Principles of Personal Data Processing in Česká spořitelna, a.s.

Protecting your privacy and personal data is our paramount responsibility.

We consider the protection of privacy and personal data to be one of our primary duties. We deal with personal data solely in accordance with the applicable legislation. Please read the Principles of Personal Data Processing in Česká spořitelna to find out about the principles which we follow to ensure the confidentiality and security of your personal data.

What will you learn about the personal data?

  • What kind of data we collect.
  • How we handle the data.
  • What sources we use for obtaining data.
  • For which purposes we use the data.
  • To whom we can provide the data.
  • Where you can obtain the information on your personal data which we process.
  • What are the security options available for everybody.

“Principles of Personal Data Processing in Česká spořitelna” is a generally applicable document concerning the protection and processing of personal data of natural persons (hereinafter the “Data Subject”). Particularities regarding the personal data of job applicants, Česká spořitelna employees and external collaborators of Česká spořitelna are addressed in separate principles of personal data processing.

Information on Data Controller:

Trade name: Česká spořitelna, a.s.
Reg. No.: 452 44 782
DIČ: CZ699001261
Registered office: Prague 4, Olbrachtova 1929/62, Post Code 140 00

Information on Data Protection Officer:

Jiří Januška
Phone no.: + 420 703 481 616 (workdays 9:00–15:00)
Charge-free information line of Česká spořitelna: 800 207 207 (other days and hours)
Registered office: Prague 4, Olbrachtova 1929/62, Post Code 140 00


We process your personal data to the extent that is necessary for the provision of the service which you are contracting with us. These personal data are split into two groups: personal data that we can process without your consent, and personal data that cannot be processed unless you grant us your consent.

Purpose of personal data processing for which your consent is required:

  • Marketing activities,
  • Non-financial services of our partners,
  • Alternative risk assessment,
  • Signature biometrics,
  • Voice biometrics,
  • Automated decision-making, and
  • Handicap

For more detailed information on the granted consent with processing of your personal data, please refer to the text of the document in which you grant to us your consent within the process of contracting a service and signing the contract.

Consent to the processing of personal data for a particular purpose is voluntary and you can cancel it anytime.

Purpose of personal data processing for which your consent is not required:

  • Compliance with our obligation to collect and process, for the purposes of banking transactions, personal data including the birth certificate number, as necessary to allow the banking transaction to be executed without the bank incurring undue legal and material risks for the Data Controller; similar processing of personal data about company representatives and about beneficial owners according to AML legislation,
  • Compliance with our obligations arising from negotiations on concluding contracts and from the fulfilment of concluded contracts,
  • Compliance with our obligations imposed by special legislation including the exception for processing of special categories of personal data (monitoring of areas of the Data Controller and his equipment by using the cameras, recording the calls through the call centres and appropriate units of Data Controller),
  • Ensuring protection of our rights and interests protected by law (e.g. when exercising rights before courts and insurance companies, recovering and selling claims, improving bank products, services and applications or the manner of their use); the scope of provided personal data is limited to such personal data as are necessary for the successful assertion of a claim, and
  • Execution of a task carried out in the public interest.

In the event that you refuse to disclose to us personal data requested for some of the reasons stated above, it is not possible to provide to you the relevant product, service or other performance for which we require the personal data.

This is the legal basis on which we process your personal data (identification details, contact details, information on creditworthiness and on the use of services), in order to comply especially with the following legislation:

  • Act No. 21/1992 Coll., on Banks (this Act lays down the conditions for carrying out the bank activities and requires the banks to mutually exchange information on the facts pertaining to the clients, with the aim of preventing and detecting unlawful conduct),
  • Act No. 256/2004 Coll., on Capital Market Undertakings (this Act lays down conditions for provision of investment services by a securities trader),
  • Act No. 634/1992 Coll., on Consumer Protection (this Act regulates the credit registers),
  • Act No. 257/2016 Coll., on Consumer Credit (this Act regulates the rights and obligations pertaining to provision and brokerage of consumer loans),
  • Act No. 370/2017 Coll., on Payment System (this Act regulates the activities of entities that are authorised to provide payment services),
  • Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (this Regulation imposes the obligation to prevent constantly changing fraud methods; the requirements of customer authentication should ensure that the client is the legitimate user and is therefore giving consent for the transfer of funds and access to its account information through normal use of the personalised security credentials (online payment account)),
  • Act No. 164/2013 Coll., on International Cooperation in Tax Administration (this Act imposes the obligation to exchange with other financial institutions information on persons who are subject to tax liability in another country),
  • Act No. 253/2008 Coll., on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism (this Act imposes the obligation to carry out the due diligence of clients),
  • Act No. 69/2006 Coll., on International Sanctions (this Act imposes the obligation to verify that the client is not the subject of international sanctions) and Regulation of the European Parliament and Council (EU), e.g. Capital Requirements Regulation No. 575/2013, on Prudential Requirements for Credit Institutions and Investment Firms and amending Regulation (EU) No. 648/2012.

In certain cases we process your personal data with the aim to protect the rights and legitimate interests of Česká spořitelna as well as those of the entire Česká spořitelna Financial Group and potentially of other third parties. Such processing can be carried out without your consent. Nevertheless, the scope of reasons that authorise us to carry out such processing is limited. Existence of a legitimate interest is always carefully examined.

Examples of personal data processing due to the legitimate interest:

  • Simulation of products and services in order to help you choose the most advantageous product, to take your real needs into consideration and not to flood you with unnecessary offers
  • Preparation of a contract at your request – collecting and processing the personal information required to draft a contract with you
  • Security, taking into consideration the obligation to protect the property of the Data Controller and the protection of persons, including appropriate explanation of unlawful acts
  • Customer relationship management – keeping data about your experience, skills and lifestyle (preferences concerning your leisure time) intended to provide you with all services related to product management or to address all your requirements, wishes and complaints, etc.
  • Sending messages, notifications and confirmations that are utilised for handling your product
  • Reporting and creation of analytical models based on anonymised and aggregate personal data and their sharing with the parent company (Erste Group Bank AG, Am Belvedere 1, A-1100 Vienna, Republic of Austria)
  • Analyses of your profile data and of the products and services details (including mode of using them) with the aim of:
    - Setting up suitable parameters of your account,
    - Assessing credit and insurance risks,
    - Offering appropriate investment product (such as investment in share certificates),
    - Preventing and detecting fraudulent conduct, preventing incompatibility with the legislation,
    - Preventing money laundering and financing of terrorism, enforcing embargos,
    - Compliance with the Bank's legal duties towards regulatory and state authorities,
    - Processing of surveillance camera footage in order to eliminate fraudulent conduct and to pursue protection of persons and property,
    - Testing of software changes,
    - Research & development of products/services, and market development analyses,
    - Processing analyses of aggregate (anonymised) data for historical, statistical and scientific purposes.

We retrieve personal data either from you (the data subject) or from third parties which represent your interests (your authorised representatives, your legal guardians). Furthermore, we retrieve personal data from relevant registries which are established by law, for example the Trade Register. For the needs of assessing the ability and willingness to repay loans, we process data from credit registers: the Bank Register of Client Information (BRKI), the Non-banking Register of Client Information (NRKI) and the Central Register of Credit (Centrální registr úvěrů).

In special cases, and after fulfilling our legal obligations that are given to us by special regulations, we can retrieve information from non-public sources such as FAU, the Police and the courts of the Czech Republic.

Identification details

Name, surname, title, Birth ID or date of birth, permanent residence address, proof of identity number (identity card, passport number or number of similar document), signature – for natural person – entrepreneur also the Tax Identification Number and Company ID. This means all the personal data through which we can identify you clearly and unmistakably.


Contact details

Primarily the contact address, telephone number, e-mail address and further detailed information. These are the personal data through which we will be able to contact you.


Information on creditworthiness (ability to repay loans) and trustworthiness

Personal data which are necessary for Česká spořitelna – considering the ČS legal obligation to act with caution when exercising its activity – to allow for carrying out the ČS banking business without undue legal and material risks. Nature and scope of these personal details depend on the character of the banking transaction which is executed or a service which is provided.


Data concerning the use of services 

Data indicating which Česká spořitelna services you have contracted and how you utilise them (such as account balances, transaction data, recordings of telephone calls and the records of other communication). Data on the use of electronic equipment for online access to payment services (call and internet banking), used to set up the appropriate methodology and model for real-time fraud analysis.


Special categories of personal data

Biometric signature – replaces the hand-written signature of a hard-copy contract and is executed electronically, with a special stylus on a tablet. Voice biometrics – voice recording and processing of personal data that are associated with the biometric characteristics of your voice so that you can prove your identity in connection with the provision of financial services. We protect all these personal data against misuse and they cannot be accessed by any unauthorised person.


Special categories of personal data

Česká spořitelna processes the health data solely in connection with specific products and services, and always only with your consent.


Personal data that you provided to us (about historical and current usage of the relevant electronic equipment) are processed and stored, including the mode of their usage, the use of a separated secure execution environment through the applications installed on multi-purpose devices for online access to internet and mobile banking, and the use of security credentials according to our business conditions. The source data are processed in order to eliminate attempted fraud and to hinder the use of personalised security credentials by a device which was lost, stolen or abused, by performing our own verification of the client based on knowledge (something only the client knows) and possession (something only the client holds). We fully realize our obligation to protect the confidentiality and integrity of your personal security credentials as a user of payment services.

When processing a submitted transaction, we may analyse the situation and ask you to give us access to your data (for example, the location of the device or the Wi-Fi network to which it is connected). If we do not obtain access to the relevant data, we do not have enough information to overcome doubts about possible malware or fraud, and we are not able to carry out the payment transaction according to your orders.

Personal data that you provided to us are processed and stored within Česká spořitelna and Česká spořitelna Financial Group. If the processing of personal data is based on your consent and the legitimate interests and purposes of Česká spořitelna stated above, your personal data can be processed by external collaborators of Česká spořitelna and by the providers. We carefully select the entities which cooperate with us based on the assurance through which they will ensure technical and organisational protection of the personal data being transferred. Solely the Data Processors can perform the personal data processing for Česká spořitelna, and exclusively under the contract on personal data processing.

To that effect, Česká spořitelna can provide personal data for the legitimate purposes to the below-stated recipients:

  • Companies that operate within Česká spořitelna Financial Group
    • Česká spořitelna – penzijní společnost, a.s. (ID Reg. No.: 61672033),
    • Erste Leasing, a.s. (ID Reg. No.: 16325460),
    • Erste Grantika Advisory, a.s. (ID Reg. No.: 25597001),
    • Factoring České spořitelny, a.s. (ID Reg. No.: 25629352),
    • MOPET CZ a.s. (ID Reg. No.: 24759023),
    • REICO investiční společnost České spořitelny, a.s. (ID Reg. No.: 27567117),
    • Stavební spořitelna České spořitelny, a.s. (ID Reg. No.: 60197609),
    • s Autoleasing, a.s. (ID Reg. No.: 27089444),
    • Investičníweb s.r.o. (ID Reg. No.: 25738607),
    • Erste Asset Management GmbH, Am Belvedere 1, A-1100 Vienna, Republic of Austria (FN 102018b),
    • Erste Group Bank AG, Am Belvedere 1, A-1100 Vienna, Republic of Austria (FN 33209m),
  • Banks, to the extent stipulated by the Act No. 21/1992 Coll., on Banks,
  • External collaborators of Česká spořitelna and providers, in order to perform a contract,
  • Marketing and research agencies for the purpose of marketing canvassing or surveys, and for business, service and product offerings of Česká spořitelna Financial Group members and of the selected business partners,
  • Stock exchanges and intermediaries of securities trading,
  • Payment service providers and payment processors in order to provide for transfer of funds and for foreign payment system,
  • Providers of postal and communication services and providers of electronic communications,
  • Providers of card services for the purpose of payment cards manufacturing and administration,
  • Banking and non-banking registers, mobile network operators in order to comply with obligation of responsible lending,
  • Collection agencies and law firms in order to recover receivables from loan agreements,
  • Executors and auctioneers in order to assert related claims,
  • Regulator in order to facilitate supervision of Česká spořitelna activities pursuant to specific law.


Provision of certain products (payment cards) and execution of related services (payment system) which we offer to you necessitates that we transfer your personal data for processing outside the Czech Republic. Also, some of the technologies we use have their base servers outside the Czech Republic, for example Adobe Systems Software Ireland Limited. Such transfers pertain namely to the cloud-based services (data repository) of the relevant providers.

When personal data are transferred to third countries (outside the EU), we always use an instrument that establishes additional protection of the rights of the affected persons; such a transfer is always carried out in accordance with legal requirements (standard contractual clauses, which you can find on the website of the Office for Personal Data Protection) or binding corporate rules, for example MasterCard.


We store your personal data only for the period which is strictly necessary, and we archive them in accordance with the statutory period imposed by legislation, for example the Act on Banks and the Act on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism. These acts stipulate a period for processing the personal data of at least ten years after the relationship with the client is closed. We process the client's personal data for a longer period in cases in which we have asserted our right through a court or the Police of the Czech Republic.

We process the personal data for the duration of the contractual relationship or of another legal title which enables us to process your personal data. This means that we have strict internal rules in place which examine the legitimacy of maintaining personal data, and that we do not retain the personal data for a longer period than the one we are entitled to. Once the legal ground ceases to exist, we erase the relevant personal data.

Personal data which we process with your consent are stored only for the duration of the purpose for which the consent was granted.

We process your personal data in a transparent and correct manner and in accordance with the legal requirements. However, at the same time you have the right to contact us at any time in order to obtain information about the procedure of your personal data processing or to exercise the below-stated rights that are related to personal details.


Right to access to personal data

You have the right to obtain the copy of your personal data which Česká spořitelna processes.

Right to rectification of personal data

If you believe that the personal data which we maintain about you are inaccurate or incomplete, you have the right to request that we update or complete them.


Right to erasure of personal data (right to be forgotten)

You have the right to request from us the erasure of your personal data if they are no longer required for the purpose for which they were processed, in case you withdrew your consent with their processing, if they were processed unlawfully, they must be erased in order to comply with legal obligations, or they have been collected in relation to the offer of information society services.


Right to restriction of personal data processing

You have the right to request restriction of processing in case you are contesting the accuracy of your personal data or if their processing is unlawful, however you oppose the erasure of such personal data, or if you ask us, we can continue processing your selected personal data, even after they are no longer required for the purpose for which you provided them to Česká spořitelna (such as in relation to asserting claims before court for which you need the personal data that we process), or if you objected to the processing whereas it is not clear whether our legitimate interest overrides your legitimate interests.


Right to personal data portability

In case of automated processing of personal data which is based on the concluded contract or on the consent that you granted to us, you shall have the right to the so-called portability of these data, which will be provided to you in a structured, commonly used and machine-readable format. When you ask for transfer of your bank account, we will proceed in accordance with Act No. 370/2017 Coll., on Payment System.


Right to object to personal data processing

At any time you can object to the processing of personal data, including profiling, which we process due to legitimate interest.

Equally, you can object to the processing in case that we process your personal data for the direct marketing purposes. In such case we will no longer process your personal data for such purpose.


Right to withdraw consent with personal data processing

If you have given us consent with processing of personal details for the purposes that require the consent, you have the right to withdraw your consent at any time. Processing of personal data that has been carried out prior to the consent withdrawal is legitimate.


Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on processing including profiling, which produces legal effects concerning you or significantly affects you. You have the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

When exercising your rights you can contact any point of sale or use electronic communication channels which you utilise for communication with Česká spořitelna.

We will respond to your request related to the exercise of your rights without undue delay, within a limit of 30 days from receiving your request. If necessary, this limit can be prolonged by an additional two months. We will always inform you about such an extension as well as about our reasons for it. We will communicate with you in the manner which you prefer (by e-mail, letter).


Right to lodge a complaint with the Supervisory Authority

You have the right to lodge a complaint with the supervisory authority (Office for Personal Data Protection) if you think that the rules of personal data protection were breached during the processing of your personal data.

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Telephone no.: +420 234 665 111


Should you have any question regarding personal data, you can send your enquiry to e-mail: or you can use the telephone number 703 481 616 (not designated for information SMS), on workdays from 9 to 15 o'clock; on other days and hours you can also contact us at our charge-free information line 800 207 207 or at any branch.

Where else you can turn