The controller of your personal data is PKO Bank Polski S.A.
Personal Data Processing Notice
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter referred to as the “Regulation”, we wish to inform you that:
1. Data Controller
The controller of your personal data is Powszechna Kasa Oszczędności Bank Polski Spółka Akcyjna with its registered office in Warsaw, address: ul. Puławska 15, 02-515 Warszawa, registered by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0000026438, NIP (tax identification number): 525-000-77-38, REGON (business statistical number): 016298263, its (paid-up) share capital amounting to PLN 1,250,000,000, helpline: 800 302 302, hereinafter referred to as the “Bank”.
2. Data Protection Officer
The Bank has appointed a Data Protection Officer. Address: Inspektor Ochrony Danych (Data Protection Officer), ul. Puławska 15, 02-515 Warszawa, iod@pkobp.pl. Details concerning the Data Protection Officer are available under the “GDPR” tab on the Bank’s website, and can be obtained at the Bank’s branches or from its agents.
3. Categories of personal data -this information applies to personal data acquired otherwise than from the data subject
The Bank processes the following categories of your personal data: identification data, address details, and contact details.
4. Purpose and legal bases of data processing
Personal data may be processed by the Bank for the following purposes:
1) presentation of offers or processing of a request for a product offered by the Bank or a service provided by the Bank, including for and on behalf of companies from the Bank’s Corporate Group and entities cooperating with the Bank, on the basis of Article 6(1)(b) or (f) of the Regulation,
2) conclusion of an agreement on the basis of Article 6(1)(b) of the Regulation,
3) implementation of an existing agreement or provision of services by the Bank, on the basis of Article 6(1)(b)-(c) of the Regulation,
4) creditworthiness assessment and credit risk analysis, on the basis of Article 6(1)(b)-(c) of the Regulation,
5) 5) management of risk by the Bank, including assessment of the creditworthiness and credit standing, on the basis of Article 6(1)(b)-(c) of the Regulation,
6) handling of complaints, requests and appeals, on the basis of Article 6(1)(b)-(c) and (f) of the Regulation,
7) execution by the Bank of actions resulting from generally applicable laws, including tasks undertaken in the public interest, on the basis of Article 6(1)(c) and (e) of the Regulation,
8) exercise representation powers (for example, under a power of attorney) or rights arising from a surety, on the basis of Article 6(1)(b)-(c) of the Regulation,
9) marketing, including promotion of products offered by the Bank or services provided by the Bank or companies from the Bank’s Corporate Group or entities cooperating with the Bank, on the basis of Article 6(1)(f) of the Regulation,
10) establishing and exercising claims by the Bank in connection with its activity, including restructuring, debt collection, debt enforcement, taking actions to find buyers for assets securing an agreement and sale of receivables arising from such an agreement, or defence against claims made against the Bank, before law enforcement bodies, judicial bodies, including common courts, administrative courts, the Supreme Court, in the course of administrative proceedings, including tax proceedings, on the basis of Article 6(1)(f) of the Regulation,
11) detection and mitigation of fraud related to the Bank’s activity, and ensuring the safekeeping of the Bank’s customers’ money, as well as conducting enquiries, on the basis of Article 6(1)(f) of the Regulation.
The details of the entities of the Bank’s Corporate Group and entities cooperating with the Bank are available under the “GDPR” tab on the Bank’s website, and can be obtained at the Bank’s branches or from its agents.
5. Sharing personal data
The Bank can share your personal data with:
1) entities and bodies to which the Bank is required or authorised to disclose personal data on the basis of generally applicable laws, including entities and bodies authorised to receive personal data from the Bank or authorised to request access to personal data on the basis of generally applicable laws, in particular on the basis of Article 104(2) and Article 105(1) and (2) of the Banking Law,
2) entities to which the Bank entrusts banking operations or activities associated with banking operations conducted for the Bank,
3) the institutions referred to in Article 105(4) of the Banking Law,
4) bodies and entities authorised to receive personal data on the basis of Article 149 or 150 of the Act on trading in financial instruments or other laws governing trade in financial instruments (in respect of trust services provided by the Bank under Article 119 of the Act on trading in financial instruments, or services performed by the Bank under Article 70(2) of the Act on trading in financial instruments),
5) Economic Information Bureaus operating under the Act on the sharing of economic information and exchange of economic data, pursuant to the provisions of this Act,
6) entities from the Bank’s Corporate Group and entities cooperating with the Bank in connection with products and services offered by these entities. The list of the above entities is available under the “GDPR” tab on the Bank’s website, and can be obtained at the Bank’s branches or from its agents.
6. Transferring personal data to third countries
Your data may be transferred to the US government administration in connection with international money transfers via the SWIFT network.
7. Data retention period
Your personal data will be retained:
1) for the duration of the offer or processing of your request for a product offered by the Bank or a service provided by the Bank, including for and on behalf of companies from the Bank’s Corporate Group and entities cooperating with the Bank,
2) for the term of your agreement with the Bank, and thereafter in connection with the Bank’s legal obligations stemming from generally applicable laws,
3) for a period necessary for the Bank to exercise its claims in connection with its operations, or defend against claims filed against the Bank, on the basis of generally applicable laws, subject to the claim limitation periods provided for by generally applicable laws,
4) for the duration of the application of the internal approaches and other approaches and models referred to in Part Three of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012,
5) 5) as long as the power of attorney granted to you remains in effect, and after it expires, in connection with the Bank’s legal obligation stemming from generally applicable laws.
Information on data retention periods is available under the “GDPR” tab of the Bank’s website, and can be obtained at the Bank’s branches or from its agents.
8. Available rights
In relation to the processing of your personal data by the Bank, you have:
1) a right to access your personal data,
2) a right to have your personal data rectified,
3) a right to have your personal data erased (right to be forgotten),
4) a right to have the processing of your personal data restricted,
5) a right to have your personal data transferred to another personal data controller,
6) a right to object to the processing of your personal data, including for the needs of profiling and direct marketing,
7) a right to withdraw your consent, when the Bank processes your personal data on the basis of your consent, at any time and by any means, without prejudice to the lawfulness of processing conducted on the basis of your consent prior to the withdrawal,
8) a right to file a complaint with the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych) if you consider that the processing of your personal data is in breach of the Regulation.
9. Source of data - this information applies to personal data acquired otherwise than from the data subject
Your personal data may be obtained from your legal representative, a principal subject to a power of attorney, a company for which you are the beneficial owner, your employer, a party to an agreement concluded with the Bank, as well as from publicly available sources, in particular from the following databases and registers: the Universal Electronic System for Registration of the Population (PESEL), the Identity Document Register (Rejestr Dowodów Osobistych), the National Court Register (KRS), the Central Business Registration and Information Records (CEIDG), and the National Business Register (REGON).
10. Requirement to provide data
We need your personal data for the purpose set out in point 4 above for:
1) us to process your request for a product offered by the Bank or a service provided by the Bank, including for and on behalf of the Bank’s Corporate Group and entities cooperating with the Bank, whereby your not providing us with your personal data will make us unable to handle your request for the product offered by the Bank or the service provided by the Bank, including for and on behalf of companies from the Bank’s Corporate Group and entities cooperating with the Bank,
2) us to conclude and perform an agreement between you and the Bank, whereby your not providing us with your personal data will result in us being unable to conclude and perform such an agreement,
3) the Bank to be able to provide its services, whereby your not providing us with your personal data will result in the Bank being unable to provide the services,
4) us to consider your complaint or grievance, whereby your not providing us with your personal data will result in us being unable to consider your complaint or grievance,
5) you to receive offers or marketing materials for products offered by the Bank or services provided by the Bank, including for and on behalf of companies from the Bank’s Corporate Group and entities cooperating with the Bank, whereby your not providing us with your personal data will make you unable to receive such offers or marketing materials for products or services.
11. Automated decision-making, including profiling
Your personal data will be processed by automated means, including profiling, for the purpose of evaluating your creditworthiness and for marketing purposes, which will enable us to simplify your customer service and provide you with an individualised offer of products offered by the Bank or services provided by the Bank, including for and on behalf of the Bank’s Corporate Group and entities cooperating with the Bank.
Information on automated decision-making, including profiling, is available under the “GDPR” tab of the Bank’s website, and can be obtained at the Bank’s branches or from its agents.
