We consider the protection of privacy and personal data as one of our primary duties. We deal with personal data solely in accordance with the applicable legislation. Please read the Principles of Personal Data Processing in Česká spořitelna to find out about the principles which we follow to ensure confidentiality and security of your personal data.
What will you learn about the personal data?
- What kind of data we collect.
- How we handle the data.
- What sources we use for obtaining data.
- For which purposes we use the data.
- To whom we can provide the data.
- Where you can obtain the information on your personal data which we process.
- What are the security options available for everybody.
“Principles of Personal Data Processing in Česká spořitelna” is a generally applicable document concerning the protection and processing of personal data of natural persons (hereinafter the “Data Subject”). Particularities regarding the personal data of job applicants, Česká spořitelna employees and external collaborators of Česká spořitelna are addressed in separate principles of personal data processing.
Information on Data Controller:
Trade name: Česká spořitelna, a.s.
Reg. No.: 452 44 782
DIČ: CZ699001261
Registered office: Prague 4, Olbrachtova 1929/62, Post Code 140 00
Information on Data Protection Officer:
E-mail: poverenec@csas.cz
Information line of Česká spořitelna: 277 207 207
Registered office: Prague 4, Olbrachtova 1929/62, Post Code 140 00
We process your personal data to the extent that is necessary for the provision of the service which you are contracting with us. These personal data are split into two groups – personal data that we can process without your consent, and personal data that cannot be processed unless you grant us your consent.
Purpose of personal data processing for which your consent is required:
- Marketing activities, if you decide to grant us consent,
- Non-financial services of our partners,
- Alternative risk assessment, for using TelcoScore service, which provides information about the credibility and trustworthiness of users of cell telephone providers' services,
- Signature biometrics,
- Voice biometrics,
- Automated decision-making, and
- Handicap
- Storing and reading cookies on your device
- Individual informed consents for a specific service or product (if needed)
For more detailed information on the granted consent with processing of your personal data, please refer to the text of the document in which you grant to us your consent within the process of contracting a service and signing the contract.
Consent to the processing of personal data for a particular purpose is voluntary and you can cancel it anytime.
Purpose of personal data processing for which your consent is not required:
- Compliance with our obligation to collect and process, for the purposes of banking transactions, personal data including the birth certificate number, as necessary to allow the banking transaction to be executed without the Data Controller incurring undue legal and material risks; similar processing of personal data about company representatives and about beneficial owners according to AML legislation,
- Compliance with our obligations arising from negotiations on concluding contracts and from the fulfilment of concluded contracts,
- Compliance with our obligations imposed by special legislation, including the exception for processing of special categories of personal data (e.g. monitoring of the Data Controller's premises and equipment by cameras, recording of calls through the call centres and appropriate units of the Data Controller),
- Ensuring protection of our rights and interests protected by law (e.g. when exercising rights before courts and insurance companies, recovering and selling claims, improving bank products, services and applications or the manner of their use); the scope of provided personal data is limited to such personal data as are necessary for successful assertion of a claim, and
- Performance of a task carried out in the public interest.
In the event that you refuse to disclose to us personal data requested for some of the reasons stated above, it is not possible to provide to you the relevant product, service or other performance for which we require the personal data.
This is the legal basis on which we process your personal data (identification details, contact details, information on creditworthiness and on the use of services), in order to comply especially with the following legislation:
- Act No. 21/1992 Coll., on Banks (this Act lays down the conditions for carrying out the bank activities and requires the banks to mutually exchange information on the facts pertaining to the clients, with the aim of preventing and detecting unlawful conduct),
- Act No. 256/2004 Coll., on Capital Market Undertakings (this Act lays down conditions for provision of investment services by a securities trader),
- Act No. 634/1992 Coll., on Consumer Protection (this Act regulates the credit registers),
- Act No. 257/2016 Coll., on Consumer Credit (this Act regulates the rights and obligations pertaining to provision and brokerage of consumer loans),
- Act No. 370/2017 Coll., on Payment System (this Act regulates the activities of entities that are authorised to provide payment services),
- Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (this Regulation imposes the obligation to prevent constantly changing fraud methods; the requirements of customer authentication should ensure that the client is the legitimate user and therefore is giving consent for the transfer of funds and access to its account information through a normal use of the personalised security credential (online payment account)),
- Act No. 164/2013 Coll., on International Cooperation in Tax Administration (this Act imposes the obligation to exchange with other financial institutions information on persons who are subject to tax liability in another country),
- Act No. 253/2008 Coll., on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism (this Act imposes the obligation to carry out the due diligence of clients),
- Act No. 69/2006 Coll., on International Sanctions (this Act imposes the obligation to verify that the client is not the subject of international sanctions),
- Act No. 37/2021 Coll., on Registration of beneficial owners,
- Regulation of the European Parliament and Council (EU), e.g. Capital Requirements Regulation No. 575/2013, on Prudential Requirements for Credit Institutions and Investment Firms and amending Regulation (EU) No. 648/2012,
- Regulation (EU) No 596/2014 of the European Parliament and of the Council on market abuse (market abuse regulation),
- Act No. 171/2023 Coll., on the Protection of Whistleblowers,
- Act No. 480/2004 Coll., on Certain Information Society Services.
In certain cases we process your personal data with the aim to protect the rights and legitimate interests of Česká spořitelna as well as those of the entire Česká spořitelna Financial Group and potentially of other third parties. Such processing can be carried out without your consent. Nevertheless, the scope of reasons that authorise us to carry out such processing is limited. Existence of a legitimate interest is always carefully examined.
Examples of personal data processing due to the legitimate interest:
- Security, taking into account the obligation to protect the property of the Data Controller and the protection of persons, including appropriate clarification of unlawful acts
- Preparation of expert studies, analyses or comparable documents for the public using a large amount of data (summary aggregated statistical information), without the possibility of identification or specific impact on the data subject
- Customer relationship management – keeping data about your experience, skills and lifestyle (preferences concerning your leisure time), your user name on social networks, your IP address, cookies, wishes and complaints. The reason is to provide you with all services related to product management and to address your demands, wishes and complaints.
- Sending messages, notifications and confirmations that are utilised for handling your product
- Processing of data from web forms or applications, mostly the contact details that you give us so that we can contact you regarding your interest in a product or service
- Reporting and sharing of personal data with the parent company (Erste Group Bank AG, Am Belvedere 1, A-1100 Vienna, Republic of Austria)
- Creation of analytical models based on aggregate, anonymised data about products, services and profile data, which make it possible to estimate by statistical methods, and then fulfil, the needs of selected categories of data subjects (clients), and to predict possible damage to the bank's interests and take effective measures against it in time.
We retrieve personal data either from you (the data subject) or from third parties which represent your interests (your authorised representatives, your legal guardians). Furthermore, we retrieve personal data from relevant registries which are established by law, for example the Trade Register and justice.cz. For the purpose of assessing the ability and willingness to repay loans, we process data from credit registers – the Bank register of client information (BRKI), the Non-banking register of client information (NRKI), the Central register of credit (Centrální registr úvěrů), the Register of Natural Persons (Register NP administered by the SOLUS Association) and the Register of Entrepreneurs and Legal Entities (Register of Entrepreneurs administered by the SOLUS Association).
In special cases, and after fulfilling the legal obligations imposed on us by special regulations, we can retrieve information from non-public sources such as FAU, the Police and the courts of the Czech Republic.
If you provide us with the personal data of third parties in connection with your situation (in relation to the bank, for instance, a partner, authorized person, collaborating individuals, etc.), it is your obligation to inform them about the initiation of their personal data processing by Česká spořitelna and notify them about these principles.
Identification details
Name, surname, title, Birth ID or date of birth, permanent residence address, proof of identity number (identity card, passport number or number of similar document), signature; for a natural person who is an entrepreneur, also the Tax Identification Number and Company ID. This means all the personal data through which we can identify you clearly and unmistakably.
Contact details
Primarily the contact address, telephone number, e-mail address and further detailed information. These are the personal data through which we will be able to contact you.
Information on creditworthiness (ability to repay loans) and trustworthiness
Personal data which are necessary for Česká spořitelna – considering the ČS legal obligation to act with caution when exercising its activity – to allow for carrying out the ČS banking business without undue legal and material risks. Nature and scope of these personal details depend on the character of the banking transaction which is executed or a service which is provided.
Data concerning the use of services
Data indicating which Česká spořitelna services you have contracted and how you utilise them (such as account balances, transaction data, recordings of telephone calls and records of other communication); data on the use of electronic equipment for online access to payment services (call and internet banking), for setting up the appropriate methodology and model of real-time fraud analysis.
Special categories of personal data
Biometric signature – replaces the hand-written signature of a hard-copy contract and it is executed electronically – by a special stylus on a tablet. Voice biometrics – voice recording and processing of personal data that are associated with the biometric characteristics of your voice so that you can prove your identity in connection with provision of financial services. We protect all these personal data against misuse and they cannot be accessed by any unauthorised person.
Special categories of personal data
Česká spořitelna processes the health data solely in connection with specific products and services, and always only with your consent.
Personal data that you provided to us (about historical and current usage of the relevant electronic equipment) are processed and stored, including the manner of their usage, the use of a separated secure execution environment through the applications installed on multi-purpose devices for online access to internet and mobile banking, and the use of security credentials according to our business conditions. The source data are processed in order to eliminate attempted fraud and to hinder the use of personalised security credentials by a device which was lost, stolen or abused, by performing our own verification of the client based on knowledge (something only the client knows) and possession (something only the client holds). We fully realise our obligation to protect the confidentiality and integrity of your personalised security credentials as a user of payment services.
When processing a submitted transaction, we may analyse the situation and ask you to give us access to your data (for example the location of the device or the Wi-Fi network it is connected to). If we do not obtain access to the relevant data, we do not have enough information to overcome doubts about possible malware or fraud, and we are not able to carry out the payment transaction according to your orders.
Personal data that you provided to us are processed and stored within Česká spořitelna and Česká spořitelna Financial Group. If it is required by law, we transfer defined personal data to recipients according to legal obligations. The regulation of personal data protection allows the controller to authorise a processor to process personal data. We carefully select the entities which cooperate with us based on the assurance that they will ensure technical and organisational protection of the personal data being transferred. Solely the Data Processors can perform the personal data processing for Česká spořitelna, and exclusively under a contract on personal data processing. At the processor or recipient, the same protection of your personal data as in Česká spořitelna is guaranteed by contract or by regulation.
The largest recipients and processors include:
- Banks, to the extent stipulated by the Act No. 21/1992 Coll., on Banks,
- Stock exchanges and intermediaries of securities trading,
- Payment service providers and payment processors in order to provide for transfer of funds and for foreign payment system,
- Providers of postal and communication services and providers of electronic communications,
- Providers of card services for the purpose of payment cards manufacturing and administration,
- Banking and non-banking registers, mobile network operators in order to comply with obligation of responsible lending,
- Collection agencies and law firms in order to recover receivables from loan agreements,
- Executors and auctioneers in order to assert related claims,
- Regulator in order to facilitate supervision of Česká spořitelna activities pursuant to specific law,
- External collaborators of Česká spořitelna and providers, in order to perform a contract,
- Marketing and research agencies for the purpose of marketing canvassing or survey, and for business, service and product offerings of Česká spořitelna Financial Group member and of the selected business partners.
Provision of certain products (e.g. payment cards) and execution of related services (payment system) which we offer to you necessitates that we transfer your personal data for processing outside the Czech Republic.
When personal data are transferred to third countries (outside the EU), we always use an instrument that provides additional protection of the rights of the affected persons, based on appropriate guarantees.
We store your personal data only for the period which is strictly necessary and we archive them in accordance with the statutory period imposed by the legislation, for example the Act on Banks and the Act on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism. These acts stipulate a period for processing personal data of at least ten years after the end of the relationship with the client. We process the client's personal data for a longer period in cases in which we have asserted our rights before a court or the Police of the Czech Republic.
We process the personal data for the duration of the contractual relationship or of another legal title which enables us to process your personal data. It means that we have strict internal rules in place which examine the legitimacy of retaining personal data, and that we do not retain the personal data for a longer period than the one we are entitled to. Once the legal ground ceases to exist, we erase the relevant personal data.
Personal data which we process with your consent are stored only for the duration of the purpose for which the consent was granted or until the consent is withdrawn.
We process your personal data in a transparent and correct manner and in accordance with the legal requirements. However, at the same time you have the right to contact us at any time in order to obtain information about the procedure of your personal data processing or to exercise the below-stated rights that are related to personal details.
Right of access to personal data
You have the right to obtain the copy of your personal data which Česká spořitelna processes.
Right to rectification of personal data
If you believe that the personal data which we maintain about you are inaccurate or incomplete, you have the right to request that we update or complete them.
Right to erasure of personal data (right to be forgotten)
You have the right to request from us the erasure of your personal data if they are no longer required for the purpose for which they were processed, if you withdrew your consent to their processing, if they were processed unlawfully, if they must be erased in order to comply with legal obligations, or if they have been collected in relation to the offer of information society services.
Right to restriction of personal data processing
You have the right to request restriction of processing if you are contesting the accuracy of your personal data; if their processing is unlawful but you oppose the erasure of such personal data; if you ask us to continue processing selected personal data even after they are no longer required for the purpose for which you provided them to Česká spořitelna (such as in relation to asserting claims before a court, for which you need the personal data that we process); or if you objected to the processing and it is not clear whether our legitimate interest overrides your legitimate interests.
Right to personal data portability
In case of automated processing of personal data which is based on the concluded contract or on the consent that you granted to us, you have the right to the so-called portability of these data, which will be provided to you in a structured, commonly used and machine-readable format. When you ask for transfer of your bank account, we will proceed in accordance with Act No. 370/2017 Coll., on Payment System.
Right to object to personal data processing
At any time you can object to the processing of personal data, including profiling, which we process due to legitimate interest.
Equally, you can object to the processing in case that we process your personal data for the direct marketing purposes. In such case we will no longer process your personal data for such purpose.
Right to withdraw consent to personal data processing
If you have given us consent to the processing of personal data for the purposes that require the consent, you have the right to withdraw your consent at any time. Processing of personal data that has been carried out prior to the consent withdrawal is legitimate.
Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on processing including profiling, which produces legal effects concerning you or significantly affects you. You have the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
When exercising your rights you can contact any point of sale or use electronic communication channels which you utilise for communication with Česká spořitelna.
We will respond to your request related to exercising your rights without undue delay, within a limit of 30 days from receiving your request. If necessary, this limit can be extended by an additional two months. We will always inform you about such an extension as well as about our reasons for it. We will communicate with you in the manner which you prefer (by e-mail, letter).
Right to lodge a complaint with the Supervisory Authority
You have the right to lodge a complaint with the supervisory authority (Office for Personal Data Protection) if you think that the rules of personal data protection were breached during the processing of your personal data.
Office for Personal Data Protection:
Pplk. Sochora 27
170 00 Prague 7
Telephone no.: +420 234 665 111
Should you have any question regarding personal data, you can send your enquiry to e-mail: poverenec@csas.cz or you can use our information line 277 207 207 or any branch.