Information on data processing

Controller of Personal Data

Erste&Steiermärkische Bank d.d., PIN (OIB): HR23057039320 (hereinafter: “Bank”) is the Controller of Personal Data. Depending on the purpose of the processing, the Bank – as the Controller of Personal Data – collects, processes, uses and analyses your personal data.

You can contact the Bank for all questions and rights related to processing of your personal data at erstebank@erstebank.hr, at the headquarters address, the phone number: 0800 7890, in the branch offices, or you can contact the Data Protection Officer at: SZOP@erstebank.hr or at Ivana Lučića 2, Zagreb (attn. Data Protection Officer).

Personal Data

As the Controller of Personal Data, we are well aware of the importance of personal data to each individual; therefore, we attach great importance to the compliance with the relevant regulations. Accordingly, we put in a great deal of effort to maintain and enhance the security of your personal data and privacy.

The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) introduces higher standards in the field of personal data protection.

To understand this Information on data processing, you must be familiar with the basic terms, such as personal data and data processing.

Personal data are any data, or combination of data, that identify a natural person or can be used to identify one, such as name, surname, personal identification number, address details, location, photo, work details, income.

Data processing constitutes every procedure performed on personal data, such as their collection, recording, structuring, storage, modification, review, usage, transfer or deletion.

Which data are collected and processed by the bank?

Personal data are collected by the Bank during its business operations with the aim of establishing business relations with clients and meeting the obligations imposed by the law and other regulations, and it is not possible to establish a business relationship with the Bank without the collection and processing of mandatory data and data for business purposes. In addition, based on your explicit consent, the Bank processes your data in order to provide the best service possible.

Mandatory data

Mandatory data are defined in the regulations and the Bank cannot establish and/or maintain a business relationship in their absence.

They consist of the identification data on a valid identification document and the data that the Bank is bound to collect in compliance with the regulations (Anti-Money Laundering and Terrorism Financing Prevention Act, Act on the Administrative Cooperation in The Field of Tax), namely: name and surname, residential address, Personal Identification Number (OIB), sex, date and place of birth, nationality(ies), identification document type and number, including the name and country of the Issuer and the validity period, as well as the validity period of the residence permit, and the data concerning the tax residence outside Croatia.

If you are operating a business (small businesses or independent professions), then the data from the competent registry, such as: name, registered office address and the company registration number, are mandatory as well.

Data for business purposes

Data for business purposes are the data necessary for establishing and/or executing a business relationship with the bank, depending on the service/product, i.e. the benefit.

Products and services that involve credit exposure for the Bank require data for the Bank's credit risk management, especially data referring to property status, members of the household, income and employment status; if you are operating a business, the required data are: status data, business financial data, data on creditworthiness and solvency, and the like.

Data for business purposes can also constitute contact details, if they are necessary for the provision of the Bank’s service or product (for example, an e-mail for the Internet banking service or Erste Broker service, and the phone number for informative text messages on the account balances/payment transactions).

Contact details

Contact details are voluntarily submitted data and they are used by the Bank to inform you as soon as possible and in the easiest manner possible about the facts and events significant for the product or service that you are interested in, or which you are already using, and to deliver the information/documents upon your request or enquiry, unless otherwise agreed upon or provided as the Bank’s obligation (for example, the Bank may contact you by phone to inform you that your loan has been granted or that you have an overdraft facility, you may also be informed that you can pick up your identification/authentication card in the branch office, or that someone unauthorised has used your current account card or some other product etc.).

These include the address other than your residential address, phone number, cellphone number, fax number, e-mail; and if you are operating a business, an address other than the registered office address and the name and surname of the contact person, phone number, cellphone number, fax number, e-mail.

How are the data collected and processed by the bank?

Establishing the business relationship and meeting the obligations provided in the regulations

The Bank collects the data directly from the client in the contractual agreement or during the client’s expression of interest for the services and products, during the use of the Bank’s product or service (for example, during the payment transaction) or during any client’s communication with the Bank (for example, while calling the call center). In order to establish a business relationship and to exercise its rights and obligations defined in the regulations, the Bank collects the data from the publicly available registries/records, such as the Unified Account Registry, land registry etc.

The data are processed by the Bank for the purpose of establishing business relations and carrying out transactions (the realisation of the Bank’s products and services), in order to meet its obligations provided by the regulations (by reporting to the government and supervisory authorities, such as the Croatian National Bank, the Croatian Financial Services Supervisory Agency, the Ministry of Finance, the Unified Account Agency managed by the Financial Agency, the State Agency For Deposit Insurance and Bank Resolution, the authorities which the Bank is required to notify pursuant to the International restrictive measures and the European Union decision on the application of international restrictive measures and their implementing regulations, etc.) and in order to exercise or defend legal claims.

Pursuant to the Credit Institutions Act and other relevant regulations, the Bank shall, on its own behalf and on behalf of its group members, manage the credit, liquidity, interest rate, operative and other risks to which it is exposed, or may be exposed, together with its group members; and therefore, the Bank shall collect, exchange and process the necessary data from its group members for that purpose.

Based on the granted consent, the Bank shall process the data contained therein exclusively for the purpose for which the consent was granted. The consent shall be given completely voluntarily, and therefore, giving or withdrawing consent does not affect the contracting of the Bank’s products and services or the realisation of already contracted ones.

The data processing based on consent contributes to the continued improvement of the Bank’s product and service quality, and consequently to the quality of your financial needs management.

The consent may be given for one or more purposes, such as:
(i) the creation of special offers of/recommendations for products, services and possibilities of their use (personalised marketing), in order for you to manage your finances more efficiently as the client. For this purpose the Bank shall process the data based on the product or service usage, such as: the data on the amount, frequency, transaction type and place, bank balance, bank account card usage, and the data on the frequency of visits to the branch office, in order to be able to inform you about the benefits and possibilities of using your bank account, online** banking services or a standing order, the possibilities of contracting a saving product etc. The aforementioned data processing may include the creation of your profile based on the analysis of your personal interests, conduct and location. Such profiling is aimed at anticipating your needs in order for the Bank to act on them in a timely manner with an adequate offer of products, services and recommendations;
(ii) providing periodical information on products and services, benefits, prize contests, news and changes in the operation of the Bank, Erste Group members and business partners (general marketing), so that you would have at your disposal useful information on the Bank’s business operations, products and services;
(iii) the improvement of the Bank’s products and services according to your requests and expectations, based on the information from periodical customer satisfaction enquiries.

******Within the scope of its online banking services, the bank may process biometric data based on voluntary consent. The service may also be arranged under the same terms without the requirement for consent at any of the bank’s branch offices.
Biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data.
The biometric data processing consent shall be requested by the bank in the event of arranging online banking services (George) through the George mobile app. The consent is required for the process of unique identification of facial images as biometric data by comparing them to images on ID cards.

******Within the scope of its online banking services and for the purpose of client identification, the bank may carry out a video-electronic identification process based on voluntary consent. The identification may be carried out under the same terms without the requirement for consent at any of the bank’s branch offices.
The video-electronic identification shall be carried out by the bank in accordance with the Ordinance on Minimum Technical Requirements, which the means of video-electronic identification must meet.

You may withdraw your consent at any moment and thenceforth the Bank will no longer process your data for the purpose for which consent was given.

The consent may be withdrawn in the same manner in which it was given in any branch office of the Bank. The consent withdrawal does not affect the legitimacy of the processing carried out based on the consent prior to its withdrawal.

Automated individual decision making and profiling

In the business relationship with the client, the Bank shall not use the automated individual decision-making that would produce legal effects with negative consequences for clients pursuant to Article 22 of the General Data Protection Regulation.

For clients using products and services, the Bank has a regulatory obligation, in accordance with the Credit Institutions Act and EU Regulation No. 575/2013, to calculate the behavioural rating reflecting the client's risk on a monthly basis. The calculation is performed by using statistical models based on the available data, inter alia, the data collected from the clients, the data on used products and services and the data on regular settlement of liabilities. The behavioural rating serves as one of the input variables for assessing the credit risk to which the Bank may be exposed, as well as the client's creditworthiness. The decision on the approval, amount and conditions of the credit depends on the behavioural (calculated on a monthly basis) and the application rating (calculated at the time of approval of the new credit exposure).****

Pursuant to the Anti-Money Laundering and Terrorist Financing Act, the Bank shall conduct an analysis of money laundering and terrorism financing risks, and accordingly implement customer due diligence measures while establishing a business relationship and processing periodical transactions.

Based on legitimate interest:

Based on the legitimate interest, the Bank shall make it possible for the clients to contract cash credits/loans in the estimated amount based on the behavioural rating which the Bank is required to calculate as part of its regulatory obligation. The Bank will indicate the possibility of contracting in its branch offices and/or via online banking, and the client will be able to use the credit/loan immediately.****

The client may file a complaint against the aforementioned data processing, whereupon the Bank shall suspend further processing.

Who receives the data from the bank?

The Bank submits your data to third parties for the purpose of complying with the contract concluded with you; for example, to the participants necessary for carrying out the payment or a bank card transaction, to the Central Depository and Clearing Company Inc. (CDCC), to courts, to land registry departments and similar public registries; and for the purpose of complying with the regulatory obligations, e.g. in order to report to the government and supervisory authorities, such as: the Croatian National Bank, the Croatian Financial Services Supervisory Agency, the Ministry of Finance, the Unified Account Agency managed by the Financial Agency, the State Agency For Deposit Insurance and Bank Resolution and its Group’s members for the purpose of meeting risk management requirements.

Some data processing processes are carried out by the Bank using service providers and applying technical and organizational data protection measures, for example, IT service providers, archiving service providers, providers of the service of printing and sending correspondence to clients, credit card transaction processing providers, card and PIN production and personalization service providers. Service providers hired by the Bank as the Data Controller act in relation to personal data as Data Processors and the Bank shall ensure that providers are located within the European Union area or in areas that are covered by the decision on adequacy by the European Commission, thus providing the highest level of protection of client's personal data.

Banking secrecy

In addition to the General Data Protection Regulation, the personal data are also protected through the Bank's commitment to bank secrecy. In accordance with the Credit Institutions Act, the Bank shall keep as a banking secret all the data, facts and circumstances that it has learned on the basis of providing services to clients and performing transactions with an individual client. The Bank shall disclose the data which represent the bank secret exclusively in those cases and to those persons and authorities as determined by the Credit Institutions Act.

Data processing security

The Bank shall implement technical and organizational protection measures to ensure an adequate level of security for the processing of your data.

Keeping personal data

The period of keeping your data is determined by the regulations governing a particular business relationship.

Your rights in relation to your personal data

The General Data Protection Regulation provides the following rights in relation to personal data: the right to be informed about the processing of your personal data, the right to correct inaccurate data, the right to delete data if they are no longer required for the exercise of rights and obligations in a business relationship or for the fulfilment of Bank's obligations determined by regulations or for the purpose of obtaining and defending legal requirements, the right to restrict processing, the right to portability and the right to object.

You have the right to file a complaint related to your personal data with the Bank at erstebank@erstebank.hr or vasemisljenje@erstebank.hr, at the headquarters address, at 0800 7890, in the branch offices or you can contact the Data Protection Officer: SZOP@erstebank.hr or at Ivana Lučića 2, Zagreb (attn. Data Protection Officer).

You can also file a complaint to the supervisory body for personal data protection i.e. to the Personal Data Protection Agency (AZOP).

Information on DOR system data processing ***

Pursuant to the General Data Protection Regulation (hereinafter: GDPR), we hereby inform you about the possibility of your data being processed by the DOR system. The DOR system is a data exchange system used by credit and financial institutions (users), which are members of credit institution groups in Croatia, for exchanging data on clients who failed to settle their due obligations on time.

Within the meaning of the GDPR, the users are joint controllers in the DOR system, and the processor is the company Hrvatski registar obveza po kreditima, a limited liability company for business services, Ulica Filipa Vukasovića 1 (hereinafter: HROK).*****

We hereby inform you that, if all of the following prerequisites should be met, as one of the users of the DOR system we shall process your data in the DOR system by exchanging data on your failure to settle due obligations with other users of the system.

General Information

Processing purposes and legal grounds for processing

The processing of your data in the DOR system is based on our legitimate interest, as well as the legitimate interests of all users (in accordance with Art. 6 para. (1) item (f) of the GDPR) to assess clients’ ability to duly settle their obligations in order to reduce and/or avoid the risk of non-performing loans and the over-indebtedness of clients, all for the purpose of improving credit risk management, which is one of our key regulatory obligations.

Cases in which your data will be processed in the DOR system:

  1. once per month when we (and other users) deliver data of all our clients who failed to settle their due obligation on time, according to the criteria for the delivery of your data to the DOR system, described below;
  2. whenever we or any of the other users of the DOR system send a request to the DOR system.

What are the criteria for delivering your data to the DOR system?

The criteria for delivery of delinquency data to the DOR system are:

  1. the due debt amounts to HRK 750 or more, and the settlement of the due obligation is 61 days or more overdue; and
  2. the client does not settle his or her obligations in a timely manner;
    • or the financial obligation has been cancelled due to the client not settling his or her due obligations;
    • or a legal claim has been lodged for the financial obligation;
    • or the financial obligation has been recovered by insurance;
    • or the financial obligation has been sold (sale of receivables).

How, why, and when will your data be exchanged in the DOR system?

Your data will be exchanged in the DOR system whenever one of the DOR system users, including us, sends a request to the DOR system. The result of such a request is generation of a report containing data on the delinquency or a notice, if the DOR system has no records of the delinquency.

A request to the DOR system can be made only in the following cases:

  • prior to entering into a new loan/grant agreement, or with regard to an amendment to an existing loan/grant agreement;
  • for periodic monitoring and assessing the credit risk of clients who have already signed a loan/grant agreement.

On the basis of DOR system data the users (i) monitor and assess the client’s timeliness in settling existing obligations; and/or (ii) assess the client’s ability to settle their obligations; and/or (iii) assess the client’s creditworthiness.

Which of your data will be processed in the DOR system?

The following data categories will be processed in the DOR system:

  • identification data;
  • client delinquency data indicating the amount and the deadline;
  • data stored in records.

Identification data

  • PIN (OIB);
  • full name.

Delinquency data

  • name of the user who is the creditor for the financial obligation;
  • type of obligation (e.g. current account liability, housing loan liability);
  • obligation status (e.g. delinquent, claimed, cancelled, sold, recovered by insurance);
  • amount and currency of the due and unsettled debt;
  • amount and currency of a not yet payable debt;
  • date of previously listed delinquency data and identification data;
  • date of first delinquency entry in the DOR system;
  • date of end of delinquency in the DOR system;
  • total number of recorded months of delinquency in settling financial obligations;
  • number of months in the most recent period of continuous delinquency in honouring a financial obligation.

Data stored in records

  • data on user requests sent to the DOR system, necessary for record-keeping.

How would you be affected by DOR system data processing?

DOR system data can affect our business decisions concerning our clients, and represent a piece of data which we take into account when making decisions.


On the other hand, DOR system data can warn us about your failure to settle your obligations towards other users and allow us timely and proactive implementation of indebtedness restructuring policies, and timely checking of your settling of your existing obligations, which improves our efficiency in credit risk management.

How long do we retain your personal data?

Data processed in the DOR system are kept for four years, after which they are erased.


Who are the recipients of your personal data?

The recipients of DOR system data are only the DOR system users, specifically those who send a request to the DOR system and based on it receive the data on your delinquency or a notice about your data not being in the DOR system. Indirectly, as a processor in the DOR system, HROK is also one of the recipients.

The current list of DOR system users is published at www.hrok.hr/dor-korisnici.

Your rights

In case your data is being processed in the DOR system, you are entitled to exercise the following rights in relation to us, as controllers:

1. Right of access to personal data

Regarding data processed in the DOR system, you can request confirmation as to whether your personal data are being processed, and a copy of personal data in case they are indeed being processed.


2. Right to rectification

If you believe that the data processed in the DOR system are incorrect or incomplete, you can request they be rectified or completed.


3. Right to erasure (‘right to be forgotten’)

You can exercise the right to erasure of personal data if any of the following applies:

  • the personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
  • you objected to the processing, and your reasons override our legitimate grounds for the processing (as well as legitimate grounds of other users);
  • the personal data have been unlawfully processed or they have to be erased for compliance with a legal obligation.

In case of any of the foregoing, the right to erasure in accordance with the GDPR shall not apply if the processing is necessary for:

  • exercising the right of freedom of expression and information;
  • compliance with a legal obligation which requires processing by Union or Member State law to which the user is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the user;
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the law;
  • the establishment, exercise or defence of legal claims.


4. Right to restriction of processing

You can exercise the right to restrict the processing of personal data if any of the following applies:

  • you contest the accuracy of the personal data, for a period enabling the user to verify the accuracy of the personal data; or
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or
  • the user no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
  • you objected to processing pursuant to Article 21 paragraph (1) of the GDPR pending the verification whether the legitimate grounds of the user override your own.


5. Right to object

On grounds relating to your particular situation which override our legitimate interests for the processing in the DOR system (including the legitimate interests of other users), you have the right to object at any time to processing of your personal data.

 

Also, each individual whose personal data are being processed in the DOR system shall have the right to object to processing of their personal data to the supervisory authority, i.e. the Croatian Personal Data Protection Agency.

Any of the above rights can be exercised as described in the chapter “Your rights in relation to your personal data”.

Also, the request for exercising the right of access to personal data can be submitted in writing to the address: HROK d.o.o. Ulica Filipa Vukasovića 1, 10000 Zagreb, provided that your request contains your verified signature (e.g. notarised by a notary public).*****

If you have any questions or remarks regarding the processing of your personal data in the DOR system, you can contact us as described in the chapter “Controller of Personal Data”.

Information on the processing of personal data in the basic register system between credit institutions****

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the Regulation), we are providing you with this information in order to acquaint you with the possible processing of your data in the Basic Register System (hereinafter: the OSR system).


The OSR system is a system for processing and exchanging client details between credit institutions as users of the OSR system (hereinafter: the users) through HROK, namely for the purposes of creditworthiness assessment and credit risk management.


Within the meaning of the Regulation, the users are individual and joint controllers in the OSR system, and the company Hrvatski registar obveza po kreditima d.o.o., Zagreb, Ulica Filipa Vukasovića 1 (hereinafter: HROK) is, depending on the situation, their individual or joint processor.*****


In accordance with Articles 13 and 14 of the Regulation, as our client, we are hereby informing you that we, as one of the users of the OSR system, process your personal data in the OSR system if you have or have had financial liabilities to us (such as a credit or overdraft). We process your data (including your personal data) in the OSR system by exchanging data on your financial liabilities with other participants in the OSR system.

Processing purposes and legal grounds for processing

The purpose of processing and exchanging your personal data in the OSR system between credit institutions as users of the OSR system is to assess your creditworthiness and manage our credit risk towards you if you are our client or if you intend to be one.

The exchange of your data in the OSR system between credit institutions (banks, savings banks and housing savings banks) is based on the compliance with the legal obligation (in accordance with Article 6(1)(c) of the General Data Protection Regulation) contained in Article 321 of the Credit Institutions Act, which regulates the obligation to exchange data and information on clients between credit institutions for the purposes of assessing creditworthiness or managing the credit risk.

What data of yours are processed in the OSR system?

The following categories of your data are processed and exchanged in the OSR system:

  • identification data and
  • data on the existing and settled or otherwise extinguished liabilities

Identification data are:

  • OIB (PIN), name and surname
  • OIB (PIN), name and identification number of the business entity (if you are engaged in a business activity)

Data on the existing and settled or otherwise extinguished liabilities (financial liabilities) of the client are the following:

  • type of liability,
  • total amount of the liability,
  • amount and periodicity of annuity/instalment,
  • regularity in settling liabilities,
  • number of arrears,
  • amount of arrears,
  • number of days of delay.

How, why, and when will your data be processed in the OSR system?

Your data is processed by delivering and storing data in the OSR system and exchanging said data between OSR system users at the request of an individual user in cases where there is an obligation to assess creditworthiness or to manage credit risk.

For said reason, we, as well as other users of the OSR system, submit updated personal data on our clients to the OSR system once a month.

We, as well as other users whenever they have an obligation to assess your creditworthiness or manage credit risk towards you, make a request to exchange all data on your financial liabilities in the OSR system and to combine them in order to draw up a report on the data contained in the OSR system.

If there are no data on your financial liabilities in the OSR system, a notification will be drawn up instead of a report, namely stating that there are no such data of yours in the OSR system.

How would you be affected by OSR system data processing?

The content of the reports drawn up on the basis of the exchange of data on your financial liabilities in the OSR system may have an effect on our business decisions regarding you, namely both those for which your creditworthiness is important, and those we make in relation to the management of credit risk towards you.

How long do we retain your personal data?

Data on financial liabilities that are no more than 4 (four) years old are retained and exchanged in the OSR system. After a financial liability has been fully settled or otherwise extinguished, your data will be kept for a maximum of 4 (four) years from the day when the financial liability was fully settled or otherwise extinguished.



Who are the recipients of your personal data?

The recipients of data from the OSR system are only the users of the OSR system, namely only those who have made a request for data exchange and who thus received a report containing data on your financial liabilities or a notification that the OSR system does not contain data on your financial liabilities. Indirectly, as a processor in the OSR system, HROK is also one of the recipients.


The current list of OSR system users is published on the website www.hrok.hr/osr-korisnici.

Your rights

In case your data are being processed in the OSR system, you are entitled to exercise the following rights in relation to us, as controllers:

1. Right of access to personal data

Regarding the data processed in the OSR system, you can request a confirmation as to whether your personal data are being processed, as well as a copy of your personal data in case they are indeed being processed.

2. Right to rectification

If you believe that the data processed in the OSR system are incorrect or incomplete, you can request they be rectified or completed.

3. Right to erasure (“right to be forgotten”)

You can exercise the right to erasure of personal data if any of the following applies:

  • the personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
  • the personal data have been unlawfully processed or they have to be erased for the purpose of compliance with a legal obligation.

Even if one of the above conditions is met, the right to erasure under the Regulation does not apply if the processing is necessary for the purpose of exercising the right to freedom of expression and information; for the purpose of complying with a legal obligation requiring the processing under Union law or the law of the Member State to which the user is subject; for the purpose of performing a task carried out in the public interest or in the exercise of official authority vested in the user; for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with the regulations; or for the purpose of establishing, exercising or defending legal claims.

4. Right to restriction of processing

You can exercise the right to restrict the processing of personal data if any of the following applies:

  • you contest the accuracy of the personal data, for a period enabling the user to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • the user no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims.

5. Right to object

You have the right to object to the processing of your personal data to the supervisory body, i.e. the Croatian Personal Data Protection Agency.

 

Important: If you wish to exercise the above rights as a natural person, please state your OIB (PIN), name and surname when submitting the request for the exercise of your rights. In case you wish to exercise your rights exclusively as a business entity, please state the name of the business activity, as well as the OIB (PIN) and identification number of the business entity on the request.

The above rights can be exercised as described in the chapter Your rights regarding your personal data.

Additionally, you can submit a request for the exercise of the right of access to personal data in writing, to the address HROK d.o.o., Ulica Filipa Vukasovića 1, 10000 Zagreb, provided that the request contains your certified signature (for instance, notarized).*****


If you have any questions or remarks regarding the processing of your personal data in the OSR system, you can contact us as described in the chapter The Controller.


In case of divergence the Croatian original shall prevail.
 

ERSTE&STEIERMÄRKISCHE BANK d.d., 25 May 2018

*14 August 2018, supplemented with the explanation of the Erste Group members and their business partners regarding the consents, and the data processing of the client’s assignee and legal representative.
**Pursuant to the Act on the Comparability of Fees related to Payment Accounts, Payment Account Switching and Access to Basic Accounts and the Decision on the most represented services related to the payment account of the Croatian National Bank, from 1 November 2018, the “electronic banking services” are called “online banking services”.
***Supplemented on August 23, 2019 by the Information on DOR system data processing.
****Complemented with the Information on the processing of personal data in the Basic Register System between credit institutions on May 27, 2020, with the part related to the Bank's regulatory obligation to calculate the client's rating reflecting the client's risk being updated.
*****Amended by updating the registered office address of HROK on August 4, 2020.
******On 28 September 2020 supplemented with information on biometric data processing and the digital video identification process based on consent within the scope of online banking services.