Banca Intesa ad Beograd (hereinafter: “the Bank” or “the Controller”) processes your personal data (hereinafter: “Personal Data” or “the Data”) legally, fairly and transparently, and this Notice has been prepared with intent to inform you in a simple way on the purposes of the Data processing and type of the Data we collect directly from you or from other parties, as well as on how you may protect your rights and other details on the Data processing.

Firstly, it is useful to know that, according to the Personal Data Protection Law (hereinafter: “the Law”), personal data may be any information relating to an identified or identifiable natural person, including name, surname, postal address, ID number, IP address, account number, phone/mobile phone number, etc.

This Notice will guide you through information you should be aware of before you entrust us to process your Personal Data.

5609263154. 1 - IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

Banca Intesa ad Beograd

Milentija Popovića No. 7b

11070 Novi Beograd

www.bancaintesa.rs

5609263154. 2 - CONTACT DETAILS OF THE DATA PROTECTION OFFICER

Please feel free to contact our Data Protection Officer for any matter relating to the processing of your Personal Data and/or to exercising the rights provided by the Law, using any of the following channels:

• E-mail: zastita.podataka@bancaintesa.rs;
• Registered address of the Bank: Banca Intesa ad Beograd, Milentija Popovića No. 7b, 11070 Novi Beograd – Attn. Data Protection Officer;
• Written request delivered to any of our Branch Offices, addressed to the Data Protection Officer.

5609263154. 3 - PURPOSE AND LEGAL BASIS OF THE PROCESSING, AND CATEGORIES OF PERSONAL DATA
            4879406329. and legal basis of the processing

Purpose of and legal basis for the Data processing depend on the type of relationship with the Bank. The Data processing is minimised to those necessary for fulfilling the purpose (e.g. preparation and/or execution of a contract on opening Current Account, or granting a loan, etc.).

Legal basis for collection and processing of the Data may refer to legal requirements prescribed by applicable law (e.g. the Law on Prevention of Money Laundering and the Financing of Terrorism, etc.), or to execution of a contract, or to pursue a legitimate interest of the Bank or a third party, or it may be founded on your consent. Please find more details below.

1. 1. 1. Providing services and performing contracts

The processing of your Personal Data is needed for providing you the services requested and to perform the contracts, including the steps to be taken prior to entering into a contract. Refusal to provide this Personal Data do not allow the Bank to fulfil the relevant requests and/or enter into a contract with you.

1. 1. 2. Complying with the Bank’s legal obligations

The processing of your Personal Data in order to comply with the regulatory provisions is mandatory and your consent is not required. Such processing is performed, for example, when it is required by anti-money laundering, taxation, fraud prevention regulations in the payment services, or to comply with the requests of the responsible Authority (such as the National Bank of Serbia, or the Administration for  the Prevention of Money Laundering), or for responding to the consumer complaints submitted in accordance with the regulations (e.g. the Law on Payment Services, or the Financial Services Consumer Protection Act, etc.).

1. 1. 3. Legitimate interest of the Bank or third parties

The Bank may process your Data on the ground of pursuing its own or third party’s legitimate interest, if such interest overrides your interests or fundamental rights and freedoms, for instance:

• when the purpose of processing is to determine clients’ preferences and attitudes and clients segmentation in order to offer products and services that better meet the needs and desires of individual client categories (in this way, the Bank's interests in providing better and higher quality services to its clients are in line with the clients' interests and expectations of the best possible service);
• when the purpose of processing is to improve the activities of the Bank's Contact Centre, incoming telephone conversations of clients with Bank's Contact Centre may be audio recorded (in this way, the Bank's interest in monitoring the activities of the Bank's Contact Centre and detecting possible irregularities in the activities of the Bank's Contact Centre are in line with the clients' interests in receiving complete and accurate information, as well as the highest level of professional support);
• when the purpose is to ensure IT security of the Bank's systems and activities, including the security of services offered to clients;
• when the Data processing is done for the purpose of monitoring and preserving physical security in the business premises of the Bank (e.g. in case of video surveillance of the Bank's business premises, or visitor logs);
• when the purpose is to prevent and investigate fraud and other criminal offences against the Bank, its clients and/or third parties;
• when the purpose of the processing is additional assessment of risks that the Bank is obliged to control, including risk management at the level of the Bank’s local Group or Intesa Sanpaolo Group (for example, credit-worthiness or regularity of business operations of its clients);
• when the processing is done for administrative needs of the Bank or Intesa Sanpaolo S.p.A., Torino, Italy (hereinafter: “the Parent Company”);
• when the processing is required to initiate and conduct legal disputes in order to exercise the rights and interests of the Bank or third parties.

The Bank may process the Data in order to pursue any legitimate interests of the Bank or third party, subject to its assessment that achieving such interests does not override fundamental rights and freedoms of the Data Subjects, which is assessed by the Data Protection Officer through so called “balancing test”.

In the specified cases your consent is not required,  but you are entitled to require protection of your rights at any time, as described in Section 7 below.

1. 1. 4. Consent to Data processing

Your consent for Personal Data processing is precondition for communication of commercial information or direct offers of our services, products and services of the Bank’s related parties (e.g., Intesa Leasing, Intesa Invest), as well as products and services of the Bank’s business partners (e.g., selected insurance companies) or for market research or studying customer satisfaction with the Bank’s services. Namely, we need your consent in order to enable further tailoring of our offer to your wishes and needs, inform you of new services and benefits, and receive feedback on your satisfaction with the services provided, review your suggestions for improvements, or include you in the researches and surveys we conduct, and reward you for your loyalty by participation in prize-winning games and competitions.

Your consent (or its absence) does not affect the performance of a contract with the Bank, neither complying with its prescribed duties and obligations, nor pursuing of legitimate interest of the Bank or a third party. You are entitled to withdraw the consent at any time by contacting the Bank through any channel specified in Section 2 above.

In relation to the offer of information society services, Juvenile Data Subject may give consent on its own, if it is at least 15 years old. Where the child is below the age of 15 years, such processing shall be lawful only if the consent is given or authorised by the holder of parental responsibility over the child.

1. 11012925404643. of Personal Data processed

(A) Basic Identification Data

In order to establish a business relationship with you, we need your basic Identification Data, as to meet our legal obligations (e.g. under the provisions of the Law on Prevention of Money Laundering and the Financing of Terrorism, or the Intergovernmental Agreement on implementation of the U.S. Foreign Account Tax Compliance Act – FATCA). For the said purposes, we collect your Personal Data, such as: name and surname, date and place of birth, unique personal identity number (JMBG), registration number of the agricultural household in case of their owners, domicile/residence address, type and number of identification document, citizenship, etc. Copy of your identification document is kept in accordance with the Anti-Money Laundering regulations, but also for the purpose of pursuing legitimate interest of the Bank regarding fraud prevention.

Refusal to provide these Data will result in the rejection of your application for establishing a business relationship with the Bank.

(B) Other Data categories

The Bank also processes your Contact Data such as: your postal address, telephone/mobile phone number, e-mail address, be it for the purpose of performance of a contract (e.g. agreed method of notification related to a product, etc.) or fraud prevention. We collect data on the gender primarily for the risk management purposes.

If you contact the Bank's Contact Centre by telephone, please be aware that telephone conversations directed to the Bank's Contact Centre (incoming calls) may be recorded, of which you will be warned beforehand and have possibility to quit the conversation.

If you are contacting us via the Bank’s website (web contact forms) and expect us to provide feedback, we would need your basic Identification and Contact Data, such as: your name and surname, address, phone/mobile phone number, e-mail address, etc. The Personal Data you provide to us in this manner will not be visible to other users.

After the installation of the Bank mobile app, the following data is automatically detected and collected through the mobile device:

• Device information: IP addresses, name of the smarthphone, model of operating system, device UUID, device root status;
• Applications installed to check if there are any malicious apps installed;
• Network/SIM, ICCID (Integrated Circuit Card ID, aka, SIM Serial Number), IMSI (International mobile subscriber identity), IMEI (International Mobile station Equipment Identity), MAC Address

 

This information may be collected to avoid defects in the display of content, improper shutdown, and unlawful access. In addition, it helps to ensure the security of operations about authentication and transactions.

Other Data collected and processed depending on the type of products and services you intend to use, taken for execution of a contract or its preparation, are presented below.

Loans – In order to create an offer for a loan and/or for the purpose of tailoring the offer to your needs and capabilities, and /or an analysis of a loan application (e.g. verification of your credit worthiness), and/or loan approval, and/or performance of a loan agreement, as well as the actions that precede credit agreement, in addition to your Identification Data under (A), we also need identification and other data on other parties to the loan, if any (for example, co-borrowers, guarantors, lien debtors, etc.), depending on their role in the credit arrangement. Also, when assessing your creditworthiness and the ability to meet your obligations, the Bank obtains report of the Credit Bureau on your credit exposure to other financial services providers and regularity in performance of your financial obligations, as well as on holding accounts with other payment institutions. For the purpose of assessing your financial standing and creditworthiness and fulfilling the regulatory requirements, we also need your other Data, such as the Data on: your marital status, the persons you are connected to (such as the spouse or an immediate family member), Data on the number of dependent members, professional qualifications, housing Data (whether you rent the house/apartment or poses your own), etc. Data on your employment status, income, expenses, spending, etc. are being processed so that we can estimate sources of your income and your ability to repay the loan. Depending on the individual distribution channel of the Bank through which you apply for a loan, receive credit decision, or repay a loan, some of your Personal Data are additionally processed due to the particularities and the functionality of the channel you use. If you do not settle your obligations in time, your Data may also be processed for the purpose of debt collection, which includes, but is not limited to: phone contact, or outsourcing of debt collection to third parties, or trading and/or assignment of your debt, all to the extent permitted by the consumer protection regulations. Should collateral be exercised in the process of debt collection, we process your Data for this purpose, too.

Payment accounts and payment transactions – When concluding a framework contract on payment services and a transaction account, the Bank processes your Identification Data under (A), as well as some of data specified under (B). We use your Personal Data to conclude and perform the framework contract, make a card and other payment instruments, and to send the required notices, etc. In some cases, we also use your phone or mobile phone number (e.g. if necessary to prevent a card misuse by third parties, resolve a complaint or to remind you of your due obligations). If your authorized representative also appears in your contractual relationship, we also process the Data of the authorized person. If you have agreed standing order/direct debit in addition to transaction account, we process the payee’s account number and exchange Data with it. If the Bank, on the basis of a current account agreement, makes certain funds available in the form of an overdraft, we process your Data in same manner as in the case of loan products, as described above. The Data also include, for example, information contained in a payment order, Data related to installation and use of on-line payment applications, etc.

The Bank also processes your Personal Data necessary for the performance of a deposit agreement, depending on the type of deposit (such as Identification Data, contact information and agreed communication channels). If a standing order have been agreed in addition to the deposit account, we process the data on the number of the account or the number of order. In case of deposit denominated in foreign currency, processing is also done for the purpose of accruing withholding tax.

Payment Cards – The Bank processes your Personal Data provided in the customer information form and the card application form, in order to verify of your creditworthiness, as described for loans above. Your Data are also processed for the purpose of activating and using individual card functionalities (Dina/Visa/MasterCard/Amex). The Contact Data are processed by the Bank to communicate with you for the purpose of sending you prescribed or agreed notifications or preventing misuse and fraudulent actions by third parties. In order to additionally check your identity when communicating by means of remote communication (e.g. phone, e-mail, etc.) and prevent fraud by third parties, the Bank also collects some specific data as required by card processors. Certain Personal Data (for example, name, surname, address, postal code, place, etc.) are required so that a card could be made by a legal person entrusted with the processing of card operations. If the contractual relationship includes an additional cardholder besides you, we process also the Personal Data of that person.

Safe deposit boxes – In order to conclude a safe deposit box agreement, the Bank collects and processes your Identification Data under (A), as well as Personal Data of persons accessing the safe deposit box (e.g. attorney, legal representative), such as: name and surname, domicile, date of birth, JMBG, type and number of identification document, and citizenship.

Fast Money Transfers (Western Union) – The Bank collects and processes your Personal Data under (A), and, in cooperation with the company Eki Transfers, information on the transaction and Personal Data on the sender.

On-line and mobile banking – In addition to the basic Identification Data under (A) and Contact Data, in order to perform a contract and ensure adequate technical support and improve the quality of its digital services, the Bank processes also the technical Data of the system that are a prerequisite for using the service by means of remote communication (for example, the type of mobile device/ computer, name and version of the mobile application, etc.).

Brokerage transactions – For the purpose of performance of contracts on the use of brokerage services, the Bank may collect and process your basic Identification Data under (A) and the Contact Data, as well as data on the number of your securities account with the Central Securities Depository and Clearing House and/or third parties, and your transactional account, and the Data from the Appropriateness Questionnaire (education Data, knowledge of financial markets and instruments, knowledge and experience related to investment services). If, besides you, a third person appears in the contractual relationship (such as an attorney, a legal representative), the Bank collects and processes the Identification and Contact Data on such person. Due to the particularity of these services, the Bank records telephone calls, of which the Bank shall inform you prior to the beginning of the conversation. During the telephone conversation being recorded, for the purpose of unambiguous identification and performance of the contract on the use of brokerage services, the Bank may ask for certain Personal Data.

(C) Personal Data processed by the Bank as the processor

Except as controller, the Bank processes certain Personal Data as a processor on the basis of a contract for the assignment of certain Data processing activities by third parties (for example, as an insurance agent, or related to promotion of investment services offered by Intesa Invest, etc.). In such cases, the Bank processes Personal Data exclusively by order and according to the instructions received from the controller pursuant to the Law.

1. 1000. of Personal Data collection

We collect your Personal Data directly from you or from third parties. If the Data are not obtained from you, the Bank will inform you on terms of the Data processing within 30 days after the Data are collected, unless you are already aware of the terms, or the provision of the information proves impossible or would involve a disproportionate effort, or obtaining or disclosure is expressly laid down by the law which provides appropriate measures to protect your legitimate interests, or where the Personal Data must remain confidential, subject to an obligation of professional or banking secrecy regulated by the law.

5609263154. 4 - CATEGORIES OF RECIPIENTS TO WHOM YOUR PERSONAL DATA MAY BE COMMUNICATED

To achieve the purposes of Data processing, the Bank may communicate your Data to the following categories of recipients:

1. to the Parent Company and members of its Group;
2. to Third Parties that process your Personal Data within:
   • banking, financial and insurance services, payment systems, revenue offices and treasuries or for the purpose of preventing misuse and fraudulent actions in connection with those services;
   • provision of brokerage services, including the receipt and transmission of securities trading orders, as well as maintenance of data related to such orders and their execution on the Belgrade Stock Exchange. The OASIS trading platform within the Hellenic Exchanges - Athens Stock Exchange S.A., Greece (hereinafter: Athex) is used for trading financial instruments on the Stock Exchange, whereby the Bank transfers personal data exclusively for the purpose of executing trading orders. By submitting a trading order, it is considered that you agree and authorize the Belgrade Stock Exchange,to transfer the collected personal data, for the purposes of performing the activities of the market organizer, to the company Athex for the purpose mentioned above;
   • recording the financial risks for the purpose of preventing and controlling the risk of insolvency;
   • credit recovery and related activities;
   • providing and managing procedures and IT systems;
   • security and CCTV management services;
   • real estate appraisal services;
   • auditing activities and consultancy in general;
   • managing communication with customers, as well as the storage of Data and documents, whether in paper or electronic form;
   • recording of service quality, market research, information and commercial promotion of the Bank’s products and/or services;
3. to responsible Authorities and institutions (such as the National Bank of Serbia, Securities Commission, judicial and administrative authorities);
4. to public information systems (e.g. single registers of accounts of natural persons and legal entities with the National Bank of Serbia) and information systems maintained by the Association of Serbian Banks (e.g. Credit Bureau).

The third parties your Personal Data may be communicated to, act as: (1) independent Data Controllers, i.e. subjects which autonomously determine the purposes and means of the Personal Data processing; or (2) Data Processors, i.e. subjects which process the Personal Data on behalf of the Bank as the controller; or (3) Joint Data Controllers, which determine, together with the Bank, the relevant purposes and means. When processing your Personal Data, the recipients are due to apply measures to protect the Data at the same level as the Bank.

You may require more details on Data Processors and Joint Data Controllers in any Branch Office of the Bank or from the Data Protection Officer.

5609263154. 5 - TRANSFERRING PERSONAL DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANISATION

Your Data are processed by the Bank in Republic of Serbia and exceptionally transferred into other country or international organisation. Your consent is not required if such other country or international organisation guarantees appropriate safeguards.

It is considered that appropriate safeguards are ensured in the countries and international organisations: (a) parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or (b) vis-à-vis the “adequacy” decisions of the European Commission based on the appropriate safeguards, or (c) when the transfer of Personal Data is regulated by governmental agreement with such country or international organisation.

When necessary, the Bank transfers your Data to the central Databases of the Parent Company and to other members of Intesa Sanpaolo Group operating in the countries fulfilling conditions specified above.

Transfer of your Data to a third country or international organisation not fulfilling the said prerequisites may not be executed without your explicit consent and subject to other requirements defined in Article 69 of the Law.

You may require more details on safeguards in any Branch Office of the Bank or from the Data Protection Officer.

5609263154. 6 - PROCESSING METHOD AND PERSONAL DATA RETENTION TIME

Your Personal Data will be processed using manual and electronic tools and in a way that ensures their security and confidentiality. In some cases Data processing is automated (e.g. in case of some credit applications, the Bank adopted automated decision-making processes).

In accordance with the Law on Prevention of Money Laundering and the Financing of Terrorism, your Personal Data are retained for a time period of 10 years, starting from the end of the business relationship with the Bank. Other Personal Data are kept until achieving the purpose they had been collected for, unless the Bank needs them in order to comply with its prescribed obligations or to pursue a legitimate interest.

5609263154. 7 - RIGHTS OF THE DATA SUBJECT

In your capacity of the Data Subject, you may exercise your rights by sending a specific request to the Data Protection Officer, using any of the channels specified in Section 2 above. Any communications and actions undertaken by the Bank in connection with exercising the rights listed below, will be made free of charge. However, if your requests are manifestly unfounded or excessive, in particular due to their repetitive character, the Bank may charge you a fee, taking into account the administrative costs incurred, or refuse to act on your requests.

As the Data Subject, you have the following rights:

1. 1. 1. 1. Right of access

Right of access enables you to obtain information whether the Bank processes your Personal Data and, where that is the case, to obtain access to the Personal Data and the information, such as: the purposes of the processing, the categories of Personal Data concerned, Data recipients, retention period, etc. Where Personal Data are transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards relating to the transfer, as provided in Section 5 above. If requested, the Bank shall provide you with a copy of the Personal Data undergoing processing. For any further copies requested, the Bank may charge you a reasonably fee based on the administrative costs. If the request is submitted by electronic means, and unless otherwise requested, the information shall be provided by the Bank in a commonly used electronic form.

1. 1. 1. 2. Right to rectification

The Bank will correct your Personal Data that are inaccurate, as well as amend the Data that are incomplete.

1. 1. 1. 3. Right to erasure

You may require from the Bank to erase your Personal Data, if any of the reasons provided by Article 30 of the Law occurs (e.g. when the Data are no longer necessary in relation to the purposes for which they were collected, or if the consent was withdrawn by you and there is no other legal ground for the processing). The Bank may not erase your Personal Data if their processing is  necessary: to comply with a legal obligation, or for reasons of public interest (e.g. complying with the regulatory order), or for the establishment, exercise or defence a legal claim (e.g. filing a court claim, conducting juridical/administrative proceedings, etc.).

1. 1. 1. 4. Right to restriction of processing

You may obtain the restriction of processing your Personal Data if one of the cases provided by Article 31 of the Law applies (e.g. should the accuracy of your Personal Data or the legitimate grounds of the processing be arguably contested by you, etc.).

1. 1. 1. 5. Right to Data portability

At your request, the Bank will provide you with your Personal Data in a structured, commonly used and machine-readable format (e.g. at a computer) and enable you to transmit the Data to another Data Controller without hindrance from the Bank, subject to all of the following conditions: (a) the processing is based on the consent or it is necessary for the performance of a contract, and (b) the processing is carried out by automated means, and (c) the Data transfer does not affect fundamental rights and freedoms of other persons.

Subject to technical feasibility, you may request to have your Personal Data transmitted directly from the Bank to another Data Controller indicated by you.

1. 1. 1. 6. Right to object

You may object at any time to the processing of Personal Data, if the processing is grounded on pursuing legitimate interest or public interest or the Bank’s rights established by the law. In such case, the Bank will abstain from further processing the Data, unless compelling legitimate grounds for the processing occur, overriding your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims (e.g. filing a court claim, counter-claim, etc.).

Where the Bank processes your Personal Data for the purpose of direct marketing, including profiling, in case you object such processing, the Bank will cease further processing of your Personal Data for the purpose of direct marketing.

1. 1. 1. 7. Automated decision process relating to natural persons, including profiling

If you deem that your rights might be harmed by a decision reached in a fully automated process, you have a right to object such decision and require from the Bank to re-consider it in presence of human intervention.

1. 1. 1. 8. Right to lodge a complaint with the Commissioner for Personal Data Protection and right to initiate court and/or administrative proceedings

Should you deem that the processing of your Personal Data takes place in breach of the Law and/or the applicable regulations, you may lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection. The Commissioner's rulings may be challenged in administrative proceedings within 30 days of delivery of its decision. Initiating administrative proceedings does not affect your right to appeal to any other administrative or jurisdictional court.

5609263154. 8 - PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

In relation to the processing of special categories of Personal Data necessary to provide specific services and products, your explicit consent is required (such as in case of collecting biometric Data for the purpose of uniquely  identifying a natural person, or Data concerning health for the purpose of selling certain insurance products), without prejudice to the specific cases provided by the Law, which allows the processing of special categories of Personal Data  also without the explicit consent (e.g. when collecting copy of the ID document with the fingerprint specimen).