General Information on Data Protection
To ensure transparent processing of data in the document “General Information on Data Protection”, Raiffeisen banka a.d. Beograd (hereinafter: the “Bank”) prepared, as a controller of personal data, a document for customers of the Bank (hereinafter: the “Data Subjects”) that contains basic information related to processing of personal data and the data protection claims and rights to which data subjects are entitled.
In its operations, the Bank applies the highest business standards, strictly in line with the obligations prescribed by the regulations of the Republic of Serbia and the rules applicable at the level of Raiffeisen Bank International Group (hereinafter: “Raiffeisen Group”).
The Personal Data Controller is Raiffeisen banka a.d. Beograd, 16 Djordja Stanojevica Street, 11070 Belgrade, Serbia; Business registration number: 17335600; Phone: 0113202100.
Contact data of the Data Protection Officer of the Bank: Email: dpo@raiffeisenbank.rs, Address: 16 Djordja Stanojevica Street, 11070 Belgrade, Serbia
Categories of data processed by the Bank depend on the type of products and services for which data subjects apply or which have been agreed.
The Bank processes the personal data received from data subjects as part of establishing business relationship and during business cooperation. In addition, the Bank processes data that has been legitimately received from the Credit Bureau within the Association of Serbian Banks and from publicly available sources (e.g. Business Registers Agency, Land Register, etc.) or that is provided through legitimately prescribed sources (e.g. from the central database of the Raiffeisen Group, Forum for Prevention of Credit Abuse within the Serbian Chamber of Commerce, working group for prevention of frauds within the Association of Serbian Banks, etc.).
Personal information that is processed by the Bank includes: personal details and contact information (e.g. name, address, date and place of birth, nationality, JMBG, etc.), contact details (e.g. address of residence, address for delivery of mail, phone number, email address, etc.), identity document information (such as type and number of ID document, name of the issuer, date and place of issuance, etc.) and data on the occupation and business activity of data subjects (e.g. profession, employment status, name of company, etc.). In addition, the processing may include payment and clearing data (e.g. payment orders, turnover data in payment transactions, etc.), credit product data (e.g. type and amount of income, loan repayments, rents, marital status, number of household members, etc.), data on the used products and services or data on marketing activities, credit exposure and history of repayment, image and / or sound recordings (e.g. video and telephone recordings for identification of persons), electronic log and identification data (apps, cookies, etc.), financial identification data (data from credit, debit, prepaid cards) or AML (anti-money laundering) and compliance data and other data comparable to the above categories.
The basis and purpose of personal data processing largely depend on the products and services applied for or agreed by data subjects.
The Bank processes personal data in accordance with the provisions of the Serbian Law on Personal Data Protection related to banks, while, as a member of the Raiffeisen Group, it is also obliged to observe the standards prescribed in the documents of the Group, which are in line with the European General Data Protection Regulation (GDPR).
The Bank collects and processes personal data for the purpose of establishing business relationship and concluding the Agreement, as well as for realization of rights and obligations arising from the Agreement concluded with data subject, as necessary, for the following:
- To fulfill contractual obligations
The Bank collects and processes personal data for the purpose of fulfilling various rights and legal obligations arising from the agreement concluded with data subject for provision and mediation in banking and financial products and services, insurance, pension and investment funds, leasing, execution of orders, as well as execution of pre-agreement activities.
The purposes of the data processing are based primarily on the specific product (e.g. accounts, loans, approved overdraft, deposits, debit and credit cards, securities, brokerage services, etc.) and may, among others, contain analysis of clients’ financial needs, consulting, asset management, and execution of transactions.
Such data processing takes place, for example, in connection with debit cards, which allow clients to execute payment transactions with merchants at POS terminals and on the internet (online payment), to withdraw cash at the cash dispensers (“ATMs”), etc. Such transactions must be assignable to the banks of the cardholder and the payee in order to enable the settlement of the transactions among each other. In order to process transactions and settle accounts between financial institutions, financial institutions must process data of their own clients. The legal basis of the data processing is a variety of laws, such as the Law on Banks, Law on the Prevention of Money Laundering and Terrorism Financing, Payment Services Law, etc. which are mandatory for the contracting parties between the institution and the customers (e.g. current account agreement, card agreement, etc.).
For credit cards, the exchange of personal data, especially with merchants and account-holding banks is necessary for the execution of the credit card transaction.
Specific details for the purpose of the data processing mentioned herein can be found in the respective contractual documents and General terms and conditions.
- To fulfill legal obligations
The Bank is processing personal data for the purpose of fulfilling various legal obligations prescribed by the regulations of the Republic of Serbia governing banking operations (such as the Law on Banks, Law on the Prevention of Money Laundering and Terrorism Financing, Law on Payment Operations, Capital Market Law, etc.) as well as due to regulatory requirements which the Bank is subject to as a financial institution. Examples of such cases are:
- Providing information to the National Bank of Serbia according to the Law on Banks
- Providing information to the relevant state authorities according to the regulations
- Assess and manage risks
- Credit check (credit scoring) on lending, using a statistical “peer” group to assess default risk among loan applicants. The calculated “score value” is intended to enable a prognosis of the probability with which a requested loan is likely to be repaid. This score will be calculated using your master data (marital status, number of children, length of employment, employer), general financial information (income, assets, monthly expenses, amount of liabilities, collateral, etc.) and payment history (proper loan repayments, reminders, data from credit bureaus). If the default risk is too high, the loan application will be rejected.
- As part of client’s consent
The processing of personal data can be based on the consent of the data subject, that is, your own consent, exclusively in case you have issued an explicit consent for specific purposes of data processing (e.g. notifications via email and/or at postal address). Processing will only take place in accordance with the scope and for the purpose set out and agreed in the consent form. A given consent may be withdrawn at any time with effect from the withdrawal of consent. Consent may be given for:
- Delivery of offers and advertising material of the bank and legal entities with which the Bank is in contractual relationship and whose products and services are offered by the Bank;
- Creating an individual offer and information on the services and products which are tailor-made to the personal needs of data subjects;
- Direct marketing of services;
- Video identification according to the regulations governing prevention of money laundering and terrorism financing;
- Obtaining reports from the Credit Bureau to assess the credit rating in order to offer credit products
- For refinancing the loan of the previous bank, where the bank obtains data on the remaining debt (and, if necessary, other data) directly from the previous bank.
- Submission of data for the purpose of preparing an offer for potential clients of the bank (in order to prepare an offer and more detailed information about the offer, contacting for the purpose of arranging a meeting regarding the offer, etc.)
All consents collected by the Bank prior to implementation of the Personal Data Protection Act (RS Official Gazette, no. 87/2018) shall be still valid for creating offers and contacting clients regarding marketing activities of the bank, except in case when the client withdraws given consent.
- To safeguard legitimate interests
In exceptional cases, data processing may be carried out to protect legitimate interests of the clients, Bank or third parties. In the following cases, data processing takes place to safeguard legitimate interests. Examples of such cases are:
- Consultation and exchange of data with the Credit Bureau for the determination of creditworthiness or default risks
- Review and optimization of needs analysis
- General information and newsletters delivered to clients on service, products and related market information
- Video surveillance to collect evidence in case of crime or to prove transactions and deposits (such as ATMs and bank areas that are publicly accessible) – especially to protect customers and employees
- Certain phone records (for quality assurance or complaint cases)
- Measures for business management and further development of services and products
- Measures to protect customers and employees as well as to secure the property of the Bank and to prevent abuse.
- Measures for controlling business and further development of services and products
- Measures to protect customers and employees as well as the property of the Bank
- Measures in Fraud Transaction Monitoring, against Anti-money laundering, terrorist financing and offending crime (including exchange of information within the Forum for Prevention of Fraud in Credit Transactions maintained within the Serbian Chamber of Commerce, Anti-Fraud Working Group within the Association of Serbian Banks, etc.). At the same time, data evaluations (among others in payment transactions) are carried out. These measures also serve for your protection.
- Data processing within the central database of Raiffeisen Group in the country and abroad (group applications) for administrative needs, improvement of the bank’s products and services in order to provide high quality service, as well as risk management at RBI Group
- Data processing for law enforcement purposes
- Asserting legal claims and defense in legal disputes
- Ensuring the IT security and IT operations of the Bank
- Prevention and investigation of criminal offences
- Further improving the usability of the Bank’s service facilities, such as applications, self-service devices.
To safeguard legitimate interests in the marketing of our services
The evaluation of your data processed for the purpose of:
- providing you with individual information and offers from the Bank and related parties*
- developing services and products that are tailored to your interest and life situation
- further improving the usability of our service facilities such as, apps, self-service devices and others
is based on our legitimate interest for the marketing of our services. The evaluation of the data for this purpose takes place only as long as you have not objected to this.
The following data, which either the Bank has collected itself or which you have transmitted to the Bank, will be evaluated:
Personal data / master data
Gender, title, name, date of birth, country of birth, citizenship, occupation, employment status, family status, education, employer, credentials such as data from personal document, income data, address and other contact information such as telephone number or e-mail address and postal address, geographical location information, securities risk class according to investor profile, housing situation such as rent or property, etc., household data (number of persons in the household, number of children, excluding personal data of household members), data disclosed during consultations such as hobbies and interests or planned acquisitions, internal ratings, such as the assessment of the revenue and expenditure situation.
Product and service data of the Bank
Data on the services of the Bank which you use, including:
- means of payment used by you, such as debit and credit cards,
- debits and credits and arrears on accounts and loans
- payment behaviour, including the options you can use to place your order,
- payment transactions incoming and outgoing, recipients and senders, payment orders transmitting intermediaries, amount, purpose and payment references, payer references,
- the frequency and type of transfers, in cashless payments, the data of the traders or service providers receiving the payments and information on transactions concluded with them,
- savings and securities transactions and custody accounts, including details of securities held
Device and contact centre data (telephone service, incl. voice-control computer)
Frequency, dates and locations of use of self-service devices and contact centers (telephone service including voice-control computers) or telephone services, and audio and video recordings conducted in connection with the use of these services according to the relevant basis.
Data from services, website and communication
Data relating to the use of electronic services and websites, functions of the websites and apps as well as e-mail messages between you and the Bank, information about viewed websites or content and links accessed, including external websites, content response time or download errors, and the usage period of websites and information on the use of the websites. This information is collected by way of using automated technologies, such as cookies or web beacons (counting pixels used to register e-mails or websites), or web-tracking (recording and analysis of surfing behavior) on the website and using external service providers or software (for example Google Analytics).
Online queried account and custody account data
Data on information about accounts and depots requested online via service providers, data of these service providers, content and purpose and frequency of queries and content of the given information.
Technical data of end-user-devices
Information about devices and systems used for accessing websites or portals and apps or other means of communication, such as internet protocol addresses or types and versions of operating systems and web browsers, and additional device identifications and advertising identifications or location information and other comparable data on devices and systems.
Data on user-generated content
Information uploaded on websites or apps of the Bank, such as comments or personal messages and photos or videos and the like.
Product and service data of mediated companies
Data of the products and services provided by the Bank to companies affiliated with the Bank: Uniqa životno osiguranje ado Beograd, Uniqa neživotno osiguranje ado Beograd, Generali osiguranje Srbija a.d.o., central database of Raiffeisen Group in the country and abroad, etc.
This data includes the personal data and the detailed data of the products, such as the item of transactions, terms, debits, credits and arrears.
If the products brokered are payment instruments, the analysed data also includes: payment behaviour, incoming and outgoing payment transactions, recipients and senders, payment service providers, amounts, purpose, payment references, originator references, frequencies and types of money movements, cashless payments, data of the dealers or service providers and information about these closed deals.
Within the Bank, your data is received by those units, employees or RBI members that require it to fulfill their contractual, legal and/or regulatory obligations and legitimate interests, based on the “need to know” principle (only information that is really required). All processors of personal data shall attend appropriate training related to personal data protection and are obliged to apply in their daily operations the highest business standards.
Processors may also be persons with whom the Bank has concluded an agreement on provision of personal data processing services (processors) which is concluded for fulfilment of contractual services or support to business processes. When making a selection of processors, the Bank checks their eligibility from the aspect of data security, entrusts the processing to such third parties which are found to meet the high standards for execution of activities, and concludes an agreement on personal data processing with prescribed high data confidentiality standards. Processors (e.g. IT and Back Office service providers) are given only such information as is needed for execution of the agreed service. All processors are contractually obliged to treat data confidentially and to process the data for the provision of the respective services.
According to legal or regulatory obligation, the state authorities and institutions, banks and auditors may be personal data recipients. With regard to data transfer to other third parties, the Bank is obliged to observe banking secrecy in accordance with the Law on Banks and therefore is obliged to keep confidentiality regarding all customer-related information and facts that have been entrusted or made available due to the business relationship. The Bank can disclose data in the case of client’s consent or if there is an obligation for that.
The recipients of personal data may be other credit and financial institutions, related legal entities, members of Raiffeisen Group or similar entities. In that case, only such data is disclosed to the recipients as is required for conduct of the business relationship. Depending on the respective contract, these recipients may be, for instance, correspondent banks, stock exchanges, custodian banks, credit bureaus or other companies affiliated with the Bank (due to contractual relationship or regulatory obligation).
Data from the video surveillance of the Bank can be used by competent authorities or the court (for evidence in criminal matters), security services (for security purposes) and other bodies for the purpose of law enforcement.
Transfer of data from Serbia to other countries will only take place if this is necessary for the execution of orders (e.g. payment and securities orders), or if so required by law or if you have given us your explicit consent.
In addition, data may be transferred to legal entities which are under contractual obligation with the Bank, members of Raiffeisen Group or processors or subcontractors in third countries (suppliers). These are obliged to comply with the highest data protection and security standards.
Payments and cash withdrawals with debit and credit cards can lead to the necessary involvement of international card organizations and thus possibly to data processing by these card organizations in third countries.
For example, the data protection measures taken by:
Personal data shall be retained until the purpose and basis of data processing are fulfilled, that is, personal data shall be processed for the whole duration of the entire business relationship, as well as after termination of business relationship in accordance with the prescribed internal acts and regulations, that is, in accordance with the mandatory storage and documentation obligation as required by law, in particular pursuant to the following legal provisions: the Law on Banks, Law on the Prevention of Money Laundering and Terrorism Financing, Law on Cultural Heritage, Law on the Protection of Financial Service Consumers, etc.
The Bank keeps data storage after termination of business relationship if: data storing is legally required or is a legitimate interest of the Bank (e.g. dispute resolution, defence of legal requirements, direct marketing) or for resolution of objections.
Data from the video-surveillance of the Bank will be deleted in principle after 30 days if no longer required for the purposes of video surveillance.
Persons whose personal data is processed have the right to access, rectification, erasure or restriction of the processing of their stored data, a right to object to processing and a right to data portability in accordance with the requirements of the Law on Personal Data Protection.
If you find as a client that any of your data protection rights have been violated, you may file a complaint with the Bank regarding personal data processing.
If you think, after receiving response from the bank, that personal data processing was conducted contrary to the Law on Personal Data Protection, you may address the Commissioner for Information of Public Importance and Protection of Personal Data.
To ensure more efficient resolution of clients’ requests, you must provide us, as a client, with all personal information that is necessary to enter into and to maintain the business relationship, as well as data that must be collected according to the law. If the client does not provide the required data, the Bank shall decline either to conclude or to complete the contract, or the Bank will be unable to execute an existing contract or will be forced to terminate such a contract.
For processing of data which is not necessary for the performance of a contract or is not required by law or regulation, but is collected based on consent, clients are not obliged to grant consent (for example, direct marketing, delivery of individual offers).
All data processed by the Bank shall be appropriately protected from abuse, destruction, loss, unauthorised changes or access. The Bank as personal data processor has undertaken technical, staff and organisational data protection measures, according to the defined standards and procedures, needed for protection of data from loss, destruction, unallowed access, change, publication and any other abuse and established the obligation of persons engaged in data processing to ensure data secrecy.
In order to ensure more efficient resolution of clients’ requests, the Bank may apply an automated decision in the decision-making process. Any negatively resolved request is subject to subsequent re-evaluation according to the internal procedures and regulations of the Bank.
If you as a client or as an applicant have been declined for a product applied for, you may file a formal complaint regarding the decision of the Bank.
The Bank shall consider the complaint and, if it finds it justified, the Bank shall change the initial decision or confirm it and notify the client of its decision.
Our website uses cookies. Cookies are text files, which are saved during the visit on your terminal.
We mainly use cookies for anonymized analysis about the use of the website. We also use cookies to offer you additional functions on the website in order to interact easier with the website and to ensure error-free usage (e.g. to facilitate navigation on a website or to save your preferences and settings for your next visit).
Necessary cookies: cookies, which are necessary for the basic functions of the website, are used by us because of contract performance obligations.
Functional cookies: cookies, which allow us to analyze the use of the website, are used by us on the basis of legitimate interest.
Marketing cookies: cookies, which allow us to offer you advertisement tailored to your interests, are also used by us on the basis of legitimate interest.
Some cookies are saved on your terminal until you delete them. They enable us to recognize your browser the next time you visit us. Most of the cookies we use are deleted after your visit on our website (so-called session cookies).
Cookies can be blocked, deactivated or deleted. Therefore, a variety of different tools are available (including browser controls and settings). You can find information hereto in the “help area” of the web browser you use.
If all cookies used by us are deactivated, the display of the website may, among other things, be limited.
Our website uses cookies and other market-based web controls in particular to control and improve our internet presence (JavaScript and tracking pixels). The entire data are recorded anonymously. By using so-called tracking pixels we are able to collect information to check for which screen sizes, browsers and operating systems our internet presence should be optimized. JavaScript is a programming language for evaluating user interactions, modifying, reloading or generating content.
This website uses Google Analytics, a web analytics service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies, which are saved on your computer. We process your data based on our legitimate interest in setting up easy-to-use website access statistics. The information generated by the cookie about your use of this website (including your anonymized IP address and pseudonymized ID as well as the URLs of the websites accessed) is transmitted to and stored by Google on servers in the USA. This website uses the given opportunity for IP-anonymization by Google Analytics. Your IP address will be shortened by Google within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area. On our behalf Google will use this information, to evaluate the use of the website, to create reports about the website activities and to provide us with other services related to the use of the website and the internet. You can prevent the general storage of cookies by adjusting your browser software accordingly. However, we point out that in this case you may not be able to use all functions of this website to their full extent.
You can also prevent Google from collecting your data in connection with Google Analytics by downloading and installing the browser plug-in available under the following link.
For more information on Google’s Terms of Use and Google’s Privacy Policy, please visit here.
On our website we use the service Google Maps API. This service is a service of Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By integrating the service on our website, at least the following data are transmitted to Google, Inc.: IP address, time of visit of the website, screen resolution of the visitor, URL of the website (referrer), the identification of the browser (user agent) and search terms. The data transfer is independent of whether you have a Google account that you are logged in to or whether you do not have a Google user account. If you are logged in, the data will be assigned to your account. If you do not wish assignment to your profile, you must log out before activating the button. Google, Inc. stores this data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. You have the right to object to the creation of these user profiles, whereby you must contact Google Inc. to exercise this right. For more information about the purpose and scope of data collection and processing by Google, Inc., please contact here. We do not process the affected data.
Every time a user accesses our website and every time a file is retrieved or attempted to be retrieved from the server, data about this process is stored in a log file. For us it is not directly recognizable which user called upon which data. We also do not try to collect this information. This would only be possible in legally regulated cases and with the help of third parties (e.g. Internet service providers). In detail, the following data record is stored for each retrieval: the IP address, the name of the downloaded file, the date and time of the download, the amount of data transferred, the message as to whether the download was successful and the message as to why a download may have failed, the name of your Internet service provider, if applicable the operating system, the browser software of your computer and the website from which you are visiting us.
The legal basis for the processing of personal data is our legitimate interest. This is to detect, prevent and investigate attacks on our website.
In addition, we process your personal data in special cases on the basis of the legitimate interests of us or legitimated third parties for legal proceedings or on behalf of legally authorized authorities or courts.
This website uses the “Matomo Analytics” software for anonymous analysis of website usage. Matomo uses technologies that make it possible to recognize the user across multiple pages with the aim of analyzing user patterns (e.g. cookies or device fingerprinting). The information recorded by Matomo about the use of this website will be stored on our server. Among others, we collect the following data: visited websites, date and time of the visit, length of stay, browser version, screen resolution, operating system, the country and the referrer (the previously visited page from which a page was accessed). Through Matomo, we can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.). We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.
For optimizing our landing pages and improving our services, we may record your session with Mouseflow, a website analytics tool. Please note that no personal data is processed during session recording or is shared with third parties.