
PRIVACY POLICY

In accordance with the Law on Personal Data Protection and the Personal Data Protection Policy of Srpska banka a.d. Belgrade, we provide below information related to the processing of personal data:


1. DATA CONTROLLERS

Srpska banka, joint stock company, Belgrade
25 Bulevar kralja Aleksandra I Karadjordjevića,
11000 Belgrade

Registration number: 07092288
Phone: 011-3607-200

Internet address: www.srpskabanka.rs

2. PERSONAL DATA PROTECTION OFFICER

The Bank has appointed a personal data protection officer whom you can contact for questions and requests related to the processing of personal data. The contact details of the personal data protection officer are available on the Bank’s official website.


3. SUBMISSION OF REQUESTS FOR THE EXERCISE OF RIGHTS RELATED TO PERSONAL DATA PROTECTION

The person to whom the data refer has the right to submit a request to the Bank for the exercise of rights related to personal data protection in writing:

The request can be submitted to the Bank in free form or on the Bank’s form, which is available in the business premises where the Bank offers services and on the Bank’s website.


4. PRINCIPLES OF PERSONAL DATA PROCESSING

The principles of processing are the basic rules that the Bank follows when collecting and processing personal data.

  • Personal data must be processed lawfully, fairly and transparently in relation to the person to whom the data refer, in accordance with the legal regulations governing the processing. At the time of data collection, the Bank will provide that person with information about the procedure for collecting and processing his/her data, as well as other information regarding the legality, purpose of processing, method of exercising rights and other necessary data,
  • The Bank collects data for purposes that are specifically determined, explicit, reasonable and legal, and they cannot be further processed in a way that is not in accordance with those purposes. The Bank will not process the same data for any other purpose, unless there are some other processes that are regulated by law or are necessary for quality service provision,
  • Personal data collected must be appropriate, essential and limited to what is necessary and required in relation to the purpose of processing,
  • Personal data must be accurate and, if necessary, updated. Taking into account the purpose of the processing, the Bank undertakes all reasonable measures and regular controls to ensure that inaccurate personal data are deleted or corrected without delay,
  • The Bank stores personal data in a form that enables the identification of the person only within the period necessary to achieve the purpose of the processing. Personal data may be stored longer in order to comply with the Bank’s legal obligation requiring processing or when there is a legitimate interest (e.g. submission, exercise or defense of a legal claim),
  • Personal data are processed in a way that ensures appropriate data protection, including protection against unauthorized or illegal processing, as well as in case of loss, destruction or damage by applying appropriate technical, organizational and personnel measures. The Bank implements measures aimed at preventing unauthorized disclosure of data, monitoring access to data, limiting access to data in accordance with the needs of the workplace, etc.

5. PERSONAL DATA PROCESSING

In most business processes, the Bank acts as the controller, which independently or together with others determines the purpose and method of data processing, while in certain business processes it can be a processor that processes personal data on behalf of the controller.

In accordance with the level of technological achievements and the costs of their application, nature, scope, circumstances and purpose of the processing, the Bank applies appropriate technical, organizational and personnel measures, which in particular include the following:

  • Ability to ensure permanent confidentiality, integrity, availability and resilience of processing systems and services;
  • Ensuring that availability of and access to personal data are restored as soon as possible in case of physical or technical incidents;
  • The procedure of regular testing, assessment and evaluation of the effectiveness of technical, organizational and personnel measures of processing safety.

By applying the aforementioned measures, it is ensured that only those personal data that are necessary for the realization of each individual processing purpose are always processed. This obligation is applied in relation to the number of collected data, the scope of their processing, the term of their storage and their availability.

The Bank does not collect or process data that reveal racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership, and does not process genetic data, biometric data for the purpose of unique identification of a person, health condition data or data on the sexual life or sexual orientation of a natural person.

Exceptionally, the processing of this data is allowed in the following cases:

  • The person to whom the data refer has given express consent to the processing for one or more purposes of the processing;
  • Processing is necessary for the purpose of fulfilling the obligations or applying the legally stipulated powers of the controller or the person to whom the data refer in the field of work, social insurance and social protection, if such processing is regulated by law or a collective agreement that stipulates the application of appropriate measures to protect fundamental rights, freedoms and interests of the person to whom the data refer;
  • Processing is necessary in order to protect vital interests of the person to whom the data refer or another natural person;
  • Personal data that the person to whom they refer has apparently made publicly available are processed;
  • Processing is necessary in order to submit, exercise or defend a legal claim or in the case when the court is acting within its jurisdiction.

The Bank especially protects the personal data of children (persons under 15 years of age), considering that they may be less aware of the risks, consequences, protection measures, as well as their rights in relation to the processing of personal data.

The person to whom the data refer has the right not to be subject to a decision made solely on the basis of automated processing, including profiling, if that decision produces legal consequences for that person or significantly affects his/her position, unless that decision is:

  • Necessary for the conclusion or execution of a contract between the person to whom the data refer and the controller;
  • Based on the law, if that law regulates appropriate measures to protect the rights, freedoms and legitimate interests of the person to whom the data refer (for example, for the purpose of preventing fraud, money laundering and terrorist financing);
  • Based on the express consent of the person to whom the data refer.

6. TRANSFER OF PERSONAL DATA

The Bank transfers personal data when there is a legal obligation to provide them at the request of an authorized authority or regulatory body of the Republic of Serbia (National Bank of Serbia, Credit Bureau - Association of Serbian Banks, Ministry of Finance of the Republic of Serbia - Administration for the Prevention of Money Laundering and Tax Administration of the Republic of Serbia, external auditor of the Bank and other bodies).

The Bank may provide personal data to the Bank’s business partners when it is necessary for the realization of business relations (e.g. IT support, debt collection, legal assistance, consulting services, assignment of claims, etc.), based on the contract which, in accordance with the regulations and the Bank’s internal acts, regulates the obligations and measures to preserve the confidentiality of data.

The transfer of personal data to other countries or international organizations is allowed in accordance with the regulations governing the protection of personal data.


7. THE RIGHTS OF PERSONS TO WHOM THE PERSONAL DATA REFER

Personal data are the property of the person to whom they relate, and although the Bank uses these data to provide services, the person retains certain rights in relation to the processing of his/her personal data at all times.

At the time of collecting personal data, the Bank will provide that person with all the information established by regulations: the identity of the controller, the contact details of the person for personal data protection; the purpose of the intended processing and the legal basis for the processing; the existence of a legitimate interest of the controller or a third party; the recipient of personal data (especially if the data is transferred to another country or an international organization); personal data retention period; the type and method of exercising the rights of the person whose data is collected, the right to object; the existence of the right to revoke consent at any time, as well as the fact that the revocation of consent does not affect the admissibility of processing based on consent before the revocation; the right to submit a complaint to the Commissioner; whether the provision of personal data is a legal or contractual obligation or the provision of data is a necessary condition for the conclusion of a contract, as well as whether the person to whom the data refer has an obligation to provide personal data and the possible consequences if the data is not provided; the existence of automated decision-making, including profiling (information about the logic used, as well as the importance and expected consequences for the person to whom the data refer), as well as the source of the data (in case the data are not collected from the person to whom they refer).

The Bank allows the following rights to be exercised:

The right to access - The person to whom the data refer has the right to request from the Bank information on whether it processes his/her personal data, access to that data, a copy of that data, as well as information on the purpose of the processing, on the types of personal data that are processed, about the recipient, and in particular about the recipient in other countries or international organizations, about the expected retention period, as well as other information related to data processing.

The right to rectification and supplement - The person to whom the data refer has the right to have his/her inaccurate personal data corrected without undue delay. Depending on the purpose of the processing, the person to whom the data refer has the right to supplement his/her incomplete personal data, which includes providing an additional statement.

The right to erasure - The person to whom the data refer has the right to have his/her personal data erased, and the Bank is obliged to erase the data without undue delay under the following conditions:

  • Personal data are no longer necessary to achieve the purpose for which they were collected or otherwise processed;
  • The person to whom the data refer has revoked the consent based on which the processing was carried out, and there is no other legal basis for the processing;
  • The person to whom the data refer has submitted an objection to the processing, and there is no other legal basis for the processing that prevails over the legitimate interest, right or freedom of the person to whom the data refer,
  • Personal data have been illegally processed;
  • Personal data must be erased in order to fulfill the legal obligations of the controller;
  • Personal data are collected in relation to the use of information society services.

The right to restriction of processing - In certain cases, a person has the right to restrict the processing of his/her personal data (for example, when the accuracy of the data is contested or when, despite the illegal processing, the person requests restricted use of the data instead of erasure).

The right to portability - The person to whom the data refer has the right to receive his/her previously submitted personal data from the Bank in a structured, commonly used and electronically readable form and has the right to transfer this data to another controller without interference from the Bank, if the processing is performed automatically based on consent or contract.

The right to object - The person to whom the data refer has the right to submit to the Bank at any time an objection to the processing of his/her personal data, which is carried out for the purpose of performing tasks in the public interest or exercising the powers regulated by law or is necessary in order to achieve the legitimate interests of the Bank or a third party, including profiling in relation to such processing.

The Bank is obliged to stop processing data about the person who submitted the objection, unless the Bank proves that there are legal reasons for processing that prevail over the interests, rights or freedoms of the person to whom the data refer or are related to the submission, exercise or defense of a legal claim.

The person to whom the data refer has the right to object at any time to the processing of his/her personal data that are processed for the purposes of direct advertising, including profiling, insofar as it is related to direct advertising. If the person to whom the data refer objects to the processing for the purposes of direct advertising, the personal data may not be further processed for such purposes.

The right related to automated decision-making and profiling - The person to whom the data refer has the right not to be subject to a decision made solely on the basis of automated processing, including profiling, if that decision produces legal consequences for that person or significantly affects his/her position, unless that decision is necessary for the conclusion or execution of a contract between the person to whom the data refer and the Bank, is based on the law (if appropriate measures to protect the rights, freedoms and legitimate interests of the person to whom the data refer are regulated by that law) or is based on the express consent of the person to whom the data refer.

The right to complain - The person to whom the data refer has the right to submit a complaint to the Commissioner for Personal Data Protection, if he/she believes that the processing of his/her personal data has been carried out in violation of regulations.

The Bank is obliged to provide the person to whom the data refer with information on the action taken based on the request for exercising the aforementioned rights without delay, and no later than within 30 days from the date of receipt of the request, whereby that deadline can be extended by another 60 days (if this is necessary, taking into account the complexity and number of requests). The Bank is obliged to inform the person to whom the data refer of the extension of the deadline and the reasons for that extension within 30 days from the date of receipt of the request.

If the Bank does not act on the request of the person to whom the data refer, it is obliged to inform that person of the reasons for not acting without delay, and no later than within 30 days from the date of receipt of the request, as well as of the right to submit a complaint to the Commissioner, i.e. a lawsuit to the court.

The Bank provides information on the collection and processing of data, i.e. information related to the exercise of rights, free of charge. If the request of the person to whom the data refer is clearly unfounded or excessive, and especially if the same request is repeated frequently, the Bank may charge the necessary administrative costs of providing information, i.e. acting on the request (for example, in case of a request to provide a copy of the data), or refuse to act upon the request.


8. COOKIES POLICY

The rules and method of processing personal data using “cookies” are defined in the “Cookies” Usage Policy on the Bank’s website.


9. SECURITY OF PROCESSING

In accordance with the nature, scope, circumstances and purpose of processing, as well as the probability of risk occurrence and the level of risk for the rights and freedoms of natural persons, the Bank implements the following:

  • Appropriate technical, organizational and personnel measures, such as pseudonymization or reducing the amount of data, which aim to ensure the effective application of the principles of personal data protection;
  • The necessary protection mechanisms during processing, in order to fulfill the conditions for processing regulated by law and to protect the rights and freedoms of the persons to whom the data refer.

The Bank is obliged to ensure that, through the constant application of appropriate technical, organizational and personnel measures, only those personal data that are necessary for the realization of each individual purpose of processing are always processed. This obligation is applied in relation to the number of collected data, the scope of their processing, the term of their storage and their availability.

The Bank ensures that personal data cannot be made available to an unlimited number of natural persons without the participation of a natural person.

Appropriate security in the Bank when processing personal data is achieved through the implementation of security protection measures stipulated in the ICT System Security Policy of Srpska banka a.d. Belgrade.

The Bank ensures business continuity and recovery of activities in case of natural disasters by applying the Business Continuity Plan and the Disaster Recovery Plan.