Data protection information sheet (Internet)

1. Name and Contact Information of the Controller and of the Company Data Protection Officer
This Privacy Policy applies to data that is processed by:
Controller: Liechtenstein Life Assurance AG (hereinafter: LLA), Industriering 37, 9491 Ruggell, Principality of Liechtenstein
Email: datenschutz@liechtensteinlife.com; Phone: +423 265 34 40; Fax: +423 265 34 41
You can reach our data protection officer at the above address or by email by adding "Data Protection Officer".

2. Collecting and Storing Personal Data and the Nature and Purpose of its Use
a) When visiting the website
When visiting our website www.liechtensteinlife.com, the browser used on your end device automatically sends information to our website’s server. This information is temporarily stored in a so-called log file. The following information will be collected without your assistance and stored until it is automatically deleted.

• Visitors (IP addresses are automatically anonymised),
• Time of access with specification of the time zone,
• Visitor request (HTTP request method, requested file, version of HTTP protocol),
• HTTP status code (server response) and size of the server response,
• Name and URL of the retrieved file,
• Website from which our website is accessed (referrer URL),
• Browser used and, if applicable, the operating system of your computer as well as the name of your access provider,
• Other similar data and information used to avert dangers in the event of attacks on our information technology systems.

The data mentioned will be processed by us for the following purposes:

• To ensure that the website establishes a smooth connection,
• To ensure easy use of our website,
• To optimise the content of our website and the advertising of our website,
• To evaluate system safety and stability, and
• For other administrative purposes.

The legal basis for data processing is Art. 6(1)(1)(f) GDPR. Our legitimate interest arises from the above purposes for data collection. Under no circumstances do we use the collected data for the purpose of identifying you. In addition, we use cookies and analysis services when you visit our website. You will find more detailed information on this under points 4 and 5 of this Privacy Policy.

b) When using our contact options and when applying via the website
Due to legal regulations, our website contains information that enables you to get in touch with us quickly via electronic channels. Where a data subject contacts us by email, the personal data transmitted by the data subject is automatically stored by us. In this respect, processing your data for the purpose of processing an inquiry and establishing contact according to Art. 6(1)(1)(a) GDPR takes place on the basis of your voluntarily consent. This personal data will not be transferred to third parties. The above shall also apply if you as an applicant send us the relevant application documents by electronic means, for example by email. If the applicant is not hired, the application documents will be deleted by us four months after sending the rejection letter, provided that no other legitimate interests on our part conflict with such deletion.

3. Data Transfer
Your personal data will not be transferred to third parties for purposes other than those listed below. We will only transfer your personal data to third parties if:

• you have given your express consent thereto in accordance with Art. 6(1)(1)(a) GDPR,
• the transfer pursuant to Art. 6(1)(1)(f) GDPR is necessary for asserting, exercising or defending legal claims, and there is no reason to assume that you have an overriding legitimate interest in not transferring your data,
• in the event that there is a legal obligation to transfer data pursuant to Art. 6(1)(1)(c) GDPR, and
• this is legally permissible and required for processing a contract with you pursuant to Art. 6(1)(1)(b) GDPR.


4. Cookies
We use cookies on our site. These are small files that are automatically created by your browser and stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your end device and do not contain viruses, Trojans or other malware.

Information is stored in the cookie that arises in connection with the specifically used end device. This does not mean, however, that we will gain direct knowledge of your identity.

On the one hand, the use of cookies makes the visitor’s online browsing an easier, more enjoyable experience. As such, we use so-called session cookies that recognise that you have already visited individual pages on our website before. They are deleted automatically upon leaving our website.

We also use temporary cookies to optimise user-friendliness. They are stored on your end device for a defined period of time. If you visit our website again to use our services, the cookies enable us to automatically recognise that you have already visited us before and what you have entered and what settings you have made so that you do not have to repeat them.

On the other hand, we use cookies to record website statistics and to analyse them for the purpose of optimising our offer for you (see point 5). These cookies enable us to automatically recognise that you have already visited our website when you visit it again. These cookies are automatically deleted after a defined period of time.

The data processed by cookies is necessary for the purposes mentioned for safeguarding our legitimate interests and those pursued by third parties pursuant to Art. 6(1)(1)(f) GDPR.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a prompt always appears before a new cookie is created. Disabling cookies completely may mean that you cannot use all the features of our website.

5. Analysis Tools, Retargeting and Marketing Cookies
The tracking measures listed below and which we use are carried out on the basis of Art. 6(1)(1)(f) GDPR. With the tracking measures we implement, we want to ensure that our website is designed to meet the visitor’s needs and is continually optimised. We also use tracking measures to record website statistics and to analyse them for the purpose of optimising our offer for you. These interests are to be regarded as justified within the meaning of the aforementioned provision. The respective data processing purposes and data categories can be found in the corresponding tracking tools.

a) Google Analytics
We use Google Analytics, a web analysis service provided by Google Inc. (https://www.google.de/intl/de/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States; hereinafter “Google”), for the purpose of tailoring our website to meet visitor needs and continuously optimising it. In this context, pseudonymised user profiles are created and cookies (see point 4) are used. The information generated by the cookie about your use of this website such as
• browser type/version,
• used operating system,
• referrer URL (the previously visited page),
• host name of the accessing computer (IP address),
• time of the server request,
are transferred to a Google server in the United States and stored there. The information is used to evaluate the use of the website, to compile reports on website activities and to provide other services related to website and Internet use for market research purposes and to design this website in line with requirements. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf. Under no circumstances will your IP address be merged with other Google data. The IP addresses are anonymised so that assigning them is impossible (IP masking).

You may prevent the cookies from being placed by making the appropriate changes to your browser settings; however, please note that this may cause you not to be able to use the full functionality of this website.

You can also prevent the collection of data generated by the cookie and relating to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en).

As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking this link. An opt-out cookie is placed to prevent your data from being collected in the future when you visit this website. The opt-out cookie only works for that browser and only for our website and is placed on your device. If you delete the cookies in that browser, you must place the opt-out cookie again.

Further information on data protection in connection with Google Analytics can be found under Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=en).

b) Facebook Pixel
We also use the Facebook Pixel from Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, United States (“Facebook”) as part of our website. It allows us to track the actions of users after they have seen or clicked on a Facebook ad. This allows us to measure the effectiveness of Facebook ads for statistical and market research purposes. The data collected in this way is anonymous for us, i.e. we do not see individual users’ personal data. This data is, however, stored and processed by Facebook, about which we will inform you accordingly depending on what we know. Facebook may link this information to your Facebook account and may also use it for its own promotional purposes in accordance with Facebook's Data Policy (https://www.facebook.com/about/privacy/).

We also use Facebook’s remarketing or “Custom Audience” feature. This allows us to place individualised, interest-based ads for visitors of our website when they are on Facebook or its affiliates. Facebook uses cookies to carry out a website usage analysis. This collects visitor traffic to the website and anonymous data about the use of the website.

c) LinkedIn Pixel
We use the analysis and conversion tracking technology of the LinkedIn platform on our website. This is a service provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, United States. Through LinkedIn's technology, you will be able to see more relevant ads based on your interests. LinkedIn also provides us with aggregated and anonymous reports of advertising activity and information about how you interact with our website. Further information on LinkedIn’s data protection can be found here: https://www.linkedin.com/legal/privacy-policy#choices-oblig. You may opt-out of LinkedIn’s analysing your usage patterns and displaying interest-based recommendations by clicking on the “Opt out on LinkedIn” (for LinkedIn members) or “Opt out” (for other users) box at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

d) AdRoll:
Our website uses the retargeting technology AdRoll (AdRoll, 972 Mission St, 3rd Floor, San Francisco, CA 94103, United States). It enables us to specifically address visitors of our website with interest-related advertising by means of a cookie-based analysis of previous user behaviour. No personal data is stored for this. Retargeting technology is used in compliance with the applicable statutory data protection regulations. You can read more about AdRoll's privacy policy and the OptOut option of the anonymous analysis of your web surfing here: http://www.adroll.com/about/privacy.

e) Salesforce Pardot
We use the Pardot Marketing Automation System (“Pardot”) of Pardot LLC, 950 E. Paces Ferry Rd. Suite 3300 Atlanta, GA 30326, United States on our website. This tool collects and uses purely anonymous data to evaluate user website behaviour and to improve the user experience and the offers on the website. You can find out more about the tool here: https://www.salesforce.com/de/pardot. When you visit our website, Pardot records your click path and creates an individual user profile using a pseudonym. For this, cookies are used, which enable your browser to be recognised. A personal identification cannot be made by us through Pardot’s data collection alone.

f) Typeform
We use the tool Typeform of Typeform S.L., Carrer Bac de Roda, 163, 08018 Barcelona. This tool is used for designing user surveys in an attractive way. Information on data protection can be found here: https://admin.typeform.com/to/dwk6gt


6. Social Media Plug-Ins
We use social media plug-ins from the social networks Facebook, Instagram, LinkedIn and YouTube on our website on the basis of Art. 6(1)(1)(f) GDPR so as to increase awareness of our company. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of GDPR. The responsibility for the data protection-compliant operation must be guaranteed by each provider. We integrate these plug-ins through the so-called double-click method in order to protect visitors of our website in the best possible way.

a) Facebook
Social media plugins from Facebook are used on our website to make its use more personal. For this we use the "LIKE" or "SHARE" button. This is an offer from Facebook.

If you use a page on our website that contains such a plugin, your browser establishes a direct connection with the Facebook servers. The content of the plugin is transmitted directly from Facebook to your browser, which integrates it into the website.

By integrating the plugins, Facebook receives the information that you have used the corresponding page of our website, even if you do not have a Facebook account or are not logged in to Facebook. This information is transmitted directly from your browser to a Facebook server in the US and is stored there.

If you are logged in to Facebook, Facebook can assign your visit to our website directly to your Facebook account. If you interact with the plugins, for example by pressing the "LIKE" or "SHARE" button, the corresponding information is also transmitted directly to a Facebook server and is stored there. The information is also published on Facebook and displayed to your Facebook friends.

Facebook may use this information for the purpose of advertising, market research and tailoring Facebook Pages to meet your needs. To this end, Facebook creates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services associated with the use of Facebook.

If you do not want Facebook to associate the information collected through our website with your Facebook account, you must log out of Facebook before visiting our website.

The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as your rights in this regard and setting options to protect your privacy can be found in the data protection notice of Facebook (https://www.facebook.com/about/privacy/) of Facebook.

b) Instagram
Our website also uses Social Plugins ("Plugins") from Instagram, operated by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram").

The plugins are marked with an Instagram logo, for example in the form of an "Instagram camera".

When you visit a page on our website that contains such a plugin, your browser establishes a direct connection to Instagram's servers. The content of the plugin is transmitted by Instagram directly to your browser and integrated into the page. This integration informs Instagram that your browser has accessed the appropriate page on our site, even if you do not have an Instagram profile or are not logged into Instagram.

This information is transferred directly from your browser to an Instagram server in the US and is stored there. If you are logged in to Instagram, Instagram can directly associate your visit to our website with your Instagram account. If you interact with the plugins, for example by pressing the "Instagram" button, this information is also sent directly to an Instagram server where it is stored.

The information will also be published to your Instagram account and displayed to your contacts. If you do not want Instagram to associate the data collected through our website directly with your Instagram account, you must log out of Instagram before visiting our website. For more information, see Instagram's Privacy Policy (https://help.instagram.com/155833707900388).

c) LinkedIn
Our website also uses Social Plugins ("Plugins") from LinkedIn. LinkedIn is operated by LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. For privacy matters outside the United States, the responsible entity is LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Each time you access our website, which is equipped with a LinkedIn component (LinkedIn plug-in), this component causes the browser you are using to download a corresponding display of the LinkedIn component. More information about LinkedIn plug-ins can be found at https://developer.linkedin.com/plugins. As part of this technical process, LinkedIn will know which specific subpage of our website you are visiting.

If you are logged in to LinkedIn while using our website, LinkedIn recognizes which specific page of our website you are visiting, each time you visit our website and for the entire duration of your stay on our website. This information is collected by the LinkedIn component and assigned to this LinkedIn account by LinkedIn. If you click on a LinkedIn button integrated on our website, LinkedIn assigns this information to this LinkedIn user account and saves it.

LinkedIn receives information via the LinkedIn component that you have visited our website whenever you are logged in to LinkedIn while accessing our website, regardless of whether you click on the LinkedIn component or not. If you do not want LinkedIn to receive this information, please log out of your LinkedIn account before accessing our website.

You can unsubscribe from LinkedIn's email messages, text messages, targeted ads, and manage ad settings at https://www.linkedin.com/psettings/guest-controls. LinkedIn also uses partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and Lotame who can set cookies. Such cookies may be declined at https://www.linkedin.com/legal/cookie-policy. LinkedIn's current privacy policy can be found at https://www.linkedin.com/legal/privacy-policy. LinkedIn's cookie policy is available at https://www.linkedin.com/legal/cookie-policy

d) YouTube
We have integrated components from YouTube on this website. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

By opening a website with an integrated YouTube component (YouTube video), your Internet browser is automatically prompted to download it. More information about YouTube can be found at https://www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google obtain information about which specific subpage of our website you are visiting.

If you are logged in to YouTube while using our website, YouTube recognizes which specific subpage you are visiting by accessing a subpage of our website that contains a YouTube video. This information is collected by YouTube and Google and assigned to the specific YouTube account. If you do not wish that this information is transmitted to YouTube and Google, please log out of your YouTube account before you visit our website.

The data protection regulations published by YouTube - available at https://www.google.de/intl/de/policies/privacy/ - provide information about the collection, processing and use of personal data by YouTube and Google.

7. Rights of the Data Subject
You can request information on the personal data stored about you in accordance with Article 15 GDPR using the above address. Under certain circumstances, you may also request that your data be rectified in accordance with Article 16 GDPR or erased in accordance with Article 17 GDPR. The restrictions laid down in Articles 53 and 54 of the Data Protection Act (DSG) apply to the right of access and the right of erasure.

You may also have a right to restrict the processing of your data pursuant to Article 18 GDPR and a right to have the data that you provided be handed to you in a structured, commonly used and machine-readable format pursuant to Article 20 GDPR.

In accordance with Article 7(3) GDPR, you may withdraw your consent that you have given us at any time. The consequence for the future is that we are no longer allowed to continue processing your data, which is based on this consent.

You also have the option of contacting our data protection officer to lodge a complaint regarding data protection issues or a data protection authority in accordance with Article 77 GDPR in conjunction with Article 55 DSG. The data protection authority responsible for us is: Datenschutzstelle, Städtle 38, Postfach 684, 9490 Vaduz, Principality of Liechtenstein; Phone: +423 236 60 90; Email: info.dss@llv.li.

8. Right to Object
You have a right to object pursuant Article 21(1) GDPR to the processing of personal data concerning you which is based on Article 6(1)(e) (data processing in the public interest) or (f) (data processing on the basis of weighing of interests) on grounds relating to your particular situation, and a right to object pursuant to Article 21(2) GDPR to the processing of your personal data for direct marketing purposes. You can send the above objection using the contact information provided without any formal requirements.

9. Data Security
We use the common SSL (Secure Socket Layer) method in connection with the highest level of encryption supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in an encrypted form by a locked key or lock symbol in the status bar of your browser. We also use suitable technical and organisational security measures to protect your data from accidental or intentional manipulation, partial or complete loss, destruction or from unauthorised access by third parties. We continuously improve our security measures according to technological developments.

10. Updates to this Privacy Policy
This Privacy Policy is valid as of May 2018. Because we continuously develop our website and what it offers and due to any changed legal or official requirements, it may be necessary to amend this Privacy Policy. You can call up the current Privacy Policy at any time on the website at https://www.liechtensteinlife.com/impressum-und-datenschutz and print it out.

Data protection information sheet (customer)

We will inform you about the processing of your personal data by Liechtenstein Life Assurance AG (hereinafter “Liechtenstein Life Assurance AG” or “we”) and your rights under the data protection law with these instructions.

Responsible for data processing Liechtenstein Life Assurance AG, Industriering 37, 9491 Ruggell, Principality of Liechtenstein; telephone +4232653440; fax: +4232653441; e-mail address: info@liechtensteinlife.com.

You can reach our data protection officer by mail at the above address, by adding "Data Protection Officer".

Categories of personal data and the collection
We process the personal data that we have received from you as part of our business relationship. We also process – if required in order to provide our service – personal data that we have been entrusted to receive and will be entrusted to receive in future (e.g. for implementing orders, for fulfilling contracts, for debt collection, in or for factoring or based on the consent you have given) from other companies or other third parties (e.g. from cooperation partners, insurance brokers, database providers or credit reporting agencies). On the other hand, we process personal data that we have been entrusted to obtain and process from publicly available sources (e.g. records of debtors, trade and association registers, press, media).

We only collect personal data without involving the data subjects if it is unacceptable or unreasonable to collect it directly or a business secret would be violated in accordance with Article 104 of the Liechtenstein Insurance Supervision Act. In this case, we ask that you inform the relevant persons of the data retention. This may, for example, be an policyholder or a proxy.

Relevant personal data are personal details (name, address and other contact details, date of birth, place and country of birth, nationality, profession), verification data (e.g. identification data), authentication data (e.g. specimen signature) and tax data (e.g. tax identification number, tax domicile). We also process special categories of personal data (e.g. your health data). This may also include order data (e.g. payment order), data from fulfilling our contractual obligation, information on your financial situation (e.g. creditworthiness data, scoring/rating data, income data, data on the origin of assets, account data with lending institutions, data on living expenses and income), register data, data on your use of the telemedia we offer (e.g. time you accessed our websites, apps or newsletters, pages selected by us or entries) and other data similar to the aforementioned categories.

Purposes and legal bases of data processing
We process your personal data in compliance with the EU Data Protection Basic Regulation (DSGVO), the Data Protection Act (DSG), the provisions of the Insurance Contract Act (Versicherungsvertragsgesetz) relevant to data protection and all other relevant laws.

If you submit an application for insurance cover, we need the information you provide in this connection to prepare a needs analysis, provide advice, conclude the insurance contract and assess the risk we are to assume. If the insurance contract is concluded, we process this data for the purpose of carrying out the contractual relationship, e.g. for policy issuing or invoicing, the execution of your orders as well as all activities necessary for the operation and administration of an insurance company. For example, we need information about the loss in order to be able to check whether an insured event has occurred and how much the loss is. Your details are also required in the event of a claim in order to establish the existence of insurance cover and the existence of the insured event.

The conclusion or implementation of the insurance contract is not possible without processing your personal data.
In addition, we need your personal data to compile insurance-specific statistics, e.g. for the development of new tariffs or to comply with supervisory regulations. We use the data of all existing contracts with Liechtenstein Life Assurance Ltd. to examine the entire client relationship, for example, to advise on contract adjustments, contract amendments, decisions of goodwill or to provide comprehensive information.

The legal basis for this processing of personal data for pre-contractual and contractual purposes is Article 6 paragraph 1 b) DSGVO. Insofar as special categories of personal data are required for this purpose (e.g. your health data when concluding a life insurance contract), we will obtain your consent in accordance with Article 9 paragraph 2 a) in conjunction with Article 7 DSGVO. If we compile statistics with these categories of data, this is done on the basis of Article 9 paragraph 2 j) DSGVO.

We also process your data in order to protect the legitimate interests of ourselves or third parties. The legal basis for this is Article 6 paragraph 1 f) DSGVO. This may in particular be necessary:

• to guarantee IT security and IT operations,
• for consultation of and data exchange with credit agencies (e.g. CRIF, Boniversum) to determine credit or default risks and current addresses;
• for checking and optimising procedures for needs analysis and direct customer contact;
• for business management measures and the further development of services and products;
• for asserting legal claims and defending in legal disputes;
• for advertising for our own insurance products and for other products of our cooperation partners as well as for market and opinion surveys, provided that you have not objected to the use of your data and that all other legal requirements are met;
• for the prevention and clarification of criminal offences; in particular, we use data analyses to detect indications that may point to insurance abuse.

We also process your data on the basis of Article 6 Paragraph 1 Letter a) DSGVO, insofar as you have given us your consent to process personal data for specific purposes (e.g. passing on of data, obtaining information, release from the obligation of secrecy or business secrecy). A given consent can be revoked at any time. This also applies to the revocation of declarations of consent that were issued to us prior to the validity of the DSGVO, i.e. before 25 May 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected. In principle, consent is indispensable for the processing of applications and for the conclusion, implementation and termination of the insurance contract. Without consent, it will generally not be possible to process the application or to conclude and execute the insurance contract.

In addition, we process your personal data to fulfil legal obligations such as [Text Wrapping Break]z. e.g. supervisory and regulatory requirements, commercial and tax law retention and control obligations, reporting obligations, our duty to advise, fraud and money laundering prevention, and risk assessment and management. In this case, the legal basis for the processing is the respective legal regulations (e.g. based on the Insurance Supervision Act, Due Diligence Act, FATCA Act, AIA Act, tax laws, requirements of the supervisory authorities) in conjunction with Article 6 paragraph 1 c) DSGVO.

Should we wish to process your personal data for a purpose not mentioned above, we will inform you of this in advance in accordance with the statutory provisions.

Categories of recipients of the personal data
Within Liechtenstein Life Assurance AG, those offices that need your data to fulfil their contractual and legal obligations will receive it. Order processors employed by us (Article 28 DSGVO) may also receive data for these purposes. These are companies in the categories of IT services, software engineering, logistics, printing services, communication, payment service providers, financing, debt collection, consultancy and advisory services, assistants, sales and marketing, as well as information and address research. We may only pass on information about you if this is permitted or required by law, if you have given your consent or if we are authorised to provide information. Under these conditions, recipients of personal data may be, for example:

Reinsurer
We insure risks assumed by us with special insurance companies (reinsurers). For this purpose, it may be necessary to transfer your contract and, if applicable, claims data to a reinsurer so that the reinsurer can form its own opinion of the risk or the insured event. In addition, it is possible that the reinsurer, due to its special expertise, will support us in the risk or benefit assessment as well as in the evaluation of procedures. We will transmit your data to the reinsurer only to the extent necessary for the fulfilment of our insurance contract with you or to the extent necessary to protect our legitimate interests.

Insurance intermediaries
Insofar as you are advised by an insurance agent with regard to your insurance contracts, your agent processes acquisition and consulting data as well as the application, contract and claims data required for the conclusion and implementation of the contract. We also transmit this data to the intermediaries looking after you, insofar as they need the information for your support and advice in your insurance and financial services matters.

Factorer
If necessary, we sell receivables from us to you and receivables assumed by us from you to factorers (e.g. reinsurers, credit institutions, factoring institutes, funds). For this purpose, it may be necessary to transmit your contract data to the factor so that he can form his own opinion about the collection risk. We only transfer your data to the factoring company to the extent necessary for the fulfilment of the contractual relationship or to the extent necessary to protect our legitimate interests.

Credit inquiry agencies
We use databases provided by credit agencies to comply with our legal obligations under the Due Diligence Act to combat money laundering, terrorist financing, bribery, corruption and organized crime for comparison with, for example, sanctions lists and Politically Exposed Persons. For this purpose we use the World-Check service offered by Thomson Reuters. You can find more information on its activities at https://risk.thomsonreuters.com/en/terms-of-business/world-check-privacy-statement.html#faqs.

In addition, to the extent necessary to protect our legitimate interests, we transmit your data (name, address and, if applicable, date of birth) to credit agencies (CRIF AG, Hagenholzstrasse 81, 8050 Zurich, Switzerland - CRIF - as well as Creditreform Boniversum GmbH, Hellersbergstrasse 11, 41460 Neuss, Germany - Boniversum -) for the purpose of credit assessment and to obtain information for the assessment of the risk of non-payment based on mathematical-statistical procedures using address data and payment experience. More detailed information on the activities of the above credit agencies can be found in the information sheet pursuant to Art. 14 DSGVO at

• for CRIF: https://www.crif.ch/media/405792/ch-informationen_dsgvo_de.pdf
• for Boniversum: https://www.boniversum.de/eu-dsgvo/informationen-nach-eu-dsgvo-fuer-verbraucher/

can be inspected. You can also request the information from the contact information above.

Companies of the group
Specialised companies or divisions of our group of companies perform certain data processing tasks centrally for the companies affiliated in the group. Thus, data may only be stored once, even if you use services from different companies in the group. For example, personal data, legitimation data, master data (e.g. bank details, contract number, tax ID) and comparable identification data can be viewed by companies in the group. In this way, incoming communication can always be assigned to the responsible contact person. In cases of doubt, incoming payments can also be posted correctly without further inquiry.

Data can be transferred between the following companies of our group: the prosperity company AG, prosperity solutions AG, prosperity.brokershome AG and cashyou AG each with registered office in Ruggell/Liechtenstein and prosperity services GmbH with registered office in Berlin/Germany.

External service providers
We sometimes use external service providers to fulfil our contractual and legal obligations.

A list of the above-mentioned recipients with whom we have a business relationship that is not only temporary can be found in the current version of our list of service providers on our homepage under the heading "Data Protection". If you require further information, please contact the person responsible at the above address.

Further recipients
In addition, we may transfer your personal data to other recipients, such as authorities for the purpose of fulfilling statutory notification and control obligations (e.g. social security institutions, financial authorities, law enforcement agencies, supervisory authorities (e.g. BaFin, FMA, FINMA, EIOPA), customs, Financial Intelligence Unit, Retirement Assets Allowance Office). We also transfer your personal data to credit institutions for the purpose of processing payment transactions. Other data recipients may be those entities for which you have given us your consent to transfer data or for which you have released us from the obligation of confidentiality (e.g. health insurance companies, doctors, hospitals).

Data exchange with your former insurer
In order to be able to check your details when the insurance contract is concluded (e.g. in order to take along a policy reserve) or your details when the insured event occurs and to supplement them if necessary, personal data may be exchanged with the previous insurer you have named to the extent necessary for this purpose.

Duration of data storage
We delete your personal data as soon as they are no longer required for the above-mentioned purposes. Personal data may be retained for the time during which claims can be made against us (statutory limitation period of three or up to thirty years). We also store your personal data to the extent that we are legally obliged to do so. Corresponding obligations to provide evidence and to retain data result, among other things, from the Personal and Company Law, the Tax Act and the Due Diligence Act. The storage periods thereafter are up to ten years.

Rights of affected persons
You can request information about the data stored about you in accordance with Article 15 DSGVO at the above address. In addition, under certain circumstances you can request correction in accordance with Article 16 DSGVO or deletion of your data in accordance with Article 17 DSGVO. You may also have a right to restrict the processing of your data in accordance with Article 18 DSGVO and a right to have the data provided by you in a structured, common and machine-readable format in accordance with Article 20 DSGVO.

Furthermore, there is a right of revocation according to Article 7 paragraph 3 DSGVO with regard to your granted consent to the processing of your personal data. You also have a right of objection under Article 21 paragraph 1 DSGVO to the processing of your personal data on the basis of Article 6 paragraph 1 letter e (data processing in the public interest) or letter f (data processing based on a balancing of interests) and a right of objection under Article 21 paragraph 2 DSGVO to the processing of your personal data for the purpose of direct marketing. You may send any of the above revocation or objection to our above-mentioned contact details without any formality.



Obligation to provide personal data
Within the scope of our business relationship, you only have to provide us with the personal data that is necessary for the commencement and establishment, implementation and termination of a business relationship, that we need to exercise our legitimate interests or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the insurance contract or execute the order, or we will no longer be able to execute an existing insurance contract and may have to terminate it.

In particular, we are obliged under the provisions of money laundering law to identify you before establishing the business relationship, for example, by means of your identity document, and to record your name, place of birth, date of birth, country of birth, nationality and residential address and to record the identity document electronically. In addition, we have to record further details for a business profile, such as tax identification number, tax domicile, profession and origin of the assets used for premium/contribution payments. In order for us to comply with these legal obligations, you are required by the Due Diligence Act to provide us with the necessary information and documents and to notify us immediately of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we may not commence or continue the business relationship you have requested.

Right of complaint
You have the opportunity to lodge a complaint regarding data protection issues with our data protection officer or, pursuant to Article 77 of the DSGVO, with a data protection supervisory authority. The data protection supervisory authority responsible for us is: Data Protection Office, Städtle 38, P.O. Box 684, 9490 Vaduz, Principality of Liechtenstein; telephone +423 236 60 90; e-mail address info.dss@llv.li.

Transfer of data to a third country
If we transfer personal data to service providers outside the European Economic Area (EU and EEA), the transfer will only take place if the third country has been confirmed by the EU Commission as having an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contract clauses) are in place, unless the transfer is required by law or ordered by authorities or courts. We currently transfer personal data to service providers outside the EU in Bermuda, the USA and Switzerland. The EU Commission decided on July 12, 2016, and July 26, 2000, respectively, for the last two, that personal data are protected there in the same way as in the European Union. In addition, in the context of remote maintenance of standard IT components and systems for troubleshooting or maintenance purposes, it cannot be ruled out in individual cases that an IT service provider from a third country (e.g. USA) may in rare cases gain controlled and limited access to personal data or that the possibility of access, which is often only theoretical, cannot be ruled out.

If required by law, we will inform you separately about the transfer of data.

Automated individual case decisions
On the basis of the risk information you provide, which we ask you about when you submit your application, we can also make fully automated decisions, for example on the conclusion or termination of the insurance contract, possible risk exclusions or the amount of the insurance premium you have to pay. On the basis of your information on the insured event, the data stored on your insurance policy and any information received from third parties in this regard, we can also decide fully automatically on our obligation to pay benefits. In the case of fully automated decisions, these are based on rules for the weighting of the information previously determined by us.

Duty to provide personal data
In accordance with the provisions of the law on due diligence and money laundering and the regulations on the automatic exchange of information in tax matters (AIA) and the Foreign Account Tax Compliance Act (FATCA), we are obliged to identify the contracting party and the beneficial owner by means of an identification document before conclusion of the contract, to record the name, first name, place of birth, date of birth, nationality, residential address, tax residence and the tax identification number. In order to comply with our legal obligation, you must provide us with this relevant information and documents and notify us immediately of any changes in this respect that arise in the course of the business relationship. If you fail to do so, we may not conclude or continue an insurance contract with you.

Legal notifications
Due to legal requirements, we may be obliged to report data on the insurance contract, the contractual partner and the beneficial owner of the insurance contract as well as the personal and tax data on these persons to state authorities. These reports may include:

FATCA notifications
The FATCA agreement concluded between the Principality of Liechtenstein and the United States of America to promote tax honesty aims to ensure that all accounts held abroad by US taxpayers are actually taxed in the USA. The agreement implements the Foreign Account Tax Compliance Act (FATCA). Through our notification to the Liechtenstein tax authorities, the US tax authorities obtain knowledge of the data and accounts of persons subject to taxation in the USA or persons with a connection to the USA.

AIA notifications
The Principality of Liechtenstein participates in the electronic exchange of tax data based on the OECD standard (AIA). As a result, Liechtenstein financial institutions are obliged to provide their national tax authorities with information on their foreign clients and their financial accounts, whose countries also participate in AIA. The tax authorities of these foreign clients thus receive information on their financial accounts.

Notification of contributions made for basic pension
In the case of basic pension insurance policies (Rürup pensions) with reference to Germany, in accordance with the German Income Tax Act, we submit an annual notification to the German Pension Insurance Association and the Federal Central Tax Office there regarding the amount of contributions paid and refunded in the respective contribution year, stating the personal details, contract and tax data.

Notification of pension payments
In the case of pension payments with reference to Germany, we will, in accordance with the German Income Tax Act, send an annual notification to the German Pension Insurance Federation (Pension Benefit Notification) regarding the amount of the pension paid in the respective contribution year, stating the personal details, contract and tax data. We also transmit the same data to the German statutory health insurance fund of the pension recipient in accordance with German Social Security Code V.

Notification of conclusion of contract
In the case of insurance contracts brokered by brokers based in Germany with a reference to Germany, we will notify you of the conclusion of the contract in accordance with the German Income Tax Act to the Federal Central Tax Office there, stating the personal details, contract and tax data.

Update of this leaflet
This data processing information sheet may be adapted at a later date due to changes, e.g. in legal requirements. You will find the latest version of the information sheet and the service providers with whom we have a business relationship that is not only temporary in nature on our homepage under the heading "Data Protection".

Consent
By concluding an insurance contract with us, you agree to the contents of this data processing information sheet and give us your consent to the corresponding use of your data. You will find the current version of our data processing information sheet on the Internet on our homepage under the heading "Data Protection".

If you have any questions regarding this data protection notice, please contact the person responsible at the above-mentioned contact details.

Information sheet on data protection (applicants)

We will inform you about the processing of your personal data by Liechtenstein Life Assurance AG (hereinafter “Liechtenstein Life Assurance AG” or “we”) and your rights under the data protection law with these instructions.

Responsible for data processing Liechtenstein Life Assurance AG, Industriering 37, 9491 Ruggell, Principality of Liechtenstein; telephone +4232653440; fax: +4232653441; e-mail address: info@liechtensteinlife.com.

You can reach our data protection officer by mail at the above address, by adding "Data Protection Officer".

Categories of personal data and the collection thereof
We process the personal data that we have received from you as part of our business relationship. We also process – if required in order to provide our service – personal data that we have been entrusted to receive and will be entrusted to receive in future (e.g. for implementing orders, for fulfilling contracts, for debt collection, in or for factoring or based on the consent you have given) from other companies or other third parties (e.g. from cooperation partners, insurance brokers, database providers or credit reporting agencies). On the other hand, we process personal data that we have been entrusted to obtain and process from publicly available sources (e.g. records of debtors, trade and association registers, press, media).

We only collect personal data without involving the data subjects if it is unacceptable or unreasonable to collect it directly or a business secret would be violated in accordance with Article 104 of the Liechtenstein Insurance Supervision Act. In this case, we ask that you inform the relevant persons of the data retention. This may, for example, be an policyholder or a proxy.

Relevant personal data are personal details (name, address and other contact details, date of birth, place and country of birth, nationality, profession), verification data (e.g. identification data), authentication data (e.g. specimen signature) and tax data (e.g. tax identification number, tax domicile). We also process special categories of personal data (e.g. your health data). This may also include order data (e.g. payment order), data from fulfilling our contractual obligation, information on your financial situation (e.g. creditworthiness data, scoring/rating data, income data, data on the origin of assets, account data with lending institutions, data on living expenses and income), register data, data on your use of the telemedia we offer (e.g. time you accessed our websites, apps or newsletters, pages selected by us or entries) and other data similar to the aforementioned categories.

Purposes and legal bases of data processing
We process your personal data in accordance with the EU General Data Protection Regulation (GDPR), the Liechtenstein Data Protection Act (DPA) as well as other relevant laws.

Your data is required in order to carry out and process the application procedure and to assess whether you are suitable for the relevant position. It is necessary to process your applicant data in order to be able to make a decision on entering into an employment relationship. The primary legal basis for this is Art. 6(1b) GDPR.

If required, we will also process your data based on Art. 6(1f) GDPR to protect our legitimate interests or those of third parties (e.g. authorities).

We process data for statistical purposes (e.g. number of applications, assessment of recruitment channels). Statistics are only drawn up for your own purposes.

We also process personal data that we have been entrusted to obtain from publicly available sources (e.g. professional social networks).

Your applicant data is always treated as confidential. If we want to process your personal data for a purpose not specified above, we will inform you of this beforehand if you do not have this information already (Article 13(4) GDPR) or information is not legally required (Art. 13(4) and 14(5) GDPR). Special categories of personal data (e.g. health data) are only processed with your consent according to Art. 9(2a) GDPR if permission is granted under relevant legislation such as Art. 9(2b) GDPR.

Categories of personal data recipients
People within Liechtenstein Life Assurance AG and group who require data to reach a decision on an appointment and to meet contractual and statutory obligations will receive it. Processors employed by us (Article 28 GDPR) may also receive data for these purposes. These are companies in the categories of IT services, software engineering, logistics, printing services, communications, payment service providers, advising and consulting, assistors, insurance as well as information. We may only pass on information about the data if statutory provisions permit or require this, you have given your consent or we are authorised to provide information. Under these conditions, recipients of personal data may include:

Group companies
Specialist companies or divisions of our group perform specific data processing tasks centrally for the affiliated companies in the group. This means that personal data, verification data, master data (e.g. bank account) and similar identification data can be viewed for companies in the group. This makes it possible for incoming communications to always be assigned to the responsible contact person.

Data may be transferred between the following companies in our group: the prosperity company AG, prosperity solutions AG, prosperity.brokershome AG and cashyou AG each with their registered office in Ruggell/Liechtenstein and prosperity services GmbH with its registered office in Berlin

External service providers
We sometimes use the services of external service providers to meet our contractual and statutory obligations.

Such a recipient, with which there are not only temporary business relationships, is Personio GmbH with its registered office in Munich/Gtermany. Please contact the responsible persons for further information using the address provided above.

Other recipients
We can also transfer personal data to other recipients including authorities for meeting statutory reporting and control obligations (e.g. social insurance agencies, financial authorities, supervisory authorities (e.g. BaFin, FMA, FINMA, EIOPA)). We also transfer personal data to lending institutions to process payment transactions. Other data recipients include authorities which you have given your consent for us to transfer data to and for which you have released us from the duty of confidentiality (e.g. AVAD).

Retention period
We delete your personal data as soon as it is no longer required for it to be stored for the aforementioned purposes. If an employment relationship is not established, we will delete your data after 3 months. This does not apply if statutory provisions preclude this deletion or the further retention is required for the purpose of giving evidence or you have given your consent to the extended storage of this data.

Rights of the data subject
You can request information on the personal data stored about you in accordance with Article 15 GDPR using the above address. Under certain circumstances, you may also request that your data be rectified in accordance with Article 16 GDPR or erased in accordance with Article 17 GDPR. You may also have a right to restrict the processing of your data pursuant to Article 18 GDPR and a right to have the data that you provided be published in a structured, commonly used and machine-readable format pursuant to Article 20 GDPR.

There is also a right of revocation according to Article 7(3) GDPR in relation to the consent you have given to process personal data. You also have a right, pursuant to Article 21(1) GDPR, to object to the processing of personal data based on Article 6(1)(e) (data processing in the public interest) or (f) (data processing on the basis of weighing up interests). You can send the above revocation or objection to the contact information provided without any formal requirements.

Obligation to provide personal data
In the context of your application, you must provide personal data that is required to complete the application process and assess your suitability. Without this data, we will be unable to complete the application process and make a decision on whether to enter into an employment relationship. You can ask us what personal data has to be provided in each case to complete the application process and assess your suitability.

Right of complaint
You have the option of contacting our data protection officer to lodge a complaint regarding data protection issues or a data protection authority in accordance with Article 77 GDPR. The data protection authority responsible for us is: Datenschutzstelle (Data Protection Authority), Städtle 38, Postfach 684, 9490 Vaduz, Principality of Liechtenstein; telephone +423 236 60 90; e-mail address info.dss@llv.li.

Data transfer to a third country
If we transfer personal data to service providers outside the European Economic Area (EU and EEA), the transfer is only carried out if the third country has been confirmed to have an appropriate level of data protection by the EU Commission or there are other appropriate data protection guarantees (e.g. binding internal company data protection requirements or EU standard contract clauses) unless the transfer is prescribed by law or arranged officially or judicially. We currently transfer personal data to service providers outside the EU in Switzerland. The EU Commission decided that personal data will protected in the same way for Switzerland as it is in the European Union on 26 July 2000. In addition, it cannot be ruled out that an IT service provider from a third country (e.g. the USA) receives controlled and restricted access to personal data as part of remote maintenance of standard IT components and system for troubleshooting or maintenance on a case-by-case basis and the often only theoretical access option cannot be ruled out.

If it is stipulated by law, we will inform you separately of the data transfer so that you can inform the data subjects.

Automated individual case decisions
We will provide you with further details on this here or in a different context in due course.

Update of this leaflet
This leaflet for data processing may be amended at a later date as a result of changes, e.g. to legal provisions. You can find the latest version of the leaflet and the service providers, to which not only temporary business relationships exist, at www.liechtensteinlife.com/Datenschutz.

Consent
By sending us an application, you have accepted the content of this data processing leaflet and are giving us your consent to use your data and the data of data subjects which you have provided us with accordingly. The current version of our leaflet on data processing can be found on the Internet at www.liechtensteinlife.com/Datenschutz.

If you have any questions regarding this data protection notice, please contact the person responsible at the above-mentioned contact details.

Data protection information sheet (intermediary)

With this notice we inform you about the processing of your personal data by Liechtenstein Life Assurance AG (hereinafter referred to as "Liechtenstein Life Assurance AG" or "we") and the rights you are entitled to under data protection law.

Person responsible for data processing Liechtenstein Life Assurance AG, Industriering 37, 9491 Ruggell, Principality of Liechtenstein; phone +4232653440; fax +4232653441; e-mail address: info@liechtensteinlife.com.

You can reach our data protection officer by mail at the above address with the addition "Data Protection Officer".

Categories of personal data and their collection
We process personal data that we receive from you in the course of our business relationship. In addition, we process - insofar as necessary for the provision of our services - personal data which we have received and will receive in the future from other companies or other third parties (e.g. from cooperation partners, insurance brokers, insurance consultants, database providers or credit agencies) in a permissible manner (e.g. for the execution of orders, for the fulfilment of contracts, for debt collection, in or for factoring or on the basis of a consent given by you). On the other hand, we process personal data that we have permissibly obtained and may process from publicly accessible sources (e.g. lists of debtors, commercial and association registers, press, media).

We collect personal data without the involvement of the person concerned only if direct collection would be unreasonable or disproportionate or would violate the business secrecy pursuant to Article 104 of the Liechtenstein Insurance Supervision Act. In this case, we ask you to inform the persons concerned about the data storage. This may be an insured person or a deputy, for example.

Relevant personal data are personal details (name, address and other contact details, date of birth, place and country of birth, nationality, profession), legitimation data (e.g. identity card data), authentication data (e.g. specimen signature) and tax data (e.g. tax identification number, tax domicile). Furthermore, we process special categories of personal data (e.g. your health data). Furthermore, this can also be order data (e.g. payment order), data from the fulfilment of our contractual obligations, information about your financial situation (e.g. creditworthiness data, scoring/rating data, income data, data on the origin of assets, account data at credit institutions, data on lifestyle inputs and outputs), register data, data on your use of our offered telemedia (e.g. time of access to our websites, apps or newsletters, pages selected by us or entries) and other data comparable to the categories mentioned.

Purposes and legal bases of data processing
We process your personal data in compliance with the EU Data Protection Basic Regulation (DSGVO), the Data Protection Act (DSG), the provisions of the Insurance Contract Act (Versicherungsvertragsgesetz) relevant to data protection and all other relevant laws.

If you submit an application for insurance cover, we need the information you provide in this connection to prepare a needs analysis, provide advice, conclude the insurance contract and assess the risk we are to assume. If the insurance contract is concluded, we process this data for the purpose of carrying out the contractual relationship, e.g. for policy issuing or invoicing, the execution of your orders as well as all activities necessary for the operation and administration of an insurance company. For example, we need information about the loss in order to be able to check whether an insured event has occurred and how much the loss is. Your details are also required in the event of a claim in order to establish the existence of insurance cover and the existence of the insured event.

The conclusion and implementation of the broker connection are not possible without processing the personal data of natural persons.
We also require the personal data to compile sales-related statistics, e.g. for the development of new commission systems or to meet regulatory requirements. We use the data of all existing contracts with Liechtenstein Life Assurance AG to assess the overall customer relationship.

The legal basis for this processing of personal data for pre-contractual and contractual purposes is Article 6 (1) (b) GDPR.

We will also process the data to protect our legitimate interests and those of third parties. The legal basis for this is Article 6(1f) GDPR. This may be particularly necessary:

• to guarantee IT security and IT operation,
• for consulting and exchanging data with credit reporting agencies (e.g. AVAD, Creditreform) to determine credit and default risks and current counterparties;
• to assess and improve requirement assessment procedures and address business partners directly;
• for business management measures and measures for developing services and products;
• to safeguard and assert legal claims and settle legal disputes;
• for advertising our own insurance products and other products from our cooperation partners as well as for market and opinion surveys provided you have not objected to your data being used and all other legal requirements are met;
• to prevent and resolve criminal offences; we mainly use data analyses to identify indications that may suggest brokerage fraud;
• for the insurance of payment default risk.

We also process your data based on Article 6, Para. 1(a) GDPR provided that you or the data subject have given us your consent to process personal data for particular purposes (e.g. transferring data, obtaining information, releasing from the confidentiality obligation). You have the right to revoke your consent at any time. This also applies to revoking declarations of consent that have been granted to us before the application of the GDPR, i.e. before 25 May 2018. Please note that the revocation will only apply in the future. Processing that is carried out before the revocation is not affected by this. The consent for processing the connection request and for the completion, implementation and termination of the contract for the connection is essential. The processing of the request and the conclusion and implementation of the contract is not possible without this consent.

We also process personal data to meet legal obligations such as supervisory and regulatory requirements, commercial and fiscal storage and monitoring obligations, reporting obligations, our duty to provide support, fraud prevention as well as the assessment and management of risks. The statutory regulations (Insurance Supervision Act, tax laws, supervisory authority requirements) are used as a legal basis for processing in this case in conjunction with Article 6(1c) GDPR.

If we want to process personal data for a purpose not specified above, we will inform you of this beforehand in accordance with the legal provisions so that you can inform the data subjects.

Categories of recipients of the personal data
People within Liechtenstein Life Assurance AG who require data to meet contractual and statutory obligations will receive it. These are companies in the categories of IT services, software engineering, logistics, printing services, communications, payment service providers, financing, collection, advising and consulting, assistors, insurance, sales and marketing as well as information and address research. Under these conditions, recipients of personal data may include:

Insurers
We insure risks relating to the repayment obligation for advance commission payments or purchase price payments we have assumed with special insurance companies. It may be necessary here to transfer your contract data to a insurer so that he can form his own impression of the risk or the insurance case. We only transfer your data to the insurer if this is required to fulfil our contract with you or to the extent required to protect our legitimate interests.

Insurance brokers
If you are supported by another (sub-)insurance broker with the insurance contracts you have brokered, this broker will process acquisition and consulting data and the application, contract and invoicing data required to conclude and fulfil the contract.

Factorers
We sell our claims against you and claims we have taken over against you to factorers (e.g. insurers, lending institutions, factoring institutions, funds). It may be necessary here to transfer your contract data to a factorer so that he can form his own impression of the collection risk. We only transfer this data to the factorer if this is required to fulfil the contractual relationship or to the extent required to protect our legitimate interests.

Credit reporting agencies
If necessary in order to protect our legitimate interests, we will transfer data (name, address and date of birth) to credit reporting agencies (Auskunftsstelle über Versicherungs-/Bausparkassenaussendienst und Versicherungsmakler in Deutschland e.V., Veritaskai 2, 21079 Hamburg, Germany - AVAD - and Verband der Vereine Creditreform e.V., Hellersbergstraße 12, 41460 Neuss, Germany - Creditreform -). for the purpose of the credit assessment and obtaining information to assess the payment default risk based on mathematical and statistical methods using address data and payment records. You can find more information on the activities of the aforementioned credit reporting agencies in the information sheet in accordance with Art. 14 GDPR at

• for AVAD: https://www.avad.de/avadDs.htm
• for Creditreform: https://www.creditreform.de/eu-dsgvo.html

can be inspected. You can also request the information by using the aforementioned contact information.

Companies of the group
Specialised companies or divisions of our group of companies perform certain data processing tasks centrally for the companies affiliated in the group. Thus, data may only be stored once, even if you use services from different companies in the group. For example, personal data, legitimation data, master data (e.g. bank details, contract number, tax ID) and comparable identification data can be viewed by companies in the group. In this way, incoming communication can always be assigned to the responsible contact person. In cases of doubt, incoming payments can also be posted correctly without further inquiry.

Data can be transferred between the following companies of our group: the prosperity company AG, prosperity solutions AG, prosperity.brokershome AG and cashyou AG each with registered office in Ruggell/Liechtenstein and prosperity services GmbH with registered office in Berlin/Germany.

External service providers
We sometimes use external service providers to fulfil our contractual and legal obligations.

A list of the above-mentioned recipients with whom we have a business relationship that is not only temporary can be found in the current version of our list of service providers on our homepage under the heading "Data Protection". If you require further information, please contact the person responsible at the above address.

Further recipients
We can also transfer personal data to other recipients including authorities for meeting statutory reporting and control obligations (e.g. social insurance agencies, financial authorities, law enforcement authorities, supervisory authorities (e.g. BaFin, FMA, FINMA, EIOPA)). Other data recipients include authorities which you have given your consent for us to transfer data to and for which you have released us from the duty of confidentiality (e.g. AVAD).

Duration of data storage
We delete your personal data as soon as they are no longer required for the above-mentioned purposes. Personal data may be retained for the time during which claims can be made against us (statutory limitation period of three or up to thirty years). We also store your personal data to the extent that we are legally obliged to do so. Corresponding obligations to provide evidence and to retain data result, among other things, from the Personal and Company Law, the Tax Act and the Due Diligence Act. The storage periods thereafter are up to ten years.

Rights of affected persons
You can request information about the data stored about you in accordance with Article 15 DSGVO at the above address. In addition, under certain circumstances you can request correction in accordance with Article 16 DSGVO or deletion of your data in accordance with Article 17 DSGVO. DYou may also have a right to restrict the processing of your data in accordance with Article 18 DSGVO and a right to have the data provided by you in a structured, common and machine-readable format in accordance with Article 20 DSGVO.

Furthermore, there is a right of revocation according to Article 7 paragraph 3 DSGVO with regard to your granted consent to the processing of your personal data. You also have a right of objection under Article 21 paragraph 1 DSGVO to the processing of your personal data on the basis of Article 6 paragraph 1 letter e (data processing in the public interest) or letter f (data processing based on a balancing of interests) and a right of objection under Article 21 paragraph 2 DSGVO to the processing of your personal data for the purpose of direct marketing. You may send any of the above revocation or objection to our above-mentioned contact details without any formality.



Obligation to provide personal data
In the context of our business relationship, you must only provide personal data of natural persons that is required to commence and establish, conduct and terminate a business relationship that we require to exercise legitimate interests or that we are legally obligated to collect. Without this data, we will usually have to refuse to conclude the contract, or will no longer be able to implement an existing contract and will have to terminate it.

Right of complaint
You have the opportunity to lodge a complaint regarding data protection issues with our data protection officer or, pursuant to Article 77 of the DSGVO, with a data protection supervisory authority. The data protection supervisory authority responsible for us is: Data Protection Office, Städtle 38, P.O. Box 684, 9490 Vaduz, Principality of Liechtenstein; telephone +423 236 60 90; e-mail address info.dss@llv.li.

Data transfer to a third country
If we transfer personal data to service providers outside the European Economic Area (EU and EEA), the transfer will only take place if the third country has been confirmed by the EU Commission as having an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contract clauses) are in place, unless the transfer is required by law or ordered by authorities or courts. We currently transfer personal data to service providers outside the EU in Bermuda, the USA and Switzerland. The EU Commission decided on July 12, 2016, and July 26, 2000, respectively, for the last two, that personal data are protected there in the same way as in the European Union. In addition, in the context of remote maintenance of standard IT components and systems for troubleshooting or maintenance purposes, it cannot be ruled out in individual cases that an IT service provider from a third country (e.g. USA) may in rare cases gain controlled and limited access to personal data or that the possibility of access, which is often only theoretical, cannot be ruled out. Daneben ist es im Rahmen der Fernwartung von Standard-IT-Komponenten und -Systemen zur Fehlerbehebung oder Wartung im Einzelfall nicht auszuschliessen, dass ein IT-Dienstleister aus einem Drittland (z. B. USA) in seltenen Fällen gesteuert und begrenzt Einsicht in personenbezogene Daten erhält bzw. sich die oft nur theoretische Zugriffsmöglichkeit nicht ausschliessen lässt.

If it is stipulated by law, we will inform you separately of the data transfer so that you can inform the data subjects.

Automated individual case decisions
We will provide you with further details on this here or in a different context in due course.

Update of this leaflet
This data processing information sheet may be adapted at a later date due to changes, e.g. in legal requirements. You will find the latest version of the information sheet and the service providers with whom we have a business relationship that is not only temporary in nature on our homepage under the heading "Data Protection".

Consent
By concluding an contract with us, you agree to the contents of this data processing information sheet and give us your consent to the corresponding use of your data. You will find the current version of our data processing information sheet on the Internet on our homepage under the heading "Data Protection".

If you have any questions regarding this data protection notice, please contact the person responsible at the above-mentioned contact details.