The information provided in this document aims to provide an overview on how we process personal data and to acquaint you with your rights regarding the processing of personal data. The information refers to clients, potential clients and other natural persons whose personal data Zagrebačka banka d.d. collects on any legal basis (e.g. guarantors, joint and several debtors, lien debtors, proxy holders, custodians, heirs, representatives of minors).
I. WHO IS A PERSONAL DATA CONTROLLER?
Zagrebačka banka d.d., member of the UniCredit Group, OIB (PIN): 92963223473, with company headquarters at Trg bana Josipa Jelačića 10, 10000 Zagreb, Republic of Croatia, e-mail: zaba@unicreditgroup.zaba.hr, phone: 01 3773 333 (hereinafter: Bank).
II. WHAT IS PERSONAL DATA AND HOW DOES THE BANK COLLECT PERSONAL DATA?
Personal data is any data or combination thereof relating to an individual whose identity has been or can be established (hereinafter: data subject), such as name, surname, personal identification number, address data, photograph, account number, income data, biometric data such as the speed of signing, pen pressure and stroke length when signing.
The Bank collects data:
(a) first of all, directly from the data subject during any kind of communication with the Bank (verbal or written). The most common example for such a way of collecting data is to submit a request for contracting a particular service or product of the Bank, whereby we collect data through prescribed requests and forms (e.g. through requests for contracting credit products, application forms for card products and KYC questionnaires).
We also collect data during any communication with the data subject in the branch office, via web portals, direct communication channels and when resolving complaints, etc.
(b) resulting from the processing of any data during the provision of banking and financial services, as well as the contracting services of the Bank's contractual partners' products and services, such as data on transactions, personal consumption and interests;
(c) from third parties under a legal obligation or other legal basis, as well as from publicly available sources (e.g. Single Register of Accounts), all in accordance with the applicable regulations and taking into account exceptions. If personal data are collected from third parties, the data subject shall have the right to be informed by the Bank in accordance with Article 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as General Data Protection Regulation);
d) from the members of the Zagrebačka banka Group and the members of the UniCredit Group (www.zaba.hr/home/o-nama/o-nama/struktura) to which the Bank belongs for the purpose of managing business risks, namely credit, liquidity, interest rate, operational and other risks to which the Bank and its members are exposed or may be exposed.
When collecting personal data, the Bank is guided by the principle of collecting the minimum required number of personal data for a particular purpose. A prerequisite for any collection of personal data of data subjects is the existence of an appropriate legal basis.
III. HOW AND FOR WHAT PURPOSES DOES THE BANK PROCESS THE COLLECTED PERSONAL DATA?
In order for the Bank to be able to provide a service to the data subject, the Bank processes personal data in accordance with the provisions of the General Data Protection Regulation, as well as the Act on the Implementation of the General Data Protection Regulation.
Personal data of the data subject shall be processed when any of the following conditions of the lawfulness of the processing are met:
a. Processing is necessary for the fulfilment of legal obligations of the Bank or other purposes determined by the law (e.g. Anti-Money Laundering and Terrorist Financing Act or Act on Administrative Cooperation in the Field of Taxation regulating the implementation of the Agreement between the Government of the Republic of Croatia and the Government of the United States of America on improving international tax compliance and the implementation of FATCA), as well as acting in accordance with individual acts adopted by the relevant institutions of the Republic of Croatia or other bodies on whose order the Bank is obliged to act on the basis of legal or other regulations. The processing of such personal data is a legal obligation and the Bank may refuse to enter into a contractual relationship or provide a contracted service, or terminate the existing business relationship in the event that the data subject fails to deliver the legally required data.
b. Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract. The provision of personal data for this purpose is mandatory. If the data subject refuses to provide any of the data necessary for the conclusion and execution of the contract to which the data subject is a party, including personal data collected for risk management purposes in the manner and to the extent prescribed by the relevant laws and by-laws, it is possible that the Bank will not be able to provide certain services and may therefore refuse to establish a contractual relationship.
c. Processing is necessary to fulfil the legitimate interests of the Bank or the members of the Group and the members of the UniCredit Group or third parties
The legitimate interest implies processing for the purpose of:
When processing personal data of the data subject on the basis of legitimate interest, the Bank shall always take into account the interests and fundamental rights and freedoms of the data subject and take into account that his/her interests do not prevail over the interests of the Bank on which the processing of personal data is based, in particular where the data subject is a child.
d. The data subject has given consent to the processing of his or her personal data for one or more specific purposes
The Bank will request consent for the following purposes:
Consents are voluntary and the data subject may at any time withdraw previously given consents and has the right to object to the processing of personal data for marketing, market research and biometric signature verification and/or biometric identification purposes. In that case, the personal data relating to him or her will not be processed for that purpose, which does not affect the lawfulness of the processing of personal data on the basis of consent prior to its withdrawal. The Bank shall not refuse the conclusion or execution of a contract if the data subject refuses or withdraws consent. All the aforementioned consents may be revoked in any branch office of the Bank, and the consents given for marketing and market research purposes, except in the branch office of the Bank, may also be revoked through direct channels, i.e. e-zaba and m-zaba services.
IV. DOES THE BANK IMPLEMENT AUTOMATED DECISION-MAKING AND PROFILING?
In relation to the business relationship with the data subject, the Bank shall not implement automated individual decision-making that would produce legal effects with negative consequences for the data subject pursuant to Article 22 of the General Data Protection Regulation:
In some cases, the Bank applies automated decision-making, including profiling for the purpose of assessing the conclusion or execution of contracts between the data subject and the Bank, for example making automated decisions in the process of assessing the risk of the data subject in accordance with the Credit Institutions Act and EU Regulation No. 575/2013 (e.g. granting of credit based on the application assessment of credit exposures) and in accordance with the Anti-Money Laundering and Terrorist Financing Act, when developing the money laundering risk analysis model. In the case of automated decision-making, the data subject has the right not to be subject to a decision based solely on automated processing, that is, the data subject has the right to request human intervention from the Bank in order to express his or her position and challenge the decision.
In doing so, the data subject, in accordance with Article 22 of the General Data Protection Regulation, shall not be entitled to request that the decision does not apply to him/her if the decision is necessary for the conclusion or execution of the contract, based on consent or authorised by the law of the Union or the Republic of Croatia.
V. HOW LONG DOES THE BANK KEEP PERSONAL DATA?
The bank shall store personal data as long as it is necessary for the performance of contractual and legal obligations. A special internal act sets deadlines for storing documents and data processed by the Bank in its operations.
The Bank keeps personal data for as long as it is determined by a specific regulation that the Bank is obliged to apply in its operations (e.g. Anti-Money Laundering and Terrorist Financing Act, the Credit Institutions Act, etc.), i.e. no longer than is necessary for achieving the purpose for which the data are processed. As a credit institution, the Bank applies the Credit Institutions Act in its operations, which stipulates that the data of the data subject shall be kept for at least 11 years, following the end of the year in which the contractual relationship ceased to exist. In exceptional cases, it is possible that data may be processed longer when necessary for other justified purposes (e.g. for the purposes of judicial proceedings and other legal proceedings, etc.), whereby the data storage periods may be extended. In situations where there is no prescribed storage period for individual data processing, the Bank, as the data controller, shall define the storage period and the data is always kept for as long as minimally required to achieve the purposes for which they are processed.
VI. IS PERSONAL DATA SHARED WITH THIRD PARTIES?
The Bank shares data with third parties based on:
a) data subject's consent, or
b) the execution of the contract in which the data subject is a party, or
c) the provisions of laws and by-laws.
Personal data will be shared with certain third parties which the Bank is legally obligated to share data with, such as the Financial Agency, Ministry of Finance – Office for the Prevention of Money Laundering, Tax Authority, other institutions in the Republic of Croatia and EU –which the Bank is authorized or obligated to share personal data with in line with existing laws and other relevant regulations that regulate banking business (for example, the Anti-Money Laundering Act or the Act on Administrative Cooperation in the Field of Taxes). Data subject's personal data may also be shared with persons that the Bank has a contract with and/or to whom the Bank entrusted the processing of its data subject's data (data processors in accordance with Article 28 of the General Data Protection Regulation) for the purpose of providing certain services.
For example, this includes providers of postal services, document processing services, logistics services, IT and telecommunication services, consulting services, sales and marketing services, and debt collection agencies/companies, as well as law firms, members of UniCredit Group, or UniCredit's superior credit institution for the purpose of managing risk at the level of a group of undertakings.
We want to stress that these persons who, due to the nature of the job they perform with the Bank or for the Bank, have access to private data are equally obligated to protect that data as a banking secret in line with the Credit Institutions Act and other regulations that regulate confidentiality of data.
Specifics related to the purpose of processing personal data, recipients or categories of recipients, legal basis for the processing of personal data and the sharing of personal data with other recipients are described in more detail in specific documents such as the questionnaires based on which the Bank collects certain data and applications and contracts for using certain bank services or products.
Additionally, the Bank may transfer data outside the European Economic Area (hereinafter: third countries) only:
In every case, the transfer of personal data to a third country or international organisation may only happen when the European Commission decides that the third country, field of work or one or more sectors within that third country or the international organisation in question ensure the appropriate level of protection of data subject's personal data.
VII. WHAT ARE DATA SUBJECT'S RIGHTS?
Every data subject whose personal data the Bank processes as a data controller has the following rights:
(1) Right to access the data (in accordance with Article 15 of the General Data Protection Regulation) – allows the data subject to find out whether their personal data are processed, i.e., they have the right to receive confirmation from the Bank about whether their personal data are processed, the purposes of processing, the categories of personal data, recipients or categories of recipient, the envisaged period for which the personal data will be stored and similar.
(2) Right to rectification of data (in accordance with Article 16 of the General Data Protection Regulation) – allows the data subject to request a rectification of inaccurate or incomplete data concerning him or her.
(3) Right to erasure (in accordance with Article 17 of the General Data Protection Regulation) – allows the data subject to request erasure of personal data, where the Bank is not allowed to erase data subject's personal data if processing is necessary (for example, for compliance with the legal obligation to store data or for the establishment, exercise or defence of legal claims).
(4) Right to restriction of processing (in accordance with Article 18 of the General Data Protection Regulation) – allows the data subject to request the restriction of processing of personal data when the data subject is contesting the accuracy of personal data; when the data subject believes that the processing is unlawful and opposes the erasure of the personal data, requesting the restriction of their use instead; and in cases when the data subject has submitted an objection to the processing and is awaiting confirmation whether the controller's legitimate interests override those of the data subject.
(5) Right to data portability (in accordance with Article 20 of the General Data Protection Regulation) – allows the data subject to transmit personal data to another controller. It should be noted that the right to data portability applies only to data that the data subject himself/herself provided to the Bank.
(6) Right to object (in accordance with Article 21 of the General Data Protection Regulation) – allows the data subject to submit an objection to the processing of their personal data if the processing is performed for the public interest or is necessary for the purpose of the Bank's legitimate interest (including profiling) or if the data subject's data is processed for direct marketing purposes. The Bank will refrain from further processing of data subject's personal data, unless it demonstrates compelling legitimate grounds for the processing (grounds which override the interests, rights and freedoms of the data subject) or unless the processing is necessary for the establishment, exercise or defence of legal claims.
(7) Right to lodge a complaint with a supervisory authority (in accordance with Article 77 of the General Data Protection Regulation) – i.e., with the Croatian Personal Data Protection Agency.
VIII. HOW CAN DATA SUBJECTS EXERCISE THEIR RIGHTS?
You can exercise your rights by visiting any of the Bank's branch offices or via the e-branch office if you use e-zaba. You can also access the Bank's e-branch office by using m-zaba if you are a user of both m-zaba and e-zaba. The precondition for exercising your rights is only your unambiguous identification.
The Bank will notify you about actions it has undertaken without needless delay, and no later than one month from receiving the request. In exceptional circumstances, this period may be extended by an additional two months, taking into account the complexity and number of requests, which the Bank is obligated to notify you about.
Data subjects may reach out to the Bank's employees at any of the Bank's branch offices or to the Data Protection Officer who can be contacted in written at: Zagrebačka banka d.d., Data Protection Officer, 10 Josip Jelačić Square, 10000 Zagreb; or by e-mail at: sluzbenik.za.zastitu.osobnih.podataka@unicreditgroup.zaba.hr.