The new Personal Data Protection Law ("Official Gazette of RS", no. 87/2018), which will become effective on 21 August 2019, was adopted in order to harmonise national legislation with the European Union regulations that ensure the highest level of personal data protection, in particular:
- Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and
- Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
Among other things, the new legal framework introduces new concepts suited to the times we live in: profiling, pseudonymisation, biometric data processing, information society services, the treatment of IP addresses as personal data, the mandatory preparation of a Data Protection Impact Assessment, and the notification of data subjects of personal data breaches under the conditions set out in the Law.
The Personal Data Protection Law was modelled on the General Data Protection Regulation (GDPR), a regulation which does not apply in the Republic of Serbia but has applied in the EU since 25 May 2018. Both regulations ensure the highest level of personal data protection and, to a large extent, change the way in which all entities that collect and process personal data operate.
Since the field of personal data protection was last regulated at the European level in 1995, the world has seen the expansion of communications and the emergence of social networks; regulators therefore recognised the need for more detailed and stricter rules protecting data against unauthorised, groundless and, above all, excessive use and transmission to other persons.
Personal data are defined very broadly in the Law. Personal data are numerous and varied, because they comprise all data on the basis of which a person may be identified directly or indirectly (i.e. in combination with other data). Obvious examples are name and surname, e-mail address and unique personal identification number, but a voice recording, a photograph, a video recording of a face, an IP address, etc. also qualify.
Particular categories of personal data enjoy special protection under the Law, so their processing is prohibited in the majority of cases. These are data on:
- racial or ethnic origin,
- political affiliation,
- religious or philosophical affiliation, trade union membership, as well as
- genetic data and biometric data used for unique facial identification,
- medical data,
- data on the sexual life or sexual orientation of a natural person.
In the majority of cases, e-mail addresses and business contact information are deemed personal data. The Law defines personal data as any information relating to a natural person who is identified or identifiable on the basis of such information.
Since business e-mail addresses mostly include the name and surname, the name of the employer (from which it can be established where the particular natural person is employed), the person's job title and similar data identifying a particular natural person, they are deemed personal data.
The above does not apply where the Bank processes the business contact data of a natural person who has no contact with the Bank in his/her private capacity (e.g. as a party to a credit agreement concluded in his/her own name and for his/her own account), but acts within his/her operating or statutory tasks as a representative of his/her employer, which has a business relation with the Bank.
Yes, personal data are also processed by video surveillance systems (which identify the activities of natural persons). Under the Law, obtaining a person's written consent is not necessary, and it is in any case not always physically possible. It is therefore important to determine the legal grounds for processing video recordings, in particular the Bank's legitimate interest in preventing criminal activities and threats to the security of its clients and personnel, as well as to the Bank's property and the property of clients entrusted to the Bank for custody or management.
Personal data processing is not only the expert analysis of client data on which the decision about a business relation between the client and the Bank is based, but also data collection and storage, recording, classification, restriction, deletion, etc.
In its operations, the Bank processes personal data for the purpose of entering into and executing agreements with clients, as well as for the purpose of meeting obligations set out in law and other regulations. A business relation with the Bank cannot be established unless the mandatory data required for the particular operation are collected and processed.
The first group includes identification data, as well as other data which the Bank is obliged to collect in accordance with the Law on the Prevention of Money Laundering and Terrorism Finance and other applicable regulations, namely: name and surname, address of domicile and/or place of stay, personal identification number, date, place and state of birth, nationality(ies), and other data required by regulations.
The second group of data collected by the Bank comprises those whose processing is necessary for the execution of an agreement with the data subject, or in order to take action at the data subject's request prior to concluding the agreement. In each specific case, these data depend on the service/product agreed and/or used, and the Bank takes strict care to comply with the data minimisation principle (only the personal data necessary for the respective processing purpose are processed).
Data necessary for the execution of the agreement may also include contact data required to deliver a Bank service or product (e.g. an e-mail address for the netbanking service, or a mobile telephone number for the service of sending SMS notifications of account balance/turnover).
The third group includes voluntarily provided contact data, which the Bank uses to notify you, in the fastest and simplest manner, of facts relevant to a product or service you have shown interest in or are using, and to provide other useful information/documentation at your request; this may also be a statutory obligation of the Bank (e.g. the obligation to send account statements).
Consent to data processing may be given for one or several specified processing purposes, such as:
- Creation of specific offers/recommendations of products, services and options for their use (personalised marketing), so that you, as the client, can manage your finances efficiently.
- Occasional information on products and services, benefits, prize games, news and changes in the operation of the Bank, Erste Group members and business partners with which you may arrange cooperation through the Bank (direct marketing), so that useful information on the Bank's operation, products and services that may be of interest to you is available to you.
- Improvement of the Bank's products and services based on your requirements and expectations, using the results of periodic surveys of your satisfaction and experience with the use of the Bank's products and services.
At any time, you may withdraw (revoke) your consent to data processing, after which the Bank will no longer process your data for the purpose to which your consent related.
In its business relations with clients, the Bank does not use automated individual decision-making that produces adverse legal consequences for the person concerned.
For clients using products and services with credit exposure, the Bank has a statutory obligation under the Bank Law and relevant by-laws to calculate a credit rating. The credit rating is determined using statistical models on the basis of the available data, including data collected from the client, data on the products and services used by the client, and whether liabilities are settled at maturity.
Certain data processing is performed by the Bank through service providers, with appropriate technical and organisational personal data protection measures applied, e.g. providers of IT services, archiving, printing and mailing of letters to clients, card transaction processing, and card and PIN production (personalisation).
The Bank takes care that such service providers are always located in the Republic of Serbia, the EU, or states party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as required by the Personal Data Protection Law. Also, when outsourcing data processing to a third party (service provider), the Bank is obliged to contractually require the same level of protection that it provides itself, in accordance with the Law.
In addition, the Bank is entitled, and, in particular cases obligated, to forward personal data to:
- members of its bodies, its shareholders and Erste Group members, the updated list of which may be found on the following web page: https://www.erstegroup.com/en/about-us,
- Bank’s external auditor,
- Serbian Bank Association Credit Bureau,
- National Bank of Serbia,
- other public authorities and persons who, due to the nature of the work they perform, must have access to such data, in accordance with the Bank Law.
The Bank receives anonymous reports via Google's analytics service (without the client's personal data being transferred) in the event of a malfunction or defect in the application's performance, in order to eliminate such malfunctions and defects promptly and to ensure stable use of mBanking.
In order to perform payment transactions through the use of the said payment instrument (legal basis: execution of the contract concluded with the data subject), the Bank needs to have access to the personal data of the client using the application. This is regulated by the Framework Agreement and the General Terms and Conditions of the Bank.
The data subject is entitled to access the personal data processed by the Bank.
In the cases provided for in the Personal Data Protection Law, the data subject is entitled to request data deletion, as well as restriction of processing.
The Law also guarantees the right to data correction and updating; however, please note that in a banking business relation, data correction and updating are a contractual obligation of the Bank's client, fulfilled in accordance with the respective agreement, in most cases by providing evidence indicating which data need to be corrected (e.g. a change of ID document, address, etc.).
Under the conditions stipulated in the Personal Data Protection Law, the data subject is entitled to data portability, i.e. to receive from the Bank the data he/she has provided to the Bank, for the purpose of transferring them to another controller, as well as the right to have such data transferred directly to another controller by the Bank, if this is technically feasible and if, in the Bank's assessment, the necessary security standard for the transfer of personal data has been ensured. For the time being, such standards have not yet been defined at the banking sector level.
If justified by his/her particular situation, the data subject is entitled, at any time, to lodge a complaint with the Bank, as the controller, regarding the processing of his/her personal data in accordance with the Personal Data Protection Law, including profiling under that Law.
If the Bank fails to act upon the request of a person whose data are processed, it must, without delay and within the term stipulated in the law, notify that person of the reasons and inform him/her of the right to file a complaint with the Commissioner or a claim with the competent court.
The right to deletion is not an absolute right. It can be exercised only if the data are no longer necessary for the purpose for which they were originally collected and there are no longer statutory grounds for processing. Please note that the Bank must process particular data under the Law (for instance, the Law on the Prevention of Money Laundering and Terrorism Finance sets out a large set of mandatory data), and in order to perform its contractual obligations to the client.
In many cases, deletion is directly prohibited by particular laws for a specified period following termination of the business relation (for example, the above Law on the Prevention of Money Laundering and Terrorism Finance clearly obliges the Bank to keep data and documentation concerning the client, the business relation established with that client, the risk analysis performed and the transactions executed for a minimum of ten years from the date of termination of the business relation).
The Law also provides for the so-called legitimate interest as a legal basis for data processing without consent, which is valid, for example, for the protection of the Bank in pending legal proceedings with a client, for the prevention of fraud against the Bank, for the prevention of threats to client security, etc. Such legitimate interest must be construed very restrictively, which is what the Bank does.
In accordance with the Law, the Bank has appointed an independent Personal Data Protection Expert (DPO), who may be contacted at the e-mail address dpo@erstebank.rs.
A request to exercise these rights is always filed with the Bank by the client, i.e. the person whose data are processed, by completing the designated form, which may be submitted:
- directly at any Bank branch to an authorised Bank officer, who must electronically identify the applicant,
- to the e-mail address dpo@erstebank.rs or zalbe.stanovnistvo@erstebank.rs, provided that the sender's e-mail address is the address registered by the client with the Bank as the official communication channel with the Bank,
- in writing, by ordinary mail, provided that the indicated sender's address is the address reported by the client to the Bank as the official communication channel.
The Bank must provide the client and/or the person whose data are processed with the information requested no later than 30 days from the date of receipt of the request. This deadline may be extended by a further 60 days if necessary.
Yes, but such consent must be recorded and documented (in this specific case, recorded on the basis of prior consent to the recording of the conversation) for the purposes of control by the supervisory body (the Commissioner for Information of Public Importance and Personal Data Protection), and it must satisfy all requirements of the Law regarding valid consent (including client identification in accordance with the Law, which is not always possible, or only for limited data processing where identification is not necessary, e.g. only for a telephone number for the purpose of a follow-up call by the Bank).
Yes, consent to data processing may also be given by e-mail, but only for specified purposes, about which you may be informed on the website and at Bank branches.
To ensure the security of your data, particular prerequisites must be met in this case: adequate client identification in accordance with the Law, and contacting the Bank solely through the e-mail address that has been reported to the Bank as the communication channel with the client.