Protection of personal data

The purpose of this website is to inform you about the processing of your personal data in Komerční banka, and about your rights relating to your personal data. We want you to know what kind of personal data we collect, what we do with it, and what we use it for. You can also find information on the sources we obtain this data from, and learn who we can provide this data to.

We always process your personal data transparently, fairly and lawfully, and to the extent required for a given purpose. We securely retain your personal data for the period that is strictly necessary, in compliance with the time limits defined by legislation and other regulations. If the bank has a legitimate interest, we can decide for ourselves how long we will retain your data. We only process the personal data of persons aged under 18 if a child’s legal representative is acting on the child’s behalf.

We recommend that you familiarise yourself with the information contained in the document Information About Processing of Personal Data, which you will find below.


Information About Processing of Personal Data for Clients

The purpose of this document is to provide you with information about the processing of your personal data by Komerční banka and about your rights associated with them.

The information contained herein relates to the processing of personal data of clients – natural persons (potential, existing and former) and, to a reasonable degree, other natural persons to whom our bank owes certain obligations (e.g., beneficial owners or representatives of legal entities, or other users of services provided to legal persons).

We always process your personal data in a transparent, fair and lawful manner, and to the extent necessary for the given purpose. We retain your personal data safely for a period of time that is strictly necessary, as required by law or other regulations.

We encourage you to read the information contained in this document.

In case of any questions, please call KB Infoline at 800 521 521 or visit www.KB.cz/osobni-udaje.

You can also contact our Data Protection Officer by e-mail at the address osobni_udaje@kb.cz or through our branches/points of sale.

The controller of your personal data is Komerční banka, a. s. (hereinafter KB).

Contact details of the controller:

Komerční banka, a. s., IČO: 45317054
Na Příkopě 969/33
114 07 Praha 1
P. O. BOX 839
Česká republika / Czech Republic

Contact details of the Data Protection Officer (DPO):

Kancelář pověřence pro ochranu osobních údajů KB, a.s.
Václavské nám. 796/42
114 07 Praha 1
Česká republika / Czech Republic

E-mail: osobni_udaje@kb.cz

 

We may only process your personal data if there is an adequate legal reason to do so, i.e., if at least one of the following conditions is met:

a) The processing is necessary for KB to meet its legal obligations, in particular for the following purposes:

  • Credit risk assessment,
  • Prevention, detection and investigation of frauds, and money laundering prevention,
  • Prevention and control of investment products and insurance products,
  • Safeguard against market abuse,
  • Regulatory reporting,
  • Taxation and accounting obligation,
  • Archiving and records management,
  • Providing assistance to authorities.

 b) The processing is necessary for the fulfilment of a contract, in particular for the following purposes:

  • Arranging a product/service,
  • Entering into a contract for the provision of a product/service,
  • Providing customer service related to a product/service.

c) The processing is necessary for the purpose of our justified interests, in particular for the following purposes:

  • Risk management,
  • Security,
  • Defence of our legal claims,
  • Recovery and sale of receivables,
  • Product and service analysis,
  • Development and evolution of provided services,
  • Direct marketing – we can approach our customers with a general offer of KB products and services,
  • Company’s internal needs; reporting,
  • Software change testing,
  • Creation of statistical information used for client counselling.

 d) The processing based on your consent, in particular for the following purposes:

  • Personalized offer of products and services, marketing processing of your data, such as analyses and profiling, surveys and user testing in order to customize our offers to your needs and improve the services provided.

       In the case that you decide to give us your marketing consent, it shall apply to all companies listed in the consent. If you should request to include only some of the joint managers listed therein, we shall consider it a lack of, or as the case may be, withdrawal of your marketing consent. If you withdraw your consent with respect to one of the companies, such withdrawal shall also apply to other companies, which means that none of them shall be authorised to process your personal data for the purposes specified in the marketing consent after that date.

If you give us a separate marketing consent to the processing of data from a payment account held with another bank and connected in KB internet banking, this consent shall only apply to KB.

  • Utilising the TelcoScore service, which provides information on the creditworthiness and credibility of users of electronic communications services. More information can be found at www.sid.cz and in the document entitled “Privacy Policy Statement – TelcoScore” available at any KB branch/point of sale and at its website www.kb.cz.
  •  If you are a Merchant and you use KB SmartPay and Worldline Card Acceptance Services, you give the Alliance Consent to the processing of personal data and your Company’s data for marketing purposes within the Credit Card Acceptance Alliance, whose members are joint controllers of the data. For more information on this consent, please refer to the “Information on Personal Data Processing by SmartPay” on www.kbsmartpay.cz website.
  • Consents you give us in connection with the use of products and services.

The consent is voluntary; you can give it, refuse it or withdraw it at any time. The withdrawal of your consent shall be without prejudice to the lawfulness of the processing that is based on the consent given before its withdrawal.

A lack or withdrawal of the consent entails no implications for your contractual relationship with KB.

e) The processing is necessary for the protection of your vital interests or for the performance of a task carried out in the public interest or subject to the exercise of official authority potentially vested in us as the controller. Such reasons can be applied to KB only in exceptional circumstances.

 

Identification data of an individual

In particular, the first name, surname, birth number, date of birth, place of birth, nationality, identity card numbers, photograph and other personal data stated in the identity card. For businesspersons, also their IČO (ID number), VAT number, etc. It also applies to individuals with a connection to specific products, e.g. a joint holder, statutory representative of a legal person, co-debtor, applicant, or family member. This data is important to make sure we really contact the right person.

Special categories of personal data (sensitive data)

In particular, the health data you provide to us with a view to strengthening your interests or that is needed to arrange for a product to be provided.

Contact details

In particular, all addresses of the subject, e.g. the permanent residence address, correspondence addresses (for businesspersons also the address of the company) and other contact details of the entities, e.g. their telephone numbers, electronic addresses, social networking addresses, data mailbox IDs, etc. This data is necessary so that we can deliver our communications to you.

Socio-demographic data

In particular, statistical data, such as age, gender, marital status (single, divorced, etc.), education, profession, employer’s data, number of children, etc. Such data, which you usually share with us when applying for your product, allow us to better tailor our offer and services to your needs.

Property

In particular, data related to financial circumstances, such as ownership of real estate, securities or shares. In some cases, we also process information about your income and liabilities, as well as other loans/credits balances, lease contract balances, building savings instalments, pension insurance instalments, insurance premiums, other individual expenses (e.g. alimonies), other liabilities (surety, guarantee, ...) etc. We collect this data from you in particular as part of a product/service request, or from external sources (e.g. credit registers), or from information about the use of our products, and it is primarily used for the evaluation of your loan/credit applications.

Tax residence

In particular, data associated with identifying your tax residence, i.e. where you are liable to pay taxes in order to comply with the statutory tax liability.

Data on used products and services

Information about which services provided by KB or its subsidiaries and/or partner companies you have arranged and how you use them (e.g. account balances, transaction data on card payments, withdrawals from ATMs, outgoing and incoming payments, etc.). If you choose to use direct banking channels to operate your products/services, we keep information about your location, IP address, activity on our website, etc. We derive, for example, your transactional behaviour from this data and accordingly adjust our offer of products and services.

Means of electronic communication used for authentication and authorisation

In particular, data on means of electronic communication that are primarily used for authentication, i.e. verifying your identity. The data that fall into this category include, without limitation, a digital signature, certificate, or commonly used application login user name, identification or authentication through a mobile device, or serial numbers of the devices (MAC address), etc. The main reason for processing these data is to ensure a high level of security while these means of communication are used.

 Activity records of banking equipment and/or applications

In particular, identification data e.g. from payment terminals, communication channels or banking applications logs, as well as other data, such as geolocation data from payment terminals. The data is used, above all, to monitor and optimize the availability of our facilities and services, e.g. when dealing with your complaints or preventing the misuse of payment cards.

Communication recordings

In particular, telephone call recordings, written records of meetings with relationship managers or other specialized staff, recordings of your complaints and claims. We collect this data on the basis of legal obligations and/or for the purpose of the arrangement and performance of a contract and/or due to the legitimate interests of KB, in particular defending its legal claims; this data is also intended to prevent you from being contacted too often and helps us to adjust our offer to your current needs. You are always informed in advance that a given telephone call is going to be monitored/recorded.

Camera recordings

In particular, data/recordings from the monitoring devices of KB’s branches/points of sale, as well as KB’s other premises, such as ATMs and safes. They are used, first and foremost, to ensure the safety of clients and employees of the bank and to protect property.

Data obtained from you or your representatives (e.g. legal guardian or statutory representative) or from other individuals

Data you and/or other individuals provide us, e.g. in an application for the provision of a product/service.

Data resulting from the use of banking products and services

Data automatically recorded by banking systems and devices while your transactions are executed, such as ATM withdrawals, card payments, payments credited and debited to your current account.

Data from publicly accessible sources

These include, in particular, sanction lists of entities associated with terrorism and other internationally monitored persons subject to international sanction programmes, the insolvency register (ISIR), bankruptcy register, central register of enforcements/distraints, registers of invalid and stolen documents, register of groups of connected clients, information from the land/property register, trade register, business register, etc.

Data obtained from third parties

These include, in particular, the data on the use of products and services provided by the KB Group members, data obtained from mobile operators (using the TelcoScore service – see Section 3), or public authorities, and also data collected from specialized companies that collect information from public sources, such as ministries, the trade register, business register, land/property register, etc.

Data from the Internet, social media and social networks

These include, in particular, the so-called geolocation data that precisely identify the GPS coordinates (or an address point), an IP address, cookies, identification of a device from which you connect, information on browsers, identification of a social network profile, etc. Making use of marketing services offered by some social networking providers (e.g. Facebook), we use your profile information so that we can target our advertising campaigns to users with similar characteristics more efficiently.

Data from our web forms

These include, in particular, contact details you provide to us when you show interest in any of our products so that we can contact you.

Data related to products of other financial institutions connected to internet banking

If you connect a product you use, which is provided by another financial institution, to KB’s internet banking, we shall process the data provided by you or obtained by us, which are necessary for the proper functioning of this service, and the data on such products and their transactions to the extent the other financial institution shall have provided to us.

The regulations on personal data protection allow the controller to entrust the processing of personal data to a processor. A personal data processor is any entity that processes personal data on the basis of specific legislation, or is entrusted or authorised to do so by the controller. In such cases, the contractual and regulatory arrangements guarantee your data the same protection that Komerční banka provides. The most important processors used by KB to process personal data include:

  • IT services providers (development, maintenance and support of KB information systems),
  • Cloud services providers,
  • Card associations,
  • Advertising and marketing agencies,
  • Companies providing data and documents archiving,
  • Companies and individuals providing legal services,
  • Companies and individuals collecting debts on our behalf,
  • Mortgage appraisers,
  • Our partners in loyalty programmes,
  • Postal services and couriers,
  • Comprehensive insurance providers,
  • Providers of services for payment cards issuing and card transactions processing,
  • Financial intermediaries.

 

In addition to the processors listed above, whom we authorise more or less directly to process personal data, we also pass on your personal information to other institutions or entities, in particular:

  • Government entities, courts and law enforcement authorities,
  • Czech National Bank and the Ministry of Finance,
  • Czech Office for Personal Data Protection,
  • Other banks or payment services providers to the extent provided by law,
  • Mobile telephone operators (if the client uses TelcoScore – see Section 3).
  • Participants of client information registers
    To protect our rights by assessing your ability and willingness to repay your loan commitments, KB investigates your creditworthiness, payment discipline and integrity. We do this on the grounds of our legal obligations and/or legitimate interests, with the help of credit registers. At the same time, when negotiating a credit or loan, and possibly also during the term of a credit agreement, we pass on your data to these credit registers, without your consent being necessary. In addition to the database maintained by the Czech National Bank, we use three other credit registers:
  • Client Information Bank Register (CIBR) – more information about this register is available at www.cbcb.cz.
  • Non-Bank Client Information Register (NCIR) – more information about this register is available at www.cncb.cz.
    The above registers exchange information and share it with each other without your consent being necessary. We recommend that you consult their Information Memoranda, which are available at the registers’ websites.
  • SOLUS Register – more information about this register is available at www.solus.cz

Subject to conditions as defined by law, we may also provide your personal data to our parent company, Société Générale, s.a., registered in France under Company Number R.C.S. Paris B 552 120 222, as well as other Group members incorporated in the Czech and Slovak Republics, such as:

  • Modrá pyramida stavební spořitelna, a.s., IČO (Company ID): 60192852,
  • Komerční pojišťovna, a.s., IČO (Company ID): 63998017,
  • KB Penzijní společnost, a.s., IČO (Company ID): 61860018,
  • ESSOX s.r.o., IČO (Company ID): 26764652,
  • ESSOX Finance, s. r. o., IČO (Company ID): 35846968 (Slovakia),
  • ALD Automotive s. r. o., IČO (Company ID): 61063916,
  • ALD Automotive Slovakia, s. r. o., IČO (Company ID): 47977329 (Slovakia),
  • SG Equipment Finance Czech Republic s.r.o., IČO (Company ID): 61061344,
  • Factoring KB, a.s., IČO (Company ID): 25148290

We retain our clients’ personal data only for as long as necessary and for a period of time that is stipulated by law and depends on the purpose of their processing.

In the case of fulfilling a legal obligation, these deadlines are set by applicable law, in particular the AML Act and the Banking Act. Both acts require us to retain your personal data for 10 years from the execution of a given transaction or the termination of a contractual relationship. This time limit starts from 1 January of the following year.

If the processing is necessary for the performance of a contract, the period of time is usually equal to the term of the relevant contract.

If the processing is necessary for the purposes of our legitimate interests, e.g. for the purposes of litigation, your personal data may be processed for the duration of the litigation, which may be longer than the retention period set by applicable law.

If the processing is performed on the basis of your consent, the period of time shall be equal to the period of validity of the consent granted.

In most cases, the data is processed under several legal titles, which can exist in parallel or follow each other. For example, the personal data we receive from you when entering into a current account contract is processed as part of the performance of the contract. After the termination/expiry of the contract, it is processed for the purposes of KB’s legitimate interest in the event of litigation, and at the same time due to a legal obligation under the Banking Act.

Other examples:

As part of the service connecting other financial institutions’ products to KB internet banking, we shall retain data on these products and transactions for 5 years after such products have been disconnected from KB internet banking.

We usually store the data obtained from our web forms for up to 2 months, after which period, they shall be automatically deleted. If a contract is concluded in the meantime, we shall retain your data in accordance with applicable law.

Right of access to personal data

  • You shall have the right to request a transcript of personal data concerning your person collected by KB.
     

Right to personal data portability

  • You shall have the right to receive the personal data concerning your person, which you have provided to us, in a structured, commonly used and machine-readable format. This concerns your personal data undergoing automatic processing under your consent or under a contract.
     

Right to erasure of personal data (right to be forgotten)

  • You shall have the right to obtain from KB the erasure of personal data concerning your person without undue delay, where a legal ground is met.
     

Right to have personal data rectified

  • You shall have the right to obtain from KB without undue delay the rectification of inaccurate personal data concerning your person, or to have incomplete personal data completed.
  • If you notify us of a change in your personal data, we shall update it immediately.
     

Right to restriction of processing

  • You shall have the right to request restriction of processing of personal data concerning your person in the cases defined by law (e.g. if the personal data processed are inaccurate, or the processing is unlawful, or you have objected to the processing of your personal data where it is based on our legitimate interests).
     

Right not to be subject to a decision based solely on automated processing

  • You shall have the right not to be subject to a decision based solely on automated individual processing, including profiling, which produces legal effects concerning your person or similarly significantly affects you. KB shall always inform you about this situation and shall give you an opportunity to discuss the matter with a bank official and together find another, more acceptable option.
  • If you use a service that is based solely on automated decision making, you have the right to obtain human intervention, to express your point of view, or to contest the decision. In this case, a bank official shall discuss the matter with you.
     

Right to object

  • If KB processes your personal data based on the controller’s legitimate interests, you shall have the right to object.
  • If you object to processing of personal data concerning your person for direct marketing purposes, we shall always oblige you and shall no longer process your personal data for such purposes.
     

Right to lodge a complaint with a supervisory authority

  • You shall have the right to lodge a complaint with a supervisory authority (the Office for Personal Data Protection, www.uoou.cz) if you consider that the processing of personal data relating to your person has infringed the data protection rules.

When processing your personal data, we adhere to applicable law, in particular (without limitation):

Regulation (EU) 2016/679 on personal data protection (GDPR);
Act No. 110/2019 Coll., On the Processing of Personal Data;
Act No. 89/2012 Coll., Civil Code;
Act No. 21/1992 Coll., On Banks;
Act No. 370/2017 Coll., Payments Act;
Act No. 256/2004 Coll., On Trading in Capital Market;
Act No. 253/2008 Coll., On Selected Measures Against Legitimisation of Proceeds of Crime and Financing of Terrorism (also referred to above as the AML Act);
Act No. 480/2004 Coll., On Certain Information Society Services.

Contacts

Office of the Data Protection Officer

Komerční banka a.s.

Na Příkopě 969/33

114 07 Prague 1

Phone number: in CZE: 800 521 521, from abroad: +420 955 559 550

E-mail: osobni_udaje@kb.cz

 

Other Important Contacts

Office for Personal Data Protection

address: Pplk. Sochora 27, 170 00 Prague 7

tel.: 234 665 111

website: www.uoou.cz

Text of GDPR: http://eur-lex.europa.eu/legal-content/CS/ALL/?uri=CELEX:32016R0679

Guidelines of WP29 for GDPR:

http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360

For employees, job seekers and external partners

This web page aims to provide employees, job seekers and external partners of the Komerční banka corporate group in the Czech and Slovak Republics with information on personal data processing and the related rights. You will learn what personal data we collect, how we manage them, from what sources we obtain them, for what purposes we use them and to whom we may provide them.

The information on personal data processing will be regularly updated.

Information on processing personal data

In each individual case, the relevant member of KB Group as listed below to whom personal data are provided or who acquired such data in another manner acts as the personal data controller. The personal data controller collects personal data, manages them and bears responsibility for their correct and lawful processing.

KB Group

ALD Automotive s. r. o., with registered office at: Praha 10, U Stavoservisu 527/1, postal code: 108 00, Reg. No.: 61063916

ALD Automotive Slovakia s. r. o., with registered office at: Bratislava, Panónska cesta 47, postal code: 851 04, Reg. No.: 47 977 329

ESSOX s.r.o., with registered office at: České Budějovice, F. A. Gerstnera 52, postal code: 370 01, Reg. No.: 26764652

Essox Finance, s.r.o., with registered office at: Bratislava, Karadžičova 16, postal code: 821 08, Reg. No.: 35 846 968

Factoring KB, a.s., with registered office at: Praha 5 – Stodůlky, náměstí Junkových 2772/1, postal code: 155 00, Reg. No.: 25148290

Komerční banka, a.s., with registered office at: Praha 1, Na Příkopě 33 čp. 969, postal code: 114 07, Reg. No.: 4531 7054

Komerční banka, a.s., pobočka zahraničnej banky, with registered office at: Bratislava, Hodžovo námestie 1A, postal code: 811 06, Reg. No.: 47231564

KB Penzijní společnost, a.s., with registered office at: Praha 5 – Stodůlky, náměstí Junkových 2772/1, postal code: 155 00, Reg. No.: 61860018

Komerční pojišťovna, a.s., with registered office at: Praha 8, Karolinská 1, č. p. 650, postal code: 186 00, Reg. No.: 63998017

Modrá pyramida stavební spořitelna, a.s., with registered office at: Praha 2, Bělehradská 128, č. p. 222, postal code: 120 21, Reg. No.: 60192852

SG Equipment Finance Czech Republic s.r.o., with registered office at: Praha 5 – Stodůlky, náměstí Junkových 2772/1, postal code: 155 00, Reg. No.: 61061344

SG Equipment Finance Czech Republic – org. zložka, with registered office at: Bratislava 1, Hodžovo nám. 1A, postal code: 810 00, Reg. No.: 31785972

When processing personal data, we respect and abide by the highest standards of personal data protection and comply in particular with the following principles:

  • We process your personal data for specified purposes, by specified means and in specified manners, and only for the time required with respect to the purposes of the processing of the data.
  • We protect personal data in our possession and ensure that they are processed under conditions of maximum security in order to prevent any unauthorised or accidental access, modification, destruction, loss, unauthorised transfer or other unauthorised processing of personal data.
  • We implement adequate technical and organisational measures to ensure the highest level of security corresponding to any possible risk. All persons who come into contact with personal data in our possession are bound by strict confidentiality regarding any information obtained in connection with the processing of personal data.

Contact information for the Data Protection Officer (DPO):

Office of the Data Protection Officer
Václavské nám. 796/42
114 07 Praha 1
Tel.: +420 955 532 780
e-mail: osobni_udaje@kb.cz

Legislation governing personal data protection provides for the appointment by the personal data controller of a personal data processor. A personal data processor is any entity that processes personal data in accordance with special legislation or by appointment or authorisation by the personal data controller. In certain cases, this approach to personal data processing is applied by companies of the KB Group. Where this happens, the same principles of personal data processing that are applicable to the KB Group are guaranteed to apply by both contractual and regulatory provisions.

Purpose and legal basis of personal data processing

Personal data are processed in the following situations:

  • Conclusion of an employment contract – in order to select the most suitable candidate to fill a vacancy as efficiently as possible,
  • Consent by the data subject – in order to notify of other vacancies,
  • Legitimate interest – in order to protect rights and interests protected by law.

Sources of personal data

Information is obtained from a candidate’s CV, job portals where a response to a vacancy has been received, via employment agencies, references, mutual communication, social media and the internet.

Extent of personal data being processed

Identification and contact information

First name and surname, date and place of birth, personal ID number, address of residence, telephone number, marital status, citizenship, nationality, photograph, e-mail address, social media profile handles.

Information regarding education and previous employment

A list of schools attended/graduated from, diplomas, progress reports, courses, certificates, previous employers, motivation letter, driver’s licence, psychological test results, psycho-diagnostic test results, recruitment test results.

Information in the public domain

Other data obtained may include information that is publicly accessible on the internet on the companies register, trade register, insolvency register or other similar insolvency listings with a similar or comparable content, and/or the LinkedIn social network.

Information obtained through mutual communication

Notes taken during telephone calls, video recordings, notes taken during interviews, possibly written communication where appropriate.

Protection of premises

In order to ensure the protection of rights and legally protected interests, the movements of job candidates around our premises are recorded, with video recordings from selected areas within our premises being stored.

From what sources do we obtain information about you?

We obtain information from your CV, from portals focusing on job advertisements to which a response was made, from recruitment agencies, based on references and mutual communication, from social networks and the internet. 

Period of personal data retention

We process personal data only for the time required in accordance with the purposes for which they are acquired and processed. We regularly review the need for processing of specific personal data for specific purposes. As soon as it is established that certain data are no longer required for any purpose, they are destroyed. A typical period of personal data retention has been established for the following purposes of personal data processing:

  • Performance of contract – personal data is processed for the duration of the recruitment process but for no longer than six months,
  • Consent by the data subject – personal data are retained for the purposes of offers of vacancies for a period of 24 months or until the consent is withdrawn, whichever happens first,
  • Legitimate interest – personal data collected in connection with the protection of premises are retained for 90 days.

Recipients and processors of personal data

Job candidates’ personal data are available primarily to employees in connection with the latter’s duties that involve the handling of personal data to an extent limited to the essential minimum applicable in each specific case while adhering to all security measures.

In addition to the above, job candidates’ personal data are also submitted to third parties that participate in the processing of such data. Any such transfer of personal data to a third party is preceded by the conclusion of a written contract with the recipient third party that sets out the same personal data processing guarantees by which the personal data controller is legally bound.

Major processors of personal data include employment agencies and processors of psychological tests.

Personal data may also be provided to a third party for other reasons specified by law (e.g. requests made by courts of law, the police, etc.).

Purpose and legal basis of personal data processing

Personal data are processed in the following situations:

  • Performance of contract – personal data are processed to the minimum possible extent, primarily in connection with the employment contract, any benefit program contracts, a contract with the provider of occupational healthcare, or savings and insurance contracts,
  • Performance of legal obligations – in particular the notification duty towards public authorities, courts of law and the police, duties pertaining to the enforcement of rulings and archiving duties,
  • Legitimate interest in order to protect rights and legally protected interests, including in particular the protection of information technologies, premises and property, protection of reputation, management of security risks, prevention and investigation of fraud, or the controller’s legitimate interests in the areas of HR consulting, education and assessments.

In the case of a special category of personal data (sensitive information), such as information on health status, personal data is processed to the extent necessary to meet obligations in the areas of labour law, social security law and social protection.

Sources of personal data

Personal data are acquired from the introductory form, CV, initial interview and mutual communication. Further information is acquired from applications used by employees in their work and from on-premises security systems.

Employees who provide personal data of third party data subjects (e.g. contact information to be used in an emergency) bear responsibility for notifying such data subjects of the processing of their respective identification and contact information and for keeping such information up to date. Such information is subject to personal data processing on the grounds of legitimate interest.

Extent of processed personal data

Identification and contact information

First name and surname, academic titles, address of residence, telephone number, date and place of birth, personal ID number, marital status, photograph, citizenship, nationality, information on any membership of statutory or supervisory bodies in third party entities, information on any business undertaking, banking information, employee personal number.

Data related to processing of salaries, remuneration and benefits

Records of hours worked, information on tax discounts and deductions, information on saving and insurance discounts and deductions, information on occupational injuries, information on business travel including accommodation and bookings of flight tickets, public transport tickets and minor expenses, mandatory salary deductions, documents confirming completed studies, information on old-age or disability pension, meal vouchers, “Cafeterie” benefits program, employee shares program, information for annual tax accounting that includes a summary of all income and levies for a given period.

Personal consulting, education and assessments

In the sphere of personal consulting and employees’ career development, we access employees’ histories of positions, remunerations and performance assessments. Psychological assessments are also used in the case of selected positions. Retained sources of information also include records of any breaches of internal regulations and/or law, agreements on material responsibility, agreements of employee’s obligations, occupational medical check-ups, employee assessments, issued powers of attorney, and information on completed training and educational programs.

Protection of premises and information systems, recording of telephone calls, communication monitoring, GPS records

Video recordings are made solely for the purpose of adhering to legal obligations and protecting rights and legally protected interests. The protection of information systems involves the storing of information on employees logging in and out of computer systems, and of activity logs from selected applications. For selected positions, all telephone calls are recorded and archived along with all electronic communication (e-mail, chat). This recording of telephone calls and electronic communication extends to all employees contacting the positions subject to the recording regime. The contents of such communication remain confidential and serve solely the purpose of complying with legal obligations, concluding and performing contracts, and protecting rights and legally protected interests. Notification of such recording and processing of information is always given in advance. GPS tracking records of the company car fleet are retained for purposes of reporting private and business trips and purposes of property protection.

E-mail communication directed outside the KB Group is subject to monitoring along with data uploads to outside online storage services, outside e-mail addresses and social media in order to protect the Group’s internal documents and prevent the disclosure of personal data, information subject to bank secrecy or other sensitive/non-public business information.

Period of personal data retention

We process personal data only for the time required in accordance with the purposes for which they are acquired and processed. Personal data may also be retained for purposes of enforcing and defending legal claims. We regularly review the need for processing of specific personal data for specific purposes. As soon as it is established that certain data are no longer required for any purpose, they are destroyed. A typical period of personal data retention has been established for the following purposes of personal data processing:

  • Performance of contract – personal data is processed for the duration of employment; following the termination of employment, the use of personal data typically remains permissible for five and 10 years in the Czech Republic and Slovakia, respectively,
  • Performance of legal obligations – personal data are retained for such purposes for 30 years following the termination of employment in the Czech Republic, and until the respective data subjects reach the age of 70 in Slovakia,
  • Legitimate interest – personal data collected in connection with the protection of premises are retained for 90 days, voice recordings and records of electronic communication are retained for a period specified in the relevant legislation, while information systems logs are retained for 10 years.

Recipients and processors of personal data

Employees’ personal data are available primarily to employees in connection with the latter’s duties that involve the handling of personal data to an extent limited to the essential minimum applicable in each specific case while adhering to all security measures.

In addition to the above, employees’ personal data are also submitted to third parties that participate in the processing of such data. Any such transfer of personal data to a third party is preceded by the conclusion of a written contract with the recipient third party that sets out the same personal data processing guarantees by which the personal data controller is legally bound.

Major processors of personal data include the operators of Cafeterie and providers of catering services, companies securing the operation, administration and safeguarding of premises and information systems, BCD Travel, companies belonging to the KB Group, and Société Générale.

Personal data may also be provided to a third party for other reasons specified by law (e.g. requests made by courts of law, the police, etc.).

Purpose and legal basis of personal data processing

External partners’ personal data may be processed without their explicit consent to an extent limited to the essential minimum required by the following purposes:

  • Performance of contract – setting out the terms and conditions of provision of services by such external partners to the KB Group,
  • Legitimate interest – namely the protection of premises and information technologies.

Sources of personal data

Personal data are acquired from the introductory form and mutual communication. Further information is acquired from applications used by external partners in their work and from on-premises security systems.

Extent of personal data being processed

Identification and contact information

First name and surname, date of birth, citizenship, contact address, e-mail address.

Protection of premises and information systems, recording of telephone calls, communication monitoring, GPS records

Video recordings are made solely for the purpose of adhering to legal obligations and protecting rights and legally protected interests. The protection of information systems involves the storing of information on employees logging in and out of computer systems, and of activity logs from selected applications.

For selected positions, all telephone calls are recorded and archived along with all electronic communication (e-mail, chat). This recording of telephone calls and electronic communication extends to all persons contacting the positions subject to the recording regime. The contents of such communication remain confidential and serve solely the purpose of complying with legal obligations, concluding and performing contracts, and protecting rights and legally protected interests. Notification of such recording and processing of information is always given in advance. GPS tracking records of the company car fleet are retained for purposes of reporting private and business trips and purposes of property protection.

Period of personal data retention

We process personal data only for the time required in accordance with the purposes for which they are acquired and processed. We regularly review the need for processing of specific personal data for specific purposes. As soon as it is established that certain data are no longer required for any purpose, they are destroyed. A typical period of personal data retention has been established for the following purposes of personal data processing:

  • Performance of contract – personal data is processed for the duration of the contractual relationship between KB Group and an external partner or for the period during which the external partner performs activities stipulated by the contractual relationship between them and the KB Group; following the termination of the contractual relationship, the use of personal data typically remains permissible for five and 10 years in the Czech Republic and Slovakia, respectively,
  • Protection of legitimate interests – personal data collected in connection with the protection of premises are retained for 90 days, voice recordings and records of electronic communication are retained for a period specified in the relevant legislation, while information systems logs are retained for 10 years.

Recipients and processors of personal data

External partners’ personal data are available primarily to employees in connection with the latter’s duties that involve the handling of external partner’s personal data to an extent limited to the essential minimum applicable in each specific case while adhering to all security measures.

In addition to the above, employees’ personal data are also submitted to third parties that participate in the processing of such data. Any such transfer of personal data to a third party is preceded by the conclusion of a written contract with the recipient third party that sets out the same personal data processing guarantees by which the personal data controller is legally bound.

Major processors of personal data include companies securing the operation, administration and safeguarding of premises and information systems, and companies belonging to the KB Group.

Personal data may also be provided to a third party for other reasons specified by law (e.g. requests made by courts of law, the police, etc.).

Personal data in the care of the KB Group are processed within the territories of the Czech Republic and Slovakia and the territories of other countries in which entities of the Société Générale Group and/or personal data processors reside. Where personal data is processed abroad, corresponding guarantees of personal data protection are always provided, e.g. in the form of standard contractual appendices or binding internal rules.

The processing of personal data by the personal data controller does not involve automated decision-making.

We process all personal data in a transparent and correct manner, fully in compliance with the relevant legislation. You, as a data subject, are entitled to request information on personal data processed by us, the purposes and nature of the personal data processing, and recipients of such personal data. Should you feel that the processing of your personal data takes place in contradiction of the protection of your personal life and/or the relevant legislation, you are entitled to request an explanation or request a member of the KB Group to rectify the non-compliant situation. You are also entitled to contact the Office for personal data protection (ÚOOÚ) and request that steps be taken to rectify any perceived breach of our obligations.

Legal rights of data subject

Right to access personal data

Data subjects have the right to request the specification of personal data in the possession of the personal data controller.

Right to personal data portability

Data subjects have the right to obtain personal data in the possession of the controller in a structured, commonly used and machine-readable format.

Right of erasure

Data subjects have the right to request the erasure, without undue delay, of their personal data if any of the grounds for such erasure specified by the relevant legislation applies.

Right to rectification

Data subjects have the right to request an immediate rectification or supplementation by the controller of inaccurate personal data.

Right to restriction of processing

Data subjects have the right to request the restriction of processing of their personal data on grounds specified by the relevant legislation (e.g. inaccuracy of personal data, unlawful processing or an objection to the claim of a legitimate interest as a reason for personal data processing).

Right to object and automated individual decision-making

Data subjects have the right to object to the processing of their personal data solely by automated individual decision-making including profiling with legal or similar effects.

Right to object

Data subjects have the right to object to the processing of their personal data if the personal data are not processed on the grounds of the data controller’s legitimate interest.

Right to withdraw consent

This information memorandum explains why we need to process personal data and how some purposes of personal data processing are permissible only with the explicit consent of the data subject. You, as data subjects, are not obliged to give such consent and you are also entitled to withdraw previously given consent. When a consent is withdrawn, we cease processing corresponding personal data for purposes conditioned by such consent.

It is possible to withdraw consent or to lodge an objection to personal data processing on the grounds of a legitimate interest via electronic mail sent to osobni_udaje@kb.cz.

Right to lodge complaint with supervisory authority

Data subjects have the right to lodge a complaint with the relevant supervisory authority (Office for personal data protection (ÚOOÚ), www.uoou.cz) if they feel there has been a breach of personal data protection rules in the processing of their personal data.

Right to revoke consent and right to object to processing

This Information Memorandum describes why we need your personal data and that we may process such data for certain purposes only with your consent. You are not obliged to grant consent to the processing of your personal data and, at the same time, you may revoke such consent, if granted. If you revoke your consent, we will terminate the processing of the relevant personal data for purposes requiring the relevant consent.

In case of processing on the grounds of a legitimate interest, you have the right to object to such processing.

You may revoke your consent or raise an objection to personal data processing on the grounds of a legitimate interest by e-mail sent to osobni_udaje@kb.cz.

Should you have any questions, please call 800 521 521 (+420 955 559 550 if calling from abroad), visit www.kb.cz or send an e-mail to osobni_udaje@kb.cz.

This information memorandum becomes valid and comes into force on 1 July 2020. An up-to-date version of this information memorandum is available at www.kb.cz.