Information on data processing

Data Controller

Erste&Steiermärkische Bank d.d., tax number (OIB): HR23057039320 (hereinafter: Bank) acts as a Data Controller. Depending on the purpose of the processing, the Bank as the Data Controller collects, processes, uses and analyses your personal information.

You can contact the Bank for all questions and issues related to exercising your rights in relation with the processing of your personal data at erstebank@erstebank.hr, at the headquarters address, at 0800 7890, at the branch offices or you can contact the data protection officer: SZOP@erstebank.com or at Ivana Lučića 2, Zagreb (for the data protection officer).

Personal Data

As a Data Controller, we are aware of the importance of personal data for each individual, and therefore it is extremely important for us to comply with the applicable regulations. Therefore, we have been working continuously to maintain and improve the security of your personal information and your privacy.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) introduces higher standards in the area of personal data protection.

To understand the information on data processing, one needs to understand basic concepts such as Personal data and Data processing.

Personal data is any information or combination thereof which can verify an individual's identity or can be used to establish an identity of an individual, such as name, surname, personal identification number, address data, location, photographs, employment data and income.

Data processing is every process involving personal data such as collecting, recording, structuring, storing, editing, inspecting, using, transferring and deleting.

What data does the bank collect and process?

In the course of its business activities, the Bank collects personal data for the purpose of concluding and executing business relationships with clients, as well as to fulfil the obligations determined by law and other regulations; a business relationship with the Bank is not possible without the collection and processing of mandatory and business-dependent data.

In addition, based on your explicit consent, the Bank processes your information in order to provide you with a higher quality service.

Mandatory data

Mandatory data are defined by regulations and without them the Bank cannot establish and/or maintain a business relationship.

These are identification data from valid identification documents and the Bank is obliged to collect them in accordance with the regulations (Money Laundering and Terrorist Financing Prevention Act, Law on Administrative Cooperation in the Field of Taxation) as follows: name and surname, the address of residence and/or temporary place of residence, personal identification number (OIB), gender, date, place and country of birth, nationality(ies), name and number of the identification document along with the name and country of the issuer and the validity as well as the validity of the residence permit and data related to tax residence outside of the Republic of Croatia.

If you perform business transactions (craft or free profession), included are also the data from the competent registry, such as: name, address of the head office and registration number.

Business-dependent data

Business-dependent data are those that are necessary for concluding and/or performing a business relationship with the Bank and depend on the service/product that has been contracted or used.

For products and services involving credit exposure with the Bank, the data are necessary for the credit risk management by the Bank, especially those data that relate to property status, household members, income and employment, and if you are performing business transactions, status data, financial data on business operations, creditworthiness and solvency data and similar data.

Business-dependent data may also be contact information, if needed for the contracting of bank services or products (for example, e-mail address for the Internet banking service or the Erste Broker service and mobile phone number for sending SMS messages with the account balance/turnover).

Contact data

Contact data are voluntarily given data and their goal is to inform you in the quickest and easiest way about facts and events relevant to products and services for which you have expressed interest or which you use and to provide information/documentation at your request or inquiry, unless you have explicitly agreed otherwise, or it falls under the Bank's obligations (for example, telephone calls to inform clients about the loan approval or current account overdraft approval, sending notifications about the possibility to collect a card or some other identification/authentication document in the branch office, sending notices about potentially unauthorized use of a current account card or some other product, etc.).

These are: an address different from the address of residence / temporary residence, telephone number, cell phone, fax and e-mail address; and, if you are a business user, an address different from the address of the head office and the name of the contact person, phone number, cell phone, fax and e-mail address.

How does the bank collect and process data?

Realisation of business relations and fulfilment of obligations defined by regulations

The Bank collects data directly from the client when contracting and expressing interest in services and products, when using Bank's products and services (for example, when conducting a payment transaction) and during any communication between the client and the Bank (for example, a call to the contact centre). For the purpose of realisation of the business relationship, as well as exercising rights and obligations of the bank defined by regulations, the Bank collects data from publicly accessible registers/records, such as the Unified Register of Accounts, Land Registry etc.

Data are processed by the Bank for the purpose of concluding and executing a business relationship and conducting transactions (realisation of products and services offered by the bank) in order to fulfil the obligations stipulated by regulations (reporting to state and supervisory bodies such as the Croatian National Bank, Croatian Financial Services Supervisory Agency, Ministry of Finance, Unified Register of Accounts led by the Financial Agency, the State Agency for Deposit Insurance and Bank Resolution, the bodies which the Bank is obliged to notify in accordance with the Law on International Restrictive Measures and EU Decisions on the Application of International Restrictive Measures and their Implementing Regulations, etc.) and for the purpose of exercising or defending legal requirements.

In accordance with the Credit Institutions Act and other relevant regulations, the Bank is obliged to manage risks for itself and for members of its group, i.e. credit, liquidity, interest, operational and other risks that the Bank and its group members are exposed to or can be exposed to, and therefore the Bank collects, exchanges and processes the necessary data of members of its group for this purpose.

Based on the consent:

On the basis of the given consent, the Bank processes the data contained in the consent solely for the purpose or purposes for which the consent was given.

The consent is given completely voluntarily, and therefore giving and withdrawing the consent does not affect the process of contracting products and services of the Bank nor the realisation of already agreed products and services.

Data processing based on the consent contributes to the continuous improvement of the quality of products and services of the Bank, and consequently the quality of managing your financial needs.

You may give consent for one or more purposes such as:

- creation of special offers / recommendations on products, services and possibilities of their use (personalized marketing) in order to manage the finances more efficiently as a client. For this purpose, the Bank processes information based on the use of products and services such as, for example, data on the amount, frequency, type and location of the transaction, account balance data, account card usage, and information on visits to a branch office to inform you about the benefits and the possibilities for using a bank card, benefits of electronic banking services or a permanent order, possibilities of contracting a savings product and so on. Data processing can include profiling on the basis of the analysis of your personal interests, behaviours and locations. Such profiling serves to anticipate your needs so that the Bank responds to them in a timely manner with an appropriate product offer, service or recommendation;

- occasional information on products and services, benefits, prize games, news and changes in business activities of the Bank, members of Erste Group and business partners (general marketing) in order to provide you with useful information on the business operations of the Bank, its products and services;

- improving products and services of the Bank according to your requirements and expectations based on the knowledge from occasional inquiries about your satisfaction and experience using the products and services of the Bank.

Consent can be revoked at any time and the Bank will no longer process the data for the purpose for which the consent was given. You can withdraw your consent in the same way it was given as well as in any branch office of the Bank. The withdrawal of the consent does not affect the legitimacy of the processing based on the consent prior to its withdrawal.

Automated individual decision making and profiling

In relation to a business relationship with a client, the Bank does not use automated individual decision making that would produce legal effects with negative consequences for clients under Article 22 of the General Data Protection Regulation.

For clients who use products and services involving credit exposure, the Bank has a regulatory obligation to calculate the credit rating in accordance with the Credit Institutions Act and EU Regulation No. 575/2013.

The credit rating is determined using statistical models based on the available data, among others, data collected from the client, data on used products and services and on the regularity in settling liabilities. Credit rating serves to assess the credit risk that a bank may be exposed to and the creditworthiness of the client. The decision on the approval of the loan, the amount and terms of the loan depends on the credit rating.

In accordance with the Money Laundering and Terrorist Financing Prevention Act, the Bank is obliged to make an analysis of the risk of money laundering and terrorist financing, and in accordance with that analysis, implement the process measure of performing due diligence of the respective client while establishing a business relationship and conducting occasional transactions.

Based on legitimate interests:

On the basis of legitimate interest, the Bank makes available to clients the possibility of contracting a cash loan / loan in the amount estimated on the basis of the credit rating that the bank is obliged to calculate in order to fulfil its regulatory obligation.

The Bank will indicate the possibility of contracting a loan in branch offices and/or via electronic banking services and the client can use such a loan immediately.

The client can file a complaint at any time regarding the above mentioned processing with the Bank, after which the Bank will stop all further processing.

To whom does the bank provide the data?

The Bank submits your information to third parties for the fulfilment of the contract concluded with you – for example, participants needed to carry out payment or card transactions, Central Depository and Clearing Company d.d. (CDCC), courts, land registry and similar public registers – and in order to meet the obligations of certain regulations – for example, reporting to state and supervisory bodies such as the Croatian National Bank, the Croatian Agency for Supervision of Financial Services, the Ministry of Finance, Unified Register of Accounts led by the Financial Agency, the State Agency for Deposit Insurance and Bank Resolution and members of its Group to meet its obligations related to risk management.

Some data processing processes are carried out by the Bank using service providers and applying technical and organizational data protection measures – for example, IT service providers, archiving service providers, providers of the service of printing and sending correspondence to clients, credit card transaction processing providers, card and PIN production and personalization service providers.

Service providers hired by the Bank as the Data Controller act in relation to personal data as Data Processors and the Bank is obliged to ensure that providers are located within the European Union area or in areas that are covered by the decision on adequacy by the European Commission, thus providing the highest level of protection of client personal data.

The Bank is obliged to collect and process identification data from the valid identification document as well as data which the Bank is required to collect in accordance with regulations (Money Laundering and Terrorist Financing Prevention Act) for the client's assignee, legal representative of the juvenile client / person under the custody and the legal representative of the legal person as follows: name and surname, residence and/or temporary residence address, identification number, date, place and country of birth, name and number of identification document with the name and country of the issuer and citizenship(s).

Banking secrecy

In addition to the General Data Protection Regulation, personal data is also protected through the Bank's commitment to keep bank secrecy. In accordance with the Credit Institutions Act, the Bank is obliged to keep all the data, facts and circumstances that it has learned on the basis of providing services to clients and performing transactions with an individual client as a banking secret. The Bank shall disclose the information that represents the bank secret exclusively in those cases and to those persons and bodies as determined by the Credit Institutions Act.

Security of data processing

The Bank implements technical and organizational protection measures to ensure an adequate level of security for the processing of your data.

Keeping personal data

The period of storage of your data is determined by the regulations governing a particular business relationship.

Your rights in relation to your personal data

The General Data Protection Regulation provides the following rights in relation to personal data: the right to be informed about the processing of your personal data, the right to correct inaccurate data, the right to delete data if they are no longer required for the exercise of rights and obligations from a business relationship or for the fulfilment of the Bank's obligations determined by regulations or for the purpose of obtaining and defending legal requirements, the right to restrict processing, the right to portability and the right to object.

You have the right to file a complaint related to your personal data with the Bank at erstebank@erstebank.hr or vasemisljenje@erstebank.hr, at the headquarters address, at 0800 7890, at the branch offices or you can contact the data protection officer: SZOP@erstebank.com or Ivana Lučića 2, Zagreb (for the data protection officer).

You can also file a complaint to the supervisory body for personal data protection i.e. to the Personal Data Protection Agency (AZOP).

ERSTE&STEIERMÄRKISCHE BANK d.d., 25 May 2018