This Notice applies to all digital services such as websites, online applications and mobile apps (hereinafter referred to as «Digital Services») of Liechtensteinische Landesbank AG, Städtle 44, 9490 Vaduz, Liechtenstein (hereinafter referred to as «LLB»).

We reserve the right to amend the Privacy Notice without prior notice in response to changed circumstances (e.g. legal situation, range of services, data processing). Changes apply from the point of publication in our Digital Services. Our Digital Services may contain links to other providers («Third-party Providers») inside and outside of LLB, which are not covered by this Privacy Notice. The terms and privacy policies of the respective Third-party Providers apply to any linked digital services and content. We do not assume any liability in connection with linked digital services offered by Third-party Providers.

Furthermore, the General Privacy Notice for Clients and Prospective Clients also applies to clients and prospective clients.

The personal data of users of our Digital Services is processed only for the purposes listed below and if there is a legal basis for doing so (in the sense of the GDPR). Only the personal data actually necessary for performing and transacting our assignments and services or that have been voluntarily provided to us are collected.

I. Name and address of the controller and the data protection officer

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Liechtensteinische Landesbank AG, Städtle 44, 9490 Vaduz, Liechtenstein
Tel.: +423 236 88 11 / Email: llb@llb.li

The data protection officer for Liechtensteinische Landesbank AG can be reached at the following address:

Liechtensteinische Landesbank AG
z. Hd. Datenschutzbeauftragter
Städtle 44
9490 Vaduz
Tel.: +423 236 88 11 / Email: datenschutz@llb.li

II. Description and scope of data processing

1. Provision of the Digital Services

Our Digital Services collect various general data and information every time an individual or automated system accesses them.

This is done via our own server and our own network infrastructure. Access and connection data are required and processed to ensure a secure connection during use, to ensure the functionality of the Digital Services and (specifically in online and mobile banking) to document accesses and transactions. 

This general data and information is saved in the log files of our servers. The following are collected:

• Date and time the Digital Service was accessed
• An internet protocol address (IP address)
• Reason for accessing (files accesses, paths accessed)
• The operating system used by the accessing system
• The browser types and versions used
• Applicable permissions for access
• Other similar data and information that will serve to avert risks in the event of any attacks on our IT systems

The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

Furthermore, where registered users (e.g. customers in online banking, prospective customers in the registration process, etc.) use our Digital Services, other data and information necessary for providing services and processing orders is generated. This is processed and stored in line with the statutory provisions.

The legal basis for the temporary storage of data and log files is Art. 6(1)(b) and (c) GDPR.

2. Analysis, tracking and marketing

To better understand the usage behaviour of users of our Digital Service, we register analysis and tracking data within our Digital Services.

We declare the various different data types and how these are used and ask the users of our Digital Services for active consent prior to the processing. To do this, we display options for privacy settings.  If consent is not granted, analysis data will be evaluated anonymously for the individual session and no tracking data will be processed.

The consent may be revoked at any time in the (privacy) settings of the Digital Services. 

To record analysis data, we use Piwik PRO (operator contact details: Piwik PRO SA, ul. św. Antoniego 2/4, 50-073 Wrocław, Poland).

If users of our Digital Services have consented to the processing of usage data for the purposes of analysis, the following applies:

• We do not draw any conclusions regarding usage behaviour when using the data and information registered. The data cannot be assigned to any specific person because the IP addresses are shortened. Individual users are therefore anonymised for the analysis. Users are, however, differentiable.
• The findings are used to optimise the Digital Services and make targeted adjustments.
• The data is held on servers in the European Union.

We use Salesforce (operator contact details: SFDC Ireland Limited, Dublin 18, Ireland) to process data for marketing purposes (newsletter, marketing automation).

If users of our Digital Services have consented to the processing of data for marketing automation, the following applies:

• When using the obtained data and information, we do not draw any conclusions with regard to the data subject to send personalised advertising. The data obtained will be collated with other personal data from our Customer Relationship Management tool and our bank systems to this end.
• Doing so requires us to transmit this data to our Salesforce Cloud. In Salesforce, this personal data is encrypted and can be viewed only by those authorised to do so.
• The data is held on servers in the European Union.

To process data for remarketing (advertising cookies), we link data from our online services to marketing platforms provided by Google, Facebook and LinkedIn.

Operator contact details

• Google: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Meta: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2 Ireland
• AppsFlyer Ltd, 85 Medinat Hayehudim St. Herzliya, Israel, on the basis of Art. 6 (1) (f) GDPR

We also use the AppsFlyer analytics service provided by AppsFlyer Ltd, 85 Medinat Hayehudim St. Herzliya, Israel, on the basis of Art. 6 (1) (f) GDPR. We use the AppsFlyer service to measure the success of our campaigns. We receive the information from AppsFlyer in aggregated form.

AppsFlyer receives information from the data transmitted to the servers by the SDKs (Software Development Kit) in a mobile end-user application. The data collected by the SDK contains information such as IP addresses (anonymised), browser, platform, SDK version, anonymised user ID, time key, developer key, application version and device identifiers (such as Identifier For Advertisers), Google advertising ID, device model, device manufacturer, operating system version, in-app events and network status (WLAN/3G). The end user data collected by the AppsFlyer platform is representative for us to analyse our applications.

If users of our Digital Services have consented to the processing of data for remarketing, the following applies:

• When using the data and information collected, we do not draw any conclusions with regard to the data subject in order to display personalised advertising on other websites/apps tailored to the user’s interests. These cookies may be managed on our behalf by certain Third-party Providers, but not used.
• The data collected is combined with other personal data from large advertising platforms for this purpose. Doing so requires transmission to our partners for social media, advertising and analysis.
• These partners also include Google LLC, which is based in the USA and processes data there. The European Court of Justice has not certified the USA as guaranteeing an adequate level of data protection. There is the specific risk that your data will be accessed by the US authorities for monitoring and surveillance purposes or exposed to data retention with no effective legal remedies available against this.
• This will see your data processed outside of the European Union and our ongoing use.

The legal basis for the temporary storage of data and log files is Art. 6(1)(a) and (f) GDPR. The legitimate interest is derived from the purposes for collecting data listed above.

The data is deleted as soon as it is no longer necessary to fulfil the purpose for which it was collected. 

Anonymised usage data is stored and processed for ten years.

The personal data of prospective clients and clients is stored for the duration of the business relationship. The process of erasure will be started after this.

The personal data of prospective clients and clients is stored in line with statutory retention and/or limitation periods.

3. Cookies & local memory

To establish a secure technical connection, respect your decisions regarding privacy and offer technical functions or convenience settings, in our Digital Services we use cookies or other methods to save information on the device of the user. 

This allows us to identify your browser again when you next visit and adopt the settings from your last visit (e.g. language, most recently viewed content, temporarily saved form inputs etc.). Privacy settings have a significant influence on what information is stored locally.

Locally saved information is largely reduced as far as scale and storage duration are concerned and, where possible and reasonable, encrypted. 

Cookies are small files created by your browser and saved on your end device (laptop, tablet, smartphone, etc.) if you use our Digital Services. The cookies are stored until they expire or you delete them.

If you would rather prevent this, you can configure your browser to inform you of the setting of cookies and you can allow these on a case-by-case basis. However, please note that disabling some cookies may result in your being unable to use all of the features of our website.

You will find details of the cookies used in the privacy policies of each Digital Service.

The legal basis for data processed by cookies is Art. 6(1)(f) GDPR.

4. Contact form

If you fill in a contact form, send us an email or another electronic message, your details will be saved to process the enquiry and any potential associated questions, and used only within the scope of the enquiry.

The legal basis for the processing of your enquiry is Art. 6(1)(a) or (b) GDPR.

5. Newsletter

If you register for our newsletter, we will immediately send an email containing a hyperlink to the email address provided. By clicking on the link, you confirm your registration for the newsletter (double opt-in process). If registration is not confirmed within ten days, we will delete the email address from our temporary list and registration will be abandoned.

If you confirm your newsletter registration, you are consenting to the storage of your email address, including the date of registration, IP address and the list name of the selected newsletter. We will use your email address and the simultaneously obtained personal data, such as your name and email address, solely to manage and send the newsletter selected by you at the intervals indicated by you when you registered.

Our newsletters do not contain any visible or hidden counters, third-party adverts or links to external sites which are not directly connected with the content of our newsletter.

The legal basis for sending a newsletter to you is Art. 6(1)(a) GDPR. You can revoke your consent to this at any time. 

Each newsletter contains a notice explaining how you can unsubscribe from the newsletter.

6. Social plugins

We do not use any social plugins within our Digital Services. Social media platforms can only use tracking if you go to said platform from our page.

III. Data security

During website visits, we use the common Hypertext Transfer Protocol Secure (HTTPS) procedure in conjunction with the highest SSL/TLS encryption level supported by your browser. You can tell whether an individual page of our website is encrypted if you see a closed padlock symbol in your browser’s address bar.

Furthermore, we also use additional technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or full loss, destruction or against unauthorised third-party access. Our security measures are continually optimised in line with technological advances.

IV. Your rights

You have the following privacy rights under the GDPR with regard to your personal data:

• Right to information: You can demand information from the bank, at any time, as to whether and to what extent your personal data is being processed (e.g. categories of personal data, processing purpose etc.).
• Right to rectification, erasure and restriction of processing: You have the right to demand that incorrect or incomplete personal data relating to you be rectified. Furthermore, your personal data must be deleted if the data is no longer necessary for the purposes for which it was obtained or processed, you have revoked your consent, or the data is being unlawfully processed. You also have the right to demand that processing be restricted.
• Right of revocation: You have the right to revoke your consent to the processing of your personal data for one or more specific purposes at any time, if said processing is based on your express consent. Please note that this revocation applies to the future only. It will not affect any processing that has taken place before you withdrew your consent. Furthermore, the revocation has no bearing on data processing undertaken on other legal grounds.
• Right to data portability: You have the right to obtain your personal data provided to the controller in a structured, standard and machine-readable format, and to have this data sent to another controller.
• Right to object: Under certain circumstances, you may be entitled to informally object to data processing for reasons arising from your specific situation where said processing is in the public interest or to protect the legitimate interests of the bank or a third party. You are also entitled to informally object to the use of personal data for advertising purposes. If you object to the processing of your personal data for direct advertising, we will stop using your personal data for this purpose.
• Right to complain: You are entitled to lodge a complaint with the relevant Liechtenstein regulatory authority. You may also refer to another regulatory authority of an EU or EEA member state, for instance at your place of residence or work or at the place of the alleged violation.
  You can exercise these rights using the contact address given in chapter I, unless described otherwise.

Last updated: July 2022