Valid from: May 2018 (version 31.07.2019)
Personal data are data such as your name, address, nationality, e-mail address etc. through which your personal identification is possible.
REAL guarantees that all personal data are handled on a strictly confidential basis and are only used for the agreed purpose (refer to section 6 below) or insofar as another legal basis exists in terms of the General Data Protection Regulation (GDPR). For this purpose, we apply a variety of technical and organisational measures.
2. Application of the data protection legislation / the General Data Protection Regulation «GDPR»
3. Who is responsible for data processing?
REAL Trust and Consulting Establishment
Tel.: +423 232 02 02
Fax: +423 232 02 04
Any questions about data protection are to be submitted to the company’s data protection officer:
Tel.: +423 232 02 02
4. What types of personal data are collected?
Insofar as services from REAL are used, for the completion of pre-contractual measures, or for the fulfilment of any associated legal obligations, personal data are collected, such as the following:
- First name, surname,
- Postal and e-mail address,
- Telephone numbers,
- Date of birth,
- Place of birth,
- Passport and/or identity card information
- Details about your family circumstances,
- Tax identification number,
- Bank details,
- Information from your curriculum vitae such as your education, profession, business activity, etc.,
- Other data from sources that are accessible to the general public, such as from Worldcheck, the commercial register, the Internet,
- Data regarding any correspondence conducted with you,
- Server log files: browser type and browser version, the operating system used, referrer URL, IP address/host name of the accessing computer, time of the server query.
5. Your personal data will be collected in a variety of ways, for example:
- From information that you provide to us when you meet us in person,
- From information about you which is provided to us by your company or by an intermediary,
- If you communicate with us by telephone, fax, e-mail or using other methods; in this context, we are able to monitor, rECOrd and store such communication,
- If you fill out forms at a customer onboarding event or a later point in time (or we fill them out on your behalf),
- Information transferred to us by your agent, consultants, intermediaries, custodians, asset managers, etc.
At a customer onboarding event or at a later point in time, personal data can also be processed by other persons who partake in the business relationship, if such processing is necessary for entering into said relationship, such as data from authorised agents, representatives, the legal heirs of the beneficial owner, etc.
Personal data can also be processed from publicly accessible sources (for example, the land register or commercial register, the press, media, the internet, Worldcheck, etc.), or also in cases in which such data are passed on by other group companies, public authorities or institutions, from your personal environment such as your family or legal advisers, or other third parties to REAL.
Certain data are processed when you visit our website. Please read more about this in section 11 et seq.
6. The purpose, scope and justification of use of your personal data
The processing of this data takes place
on the basis of point (b) of Art. 6(1) GDPR «for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract», such as
- To enter into service contracts with you, such as a founding charter, mandate agreement, asset management agreement, etc.,
To identify you as our customer, cooperation partner, etc.,
To conduct necessary correspondence with you or with third parties,
To bill you for the services that we provide you with,
To offer you customized services or to develop such services further,
To process your application in view of possible employment.
The processing of your data takes place on the basis of point (c), Art. 6(1) GDPR «for compliance with a legal obligation», in order to
- Comply with the applicable laws and compliance regulations (such as FATCA, AIA and due diligence obligations) or
on the basis of point (a) of Art. 6(1) GDPR «Consent»,
- Insofar as you have given us your consent to the data processing and there is no withdrawal, for example, if you send us your application documentation as you want to apply for a job in our organisation.
The processing of such data takes place on the basis of point (f) of Art. 6(1) GDPR «for the purposes of the legitimate interests pursued by the controller or by a third party», such as
- To respond to enquiries lodged by a court or authorities, to assert, exercise or defend legal claims, or to comply with the statutory retention requirements,
- To assess statistics concerning access to our website, and to improve the functionality of our website on an ongoing basis. Please read more about this in section 11 et seq.
7. Recipients of personal data
Within our company, employees are only allowed to process your data if they require it for the fulfilment of our contractual, statutory and regulatory obligations, or for the purposes of the legitimate interests (in this respect, see section 6).
Data can also be transferred to third parties under the same conditions insofar as this is necessary for the provision of our service. These include, in particular:
- Group companies,
- Services companies such as banks and asset management companies,
- Professional consultants such as tax consultants, lawyers, auditors,
- Public authorities, governmental organisations, courts,
- Your authorised agents and representatives,
- Service providers, suppliers and auxiliary persons (e.g. hosting providers, IT service providers, etc.),
- Service providers which operate and provide the IT applications that we use (e.g. Google Analytics, etc.).
A corresponding transfer of data is based either on a legal obligation (e.g. transfer of data in the course of the automatic exchange of information), the fulfilment of a contract (e.g. asset manager, tax consultant abroad), the fulfilment of a legal obligation by the responsible party, consent on your part, public interest, or on the basis of legitimate interest on our part, unless your interests or fundamental rights and freedoms with regard to the protection of personal data prevail.
8. Cross-border processing
The recipients may be located in Liechtenstein or abroad. We kindly inform you that we can exchange personal data within our group companies or transfer data to countries in which service providers, from whom we acquire services, are located (e.g. Microsoft).
In the case of recipients which are external to our company within the EU/EEA, or in countries with the appropriate data protection regulations, such as Switzerland, we ensure data protection to the extent that we – where necessary and required – conclude processing agreements with the service provider. If we transfer personal data to third countries without the appropriate statutory data protection arrangements, we ensure an adequate level of protection according to the statutory requirements by agreeing to standard EU contractual clauses or applying other means, such as Binding Corporate Rules or the US Privacy Shield.
9. Duration of storage and erasure of data
REAL will only process and store your personal data for as long as this is necessary and legally permitted to achieve the purpose of the contract, for the purposes of verification and security, and for the fulfilment of the statutory retention requirements.
According to the SPG (Liechtenstein Due Diligence Act) and PGR (Liechtenstein Persons and Companies Act), we are subject to a retention period of 10 years (Due Diligence Act, SPG, LR 952.1; Persons and Companies Act, PGR, LR 216.0). In addition, personal data will also be stored until the end of any legal disputes in which the data may be required as evidence.
10. According to the GDPR, you have the following rights (Art. 12-23 GDPR):
Right of access: you have the right, at any time and free of charge, to obtain information about the origin, categories and the recipients to whom your data will be disclosed, the duration of its storage, the existence of automated decision-making including profiling, and the purposes for which your personal data are to be processed.
REAL will refrain from using your data for either direct advertising or for other marketing purposes. Furthermore, it will not engage in automated decision-making, including profiling.
Right to rectification: you have the right to rectification of incorrect personal data. This also includes the right to request the completion of personal data that are incomplete.
Right to erasure: under certain circumstances (refer to Art. 17 GDPR), you have the right to the erasure of your personal data.
Right to the restriction of processing: under certain circumstances (refer to the requirements of Art. 18 GDPR), you have the right to request the restriction of the processing of your personal data.
Right to data portability: this is the right for you to receive your personal data in a machine readable format, which you can then transfer to another company.
Right to withdraw consent: you have the right to withdraw your consent, which means you can withdraw your consent to the processing of your personal data. The withdrawal of consent does not affect the lawfulness of the processing up to the time of the withdrawal.
At this point, reference is made to the fact that such withdrawal may mean that REAL is no longer able to fulfil the contract and/or is no longer able to offer any further services.
Right to object: insofar as your personal data are processed pursuant to point (f) of Art. 6(1), GDPR on the basis of legitimate interests, according to Art. 21 GDPR, you have the right to submit an objection to the processing of your personal data insofar as appropriate reasons exist, resulting from your particular situation.
You can make use of your right to withdraw consent and your right to object by sending an e-mail to the following contact: firstname.lastname@example.org.
Right to lodge a complaint: You have the right to lodge a complaint with the responsible data protection supervisory authority. In this respect, please refer to www.datenschutzstelle.li.
Please note that these rights can only be granted to the extent that this is not prevented by any statutory obligations regarding storage and retention and/or other regulatory obligations from public authorities or offices.
11. Provision of our website
As soon as you visit our website, our web server automatically collects server log files, i.e. data and information from the computer system of the accessing computer. In this context, the following data are collected:
- Browser type and browser version,
- Operating system in use,
- Referrer URL
- IP address/host name of the accessing computer,
- Time of the server request.
We are unable to associate this data with a specific person. This information will be analysed for website access statistics and stored on a long-term basis.
Cookies are small files that are created automatically by your browser and stored on your end device (laptop, tablet PC, smart phone, etc.) whenever you visit our site. The cookies are stored on your end device until you delete them. This enables us to recognise your browser upon your next visit.
The legal basis for the processing of data via cookies is point (f) of Art. 6(1) GDPR.
Cookies remain valid for an undetermined period until you erase the cookies on your device(s) and they are subsequently erased by your browser.
13. Google Analytics
The information which they contain regarding the visitor’s Internet use and use of the website can be processed and evaluated by Google. If necessary, the data collected by Google will be transferred by Google to countries outside of the EU and the EEA, to the USA in particular. However, Google has agreed to comply with the Privacy Shield Framework. You can find out more about your rights at http://ec.europa.eu/justice/dataprotection/document/citizens-guide_en.pdf.
We ensure that your IP address is anonymized before it is transferred to Google.
The legal basis for the use of Google Analytics is point (f) of Art. 6(1) GDPR.
14. Data protection regarding job applications
We process the personal data of applicants during the recruitment process. In the event of an appointment, the personal data of the candidate will be processed for the purposes of the implementation of the employment relationship. By contrast, REAL will erase all the application documents of a candidate within three months of the candidate being rejected, insofar as the erasure is not opposed due to legitimate interests on our part, such as the need to hold onto documentation for possible legal proceedings.
In submitting your application, you agree to the processing of personal data such as your name, title, address, telephone number, date of birth, education, work experience, salary expectations and any data and images that may be contained in the covering letter, curriculum vitae, letter of motivation, certificates or other documentation which is sent to us for recruitment purposes.
Your data will not be forwarded to third parties without your consent.
The legal basis for the data processing is point (a) of Art. 6(1) GDPR (Consent) and point (b) (required for the fulfilment of the contract) of the GDPR.
15. Data security
REAL takes technical measures in order to ensure data security, in particular to protect your personal data against risks during the transfer of data and to protect it against access by third parties. These measures are updated regularly in accordance with technological standards.
In particular, REAL applies additional appropriate technical and organisational security measures in order to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are subject to continuous improvement in line with technological developments.
Apart from the above, please note that the transfer of data over the Internet (e.g. during communication via e-mail) may have security vulnerabilities. The complete protection of data against access by third parties is not possible.