Information on the Personal Data Protection of Clients and other Data Subjects
Information pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the "GDPR Regulation").
in relation to the management of the commitment relationship between you and the Bank and the fulfillment of legal obligations, we process your personal data in the Bank's information systems. We would be glad to provide you with information on the following set of facts and obligations in the processing of your personal data in accordance with the GDPR Regulation.
1. Controller identification data - Who decides on processing of your personal data?
The Controller in relation to your personal data is OTP Banka Slovensko, a.s., Štúrova 5, 813 54 Bratislava, ID 31318916, registered in the Commercial Register of the District Court Bratislava I, Section Sa, Entry no. 335/B, telephone contact: 0850 111 222, e-mail: email@example.com, web site: www.otpbanka.sk (also referred to as the "Bank" or the "Controller"). The Bank processes the personal data for the purposes of the relevant legislation, respectively it determines itself or together with other about purposes and means of processing the personal data of the data subjects.
2. Data Protection Officer - Who oversees the proper processing of the personal data in the Bank?
The Bank has a designated person responsible for the protection of the personal data that monitors, in addition to other established obligations, the compliance of the processing of the personal data in the Bank with the GDPR Regulation, other binding legal provisions on the protection of the personal data and the rules of the controller regarding the protection of the personal data. You can contact Data Protection Officer via e-mail: firstname.lastname@example.org or in writing, by a letter addresses to OTP Banka Slovensko, a.s., Zodpovedná osoba za ochranu osobných údajov, Štúrova 5, 813 54 Bratislava.
3. Purpose of processing of the personal data - Why do we process your personal information
The Bank processes your personal data only to the extent necessary for the purpose. Most processing operations are motivated by the fact that your personal information is necessary to fulfill the legal duty of the controller or is necessary to carry out the contractual relationship with you.
We process your personal data at the Bank for various purposes, including the following areas:
- identifying clients and verifying the identification of clients and their representatives,
- providing the Bank's products and services and the fulfillment of the Bank's obligations under the relevant legislation,
- exercising the rights and the fulfillment of the obligations under the relevant legislation in relation to securities, investment services, contractual relations with securities, the activities of investment service providers and the Central Securities Depository, as well as financial and capital market activities,
- fulfilling the obligations relating to measures against money laundering and terrorist financing,
- exercising the rights and obligations of the controller in connection with the monitoring of premises accessible to the public for the purpose of protecting public order and safety, detecting crime and protecting property or health - camera recordings,
- exercising the rights and the fulfillment of obligations to comply with the rules deriving from the applicable legislation for the controller in respect of the monitoring of the ownership of the assets, the special relationship of conflict of interest or ethical actions,
- exercising the rights and obligations of the controller in relation to the recording and handling of legal requests and requests for cooperation by the authorized entities,
- exercising the rights and fulfillment of the obligations of the controller in connection with the recording and handling of claims/complaints of clients and non-clients of the Bank,
- exercising the rights and the fulfillment of the Bank's responsibilities with regard to registry administration and archiving,
- exercising the rights and the fulfillment of the Bank's obligations in relation to bookkeeping and reporting under the relevant legislation,
- carrying out the control, audit or supervision exercised by the authorized entities,
- exercising the rights and fulfillment of obligations in connection with telephone recording of the course of the transaction and its approval, keeping the client's request and improving the services provided by the Bank,
- proving, enforcing and defending the Bank's legal claims in the context of extrajudicial enforcement and active and passive litigation in relation to the data subjects,
- keeping special lists of persons posing a risk to the controller's property interests (as clients subject to international sanctions or duly failing to fulfill obligations arising from contractual relations with the Bank),
- offering products and services and providing information in the context of direct marketing, and
- processing the biometric characteristics of the client's signature to identify clients
4. Legal basis of processing of personal data - What is the legal basis for the processing of your personal data?
The Bank processes the personal data on the basis of the following legal bases:
- for the purposes referred to in point 3 a) to n) the processing of personal data is necessary to fulfill the legal obligations of the Bank, is necessary under specific regulations, which are:
• Act No. 483/2001 Coll. on banks and on amendment and supplement to certain acts, as amended
• Act No. 297/2008 Coll. on prevention of legalisation of proceeds of criminal activities and terrorist financing and on amendments and supplements to certain acts, as amended
• Act No. 118/1996 Coll., on deposit protection and and on amendment and supplement to certain acts, as amended
• Act No. 492/2009 Coll., on payment services, as amended
• Act No. 129/2010 Coll., on consumer loans and other loans and credits to consumers and on amendment and supplement to certain acts
• Act No. 595/2003 Coll., on income tax
• Act No. 186/2009 Coll., on financial intermediation and financial advice and on amendment and supplement to certain acts
• Act No. 359/2015 Coll., on automatic exchange of information on financial accounts for the administration of taxes and on amendment and supplement to certain acts
• Act No. 90/2016 Coll., on housing loans and on amendment and supplement to certain acts
• Act No. 54/2017 Coll., on the European order for the blocking of accounts and on the amendment of the act of the Slovak National Council no. 71/1992 Coll., on court fees and the fee for extract from the criminal record as amended
• Act No. 266/2005 Coll., on the protection of consumers in respect of distance financial services and on amendment and supplement to certain acts
• Act No. 513/1991 Coll., the Commercial Code as amended
• Act No. 315/2016 Coll., on public sector registers and on amendment and supplement to certain acts, as amended
• Regulation (EU) 2015/847 of the European Parliament and of the Council of May 20, 2015 on the data accompanying transfers of funds and repealing Regulation (EC) 1781/2006
• Act No. 431/2002 Coll., on accounting, as amended
• Act No. 162/1995 Coll., on the cadastre of real estates and the registration of ownership and other rights to real estates (Cadastral Act)
• Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation)
• Act No. 566/2001 Coll., on securities and investment services and on amendment and supplement to certain acts (Securities Act), as amended
• Act No. 160/2015 Coll., the Civil Procedure Code, as amended
• Act No. 161/2015 Coll., the Civil Out-of-Dispute Rules, as amended
• Act No. 233/1995 Coll., on bailiffs and enforcement activities, as amended
• Act no. 301/2005 Coll., the Criminal Code, as amended
• Act No. 7/2005 Coll., on bankruptcy and restructing, as amended
• Act No. 244/2002 Coll., on arbitration proceedings, as amended
• Act No. 335/2014 Coll., on consumer arbitration proceedings, as amended
• Act No. 391/2015 Coll., on alternative consumer dispute resolutions and on amendment and supplement to certain acts
• Act No. 395/2002 Coll., on archives and registries, as amended
• Act No. 432/2015 Coll., on statutory audit, as amended
• Act No. 747/2004 Coll., on financial marker supervision, as amended
- processing of your personal data is necessary for the fulfillment of the contract concluded between you and the Bank - for the purposes of point 3 b), c);
- processing of your personal data is performed based on your consent - for the purposes of point 3 b) o) and p);
- processing of your personal data is necessary to fulfill the Bank's legitimate interest which is:
• protection of property rights and the Bank's rights of the Bank's protected interests - for the purposes of point 3 m) and n)
• performance of customer care, development of business relationships and information about products, innovations, services and offers of various benefits - for the purpose of point 3 o).
5. Recipients and processors - Who do we provide your personal information to?
The Bank provides your personal data in co-operation with entities that are processors responsible for processing the personal data of the data subjects on the basis of a written contract. Similarly, the Bank is required to provide and make available the personal data to other recipients, to third parties and if such an obligation is imposed by the relevant legislation, a directly enforceable EU legally binding act or an international treaty binding on the Slovak Republic. The provided personal data is not disclosed by the Bank.
The Bank provides your personal data, at the group level, to the parent company OTP Bank Nyrt., Nádor u. 16, H-1051 Budapest, Hungary, identification number: Cg. 01-10-041585, which is designated as the controller, in particular on the basis of contractual arrangements of the Group and as the intermediary under a contract for the processing the personal data in order to provide IT support to systems located in the Bank.
The Bank provides your personal data as part of the statutory duty to the entities specified in the applicable legislation in force. Under the applicable laws, the Bank is required to provide your personal information in particular to the following recipients, respectively categories of recipients:
- supervisory authorities and persons authorized to exercise supervision over the Bank, including invited persons under the relevant regulation,
- auditors in the activities provided under the relevant legislation,
- The Deposit Protection Fund and the Guarantee Investment Fund,
- The Central Securities Depository,
- the competent governmental authorities in fulfilling the obligations of the securities trader,
- authorized entities within the meaning of Section 91 (4) of the Act on Banks on the basis of a written request,
- the relevant registry in connection with the assessment of the client's ability to repay the loan in particular the Common Banking Register of Information (“SRBI”) - further information on the processing of the personal data in the SRBI is contained in the Information on the Processing of the Personal Data in the Common Register document,
- other banks and companies in connection with the provision and provision of payment services under the Payment Services Act,
- the competent authority of the Slovak Republic for the purpose of automatic exchange of information on financial accounts for the administration of taxes under a special regulation (FATCA/CRS),
- The National Security Authority in relation to cyber security
- courts, arbitration tribunals and alternative dispute resolution bodies.
In the course of its activity, the Bank uses the services of contractual partners - processors being subject to the Bank's mandate to process your personal data. The categories of processors are as follows:
- companies providing development, management, support and maintenance of banking systems and applications used to provide services and products,
- financial intermediaries with whom the Bank cooperates,
- payment card issuance, management and monitoring and clearing transactions,
- companies providing liquidation and archiving of the Bank's documentation,
- companies providing mail, transport and press services,
- persons and companies providing the Bank with security services,
- companies providing commercial databases,
- asset management and debt recovery companies (for example: executors, collection companies, law firms, etc.)
- auctioning companies executing the lien,
- companies providing marketing activities and satisfaction surveys,
- persons and companies performing translation services and interpreting services for the Bank.
In these cases, we take care of choosing our contractual partners so that they will take reasonable technical, organizational and other measures to protect your personal data, we will assess their reliability and we will have the privacy rules stipulated in the contract.
6. Transfers of personal data - Do we transfer your personal data to any third countries?
The Bank does not transfer personal data to third countries which do not provide an adequate level of protection of personal data, except in cases specified by the applicable law, or where the client identifies as a payee a non-European Union bank for cross-border payments.
7. Personal data storage period - How long do we keep your personal data?
We keep your personal data for as long as the applicable laws and the Bank's registry rules are in force or in the case of the personal data being processed under your consent, for the period you have granted us your consent. The period for which the personal data will be stored vary depending on the specific purpose for which we process your personal information.
The Bank retains your personal data for the duration of the business relationship between you and the Bank, and then for as long as the applicable law and registry rules stipulate archiving time, generally for a maximum of 10 years from the termination of the business relationship and the mutual settlement of all obligations between you and Bank.
In the case of the processing of personal data through camera recordings pursuant to point 3 e) If the completed record is not used for the purposes of the Act on Banks (detection of criminal activity), the Bank shall discontinue the written records immediately after the expiration of thirteen months after the date of their execution.
8. Disclosure of personal data - Is disclosure of your personal data obligatory?
Disclosure of the personal data is mandatory when the processing of personal data is necessary to fulfill the Bank's statutory duty under the law. If you do not provide your personal data to the Bank, the Bank will not be able to fulfill its statutory obligations that will affect your rights under the applicable laws.
Disclosure of the personal data is a contractual requirement if the processing of your personal data is required by the Bank to fulfill a contract that establishes a legally binding relationship between you and the Bank. The possible consequence of the non-disclosure of the personal data is the Bank's inability to comply with this agreement and the possible consequences thereof.
Disclosure of the personal data is voluntary for the purposes of point 3 h), o) and p). The possible consequences of non-disclosure of the personal data are:
- for the purposes of point 3 h) the impossibility of resolving the claim/complaint by the Bank in accordance with the relevant regulations,
- for the purposes of point 3 o) the impossibility of providing information about the Bank's products and services through direct marketing,
- for the purposes of point 3 p) the impossibility to use the client authentication service in digital form.
9. Automated decision making and profiling - Do we make profiling or automated decision making?
In concluding and performing a contract for the provision of services and products, the Bank carries out to its clients automated individual decision-making, including profiling in connection with the following processing activities:
- approval of credit product provision (consumer loan, credit card, overdraft),
- calculation of pre-approved credit card (consumer loan, credit card, overdraft).
The Bank uses automated decision-making, including profiling in the process of providing consumer loans, including a credit card and overdraft - in assessing the client's ability to repay the loan. The automated decision making, including client profiling, consists of assessing personal aspects related to the client, such as the data provided in the credit application, data contained in the relevant registers and internal databases, including the identification of unacceptable records, sociological data and solvency data, the evaluation of which is assigned to the client rating. The result of automated decision making is the decision to provide a loan product or to reject an application for a loan product.
In relation to the automated decision making, including profiling, the Bank has taken measures to protect the rights and freedoms and legitimate interests of the data subjects, in particular:
- the client has the right to human intervention in automated decision making, including profiling by the Bank and
- the right to express its views on the outcome of automated decision-making as well as the right to oppose to such a decision.
Based on special consent to the processing of the personal data for marketing purposes, the Bank processes personal data for these purposes. For the purpose of targeted banking products and services to clients, the Bank uses profiling that is done through the automated processing in the client selection process for the targeted offer. Profiling under this point does not affect the legal status of clients, and the client can obtain Bank products that were not the subject of a targeted offer of bank products.
10. Source of the personal data collection - Where do we get your personal data from?
In the event that you have not provided your personal data to the Bank directly, the Bank will collect your personal data from the following sources:
- third parties providing information about your person (e.g. authorized persons, agents, public authorities, financial institutions, law enforcement agencies, executors, etc.)
- relevant registers and lists established under the applicable legislation (e.g. SRBI, real estate cadastre, sanction lists)
- public resources (e.g. Finstat, Commercial Registry, Trades Registry)
11. Categories of the personal data - Which personal data are we processing?
The personal data processed within individual purposes may be distinguished into the appropriate categories, which are distributed as follows:
- Identification data (for example: title, first name, surname, permanent / temporary residence address, date of birth, birth number, number and type of identity document, photograph, nationality, client number, VAT number)
- Contact details (for example: telephone contact, e-mail, correspondence address),
- Business data (for example: ID, VAT, business name, place of business, registration information in the relevant registry),
- Data on used products and services,
- Socio-demographic data (for example: education, marital status, gender, age, employment and income, number of children, number of household members),
- Economic data (for example: information on repayments, proprietary information, bonity information),
- Transaction data (for example: transaction lists, recipient / payer details, account numbers),
- Biometric signature characteristics,
- Camera and sound recordings,
- Website and bank applications usage data (mobile banking, internet banking), including IP address and used browser information,
- Other data relevant to your engagement with the Bank (for example: information on listing, information on enforcement, bankruptcy and restructuring, information on politically exposed persons)
The scope and list of individual data within the above categories results either from the relevant legislation, from the specific contract or pre-contractual relationship or is given to the client in the consent.
12. Rights of the data subjects - What are your rights with respect to the processing of your personal data?
In connection with the processing of your personal data, you have the following rights:
- the right of access to your personal data (for example, the right to obtain confirmation of whether the Bank processes your data);
- the right to correct your incorrect, incomplete or outdated personal data,
- the right to delete your personal data (under the conditions set forth in the GDPR Regulation, e.g. if your personal data is no longer needed for the purposes for which it was obtained);
- the right to limit the processing of your personal data (under the terms of the GDPR Regulation),
- the right to object to the processing of your personal data (for example, if you have not given your consent);
- the right to the portability of your personal data (subject to the terms and conditions set forth in the GDPR Regulation, e.g if your data is processed under your consent or contract with the Bank and processed by automated means);
- the right to lodge a complaint with the supervisory authority, Personal Data Protection Office of the Slovak Republic, based in Hraničná 12, 820 07 Bratislava, Slovak Republic,
- if your personal data is processed on your consent to the processing of personal data, you have the right to revoke this consent at any time.
If the Bank processes your personal data on a legal basis of legitimate interest, including profiling based on legitimate interest, you have the right to object to such processing. The Bank may further process your personal data on a legitimate interest only if it demonstrates the necessary legitimate reasons for processing that outweigh your interests, rights and freedoms, or the reasons for proving, enforcing or defending legitimate claims.
Your above mentioned rights are further specified in Articles 15 to 21 of the Regulation. You may claim your rights against the Bank by a written application filed in person at a Bank branch addressed to the Bank referred to in point 2 or by electronic means at the address email@example.com.
The Bank reserves the right to take additional measures to identify and verify the identity of the data subject claiming the individual rights. To this end, the Bank is entitled to require, for example, an official verification of the person's signature on request received by post or other additional identification of the data subject.
The Bank is required to deal with your application for rights free of charge no later than one month after its delivery. In the event that your application is manifestly unfounded or inappropriate, in particular for its recurring nature, the Bank may require an appropriate fee taking into account the administrative costs of providing information or refuse to act on request.