INFORMATION ABOUT PERSONAL DATA PROCESSING WHEN SENDING MONEY REMITTANCES THROUGH THE INTERNET
Postal Savings Bank j.s.c. Belgrade (hereinafter referred to as: the Bank) deems that the protection of personal data is a basic right of any man and wants that you as our Customers feel safe and that your experience with the Bank is at the highest level. Therefore, we process and use your data in a legal, fair and transparent way.
Personal data collected in the light of the Law on Personal Data Protection ("Official Gazette of RS" No. 87/2018) (hereinafter referred to as: the LPDP) and this Information about Personal Data Processing When Sending Money Remittances through the Internet (hereinafter referred to as: the Information) present a trade secret for the Bank and they enjoy protection in the light of all applicable regulations and internal enactments of the Bank. Their violation shall entail personal responsibility of the employees for the violation of secrecy, unauthorized access, change, publishing and any form of fraud of personal data that the Bank keeps in its databases.
I Certain terms used in the Information and their meaning:
- "personal data" is any data relating to a natural person whose identity is determined or determinable, directly or indirectly, especially based on the identity marks (such as name and ID number), location data, identifier in electronic communication networks or one, i.e. more characteristics of his/her physical, physiological, genetic, mental, economic, cultural and social identity;
- "person to whom the data relate" is a natural person whom the data relate. i.e. you as the User of the Service of Sending Money Remittances through the Internet (hereinafter referred to as: the Customer);
- "personal data processing” is any action or a set of actions performed automatedly or unautomatedly with personal data or their sets, such as collecting, recording, classifying, grouping, i.e. structuring, storing, adjusting or changing, disclosing, insight, use, disclosing by transfer, i.e. by delivery, proliferation, dissemination or making available otherwise, comparing, limitation, deletion or destruction (hereinafter referred to as: processing);
- "limitation of processing” is designation of the stored personal data for the purpose of limiting their processing in the future;
- "collection of data" is any structured set of personal data available in accordance with special criteria, irrespective of whether the collection is centralized, decentralized or classifed by functional or geographic bases;
- "operator” is a natural person or legal entity, i.e. authority that independently or together with others establishes the purpose and method of processing. The law establishing the purpose and method of processing may also establish the operator or stipulate conditions for its establishing;
- "processor" is a natural person or legal entity, i.e. authority processing personal data in the name of operator;
- "recipient" is a natural person or legal entity, i.e. authority to whom/which personal data have been disclosed, irrespective of whether a third party is in question or not, unless the authorities receiving personal data in accordance with the law within investigating a particular case and processing them in accordance with the personal data protection rules relating to the purpose of processing;
- "third party” is a natural person or legal entity, i.e. authority that is neither the person to whom the data relate, operator or processor, nor the person authorized to process personal data under direct supervision of the oprator or processor;
- "consent” of the person to whom the data relate is any voluntary, specific, informed and unambiguous expression of the will of that person, with which that person gives a consent for processing of personal data relating to him/her either with a statement or clear affirmative action;
- "violation of personal data” is a violation of personal data security leading to an accidental or illegal destruction, loss, change, unauthorized disclosure or access to personal data that are transferred, stored or otherwise processed;
- "Commissioner for Information of Public Importance and Personal Data Protection (hereinafter referred to as: the Commissioner)“ is an independent and autonomous authority established based on the law, competent for the supervision of enforcing that law and carrying out other operations stipulated by the law;
- "TIZI Portal" – the Internet portal of the Bank through which the service of sending money remittances through the Internet is provided (hereinafter referred to as: web portal). This Information describes how the Bank collects, uses, protects and shares your personal data when you use our Service of Sending Money Remittances through the Internet (hereinafter referred to as: the Service), as well as chosen methods in which your data are collected and used.
II Operator’s data
Your personal data shall be processed by Postal Savings Bank j.s.c. Belgrade, 3, Kraljice Marije Street, 11000 Belgrade, BIN 07004893, TIN 100002549, registered in the Business Registers Agency of the Republilc of Serbia.
The Bank shall process your data in the capacity of an operator. Contact details of the Bank are as follows:
Postal Savings Bank j.s.c. Belgrade
3, Kraljice Marije Street
Phone: +381 11 20 20 292
III Data on the person in charge of personal data protection
The Bank has appointed a person in charge of personal data protection whom you may address in order to be informed and given opinion regarding your personal data protection, implementation of the LPDP and other laws relating to the personal data protection. Contact details of the person in charge of personal data protection are as follows:
Postal Savings Bank j.s.c. Belgrade
Person in charge of personal data protection
3, Kraljice Marije Street
Or to the following e-mail address: firstname.lastname@example.org
IV Personal data collected by the Bank
When you use our Service, you get in touch with us, i.e. you access our web portal and we collect your personal data. In order to transfer funds, you have to indicate certain data that are necessary to the Bank to transfer the funds and fulfil legal obligations related to the transfer of funds. If you do not indicate certain personal data, that may affect our capability to provide you the Service.
We collect different types of personal data on you, such as:
- Contact details - your name and surname, postal address, e-mail address, phone number;
- Payment card number, CVV2 (three-digit code on the back of the payment card), payment card expiry date;
- Personal ID number;
- Details about transactions;
- Technical details at the moment when you access our location, such as the host from which you access the Internet, IP address of the computer or ID number of the device, geographic location (if enabled), details abot the device (such as characteristics of the device, settings, applications, storage facility), browser and operating system software, date and time of the access to our web locations and address of the location from which you reached our web location.
- Information about the compliance with regulations, including fraud prevention, verification of the identity and the existence of sanctions.
V Method of collecting data
The Bank shall collect personal data in several ways:
- Through an order for money remittance purchase through the Internet;
- While we provide customer support or consultations through e-mail, ordinary mail and call centers;
- Within the process of maintaining and upgrading the Service;
- Within the automated processes, such as communications protocols, e-mail communication and cookies or similar Internet technologies;
VI Purpose and legal basis of personal data processing
The Bank shall collect your personal data only in the scope necessary for fulfilling the purpose, such as:
- When providing the Service and giving assistance to the customers when executing transactions and having access to the information about the order;
- For recognizing customers and in order to enable them to remain logged on our web protal without any need to enter their password again;
- For improving security, financial risk reduction and fight against fraud within our Services.
The Bank may use your personal data in the manner described in this Information on any of the following legal bases:
- For the purpose of contracting the Service and fulfilling the contractual obligation. We use your personal data in order to provide you the service of sending money remittances through the Internet. We may use these data for the realization of the contract on one-off payment transaction;
- In addition to the data necessary for contracting the Service, the Bank shall also be obliged to collect certain data for which there is a legal obligation to be collected and without which it will not be able to provide the Service. The data for which there is a legal obligation to be collected have been determined by applicable regulations of the Republic of Serbia, especially the regulations governing AML/CFT (Law on AML/CFT), banks’ operations (the Law on Banks), decisions of the National Bank of Serbia as a regulatory body (the Decision on More Detailed Conditions and Method of Maintaining the Single Register of Users of Money Remittances); resolving of complaints based on the applicable regulations (Law on Payment Services, Law on Financial Service Users Protection), etc;
- The Bank may also process your personal data for the purpose of achieving its legitimate interests, as an operator, or achieving a legitimate interest of a third party. The legitimate interest of the Bank or a third party on which the processing is based must be such that it is stronger than your interests and your basic rights and freedoms. The Bank has a legitimate interest when it processes the data of its customers in the following situations: to protect and investigate frauds and other criminal/offence acts at the expense of the Bank’s customers and/or the Bank; to prevent abuse of the services the Bank provides; to initiate and conduct litigations for the purpose of exercising the rights and interests fo the Bank or third parties; for direct advertisement; to improve the usefulness of service capabilities such as applications, etc for the purpose of developing new products and services; in case of accepting your calls through the Call Center of the Bank (the Bank may record telephone conversations); in case of accepting your calls when the service quality control is in question or in cases of reporting complaints to the work of the Bank (the Bank may record telephone conversations).
- We may process your personal data based on your consent. That means that the lawfulness of personal data processing is based on your consent. You shall give your consent to to the processing of your personal data when registering on the web portal of e-store of remittance in which case we shall inform you about the purpose for which your data will be processed. We especially point out that each consent is voluntary and that you may revoke it at any moment. Revoke of the consent shall not affect the processing of data that was carried out based on the consent prior to the revoke. That means that after the revoke the Bank cannot further process your data, i.e. it cannot further provide you the Service. You may revoke your consent by contacting the Bank or the person in charge of personal data processing on the contact addresses indicated in Chapters II and III hereof.
When collecting information in electronic form through the web portal you have registered for the Service, the Bank shall provide you with information about the types of your personal data that it processes in connection with the Service it provides but that is not contained in this Information.
VII Categories of personal data recepients
An access to your personal data have the employees in the Bank and other persons who, due to the nature of the work they do with the Bank or for the Bank, have access to confidential data. These persons have obligation to keep these data confidential because these data represent Bank Secrecy and, thus, they must not be conveyed to third parties, used contrary to your interests or the interests of the Bank or enabled to be used by third parties. The recipients of your personal data have been defined by the Law on Banks (hereinafter referred to as: the LOB) in the provisions governing the Bank Secrecy (Articles 46-49 of the LOB).
Based on the law, the Bank has an obligation to provide special data based on a court decision or a request of a competent authority, for the needs of the Ministry of Interior Affairs, the AML/CFT Authority, the regulatory bodies in the Republic of Serbia for the purpose of performing operations within their competence, the competent authority in conection with checking the payment operations, the authority in charge of checking foreign exchange operations, a foreign regulatory body under the conditions provided for under the agrement on cooperation concluded between that body and the National Bank of Serbia, etc.
Personal data recipients may also be third parties operating in the Republic of Serbia and processing your personal data. Also, the Bank may also provide your data to third parties for the purpose of carrying out externalized activities.
In addition to that, the Bank has an obligation to enable an access to your data to the service providers issuing card payment instruments.
VIII Transfer of data to third countries or international organizations
The Bank shall process your data in the Republic of Serbia and shall not transfer them to other countries or international organizations.
IX Personal data protection
In order to safeguard the confidentiality, integrity and availability of personal data the Bank shall implement certain organizational, technical and personnel protection measures complied with the applicable national laws and regulations for personal data protection. We are also doing our best to limit an access to the information so that it is available only to those employees who must know it.
X Term for keeping personal data
The Bank shall keep your personal data within the terms defined by some regulations (such as: the Law on AML/CFT, the Law on Banks, the Law on Payment Services, as well as other laws applied by the Bank), i.e. within the period required for achieving the purpose for which these data have been processed. In addition to this, the Bank may also process personal data for a longer period of time in order to protect its interests within the actions before different state authorities (courts, inspections).
XI Internet Technologies
XII Customers’ rights
In accordance with the LPDP, you as our customer may address us at any moment in order to protect your rights, in writing, to one of the addresses indicated in Chapters II and III of this Information.
The Bank shall be obliged to inform you about the actions taken upon your request and the acting based on your request, without any delay, and not later than 30 days following the day the request was received. That term may be extended for additional 60 days, if necessary, taking into consideration the complexity and the number of requests. The Bank is obliged to inform you about the extension of the term and the reasons for it within 30 days following the date when the request was received. If you submitted a request electronically, the Bank shall inform you in the same way, if possible, unless you request to be informed in another way.
All the communcations and actions taken by the Bank in connection with the exercise of your rights indicated below in more details shall be free of charge, i.e. the Bank shall charge you no fees. However, if your request is obviously unfounded or unreasonable, and especially if it repeats frequently, the Bank may charge necessary administrative expenses of providing information, i.e. acting upon the request or refuse to act upon the request.
You can address the Bank for the exercise of the following rights:
Rights to access – right to information about:
- the purpose of processing;
- the types of personal data that are processed;
- the recipient(s) to whom personal data have been or shall be disclosed, and especially to the recipients in other countries or international organizations;
- the term of keeping personal data or criteria for setting that term;
- the existence of right to request from the Bank to correct or delete personal data, the right to a limitation of processing, and the right to a complaint to the processing;
- the right to a complaint to the Commissioner;
- the source of personal data if the Bank has not collected them from the persons to whom they relate;
- the logics used during the processing, then about the importance and expected consequences of that processing on the person to whom the data refer.
Right to complaint – if you deem that that is justifiable, due to the situation you are in, you may, at any moment, lodge a complaint to the processing of your data to the Bank, that is carried out in accordance with the law. The Bank is obliged to stop processing the data as soon as it receives your complaint unless it has been found out that there are legal reasons for processing that are stronger than your interests, rights or freedoms.
Right to correction – right that your incorrect personal data are corrected and complemented without necessary delay, as well as to give an additional statement, if any.
Right to the deletion of personal data – The Bank is obliged to delete the data without any delay especially in following cases:
- if the data have no longer been necessary for achieving the purpose they were collected for;
- if you lodged a complaint to the processing of data for purposes of direct advertisement, including also profiling, to the extent it has been connected with the direct advertisement;
- if your data have been unlawfully processed;
- if the data have to be deleted for the purpose of fulfilling legal obligations of the Bank;
- if your data have been collected in connection with using information society services by a juvenile;
Rights to the processing limitation – Your right to limit the processing of your personal data by the Bank if one of the following cases has been fulfilled:
- if you deny the accuracy of personal data within the term enabling the Bank to check the accuracy of personal data;
- if the processing is unlawful and you are against deletion and request the limitation of using the data;
- if the Bank no longer needs your personal data for achieving the purpose of processing, but you, as the person to whom these data relate, have requested that in order to submit, carry out or defend a legal request;
- if you have lodged a complaint to the processing of data for the purposes of direct advertisement, including also profiling, to the extent it has been connected with the direct advertisement.
Right to revoking consents based on which the Bank processes personal data after which the Bank may no longer process those data.
Right to the transfer of data – your right to receive your personal data that you have previously provided to the Bank in a structured, usually used and electronically readable form and to transfer those data to other bank, without any interference, with the previous fulfilling of following conditions:
- that the processing has been based either on the consent or based on the contract;
- if the processing has been made automatedly;
However, a right to transferring the data may not be exercised if the processing is necessary for carrying out operations of public interest or official authorizations of the Bank. Also, exercising of those rights may not harmfully affect the exercising of rights and freedoms of other persons.
Rights to complaints to the Commissioner and rights to actions – your right to lodge a complaint to the Commissioner if you deem that the processing of your personal data has been done contrary to the Law, and if you are not satisfied with the decision of the Commissioner (as well as the Bank to which the Commissioner’s decision relates to or a third party with which the Bank has a contractual relationship), you may initiate an administrative litigation with a claim against that decesion within 30 days following the date of receiving that decision.
Independently of the above mentioned, if you deem that the LPDP or the Decree has been violated by processing your personal data by the Bank, you may address the person in charge of personal data protection to the address indicated in Chapter III hereof, so that we could jointly try to resolve your complaint.
The Bank shall keep the right to amend and update this Information. The Bank shall regularly publish all amendments to this Information on this web portal so that an updated Information shall always be available to you. We encourage you to check that Information from time to time, i.e. if necessasry, in order to get an insight in the latest version.
POSTAL SAVINGS BANK J.S.C. BELGRADE