Crédit Agricole Serbia a.d. Novi Sad (hereinafter: the "Bank") processes personal data in compliance with the Law on Personal Data Protection (Official Gazette of the Republic of Serbia, No. 87 of November 13, 2018).
The Law on Personal Data Protection ensures that personal data processing is performed in compliance with guaranteed human rights and fundamental freedoms.
This Information Notice on Personal Data Processing by the Bank (hereinafter: the "Information Notice") includes the obligations prescribed by the Law on Personal Data Protection.
In line with Articles 23 and 24 of the Law on Personal Data Protection, we provide you with the information about how we process your personal data, your rights in respect of such processing and data protection and how you can exercise these rights.
We process and use your personal data in a lawful, fair and transparent way, while protecting the data from unlawful and unauthorized processing, by applying the highest organizational, technical and safety protection measures.
This Information Notice applies to a private individual who requests or receives a service from the Bank, as well as to all other private individuals who are involved in certain direct and indirect business relations with the Bank or are/will be connected in any way to the Bank as the personal data controller (guarantors, joint debtors, pledgers, heirs, proxies, guardians, successors, legal representatives of minors and legal representatives of legal entities, as well as other private individuals related to the legal entity, whose personal data are subject to processing).
The data controller is Crédit Agricole Bank Serbia joint-stock company Novi Sad, Corporate ID No. 08277931, TIN 101697525.
Contact information: Crédit Agricole Serbia a.d., 21000 Novi Sad, Tel: +381(21)4876876, Fax: +381(21)4876976, E-mail: email@example.com
If the Bank is a joint controller with another controller, in terms of Article 43 of the Law on Personal Data Protection, i.e. if it determines the purpose and method of processing together with one or more organizations on the basis of business cooperation, joined service, or legitimate interest of the Bank and a third party, you may request additional information, not only from the Bank but from the other data controller as well. In that case, you may exercise your rights prescribed by the Law on Personal Data Protection with respect to any individual data controller and against them.
Pursuant to Article 56 of the Law on Personal Data Protection, the Bank must appoint a personal data protection officer. For any questions regarding personal data protection and/or the exercise of rights prescribed by the Law on Personal Data Protection, you may contact the Personal Data Protection Officer at the following addresses:
CRÉDIT AGRICOLE SRBIJA A.D. NOVI SAD, PERSONAL DATA PROTECTION OFFICER, Address: BRAĆE RIBNIKARA 4-6, NOVI SAD
Tel: 021 4876960
We receive personal data directly from you or another source depending on the business relationship in question, i.e. the purpose and basis for processing. We process data to the extent necessary to fulfil the purpose of processing. In case we receive your personal data from another source, you will be notified in accordance with Article 24 of the Law on Personal Data Protection.
Information on the types of personal data, which are processed in connection with a specific kind of banking service provided by the Bank as a controller or joint controller in accordance with Article 43 of the Law on Personal Data Protection, will be provided to you at the time of collection by the Bank, in accordance with Article 23 of the Law on Personal Data Protection, through the agreed communication channel.
If the Bank is processing your personal data that were not collected directly from you (e.g. through a legal representative of a legal entity, a person authorized for the legal entity’s account, etc.), you will receive information on personal data processing within a reasonable time after receiving personal data, taking into consideration the specific circumstances of processing, either to the e-mail address or other agreed communication channel used for communication with a legal entity or at the time when the first contact with you was established.
According to Article 24, paragraph 5 of the Law on Personal Data Protection, the Bank is not required to provide you with the requested information if you are already in possession of that information, if the provision of that information is impossible or if it would entail a disproportionate cost in terms of time and resources, especially in case of processing for archiving purposes in the public interest, for scientific or historical research purposes, as well as for statistical purposes, provided that the measures referred to in Article 92 of the Law on Personal Data Protection are applied. The Bank has no obligation to provide said information if it is likely that such provision would prevent or significantly impede the achievement of the purpose of processing, provided that the Bank as the data controller takes suitable measures to protect the rights and freedoms, as well as the legitimate interests of data subjects, including the public disclosure of information. Additionally, the Bank has no obligation to provide the information if the collection or disclosure of personal data is expressly required by the law which prescribes measures for protection of your legitimate interests. The Bank has no obligation to provide the information if the confidentiality of data must be ensured in accordance with the legal obligation to keep trade secrets.
The Bank exchanges certain personal data with members of Crédit Agricole Group, in its legitimate interest, in order to manage risks at group level. We also disclose data to third parties and government authorities, in the legitimate interest to prevent fraud and money laundering. In addition, we also obtain certain data from your payment orders, as well as data from used applications which are connected with some of the contracted services (including geolocation data, data obtained from web service, etc.).
In order to establish a business cooperation with you or to provide certain financial services, the Bank needs your identification data. When establishing a business cooperation and checking your identity, including due diligence, and fulfilling the Bank’s legal obligations (in accordance with the Law on the Prevention of Money Laundering and Terrorism Financing), we collect and process your personal data: name and surname, personal identification number, address of permanent or temporary residence, data on the type, number, issuer and the validity period of the identity document, residency status. Refusal to provide this information will result in the denial of your request to conclude a particular agreement with the Bank or to establish a business relationship.
Besides identification data listed above, the Bank processes your contact information, namely mailing address in accordance with the law, mobile phone number, e-mail address, either for the purpose of executing a certain contract (sending information on the specific product) and/or notifying a client with the purpose of preventing potential fraud and/or if you have given your explicit consent to the Bank. Certain data might be necessary for the execution of a certain contract if the provision of the service is conditioned on the provision of data (e.g. the use of a mobile phone for the mobile application). Refusal to provide the requested information will result in the denial of your request to conclude a certain contract with the Bank.
Gender information is collected for the purpose of customized address when sending notifications under a contract or based on the consent you have given to the Bank.
We use a copy of your personal document or a printout of an identification document generated by an electronic reader in order to fulfil the legal obligations of the Bank as a data controller in accordance with the regulations governing the prevention of money laundering and terrorism financing, as well as to verify your identity during contract conclusion, use of certain services and updating your data, all with the purpose of pursuing the legitimate interest of the Bank regarding fraud prevention.
If you contact the Bank’s call center or if the Bank contacts you after your call, the conversation may be recorded in some cases, of which you will be notified in advance. Depending on the subject of conversation, and if it is necessary to confirm your identity, the Bank may ask you for some additional information necessary for said purpose.
If you contact the Bank via the website www.creditagricole.rs, and you expect feedback, the Bank may ask for identification and contact information. Data provided in this way will not be made available to other users.
Depending on the type of product and requested service, the Bank may collect and process other data necessary for the execution of a contract or for taking actions preceding the conclusion of the contract or for meeting the legal obligation or legitimate interest of the Bank or a third party or under your consent, in accordance with Article 12 of the Law on Personal Data Protection.
Below you can find an informative overview of the personal data we process for certain types of products and financial services offered to our clients. Information not contained herein will be provided to you verbally or in another appropriate manner at the time of its collection, in accordance with Articles 23 and 24 of the Law on Personal Data Protection.
In order to prepare a loan offer (or informative loan calculation at your request) and/or analysis of the loan application and/or loan approval and/or execution of a loan agreement, as well as for actions preceding the loan approval, in addition to your identification data and identification data of other participants in a credit facility (joint debtors, guarantors, pledgers or any other participants), and for the purpose of assessing your financial situation and creditworthiness and providing appropriate explanations related to the offered loan tailored to your needs and possibilities, risk management, compliance with regulations, especially decisions of the National Bank of Serbia and Anti-Money Laundering and Counter-Terrorism Financing Act, we also need additional data such as data on: marital status, related persons (e.g. data on a spouse or immediate family member or private individuals employed by a legal entity with which you have a close business relationship), education level, debts in other credit and financial institutions, data on the place of residence, type of credit card you use, data on the number of family members, data on the number of dependents, etc.
We process your employment data, income, expenses, consumption, etc. in order to assess your sources of income and your ability to repay the loan out of your income as the primary source of repayment of your loan obligations. When approving certain types of loans, we also submit your data for automated processing (including profiling). In that case, you have the right to ensure that a natural person under the control of the data controller participates in the decision-making process and to contest the decision before an authorized person of the data controller.
Likewise, when assessing your creditworthiness and ability to timely settle your obligations, the Bank may require a Credit Bureau report. We may also process this information when a loan is being approved by the Bank and a third party as a joint controller, in which case, if you are dissatisfied with such processing, you may file a complaint as described in more detail below.
For some loans, we also process data on your current account held with the Bank or another bank in order to check the stability of your operations and/or the amount and/or regularity of income payments in order to calculate creditworthiness, disburse the approved loan or repay the loan if the loan is repaid this way (e.g. loan disbursement, setting up a standing order, etc.).
For the loans which are tied to a credit card (e.g. revolving loans, etc.), in addition to this data, we also process the data specified in the card issuance applications, which you provided as the data subject, either to the Bank or a third party that is a joint controller with the Bank, together with other processing operations required for loan approval. For the loans secured by a lien either on property, moveable assets or some other right (e.g. deposit, etc.), the Bank processes data on the owners of property or deposits or some other right which is the basis of lien. Likewise, for certain types of loans (e.g. housing loans), we collect data on spouses in accordance with the provisions of the Family Law (spousal co-ownership, etc.). If your loan is granted upon provision of security in the form of pledge on the property and if the Bank has secured the claim under that loan with an insurance company, the data are exchanged between the Bank and that insurance company only to the extent necessary for the realization of that contract in compliance with all technical and organizational requirements and protection of your data.
If your loan is approved on the basis of business cooperation between the Bank and a third party, either a member of Crédit Agricole Group or a third party, regardless of the relation with the Bank, information is exchanged between the Bank and the legal entity only to the extent that is necessary for the performance of this contract in compliance with all technical and organizational requirements and protection of your data.
Depending on the distribution channel through which you apply for or use a loan or through which the loan is approved or repaid, some personal data are additionally processed due to the specific features and functionalities of the relevant channel.
If you do not settle your obligations on time, your data may be processed for the collection of receivables, including, but not limited to telephone contacts to the extent permitted by regulations governing consumer protection, outsourcing of collection to personal data processors in the Republic of Serbia. If security instruments are activated to collect payments, we process your data for this purpose. In case of an enforced collection of receivables, we process the data prescribed by the specific regulation (e.g. the Law on Enforcement and Security Interest, etc.) and in certain cases, we submit them to attorneys.
CURRENT ACCOUNTS AND PAYMENT OPERATIONS WITH PRIVATE INDIVIDUALS
To conclude a framework agreement on payment services and/or open individual current accounts, the Bank processes your identification data listed under (a), as well as contact information. We use your personal data to conclude and execute a framework cards and other instruments which enable you to use your account, to send prescribed notices (by mail or e-mail), PINs, etc. In some cases, we also use your landline or mobile phone number if necessary to prevent the misuse of payment cards by third parties, to resolve complaints or send notices on due payments, to the extent allowed by regulations. If your contract with us includes your proxy as well, we will also process his/her data (e.g. data required to issue a payment card, address for sending PIN, etc.). If standing orders are a part of the contract, their realization requires that we process your personal data listed under (a), including account number, and that we also exchange data with payees.
If under a contract, the Bank provides you with an overdraft or enables you to make payments in instalments, we will process the same data as for credit products.
CARDS AND PAYMENT INSTRUMENTS
In terms of payment cards (Mastercard/Visa Classic credit cards [charge or revolving] and Dina cards), the Bank will process the personal data which you provided in the application form for the issuance of individual cards, including other data which the Bank has about you, in order to check the stability of your business operations and risk management. The Bank collects and processes these data to assess your capability to timely settle payment obligations arising out of credit card use or to assess your creditworthiness for revolving credit or when credit is linked to your credit card. Personal data provided in the application will also be processed before reaching the approval decision, so that some card features can be activated and used. When a credit card or revolving credit needs to be approved, your personal data will be subject to automated data processing, including profiling. In this case, you have the right to request that an individual working under the control of the data controller participate in the decision-making process, to state your position regarding the decision and the right to dispute the decision before the data controller's authorized person.
Contact information specified in the application (landline or mobile phone number, address, e-mail, etc.) are processed by the Bank in order to communicate with you through the agreed communication channel or to prevent abuse and fraud by third parties. For additional verifications of your identity during communication, e.g. by phone, e-mail, etc., and to prevent frauds of third parties, the Bank also collects some specific data conditioned by the requirements of the contract with Mastercard/Visa and Dina system. Certain data (name, surname, address, postal code, place, personal identification number (JMBG), etc.) are required for the issuance of a credit card by a legal entity entrusted with the activity of processing card products. If there is an additional card user in the contract, we also process the data of the additional card user listed on the application (name, surname, address, postal code, place, personal ID No., etc.).
Depending on the distribution channels via which you apply for a credit card or through which you sign a contract for a credit card, some additional data are processed depending on the specific features and functionalities of the channel you are using.
The Bank processes your personal data necessary for the performance of a deposit agreement, depending on the type of deposit, in order to send you notices on deposit status, changes in interest rates, deposit insurance, etc.
If your proxy is also included in the contract, we also process the proxy’s personal data, i.e., if you are a legal representative or guardian, we process your data as well as the data of a minor, by ensuring the protection of the rights of these persons in accordance with special regulations governing the protection of their rights. If, in addition to the deposit account, a transfer account, standing order or payment order have also been contracted, we process the data on the account number or order number for the purpose of completing the transaction.
In addition to the basic identification data listed under (a) and contact information, we also need your mobile phone number in order to perform these services. To prevent unauthorized access and fraud when using these services, as this involves remote use of banking and financial services, the Bank collects and processes data on IP addresses and geolocation of service users. At the same time, to perform these services, the Bank processes the system’s technical data which are a prerequisite to use this service via a means of remote communication. For the same reason, the Bank uses specialized software tools, and collects and analyses the ways in which you use the services.
To conclude a contract for a safe deposit box, the Bank collects and processes your personal data listed under (a) as well as personal data of persons who have access to the safe deposit box (e.g. proxy, legal representative of a legal entity), such as name, surname, place of residence, day, month and year of birth, personal identification number (JMBG), ID type and number, name and country of issue and citizenship.
The Bank also processes certain personal data as a data processor in accordance with the contract on outsourcing certain activities or jobs to third parties (e.g. insurance agency, etc.). In these cases, the Bank processes personal data exclusively upon an order and in accordance with the instructions received from data controllers on the basis of a contract and Article 41 of the Law on Personal Data Protection.
BASICS OF PERSONAL DATA PROCESSING
The personal data specified in this Information Notice and processed by the Bank, whether collected from you or a third party, shall be processed in accordance with the Law on Personal Data Protection on the following grounds:
The purpose of data processing and the categories of data that you are obligated to provide to us before the conclusion of a contract or the provision of a service depend on the specific features of individual services described earlier. Your consent is not required for the processing of data necessary to conclude the contract or to take actions upon your request before the contract is concluded.
The Bank also processes data to the extent necessary to ensure that legitimate interests of the Bank and third parties are realized.
The legitimate interests for processing must be such as to override the interests or fundamental rights and freedoms of the data subject. The processing based on legitimate interests of the Bank may be conducted in the following situations:
Data processing necessary for direct marketing, when the offer is based on the fact that the client has previously/already used the products and/or services with similar characteristics and options to those offered. In cases of data processing based on a legitimate interest, your consent is not required. In these situations, you have the right at any time to submit a request for the exercise of rights of the data subject as described in this Information Notice.
We need your consent to further customize our offer to match your needs and desires, to inform you about new services and benefits and to receive feedback regarding your satisfaction with the provided services, to review your suggestions for improvements or to include you in research and surveys, and to reward your loyalty by allowing you to participate in prize contests and competitions.
We need your consent to process your personal data for the following purposes:
- to inform you of the Bank’s banking and financial services, as well as of the possibilities to obtain benefits and discounts (e.g. customized offers for loans, accounts, cards and deposit services, and for obtaining various benefits and discounts tied to these services)
If you have already given your consent to the processing of personal data for certain purposes, the legality of such processing is based on your consent. The consent may be withdrawn at any time. This also applies to the withdrawal of consents given to us before the Law on Personal Data Protection came into force. Likewise, providing or denying consent on your part does not affect the performance of the contract, nor does the termination of a contract result in the cessation of the validity of the consent you have given us.
You can withdraw your consent by contacting the Bank or the Personal Data Protection Officer by using the contact information provided in this Information Notice.
PERSONAL DATA PROTECTION RELATED TO THE USE OF THE BANK’S INTERNET PRESENTATION
The Bank collects and processes the following personal data via this website: user's name and surname, date of birth, contact phone number, e-mail address and data on the location of the user’s terminal equipment.
We use the mentioned data solely to facilitate the provision of services via this website, to contact and inform users and for marketing purposes, fully in accordance with the provisions of the Law on Personal Data Protection. The Bank may provide personal data for the stated purposes to third parties as well.
CATEGORIES OF PERSONAL DATA RECIPIENTS
The persons who have access to your personal data are the Bank’s employees and other persons who, due to the nature of the work they perform with or for the Bank, have access to classified information. These persons must keep the confidentiality of these data because this information also represents a banking secret and may not be disclosed to third parties, used against your or the Bank’s interests, and third parties may not be allowed to use it.
Besides, to achieve the processing purposes mentioned earlier in this Information Notice, we may disclose your personal information to other members of Crédit Agricole Group (when the exchange is exempt from the obligations regarding a banking secret), or to the parent banking institution Crédit Agricole S.A., including the legal entity entrusted with certain operations within the information system and administrative services at Group level, all for risk management purposes at Group level, as well as if the data are necessary to establish a cooperation or realize legitimate interests of the data controller or a third party.
Based on the legal obligations under special regulations, the Bank is obligated to provide and submit personal data to supervisory authorities (e.g.: National Bank of Serbia, Agency for Combating Corruption, Administration for the Prevention of Money Laundering, judicial authorities, etc.) or for the needs of collecting and providing information on the creditworthiness of private individuals or legal entities if such an obligation is prescribed by a special regulation.
In addition to the aforementioned recipient categories, the Bank transfers your data for the purpose of performing outsourced activities (e.g. to a legal entity for mail preparation and distribution, to a legal entity for card operations, etc.). When needed for certain proceedings before courts and other bodies, data may be provided to attorneys.
Information on certain recipients of your data, if not covered by this point, will be provided to you at the time of conclusion of a contract for a particular service or subsequently, in accordance with Article 23 of the Law on Personal Data Protection.
Your personal data are processed in the Republic of Serbia or the European Union. If required for some technical or operational reasons, the Bank reserves the right to transfer your personal data to non-EU countries, in relation to European Commission decisions on adequacy or on the basis of adequate protection measures or certain deviations outlined in the General Data Protection Regulation.
We keep your personal data for a period either specified by a regulation (e.g. the Law on the Prevention of Money Laundering and Terrorism Financing, the Law on Accounting) or no longer than is necessary to achieve the purpose for which they were processed if the retention period is not prescribed or a minimum retention period is prescribed. Your personal data may be processed for a longer period of time if needed for some other justified purposes (for court litigations and other legal proceedings, etc.), which leads to the extension of data retention periods beyond the deadlines specified in this point. Data retention periods in some cases for which the retention period is not prescribed by law may be longer or shorter than the above deadlines and this period is determined by the Bank as the controller, provided that in these cases the data are retained only as long as necessary depending on the purpose of data processing.
You are entitled to contact the Bank at any time in order to exercise your rights in accordance with the Law on Personal Data Protection at the contact addresses specified above in this Information Notice. You may submit your request in writing or personally in the Bank’s branches or at the e-mail address of the Personal Data Protection Officer: firstname.lastname@example.org.
The Bank will inform you of the actions we take in connection with your request without undue delay, and no later than within 30 days from the receipt of your request. Exceptionally, this period may be extended by an additional 60 days if necessary, bearing in mind the complexity and the number of requests. In that case, the Bank will notify you of the reasons for the delay within thirty days from the receipt of your request.
If you submitted the request electronically, the information will be provided to you in the same way, if possible, unless you specified otherwise in the request. If the Bank fails to act on your request, it will inform you, without delay and no later than 30 days from the receipt thereof, of the reasons why it failed to act and of the option to file a complaint to the Commissioner for Information of Public Importance and Personal Data Protection.
Any communication and actions by the Bank in connection with the exercise of the rights set forth below shall be free of charge. However, if your claims are clearly ungrounded or excessive, in particular, because of their recurring nature, the Bank may charge you a fee, based on the costs incurred, or refuse to act on your requests.
You may contact the Bank, as the data controller, to exercise the following rights:
(1) Right to access data - You can obtain a confirmation from the Bank as the data controller, whether your data are processed. If they are processed, you have the right to access your personal data and information as prescribed by the Law on Personal Data Protection.
In the case where the personal data are transferred to a third country or an international organization, you have the right to be informed of the protection measures applied to such transfer.
If requested by you, the Bank shall supply a copy of the personal data being processed. For all additional requested copies, the Bank may charge you a reasonable fee for the incurred administrative costs. If the request is submitted electronically, and unless requested otherwise, the Bank shall submit them in the usual electronic form.
We hereby inform you that the Bank may not erase your data if their processing is necessary to comply with the legal obligation of data retention or in the public interest for the submission, exercise or defense of legal claims.
In the cases under a) and c), the Bank shall apply adequate measures to safeguard your rights, freedoms and legitimate interest, and you may exercise the right to obtain human intervention on the part of the Bank to express your position and contest the decision.
Regardless of the foregoing, if you believe that the processing of data conducted by the Bank violates the Law on Personal Data Protection, you can contact the Data Protection Officer at email@example.com to jointly try to resolve your complaint.