose of processing payments to or from them, at our Clients’ request. The transaction data that we process may also include personal data of the other party involved in the payment transaction (sender or beneficiary).

    We keep all Customer and Client data confidential and apply security and protective measures to it irrespective of whether it is the data of an individual or a company; however, this privacy policy provides information about, and relates to rights in respect of, personal data only.

    Our services are not intended for children and we do not knowingly collect personal data relating to children.

  3. What types of personal data, for what purpose and on which legal grounds do we process it?

    We have set out below, in a table format, a description of the types of personal data that we may collect, the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

    Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

    | Purpose of processing | Type of personal data | Legal basis for processing |
    |---|---|---|
    | Providing payment services to Clients or their Customers | Payment information and transaction data (e.g. name of payer and payee, payment details, including the sum, transaction explanations, bank account and card details) | (a) Necessary for our legitimate interests of performing our contract with the Client to facilitate/provide payment services to the Customer. (b) Necessary for Client’s legitimate interests of performing its contract with the Customer |
    | KYC, anti-money laundering and payment fraud monitoring and screening | Payment information and transaction data (e.g. name of payer and payee, payment details, including the sum, transaction explanations, bank account and card details), Identity Data of Client Representatives (document information, name, contact details, residency), Information about Beneficial Owners of Client | Necessary to comply with a legal obligation |
    | | Data relating to previous criminal convictions and offences, financial sanctions and negative news published | Necessary to comply with a legal obligation, preventing or detecting unlawful acts and preventing fraud. |
    | | Payment information (names of payer and payee, account numbers, dates of payments, payment sums and transaction description) | Legitimate interest of LHV and the Client to prevent and detect fraud and to reduce damage to Customers |
    | Prevention of fraud | Customer name, account number | Legitimate interest of LHV to check whether the Customer’s name matches the account number and sort code |
    | Detecting negative news about LHV Clients that might have an adverse effect on its reputation | Data relating to previous criminal convictions and offences, financial sanctions and negative news published | Necessary for our legitimate interest of business risk management |
    | Providing services to existing Clients, administration of business relationship. | Identity Data of Client Representatives (first name and last name), contact details of Client Representatives (e-mail, phone number) | Performance of a contract with Client |
    | Marketing, however we only use the contact details of our corporate Clients. | Identity Data of Client Representatives (first name and last name), contact details of Client Representatives (e-mail, phone number) | Necessary for our legitimate interests of developing our products/services and growing our business |
    | Risk management, monitoring and investigating to counter fraud (e.g. payment fraud) | Data on which website sections are visited by the Customer | Legitimate interest for security risk-management, to counter fraud and resolve disputes in court or extra-judicially |
    | To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Technical Data about users of our corporate website, including [internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website]. Usage Data includes information about how Client Representatives use our website, products and services. | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy). Cookies: Legitimate interest to maintain the functionality of our website – so-called mandatory cookies; Consent – advertising and statistics cookies. |
    | To make suggestions and recommendations to you about our goods or services that may be of interest to you. | Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences. | Necessary for our legitimate interests (to develop our products/services and grow our business) |

    We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

    We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). However, we do process information about criminal convictions and offences for the purpose of carrying out anti-money laundering and fraud prevention checks.

  4. What is the source of your personal data that we process?

    The payment information data referred to above is provided to us by our Clients, whose Customers can be either the sender or beneficiary of payments.

    We also collect information about you when you visit our corporate website or when you communicate with us as a business customer, prospective customer or general contact.

    LHV also obtains personal data from Third Parties as set out below.

    4.1 We may receive payment information and transaction data, payment recall and potential fraud data from correspondent banks, participants of payment systems (including Bacs participants, Faster Payments), Pay.UK, UK Finance, payment service providers and other business partners or from other third parties involved in a payment transaction or from third parties who have been authorised by you to provide transaction data to us.

    4.2 We gather data related to previous criminal convictions and offences, financial sanctions and negative news published from public and private registers. For data gathering we use service providers specialised in the field who are solely acting on our behalf when processing the data.

  5. Do we send your data to anybody else?

    Yes, in order to provide payment services we need to send your data to certain trusted third party companies who provide essential payment system and payment processing services, including participants of Faster Payments.

    We may also send your data to third-party service providers to whom LHV has delegated certain activities e.g. cloud service providers, customer service software provider (Zendesk), fraud prevention and detection partners, banking and payment service trade associations (UK Finance), Pipedrive. LHV is fully responsible for the processing of your data by these service providers.

    Your personal data will only be shared with third parties for the purposes set out in the table above.

    Together with the Society of Worldwide Interbank Financial Telecommunication (SWIFT) we act as joint data controllers in respect of the payments messaging service provided by SWIFT, meaning that we have jointly determined the purpose and measures of this data processing. Please find the details of SWIFT’s responsibilities here and our respective responsibilities here.

  6. Where do we process your data?

    Most of the data processing referred to in this policy is carried out in Estonia, where our head office is located. It is also where your retained personal data will be stored.

    As a general rule, we do not send your personal data outside the European Economic Area, and if this is done, appropriate protection measures are applied, e.g. forwarding data to a country that in the judgment of the European Commission has a sufficient level of data protection or the use of standard data protection clauses developed by the European Commission.

    In the absence of appropriate protection measures, we are entitled to forward your personal data outside the European Economic Area in situations where forwarding the data is, for example, necessary for performing a contract between us or for implementing measures adopted on the basis of your application (e.g. use of correspondent banks for making foreign payments).

    If an international bank transaction involves a financial institution located in a country with an insufficient level of data protection, e.g. a correspondent bank or other payment intermediary, including SWIFT, we cannot ensure that financial institutions in such countries are subject to obligations identical to ours when processing your personal data, or that you are guaranteed identical rights at the same level as in the European Economic Area or another country with a sufficient level of data protection.

    Our partners located in third countries to whom we transfer your data:

    • Zendesk, Inc., located in the United States. We have concluded a data processing agreement with them using the standard contractual clauses approved by the European Commission (Controller to Processor clauses). Zendesk is subject to FISA 702, which is a US internal act regulating foreign intelligence, and some of its sub-processors located in the US are subject to FISA 702 (e.g. AWS). We have implemented procedures and evaluated that the data they process for us and the processing activities themselves, however, are not in the practical scope of FISA 702.

    For detailed information on sending your personal data outside the European Economic Area, please contact us.

  7. How long do we retain your data?

    As a general rule we retain your data until the end of a limitation period of possible claims. Payment details are never deleted.

  8. Do we use profiling or make automated decisions?

    Profiling is an automated processing of your data used for evaluating certain of your personal traits – for example, to analyse or predict your behaviour, location, movements, economic situation, personal preferences or interests.

    We use profiling in our anti-money laundering and fraud screening and monitoring process. The use of profiling is necessary for us to comply with legal obligations stipulated in different legal acts covering anti-money laundering and payment fraud screening. Profiling is also used during negative news screening, which in addition to AML screening also serves the purpose of reputational risk management.

    The profiling that we carry out may result in a decision being made that your payment transaction cannot proceed or we cannot provide you services. However, all such decisions are subject to manual review and no automatic decisions are made based on profiling.

  9. What are your rights in connection to your personal data?

    You have the right to:

    Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

    Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

    Prohibit the further use of your contact details for sending out offers and marketing materials. We only use the contact details of our corporate customers for such purpose and they can choose to opt-out from receiving such materials either by unsubscribing or by contacting us directly before receiving any offers.

    Withdraw your consent for processing your personal data in situations where we process such data on the basis of consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

    Make objections to the processing of your personal data, including profiling, in situations where we process your data on the basis of our legitimate interest. In such case, we have no right to process your personal data any further, unless our interests outweigh the potential restriction to your rights and freedoms or we need to process such data for the establishment, exercise or defense of legal claims.
    You also have the right to request the legitimate interest assessments from us.

    Request that we stop processing your personal data if and to the extent such processing occurs unlawfully, i.e. LHV lacks a legal basis for the processing.

    Request deletion of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

    Request restriction of processing your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

    Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

    You may exercise your rights by contacting us via the contact details above. We shall respond to your queries without undue delay, and no later than one month after receiving your request. If, prior to responding, it is necessary to ascertain circumstances, ask for additional details or perform checks, we may extend the deadline for responding, notifying you thereof in advance.

    You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

  10. Linking

    Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

  11. Changes to our Privacy Policy or to your details

    Any changes we may make to this document will be posted on our website and, where appropriate and possible, notified to you by e-mail. Please check back frequently to see any updates or changes to this document.

    It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.