Legal notice
INFORMATION MEMORANDUM OF PERSONAL DATA PROTECTION
The objective of this Information Memorandum of Personal Data Protection is to provide information related to processing of personal data pursuant to provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC.
In this Information Memorandum of Personal Data Protection you will find information about the purposes we process your personal data for, whom they may be provided to, what your rights are, as well as information where you can contact us in case you have a question related with processing of your personal data.
With regard to this we recommend you to get to know the information contained herein. Any changes related to processing of your personal data will be provided in form of an update of this document published on our websites and available at Tatra-Leasing branches.
1. Information about controller
The controller is Tatra-Leasing, s.r.o., Organization ID.: 31 326 552, registered office at Hodžovo námestie 3, 811 06 Bratislava, registered in the Commercial Register of the City Court Bratislava III, Section: Sro, Insert No.: 2992/B, contact data: INFOLEASING +421 2 5919 5019, e-mail:[email protected] (hereinafter referred to as “Tatra-Leasing”).
Ensuring protection of your personal data is very important for us and therefore we pay proper attention to compliance with the valid legal regulations at personal data processing, especially the principles and requirements resulting from GDPR. We have set the respective technical and organisational measures that contribute to ensuring protection of the processed personal data of our clients.
In case of any questions related to processing of your personal data please contact our DPO (Data Protection Officer) who is authorised to supervise processing of personal data in our company. You may contact DPO by e-mail on [email protected] or in writing at: DPO, Tatra banka, a. s., Hodžovo namestie 3, 811 06 Bratislava 1.
2. Basic Terms
GDPR |
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. |
Data subject |
Natural person whose personal data are processed. It is a person who can be identified directly or indirectly, especially with reference to the identifier such as name, identification number, online identifier or one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identify of this natural person. |
Client |
Person with whom Tatra-Leasing, performing its formation, change or termination of contractual relationships between the client and Tatra-Leasing. The client is also the person with whom Tatra-Leasing discussed the conclusion of the transaction, even if the transaction was not concluded, the person who ceased to be the client of Tatra-Leasing, the person providing the security and also the client's representative, who was on the client's behalf concluded the transaction or negotiated our conclusion. For the purposes of this document, the Client is also a beneficiary defined by AML Act. |
Processing |
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Anti Money Laundering (AML) |
Prevention of legalization of proceeds from criminal activity and financing of terrorism. |
Client filing system |
An organized set of personal data processed by Tatra-Leasing for the purpose of: provision of financial services and related services, identification of Tatra-Leasing clients and identification of contractual partners * Tatra-Leasing (* A contractual partner is an entity with which Tatra-Leasing cooperates in providing financial services as far as it could not be an Client. |
Marketing filing system |
Organised set of personal data processed by Tatra-Leasing for the following purpose: Informing about products, innovations and services provided by Tatra-Leasing in connection with obtaining benefits from Tatra-Leasing. |
Controller |
Any person who, alone or together with other parties, determines the purposes and means of personal data processing and processes personal data on their behalf. For purposes hereof the controller is Tatra-Leasing. |
Processor |
Any person who processes personal data on behalf of the controller on basis of authorisation in compliance with Article 28 GDPR. |
Act of income tax |
No. 595/2003 Coll. on Income tax. |
Act on Consumer Loans and Other Credits and Borrowings for Consumers |
No. 129/2010 Coll on Consumer Loans and Other Credits and Borrowings for Consumers |
ALM act |
No. 297/2008 Coll. on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing on Amendments and supplements to Certain Acts as amended. |
Act on Financial Intermediation and Financial Counselling |
Act No. 186/2009 Coll. Financial Intermediation and Financial Counselling |
Act on Accounting |
No. 431/2002 Coll. on accounting. |
3. What are personal data and why do we process them?
Personal data are any information related with the identified or identifiable natural person who can be determined directly or indirectly, especially by referring to the identifier such as name, identification number, localisation data, online identifier or by referring to one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identity of the respective natural person.
Tatra-Leasing processes only those personal data which are required for achieving the particular processing purposes. Personal data are processed always for the pre-determined and legitimate purpose while it would not be possible to achieve such purpose without processing of the respective data.
In the case of processing personal data on a legal basis, such as processing for the purpose of Providing financial and related services, identification of clients and identification of contract partners, the provision of relevant data by you is a legal requirement and it is not possible to carry out the service without providing them. Failure to provide the relevant data therefore results in a non-provision of a financial service.
Provision of data by the Client is voluntary in case of processing of personal data based on Client's consent, such as in case of processing in terms of the Marketing filing system. With the aim to adjust the offer of products and services directly to your requirements, Tatra-Leasing evaluates information processed about you in order to provide you with a targeted offer and this way eliminate sending of non-targeted marketing offers. Granting the approval is voluntary. If you decide not to grant the approval, Tatra-Leasing will not be allowed to send you marketing information or offers in this particular case.
Recording telephone calls at INFOLEASING
Tatra-Leasing records all telephone calls executed via INFOLEASING. Personal data obtained in this way are processed in the filing systems of the leasing company – Client filing system and Marketing filing system, and that for purposes determined for the respective filing systems.
4. Categories of personal data that can be processed by Tatra-Leasing
Tatra-Leasing's activities include processing of various categories of personal data which differ depending on the purpose of processing and nature of the particular processing activity. Such personal data categories are as follows:
In case of Client filing system:
- Identification data (for instance name, surname, date of birth, birth identification number, data from the identification document, nationality, identification document photography, client number, product number),
- Contact data (for instance permanent/temporary residence address, e-mail address, telephone number),
- Data about the utilised products and services (e.g. data about the utilised products and services, data related with processing of your suggestions),
- Biometric data (characteristics of the face of signature )
- Sociological and demographic data (for instance age, sex, family status, education, number of persons in household, information about income, type of employment, information related to politically exposed person),
- Economic data (for instance data about ownership of movable and immovable objects, data about total revenues or regular household costs, data about the type of housing),
- Data whether the Client or potential client is in a special relationship with the Tatra-Leasing,
- Data of the Client who have as an unusual business operation of the Tatra-Leasing concidered, and data of the Clients that are subject to international sanctions and similar data showing the client's risk.
- Audio recordings (for instance camera recordings executed at conclusion of transactions, recordings of telephone calls executed by means of INFOLEASING),
- Copies of documents including identification documents (and photographs from the respective documents),
- Data related with utilisation of our websites and applications (for instance cookies),
- Other relevant data (for instance data about execution proceedings, bankruptcy proceedings, personal bankruptcy, data related with meeting your contract duties and obligations, data about your payment discipline, data from credit registers.
In case of Marketing filing system:
- Data related with utilisation of websites and applications (for instance cookies),
- Relevant data processed about you in the Client filing system.
The number of personal data categories set forth herein represents a full and complex account of all personal data categories which can be considered in terms of the particular purpose of processing at provision of the comprehensive scope of financial products and services in all states of a contract relationship. Individual account of personal data categories for individual clients will therefore be just a sub-group of this account.
5. Purpose and legal ground for personal data processing
Tatra-Leasing processes your personal data always for the pre-determined and legitimate purpose of processing while respective legal grounds for such processing must always exist. Tatra-Leasing would like to assure you that your personal data are never further processed for purposes which are incompatible with the originally determined purposes of processing.
Tatra-Leasing's activities might include processing of your personal data for the processing purposes as follows:
5.1 Providing financial and related services, identification of clients and identification of contract partners
This purpose includes especially:
- Identification of clients,
- Conclusion of contract relationships with the Client including pre-contract relationships,
- Maintenance of contract relationships including changes and termination of contract relationships,
- Acceptance and processing of suggestions and complaints of Clients,
- Relationship management,
- Protection and seeking the rights of Tatra-Leasing towards Clients,
- Meeting Tatra-Leasing´s obligations in the field of AML,
- Activities related with performance of the tasks and obligations of Tatra-Leasing pursuant to valid legal regulations,
- Maintenance of the list of persons with a special relationship with Tatra-Leasing,
- Maintenance of separate records of Clients who do not properly and on time fulfill their obligations arising from contractual relations with Tatra Leasing,
- Clients who have committed action considered by the bank as unusual business transaction and Clients the international sanctions relate to
- Activities related with meeting the archive duties.
In this case your personal data are processed in the extent required for meeting the legal obligations of Tatra-Leasing while legal base for processing in this case rests in the following legal regulations:
- AML Act,
- Act on Income tax,
- Act on Consumer Loans and Other Credits and Borrowings for Consumers,
- Act on Financial Intermediation,
- Act on Insurance services,
- Act on Accounting.
Tatra-Leasing may proceed to processing of your personal data in cases when the scope of personal data set forth by the legal regulations set forth herein is not sufficient for achieving the determined purpose of processing, also under the following legal grounds:
- if it is necessary for performance of the contract concluded between you and Tatra-Leasing including precontract relationships pursuant to Article 6 par. 1 b) GDPR,
- if you have granted consent to processing of your personal data for the particular purpose/purposes pursuant to Article 6 par. 1 a) GDPR,
- if you have granted consent to processing of your personal data for the particular purpose/purposes pursuant to Article 9 par. 2 a) GDPR,
- if it is necessary for purposes of legitimate interests followed by Tatra Leasing or a third party pursuant to Article 6 par. 1 f) GDPR,
- if processing is necessary for proving, claiming or justification of legal claims pursuant to Article 9 par. 2 f) GDPR.
Tatra-Leasing is obligated to proceed with expert care in terms of its activities and in connection therewith has legitimate interest in prevention against criminal activity or other illegal action which can cause damage or harm reputation of the company or any other detriment, or against action which can negatively impact the activity of Tatra-Leasing or put its employees or other data subjects in danger, and for this purpose it is entitled to keep the list of persons with potential risk while this processing may lead to termination of the contract relationship or rejection of transaction execution.
5.2. Marketing
Tatra-Leasing processes your personal data on legal grounds of your prior voluntary consent or under legitimate interests of Tatra-Leasing for purposes of informing about products, innovations and services provided by Tatra-Leasing, and also in connection with obtaining advantages by Tatra-Leasing including creation of offers for such advantages at utilisation of profiling.
In case you have granted your consent to processing of your personal data for the purpose set forth herein to Raiffeisen Group, your personal data may be processed (i) by entities with direct or indirect property interest in Tatra-Leasing, (ii) by entities in which Tatra-Leasing has direct or indirect property interest, (iii) by entities in which the entity with property interest in Tatra-Leasing has direct or indirect property interest, (iv) by entities having direct or indirect property interest in the entity with property interest in Tatra-Leasing. For purposes of this document these are especially the following entities:
- Tatra banka, a.s., seated at Hodžovo namestie 3, 811 06 Bratislava, Company ID No: 00 686 930,
- Doplnková dôchodková spoločnosť Tatra banky, a. s., seated at Hodžovo namestie 3, 811 06 Bratislava, Company ID No: 36 291 111,
- Tatra Asset Management, správ. spol. a. s., seated at Hodžovo namestie 3, 811 06 Bratislava, Company ID No: 35 742 968,
- Centrum bývaniaTB seated at Hodžovo namestie 3, 811 06 Bratislava, Company ID No: 35 707 682.
Tatra-Leasing has legitimate interest in taking care for its Clients and developing business relations with its Clients, and hence informing them about its products, innovations, services or offers of various benefits. In relation thereto Tatra-Leasing can contact you yet without your prior consent while it will inform you of such processing of your personal data and instructs you about your rights, especially about the right to object to processing of your personal data. Naturally, this is not the case if you have expressed your disapproval of such contact or if you object it.
Tatra-Leasing may communicate with you for the above purpose by means of automatic calling system, telephone, e-mail, text message or via other means of distance communication. With the aim to adjust the offer of products and services directly to your requirements, Tatra-Leasing evaluates information processed about you in order to provide you with a targeted offer and this way eliminate sending of non-targeted marketing offers.
For the purposes defined in this point, the Client is also considered to be a person with whom Tatra-Leasing has negotiated or is interested in negotiating a transaction, even if this transaction was not executed, a person who ceased to be a client of Tatra-Leasing, a person providing security and also a client's representative concluded a transaction on behalf of the client or negotiated its conclusion.
6. Biometric data processing
According to Article 4(14) of the GDPR, biometric data are “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Biometric data belong to special categories of personal data, the processing of which is subject to special requirements, in particular with regard to the legal basis for processing or the fulfilment of other conditions under the GDPR.
The processing of biometric data also occurs within the activities of Tatra Leasing as part of the Client Information System. The following personal data are subject to processing:
• Biometric facial characteristics
Tatra Leasing may process biometric characteristics of your face in order to maintain or increase the level of security and to unambiguously identify clients and to prevent damage caused to clients by third parties through the appropriation of their identity, and to facilitate the provision of financial services. However, such processing will only take place on the legal basis of consent and will not take place in the absence of consent. The legal basis is the Client's consent.
• Biometric signature characteristics
Tatra Leasing may process biometric characteristics of your signature in order to maintain or increase the level of security and to unambiguously identify clients and to prevent damage caused to clients by third parties through the appropriation of their identity, and to facilitate the provision of financial services. However, such processing will take place on the legal basis of consent and will not take place in the absence of consent.
Within the purpose, which is: Provision of financial services and related services, identification of Tatra Leasing's clients and identification of Tatra Leasing's contractual partners, the processing of biometric characteristic of signature occurs in certain financial operations on the legal basis referred to in Article 9(2)(f) of the GDPR, i.e., if the processing is necessary for the establishment, exercise or defence of legal claims. Such cases include, for example, the signature of the client or the authorised persons on the client's side on an electronic document prepared in connection with the provision of financial services.
On the basis of changes made in the law related to the GDPR, it is also necessary, based on the change in the legal definition, to consider the existing handwritten signature in digitised form as a signature containing the biometric characteristics of a signature.
7. Automated decision making including profiling
Automated decision making including profiling belongs to the processing operations which are worth special attention, executed by the Client filing system.
Processing of a request for provision of a financial service results in automated decisions made on basis of profiling. Profiling of a Client considers the data obtained by Tatra-Leasing at the time of request and also data registered by Tatra-Leasing in terms of previous Client's history in Tatra-Leasing, as well as data obtained in compliance with valid legal regulations from external resources and the system executes automated decisions on basis of these data. Tatra-Leasing considers several data at profiling, which can impact the decision regarding the request both positively and negatively. The data which are considered are data about potential Client risk rate, Client's assets and liabilities with Tatra-Leasing, Client's payment discipline, regularity of utilisation of products at the time when conclusion of the given transaction is negotiated. Tatra-Leasing evaluates the respective data in regular intervals and estimates the risk profile of the Client based on these data. In case of a Client with no previous history in Tatra-Leasing evaluates the data obtained from the Client's request and data obtained in compliance with the valid legal regulations from external resources. The request is considered at the automated decision making on basis of the obtained risk profile of the Client.
This decision may affect automatic request refusal, maximum approved amount of financing, possibility of provision of individual products, maximum maturity of the requested product. Client's risk profile as such has direct impact on the proposal of conditions and it basically applies that the better the Client's risk profile, the better the conditions for the Client suggested by the Tatra-Leasing.
The data set forth herein and also data about behaviour of clients at payment delay can be used for the process of decision making regarding the optimum recovery process and can affect selection of the finance recovery or restructuring strategy. Data can also be used for the activities for the purpose of avoiding the delay of the client.
In case of automated decision making including profiling pursuant to Article 22 GDPR at processing of your request for financing, you will be entitled to human intervention by Tatra-Leasing on your own standpoint and also to object the decision adopted on basis of automated decision making including profiling.
Automated decision making happens when a loan transaction conclusion is negotiated.
8. Credit registers
In connection with the assessment of the Client’s ability to repay a loan, your data may be provided and disclosed to the relevant registers:
- Non-Banking Credit Bureau – Consumer Credit Register (hereinafter referred to as the “Register”) is a register according to Section 7(3) of the Act on Consumer Loans and also a register according to Section 8(20) of the Act on Housing Loans in the extent according to Section 7(9) of the Act on Consumer Loans. According to the Act on Consumer Loans and Act on Housing Loans, Tatra-Leasing is obliged to provide data to the Register and obtain data from the Register without consent of the Client. The legal basis for the processing of personal data in the Register is Article 6(1)(c) of the Regulation, Act on Consumer Loans and Act on Housing Loans. The categories of personal data and the purpose of the processing of personal data in the Register are stipulated by the Act on Consumer Loans and the Act on Housing Loans; the purpose of the processing of personal data in the Register is granting of consumer loans and/or housing loans and the assessment of the consumer’s ability to repay the consumer loan and/or housing loan.
The provision of personal data in the above-mentioned instances is a statutory requirement.
- Non-Banking Credit Bureau (hereinafter referred to as the “Credit Bureau”) is a register which processes, by automated means of processing, personal data of natural persons and legal entities who/which applied for the conclusion of a contract, as well as of those persons who concluded a contract with non-banking creditors and other entities published by the association of legal entities called Non Banking Credit Bureau, záujmové združenie právnických osôb, Company ID No.: 42 053 404, with its registered office at Mlynské Nivy 14, 821 09 Bratislava (hereinafter referred to as “NBCB”) which is the controller of the Credit Bureau. Tatra-Leasing is a founding member of NBCB. The legal basis for the processing of personal data in the Credit Bureau is the consent of the Client granted according to Article 6(1)(a) of the GDPR Regulation. The Client shall have the right to withdraw the granted consent at any time. The categories of personal data are data in the extent provided in the application for conclusion of a contract or, in the case that the contract has been concluded on the basis of the application, data in the extent provided in the contract; the purpose of the processing is mutual provision of information between non-banking creditors and other entities published on www.nbcb.sk, namely information about solvency, credibility and payment discipline of their clients, protection of legitimate economic interests and prevention against credit frauds.
Personal data processed in the Credit Bureau are provided to non-banking creditors and other entities published on www.nbcb.sk
Complete information according to Article 14 of the GDPR Regulation on the processing of personal data in the Credit Bureau and the Register is provided in Annex No. 1 hereto.
9. Who can we provide your personal data to?
Tatra-Leasing shall not provide your personal data to other entities, except for the cases in which you have granted your consent or written instruction to Tatra-Leasing for such provision of data or if other legal ground for provision of your personal data to other entities exists, for instance in case of performance of the legal obligation of Tatra-Leasing as the controller. Provision of your personal data to other entities in terms of performance of the legal obligation can be executed in the environment of Tatra-Leasing only in cases set under the relevant legislations.
Tatra-Leasing may provide personal data to other entities without your consent in terms of meeting the legal duties:
- in the area of protection against legalisation of incomes from criminal activities and financing of terrorism pursuant to the AML Act,
- in connection with reporting to the law enforcement authorities about suspicion that a crime is being prepared, being committed or was committed,
- in connection with consideration of the ability to repay a consumer loan pursuant to the Act No. 129/2010 on Consumer Loans and Other Credits and Loans for Consumers and on amendments to certain laws as amended,
- in connection with meeting the reporting duty towards the National Security Authority in the field of cybersecurity pursuant to the Act No. 69/2018 Coll. on Cybersecurity.
Also please note that Tatra-Leasing and entities from the Raiffeisen Group have legitimate interest in mutual sharing of personal data processed in the Client filing system which can lead also to cross-border transfer of data, and that in terms of:
- protection against legalisation of incomes from criminal activities and financing of terrorism,
- meeting the duties connected with the execution of banking activities at the level of the Raiffeisen Group,
- in connection with consideration of financial standing and credibility of clients.
Tatra banka and its subsidiaries act as a set of entities subject to supervision on a consolidated basis and observe selected legal obligations jointly and in cooperation with each other.
In connection with the facts stated herein, we inform you that Tatra banka, as well as Tatra banka´s subsidiaries, have a legitimate interest in the consistency of the data of clients who are clients of Tatra banka and at the same time clients of Tatra banka´s subsidiaries, and also in maintaining the timeliness of the processed personal data, therefore Tatra banka as the operator, which is authorised on the basis of §93a par. 9 of the Act on Banks, even without the consent of the persons concerned, to obtain information recorded in the register of natural persons and information maintained in the register of ID cards, may provide such up-to-date information for the purpose of updating the already processed personal data to other Tatra banka´s subsidiaries.
The Tatra banka´s subsidiaries for this purpose are:
- Doplnková dôchodková spoločnosť Tatra banky, a. s., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 36291111,
- Tatra Asset Management, správ. spol. a. s., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 35742968,
- Tatra Leasing, s. r. o., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 31326552
Tatra-Leasing does not publish your personal data.
9.1. Processors
Tatra-Leasing may process your personal data in certain cases also by means of its processors. Processor is an entity authorised by Tatra-Leasing to process personal data in compliance with the Article 28 GDPR. Authorisation for processing of your personal data by an processor does not require your consent or other legal ground such as in case of provision of data to other controllers. In such case the processor processes your personal data on behalf of Tatra banka as the controller.
Processing of personal data by means of an processor has no negative impact on performance and application of your rights as the data subject determined in Chapter III GDPR while the client can apply the respective rights with Tatra-Leasing as the controller also directly with the particular processor which processes your personal data.
Tatra-Leasing wants to assure you that it only uses the processors providing appropriate technical, organisational and other measures so that processing meets the GDPR requirements and protection of rights of the data subject is provided in full extent. Tatra-Leasing uses the following categories of processors at processing of your personal data:
- companies which provide or execute financial and related services,
- companies which execute customer satisfaction surveys,
- companies which provide marketing activities,
- companies which provide print services and services of mass correspondence,
- companies which execute maintenance of registry records pursuant to separate regulations,
- companies which provide recovery and maintenance of receivables,
- companies which provide execution of mortgage by means of public auction.
9.2 Transfer of personal data to third countries
Personal data are not the subject of cross-border transfer to third countries that do not ensure an adequate level of personal data protection except for the cases specified by valid legal regulations or specific situations when the Client must be notified of such transfer in advance.
9.3 Processing of personal data using cloud solutions
When processing personal data, cloud solutions or solutions of a similar technical nature are used in many cases. The use of such solutions is, for example, in many cases required as part of the implementation of state-of-the-art software tools, or improves efficiency and cost-effectiveness. Last but not least, such solutions also help maintain the integrity of the processed data and contribute towards the security of processing.
Depending on the type of processing activities, in such processing the providers of cloud or similar services act mainly as processors in accordance with Article 28 of the GDPR. In selecting its partners and in the course of the processing activities, Tatra-Leasing is very careful to avoid any risk of data security breach or any negative impact on the rights of data subjects. Tatra-Leasing also consistently makes sure to select only partners who have demonstrably implemented appropriate technical and organisational measures to ensure the level of security pursuant to point (c) Article 28 par.3 c) and Article 32 of the GDPR, so that the processing is performed in compliance with the valid legal regulations, in particular the GDPR, and to ensure protection of the rights of data subjects.
In such processing, personal data are not transferred to third countries which do not guarantee an adequate level of protection under the GDPR“
10. How long do we store your personal data (period of storage and archiving)?
Tatra-Leaisng shall retain your data in a form enabling your identification for the period necessary to achieve the purpose of personal data processing.
If your personal data are being processed in terms of performance of the legal obligation of Tatra-Leasing, the respective legal regulations specify the period during which Tatra-Leasing is obligated to store your personal data and related documents. Such legal regulations include especially:
- Act No. 431/2002 Coll. on Accounting, based on which the bank is obligated to keep and protect your personal data and related documents, which form part of the accounting documentation in the course of ten years following the year the accounting documentation relates to.
- AML Act, which stipulates that Tatra-Leasing is obligated to store during the period of five years:
- after the contract relationship with the client terminated: data and written documents obtained in connection with care provided for the client and in connection with detecting unusual business transaction,
- after the execution of transaction: all data and written documents about the client
- Act on Financial Intermediation, which stipulates the period for storing documentation for the period of at least ten years after commencement of validity of the contract on provision of financial service and the period of at least five years after termination of the contract on provision of financial consulting (§ 36).
If your personal data have been processed based on your consent, Tatra banka will keep the personal data after the consent is revoked or after the consent validity period has expired for only such period, which is required to prove the application or defending the legal claims of Tatra banka. It also applies in case of processing based on a contract or legitimate interest. After the purpose of processing ends, a part of the processing purpose entitled “Archiving for the needs of protection of the provider´s rights and proving, application or defending the legal claims, as well as providing collaboration to the respective authorities” is fulfilled. The legal base for processing under which the respective personal data were obtained, remains valid yet in such case.
In terms of the archiving period / storage period, personal data are being processed especially:
- in the manner stipulated by the respective legal regulation imposed on the company,
- in connection with the communication of the company towards the public authorities in terms of the protection of company´s rights,
- in connection with the protection of the rights and the right of company´s protected interests, for instance in terms of an internal analysis or internal investigation,
- in connection with the entries and other related communication with the respective authorities in terms of proving, application or defending the legal claims,
- in connection with the handling of collaboration provided to the public authorities in compliance with the legally defined conditions.
11. How do we protect your personal data?
We adopt technical and organisational measures with the aim to protect your personal data against intentional or neglectful deletion, loss or change and unauthorised accession of your personal data. Tatra-Leasing employees, as well as Tatra-Leasing contract partners who process personal data on behalf of Tatra-Leasing are bound by the obligation of secrecy which lasts yet after the contract relationship terminates.
12. What are your rights in relation to personal data processing?
In connection with processing of personal data you have the right to file a compliant to the Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, Slovak Republic.
You have the right to correct the personal data related to you that are incorrect or to complete the personal data that are incomplete. Please do not hesitate to contact us in case you find out that the data we process in relation to you are incorrect or incomplete.
If your personal data are being processed based on the consent pursuant to Article 6 par. 1 GDPR or pursuant to Article 9 par. 2 GDPR, you are entitled to withdraw this consent at any time. However, withdrawal of consent has no impact on lawfulness of processing resulting from consent before its withdrawal.
Right to object to processing of your personal data
As the data subject, you have the right to object to processing of your personal data if the processing is being carried out on the legal grounds of the legitimate interests of Tatra-Leasing, including objecting to profiling based on legitimate interests. Tatra-Leasing may further process your personal data on grounds of legitimate interests only in case it proves the existence of inevitable legitimate grounds for processing which prevail over your interests, rights and freedom, or grounds for demonstrating, application or defending of legal grounds.
You are entitled to object to processing of your personal data at any time for purposes of direct marketing including profiling in the extent in which it is related to such direct marketing, and that in case of processing on legal grounds of legitimate interests of Tatra-Leasing. If you object to processing for purposes of direct marketing, Tatra-Leasing will not further process your personal data for purposes of direct marketing. As the data subject you are entitled to access your personal data. In case of meeting the terms and conditions defined by GDPR you can apply for a statement of your personal data which we process about you. In certain circumstances you can apply for restriction of processing, transfer of your personal data and you are also entitled to deletion of your personal data.
You can exercise your rights in writing, by telephone via our INFOLEASING, by e-mail sent to [email protected] or in person at any branch. Tatra-Leasing may ask you to provide additional information required for verification of your identity.
Annex 1: Information pursuant to Article 14 of the GDPR on the processing of personal data in registers
Information on personal data processing in Non-Banking Client Information Register
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”), Non-Banking Credit Bureau, an association of legal entities, ID No. 42 053 404, with its registered office at Mlynské Nivy 14, 821 09 Bratislava (hereinafter referred to as “NBCB”), as the operator of the Non-Banking Client Information Register (Nebankový register klientskych informácií), provides you as a data subject by means of this document, in a concise, transparent and comprehensible form, with all relevant information related to the processing of your personal data in the Non-Banking Client Information Register and the exercise of your rights under the GDPR.a
A. General information related to your personal data processing
The Non-Banking Client Information Register – Consent Register (the “NBCIR”) is a database, or a filing system under the GDPR, created for the purposes set out in this document. NBCB processes your personal data in the NBCIR based on your consent to the processing of personal data.
Pursuant to Act No. 129/2010 Coll. on consumer credits and on other credits and loans for consumers (hereinafter referred to as the “Consumer Credit Act”), the Non-Banking Client Information Register – Consumer Credit Register is a register under Section 7(3) of the Consumer Credit Act and also a register under Section 8(20) of Act No. 90/2016 Coll. on housing loans (hereinafter referred to as the “Housing Loans Act”) to the extent under Section 7(9) of the Consumer Credit Act (hereinafter referred to as the “Register”). When granting a consumer credit under the Consumer Credit Act, banking institutions and creditors (hereinafter referred to as the “Creditors”) are obliged, pursuant to the Consumer Credit Act and the Housing Loans Act, to provide your personal data to and retrieve your personal data from the Register without your consent.
The categories of personal data processed about you in the NBCIR are the data to the extent provided in the application and, in the event of entering into a contract based on the application, the data to the extent provided in the contract, and the purpose of their processing is the disclosure of personal data to third parties in order to share information between third parties about the creditworthiness, credibility and payment discipline of their clients (you), protection of legitimate economic interests of the Creditors and prevention against credit frauds.
The categories of personal data processed about you in the Register are stipulated in the Consumer Credit Act and the Housing Loans Act. The purpose of personal data processing in the Register is the granting of consumer loans and the assessment of the consumer’s ability to repay a consumer credit, es specified by the Consumer Credit Act and the Housing Loans Act.
The legal basis for the processing of your personal data in the NBCIR is your consent given in accordance with Article 6(1)(a) of the GDPR. The consent according to the previous sentence is given voluntarily and as a data subject you have the right to withdraw your consent to the processing of personal data relating to you at any time. The withdrawal of consent shall not affect the lawfulness of your personal data processing based on consent before its withdrawal.
The legal basis for the processing of your personal data in the Register is Article 6(1)(c) of the GDPR (compliance with a legal obligation under the Consumer Credit Act and the Housing Loans Act).
If you, as a data subject, default on or partially stop repaying your obligations, a so-called negative information on your solvency (hereinafter referred to as “Negative Information”) will be created in the NRCI). In the event that you begin to repay your obligations properly, such remediation of solvency will not affect the existence of the Negative Information.
The legal basis for the processing of your personal data after the occurrence of the Negative Information is Article 6(1)(f) of the GDPR. The legitimate interests for the processing of your personal data after the occurrence of the Negative Information are:
(a) minimising the likelihood of non-repayment of the financial performance provided to you as a data subject,
(b) minimising the likelihood of decline (loss) of assets on the part of the Creditors,
(c) enhancing the ability of the Creditors to act with professional diligence,
(d) a society-wide interest in the prevention of credit fraud; and
(e) a society-wide interest in reducing the indebtedness of data subjects.
The source of your personal data in the NBCIR and the Register are third parties to whom you have provided them as a client or a prospective client.
Personal data processed about you in the NBCIR are provided to third parties published and regularly updated on www.nbcb.sk and can also be made available by Slovak Banking Credit Bureau, s.r.o., ID No. 35 869 810, with its registered office at Mlynské Nivy 14, 821 09 Bratislava (hereinafter referred to as “SBCB”) to banks and branches of foreign banks as authorized users of the Common Register of Banking Information regularly published on www.sbcb.sk and to other authorised entities pursuant to applicable legislation. The Common Register of Banking Information (hereinafter referred to as the “CRBI”) is created pursuant Section 92a(1) of Act No. 483/2001 Coll. on banks (hereinafter referred to as the “Banking Act”) as a common banking register operated by SBCB established as a joint venture of ancillary banking services pursuant to Section 92a(2) of the Banking Act.
Pursuant to Section 7(6) of the Consumer Credit Act and the applicable provisions of the Housing Loans Act, personal data processed about you in the Register may also be disclosed to banks, foreign banks and branches of foreign banks and to other Creditors and entities defined by these legal regulations. The list of Creditors, banks, foreign banks and branches of foreign banks and consumer credit data registers and their operators pursuant to the Consumer Credit Act is provided on www.nbs.sk.
The purpose of processing of your personal data when providing them to CRBI users by NBCB through SBCB and when providing them to third parties by SBCB through NBCB, is the sharing of information between third parties and authorised users about the creditworthiness, credibility and payment discipline of their clients (data subjects), protection of legitimate economic interests of the Creditors and prevention against credit frauds.
The legal basis for the disclosure of your personal data to CRBI users by NBCB through SBCB, and for their disclosure to third parties by SBCB through NBCB is your consent given in accordance with Article 6(1)(a) of the GDPR. The consent according to the previous sentence is given voluntarily and as a data subject you have the right to withdraw your consent to such processing of your personal data. The withdrawal of the consent shall not affect the lawfulness of personal data processing based on the consent before its withdrawal.
The period of processing and storage of your personal data in the NBCIR, and the period of processing and storage of your personal data when disclosed to CRBI users by NBCB through SBCB, is 5 years from giving your consent, and in the event of concluding a contract between the Creditor and you as a data subject, the period of processing and storage of your personal data is the term of the contract and 5 years from the termination of your obligations to the Creditor under the contract. The period of processing and storage of your personal data after the creation of the Negative Information corresponds to the term of the contract and 5 years from the termination of your obligations to the Creditor under the contract.
The period of processing and storage of your personal data in the Register is the term of the contract and 5 years from the termination of your obligations to the Creditor under the contract. Your personal data will be then placed under the pre-archiving care in accordance with generally binding legal regulations.
NBCB processes your personal data through a processor, CRIF – Slovak Credit Bureau, s.r.o., with its registered office at Mlynské Nivy 14, 821 09, Bratislava.
Another processor of NBCB is CRIF S.p.A. with its registered office at Via M. Fantin 1-3, 40131 Bologna, Italy.
Your personal data processed in the NBCIR and the Register are not disclosed or transferred to third countries.
B. Information related to the exercise of your rights under GDPR
The GDPR generally grants you as a data subject a number of rights, including, in particular, the right of access to personal data, the right to rectification of personal data, the right to erasure of personal data (the right “to forget”), the right to restriction of personal data processing, the notification obligation regarding rectification or erasure of personal data or restriction of personal data processing, the right to personal data portability, the right to object to personal data processing, the right not to be subject to automated individual decision-making, including profiling, and others.
However, not all the rights granted to you as a data subject by the GDPR can be exercised with respect to processing operations performed with your personal data by NBCB as the controller. The list below provides a basic overview of your rights, which can be exercised by you against NBCB as the controller.
I. Right of access to personal data
1) You have the right to obtain confirmation as to whether or not your data are processed by SBCB as the controller and where that is the case, to access such personal data. You also have the right to obtain information on:
a) purposes of your personal data processing,
b) categories of personal data processed about you,
c) recipients or categories of recipients to whom your personal data will be disclosed, in particular about recipients in third countries or international organisations,
d) the expected storage period of your personal data,
e) the existence of the right to request rectification of personal data concerning you or their erasure or restriction of processing,
f) the right to lodge a complaint with a supervisory authority,
g) the source of your personal data, unless they have been obtained directly from you,
h) the existence of automated decision-making, including profiling (however, NBCB does not currently perform automated decision-making or profiling of you).
2) You have the right to obtain a copy of the personal data processed about you. However, the right to obtain such a copy must not adversely affect the rights and freedoms of others. For more information on how to obtain such a copy, please refer to the “Request handling procedure” section.
3) NBCB will provide you with a copy of the personal data processed about you. If you submit a request by electronic means, the information will be provided in a commonly used electronic form. NBCB, as the controller, is, however, entitled to ask you for additional information necessary to confirm your identity where it has reasonable doubts concerning the identity of the natural person making the request. For more information on how to obtain such a copy, please refer to the “Request handling procedure” section.
4) You have the right to lodge a complaint or an application to bring proceedings pursuant to Section 100 of Act No. 18/2018 Coll. on personal data protection if you believe that your rights or freedoms have been violated in connection with the processing of your personal data by NBCB. Such a complaint or an application to bring proceedings may be addressed to the Office for Personal Data Protection (https://dataprotection.gov.sk/uoou/).
II. Right to rectification of personal data
You have the right to obtain from NBCB as the controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
III. Right to erasure of personal data (“right to be forgotten”)
1) You have the right to obtain from NBCB as the controller the erasure of personal data concerning you without undue delay and NBCB shall have the obligation to erase your personal data without undue delay where one of the grounds below applies:
a) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) your personal data have been unlawfully processed;
c) your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
d) if you withdraw your consent to personal data processing regarding their processing in the NBCIR and the disclosure of personal data to CRBI users by NBCB through SBCB.
e) if you have successfully objected to processing, in case of those processing operations that are carried out on the basis of a legitimate interest pursuant to Article 6(1)(f) of the GDPR and no legitimate grounds for processing prevail.
2) Please note that you have the right to withdraw consent to the processing of personal data only for those processing operations that are carried out on the basis of your consent pursuant to Article 6(1)(a) of the GDPR and not for those processing operations that are carried out by NBCB pursuant to Article 6(1)(c) of the GDPR (compliance with a legal obligation; i.e. processing of your personal data in the Register).
3) Please note that you have the right to attain from NBCB, as the controller, the erasure of personal data relating to your person only for those processing operations for which you have successfully objected to the processing and which are carried out on the basis of a legitimate interest pursuant to Article 6(1)(f) of the GDPR (i.e. only in the case of the existence of Negative Information) and not for those processing operations carried out by NBCB on any other legal basis. For more information on the right to object to the processing of your personal data, please see “Right to object to the processing of personal data” (section VII. below).
IV. Right to the restriction of personal data processing
1) You have the right to have NBCB, as the controller, restrict the processing of your personal data in one of the following cases:
a) you as a data subject contest the accuracy of your personal data, for a period enabling NBCB to verify the accuracy of your personal data; NBCB will verify the accuracy of your personal data primarily with the source from which they were obtained, i.e. with the relevant bank to which you provided your data in connection with a loan agreement or a loan agreement application;
b) the processing of your personal data is unlawful and as a data subject you oppose the erasure of your personal data and request the restriction of their use instead;
c) NBCB as the controller no longer needs your personal data for the purposes of the processing, but they are required by you as a data
d) as a data subjekt you have objected to processing, in case of those processing operations that are carried out on the basis of a legitimate interest pursuant to Article 6(1)(f) of the GDPR, and this until it is verified that there are no legitimate grounds for processing prevailsubject for the establishment, exercise or defence of legal claims.
2) Please note that you have the right to attain from NBCB, as the controller, the restriction of proccesing of personal data relating to your person only for those processing operations for which you have objected to the processing and which are carried out on the basis of a legitimate interest pursuant to Article 6(1)(f) of the GDPR (i.e. only in the case of the existence of Negative Information) and not for those processing operations carried out by NBCB on any other legal basis. For more information on the right to object to the processing of your personal data, please see “Right to object to the processing of personal data” (section VII. below).
3) If the processing of your personal data pursuant to paragraph 1 is restricted, such personal data, with the exception of storage, shall be subsequently processed only with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or its Member State.
4) If you as a data subject have obtained restriction of processing pursuant to paragraph 1, you will be informed by the controller before the restriction of processing is lifted.
V. Notification obligation regarding rectification or erasure of personal data or restriction of personal data processing
NBCB as the controller shall notify any recipient to whom your personal data have been disclosed of any rectification or erasure of personal data or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18 of the GDPR, unless this proves impossible or would involve a disproportionate effort. NBCB will inform you of these recipients at your request.
VI. Right to personal data portability
With respect to your personal data processing, GDPR grants you the right to transmit your personal data to another controller. However, you can only exercise this right in relation to those processing operations that are carried out on the basis of your consent pursuant to Article 6(1)(a) of the GDPR.
You cannot exercise the right to the portability of your personal data for those processing operations that are carried out under a legal obligation pursuant Article 6(1)(c) of the GDPR or a legitimate interest on the basis of Article 6(1)(f) of the GDPR.
VII. Right to object to the processing of personal data
Pursuant to Article 21 of the GDPR, you, as a data subject, have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you where it is carried out on the basis of Article 6(1)(e) of the GDPR (processing in the public interest) or Article 6(1)(f) of the GDPR (processing on the basis of a legitimate interest of the controller or of a third party). NBCB does not process your personal data for direct marketing purposes and does not carry out profiling of data subjects.
You can only exercise this right for those processing operations that are based on a legal basis of legitimate interest pursuant to Article 6(1)(f) of the GDPR (i.e. only in the case of the existence of Negative Information).
VIII. Automated individual decision-making, including profiling
The data subject generally has the right, pursuant to Article 22 of the GDPR, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Please note that NBCB makes no decisions or profiling regarding you pursuant to the previous paragraph and in no way decides on approval your loan application to the Creditors. For this reason, GDPR does not allow you to exercise the above right against NBCB. Nevertheless, you can exercise this right against the Creditor as the source of your personal data in the NBCIR and the Register, which decides on your loan agreement application and carries out your profiling.
IX. Communication of a personal data breach to the data subject
1) In the event of a breach of your personal data that is likely to result in a high risk to your rights and freedoms, NBCB as the controller shall communicate the breach of your personal data to you without undue delay.
2) The communication referred to in paragraph 1 shall not be required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
C. Your request handling procedure
As a data subject, you also have the right to exercise the above rights through a request addressed to NBCB as the controller. In accordance with applicable legislation, your request will be addressed within one month. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. NBCB as the controller shall inform you of any such extension within one month of receipt of the request, together with the reasons for missing the base period.
NBCB strives to comply with all requests, but exceptionally there may be a situation where your request cannot be complied with. Not complying with a request for legitimate reasons is, however, only a last resort. If the request is unclear or incomplete, NBCB will contact you for clarification or additional information. Exceptionally, NBCB may have doubts concerning your identity. In this case, you will be subsequently asked to provide additional information to remove such doubts.
Your request will be complied with in the form in which it was made by you, or if you indicate in the request another form of complying with your request, it will be complied with in such a form. For example, if you send a request to NBCB by post, NBCB will also address the processed request to you by post. However, if you indicate in such a request that you wish us to reply to you by email, NBCB will process your request signed by a qualified electronic signature by electronic means, subject to the conditions set out below. However, where NBCB has reasonable doubts concerning your identity that will not be subsequently removed, it may process your request by sending a reply by registered mail to your last permanent address.
NBCB provides you with several options to make a request in order to exercise your rights. You can use the prepared request forms to create a request. All you have to do is provide your personal data so that we can identify you and then send us the request. You can find the request form using the following link: http://www.nbcb.sk/wp-content/uploads/2021/06/%C5%BDiados%C5%A5-NBCB-kopia-osobnych-udajov.pdf
You can deliver the completed request to NBCB:
a) in person to the SBCB client centre located at: Mlynské Nivy 14, 821 09 Bratislava,
b) by post to the following address: Mlynské Nivy 14, 821 09 Bratislava,
c) by email to: [email protected]
If you decide to make your request in person at our client centre, please have a proof of identity with you to prove your identity. If you decide to make your request through another person, such a person must present a power of attorney certified by a notary. In order to ensure your maximum protection, we cannot disclose your personal data to anyone without sufficient proof of authority to act on your behalf.
If you send us your request by post, please sign it by hand.
Communication by electronic means is one of the potentially most dangerous ways for you to provide your personal data in relation to the exercise of your rights as a data subject in accordance with this information document. For this reason, we only fully accept requests made by this means that are signed by a qualified electronic signature. If you send us a request by email that is not signed by a qualified electronic signature, it may take longer to process your request, since in order to protect your personal data it is necessary that NBCB has no reasonable doubts concerning your identity. For this reason, we may request additional information necessary to confirm your identity. Likewise, your request may not be fully complied with in this way, and in case of doubts concerning your identity, we may comply with your request by sending a copy of your personal data (or other relevant processing of your request) by registered mail to your last permanent address.
For more information regarding the processing of your personal data by NBCB in the NBCIR and the Register and the exercise of your rights as a data subject, please contact (i) the Client Centre located at: Mlynské Nivy 14, 821 09 Bratislava, (ii) by phone on +421 2 59207515, or (iii) by email at: [email protected].
The contact details of the data protection officer under the GDPR appointed by the controller are as follows: [email protected].
Information on personal data processing