Operation performed on personal data, such as, collection, recording, storage, adaptation, alteration, disclosure and destruction of data etc.

Operation performed on personal data, such as, collection, recording, storage, adaptation, alteration, disclosure and destruction of data etc.

A natural person or company which determines why and how your personal data will be processed.

Company which processes personal data on behalf of the controller.

Processing of data in such a manner that the personal data can no longer be attributed to a specific data subject, for instance, use of series of digits instead of name and surname.

Automated processing of personal data whereby we can present you offers customised to your needs and capacity.

Explanation:
This is about any actions taken in order to prepare for conclusion of the agreement, to execute agreement, analyse and assess credit capacity, review claims, terminate agreement, archive as well as perform other legal actions related to the agreement, as well as actions taken to conclude, through the Bank, agreements with other entities, for instance, insurance agreement.

Legal basis:
GDPR, Art. 6 ust. 1 lit. b)

Duration of data processing:

• Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened
• If agreement is not concluded- until the application is reviewed and for 3 years for potential claims and complaints.

Explanation:
In this case the Bank processes personal data in order to fulfil the duties imposed by the virtue of the law or carry out tasks in the public interest. In particular, we talk here about fulfilment of the Bank’s duties in connection with conducting banking activity and execution of the concluded agreements, and for archiving purposes, as well as in connection with assessment of credit capacity and analysis of credit risk. Furthermore, such duties stem from, inter alia, Act on Counteracting Money Laundering and Terrorism Financing, Act on performance of the Agreement between the Government of the Republic of Poland and the Government of the United States of America on improvement of fulfilment of international tax obligations and implementation of FATCA, Act on Exchange of Tax Information with Other Countries, Act on Protection of Competition and Consumers, Act on Trading in Financial Instruments and security measures for funds.

Legal basis:
GDPR, Art. 6 section 1 letter c) and special provisions, which impose on the Bank the duties indicated in the explanations or Art. 6 section 1 letter e) of the Regulation.

Duration of data processing:

• For calculations related to statistical approaches for calculation of methods and models determined by the banking law - for a period of 12 years from the day of expiry of the obligation.
• For processing information that constitutes bank secret in order to assess credit capacity and to analyse credit risk – after expiry of the obligation stemming from the agreement concluded with the Bank until the time of withdrawal of this consent.
• In other cases – until the Bank has fulfilled the duties defined in specific regulations of the law or completed the tasks carried out in the public interest.

Explanation:
This is about the Bank’s marketing, in particular, that carried out through communication, display or sending trade information by traditional mail or, in case of obtaining an appropriate consent, also through electronic or telephone communication devices. Marketing may be also carried out based on profiling which means processing for marketing purposes the information on Client’s characteristics, behaviour or preferences. Thanks to profiling, on the grounds of to-date relationship, the Bank may customise your trade offers to your interests and need.

Legal basis:
GDPR, Art. 6 section 1 letter f)

Duration of data processing:
Until objection is lodged against such processing, or until agreement with the Bank expires.

Explanation:
It is, for instance, marketing of products and services of the companies cooperating with the Bank; processing information that constitutes bank secret (also, in order to assess credit capacity and analyse credit risk) after expiry of the obligation. In each case, the consent obtained from you will indicate, inter alia, the purpose of data processing, which we intend to achieve based on this consent.

Legal basis:
GDPR, Art. 6 section 1 letter a)

Duration of data processing::
Until the consents granted are withdrawn.

Explanation:
Within the indicated purpose, we will process your data, also to enable communication or delivery of services through the Bank’s websites and mobile application. To this extent, inter alia identifiers, such as IP address of the device or geolocation information will be processed.

Legal basis:
GDPR, Art. 6 section 1 letter b) or Art. 6 section 1 letter f)

Duration of data processing:

• Period of communication or delivery of services, not later than until effective objection is lodged.
• Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.

Explanation:
Purposes pursued within so-called legitimate interest are connected to execution of the agreement concluded with you and these are the following:

• ensuring security of the persons and the Bank’s assets, including monitoring of the Bank’s branches, preserving privacy and human dignity,
• ensuring transaction security, in particular, prevention of frauds,
• customisation of the marketing content of the Bank’s websites, depending on the behaviour of the viewers,
• protection against claims and collection of receivables,
• internal administrative, analytical and statistical purposes, including analyses of the credit portfolio, statistics and the internal reporting of the Bank and Bank’s Group.

When assessing whether the indicated purposes are justified, we take into account inter alia the following:

1. any connections between the purposes for which the personal data have been collected and the purposes of the intended further processing,
2. context in which the personal data have been collected, in particular, relationship between the data subjects and the controller,
3. nature of the personal data,
4. potential consequences of the intended processing,
5. existence of appropriate safeguards.

Legal basis:
GDPR, Art. 6 section 1 letter f)

Duration of data processing:
Until fulfilment of the Bank’s legitimate interests that constitute the grounds for this processing or until an objection is lodged against such processing, no longer than for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.