Rules for Processing Personal Data at Česká spořitelna, a.s.

Protecting your privacy and personal data is our paramount responsibility.

We consider the protection of privacy and personal data one of our primary duties. We deal with personal data solely in accordance with the applicable legislation. Please read the Principles of Personal Data Processing in Česká spořitelna to find out about the principles which we follow to ensure the confidentiality and security of your personal data.

What will you learn about the personal data?

  • What kind of data we collect
  • How we handle the data
  • What sources we use for obtaining data
  • For which purposes we use the data
  • To whom we can provide the data
  • Where you can obtain the information on your personal data which we process and what are the security options available for everybody

“Principles of Personal Data Processing in Česká spořitelna” is a generally applicable document concerning the protection and processing of personal data of natural persons (hereinafter the “Data Subject”). Particularities regarding the personal data of job applicants, Česká spořitelna employees and external collaborators of Česká spořitelna are addressed in separate principles of personal data processing.

Information about the personal data controller:

Name: Česká spořitelna, a.s.
ID No.: 452 44 782
Tax ID No.: CZ699001261
Registered office: Olbrachtova 1929/62, 140 00 Prague 4

Information about the personal data protection trustee:

Jiří Januška
E-mail: poverenec@csas.cz
Tel.: +420 703 616 (weekdays 9:00 a.m. – 3:00 p.m.); Česká spořitelna’s toll-free info line: 800 207 207 (all other days and times)
Registered office: Olbrachtova 1929/62, 140 00 Prague 4

 

We process your personal data only to the extent strictly necessary to provide the respective service you are arranging with us. We divide personal data into two groups: personal data that we can’t process without your consent and personal data that we can process without your consent.  

Personal data processing where we require your consent

  • Marketing,
  • nonfinancial services provided by our partners,
  • alternative risk assessment,
  • signature biometrics,
  • voice biometrics,
  • automated decision-making,
  • handicap.

For more detailed information on the consent you have granted to the processing of your personal data, please refer to the text of the document in which you grant us your consent when contracting a service and signing the contract.

Consent to the processing of personal data for a particular purpose is voluntary.

Personal data processing where we don’t require your consent:

  • Compliance with our obligation to collect and process, for the purposes of banking transactions, personal data (including the birth certificate number) necessary to allow the banking transaction to be executed without the bank incurring undue legal and material risks for the Data Controller,
  • Compliance with our obligations arising from the talks about closing contracts and from the fulfilment of concluded contracts,
  • Compliance with our obligations imposed by special legislation, including the exception for processing of special categories of personal data (monitoring of the Data Controller's areas and equipment using cameras, recording of calls through the call centres and the appropriate units of the Data Controller),
  • Ensuring protection of our rights and interests protected by law (e.g. when exercising rights before courts and insurance companies, exaction and sale of claims, improvement of bank products, services and applications or the manner of their use); the scope of the personal data provided is limited to the personal data necessary for the successful assertion of a claim, and
  • Execution of a task carried out in the public interest.

In the event that you refuse to disclose to us personal data requested for any of the reasons stated above, it is not possible to provide you with the relevant product, service or other performance for which we require the personal data.

This is the legal basis on which we process your personal data (identification details, contact details, information on creditworthiness and on the use of services), in order to comply especially with the following legislation:

  • Act No. 21/1992 Coll., on Banks (this Act lays down the conditions for carrying out the bank activities and requires the banks to mutually exchange information on the facts pertaining to the clients, with the aim of preventing and detecting unlawful conduct),
  • Act No. 256/2004 Coll., on Capital Market Undertakings (this Act lays down conditions for provision of investment services by a securities trader),
  • Act No. 634/1992 Coll., on Consumer Protection (this Act regulates the credit registers),
  • Act No. 257/2016 Coll., on Consumer Credit (this Act regulates the rights and obligations pertaining to provision and brokerage of consumer loans),
  • Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (this Regulation imposes the obligation to prevent constantly changing fraud methods; the requirements of customer authentication should ensure that the client is the legitimate user and is therefore giving consent for the transfer of funds and access to its account information through normal use of the personalised security credentials (online payment account)),
  • Act No. 164/2013 Coll., on International Cooperation in Tax Administration (this Act imposes the obligation to exchange with other financial institutions information on persons who are subject to tax liability in another country),
  • Act No. 253/2008 Coll., on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism (this Act imposes the obligation to carry out the due diligence of clients),
  • Act No. 69/2006 Coll., on International Sanctions (this Act imposes the obligation to verify that the client is not the subject of international sanctions) and Regulation of the European Parliament and Council (EU), e.g. Capital Requirements Regulation No. 575/2013, on Prudential Requirements for Credit Institutions and Investment Firms and amending Regulation (EU) No. 648/2012.

In certain cases we process your personal data with the aim to protect the rights and legitimate interests of Česká spořitelna as well as those of the entire Česká spořitelna Financial Group and potentially of other third parties. Such processing can be carried out without your consent. Nevertheless, the scope of reasons that authorise us to carry out such processing is limited. Existence of a legitimate interest is always carefully examined.

Examples of personal data processing due to the legitimate interest:

  • Simulating products and services in order to help you choose the most advantageous product, to take your real needs into consideration and not to flood you with unnecessary offers,
  • Preparing contracts based on your request – collecting and processing the personal information required to draft a contract with you,
  • Security, taking into consideration the obligation to protect the property of the Data Controller and the protection of persons, including appropriate explanation of unlawful acts,
  • Customer relationship management intended to provide you with all services related to product management or to address all your requirements, wishes and complaints, etc.,
  • Sending messages, notifications and confirmations that are utilised for handling your product
  • Reporting and creation of analytical models based on anonymised and aggregate personal data and their sharing with the parent company (Erste Group Bank AG, Am Belvedere 1, A-1100 Vienna, Republic of Austria)
  • Analyses of your profile data and of the products and services details (including mode of using them) with the aim of:
    - Setting up suitable parameters of your account,
    - Assessing credit and insurance risks,
    - Offering an appropriate investment product (such as investment in share certificates),
    - Preventing and detecting fraudulent conduct, preventing incompatibility with the legislation,
    - Preventing money laundering and financing of terrorism, enforcing embargos,
    - Compliance with the Bank's legal duties towards regulatory and state authorities,
    - Processing of surveillance camera footage in order to eliminate fraudulent conduct and to pursue protection of persons and property,
    - Testing of software changes,
    - Research & development of products/services, and market development analyses,
    - Processing analyses of aggregate (anonymised) data for historical, statistical and scientific purposes.

We retrieve personal data either from you (the data subject) or from third parties which represent your interests (your authorised representatives, your legal guardians). Furthermore, we retrieve personal data from relevant registries which are established by law, for example the Trade Register and justice.cz. For the purpose of assessing the ability and willingness to repay loans, we process data from credit registers: the Bank Register of Client Information (BRKI), the Non-banking Register of Client Information (NRKI) and the Central Register of Credit (Centrální registr úvěrů).

In special cases, and after fulfilling the legal obligations imposed on us by special regulations, we can retrieve information from non-public sources such as FAU, the Police and the courts of the Czech Republic.

Identification

Name, surname, title, birth registration number or date of birth, address of permanent residence, number of identity card (personal ID card, passport or other similar document), signature and, in the case of natural persons (businesses), tax identification number and company identification number, i.e., all personal data that identifies you clearly and unmistakably.

 

Contact data

Particularly contact address, phone number, email address and other similar information. This is information that we need in order to contact you.

 

Credit rating (ability to make payments) and credibility

Personal information that is required by Česká spořitelna – with regard to its statutory obligation to act prudently – to execute a banking transaction without unreasonable legal and material risk. The nature and scope of such personal data depends on the nature of the banking transaction executed or service provided.

 

Data concerning the use of services 

Data indicating which Česká spořitelna services you have contracted and how you utilise them (such as account balances, transaction data, recordings of telephone calls and records of other communication). Data on the use of electronic equipment for online access to payment services (call and internet banking), used for setting up the appropriate methodology and model of real-time fraud analysis.

 

Special categories of personal data

Biometric signature – used in place of your hand signature on a paper contract and made electronically using a special pen and tablet. Voice biometrics – voice recordings and personal data processing linked to the biometric characteristics of your voice to allow you to prove your identity in connection with the provision of financial services. We protect such personal data against misuse and allow no unauthorised person access to it.

 

Special categories of personal data

Česká spořitelna processes health related information only for specific products and services and only with your consent.

Personal data that you provided to us (about historical and current usage of the relevant electronic equipment) are processed and stored, including the manner of their usage, the use of a separated secure execution environment through the applications installed on multi-purpose devices for online access to internet and mobile banking, and the use of security credentials according to our business conditions. The source data are processed in order to eliminate attempted fraud and to hinder the use of personalised security credentials by a device which was lost, stolen or abused, by performing our own verification of the client based on knowledge (something only the client knows) and possession (something only the client holds). We fully realise our obligation to protect the confidentiality and integrity of your personalised security credentials as a user of payment services.

When processing a submitted transaction, we may analyse the situation and ask you to give us access to your data (for example the location of the device or the Wi-Fi network it is connected to). If we do not obtain access to the appropriate data, we do not have enough information to overcome doubts about possible malware or fraud, and we are not able to carry out the payment transaction according to your orders.

We process and retain the personal information that you provide to us within Česká spořitelna and the Banking Group. If personal data processing is based on your consent or Česká spořitelna’s legitimate interests, your personal data may be processed by Česká spořitelna’s external partners and suppliers. We choose the entities that work with us carefully, based on guarantees that ensure the technical and organisational protection of the personal data transferred by us. Personal data may be processed for Česká spořitelna by processors exclusively on the basis of a personal data processing agreement.

In this respect, Česká spořitelna may, in justified instances, provide personal data to these recipients:

  • Companies within the Banking Group
    • Česká spořitelna – penzijní společnost, a.s. (ID No.: 61672033),
    • Energie ČS, a.s. (ID No.: 24256692),
    • Erste Leasing, a.s. (ID No.: 16325460),
    • Erste Grantika Advisory, a.s. (ID No.: 25597001),
    • Factoring České spořitelny, a.s. (ID No.: 25629352),
    • MOPET CZ a.s. (ID No.: 24759023),
    • Realitní společnost České spořitelny, a.s. (ID No.: 26747294),
    • REICO investiční společnost České spořitelny, a.s. (ID No.: 27567117),
    • Stavební spořitelna České spořitelny, a.s. (ID No.: 60197609),
    • s Autoleasing, a.s. (ID No.: 27089444),
    • VĚRNOSTNÍ PROGRAM IBOD, a.s. (ID No.: 01818121),
    • Investičníweb s.r.o. (ID No.: 25738607),
    • Erste Asset Management GmbH, Am Belvedere 1, A-1100 Vienna, Republic of Austria (FN 102018b),
    • Erste Group Bank AG, Am Belvedere 1, A-1100 Vienna, Republic of Austria (FN 33209m),
  • Banks in the scope set out in Act No. 21/1992 Coll., on banks
  • Česká spořitelna’s external partners and suppliers for the purpose of performing a contract,
  • Marketing and research agencies for marketing or marketing surveys and offers of business, services and products of the Banking Group and designated business partners,
  • Stock exchanges and securities dealers,
  • Payment service providers and payment processors to arrange transfers of funds and execute international payments,
  • Postal and (electronic) communication services providers,
  • Card service providers for the purpose of producing and managing payment cards
  • Bank- and non-bank registers (credit bureaus), mobile phone operators, for the purpose of fulfilling the responsible lending obligation and enforcing receivables under credit/loan agreements,
  • Executors and auctioneers for the purpose of exercising related claims
  • Regulator for the purpose of supervision over Česká spořitelna’s operations according to a special law

 

We store your personal data only for the period which is strictly necessary, and we archive them in accordance with the statutory period imposed by the legislation, for example the Act on Banks and the Act on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism. These acts stipulate that personal data be processed for a period of at least ten years after the relationship with the client is closed. We process a client's personal data for a longer period in cases in which we have asserted our right through a court or the Police of the Czech Republic.

We process the personal data for the duration of the contractual relationship or of another legal title which enables us to process your personal data. This means that we have strict internal rules in place which examine the legitimacy of maintaining personal data, and that we do not retain the personal data for a longer period than the one we are entitled to. Once the legal ground ceases to exist, we erase the relevant personal data.

Personal data which we process with your consent are stored only for the duration of the purpose for which the consent was granted.

We process your personal data transparently, properly and according to the law. At the same time, however, you have the right to request information from us about the procedure we use to process personal data or for the purpose of exercising the rights below related to personal data.

 

Right to access personal data

You have the right to request a copy of your personal data being processed by Česká spořitelna.

 

Right to rectification of personal data

If you believe that the personal data which we maintain about you are inaccurate or incomplete, you have the right to request that we update or complete them.

 

Right to erasure of personal data (right to be forgotten)

You have the right to request that we erase your personal data if they are no longer required for the purpose for which they were processed, if you have withdrawn your consent to their processing, if they were processed unlawfully, if they must be erased in order to comply with legal obligations, or if they have been collected in relation to the offer of information society services.

 

Right to restrict the processing of your personal data

You have the right to request that the processing of your data be restricted if you deny the accuracy of your personal data or its processing is unlawful but you refuse to have such personal data deleted; alternatively, if you so request, we can process such personal data even after it is no longer necessary for the purpose for which you provided it to Česká spořitelna (e.g., in connection with exercising claims at court if you require from us the personal data processed by us), or if you have raised an objection against processing and it is not clear whether our legitimate interests take precedence over your legitimate interests.

 

Right to personal data portability

In the case of automated personal data processing based on a concluded contract or consent granted to us by you, you have the right to the portability of data, which will be provided in a structured, commonly used and machine-readable format.

 

Right to object to personal data processing

At any time you can object to the processing of personal data, including profiling, which we process due to legitimate interest.

Equally, you can object to the processing if we process your personal data for direct marketing purposes. In such a case we will no longer process your personal data for that purpose.

 

Right to withdraw consent to the processing of your personal data

If you have granted us consent to process your personal data for purposes that require your consent, you have the right to revoke such consent at any time. Personal data processing that occurred before you revoked consent is lawful.

To exercise your rights, you may visit any point of sale or use electronic communications channels that you use in your communications with Česká spořitelna.

We will respond without undue delay to your requests that pertain to exercising your rights, but no longer than within 30 days of receiving your request. This deadline may be extended by another two months if necessary. We will always inform you about such extension and the reasons that led us to it. We will communicate with you in the way you prefer (e-mail, post).

 

Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the supervisory authority (Office for Personal Data Protection) if you believe that personal data protection rules have been breached in connection with the processing of your personal data.

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
tel: +420 234 665 111

 

If you have any questions related to personal data, you can send them by email to poverenec@csas.cz or call tel.: 703 481 616 (not to be used for SMS messages) during business hours from 9 a.m. to 3 p.m., or our toll-free info line 800 207 207 on all other days and times. You can also stop by one of our branches.
