Personal data protection

The operator is the company Tatra banka, a.s., ID number: 00 686 930, registered office: Hodžovo námestie 3, 811 06 Bratislava, registered in the Commercial Register of the City Court Bratislava III, section: Sa, insert number: 71/B, contact: DIALOG Live, *1100 / 0800 00 1100 / +421 2 5919 1000 (hereinafter referred to as "Tatra banka").

Ensuring the protection of your personal data is very important to us, and therefore, when processing personal data, we strictly ensure compliance with applicable legal regulations, especially the principles and requirements arising from the GDPR. We have set appropriate technical and organizational measures that contribute to ensuring the protection of the processed personal data of our clients.

In case of any questions related to the processing of your personal data, please contact our DPO (Data Protection Officer), who is entrusted with the supervision of the processing of personal data in our company. You can contact the DPO by email at [email protected] or in writing at the address: DPO, Tatra banka, a. s., Hodžovo námestie 3, 811 06 Bratislava 1.

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Data subject - Natural person whose personal data are processed. It is a person who can be identified directly or indirectly, especially with reference to the identifier such as name, identification number, online identifier or one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identify of this natural person.

Client - Person with whom Tatra banka, in performing its banking activities, entered into transaction, where a bank transaction means formation, change or termination of contractual relationships between the client and Tatra banka. The Clients also means a person with whom Tatra banka discussed an execution of transaction, although this transaction was not executed , the person who ceased to be a client of Tatra banka, a person providing security and the representative of a client who concluded a banking transaction on behalf of the client or negotiated such conclusion. For the purposes of this document, the Client is also a beneficiary defined by AML Act.

Processing - Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Anti Money Laundering - Prevention of legalization of proceeds from criminal activity and financing of terrorism.

Client filing system - Organised set of personal data processed by Tatra banka for the following purpose: Provision of banking services, financial and related services, identification of Tatra banka clients and identification of Tatra banka contract partners* (*Contract partner is an entity Tatra banka cooperates with at receiving payment means in the extent in which it could not be considered as the Client under other circumstances).

Marketing filing system - Organised set of personal data processed by Tatra banka for the following purpose: Informing about products, innovations and services provided by Tatra banka in connection with obtaining benefits from Tatra banka.

Controller - Any person who, alone or together with other parties, determines the purposes and means of personal data processing and processes personal data on their behalf. For purposes hereof the controller is Tatra banka.

Processor - Any person who processes personal data on behalf of the controller on basis of authorisation
in compliance with Article 28 GDPR.

Act on Banks Act
No. 483/2001 Coll. on Banks.

AML Act
No. 297/2008 Coll. on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing on Amendments and supplements to Certain Acts as amended.

Act on Securities
Act No. 566/2001 Coll. on Securities and Investment Services

Act on Collective Investment
Act No. 203/2011 Coll. on Collective Investment

Act on Payment Services
Act No. 492/2009 Coll. on Payment Services

Act on Financial Intermediation and Financial Counselling
Act No. 186/2009 Coll. Financial Intermediation and Financial Counselling

Act  on Accounting
Act No. 431/2002 Coll. on Accounting

Personal data are any information related with the identified or identifiable natural person who can be determined directly or indirectly, especially by referring to the identifier such as name, identification number, localisation data, online identifier or by referring to one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identity of the respective natural person.

Tatra banka processes only those personal data which are required for achieving the particular processing purposes. Personal data are processed always for the pre-determined and legitimate purpose while it would not be possible to achieve such purpose without processing of the respective data.

Provision of the respective data is a legal requirement of yours and no banking transaction can be executed without them being provided in case of processing of personal data on legal grounds determined by legal regulations such as in case of processing for purpose of provision of banking services, financial and related services, identification of bank´s clients and identification of bank’s contract partners. Hence, non-execution of a transaction results from non-provision of the respective data.

Provision of data by the Client is voluntary in case of processing of personal data based on Client's consent, such as in case of processing in terms of the Marketing filing system. With the aim to adjust the offer of products and services directly to your requirements, Tatra banka evaluates information processed about you in order to provide you with a targeted offer and this way eliminate sending of non-targeted marketing offers. Granting the approval is voluntary. If you decide not to grant the approval, Tatra banka will not be allowed to send you
marketing information or offers in this particular case.

Recording telephone calls at DIALOG Live
Tatra banka records all telephone calls executed via DIALOG Live. Personal data obtained in this way are processed in the filing systems of the bank – Client filing system and Marketing filing system, and that for purposes determined for the respective filing systems.

Tatra banka's activities include processing of various categories of personal data which differ depending on the purpose of processing and nature of the particular processing activity. Such personal data categories are as follows:

In case of Client filing system:

• Identification data (for instance name, surname, date of birth, birth identification number, data from theidentification document, nationality, identification document photography, client number, product number),
• Contact data (for instance permanent/temporary residence address, e-mail address, telephone number),
• Data about the utilised products and services (e.g. data about the utilised products and services, data related with processing of your suggestions),
• Sociological and demographic data (for instance age, sex, family status, education, number of persons in household, information about income, type of employment, information related to politically exposed person),
• Economic data (for instance data about ownership of movable and immovable objects, data about total revenues or regular household costs, data about the type of housing),
• Data whether the Client or potential client is in a special relationship with the bank,
• Data about classification of the Client in the register pursuant to § 92 par. 7 Act on Banks or about classification of the Client in other similar register,
• Transaction data (for instance data about the executed transactions, data about beneficiaries and senders, data about utilisation of payment means),
• Geolocation data (for instance data about the place of transaction execution, data which identify device by means of which the transaction was executed, data about the place where the payment card was used),
• Data required for monitoring of secure utilisation of products and services (for instance IP address of the used device, data about the used device and browser),
• Biometric data (for instance voice, face or signature identification),
• Video and audio recordings (for instance camera recordings executed at conclusion of transactions, recordings of telephone calls executed by means of DIALOG Live),
• Copies of documents including identification documents (and photographs from the respective documents),
• Data related with utilisation of our websites and applications (for instance cookies),
• Other relevant data (for instance data about execution proceedings, bankruptcy proceedings, personal bankruptcy, data related with meeting your contract duties and obligations, data about your payment discipline, data from credit registers, data about inclusion in the list of clients the international sanctions relate to).

In case of Marketing filing system:

• Data related with utilisation of websites and applications (for instance cookies),
• Data ensuing from activities on social networks,
• Relevant data processed about you in the Client filing system including geolocation data (for instance data about the place of transaction execution, data which identify device by means of which the transaction was executed, data about the place where the payment card was used).

The number of personal data categories set forth herein represents a full and complex account of all personal data categories which can be considered in terms of the particular purpose of processing at provision of the comprehensive scope of banking products and services in all states of a contract relationship. Individual account of personal data categories for individual clients will therefore be just a sub-group of this account.

Tatra banka processes your personal data always for the pre-determined and legitimate purpose of processing while respective legal grounds for such processing must always exist. Tatra banka would like to assure you that your personal data are never further processed for purposes which are incompatible with the originally determined purposes of processing.

Tatra banka's activities might include processing of your personal data for the processing purposes as follows:

Providing banking services, financial and related services, identification bank clients and identification of contract partners of the bank

This purpose includes especially:

• Identification of clients,
• Conclusion of contract relationships with the Client including pre-contract relationships,
• Maintenance of contract relationships including changes and termination of contract relationships,
• Acceptance and processing of suggestions and complaints of Clients,
• Relationship management,
• Protection and seeking the rights of Tatra banka towards Clients,
• Meeting Tatra banka's obligations in the field of AML,
• Activities related with performance of the tasks and obligations of Tatra banka pursuant to valid legal regulations,
• Maintenance of separate records of Clients who do not meet their obligations ensuing from the contract relationships with the bank duly and on time, Clients who have committed action considered by the bank as unusual business transaction and Clients the international sanctions relate to,
• Maintenance of the list of persons with a special relationship with Tatra banka,
• Activities related with meeting the archive duties.
• Informing and providing awareness of clients in connection with the impact of their financial activities on sustainability and environment

In this case, your personal data are processed in the scope required in order to observe the legal obligations of Tatra banka, with the Article 6, par. 1, letter c) GDPR being a legal base for the processing, and hence the processing is required to meet the legal obligations. The legal regulations to be observed are especially the following:

• Act on Banks,
• AML Act,
• Act on Securities,
• Act on Collective Investment,
• Act on Payment Services,
• Act on Deposit Protection,
• Act on Consumer Loans and Other Credits and Borrowings for Consumers,
• Act on Home Loans,
• Act on Financial Intermediation,
• Act on Insurance Services.

Pursuant to §93a par. 9 of the Act on Banks Tatra banka for the purposes of ascertaining, verifying and checking the identification of clients and their representatives, for the purposes of concluding and carrying out transactions with clients, for other purposes according to §93a par. 3, as well as for the purposes of updating the data already stored by Tatra banka about clients and their representatives, Tatra banka is entitled to obtain data according to §93a par. 1. The bank has decided to proceed in accordance with the aforementioned provision and to update the data whenever it is technically possible from the bank's point of view. The bank will update it whenever there is a change in the client's identity card and thus the data entered in it. The bank informs the client about the implementation of the change through the electronic means of communication that the client has chosen for communication. 

Tatra banka may proceed to processing of your personal data in cases when the scope of personal data set
forth by the legal regulations set forth herein is not sufficient for achieving the determined purpose of processing,
also under the following legal grounds:

• if it is necessary for performance of the contract concluded between you and Tatra banka including precontract relationships pursuant to Article 6 par. 1 b) GDPR,
• if you have granted consent to processing of your personal data for the particular purpose/purposes pursuant to Article 6 par. 1 a) GDPR,
• if you have granted consent to processing of your personal data for the particular purpose/purposes pursuant to Article 9 par. 2 a) GDPR,
• if processing is necessary for proving, claiming or justification of legal claims pursuant to Article 9 par. 2 f) GDPR.

Your personal data might also be processed if it is required for the purposes of the legitimate interests of Tatra banka or a third party, and that pursuant to Article 6 par 1, letter f) GDPR. Such legitimate interests are:

• Tatra banka is obligated to proceed with expert care in terms of its activities and in connection therewith has legitimate interest in prevention against criminal activity or other illegal action which can cause damage or harm reputation of the bank or any other detriment, or against action which can negatively impact the activity of the bank or put its employees or other data subjects in danger, and for this purpose it is entitled to keep the list of persons with potential risk while this processing may lead to termination of the contract relationship or rejection of transaction execution.
• Tatra banka as a significant banking institution providing financial and related services to a large number of clients is aware of its social responsibility in the area of protection of the environment and support of sustainability and has a legitimate interest in the related provision of information and creation of client awareness in the field of sustainable behaviour and support of the environment, and that especially in form of providing information to clients about the impact of their financial activities on the environment. In terms of this legitimate interest, the bank evaluates client transactions and tries to provide them with the best possible overview about the impact of their individual transactions on the environment in the form of providing information about the volume of produced CO2. Such processing aims to positively affect the behaviour of bank's clients towards a responsible utilisation of natural resources.

Execution of video and audio recordings

In compliance with Section 38a (2) Act on Banks, Tatra banka is obligated to monitor using a camera monitoring security system with a 24-hour recording in the quality, which allows to distinguish persons and premises where contact with clients and also manipulation with cash is executed. Premises are monitored in such manner for instance at bank's branches. Tatra banka stores such executed recordings with are reference to Section 93a (7) Act on Banks for the period of 13 months after their making.

According to Section 93a (7) Act on Banks: The premises of banks, foreign bank branches, and Národná banka Slovenska, as well as automated teller machines and currency exchange machines located outside the premises of banks and foreign bank branches, may be monitored using video cameras or sound recording equipment even where there is no notice that the area is under surveillance; 88ia the recordings may be used to reveal criminal acts, detect and search for the perpetrators, and in particular to ensure effective protection against money laundering and terrorist financing, to uncover illegal financial operations, judicial proceedings, criminal proceedings, misdemeanour proceedings, and to supervise the discharge of obligations imposed by law on banks and foreign bank branches. 88ia Any such video or audio recording made by a bank, foreign bank branch or Národná banka Slovenska shall be handed over without delay to the authority mentioned in Section 91(4)(b), (g), (o) and (p), if it so requests. If a recording is not used for these purposes, then it shall be destroyed without delay by the person who made it, after the expiration of thirteen months after its making".

Tatra banka has a legitimate interest, in compliance with Article 6 par. 1 (f) GDPR, to protect the property, rights and interests of Tatra banka and other parties protected by law, which results in the monitoring of ATMs and their immediate surroundings by the security system with a 24-hour recording in the quality, which allows to distinguish the person. The purpose of such processing is: Protection of property, rights and interests of Tatra banka and other arties protected by law. Tatra banka stores such executed recordings for the period of 15 days.

In connection with the monitoring of ATMs and their immediate surroundings based on a legal ground, which is the justified interest of Tatra banka, the affected person is entitled, in compliance with the Article 21 (1) GDPR, to object against such processing. Further information about your rights as the affected person, including the right of objection are available in Clause 13 Information Memorandum of Personal Data Protection.

Marketing

Tatra banka processes your personal data on legal grounds of your prior voluntary consent or under legitimate interests of Tatra banka for purposes of informing about products, innovations and services provided by Tatra banka, and also in connection with obtaining advantages by Tatra banka including creation of offers for such advantages at utilisation of profiling.

In case you have granted your consent to processing of your personal data for the purpose set forth herein to Raiffeisen Group, your personal data may be processed (i) by entities with direct or indirect property interest in Tatra banka, (ii) by entities in which Tatra banka has direct or indirect property interest, (iii) by entities in which the entity with property interest in Tatra banka has direct or indirect property interest, (iv) by entities having direct or indirect property interest in the entity with property interest in Tatra banka. For purposes of this document these are especially the following entities:

• Doplnková dôchodková spoločnosť Tatra banky, a. s., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 36291111,
• Tatra Asset Management, správ. spol. a. s., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 35742968,
• Tatra Leasing, s. r. o., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 31326552.

Tatra banka has legitimate interest in taking care for its Clients and developing business relations with its Clients, and hence informing them about its products, innovations, services or offers of various benefits. In relation thereto Tatra banka can contact you yet without your prior consent while it will inform you of such processing of your personal data and instructs you about your rights, especially about the right to object to processing of your personal data. Naturally, this is not the case if you have expressed your disapproval of such contact or if you object it.

Further information about your rights as the affected person, including the right of objection against processing in the legitimate interest are available in Clause 13 Information Memorandum of Personal Data Protection.

Tatra banka may communicate with you for the above purpose by means of automatic calling system, telephone, e-mail, text message or via other means of distance communication.

With the aim to adjust the offer of products and services directly to your requirements, Tatra banka evaluates information processed about you in order to provide you with a targeted offer and this way eliminate sending of non-targeted marketing offers.

For the purposes set forth in this section, the Client also means a person with whom Tatra banka discussed or wishes to discuss an execution of transaction, although this transaction was not executed, the person who ceased to be a client of Tatra banka, a person providing security and the representative of a client who concluded a banking transaction on behalf of the client or negotiated such conclusion.

Pursuant to Article 4 Clause 14 GDPR, biometric data are “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data“. Biometric data belong to a specific category of personal data whereof processing is subject to separate
requirements, especially in the area of legal grounds of processing or meeting other terms and conditions pursuant to GDPR.

Biometric data are processed also in terms of Tatra banka's activity as part of the Client filing system. The scope of processing includes the following personal data:

• Biometric voice characteristics
  Tatra banka is entitled to process biometric characteristics of your voice pursuant to § 93a par. 2 Act on Banks. Hence, the legal ground form processing in this case is the law.
• Biometric face characteristics
  Tatra banka can process biometric characteristics of your face in order to maintain or increase the level of security and unique identification of clients and avoid damages caused to the clients by third parties by taking their identity, and to simplify execution of banking transactions. However, such processing is done only on legal basis of consent and in case it is not granted, such processing will not be done. Client’s consent is the legal basis for processing.
• Biometric signature characteristics
  Tatra banka can process biometric characteristics of your signature in order to maintain or increase the level of security and unique identification of clients and avoid damages caused to the clients by third parties by taking their identity, and to simplify execution of banking transactions. However, such processing is done on legal basis of consent and in case it is not granted, such processing will not be done.
  
  Within the purpose being: the provision of banking services, financial and related services, identification of Tatra banka clients and identification of Tatra banka contract partners, certain banking operations involving the processing of the biometric characteristics of a signature on the legal basis referred to in Article 9 par. 2 f) GDPR and, therefore, where the processing is necessary for the establishment, exercise or defence of legal claims.  Such cases include, for example, the signature of the client or those of the client’s authorised persons on an electronic document executed in connection with making a cash deposit or carrying out a foreign exchange operation.

Based on changes executed in the legal order related to GDPR it is necessary, following the change of legal
definition, to consider yet the current authentic signature in digitalised form as signature containing the biometric
signature characteristics.

Automated decision making including profiling belongs to the processing operations which are worth special attention, executed by the Client filing system.

Processing of a request for provision of a banking service results in automated decisions made on basis of profiling. Profiling of a Client considers the data obtained by Tatra banka at the time of request and also data registered by Tatra banka in terms of previous Client's history in Tatra banka, as well as data obtained in compliance with valid legal regulations from external resources and the system executes automated decisions on basis of these data. The bank considers several data at profiling, which can impact the decision regarding the request both positively and negatively. The data which are considered are data about potential Client risk rate, Client's assets and liabilities with Tatra banka, Client's payment discipline, regularity of utilisation of banking products and data the bank obtains from the Client at the time when conclusion of the given transaction is negotiated.

Tatra banka evaluates the respective data in regular intervals and estimates the risk profile of the Client based on these data. In case of a Client with no previous history in Tatra banka the bank evaluates the data obtained from the Client's request and data obtained in compliance with the valid legal regulations from external resources. The request is considered at the automated decision making on basis of the obtained risk profile of the Client.

This decision may affect automatic request refusal, maximum approved amount of individual loans, possibility of provision of individual products, maximum maturity of the requested product and the LTV threshold. Client's risk profile as such has direct impact on the proposal of conditions by the bank and it basically applies that the better the Client's risk profile, the better the conditions for the Client suggested by the bank.

The data set forth herein and also data about behaviour of clients at payment delay can be used for the process of decision making regarding the optimum recovery process and can affect selection of the loan recovery or restructuring strategy. Data can also be used for the activities for the purpose of avoiding the delay of the client.

In case of automated decision making including profiling pursuant to Article 22 GDPR at processing of your request for a banking product, you will be entitled to human intervention by Tatra banka on your own standpoint and also to object the decision adopted on basis of automated decision making including profiling.

Automated decision making happens:

• when a loan transaction conclusion is negotiated,
• when the amount of optional overdraft which belongs to the current account of a client is reviewed.

Your data may be provided and made available for the respective registers in connection with consideration of
Client's ability to repay the loan:

• Slovak Banking Credit Bureau (hereinafter referred to as “SBCB“) created pursuant to § 92a par. 1 Act on Banks as the common banking register the provider whereof is Slovak Banking Credit Bureau, s. r. o., Company ID No: 35869810 seated at Mlynské nivy 14, 821 09 Bratislava (hereinafter referred to as “SBCB”), established as a joint venture of auxiliary banking services in compliance with § 92a par. 2 Act on Banks. The legal ground for processing of personal data in the SBCB is Article 6 par. 1.c) GDPR jointly with Article 6 par. 2 GDPR, as well as the Act on Banks. Personal data categories and purpose of personal data processing in the SBCB is determined by the Act on Banks. Provision of personal data is executed pursuant to the Act on Banks.
• Slovak Banking Credit Bureau, section Register of Consumer Loans Data is a register pursuant to § 7 par. 3 and § 7 par. 9 Act on Consumer Loans and register pursuant to § 8 par. 20 Act on Home Loans, in the scope pursuant to § 7 par. 9 Act on Consumer Loans (hereinafter referred to as the “Register”). The bank is obligated to provide the data to the Register and obtain the data from the Register without Client´s consent in compliance with the Act on Consumer Loans and Act on Home Loans. The legal ground for processing of personal data in the Register is Article 6 par. 1 c) GDPR, Act on Consumer Loans and Act on Home Loans. Categories of personal data processed in the Register are determined by the Act on Consumer Loans and Act on Home Loans while the purpose of personal data processing in the Register is provision of consumer loans and/or housing loans and consideration of the ability of the consumer to repay the consumer loan and/or housing loan. Provision of personal data in these cases is a legal requirement. Comprehensive information in terms of Article 14 GDPR about personal data processing in the SBCB and Register form the contents of Annex 1 hereof.

Tatra banka shall not provide your personal data to other entities, except for the cases in which you have granted your consent or written instruction to Tatra banka for such provision of data or if other legal ground for provision of your personal data to other entities exists, for instance in case of performance of the legal obligation of Tatra banka as the controller. Provision of your personal data to other entities in terms of performance of the legal obligation can be executed in the environment of Tatra banka only in cases set under the Act on Banks. In accordance with the Act on Banks, Tatra banka is obligated to provide personal data of its client without client's consent to the National Bank of Slovakia, to persons authorised to perform banking supervision including the invited persons and persons specified in § 6 par. 7 and § 49 par. 2 Act on Banks, resolution board for purposes of its function pursuant to the Act on Banks or a separate regulation, to auditors for the activities specified in the Act on Banks or separate act and to the Deposit Protection Fund for meeting the tasks pursuant to the separate
regulation.

Tatra banka is obligated to provide your personal data pursuant to § 91 par. 4 Act on Banks, it is also obligated to provide your personal data to the following entities based on a written request:

• court including notary public as commissioner,
• law enforcement authority or court,
• tax authority, customs authority or tax administrator,
• National Audit Office,
• bailiff authorised to perform the execution pursuant to a separate regulation or the Slovak Chamber of Executors Chamber of Executors,
• respective state administration authority,
• criminal police and financial police services of the Police Force,
• Ministry at the execution of control appointed under a separate legal regulation,
• trustee or preliminary trustee in bankruptcy or restructuring procedure, settlement procedure or procedure on discharge of debits, or supervisory trustee who executes supervisory administration,
• respective state authority in terms of execution of resolution,
• National Security Authority, Slovak Information Service, Military Intelligence and Police Force,
• Office for Personal Data Protection,
• Supreme Audit Office of the SR
• Judicial treasury,
• Slovak Information Service,
• Military Intelligence,
• Agency for provision of assistance to clients in the scope required for verification of data concerning repayment of loan obligations and financial and property situation of clients asking for being registered or registered for the programme of assistance to clients who have lost the ability to repay home loans in consequence of the economic crisis,
• Financial Administration Criminal Office,
• Ministry in connection with the application of international sanctions pursuant to separate regulation,respective court in the scope required for meeting the tasks upon identification of the end user of benefits and maintenance of the register of public sector partners pursuant to a separate regulation,
• bank or branch of foreign bank for purposes of verification of information pursuant to § 27c par. 2 and § 27d par. 3 second sentence of the Act on Banks,
• Antimonopoly Office of the Slovak Republic,
• Financial Directorate of the Slovak Republic,
• Social Insurance company.

Tatra banka may also provide personal data to other entities without your consent in terms of meeting the legal
duties:

• in the area of providing and securing payment services pursuant to the Act on Payment Services,
• in the area of protection against legalisation of incomes from criminal activities and financing of terrorism pursuant to the AML Act,
• in connection with reporting to the law enforcement authorities about suspicion that a crime is being prepared, being committed or was committed,
• in connection with the reporting duty to the respective authority of the Slovak Republic for the purpose of automatic exchange of information about financial accounts for purposes of tax administration pursuant to a separate regulation (FATCA, CRS),
• in connection with consideration of the ability to repay a consumer loan pursuant to the Act No. 129/2010 on Consumer Loans and Other Credits and Loans for Consumers and on amendments to certain laws as amended,
• in connection with meeting the reporting duty towards the National Security Authority in the field of cybersecurity pursuant to the Act No. 69/2018 Coll. on Cybersecurity.

Also please note that Tatra banka and entities from the Raiffeisen Group have legitimate interest in mutual sharing of personal data processed in the Client filing system which can lead also to cross-border transfer of data, and that in terms of:

• protection against legalisation of incomes from criminal activities and financing of terrorism,
• meeting the duties connected with the execution of banking activities at the level of the Raiffeisen Group,
• in connection with consideration of financial standing and credibility of clients.

Tatra banka and its subsidiaries act as a set of entities subject to supervision on a consolidated basis and fulfill selected legal obligations jointly and in cooperation with each other.

In connection with the above, we inform you that Tatra banka, as well as Tatra banka's subsidiaries, have a legitimate interest in the consistency of the data of clients who are clients of Tatra banka and at the same time clients of Tatra banka's subsidiaries, as well as in keeping the processed personal data up-to-date, therefore Tatra the bank as an operator, which is authorized on the basis of §93a par. 9 of the Banking Act, even without the consent of the persons concerned, to obtain data recorded in the register of natural persons and data kept in the register of identity cards, may provide such current personal data for the purpose of updating already processed personal data to other subsidiaries of Tatra banka.

Tatra banka's subsidiaries for this purpose are:

• Supplementary pension company Tatra banka, a. s., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID number: 36291111,
• Tatra Asset Management, admin. spol. a. s., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID number: 35742968,
• Tatra Leasing, s. r. o., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID: 31326552.

In connection with mutual sharing on legal grounds, which is the legitimate interest of Tatra banka, the affected person can object against such processing in compliance with Article 21 par. 1 GDPR. Further information about your rights as the affected person, including the right of objection are available in Clause 13 Information Memorandum of Personal Data Protection. 

As part of the provision of selected banking services, Tatra banka cooperates with selected third parties, such mutual relationship being defined as a relationship between two individual controllers. These are cases where such cooperation is necessary for the provision of both the bank’s services as well as the services of the third party. Such third parties are, for example:

• APPLE DISTRIBUTION INTERNATIONAL in providing the Apple Pay service
• Diagnose.me, a.s. in operating the website www.diagnose.me

Tatra banka does not publish your personal data.

Processors

Tatra banka may process your personal data in certain cases also by means of its processors. Processor is an entity authorised by Tatra banka to process personal data in compliance with the Article 28 GDPR. Authorisation for processing of your personal data by an processor does not require your consent or other legal ground such as in case of provision of data to other controllers. In such case the processor processes your personal data on behalf of Tatra banka as the controller.

Processing of personal data by means of an processor has no negative impact on performance and application of your rights as the data subject determined in Chapter III GDPR while the client can apply the respective rights with Tatra banka as the controller also directly with the particular processor which processes your personal data.

Tatra banka wants to assure you that it only uses the processors providing appropriate technical, organisational and other measures so that processing meets the GDPR requirements and protection of rights of the data subject is provided in full extent.

Tatra banka uses the following categories of processors at processing of your personal data:

• companies which provide or execute financial and related services,
• companies which provide payment services and monitoring of payment services,
• companies which execute customer satisfaction surveys,
• companies which provide marketing activities,
• companies which provide print services and services of mass correspondence,
• companies which execute maintenance of registry records pursuant to separate regulations,
• companies which provide administrative services connected with delivery of petitions at the cadastral division of the respective district authorities and execution of other activities related with presenting a proposal for entering a record of mortgage in the Land Registry,
• companies which provide retention activities,
• companies which provide recovery and maintenance of receivables,
• companies which provide execution of mortgage by means of public auction.

Transfer of personal data to third countries

Personal data are not the subject of cross-border transfer to third countries that do not ensure an adequate level of personal data protection except for the cases specified by valid legal regulations or specific situations when the Client must be notified of such transfer in advance.

Processing of personal data using cloud solutions

When processing personal data, cloud solutions or solutions of a similar technical nature are used in many cases. The use of such solutions is, for example, in many cases required as part of the implementation of state-of-the-art software tools, or improves efficiency and cost-effectiveness. Last but not least, such solutions also help maintain the integrity of the processed data and contribute towards the security of processing.

Depending on the type of processing activities, in such processing the providers of cloud or similar services act mainly as processors in accordance with Article 28 of the GDPR. In selecting its partners and in the course of the processing activities, Tatra banka is very careful to avoid any risk of data security breach or any negative impact on the rights of data subjects. Tatra banka also consistently makes sure to select only partners who have demonstrably implemented appropriate technical and organisational measures to ensure the level of security pursuant to point (c) Article 28 par.3 c) and Article 32 of the GDPR, so that the processing is performed in compliance with the valid legal regulations, in particular the GDPR, and to ensure protection of the rights of data subjects.

In such processing, personal data are not transferred to third countries which do not guarantee an adequate level of protection under the GDPR

In certain situations where two or more controllers jointly determine the purposes and means of processing, the processing of personal data may be performed through joint controllers in accordance with Article 26 of the GDPR.

Such joint operators are also Tatra banka and the Tatra banka Foundation in the processing of personal data for the purpose of documenting, supporting and promoting the public benefit activities of Tatra banka and the Tatra banka Foundation and informing the public about these activities. These joint controllers have a legitimate interest in documenting, preserving and informing the public about the activities of the Tatra banka Foundation and Tatra banka, which serve to support the public benefit purpose. Within the purpose of the processing, records may be made in a form allowing individual identification of the data subject.

The information contained in this information memorandum, in particular the information concerning the data subject’s rights set out in the Clause 13 (including the right to object against the processing in the legitimate interest), as well as the contact details of the Controller, shall apply mutatis mutandis to the processing of personal data by joint controllers.

Tatra banka shall retain your data in a form enabling your identification for the period necessary to achieve the
purpose of personal data processing.

If your personal data are being processed with your consent, Tatra banka will store personal data after the
consent is revoked or its validity expires only for the period required to demonstrate, apply or defend legal claims
of Tatra banka. This also applies in case of processing under the contract.
If your personal data are being processed in terms of performance of the legal obligation of Tatra banka, the
respective legal regulations specify the period during which Tatra banka is obligated to store your personal data
and related documents. Such legal regulations include especially:

• Act on Banks, which stipulates that Tatra banka is obligated to store and protect against damage, change, destruction, loss, theft, disclosure, misuse and unauthorised access the data and copies of data proving client's identity and documents about detecting ownership of the means utilised by the client for the transaction and contracts and other documents about the executed transactions for the period of at least five years after the transaction terminated.
• AML Act, which stipulates that Tatra banka is obligated to store during the period of five years:
  - after the contract relationship with the client terminated: data and written documents obtained in connection with care provided for the client and in connection with detecting unusual business transaction,
  - after the execution of transaction: all data and written documents about the client.
• Act on Collective Investment, which stipulates the obligation to store identification or copies of documents about proving identity of investors and clients and documents about detecting ownership of the means utilised by investors and clients and executed transaction for the period of at least ten years after the transaction terminated (§ 55 Clause 5).
• Act on Securities, which stipulates the obligation to store and protect against damage, change, destruction, loss, theft, disclosure, misuse and unauthorised access the data and copies of data proving client's identity and documents about detecting ownership of the means utilised by the client for the transaction and contracts and other documents about the executed transactions for the period of at least ten years after the transaction terminated (§ 73 Clause 6).
• Act on Supplementary Pension Saving, which stipulates the obligation to store records and other documents related to the managed supplementary pension funds and provided services for the period of at least five years after termination of management of the supplementary pension fund the documents and beneficiary recipients for the period of at least five years after disclosure of the participation contract (§ 31 Clause 3).
• Act on Financial Intermediation, which stipulates the period for storing documentation for the period of at least ten years after commencement of validity of the contract on provision of financial service and the period of at least five years after termination of the contract on provision of financial consulting (§ 36).
• Act No. 431/2002 Coll. on Accounting, based on which the bank is obligated to keep and protect your personal data and related documents, which form part of the accounting documentation in the course of ten years following the year the accounting documentation relates to.

If your personal data have been processed based on your consent, Tatra banka will keep the personal data after the consent is revoked or after the consent validity period has expired for only such period, which is required to prove the application or defending the legal claims of Tatra banka. It also applies in case of processing based on a contract or legitimate interest. After the purpose of processing ends, a part of the processing purpose entitled “Archiving for the needs of protection of the provider's rights and proving, application or defending the legal claims, as well as providing collaboration to the respective authorities” is fulfilled. The legal base for processing under which the respective personal data were obtained, remains valid yet in such case.

In terms of the archiving period/storage period, personal data are being processed especially:

• in the manner stipulated by the respective legal regulation imposed on the bank,
• in connection with the communication of the bank towards the public authorities in terms of the protection of bank's rights,
• in connection with the protection of the rights and the right of bank's protected interests, for instance in terms of an internal analysis or internal investigation,
• in connection with the entries and other related communication with the respective authorities in terms of proving, application or defending the legal claims,
• in connection with the handling of collaboration provided to the public authorities in compliance with the legally defined conditions.

We adopt technical and organisational measures with the aim to protect your personal data against intentional or neglectful deletion, loss or change and unauthorised accession of your personal data.

Tatra banka employees, as well as Tatra banka contract partners who process personal data on behalf of Tatra banka are bound by the obligation of secrecy which lasts yet after the contract relationship terminates.

In connection with processing of personal data you have the right to file a compliant to the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Slovak Republic.

You have the right to correct the personal data related to you that are incorrect or to complete the personal data that are incomplete. Please do not hesitate to contact us in case you find out that the data we process in relation to you are incorrect or incomplete.

If your personal data are being processed based on the consent pursuant to Article 6 par. 1 GDPR or pursuant to Article 9 par. 2 GDPR, you are entitled to withdraw this consent at any time. However, withdrawal of consent has no impact on lawfulness of processing resulting from consent before its withdrawal.

Right to object to processing of your personal data

As the data subject, you have the right to object to processing of your personal data if the processing is being carried out on the legal grounds of the legitimate interests of Tatra banka, including objecting to profiling based on legitimate interests. Tatra banka may further process your personal data on grounds of legitimate interests only in case it proves the existence of inevitable legitimate grounds for processing which prevail over your interests, rights and freedom, or grounds for demonstrating, application or defending of legal grounds.

You are entitled to object to processing of your personal data at any time for purposes of direct marketing including profiling in the extent in which it is related to such direct marketing, and that in case of processing on legal grounds of legitimate interests of Tatra banka. If you object to processing for purposes of direct marketing, Tatra banka will not further process your personal data for purposes of direct marketing. As the data subject you are entitled to access your personal data. In case of meeting the terms and conditions defined by GDPR you can apply for a statement of your personal data which we process about you. In certain circumstances you can apply for restriction of processing, transfer of your personal data and you are also entitled to deletion of your personal data.

You can exercise your rights in writing, by telephone via our DIALOG Live service, by e-mail sent to [email protected] or in person at any branch. Tatra banka may ask you to provide additional information required for verification of your identity.

Slovak Banking Credit Bureau (hereinafter referred to as “SBCB”) created pursuant to § 92a par. 1 Act on Banks as the common banking register the provider whereof is Slovak Banking Credit Bureau, s. r. o., Company ID No: 35869810 seated at Mlynské nivy 14, 821 09 Bratislava (hereinafter referred to as “SBCB”), established as a joint venture of auxiliary banking services in compliance with § 92a par. 2 Act on Banks. Contact data of the responsible person specified by the provider are Mlynské nivy 14, 821 09 Bratislava, [email protected]. Slovak Banking Credit Bureau, “SBCB” – section Consumer Loans Register pursuant to the Act No. 129/2010 Coll. on Consumer Loans and Other Credits and Loans for Consumers is a register pursuant to § 7 par. (3) Act on Consumer Loans and register pursuant to § 8 par. (20) Act on Home Loans, in the scope pursuant to § 7 par. (9) Act on Consumer Loans (hereinafter referred to as the “Register”). The Bank is obligated to provide data to the Register and obtain data from the Register without consent of the Client pursuant to the Act on Consumer Loans and Act on Home Loans.

Categories of personal data and purpose of processing of personal data in the SBCB is stipulated by the Act on Banks.

Categories of personal data which are processed in the Register and purpose of processing of these data are determined by the Act on Consumer Loans and Act on Home Loans.

The legal grounds for processing of personal data in SBCB is Article 6 par. 1., letter c) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Regulation”), in connection with Article 6 par. 2 Regulation, as well as the Act on Banks.

The legal grounds for processing of data in the Register is Article 6 par. 1., letter c) Regulation, Act on Consumer Loans and Act on Home Loans.

Personal data processed both in SBCB and the Register come from banks and branches of foreign banks. The period of personal data processing and storage is determined for the period of duration of the obligations and 5 years after termination of all obligation of the Client¹ towards the bank in relation to the particular loan contract², and in case no loan contract is concluded, 5 years after having granted the consent. Personal data are subsequently classified for pre-archiving care in compliance with the generally binding legal regulations. SBCB processes personal data via CRIF S. p. A. seated at Via M. Fantin 1-3, 401 31 Bologna, Italy.

Another processor of SBCB is CRIF – Slovak Credit Bureau, s. r. o., seated at Mlynské nivy 14, 821 09, Bratislava.

The personal data processed in SBCB are made available to banks and branches of foreign banks and by means of Non-Banking Credit Bureau, interest association of legal entities, Company ID No: 42053404, seated at Mlynské nivy 14, 821 09 Bratislava (hereinafter referred to as “NBCB”) also to the authorised users of Non- Banking Credit Bureau specified on www.nbcb.sk.

The personal data processed in the Register may be made available pursuant to § 7 par. 6 and Act on Consumer Loans and respective provisions of the Act on Home Loans also to banks, foreign banks and branches of foreign banks and other creditors defined pursuant to these legal regulations. The list of creditors, banks, foreign banks and branches of foreign banks pursuant to the Act on Consumer Loans is specified on www.nbs.sk.

Personal data processed in SBCB and the Register are provided to the National Bank of Slovakia and other entities pursuant to the respective provisions of the Act on Banks and Act on Consumer Loans and Act on Home Loans.

Personal data processed in SBCB and the Register are neither published nor provided to third countries.

More information regarding SBCB and the Register and services provided by these entities is available in the SBCB Client Centre, seated at Mlynské nivy 14, 821 09 Bratislava, tel.: +421 2 5920 7515, e-mail: [email protected].

Instruction on the rights of the data subject at processing of personal data:
A client as the data subject is entitled to request the following from the controller:
a) confirmation whether personal data about the client are processed in SBCB and/or the Register,
b) general information about processing of personal data in the filing system,
c) information about the source the personal data for processing have been obtained from,
d) list of personal data of the client which form the scope of processing,
e) correction of the personal data,
f) deletion of the personal data:
- which are no longer required for the purposes they have been obtained or otherwise processed for,
- in case the personal data have been processed unlawfully,
- if the reason for deletion is having met the legal obligation,
g) restriction of processing of personal data.

The data subject is equally entitled to file a motion for opening proceedings pursuant to § 100 Act on Personal Data Protection. More specific conditions for the application of the rights of the data subjects are regulated in Chapter III Regulation.

¹Fur purposes of this information, a client is a natural person the bank has concluded a loan contract with, a person providing the
client's obligation from the loan contract, as well as a natural person applying for conclusion of a loan contract with the bank.
²A loan contract is any contract concluded between the bank and client or any legal action of the bank or client following which the
bank incurs or might incur the right to refund of financial means provided to the client, including a contract on consumer loan.