Protection of personal data

The purpose of this document is to provide you with information about the processing of your personal data by Komerční banka and about your rights associated with them.

The information contained herein relates to the processing of personal data of clients – natural persons (potential, existing and former) and, to a reasonable degree, other natural persons to whom our bank owes certain obligations (e.g., beneficial owners or representatives of legal entities, or others users of services provided to legal persons).

We always process your personal data in a transparent, fair and lawful manner, and to the extent necessary for the given purpose. We retain your personal data safely for a period of time that is strictly necessary, as required by law or other regulations.

We encourage you to read the information contained in this document.

In case of any questions, please call KB Infoline at 800 521 521 or visit www.KB.cz/osobni-udaje.

You can also contact our Data Protection Officer by e-mail at the address osobni_udaje@kb.cz or through our branches/points of sale.

The controller of your personal data is Komerční banka, a. s. (hereinafter KB).

Contact details of the controller:

Komerční banka, a. s., IČO: 45317054
Na Příkopě 969/33
114 07 Praha 1
P. O. BOX 839
Česká republika / Czech Republic

Contact details of the Data Protection Officer (DPO):

Kancelář pověřence pro ochranu osobních údajů KB, a.s.
náměstí Junkových 1/2772
155 00 Praha 5 - Stodůlky
Česká republika / Czech Republic

E-mail: osobni_udaje@kb.cz

We may only process your personal data if there is an adequate legal reason to do so, i.e., if at least one of the following conditions is met:

a) The processing is necessary for KB to meet its legal obligations, in particular for the following purposes:

• Credit risk assessment,
• Prevention, detection and investigation of frauds, and money laundering prevention,
• Prevention and control of investment products and insurance products,
• Safeguard against market abuse,
• Regulatory reporting,
• Taxation and accounting obligation,
• Archiving and records management,
• Providing assistance to authorities,
• Documentary protection of data.

 b) The processing is necessary for the fulfilment of a contract, in particular for the following purposes:

• Arranging a product/service,
• Entering into a contract for the provision of a product/service,
• Providing customer service related to a product/service.

c) The processing is necessary for the purpose of our legitimate interests, in particular for the following purposes:

• Risk management,
• Security,
• Defence of our legal claims,
• Recovery and sale of receivables,
• Product and service analysis,
• Development and evolution of provided services, including internal staff training,
• Direct marketing – we can approach our customers with a general offer of KB products and services,
• Company’s internal needs; reporting,
• Software change testing,
• Creation of statistical information used for client counselling,
• Researching publicly available information to assess the possibility of establishing a future relationship.

If KB processes your personal data on the basis of the legitimate interest of the controller, you have the right to object. If you object to the processing of your personal data for direct marketing purposes, we shall always comply and terminate the processing.

 d) The processing based on your consent, in particular for the following purposes:

• Personalized offer of products and services, marketing processing of your data, such as analyses and profiling, surveys and user testing in order to customize our offers to your needs and improve the services provided. In the case that you decide to give us your marketing consent, it shall apply to all companies listed in the consent. If you should request to include only some of the joint managers listed therein, we shall consider it a lack of, or as the case may be, withdrawal of your marketing consent.
  If you withdraw your consent with respect to one of the companies, such withdrawal shall also apply to other companies, which means that none of them shall be authorised to process your personal data for the purposes specified in the marketing consent after that date. If you give us a separate marketing consent to the processing of data from a payment account held with another bank and connected in KB internet banking, this consent shall only apply to KB.
  • Utilising the TelcoScore service, which provides information on the creditworthiness and credibility of users of electronic communications services. More information can be found at www.sid.cz and in the document entitled “Privacy Policy Statement – TelcoScore” available at any KB branch/point of sale and at its website www.kb.cz.
  • If you are a Merchant and you use KB SmartPay and Worldline Card Acceptance Services, you give the Alliance Consent to the processing of personal data and your Company’s data for marketing purposes within the Credit Card Acceptance Alliance, whose members are joint controllers of the data. For more information on this consent, please refer to the “Information on Personal Data Processing by SmartPay” on www.kbsmartpay.cz website.
  • Consents you give us in connection with the use of products and services.

The consent is voluntary; you can give it, refuse it or withdraw it at any time. The withdrawal of your consent shall be without prejudice to the lawfulness of the processing that is based on the consent given before its withdrawal.
A lack or withdrawal of the consent entails no implications for your contractual relationship with KB.

e) The processing is necessary for the protection of your vital interests or for the performance of a task carried out in the public interest or subject to the exercise of official authority potentially vested in us as the controller. Such reasons can be applied to KB only in exceptional circumstances.

Identification data of an individual

In particular, the first name, surname, birth number, date of birth, place of birth, nationality, identity cards numbers, photograph and other personal data stated in the identity card. For businesspersons, also their IČO (ID number), VAT number, etc. It also applies to individuals with a connection to specific products, e.g. a joint holder, statutory representative of a legal person, co-debtor, applicant, or family member. This data is important to make sure we really contact the right person.

Special categories of personal data (sensitive personal data)

In particular, the health data you provide to us with a view to strengthening your interests or that is needed to arrange for a product to be provided.

Contact details

In particular, all addresses of the subject, e.g. the permanent residence address, correspondence addresses (for businesspersons also the address of the company) and other contact details of the entities, e.g. their telephone numbers, electronic addresses, social networking addresses, data mailbox IDs, etc. This data is necessary so that we can deliver our communications to you.

Socio-demographic data

In particular, statistical data, such as age, gender, marital status (single, divorced, etc.), education, profession, employer’s data, number of children, etc. Such data, which you usually share with us when applying for your product, allow us to better tailor our offer and services to your needs.

Property

In particular, data related to financial circumstances, such as ownership of real estate, securities or shares. In some cases, we also process information about your income and liabilities, as well as other loans/credits balances, lease contract balances, building savings instalments, pension insurance instalments, insurance premiums, other individual expenses (e.g. alimonies), other liabilities (surety, guarantee, ...) etc. We collect this data from you in particular as part of a product/service request, or from external sources (e.g. credit registers), or from information about the use of our products, and are primarily used for the evaluation of your loan/credit applications.

Tax residence

In particular, data associated with identifying your tax residence, i.e. where you are liable to pay taxes in order to comply with the statutory tax liability.

Data on used products and services

Information about which services provided by KB or its subsidiaries and/or partner companies you have arranged and how you use them (e.g. account numbers, account balances, transaction data on card payments, ATM withdrawals, outgoing and incoming payments, etc.). If you choose to use direct banking channels to operate your products/services, we keep information about your location, IP address, activity on our website, etc. We derive, for example, your transactional behaviour from this data and accordingly adjust our offer of products and services.

Means of electronic communication used for authentication and authorisation

In particular, data on means of electronic communication that are primarily used for authentication, i.e. verifying your identity. The data that fall into this category include, without limitation, a digital signature, certificate, or commonly used application login user name, identification or authentication through a mobile device, or serial numbers of the devices (MAC address), etc. The main reason for processing these data is to ensure a high level of security of while these means of communication are used.

 Activity records of banking equipment and/or applications

In particular, identification data e.g. from payment terminals, communication channels or banking applications logs, as well as other data, such as geolocation data from payment terminals. The data is used, above all, to monitor and optimize the availability of our facilities and services, e.g. when dealing with your complaints or preventing the misuse of payment cards.

Communication recordings

In particular, telephone call recordings, written records of meetings with relationship managers or other specialized staff, recordings of your complaints and claims. We collect this data on the basis of legal obligations and/or for the purpose of the arrangement and performance of a contract and/or due to the legitimate interests of KB, in particular defending its legal claims; this data is also intended to prevent you from being contacted too often and helps us to adjust our offer to your current needs. You are always informed in advance that a given telephone call is going to be monitored/recorded.

Camera recordings

In particular, data/recordings from the monitoring devices of KB’s branches/points of sale, as well as KB’s other premises, such as ATMs and safes. They are used, first and foremost, to ensure the safety of clients and employees of the bank and to protect property.

Photographs or videos

These are mainly photographs or video footage taken at mass events organised by KB for the public, e.g. educational or promotional events. In these cases, the information is part of the invitation or registration for the event. Where possible, the location of the event shall be marked with pictograms.

In exceptional cases, this may include photographs or video footage relating specifically to your person. In this case, you shall be asked for consent and the processing of this personal data shall only be possible on the basis of your consent.

Data obtained from you or your representatives (e.g. legal guardian or statutory representative) or from other individuals

Data you and/or other individuals provide us, e.g. in an application for the provision of a product/service.

Data resulting from the use of banking products and services

Data automatically recorded by banking systems and devices while your transactions are executed, such as ATM withdrawals, card payments, payments credited and debited to your payment account.

Data from publicly accessible sources

These include, in particular, sanction lists of entities associated with terrorism and other internationally monitored persons subject to international sanction programmes, the insolvency register (ISIR), bankruptcy register, central register of enforcements/distraints, registers of invalid and stolen documents, register of groups of connected clients, information from the land/property register, trade register, business register, etc.

Data obtained from third parties

These include, in particular, the data on the use of products and services provided by the KB Group members, data obtained from mobile operators (using the TelcoScore service – see Section 3), data obtained from public authorities, and data from basic registers, from credit registers, or from mediators of our products and services. Last not least, also data collected from specialized companies that collect information from public sources, such as ministries, the trade register, business register, land/property register, etc.

Data from the Internet, social media and social networks

These include, in particular, the so-called geolocation data that precisely identify the GPS coordinates (or an address point), an IP address, cookies, identification of a device from which you connect, information on browsers, identification of a social network profile, etc. Making use of marketing services offered by some social networking providers (e.g. Facebook), we use your profile information so that we can target our advertising campaigns to users with similar characteristics more efficiently.

Data from our web forms

These include, in particular, contact details you provide to us when you show interest in any of our products so that we can contact you.

Data related to products of other financial institutions connected to internet banking

If you connect a product you use, which is provided by another financial institution, to KB’s internet banking, we shall process the data provided by you or obtained by us, which are necessary for the proper functioning of this service, and the data on such products and their transactions to the extent the other financial institution shall have provided to us.

The regulations on personal data protection allow the controller to entrust the processing of personal data to a processor. A personal data processor is any entity that processes personal data on the basis of specific legislation, or is entrusted or authorised to do so by the controller. In such cases, the contractual and regulatory arrangements guarantee your data the same protection that Komerční banka provides. The most important processors used by KB to process personal data include:

• IT services providers (development, maintenance and support of KB information systems),
• Cloud services providers,
• Payment services providers,
• Card associations,
• Advertising and marketing agencies,
• Companies providing data and documents archiving,
• Companies and individuals providing legal services,
• Companies and individuals collecting debts on our behalf,
• Mortgage appraisers,
• Our partners in loyalty programmes,
• Postal services and couriers,
• Comprehensive insurance providers,
• Providers of services for payment cards issuing and card transactions processing,
• Financial intermediaries.

KB may also act as a processor if it is entrusted by another controller to process personal data, e.g. when negotiating products of certain subsidiaries. In this case, KB is subject to the same terms and conditions as the aforesaid processors.

In addition to the processors listed above, whom we authorise more or less directly to process personal data, we also pass on your personal information (provided that the terms and conditions set forth by law are met) to other institutions or entities, in particular:

• Government entities, courts and law enforcement authorities, intelligence services of the state, distrainers,
• Czech National Bank and the Ministry of Finance,
• Czech Office for Personal Data Protection (ÜOOÜ),
• Other banks or payment services providers to the extent provided by law,
• Investment service providers to the extent provided for by law,
• Mobile telephone operators (if the client uses TelcoScore – see Section 3),
• Bankovní identita, a.s., when the client uses identification services.
• Participants of client information registers and such register.
   

  To protect our rights by assessing your ability and willingness to repay your loan commitments, KB investigates your creditworthiness, payment discipline and integrity. We do this on the grounds of our legal obligations and/or legitimate interests, with the help of credit registers. At the same time, when negotiating a credit or loan, and possibly also during the term of a credit agreement, we pass on your data to these credit registers, without your consent being necessary. In addition to the database maintained by the Czech National Bank, we use three other credit registers:

  • Client Information Bank Register (CIBR) – more information about this register is available at www.cbcb.cz.
  • Non-Bank Client Information Register (NCIR) – more information about this register is available at www.cncb.cz.
    The above registers exchange information and share it with each other without your consent being necessary. We recommend you to consult their Information Memoranda that are available at the registers’ websites.
  • Registr SOLUS Register – more information about this register is available at www.solus.cz

Subject to conditions as defined by law, we may also provide your personal data to our parent company, Société Générale, s.a., registered in France under Company Number R.C.S. Paris B 552 120 222, as well as other Group members incorporated in the Czech and Slovak Republics, such as:

• Modrá pyramida stavební spořitelna, a.s., IČO (Company ID): 60192852,
• Komerční pojišťovna, a.s., IČO (Company ID): 63998017,
• KB Penzijní společnost, a.s., IČO (Company ID): 61860018,
• ESSOX s.r.o., IČO (Company ID): 26764652,
• ESSOX Finance, s. r. o., IČO (Company ID): 35846968 (Slovakia),
• ALD Automotive s. r. o., IČO (Company ID): 61063916,
• ALD Automotive Slovakia, s. r. o., IČO (Company ID): 47977329 (Slovakia),
• SG Equipment Finance Czech Republic s.r.o., IČO (Company ID): 61061344,
• Factoring KB, a.s., IČO (Company ID): 25148290

In the above cases, KB and the recipient of the personal data are in a relationship of:

• Two separate controllers, i.e. KB shall not be responsible for further processing of personal data after their transfer. This includes in particular the transfers based on your consent (e.g. TelcoScore) or transfers based on law (e.g. to government authorities, courts, the Czech National Bank),
• Joint controllers, e.g. in the context of marketing consent granted to KB and other members of the KB Group, in the case of data sharing with the controlling entity and other members of the KB Group according to regulatory rules, or in the context of cooperation with third parties as part of the provision of additional services (provided along with the payment cards, etc.). In such cases, KB shall be responsible for the processing of personal data of yours, as our client, and for the general performance of the relevant obligations as a controller under this document, unless you are informed that you can exercise certain rights with a cooperating third party.

We may transfer your personal data to recipients and processors in third countries, provided that all legal requirements are met. Even in these cases, the same level of protection of your data is guaranteed contractually and by regulation as is provided by KB.

We only retain our clients’ personal data only for as long as necessary and for a period of time that is stipulated by law and depends on the purpose of their processing.

In the case of fulfilling a legal obligation, these deadlines are set by applicable law, in particular the AML Act and the Banking Act. Both acts require us to retain your personal data for 10 years from the execution of a given transaction or the termination of a contractual relationship. This time limit starts from 1 January of the following year.

If the processing is necessary for the performance of a contract, the period of time is usually equal to the term of the relevant contract.

If the processing is necessary for the purposes of our legitimate interests the duration of the processing depends on each individual purpose. E.g., in the case of litigation, your personal data may be processed for the duration of the litigation.

If the processing is performed on the basis of your consent, the period of time shall be equal to the period of validity of the consent granted.

In most cases, the data is processed under several legal titles, which can exist in parallel, follow each other or overlap each other. In these cases, we process/store your personal data necessary for the respective cases of the processing for the duration of each processing. E.g., your personal data we receive from you when entering into a current account contract is processed as part of the performance of the contract. At the same time, and after the termination/expiry of the contract, your data shall further be stored due to our legal obligation under the Banking Act. In the event that litigation is initiated during the course of this legal obligation, a parallel processing shall also be carried out on the grounds of KB's legitimate interest in protecting its legal claims.

Other examples:

As part of the service connecting other financial institutions’ products to KB internet banking, we shall retain data on these products and transactions for 5 years after such products have been disconnected from KB internet banking.

We usually store the data obtained from our web forms for up to 2 months, after which period, they shall be automatically deleted. If a contract is concluded in the meantime, we shall retain your data in accordance with applicable law.

We delete the data associated with the personalized offer of services provided to KB website users after six months at the latest.

Right of access to personal data

• You shall have the right to request a transcript of personal data concerning your person collected by KB

Right to personal data portability

• You shall have the right to receive the personal data concerning your person, which you have provided to us, in a structured, commonly used and machine-readable format. This concerns your personal data undergoing automatic processing under your consent or under a contract

Right to erasure of personal data (right to be forgotten)

• You shall have the right to obtain from KB the erasure of personal data concerning your person without undue delay, where a legal ground is met

Right to have personal data rectified

• You shall have the right to obtain from KB without undue delay the rectification of inaccurate personal data concerning your person, or to have incomplete personal data completed.
• If you notify us of a change in your personal data, we shall update it immediately.

Right to restriction of processing

• You shall have the right to request restriction of processing of personal data concerning your person in the cases defined by law (e.g. if the personal data processed are inaccurate, or the processing is unlawful, or you have objected to the processing of your personal data where it is based on our legitimate interests)

Right not to be subject to a decision based solely on automated processing

• You shall have the right not to be subject to a decision based solely on automated individual processing, including profiling, which produces legal effects concerning your person or similarly significantly affects you. KB shall always inform you about this situation and shall give you an opportunity to discuss the matter with a bank official and together find another, more acceptable option.
• If you use a service that is based solely on automated decision making, you have the right to obtain human intervention, to express your point of view, or to contest the decision. In this case, a bank official shall discuss the matter with you

Right to object

• If KB processes your personal data based on the controller’s legitimate interests, you shall have the right to object
• If you object to processing of personal data concerning your person for direct marketing purposes, we shall always oblige you and shall no longer process your personal data for such purposes

Right to lodge a complaint with a supervisory authority

• You shall have the right to lodge a complaint with a supervisory authority (the Office for Personal Data Protection, www.uoou.cz) if you consider that the processing of personal data relating to your person has infringed the data protection rules.

You may apply for the exercise of the above rights (except the right to lodge your complaint with a supervisory authority)

• in writing, at the address:

Komerční banka, a. s.
Kancelář pověřence pro ochranu osobních údajů
Poštovní přihrádka 839
114 07  Praha 1

• at any of KB branches/points of sale,
• at the KB information line 800 521 521,
• by e-mail at the electronic address osobni_udaje@kb.cz,
• via the MojeBanka application,
• via the data repository 4ktes4w.

When processing your personal data, we adhere to applicable law, in particular (without limitation) by:

Regulation (EU) 2016/679 on personal data protection (GDPR);
Act No. 110/2019 Coll., On the Processing of Personal Data;
Act No. 89/2012 Coll., Civil Code;
Act No. 21/1992 Coll., On Banks;
Act No. 370/2017 Coll., Payments Act;
Act No. 256/2004 Coll., On Trading in Capital Market;
Act No. 253/2008 Coll., On Selected Measures Against Legitimisation of Proceeds of Crime and Financing of Terrorism (also referred to above as the AML Act);
Act No. 480/2004 Coll., On Certain Information Society Services.