Protection of personal data

The controller of your personal data is Komerční banka, a.s. (“KB” or “Komerční banka”).

Contact information for the controller:

Komerční banka a.s., Company No: 45317054
Na Příkopě 33
114 07 Prague 1
P.O. BOX 839
Czech Republic

Contact information for the Data Protection Officer (DPO):

You can contact the DPO by e-mail (osobni_udaje@kb.cz) or by writing to the following address:

Office of the Data Protection Officer
Na Příkopě 969/33
114 07 Prague 1

KB collects and uses your personal data, and is responsible for ensuring that your data is processed correctly and lawfully. You can also assert your rights regarding Komerční banka as the controller of your data, as explained below. This does not concern Komerční banka only: if you grant us Group Marketing Consent, your data can be shared throughout the KB Group (see What kinds of consent do we have in Komerční banka?). Examples of situations when we most often obtain your data are:

Arranging to use KB services

The most frequent situation in which we obtain your data is that you arrange to use one of our products or services, or express an interest in them, when you usually give us your basic data and any data needed for you to enter into a contract with us on the product or service.

Using KB products and services

We also obtain your data when you use KB products and services. “Use” covers many different situations: withdrawing or depositing cash at an ATM, taking out loans and mortgages, making insurance claims, connecting to other banks’ products via KB internet banking, and many other operations.

Communications with KB

We also obtain data from communications over the telephone, internet, and in writing, and when you visit a branch. We also use recordings from security cameras and data related to online communications.

There are many reasons why we process your personal data, but we always do so only to the extent required for a given purpose. Most often we process your personal data so that we can provide you with the products and services you use or want to use. We also process your data so that we can satisfy our contractual obligations and the legal and regulatory requirements, and to pursue our legitimate interests.

In other cases we are only authorised to process your data with your explicit consent, unless there is an exemption in the legislation.

We set out the main categories of our purposes below.

Providing products and services

• Discussing a product or service

As part of discussing a product or service, you may model a suitable product on our website or at a branch. You may obtain information on the product or service from the internet, our branch network or our client centre. We will process the data you provide through these channels to facilitate your interest in the product or service, and we will contact you as part of discussing the product or service. We will retain the data you provide through these channels for a period of three months at most, and the legal basis here is the concluding of a contract.

• Concluding a contract on a product or service

If you decide that the product or service you discussed with us is suitable for you, we are obliged to identify you in detail and collect and retain any other data needed to draw up the relevant contract for the product or service. For credit and investment products, we will require a larger set of data from you, and we will carry out additional processing of your data, which you can read about in more detail in Assessing credit risk.

• Servicing a product or service

So that we can ensure the quality of the products and services you use, we are obliged to retain, update and process the relevant data. As part of the performance of the contract, we are also obliged to provide you with this information through the channels you have selected for these products and services, i.e. at our branches, through our direct banking channels, or at our client centre. If you also decide to use direct banking channels for servicing these products and services, we collect information on your location, IP address, etc. We record and evaluate this data so that we can minimise any risks related to the misuse of these direct channels.

If necessary, we will inform you – via SMS, e-mail, messages sent via our direct channels or in another standard way – of any events concerning your products and services, and, e.g., of any changes to our opening hours, any change of your branch or banking advisor, etc.

In this case, the legal basis for processing your data is the concluding and performance of a contract. To defend our legal claims, we will continue to retain this data after the product or service has ended – for more details see How long do we retain your data?

Defending our legal claims

We also process your personal data, including your communications history and information about products and services, to the extent required for any legal claims or potential legal claims against you, especially on the basis of your contractual relationship with us. We also use third parties for debt recovery. For this purpose we will retain your data for a period of 18 years following the termination of the contractual relationship.

The legal basis here is the protection of our legitimate interests.

Preventing, checking, detecting and investigating fraud, and preventing money laundering

We also use your personal data to check for and prevent any potentially unethical or fraudulent conduct. The legislation obliges us to exercise professional care in matters concerning the prevention, detection and investigation of such conduct. To this end we also collect your personal data and data on the products and services you use. We can then create indicators based on this data that help prevent potential fraud and provide better protection for your money. This may involve for instance information on the theft of your ID card or credit card, or data on the country where you normally use your direct banking channels.

The legal basis for such processing is compliance with our legal obligation as the controller.

Tax and accounting requirements

We also collect and process your personal data to comply with our legal obligations as the controller with regard to the state and the regulatory authorities. We are obliged to do so by the Accounting Act, the VAT Act and many other regulations, including the US Foreign Account Tax Compliance Act (FATCA), as part of compulsory reporting to the state and the regulatory authorities. We also transfer all of this mandatory information within the KB Group.

We process and transfer this data to comply with our legal obligation as the controller, and in our legitimate interest.

Protecting against market abuse

The legislation also obliges us to check compliance with the Capital Market Trading Act and prevent its abuse, which could harm our other clients or our group. We process your personal data for this reason too.

We process and transfer this data to comply with our legal obligation as the controller, and in our legitimate interest.

Security

We use camera systems installed on our premises, in front of their entrances and at our ATMs to protect our property, i.e. our buildings and equipment, to protect individuals against unlawful conduct, and to prevent and investigate such conduct. We retain the recordings from these camera systems for the period strictly necessary, and when warranted, especially when there are security breaches, we subsequently process these recordings and transfer them to the appropriate public authorities, such as the law enforcement authorities.

The retention, processing and transfer of this data is essential for us to pursue our legitimate interests.

Prevention and control for investment and insurance products

Before making an investment, the legislation and the regulatory requirements oblige us to assess your knowledge and experience of investing in investment instruments, as well as your attitude to risk and your financial resources. We obtain information for these assessments from an Investment Questionnaire, which we retain (see How long do we retain your data?). In compliance with the regulatory requirements, we also collect and retain records of all communications with you concerning investment or insurance products (e.g. recordings of telephone calls, minutes from meetings, e-mails, Skype calls and messages, etc.). In line with the regulatory requirements for reporting your transactions, we collect data on your instructions and your transactions with investment instruments.

The legal basis for such processing is compliance with our legal obligation as the controller.

The company’s internal needs and reporting

Our employees process your personal data for the company’s internal needs, e.g. for reporting on the efficiency of our servicing and selling.

The legal basis for such processing is our legitimate interest.

Assessing credit risk

We use profiling to correctly assess risks when providing credit products. We use your personal data to create a unique profile so that we can determine whether you will be able to repay a loan. When you ask for a loan, we will for instance evaluate the credit risk using credit registers and our internal resources. We can also use automated processing to perform this evaluation.

To minimise risk, the bank keeps records of persons who have provided false information, experienced difficulties paying their debts, etc.

The legal basis for such processing is compliance with our legal obligation as the controller, and also our legitimate interest.

Regulatory reporting

We also use your personal data and information on selected products and services for regulatory reporting. We use this data to produce reports for our internal use, and we are obliged to transfer information on certain products and services to the regulator.

The basis for such processing is compliance with our legal obligation as the controller.

Debt recovery and factoring

Occasionally you may have problems repaying any loans we have provided. Our primary objective here is to resolve these problems with you efficiently and to our mutual satisfaction, but sometimes we may be unable to find common ground. In these situations we have to use the personal data we have recorded on you, and in some cases we may also use data, especially contact data, from publicly accessible sources such as social networks, etc., so that we can contact you for instance. Under certain circumstances (you fail to respond, you are unreachable, you have no interest in resolving the situation, etc.) we may have to transfer your debts to a company that specialises in debt recovery. In such cases we will transfer the relevant personal data to the company, together with any other relevant data on the debt in question. We also transfer this data if we decide to assign the debt.

The basis for processing and transferring the relevant data is our legitimate interest.

Marketing

We distinguish three basic types of marketing purposes: marketing as Komerční banka’s legitimate interest, direct marketing as a legitimate interest, and marketing on the basis of your consent.

Marketing as a legitimate interest

As part of marketing as a legitimate interest, we carry out basic analyses of your data concerning your use of our products and services. At the same time this legitimate interest allows us to segment our clients in order to choose the most important form of servicing and offer suitable products and services, and it also allows us to find out clients’ opinions. You may object to marketing as a legitimate interest.

Direct marketing as a legitimate interest

As part of direct marketing as a legitimate interest, we may offer you KB products and services through our branch network and direct channels, or via e-mail, SMS and social networks. You may object to direct marketing as a legitimate interest. If you object to such processing, we will automatically comply with your wishes.

Marketing with consent

Purposes for which we need your explicit consent to process your personal data are offering products and services (including via direct channels) provided by the KB Group and third parties who work with us, marketing processing, and analyses and profiling aimed at tailoring our offers to meet your needs and improving the services we provide. As we do not wish to annoy you with unnecessary and inappropriate communications, we use the personal data we collect to get a better idea of your needs so that we can offer you suitable solutions. We may offer you credit products or payment instruments, or congratulate you on your birthday.

We can use a wide range of channels to communicate with you: letters, telephone calls, e-mails, SMS, messages at ATMs, and messages (or pop-ups) in internet banking.

Information on the use of our products and services helps us to monitor and constantly improve their quality and retain your loyalty. We also process personal data to support our business decisions and identify business potential.

Before this information can be used it must be processed, which in particular involves data processing for marketing purposes. This refers to statistical and mathematical analyses aimed at gaining an insight into a client’s behaviour and anticipating the client’s future behaviour and business potential, as well as client profiling, various kinds of segmentation, reporting, etc. Processing can be manual or automated.

We process this data on the basis of your explicit consent. You can find detailed information on Group Marketing Consent in Marketing Consent.

We can only process your personal data within a specific scope, and provided that at least one of the following conditions is satisfied:

• you gave us your consent to process your personal data for one or more specific purposes (see What kinds of consent do we have in Komerční banka?);
• processing is necessary for the performance of a contract;
• processing is necessary for compliance with Komerční banka’s legal obligations
  • the personal data on you that we process to satisfy our legal obligations. This is the data we primarily have to collect, evaluate and retain for a specified period to satisfy our obligations under the legislation. This includes archiving, in compliance with various laws governing our business, obtaining and evaluating data to satisfy our obligations in preventing money laundering (e.g. KYC, Know Your Client), and many other laws;
• processing is necessary for Komerční banka’s legitimate interests, except where such interests are overridden by the data subject’s interests or fundamental rights and freedoms, which require the protection of the subject’s personal data;
• processing is carried out in accordance with other legal bases that only apply exceptionally to Komerční banka. Processing is necessary in order to protect your vital interests, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.

In specific cases we are authorised to process your personal data in order to protect the rights and legitimate interests of Komerční banka, Komerční banka Group and third parties. In these cases we are authorised to process your personal data without your consent, but always for the reasons that authorise us to carry out such processing. Processing on the basis of our legitimate interest is limited, and the legitimate interests we define and on whose basis we carry out processing are always carefully assessed.

The main types of processing we carry out to pursue our legitimate interests are primarily:

• Security – as part of this legitimate interest we process personal data, primarily camera recordings, in order to protect Komerční banka’s property, buildings and reputation, and to protect individuals against unlawful conduct.
• Marketing – our legitimate interests include the restricted processing of personal data for marketing purposes. We process data mainly for basic analysis and segmentation, and to find out your opinions.
• The company’s internal needs and reporting – we use this legitimate interest to satisfy our employees’ internal reporting duties related to the efficiency of our servicing and selling.
• Analysing products, services and profile data – as part of this legitimate interest we are authorised to carry out analyses for the purposes of:
  • selecting the most suitable parameters for a product or service
  • assessing product risks (loans, investments, insurance, etc.)
  • transferring data within our financial group and to our parent company
  • securing computer networks and data to prevent them from being misused or attacked, in order to minimise any damage to the systems we operate
• Debt recovery and factoring, defending our legal claims – this legitimate interest allows us to process personal data for internal collection and to arrange recovery by third parties.
• Covering our risks – as part of this legitimate interest we are authorised to maintain lists of persons who have provided false information, experienced difficulties paying their debts, etc.

This chapter covers the different kinds of consent we collect in Komerční banka.

What is consent?

Consent is any freely given, specific, informed and unambiguous indication of a person’s wishes, in which he or she, by means of a statement or another clear affirmative act, signifies agreement to the processing of his or her personal data. Consent is voluntary, and you can give, refuse or withdraw your consent at any time. If this concerns Group Marketing Consent, you can withdraw it at any company in the KB Group.

Refusing to give your consent, or withdrawing it, has no effect on your contractual relationship with Komerční banka. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Types of marketing consent

Marketing consent refers to consent to processing clients’ data for the purposes of carrying out marketing activities, and sharing data for these purposes between the companies to which you have given your consent.

Group Marketing Consent (“Marketing Consent”)

If you have given us your Marketing Consent, this consent applies to the KB Group as a whole. In this case all companies in the KB Group will be joint controllers of your personal data, and they can share and process the data specified in the consent form for the purposes specified in the consent form.

You can give your consent in person in Komerční banka’s branch network, in one of our subsidiaries’ branch networks, when signing contractual documents for any KB Group products brokered by selected third parties, and via our direct banking channels (MojeBanka, Mobilní banka).

When giving your consent, and subsequently, you cannot choose which companies this applies to or not, and we will be obliged to treat any request that only some of the joint controllers be included as refusing to give or withdrawing your Marketing Consent. You can withdraw your consent at branches of KB Group’s sales network. If you withdraw your consent from one KB Group company, this will also apply to the other members of the KB Group, meaning that subsequently none of them will be able to continue processing your personal data for the purposes specified in your Marketing Consent form.

The KB Group jointly processes all data given by consent, and this data may also be transferred between the controllers. This means for instance that if you have signed the Marketing Consent form, the information you give to a KB banking advisor will be available for marketing purposes to the other joint controllers such as Modrá pyramida stavební spořitelna, a.s. This also means that we share publicly accessible information on you between all companies in the KB Group.

You give your Marketing Consent to the following companies, which we refer to as the “KB Group”:

KB Group

The “KB Group” comprises the following companies:

Komerční banka, a.s., Company No: 45317054
Modrá pyramida stavební spořitelna, a.s., Company No: 60192852
Komerční pojišťovna, a.s., Company No: 63998017
KB Penzijní společnost, a.s., Company No: 61860018
ESSOX s.r.o., Company No: 26764652
ALD Automotive s. r. o., Company No: 61063916
SG Equipment Finance Czech Republic s.r.o., Company No: 61061344
Factoring KB, a.s., Company No: 25148290

According to the legal definition, the controller of personal data is anyone who determines the purpose and means of processing personal data, and for this purpose carries out the collecting, processing and retention of personal data. All of the companies listed above are joint controllers of your personal data, and they can share and process the data specified in the consent form for the purposes specified in the consent form.

Completing the Marketing Consent form

The Marketing Consent form has two boxes: “Agree” and “Disagree”

By ticking the “Agree” box and signing the form, you give your consent for the KB Group to process your personal data for marketing purposes.

By ticking the “Disagree” box and signing the form, you do not give your consent for the companies listed above to process your personal data for marketing purposes within the scope defined in the form.

Crossing out, overwriting or otherwise altering the Marketing Consent form will be regarded as refusing to give consent (the same as choosing “Disagree”)

It is sufficient to give your Marketing Consent only once to a single company in the KB Group and it will remain valid and in effect for the duration of your last contractual relationship with at least one of the companies in the KB Group, and then for one year after it ends, or until you withdraw your consent.

If you give your Marketing Consent when discussing a product or service, for instance, and you ultimately decide not to become our client (i.e. no contractual relationship is established with a member of the KB Group), your consent will apply for one year after you gave it, unless you withdraw it in the meantime. When your Marketing Consent is no longer valid and in effect, your personal data will be deleted, or it will only be processed within the scope and for purposes for which the legislation does not require consent.

Alliance Consent (Cataps Marketing Consent)

If you are a retailer and you use the card acceptance services of the companies KB SmartPay and Worldline, you give your Alliance Consent to the processing of your personal data and your company’s data for marketing purposes within the Alliance relating to card acceptance. The Alliance’s members are joint controllers of this data.

You give your consent to the following companies, which we refer to as the “Alliance”:

Komerční banka, a.s., Company No: 45317054
KB SmartPay (Cataps, s.r.o.), Company No: 03633144
Worldline NV/SA, CBE (Crossroads Bank for Enterprises) No 0418.547.872

This data will be processed from the moment Alliance Consent is given for marketing purposes until the elapse of two years after the termination of your last contractual (or other legal) relationship with one of the personal data controllers in the Alliance.

You can find more information on this consent in Smartpay’s document “Information on Processing Personal Data”.

TelcoScore Consent

If you have given us this consent, we will obtain, through the processor – Společnost pro informační databáze, a.s., Company ID 26118513, aggregated information in order to assess your ability and willingness to fulfil your obligations under the contracts entered into according to the current application or your future requests for entering into contracts with Komerční banka. This information can indicate your payment morale in terms of how you use electronic communications services with the operators: T-Mobile Czech Republic, a.s., Company ID 64949681, O2 Czech Republic a.s., Company ID 60193336, O2 Family, s.r.o virtual operator, Company ID 24215554, Vodafone Czech Republic a.s., Company ID 25788001. For more information, please visit www.sid.cz and consult the “TelcoScore Privacy Statement” available at any Komerční banka branch and on its website www.kb.cz. Such consent may be withdrawn in writing at any branch of Komerční banka.

There are two main reasons why we process and retain your data, and related to these reasons are the time limits for which we need to retain your data:

• A legitimate interest concerning claims, complaints, litigation, etc. – at least four years following the termination of the product or service.
• Certain legislation also requires us to retain data – e.g. the Banks Act, the Capital Market Trading Act, MiFID, etc., mostly for a minimum of ten years following the termination of the product or service. In practice this is longer, up to eighteen years, so that we can satisfy all the regulatory requirements and resolve any disputes with the regulators.

We also retain data on your products and transactions obtained from other financial institutions for the period of five years from their disconnecting from KB internet banking.

The regulations on personal data protection allow the controller to entrust the processing of personal data to a processor. A personal data processor is any entity that processes personal data on the basis of specific legislation, or is entrusted or authorised to do so by the controller. In such cases the contractual and regulatory arrangements guarantee your data the same protection that Komerční banka provides. The most important processors Komerční banka uses for processing personal data are:

• IT providers
• Advertising agencies
• Companies that archive personal data
• Companies and persons providing legal services
• Companies and persons working in debt recovery
• Mortgage appraisers
• Our partners in loyalty programmes
• Mail services and couriers
• Comprehensive insurance providers
• Credit registers

Credit registers

To protect our rights by assessing your ability and willingness to repay your loan commitments, Komerční banka investigates your creditworthiness, payment discipline and integrity. We do this on the grounds of our legal obligations or legitimate interests, with the help of credit registers. When negotiating a loan, and perhaps during the credit agreement, we transfer information on you to these credit registers, and your consent may not be required. In addition to the database maintained by the Czech National Bank, we use three credit registers: the Client Information Bank Register (CIBR), the Non-Bank Client Information Register (NCIR), and the SOLUS association.

Client Information Bank Register

The Client Information Bank Register is operated by CBCB – Czech Banking Credit Bureau, a.s., which collects information on the creditworthiness, payment discipline and integrity of banks’ clients. The data in this register can be shared without the client’s consent, and you can request a printout from the register. You can find out more about the CIBR at www.cbcb.cz.

Non-Bank Client Information Register

The Non-Bank Client Information Register is operated by CNCB – Czech Non-Banking Credit Bureau, z.s.p.o. Again, your consent is not required for the data to be shared. As a bank we are not part of the register, and your data is only shared. You can find out more about the NCIR at www.cncb.cz.

These registers exchange information, and they can also do this without your consent. For more information on these registers, we refer you to their Information Memoranda, which you can find on Komerční banka’s website and the registers’ websites.

SOLUS register

Your personal data may also be kept in the SOLUS register, on the basis of the Consumer Protection Act. This register allows users to share consumers’ identification data. It also covers matters such as consumers’ creditworthiness, payment discipline and integrity. Your consent is not required for the provision of such information, and Komerční banka can transfer your data to and from the SOLUS register without asking for your consent. If you want to find out more about the SOLUS register, please visit www.solus.cz

Other processors

Recording book-entry securities

Investments are a somewhat specific field, where a record must be kept of any book-entry securities you own. For this purpose your personal data is provided to third parties, such as the Central Securities Depository and organisations that keep separate records of these securities.

If this concerns a foreign operator that registers such information, personal data is provided in compliance with the local legislation. In the aforementioned cases this concerns the performance of contracts that comprise the legal framework for repeated investments. Your consent is not required here, as this data is processed on the basis of the contract.

Exchanging information and tax issues

Under international agreements such as FATCA, etc., we are obliged to provide data on our clients to the Ministry of Finance of the Czech Republic. For more information on these agreements, please visit www.mfcr.cz

Central Register of Accounts (CNB)

We transfer your personal data to the Central Register of Accounts, which is maintained by the Czech National Bank. This is a central database with basic information on the accounts that credit institutions keep for their clients, who are natural and legal persons and other entities. The Central Register of Accounts allows the state administration to request a check of the accounts kept at credit institutions in the Czech Republic in order to avoid the financial system being abused for money laundering or financing terrorism.

TelcoScore

The TelcoScore service is operated by Společnost pro informační databáze, a.s., Company ID 26118513, and provides information on the creditworthiness and credibility of users of electronic communications services (see also chapter 6 above). Obtaining your creditworthiness data through TelcoScore is only possible on the basis of your consent to the transfer of your telephone number and/or birth number to the operators.

On request and without consent

A range of public authorities may request information on our clients. They include the Czech Police, the courts, the Czech National Bank and health insurance companies. However, we only provide this data in situations where we are legally obliged to do so.

In Komerční banka we always try to be as transparent as possible, which is why we think it is important that you know how we process your personal data. For this reason we list here the basic categories for the individual items of data.

Basic data

Identification data

This includes the subject’s first name, surname, birth registration number, date or place of birth, identity card numbers and birth certificate. If you are in business, this is also your company ID number, tax registration number, etc.

Address and contact data

This includes all of the subject’s addresses – e.g. permanent place of residence, correspondence addresses, and for entrepreneurs their company’s address, and the subject’s contact data, e.g. telephone numbers, e-mail addresses, social network addresses, data boxes, etc.

Descriptive data

Sociodemographic data

This includes statistical data, such as your age, sex, marital status, education, income and profession, information on your employer, how many children you have, etc.

Financial status

This includes data on your finances, such as any property, shares or other securities you may own. In some cases you will also inform us of your income and liabilities. It also includes the balances of any loans and leasing contracts, payments to building society schemes, pension scheme contributions, insurance premiums (property, household, life, accident and vehicle insurance, etc.), other individual expenditure items (e.g. maintenance), other liabilities (e.g. surety), etc.

Tax residence

This includes data on your tax residence, i.e. where you are obliged to pay tax.

Non-financial business characteristics of a client

This includes information on suppliers and customers, the client’s business strategy, information on any group of connected clients, information on the market environment and situation in the sector, business risks, etc.

Data on products

Data for financing products

This includes the personal data of debtors and co-debtors, information on the parameters of a credit transaction, the identification and value of collateral, etc.

Data for investment banking and insurance products

This includes the personal data of the holders and managers, contract numbers, the level of investment, the order book, information on transactions, insurance claims, etc.

Data for day-to-day banking products

This includes the personal data of the holders and managers, contract numbers, payment card numbers including security data, information on transactions, the sales channels used, etc.

Data from public registers

This includes sanctions lists of persons linked with terrorism and other persons on international watch lists who are subject to international sanctions, ISIR – the insolvency register, the bankruptcy register, the central debt collection register, registers of invalid and stolen documents, the register of groups of connected clients, information from the land register, etc.

Information from the internet, social media and social networks

This includes, e.g., geolocation data identified by GPS coordinates (or the address point), the IP address, cookies, the identification of the device used, information on web browsers, your profile on social networks, etc.

Electronic communication means for authentication and authorisation

This includes data on electronic communication means that are mainly used for authentication, i.e. to verify your identity. Data that comes under this category includes your digital signature, your digital certificate, or the user name you ordinarily use to log into applications, or your device’s serial and manufacturing numbers (MAC address), etc.

Records from banking machines and applications

This includes identification data from, e.g., payment terminals, communication channels and logs from monitoring banking applications, as well as other information such as geolocation data from terminals.

Camera recordings

This includes data and recordings from the monitoring of Komerční banka’s branches and other premises, such as ATMs and safes.

Records of data subjects’ links with products and services

This includes any co-applicants’ personal data and the requisite parameters (interest rate, repayment instalments, etc.), records on relationships, records on the family, information on business relations e.g. between supplier and customer, etc.

Products of other financial institutions connected to KB internet banking

If you connect your product provided and administered by another financial institution to KB internet banking, we process the data provided by you in this context or obtained by us that is necessary for the proper functioning of this service, and information about these products and their transactions to the extent provided by the other financial institution.

Data we neither collect nor process

Special categories of personal data

This is a special type of data that includes information on your race, ethnicity, trade union membership, any health problems, and sexual orientation. It also includes data related to genetic and biometric information. Komerční banka does not collect this data.

You have the right to ask us for information on your personal data that we process, the purpose and nature of processing personal data, and the recipients of personal data.

If you discover or believe that our processing your personal data is contrary to the protection of your personal and private life, or in violation of the legislation, you are entitled to ask us for an explanation, or to ask Komerční banka to remedy the situation.

If we are in breach of our obligations, you also have the right to ask the Office for Personal Data Protection to take remedial measures.

A list of your rights:

• The right of access to personal data
  This right allows you to ask Komerční banka for a printout of the personal data the bank keeps on you. Komerční banka is obliged to produce this printout for you, including information on:
  • the purposes for which the data is processed;
  • the planned processing period;
  • the source of the data;
  • any recipients to which Komerční banka provides this data
• The right to data portability
  This right gives you the option of asking Komerční banka for data concerning you, which you personally provided to Komerční banka. Komerční banka will agree with you on the format and means for transferring the data. It will transfer the data to you or another controller you specify, in a machine-readable format.
• The right to erasure of personal data
  This right entitles you to ask Komerční banka to erase all of your data. Your data can only be erased if there are no other reasons why Komerční banka is obliged to retain your data (the performance of a contract, legal requirements, etc.).
  However, even if Komerční banka cannot fully comply with your request, all forms of marketing consent will be withdrawn and no marketing will subsequently be addressed to you.
• The right to rectification of personal data
  On the basis of information from you, Komerční banka will rectify inaccurate personal data without undue delay, or will supplement any incomplete data if a specific processing purpose requires so.
• The right to restriction of processing. The restriction of personal data processing, in response to a request or an objection
  If you request the restriction of processing, and there are no technical or other reasons why your request cannot be granted, Komerční banka will restrict such processing.
• The right not to be subject to automated individual decision-making with legal or similar effects, including profiling
  At your request, Komerční banka will exclude you from all processing it performs solely automatically. If such processing is necessary for the provision of a contract, Komerční banka will give you the option of discussing the results of such processing with a banking advisor to identify an alternative and more acceptable solution.
• The right to object in cases where we process your data on the basis of our legitimate interest
  You have the right to object to all processing that Komerční banka carries out on the basis of its legitimate interest as the controller. Accepting your objection means that Komerční banka will stop processing your data for all the purposes contested in your objection.

Komerční banka treats all of the above rights in the same way, and always tries to satisfy your requirements.

Komerční banka has a reasonable period to process your request when you exercise a right – usually this is 30 days.

You will be informed by letter when Komerční banka has finished processing your request. You can exercise your rights by sending Komerční banka a letter or e-mail, or directly at one of our branches.

When exercising selected rights, Komerční banka may need your cooperation to identify you. You can exercise your rights on your own behalf or on behalf of someone you represent on the basis of power of attorney or other authorisation.

If you have any questions, please call Komerční banka’s Infoline on 800 521 521, go to www.KB.cz/osobni-udaje or write to us at osobni_udaje@kb.cz.

Alternatively, please contact our Data Protection Officer (DPO), who is responsible for supervising the processing of personal data in Komerční banka.

You can contact the DPO by e-mail (osobni_udaje@kb.cz) or by writing to the following address:

Office of the Data Protection Officer
Komerční banka a.s.
Na Příkopě 969/33
114 07 Prague 1

When providing products and services to legal persons, we also obtain and process data on natural persons who are authorised to represent the bank’s clients, as well as on other natural persons whose personal data is processed in direct connection with conducting their activities, and which the bank must or is entitled to process for its own purposes.

This primarily concerns the registered owners and beneficial owners, persons authorised to view or dispose of funds on their accounts (including holders of business payment cards), persons providing collateral, and other subjects connected with these persons. We obtain data primarily from our clients or their representatives, from publicly accessible sources, and also from specialised databases maintained by third parties.

This involves subjects’ identification data, i.e. their addresses, contact and sociodemographic data, their role and position in a company, their area of interest, scans of documents, information on links with other subjects, and information required by the legislation, especially the laws on money laundering, taxation and the provision of payment and investment services, and any other regulations the bank has to comply with when conducting its business.

We acquire and process this data:

• When providing products and services to clients, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person.
• When satisfying our obligations to prevent money laundering, in compliance with our legal obligations as the controller. We process data for the period specified in the applicable legislation. For these purpose we process scans of identity documents in the Czech Republic on the basis of the data subject’s consent.
• In the automatic exchanging of information on financial accounts (CRS, FATCA). We process data for a period of ten years following the end of the calendar year in which notification was sent to the relevant tax authority.
• When maintaining and developing our relationship with our clients, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person.
• When defending legal claims, for the controller’s legitimate interests. We process data for the duration of a product or service provided to a legal person, and after the termination of the product or service for a period of eighteen years in the Czech Republic and ten years in Slovakia.

If you gave your consent for the KB Group to process your personal data for marketing purposes, the data specified above can also be processed for these purposes.

Komerční banka is the parent company of the KB Group and a member of the Société Générale international financial group. KB ranks among the leading banking institutions in the Czech Republic, as well as in Central and Eastern Europe. It is a universal bank providing a wide range of services in retail, corporate and investment banking. Member companies of the Komerční banka Group provide additional specialised financial services such as pension schemes and building society schemes, leasing, factoring, consumer lending and insurance. These are available through KB’s branch network, its direct banking channels and its subsidiaries’ own sales networks. KB also provides services in Slovakia through a branch that serves corporate clients, as well as through selected subsidiaries.

The Société Générale Group

Since October 2001 Komerční banka has been part of Société Générale’s international retail banking group. Société Générale is one of the largest financial services groups in Europe.

Société Générale has been playing a vital role in the economy for the last 150 years. It operates in 67 countries with over 147 000 employees. The Société Générale Group serves 31 million clients throughout the world, and its teams offer advice and services to individual, corporate and institutional customers in three core businesses:

• retail banking in France with the Société Générale branch network, Credit du Nord and Boursorama, offering a comprehensive range of multichannel financial services on the leading edge of digital innovation;
• international retail banking, insurance and financial services for companies with a presence in emerging markets and leading specialised businesses;
• corporate and investment banking, private banking, asset management and securities services, with recognised expertise, top international rankings and integrated solutions.

When processing your personal data, we comply with the applicable legislation, especially the Personal Data Protection Act, the Banks Act and the Anti-Spam Act, which prohibits the sending of unsolicited commercial communications.

The most important legislation on personal data protection or related to it is: