OTP Banka Srbija a.d. Beograd (hereinafter: the Bank) is a controller of personal data of data subjects and processes them in accordance with applicable legislation, that is, in accordance with the Law on Personal Data Protection (RS Official Gazette, no. 87/2018) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 .April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data , and repealing Directive 95/46/EC (when applicable).
Data subject is any natural person (individual) whose personal data are processed by the Bank.
The Policy applies to any personal data that the Bank collects, uses, or otherwise processes, directly or through its partners. Personal data means any information relating to a natural persons that is identified or identifiable, directly or indirectly (hereinafter: data or personal data). Data processing means any operation which is performed on personal data, for example, collection, recording, storage, use, transmission of data, and making personal data available.
The Policy applies to all services and products of the Bank that involve processing of personal data. The last declaration of will by the data subject regarding the processing of personal data applies to all other services and products of the Bank used by such person.
The Policy primarily relates to the natural persons who submit an application or use the Bank’s services and products and/or are interested in using services and products. Taking into account legitimate interests of subjects that are legal persons, the Policy also applies to legal persons, that is, to the personal data of employees in legal persons, as appropriate, and in accordance with current legislation.
The Policy does not apply to anonymous data. Anonymous data are the data which are altered in such a manner that they can no longer be linked to a specific natural person or cannot be linked without unreasonable effort so that, in accordance with current legislation, they are no longer considered personal data.
Lawfulness, fairness, and transparency
The Bank ensures that personal data are processed lawfully, fairly and transparently using the following measures:
a) providing data subject with information about the purpose, manner and type of personal data processing in a clear and easily accessible manner already in the phase of collection of personal data;
b) processing is necessary for the performance of a contract that the Bank concludes with the data subject (e.g. clients, employees, prospective clients) or is based on a previous consent of the data subject;
c) processing is necessary for compliance with a legal obligation to which the Bank is subject as a controller of personal data (e.g. transmitting employees’ personal data to external institutions based on concluded employment contracts);
d) processing is necessary for the purpose of pursuing a legitimate interest of the Bank.
Personal data are processed by the Bank for the purposes that are specified, explicit, justified and lawful, and may not be processed further in a manner that is incompatible with those purposes.
In the case that personal data are intended to be processed for other purposes as well, the proposer of the new processing of personal data produces an assessment of the impact on data protection and, as needed, obtains consent from the data subject.
When obtaining personal data on a data subject, the Bank obtains only such personal data that are necessary to achieve the purpose for which the data are processed.
Additional personal data are obtained with the consent of the data subject, for achieving a specific purpose.
The Bank ensures the accuracy of personal data by introducing automatic and manual checks when capturing and processing personal data.
Data storage periods are defined in an internal act of the Bank on the retention of registry material, in such a manner that they are stored within the legally established retention periods and for the periods necessary for achieving the purposes of processing thereof.
In the case of processing personal data after the expiry of the retention period for the purposes producing statistical analyses, for instance, the Bank (permanently) anonymises personal data in a manner that will make it impossible to identify the natural person to whom the personal data refer.
Integrity and confidentiality
The Bank has implemented technical and organisational measures to secure personal data following with the legal provisions, good practice, and provisions of ISO standards in the process.
Additionally, the Bank has implemented security of information and event management (SIEM) system for the purpose of early detection of security events that could threaten confidentiality, integrity and/or availability of personal data.
Processing personal data at the location of an external entity (processor) is carried out on the basis of a contract that, among other things, regulates the duties of the processor with respect to securing personal data and prompt reporting about security events that could affect confidentiality and / or integrity of personal data.
The Bank collects personal data in three basic ways:
- We primarily collect data directly from data subjects, by them provide the data to us. The most common example for such a manner of data collection is the submission of application for a service or product, where data subjects, if they wish to use a particular service or product, provide data and documents required for identification (e.g. given name, family name, address, read personal ID document, personal ID number, etc.). We also collect data when the Bank communicates with a data subject through the call centre, web portal and social networks, when dealing with objections, etc.
- We collect data that are automatically generated when a data subject uses the Bank’s services and/or products. For instance, data on performed transactions, manner of use of particular services and products of the Bank, IP address, etc.
- We collect data from publicly available sources, such as, for instance, data from company registers, and data on a person’s status as an official.
A prerequisite of any collection of personal data of a data subject is the existence of appropriate legal grounds pursuant to the law.
Personal data of data subjects that are collected at the Bank, and are subject to data protection, include among others, the data on:
a) personal identification – given and family name, parent’s name, personal identity number, date and place of birth, identity card number, passport number, MoI office, and date of issue of the document;
b) personal address – residence address, account statement delivery address, IP address of the data subject’s equipment;
c) contact information- phone (fixed and/or mobile phone), e-mail;
d) social identity – citizenship and occupation;
e) financial information – information on the salary, information on other accounts and liabilities, information from the Credit Bureau of the Banking Association, account number, card number, sub-account number, insurance policy number, other income of the data subject’s household, tax residency and tax identification number;
f) property information (for housing loans) – immovable and movable property owned by the data subject;
g) special type of personal data – political affiliation, (status of an official), disability information (for determining the subject’s income), information if any criminal proceedings have been initiated against the subject(in the case of employees in order to fulfill a regulatory requirement in accordance with regulations), education information, qualifications of the Bank’s employees;
h) information on the spouse – spouse employment information, number of children, number of household members;
i) related party information –parties related by management function, by familial relationship, in accordance with the law;
j) credit products information – activities and operations, information about the employer, including the contract, credit history, previous use of banking products, etc.
The Bank considers personal data of data subjects their property and treats them accordingly. However, in order for the Bank to be able to provide a service to a data subject, and in accordance with the legal bases listed below, a minimum set of data necessary for quality provision of individual services or products of the Bank needs to be processed. Otherwise, that is if the data subject refuses to provide the required set of data, the Bank will not be able to provide him with the appropriate service. In accordance with above, the personal data of subjects are processed when one of the conditions below are met:
a) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
b) processing is necessary for compliance with a legal obligation of the Bank (applicable legislation with which the Bank has to comply) – at any instance the Bank is authorised or obligated by the law to particular processing, the Bank will, pursuant to such law, process the personal data of data subjects. For instance, in the case there is a legal obligation, such as the Law on the Prevention of Money Laundering and Terrorism Financing, the Bank will collect and process a legally defined set of data, so in the case the data subject refuses to provide the required set of data, the Bank will not be able to provide them with a requested service or product of the Bank;
c) processing is necessary for the purposes of the legitimate interests pursued by the Bank or by a third party – except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor. Legitimate interest of the Bank means the processing that serves to improve the process, develop products, and improve operations, ensure alignment of the Bank’s operations with international regulations of extraterritorial reach, prevent fraudulent actions / unlawful activities against the Bank, its clients and/or third parties, modernise services, offer products and services expected to facilitate clients’ dealings with the Bank;
d) the data subject has given consent to the processing of his or her personal data for one or more specific purposes – consent must be demonstrable and voluntary, written in a plain language , and the data subject has the right to withdraw his or her consent at any time (consent withdrawal must be equally easy as granting consent).
e) processing je necessary to protect the vital interests of the data subject or of another natural person;
f) processing je is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Bank.
Decision-making based on automated data processing is an integral part of the Bank’s operations and as such necessary, and is performed:
a) in accordance with applicable laws relevant for the Bank’s operations, among other things, for the purposes of monitoring and prevention of fraud, money laundering, etc., and is carried out in accordance with the legislation;
b) to ensure safety and reliability of the services provided the Bank;
c) if necessary for entering into or performance of a contract between the data subject and the controller, which involves reduction of business risks, improvement of operations, certain overnight processing that are an integral part of the IT system, etc.;
d) where the data subject has explicitly given his or her consent.
In accordance with the law, the Bank gives the data subjects right to object to automated, but also to manual, processing of data for the purpose of direct marketing, including profiling to the extent that it is linked to direct marketing, either with respect to initial or further processing, at any time, free of charge.
Access your personal data is granted only to the Bank’s employees, and our associates for whom such data are necessary to perform their tasks, i.e. who have the “need to know”.
We transfer collected personal data to processors (vendors) with whom we have an appropriate contract, Group members, competent state bodies, as well as third parties, in accordance with the law of the Republic of Serbia.
Your personal data are protected from any breach, including unauthorised access, accidental loss, destruction, damage, and any other breach of personal data safety.
For the purpose of protecting your personal data, we apply technical and organisational measures, such as control of the right to access any data and documents, ensuring that all the persons who have the right to access your personal data fulfil their confidentiality obligations, we apply methods of access control (passwords, PINs, smart cards), and methods of monitoring access and activities in the information systems, and apply software solutions to ensure safety of our IT equipment and data.
First of all, you have the right of access to personal data, meaning the right to obtain information as to whether we are processing your personal data. If we are, we will inform you, among other things, about the purpose of processing personal data, category of personal data, recipients or categories of recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, and on the rights you can exercise with respect to the Bank as the controller of personal data.
Second, you have the right to rectification of personal data, meaning that you have the right to submit a request for rectification of your inaccurate personal data, and the right to supplement incomplete personal data, including by means of a supplementary statement.
Third, you have the right to restriction of processing of your personal data in the following cases:
a) when you contest the accuracy of personal data, we will restrict processing for a period enabling us to verify the accuracy of the personal data;
b) when the processing of your personal data is unlawful and you oppose the erasure of the data and instead request the restriction of their processing;
c) when the need to process your personal data no longer exists, but you require us to continue with the processing for the establishment, exercise or defence of your legal claims; and
d) when you object to the processing pursuant to Article 37, paragraph 1 of the Law on Personal Data Protection, pending the verification whether there are legal grounds for processing personal data that override your interests, rights or freedoms or are related to for the establishment, exercise or defence of legal claims.
Fourth, you have the right to object, meaning that you have the right to file an objection to the processing of personal data which involves processing necessary for:
a) performing activities in the public interest or performing the Bank’s statutory authorities; or
b) pursuing the legitimate interests of the Bank or of a third party, unless those interests outweigh the interests or fundamental rights of the data subject requesting the protection of personal data, and in particular if the data subject is a minor; as well as
c) profiling performed on the basis of such processing.
When you object, we may no longer process your personal data, unless we can demonstrate that there are legal grounds for processing that override your interests, rights or freedoms or are related to for the establishment, exercise or defence of legal claims.
In addition to the rights of the subject whose personal data are processed, please be notified of the right to erasure, and the right to data portability.
Namely, the right to erasure (“right to be forgotten”) means your right to erasure of your personal data in the following cases:
a) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) data subject withdraws consent on which the processing is based, in accordance with Article 12, paragraph 1, point 1), or Article 17, paragraph 2, point 1) of the Law on Personal Data Protection, and there is no other legal ground for the processing;
c) you object to the processing in accordance with Article 37, paragraph 1 of this Law, and there are no other legal grounds for processing data which override legitimate interest, rights or liberty of person and its personal data or Article 37, paragraph 2 of the Law on Personal Data Protection
d) your personal data have been unlawfully processed, and
e) personal data have to be erased for compliance with our legal obligations under the law of the Republic of Serbia.
Furthermore, right to data portability means the right to receive your personal data that you have previously provided to the Bank in a structured, commonly used and machine-readable format, and you have right da to transmit those data to another controller without hindrance from our side, if the Bank carried out the processing by automated means and on the basis of consent or contract.
To facilitate the exercise of your rights, we have published on our website the request forms that you can download:
The request that you are submitting must be properly completed and signed.
In the case we receive a request that is not properly completed or is not signed, we will invite you to eliminate the identified deficiency.
You can submit the request to the Bank in the following manner:
- at any branch office of the Bank in person or through a proxy;
- by email from the address provided to the Bank as a contracted channel of communication with the Bank at: email@example.com
Exercising the above rights will be facilitated in accordance with the provisions of the Law on Personal Data Protection within appropriate time limit and without undue delay. Please note that the Bank has the obligation to act upon the request of the person concerned not later than within 30 days of receipt of a complete request. The time limit may be extended for further 60 days where necessary, taking into account the complexity and number of requests. The Bank is obligated to inform the person concerned about the reasons for such extension within 30 days of receipt of the request.
Please also contact us at the above addresses when you have any questions relating to the processing of your personal data by the Bank.
The supervisory authority for personal data protection in the Republic of Serbia is the Commissioner for Information of Public Importance and Personal Data Protection, Bulevar kralja Aleksandra 15, Belgrade (hereinafter: Commissioner).
Please note that you can lodge a complaint with the Commissioner about our actions concerning the processing of your personal data.
Further information concerning the exercise of the right to personal data protection may be sought from the data protection officer of the Bank at the following e-mail address: firstname.lastname@example.org