Legal Information

Deposits of natural persons and some legal entities in ČSOB, a.s. and ČSOB Stavebná sporiteľňa, a.s. are protected in accordance with the Act no. 118/1996 Coll. on the protection of bank deposits and amending certain other acts. In case they become inaccessible, compensation will be provided from the sources of the Deposit Protection Fund; the maximum compensation in line with the EU legislation amounts to EUR 100,000.

Memorandum on personal data protection

The protection of our clients’ privacy in processing of personal data is of utmost importance to us. We process your personal data in accordance with the applicable legal regulations and protect them to the greatest possible extent, taking into account the technical level of the resources we use.

This Memorandum on Personal Data Protection (hereinafter referred to as the “Memorandum”) will provide you with the information on how we treat your personal data, how to contact us if you have any question regarding the processing of your personal data, and also other important information on how we at ČSOB process personal data of our clients and visitors of the websites www.csob.sk and www.csobleasing.sk.

We recommend that you read the information contained in this Memorandum carefully. Any changes to the conditions of personal data protection will be published on our websites as updates of this Memorandum. This is how we ensure that you are kept informed on the conditions under which we process your personal data.

As a rule, the provisions regarding personal data protection are regulated also in the contractual documentation and the terms and conditions you receive at the time of establishment of the contractual relationship with ČSOB or at the time of provision of a particular product or service. Therefore, we recommend that you pay due attention to the above mentioned documents as well.

1. About us – the ČSOB Financial Group

We are one of the biggest banking and insurance groups in Slovakia. We offer our clients a wide portfolio of products and services, in particular account keeping, loan- and leasing-based property funding, various types of insurance, invalidity and retirement financial security products, mortgage loans and building savings accounts to raise funds for housing, collective investments and asset management, as well as services connected with trading shares on financial markets. Our financial group is part of the KBC Group NV international banking and insurance group.

The KBC Group is an integrated banking and insurance group that focuses mainly on natural persons, small and medium enterprises, as well as the private banking sector. The Group is mainly active on its domestic market in Belgium, but also in the Czech Republic, Slovakia, Bulgaria, Hungary, and Ireland, and to the limited extent in several other countries.

2. Processing your data within ČSOB

We process your data in compliance with several legal regulations. The general legal regulation of the European Union governing the personal data protection is Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (hereinafter referred to as the “GDPR”).

However, there are many other regulations complementing or clarifying GDPR in relation to personal data which apply to the financial industry. These include Act No. 483/2001 Coll. on Banks and on amendments of and supplements to certain acts (hereinafter referred to as the “Act on Banks”), Act No. 492/2009 Coll. on Payment Services and on amendments of and supplements to certain acts (implementing PSD 2 Directive), Act No. 351/2011 Coll. on Electronic Communications (and the e-Privacy Regulation being prepared), the Act on Cybernetic Security or Act No. 39/2015 Coll. on Insurance Industry and on amendments of and supplements to certain acts as amended (hereinafter referred to as the “Act on Insurance Industry”).

ČSOB Group Data Protection Officer:

ČSOB Group Data Protection Officer is responsible for personal data protection within ČSOB. In relation to personal data protection, ČSOB Data Protection Officer acts in the name of all members of ČSOB. The Data Protection Officer will answer all your questions related to the processing of your personal data, the obligations imposed on the members of ČSOB by the respective legal regulations governing personal data protection, and any questions regarding information contained in this Memorandum.

You may contact the Group Data Protection Officer using the following contact details:

  • e-mail address: dpo@csob.sk,
  • write to the address: Československá obchodná banka, a.s., Žižkova 11, Bratislava 811 02.

3. Who is the controller of your data?

The following ČSOB companies are Controllers of the processed personal data:

Československá obchodná banka, a.s.

with its registered office: Žižkova 11, Bratislava 811 02, ID No.: 36 854 140, registered with the Commercial Register of District Court Bratislava I, Section: Sa, File No.: 4314/B.

ČSOB Poisťovňa, a.s.

with its registered office: Žižkova 11, Bratislava 811 02, ID No.: 31 325 416, registered with the Commercial Register of District Court Bratislava I, Section: Sa, File No.: 444/B.

ČSOB stavebná sporiteľňa, a.s.

with its registered office: Žižkova 11, Bratislava 811 02, ID No.: 35 799 200, registered with the Commercial Register of District Court Bratislava I, Section: Sa, File No.: 2590/B.

ČSOB Leasing, a.s.

with its registered office: Panónska cesta 11, Bratislava 852 01, ID No.: 35 704 713, registered with the Commercial Register of District Court Bratislava I, Section: Sa, File No.: 1220/B.

ČSOB Leasing poisťovací maklér, s.r.o.

with its registered office: Panónska cesta 11, Bratislava 852 01, ID No.: 35 887 222, registered with the Commercial Register of District Court Bratislava I, Section: Sro, File No.: 31861/B.

KBC Asset Management NV, pobočka zahraničnej správcovskej spoločnosti

with its registered office: Žižkova 11, Bratislava 811 02, ID No.: 47 243 929, registered with the Commercial Register of District Court Bratislava I, Section: Po, File No.: 2159/B.

The controller of your data is always the ČSOB company to which you provided the data or which acquired the data from you for the specific purpose of processing. Your data are usually administered by the ČSOB company where you are a client. If you have products with several members of ČSOB, the respective member primarily administers the data which concern its product. If the purpose or conditions of personal data processing result from the legislation, the controller is the member of ČSOB designated by the respective law to fulfil the purpose of processing.

If you have given us your consent to process your personal data for the purpose of marketing activities and/or consumer competition, all members of ČSOB named in the consent will be the controller of your personal data for the above purpose of processing. In this case, the members of ČSOB act as the joint controllers, i.e. they jointly determine the conditions and purpose of processing of your data in accordance with your consent. The joint controllers are jointly responsible for processing of your data to the extent in which they participate in the respective processing.

The controller of your personal data obtains, collects and otherwise processes these data and is responsible for their correct and lawful processing. You, as the data subject, may exercise your rights against the controller as set forth in Clause 11 of this Memorandum. In some circumstances, the ČSOB companies may act as the processor for other controllers. Typical are the cases where the client negotiates the contract with several companies within the ČSOB Group or for example when the ČSOB Bank mediates an insurance product for you in the ČSOB Poisťovňa or other product from the ČSOB Group.

4. Which of your data do we process?

Personal data mean any data which allows identification of a particular natural person. It means that the personal data include more than only the indicators such as name, surname or date of birth. GDPR defines personal data as any information identifying a natural person. Each natural person the personal data relates to is considered to be the data subject having the respective rights to the personal data.

In ČSOB, we only process the personal data necessary to enable us to provide professional services. The scope of the data is given by the generally binding legal regulations. If we process your personal data on the basis of your consent, the list or the scope of the data is defined in the consent itself, with the details necessary to fulfil the purpose for which the personal data are processed.

The processed data include in particular the following categories of personal data:

  • Identification and contact data: in particular title, name, surname, permanent residence address, temporary residence address, correspondence address, birth registration number (if assigned), date of birth, place of birth, citizenship, type and number of identity document, identity document validity, contact phone number, fax number, and e-mail address. Your identification data form the part of each contract you conclude with us. We collect these data to the extent as laid down by the legislation, in particular by the Act on Banks, Act on Insurance Sector, the Act on Home Savings, or the Commercial Code.
  • Data on products and services: we also process the data obtained in introduction and use of products and services of ČSOB. In addition, we also collect the information regarding the devices from which you access our services electronically. This helps us to optimise our platforms and their further development and to increase the level of security. These data include in particular, but are not limited to, IP address, information regarding the Internet browser, and hardware.
  • Transaction data: data on received and sent payments, such as details of the payment recipient.
  • Communication and interaction data: these data include, inter alia, the data from the use of web applications, as well as the data from our communication through the respective points of contact.
  • Profile data: to be able to offer you the products and services satisfying your needs, we process the data such as age, gender, education, residence, family status, and occupation.
  • Geo-location data: these data serve in particular to improve our products and services to provide the most suitable offers based on your location. These data are also used to prevent fraudulent conduct. They are processed for example when you use our ČSOB SmartBanking application, ATMs, or in execution of individual transactions.
  • Health data: for the purpose of life insurance and clearance of health-related insured benefits it is necessary for us to have the data on your health condition as well.
  • Biometric data: biometric data means data of a natural person identifying the natural person’s biological or physiological feature or characteristics on the basis of which such a person is uniquely and unmistakably identifiable. Biometric data is in particular a fingerprint or biometric signature. At some POSs of ČSOB we offer you the option to conclude the contract using the biometric signature or to access your safety box using a fingerprint. These data are used for unique identification of you and we protect your data through security devices in compliance with the legal regulations and information security requirements.

5. Why do we process your data?

We process your data to the necessary extent, and in the majority of cases the reason is that we need these data to provide the required product or service. Provision of your data to our company on the basis of the granted consent is voluntary. This mainly relates to processing of your data for marketing purposes. However, there are also cases when we ask you to provide the data in the absence of which we are not able to provide the respective product or service. This is the case when your data are necessary for conclusion and performance of the contract, fulfilment of the obligations arising to ČSOB from the legal regulations or for your legitimate interests.

ČSOB processes your personal data for the following purposes:

Identification and authentication of client

To offer you our products and services, we need to identify you. Under the Act on Prevention against Legalisation of Proceeds of Crime, we are obliged to identify our clients. We also require your identification when you exercise your rights to personal data. We further process your personal data for the purpose of identification and authentication on the basis of the obligations arising to us from special legal regulations, such as in particular the Act on Banks, the Act on Insurance Sector and the Act on Prevention against Legalisation of Proceeds of Crime referred to above.

Preparation of a contract at the client’s request

To enter into the contract with you, we need your personal data the scope of which depends on the particular product the respective contract relates to. For instance, for some insurance products we need to know the details of your health condition and when concluding the contract on a mortgage product we will need the data on your income and overall creditworthiness. Until the contract is signed, we process the obtained data to draw up the contract at your request. Once the contract is signed, we process your data in connection with the performance of the conditions under the concluded contract.

The use of products and services

When you use the products and services you have within ČSOB, your personal data are processed. It refers in particular to your identification data, data on the product itself you use, or the data from your mobile device provided you use our application. The reason why we process your data for this purpose is the performance of the contract you have concluded with us for the respective product.

Sending service messages

We send you important information related to our products and services in the form of service messages on a regular basis. By doing so, we can ensure that you receive the necessary information and you have them when needed. By processing your contact data for this purpose, we perform our obligations arising from the concluded contract.

Management of relationships with clients

We respect your interests and preferences. We endeavour to achieve a comprehensive overview of the products and services you use the most and of your wishes. We want to meet your requirements received at the branches, on our customer lines, or through our websites and applications to the maximum possible extent. In this case we process your personal data on the basis of our legitimate interest in the processing.

Simulation of products and services

We provide you with the simulation of some products and services in order to provide you, through an illustrative example, with the information on the price and other conditions of the selected product. For example, by using the consumer loan calculator you can calculate the amount of monthly instalment. By using these calculators, we can help you choose the product that is the most suitable for you.

Comfort in electronic channels

You can use many of our products and services electronically through our websites where you enter your data in the web forms. For your comfort we store your data which you have entered in the web forms for a limited time in case you need them for future reference. The reason why we do so is that we have the legitimate interest in your convenience and your satisfaction.

Marketing

In ČSOB we want to bring the solutions that suit your needs. We do not want to bother you with offers that are not relevant for you. To be able to prepare the offer suitable for you, we need to know your needs and preferences. For this purpose, we use analysis and assessment of your data on products and services and profile data. Within marketing activities, we send you our offers by means of various forms, such as SMS, via e-mail, by phone, via mobile applications or in writing. We process your personal data for the purpose of direct marketing on the basis of your consent.

Development of analytical models

To become familiar with and satisfy your needs and wishes, we analyse the data on products and services and profile data on aggregate level. It means that we combine, compare and analyse the data. The result of these analyses are analytical models through which we endeavour to select the best offer for you.

Security

For security reasons, our business premises are monitored by CCTV systems. The CCTV systems have been installed in order to protect individuals and property against any unlawful acts, but in particular to prevent and clarify any robberies, theft, vandalism and fraudulent activities. We ensure security through the system of adopted technical and organisational measures which, in addition to the recordings of CCTV systems, include also management of cybernetic security, access authorisations, and checking of persons entering the premises of ČSOB. Data processing for the purpose of security is permitted by the respective legislation as the protection of our rights and legal interests.

Fraud control and prevention

The activities we perform require that we pay attention to prevention, detection and investigation of fraudulent activities. In doing so we use the data that can indicate a potential fraud – e.g. the data regarding the executed transactions, geo-location data or information on the stolen documents. We process your data for the purpose of control and prevention of frauds in accordance with the respective legal regulations due to the prudential business and in order to protect our rights and legitimate interests.

Control and prevention of money laundering and terrorist financing, embargos

Money laundering means illegal activities we endeavour to avoid by analysing your identification data, transaction data, and other data in accordance with the Act on Prevention of Legalisation of Proceeds from Crime. We process the personal data for the above purpose on the basis of the respective legal regulations.

Market abuse control and prevention

This involves prevention, detection and investigation of market abuse. According to the respective legal regulations we are obliged to detect any non-compliance with the Act on Protection of Competition which could damage other clients or our Group.

Credit and insurance risk management

Within the respective purpose, we assess the risk associated with providing of loan and insurance products. We mainly assess your ability to repay the selected product or specify the probability of the insured event. According to the Act on Banks and other legal regulations, we are obliged to act with prudence and assess all risks carefully. To achieve this purpose, your data which we obtain both from internal databases and from loan registers are helpful.

Accounting and taxes

As the regulated entities, individual members of ČSOB are subject to tax and accounting obligations arising from the respective legal regulations. In order to meet these obligations, we process your data.

Inspection and prevention of non-compliance with MiFID and IDD regulation

MiFID introduces the regulation regime for providing of investment services. In this context, we carry out control, prevention and investigation of compliance with the MiFID requirements. According to the mentioned Directive, we are obliged to ascertain your data through an investment questionnaire, process your instructions and data regarding executed transactions. The aim of all our activities is to offer you the investment product which is the best for you.

Internal administration and reporting

Within this purpose we process your personal data for planning, assessment of effectiveness of our activities and their re-organisation. For instance, we assess the work load of our branches, successful sale of our products or other parameters of our activities. For this purpose, we aggregate the processed data, i.e. we aggregate them into larger sets of data containing the aggregate figures that can no longer be linked to a particular person. We prepare internal reports on the basis of the legitimate interest in such processing. In addition, according to the respective legal regulations, we are obliged to prepare various statements – e.g. for the needs of regulators and other competent authorities.

Disputes

There are cases where we are forced to enforce our claims before courts – it relates in particular to outstanding receivables from the credit, insurance or leasing products. In this case we process your personal data to the extent necessary for the respective claim in order to protect our rights and interests protected by law. It includes mainly your basic identification data, data from the contract or the data on how you used our products and services.

Historical, statistical and research purposes

Personal data are contained both in hard copies and in electronic documents which we store in line with the respective archiving rules and records retention policy. This obligation results in particular from the Act on Archives and Registries which regulates the conditions of storing and administration of archival documents.

Research and development of products and services

We want our products to be interesting, easily available and user-friendly for our clients. Therefore, we also use your data on how you use our products and services in order to improve them and create new functionalities for you.

Software testing

In some cases, it is not possible to introduce a new software effectively to our banking systems without testing also the data of our clients. This occurs only in exceptional cases where we have the strict procedures put in place to maintain the security and integrity of your data in our banking systems.

Within the aforementioned purposes, in ČSOB we also have some legitimate interests that form the basis for processing of your personal data. In this regard, ČSOB makes sure that affecting your privacy is kept at minimum and the balance between the legitimate interests of ČSOB and potential impact on your privacy is not disturbed. If, despite our efforts, you have any objections to the processing of these data, you may exercise your right to object to the processing of your data.

On the basis of the legitimate interest we process your personal data for the following purposes:

  • management of relationships with customers,
  • comfort in electronic channels,
  • security,
  • control and prevention of frauds,
  • development of analytical models,
  • internal administration and reporting,
  • disputes,
  • development and research of products and services,
  • software testing.

When are you obliged to provide us your data?

The obligation to provide us with your personal data relates in particular to your identification data and contact data for the purpose of identification, conclusion of a contract, and performance of the obligations under the Act on Prevention of Legalisation of Proceeds from Crime and other special legal regulations. Depending on the type of product, in connection with conclusion of the contract we also need your social and demographic data or data on the use of product and services.

You provide us the personal data we process on the basis of your consent voluntarily. If you do not provide us your data, we are not able to provide you the respective product or service for which we require your data.

6. Profiling and automated processing of your data

Profiling of your data means that we use your personal data to evaluate some aspects related to you – e.g. financial situation, reliability or behaviour. In practice it means for example evaluation of your creditworthiness in case you apply for a loan or leasing product. The ČSOB Poisťovňa may also process your data with the aim of analysing the insurance risk and identifying the potential insurance fraud.

In certain circumstances, processing of your data can meet the characteristics of the automated individual decision-making. It means the cases where your personal data are processed by automated means, i.e. by using different algorithms or calculations without any human intervention, and the result of such calculation may be the decision related to you which produces significant legal effects on you. You have the right to object to this type of processing of your data.

The automated individual decision-making is used in the ČSOB Financial Group by the ČSOB Bank when it assesses the clients’ risk profiles under the Act on Prevention of Legalisation of Proceeds from Crime and the overdraft to your account. Overdraft is a type of loan product and the process of its approval consists in selection of clients and subsequent calculation of maximum amount of loans that can be provided by the bank to such clients in a simplified process, i.e. without demonstrating their income. In this case, automated individual decision-making means that the bank assesses the data on client’s payment discipline and transactions on the client’s accounts and on the basis of this assessment, the automated system calculates the amount of credit line (the amount of overdraft) which can be provided to the client by the bank. The legal effect for the client is the specification of maximum amount of funds on the basis of the selected set of data.

When assessing the client’s risk profile under the Act on Prevention of Legalisation of Proceeds from Crime, the Bank assesses the data on potential risk posed by the client, i.e. the data on the client’s activities in using banking products, data from public registers, data on assets and liabilities of the client, and other data in accordance with the respective legal regulations. On the basis of the assessed data, the Bank sets the client’s risk profile which directly affects, either positively or negatively, the conditions under which the products and services are provided by the Bank.

The right to object to automated individual decision-making, including profiling, is not applied if we are obliged to perform automated individual decision-making under the respective legislation. We act in compliance with the Act on Prevention of Legalisation of Proceeds from Crime, MiFID Directive and other regulations the aim of which is to ensure responsible providing of credit products and other products so that the clients do not become over-indebted. In these cases, the automated individual decision-making is used to protect consumers and to fulfil the statutory obligations of the financial institutions.

7. How do we protect your data?

Your rights as the affected person in the course of personal data processing are regulated in Section 28 of the Act on Personal Data Protection.

ČSOB applies strict rules which regulate the conditions under which our employees or other entitled persons have access to your personal data and which personal data they may use. We do not transfer your personal data outside ČSOB, with the exception of those cases where we have your consent to do so or where we are authorised to do so according to the respective legislation.

We process personal data using both manual and automated means of processing within our information systems that are secured and protected in accordance with the respective security standards and regulations regarding personal data protection. Our employees have the strictly regulated access rights to individual systems in which personal data of our clients are processed and each access is monitored and reviewed. All accesses and management procedures are fully in compliance with the system of standards for information security and cyber security under ISO 27000 standard.

Taking into account the development of technologies, digitisation of products and services, and long-term development of information technology in ČSOB, we pay particular attention to strict compliance with the personal data protection rules. We protect your personal data against loss, damage and misuse. The protection of your personal data is ensured to the maximum possible extent corresponding to the level of available technical resources. In accordance with GDPR we have put in place in ČSOB the system of personal data protection by default and by design.

Data protection by default means that we follow the principles of data minimisation – i.e. we process only the scope of data necessary to achieve the purpose of processing; in our systems we have introduced the minimisation of data storing by setting the period of processing of the data upon expiry of which the purpose of processing ceases to exist; we limit the purpose of data processing – i.e. we process the data for the declared purposes of processing only and we do not process the data for any other purpose.

Data protection by design means that we have implemented in our key processes the basic privacy protection principles. It mainly includes the internal policies regulating the processes, security of information systems in end-to-end cycle or transparency in the personal data processing. Before each processing of your personal data that could pose a higher risk to your rights, we perform the detailed assessment of the risks and effects on your privacy the result of which we take into account in developing and implementing of the respective processes, procedures or design and development of our products.

8. Recipients of your data

Your personal data are not disclosed outside ČSOB, except for the cases when it results from the consent you gave us or from the respective legal regulation. As in providing of our products and services we act as a single financial group, your personal data are processed primarily within the ČSOB Group.

In our activities we cooperate also with external entities which provide us various services necessary for achieving of the purposes of data processing. In this context, we cooperate mainly with our suppliers and external agents through which we sell our products.

Personal data sharing within ČSOB:

Your personal data are shared among individual members of the ČSOB Financial Group in two cases. Your personal data are shared among the members of the ČSOB Financial Group on the basis of your consent to the processing of personal data for marketing purpose and/or consumer competitions, since we in ČSOB obtain such consent on behalf of all members of our Group. This means that in this case we act as the joint controllers as we jointly define the purpose and conditions of personal data sharing.

In this case sharing of your personal data means that your personal data provided to a single or several members of the ČSOB Financial Group may be provided to the remaining members of the ČSOB Financial Group. Data are shared under the conditions specified in the consent granted by you, i.e. they are provided to the extent and for the purpose for which such consent was granted. More information on the Group consent and your rights can be found in Chapter 10 of this Memorandum.

The other case where we share your personal data within ČSOB is when we provide you the services which are associated with provision of our products and services. Our goal is to provide you a simpler and faster service across the ČSOB Financial Group, to take your preferences more into account and offer you only the relevant products and services provided within the entire Group. When sharing your personal data among members of the ČSOB Financial Group, we make sure that we observe all requirements of the personal data protection, protection of bank secrecy under the Act on Banks and other legal regulations so that all your data are secure within the ČSOB Financial Group.

Suppliers and business partners:

We procure some of our activities through our suppliers, however, in some cases these suppliers may process your personal data as well. When selecting our suppliers, we pay due attention to ensure sufficient security of your data and conclude with suppliers the contracts on processing of personal data which regulate all conditions of processing and protection of your personal data between ČSOB as the controller and supplier as the processor.

The selected suppliers provide us also with cloud solutions to increase the productivity and effectivity, internal cooperation and sharing and creation of information in ČSOB. With the aim to protect the data shared within the cloud solutions, we use advanced technical and software tools for data encryption so that the protection and integrity of the shared data are preserved. When using the cloud solutions, we do not cooperate with suppliers who are not able to provide the sufficient standards of security of processed data.

Further, we also cooperate with a network of financial agents and advisers through which we sell our products. With these entities we conclude the contracts on processing of personal data as they process your data as processors for us, in particular your identification data and the data on products and services.

Our suppliers and business partners are in particular:

  • IT services providers, including cloud solutions,
  • marketing agencies,
  • records retention and archiving services providers,
  • providers of printing and postal services,
  • lawyers and entities used to recover our claims and receivables,
  • financial agents and advisors,
  • sales agents and intermediaries.

KBC Group:

The ČSOB Group is one of the members of the KBC international banking and insurance group. For this reason, our shareholders and members of the KBC Group are recipients of data. The data are shared in particular in connection with reporting and compliance with the prudential principles. The data between ČSOB and KBC are processed solely within the territory of the European Union and in compliance with the international standards of personal data protection. You can find more information on the KBC Group on https://www.kbc.com/en/ourstructure.

Registers:

In connection with the assessment of natural person’s ability to repay loans, verification of their creditworthiness, trustworthiness and payment history, your personal data may be processed in the following registers: Joint Banking Information Register (hereinafter referred to as “JRBI”) and Non-Banking Client Information Register (hereinafter referred to as “NRCI”).

JRBI is operated by the company Slovak Banking Credit Bureau, s.r.o., with its registered office at Mlynské nivy 14, 821 09 Bratislava. NRCI is operated by the company Non-Banking Credit Bureau, ZZPO, with its registered office at Mlynské nivy 14, 821 09 Bratislava. More information on JRBI and NRCI registers can be found on the website www.sbcb.sk.

More information on the processing of personal data and cooperation during exchange of information processed in JRBI and NRCI registers is contained in Annex No. 1 hereof.

 

Another register is the Register of Insured Events established under the Act on Insurance Industry, operated by the Slovak Association of Insurance Agencies. This register is used for registration of the insured events and as a preventive tool in combatting insurance frauds. The scope of data processed in the register is defined by the Act on Insurance Industry.

The Register of Liability Insurance is kept by the Slovak Insurers’ Bureau established under Act No. 381/2001 Coll. on Compulsory Contractual Motor Vehicle Third Party Liability Insurance and on amendments of and supplements to certain acts in order to provide the injured parties with the information on how they can exercise and settle their rights for damages.

As to investment products, your personal data are provided to the Central Securities Depository for the purpose of registration of the book-entry investment instruments under the Act on Securities.

Funds:

Your personal data are in the cases laid down by the special legal regulations disclosed to legal entities which under the legal regulations are authorised to perform the defined activities. These entities include for example the State Housing Development Fund intended for financing and reconstruction of real properties or the Deposit Protection Fund which ensures protection of funds deposited with the banks.

Supervisory authorities:

In connection with the control or supervision your personal data can be disclosed to the regulators, i.e. the authorities that by operation of law supervise our activities – e.g. the National Bank of Slovakia, European Central Bank, Office for Protection of Personal Data, etc.

Recovery of claims and exercising of rights:

As regards recovery of our claims and rights we disclose your personal data to the competent courts, enforcement officers, public notaries, law firms, court experts, or other entities authorised to recover the claims or exercise the rights.

Payment system entities:

SWIFT, SEPA, payee’s bank, correspondent banks.

Public administration authorities:

The special legal regulations govern providing of personal data to the entities we are obliged to provide the data under the respective legal regulations.

Public authorities – public administration authorities, courts, prosecutor’s office, law enforcement authorities.

Financial administration.

Other authorities, institutions and entities:

Social Insurance Agency, health insurance agencies, assessment physicians, archive, audit.

Cross-border transfer of personal data:

Your personal data may be subject to cross-border transfer to the countries within the European Union as well as to the countries that provide adequate level of protection in compliance with the provisions of the respective legal regulations. We do not transfer the personal data of our clients to third countries that do not guarantee the adequate level of personal data protection, unless it is agreed in the particular type of business or when it results from the nature of the business.

For international system of payments, the ČSOB Financial Group uses the services of S.W.I.F.T. – Society for worldwide financial telecommunication s.c., Avenue Adèle 1, B-1310 La Hulpe, Belgium.

The SWIFT company performs the cross-border system of payments through a worldwide network in which the messages on financial transactions are exchanged between banks and other financial institutions electronically. In connection with the cross-border system of payments, the clients’ data contained in payment orders (title, name, surname, address, account number, amount, and purpose of payment) are provided to the SWIFT company which subsequently provides them to the financial institution of the payment recipient.

To protect the processed data, the transferred data are temporarily stored in two operational centres of SWIFT in Europe and the USA. In relation to the adequacy of protection of personal data transmitted to the USA, the European Commission has introduced the “EU – U.S. Privacy Shield”. Any personal data may be transmitted to the USA only on the basis of the European Commission EU – U.S. Privacy Shield decision and in compliance with the conditions laid down by the Act on Protection of Personal Data.

9. Where did we obtain your data from?

Depending on the particular circumstances, we process the personal data we have received from you or the data you have created by your activity. In some cases, we obtain your personal data also otherwise than directly from you. In ČSOB we use the following sources of personal data of data subjects:

  • personal data provided directly by the data subject,
  • personal data created by ČSOB,
  • personal data obtained from the members of the ČSOB Group or KBC Group – sharing of personal data of clients within the Group in order to simplify providing of services and internal reporting,
  • personal data obtained from third party – e.g. in the form of databases of third parties,
  • personal data obtained from publicly available registers – e.g. Commercial Register, Trade Register, Land Registry, register of debtors, etc.,
  • personal data from payment transactions – mainly the data on payer and payee within the system of payments.

10. How long do we process your data?

We keep and protect your personal data for the period stipulated by the applicable legal regulations, or in case of personal data processed on the basis of your consent, for as long as your consent has been granted. The period of retention depends on the particular purpose for which we process the personal data. The defined data retention period for the respective purpose respects the principle of minimisation of data retention which ensures that we process the data for the necessary period of purpose of data processing only.

We process the personal data processed for the purpose of client identification in connection with the providing of products and services in ČSOB throughout the period of the contractual relationship and then for the period of 10 years after its termination. The aforementioned period results also from other legal regulations under which we process your data, in particular from tax regulations, regulations on securities, MiFID, protection of competition, etc.

If we process your personal data on the basis of the consent for marketing purposes in providing the products and services of members of the ČSOB Financial Group and/or for the purposes of evaluation and identification of winners and competitors in consumer competitions, each member of the ČSOB Financial Group will process your personal data as long as you are the client of the ČSOB Financial Group and 5 years after termination of all contractual relationships between you and members of the ČSOB Financial Group. If no contractual relationship is concluded between you and a member of the ČSOB Financial Group, your personal data will be processed by each member of the ČSOB Financial Group for the period of 12 months from the date when you gave your consent.

In case of personal data processing through camera recordings, e.g. under Section 93a (7) of the Act on Banks, if the recording made is not used for the purposes as laid down by the Act on Banks (to reveal criminal activities), we are under the obligation to destroy the recordings without undue delay upon expiry of thirteen months after the respective recording is made.

11. What are your rights?

You have the right of access to your data

You have the right to request from us the confirmation as to whether or not we process your personal data, and, if that is the case, you have the right to obtain access to the personal data and the following information:

  • the purposes of the processing,
  • the categories of personal data,
  • the recipients of your data,
  • the data processing period,
  • information on the source from which we obtained your personal data.

In case that we process your personal data, you have also the right to access such personal data and the right to obtain a copy of your personal data. If you require to obtain the access to and/or a copy of your data, you need to explicitly state this fact in your request. If you request more copies, we can charge a fee for this service. You receive the transaction data from us in the form of statement to the respective product (e.g. a statement of account).

You have the right to rectification of your data

It can happen that some of your data we have is not or is no longer accurate. However, without your assistance we can do nothing. For this reason, it is important that you notify us of any change related to your personal data without undue delay and document the respective changes. As the data subject you are responsible for accuracy, timeliness, completeness and veracity of personal data you provided to the ČSOB Financial Group.

As our client you have the right for rectification of your inaccurate and obsolete personal data in our information systems. If you learn of any inaccurate or obsolete information we have in respect of you, do not hesitate to contact us.

You have the right to object to the processing of your personal data

If you do not agree with processing of your personal data in specific cases, you have the right to object to such processing. In case you wish to exercise your right to object, it is necessary that you include in your request the grounds and enclose the respective documentation justifying your claims. The detailed specification of your claim is necessary for us to assess justification and eligibility of your request. After receipt of your request we are obliged to demonstrate compelling legitimate grounds for the processing of your data which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If you do not want us to use your personal data for direct marketing, including profiling, you can change your marketing preferences so that we no longer use your data for this purpose.

You have the right to request restriction of processing of your data

If you believe that there is no longer the reason to process your personal data, you have the right to request to block your data. In case that the conditions for restriction of processing of your data under GDPR are fulfilled, ČSOB is obliged to restrict the processing within the reasonable period under Article 12 GDPR.

You have the right to refuse fully automated processing of your data

You have the right to refuse the decision of ČSOB made under the following conditions:

  • the decision is based solely on automated decision which may include processing – i.e. it is not a human decision; and also
  • the decision produces the legal effects on you; and also
  • these legal effects concern you or significantly affect you.

The aim of this right is to ensure that these types of decisions are made either on the basis of your explicit consent, on the basis of special regulation, or on the basis of performance of the contract. Automated individual decision-making, including profiling, is commonly used in the financial industry with the aim to protect consumers and ensure compliance with the legislation – in particular with the Act on Prevention of Legalisation of Proceeds of Crime, the Act on Securities or the Act on Consumer Loans. The purpose of the above legislation is to ensure responsible providing of credits/loans and also avoid any suspicious or fraudulent transactions in the financial market. In these cases, we are entitled to make decisions falling within the automated individual decision-making and the data subject’s right to object to this procedure will not apply.

You have the right to erasure of your data

If you believe that some data on your person are unlawfully processed by us, you have the right to request that we erase the respective data. In case you wish to exercise your right to erasure of data, it is necessary that you include the reasons in your request and enclose also the respective documentation justifying your claims. Only the processing found unlawful by the final decision of court or the Office for Personal Data Protection is deemed to be unlawful processing. The detailed specification of your claim is necessary for us to assess justification and eligibility of your request.

You have the right to transmit your data

You have the right to receive your personal data you provided us electronically in a structured form. You have the right to request that we transmit your data to another entity which you will specify in the request. The right to transmit your personal data applies in cases where we process your personal data:

  • by automated means, i.e. electronically,
  • based on a contract or on your consent,
  • which you provided to ČSOB by yourselves.

The aforesaid right does not apply to personal data we process on the basis of the obligation imposed by law. The right to transmit the data covers only the data you provided us. The observed data, i.e. the data which have been generated in our systems based on your activity and have been processed to the certain extent, are not considered to be the provided data. The observed data include in particular the transaction data, i.e. the data on the executed transactions. You have access to these data through the statement of account to the respective product within which the transactions were executed.

How can you exercise the above rights to personal data?

You can exercise your rights to personal data only after you are successfully identified. Without successful verification of your identification we are not obliged to act on the request. If we exercise your rights without sufficient identification, it could result in unauthorised access to your personal data and infringement of your rights. If you are our client, we will identify you to the necessary extent using the procedures put in place.

You can exercise your rights to personal data with the ČSOB Financial Group as follows:

  • personally at ČSOB branches – you can visit any of our branches where the branch employees will help you fill out the request for exercising of rights to personal data;
  • through bound agents of ČSOB Poisťovňa – if you are the client of ČSOB Poisťovňa, you can contact your agent who will help you to fill out the request and ensure that it is delivered to the respective department of ČSOB which will deal with your request;
  • by mail or personally at ČSOB registry – the form of request for exercising of rights to personal data is also available on our website www.csob.sk. After entering the respective data, it is necessary that you verify your signature with a public notary before sending the request by mail to allow us to identify you after receipt of the document. Without a notary’s verification of your signature, your written request will not be accepted and we will have to contact you and request that you file the request with the signature verified by the public notary. The filled out and signed request can be also filed personally at our registry at the registered office of ČSOB at Žižková ulica 11 in Bratislava.

You are obliged to state all necessary information in the request and provide for the annexes necessary for handling your request and for assessing your claim regarding personal data processing. If your request is incomplete, we will contact you in order to add the necessary details in the request.

ČSOB will handle your request within one month of receipt of the request. The period may be extended by two further months where necessary, taking into account the complexity and number of requests. ČSOB informs the data subject of any such extension within one month of receipt of the request, together with the reasons for delay. The requesting person will be notified of the extension of the period using the same method the requesting person has chosen for delivery of the response to the request.

Information required within the above request is provided free of charge. In case that the request is manifestly unfounded or excessive, in particular because of its repetitive character, ČSOB may either: i) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or ii) refuse to act on the request.

The right to withdraw consent

You have the right to withdraw the consent you gave us at any time. Providing your personal data on the basis of the consent is voluntary; we cannot force you into the provision of your consent to processing of your personal data and you are entitled to refuse to provide your personal data. The withdrawal of consent shall not affect processing of your personal data which took place at the time when the respective consent was valid. We may continue in using your contact details for other legitimate interests non-related to marketing – e.g. we may send you service messages to your products.

If you have given us your consent to process your personal data for the marketing purposes and/or for the purpose of consumer competitions, we are entitled to inform you on the offer of products and services, promotions and competitions using various forms, i.e. in writing, by telephone, by SMS, e-mail and Internet, or through the offer in ČSOB SmartBanking applications.

Thanks to your consent we can better recognize your preferences and offer you products best-suited for you. We can use your personal data also for profiling thanks to which we send you the offers which suit your needs best.

If you do not want to receive information on the current offer through marketing activities, you can contact us regarding the change of your marketing preferences. You can refuse receiving the newsletters directly using the communication channel through which you received them. If you do not want us to contact you through the chosen communication channels – e.g. SMS or e-mail, you can contact us and change the limitation as to contacting you through the communication channels chosen by you. You may withdraw the consent to the processing of your personal data for marketing purposes as such in writing or change the consent electronically in some on-line products. You can also make any change in the consent to the processing of your personal data at our branches.

We draw your attention to the fact that we will make any change related to your consent or refusal of the consent to processing of the personal data for marketing purposes in our systems within 10 working days after the day when you confirmed that you are interested/are not interested in contacting for marketing purposes. So we can still continue to contact you even after withdrawal of the consent until the 10-day period for performance of the necessary changes in our systems expires.

You may withdraw the consent to the processing of cookies following the procedure described on the respective websites that collect cookies.

Right to lodge a complaint with a supervisory authority.

If you consider that your personal data rights have been infringed or that the conditions of processing of your data have been breached, you have the right to lodge a complaint with the following supervisory authority:

Úrad na ochranu osobných údajov SR
Hraničná 12
820 07 Bratislava 27

We are fully aware of seriousness and timeliness of the topic of personal data protection and therefore we summarised in this Memorandum how we treat your personal data and for what reason we use them. By this document we want to assure you that we treat personal data with confidentiality and respect, adhering to the applicable legislation, and using the available technological protection.

If you have any questions related to personal data protection to which you did not find the answer in this document, feel free to write to us at dpo@csob.sk.