INFORMATION MEMORANDUM

Processing of Personal Data of Clients at Raiffeisenbank a.s.

Dear client,

Let us inform you how Raiffeisenbank a.s. (hereinafter also referred to as “we” or “our bank”) processes your personal data in connection with offering, concluding, providing and maintaining banking products and services.
The purpose of this Information Memorandum is to give you information about the particular personal data we collect, how we treat them, what sources we get them from, what purpose we use them for, whom we may provide the data to, where you can obtain information about your personal data we process, or what are your individual rights concerning the protection of personal data.

Thus, please read the contents of this Information Memorandum.

1. General Information
Our bank is subject to various statutory obligations regarding the processing of client personal data that we must comply with, particularly with regard to fulfilment of our legal and contractual obligations, security of banking trades or exercise of official authority. In this regard, we would be unable to provide our banking products and services at all without being given your personal data. Also, we process personal data of clients beyond the framework of our statutory obligations for the purpose of customer care, to address you with targeted offers of products and services. We need your consent to do this. If you decide to not grant your consent, our provided products or services may be limited or otherwise adjusted, depending on the scope of data we are entitled to process. Every client is informed about the scope of limitations or adjustments.
Unless explicitly stated otherwise, all of the information contained herein also applies to the processing of personal data of prospective customers, i.e. persons with whom we are in contact but have not established a contractual relationship yet, as well as former clients. The information contained herein also applies, to a reasonable extent, to the processing of personal data of other persons, with regard to whom the bank has certain obligations (such as beneficial owners of legal and other entities or persons, whose data we acquire in the course of providing services to our clients, such as parties to realized payment transactions, beneficiaries of concluded letters of credit and similar), or with whom our bank is in direct contact without being in a contractual relationship with them (such as representatives of legal entities or other users of services provided to legal entities).

1.1 Personal Data Processing Principles
As part of processing your personal data we respect top standards of personal data protection and particularly abide by the following principles:
(a) We always process your personal data lawfully, fairly and in a transparent manner for specified, explicit and legitimate purposes;
the manner of processing personal data is always compatible with the specified purpose and the processing of personal data only
takes place for a time necessary with regard to the purpose; we only process accurate personal data of clients to an extent that is
adequate, relevant and limited in relation to the specified purposes;
(b) We protect your personal data as our banking secret; thus, we process client personal data in a manner ensuring highest possible
security of the data and preventing any unauthorized or accidental access to client personal data, their alteration, destruction, loss
or damage, unauthorized transfers, other unauthorized processing or other abuse;
(c) We always clearly inform you about processing your personal data and your rights to receive precise and full information about
the circumstances of such processing as well as your other related rights;
(d) At our bank we adhere to adequate technical and organizational measures to ensure a level of security matching all possible
risks; all persons who come into contact with client personal data are obliged to keep confidential the information acquired in
connection with the processing of such data.

2. Information about the Processing of Personal Data
2.1. Information about the Controller and Contact Details
The controller of your personal data is our bank, i.e. Raiffeisenbank a.s., having its registered office at: Prague 4, Hvězdova 1716/2b, postcode: 140 78, IČ: 492 40 901, a company entered in the Commercial Register maintained by the Municipal Court in Prague, file number B 2051.
We will be glad to receive and answer your questions and enquiries at any of our branch offices, by mail at Raiffeisenbank a.s., tř. Kosmonautů 1082/29, 779 00 Olomouc, e-mail at info@rb.cz, or by phone on our toll-free infoline at 800 900 900.

2.2. Data Protection Officer
Our bank has a designated Data Protection Officer. The Data Protection Officer ensures compliance with statutory obligations, in particular informs and advises within our bank, monitors compliance of the processing of personal data with the legislation, communicates with the supervisory authority, and fulfils other given obligations.
If your question or matter cannot be handled via the above contact details of our bank, you may also contact the Data Protection Officer at Hvězdova 1716/2b, postcode: 140 78, Prague 4, Attn: Data Protection Officer, e-mail: poverenec@rb.cz, databox ID: skzfs6u.


2.3. Purpose and Legal Basis for Processing
2.3.1. Processing of Personal Data for Compliance with Legal Obligations
In connection with its business, our bank is entitled to process your personal data in order to comply with a variety of legal obligations, particularly arising out of the Act on Banks, as well as other legislation. In particular, this applies to the following obligations:
(i) compliance with the obligation of prudential conduct, such as in assessment of creditworthiness of clients, in which case we
may verify data provided by you with third parties, such as your employer;
(ii) prevention of damages to client assets kept with the bank as well as the bank’s assets;
(iii) prevention of frauds that the clients or the bank may be exposed to;
(iv) compliance with statutory disclosures to public authorities;
(v) compliance with obligations related to enforcement of judgment;
(vi) inter-bank exchange of information about banking contacts, identification data and owners of accounts and about matters
reflecting the clients’ credibility and creditworthiness, exchange of information with non-banking creditors in respect of matters
reflecting credibility, creditworthiness and credit history of their clients and applicants for offered services, also via a third
party, as well as protection of rights and protected interests of businesses and clients, consisting of assessment of clients’
capacities and willingness to fulfil their obligations;
(vii) compliance with obligations related to consolidated banking supervision or additional supervision, and compliance with the
rules of prudential conduct, for which we also share your personal data with entities within our banking group (hereinafter
referred to as “RBI Group”; a list of entities that are members of RBI Group is provided in Annex 2 to this Information
Memorandum and shall be updated from time to time as required);
(viii) compliance with obligations as part of customer identification and check pursuant to the Act on certain measures against the
legalization of proceeds from crime and against financing of terrorism;
(ix) compliance with obligations imposed on the bank in direct connection with the services it is authorized to render to its clients,
particularly on the basis of the license or permits granted by the Czech National Bank, above all in relation to the provision
of payment services, loans and investment services;
(x) compliance with archiving obligations.
Typically, these are situations when the provision of your personal data is required to enable us to provide you with our product or service; the bank is entitled to carry out such processing without your consent.

2.3.2. Processing of Personal Data for the Conclusion and Performance of a Contract
Our bank also processes your personal data for purposes related to the conclusion or performance of a contract with you.
This particularly concerns realization of a banking transaction or other performance of a contract between our bank and you.
Personal data are required, inter alia, to realize the banking transaction without inadequate legal risks, including negotiations on concluding or amending the contract with you. Thus, provision of your personal data is a prerequisite to the establishment and existence of the contract (contractual requirement).


2.3.3. Processing of Personal Data for the Protection of Legitimate Interests of our Bank
For the purpose of protecting legitimate interests of our bank we may process your personal data where our legitimate interests override your interests or your fundamental rights and freedoms. This way we process your personal data particularly for:
(i) protection of authorized recipients or other relevant parties, such as when establishing facts that our bank needs to establish
towards third parties, collecting debts, realizing collateral, or otherwise claiming debts, as well as developing the provided services;
(ii) negotiations with prospective assignees of our bank’s receivables from a client or with parties interested in another form of
receivable transfer or passage, including the related realization, and other related negotiations with third parties, particularly notifications to providers of related collateral, etc.;
(iii) resolution of any and all disputes, particularly for the purpose of court or other disputes;
(iv) sharing your personal data for internal administrative purposes of RBI Group;
(v) internal research, analyses or evaluations (particularly statistical research), monitoring of client behaviour (such as on our
bank’s website), or internal reporting;
(vi) camera recordings at the bank’s points of sale for the purpose of protecting the property of the bank and third parties; and
(vii) to a limited extent also for offering products and services (direct marketing) to existing clients – in this case we only process
a limited scope of personal data and the offered products or services are related to the already used products or services;
however, such processing is immediately discontinued once you object to it.
In these cases, the bank is entitled to process your personal data without your consent.

2.3.4. Processing of Personal Data with Your Consent
Based on your consent, our bank processes your personal data for the following purposes:
a) customer care; these are activities that do not stand for performance of a contract or another legal framework of personal data processing, and include the following:
 market research;
 monitoring of client actions on our bank’s website in connection with the offered services (thus, this purpose does
not relate to mere acquisition of information about actions of visitors to our bank’s website in the form of cookies as
described below in the Article on Electronic Means of Communication and Mobile Applications);
b) certain methods of information exchange among creditors on matters reflecting the credibility, creditworthiness and payment
history of their clients and applicants for offered services, unless such an exchange of information can take place without your
consent;
c) offering of products and services; in particular, this includes distribution of information, offering of products and services of
our bank and other parties, including product and service offers that involve processing of your personal data in order to
create and deliver an offer tailored to meet individual client needs, all via various channels, such as by mail, electronic means
(including electronic mail and messages sent to mobile devices via a telephone number), or by telephone, via a website or
ATMs.
Thus, these are situations where you voluntarily consent that we may process the provided or otherwise acquired personal data. Should we arrive to conclude that we need your consent to the processing of your personal data for an intended purpose other than listed above, such as to let us assess your creditworthiness more efficiently, we will ask you to give us the consent and we will provide you with all related and material information.

2.4 Categories of Processed Personal Data of Clients
Our bank processes your personal data to an extent as necessary to meet the above purposes. We particularly process contact and identification data, information reflecting credibility, creditworthiness and payment history, descriptive and other data, and, to a necessary and legitimate extent, also data about other persons. Detailed information about the scope of processed personal data of clients is stated in Annex 1 to this Information Memorandum. Certain specific categories of personal data and related processing methods:

Birth registration numbers. According to the law, our bank is also obliged to process its clients’ birth registration numbers. If assigned, the client’s birth registration number must be acquired and processed by our bank in line with the law for the purpose of banking transactions and to allow realization of banking transactions without unreasonable legal or factual risks for our bank. If the birth registration number is to be processed for other purposes, it must be done with your consent only.
Copies of documents. With regard to our statutory obligation to duly identify our clients, our bank is also obliged to process certain information about the clients’ identity documents (to the extent of the type, series and number of the identity card, the issuing state or authority, and validity of the document). In cases where we would like to collect such data including a copy of the document registering the data, we will ask for your consent to make such copies.
Communication recordings. Our bank monitors and records selected communications with clients, particularly telephone calls. You are always informed in advance about making any recordings. The contents of such communications are confidential and solely used for the purpose of compliance with statutory obligations, conclusion and performance of contracts, protection of legitimate interests of our bank, and, with your consent, for the purpose of customer care.
Camera recordings. Particularly in premises where services are provided to clients (including ATMs operated by our bank), our bank monitors movement of persons. Camera recordings are solely made for the purpose of compliance with statutory obligations, conclusion and performance of contracts, and protection of legitimate interests of our bank, clients or third parties. Unless the recordings are evaluated as required for the purpose of criminal, administrative or other similar procedures, the bank destroys them; such evaluation takes place without undue delay, however within 30 days from the date when made. In respect of preserved recordings, further evaluations take place on a continuous basis.

2.5 Personal Data Processing Methods
The method how our bank processes your personal data includes both manual and automated processing, including algorithmic processing, in our bank’s information systems. Also, automated evaluation of client personal data (profiling) is one of the personal data processing methods used by our bank; this process also results in creation of derived information about the client. This is particularly done for the purpose of compliance with our statutory obligations and for the purpose of protecting the rights and protected interests of our bank, its clients, or third parties, or for deciding whether we will conclude specific contracts or not.
However, to a certain extent, our bank may also use the results of such evaluation to prepare customized products and services, such as when calculating pre-approved limits for loan products.
Your personal data are mainly processed by employees of our bank and, to an extent as required, by third parties. Before any transfer of your personal data to a third party, we always enter into a written agreement with the third party, containing the same safeguards in respect of personal data processing as adhered to by our bank in line with its legal obligations.

2.6. Recipients of Personal Data
Your personal data are made available particularly to our bank’s employees in connection with performance of their professional duties requiring work with personal data of clients, however only to an extent necessary in the particular case and in compliance with all security measures.
In addition, your personal data are transferred to third parties participating in the processing of personal data of our bank’s clients, or, such personal data may be made available to them on other grounds in line with the law. Before any transfer of your personal data to a third party, we always enter into a written agreement with the third party to stipulate the processing of personal data
in a way to contain the same safeguards in respect of personal data processing as adhered to by our bank in line with its legal obligations. Usually, these are business partners of our bank who allow us to offer various supplementary services, parties providing our bank with supporting services to let our bank provide you with its services in full extent (such as various IT service providers), to let us duly comply with the imposed obligations (in this regard this applies to, for example, electronic communications providers, telephone centre operators) and to let us duly defend our legitimate interests (in this regard this applies to, for example, legal
service providers or private executors).

2.6.1. In accordance with applicable legislation, our bank is entitled, or directly, without your consent, obliged to transfer your personal data to:
(a) relevant state authorities, courts and law enforcement authorities for the purpose of performance of their obligations and for
the purpose of enforcement of judgment;
(b) other banks in connection with exchange of information about facts reflecting the credibility and creditworthiness of their
clients, or to groups of businesses defined by law in connection with the assessment of capacity and willingness of clients to
fulfil their obligations;
(c) other providers of payment services, if necessary to prevent, investigate or detect payment frauds;
(d) certain operators of client information registers in respect of exchange of information about credibility, creditworthiness and
payment history of their clients and applicants for the offered services;
(e) in line with our bank’s legitimate interests, also to other entities of RBI Group for internal administrative purposes of RBI Group
or as part of compliance with obligations imposed under prudential rules as mentioned above;
(f) other parties to an extent stipulated by legislation, such as to third parties for the purpose of collection of our receivables from
clients.

2.6.2. Subject to your consent, we also transfer your personal data to:
(a) certain operators of client information registers in connection with exchange of information about the credibility, creditworthiness
and payment history of their clients and applicants for offered services. At this point we remind again that to a certain extent,
in these cases, our bank is also entitled to participate in mutual exchange of certain information within certain registers without
obtaining the client’s consent;
(b) other providers of payment services, through which you access the payment accounts maintained for you by our bank;
(c) RBI Group entities for the purpose of offering products and services and customer care;
(d) other parties for the purpose of distribution of information, offering of products and services of our bank or other parties to
the clients. Subject to your consent, such transfers will be made in full compliance with the other conditions contained in this
Information Memorandum, particularly with regard to the purpose, scope and time of processing of personal data. We will
only transfer your identification and contact data to an extent necessary for the particular recipient. We will always inform
you about the recipients of data when you give your consent, provided that as of the effective date of this version of the
Information Memorandum the recipients of personal data for the purpose of this paragraph of the Information Memorandum
are listed in Annex 3. The decision whether the personal data will be transferred may be based on criteria agreed with
the particular recipient (mainly socio-demographic and economic criteria or criteria based on the scope and frequency of
services provided by our bank). Upon such transfer, we will exercise special care to prevent any threats to the security of the
transferred personal data or abuse of the same.

2.6.3. In certain cases we also closely cooperate with third parties to be able to offer you attractive joint products. When offering such products, the third party and our bank appear as joint controllers, which means that the purposes and means of data processing are determined jointly with such third parties and that we share your personal data with the third party. Such a situation occurs in cases stated at the end of this document in Annex 4.

2.7 Cooperation with Client Information Registers
As mentioned above, in an effort to ensure prudent conduct, our bank also cooperates with various client information registers or its users or members, with whom it shares personal data of clients, particularly concerning assessment of their credibility and creditworthiness. Thus, our bank cooperates, for example, with authorized users of the Banking Client Information Register (“BCIR”) operated by CBCB – Czech Banking Credit Bureau, a.s., with authorized users of the Non-Banking Client Information Register (“NCIR”) operated by Czech Non-Banking Credit Bureau, z.s.p.o., or with members of SOLUS, z.s.p.o., an association of legal entities. More information can be found in the BCIR Information Memorandum, NCIR Information Memorandum and the Information about SOLUS Association Registers available on our bank’s website.

2.8 Transfers of Personal Data to Foreign Countries
Your personal data are processed in the territory of the Czech Republic and other states of the European Union where RBI Group entities are seated and which apply the same personal data protection standards as the Czech Republic. Neither our bank nor the entities participating in the processing of client personal data transfer personal data of clients to countries outside the European Union. An exception to this principle concerns certain payment transactions ordered by means of payment cards involving the use of a 3D Secure code, as agreed under the contractual terms and conditions applicable to the provision of such payment cards. In connection with the use of the 3D Secure code, certain personal data of holder of payment cards are transferred to the provider, PrJSC Ukrainian Processing Center having its registered office at 9 Moskovskiy Ave., Kyiv, Ukraine, who complies with the safety, technical and organizational safeguards of personal data processing.

2.9 Term of Personal Data Processing
Our bank processed personal data of clients only for a time necessary with regard to the purpose of processing. From time to time we evaluate existence of the need to process certain personal data required for a particular purpose. Once we detect that the data are no longer required for any of the purposes, for which they have been processed, we delete the data. However, in respect of certain purposes of personal data processing, we have internally evaluated the usual term of usability of personal data, after expiration of which we most carefully assess the need to process such personal data for the particular purpose. In this regard, it also holds that personal data processed for the purpose of:
(a) conclusion and performance of contracts are processed over the term of the contractual relationship with the client; then, the
relevant personal data are usually usable for 3 to 14 months;
(b) exchange of information about facts reflecting credibility, creditworthiness and payment history of clients and applicants
for offered services are processed over the term of the contractual relationship; then, the relevant personal data are usually
usable for the term defined by the individual operators of client information registers;
(c) protection of legitimate interests of our bank are processed depending on the principle of the particular legitimate interest; it
may be a relatively short term (camera recordings, etc.) or a longer term (debt collection and claims);
(d) offering of products and services or customer care are processed over the term of the contractual relationship; then, the
relevant personal data are usually usable for 3 to 14 months;
(e) compliance with archiving obligations – after expiration of the contractual relationship we process the personal data in order
to comply with our archiving obligations for 10 years.
2.10. Right to Withdraw Consent
In this Information Memorandum we tried to explain why we need your personal data and that for certain purposes we may
process them with your consent only. You are not obliged to give consent to our bank to process your personal data and you are
also entitled to withdraw your consent. At this point we would like to remind that we are also entitled to process personal data for
other purposes without your consent. If you withdraw your consent, we will discontinue the processing of the relevant personal
data for purposes requiring the relevant consent; however, we may be entitled or even obliged to process the same personal data
for other purposes.If you refuse to give or if you withdraw your consent, we may in particular accordingly adjust the availability,
scope or conditions of our products or services.
If you wish to withdraw your consent to the processing of personal data, please refer to any of our branch offices, send us a
letter to Raiffeisenbank a.s., tř. Kosmonautů 1082/29, 779 00 Olomouc, or an e-mail to info@rb.cz, or call our toll-free info
line at 800 900 000.

2.11 Right to Object
In cases where your personal data are processed for the purpose of protecting legitimate interests of our bank, you are entitled to object to such processing. In such case, our bank shall no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims; the above does not apply to processing for the purpose of product and service offering (direct marketing) where our bank shall immediately discontinue the processing of your personal data. The rights to object may be exercised in the same manner as withdrawal of consent or other rights.

2.12 Sources of Personal Data 

We acquire personal data of clients particularly from:
(a) the clients, directly, such as when concluding contracts related to provided banking products or services, and/or indirectly,
such as during use of the banking products or services by the clients, or as part of making information about banking products
and services available to the clients, such as through the bank’s website, etc.;
Raiffeisenbank a.s., Hvězdova 1716/2b, 140 78 Prague 4, ID No 49240901, entered in the Commercial Register maintained by the Municipal Court in Prague, file No B 2051
(b) publicly available sources (such as public registers, records or lists, websites);
(c) third parties authorized to dispose with the client’s personal data and to transfer them to our bank on given terms, such as
from client information registers, RBI Group members, or public authorities or parties obliged to provide such data to us (such
as legal entities when identifying the beneficial owner);
(d) prospective customers interested in services of our bank as part of marketing events and campaigns;
(e) own activities through processing and evaluation of other personal data of the clients.

2.13 Your Other Rights Related to Processing of Personal Data
Right of access to personal data: you have the right to request our bank to provide confirmation as to whether or not your personal data are being processed, and, where that is the case, you have the right of access to the personal data and the specified information. If you are interested, our bank will provide you with a copy of the personal data undergoing processing, namely free of charge once a calendar year, otherwise for compensation of costs associated with processing and providing the copy. If you are interested in having an overview of your personal data being processed, please use the request form. If you are interested in having an overview of data of payment transactions and related payments, which are available to you based on performance of contracts for individual services and products in the form of statements, the bank will provide you with a copy of such statement after paying a fee according to the applicable Price List of products and services.
Right to rectification: You have the right to obtain from our bank without undue delay the rectification of inaccurate processed personal data concerning you. Also, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. If you wish to point out the need to update your personal data, you can use the prepared request form. However, please note that changes to some personal data must be also supported by evidence (such as changed domicile address or marital status).
Right to erasure (“right to be forgotten”): you have the right to obtain from our bank the erasure of your personal data without undue delay where one of the grounds stipulated by legislation applies (such as when the personal data are no longer necessary for the specified purposes or when the personal data have been unlawfully processed). If you are of the opinion that there are grounds for which our bank should no longer process some or all of your personal data, you can use the prepared request form.
Right to restriction of processing: you have the right to obtain from our bank restriction of processing of your personal data where any of the reasons stipulated by legislation applies (such as due to inaccuracy of processed personal data or unlawful processing,
or objection to the processing of personal data based on your legitimate interests.) If you request restriction of processing by our bank, you can apply to us using the prepared request form.
Right to data portability: you have the right to receive from our bank the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. However, this right only applies to your personal data which you have provided to us, which are processed on an automated basis and based on your consent or contract. For security reasons the bank does not allow to save your data to a carrier brought in by you and will provide the data to you saved on its own CD.
Rights related to automated decision-making: if the conclusion whether Raiffeisenbank a.s. enters into a contract with you and provides you with a banking services is based on automated decision-making, we shall inform you thereof, particularly in a situation where we are not ready to grant your application. You may contest the decision, particularly request review of the decision with the participation of authorized staff of Raiffeisenbank a.s., or express your point of view. In doing so, you may use the contact details stated in Article 2.1 of the Information Memorandum. Automated decision-making particularly takes place in the assessment of certain applications for a loan provided by Raiffeisenbank a.s.
Right to complain: if you believe that the processing of your personal data by our bank infringes the applicable legislation, you may refer with your complaint to:
Office for Personal Data Protection
https://www.uoou.cz/
pplk. Sochora 27
170 00 Prague 7
We will provide you with requested information and documents and/or information about adopted measures without undue delay, however not later than within one (1) month from the date of delivery of your request. In some cases, this term may be extended, about which fact we will inform you. If you request cannot be granted, we will inform you about the fact and the reasons, as well as about your other rights (right to complaint and right to court protection).

If required, we are entitled to request additional information in respect of your request to specify your request in detail or to confirm your identity.
3. Raiffeisenbank a.s. as a Processor of Personal Data In certain cases, our bank also handles client personal data by authorization of another party (another controller). For example, these cases include cooperation with other RBI Group companies, agency for third-party products or services, or cooperation with third parties in loyalty programmes. For detailed information, it is always necessary to contact the particular controller of personal data, unless our bank is authorized to provide information in the particular case.
4. Electronic Means of Communication and Mobile Applications As part of customer care, our bank develops technologies to let you use modern electronic means of communication and mobile applications to use our banking products and services. In particular, these include services related to the use of the internet, social networks and various mobile applications. However, we also bear in mind the special nature of banking products and services, and thus we observe the protection of client personal data and banking secrecy when using these means and applications. 

Internet banking. Our bank lets you use some of your products or services online via internet banking. Also, internet banking is a service, through which information about the bank’s services and products are available to you, including individual offers. We process all personal data acquired about you in this regard in accordance with the conditions and principles stated in this Information Memorandum.
Mobile applications. For greater availability of our products and services, we offer mobile banking services (so-called Mobile eKonto). Mobile banking is also a service, through which information about the bank’s services and products are available to you, including individual offers. In this regard, we process selected information related to your mobile device used for mobile banking (can be found in the internet banking service in the detail of your mobile device). We process all personal data acquired about you as part of mobile banking in accordance with the conditions and principles stated in this Information Memorandum. 

Social networks. Also, you can address us through various social networks. We particularly use these communication channels as marketing tools; our products and services are not provided through social networks at this moment. 

Cookies. Also, we use cookies when providing our products and services. Cookies are small text files stored in the user’s computer after loading a website for the first time. These files facilitate identification of the way the visitors work with the contents of our website, which helps us in pursuing a friendlier communication with our website visitors or a more efficient marketing. More information about cookies is available on our website.

5. Information Memorandum
This Information Memorandum is valid and effective as of 25 May 2018. The current version of the Information Memorandum is published on our bank’s website and is also available at our branch offices.

Annex 1 – Scope of Processed Personal Data
1. Identification data – these include data such as name, surname, date and place of birth, birth registration number, permanentaddress, type, number and validity of the identity card; for clients who are natural persons – entrepreneurs, also the identification number and tax ID. Other possible identification data include, for example, information about the IP address of the computer used, signature specimen, number of the account we hold, and files of specific authentication data we agree to use.
2. Contact data – contact addresses, telephone numbers, email addresses, fax numbers or other similar contact data.
Information required for the decision to conclude the contract – these include data particularly required for risk assessment from the perspective of prevention of legalization of proceeds from crime and financing of terrorism, as well as data collected to assess the credit risk of the trade and data required to provide investment services.
Depending on the contract type, these data include:
(i) socio-demographic data – such as age, gender, marital status, education, number of household members, type of income,
nature of employment, the fact whether you are a politically exposed person;
(ii) information about property – such as information about ownership of real property or movables, membership in legal entities
(particularly shares in corporations), information about total income or regular household expenses;
Raiffeisenbank a.s., Hvězdova 1716/2b, 140 78 Prague 4, ID No 49240901, entered in the Commercial Register maintained by the Municipal Court in Prague, file No B 2051
(iii) information about executions or insolvency proceedings, if any, fulfilment of obligations towards other creditors, information
about insurance against property or life risks, information about business relations.
In the event that you withdraw a submitted application for a product or service, we also process the application withdrawal
date along with the data provided before the withdrawal.
3. Data arising out of performance of obligations under contracts – depending on the nature of the provided product or service,
we process information related to the provided product or service. In this category, we process personal data such as the
term of contract, interest rate, maturity term, loan amount, balance of your receivables from the bank, balance of the bank’s
receivables from you, information about realized payment transactions, information about the use of means of payment,
information about realized instructions to buy securities, information about the balance of an investment instrument portfolio.
An overview of these data is usually available to you by means of statements or similar overviews provided or made available
to you in accordance with the specific contracts.
4. Personal data acquired in connection with the provision of our products or services – these include personal data acquired during our interactions. In particular, these include:
(i) data serving to secure communications;
(ii) geo-location data, such as data about the geographic location, home branch office of the client, place of making a payment
order (most often using a payment card) and data identifying the device used to make the payment order;
(iii) records of your preferred communication language, expressed interest in a product or service, your investment strategies, or
your specific requirements disclosed to us,
(iv) information about execution proceedings against your receivable from the bank, about insolvency proceedings against you,
information about insurance against property or life risks, information about business relations (as opposed to the list under
point 3 of this Annex, these include current data acquired in the course of providing our products or services).
5. Personal data created through our activities – in particular, these include the assigned client/product numbers, data created
by evaluation of your transaction behaviour and/or data provided by you (such as to determine whether the conditions to
apply a fee reduction have been met), evaluation of a submitted application for a product or service, or evaluation required
for our decision to offer you a product and/or service or not.
Annex 2 – RBI Group
As of 25 May 2018, the term RBI Group means the group formed by our bank and the following entities:
 Raiffeisen - Leasing s.r.o., ID No.: 61467863, registered office: Hvězdova 1716/2b, 140 78 Prague 4
 Raiffeisen stavební spořitelna a.s., ID No.: 49241257, registered office: Koněvova 2747/99, 13 45 Prague 3
 UNIQA pojišťovna, a.s., ID No.: 49240480, registered office: Evropská 136/810, 160 12 Prague 6
 Raiffeisen investiční společnost a.s., ID No.: 291 46 739, registered office: Hvězdova 1716/2b, 140 78 Prague 4
 Raiffeisen CEE Region Holding GmbH, Am Stadtpark 9, 1030 Vienna, Austria
 Raiffeisen RS Beteiligungs GmbH, Am Stadtpark 9, 1030 Vienna, Austria
 Raiffeisen Bank International AG, Am Stadtpark 9, 1030 Vienna, Austria
Annex 3 – Recipients of Personal Data
According to the Information Memorandum Article named Recipients of Personal Data (point 2.6.2, letter d)), recipients of
identification and contact personal data of clients may be the following entities:
No such recipients are defined as of 25 May 2018.
Annex 4 – Joint Controllers
According to the Information Memorandum Article named Recipients of Personal Data (point 2.6.3), the following entities are joint
controllers with our bank:
No joint controllers are defined as of 25 May 2018.

Information memorandum