
Privacy Policy

25/05/2018

Protection of privacy is a primary consideration for Keytrade Bank Luxembourg.

This Privacy Policy applies to physical persons and aims to explain clearly and simply to you - as a customer, a potential customer, a person connected to a customer or to a potential customer (for example, as a representative of a customer or a beneficial owner of a customer who is a legal entity or of an operation), a visitor on our public site or Transaction Site (together referred to as the "Website") or a user of our app - how we collect, use and store your personal data.

This Policy applies both to data which are initially collected when you contact the Bank and data which are later obtained by the Bank (for example, when you subscribe to an additional product or service, or when you update data that you have initially provided).

Your data are currently processed in compliance with the law applicable in Luxembourg, namely, before 25 May 2018, the amended Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data. From 25 May 2018, this will be done in compliance with Regulation (EU) No 2016/679 of 27 April 2016 on data protection, known as "the GDPR", any legislative act by the European Union amending the GDPR, and any piece of Luxembourg legislation passed for purposes of application of the GDPR (the legal texts mentioned above, together the “Data Protection Act”). More detailed information about data protection is available from the National Data Protection Commission (https://cnpd.public.lu/fr.html) if you reside in the Grand Duchy of Luxembourg, or from any other competent national data protection authority if you reside in another Member State of the European Union (together, the "Data Protection Authorities").

This policy is regularly updated. Please check our Website regularly to find out which version currently applies.


  1. Who is your data controller?
  2. What do we mean by personal data?
  3. When do we collect these data?
  4. Where do we collect data about you?
  5. In what circumstances are you required to send these data to us?
  6. For what purpose and on what basis do we use your personal data?
    1. Statutory obligations
    2. Contractual relations
    3. Legitimate interests
    4. Consent
    5. Direct marketing
  7. Cookies
  8. Storage period
  9. Data security
  10. Who receives your data? To whom may your data be transferred?
  11. What are your rights?
    1. Right of access and correction
    2. Right to be forgotten
    3. Right to restrict processing
    4. Right to data portability
    5. Right to withdraw your consent
    6. Right of objection
  12. How can you exercise your rights?
  13. Who should you contact if there is a dispute?

1. Who is your data controller?

Your data controller is KEYTRADE BANK LUXEMBOURG, located at Rue Charles Martel 62, 2134 in Luxembourg, registered under number RCS B69935 (the "Bank").

Telephone: +352.450439

Email: compliance@keytradebank.lu

We make every effort to comply with the Data Protection Act, as well as the implementing measures, overseen by the Data Protection Authorities.

For some services, we call upon specialist partners, who work as subcontractors. These partners must comply with our personal data protection policy and must also fulfil their relevant statutory obligations. We strive to ensure that your personal data are protected through appropriate provisions in our contracts with subcontractors, as well as other parties that may help us to process your personal data or that receive your data from us.

2. What do we mean by personal data?

By personal data, we mean not only data that identify you directly, but also data that identify you indirectly.

We generally need to collect the following different types of personal data:

Identification data: your last name, first names, addresses, identity card numbers, e-mail addresses, telephone numbers, log on, IP address, age, sex, date of birth, place of birth, marital status, nationality, etc ;
Biometric data: this is the data used as part of the video identification process
Transaction data: these are any data relating to your bank and stock market transactions: your account numbers, bank communications, withdrawals, transfers relating to your accounts, any defaults on loan repayments to the Bank, etc.;
Financial data: your bills, payslips, income, the value of your personal property or real estate, repayment capacity , the origin of your funds or assets, etc ;
Household composition data: your family situation, details about other members of your household, etc ;
Data relating to your investor profile: your knowledge of financial instruments and your experience with them, as well as your financial situation, including your ability to bear losses, your investment objectives and your risk tolerance ;
Data relating to your activity and your interests when you browse our Website or when you use our mobile apps ;
Data relating to our satisfaction surveys or from your interactions on our dedicated social media pages ;
Audio-visual and electronic data: video surveillance recordings from our branch, telephone recordings from our customer service department or records of e-mail communications;
Data obtained via third parties: from the Luxembourg Trade and Companies Register, data provided by public authorities, etc.;
Data obtained via cookies: For more information, please read our Cookies Policy.

When you, as a legal entity, send us personal data of natural persons (such as for example your agents or economic beneficiaries), you guarantee to us that you have processed, that you will continue to process and that you transfer these data to us in compliance with the Data Protection Act, in particular articles 12, 13 and 14 of the GDPR. In particular, you guarantee that you have sent and read this Privacy Policy to these natural persons prior to the transfer of their personal data to the Bank. You guarantee the Bank against any damages to the persons concerned and against any sanctions that may be taken on the basis of such treatment and transfers.

We do not voluntarily process specific categories of personal data (so-called "sensitive" personal data), namely data relating to a person's health, racial or ethnic origin, political opinions, religion or beliefs, trade union membership or sex life. We would only be able to have indirect access to these sensitive personal data under specific circumstances. For example, when you make a transfer to join a political party or a trade union.

3. When do we collect these data?

When you become a customer or when a customer discloses your data to us ;
When you contact us via one of the channels available to you ;
When you visit one of our branches ;
When you sign up for a new product or service ;
When you take part in a survey, a tutorial, an information session or any other event organized by Keytrade Bank Luxembourg ;
When you use one of our products or services ;
When you log on to our mobile apps or our Website ;
When you fill in one of our forms or sign a contract with the Bank.

4. Where do we collect data about you?

In most cases, you provide us the personal data that we process. However, we do also obtain these data via third parties. In particular, this happens when :

your data are disclosed to us by a customer (for example, because you are a beneficial owner or the representative of a legal entity) ;
your data are disclosed to us by an authorised third party (for example, as part of video identification)
we view data with an authorised third party (for example: publication on Legilux or in the Trade and Companies Register) ;
as part of our legal obligations, we consult some external files.

5. In what circumstances are you required to send these data to us?

You can visit our public site without sharing your identity with us. However, we do use cookies that are intended to make it easier to use our Website, among other things. For more information, please read our Cookies Policy.

If you want to open an account at the Bank or use our services, you will be required to provide us with some information about yourself. We are legally required to request information from you that we need in order to be able to initiate a relationship with you.

You do, of course, have the right to refuse to disclose this information to us, but, should you do this, you will be unable to enjoy our services.

6. For what purpose and on what basis do we use your personal data?

Generally, we use your personal data :

in order to comply with any legal and regulatory dispositions to which the Bank is subject;
as part of the process of executing an onboarding banking services contract or any other contract with the Bank, or when taking pre-contractual measures;
in order to pursue the Bank's legitimate interests, maintaining a balance between these legitimate interests and respect for your privacy; or
when we have obtained your consent.

6.1 Statutory obligations

The Bank is bound by a number of legal and regulatory obligations that require us to process your data. These obligations mainly fall within the following legal and regulatory areas :

The obligation to respond to any legitimate request from a public, judicial, prudential supervisory or tax authority, either in Luxembourg or from abroad ;
Administrative and risk management obligations. We calculate risk scores for granting credit (Lombard loan, for example) and we assess your ability to repay. By using risk modelling which uses your personal data, we can assess the risk of you not being able to repay your credit ;
The obligation to help to prevent money laundering and the financing of terrorism, by identifying customers, representatives and beneficial owners, establishing profiles, and monitoring operations and transactions ;
The obligation to comply with legislation on embargoes determined by the competent authorities in Luxembourg or abroad, against individuals, organizations or citizens of some states, for example, by identifying the people and assets involved ;
The obligation to help to fight against tax fraud and evasion, by identifying customers, their accounts and contracts, and by working with the competent authorities ;
The obligation to help to fight against market abuse, by identifying particular information and reporting it to the competent authorities ;
The obligation to protect users of financial products and services, by identifying, for some services, the profile and investor category, and their investment capabilities and objectives ;
The obligation to disclose information about accounts, transactions and their respective beneficiaries or issuers to other financial product or service providers, or payment service providers (for example, payment service initiators and account aggregators).
The obligation to comply with requirements relating to financial or tax reporting, or relating to reporting fraud or incidents ;
The obligation to save and store certain data.

The list of legal and regulatory areas that govern how the Bank must process your data is non-exhaustive and may change.

As part of its statutory obligations relating to fighting against money laundering and the financing of terrorism, to performing a credit check during a credit application and to protecting investors, the Bank carries out automated checks, using external sources or data which are specifically requested from you at that time. These automated checks may possibly result in us refusing you a contract or requesting additional information from you, depending on the case.

For these checks, the Bank uses suitable mathematical or statistical models, using verified data in order to avoid any risk of error. When this occurs, the Bank does not process any sensitive data and strives to avoid any form of discrimination.

6.2 Contractual relations

Before entering into a contract, the Bank may and, in some cases, must obtain and process certain data, in particular, in order to :

respond to your application;
make you aware when the online registration process has not been completed;
take an application further, assess suitability and evaluate the risks linked to any contract;
assess your creditworthiness or possibly the creditworthiness of people connected to you during a credit application.

In addition, the Bank is unable to process applications for specific products or services without obtaining certain data from you beforehand.

For example, if you want to acquire a new product or service (for example, KEYPRIVATE, etc.), we will need certain personal data from you in order to assess whether we can provide these products or services to you.

More specifically, in the context of executing contracts, the Bank processes your data as follows :

central management of your different types of accounts ;
management and checking of transactions ;
central management and a 360-degree view of customers ;
management and provision of products and services, including :
  • the sale of financial and investment products;
  • management and granting of credits, by assessing the overall credit risk ;
consolidation and monitoring of reporting on financial and accounting data ;
protecting you and your assets against any fraudulent activity, as a result of identity theft, data leaks or data hacking, for example.

6.3 Legitimate interests

The Bank also processes your data in order to pursue its legitimate interests. For this purpose, the Bank strives to maintain a fair balance between its data processing needs and respect for your rights and freedoms, particularly privacy protection.

Personal data are therefore processed in order to :

prepare studies, (risk, marketing and other) models and statistics, by using anonymization and/or pseudonymization techniques for the individuals involved;
promote products and services provided or promoted by the Bank (see 6.5);
complete in advance data that we already know for existing customers when they apply for additional products or services;
optimizing the performance of our services:
  • We use transaction data in order to get a better understanding of how our services are used, in order to improve them. For example, when you open an account, we measure the time between when your account was opened and the first transaction.
  • We also analyze the results of our marketing activities, so that we can measure how effective our campaigns have been, in order to provide you, the customer, with more appropriate solutions.
  • We analyze the results of surveys conducted on the Bank's customers, statistics, tests and comments left by customers on the Bank's different social media pages (Twitter, Facebook, etc.).
storing evidence;
Training our staff, using telephone recordings from our customer service department;
tracking the Bank's activities, in particular, measuring sales, the number of calls and the number of visits to the Bank's Website, as well as ascertaining the most frequently asked questions by customers, etc.
cookie use: you can find more information about how cookies work and how you can restrict or delete cookies in our Cookies Policy;
protecting assets and people, and combating fraud or attempted hackings, malpractice or other offences: this means that images recorded by our surveillance cameras are only recorded to protect assets and people, and to prevent malpractice, fraud or other offences that could be committed against our customers or the Bank;
establishing, exercising, defending and safeguarding the rights of the Bank and the people that it may represent during recovery or dispute procedures, for example.

6.4 Consent

In some cases, the Bank will only process your personal data if it has specifically obtained your consent to do so.

For example :

The Bank will only send you marketing communications by e-mail or by SMS and will only process your electronic-communications data for this purpose if you have provided specific consent for it to do so as indicated in Article 10.1 of the General Terms and Conditions of the Bank (see also 6.5). Please note: your consent is only required for marketing communications that are sent electronically. In all cases, we reserve the right to contact you via any channel of communication and, electronically in particular, as part of the process of executing your contract or if the law requires us to do so.
The Bank will only disclose data needed for some payment service providers, such as payment service initiators and account aggregators, to take action, if you have provided your consent.

6.5 Direct marketing

The Bank offers you a wide range of financial products and services and, as a company, it has a legitimate interest in being able to tell you about the products or services that it provides or is promoting. With this in mind, it may need to use your personal data and, in particular, your contact details, in order to send marketing communications to you.

In practice, this means that you may be contacted in the following cases, for example :

about products in which you showed an interest (for example, by registering for an information session or by running a simulation on the product);
when the Bank launches new products or services;
when you have started a subscription process for a product or service and have not completed it.

As part of its direct marketing activities, the Bank may contact you using traditional methods, such as the telephone and ordinary mail. The Bank will only use these traditional methods of communication if you have not exercised your right of objection to your commercial data being used for direct marketing purposes (see 11.5).

The Bank may also contact you electronically (via e-mail, fax or SMS). However, it will only do this when you have provided your consent for it to do so.

Under no circumstances will the Bank disclose your data to third parties so that they can send you marketing communications for their own products and services. Furthermore, the Bank will never process sensitive data for direct marketing purposes.

7. Cookies

Generally speaking, cookies are small data files stored on your computer. They may have different functions, but they are generally used to keep a record of websites that you have visited, which can use them to remember you and your preferences when you visit in the future.

We use cookies on our Website in order to enhance its performance, to enable it to remember your preferences and to bring you information that we think will be interesting or useful to you.

We also use data recorded by cookies to compile statistics for our Website and to ensure that its performance and content are improved.

We may use cookies in order to identify certain patterns in your online behaviour, in order to provide you with content that meets your needs and benefits you.

The use of some of these cookies may therefore constitute processing of your personal data. In such case, and only to the extent that your personal data are processed through these cookies, such processing is subject to this Privacy Policy.

Most web browsers are automatically configured to accept cookies. However, you can configure your web browser to notify you each time a cookie has been sent or to stop it from saving cookies on your hard disk. If you do not accept our cookies, you may notice that our Website will slow down or you may no longer be able to access all of its services.

For more detailed information about using our cookies, please read the Bank's Cookies Policy.

Our Website may contain links to third-party sites, which have terms of use that do not fall within the scope of our Privacy Policy.
We recommend that you read their personal data protection policies carefully, and we will not take any responsibility for the use of your personal data that such third party sites may make.

8. Storage period

We try to not store your personal data for any longer than we need for the processing activity that requires us to collect them. When assessing how long we need to store your personal data, we must also take into account the applicable regulatory requirements (requirements stemming from legislation against money laundering, for example).

More specifically, your personal data as a prospective customer will be stored for a maximum period of two years from the last communication by you to our services or from the last participation in one of our events.

If you are a customer of the Bank, the data that we will have collected as part of our contractual relationship will, in principle, be stored for the duration of this relationship and for a period of 10 years after you close your account. This period may be longer in some cases, for example, when it involves a dispute (until there is an outcome to the dispute).

In case of a new customer relationship established by videoconference:

All personal data held by our authorised service providers are erased by the latter, as soon as the subscription procedure is complete and the complete file has been forwarded to Keytrade Bank Luxembourg;
In order to answer any investigation or complaint without delay, authorised service providers may be required to keep anonymous identification data for a maximum of seven days before the data are transmitted to Keytrade Bank Luxembourg.

Other data, such as data collected using surveillance cameras, are stored for a shorter period (a period of a month for images recorded by surveillance cameras).

9. Data security

We take suitable technical and organizational measures in order to guarantee that your personal data are adequately protected against being lost or accidentally divulged to unauthorized individuals.

We have put in place security technology that complies with international rules and current standards in order to protect your personal data.

You can also help to keep your personal data secure by following these tips:

Use the most recent operating system on your computer and install all of the security updates;
Use the most recent version of your web browser and then install all of the security updates;
Install antivirus software, anti-spyware software and a firewall, and adjust your preferences so that these safeguards are updated regularly;
Do not leave your Device and your log-in details unattended;
Log off the Transaction Site or the app if you are no longer using it;
Keep your codes confidential.
Make sure that you are on the real Keytrade Bank site, using the site address and the certificate: in order to do this, click on the green padlock and check that the certificate:
  • belongs to Keytrade Bank Luxembourg
  • is issued (verified) by Globalsign nv-sa
Only log in from devices that you trust and do not use shared computers/devices for sensitive transactions.
If you don't feel comfortable with a site, do not use it and do not enter any codes/passwords!
Do not open attachments to e-mails that you were not expecting.
E-mails may contain viruses or other unwanted software, even if you know the sender. Make sure that your anti-virus software also scans the attachments to your incoming e-mails. Perhaps activate the e-mail filter on your web browser.
The Bank will never ask you for your account numbers, debit or credit card numbers, passwords or codes via e-mail.

If you contact our customer service department about an issue relating to executing your orders, they will ask you for your bank account details. When using the "Telephone orders" service, they will ask you some personal questions in order to identify you.

10. Who receives your data? To whom may your data be transferred?

Within the Bank, your personal data can only be accessed by people who need to access them for working purposes.
The IT management of our database is outsourced to our sister company, Keytrade Bank S.A. in Brussels according to the provisions of art. 38 of our General Terms and Conditions.
In some cases, we are required by law to disclose your personal data to third parties:
  • to market and regulatory authorities;
  • to the Central Bank of Luxembourg (in cases mentioned by European Regulation no. 2016/867 of 18 May 2016 (the ANACREDIT Regulation)) relating to credits that are granted to you ;
  • to public or judicial authorities, such as the police, prosecutors, law courts, etc., within the limits imposed by law ;
  • to lawyers (for example, in relation to the dissolution of a marriage or a bankruptcy), notaries (for example, when it involves a mortgage or inheritance), guardians or provisional administrators, etc ;
In some cases, the Bank calls upon third parties to provide you with services to which you have subscribed or in order to process your personal data, for the purposes of carrying out our contractual relations with you. For example, this can involve :
  • Specialist providers from the financial sector, who must also fulfil their legal obligations as data processors in relation to personal data;
    (For example: Correspondent banking institutions in foreign countries, etc.);
  • Service providers who help us to:
    • Create and maintain our tools;
    • Market our activities, organize events and manage communications with customers;
    • Develop and/or manage our products and services.

In such cases, we ensure that these third parties only have access to the personal data that they need to complete their specific tasks. We also ensure that our data processors commit to treating data securely and confidentially, and to using them as outlined in our instructions.

The recipients of your personal data mentioned above may process your data, under our instructions, for the execution of your contractual relationship with the Bank, or in order to comply with the legal obligations that apply to the Bank. However, it is also possible that such data will be processed by these recipients for their own purposes and/or for compliance with their own obligations. In such case, these recipients are responsible for the processing of your data and the Bank accepts no liability for any damage that may result from such processing.

When we work with data processors or transmit such data to controllers in countries outside the European Economic Area (EEA), the countries concerned have been recognised by the European Union as ensuring adequate protection of personal data. In such cases, we take action (for example, through contractual measures) to guarantee that your personal data are properly secured in the country of destination. In such cases, we take action to guarantee that your personal data are processed with the same level of security as required under the Data Protection Act. You can obtain a copy of the appropriate measures used by contacting us at the following address: compliance@keytradebank.lu.

Under no circumstances will we sell your personal data to third parties.

11. What are your rights?

11.1 Right of access and correction

You have a right of access to your personal data. In particular, the Bank can provide you with:

The categories of personal data which have been processed;
The purposes for which we have collected your data;
The categories of recipients who have received your data from us;
The storage period for your data;
The rationale for using any automated processing on your personal data;
The source of any processed personal data, if it was not collected from you.

If you discover that your data are inaccurate or incomplete, you can ask us to correct them.

We take all necessary measures to ensure that your personal data are correct, up-to-date, complete and relevant, which is why we ask you to keep us informed of any changes (new addresses, new identity cards, acquisition of a new nationality, etc.).

If we correct your data and we have previously shared them with third parties, we will also notify them of these corrections.

11.2 Right to be forgotten

In some specific cases, legislation enables you to have your personal data deleted.

This is particularly the case if the data are no longer needed for the purposes for which we have collected them (for example, because you have disclosed your contact details to us in order to take part in an event which has finished), if we have only processed your data because you provided your consent for us to do so and you decide to withdraw it, or if you object to your data being processed and we have no legitimate reasons which take precedence over yours.

However, the Bank may store your personal data when they are needed for establishing, exercising or defending its rights in court, or for the Bank to comply with its statutory obligations. The Bank will therefore be required to comply with storage periods stipulated by different laws, particularly when the data are for transactions which you have carried out or have been collected as part of our obligations relating to fighting against money laundering and the financing of terrorism (see point 7).

11.3 Right to restrict processing

This particular right of objection enables you to ask the Bank to block your data temporarily in specific cases set out by regulations: the Bank will then no longer be able to process your affected data for a specified time.

You can ask for your data to be blocked:

When the data in question are inaccurate, incomplete, ambiguous or out-of-date, for the amount of time needed to enable us to ensure that your data are accurate;
When collecting, using, disclosing or storing them is prohibited;
When the data are no longer needed for processing purposes;
For the period of time needed by the Bank to assess the merits of an objection request.

If you exercise this right, we will be able to store your data, but we will no longer be able to carry out any further processing on them, except when you provide your consent for us to do so, or in order to establish, exercise or defend our rights (or the rights of another person).

11.4 Right to data portability

Thanks to this right, you can ask the Bank to send your personal data to you or to send them directly to another data controller, when this is technically possible for the Bank. This right only applies to data which you yourself have supplied to the Bank and which are automatically processed, on the basis of the contract or when you have provided your consent.

11.5 Right to withdraw your consent

When your data are only being processed because you have provided your consent, you have the right to withdraw this consent at any time. However, withdrawing your consent does not provide grounds for you to call into question the legality of the processing activity carried out during the period before you withdrew your consent.

11.6 Right of objection

You always have the right to object to your data being used for direct marketing purposes, without any justification and at no expense, via e-mail: unsubscribe@keytradebank.lu. If this occurs, your data will no longer be used for this purpose.

Furthermore, you also have the right to object, for reasons relating to your particular circumstances, to any processing of your personal data which has been carried out to further our legitimate interests. However, we will be unable to grant your request if our legitimate interests prevail over yours or if we are required to process your data in order to establish, exercise or defend our rights in court.

12. How can you exercise your rights?

In order to exercise your rights, you can send your dated and signed request to us, together with a readable copy of the front and back of your identity card, with as many specific details as possible:

by mail to :
KEYTRADE BANK - Compliance
62 Rue Charles Martel
L-2134 Luxembourg

Upon receiving your complete request, we will respond to it within 30 calendar days.

If you request any additional copies when exercising your right to access your personal data, we may charge you a reasonable amount for administrative costs.

13. Who should you contact if there is a dispute?

If there is a dispute relating to processing your personal data, you can submit a mediation request to the National Commission for the Protection of Privacy at the following address: 1, Avenue du Rock'n'Roll, L-4361 Esch-sur-Alzette, Grand Duchy of Luxembourg, or with any other competent data protection authority in the Member State of the European Union in which you reside.