This data retention policy (“Data Retention Policy”) describes how Luminor defines retention periods for certain types of Personal Data and sets out an example summary of retention periods applicable to the Luminor Group on a general level. Specific retention periods of your Personal Data might also be described in contracts, in other service‑related documents and on Luminor‘s website.
We must ensure that we process your Personal Data for no longer than is necessary to achieve the purpose(s) for which the Personal Data are processed and to delete or anonymize the Personal Data once the purpose has been achieved. Personal Data will be processed by Luminor as long as the business relationship with you exists and very often, also for a time period thereafter as there are purposes why Luminor is obliged under the law or has rights to keep the data (i.e. legitimate interest). The retention periods define as to when Luminor can no longer have the legal basis to keep the Personal Data. After the expiry of the retention period, Personal Data will be either deleted or anonymized. Anonymization is an irreversible process by which Personal Data is transformed into a non‑personal format. While Personal Data will be deleted or anonymized in our IT systems, a back‑up copy may still exist for some time to ensure that the technical environment can be restored in the event of a physical or technical incident.
We will process and store your Personal Data as long as it is necessary for the performance of our contractual obligations. If Personal Data is no longer required for the performance of our contractual obligations, it will be deleted or anonymized, unless any further processing (for a limited time) is necessary for the following purposes:
- Performance of statutory obligations. Some laws provide for a defined, usually minimum, retention periods, during which, the obtained Personal Data must be stored. Such retention periods usually range from 2 to 10 years. These are the main laws, applicable to Luminor and impacting our data retention periods:
- Directive (EU) 2015/849 (“Anti‑money laundering Directive”) and implementing local legal acts;
- Directive (EU) 2015/2366 (“PSD2 Directive”) and implementing local legal acts;
- Directive 2014/17/EU (“Mortgage Credit Directive”) and implementing local legal acts;
- Directive 2008/48/EC (“Consumer Credit Directive”) and implementing local legal acts;
- Directive 2014/65/EU (“MiFID II Directive”) and implementing local legal acts;
Where different legal acts provide different retention periods for the same data (especially this is relevant for such common data like name, surname, personal ID of customers), it will be kept for the longest applicable period. The most common retention period is based on the Anti‑money laundering Directive and respective implementing local legal acts which require to keep customer related information, including all information received through “Know Your Customer” questionaries, communication history as well as information about transactions. In Latvia and Estonia, we will keep this information for five years and in Lithuania for eight years after terminating all business relationships with you. If requested by authorities, these retention periods can be extended.
- Preservation of evidence within the scope of statutes of limitations. Where Personal Data retention is not needed to perform our contractual obligations or comply with applicable legal requirements, we may still keep the data where we have a legitimate interest to do so. In such cases, Luminor analyzes how long the Personal Data is needed to protect such legitimate interest. An example of retention of your Personal Data based on Luminor’s legitimate interests is when we need to preserve evidence (i.e. to protect our rights in litigation, to prove existence of right to check information about private individuals in certain public or private data registers, etc.). For that purpose, Luminor retains certain documents and data in systems containing Personal Data and archives (in case of physical documents) in order to retain any evidence for a period during which a potential investigation/lawsuit could be initiated. Laws provide for different statutory limitation periods for initiating a claim and this depends on the type of claim and when it is instituted. For instance, the most commonly applicable and the longest period of statutory limitation is 10 years.
Another example relates to the CCTV recordings which we use to prevent crime or to support investigation of those. Not always are the financial crimes being noticed at the moment of their occurrence. Therefore, retention period for such CCTV recordings is defined for 90 days which can be prolonged in the interests of a concrete investigation.
If you, as a data subject, wish to have detailed information on the exact retention periods for your Personal Data processed by us, or if you have any questions about retention periods determined by Luminor, Luminor encourages you to contact us by e‑mail.
Contact details are following:
Data protection officer in Lithuania
Data protection officer in Latvia
Data protection officer in Estonia
You may also contact Luminor using other contact channels as provided on Luminor’s webpages.