Personal data protection

The purpose of this document is to inform you about the processing of your personal data in Komerční banka, a.s. and about your rights relating to your personal data. We want you to know what kind of personal data we collect, what we do with it, and what we use it for. You can also find information on the sources we obtain this data from, as well as learning who we can provide this data to.

We always process your personal data transparently, fairly and lawfully, and to the extent required for a given purpose. We securely retain your personal data for the period that is strictly necessary, in compliance with the time limits defined by legislation and other regulations. If the bank has a legitimate interest, we can decide for ourselves how long we will retain your data. We only process the personal data of persons aged under 18 if a child’s legal representative is acting on the child’s behalf.

We recommend that you familiarise yourself with the information contained in this document. In addition to the above, we try to ensure that this document is as up to date as possible, and if there are any changes in how your personal data is processed and retained, they will be incorporated into this document as soon as possible.

If you do not agree with how your personal data is processed in Komerční banka, a.s. you can exercise your rights and contact the authority that oversees your privacy and protects your personal data:

Office for Personal Data Protection
address: Hraničná 12, 820 07 Bratislava 27
tel.: + 421 232 313 214, + 421 232 313 211
website: https://www.dataprotection.gov.sk/

or

Office for Personal Data Protection
address: Pplk. Sochora 27, 170 00 Praha 7
tel.: +420 234 665 111
website: www.uoou.cz

The controller of your personal data is Komerční banka, a.s. (“KB” or “Komerční banka”).

Contact information (in Slovakia):

Komerční banka, a. s., branch of foreign banky
Hodžovo námestie 1A
P.O.BOX 137
810 00 Bratislava
Slovak Republic

Contact information for the Data Protection Officer (DPO):

You can contact the DPO by e-mail osobne_udaje@koba.sk or by writing to the following address:

KB collects and uses your personal data, and it is responsible for ensuring that your data is processed correctly and lawfully. You can also assert your rights regarding Komerční banka as the controller of your personal data, as explained below.

We can only process your personal data within a specific scope, and provided that at least one of the following conditions is satisfied:

1. your gave us your consent to process your personal data for one or more specific purposes (see What kinds of consent do we have in Komerční banka?);
2. processing is necessary for the performance of a contract;
3. processing is necessary for compliance with Komerční banka’s legal obligations This is data we primarily have to collect, evaluate and retain for a period specified by law to satisfy our obligations under the legislation. This includes archiving, in compliance with laws governing our business, obtaining and evaluating data to satisfy our obligations in preventing money laundering and terrorist financing (e.g. KYC, Know Your Client), and other relevant laws;
4. processing is necessary for Komerční banka’s legitimate interests, except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms, which require the protection of the subject’s personal data;
5. processing is carried out in accordance with other legal bases that only apply exceptionally to Komerční banka. Processing is necessary in order to protect your vital interests, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.

When providing products and services to legal persons, we also obtain and process personal data on natural persons who are authorised to represent the bank’s clients, as well as on other natural persons whose personal data is processed in direct connection with conducting of their activities, and which the bank must process or is entitled to process for its own purposes.

This primarily concerns the registered owners and beneficial owners, persons authorised to view or dispose of funds on clients’ accounts (including holders of business payment cards), persons providing collateral, and other natural persons connected with these subjects. We obtain personal data primarily from our clients or their representatives, from publicly accessible sources, and also from specialised databases maintained by third parties.

This involves mostly basic and descriptive subjects’ data, i.e. their identification and contact data, their role and position in a company, their area of interest, scans of documents, information on links with other subjects, and information required by the legislation, especially the laws on money laundering, taxation and the provision of payment and investment services, and any other regulations the bank has to comply with when conducting its business.

We acquire and process mostly the following personal data:

• When providing products and services to clients, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person.
• When satisfying our obligations to prevent money laundering, in compliance with our legal obligations as the controller. We process data for the period specified in the applicable legislation. For these purpose we process scans of identity documents in the Czech and Slovak Republic based on the fulfilment of legal obligation.
• During the automatic exchange of information on financial accounts (CRS, FATCA). We process data for a period of ten years following the end of the calendar year in which notification was sent to the relevant tax authority.
• When maintaining and developing our relationship with our clients, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a client.
• When defending legal claims, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person, and after the termination of the product or service for a period of eighteen years in the Czech Republic and ten years in Slovakia.

You can find more detailed information regarding the purpose of processing your data in the following chapter.

If there is more than one reason for the processing of your personal data, we always do so only to the extent required for a given purpose. The main aim of this processing is to enable us to provide you our services and customer care associated with delivery of our products and services that you actively use or consider to use.

We set out the main categories of our purposes below.

Providing products and services

• Discussing a product or service

As part of discussing a product or service, we will process the data you provide through these channels to facilitate your interest in the product or service, and we will contact you as part of discussing the product or service.

• Concluding a contract on a product or service

If you decide that the product or service you discussed with us is suitable for you, we are obliged to ascertain your personal identification data and collect and retain any other data needed to draw up the relevant contract for the product or service. For credit and investment products, we will require a larger set of data from you, and shall be the subject of further processing.

• Servicing a product or service

So that we can ensure the quality of the products and services you use, we are obliged to retain, update and process the relevant data. Based on our legitimate interest we are also obliged to provide you with this information through the channels you have selected for these products and services, i.e. at our point of sale and through our direct banking channels. If you also decide to use direct banking channels for servicing these products and services, we collect information on your IP address, etc. We record and evaluate this data so that we can minimise any risks related to the misuse of these direct channels.
If necessary, we will inform you – via SMS, e-mail, messages in our direct channels or another standard way – of any events concerning your products and services together with change of your banking advisor, etc.

In this case, the legal basis for processing your personal data is the fulfillment of controller’s legitimate interests. To safeguard our legal claims, we will continue to retain this personal data after the product or service has ended – for more details see How long do we retain your data?

Safeguarding our legal claims

We also process your personal data, including your communications history and information about products and services, to the extent required for any legal claims or potential legal claims against you, especially on the basis of your contractual relationship with us. We also use third parties for debt recovery.
The legal basis for presented processing is the protection of our legitimate interests.

Preventing, checking, detecting and investigating fraud, and preventing money laundering

We also use your personal data to check for and prevent any potentially unethical or fraudulent conduct. We are bound by the legislation that stipulate the obligation to act with due professional care in matters concerning the prevention, detection and investigation of such conduct. To this end we also collect your personal data and data on the products and services you use. We can then create indicators based on this data that help prevent potential fraud and allow for better protection of your money. This may involve for instance information on the theft of your ID card or credit card, or data on the country where you normally use your direct banking channels.
The legal basis for such processing is compliance with our legal obligation as the controller.

Tax and accounting requirements

We also collect and process your personal data to comply with our legal obligations as the controller with regard to the state and the regulatory authorities. We are obliged to do so by the Accounting Act, the VAT Act and many other regulations, including the laws derived from the agreement on implementation of the US Foreign Account Tax Compliance Act (FATCA). We also transfer all of this mandatory information within KB’s Financial Group.
We process and transfer this data to comply with our legal obligation as the controller, and in our legitimate interest.

Protecting against market abuse

The legislation also obliges us to check compliance with the Capital Market Undertakings Act and prevent its abuse, which could harm our other clients or our KB Group. We process your personal data for this reason too.
The legal basis for above mentioned processing is the compliance with our legal obligations as the controller and our legitimate interest.

Prevention and control for investment products

In compliance with the regulatory requirements, we also collect and retain records of all communications with you concerning investment products (e.g. recordings of telephone calls, minutes from meetings, e-mail communication, Skype calls and messages, etc.). In line with the regulatory requirements for reporting your transactions, we collect data on your instructions and your transactions with investment instruments.
The legal basis for such processing is compliance with our legal obligation as the controller.

The company’s internal needs and reporting

Our employees may process your personal data for the company’s internal needs, e.g. for reporting on the efficiency of our services.
The legal basis for such processing is our legitimate interest.

Assessing credit risk

To minimise risk, the bank keeps records of persons who have provided false information, experienced difficulties paying their debts, etc.
The legal basis for such processing is compliance with our legal obligation as the controller, and also our legitimate interest.

Regulatory reporting

Your personal data and information on selected products and services are being used for regulatory reporting. Based upon this data we conduct our internal reporting, and at the same time we are obliged to transfer information on certain products and services to the regulator.
The basis for such processing is compliance with our legal obligation as the controller.

Debt recovery and factoring

If you have problems repaying any loans we have provided, our primary objective is to resolve these problems with you efficiently and to our mutual satisfaction. Sometimes, it might not be possible to resolve aforementioned problems amicably. In these situations we have to use the personal data we have recorded on you, and in some cases we may also use data, especially contact data, from publicly accessible sources such as social networks, etc., so that we can contact you. Under certain circumstances (you fail to respond, you are unreachable, you have no interest in resolving the situation, etc.) we may have to transfer your debts to a company that specialises in debt recovery. In such cases we will provide the relevant personal data to the company, together with any other relevant data concerning the debt in question. We also transfer this data if we decide to assign the debt.
The basis for processing and transferring the relevant data is our legitimate interest.

Marketing as a legitimate interest

As part of marketing as a legitimate interest, we carry out basic analyses of your data concerning your use of our products and services. At the same time this legitimate interest allows us to segment our clients in order to choose the most important form of servicing and offer suitable products and services, and it also allows us to find out clients’ opinions. You may object to marketing as a legitimate interest.

Data retention periods differ depending on particular purpose for which we are processing personal data. Set data retention period for particular purpose respects storage limitation principle, that ensures processing of data only for the time that is necessary for the purposes for which the data are processed. There are two main reasons why we process and retain your data, and related to these reasons are the time limits for which we need to retain your data:

• data retention for the time required by relevant applicable laws – e.g. Act on Banks (5 years from termination of banking transaction), VAT Act and Tax Administration Act (10 years), AML Act (5 years), Accounting Act (10 years) etc.
• a legitimate interest concerning claims, complaints, litigation, etc. – at least five years following the ceasing of provision of the product or service to our clients.

We keep your personal data for the period of time set out by relevant applicable laws and KB’s Code of File Cabinet and KB’s File Cabinet Plan, respectively for the time period for which you gave us your consent.

Regulácia ochrany osobných údajov umožňuje, aby prevádzkovateľ poveril spracúvaním osobných údajov sprostredkovateľa. Sprostredkovateľom je každý subjekt, ktorý na základe zvláštneho zákona alebo poverenia, resp. splnomocnenia prevádzkovateľom, spracúva osobné údaje v mene prevádzkovateľa. V týchto prípadoch je zmluvne, ako aj predpismi garantovaná rovnaká ochrana vašich údajov ako zo strany spoločnosti Komerční banka. Medzi najvýznamnejších sprostredkovateľov, ktorých spoločnosť Komerční banka využíva na spracúvanie osobných údajov, patria:

• IT providers
• companies that archive personal data
• companies and persons providing legal services
• companies and persons working in debt recovery
• mail services and couriers

Other processors

Exchanging information and tax issues

Under international agreements such as FATCA, etc., we are obliged to provide data on our clients to the Financial Administration of the Slovak Republic. For more information on these agreements, please visit e.g. https://www.financnasprava.sk.

On request and without consent

A range of public authorities may request information on our clients. They include the law enforcement authorities, the courts, the court executors, the Czech National Bank, the Slovak National Bank or health insurance companies. However, we only provide this data in situations where we are legally obliged to do so.

In Komerční banka we always try to be as transparent as possible, which is why we think it’s important that you know how we process your personal data. Komerční banka is processing the following basic categories of data.

Basic data

Identification data

In case of legal persons this includes mainly basic identification data such as the business name, company number, tax registration number, etc.; in case of natural persons it is the subject’s name, surname, birth registration number, date of birth, type and number of identity card.

Contact data

This includes all of the subject’s addresses – e.g. permanent place of residence, correspondence addresses, and for entrepreneurs their company’s address, and the subject’s contact data, e.g. telephone numbers, e-mail addresses, social network addresses, data boxes, etc.

Descriptive data

KYC – Know Your Client data

This includes mostly information required by relevant laws for the purpose of risk assessment of money laundering and financing of terrorism, e.g. whether the particular natural person is a politically exposed person or not.

Tax residence

This includes data on your tax residence, i.e. where you are obliged to pay tax.

Non-financial business characteristics of a client

This includes information on suppliers and customers, the client’s business strategy, information on any group of connected clients, information on the market environment and situation in the sector, business risks, etc.

Data on products

Data for financing products

This includes the personal data of debtors and co-debtors, information on the parameters of a credit transaction, the identification and value of collateral, etc.

Data for investment banking products

This includes the personal data of the holders and managers, contract numbers, the level of investment, the order book, information on transactions, etc.

Data for day-to-day banking products

This includes the personal data of the holders and managers, contract numbers, payment card numbers including security data, information on transactions, the sales channels used, etc.

Data from public registers

This includes sanctions lists for persons linked with terrorism as well as lists for persons on international watch lists who are subject to international sanctions, the insolvency register, the bankruptcy register, the central debt collection register, registers of invalid and stolen documents, the register of groups of connected clients, information from the land register, etc.

Information from the internet, social media and social networks

This includes the IP address, cookies, the identification of the device used, information on web browsers, your profile on social networks, etc.

Electronic communication means for authentication and authorisation

This includes data on electronic communication means that are mainly used for authentication, i.e. to verify your identity. Data that comes under this category includes your digital signature, your digital certificate, or the user name you ordinarily use to log into applications, or your device’s serial and manufacturing numbers (MAC address), etc.

Records from banking machines and applications

This includes identification data from communication channels or logs from monitoring banking applications.

Records of data subjects’ links with products and services

This includes mostly information on business relations e.g. between supplier and customer, etc.

Data we neither collect nor process

Special categories of personal data

This is a special type of data that includes information on your race, ethnicity, trade union membership, any health problems, and sexual orientation. It also includes data related to genetic and biometric information. Komerční banka does not collect this data.

You have the right to ask us for information on your personal data that we process, the purpose and nature of processing your personal data, and the recipients of personal data.
If you discover or believe that our processing your personal data is contrary to the protection of your personal and private life, or in violation of the legislation, you are entitled to ask us for an explanation, or to ask Komerční banka to remedy the undesirable situation.
If we are in breach of our obligations, you also have the right to ask the Office for Personal Data Protection to take remedial measures.

A list of your rights:

• The right of access to personal data
  • This right allows you to ask us for a printout of the personal data the bank keeps on you. Komerční banka is obliged to produce this printout for you, including information on:
    • the purposes for which the personal data are being processed;
    • the planned processing period;
    • the source of the personal data;
    • any recipients to which Komerční banka provides these personal data.
• The right to data portability
  • This right gives you the option of asking Komerční banka for personal data concerning you which you have personally provided to Komerční banka. Komerční banka will agree with you the format and means for transferring the data. It will transfer the data to you or another controller you specify, in a machine-readable format.
• The right to erasure of personal data
  • This right entitles you to ask Komerční banka to erase all of your personal data. Your personal data can only be erased if there are no other reasons why Komerční banka is obliged to retain your personal data (the performance of a contract, legal requirements, etc.).
• The right to rectification of personal data
  • On the basis of information from you, Komerční banka will rectify inaccurate personal data without undue delay, or will supplement any incomplete personal data if a specific processing purpose requires it.
• The right to restriction of processing. The restriction of processing personal data, in response to a request or an objection
  • If you request the restriction of processing, and there are no technical or other reasons why your request cannot be granted, Komerční banka will restrict such processing.
• The right not to be subject to automated individual decision-making with legal or similar effects, including profiling
  • At your request, Komerční banka will exclude you from all processing it performs solely automatically. If such processing is necessary for the provision of a contract, Komerční banka will give you the option of discussing the results of such processing with a banking advisor to identify an alternative and more acceptable solution.
• The right to object in cases where we process your data on the basis of our legitimate interest
  • You have the right to object to all processing that Komerční banka carries out on the basis of its legitimate interest as the controller. Accepting your objection means that Komerční banka will stop processing your personal data for all the purposes contested in your objection.

Komerční banka treats all of the above rights in the same way, and always tries to satisfy your requirements.
Komerční banka has a period of 30 days to process your request.
You will be informed by a cover letter when Komerční banka has finished processing your request. You can exercise your rights by a letter addressed to Komerční banka and sent by the Post, personally at our point of sale or by e-mail.

When exercising above mentioned rights, Komerční banka may need your cooperation to identify you. You can exercise your rights on your own behalf or on behalf of someone you represent on the basis of power of attorney or other form of authorisation.

If you have any questions, please call Komerční banka’s Infoline on 0800 118 100,go to www.koba.sk/osobneudaje or write to us at osobne_udaje@koba.sk.

Alternatively, please contact our Data Protection Officer (DPO), who is responsible for supervising the processing of personal data in Komerční banka.

You can contact the DPO by e-mail osobne_udaje@koba.sk or by writing to the following address:

Office of the Data Protection Officer
Hodžovo námestie 1A
P.O.BOX 137
810 00 Bratislava
Slovak Republic

Komerční banka is the parent company of KB’s Financial Group, and it is a member of the Société Générale international financial group.

In Slovakia, Komerční banka, a. s. serves corporate clients through a branch, Komerční banka, a.s., pobočka zahraničnej banky, as well as through the other daughter companies of the KB’s Group (SGEF, ALD, ESSOX).

KB ranks among the leading banking institutions in the Czech Republic, as well as in Central and Eastern Europe. It is a universal bank providing a wide range of services in retail, corporate and investment banking. Member companies of KB’s Financial Group provide additional specialised financial services such as pension schemes and building society schemes, leasing, factoring, consumer lending and insurance. These are available through KB’s branch network, its direct banking channels and its subsidiaries’ own sales networks.

KB’s Financial Group

Czech subsidiaries	Address	Company No
Modrá pyramida stavební spořitelna, a.s.	Bělehradská 128/222,120 21 Prague 2	60192852
Komerční pojišťovna, a.s.	Karolinská 1/650, 186 00 Prague 8	63998017
KB Penzijní společnost, a.s.	náměstí Junkových 2772/1, Stodůlky, 155 00 Prague 5	61860018
SG Equipment Finance Czech Republic s.r.o.	náměstí Junkových 2772/1, Stodůlky, 155 00 Prague 5	61061344
ESSOX s.r.o.	F. A. Gerstnera č.ev. 52, České Budějovice 7, 370 01 České Budějovice	26764652
Factoring KB, a.s.	náměstí Junkových 2772/1, Stodůlky, 155 00 Prague 5	25148290
Protos, uzavřený investiční fond, a.s.	Dlouhá 713/34, Staré Město, 110 00 Prague 1	27919871
KB Real Estate, s.r.o.	Václavské náměstí 796/42, Nové Město, 110 00 Prague 1	24794015
VN 42, s.r.o.	Václavské náměstí 796/42, Nové Město, 110 00 Prague 1	02022818
STD2, s.r.o.	Václavské náměstí 796/42, Nové Město, 110 00 Prague 1	27629317
Subsidiaries in other countries
Bastion European Investments S.A.	Rue Des Colonies, 11 1000 Brusel, Belgium	BE0877.881.474

The Société Générale Group

Since October 2001 Komerční banka has been part of Société Générale’s international retail banking group. Société Générale is one of the largest financial services groups in Europe.

Société Générale has been playing a vital role in the economy for the last 150 years. It operates in 67 countries with over 147 000 employees. The Société Générale Group serves 31 million clients throughout the world, and its teams offer advice and services to individual, corporate and institutional customers in three core businesses:

• retail banking in France with the Société Générale branch network, Credit du Nord and Boursorama, offering a comprehensive range of multichannel financial services on the leading edge of digital innovation;
• international retail banking, insurance and financial services for companies with a presence in emerging markets and leading specialised businesses;
• corporate and investment banking, private banking, asset management and securities services, with recognised expertise, top international rankings and integrated solutions.

We conduct the processing of your personal data in accordance with the relevant applicable laws, in particular with the Personal Data Protection Act, Act on Banks, AML Act.

The most important generally binding legal regulations in the field of / or in close connection with the personal data protection in the Slovak republic:

FATCA	Notification of Ministry of Foreign and European Affairs of the Slovak Republic No. 48/2016 Coll., on conclusion of the Agreement between the United States of America and the Slovak Republic to Improve International Tax Compliance and to Implement FATCA on July 31 2015, Act No. 442/2012 Coll. on International cooperation in Tax Administration, Act No. 359/2015 Coll. on Automatic Exchange of Information about Financial Accounts for Tax Administration Purposes	obligation of the bank in regard of the control of compliance with tax liabilities
MiFID	Directive 2014/65/EU of the European Parliament and of the Council on markets in financial instruments	common regime for investment services within the EU
Market Abuse Regulation	Regulation (EU) 596/2014 of the European Parliament and of the Council on the market abuse and Directive 2014/57/EU of the European Parliament and of the Council on criminal sanctions for market abuse	market manipulation
Civil Code	Act No. 40/1964 Coll. – the Civil Code, as amended	protection of privacy
GDPR	Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data	protection of personal data within the EU, valid from May 25 2018
Act on Banks	Act No. 483/2001 Coll. on Banks, as amended	banking operation
VAT Act and Tax Administration Act	Act No. 222/2004 Coll. on Value Added Tax and Act No. 563/2009 Coll. on the Tax Administration (Tax Code), as amended	processing of tax data
Act on International cooperation in Tax Administration	Act No. 442/2012 Coll. on International cooperation in Tax Administration, as amended	international exchange of information in the tax area
Personal Data	Act No. 18/2018 Coll. on Personal Data Protection Act, as amended	protection of personal data
Protection Act	Protection Act, as amended
Accounting Act	Act No. 431/2002 Coll. on Accounting	processing of the accounting data
AML Act	Act No. 297/2008 Coll. on Anti-Money Laundering and Anti-Terrorist Financing, as amended	identification and control of clients
Payment Services Act	Act No. 492/2009 Coll. on Payment Services, as amended	protection of data from users of payment services