INFORMATION MEMORANDUM PROCESSING OF PERSONAL DATA OF CLIENTS

Unless explicitly stated otherwise, this document applies to existing and former clients as well as prospective clients (i.e. persons with whom we have not established a contractual relationship yet, but maintain contacts with them) or other persons in respect of whom our bank has certain obligations (for example beneficial owners of legal entities and other groups, or parties and persons in respect of whom we acquire data when providing services to our clients, such as parties to realized payment transactions, beneficiaries of concluded letters of credit etc.), or with whom our bank maintains direct contact without having an established contractual relationship with them (such as representatives of legal entities or other users of services provided to legal entities).

In certain cases, our bank also handles personal data of clients as instructed by another party (another controller). For example, these cases include cooperation with other companies of the group of Raiffeisen Bank International (RBI), intermediation of third-party products or services, or cooperation with third parties on loyalty programmes. For detailed information, it is always necessary to contact the particular controller of personal data, unless our bank is entrusted with the provision of such information in a specific case.

We need various personal data about you to be able to provide you with quality banking service. For example, when you apply for a loan with us, in addition to your name we need to know the income of your household in order to know how much we can lend you. The personal data we collect can be grouped as indicated below.

Identification data

These mainly include name, surname, date and place of birth, birth registration number, domicile address, type, number and validity of proof of identity, or corporate identification number and VAT number in the case of entrepreneurs. Also, your signature belongs to this group.

Copies of documents

Sometimes we also need information about your proof of identity (type, series and number of the document, issuing state or authority, validity of the document) and its copy. In such case, we ask for your consent to make a copy, unless we are already authorized to make one on the basis of our legal obligations.

Other identification data may include, for example, information about the IP address of the computer used, signature specimen, number of the account we maintain, or sets of specific authentication data we may agree to use.

Biometric data

If you open your account online, we will also process your biometric data derived from the image of your appearance for the purpose of verifying the match of your appearance with the data acquired from photographs on the submitted copies of personal documents.

Contact details

Telephone number, e-mail address, mailing address or other similar information we need to contact you.
Data required to decide on concluding a contract
These are data that let us evaluate whether you will be able to repay a loan or whether there is a risk of money laundering. These include, among other, the following data:

• socio-demographic data - such as age, gender, marital status, education, number of household members, type of income, nature of employment or also whether you are a politically exposed person
• information about your property - such as information about ownership of real property or movables, membership in legal entities (particularly participations in corporations), information about business relationships, information about overall income or regular expenses of your household,
• information about debts - such as information about executions insolvency proceedings, if any, fulfilment of payment obligations towards other creditors
• information about insurance covering property or life risks

Data created by performance of obligations under contracts

These data include, for example, the term of a contract, interest rate, maturity, loan amount, status of your receivables from the bank, status of the bank's receivables from you, information about realized payment transactions, information about the use of payment tools, information about realized instructions to buy securities, information about the status of your investment instrument portfolio.

An overview of these data can be obtained from statements or similar lists that are available to you.

Personal data collected in connection with the provision of our products or services

These include personal data acquired through our mutual interactions. In particular, these are:

• data serving to secure communications, such as PIN
• geolocation data, such as data about your geographic location, home branch office, place of making a payment order (most often card payment) and data identifying the device used to make a payment order
• electronic records of activities in information systems (logs)
• records of your preferred language for communications
• information about shown interest in a product or service
• information about your investment strategies or specific requirements
• Communication recordings

We monitor and record selected communications with you, in particular telephone calls. We always inform you in advance about any recorded communications. We monitor movement of persons using cameras, particularly in premises where services are provided to clients (including ATMs operated by us). Camera recordings are solely made for the purpose of compliance with legal obligations, conclusion and performance of contracts, and protection of our and your legitimate interests, or interests of third parties.

Personal data generated from our activities

These particularly include the client/product numbers we assign, data created by assessing your transaction behaviour or data you provide (such as to evaluate whether the conditions to apply discount on a fee have been met), evaluation of a submitted product or service application, or evaluation required for our decision as to whether we will offer a product or service to you or not.

Processing of personal data without your consent

In a vast majority of cases we do not need your consent to process your personal data. Such cases concern processing imposed by law, processing required to provide you with our services, or processing of personal data necessary to protect the bank's legitimate interests as well as your interests or interest of third parties. Processing not requiring your consent is particularly done for the below purposes.

Obligations implied by law

• compliance with reporting obligations towards public authorities
• compliance with prudential obligations, such as when assessing creditworthiness of clients, including possible verification of provided information with third parties
• prevention of damage to clients' assets vested to us as well as the bank's assets
• prevention of fraud that the clients or the bank may be exposed to
• compliance with obligations relating to enforcement of judgment, such as a court judgment
• exchange of information with other banks about banking details, identification data of account owners and matters indicating creditworthiness and credibility of their clients
• exchange of information with non-banking creditor entities about matters indicating creditworthiness, credibility and payment history of their clients and applicants for offered services, all also via a third party, and protection of rights and protected interests of businesses and clients consisting of evaluation of clients' ability and willingness to fulfil their obligations
• compliance with obligations relating to supervision over banks on a consolidated basis or supplementary supervision, and compliance with prudential obligations, for which we also share your personal data with members of the Raiffeisenbank International (RBI) Group
• compliance with obligations relating to client identification and verification pursuant to the Act on selected measures against legitimisation of proceeds of crime and financing of terrorism
• compliance with obligations imposed upon the bank in direct connection with the services it is entitled to provide to clients primarily under the license or permits granted by the Czech National Bank, in particular in connection with the provision of payment services, loans and investment services
• compliance with archiving obligations.

Processing of personal data for conclusion and performance of a contract

• establishment and term of contract
• realization of a banking transaction or other contractual performance

Processing of personal data for protection of legitimate interests

• debt collection, realization of collateral, or other claiming of debts
• development of provided services
• negotiations with third parties in connection with debt collection
• negotiations with prospective buyers of our receivables
• handling of dispute matters, in particular for court or other disputes
• internal research, analyses or evaluations (in particular statistical research), internal reporting or internal administrative purposes within RBI Group
• camera recordings at the bank's business locations for the purpose of protecting property of the bank and third parties
• to a limited extent, also offering products and services (direct marketing) to existing clients, if the offer is related to the product or services in use. We will terminate such processing when you object to it.
• establishment of facts relating to banking services towards third parties, such as information about credit card validity provided to merchants

Processing of personal data with your consent

We always need your consent when we wish to process your personal data for the purpose of marketing activities. This particularly covers offering of products and services (for example by mail, e-mail or telephone), be it our products and services or services of third parties. Subject to your voluntary consent we may evaluate whether we are prepared to provide you with a certain service and whether we can expect you to show interest in such service. We may also acquire personal data in the following manner:

• by monitoring actions of visitors on our website
• through surveys focused on your needs, interests and opinions on products and services, or surveys focused on the customer care given to you by our advisors and other members of staff
• by evaluating data collected as part of providing services pursuant to Act No. 370/2017 Coll. on the system of payments, in particular the payment account information services.

Subject to your consent only, we may transfer your personal data to another member of RBI Group to process them for the purpose of own marketing activities. In any case, we will only transfer personal data to the extent as required for the particular processing. An updated list of RBI Group members that may be recipients of your personal data forms part of this Information Memorandum. If the list is to be updated, you will be notified thereof in advance to be able to consider whether you will maintain or withdraw your consent.

The following members of RBI Group may be recipients of your personal data for marketing purposes:
• Raiffeisen - Leasing s.r.o., IČ: 61467863, registered office: Praha 4 - Nusle, Hvězdova 1716/2b, postcode: 140 78
• Raiffeisen stavební spořitelna a.s., IČ: 49241257, registered office: Praha 3, Koněvova 2747/99
• UNIQA pojišťovna, a.s., IČ: 49240480, registered office: Praha 6, Evropská 136/810, postcode: 160 12
• Raiffeisen investiční společnost a.s., IČ: 29146739, registered office: Hvězdova 1716/2b, Nusle, 140 78 Praha 4
• Raiffeisen Bank International AG, registered office: Am Stadtpark 9, 1030 Vienna, Austria
• Raiffeisenbank (Bulgaria) EAD, registered office: 55 Nikola I. Vaptzarov Blvd., Business Center EXPO 2000 PHAZE III, 1407 Sofia, Bulgaria
• Raiffeisenbank Austria d.d., registered office: Magazinska cesta 69, 10000 Zagreb, Croatia
• Raiffeisen Bank Zrt., registered office: Akadémia utca 6, 1054 Budapest, Hungary
• Raiffeisen Bank S.A., registered office: Calea Floreasca 246C, 014476 Bucharest, Romania
• Tatra banka, a.s., registered office: Hodžovo námestie 3, 81106 Bratislava 1, Slovakia
• UNIQA Österreich Versicherungen AG, registered office: Untere Donaustraße 21, 1029 Vienna, Austria
• UNIQA Insurance Group AG, registered office: Untere Donaustraße 21, 1029 Vienna, Austria

Sometimes we may conclude that we also need your consent in other situations. In such case, we will ask for your consent and we will provide your with all material information in this regard.

Below is a list of rights that you have in connection with the processing of your personal data. Some of the rights also include requests for information or documents. We will provide such information without undue delay, however not later than within one month from delivery of your request. In certain cases the term may be extended, about which fact we will always inform you. If your request cannot be granted, we will inform you about the reasons as well as about your other rights (right to lodge a complaint and right to judicial remedy).
If needed, we may ask you to provide additional information to add details to your request or to confirm your identity.
You can exercise the below rights at any branch office or by using any of the contacts specified above. You can also use the form available for download at https://www.rb.cz/attachments/gdpr/gdpr-zadost.pdf.

Right to withdraw consent

If you give us consent to process personal data that we need for marketing or other purposes, you have the right to withdraw such consent.
Once you withdraw the consent, we will discontinue the processing of relevant personal data for the purposes requiring such consent. However, we are entitled to further use the personal data for other purposes (such as purposes implied by law).
If you do not grant or if you withdraw your consent, we may also accordingly adjust the availability, scope or conditions of our products and services.
If you wish to withdraw your consent to the processing of personal data, please refer to any of our branch offices or any of the above contacts.

Right to object

In cases where your personal data are processed for the purpose of protecting our legitimate interest, you have the right to object to such processing. If you do so, we will no longer process your personal data unless we demonstrate to you compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. You may exercise your right to object the same way as the right to withdraw consent.

Right of access to personal data

You have the right to request confirmation as to whether or not we process your personal data, and, where that is the case, access to the personal data and other specified information. If requested, we will give you a copy of the processed personal data free of charge once in a calendar year, otherwise against payment of the cost associated with processing and providing the copy.
If you are interested in an overview of data about payment transactions and related payments that are available to you based on performance of contracts for the particular services and products in the form of statements, the bank will give you a copy of such statement subject to payment of a fee according to the applicable pricelist of products and services.

Right to rectification

You have the right to obtain from us without undue delay the rectification of inaccurate processed personal data concerning you. Also, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Changes of certain personal data need to be demonstrated by evidence (such as changed domicile address or marital status).

Right to erasure (“right to be forgotten”)

You have the right to obtain from us the erasure of personal data concerning you without undue delay where a legal ground applies (such as when the processing is no longer needed or is unlawful).

Right to restriction of processing

You have the right to obtain from us restriction of processing of your personal data where a legal ground applies (such as due to inaccuracy of the processed personal data or unlawfulness of the processing, or due to an objection to the processing of personal data based on our legitimate interests).

Right to data portability

You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller. This right only applies to personal data provided by you, which are processed in an automated manner based on your consent or a contract between us. For security reasons we are unable to save your data to your data carrier; however, we can deliver the data to you by e-mail, for example.

Rights relating to automated decision-making

In some cases (such as in the case of a loan application), the decision as to whether we will enter into a contract with you depends on automated assessment (i.e. the recommendation is given by a machine, not a person directly). We will always inform you about this fact, particularly in a situation where your application has been rejected. Consequently, you have the right to challenge the decision, in particular to ask for review of the decision with the participation of our responsible employee, or to express your opinion on the decision. In doing so, you can use any of the contacts above; if the case concerns a loan application, please mainly use a branch office to exercise this right.

Right to complain

If you believe that the processing of your personal data infringes the applicable legislation, you may refer with a complaint to the Office for Personal Data Protection.
https://www.uoou.cz
Pplk. Sochora 27
170 00 Prague 7

We process your personal data in both manual and automated manner (including algorithmic processing) in our bank's information systems. In the case of automated processing, we may profile your data, for example to assess your ability to repay a loan or to prepare an offer of a suitable product.

We collect personal data of clients particularly from the following sources:

• from the clients, either directly (particularly when concluding contracts) or indirectly (such as during the use of banking products and services or our website)
• from prospective clients showing interest in our products and services in marketing promotions and campaigns
• from third parties (when defined conditions are met), such as from client information registers, RBI Group members, mobile telephone operators, authorities, or parties obliged to disclose your data to us (such as legal entities when identifying the beneficial owner), or from other providers of payment services
• from publicly available sources, such as public registers, records and lists, websites, land register etc., or from third parties processing smart data from such sources
• from own activities through the processing and evaluation of other personal data of clients
• Also, when providing products and services electronically, we use cookies, small text files stored on the user's device. These files let us identify more easily the way you work with the contents of websites and applications. This in turn improves our communication with you and makes our work with the website more convenient.

Our cooperation with client information registers

For example, we cooperate with the authorized users of the Banking client information register („BRKI“), Non-banking client information register („NRKI“), or with members of the SOLUS association. The cooperation particularly relates to assessment of credibility and creditworthiness of clients.

Your personal data are made available particularly to employees of our bank in connection with the performance of their professional duties, however only to the necessary extent and in compliance with all security measures.

In addition, your personal data are transferred to third parties - controllers and processors. We conclude written agreements with processors to stipulate the terms and conditions of the processing of personal data to contain the same safeguards we adhere to in line with our legal obligations.

The recipients of personal data particularly include:

• state authorities, courts and law enforcement authorities for the purpose of compliance with their obligations and for enforcement of judgment
• business partners letting us offer various supplementary services or cooperating with us in loyalty programmes
• business partners, with whom we offer joint products and with whom we act as joint controllers, which means that we jointly define the purposes and means of processing
• parties providing support services to us to be able to provide you with banking services to the full extent (such as various IT service providers)

• providers of electronic communications services and operators of call centres in connection with proper fulfillment of obligations imposed upon us (for example, contact and identification data is required to be able to identify a calling client)
• providers of legal services, private executors or parties participating in the collection of our receivables in order to be able to properly defend our legitimate interests
• other banks and certain operators of client information registers in connection with exchange of information about credibility, creditworthiness and payment history of clients and applicants for offered services
• groups of businesses defined by law in connection with assessment of ability and willingness of clients to fulfil their obligations
• other providers of payment services if necessary due to prevention, investigation or detection of frauds in the system of payments
• entities of RBI Group for internal administrative purposes of RBI Group or as part of compliance with prudential obligations

Transfers of personal data to foreign countries - save for exceptions, neither our bank nor the entities participating in the processing of personal data of clients forward personal data of clients to countries outside the European Union. An exception applies to realization of certain transactions using payment cards involving the use of the 3D Secure code. In this regard, certain personal data of payment card holders are transferred to the processor, PrJSC Ukrainian Processing Center, registered office: 9 Moskovskiy Ave., Kiev, Ukraine, which complies with the security, technical and organisational safeguards for the processing of personal data. Also, updates of information on issued Mastercard payment cards are transferred via Mastercard Europe SA, registered office: Chaussée de Tervuren 198, 1410 Waterloo, Belgium, to the ABU (Mastercard Automatic Billing Updater) database created and maintained in the US and containing data such as card validity term, available to payment card acquiring providers and participating merchants.

Our joint controllers currently include:
České aerolinie a.s., IČ: 45795908 (ČSA credit card product)
In some cases, we are only entitled to transfer your personal data subject to your consent. This particularly applies to the following recipients:

• operators of client information registers, if we cannot transfer your personal data to them in connection with compliance with our legal obligations 
• other providers of payment services, through whom you access payment accounts we maintain for you
• selected members of RBI Group for marketing purposes

• Our bank maintains adequate technical and organisational measures to ensure a level of security that is adequate to all the possible risks.
• We process our clients' personal data in a manner preventing any unauthorized or accidental access to the personal data of clients, their alteration, destruction, loss or damage, unauthorized transfer, other unauthorized processing or other abuse.

Data Protection Officer
Raiffeisenbank has a designated Data Protection Officer. The Data Protection Officer ensures compliance with statutory obligations, in particular informs and advises within Raiffeisenbank, monitors compliance of the processing of personal data with the legislation, communicates with the supervisory authority, and fulfils other given obligations.
If your inquiry or matter cannot be handled via the above contact details, you may also contact the Data Protection Officer at Hvězdova 1716/2b, postcode: 140 78, Prague 4, Attn: Data Protection Officer, e-mail poverenec@rb.cz.

We only process personal data of clients for a time necessary with regard to the purpose of processing. Once we detect that the data are no longer needed, we delete them. We evaluate such need on a continuous basis, particularly after expiration of the (internally determined) term that is usual for the particular personal data to be useful. Below are typical terms of usability of various personal data.

• We process information for the conclusion and performance of a contract for the term of the contractual relationship with the client and usually for 3 to 14 months afterwards
• Data collected from mutual exchange of information about matters indicating the creditworthiness, credibility and payment history of clients and applicants for offered services are processed for the term of the contractual relationship and afterwards usually for a term determined by the particular client information register operators
• Information relating to the protection of our bank's legitimate interests is processed depending on the particular legitimate interest. This can be a relatively short period of time (such as in the case of camera recordings) or a longer one (such as in the case of debt collection or claims or court disputes)
• We process data for the purpose of marketing activities for the term of the contractual relationship and afterwards for the usable term thereof (up to 5 years), unless you inform us earlier that you do not wish your personal data to be processed in such manner or unless you withdraw your consent to the processing of personal data
• For the purpose of compliance with archiving obligations, we process personal data for the term stipulated by applicable special legislation, however not exceeding 10 years from termination of the contractual relationship
• Within 30 days from the date when created we evaluate camera recordings as to whether their retention is required for the purpose of criminal, administrative or other similar proceedings. If the recordings are not needed, the bank destroys them without undue delay. If further retention of the recordings is needed, further evaluations take place from time to time.