Personal Data Processing

• personal identification data, such as name, surname, date of birth, personal identification number, identity document data,
• contact information – telephone number, e-mail address, residential address,
• financial and transaction data – bank account number, transactions, income and expenses, loans, liabilities, property rights, employment data,
• personal voice password, other means of personal identification and information provided by the person via telephone to clarify or receive a service or obtain information – which the Bank processes to ensure the quality of this service and to prevent or mitigate risks.

In order to provide the Bank’s daily services, the legal basis for data processing is the performance of a mutually concluded agreement or the implementation of measures prior to the conclusion of an agreement initiated by the data subject (customer or potential vs. prospective customer), as well as the fulfillment of a legal obligation when, in accordance with regulatory enactments, the Bank must perform certain actions, for example, provide information to state or supervisory authorities. We process data on the basis of Article 6(1)(b) of the General Data Protection Regulation (processing is necessary for the conclusion or performance of a contract to which the data subject is party) for the conclusion or performance of a contract to which the data subject is party) and (c) (processing is necessary for compliance with a legal obligation to which the controller is subject) of Article 6(1) of the General Data Protection Regulation, in accordance with the Credit Institutions Act, the Account Register Law, the Consumer Rights Protection Law, the Civil Law on Obligations, the Electronic Identification of Natural Persons Law, and other binding regulatory enactments.

Information provided by the customer or potential customer or their legal representative (data subject), as well as information obtained from registers in accordance with the procedure established by regulatory enactments.

VISA, MasterCard, supervisory authority, tax administration; sworn bailiffs, sworn notaries; Account register; other financial institutions – in accordance with the procedure established by regulatory enactments; if applicable – debt collection service providers, law enforcement authorities.

Personal data is not intended to be transferred outside the EU or the EEA.

Personal data is stored for as long as necessary for the purpose for which it was collected – i.e., at least for the duration of the mutually concluded agreement, if the term is not specifically defined, or in accordance with the terms specified in regulatory enactments. Usually, customer information is retained for 10 years after the termination of the business relationship in order to protect the interests of the Bank and/or the customer in the cases specified in the Civil Law.  

• personal data – identification data of the customer, customer’s representative, guarantor, pledgor, namely: name, surname, date of birth, personal identification number, identity document data,
• contact information – telephone number, e-mail address, residential address,
• information necessary for assessing creditworthiness (credit obligations and other data characterizing credit history) and making the right decision,
• information about family status, spouse, number of dependents; education-related information; monthly income and expenses of the person or household,
• financial and transaction data – bank account number, transactions, income, liabilities and their type, amount of debt and other information related to payment delays; information about property (and/or collateral) and data related to social support,
• personal voice identification and information provided by the person over the phone to clarify or receive a service or obtain information,
• depending on the type of financing (credit) service and the specific situation, as well as the person’s role in the financing process, data related to employment and professional orientation may be processed.

We process personal data in accordance with at least the following regulatory acts to ensure a fair and responsible lending (financing) process. Specifically, the Credit Institutions Law, the Credit Register Law, the Credit Information Bureau Law, the Consumer Rights Protection Law, the Civil Law on Obligations,  Article 6(b) of the General Data Protection Regulation (processing is necessary for the conclusion or performance of a contract to which the data subject is party), subparagraphs (c) (processing is necessary for compliance with a legal obligation to which the controller is subject) and (e) (processing is necessary for the performance of a task carried out in the public interest) of Article 6 of the General Data Protection Regulation,  the Law on Electronic Identification of Natural Persons, the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing (hereinafter – NILLTPFN), the Bank of Latvia’s Regulations No. 265 of 18 December 2023 “Credit Risk Management Regulations”, Cabinet of Ministers Regulation No. 691 of 25 October 2016 “On Consumer Credit”, Bank of Latvia Regulation No. 160 of 18 January 2018 “Credit Register Regulations”.

From the person (data subject), as well as from public and other registers in accordance with the procedure established by regulatory enactments and contractual arrangements.

In cases specified by regulatory enactments – law enforcement authorities, courts, sworn bailiffs, the Credit Register, credit information bureaus; other financial institutions; related service providers (e.g., insurance companies, collateral appraisers, notaries, etc.) in accordance with the client’s instructions; if applicable, debt collection service providers.

Personal data will not be transferred outside the EU or EEA.

Personal data is retained for as long as necessary for the purpose for which it was collected – usually 10 years after the termination of the business relationship, while in the case of civil claims, the period may be extended until the case is resolved. In order to comply with obligations related to the prevention of money laundering and terrorist and proliferation financing in accordance with regulatory enactments, the retention period for personal data is 5 years in accordance with the procedure laid down in regulatory enactments – longer.

• personal identification data, such as name, surname, date of birth, personal identification number, identity document data, and others,
• contact information – phone number, email address, residential address,
• financial and transaction data – bank account number, transactions, income, loans, liabilities, property rights,
• personal voice password, other means of personal identification and information provided by the person via telephone to clarify or receive a service or obtain information, The Bank processes this data in accordance with regulatory enactments, as well as to ensure the quality of this service and to prevent or mitigate risks,
• information and data related to a person’s professional activities.

To fulfill the terms of a contract to which the data subject is a party, as well as in compliance with the legal obligation of the controller specified in regulatory enactments,  the processing of personal data for the purpose of achieving the objective is carried out in accordance with Article 6(1)(b) of the General Data Protection Regulation (processing is necessary for the performance of a contract to which the data subject is party conclusion or performance of a contract), (c) (processing is necessary for compliance with a legal obligation to which the controller is subject) in accordance with the Credit Institutions Law, the Civil Law on Obligations, the Financial Instruments Market Law, the Securitization Law, the Covered Bonds Law, the Deposit Guarantee Law, the Credit Institutions and Investment Brokerage Companies Recovery and Resolution Law, the Electronic Identification of Natural Persons Law, and other related regulatory enactments.

From information provided by the initial customer (data subject), from information obtained from registers in accordance with the procedure established by regulatory enactments.

In cases specified by regulatory enactments, possible recipients of personal data are supervisory authorities; other financial institutions; depositories; legal entities belonging to the Signet Bank AS group; law enforcement authorities and debt collection service providers, if applicable.

Personal data is not intended to be transferred outside the EU or EEA.

10 years after the termination of the business relationship; in the case of civil claims, the period may be extended until the case is resolved.

• personal identification data, such as name, surname, date of birth, personal identification number, identity document data,
• contact information – telephone number, e-mail address, residential address,
• contact persons and contact details of cooperation partners to ensure business continuity and crisis management,
• information related to a specific Bank service and its suitability, which is necessary for making a correct and responsible decision,
• financial and transaction data – bank account number, transactions, income, loans, liabilities and their type, amount of debt; property rights, field of employment and data related to employment or social support,
• customer due diligence information in accordance with the procedure established by regulatory enactments, including information on the origin of funds,
• information that allows verification of compliance with national and international sanctions;
• information on the status of politically exposed persons,
• information on business activities and data on business partners.

We process personal data in accordance with at least the following regulatory acts, namely, the Credit Institutions Law, Part IV of the Civil Law “Laws of Obligations,” Article 6(c) of the General Data Protection Regulation (to fulfill a legal obligation applicable to the controller) and (e) (to perform a task carried out in the public interest) of Article 6 of the General Data Protection Regulation, the NILLTPFN Law, the Consumer Rights Protection Law, the Electronic Identification of Natural Persons Law, and the International and Latvian National Sanctions Law.

Information submitted by individuals (data subjects); information obtained from registers in accordance with the procedure established by regulatory enactments; publicly available information.

In cases specified by regulatory enactments – law enforcement agencies, control and supervisory institutions; external auditors and inspectors; the Financial Intelligence Unit, other financial institutions; legal entities belonging to the Signet Bank AS group.

Personal data is not intended to be transferred outside the EU or EEA.

Customer transaction information is retained for 10 years after the termination of the transaction relationship; in the case of civil claims, the period may be extended until the case is resolved.

In order to comply with obligations related to the prevention of money laundering and terrorist and proliferation financing in accordance with regulatory enactments, the personal data storage period is 5 years after the termination of the transaction relationship, but in cases and in accordance with the procedure specified in regulatory enactments – longer.

• a person’s appearance, gait, and movement,
• a person’s means of access and related information.

Article 6(1)(c) of the General Data Protection Regulation (to comply with a legal obligation to which the controller is subject) and Article 6(1)(b) (processing is necessary for the performance of a contract to which the data subject is party) and (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party), Credit Institutions Act, Security Activities Act.

Recordings from stationary video surveillance cameras; records of registration events in the access control system.

In cases specified by regulatory enactments – law enforcement authorities, insurance service providers.

Personal data will not be transferred outside the EU or EEA.

Personal data is stored on technical equipment for the period specified in internal regulatory acts, in accordance with the recommendations of the supervisory authority.

• personal identification data, such as: name, surname, date of birth, personal identification number,
• contact information – telephone number, e-mail address, residential address,
• employment information (professional experience) and information about education,
• certificates of training and certification related to job duties,
• mandatory health checks and information about incapacity for work,
• in cases specified by regulatory enactments – information about the person’s criminal record,
• within the framework of organized events – a photograph or video image of the person,
• other information, if necessary for establishing or maintaining legal employment relations.

Article 6(a) of the General Data Protection Regulation (the data subject has given consent to the processing of his or her personal data for one or more specific purposes), (c) (for compliance with a legal obligation to which the controller is subject) and (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) Article 9(b) (processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law); Labor Law, Articles 24, 25, 34-5 of the Credit Institutions Law, other binding regulatory enactments.

From individuals – employees or job applicants; from public registers, in accordance with the provisions of regulatory enactments.

State Revenue Service; State Social Insurance Agency; in cases specified by regulatory enactments – supervisory and control authorities; health insurance company – in accordance with contractual obligations; law enforcement authorities – if applicable.

Personal data is not transferred outside the EU or EEA.

In accordance with the processing purpose to be achieved and in accordance with the personal data retention period specified in regulatory enactments in the field of employment; information submitted by job applicants – 12 months or until the end of the initiated legal proceedings.

• information provided or confirmed by the person during consent, such as name, surname, e-mail address,
• information received during customer surveys conducted for this purpose, such as company, place of work, region represented,
• information about products used, for the preparation of personalized offers,
• information provided by individuals during promotions, lotteries, or prize draws,
• individuals’ electronic identification data, such as IP address during a website session,
• communication on social media platforms, such as LinkedIn, Instagram, or others.

Article 6(a) of the General Data Protection Regulation (the data subject has given consent to the processing of his or her personal data for one or more specific purposes), subparagraph (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party); Consumer Rights Protection Law, Information Society Services Law.

From the person, i.e., information provided by the data subject.

Supervisory and control authorities; social media platforms; law enforcement authorities – if applicable.

Personal data is not intended to be transferred outside the EU or EEA.

Until consent is withdrawn; in addition, in the case of legitimate interests, the data subject is informed of the relevant data retention period.

• a person’s voice, intonation, and speech,
• information or questions presented during a conversation,
• name,
• a person’s transaction information,
• issued identification data,
• other information provided by a person during a conversation.

Article 6(c) (to comply with a legal obligation to which the controller is subject) and (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the General Data Protection Regulation; Article 124 of the Financial Instruments Market Law; Article 76 of Commission Delegated Regulation (EU) 2017/565 of 25 April 2016.

Information provided by the data subject (including customers or employees) during conversations.

Data processor with whom a contract has been concluded for the provision of call center services; supervisory authorities; law enforcement authorities – if applicable.

Personal data is not intended to be transferred outside the EU or EEA.

• to ensure compliance with the requirements for the storage of supporting documents relating to telephone call recordings for up to 7 years,
• to ensure quality control of the service provided – 14 days.

• personal identification data – name, surname, date of birth, personal identification number, identity document data, etc.,
• personal contact information – telephone number, email address, registered address,
• personal financial and transaction data – bank account number, transactions, sustainability preferences, planned investment term, purpose, target return, risk profile,
• personal employment and income data – employment data, income, expenses, liabilities, property rights, financial resources,
• data related to the person’s professional activities – education, knowledge of financial instruments and risks, status of “professional client” or “eligible counterparty”, status of politically exposed person, whether the person is included in the list of insiders of any issuer (register) of an issuer whose financial instruments are traded on regulated markets,
• data necessary for customer due diligence – data necessary to perform customer due diligence, prevent or mitigate the consequences of criminal offenses, and analyse risks.

Personal data processing is carried out in accordance with Article 6(1)(b) of the General Data Protection Regulation (processing is necessary for the conclusion or performance of a contract to which the data subject is party) and Article 6(1)(c) (processing is necessary for compliance with a legal obligation to which the controller is subject) and Article 6(1)(d) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular the data subject’s rights and freedoms with regard to the free movement of such data). ) and (c) (processing is necessary for compliance with a legal obligation to which the controller is subject) of the General Data Protection Regulation, in accordance with the Investment Management Companies Act, the Civil Law on Obligations, LB Regulation No. 373 of 16 December 2024 “Regulations on the Internal Control System of Investment Management Companies” and other related regulatory enactments.

Information provided by the customer (data subject), information obtained from registers in accordance with the procedure established by regulatory enactments, as well as publicly available information.

The customer (data subject) when requesting information about themselves; parent company Signet Bank, AS; depositary Nasdaq CSD SE; where applicable, supervisory authorities; law enforcement authorities.

Personal data is not intended to be transferred outside the EU or EEA.

Personal data is retained for as long as necessary for the purpose for which it was collected, in accordance with the terms specified in regulatory enactments. Usually, customer information is retained for 10 years after the termination of the business relationship in order to protect the legitimate interests of Signet Asset Management Latvia IPS or the customer in the cases specified in the Civil Law.  However, in order to comply with obligations related to the prevention of money laundering and terrorist and proliferation financing in accordance with regulatory enactments, the retention period for personal data is 5 years after the termination of the business relationship.