INFORMATION MEMORANDUM PROCESSING OF PERSONAL DATA OF CLIENTS

We need various personal data about you to be able to provide you with quality banking service. For example, when you apply for a loan with us, in addition to your name we need to know the income of your household in order to know how much we can lend you. The personal data we collect can be grouped as indicated below.

Identification data

These mainly include name, surname, date and place of birth, birth registration number, domicile address, type, number and validity of proof of identity, or corporate identification number and VAT number in the case of entrepreneurs. Also, your signature belongs to this group.

Copies of documents

Sometimes we also need information about your proof of identity (type, series and number of the document, issuing state or authority, validity of the document) and its copy. In such case, we ask for your consent to make a copy, unless we are already authorized to make one on the basis of our legal obligations.

Other identification data may include, for example, information about the IP address of the computer used, signature specimen, number of the account we maintain, or sets of specific authentication data we may agree to use, as well as information relating to the issued means of electronic identification.

Biometric data

If you open your account online, we will also process your biometric data derived from the image of your appearance for the purpose of verifying the match of your appearance with the data acquired from photographs on the submitted copies of personal documents.

Contact details

Telephone number, e-mail address, mailing address or other similar information we need to contact you.
Data required to decide on concluding a contract
These are data that let us evaluate whether you will be able to repay a loan or whether there is a risk of money laundering. These include, among other, the following data:

• socio-demographic data - such as age, gender, marital status, education, number of household members, type of income, nature of employment or also whether you are a politically exposed person
• information about your property - such as information about ownership of real property or movables, membership in legal entities (particularly participations in corporations), information about business relationships, information about overall income or regular expenses of your household,
• information about debts - such as information about executions insolvency proceedings, if any, fulfilment of payment obligations towards other creditors
• information about insurance covering property or life risks

Data created by performance of obligations under contracts

These data include, for example, the term of a contract, interest rate, maturity, loan amount, status of your receivables from the bank, status of the bank's receivables from you, information about realized payment transactions, information about the use of payment tools, information about realized instructions to buy securities, information about the status of your investment instrument portfolio.

An overview of these data can be obtained from statements or similar lists that are available to you.

Personal data collected in connection with the provision of our products or services

These include personal data acquired through our mutual interactions. In particular, these are:

• data serving to secure communications, such as PIN
• geolocation data, such as data about your geographic location, home branch office, place of making a payment order (most often card payment) and data identifying the device used to make a payment order
• electronic records of activities in information systems (logs)
• records of your preferred language for communications
• information about shown interest in a product or service
• information about your investment strategies or specific requirements
• Communication recordings

We monitor and record selected communications with you, in particular telephone calls. We always inform you in advance about any recorded communications. We monitor movement of persons using cameras, particularly in premises where services are provided to clients (including ATMs operated by us). Camera recordings are solely made for the purpose of compliance with legal obligations, conclusion and performance of contracts, and protection of our and your legitimate interests, or interests of third parties.

Personal data generated from our activities

These particularly include the client/product numbers we assign, data created by assessing your transaction behaviour or data you provide (such as to evaluate whether the conditions to apply discount on a fee have been met), evaluation of a submitted product or service application, or evaluation required for our decision as to whether we will offer a product or service to you or not.

Processing of personal data without your consent

In a vast majority of cases we do not need your consent to process your personal data. Such cases concern processing imposed by law, processing required to provide you with our services, or processing of personal data necessary to protect the bank's legitimate interests as well as your interests or interest of third parties. Processing not requiring your consent is particularly done for the below purposes.

Obligations implied by law

• compliance with reporting obligations towards public authorities
• compliance with prudential obligations, such as when assessing creditworthiness of clients, including possible verification of provided information with third parties
• prevention of damage to clients' assets vested to us as well as the bank's assets
• prevention of fraud that the clients or the bank may be exposed to
• compliance with obligations relating to enforcement of judgment, such as a court judgment
• exchange of information with other banks about banking details, identification data of account owners and matters indicating creditworthiness and credibility of their clients
• exchange of information with non-banking creditor entities about matters indicating creditworthiness, credibility and payment history of their clients and applicants for offered services, all also via a third party, and protection of rights and protected interests of businesses and clients consisting of evaluation of clients' ability and willingness to fulfil their obligations
• compliance with obligations relating to supervision over banks on a consolidated basis or supplementary supervision, and compliance with prudential obligations, for which we also share your personal data with members of the Raiffeisenbank International (RBI) Group
• compliance with obligations relating to client identification and verification pursuant to the Act on selected measures against legitimisation of proceeds of crime and financing of terrorism
• compliance with obligations imposed upon the bank in direct connection with the services it is entitled to provide to clients primarily under the license or permits granted by the Czech National Bank, in particular in connection with the provision of payment services, loans and investment services
• compliance with obligations imposed upon the bank as a qualified administrator of an electronic identification system
• compliance with archiving obligations.

Processing of personal data for conclusion and performance of a contract

• establishment and term of contract
• realization of a banking transaction or other contractual performance

Processing of personal data for protection of legitimate interests

• debt collection, realization of collateral, or other claiming of debts
• development of provided services
• software testing, if personal data need to be used in certain cases
• negotiations with third parties in connection with debt collection
• negotiations with prospective buyers of our receivables
• handling of dispute matters, in particular for court or other disputes
• internal research, analyses or evaluations (in particular statistical research), internal reporting or internal administrative purposes within RBI Group
• camera recordings at the bank's business locations for the purpose of protecting property of the bank and third parties
• to a limited extent, also offering products and services (direct marketing) to existing clients, if the offer is related to the product or services in use. We will terminate such processing when you object to it.
• establishment of facts relating to banking services towards third parties, such as information about credit card validity provided to merchants

Processing of personal data with your consent

We always need your consent when we wish to process your personal data for the purpose of marketing activities. This particularly covers offering of products and services (for example by mail, e-mail or telephone), be it our products and services or services of third parties. Subject to your voluntary consent we may evaluate whether we are prepared to provide you with a certain service and whether we can expect you to show interest in such service. We may also acquire personal data in the following manner:

• by monitoring actions of visitors on our website
• through surveys focused on your needs, interests and opinions on products and services, or surveys focused on the customer care given to you by our advisors and other members of staff
• by evaluating data collected as part of providing services pursuant to Act No. 370/2017 Coll. on the system of payments, in particular the payment account information services.

Subject to your consent only, we may transfer your personal data to another member of RBI Group to process them for the purpose of own marketing activities. In any case, we will only transfer personal data to the extent as required for the particular processing. An updated list of RBI Group members that may be recipients of your personal data forms part of this Information Memorandum. If the list is to be updated, you will be notified thereof in advance to be able to consider whether you will maintain or withdraw your consent.

The following members of RBI Group may be recipients of your personal data for marketing purposes:
• Raiffeisen - Leasing s.r.o., IČ: 61467863, registered office: Praha 4 - Nusle, Hvězdova 1716/2b, postcode: 140 78
• Raiffeisen stavební spořitelna a.s., IČ: 49241257, registered office: Praha 3, Koněvova 2747/99
• UNIQA pojišťovna, a.s., IČ: 49240480, registered office: Praha 6, Evropská 136/810, postcode: 160 12
• Raiffeisen investiční společnost a.s., IČ: 29146739, registered office: Hvězdova 1716/2b, Nusle, 140 78 Praha 4
• Raiffeisen Bank International AG, registered office: Am Stadtpark 9, 1030 Vienna, Austria
• Raiffeisenbank (Bulgaria) EAD, registered office: 55 Nikola I. Vaptzarov Blvd., Business Center EXPO 2000 PHAZE III, 1407 Sofia, Bulgaria
• Raiffeisenbank Austria d.d., registered office: Magazinska cesta 69, 10000 Zagreb, Croatia
• Raiffeisen Bank Zrt., registered office: Akadémia utca 6, 1054 Budapest, Hungary
• Raiffeisen Bank S.A., registered office: Calea Floreasca 246C, 014476 Bucharest, Romania
• Tatra banka, a.s., registered office: Hodžovo námestie 3, 81106 Bratislava 1, Slovakia
• UNIQA Österreich Versicherungen AG, registered office: Untere Donaustraße 21, 1029 Vienna, Austria
• UNIQA Insurance Group AG, registered office: Untere Donaustraße 21, 1029 Vienna, Austria

Sometimes we may conclude that we also need your consent in other situations. In such case, we will ask for your consent and we will provide your with all material information in this regard.

Your personal data are made available particularly to employees of our bank in connection with the performance of their professional duties, however only to the necessary extent and in compliance with all security measures.

In addition, your personal data are transferred to third parties - controllers and processors. We conclude written agreements with processors to stipulate the terms and conditions of the processing of personal data to contain the same safeguards we adhere to in line with our legal obligations.

The recipients of personal data particularly include:

• state authorities, courts and law enforcement authorities for the purpose of compliance with their obligations and for enforcement of judgment
• business partners letting us offer various supplementary services or cooperating with us in loyalty programmes
• business partners, with whom we offer joint products and with whom we act as joint controllers, which means that we jointly define the purposes and means of processing
• parties providing support services to us to be able to provide you with banking services to the full extent (such as various IT service providers)

• providers of electronic communications services and operators of call centres in connection with proper fulfillment of obligations imposed upon us (for example, contact and identification data is required to be able to identify a calling client)
• providers of legal services, private executors or parties participating in the collection of our receivables in order to be able to properly defend our legitimate interests
• other banks and certain operators of client information registers in connection with exchange of information about credibility, creditworthiness and payment history of clients and applicants for offered services
• groups of businesses defined by law in connection with assessment of ability and willingness of clients to fulfil their obligations
• other providers of payment services if necessary due to prevention, investigation or detection of frauds in the system of payments
• entities of RBI Group for internal administrative purposes of RBI Group or as part of compliance with prudential obligations
• RSTS, or its sales representatives, for the purpose of ensuring customer service relating to our banking products at RSTS points of sale. In respect of some of our banking products, you are given an opportunity to take out the product or process the related communications via RSTS. In such case, your personal data will be made available to RSTS to an extent as necessary to process your request, including offers of suitable products. 

Transfers of personal data to foreign countries - save for exceptions, neither our bank nor the entities participating in the processing of personal data of clients forward personal data of clients to countries outside the European Union. An exception applies to realization of certain transactions using payment cards involving the use of the 3D Secure code. In this regard, certain personal data of payment card holders are transferred to the processor, PrJSC Ukrainian Processing Center, registered office: 9 Moskovskiy Ave., Kiev, Ukraine, which complies with the security, technical and organisational safeguards for the processing of personal data. Also, updates of information on issued Mastercard payment cards are transferred via Mastercard Europe SA, registered office: Chaussée de Tervuren 198, 1410 Waterloo, Belgium, to the ABU (Mastercard Automatic Billing Updater) database created and maintained in the US and containing data such as card validity term, available to payment card acquiring providers and participating merchants.

Our joint controllers currently include:
České aerolinie a.s., IČ: 45795908 (ČSA credit card product)
In some cases, we are only entitled to transfer your personal data subject to your consent. This particularly applies to the following recipients:

• operators of client information registers, if we cannot transfer your personal data to them in connection with compliance with our legal obligations 
• other providers of payment services, through whom you access payment accounts we maintain for you
• selected members of RBI Group for marketing purposes

We only process personal data of clients for a time necessary with regard to the purpose of processing. Once we detect that the data are no longer needed, we delete them. We evaluate such need on a continuous basis, particularly after expiration of the (internally determined) term that is usual for the particular personal data to be useful. Below are typical terms of usability of various personal data.

• We process information for the conclusion and performance of a contract for the term of the contractual relationship with the client and usually for 3 to 14 months afterwards
• Data collected from mutual exchange of information about matters indicating the creditworthiness, credibility and payment history of clients and applicants for offered services are processed for the term of the contractual relationship and afterwards usually for a term determined by the particular client information register operators
• Information relating to the protection of our bank's legitimate interests is processed depending on the particular legitimate interest. This can be a relatively short period of time (such as in the case of camera recordings) or a longer one (such as in the case of debt collection or claims or court disputes)
• We process data for the purpose of marketing activities for the term of the contractual relationship and afterwards for the usable term thereof (up to 5 years), unless you inform us earlier that you do not wish your personal data to be processed in such manner or unless you withdraw your consent to the processing of personal data
• For the purpose of compliance with archiving obligations, we process personal data for the term stipulated by applicable special legislation, however not exceeding 10 years from termination of the contractual relationship relationship or 15 years from expiration of the electronic identification tool.
• Within 30 days from the date when created we evaluate camera recordings as to whether their retention is required for the purpose of criminal, administrative or other similar proceedings. If the recordings are not needed, the bank destroys them without undue delay. If further retention of the recordings is needed, further evaluations take place from time to time.