Protection of personal data

The purpose of this website is to inform you about the processing of your personal data in Komerční banka, and about your rights relating to your personal data. We want you to know what kind of personal data we collect, what we do with it, and what we use it for. You can also find information on the sources we obtain this data from, as well as learning who we can provide this data to.

We always process your personal data transparently, fairly and lawfully, and to the extent required for a given purpose. We securely retain your personal data for the period that is strictly necessary, in compliance with the time limits defined by legislation and other regulations. If the bank has a legitimate interest, we can decide for ourselves how long we will retain your data. We only process the personal data of persons aged under 18 if a child’s legal representative is acting on the child’s behalf.

We recommend that you familiarise yourself with the information contained in the document Information about processing of personal data, which you will find below.

Information About Processing of Personal Data for Clients

The controller of your personal data is Komerční banka, a.s. (“KB” or “Komerční banka”).

Contact information for the controller:

Komerční banka a.s., Company No: 45317054
Na Příkopě 33
114 07 Prague 1
P.O. BOX 839
Czech Republic

Contact information for the Data Protection Officer (DPO):

You can contact the DPO by e-mail (osobni_udaje@kb.cz) or by writing to the following address:

Office of the Data Protection Officer
Na Příkopě 969/33
114 07 Prague 1

KB collects and uses your personal data, and is responsible for ensuring that your data is processed correctly and lawfully. You can also assert your rights regarding Komerční banka as the controller of your data, as explained below. This does not concern Komerční banka only: if you grant us Group Marketing Consent, your data can be shared throughout the KB Group (see What kinds of consent do we have in Komerční banka?). Examples of situations when we most often obtain your data are:

Arranging to use KB services

The most frequent situation in which we obtain your data is that you arrange to use one of our products or services, or express an interest in them, when you usually give us your basic data and any data needed for you to enter into a contract with us on the product or service.

Using KB products and services

We also obtain your data when you use KB products and services. “Use” covers many different situations: withdrawing or depositing cash at an ATM, taking out loans and mortgages, making insurance claims, connecting to other banks’ products via KB internet banking, and many other operations.

Communications with KB

We also obtain data from communications over the telephone, internet, and in writing, and when you visit a branch. We also use recordings from security cameras and data related to online communications.

There are many reasons why we process your personal data, but we always do so only to the extent required for a given purpose. Most often we process your personal data so that we can provide you with the products and services you use or want to use. We also process your data so that we can satisfy our contractual obligations and the legal and regulatory requirements, and to pursue our legitimate interests.

In other cases we are only authorised to process your data with your explicit consent, unless there is an exemption in the legislation.

We set out the main categories of our purposes below.

Providing products and services

  • Discussing a product or service

As part of discussing a product or service, you may model a suitable product on our website or at a branch. You may obtain information on the product or service from the internet, our branch network or our client centre. We will process the data you provide through these channels to facilitate your interest in the product or service, and we will contact you as part of discussing the product or service. We will retain the data you provide through these channels for a period of three months at most, and the legal basis here is the concluding of a contract.

  • Concluding a contract on a product or service

If you decide that the product or service you discussed with us is suitable for you, we are obliged to identify you in detail and collect and retain any other data needed to draw up the relevant contract for the product or service. For credit and investment products, we will require a larger set of data from you, and we will carry out additional processing of your data, which you can read about in more detail in Assessing credit risk.

  • Servicing a product or service

So that we can ensure the quality of the products and services you use, we are obliged to retain, update and process the relevant data. As part of the performance of the contract, we are also obliged to provide you with this information through the channels you have selected for these products and services, i.e. at our branches, through our direct banking channels, or at our client centre. If you also decide to use direct banking channels for servicing these products and services, we collect information on your location, IP address, etc. We record and evaluate this data so that we can minimise any risks related to the misuse of these direct channels.

If necessary, we will inform you – via SMS, e-mail, messages sent via our direct channels or in another standard way – of any events concerning your products and services, and, e.g., of any changes to our opening hours, any change of your branch or banking advisor, etc.

In this case, the legal basis for processing your data is the concluding and performance of a contract. To defend our legal claims, we will continue to retain this data after the product or service has ended – for more details see How long do we retain your data?

Defending our legal claims

We also process your personal data, including your communications history and information about products and services, to the extent required for any legal claims or potential legal claims against you, especially on the basis of your contractual relationship with us. We also use third parties for debt recovery. For this purpose we will retain your data for a period of 18 years following the termination of the contractual relationship.

The legal basis here is the protection of our legitimate interests.

Preventing, checking, detecting and investigating fraud, and preventing money laundering

We also use your personal data to check for and prevent any potentially unethical or fraudulent conduct. The legislation obliges us to exercise professional care in matters concerning the prevention, detection and investigation of such conduct. To this end we also collect your personal data and data on the products and services you use. We can then create indicators based on this data that help prevent potential fraud and provide better protection for your money. This may involve for instance information on the theft of your ID card or credit card, or data on the country where you normally use your direct banking channels.

The legal basis for such processing is compliance with our legal obligation as the controller.

Tax and accounting requirements

We also collect and process your personal data to comply with our legal obligations as the controller with regard to the state and the regulatory authorities. We are obliged to do so by the Accounting Act, the VAT Act and many other regulations, including the US Foreign Account Tax Compliance Act (FATCA), as part of compulsory reporting to the state and the regulatory authorities. We also transfer all of this mandatory information within the KB Group.

We process and transfer this data to comply with our legal obligation as the controller, and in our legitimate interest.

Protecting against market abuse

The legislation also obliges us to check compliance with the Capital Market Trading Act and prevent its abuse, which could harm our other clients or our group. We process your personal data for this reason too.

We process and transfer this data to comply with our legal obligation as the controller, and in our legitimate interest.

Security

We use camera systems installed on our premises, in front of their entrances and at our ATMs to protect our property, i.e. our buildings and equipment, to protect individuals against unlawful conduct, and to prevent and investigate such conduct. We retain the recordings from these camera systems for the period strictly necessary, and when warranted, especially when there are security breaches, we subsequently process these recordings and transfer them to the appropriate public authorities, such as the law enforcement authorities.

The retention, processing and transfer of this data is essential for us to pursue our legitimate interests.

Prevention and control for investment and insurance products

Before you make an investment, the legislation and the regulatory requirements oblige us to assess your knowledge and experience of investing in investment instruments, as well as your attitude to risk and your financial resources. We obtain information for these assessments from an Investment Questionnaire, which we retain (see How long do we retain your data?). In compliance with the regulatory requirements, we also collect and retain records of all communications with you concerning investment or insurance products (e.g. recordings of telephone calls, minutes from meetings, e-mails, Skype calls and messages, etc.). In line with the regulatory requirements for reporting your transactions, we collect data on your instructions and your transactions with investment instruments.

The legal basis for such processing is compliance with our legal obligation as the controller.

The company’s internal needs and reporting

Our employees process your personal data for the company’s internal needs, e.g. for reporting on the efficiency of our servicing and selling.

The legal basis for such processing is our legitimate interest.

Assessing credit risk

We use profiling to correctly assess risks when providing credit products. We use your personal data to create a unique profile so that we can determine whether you will be able to repay a loan. When you ask for a loan, we will for instance evaluate the credit risk using credit registers and our internal resources. We can also use automated processing to perform this evaluation.

To minimise risk, the bank keeps records of persons who have provided false information, experienced difficulties paying their debts, etc.

The legal basis for such processing is compliance with our legal obligation as the controller, and also our legitimate interest.

Regulatory reporting

We also use your personal data and information on selected products and services for regulatory reporting. We use this data to produce reports for our internal use, and we are obliged to transfer information on certain products and services to the regulator.

The basis for such processing is compliance with our legal obligation as the controller.

Debt recovery and factoring

Occasionally you may have problems repaying any loans we have provided. Our primary objective here is to resolve these problems with you efficiently and to our mutual satisfaction, but sometimes we may be unable to find common ground. In these situations we have to use the personal data we have recorded on you, and in some cases we may also use data, especially contact data, from publicly accessible sources such as social networks, etc., so that we can, for instance, contact you. Under certain circumstances (you fail to respond, you are unreachable, you have no interest in resolving the situation, etc.) we may have to transfer your debts to a company that specialises in debt recovery. In such cases we will transfer the relevant personal data to the company, together with any other relevant data on the debt in question. We also transfer this data if we decide to assign the debt.

The basis for processing and transferring the relevant data is our legitimate interest.

Marketing

We distinguish three basic types of marketing purposes: marketing as Komerční banka’s legitimate interest, direct marketing as a legitimate interest, and marketing on the basis of your consent.

Marketing as a legitimate interest

As part of marketing as a legitimate interest, we carry out basic analyses of your data concerning your use of our products and services. At the same time this legitimate interest allows us to segment our clients in order to choose the most important form of servicing and offer suitable products and services, and it also allows us to find out clients’ opinions. You may object to marketing as a legitimate interest.

Direct marketing as a legitimate interest

As part of direct marketing as a legitimate interest, we may offer you KB products and services through our branch network and direct channels, or via e-mail, SMS and social networks. You may object to direct marketing as a legitimate interest. If you object to such processing, we will automatically comply with your wishes.

Marketing with consent

Purposes for which we need your explicit consent to process your personal data are offering products and services (including via direct channels) provided by the KB Group and third parties who work with us, marketing processing, and analyses and profiling aimed at tailoring our offers to meet your needs and improving the services we provide. As we do not wish to annoy you with unnecessary and inappropriate communications, we use the personal data we collect to get a better idea of your needs so that we can offer you suitable solutions. We may offer you credit products or payment instruments, or congratulate you on your birthday.

We can use a wide range of channels to communicate with you: letters, telephone calls, e-mails, SMS, messages at ATMs, and messages (or pop-ups) in internet banking.

Information on the use of our products and services helps us to monitor and constantly improve their quality and retain your loyalty. We also process personal data to support our business decisions and identify business potential.

Before this information can be used it must be processed, which in particular involves data processing for marketing purposes. This refers to statistical and mathematical analyses aimed at gaining an insight into a client’s behaviour and anticipating the client’s future behaviour and business potential, as well as client profiling, various kinds of segmentation, reporting, etc. Processing can be manual or automated.

We process this data on the basis of your explicit consent. You can find detailed information on Group Marketing Consent in Marketing Consent.

We can only process your personal data within a specific scope, and provided that at least one of the following conditions is satisfied:

  • you gave us your consent to process your personal data for one or more specific purposes (see What kinds of consent do we have in Komerční banka?);
  • processing is necessary for the performance of a contract;
  • processing is necessary for compliance with Komerční banka’s legal obligations
    • the personal data on you that we process to satisfy our legal obligations. This is the data we primarily have to collect, evaluate and retain for a specified period to satisfy our obligations under the legislation. This includes archiving, in compliance with various laws governing our business, obtaining and evaluating data to satisfy our obligations in preventing money laundering (e.g. KYC, Know Your Client), and many other laws;
  • processing is necessary for Komerční banka’s legitimate interests, except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms, which require the protection of the subject’s personal data;
  • processing is carried out in accordance with other legal bases that only apply exceptionally to Komerční banka. Processing is necessary in order to protect your vital interests, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.

In specific cases we are authorised to process your personal data in order to protect the rights and legitimate interests of Komerční banka, Komerční banka Group and third parties. In these cases we are authorised to process your personal data without your consent, but always for the reasons that authorise us to carry out such processing. Processing on the basis of our legitimate interest is limited, and the legitimate interests we define and on whose basis we carry out processing are always carefully assessed.

The main types of processing we carry out to pursue our legitimate interests are primarily:

  • Security – as part of this legitimate interest we process personal data, primarily camera recordings, in order to protect Komerční banka’s property, buildings and reputation, and to protect individuals against unlawful conduct.
  • Marketing – our legitimate interests include the restricted processing of personal data for marketing purposes. We process data mainly for basic analysis and segmentation, and to find out your opinions.
  • The company’s internal needs and reporting – we use this legitimate interest to satisfy our employees’ internal reporting duties related to the efficiency of our servicing and selling.
  • Analysing products, services and profile data – as part of this legitimate interest we are authorised to carry out analyses for the purposes of:
    • selecting the most suitable parameters for a product or service
    • assessing product risks (loans, investments, insurance, etc.)
    • transferring data within our financial group and to our parent company
    • securing computer networks and data to prevent them from being misused or attacked, in order to minimise any damage to the systems we operate
  • Debt recovery and factoring, defending our legal claims – this legitimate interest allows us to process personal data for internal collection and to arrange recovery by third parties.
  • Covering our risks – as part of this legitimate interest we are authorised to maintain lists of persons who have provided false information, experienced difficulties paying their debts, etc.

This chapter covers the different kinds of consent we collect in Komerční banka.

What is consent?

Consent is any freely given, specific, informed and unambiguous indication of a person’s wishes, in which he or she, by means of a statement or another clear affirmative act, signifies agreement to the processing of his or her personal data. Consent is voluntary, and you can give, refuse or withdraw your consent at any time. If this concerns Group Marketing Consent, you can withdraw it at any company in the KB Group.

Refusing to give your consent, or withdrawing it, has no effect on your contractual relationship with Komerční banka. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Types of marketing consent

Marketing consent refers to consent to processing clients’ data for the purposes of carrying out marketing activities, and sharing data for these purposes between the companies to which you have given your consent.

Group Marketing Consent (“Marketing Consent”)

If you have given us your Marketing Consent, this consent applies to the KB Group as a whole. In this case all companies in the KB Group will be joint controllers of your personal data, and they can share and process the data specified in the consent form for the purposes specified in the consent form.

You can give your consent in person in Komerční banka’s branch network, in one of our subsidiaries’ branch networks, when signing contractual documents for any KB Group products brokered by selected third parties, and via our direct banking channels (MojeBanka, Mobilní banka).

When giving your consent, and subsequently, you cannot choose which companies this applies to or not, and we will be obliged to treat any request that only some of the joint controllers be included as refusing to give or withdrawing your Marketing Consent. You can withdraw your consent at branches of KB Group’s sales network. If you withdraw your consent from one KB Group company, this will also apply to the other members of the KB Group, meaning that subsequently none of them will be able to continue processing your personal data for the purposes specified in your Marketing Consent form.

The KB Group jointly processes all data given by consent, and this data may also be transferred between the controllers. This means for instance that if you have signed the Marketing Consent form, the information you give to a KB banking advisor will be available for marketing purposes to the other joint controllers such as Modrá pyramida stavební spořitelna, a.s. This also means that we share publicly accessible information on you between all companies in the KB Group.

You give your Marketing Consent to the following companies, which we refer to as the “KB Group”:


KB Group

The “KB Group” comprises the following companies:

Komerční banka, a.s., Company No: 45317054
Modrá pyramida stavební spořitelna, a.s., Company No: 60192852
Komerční pojišťovna, a.s., Company No: 63998017
KB Penzijní společnost, a.s., Company No: 61860018
ESSOX s.r.o., Company No: 26764652
ALD Automotive s. r. o., Company No: 61063916
SG Equipment Finance Czech Republic s.r.o., Company No: 61061344
Factoring KB, a.s., Company No: 25148290

According to the legal definition, the controller of personal data is anyone who determines the purpose and means of processing personal data, and for this purpose carries out the collecting, processing and retention of personal data. All of the companies listed above are joint controllers of your personal data, and they can share and process the data specified in the consent form for the purposes specified in the consent form.

Completing the Marketing Consent form

The Marketing Consent form has two boxes: “Agree” and “Disagree”.

By ticking the “Agree” box and signing the form, you give your consent for the KB Group to process your personal data for marketing purposes.

By ticking the “Disagree” box and signing the form, you do not give your consent for the companies listed above to process your personal data for marketing purposes within the scope defined in the form.

Crossing out, overwriting or otherwise altering the Marketing Consent form will be regarded as refusing to give consent (the same as choosing “Disagree”).

It is sufficient to give your Marketing Consent only once to a single company in the KB Group and it will remain valid and in effect for the duration of your last contractual relationship with at least one of the companies in the KB Group, and then for one year after it ends, or until you withdraw your consent.

If you give your Marketing Consent when discussing a product or service, for instance, and you ultimately decide not to become our client (i.e. no contractual relationship is established with a member of the KB Group), your consent will apply for one year after you gave it, unless you withdraw it in the meantime. When your Marketing Consent is no longer valid and in effect, your personal data will be deleted, or it will only be processed within the scope and for purposes for which the legislation does not require consent.

Alliance Consent (Cataps Marketing Consent)

If you are a retailer and you use the card acceptance services of the companies KB SmartPay and Worldline, you give your Alliance Consent to the processing of your personal data and your company’s data for marketing purposes within the Alliance relating to card acceptance. The Alliance’s members are joint controllers of this data.

You give your consent to the following companies, which we refer to as the “Alliance”:

Komerční banka, a.s., Company No: 45317054
KB SmartPay (Cataps, s.r.o.), Company No: 03633144
Worldline NV/SA, CBE (Crossroads Bank for Enterprises) No 0418.547.872

This data will be processed for marketing purposes from the moment Alliance Consent is given until two years have elapsed after the termination of your last contractual (or other legal) relationship with one of the personal data controllers in the Alliance.

You can find more information on this consent in SmartPay’s document “Information on Processing Personal Data”.

TelcoScore Consent

If you have given us this consent, we will obtain, through the processor – Společnost pro informační databáze, a.s., Company ID 26118513, aggregated information in order to assess your ability and willingness to fulfil your obligations under the contracts entered into according to the current application or your future requests for entering into contracts with Komerční banka. This information can indicate your payment morale in terms of how you use electronic communications services with the operators: T-Mobile Czech Republic, a.s., Company ID 64949681, O2 Czech Republic a.s., Company ID 60193336, O2 Family, s.r.o virtual operator, Company ID 24215554, Vodafone Czech Republic a.s., Company ID 25788001. For more information, please visit www.sid.cz and consult the “TelcoScore Privacy Statement” available at any Komerční banka branch and on its website www.kb.cz. Such consent may be withdrawn in writing at any branch of Komerční banka.

There are two main reasons why we process and retain your data, and related to these reasons are the time limits for which we need to retain your data:

  • A legitimate interest concerning claims, complaints, litigation, etc. – at least four years following the termination of the product or service.
  • Certain legislation also requires us to retain data – e.g. the Banks Act, the Capital Market Trading Act, MiFID, etc., mostly for a minimum of ten years following the termination of the product or service. In practice this is longer, up to eighteen years, so that we can satisfy all the regulatory requirements and resolve any disputes with the regulators.

We also retain data on your products and transactions obtained from other financial institutions for a period of five years from their disconnection from KB internet banking.

The regulations on personal data protection allow the controller to entrust the processing of personal data to a processor. A personal data processor is any entity that processes personal data on the basis of specific legislation, or is entrusted or authorised to do so by the controller. In such cases the contractual and regulatory arrangements guarantee your data the same protection that Komerční banka provides. The most important processors Komerční banka uses for processing personal data are:

  • IT providers
  • Advertising agencies
  • Companies that archive personal data
  • Companies and persons providing legal services
  • Companies and persons working in debt recovery
  • Mortgage appraisers
  • Our partners in loyalty programmes
  • Mail services and couriers
  • Comprehensive insurance providers
  • Credit registers

Credit registers

To protect our rights by assessing your ability and willingness to repay your loan commitments, Komerční banka investigates your creditworthiness, payment discipline and integrity. We do this on the grounds of our legal obligations or legitimate interests, with the help of credit registers. When negotiating a loan, and perhaps during the credit agreement, we transfer information on you to these credit registers, and your consent may not be required. In addition to the database maintained by the Czech National Bank, we use three credit registers: the Client Information Bank Register (CIBR), the Non-Bank Client Information Register (NCIR), and the SOLUS association.

Client Information Bank Register

The Client Information Bank Register is operated by CBCB – Czech Banking Credit Bureau, a.s., which collects information on the creditworthiness, payment discipline and integrity of banks’ clients. The data in this register can be shared without the client’s consent, and you can request a printout from the register. You can find out more about the CIBR at www.cbcb.cz.

Non-Bank Client Information Register

The Non-Bank Client Information Register is operated by CNCB – Czech Non-Banking Credit Bureau, z.s.p.o. Again, your consent is not required for the data to be shared. As a bank we are not part of the register, and your data is only shared. You can find out more about the NCIR at www.cncb.cz.

These registers exchange information, and they can also do this without your consent. For more information on these registers, we refer you to their Information Memoranda, which you can find on Komerční banka’s website and the registers’ websites.

SOLUS register

Your personal data may also be kept in the SOLUS register, on the basis of the Consumer Protection Act. This register allows users to share consumers’ identification data. It also covers matters such as consumers’ creditworthiness, payment discipline and integrity. Your consent is not required for the provision of such information, and Komerční banka can transfer your data to and from the SOLUS register without asking for your consent. If you want to find out more about the SOLUS register, please visit www.solus.cz

Other processors

Recording book-entry securities

Investments are a somewhat specific field, where a record must be kept of any book-entry securities you own. For this purpose your personal data is provided to third parties, such as the Central Securities Depository and organisations that keep separate records of these securities.

If this concerns a foreign operator that registers such information, personal data is provided in compliance with the local legislation. In the aforementioned cases this concerns the performance of contracts that comprise the legal framework for repeated investments. Your consent is not required here, as this data is processed on the basis of the contract.

Exchanging information and tax issues

Under international agreements such as FATCA, etc., we are obliged to provide data on our clients to the Ministry of Finance of the Czech Republic. For more information on these agreements, please visit www.mfcr.cz

Central Register of Accounts (CNB)

We transfer your personal data to the Central Register of Accounts, which is maintained by the Czech National Bank. This is a central database with basic information on the accounts that credit institutions keep for their clients, who are natural and legal persons and other entities. The Central Register of Accounts allows the state administration to request a check of the accounts kept at credit institutions in the Czech Republic in order to avoid the financial system being abused for money laundering or financing terrorism.

TelcoScore

The TelcoScore service is operated by Společnost pro informační databáze, a.s., Company ID 26118513, and provides information on the creditworthiness and credibility of users of electronic communications services (see also chapter 6 above). Obtaining your creditworthiness data through TelcoScore is only possible on the basis of your consent to the transfer of your telephone number and/or birth number to the operators.

On request and without consent

A range of public authorities may request information on our clients. They include the Czech Police, the courts, the Czech National Bank and health insurance companies. However, we only provide this data in situations where we are legally obliged to do so.

In Komerční banka we always try to be as transparent as possible, which is why we think it is important that you know how we process your personal data. For this reason we list here the basic categories for the individual items of data.

Basic data

Identification data

This includes the subject’s first name, surname, birth registration number, date or place of birth, identity card numbers and birth certificate. If you are in business, this is also your company ID number, tax registration number, etc.

Address and contact data

This includes all of the subject’s addresses – e.g. permanent place of residence, correspondence addresses, and for entrepreneurs their company’s address, and the subject’s contact data, e.g. telephone numbers, e-mail addresses, social network addresses, data boxes, etc.

 

Descriptive data

Sociodemographic data

This includes statistical data, such as your age, sex, marital status, education, income and profession, information on your employer, how many children you have, etc.

Financial status

This includes data on your finances, such as any property, shares or other securities you may own. In some cases you will also inform us of your income and liabilities. It also includes the balances of any loans and leasing contracts, payments to building society schemes, pension scheme contributions, insurance premiums (property, household, life, accident and vehicle insurance, etc.), other individual expenditure items (e.g. maintenance), other liabilities (e.g. surety), etc.

Tax residence

This includes data on your tax residence, i.e. where you are obliged to pay tax.

Non-financial business characteristics of a client

This includes information on suppliers and customers, the client’s business strategy, information on any group of connected clients, information on the market environment and situation in the sector, business risks, etc.

 

Data on products

Data for financing products

This includes the personal data of debtors and co-debtors, information on the parameters of a credit transaction, the identification and value of collateral, etc.

Data for investment banking and insurance products

This includes the personal data of the holders and managers, contract numbers, the level of investment, the order book, information on transactions, insurance claims, etc.

Data for day-to-day banking products

This includes the personal data of the holders and managers, contract numbers, payment card numbers including security data, information on transactions, the sales channels used, etc.

 

Data from public registers

This includes sanctions lists of persons linked with terrorism and other persons on international watch lists who are subject to international sanctions, ISIR – the insolvency register, the bankruptcy register, the central debt collection register, registers of invalid and stolen documents, the register of groups of connected clients, information from the land register, etc.

 

Information from the internet, social media and social networks

This includes, e.g., geolocation data identified by GPS coordinates (or the address point), the IP address, cookies, the identification of the device used, information on web browsers, your profile on social networks, etc.

 

Electronic communication means for authentication and authorisation

This includes data on electronic communication means that are mainly used for authentication, i.e. to verify your identity. Data that comes under this category includes your digital signature, your digital certificate, or the user name you ordinarily use to log into applications, or your device’s serial and manufacturing numbers (MAC address), etc.

 

Records from banking machines and applications

This includes identification data from, e.g., payment terminals, communication channels and logs from monitoring banking applications, as well as other information such as geolocation data from terminals.

 

Camera recordings

This includes data and recordings from the monitoring of Komerční banka’s branches and other premises, such as ATMs and safes.

Records of data subjects’ links with products and services

This includes any co-applicants’ personal data and the requisite parameters (interest rate, repayment instalments, etc.), records on relationships, records on the family, information on business relations e.g. between supplier and customer, etc.

 

Products of other financial institutions connected to KB internet banking

If you connect your product provided and administered by another financial institution to KB internet banking, we process the data provided by you in this context or obtained by us that is necessary for the proper functioning of this service, and information about these products and their transactions to the extent provided by the other financial institution.

Data we neither collect nor process

Special categories of personal data

This is a special type of data that includes information on your race, ethnicity, trade union membership, any health problems, and sexual orientation. It also includes data related to genetic and biometric information. Komerční banka does not collect this data.

You have the right to ask us for information on your personal data that we process, the purpose and nature of processing personal data, and the recipients of personal data.

If you discover or believe that our processing of your personal data is contrary to the protection of your personal and private life, or in violation of the legislation, you are entitled to ask us for an explanation, or to ask Komerční banka to remedy the situation.

If we are in breach of our obligations, you also have the right to ask the Office for Personal Data Protection to take remedial measures.

 

A list of your rights:

  • The right of access to personal data
    This right allows you to ask Komerční banka for a printout of the personal data the bank keeps on you. Komerční banka is obliged to produce this printout for you, including information on:
    • the purposes for which the data is processed;
    • the planned processing period;
    • the source of the data;
    • any recipients to which Komerční banka provides this data
  • The right to data portability
    This right gives you the option of asking Komerční banka for data concerning you, which you personally provided to Komerční banka. Komerční banka will agree with you on the format and means for transferring the data. It will transfer the data to you or another controller you specify, in a machine-readable format.
  • The right to erasure of personal data
    This right entitles you to ask Komerční banka to erase all of your data. Your data can only be erased if there are no other reasons why Komerční banka is obliged to retain your data (the performance of a contract, legal requirements, etc.).
    However, even if Komerční banka cannot fully comply with your request, all forms of marketing consent will be withdrawn and no marketing will subsequently be addressed to you.
  • The right to rectification of personal data
    On the basis of information from you, Komerční banka will rectify inaccurate personal data without undue delay, or will supplement any incomplete data if a specific processing purpose so requires.
  • The right to restriction of processing. The restriction of personal data processing, in response to a request or an objection
    If you request the restriction of processing, and there are no technical or other reasons why your request cannot be granted, Komerční banka will restrict such processing.
  • The right not to be subject to automated individual decision-making with legal or similar effects, including profiling
    At your request, Komerční banka will exclude you from all processing it performs solely automatically. If such processing is necessary for the provision of a contract, Komerční banka will give you the option of discussing the results of such processing with a banking advisor to identify an alternative and more acceptable solution.
  • The right to object in cases where we process your data on the basis of our legitimate interest
    You have the right to object to all processing that Komerční banka carries out on the basis of its legitimate interest as the controller. Accepting your objection means that Komerční banka will stop processing your data for all the purposes contested in your objection.

 

Komerční banka treats all of the above rights in the same way, and always tries to satisfy your requirements.

Komerční banka has a reasonable period to process your request when you exercise a right – usually this is 30 days.

You will be informed by letter when Komerční banka has finished processing your request. You can exercise your rights by sending Komerční banka a letter or e-mail, or directly at one of our branches.

When exercising selected rights, Komerční banka may need your cooperation to identify you. You can exercise your rights on your own behalf or on behalf of someone you represent on the basis of power of attorney or other authorisation.

If you have any questions, please call Komerční banka’s Infoline on 800 521 521, go to www.KB.cz/osobni-udaje or write to us at osobni_udaje@kb.cz.

Alternatively, please contact our Data Protection Officer (DPO), who is responsible for supervising the processing of personal data in Komerční banka.

You can contact the DPO by e-mail (osobni_udaje@kb.cz) or by writing to the following address:

Office of the Data Protection Officer
Komerční banka a.s.
Na Příkopě 969/33
114 07 Prague 1

When providing products and services to legal persons, we also obtain and process data on natural persons who are authorised to represent the bank’s clients, as well as on other natural persons whose personal data is processed in direct connection with conducting their activities, and which the bank must or is entitled to process for its own purposes.

This primarily concerns the registered owners and beneficial owners, persons authorised to view or dispose of funds on their accounts (including holders of business payment cards), persons providing collateral, and other subjects connected with these persons. We obtain data primarily from our clients or their representatives, from publicly accessible sources, and also from specialised databases maintained by third parties.

This involves subjects’ identification data, i.e. their addresses, contact and sociodemographic data, their role and position in a company, their area of interest, scans of documents, information on links with other subjects, and information required by the legislation, especially the laws on money laundering, taxation and the provision of payment and investment services, and any other regulations the bank has to comply with when conducting its business.

We acquire and process this data:

  • When providing products and services to clients, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person.
  • When satisfying our obligations to prevent money laundering, in compliance with our legal obligations as the controller. We process data for the period specified in the applicable legislation. For this purpose we process scans of identity documents in the Czech Republic on the basis of the data subject’s consent.
  • In the automatic exchanging of information on financial accounts (CRS, FATCA). We process data for a period of ten years following the end of the calendar year in which notification was sent to the relevant tax authority.
  • When maintaining and developing our relationship with our clients, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person.
  • When defending legal claims, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person, and after the termination of the product or service for a period of eighteen years in the Czech Republic and ten years in Slovakia.

If you gave your consent for the KB Group to process your personal data for marketing purposes, the data specified above can also be processed for these purposes.

Komerční banka is the parent company of the KB Group and a member of the Société Générale international financial group. KB ranks among the leading banking institutions in the Czech Republic, as well as in Central and Eastern Europe. It is a universal bank providing a wide range of services in retail, corporate and investment banking. Member companies of the Komerční banka Group provide additional specialised financial services such as pension schemes and building society schemes, leasing, factoring, consumer lending and insurance. These are available through KB’s branch network, its direct banking channels and its subsidiaries’ own sales networks. KB also provides services in Slovakia through a branch that serves corporate clients, as well as through selected subsidiaries.

| Czech subsidiaries | Address | Company No |
| --- | --- | --- |
| Modrá pyramida stavební spořitelna, a.s. | Bělehradská 128/222, 120 21 Prague 2 | 60192852 |
| Komerční pojišťovna, a.s. | Karolinská 1/650, 186 00 Prague 8 | 63998017 |
| KB Penzijní společnost, a.s. | náměstí Junkových 2772/1, Stodůlky, 155 00 Prague 5 | 61860018 |
| SG Equipment Finance Czech Republic s.r.o. | náměstí Junkových 2772/1, Stodůlky, 155 00 Prague 5 | 61061344 |
| ESSOX s.r.o. | F. A. Gerstnera 52, České Budějovice 7, 370 01 České Budějovice | 26764652 |
| Factoring KB, a.s. | náměstí Junkových 2772/1, Stodůlky, 155 00 Prague 5 | 25148290 |
| Protos, uzavřený investiční fond, a.s. | Dlouhá 713/34, Staré Město, 110 00 Prague 1 | 27919871 |
| KB Real Estate, s.r.o. | Václavské náměstí 796/42, Nové Město, 110 00 Prague 1 | 24794015 |
| VN 42, s.r.o. | Václavské náměstí 796/42, Nové Město, 110 00 Praha 1 | 02022818 |
| STD2, s.r.o. | Václavské náměstí 796/42, Nové Město, 110 00 Praha 1 | 27629317 |
| **Subsidiaries in other countries** | | |
| Bastion European Investments S.A. | Rue Des Colonies, 11 1000 Brussels, Belgium | BE0877.881.474 |

 

The Société Générale Group

Since October 2001 Komerční banka has been part of Société Générale’s international retail banking group. Société Générale is one of the largest financial services groups in Europe.

Société Générale has been playing a vital role in the economy for the last 150 years. It operates in 67 countries with over 147 000 employees. The Société Générale Group serves 31 million clients throughout the world, and its teams offer advice and services to individual, corporate and institutional customers in three core businesses:

  • retail banking in France with the Société Générale branch network, Credit du Nord and Boursorama, offering a comprehensive range of multichannel financial services on the leading edge of digital innovation;
  • international retail banking, insurance and financial services for companies with a presence in emerging markets and leading specialised businesses;
  • corporate and investment banking, private banking, asset management and securities services, with recognised expertise, top international rankings and integrated solutions.

When processing your personal data, we comply with the applicable legislation, especially the Personal Data Protection Act, the Banks Act and the Anti-Spam Act, which prohibits the sending of unsolicited commercial communications.

The most important legislation on personal data protection or related to it is:

| Legislation | Legal act | Area covered |
| --- | --- | --- |
| Anti-Spam Act | Act No 480/2004 on certain information society services | commercial communications by e-mail and SMS |
| FATCA | Agreement No 72/2014 between the Czech Republic and the United States of America to improve international tax compliance; Act No 164/2013 on international cooperation in tax administration | the bank’s obligations in checking compliance with fiscal obligations |
| MiFID | Directive 2004/39/EC on markets in financial instruments | a directive introducing a common market and regulatory regime for providing investment services in the EU |
| Market Abuse Regulation | Regulation (EU) No 596/2014 on market abuse; Directive 2014/57/EU on market abuse | market manipulation |
| Civil Code | Act No 89/2012, the Civil Code | protection of privacy |
| General Data Protection Regulation | Regulation (EU) 2016/679 | protection of personal data in the EU, in force since 25 May 2018 |
| Banks Act | Act No 21/1992 on banks | banking operations |
| VAT Act | Act No 235/2004 on value-added tax | processing tax data |
| Act on international cooperation in tax administration | Act No 164/2013 on international cooperation in tax administration | international exchange of information on tax |
| Personal Data Protection Act | Act No 101/2000 on the protection of personal data | protection of personal data |
| Consumer Protection Act | Act No 634/1992 on consumer protection | credit registers |
| Capital Market Undertakings Act | Act No 256/2004 on business activities on the capital market | security trading operations |
| Insurance Act | Act No 77/2009 on insurance | insurance companies |
| Accounting Act | Act No 563/1991 on accounting | processing accounting data |
| Money Laundering Act | Act No 253/2008 on selected measures against legitimising the proceeds of crime and financing terrorism | client identification and checking |

 

Contacts

Office of the Data Protection Officer

Komerční banka a.s.

Na Příkopě 969/33

114 07 Prague 1

Phone number: in CZE: 800 521 521, from abroad: +420 955 559 550

E-mail: osobni_udaje@kb.cz

 

Other Important Contacts

Office for Personal Data Protection

address: Pplk. Sochora 27, 170 00 Prague 7

tel.: 234 665 111

website: www.uoou.cz

Text of GDPR: http://eur-lex.europa.eu/legal-content/CS/ALL/?uri=CELEX:32016R0679

Guidelines of WP29 for GDPR:

http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1360

For employees, job seekers and external partners

This web page aims to provide employees, job seekers and external partners of the Komerční banka corporate group in the Czech and Slovak Republics with information on personal data processing and the related rights. You will learn what personal data we collect, how we manage them, from what sources we obtain them, for what purposes we use them and to whom we may provide them.

The information on personal data processing will be regularly updated.

Information on processing personal data

The controller of your personal data is, in each individual case, the specific company of the KB Group, as defined below (hereinafter “KB Group”), to which you provided the personal data or which obtained the personal data from you. The controller collects your personal data, manages them and is responsible for their proper and lawful processing.

KB Group

ALD Automotive s. r. o., with its registered office: Praha 10, U Stavoservisu 527/1, Postal Code 108 00, Id. No.: 61063916

ALD Automotive Slovakia s. r. o., with its registered office: Bratislava, Panónska cesta 47, Postal Code 851 04, Id. No.: 47 977 329

ESSOX s.r.o., with its registered office: České Budějovice, F. A. Gerstnera 52, Postal Code 370 01, Id. No.: 26764652

Essox Finance, s.r.o., with its registered office: Bratislava, Karadžičova 16, Postal Code 821 08, Id. No.: 35 846 968

Factoring KB, a.s., with its registered office: Prague 5 – Stodůlky, náměstí Junkových 2772/1, Postal Code 155 00, Id. No.: 25148290

Komerční banka, a.s., with its registered office: Prague 1, Na Příkopě 33/969, Postal Code 114 07, Id. No.: 4531 7054

Komerční banka, a.s., foreign bank’s branch, with its registered office: Bratislava, Hodžovo námestie 1A, Postal Code 811 06, Id: 47231564

KB Penzijní společnost, a.s., with its registered office: Prague 5 – Stodůlky, náměstí Junkových 2772/1, Postal Code 155 00, Id. No.: 61860018

Komerční pojišťovna, a.s., with its registered office: Prague 8, Karolinská 1/650, Postal Code 186 00, Id. No.: 63998017

Modrá pyramida stavební spořitelna, a.s., with its registered office: Prague 2, Bělehradská 128/222, Postal Code 120 21, Id. No.: 60192852

SG Equipment Finance Czech Republic s.r.o., with its registered office: Prague 5 – Stodůlky, náměstí Junkových 2772/1, Postal Code 155 00, Id. No.: 61061344

SG Equipment Finance Czech Republic – org. zložka, with its registered office: Bratislava 1, Hodžovo nám. 1A, Postal Code 810 00, Id. No.: 31785972

We honour and respect the highest standards of personal data protection in processing of your personal data and comply, in particular, with the following principles:

  • We process your personal data for the set purpose, using the set means and in the set manner, and only for a period necessary for the purposes of their processing;
  • We protect your personal data and provide for their processing while ensuring the highest possible security so as to prevent any unauthorised or accidental access to your personal data, their change, destruction or loss, unauthorised transfer and other unauthorised processing;

We comply with appropriate technical and organisational measures to ensure a level of security corresponding to all possible risks; all persons who come into contact with employees’ personal data are obliged to maintain confidentiality of information obtained in connection with the processing of such data.

The data protection officer for all companies within the KB Group is:

Ing. Radek Basár, MBA
Na Příkopě 969/33
114 07 Prague 1

Tel.: +420 955 532 780

The legislation on personal data protection allows the controller to authorise another person – a processor – to process personal data. A personal data processor is every entity that processes personal data on the basis of a special law or authorisation of the controller. In some cases, this procedure is also used by companies of the KB Group in personal data processing. Compliance with the same principles of personal data processing as those followed by the KB Group is guaranteed in these cases by a contract and by law.

Your personal data are being processed in the territory of the Czech and Slovak Republics and in other countries of the European Union where entities belonging to the KB Group are seated and that share the same standards of personal data protection as the Czech and Slovak Republics. Neither the controller nor the processors involved in the processing of employees’ personal data transfer employees’ personal data to countries outside the European Union.

The manner in which the controller processes your personal data includes only manual processing in information systems.

Purpose and legal basis of personal data processing

We process personal data without your consent: (a) on the grounds of a legitimate interest with a view to selecting the most suitable candidate and filling a job vacancy as efficiently as possible, and (b) to execute the employment contract.

We process personal data with your consent with a view to offering further job vacancies to you.

Extent of personal data being processed:

Identification and contact details

Name and surname, date and place of birth, birth identification number, place of residence, telephone number, marital status, nationality, photograph, e-mail address, profile address in social networks.

Details on education and previous employment

List of completed schools, diplomas, school reports, courses, certificates, previous employers, motivation letter, driving licence, psychological tests, psychodiagnostic tests, recruitment tests.

Publicly available data

Furthermore, information may be obtained that is freely available on the internet in the Commercial Register, Trade Register, Insolvency Register or other insolvency records with a similar or identical content, or the LinkedIn social network.

Details from mutual communication

Notes made during telephone calls, video recordings, notes made during personal interviews and, if appropriate, written communication.

Protection of buildings

With a view to protecting rights and legally protected interests, your movements in buildings are recorded and camera recordings from selected areas of buildings are stored.

 

From what sources do we obtain information about you?

We obtain information from your CV, from portals focusing on job advertisements to which a response was made, from recruitment agencies, based on references and mutual communication, from social networks and the internet.  

 

For how long do we keep personal data?

We process your personal data only for the period necessary for the purposes of their processing. We regularly evaluate whether it is still necessary to process certain personal data for the given purpose. If we determine that they are no longer required for any of the purposes for which they were processed, we will destroy the data. In relation to certain purposes of personal data processing, we have evaluated the usual duration of processing of personal data as follows for the relevant purposes:

  • we process data on the grounds of a legitimate interest and the performance of a contract for the duration of the recruitment process, but not exceeding 6 months;
  • we process data related to protection of buildings on the grounds of legitimate interests for a period of 180 days.
  • if you have granted consent to processing of your personal data, the personal data will be stored for the purpose of offering another potential job vacancy for a period of 24 months or until the consent is revoked.

 

Recipients and processors of personal data

Your personal data are disclosed especially to employees in relation to the performance of their working tasks that require handling of personal data, but in each case only to the necessary extent and in compliance with all security measures.

In addition, your personal data are transferred to third parties involved in the processing of personal data, and such personal data may also be disclosed to such third parties on other grounds in accordance with the law. Prior to any transfer of your personal data to a third party, a written contract is always executed which regulates the personal data processing so as to include safeguards for personal data processing identical to those that the controller of your personal data complies with in accordance with its statutory obligations. Important processors include recruitment agencies and companies performing psychological tests.

Purpose and legal basis of personal data processing

We perform personal data processing without your consent to the necessary extent (a) on the grounds of performance of the contract – especially employment contract, agreement related to benefit programmes, contract with a medical facility providing occupational health services, contract for savings and insurance plans; (b) to perform a legal obligation – especially duties to notify public authorities, courts and the police, duties pertaining to the enforcement of decisions and performance of the archiving duty; (c) for the purpose of protecting the rights and legally protected interests, including, but not limited to, protection of information technology, buildings and property, and goodwill, and in relation to the management of security risks, prevention and investigation of frauds; and (d) on the grounds of legitimate interests of the controller in the area of HR consultancy, education and evaluation.

Extent of personal data being processed:

Identification and contact details

Name and surname, academic degrees, address of residence, telephone number, date and place of birth, birth identification number, marital status, photographs, nationality, information whether you are the governing body or a member of the supervisory body of another legal person, whether you operate a business, bank details, personal number.

Data for payroll agenda, remuneration and benefits

Records of hours of work, data necessary for reflecting discounts and deductions for taxes, data necessary for reflecting discounts and deductions for savings and insurance schemes, information on accidents at work, data on business trips including accommodation and booking of transport tickets and minor expenses, mandatory deductions from salary, confirmation of study, disability or old-age pension, meal vouchers, Cafeteria benefits scheme, employee equity plan, information for annual settlement of tax including the aggregate of all income and levies for the given period.

HR consultancy, education and evaluation

In the area of HR consultancy and your career development, we work with your history of jobs, remuneration and work evaluation. Psychological reports are used for selected jobs. Information is also stored on any violations of internal regulations and the law, agreements on material responsibility, agreements on employees’ obligations, occupational medical check-ups, employee evaluation and powers of attorney, as well as on training and educational programmes completed.

Protection of buildings and information systems, recording of calls, GPS records.

Camera recordings are made exclusively for the purposes of compliance with legal duties, and protection of rights and legally protected interests. For reasons of protection of information systems, information is stored on the history of your logins and logouts, and your activity in selected applications may also be logged. For selected jobs, interviews with clients are recorded as proof of submitting a requirement for services. You will always be advised in advance if such recordings are made. The contents of this communication are confidential and we use them exclusively for the purposes of compliance with the legal duties, execution and performance of the relevant contract, protection of rights and legally protected interests. Records from GPS devices in company cars are stored for the purposes of recording private and service trips and protection of property.

 

From what sources do we obtain information about you?

We obtain information from the initial form, CV, initial interview and mutual communication. Furthermore, information is obtained from applications you use in your work and the systems of protection of buildings.
 

For how long do we keep personal data?

We process your personal data only for the period necessary for the purposes of their processing. We regularly evaluate whether it is still necessary to process certain personal data for the given purpose. If we determine that they are no longer required for any of the purposes for which they were processed, we will destroy the data. In relation to certain purposes of personal data processing, we have evaluated the usual duration of processing of personal data as follows for the relevant purposes:

  • we process data for the purposes of performing the contract during the term of the contractual relationship; furthermore, the relevant personal data can usually be utilised for a period of five years in the Czech Republic and ten years in Slovakia;
  • we process personal data of employees for the purpose of performing our legal obligations for a period of 30 years in the Czech Republic and up to 70 years of age of the data subject in Slovakia;
  • on the grounds of protection of legitimate interests, we process data related to protection of buildings for a period of 180 days, voice recordings for a period of 5 years and records from information systems for a period of 10 years.
     

Recipients and processors of personal data

Your personal data are disclosed especially to employees in relation to the performance of their working tasks that require handling of employees’ personal data, but in each case only to the necessary extent and in compliance with all security measures.

In addition, your personal data are transferred to third parties involved in the processing of personal data, and such personal data may also be disclosed to such third parties on other grounds in accordance with the law. Prior to any transfer of your personal data to a third party, a written contract is always executed which regulates the personal data processing so as to include safeguards for personal data processing identical to those that the controller of your personal data complies with in accordance with its statutory obligations. Important processors include Edenred, Benefity Management, companies providing for operation, management and security of buildings and information systems, BCD Travel, companies of the KB Group, Societe Generale.

Purpose and legal basis of personal data processing

We perform personal data processing without your consent to the necessary extent (a) for the performance of a contract related to the provision of services to the KB Group; and (b) for the purpose of protecting the rights and legally protected interests – in particular, protection of buildings and information technologies.

Extent of personal data being processed:

Identification and contact details

Name and surname, date of birth, nationality, contact address, e-mail address.

Protection of buildings and information systems

Camera recordings are made exclusively for the purposes of compliance with legal duties, and protection of rights and legally protected interests. For reasons of protection of information systems, information is stored on the history of your logins and logouts, and your activity in selected applications may also be logged.


From what sources do we obtain information about you?

The information is obtained from the initial form and mutual communication. Furthermore, information is obtained from applications you use in your work and the systems of protection of buildings.


For how long do we keep personal data?

We process your personal data only for the period necessary for the purposes of their processing. We regularly evaluate whether it is still necessary to process certain personal data for the given purpose. If we determine that they are no longer required for any of the purposes for which they were processed, we will destroy the data. In relation to certain purposes of personal data processing, we have evaluated the usual duration of processing of personal data as follows for the relevant purposes:

  • we process data for the performance of the contract during the term of the contractual relationship between the company of KB Group and your employer, or the person for whom you perform, based on the contractual relationship, the activities that are the subject of the contractual relationship between the company of the KB Group and this person; furthermore, the relevant personal data can usually be utilised for a period of five years in the Czech Republic and ten years in Slovakia;
  • on the grounds of protection of legitimate interests, we process data related to protection of buildings for a period of 180 days and records from information systems for a period of 10 years.

Recipients and processors of personal data

Your personal data are disclosed especially to employees in relation to the performance of their working tasks that require handling of employees’ personal data, but in each case only to the necessary extent and in compliance with all security measures.

In addition, your personal data are transferred to third parties involved in the processing of personal data, and such personal data may also be disclosed to such third parties on other grounds in accordance with the law. Prior to any transfer of your personal data to a third party, a written contract is always executed which regulates the personal data processing so as to include safeguards for personal data processing identical to those that the controller of your personal data complies with in accordance with its statutory obligations. Important processors include companies providing for operation, management and security of buildings and information systems, and companies of the KB Group.

Right to revoke consent and right to object to processing

This Information Memorandum describes why we need your personal data and that we may process such data for certain purposes only with your consent. You are not obliged to grant consent to the processing of your personal data and, at the same time, you may revoke such consent, if granted. If you revoke your consent, we will terminate the processing of the relevant personal data for purposes requiring the relevant consent.

In case of processing on the grounds of a legitimate interest, you have the right to object to such processing.

You may revoke your consent or raise an objection to personal data processing on the grounds of a legitimate interest by e-mail sent to osobni_udaje@kb.cz.

Your rights

We process your personal data in a transparent and proper manner and in conformity with the legal regulations. You have the right to request that we provide you with information on personal data we process in respect of you, the purpose and nature of personal data processing and the recipients of personal data. Should you determine or believe that we process your personal data contrary to protection of your private and personal life or at variance with the legal regulations, you may request explanation from us and, if appropriate, claim that a member of the KB Group eliminate or remedy such a defective state of affairs. You may also contact the Office for Personal Data Protection with a request for remedy in case of breach of our duties.