Notice on the processing of personal data

Yettel Bank a.d. In the process of processing personal data, Belgrade (hereinafter: the Bank) applies the provisions of the Personal Data Protection Act (hereinafter: the Law) and the provisions of other regulations governing the aforementioned area. In order to apply the principles of legal, fair and transparent processing of personal data, the Bank has prepared this Notice on the processing of personal data in order to provide natural persons (clients, potential clients and other persons) with relevant information related to the processing of personal data in one place .

Definition of terms:

“Personal data” is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, in particular on the basis of an identity marker, such as name and identification number, location data, identifiers in electronic communication networks or one , that is, more features of his physical, physiological, genetic, mental, economic, cultural and social identity;

“Processing of personal data” is any action or set of actions performed automatically or non-automated with personal data or their sets, such as collection, recording, sorting, grouping, i.e. structuring, storing, matching or changing, disclosure, inspection, use, disclosure by transmission, i.e. delivery, duplication, dissemination or otherwise making available, comparing, limiting, deleting or destroying (hereinafter: processing);

“Data subject” is a natural person whose personal data is processed;

“Handler” is a natural or legal person, i.e. the authority that independently or together with others determines the purpose and method of processing – for the purposes of this notice, the handler is the Bank;

“Processor” is a natural or legal person, i.e. an authority that processes personal data on behalf of the controller.

Data handler:

Yettel Bank a.d. Belgrade, st. Omladinskih brigade 88, ID number 17138669. Appointed person for the protection of personal data:

As part of the implementation of personal data protection standards prescribed by the Law, the Bank has appointed a person for the protection of personal data to whom you can contact with all questions and requests related to the processing of your personal data at the following addresses:

Post office: Omladinskih brigada 88, 11070 Novi Beograd

Types of personal data:

The bank processes the following types of personal data:

1. Data contained on the client’s identification document,
2. Contact details of the client,
3. Data required for creditworthiness assessment i
4. Other data necessary for the fulfillment of a specific processing purpose.

Also, immediately after downloading the Yettel Bank mobile application from stores such as Google Play, App Store or App Gallery and installing it on the device, the Bank will collect information about the device itself via the mobile device (operating system of the device, model, resolution, language, data about the country/region), without which the use of the Bank’s products and services via the mobile application would not be possible.

Purpose of processing and legal basis of personal data processing

The Bank processes the personal data of natural persons for the purpose of providing banking services, products, performing pre-contractual activities, including but not limited to opening and managing accounts, making payments, various types of savings products, loans, sending text messages and account balance notifications and transactions made with payment cards, maintaining contact with clients through various channels, monitoring client satisfaction, resolving complaints, delivering advertising materials and information to inform about benefits and news in its offer, participation in prize games as well as other services and products that the Bank will provide to clients.

Principles of personal data processing:

The Bank will process personal data: lawfully, fairly and transparently in relation to the Person to whom the data refer; data will be limited in relation to the purpose of processing; data will be appropriate, essential and limited to what is necessary; the data will be accurate and up-to-date, whereby the client has the right to request the correction of incorrect data at any time; the data will be stored for the period necessary to achieve the purpose of the processing; data will be protected against unauthorized or illegal processing, as well as against loss, destruction or damage.

Basics for personal data processing:

1) Processing based on consent
The person to whom the personal data relates has consented to the processing of his personal data for one or more specifically specified purposes.
The person has the right to revoke consent at any time. Revocation of consent does not affect the admissibility of processing that was carried out on the basis of consent before the revocation.
In case of withdrawal of consent, data processing is possible if there is a contractual relationship between the client and the Bank or some other basis for processing (law or legitimate interest).

2) Processing for the purpose of preparation, conclusion and fulfillment of the contract

The processing of personal data on this basis is carried out in the event of the need to execute a contract concluded with the person to whom the data refer or to take actions before the conclusion of the contract, at the request of the person to whom the data refer.

3) Processing based on laws and other binding regulations

The bank processes personal data on the basis of laws or other regulations in order to comply with the legal obligations of the handler (for example, according to the Law on Prevention of Money Laundering and Financing of Terrorism, there is an obligation to store client data for 10 years after the termination of the contractual relationship, etc.).

4) Legitimate interest

In the following cases, banks base the processing of personal data on legitimate interest:

• Processing of personal data even after the expiry of the terms for data storage in order to defend the interests of the Bank in proceedings before various state authorities (courts, inspections, etc.);

• Processing of personal data related to fraudulent/illegal activities of persons in order to protect the Bank from possible losses and consequences for reputation;

• Obtaining a certificate of a person’s criminal record during employment in order to protect the interests and reputation of the bank;

• Video surveillance of the Bank’s premises as well as the area around the Bank’s premises for security reasons. The bank will issue a notification about video surveillance, so that people are informed about it. In the case of cameras installed within the ATM machine in order to identify illegal actions, the display of video surveillance notices is not necessary;

• Data on family members and assets of certain employees in order to prevent conflicts of interest;

• Recording of telephone conversations of the bank’s Contact Center for the purpose of records of submitted requests, implementation of controls and adequate processing of all requests of persons to whom the data refer;

• in order to comply with regulations that are not directly applicable in the Republic of Serbia, and in order to comply with regulations that have an impact on the Bank or the group to which the Bank belongs (eg FATCA regulations, sanction regimes issued by the European Union and the United States of America);

• in other cases, when the processing is necessary in order to achieve the legitimate interests of the controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the person to whom the data refer.

Recipients of personal data:

The Bank has the right to disclose personal data related to the person, documentation related to the person, as well as other data that are considered banking secrets, and data on obligations under contracts concluded between the Bank and the Person to whom the data refer, as well as the manner their settlement and adherence to contractual provisions, forwarded to the National Bank of Serbia, the Credit Bureau of the Association of Serbian Banks, the Forum for the Prevention of Abuses in Credit and Payment Card Businesses at the Chamber of Commerce of Serbia, the external auditor of the Bank, the company Yettel d.o.o., members of the PPF Group in the country and abroad , members of its bodies, its shareholders and all other persons who, due to the nature of the work they perform, must have access to such data, third parties with whom the Bank has concluded an Agreement regulating the handling of confidential data, as well as all other bodies and persons to whom the Bank obliged by law to provide appropriate data.

Output of data from the Republic of Serbia

Personal data may be transferred from the Republic of Serbia to other countries or international organizations only in accordance with the rules determined by the Personal Data Protection Act, internal acts of the Bank, as well as other proposals that regulate this area.

The bank can share personal data with the PPF group to which it belongs, which implies the possibility of transferring personal data to other countries that are members of the European Union and/or the Convention of the Council of Europe on the Protection of Personal Data in relation to automatic data processing, in which there is an appropriate level of data protection personality. If the Bank intends to transfer personal data to countries that do not belong to the aforementioned group, the transfer of data will be done in accordance with the Personal Data Protection Act and in compliance with the prescribed personal data protection standards.

Retention period for personal data

The Bank will process and store personal data collected for the purpose of exercising rights and obligations from the business relationship for the entire duration of the contractual relationship, and after that only if there is a person’s consent, a legal obligation or the Bank’s legitimate interest.

Personal data that is processed solely on the basis of the consent of the person to whom the data refers, is processed in accordance with the purpose for which it was collected, that is, until the consent is withdrawn by the person to whom the data refers.

In the event that the client submits his data to the Bank on his own initiative, the Bank will process them if necessary and within a period corresponding to the purpose of processing that data. An example is the delivery of a CV or other documents to the published addresses of the Bank; submission of other documents, information or data containing personal data, employees of the Bank, through electronic channels, orally through the Bank’s Contact Center or in other ways.

Right Persons to whom the data refer in connection with the processing of personal data

The person to whom the data refers has the right to access the personal data processed by the Bank. The person to whom the data refers has the right to request correction, updating, deletion of data, as well as restriction of processing. The person to whom the data relates has the right to submit an objection to the Bank at any time regarding the processing of personal data relating to him/her.

In addition to the above-mentioned rights, the Person to whom the data refers has the right to the transferability of personal data, i.e. the right to have the data previously submitted to the Bank received from it, and for the purpose of transfer to another operator, as well as the right to have the data about him directly transferred to another operator by the Bank, if it is technically feasible and if, in accordance with the Bank’s assessment, the necessary standard of personal data transfer security is provided.

The person to whom the data refers has the right to lodge a complaint with the competent authority (Commissioner for Information of Public Importance and Protection of Personal Data) regarding the processing of personal data if he believes that his personal data is not processed in accordance with the Personal Data Protection Act .

Automated data processing

As part of the business relationship between the Bank and the Person to whom the data relates, and in order to exercise the rights and obligations arising from the same, the Bank may process client data in whole or in part in an automated manner, in order to offer and provide services that correspond to the specific needs of the Person on to which the data relates, as well as in order to improve the Bank’s business relationship with clients.

Policy of cookies (Cookies)

A cookie is a text file that is stored locally on your computer, tablet or mobile phone and that enables the recognition of a user who has returned to a website.
The Bank’s Internet Application uses cookies for the purpose of optimization, i.e. to remember your preferred options regarding language, font size and other display features. This means that you do not have to specify your desired options every time you visit the Bank Application. Personal data is not saved in this case, so this information cannot be used for personal identification.

If you do not want to accept that a cookie is stored on your computer, it is necessary to disable the cookie for this website in your internet browser. You can delete previously installed cookies from your internet browser.

In addition, the Bank uses software solutions for web analytics that are integrated into the Bank’s Applications and which serve for statistical analysis of the use of the Bank’s Applications (Piwik, Google Analytics…).