Erste&Steiermärkische Bank d.d., OIB (Personal Identification Number): HR23057039320 (hereinafter: „Bank”) is the Controller of Personal Data. Depending on the purpose of the processing, the Bank – as the Controller of Personal Data – collects, processes, uses and analyses your personal data.
You can contact the Bank for all questions and rights related to processing of your personal data at firstname.lastname@example.org, at the headquarters address, the phone number: 0800 7890, in the branch offices, or you can contact the Data Protection Officer at: SZOP@erstebank.hr or at Ivana Lučića 2, Zagreb (attn. Data Protection Officer).
As the Controller of Personal Data, we are well aware of the importance of personal data to each individual; therefore, we attach great importance to the compliance with the relevant regulations. Accordingly, we put in a great deal of effort to maintain and enhance the security of your personal data and privacy.
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) introduces higher standards in the field of personal data protection.
In order to understand Data Processing Information you must be familiar with the basic terms, such as personal data and data processing.
A personal data is any data or a combination thereof identifying the identity of a natural person or a means to identifying the natural person; such as name, surname, personal identification number, address details, location, photo, work details, income.
Data processing constitutes every procedure performed on personal data, such as their collection, recording, structuring, storage, modification, review, usage, transfer or deletion.
Which data are collected and processed by the bank?
Personal data are collected by the Bank during its business operations with the aim of establishing business relations with clients and meeting the obligations imposed by the law and other regulations, and it is not possible to establish a business relationship with the Bank without the collection and processing of mandatory data and data for business purposes. In addition, based on your explicit consent, the Bank processes your data in order to provide the best service possible.
Mandatory data are defined in the regulations and the Bank cannot establish and/or maintain a business relationship in their absence.
They constitute identification data on a valid identification document, and data that the Bank was bound to collect in compliance with the regulations (Anti-Money Laundering and Terrorism Financing Prevention Act, Act on the Administrative Cooperation in The Field of Tax), precisely: name and surname, residential address, Personal Identification Number (OIB), gender, date, place of birth, nationality(ies), identification document type and number, including the name and country of the Issuer and the validity period, as well as the validity period of the residence permit, and the data concerning the tax residence outside Croatia.
If you are operating a business (craft companies or free professions), then the data from the competent registry, such as: name, registered office address and the company registration number, are mandatory as well.
Data for business purposes
Data for business purposes are the data necessary for establishing and/or executing a business relationship with the bank, depending on the service/product contracted or used as well as those required to manage the risks arising from those business relationships, which the Bank must manage in accordance with its regulatory obligations (e.g., credit risk, money laundering and terrorism financing risk and other operational risks).*9
Products and services including the bank credit exposure require the data for the credit risk management by the Bank, especially the data referring to the property status, members of the household, income and employment status; and if you are operating a business the required data are: status data, business financial data, data on the creditworthiness and solvency, and the like.
Data for business purposes can also constitute contact details, if they are necessary for the provision of the Bank’s service or product (for example, an e-mail for the Internet banking service or Erste Broker service, and the phone number for informative text messages on the account balances/payment transactions).
Contact details are voluntarily submitted data and they are used by the Bank to inform you as soon as possible and in the easiest manner possible about the facts and events significant for the product or service that you are interested in, or which you are already using, and to deliver the information/documents upon your request or enquiry, unless otherwise agreed upon or provided as the Bank’s obligation (for example, the Bank may contact you by phone to inform you that your loan has been granted or that you have an overdraft facility, you may also be informed that you can pick up your identification/authentication card in the branch office, or that someone unauthorised has used your current account card or some other product etc.).
These include the address other than your residential address, phone number, cellphone number, fax number, e-mail; and if you are operating a business, an address other than the registered office address and the name and surname of the contact person, phone number, cellphone number, fax number, e-mail.
How are the data collected and processed by the bank?
Establishing the business relationship and meeting the obligations provided in the regulations
The Bank collects the data directly from the client in the contractual agreement or during the client’s expression of interest for the services and products, during the use of the Bank’s product or service (for example, during the payment transaction) or during any client’s communication with the Bank (for example, while calling the call center). In order to establish a business relationship and to exercise its rights and obligations defined in the regulations, the Bank collects the data from the publicly available registries/records, such as the Unified Account Registry, land registry etc.
The data are processed by the Bank for the purpose of establishing business relations and carrying out transactions (the realization of the Bank’s products and services), in order to meet its obligations provided by the regulations (by reporting to the government and supervisory authorities, such as the Croatian National Bank, the Croatian Financial Services Supervisory Agency, the Ministry of Finance, the Unified Account Agency managed by the Financial Agency, the State Agency For Deposit Insurance and Bank Resolution, the authorities which the Bank is required to notify pursuant to the International restrictive measures and the European Union decision on the application of international restrictive measures and their implementing regulations, etc.) and in order to exercise or defend legal claims.
Pursuant to the Credit Institutions Act and other relevant regulations, the Bank shall, on its own behalf and on behalf of its group members, manage the credit, liquidity, interest rate, operative and other risks to which it is exposed, or may be exposed, together with its group members; and therefore, the Bank shall collect, exchange and process the necessary data from its group members for that purpose.
Based on consent
Based on the given consent, the Bank shall process the data contained therein exclusively for the purpose for which the consent was given. The consent shall be given completely voluntarily, and therefore, giving or withdrawing consent does not affect the contracting of the Bank’s products and services or the realization of already contracted ones.
The data processing based on consent contributes to the continued improvement of the Bank’s product and service quality, and consequently to the quality of your financial needs’ management.
The consent may be given for one or more purposes, such as:
(i) the creation of special offers of/recommendations for products, services and possibilities of their use (personalized marketing), in order for you to manage your finances more efficiently as the client. For this purpose, the Bank shall process the data based on the product or service usage, such as: the data on the amount, frequency, transaction type and place, bank balance, bank account card usage, and the data on the frequency of visits to the branch office, in order to be able to inform you about the benefits and possibilities of using your bank account, online*2 banking services or a standing order, the possibilities of contracting a saving product etc. The aforementioned data processing may include the creation of your profile based on the analysis of your personal interests, conduct and location. Such profiling is aimed at anticipating your needs in order for the Bank to act on them in a timely manner with an adequate offer of products, services and recommendations;
(ii) providing periodical information on products and services, benefits, prize contests, news and changes in the operation of the Bank, Erste Group members and business partners2 (general marketing), so that you would have at your disposal useful information on the Bank’s business operations, products and services;
(iii) the improvement of the Bank’s products and services according to your requests and expectations, based on the information from periodical customer satisfaction enquiries.
*6 Within the scope of its online banking services, the bank may process biometric data based on voluntary consent. The service may also be arranged under the same terms without the requirement for consent at any of the bank’s branch offices.
Biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data.
The biometric data processing consent shall be requested by the bank in the event of arranging online banking services (George) through the George mobile app. The consent is required for the process of unique identification of facial images as biometric data by comparing them to images on ID cards.
*6 Within the scope of its online banking services and for the purpose of client identification, the bank may carry out a video-electronic identification process based on voluntary consent. The identification may be carried out under the same terms without the requirement for consent at any of the bank’s branch offices.
The video-electronic identification shall be carried out by the bank in accordance with the Ordinance on Minimum Technical Requirements, which the means of video-electronic identification must meet.
You may withdraw your consent at any moment and thenceforth the Bank will no longer process your data for the purpose for which consent was given. The consent may be withdrawn in the same manner in which it was given in any branch office of the Bank. The consent withdrawal does not affect the legitimacy of the processing carried out based on the consent prior to its withdrawal.
Automated individual decision making and profiling
In the business relationship with the client, the Bank shall not use the automated individual decision-making that would produce legal effects with negative consequences for clients pursuant to Article 22 of the General Data Protection Regulation.
For clients using products and services, the Bank has a regulatory obligation, in accordance with the Credit Institutions Act and EU Regulation No. 575/2013, to calculate the behavioral rating reflecting the client's risk on a monthly basis. The calculation is performed by using statistical models based on the available data, inter alia, the data collected from the clients, the data on used products and services and the data on regular settlement of liabilities. The behavioral rating serves as one of the input variables for assessing the credit risk to which the Bank may be exposed, as well as the client's creditworthiness. The decision on the approval, amount and conditions of the credit depends on the behavioral (calculated on a monthly basis) and the application rating (calculated at the time of approval of the new credit exposure).*4
Pursuant to the Anti-Money Laundering and Terrorist Financing Act, the Bank shall conduct an analysis of money laundering and terrorism financing risks, and accordingly implement customer due diligence measures while establishing a business relationship and processing periodical transactions.
Based on legitimate interest:
Based on the legitimate interest, the Bank shall make it possible for the clients to contract cash credits/loans in the estimated amount based on the behavioral rating which the Bank is required to calculate as part of its regulatory obligation. The Bank will indicate the possibility of contracting in its branch offices and/or via online banking, and the client will be able to use the credit/loan immediately.*4
Based on the legitimate interest, the Bank shall collect and process mandatory contact details, at least one of the data of the client’s choice: telephone number and/or mobile phone number and/or e-mail for the purpose of fast and efficient communication of the Bank with its clients, for new and existing clients which are entering into agreements with the Bank related to the Bank’s products such as accounts, deposits and credit products, or contracting changes to already concluded agreements, in order to improve the process of conducting measures and actions for effective management of operational and credit risks, which is one of the Bank’s key regulatory obligations.*9
The client may file a complaint against the aforementioned data processing, whereupon the Bank shall suspend further processing.
Who receives the data from the bank?
The Bank submits your data to third parties for the purpose of complying with the contract concluded with you; for example, to the participants necessary for carrying out the payment or a bank card transaction, to the Central Depository and Clearing Company Inc. (CDCC), to courts, to land registry departments and similar public registries; and for the purpose of complying with the regulatory obligations, e.g. in order to report to the government and supervisory authorities, such as: the Croatian National Bank, the Croatian Financial Services Supervisory Agency, the Ministry of Finance, the Unified Account Agency managed by the Financial Agency, the State Agency For Deposit Insurance and Bank Resolution and its Group’s members for the purpose of meeting risk management requirements.
Some data processing processes are carried out by the Bank using service providers and applying technical and organizational data protection measures, for example, IT service providers, archiving service providers, providers of the service of printing and sending correspondence to clients, credit card transaction processing providers, card and PIN production and personalization service providers. Service providers hired by the Bank as the Data Controller act in relation to personal data as Data Processors and the Bank shall ensure that providers are located within the European Union area or in areas that are covered by the adequacy decision by the European Commission, thus providing the highest level of protection of client's personal data.
Data related to assignees, legal representatives and real owners of legal persons
The Bank shall collect and process the identification data from the valid identification document and the data that the Bank is required to collect in accordance with regulations (Anti-Money Laundering and Terrorist Financing Prevention Act) for the client's assignee, legal representative of the juvenile client / person under the custody and the legal representative of the legal person as follows: name and surname, residential address, identification number, date, place and country of birth, name and number of identification document with the name and country of the issuer and citizenship(s).
The Bank shall collect and process the identification data from the valid identification document and the data that the bank is obliged to collect in accordance with the regulations (Anti-Money Laundering and Terrorist Financing Prevention Act, Act on Administrative Cooperation in the Field of Taxation) for the real owner of the client who is a legal person and a person performing business activities as follows: name and surname, residential address, identification number, date, place and country of birth, name and number of identification document with the name and country of the issuer and data related to tax residence outside of the Republic of Croatia.
Without the aforementioned data, the Bank is unable to realize business relationships through an assignee or a legal representative or a business relationship with a legal person or a person performing a business activity.
In addition to the General Data Protection Regulation, the personal data are also protected through the Bank's commitment to banking secrecy. In accordance with the Credit Institutions Act, the Bank shall keep as a banking secret all the data, facts and circumstances that it has learned on the basis of providing services to clients and performing transactions with an individual client. The Bank shall disclose the data which represent the banking secret exclusively in those cases and to those persons and authorities as determined by the Credit Institutions Act.
Data processing security
The Bank shall implement technical and organizational security measures to ensure an adequate level of security for the processing of your data.
Keeping personal data
The period of keeping your data is determined by the regulations governing a particular business relationship.
Your rights in relation to your personal data
General Data Protection Regulation provides the following rights in relation to personal data: the right to be informed about the processing of your personal data, the right to correct inaccurate data, the right to delete data if they are no longer required for the exercise of rights and obligations in a business relationship or for the fulfilment of Bank's obligations determined by regulations or for the purpose of obtaining and defending legal requirements, the right to restrict processing, the right to portability and the right to object.
You can also file a complaint to the supervisory body for personal data protection i.e. to the Croatian Personal Data Protection Agency (AZOP).
Information on the processing of personal data in the basic register system between credit and financial institutions*7
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the Regulation), we are providing you with this information in order to acquaint you with the possible processing of your data in the Basic Register System (hereinafter: the OSR system).
The OSR system is a system for processing and exchanging client details between credit and financial institutions as users of the OSR system (hereinafter: the users) through HROK, namely for the purposes of creditworthiness assessment and/or credit risk management.*7
Within the meaning of the Regulation, the users are individual and joint controllers in the OSR system, and the company Hrvatski registar obveza po kreditima d.o.o., Zagreb, Ulica Filipa Vukasovića 1 (hereinafter: HROK) is, depending on the situation, their individual or joint data processor.
In accordance with Articles 13 and 14 of the Regulation, as our client and the debtor, co-debtor and/or guarantor, we are hereby informing you that we, as one of the users of the OSR system, process your personal data in the OSR system if you have or have had a financial liability to us (such as a credit, overdraft, or credit card debt, etc.). We process your data (including your personal data) in the OSR system by exchanging data on your financial liabilities with other participants in the OSR system.*7
Processing purposes and legal grounds for processing
The purpose of processing and exchanging your personal data in the OSR system between credit and financial institutions as users of the OSR system is to assess your creditworthiness and/or manage our credit risk towards you if you are our client or if you intend to be one.*7
The exchange of your data in the OSR system
a) between credit institutions (banks, savings banks and building societies) is based on the compliance with the legal obligation (in accordance with Article 6(1)(c) of the Regulation) contained in Article 321 of the Credit Institutions Act, which regulates the obligation to exchange data and information on clients between credit institutions for the purposes of assessing creditworthiness and/or managing the credit risk, as well as
b) between credit and financial institutions or between two financial institutions, based on our legitimate interest, as well as the legitimate interest of all users (in accordance with Article 6(1)(f) of the Regulation) to assess the creditworthiness of clients (the clients’ ability to duly repay their liability) in order to reduce and/or avoid the risk of non-performing loans and over-indebtedness of clients, as well as manage credit risks in relation to our clients, which is one of the regulatory obligations of users. :*7
What data of yours are processed in the OSR system?
The following categories of your data are processed and exchanged in the OSR system:
identification data and
data on the existing and settled or otherwise extinguished liabilities
Identification data are:
OIB (Personal Identification Number), name and surname
OIB (Personal Identification Number), name and identification number of the business entity (if you are engaged in a business activity)
Data on the existing and settled or otherwise extinguished liabilities (financial liabilities) of the client are the following:
type of liability,
total amount of the liability,
capacity in which you participate in the liability (debtor, co-debtor and/or guarantor),*7
amount and periodicity of annuity/instalment,
regularity in settling liabilities,
number of arrears,
amount of arrears,
number of days of delay in complying with a liability.
How, why, and when will your data be processed in the OSR system?
Your data is processed by delivering and storing data in the OSR system and exchanging said data between OSR system users at the request of an individual user in cases where it assesses creditworthiness or manages credit risk.
For said reason, we, as well as other users of the OSR system, submit updated personal data on our clients to the OSR system once a month.
The exchange request can be made by us when we assess your creditworthiness and/or manage the credit risk towards you, as well as by other users when they do the above. Based on the request made, all data on your financial liabilities stored in the OSR system at the time of the request are exchanged and consolidated, and an OSR report on the data contained in the OSR system is drawn up.
If there are no data on your financial liabilities in the OSR system, a notification is being drawn up instead of a report, namely stating that there are no such data of yours in the OSR system.
How would you be affected by OSR system data processing?
The content of the reports drawn up on the basis of the exchange of data on your financial liabilities in the OSR system may have an effect on our business decisions regarding you, namely both those for which your creditworthiness is important, and those we make in relation to the management of credit risk towards you.
How long do we retain your personal data?
Data on your financial liabilities that are no more than 4 (four) years old are retained and exchanged in the OSR system. After your financial liability has been fully settled or otherwise extinguished, your data will be kept for a maximum of 4 (four) years from the day when the financial liability was fully settled or otherwise extinguished.
Who are the recipients of your personal data?
The recipients of data from the OSR system are only the users of the OSR system, namely only those who have made a request for data exchange and who thus received a report containing data on your financial liabilities or a notification that the OSR system does not contain data on your financial liabilities. Indirectly, as a processor in the OSR system, HROK is also one of the recipients.
In case your data are being processed in the OSR system, you are entitled to request the exercise of the following rights in relation to us, as controllers:
1. Right of access to personal data
Regarding the data processed in the OSR system, you can request a confirmation as to whether your personal data are being processed, as well as a copy of your personal data in case they are indeed being processed.
2. Right to rectification
If you believe that the data processed in the OSR system are incorrect or incomplete, you can request they be rectified or completed.
3. Right to erasure (“right to be forgotten”)
You may exercise the right to erasure of personal data if one of the following conditions is met:
the personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
you have objected to the processing, and your legitimate reasons for erasure override our legitimate interest in the processing (and the legitimate interest of other users);*7
the personal data have been unlawfully processed or they have to be erased for the purpose of compliance with a legal obligation.
The right to erasure under the Regulation shall not be applied, even if one of the above conditions is met, namely if the processing is necessary for the purpose of exercising the right to freedom of expression and information, for the purpose of complying with a legal obligation requiring the processing under Union law or the law of the Member State to which the user is subject, or for the purpose of performing a task carried out in the public interest, or in the exercise of official authority vested in the user, for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with the regulations, as well as for the purpose of establishing, exercising or defending legal claims.
4. Right to restriction of processing
You can exercise the right to restrict the processing of personal data if any of the following applies:
you contest the accuracy of the personal data, for a period enabling the user to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
the user no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
you have objected to the processing pursuant to Article 21(1) of the Regulation awaiting confirmation whether the legitimate interests of users override your legitimate interests. *7
5. Right to object*7
Whenever your personal data are processed and exchanged in the OSR system on grounds of a legitimate interest, you may, pursuant to Article 21(1) of the Regulation, object to such processing of your personal data at any time, namely on the basis of your particular situation overriding our legitimate interest in the processing of your data in the OSR system, as well as the legitimate interest of other users in the processing of such data.
Please note that your objection to the processing and exchange of your data in the OSR system on grounds of a legitimate interest does not affect the processing and exchange of your data in the OSR system insofar as such processing and exchange are based on the compliance with the legal obligation of credit institutions under Article 321 of the Credit Institutions Act, as such processing and exchange of data are aimed at complying with the legal obligation referred to in Article 6(1)(c) of the Regulation.
In addition, any person whose personal data are processed in the OSR system has the right to object to the processing of their personal data to the supervisory body, namely the Croatian Personal Data Protection Agency.
Important: When submitting a request for the exercise of your rights, please state your OIB (Personal Identification Number), name and surname, or the name of the business activity and the business entity's court registration number.*7
The above rights can be exercised as described in the chapterYour rights regarding your personal data.
Additionally, you can submit a request for the exercise of the right of access to personal data in writing, to the address HROK d.o.o., Ulica Filipa Vukasovića 1, 10000 Zagreb, provided that the request contains your signature authenticated by a notary public from the Republic of Croatia or by the diplomatic and consular post of the Republic of Croatia.*7
If you have any questions or remarks regarding the processing of your personal data in the OSR system, you can contact us as described in the chapter The Controller.
In case of divergence the Croatian original shall prevail.
ERSTE&STEIERMÄRKISCHE BANK d.d., 25 May 2018
*1 14 August 2018, supplemented with the explanation of the Erste Group members and their business partners regarding the consents, and the data processing of the client’s assignee and legal representative.
*2 Pursuant to the Act on the Comparability of Fees related to Payment Accounts, Payment Account Switching and Access to Basic Accounts and the Decision on the most represented services related to the payment account of the Croatian National Bank, from 1 November 2018, the “electronic banking services” are called “online banking services”.
*3 Supplemented on August 23, 2019 by the Information on DOR system data processing.
*4 Complemented with the Information on the processing of personal data in the Basic Register System between credit institutions on May 27, 2020, with the part related to the Bank's regulatory obligation to calculate the client's rating reflecting the client's risk being updated.
*5 Amended by updating the registered office address of HROK on August 4, 2020.
*6 On 28 September 2020 supplemented with information on biometric data processing and the digital video identification process based on consent within the scope of online banking services.
*7 On June 16, 2021 Information on the processing of personal data in the Basic Registry System between credit institutions (*4) has been updated with the Information on the processing of personal data in the Basic Registry System between credit and financial institutions, namely in relation to data exchange between credit and financial institutions (card companies) on grounds of a legitimate interest.
*8 On August 4, 2021 Information on data processing was updated by removing the chapter “Information on the processing of personal data in the DOR system *3”, as the exchange of data in the DOR system ceased on that day.
*9 On November 8, 2021 Information on data processing was supplemented by processing mandatory contact details based on legitimate interest, and data for business purposes was further clarified.