lhv.com privacy policy — score 62/100 (medium risk)
Last analysed
The report content (summary, findings, quotations) was generated in English and has not been localised.
LHV Bank Limited · lhv.com
Report details
Medium risk: LHV Bank collects a sweeping range of personal and financial data, shares it widely with fraud prevention agencies and payment intermediaries, and relies heavily on legitimate interest for marketing and analytics — but it does cover GDPR rights and uses manual review for profiling decisions.
LHV Bank Limited's privacy policy is typical of a UK-based financial institution with extensive regulatory obligations (AML, KYC, fraud prevention). It is transparent about its data sharing with CRAs and Fraud Prevention Agencies and discloses joint controller arrangements with AS LHV Pank and SWIFT. However, it relies broadly on legitimate interest for purposes like marketing, analytics, and negative news screening; provides no specific retention periods; disclaims responsibility for certain international transfers; and is entirely silent on AI/model training. The policy is detailed but leaves several critical gaps that weaken user confidence.
Assessment per category
Breakdown of the policy across key compliance areas. Good = strong, fair = mixed, poor = concerning.
The policy states it takes reasonable steps to limit processing to what is necessary, but the categories collected are extremely broad including content/advertising interaction data, social media monitoring, and professional history.
The policy is detailed with a purpose-by-purpose legal basis table, but critical details like specific retention periods and the full list of processors are absent or referenced only externally.
Data flows to a wide array of third parties including credit reference agencies (CRAs), Fraud Prevention Agencies, SWIFT as joint controller, cloud providers, advertising providers, and payment system participants — with significant downstream consequences for data subjects.
SCCs are used for non-adequate jurisdiction transfers, but the policy warns that correspondent banks in low-protection countries may not offer equivalent safeguards and disclaims responsibility for direct transfers to non-EEA LHV Group entities.
The policy is completely silent on whether personal data is used for AI or model training purposes, with no opt-out mechanism mentioned.
All standard GDPR rights are clearly listed including the right to request legitimate interest assessments, with a one-month response deadline and no fee for access requests.
Key findings
Notable clauses, issues or positive practices (critical first)
Fraud Prevention Agencies can hold data for up to six years with significant consequences
The Fraud Prevention Agency Policy states that if you are considered a fraud or money laundering risk, your data can be held for up to six years, and this 'may result in others refusing to provide services, financing or employment to you.' This is a high-impact data sharing arrangement with limited individual recourse.
No specific data retention periods disclosed
Section 12 states data is retained 'only for as long as they are needed in connection with a lawful purpose' but provides no concrete retention schedules or timeframes, making it impossible for data subjects to understand how long their data persists.
Broad reliance on legitimate interest for marketing and analytics
Section 6 lists legitimate interest as the legal basis for marketing to corporate clients, data analytics to improve products/services/website, and making suggestions/recommendations about goods/services. The balancing test outcomes are not disclosed beyond a generic statement that legitimate interests are 'not overridden.'
Disclaimer of responsibility for direct transfers to non-EEA LHV Group entities
Section 8 states: 'when you transfer any Personal Data directly to any LHV Group entity established outside the EEA or the UK (as applicable), we are not responsible for that transfer of your Personal Data.' This attempts to sidestep controller accountability for intra-group transfers.
Two-week delay for marketing unsubscribe requests
Section 17 states 'it may take up to 2 weeks to process your unsubscribe request during which time you may continue to receive communications from us,' which is an unreasonably long delay for an automated opt-out mechanism.
Content and advertising data collection includes granular interaction tracking
Section 5 lists 'mouse hover, mouse clicks, any forms you complete in whole or in part' and 'any touchscreen interactions' as content and advertising data that it processes, which goes beyond what is typically necessary for a banking service.
Joint controller arrangement with SWIFT not fully detailed in-policy
Section 7 discloses that LHV and SWIFT act as joint controllers for the payments messaging service but directs users to an external link for SWIFT's responsibilities, making it difficult to understand the full arrangement within the policy itself.
Summary for the user
Your financial and personal data is shared with many third parties including credit reference and fraud prevention agencies who can hold it for up to six years. You can object or request deletion, but the bank's broad legitimate interest claims and lack of clear retention limits mean your data may persist longer than expected.
Compliance posture
LHV Bank demonstrates awareness of GDPR/UK GDPR obligations — it appoints a DPO, describes legal bases, and references SCCs for transfers. However, the absence of specific retention periods, the broad legitimate interest reliance for marketing, and the disclaimer of responsibility for direct transfers to non-EEA LHV Group entities are compliance weaknesses that regulators could scrutinize.
EU transfers
Data is primarily processed in the UK and Estonia. Transfers outside the EEA/UK use Standard Contractual Clauses, but the policy explicitly warns that correspondent banks in countries with insufficient data protection may not guarantee equivalent rights, and disclaims responsibility for direct transfers by users to non-EEA LHV entities. This is a notable gap.
Detected signals
Specific data and practices identified in the text
Evidence excerpts
Direct quotations from the policy supporting these findings
We take every reasonable step to ensure that your Personal Data are only retained for as long as they are needed in connection with a lawful purpose.
if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years
when you transfer any Personal Data directly to any LHV Group entity established outside the EEA or the UK (as applicable), we are not responsible for that transfer of your Personal Data
it may take up to 2 weeks to process your unsubscribe request during which time you may continue to receive communications from us
records of your interactions with our online advertising and content, records of advertising and content displayed on pages displayed to you, and any interaction you may have had with such content or advertising (e.g., mouse hover, mouse clicks, any forms you complete in whole or in part)
Missing or unclear
- Specific data retention periods for each processing purpose
- AI or machine learning model training policy and opt-out mechanism
- Complete list of processors and sub-processors
- Detailed legitimate interest balancing tests
- Cookie policy details (referenced but not included)
- Data breach notification procedures
- Data Protection Impact Assessment summaries
Questions to ask
- What are the specific retention periods for each category of personal data and processing purpose?
- Where can we obtain the complete and current list of sub-processors and third-party recipients?
- Has a legitimate interest balancing test been documented for marketing to corporate clients and for data analytics, and can it be shared upon request?
- What safeguards specifically apply when personal data is transferred to correspondent banks in countries without adequate data protection?
- Is any personal data used for training AI models, machine learning systems, or algorithm development, and if so, is there an opt-out?
- How does LHV Bank ensure that the two-week unsubscribe delay is proportionate and compliant with the right to object to direct marketing?
- What specific manual review processes are in place before profiling-based decisions (e.g., blocking a payment) take effect?
Built by DentroChat