The purpose of this website is to inform you about the processing of your personal data in Komerční banka, and about your rights relating to your personal data. We want you to know what kind of personal data we collect, what we do with it, and what we use it for. You can also find information on the sources we obtain this data from, as well as learning who we can provide this data to.
We always process your personal data transparently, fairly and lawfully, and to the extent required for a given purpose. We securely retain your personal data for the period that is strictly necessary, in compliance with the time limits defined by legislation and other regulations. If the bank has a legitimate interest, we can decide for ourselves how long we will retain your data. We only process the personal data of persons aged under 18 if a child’s legal representative is acting on the child’s behalf.
We recommend that you familiarise yourself with the information contained in document Information about processing of personal data you will find below.
Information about cookies
Document in pdf – Information About Processing of Personal Data for Clients (PDF, 294 kB)
This document will be regularly updated. The archive of previous versions of the document.
The controller of your personal data is Komerční banka, a. s. (hereinafter KB).
Contact details of the controller:
Komerční banka, a. s., IČO: 45317054
Na Příkopě 969/33
114 07 Praha 1
P. O. BOX 839
Česká republika / Czech Republic
Contact details of the Data Protection Officer (DPO):
Kancelář pověřence pro ochranu osobních údajů KB, a.s.
Václavské nám. 796/42
114 07 Praha 1
Česká republika / Czech Republic
We may only process your personal data if there is an adequate legal reason to do so, i.e., if at least one of the following conditions is met:
a) The processing is necessary for KB to meet its legal obligations, in particular for the following purposes:
b) The processing is necessary for the fulfilment of a contract, in particular for the following purposes:
c) The processing is necessary for the purpose of our justified interests, in particular for the following purposes:
d) The processing based on your consent, in particular for the following purposes:
The consent is voluntary; you can give it, refuse it or withdraw it at any time. The withdrawal of your consent shall be without prejudice to the lawfulness of the processing that is based on the consent given before its withdrawal.
A lack or withdrawal of the consent entails no implications for your contractual relationship with KB.
e) The processing is necessary for the protection of your vital interests or for the performance of a task carried out in the public interest or subject to the exercise of official authority potentially vested in us as the controller. Such reasons can be applied to KB only in exceptional circumstances.
Identification data of an individual
In particular, the first name, surname, birth number, date of birth, place of birth, nationality, identity cards numbers. For businesspersons, also their IČO (ID number), VAT number, etc. It also applies to individuals with a connection to specific products, e.g. a joint holder, statutory representative of a legal person, co-debtor, applicant, or family member. This data is important to make sure we really contact the right person.
Special categories of personal data (sensitive data)
In particular, the health data you provide to us with a view to strengthening your interests or that is needed to arrange for a product to be provided.
In particular, all addresses of the subject, e.g. the permanent residence address, correspondence addresses (for businesspersons also the address of the company) and other contact details of the entities, e.g. their telephone numbers, electronic addresses, social networking addresses, data mailbox IDs, etc. This data is necessary so that we can deliver our communications to you.
In particular, statistical data, such as age, gender, marital status (single, divorced, etc.), education, profession, employer’s data, number of children, etc. Such data that you usually share with us when you products are opened allow us to better tailor our offer and services to your needs.
In particular, data related to financial circumstances, such as ownership of real estate, securities or shares. In some cases, we also process information about your income and liabilities, as well as other loans/credits balances, lease contract balances, building savings instalments, pension insurance instalments, insurance premiums, other individual expenses (e.g. alimonies), other liabilities (surety, guarantee, ...) etc. We collect this data from you in particular as part of a product/service request, or from external sources (e.g. credit registers), or from information about the use of our products, and are primarily used for the evaluation of your loan/credit applications.
In particular, data associated with identifying your tax residence, i.e. where you are liable to pay taxes in order to comply with the statutory tax liability.
Data on used products and services
Information about which services provided by KB or its subsidiaries and/or partner companies you have arranged and how you use them (e.g. account balances, transaction data on card payments, withdrawals from ATMs, outgoing and incoming payments, etc.). If you choose to use direct banking channels to operate your products/services, we keep information about your location, IP address, activity on our website, etc. We derive, for example, your transactional behaviour from this data and accordingly adjust our offer of products and services.
Means of electronic communication used for authentication and authorisation
In particular, data on means of electronic communication that are primarily used for authentication, i.e. verifying your identity. The data that fall into this category include, without limitation, a digital signature, certificate, or commonly used application login user name, identification or authentication through a mobile device, or serial numbers of the devices (MAC address), etc. The main reason for processing these data is to ensure a high level of security of while these means of communication are used.
Activity records of banking equipment and/or applications
In particular, identification data e.g. from payment terminals, communication channels or banking applications logs, as well as other data, such as geolocation data from payment terminals. The data is used, above all, to monitor and optimize the availability of our facilities and services, e.g. when dealing with your complaints.
In particular, telephone call recordings, written records of meetings with relationship managers or other specialized staff, recordings of your complaints and claims. This data is intended to prevent you from being contacted too often and helps us to adjust our offer to your current needs. You are always informed in advance that a given telephone call is going to be monitored/recorded.
In particular, data/recordings from the monitoring devices of KB’s branches/points of sale, as well as KB’s other premises, such as ATMs and safes. They are used, first and foremost, to ensure the safety of clients and employees of the bank and to protect property.
Data obtained from you or your representatives (e.g. legal guardian or statutory representative)
Data you provide us, e.g. in an application for the provision of a product/service.
Data resulting from the use of banking products and services
Data automatically recorded by banking systems and devices while your transactions are executed, such as ATM withdrawals, card payments, payments credited and debited to your current account.
Data from publicly accessible sources
These include, in particular, sanction lists of entities associated with terrorism and other internationally monitored persons subject to international sanction programmes, the insolvency register (ISIR), bankruptcy register, central register of enforcements/distraints, registers of invalid and stolen documents, register of groups of connected clients, information from the land/property register, trade register, business register, etc.
Data obtained from third parties
These include, in particular, the data on the use of products and services provided by the KB Group members, data obtained from mobile operators (using the TelcoScore service – see Section 3), or public authorities, and also data collected from specialized companies that collect information from public sources, such as ministries, the trade register, business register, land/property register, etc.
Data from the Internet, social media and social networks
These include, in particular, the so-called geolocation data that precisely identify the GPS coordinates (or an address point), an IP address, cookies, identification of a device from which you connect, information on browsers, identification of a social network profile, etc. Making use of marketing services offered by some social networking providers (e.g. Facebook), we use your profile information so that we can target our advertising campaigns to users with similar characteristics more efficiently.
Data from our web forms
These include, in particular, contact details you provide to us when you show interest in any of our products so that we can contact you.
Data related to products of other financial institutions connected to internet banking
If you connect a product you use, which is provided by another financial institution, to KB’s internet banking, we shall process the data provided by you or obtained by us, which are necessary for the proper functioning of this service, and the data on such products and their transactions to the extent the other financial institution shall have provided to us.
The regulations on personal data protection allow the controller to entrust the processing of personal data to a processor. A personal data processor is any entity that processes personal data on the basis of specific legislation, or is entrusted or authorised to do so by the controller. In such cases, the contractual and regulatory arrangements guarantee your data the same protection that Komerční banka provides. The most important processors used by KB to process personal data include:
In addition to the processors listed above, whom we authorise more or less directly to process personal data, we also pass on your personal information to other institutions or entities, in particular:
To protect our rights by assessing your ability and willingness to repay your loan commitments, KB investigates your creditworthiness, payment discipline and integrity. We do this on the grounds of our legal obligations and/or legitimate interests, with the help of credit registers. At the same time, when negotiating a credit or loan, and possibly also during the term of a credit agreement, we pass on your data to these credit registers, without your consent being necessary. In addition to the database maintained by the Czech National Bank, we use three other credit registers:
Subject to conditions as defined by law, we may also provide your personal data to our parent company, Société Générale, s.a., registered in France under Company Number R.C.S. Paris B 552 120 222, as well as other Group members incorporated in the Czech and Slovak Republics, such as:
We only retain our clients’ personal data for a period of time that is appropriate to the purpose of their processing.
The relevant legislation establishes a time limit for the retention of clients’ personal data – as a rule 10 years from the termination of the contractual relationship. However, in order to protect our legitimate interests, in particular in the event of possible complaints, claims or lawsuit, we may retain your personal data longer.
As part of the service connecting other financial institutions’ products to KB internet banking, we shall retain data on these products and transactions for 5 years after such products have been disconnected from KB internet banking.
We usually store the data obtained from our web forms for up to 2 months, after which period, they shall be automatically deleted. If a contract is concluded in the meantime, we shall retain your data in accordance with applicable law.
Right of access to personal data
Right to personal data portability
Right to erasure of personal data (right to be forgotten)
Right to have personal data rectified
Right to restriction of processing
Right not to be subject to a decision based solely on automated processing
Right to object
Right to lodge a complaint with a supervisory authority
When processing your personal data, we adhere to applicable law, in particular (without limitation) by:
Regulation (EU) 2016/679 on personal data protection (GDPR);
Act No. 110/2019 Coll., On the Processing of Personal Data;
Act No. 89/2012 Coll., Civil Code;
Act No. 21/1992 Coll., On Banks;
Act No. 370/2017 Coll., Payments Act;
Act No. 256/2004 Coll., On Trading in Capital Market;
Act No. 253/2008 Coll., On Selected Measures Against Legitimisation of Proceeds of Crime and Financing of Terrorism;
Act No. 480/2004 Coll., On Certain Information Society Services.
Office of the Data Protection Officer
Komerční banka a.s.
Na Příkopě 969/33
114 07 Prague 1
Phone number: in CZE: 800 521 521, from abroad: +420 955 559 550
Office for Personal Data Protection
address: Pplk. Sochora 27, 170 00 Prague 7
tel.: 234 665 111
Text of GDPR: http://eur-lex.europa.eu/legal-content/CS/ALL/?uri=CELEX:32016R0679
Guidlines of WP29 for GDPR:
This web page aims to provide employees, job seekers and external partners of the Komerční banka corporate group in the Czech and Slovak Republics with information on personal data processing and the related rights. You will learn what personal data we collect, how we manage them, from what sources we obtain them, for what purposes we use them and to whom we may provide them.
Information on processing personal data (PDF, 642 kB)
The information on personal data processing will be regularly updated
The controller of your personal data is, in each individual case, the specific company of the KB Group, as defined below (hereinafter “KB Group”), to which you provided the personal data or which obtained the personal data from you. The controller collects your personal data, manages them is responsible for their proper and lawful processing.
ALD Automotive s. r. o., with its registered office: Praha 10, U Stavoservisu 527/1, Postal Code 108 00, Id. No.: 61063916
ALD Automotive Slovakia s. r. o., with its registered office: Bratislava, Panónska cesta 47, Postal Code 851 04, Id. No.: 47 977 329
ESSOX s.r.o., with its registered office: České Budějovice, F. A. Gerstnera 52, Postal Code 370 01, Id. No.: 26764652
Essox Finance, s.r.o., with its registered office: Bratislava, Karadžičova 16, Postal Code 821 08, Id. No.: 35 846 968
Factoring KB, a.s., with its registered office: Prague 5 – Stodůlky, náměstí Junkových 2772/1, Postal Code 155 00, Id. No.: 25148290
Komerční banka, a.s., with its registered office: Prague 1, Na Příkopě 33/969, Postal Code 114 07, Id. No.: 4531 7054
Komerční banka, a.s., foreign bank’s branch, with its registered office: Bratislava, Hodžovo námestie 1A, Postal Code 811 06, Id: 47231564
KB Penzijní společnost, a.s., with its registered office: Prague 5 – Stodůlky, náměstí Junkových 2772/1, Postal Code 155 00, Id. No.: 61860018
Komerční pojišťovna, a.s., with its registered office: Prague 8, Karolinská 1/650, Postal Code 186 00, Id. No.: 63998017
Modrá pyramida stavební spořitelna, a.s., with its registered office: Prague 2, Bělehradská 128/222, Postal Code 120 21, Id. No.: 60192852
SG Equipment Finance Czech Republic s.r.o., with its registered office: Prague 5 – Stodůlky, náměstí Junkových 2772/1, Postal Code 155 00, Id. No.: 61061344
SG Equipment Finance Czech Republic – org. zložka, with its registered office: Bratislava 1, Hodžovo nám. 1A, Postal Code 810 00, Id. No.: 31785972
We honour and respect the highest standards of personal data protection in processing of your personal data and comply, in particular, with the following principles:
We comply with appropriate technical and organisational measures to ensure a level of security corresponding to all possible risks; all persons who come into contact with employees’ personal data are obliged to maintain confidentiality of information obtained in connection with the processing of such data.
The data protection officer for all companies within the KB Group is:
Ing. Radek Basár, MBA
Na Příkopě 969/33
114 07 Prague 1
Tel.: +420 955 532 780
The legislation on personal data protection allows the controller to authorise another person – a processor – to process personal data. A personal data processor is every entity that processes personal data on the basis of a special law or authorisation of the controller. In some cases, this procedure is also used by companies of the KB Group in personal data processing. Compliance with the same principles of personal data processing as those followed by the KB Group is guaranteed in these cases by a contract and by law.
Your personal data are being processed in the territory of the Czech and Slovak Republics and in other countries of the European Union where entities belonging to the KB Group are seated and that share the same standards of personal data protection as the Czech and Slovak Republics. Neither the controller nor the processors involved in the processing of employees’ personal data transfer employees’ personal data to countries outside the European Union.
The manner in which the controller processes your personal data includes only manual processing in information systems.
Purpose and legal basis of personal data processing
We process personal data without your consent: (a) on the grounds of a legitimate interest with a view to selecting the most suitable candidate and filling a job vacancy as efficiently as possible, and (b) to execute the employment contract.
We process personal data with your consent with a view to offering further job vacancies to you.
Extent of personal data being processed:
Identification and contact details
Name and surname, date and place of birth, birth identification number, place of residence, telephone number, marital status, nationality, photograph, e-mail address, profile address in social networks.
Details on education and previous employment
List of completed schools, diplomas, school reports, courses, certificates, previous employers, motivation letter, driving licence, psychological tests, psychodiagnostic tests, recruitment tests.
Publicly available data
Furthermore, information may be obtained that is freely available on the internet in the Commercial Register, Trade Register, Insolvency Register or other insolvency records with a similar or identical content, or the LinkedIn social network.
Details from mutual communication
Notes made during telephone calls, video recordings, notes made during personal interviews and, if appropriate, written communication.
Protection of buildings
With a view to protecting rights and legally protected interests, your movement in buildings are recorded and camera recordings from selected areas of buildings are stored.
From what sources do we obtain information about you?
We obtain information from your CV, from portals focusing on job advertisements to which a response was made, from recruitment agencies, based on references and mutual communication, from social networks and the internet.
For how long do we keep personal data?
We process your personal data only for the period necessary for the purposes of their processing. We regularly evaluate whether it is still necessary to process certain personal data for the given purpose. If we determine that they are no longer required for any of the purposes for which they were processed, we will destroy the data. In relation to certain purposes of personal data processing, we have evaluated the usual duration of processing of personal data as follows for the relevant purposes:
Recipients and processors of personal data
Your personal data are disclosed especially to employees in relation to the performance of their working tasks that require handling of personal data, but in each case only to the necessary extent and in compliance with all security measures.
In addition, your personal data are transferred to third parties involved in the processing of personal data, and such personal data may also be disclosed to such third parties on other grounds in accordance with the law. Prior to any transfer of your personal data to a third party, a written contract is always executed which regulates the personal data processing so as to include safeguards for personal data processing identical to those that the controller of your personal data complies with in accordance with its statutory obligations. Important processors include recruitment agencies and companies performing psychological tests.
We perform personal data processing without your consent to the necessary extent (a) on the grounds of performance of the contract – especially employment contract, agreement related to benefit programmes, contract with a medical facility providing occupational health services, contract for savings and insurance plans; (b) to perform a legal obligation – especially duties to notify public authorities, courts and the police, duties pertaining to the enforcement of decisions and performance of the archiving duty; (c) for the purpose of protecting the rights and legally protected interests, including, but not limited to, protection of information technology, buildings and property, and goodwill, and in relation to the management of security risks, prevention and investigation of frauds; and (d) on the grounds of legitimate interests of the controller in the area of HR consultancy, education and evaluation.
Name and surname, academic degrees, address of residence, telephone number, date and place of birth, birth identification number, marital status, photographs, nationality, information whether you are the governing body or a member of the supervisory body of another legal person, whether you operate a business, bank details, personal number.
Data for payroll agenda, remuneration and benefits
Records of hours of work, data necessary for reflecting discounts and deductions for taxes, data necessary for reflecting discounts and deductions for savings and insurance schemes, information on accidents at work, data on business trips including accommodation and booking of transport tickets and minor expenses, mandatory deductions from salary, confirmation of study, disability or old-age pension, meal vouchers, Cafeteria benefits scheme, employee equity plan, information for annual settlement of tax including the aggregate of all income and levies for the given period.
HR consultancy, education and evaluation
In the area of HR consultancy and your career development, we work with your history of jobs, remuneration and work evaluation. Psychological reports are used for selected jobs. Information is also stored on any violations of internal regulations and the law, agreements on material responsibility, agreements on employees’ obligations, occupational medical check-ups, employee evaluation and powers of attorney. Information on training and educational programmes completed.
Protection of buildings and information systems, recording of calls, GPS records.
Camera recordings are made exclusively for the purposes of compliance with legal duties, and protection of rights and legally protected interests. For reasons of protection of information systems, information is stored on the history of your logins and logouts, and your activity in selected applications may also be logged. For selected jobs, interviews with clients are recorded as a proof of submitting a requirement for services. You will always be advised in advance if such recordings are made. The contents of this communication are confidential and we use them exclusively for the purposes of compliance with the legal duties, execution and performance of the relevant contract, protection of rights and legally protected interests. Records from GPS devices in company cars are stored for the purposes of recording private and service trips and protection of property.
Email communication sent outside KB and the SG Group, as well as uploading data to web repositories, web emails and social networks, is monitored. The aim of the monitoring is to protect client data and ensure that sensitive information does not leave the bank. This obligation is imposed on the bank by legislation. The monitoring automatically searches for chains that would indicate that the client's sensitive data such as client identification data, credit card numbers, internal data on the client's financial situation evaluation, etc. are leaving the bank. If the search algorithm evaluates a possible violation of the information handling rules (see INS24-003), it is forwarded to the SOC for further investigation.
We obtain information from the initial form, CV, initial interview and mutual communication. Furthermore, information is obtained from applications you use in your work and the systems of protection of buildings.
Your personal data are disclosed especially to employees in relation to the performance of their working tasks that require handling of employees’ personal data, but in each case only to the necessary extent and in compliance with all security measures.
In addition, your personal data are transferred to third parties involved in the processing of personal data, and such personal data may also be disclosed to such third parties on other grounds in accordance with the law. Prior to any transfer of your personal data to a third party, a written contract is always executed which regulates the personal data processing so as to include safeguards for personal data processing identical to those that the controller of your personal data complies with in accordance with its statutory obligations. Important processors include Edenred, Benefity Management, companies providing for operation, management and security of buildings and information systems, BCD Travel, companies of the KB Group, Societe Generale.
We perform personal data processing without your consent to the necessary extent (a) for the performance of a contract related to the provision of services to the KB Group; and (b) for the purpose of protecting the rights and legally protected interests – in particular, protection of buildings and information technologies.
Name and surname, date of birth, nationality, contact address, e-mail address.
Protection of buildings and information systems
Camera recordings are made exclusively for the purposes of compliance with legal duties, and protection of rights and legally protected interests. For reasons of protection of information systems, information is stored on the history of your logins and logouts, and your activity in selected applications may also be logged.
From what sources do we obtain information about you?
The information is obtained from the initial form and mutual communication. Furthermore, information is obtained from applications you use in your work and the systems of protection of buildings.
For how long do we keep personal data?
In addition, your personal data are transferred to third parties involved in the processing of personal data, and such personal data may also be disclosed to such third parties on other grounds in accordance with the law. Prior to any transfer of your personal data to a third party, a written contract is always executed which regulates the personal data processing so as to include safeguards for personal data processing identical to those that the controller of your personal data complies with in accordance with its statutory obligations. Important processors include companies providing for operation, management and security of buildings and information systems, companies of the KB Group.
Right to revoke consent and right to object to processing
This Information Memorandum describes why we need your personal data and that we may process such data for certain purposes only with your consent. You are not obliged to grant consent to the processing of your personal data and, at the same time, you may revoke such consent, if granted. If you revoke your consent, we will terminate the processing of the relevant personal data for purposes requiring the relevant consent.
In case of processing on the grounds of a legitimate interest, you have the right to object to such processing.
You may revoke your consent or raise an objection to personal data processing on the grounds of a legitimate interest by e-mail sent to email@example.com.
We process your personal data in a transparent and proper manner and in conformity with the legal regulations. You have the right to request that we provide you with information on personal data we process in respect of you, the purpose and nature of personal data processing and the recipients of personal data. Should you determine or believe that we process your personal data contrary to protection of your private and personal life or at variance with the legal regulations, you may request explanation from us and, if appropriate, claim that a member of the KB Group eliminate or remedy such a defective state of affairs. You may also contact the Office for Personal Data Protection with a request for remedy in case of breach of our duties.