OTP Bank Srbija a.d. Novi Sad (hereinafter referred to as “the Bank”) is the controller of personal data and it processes the personal data in accordance with Law on personal data protection („Official Gazette RS“, no. 87/2018) and in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) when applicable.
The data subject is any natural person (individual) whose personal data is processed by the Bank.
The Policy applies to all personal data of the Bank’s Client that the Bank processes or determines the purpose and manner of processing, as well as to other persons listed in this item.
The policy applies to all services and products of the Bank that include the processing of personal data. If the basis for processing is consent, the last expression of the will of the data subject, by which that person gives consent for the processing of personal data, applies to all services and products of the Bank used by that person.
The policy is primarily intended and refers to:
- Natural persons who submit a request or use the services and products of the Bank (Clients):
- Natural persons interested in using the services and products of the Bank (Potential Clients),
- Other natural persons whose data the Bank obtains during its operations in accordance with applicable legal regulations.
The policy does not apply to anonymised data, ie to data on the basis of which the identity of a person is not directly or indirectly identifiable. Anonymised data is data that has been changed in such a way that it cannot be linked to a specific natural person and therefore, in accordance with the applicable regulations, it is not considered personal data.
The Bank processes personal data for different purposes, and the means of collection, the legal basis for processing, use, disclosure, and retention periods may differ depending on the purpose.
The Bank processes personal data in a legal, transparent and fair manner by carrying out the following activities:
- Informs the persons to whom the data relate about the purpose of processing and the legal basis for processing in a clear, simple and clear manner;
- Only necessary processing is carried, and in order to implement the contract concluded with the data subject (eg clients, potential clients, hired associates, etc.), when the processing is required by the relevant legislation and represent a legal obligation of the Bank as a controller, when processing necessary to achieve the legitimate interest of the Bank but only in cases where that interest prevails over the interest of the data subject, as well as processing performed on the basis of explicit and freely given consent of the person to which the data relate.
The Bank processes personal data for purposes that are specifically determined, explicit, justified and lawful. Personal data may no longer be processed in a manner inconsistent with those purposes.
In obtaining personal data, the Bank adheres to the principle of a minimum amount of data, so only those personal data that are necessary to fulfill the purpose for which they are processed are collected from the data subjects. In case additional personal data are necessary, they are obtained with the consent of the data subject.
The Bank ensures the accuracy of personal data by applying technical and organizational measures and periodically updating the data.
The deadlines for data retention are determined in the Bank’s internal acts in such a way that the data are retained for the period necessary to achieve the purpose of processing and is in accordance with legal requirements.
The Bank respects the principle of integrity and confidentiality of personal data. The Bank has implemented technical and organizational measures for the protection of personal data, following legal provisions, good business practice and internationally recognized standards.
The Bank may hire a processor for the processing of personal data on the basis of a contract which, among other things, regulates the duties of the processor with regard to the protection of personal data.
The Bank collects personal data in the following ways:
- Directly from the Client or Potential Clients, by direct delivery by the Client and / or Potential Client (such as when submitting a request for service at points of sale, during communication of the Client / Potential Client with the Contact Center or through the website and social networks, when filing an objection and the like).
- Automatically when using the Bank’s products and services, if it is necessary for the Client / Potential Client to enter their data in order to use the appropriate product and/or service of the Bank.
- From publicly available sources such as, for example, data from publicly available services.
A precondition for any collection of personal data is the existence of an appropriate legal basis in accordance with the Law.
The Bank collects and processes the following categories of personal data – the overview is given comprehensively in relation to different purposes of processing:
- Data contained in contracts with Clients and application forms of Potential Clients – name and surname, personal identification number, name of one parent, residential address, citizenship, identification document number, place and date of issuance of identification document, country of birth, telephone number (fixed, mobile), address for delivery of mail, contact data, data on the manner and history of payment for services (amounts of debt, existence of a standing order, current account number, etc.), data from the account specification, etc.
- Financial data – data on earnings, other household income, data on other accounts and liabilities, data from the Credit Bureau of the Association of Banks, account number, card number, batch number, number of insurance policy, to which the data refer, data on tax residency and tax identification number, etc.;
- Property data (for certain types of placements) – real estate and movables owned by the person to whom the data relate; o Special type of personal data – political affiliation (oficial status), disability data (to determine a person’s income);
- Information about the spouse – data on the employment of the spouse, number of children, number of household members;
- Data on related parties – connection on the basis of management function, connection on the basis of kinship and other connections in accordance with the law;
- Data necessary for credit products – activity and activity, data on the employer, including employment contract, credit history, previous use of banking products, and similar;
- Data on visits to our internet portals and information provided by Clients and / or Potential Clients by filling in the appropriate forms on our website, including but not limited to: name, surname, address, mobile phone number, landline number and email address;
- Information contained in the records on communications and correspondence in situations of establishing contact by the Client, Potential Clients and other natural persons, including recordings of conversations with the Contact Center, written or electronic communication;
- Data of Clients, Potential Clients and / or other natural persons from surveys used for research purposes, if the persons wish to be surveyed;
- Information that the Bank collects and processes for the purposes of direct marketing and profiling, based on the freely given consent of the data subject;
- Other personal data for which there is a legal basis for their processing in accordance with the law.
The bank processes the personal data of the data subject only when such processing
is lawful. Processing is legal in the following cases:
- Processing is necessary for the execution of the contract concluded with the data subject or in order to take action at the request of the data subject prior to the conclusion of the contract.
- Processing is necessary in order to comply with the legal obligations of the Bank (applicable legal regulations according to which the Bank is obliged to act). Based on a written request based on applicable legal regulations, the Bank is obliged to provide or provide access to certain personal data of the Client to the competent state bodies (eg courts, police, etc.) in certain situations.
- Processing is necessary in order to achieve the legitimate interests of the Bank or a third party, except when those interests are stronger than the interests or fundamental rights and freedoms of data subjects that require protection of personal data, especially if the data subject relations are minors. The legitimate interest of the Bank means processing that serves to improve the process, product development and business improvement, modernize services, offer products and services that are expected to improve business with customers.
- The data subject has given consent for the processing of his / her personal data for one or more specially specified purposes, whereby that consent must be provable and voluntary, written in easy-to-understand language and the data subject has the right to withdraw his consent at any time.
- Processing is necessary for the vital interests of the data subject or another natural person.
- Processing is necessary for the purpose of performing activities in the public interest or exercising the legally prescribed powers of the Bank.
Decision-making based on automated data processing, including profiling, is carried out in accordance with:
- applicable laws;
- fulfillment of contractual obligations;
- with the explicit consent of the data subject;
- the legitimate interests of the Bank.
In accordance with the Law, the Bank enables data subjects to exercise the right to object to automated processing, including profiling. The complaint can be filed either in relation to the initial or further processing, at any time and free of charge.
Only employees of the Bank, as well as hired associates have access to personal data in accordance with the tasks they perform on the basis of appropriate authorizations determined by the Bank and only to the extent necessary, with the obligation to act in accordance with the Bank’s regulation which relates to personal data protection.
Personal data are available to third parties outside the Bank only in the following cases:
- If there is a legal obligation or explicit authority under the law (eg a court request);
- If a third party or subcontractor (processor) is engaged to perform certain tasks, whereby that processor acts exclusively in accordance with the order of the Bank, and the Bank ensures all data protection measures as if it performs these tasks independently;
- Affiliated companies of the Bank provided that there is a legal basis for such transfer or access (consent of the person or legitimate interest);
- If the data need to be forwarded for the purpose of performing the contract;
- Other persons outside the Bank for whom there is the explicit consent of the data subject.
As a rule, the Bank processes your personal data in the Republic of Serbia, and exceptionally, the Bank may process this personal data in other countries or international organizations in accordance with the Law on Personal Data Protection.
Personal data are treated as a business secret of the Bank and are accordingly classified as confidential. In accordance with their classification, adequate protection measures are applied to them, which protect this data from injury, unauthorized access, accidental loss, destruction, damage, and any other security threat. For these purposes, technical and organizational measures are applied, such as control of access rights, establishment and implementation of information security policy and other related internal acts, establishment of segregation of duties, establishment and enforcement of confidentiality and compliance with the law of all third parties entitled to access personal data in the Bank’s information system, application of methods for monitoring access and activities in information systems, as well as application of software solutions for the protection of information resources.
In the event of a breach of personal data that results or may result in accidental or intentional destruction, loss, alteration or unauthorized disclosure of personal data during their processing, which may pose a high risk to the rights and freedoms of data subjects, the Bank shall immediately upon learning of such violation, without undue delay, notify the Commissioner and the data subject in a clear and understandable manner with mandatory contact details of the person authorized to protect personal data, a description of possible consequences and a description of measures taken. In the event of a breach of personal data, the Bank shall immediately take appropriate measures to prevent further damage to the rights and freedoms of the data subject and to reduce the consequences of that breach.
Clients, Potential Clients and other persons to whom personal data relate may exercisethe following rights:
1. The right to access personal data – the applicant for the exercise of this right has the right to obtain information on the existence of processing of personal data relating to him, the purpose of processing, the type of personal data being processed, recipients or categories of recipients personal data are disclosed or may be disclosed, on retention periods, on the existence of the right to request correction or deletion of personal data, ie the right to limit the processing of such data, on the existence of the right to file a complaint to the Commissioner.
2. The right to correction of personal data – the right to request the correction of inaccurate personal data, as well as the right to supplement incomplete data.
3. The right to restrict the processing of personal data in the following cases:
– when the accuracy of personal data is disputed, the Bank will temporarily limit the processing for a period sufficient to verify the accuracy of personal data;
– when there is no legal basis for the processing of personal data, and the data subject opposes the deletion of data in order to submit the realization or defense of legal claims;
– The bank no longer needs personal data to achieve the purpose of processing, but the person to whom the data relates requested them in order to submit, realize or defend a legal claim;
– when an objection to processing is filed, and the assessment of whether the legal basis for processing by the Bank prevails over the interests of that person is in progress.
4. The right to object refers to the right of a person to submit at any time an objection to the Bank on the legality of the processing of his / her personal data established on the basis of the appropriate legal grounds for processing.
5. The right to erasure (“right to be forgotten”) may be exercised in the following cases:
– personal data are no longer necessary to achieve the purpose for which they were collected or otherwise processed;
– the data subject revokes the consent on the basis of which the processing was performed, and there is no other legal basis for the processing;
– the data subject has filed an objection to the processing in accordance with the Law, and there is no other legal basis for the processing that prevails over the legitimate interest, right or freedom of the data subject;
– personal data have been processed illegally;
– personal data must be deleted in order to fulfill the legal obligations of the controller;
– personal data are collected in connection with the use of information society services.
6. The right of a person to data portability means the right of a person who has submitted his personal data to the Bank in a structured, commonly used and electronically legible format, received by the Bank, as well as the right to transfer such data from the Bank to another controller. consent, is performed on the basis of a contract or in accordance with the Law on Personal Data Protection, and if the processing is performed automatically.
You can exercise your rights regarding the personal data that the Bank processes about you in all branches. All additional questions related to the processing of your personal data, as well as questions related to the exercise of your rights, you can send to the Data protection officer of the Bank at the address email@example.com. Persons to whom personal data refer can exercise their rights by filling in the application for exercising rights. Requests for the exercise of rights can be downloaded from any of the Bank’s branches or on the Bank’s website, in the section provided for data protection. The submitted request should be filled in legibly and neatly and signed (in case of sending the request electronically, it must be signed with a qualified electronic certificate). Along with the request submitted through a proxy, a power of attorney certified before a notary public shall be submitted, which authorizes the proxy to take actions before the Bank in connection with the exercise of rights prescribed by the Law on Personal Data Protection. The signed request for exercising the rights of the data subject shall be submitted to any branch of the Bank. The Bank will respond to the request without delay, and no later than 30 days from the date of receipt of a complete and correct request. That period may be extended by a further 60 days if necessary, taking into account the complexity and number of requests. The Bank shall notify the data subject of the extension of the deadline and the reasons for that extension within 30 days from the day of receipt of the request.
You can send your request to the Bank as follows:
- in any branch of the Bank in person or through a proxy;
- by e-mail from the address submitted to the Bank as an agreed channel of communication with the Bank to the address:firstname.lastname@example.org. In case of using this communication channel, the request must be signed using a qualified electronic certificate. All additional questions related to the processing of your personal data, as well as questions related to the exercise of your rights, you can send to the Data protection officer at the address email@example.com.
The supervisory body for the protection of personal data in the Republic of Serbia is the Commissioner for Information of Public Importance and Personal Data Protection, Bulevar kralja Aleksandra 15, Beograd (hereinafter: the Commissioner).
The person to whom the personal data refer has the right to file a complaint to the Commissioner if he / she considers that the processing of his / her personal data by the Bank is contrary to the provisions of the Law.
The data subject has the right to judicial protection if he considers that, contrary to the Law, the controller or processor has violated the right prescribed by the Law by processing his personal data. Filing a lawsuit in court does not affect the right of this person to initiate other administrative or judicial protection proceedings. The lawsuit referred to in this item shall be submitted to the competent higher court.
can be found below.
The data subject has the right to file a complaint to the Commissioner if he / she considers that the processing of his / her personal data by the Bank is contrary to the provisions of the Law.
The data subject has the right to judicial protection if he considers that, contrary to the Law, the controller or processor violated his right prescribed by the Law by processing his personal data. Filing a lawsuit in court does not affect the right of this person to initiate other administrative or judicial protection proceedings. The lawsuit referred to in this item shall be submitted to the competent higher court