Privacy Notice

I INTRODUCTION

Crnogorska komercijalna banka AD Podgorica (hereinafter referred to as “the Bank”) is the controller of personal data and it processes the personal data in accordance with Law on personal data protection („Official Gazette RS“, no. 079/08 from 23.12.2008, 070/09 from 21.10.2009, 044/12 from 09.08.2012, 022/17 from 03.04.2017), (hereinafter referred to as “the Law”).

The Bank processes personal data in a legal, transparent and fair manner.

The Bank is carring out only necessary data processing, and in order to implement the contract concluded with the data subject (eg clients, potential clients, hired associates, etc.), when the processing is required by the relevant legislation and represents a legal obligation of the Bank as a controller, when processing is necessary to achieve the legitimate interest of the Bank but only in cases where that interest prevails over the interest of the data subject, as well as processing performed on the basis of explicit and freely given consent of the person to which the data relate. 

The Bank processes personal data for purposes that are specifically determined, explicit, justified and lawful. Personal data may no longer be processed in a manner inconsistent with those purposes.

In obtaining personal data, the Bank adheres to the principle of a minimum amount of data, so only those personal data that are necessary to fulfill the purpose for which they are processed are collected from the data subjects. In case additional personal data are necessary, they are obtained with the consent of the data subject.

The Bank ensures the accuracy of personal data by applying technical and organizational measures and periodically updating the data.

The deadlines for data retention are determined in the Bank’s internal acts in such a way that the data are retained for the period necessary to achieve the purpose of processing and is in accordance with legal requirements.

The Bank respects the principle of integrity and confidentiality of personal data. The Bank has implemented technical and organizational measures for the protection of personal data, following legal provisions, good business practice and internationally recognized standards.

The Bank may hire a processor for the processing of personal data on the basis of a contract which, among other things, regulates the duties of the processor with regard to the protection of personal data.

II SCOPE

This Privacy Notice applies to all personal data of the Bank’s Client that the Bank processes or determines the purpose and manner of processing, as well as to other persons listed in this item.

The Privacy Notice applies to all services and products of the Bank that include the processing of personal data. If the basis for processing is consent, the last expression of the will of the data subject, by which that person gives consent for the processing of personal data, applies to all services and products of the Bank used by that person. 

The Privacy Notice is primarily intended and refers to:

  1. Natural persons who submit a request or use the services and products of the Bank (Clients):
  2. Natural persons interested in using the services and products of the Bank (Potential Clients),
  3. Other natural persons whose data the Bank obtains during its operations in accordance with applicable legal regulations.

 

The Privacy Notice does not apply to anonymised data, ie to data on the basis of which the identity of a person is not directly or indirectly identifiable. Anonymised data is data that has been changed in such a way that it cannot be linked to a specific natural person and therefore, in accordance with the applicable regulations, it is not considered personal data.

The Bank processes personal data for different purposes, and the means of collection, the legal basis for processing, use, disclosure, and retention periods may differ depending on the purpose.

III HOW AND WHAT TYPES OF PERSONAL DATA DO WE COLLECT

The Bank collects personal data in the following ways:

  1. Directly from the Client or Potential Clients, by direct delivery by the Client and / or Potential Client (such as when submitting a request for service at points of sale, during communication of the Client / Potential Client with the Contact Center or through the website and social networks, when filing an objection and the like).
  2. Automatically when using the Bank’s products and services, if it is necessary for the Client / Potential Client to enter their data in order to use the appropriate product and/or service of the Bank.
  3. From publicly available sources such as, for example, data from publicly available services. 

A precondition for any collection of personal data is the existence of an appropriate legal basis in accordance with the Law.

The Bank collects and processes the following categories of personal data – the overview is given comprehensively in relation to different purposes of processing:

  • Data contained in contracts with Clients and application forms of Potential Clients – name and surname, personal identification number, name of one parent, residential address, citizenship, identification document number, place and date of issuance of identification document, country of birth, telephone number (fixed, mobile), address for delivery of mail, contact data, data on the manner and history of payment for services (amounts of debt, existence of a standing order, current account number, etc.), data from the account specification, etc.
  • Financial data – data on earnings, other household income, data on other accounts and liabilities, data from the Credit Registry of the Central Bank of Montenegro, account number, card number, batch number, number of insurance policy, to which the data refer, data on tax residency and tax identification number, etc.;
  • Property data (for certain types of placements) – real estate and movables owned by the person to whom the data relate; o Special type of personal data – political affiliation (oficial status), disability data (to determine a person’s income);
  • Information about the spouse – data on the employment of the spouse, number of children, number of household members;
  • Data on related parties – connection on the basis of management function, connection on the basis of kinship and other connections in accordance with the law;
  • Data necessary for credit products – activity, data on the employer, including employment contract, credit history, previous use of banking products, and similar;
  • Data on visits to our internet portals and information provided by Clients and / or Potential Clients by filling in the appropriate forms on our website, including but not limited to: name, surname, address, mobile phone number, landline number and email address;
  • Mobile Device specific data
    • Geo-Location Information - we may request access or permission to and track location-based information from your mobile device, either continuously or while you are using the mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device’s settings.
    • Mobile Device Access - we may request access or permission to certain features from your mobile device, including your mobile device’s storage. If you wish to change our access or permissions, you may do so in your device’s settings
    • Push Notifications - we may request to send you push notifications regarding your account or the mobile application. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.
  • Information contained in the records on communications and correspondence in situations of establishing contact by the Client, Potential Clients and other natural persons, including recordings of conversations with the Contact Center, written or electronic communication;
  • Data of Clients, Potential Clients and / or other natural persons from surveys used for research purposes, if the persons wish to be surveyed;
  • Information that the Bank collects and processes for the purposes of direct marketing and profiling, based on the freely given consent of the data subject;

Other personal data for which there is a legal basis for their processing in accordance with the law.

IV FOR WHICH PURPOSES DO WE USE THE COLLECTED PERSONAL DATA

The bank processes the personal data of the data subject only when such processing
is lawful. Processing is legal in the following cases:

  1. Processing is necessary for the execution of the contract concluded with the data subject or in order to take action at the request of the data subject prior to the conclusion of the contract.
  2. Processing is necessary in order to comply with the applicable legal regulations according to which the Bank is obliged to act, especially those that regulate banking operations and the implementation of payment operations services, as well as European legislation, primarily the obligation to report, check clients (prevent money loundering) and risk management. Based on a written request based on applicable legal regulations, the Bank is obliged to provide access to certain personal data of the Client/data subject to the competent state bodies (eg courts, police, etc.) in certain situations.
  3. Processing is necessary in order to achieve the legitimate, law-based interests of the Bank or a third party, except when those interests are stronger than the interests or fundamental rights and freedoms of data subjects that require protection of personal data, especially if the data subject relations are minors.
  4. The data subject has given consent for the processing of his / her personal data for one or more specially specified purposes, whereby that consent must be provable and voluntary, written in easy-to-understand language and the data subject has the right to withdraw his consent at any time.
  5. Processing is necessary for the vital interests of the data subject or another natural person.

Processing is necessary for the purpose of performing activities in the public interest or exercising the legally prescribed powers of the Bank.  

V AUTOMATED PROCESSING

Decision-making based on automated data processing, including profiling, is carried out in accordance with:

  1. applicable laws;
  2. fulfillment of contractual obligations;
  3. with the explicit consent of the data subject;
  4. the legitimate interests of the Bank.

In accordance with the Law, the Bank enables data subjects to exercise the right to object to automated processing, including profiling. The complaint can be filed either in relation to the initial or further processing, at any time and free of charge.

 VI WHO HAS ACCESS TO YOUR PERSONAL INFORMATION AND TO WHOM CAN IT BE PASSED ON?

Only employees of the Bank, as well as hired associates have access to personal data in accordance with the tasks they perform on the basis of appropriate authorizations determined by the Bank and only to the extent necessary, with the obligation to act in accordance with the Bank’s regulation which relates to personal data protection.

Personal data are available to third parties outside the Bank only in the following cases:

  1.  If there is a legal obligation or explicit authority under the law (eg a court request);
  2. If a third party or subcontractor (processor) is engaged to perform certain tasks, whereby that processor acts exclusively in accordance with the order of the Bank, and the Bank ensures all data protection measures as if it performs these tasks independently;
  3. Affiliated companies of the Bank provided that there is a legal basis for such transfer or access (consent of the person or legitimate, law-based interest);
  4. If the data need to be forwarded for the purpose of performing the contract;
  5. Other persons outside the Bank for whom there is the explicit consent of the data subject.

 

As a rule, the Bank processes your personal data in Montenegro, and exceptionally, the Bank may process this personal data in other countries or international organizations in accordance with the Law on Personal Data Protection.

 VII HOW DO WE PROTECT YOUR PERSONAL DATA?

Personal data are treated as a business secret of the Bank and are accordingly classified as confidential. In accordance with their classification, adequate protection measures are applied to them, which protect this data from injury, unauthorized access, accidental loss, destruction, damage, and any other security threat. For these purposes, technical and organizational measures are applied, such as control of access rights, establishment and implementation of information security policy and other related internal acts, establishment of segregation of duties, establishment and enforcement of confidentiality and compliance with the law of all third parties entitled to access personal data in the Bank’s information system, application of methods for monitoring access and activities in information systems, as well as application of software solutions for the protection of information resources.

In the event of a breach of personal data that results or may result in accidental or intentional destruction, loss, alteration or unauthorized disclosure of personal data during their processing, which may pose a high risk to the rights and freedoms of data subjects, the Bank shall immediately upon learning of such violation, without undue delay, notify the Agency for Personal Data Protection and Free Access to Information and the data subject in a clear and understandable manner with a description of possible consequences and a description of measures taken. In the event of a breach of personal data, the Bank shall immediately take appropriate measures to prevent further damage to the rights and freedoms of the data subject and to reduce the consequences of that breach.

VIII WHAT RIGHTS DO YOU HAVE IN RELATION TO YOUR PERSONAL DATA THAT WE PROCESS?

Clients, Potential Clients and other persons to whom personal data relate may exercise the following rights:

  1. The right to access personal data – the applicant for the exercise of this right has the right to obtain information on the existence of processing of personal data relating to him, the purpose of processing, the type of personal data being processed, recipients or categories of recipients personal data are disclosed or may be disclosed, on retention periods, on the existence of the right to request correction or deletion of personal data, ie the right to limit the processing of such data, on the existence of the right to file a complaint.
  2. The right to correction of personal data – the right to request the correction of inaccurate personal data, as well as the right to supplement incomplete data.
  3. The right to restrict the processing of personal data in the cases when the accuracy of personal data is disputed, the Bank will temporarily limit the processing for a period sufficient to verify the accuracy of personal data and when there is no legal basis for the processing of personal data, and the data subject opposes the deletion of data in order to submit the realization or defense of legal claims.
  4. The right to object refers to the right of a person to submit at any time an objection to the Bank on the legality of the processing of his / her personal data established on the basis of the appropriate legal grounds for processing.
  5. The right to erasure (“right to be forgotten”) may be exercised in cases when the personal data have been processed illegally or there is no legal basis for the processing.
  6. The right of a person to data portability means the right of a person who has submitted his personal data to the Bank in a structured, commonly used and electronically legible format, received by the Bank, as well as the right to transfer such data from the Bank to another controller. consent, is performed on the basis of a contract or in accordance with the Law on Personal Data Protection, and if the processing is performed automatically.
  7. The right to revoke consent may be exercised in anytime. The consent for the processing personal data given by the data subject is voluntary and may be withdrawn at any time.

 IX HOW CAN YOU EXCERCISE YOUR RIGHTS

You can exercise your rights regarding the personal data that the Bank processes about you in all branches.

All additional questions related to the processing of your personal data, as well as questions related to the exercise of your rights, you can send to:

E-mail: compliance@ckb.me        

Postal address: Crnogorska komercijalna banka a.d. Podgorica, Compliance Department, Bulevar Revolucije no. 17, 81000 Podgorica.

 X FILING A COMPLAINT TO THE SUPERVISORY BODY

The supervisory body for the protection of personal data in Montenegro is the the Agency for Personal Data Protection and Free Access to Information (https://www.azlp.me/me/kontakt)

The person to whom the personal data refer has the right to file a complaint to the Agency if he / she considers that the processing of his / her personal data by the Bank is contrary to the provisions of the Law.

The data subject has the right to judicial protection if he considers that, contrary to the Law, the controller or processor has violated the right prescribed by the Law by processing his personal data.

Privacy notice is available for download here.