Privacy policy in the TABI Children's mobile application

in the sense of Article 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons in the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC (GDPR).

Introduction

This document presents special information on the processing of personal data when using mobile application TABI and supplements the Information Memorandum on the Protection of Personal Data, which is published on the website of Tatra banka in the Privacy Protection/GDPR section and which forms the main and comprehensive information on the processing of personal data in the sense of Article 13 and 14 GDPR (the "Information Memorandum"). This document does not replace the Information Memorandum itself, but complements and clarifies it, in matters not regulated or only partially regulated by this document, as well as for the interpretation of relevant concepts, it is therefore necessary to take the Information Memorandum into account.

The issue of cookies/advertising identifiers and other requirements according to the law §109 par. 8 no. 452/2021 Coll. on electronic communications is regulated by a separate document entitled Principles for the use of cookies - privacy protection rules.

Operator

Tatra banka, a.s., ID number: 00 686 930, registered office: Hodžovo námestie 3, 811 06 Bratislava 1, registered in the Commercial Register of the District Court Bratislava I, section: Sro, insert number: 71/B, contact: DIALOG Live, *1100 / 0800 00 1100 / +421 2 5919 1000 (hereinafter referred to as "Tatra banka"), e-mail address: tatrabanka@tatrabanka.sk, website: www.tatrabanka.sk.

Ensuring the protection of your personal data is very important to us, and therefore, when processing personal data, we strictly pay attention to compliance with applicable legal regulations, in particular compliance with the principles and requirements arising from the GDPR and related legislation. In this context, we have set up appropriate technical and organizational measures that contribute to ensuring the protection of the processed personal data of our clients.

Responsible person

In case of any questions, suggestions or in case of exercising rights related to the processing of your personal data, you can contact the DPO (Data Protection Officer), who is entrusted with the supervision of the processing of personal data in Tatra banka. You can contact the DPO by email at dpo@tatrabanka.sk or in writing at the address: DPO, Tatra banka, a. s., Hodžovo námestie 3, 811 06 Bratislava 1.

Mobile application

The bank is the owner and operator of the mobile applications listed below, when using which personal data is processed:

• TABI: Children's banking application
  • Google Play
  • App Store

The basic prerequisite for the full use of the TABI application is the existence of a relevant legal relationship between Tatra banka and the client, the subject of which is the provision of banking products or related services (e.g. the agreement on the allocation and principles of the use of identification, authentication and authorization means). In addition, some functionality of the mobile application may be subject to the conclusion of a separate contract or may be subject to specific terms and conditions.

In order for Tatra banka to be able to fulfill the relevant obligations resulting from such contractual relationships or conditions, it is necessary that the processing of personal data also takes place through mobile application.

Purpose and legal basis of personal data processing

Tatra banka always processes your personal data only for a pre-defined and legitimate purpose of processing, while there must always be an appropriate legal basis for such processing. Tatra banka never processes personal data for purposes incompatible with the originally determined processing purposes.

Within the TABI mobile application, personal data is processed primarily for the purpose of:

Providing access to the Game part of Tatra banka's Children's mobile application and related services

Tatra banka processes your personal data on the legal basis of pre-contractual relations and performance of the contract in the form of the Terms of Use of the Tatra banka Children's mobile application in accordance with Article 6 par. 1 letter b) GDPR.

The stated purpose includes in particular:

• Access to games and to the educational part
• Providing support to the player and motivating him (e.g. sending notifications about the progress of the game)
• Improving the quality of games

In order to provide the best gaming experience as well as to adapt the game content to the player, the player can choose a profile or so-called the avatar that best suits him personally and is closer to his interests. In case the player cannot decide which avatar to choose, he can help himself with the available questions. Based on the answers, an avatar will be assigned to him. The choice of avatar is voluntary, the player can choose a general profile without setting an avatar or at any time during the game can change the avatar or choose a general profile.
Publication of game scores
Your game score in the scope of the nickname (nickname), the score achieved, the overall ranking in the game can also be published by other players within the Game section of the Tatra banka Children's mobile application on the player board "Leader board", but only on the basis of your prior consent.

Education and relationship development

Tatra banka has a legitimate interest in educating children in the area of financial literacy, raising awareness of a responsible approach to personal finances, perceiving their needs and requirements, and therefore in informing them about products, innovations, services and possibly about offers of various benefits. Part of the development of relations with the Child may also include information about events, seminars, workshops, or competitions organized by Tatra banka and in which the Child might be interested. In this context, Tatra banka may contact you even without your prior consent, while you have the right to object to such processing. Further information about your rights as a data subject, including the right to object to processing based on a legitimate interest, can be found in point 9 of the Personal Data Protection Information Memorandum.
Tatra banka can communicate with you for the above-mentioned purpose by means of an automatic telephone call system, telephone, e-mail, SMS or other means of long-distance communication.
In order to adapt the offer of products and services directly for you, Tatra banka evaluates the information it processes about you so that it can provide you with a targeted offer and thus limit the sending of unsolicited offers.
For the purposes defined in this point, a person who has stopped using the Children's mobile application for a period of 6 months from the end of using the Children's mobile application is also considered a Child.

Provision of banking services, financial and related services, identification of the bank's clients and identification of the bank's contractual partners

The stated purpose includes, in relation to mobile application, in particular:

• client identification,
• concluding contractual relations with the client, including pre-contractual relations,
• management of contractual relations, including implementation of changes and their termination,
• receiving and handling client suggestions and complaints,
• fulfillment of Tatra banka's obligations in the area of AML,
• other processing activities described in the Information Memorandum.

In this case, personal data are primarily processed to the extent necessary to fulfill Tatra banka's legal obligations, while the legal basis for processing here is Article 6, paragraph 1 font. c) GDPR, and thus the processing is necessary to fulfill legal obligations.

Tatra banka may process personal data in cases where the scope of personal data determined by the aforementioned legal regulations is insufficient to achieve the defined purpose of processing, also on the basis of the following legal bases:

• if it is necessary for the performance of the contract concluded between the client and Tatra banka, including pre-contractual relations in accordance with Article 6 par. 1 letter b) GDPR,
• if the client has given his consent to the processing of his personal data for a specific purpose/purposes in accordance with Article 6 par. 1 letter a) GDPR.

Personal data may also be processed in connection with the mobile application, if it is necessary for the purposes of legitimate interests pursued by Tatra banka or a third party, in accordance with Article 6 para. 1 letter f) GDPR. Such legitimate interests are:

• Tatra banka is obliged to proceed with professional care within the framework of its activities and in this context has a legitimate interest in preventing criminal activity or other illegal actions that may cause damage or endanger its reputation, or cause any other harm, or prevent actions that may negatively affect the bank's activities or endanger its employees or other affected persons, and for this purpose it is entitled to keep a list of persons with potential risk, while the consequence of such processing may be the termination of the business relationship or the refusal to carry out the transaction.

Scope of data processed in the mobile application

The processing of personal data in the mobile application still takes place to the extent specified in the Information Memorandum, but it has certain specifics within it:
The mobile application for selected functions also acquires some of the so-called "personal and sensitive information" or access to selected components of the mobile device. This data is essential for the proper functioning of the mobile application and to ensure the protection of the finances and personal data of the Child/client against fraud, but also to increase the comfort of the Child/client when using the Bank's applications and services. For the purposes of this part as well as the following parts of this document, the client also means the Child, or Player.

TABI applications for correct, safe and comfortable use may require access to:

• Camera - scanning QR codes - for example, when activating the banking part of the application
• Location – due to increased security and prevention of illegal actions
• Phone status - to increase security and prevent illegal actions
• Alerts / Notifications – to notify users about, for example, completed transactions. As part of the prevention of fraud and other illegal actions, the bank may collect and share and, in connection with this, process information about the end device of the application user to the extent:

1. Device model - device manufacturer, serial number, UUID of the device, Root Status of the device
2. Device operating system
3. Network – IP and MAC address of Wifi / end device

Provision of data to other entities

Tatra banka does not provide personal data processed within the TABI mobile application to other entities, except in cases where Tatra banka has been granted consent, a written instruction for such provision, or if there is another legal basis for providing personal data to another entity, for example, in the case of the fulfillment the legal obligation of Tatra banka as an operator.
Further details about which entities and in which cases personal data may be provided even without the consent of the Child/client are contained in the Information Memorandum.

Transfer of personal data to third countries

Personal data are not subject to cross-border transfer to third countries that do not provide an adequate level of personal data protection, with the exception of cases specified by applicable legal regulations or special situations, when the client must be informed in advance about such a transfer.

Processing of personal data through cloud solutions

When processing personal data, cloud solutions are also used in certain cases, or services of a similar technical nature. The use of such solutions is, for example, necessary in many cases as part of the implementation of the most modern software tools, or their use contributes to efficiency and economy. Last but not least, such solutions also contribute to maintaining the integrity of the processed data and contribute to the security of the processing.

In such processing, cloud providers, or similar services, depending on the type of processing activity, primarily in the position of intermediaries in accordance with Article 28 of the GDPR, while Tatra banka, when selecting the relevant partner as well as during the processing, consistently ensures that the processing of personal data does not increase the risk of data security breaches or negative impact on rights of affected persons. Tatra banka also consistently ensures that the relevant partner has demonstrably adopted adequate technical and organizational measures with the aim of ensuring the level of security in the sense of Article 28 para. 3 letters. c) and Article 32 of the GDPR so that the processing meets the requirements of applicable legislation, in particular the GDPR, and to ensure the protection of the rights of data subjects.

During such processing, personal data is not transferred to third countries that do not guarantee an adequate level of protection in the sense of the GDPR.

Period of storage of personal data

Tatra banka stores your data in a form that enables your identification for no longer than is necessary to achieve the purpose for which the personal data is processed.

If personal data is processed within the framework of the fulfillment of Tatra banka's legal obligation, the relevant legal regulations determine in more detail the period during which Tatra banka is obliged to store your personal data and related documentation. More detailed information on legal regulations and deadlines is contained in the Information Memorandum.

Your rights in connection with the processing of personal data

As a data subject, you have the right to correct incorrect personal data concerning you or to complete incomplete personal data. If you find that we are processing incorrect or incomplete data about you, please do not hesitate to contact us.

If your personal data is processed on the basis of consent in the sense of Article 6 par. 1 GDPR or in the sense of Article 9 para. 2 GDPR, you have the right to withdraw this consent at any time. However, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The right to object to the processing of your personal data

As a data subject, you have the right to object to the processing of your personal data if the processing takes place on the legal basis of legitimate interests of Tatra banka, including objection to profiling based on legitimate interests. Tatra banka may further process your personal data for legitimate interests only if it demonstrates necessary legitimate reasons for processing that outweigh your interests, rights and freedoms, or reasons for proving, exercising or defending legal claims.

As a data subject, you have the right to access your personal data. If the conditions defined by the GDPR are met, you can ask us for a statement of your personal data that we process about you. In certain circumstances, you can request the restriction of processing, the transfer of your personal data and you also have the right to request the erasure of your personal data. However, it is important to note that in certain cases your rights may be limited, for example in connection with the existence of a legal obligation or in the event that there could be a negative impact on the rights of other persons at the same time.

You can exercise your rights in writing, by phone via the DIALOG Live service, by e-mail at dpo@tatrabanka.sk or in person at a branch. Tatra banka may ask you to provide additional information necessary to confirm your identity.

In connection with the processing of personal data, you have the right to file a complaint, or motion to initiate proceedings pursuant to § 100 of Act No. 18/2018 Coll. on the protection of personal data of the Office for the Protection of Personal Data of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Slovak Republic.