Personal Data

When you open an account, seek a loan, or use other banking services, your bank asks for personal information—such as your name, address, ID, income, and assets. Here’s why:

• Customer Due Diligence: Banks must verify who you are—this is part of anti‑money laundering and fraud prevention rules.
• Service Tailoring: The data helps tailor products and advice that suit your personal goals and situation.
• Legal Compliance: Regulations require banks to collect and report certain information.

Your Rights Under Data Protection Rules

1. Transparency

You have the right to know:

• What data is collected.
• Why it’s needed.
• How long it will be kept.
• Who might see it.

This information must be provided clearly before or at the time your personal data is first collected.

2. Access and Rectification

You can:

• Request a copy of the personal data held by your bank.
• Ask for corrections if any information is inaccurate or incomplete.

3. Restriction or Objection

Under GDPR, you have the right to:

• Request a restriction on how your data is used, and be notified before any such restriction is lifted.
• Object to certain types of processing, such as direct marketing.

Banks must stop processing your data unless they have compelling legal grounds.

4. Erasure (“Right to be Forgotten”)

You can request the deletion of your personal data, unless the bank needs it for essential legal reasons, when:

• It is no longer needed,
• You withdraw your consent,
• You object to the processing,
• The data is processed unlawfully,
• Or the law requires its deletion.

5. Data Portability

You have the right to:

• Request the personal data you provided to your bank in a usable, machine-readable format.
• Have your data sent directly to another service provider, where technically possible.

Enhanced Protection Under GDPR

As of May 2018, banks in Luxembourg are bound by GDPR, ensuring strong safeguards for your personal data:

• Purpose limitation: Your data is solely used for specific, legitimate purposes.
• Proportionality: Banks only collect what is strictly necessary for the intended purpose.
• Data minimisation & retention: Personal data isn’t kept longer than needed.

• Security: Banks implements strong security measures to protect your data.
• Accountability: Banks must demonstrate compliance with data protection laws.
• Breach notification: You’re informed if your data is accidentally disclosed.

Sharing Data with Third Parties

Your bank might have to share your data—e.g., with regulators like the CSSF (the national supervisory authority for the financial sector) or Cellule de Renseignement Financier (FIU – responsible for receiving, analysing and transmitting reports of suspected money laundering, terrorist financing and other financial offences.) or third party providers for specific services. But this sharing is strictly regulated under GDPR and national laws.