INFORMATION MEMORANDUM

Processing of Personal Data of Clients at Raiffeisenbank a.s.

Dear client,

We would like to inform you how Raiffeisenbank a.s. (hereinafter also referred to as “we” or “our bank”) processes your personal data in connection with offering, concluding, providing and maintaining banking products and services.

The purpose of this Information Memorandum is to give you information about the particular personal data we collect, how we treat them, what sources we get them from, what purpose we use them for, whom we may provide the data to, where you can obtain information about your personal data we process, and what your individual rights are concerning the protection of personal data.

Thus, please read the contents of this Information Memorandum. We will be pleased to answer any of your questions in any of our branch offices, by mail at Raiffeisenbank a.s., tř. Kosmonautů 1082/29, 779 00 Olomouc, by email at info@rb.cz, or on our toll-free info line at 800 900 900.

1. General Information

Our bank is subject to various statutory obligations regarding the processing of client personal data that we must comply with, particularly with regard to fulfilment of our contractual obligations, security of banking trades or exercise of official authority. In this regard, we would be unable to provide our banking products and services at all without being given your personal data. Also, we process personal data of clients beyond the framework of our statutory obligations for the purpose of customer care, to verify your credibility and creditworthiness for selected banking services, and to address you with targeted offers of products and services. We need your consent to do this. If you decide not to grant your consent in these cases, our provided products or services may be limited or otherwise adjusted, depending on the scope of data we are entitled to process. Every client is informed about the scope of limitations or adjustments.

Unless explicitly stated otherwise, all of the information contained herein also applies to the processing of personal data of prospective customers, i.e. persons with whom we are in contact but have not established a contractual relationship yet, as well as former clients. The information contained herein also applies, to a reasonable extent, to the processing of personal data of other persons, with regard to whom the bank has certain obligations (such as ultimate owners of legal and other entities or persons, whose data we acquire in the course of providing services to our clients, such as parties to realized payment transactions, beneficiaries of concluded letters of credit and similar), or with whom our bank is in direct contact without being in a contractual relationship with them (such as representatives of legal entities).

1.1. Personal Data Processing Principles

When processing your personal data, we respect the highest standards of personal data protection and, in particular, abide by the following principles:

  • We always process your personal data for a clearly and comprehensibly defined purpose, using defined means, in a defined manner, and only for a time necessary with regard to the purpose; we only process precise personal data of clients and ensure that their processing corresponds with and is necessary for the defined purpose;
  • We protect your personal data as our banking secret; thus, we process client personal data in a manner ensuring the highest possible security of the data and preventing any unauthorized or accidental access to client personal data, their modification, destruction or loss, unauthorized transfers, other unauthorized processing or other abuse;
  • We always clearly inform you about processing your personal data and your rights to receive precise and full information about the circumstances of such processing as well as your other related rights;
  • At our bank we adhere to adequate technical and organizational measures to ensure a level of security matching all possible risks; all persons who come into contact with client personal data are obliged to keep confidential the information acquired in connection with the processing of such data.
     

2. Information about the Processing of Personal Data

2.1. Information about the Administrator

The administrator of your personal data is our bank, i.e. Raiffeisenbank a.s., having its registered office at: Prague 4, Hvězdova 1716/2b, postcode: 140 78, IČ: 492 40 901, a company entered in the Commercial Register maintained by the City Court of Prague, file number B 2051.

2.2. Purpose and Legal Basis of Processing

2.2.1. Processing of Personal Data without Your Consent

This usually concerns situations where you are obliged to disclose certain personal data to us as a condition to let us provide you with our product or service, or where we are entitled to process your personal data acquired otherwise.

(a) By virtue of law, we are entitled to process your personal data without your consent for the following purposes of compliance with our statutory obligations, in particular:

  • compliance with the obligation of prudent conduct, such as in assessment of creditworthiness of clients;
  • prevention of damages to client assets kept with the bank as well as the bank’s assets;
  • prevention of frauds that the clients or the bank may be exposed to;
  • compliance with statutory disclosures to public authorities;
  • compliance with obligations related to enforcement of judgment;
  • inter-bank exchange of information about banking contacts, identification data and owners of accounts and about matters reflecting the clients’ credibility and creditworthiness, as well as protection of rights and protected interests of businesses and clients, consisting of assessment of clients’ capacities and willingness to fulfil their obligations;
  • compliance with obligations related to consolidated banking supervision or additional supervision, and compliance with the rules of prudent conduct;
  • compliance with obligations as part of customer identification and check pursuant to the Act on certain measures against the legalization of proceeds from crime and against financing of terrorism;
  • compliance with obligations imposed on the bank in direct connection with the services it is authorized to render to its clients, particularly on the basis of the license or permits granted by the Czech National Bank, above all in relation to the provision of payment services, loans and investment services;
  • compliance with archiving obligations.

(b) Conclusion or performance of a contract with you

This particularly concerns realization of a banking trade or other performance of a contract between our bank and you. Personal data are required, inter alia, to realize the banking trade without inadequate legal risks, including negotiations on concluding or amending the contract with you.

(c) Protection of rights and interests protected by law, particularly in respect of:

  • protection of rights and protected interests of our bank, authorized beneficiaries or other relevant parties, such as when establishing facts that our bank needs to establish towards third parties, collecting debts, realizing collateral, or otherwise claiming debts, as well as developing the provided services;
  • negotiations with prospective assignees of our bank’s receivables from a client or with parties interested in another form of receivable transfer or passage, including the related realization, and other related negotiations with third parties, particularly notifications to providers of related collateral, etc.;
  • resolution of any and all disputes, particularly for the purpose of court or other disputes.

2.2.2. Processing of Personal Data with Your Consent

This particularly concerns situations where you voluntarily agree that we process the provided or otherwise acquired personal data. Not granting your consent may be a reason preventing our bank from providing certain products or services or forcing it to reasonably adjust the availability, scope or conditions of provided products and services.

(a) Based on your consent, our bank processes your personal data for the following purposes:

  • customer care; these are activities that do not stand for performance of a contract or another legal framework of personal data processing, and include the following:
  • market research;
  • monitoring of client actions on our bank’s website in connection with the offered services (thus, this purpose does not relate to mere acquisition of information about actions of visitors to our bank’s website in the form of cookies as described below in the Article on Electronic Means of Communication and Mobile Applications);

(b) certain methods of information exchange among creditors on matters reflecting the credibility, creditworthiness and payment history of their clients and applicants for offered services. To a certain extent, in these cases, our bank is also entitled to participate in mutual exchange of certain information among creditors without obtaining the client’s consent;

(c) offering of products and services; in particular, this includes distribution of information, offering of products and services of our bank and other parties, including product and service offers targeted at particular clients, all via various channels, such as by mail, electronic means (including electronic mail and messages sent to mobile devices via a telephone number), or by telephone, via a website or ATMs. To a certain extent, in these cases, our bank is also entitled to offer products and services to clients without obtaining their consent; if implied by the law, you will be informed in this regard about your right to express your disagreement with any further offering of products or services. In this regard, your personal data may also be forwarded to third parties for the purpose of distribution of information and offering of products and services of such third parties. More details are provided below in this Information Memorandum.

2.3. Scope of Processed Client Personal Data

Our bank processes your personal data to an extent as necessary to meet the above purposes. We particularly process contact and identification data, information reflecting credibility, creditworthiness and payment history, descriptive and other data, and, to a necessary and legitimate extent, also data about other persons. Detailed information about the scope of processed personal data of clients is stated in Annex 1 to this Information Memorandum.

Certain specific categories of personal data and related processing methods:

Birth registration numbers. According to the law, our bank is also obliged to process its client’s birth registration numbers. If assigned, the client’s birth registration number must be acquired and processed by our bank in line with the law for the purpose of banking trades and to allow realization of banking trades without unreasonable legal or factual risks for our bank. If the birth registration number is to be processed for other purposes, it must be done with your consent only.

Copies of documents. With regard to our statutory obligation to duly identify our clients, our bank is also obliged to process certain information about the clients’ identity documents (to the extent of the type, series and number of the identity card, the issuing state or authority, and validity of the document) and thus we also make copies of such identity documents based on your consent.

Communication recordings. Our bank monitors and records selected communications with clients, particularly telephone calls. You are always informed in advance about making any recordings. The contents of such communications are confidential and solely used for the purpose of compliance with statutory obligations, conclusion and performance of contracts, protection of rights and interests protected by law, and, with your consent, for the purpose of customer care.

Camera recordings. Particularly in premises where services are provided to clients (including ATMs operated by our bank), our bank monitors movement of persons. Camera recordings are solely made for the purpose of compliance with statutory obligations, conclusion and performance of contracts, and protection of rights and protected interests of our bank, clients or third parties. Unless the recordings are evaluated as required for the purpose of criminal, administrative or other similar procedures, the bank destroys them; such evaluation takes place without undue delay, and no later than 30 days from the date the recording was made. In respect of preserved recordings, further evaluations take place on a continuous basis.

2.4. Personal Data Processing Methods

Our bank processes your personal data both manually and by automated means, including algorithmic processing, in our bank’s information systems. Automated evaluation of client personal data (profiling) is also one of the personal data processing methods used by our bank; this process also results in creation of derived information about the client. This is particularly done for the purpose of compliance with our statutory obligations and for the purpose of protecting the rights and protected interests of our bank, its clients, or third parties. However, to a certain extent, our bank may also use the results of such evaluation to prepare customized products and services, such as when calculating pre-approved limits for loan products.

Your personal data are mainly processed by employees of our bank and, to an extent as required, by third parties. Before any disclosure of your personal data to a third party, we always enter into a written agreement with the third party, containing the same warranties in respect of personal data processing as adhered to by our bank in line with its statutory obligations.

2.5. Recipients of Personal Data

Your personal data are made available particularly to our bank’s employees in connection with performance of their professional duties requiring work with personal data of clients, however only to an extent necessary in the particular case and in compliance with all security measures.

In addition, your personal data are disclosed to third parties participating in the processing of personal data of our bank’s clients, or, such personal data may be made available to them on other grounds in line with the law. Before any disclosure of your personal data to a third party, we always enter into a written agreement with the third party to stipulate the processing of personal data in a way to contain the same warranties in respect of personal data processing as adhered to by our bank in line with its statutory obligations.

2.5.1. In accordance with applicable legislation, our bank is entitled, or directly obliged, to disclose your personal data without your consent to:

  • relevant state authorities, courts and law enforcement authorities for the purpose of performance of their obligations and for the purpose of enforcement of judgment;
  • other banks in connection with exchange of information about facts reflecting the credibility and creditworthiness of their clients, or to groups of businesses defined by law in connection with the assessment of capacity and willingness of clients to fulfil their obligations;
  • other providers of payment services, if necessary to prevent, investigate or detect payment frauds;
  • other parties to an extent stipulated by legislation, such as to third parties for the purpose of collection of our receivables from clients.

2.5.2. Subject to your consent entitling us to handle information representing the banking secret to the relevant extent, we also disclose your personal data to:

  • certain operators of client information registers in connection with exchange of information about the credibility, creditworthiness and payment history of their clients and applicants for offered services. We remind you again that to a certain extent, in these cases, our bank is also entitled to participate in mutual exchange of certain information within certain registers without obtaining the client’s consent;
  • entities belonging to the same financial holding as our bank (hereinafter referred to as “RBI Group”; a list of RBI Group entities is stated in Annex 2 to this Information Memorandum and may be updated over time as necessary), all for the purpose of compliance with statutory obligations of our bank, conclusion and performance of contracts, offering of products and services, protection of rights and protected interests of our bank, customer care, and exchange of information about client credibility and creditworthiness within RBI Group;
  • other parties for the purpose of distribution of information, offering of products and services of our bank or other parties to the clients. Subject to your consent, such disclosures will be made in full compliance with the other conditions contained in this Information Memorandum, particularly with regard to the purpose, scope and time of processing of personal data. We will only disclose your identification and contact data to an extent necessary for the particular recipient. Entities defined in Annex 3 to this Information Memorandum may be recipients of personal data. Clients, whose personal data will be disclosed, may be selected based on criteria agreed with the particular recipient (mainly socio-demographic and economic criteria or criteria based on the scope and frequency of services provided by our bank). Upon such disclosure, we will exercise special care to prevent any threats to the security of the disclosed personal data or abuse of the same.
     

2.6. Cooperation with Client Information Registers

As mentioned above, in an effort to ensure prudent conduct, our bank also cooperates with various client information registers or their users or members, with whom it shares personal data of clients, particularly concerning assessment of their credibility and creditworthiness. Thus, our bank cooperates, for example, with authorized users of the Banking Client Information Register (“BCIR”) operated by CBCB – Czech Banking Credit Bureau, a.s., with authorized users of the Non-Banking Client Information Register (“NCIR”) operated by Czech Non-Banking Credit Bureau, z.s.p.o., or with members of SOLUS, z.s.p.o., an association of legal entities. More information can be found in the BCIR Information Memorandum, NCIR Information Memorandum and the Information about SOLUS Association Registers available on our bank’s website.

2.7. Disclosure of Personal Data to Foreign Countries

Your personal data are processed in the territory of the Czech Republic and other states of the European Union where RBI Group entities are seated and which share the same personal data protection standard as the Czech Republic. Neither our bank nor the entities participating in the processing of client personal data disclose personal data of clients to countries outside the European Union.

2.8. Term of Personal Data Processing

Our bank processes personal data of clients only for a time necessary with regard to the purpose of processing. From time to time we evaluate whether there is still a need to process certain personal data required for a particular purpose. Once we detect that the data are no longer required for any of the purposes for which they have been processed, we destroy the data. However, in respect of certain purposes of personal data processing, we have internally evaluated the usual term of usability of personal data, after expiration of which we most carefully assess the need to process such personal data for the particular purpose. In this regard, it also holds that personal data processed for the purpose of:

  • performance of contracts are processed over the term of the contractual relationship with the client; then, the relevant personal data are usually usable for ten years;
  • exchange of information about facts reflecting credibility, creditworthiness and payment history of clients and applicants for offered services are processed over the term of the contractual relationship; then, the relevant personal data are usually usable for the term defined by the individual operators of client information registers;
  • offering of products and services are processed over the term of the contractual relationship; then, the relevant personal data are usually usable for ten years; if personal data are disclosed in this regard to third parties, the term of processing is defined by the third parties in accordance with applicable legislation and rules stated in this Information Memorandum;
  • customer care are processed over the term of the contractual relationship with the client; then, the relevant personal data are usually usable for ten years.

2.9. Right to Revoke Consent

In this Information Memorandum we have tried to explain why we need your personal data and that for certain purposes we may process them with your consent only. You are not obliged to grant consent to our bank to process your personal data and you are also entitled to revoke your consent. At this point we would like to remind you that we are also entitled to process some personal data for certain purposes without your consent. If you revoke your consent, we will discontinue the processing of the relevant personal data for purposes requiring the relevant consent; however, we may be entitled or even obliged to process the same personal data for other purposes.

If you refuse to grant or revoke your consent, we may:

  • accordingly adjust the availability, scope or conditions of our products or services, or
  • refuse to provide you with our products or services once we find out that such consent is necessary to provide the product or service on the given terms.

If you wish to revoke your consent to the processing of personal data, please visit any of our branch offices, send us a letter to Raiffeisenbank a.s., tř. Kosmonautů 1082/29, 779 00 Olomouc, or an email to info@rb.cz, or call our toll-free info line at 800 900 000.

2.10. Sources of Personal Data

We acquire personal data of clients particularly from:

  • the clients, directly, such as when concluding contracts related to provided banking products or services, and/or indirectly, such as during use of the banking products or services by the clients, or as part of making information about banking products and services available to the clients, such as through the bank’s website, etc.;
  • publicly available sources (public registers, records or lists);
  • third parties authorized to handle the client’s personal data and to disclose them to our bank on given terms, such as from client information registers or RBI Group members;
  • prospective customers interested in services of our bank as part of marketing events and campaigns;
  • own activities through processing and evaluation of other personal data of the clients.

2.11. Your Right to Ask for Access to Personal Data and Protection of Client Rights

If you ask us for information related to the processing of your personal data, we will provide you with all information about the data we process about you without undue delay. For providing this information, we are entitled to claim reasonable compensation of cost incurred in order to provide the information.

If you find out or think that our bank or a third party participating in the processing of data processes your personal data in conflict with the protection of your private life and/or in conflict with the law, in particular if your personal data are inaccurate, you may:

  • request explanation from our bank or the third party participating in the processing of data;
  • request remedy of the defective state; in particular, you may request correction or amendment of the personal data; if needed, the data will be temporarily blocked or destroyed.
     

If we find your request legitimate, our bank or the third party participating in the processing of data will remove the defective state free of charge and immediately.

3. Raiffeisenbank a.s. as a processor of personal data

In certain cases, our bank also handles client personal data by authorization of another party (another administrator). For example, these cases include cooperation with other RBI Group companies, agency for third-party products or services, or cooperation with third parties in loyalty programmes. For detailed information, it is always necessary to contact the particular administrator of personal data, unless our bank is authorized to provide information in the particular case.

4. Electronic Means of Communication and Mobile Applications

As part of customer care, our bank develops technologies to let you use modern electronic means of communication and mobile applications to use our banking products and services. In particular, these include services related to the use of the internet, social networks and various mobile applications. However, we also bear in mind the special nature of banking products and services, and thus we observe the protection of client personal data and banking secret when using these means and applications.

Internet banking. Our bank lets you use some of your products or services online via internet banking. Also, internet banking is a service through which information about the bank’s services and products is available to you, including individual offers. We process all personal data acquired about you in this regard in accordance with the conditions and principles stated in this Information Memorandum.

Mobile applications. For greater availability of our products and services, we offer mobile banking services (so-called Mobile eKonto). Mobile banking is also a service through which information about the bank’s services and products is available to you, including individual offers. In this regard, we process selected information related to your mobile device used for mobile banking (this information can be found in the internet banking service in the detail of your mobile device). We process all personal data acquired about you as part of mobile banking in accordance with the conditions and principles stated in this Information Memorandum.

Social networks. Also, you can address us through various social networks. We particularly use these communication channels as marketing tools; our products and services are not provided through social networks at this moment.

Cookies. Also, we use cookies when providing our products and services. Cookies are small text files stored in the user’s computer after loading a website for the first time. These files facilitate identification of the way the visitors work with the contents of our website, which helps us in pursuing a friendlier communication with our website visitors or a more efficient marketing. More information about cookies is available on our website.

5. Information Memorandum

This Information Memorandum is valid and effective as of 9 June 2017. The current version of the Information Memorandum is published on our bank’s website and is also available at our branch offices.
  

Annex 1 – Scope of Processed Personal Data
  • Identification data – these include data such as name, surname, date and place of birth, birth registration number, permanent address, type, number and validity of the identity card; for clients who are natural persons – entrepreneurs, also the identification number and tax ID. Other possible identification data include, for example, information about the IP address of the computer used, signature specimen, number of the account we hold, and files of specific authentication data we agree to use.
  • Contact data – contact addresses, telephone numbers, email addresses, fax numbers or other similar contact data.
  • Information required for the decision to conclude the contract – these include data particularly required for risk assessment from the perspective of prevention of legalization of proceeds from crime and financing of terrorism, as well as data collected to assess the credit risk of the trade and data required to provide investment services.
    Depending on the contract type, these data include:

- socio-demographic data – such as age, gender, marital status, education, number of household members, type of income, nature of employment, the fact whether you are a politically exposed person;
- information about property – such as information about ownership of real property or movables, membership in legal entities (particularly shares in corporations), information about total income or regular household expenses;
- information about executions or insolvency proceedings, if any, fulfilment of obligations towards other creditors, information about insurance against property or life risks, information about business relations.

In the event that you withdraw a submitted application for a product or service, we also process the application withdrawal date along with the data provided before the withdrawal.

  • Data arising out of performance of obligations under contracts – depending on the nature of the provided product or service, we process information related to the provided product or service. In this category, we process personal data such as the term of contract, interest rate, maturity term, loan amount, balance of your receivables from the bank, balance of the bank’s receivables from you, information about realized payment transactions, information about the use of means of payment, information about realized instructions to buy securities, information about the balance of an investment instrument portfolio.
  • Personal data acquired in connection with the provision of our products or services – these include personal data acquired during our interactions. In particular, these include:

- data serving to secure communications;
- geo-location data, such as data about the geographic location, home branch office of the client, place of making a payment order (most often using a payment card) and data identifying the device used to make the payment order;
- records of your preferred communication language, expressed interest in a product or service, your investment strategies, or your specific requirements disclosed to us;
- information about execution proceedings against your receivable from the bank, about insolvency proceedings against you, information about insurance against property or life risks, information about business relations (as opposed to the list under point 3 of this Annex, these include current data acquired in the course of providing our products or services).

  • Personal data created through our activities – in particular, these include the assigned client/product numbers, data created by evaluation of your transaction behaviour and/or data provided by you (such as to determine whether the conditions to apply a fee reduction have been met), evaluation of a submitted application for a product or service, or evaluation required for our decision to offer you a product and/or service or not.

 

Annex 2 – RBI Group

As of 24 August 2018, the term RBI Group means the group formed by our bank and the following entities:

  • Raiffeisen - Leasing s.r.o., ID No.: 61467863, registered office: Hvězdova 1716/2b, 140 78 Prague 4
  • Raiffeisen stavební spořitelna a.s., ID No.: 49241257, registered office: Koněvova 2747/99, 13 45 Prague 3
  • UNIQA pojišťovna, a.s., ID No.: 49240480, registered office: Evropská 136/810, 160 12 Prague 6
  • Raiffeisen investiční společnost a.s., ID No.: 291 46 739, registered office: Hvězdova 1716/2b, 140 78 Prague 4
  • Raiffeisen CEE Region Holding GmbH, Am Stadtpark 9, 1030 Vienna, Austria
  • Raiffeisen RS Beteiligungs GmbH, Am Stadtpark 9, 1030 Vienna, Austria
  • Raiffeisen Bank International AG, Am Stadtpark 9, 1030 Vienna, Austria
     
Annex 3 – Recipients of Personal Data

According to the Information Memorandum Article named Recipients of Personal Data (point 2.6.3), the following entities are joint controllers with our bank:

No joint controllers are defined as of 24 August 2018.

Information Memorandum 

Legal entities authorized to provide electronic communication services, namely a public communication network and publicly available electronic communication services in the territory of the Czech Republic (this particularly includes mobile operators).

Legal entities authorized to provide supplies of electricity and gas in the territory of the Czech Republic.