Data protection notice

NSF Services Trust reg.

Information about the processing of your data

NSF Services Trust reg. places a high priority on personal data protection. We inform you herein about the processing of your personal data pursuant to Art. 12ff. of the General Data Protection Regulation (hereinafter: GDPR).

We process your data in accordance with the legal requirements regarding data protection, with particular attention being paid to the principles of transparency, the necessity of the data and data minimisation.

With the following data protection notice, we would like to clarify which types of your personal data (hereinafter also abbreviated as “data”) we process for which purposes and to what extent. The data protection notice applies to all personal data processing carried out by us.

Who is responsible for the data processing?

NSF Services Trust reg.
Meierhofstrasse 5
FL-9490 Vaduz
Principality of Liechtenstein

Telephone: +423–237 11 11

Email address: office@nsf.li

Any questions about data protection?

If you have any questions concerning data protection with regard to our firm or our website, you can contact our data protection officer: datenschutz@nsf.li

Disclosure of data to third parties

For certain technical data processing processes, we rely on the support of external service providers who have access to your personal data in order to provide these services. These service providers are carefully chosen and meet high data protection and data security standards. They are bound to strict confidentiality and only process data on our behalf and in accordance with our instructions. In such cases, we comply with the legal requirements and in particular conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

We work together with companies and other parties that have particular expertise in specific fields or certain specialist subjects (e.g. tax advisors, lawyers, consulting firms, logistics providers). These parties are either subject to a professional duty of confidentiality or are bound to confidentiality by us. Insofar as disclosure of personal data to these parties should be necessary, the legal basis for this depending on the content of the collaboration in question is Article 6 (1) 1 (b) or (f) GDPR.

Apart from in the cases explained in this privacy policy, we only share your data with third parties without your express consent if we are required to do so by law or an administrative or judicial order.

Data processing in third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the processing takes place in the context of using the services of third parties or disclosing or transferring the data to other persons, offices or companies, this only occurs in accordance with the legal requirements.

Subject to express consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognised level of data protection, contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Security

We have taken comprehensive technical and organisational provisions to protect your personal data from unauthorised access, misuse, loss and other outside interference. To this end, we regularly check our security measures and bring them into line with the state of the art.

In particular, the measures include safeguarding the confidentiality, integrity and availability of data by controlling the physical and electronic access to the data, as well as access to, input, disclosure, safeguarding the availability and separation of the data. In addition, we have established procedures to ensure respect for data subjects’ rights, the erasure of data and a rapid response to data threats. Moreover, we take personal data protection into account as early as the development or choice of hardware, software and procedures, in accordance with the principle of data protection, through privacy by design and privacy by default.

Your rights

You have the following rights with regard to your personal data, which you may exercise with us:

  • Right of access (Art. 15 GDPR),
  • Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR),
  • Right to restriction of processing (Art. 18 GDPR),
  • Right to object to the processing (Art. 21 GDPR),
  • Right to withdraw your consent (Art. 7 (3) GDPR),
  • Right to receive the data in a structured, commonly used and machine-readable format (“data portability”) and the right to transmit those data to another controller, when the conditions of Art. 20 (1) (a, b) GDPR are met (Art. 20 GDPR).

You can exercise your rights by notifying the responsible company or the data protection officers that we have appointed.

You also have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data performed by us (Art. 77 GDPR).

The contact details of the competent data protection body in Liechtenstein are as follows:

Data protection body Liechtenstein

Städtle 38
Postfach 684
FL – 9490 Vaduz
+423 236 60 30
info.dss@llv.li

Changes to this privacy policy

Both technology and, of course, the interpretation of rules and regulations are occasionally subject to change over time. As a result, we expressly reserve the right to amend this data protection notice.

Hereinafter we inform you about the processing of your personal data with the information relevant to you.

Data protection for clients

We process personal data if this is required to establish client relationships and execute and handle briefs.

Who is a data subject?

  • clients and their employees and members of executive bodies (board members, chief executive officer)
  • third parties, whose personal data are required for establishing the contractual relationship or handling the client. These include, among others, indirect and direct associates of the client, business and contract partners as well as advisors of the client, (potential) opponents in a legal dispute and their legal advisors, as well as respectively the employees and members of executive bodies of the named persons and parties
  • employees of authorities and courts
  • witnesses and experts

Which personal data are processed?

We process the following categories of personal data, if they are necessary for establishing or handling the client relationship:

  • contact information, in particular first name and surname, any title, address, telephone number, email address
  • identification documents, among others, copies of passport or ID cards, utility bills, tax data, death certificates, authentication data
  • professional information, nationality
  • information on income and assets
  • information in accordance with due diligence, such as identification of economic beneficiaries, contracting parties, profile of the business relationship with information about the professional and personal background, World-Check data, clarifications in accordance with the Due Diligence Act
  • information on the fiscal situation (FATCA, AEOI reporting)
  • data on transaction and accounting information
  • other personal data that are required in the context of processing in order to provide an assessment and legal appraisal of the facts and appropriate legal advice and representation of the client, such as corporate documents, bank records, correspondence, board decisions, statutes, by-laws, certificates, contracts of mandate, signing authorisations
  • accounting data such as transaction and accounting information

Where does the data come from?

If we do not receive personal data directly from the data subjects (e.g. during meetings or in the context of correspondence with contact persons at the client), the data comes from the following sources:

  • clients
  • courts and authorities (e.g. in the context of document inspection and/or information)
  • other third parties (e.g. banks, asset managers, auditors, parties to the proceedings, witnesses, etc.)
  • internal background and due diligence clarifications
  • publicly available sources (public register, internet searches)

For which purposes are the personal data processed?

We process data in connection with handling cases for the following purposes:

  • activities pursuant to the Lawyers’ Act, Trustee Act, and personal and corporate law
  • fulfilling legal provisions (e.g. in accordance with the Due Diligence Act) to identify the client and the economic beneficiaries associated with the client. The legal basis for this processing is Art. 6 (1) 1 (c) GDPR.
  • examining potential conflicts before accepting a brief
  • assessment and legal appraisal of the facts
  • client advice and representation
  • correspondence with clients, authorities, courts and other parties concerned
  • invoicing
  • processing and asserting other claims from the client relationship.

The legal basis for this processing, insofar as the client’s personal data are processed, is Art. 6 (1) 1 (b) GDPR; furthermore Art. 6 (1) 1 (f) GDPR. The legal basis for the processing of specific categories of personal data is Art. 9 (2) (f) or (a) GDPR.

To whom are personal data transferred?

If it is required to handle a brief, we transfer personal data to the following recipients:

  • clients
  • authorities (e.g. supervisory or fiscal authorities)
  • courts
  • other third parties. These include, among others, indirect and direct associates of the client, business and contract partners as well as advisors of the client (e.g. tax advisors, management consultants), external service providers such as banks, asset managers, brokers, trust companies or auditors, (potential) opponents in a legal dispute and their legal advisors

In specific cases, data are also transferred to recipients in third countries outside the European Union or the European Economic Area for which the European Commission has not formally determined the existence of an adequate level of data protection pursuant to Art. 46 GDPR. If the transfer is not required for the establishment, exercise or defence of legal claims (Art. 49 (1) 1 (e) GDPR) and there are no other grounds for transfer pursuant to Art. 49 (1) GDPR, appropriate safeguards are provided for personal data protection at the recipient, habitually in the form of data protection contracts on the basis of so-called standard privacy clauses pursuant to Art. 46 (2) (c) GDPR.

How long are personal data stored?

Personal data are processed and stored for the duration of the valid business relationship, provided there are no special shorter data erasure periods. After the end of the business relationship, these data are kept for at least ten years due to legal provisions (including the Civil Code, Persons and Companies Act, Due Diligence Act). Longer data storage occurs solely on the basis of legal or contractual data retention obligations or for evidence purposes within the statute of limitation.

Data protection for business partners

We process personal data in the context of collaboration with service providers, suppliers and other business partners (hereinafter “business partners”).

Who is a data subject?

We process data from business partners and their employees.

Which data are processed?

We process the following categories of personal data, if they are necessary for establishing or conducting contractual relations with the business partner:

  • contact information, in particular first name and surname, any title, address, telephone number, email address,
  • professional information,
  • bank details

What are the sources of the data we process?

If we do not receive personal data directly from the data subjects (e.g. in the context of correspondence with contact persons at the business partner), the data routinely comes from the business partner as the employer of the data subjects.

For which purposes are the data processed?

We process the data to establish, conduct and execute the contractual relationship with the business partner. The legal basis for this processing, insofar as the business partner’s personal data are processed, is Art. 6 (1) 1 (b) GDPR; furthermore Art. 6 (1) 1 (f) GDPR.

How long are personal data stored?

Personal data are processed and stored for the duration of the valid business relationship, provided there are no special shorter data erasure periods. After the end of the business relationship, these data are kept for at least ten years due to legal provisions. Longer data storage occurs solely on the basis of legal or contractual data retention obligations or for evidence purposes within the statute of limitation.

Data protection for website visitors

Which data are processed on visiting our web pages?

When you access the individual pages of the website, only access data are transferred to our provider, so that the website can be displayed to you. These are the following data:

  • browser type / browser version,
  • operating system used,
  • language and version of browser software,
  • hostname of the accessing terminal,
  • IP address,
  • website from which the request has come,
  • content of the request (specific page),
  • date and time of the server request,
  • access status/HTTP status code,
  • referrer URL (the previously visited page),
  • data volume transferred,
  • time zone difference to Greenwich Mean Time (GMT).

We use these data to be able to make the website accessible, potentially identify and solve any technical problems and prevent misuse of the offering and prosecute if necessary. In addition, we use these data in anonymised form, i.e. without the possibility of identifying the user, for statistical purposes and to improve the web pages. The legal basis for processing personal usage data is Article 6 (1) 1 (f) GDPR.

How are cookies used?

We use cookies on our website. Cookies are small text files that are stored on the user’s data carrier and exchange certain settings and data with our system via the browser. A cookie normally contains the name of the domain from which the cookie data were sent and information on the age of the cookie and an alphanumerical identifier. The information stored in the cookies is not used to identify the user and is not combined with other personal data stored about the user. 

The cookies used enable coverage analysis, i.e. evaluating visitor traffic to our website and may include visitor behaviour or interests.

With the help of coverage analysis, we can for example identify which content is used most or invites reuse. We can also understand which areas require optimisation.

In addition to web analysis, we can also use test procedures, e.g. to test and optimise different versions of our online offering or its components.

For these purposes, so-called user profiles may be created and stored in a file (so-called “cookie”) or similar procedures with the same purpose may be used. This information may include, for example, content viewed, web pages visited and elements and technical data used there, such as the browser used, computer system used and information on times of use.

Users’ IP addresses are also stored. However, we use an IP-masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. In general, within the framework of web analysis, A/B testing and optimisation, no plain user data (such as email addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

User data are processed on the basis of our legitimate interests (i.e. interest in efficient, cost-efficient and recipient-friendly services) pursuant to Art. 6 (1) (f) GDPR.

Services and service providers used

Matomo: 

On this website, we use “Matomo” software, a service from the provider InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand.

Website: www.matomo.org; data erasure: The cookies have a maximum retention period of 13 months.

You can object to the processing. Your right to object is based on grounds relating to your particular situation. We will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR). In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons on the basis of which we will continue the processing.

How do we use social plug-ins?

So-called social plug-ins (“plug-ins”) from social networks are used on our websites. For data protection reasons, we have deliberately chosen not to use direct plug-ins from social networks on our websites. Instead, we use the so-called “wrapper” solution. In this way, you can determine whether and when data are transferred to the operators of the respective social networks. Therefore in principle, when you visit our websites, no data are automatically transferred to social networks such as LinkedIn. Only when you actively click the respective button does your internet browser connect to the servers of the respective social network, i.e. by clicking the respective button (e.g. share) you consent (Art. 6 (1) (a) GDPR) to your Internet browser establishing a connection to the servers of the respective social network and transferring usage data to the respective operator of the social network.

The plug-in provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or the needs-based design of their website. Such an evaluation takes place, in particular (even for users who are not logged in) to provide needs-based advertising and in order to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, although you must contact the respective plug-in provider to exercise this right. Via the plug-ins, we offer you the opportunity to interact with social networks and other users so that we can improve our offering and make it more interesting for you as a user.

Services and service providers used:

  • LinkedIn plug-ins and content: This may include content such as images, videos or text and buttons, with which users can share the content of this online offering on LinkedIn. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;

website: https://www.instagram.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Google Web Fonts

To ensure a consistent presentation, we use typefaces from Google Fonts provided by Google. However, these are installed locally and there is no connection to Google’s servers.

How are data that you enter in a contact form processed?

On our website, there is the option to contact us via a form. You must state your form of address (Ms/Mr), first name and surname, country, language, email address and a message. You may also voluntarily state your title, company and telephone number.

Personal data transferred to us in this context are solely used to handle the inquiry in question.

The legal basis for the processing is Art. 6 (1) 1 (f) GDPR or Art. 6 (1) 1 (b) GDPR if the purpose of the contact is to conclude a contract.

We only process personal data from the input mask to process the contact. In the case of contact via e-mail, this also comprises the required legitimate interest in processing the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

The legal basis for processing the data is Article 6 (1) 1 (b) GDPR.

You can object to the processing. Your right to object is based on grounds relating to your particular situation. We will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR). In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons on the basis of which we will continue the processing.

What happens if you subscribe to a newsletter?

On our website, users have the option of subscribing to a newsletter and giving consent to the processing of personal data required for this purpose. To sign up for the newsletter, the user must provide their email address, first name and surname and the form of address to which the newsletter should be sent. Further information may be provided voluntarily. These data are solely used to send the newsletter and shall not be passed on to third parties. The legal basis for processing the data is Article 6 (1) 1 (a) GDPR. The user has the right to withdraw their consent at any time without affecting the legitimacy of the processing carried out on the basis of the consent before the withdrawal. In this case, they no longer receive the newsletter. The purpose of the processing is direct marketing (by email or post).

On registration, the IP address of the accessing system and the date and time of the registration as well as the email verification are also collected. These data are solely processed for the purpose of being able to retrace potential misuse of an email address. The legal basis for processing the data described above is Article 6 (1) 1 (f) GDPR.

The subscribed newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in emails in HTML format. The embedded tracking pixel enables us to identify whether and when the newsletter was opened by the recipient and which links in the newsletter were clicked by the recipient. The data collected in the tracking pixels contained in the newsletters are anonymously stored and processed for statistical purposes in order to optimise the newsletter distribution and adapt the content of future newsletters even better to the recipient’s interests.

In principle, our newsletter registration makes use of a so-called double opt-in procedure. This means that, after signing up, you receive an email in which you are asked to confirm your registration. This confirmation is necessary so that no one can sign up with someone else’s email address. Please note that you can object to the receipt of direct marketing and data processing for the purposes of direct marketing at any time. In this regard, you have a general right to object without stating grounds (Art. 21 (2) GDPR). After exercising your right to object, we will erase your data in connection with existing customer advertising. To this end, click the unsubscribe link in the email in question or send us your objection. You can also prevent tracking by deactivating image display in your email program by default. In this case, the newsletter is not fully displayed and you may not be able to use all the features. If you manually activate image display, the abovementioned tracking occurs.

Services and service providers used:

Mailchimp: Email marketing platform; service provider: “Mailchimp” – Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; website: https://mailchimp.com; privacy policy: https://mailchimp.com/legal/privacy/.

How long are your personal data stored?

Unless longer periods of storage are required by law, personal data concerning visitors to our website are erased if such data are no longer required for the purposes described in this data protection notice. Usage data are regularly stored for a period of 30 days. Cookies are stored for 30 days for the specified purposes. As before, you can independently erase cookies via your browser. Data entered in contact forms are erased as soon as the relevant inquiry has been fully processed. We store newsletter order data until any cancellation of the newsletter.

Are external hosting services used?

In order to be able to provide our online offering securely and efficiently, we use the services of an external web hosting provider, from whose servers the online offering can be accessed. We may use infrastructure and platform services, computer capacity, storage capacity, database services, security services and technical maintenance services for these purposes. In this respect, all data that are required to operate and use our website are processed.

The data processed within the framework of the provision of the hosting offering may include all information relating to the users of our online offering that is collected within the scope of use and communication. This routinely includes the IP address, which is necessary in order to be able to deliver the contents of online offerings to browsers, and all entries made within our online offering or from websites.

We use external hosting services to run this website. By using external hosting services, we aim to make our website available in an efficient and secure manner. The legal basis for the processing is Art. 6 (1) 1 (f) GDPR.

You can object to the processing. Your right to object is based on grounds relating to your particular situation. We will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or if the processing is for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR). In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons on the basis of which we will continue the processing.

Data protection for job applicants

The application procedure presupposes that applicants provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information contained therein.

Legal basis

The legal basis for the processing is Art. 6 (1) (b) GDPR on the initiation or execution of contractual relationships. Furthermore, we may process your personal data if this is required to fulfil legal obligations (Art. 6 (1) (c) GDPR) or defend legal claims asserted against us. The legal basis thereof is Art. 6 (1) (f) GDPR.

Which data are concerned?

In principle, the required information includes personal information such as name, address, a contact option and proof of the qualifications required for a particular position. On request, we will additionally be happy to inform you which information is required.

Applicants can send us their applications by email to an address set up specifically for this purpose. Please note, however, that emails on the internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport but not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of the application between the sender and the reception on our server.

Applicants are welcome to contact us about how to submit their application or send it to us by post.

Sources of data

We process personal data that we receive from you by post or email within the framework of initial contact or your application or that you convey to us by email/post.

Automated decision-making

We do not perform any automated evaluation of your data (Art. 22 GDPR). Should such methods be used in specific cases, we will inform the data subjects to the extent provided by law.

Data recipients

We pass on your personal data within our company solely to the divisions and persons who require these data to fulfil the contractual and legal obligations or pursue our legitimate interest.

Data retention period / erasure:

In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is unsuccessful, the applicants’ data are erased. Applicants’ data are also erased if an application is withdrawn, to which applicants are entitled at any time. Subject to a justified withdrawal by the applicants, the erasure will take place at the latest after the expiry of a period of six months, so that we can answer any follow-up questions regarding the application and comply with our duty of proof under the regulations on equal treatment of applicants.

Right to object

If the processing of your personal data takes place to protect legitimate interests in accordance with Art. 6 (1) (f) GDPR, you have the right pursuant to Art. 21 GDPR to object to the processing of this data at any time on grounds relating to your particular situation. We will then no longer process this personal data, unless we can demonstrate compelling legitimate grounds for the processing. These must override your interests, rights and freedoms, or the processing must be for the establishment, exercise or defence of legal claims.