Privacy policy in mobile applications

in the sense of Article 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons in the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (GDPR).

Introduction

This document presents special information on the processing of personal data when using mobile applications and complements the Information Memorandum on the Protection of Personal Data, which is published on the website of Tatra banka in the Privacy Protection/GDPR section and which forms the main and comprehensive information on the processing of personal data in the sense of Article 13 and 14 GDPR (hereinafter referred to as the "Information Memorandum"). This document does not replace the Information Memorandum itself, but complements and clarifies, in matters not regulated or only partially regulated by this document, as well as for the interpretation of relevant terms, it is therefore necessary to take the Information Memorandum into account.

The issue of cookies/advertising identifiers and other requirements according to the law §109 par. 8 no. 452/2021 Coll. on electronic communications is regulated by a separate document entitled Principles for the use of cookies - privacy protection rules.

Operator

Tatra banka, a.s., ID number: 00 686 930, registered office: Hodžovo námestie 3, 811 06 Bratislava 1, registered in the Commercial Register of the Bratislava I District Court, section: Sro, file number: 71/B, contact: DIALOG Live, *1100 / 0800 00 1100 / +421 2 5919 1000 (hereinafter referred to as "Tatra banka"), e-mail address: tatrabanka@tatrabanka.sk, website: www.tatrabanka.sk

Ensuring the protection of your personal data is very important to us, and therefore, when processing personal data, we strictly ensure compliance with applicable legal regulations, and above all compliance with the principles and requirements arising from the GDPR and related legal regulations. In this context, we have set appropriate technical and organizational measures that contribute to ensuring the protection of the processed personal data of our clients.

Responsible person

In case of any questions, suggestions or in the case of exercising rights related to the processing of your personal data, you can contact the DPO (Data Protection Officer), who is entrusted with the supervision of the processing of personal data in Tatra banka. You can contact the DPO by email at dpo@tatrabanka.sk or in writing at the address: DPO, Tatra banka, a. s., Hodžovo námestie 3, 811 06 Bratislava 1.

Mobile applications

The bank is the owner and operator of the mobile applications listed below, when using which personal data is processed:

• Tatra banka
  • https://play.google.com/store/apps/details?id=sk.tb.ib.tatraandroid&hl=sk&gl=US
  • https://apps.apple.com/sk/app/tatra-banka/id397756796?l=sk
  • https://appgallery.huawei.com/#/app/C103952805
• Čítačka
  • https://play.google.com/store/apps/details?id=sk.tb.emv.mobile
  • https://apps.apple.com/sk/app/%C4%8D%C3%ADta%C4%8Dka/id527137143
  • https://appgallery.huawei.com/#/app/C101389519
• TB VIAMO
  • https://play.google.com/store/apps/details?id=sk.tb.viamo
  • https://apps.apple.com/sk/app/tatra-banka-viamo/id644270145
• Business banking TB
  • https://play.google.com/store/apps/details?id=sk.tb.businessbanking
  • https://apps.apple.com/sk/app/business-banking-tb/id1512913301
• TB POS
  • https://play.google.com/store/apps/details?id=sk.tb.pos.tatrabanka
• Raiffeisen Banka SK
  • https://play.google.com/store/apps/details?id=sk.raiffeisen.ib.androidwrapper
  • https://apps.apple.com/sk/app/raiffeisen-bank-sk/id1239314086
• AllExclusive
  • https://play.google.com/store/apps/details?id=sk.qbsw.mprivate
  • https://apps.apple.com/sk/app/allexclusive/id990167719

The basic prerequisite for the full use of Tatra banka's mobile applications is the existence of an appropriate legal relationship between Tatra banka and the client, the subject of which is the provision of banking products or related services (e.g. the agreement on the allocation and principles of the use of identification, authentication and authorization means). In addition, some functionalities of the mobile applications may be subject to the conclusion of a separate contract or may be subject to specific terms and conditions.

In order for Tatra banka to be able to fulfill the relevant obligations arising from such contractual relationships or conditions, it is necessary that the processing of personal data also takes place through mobile applications.

Purpose and legal basis of personal data processing

Tatra banka always processes your personal data only for a pre-defined and legitimate purpose of processing, while there must always be an appropriate legal basis for such processing. Tatra banka never processes personal data for purposes incompatible with the originally determined purposes of processing.

As part of Tatra banka's mobile applications, personal data is processed primarily for the purpose of:

Provision of banking services, financial and related services, identification of the bank's clients and identification of the bank's contractual partners

The stated purpose includes, in relation to mobile applications, in particular:

• client identification,
• concluding contractual relations with the client, including pre-contractual relations,
• management of contractual relations, including implementation of changes and their termination,
• receiving and processing clients' suggestions and complaints,
• fulfillment of Tatra banka's obligations in the area of AML,
• activities related to the fulfillment of Tatra banka's tasks and obligations according to applicable legal regulations,
• informing and creating awareness among clients regarding the impact of their financial activities on sustainability and the environment
• other processing activities described in the Information Memorandum.

In this case, personal data are primarily processed to the extent necessary to fulfill Tatra banka's legal obligations, while the legal basis for processing here is Article 6, paragraph 1 letter c) GDPR, and thus the processing is necessary to fulfill legal obligations.

Tatra banka may process personal data in cases where the scope of personal data determined by the aforementioned legal regulations is insufficient to achieve the defined purpose of processing, also on the basis of the following legal bases:

• if it is necessary for the performance of the contract concluded between the client and Tatra banka, including pre-contractual relations in accordance with Article 6, paragraph 1 letter b) GDPR,
• if the client has given consent to the processing of his personal data for a specific purpose/purposes in accordance with Article 6 par. 1 letter a) GDPR,
• if the client has given consent to the processing of his personal data for a specific purpose/purposes in accordance with Article 9 par. 2 letters a) GDPR,
• if the processing is necessary for proving, exercising or defending legal claims in accordance with Article 9 par. 2 letters f) GDPR.

Personal data may also be processed in connection with mobile applications, if it is necessary for the purposes of legitimate interests pursued by Tatra banka or a third party, in accordance with Article 6 para. 1 letter f) GDPR. Such legitimate interests are:

• Tatra banka is obliged to proceed with professional care in the course of its activities and in this context has a legitimate interest in preventing criminal activity or other illegal actions that may cause damage or endanger its reputation, or cause any other harm, or prevent actions that may negatively affect the bank's activities or endanger its employees or other affected persons, and for this purpose it is entitled to keep a list of persons with potential risk, while the consequence of such processing may be the termination of the business relationship or the refusal to carry out the transaction.
• Tatra banka, as a major banking institution providing financial and related services to a large number of clients, perceives its social responsibility in the area of environmental protection and support of sustainability, while it has a legitimate interest in related information and creating awareness of clients in the area of sustainable behavior and support of environmental protection, especially in the form of informing clients about the impact of their financial activities on the environment. As part of the stated legitimate interest, the bank evaluates client transactions and tries to provide clients with the best possible overview of the impact of their individual transactions on the environment in the form of information on the amount of CO2 produced. Such processing aims to positively influence the behavior of its clients towards the responsible use of natural resources.

Marketing

For the purposes of informing about products, innovations and services provided by Tatra banka, as well as in connection with obtaining benefits from Tatra banka, including creating offers of such benefits when using profiling, Tatra banka processes your personal data on the legal basis of your previously voluntarily granted consent or on the basis of authorized interests of Tatra banka.

In the event that you have given consent to the processing of your personal data for the above-mentioned purpose to the Raiffeisen Group, your personal data may be processed by (i) persons who have a direct or indirect ownership interest in Tatra banka, (ii) persons over whom it has a direct or indirect equity participation of Tatra banka, (iii) persons in whom a person with an equity interest in Tatra banka has a direct or indirect equity interest, (iv) persons having a direct or indirect equity interest in a person with an equity interest in Tatra banka. For the purposes of this document, they are mainly:

• Supplementary pension company Tatra banka, a. s., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID number: 36291111,
• Tatra Asset Management, admin. spol. a. s., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID number: 35742968,
• Tatra Leasing, p. r. o., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID: 31326552.

Tatra banka has a legitimate interest in taking care of its Clients and developing business relations with them, and thus in informing them about its products, innovations, services and possibly about offers of various benefits. In this context, Tatra banka may contact you even without your prior consent, while informing you about such processing of your personal data and educating you about your rights, especially the right to object to the processing of your personal data. This, of course, does not apply if you have expressed your disagreement with such addressing or if you object to it.

Further information on your rights as a data subject, including the right to object to processing based on a legitimate interest, can be found below.

Tatra banka can communicate with you for the above-mentioned purpose by means of an automatic telephone call system, telephone, e-mail, SMS or other means of long-distance communication.

In order to adapt the offer of products and services directly for you, Tatra banka evaluates the information it processes about you so that it can provide you with a targeted offer and thus limit the sending of unaddressed marketing offers.

Scope of data processed in mobile applications

The processing of personal data in mobile applications still takes place within the scope specified in the Information Memorandum, but it has certain specificities within it:

Mobile applications for selected functions also receive some of the so-called "personal and sensitive information" or access to selected components of the mobile device. This data is essential for the proper functioning of mobile applications and for ensuring the protection of the client's finances and personal data against fraud, but also for increasing the client's comfort when using the Bank's applications and services.

Applications for correct, safe and comfortable use may require access to:

• Camera - scanning payment QR codes, vouchers or IBAN. Scanning of the National ID card for the purposes of its update, identity verification in the process of activating the Reader application, or in selected sales processes.
• Location – for the purpose of searching for the nearest branch or ATM or other point of contact (for example, for the MY Benefit service), as well as for the purpose of increasing security and preventing illegal actions.
• Contacts – for the purposes of contacting the bank directly from the application, sending money to a phone number
• Phone status - to increase security and prevent illegal actions
• Photos and videos, Files and documents - for the purpose of importing invoices with payment information (in the form of QR codes) or other documents necessary for selected banking processes.
• Notifications / Reports - for notifying users about, for example, completed transactions
• Device biometrics - for logging into mobile applications (fingerprint / TouchID / FaceID). The bank does not have access to any biometric data in this case. The said data remains processed only through your mobile device, which evaluates whether the biometric data registered in the secure storage of the terminal device match those used to log in to the Bank's mobile application.*

* Biometric data processed by the Bank – used for selected functionalities of the Bank's mobile applications (eg activation of the Reader mobile application using facial biometrics). In this case, the Bank, based on your consent, compares the biometric characteristics of the scanned face against the photo on your identification document and/or the photo from the ID card register.

As part of the prevention of fraudulent and other illegal actions, the bank may collect and share and, in connection with this, process information about the end device of the application user within the scope of:

1. Device model - device manufacturer, serial number, UUID of the device, Root Status of the device
2. Device operating system
3. Network – IP and MAC address of Wifi / end device
4. Information about installed applications on the user's end device - to identify malicious applications on the user's device.

Provision of data to other entities

Tatra banka does not provide personal data of clients processed within mobile applications to other entities, except in cases where the client has given Tatra banka consent or written instruction for such provision, or if there is another legal basis for providing personal data to another entity, for example, in the case of fulfillment the legal obligation of Tatra banka as an operator.

Further details on which entities and in which cases personal data may be provided even without the client's consent are contained in the Information Memorandum.

Transfer of personal data to third countries

Personal data are not subject to cross-border transfer to third countries that do not provide an adequate level of personal data protection, with the exception of cases specified by applicable legal regulations or special situations where the client must be informed in advance about such a transfer.

Processing of personal data through cloud solutions

When processing personal data, cloud solutions are also used in certain cases, or services of a similar technical nature. The use of such solutions is, for example, necessary in many cases as part of the implementation of the most modern software tools, or their use contributes to efficiency and economy. Last but not least, such solutions also contribute to maintaining the integrity of the processed data and contribute to the security of the processing.

In such processing, cloud providers, or similar services, depending on the type of processing activity, primarily in the position of intermediaries in accordance with Article 28 of the GDPR, while Tatra banka, when selecting the relevant partner as well as during the processing, consistently ensures that the processing of personal data does not increase the risk of a breach of data security or a negative impact on rights of affected persons. Tatra banka also consistently ensures that the relevant partner has demonstrably adopted appropriate technical and organizational measures in order to ensure the level of security in accordance with Article 28, paragraph 3 letters c) and Article 32 of the GDPR so that the processing meets the requirements of applicable legislation, in particular the GDPR, and to ensure the protection of the rights of data subjects.

With such processing, personal data is not transferred to third countries that do not guarantee an adequate level of protection in accordance with the GDPR.

Period of storage of personal data

Tatra banka stores your data in a form that enables your identification for no longer than is necessary to achieve the purpose for which the personal data is processed.

If personal data is processed within the framework of the fulfillment of Tatra banka's legal obligation, the relevant legal regulations determine in more detail the period during which Tatra banka is obliged to store your personal data and related documentation. More detailed information on legal regulations and deadlines is contained in the Information Memorandum.

Automated decision making and profiling

In the process of processing a request for the provision of a banking service, automated decisions are made based on profiling. As part of client profiling, data obtained by Tatra banka at the time of the request are taken into account, as well as data recorded by Tatra banka as part of the client's previous history in Tatra banka, as well as data obtained in accordance with valid legal regulations from external sources, and based on them, the system makes automated decisions . During profiling, the bank takes into account several data that can positively or negatively influence the decision on the application. Data on the possible riskiness of the client, his assets and liabilities in Tatra banka, payment discipline, regular use of bank products, as well as data that the bank obtains from the client at the time of negotiating the conclusion of the transaction are taken into account. Tatra banka evaluates these data at regular intervals and evaluates the client's risk profile based on them. In the case of a client with no previous history in Tatra banka, Tatra banka evaluates the data obtained from the client at the time of application, as well as data obtained in accordance with valid legal regulations from external sources.

Based on the acquired risk profile of the client, the application is assessed during automated decision-making. This decision may affect the automatic rejection of the application, the maximum approved amount of individual loans, the possibility of providing individual products, the maximum maturity of the requested product and the ratio of the amount of the loan to the value of the property (LTV). The client's risk profile itself has a direct impact on the bank's proposal of conditions, while in principle it is true that the better the client's risk profile in the bank, the better the conditions proposed by the bank can be.

The above-mentioned data, as well as specifically data on the behavior of clients during the delay, can be used to decide on the optimal recovery process and can have an impact on the choice of recovery strategy or loan restructuring. It can also be used in the implementation of activities for the purpose of preventing the occurrence of client delays. In the event that during the processing of your request for a banking product, automated decision-making will occur, including profiling in accordance with Article 22 of the GDPR, you have the right to human intervention on the part of Tatra banka, the right to your opinion, as well as the right to challenge the decision made on the basis of automated decision-making, including profiling.

Automated decision-making occurs when:

• negotiations on concluding a credit deal,
• reassessing the amount of optional overdraft belonging to the client's current account.

Data processing in credit registers

As part of the mobile applications, especially in connection with the negotiation of closing the deal, personal data may also be processed in credit registers.

The operator of the information system of the Joint Register of Bank Information is the company Slovak Banking Credit Bureau, s.r.o., IČO: 35 869 810, with its registered office at Mlynské Nivy 14, 821 09 Bratislava (hereinafter referred to as "SBCB").

The joint register of bank information (hereinafter referred to as "SRBI") is created in accordance with the provisions of §92a par. (1) of the Banking Act.

Joint register of bank information, "SRBI" - part Register of consumer loans pursuant to Act no. 129/2010 Coll. on consumer credits and on other credits and loans for consumers, in accordance with later regulations, is the register according to § 7 par. (3) Act on consumer loans and the register according to § 8 par. (20) of Act no. 90/2016 Coll. on housing loans, to the extent according to § 7 par. (9) of the Consumer Credit Act (hereinafter referred to as the "Register"). In accordance with the Act on Consumer Credit and the Act on Home Loans, Tatra banka is obliged to provide data to the Register and obtain data from the Register without the bank's client's consent.

The categories of personal data processed about you are determined by Act no. 483/2001 Coll. on banks, as amended. The purpose of processing personal data in SRBI is the preparation, conclusion and execution of transactions with clients, documenting the activities of banks in accordance with the Banking Act and carrying out mutual information between banks for the purpose of checking the creditworthiness, trustworthiness and payment discipline of bank clients in accordance with § 92a par. (1) of the Act on Banks.

The categories of personal data processed about you in the Register are determined by the Act on Consumer Credit and the Act on Home Loans. The purpose of processing personal data in the Registry is to provide consumer loans and assess the consumer's ability to repay the consumer loan as defined by the Act on Consumer Credit and the Act on Housing Loans.

The legal basis for the processing of your personal data in SRBI is Art. 6 par. 1., letter c) (fulfilment of legal obligation) GDPR.

The legal basis for processing your personal data in the Registry is Art. 6 par. 1., letter c) GDPR (fulfilment of legal obligation).

The source from which your personal data processed in SRBI and in the Registry comes from banks and branches of foreign banks.

The period of processing and storage of personal data is determined for the duration of obligations and 5 years after the termination of all your obligations as a client to the bank in relation to a specific credit agreement, or, in the case of SRBI, 5 years following the date of submission of your request to the bank to conclude a credit agreement , if it is not closed. Subsequently, your personal data will be included in pre-archival care in accordance with generally binding legal regulations.

SBCB processes your personal data through an intermediary, CRIF S.p.A. with registered office at Via M. Fantin 1-3, 40131 Bologna, Italy.

Another intermediary of SBCB is the company CRIF – Slovak Credit Bureau, s.r.o., with registered office at Mlynské Nivy 14, 821 09, Bratislava.

Personal data processed about you in SRBI are made available to banks and branches of foreign banks and through the Non-Banking Credit Bureau, interest association of legal entities, IČO: 42 053 404, with registered office at Mlynské Nivy 14, 821 09 Bratislava (hereinafter "NBCB") and authorized users of the Non-Bank Register of Client Information, regularly published on the website www.nbcb.sk.

Personal data processed about you in the Register may be made available to banks, foreign banks and branches of foreign banks and other credit entities defined by these legal regulations in accordance with § 7 paragraph 6 and the Act on Consumer Credit and the relevant provisions of the Act on Home Loans. The list of creditors, banks, foreign banks and branches of foreign banks in accordance with the Consumer Credit Act is available at www.nbs.sk.

Personal data processed about you in SRBI and the Register are provided to the National Bank of Slovakia and other entities in accordance with the relevant provisions of the Act on Banks and the Act on Consumer Credit and the Act on Home Loans.

Your personal data processed in SRBI and the Registry are not published or provided to third countries.

Your rights in connection with the processing of personal data

As a data subject, you have the right to correct incorrect personal data concerning you or to complete incomplete personal data. If you find that we are processing incorrect or incomplete data about you, please do not hesitate to contact us.

If your personal data is processed on the basis of consent in accordance with Article 6 par. 1 GDPR or in accordance with Article 9 par. 2 GDPR, you have the right to revoke this consent at any time. However, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The right to object to the processing of your personal data

As a data subject, you have the right to object to the processing of your personal data if the processing takes place on the legal basis of legitimate interests of Tatra banka, including objection to profiling based on legitimate interests. Tatra banka may further process your personal data for legitimate interests only if it demonstrates necessary legitimate reasons for processing that outweigh your interests, rights and freedoms, or reasons for proving, exercising or defending legal claims.

You have the right to object at any time to the processing of your personal data for the purposes of direct marketing, including profiling to the extent that it is related to such direct marketing, in the event that the processing takes place on the legal basis of the legitimate interests of Tatra banka. If you object to processing for direct marketing purposes, Tatra banka will not process your personal data for direct marketing purposes.

As a data subject, you have the right to access your personal data. If the conditions defined by the GDPR are fulfilled, you can ask us for a statement of your personal data that we process about you. In certain circumstances, you can request the restriction of processing, the transfer of your personal data, and you also have the right to request the deletion of your personal data. However, it is important to note that in certain cases your rights may be limited, for example in connection with the existence of a legal obligation or in the event that there could be a negative impact on the rights of other persons at the same time.

You can exercise your rights in writing, by phone via the DIALOG Live service, by e-mail at dpo@tatrabanka.sk or in person at a branch. Tatra banka may ask you to provide additional information necessary to confirm your identity.

In connection with the processing of personal data, you have the right to file a complaint, or motion to initiate proceedings pursuant to § 100 of Act no. 18/2018 Coll. on the protection of personal data of the Personal Data Protection Office of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Slovak Republic.