Information memorandum processing of personal data of clients

We need various personal data about you to be able to provide you with quality banking service. For example, when you apply for a loan with us, in addition to your name we need to know the income of your household in order to know how much we can lend you. The personal data we collect can be grouped as indicated below.

Identification data

These mainly include name, surname, date and place of birth, birth registration number, domicile domicile or other address, type, copy of proof of identity, citizenship, or corporate identification number and VAT number in the case of entrepreneurs. Also, your signature belongs to this group.

Other identification data may include, for example, information about the IP address of the computer used, signature specimen, number of the account we maintain, or sets of specific authentication data we may agree to use, as well as information relating to the issued means of electronic identification.

Biometric data

If you open your account online or you wish to reactivate RB Key online, we will also process your biometric data derived from the image of your appearance for the purpose of verifying the match of your appearance with the data acquired from photographs on the submitted copies of personal documents.

Contact details

Telephone number, e-mail address, mailing address or other similar information we need to contact you.
Data required to decide on concluding a contract
These are data that let us evaluate whether you will be able to repay a loan or whether there is a risk of money laundering. These include, among other, the following data:

• socio-demographic data - such as age, gender, marital status, education, number of household members, type of income, nature of employment or also whether you are a politically exposed person
• information about your property - such as information about ownership of real property or movables, membership in legal entities (particularly participations in corporations), information about business relationships, information about overall income or regular expenses of your household,
• information about debts - such as information about executions insolvency proceedings, if any, fulfilment of payment obligations towards other creditors
• information about insurance covering property or life risks

Data created by performance of obligations under contracts

These data include, for example, the term of a contract, interest rate, maturity, loan amount, status of your receivables from the bank, status of the bank's receivables from you, information about realized payment transactions, information about the use of payment tools, information about realized instructions to buy securities, information about the status of your investment instrument portfolio.

An overview of these data can be obtained from statements or similar lists that are available to you.

Personal data collected in connection with the provision of our products or services

These include personal data acquired through our mutual interactions. In particular, these are:

• data serving to secure communications, such as PIN
• geolocation data, such as data about your geographic location, home branch office, place of making a payment order (most often card payment) and data identifying the device used to make a payment order
• electronic records of activities in information systems (logs)
• records of your preferred language for communications
• information about shown interest in a product or service
• information about your investment strategies or specific requirements
• Communication recordings

We monitor and record selected communications with you, in particular telephone calls. We always inform you in advance about any recorded communications. We monitor movement of persons using cameras, particularly in premises where services are provided to clients (including ATMs operated by us). Camera recordings are solely made for the purpose of compliance with legal obligations, conclusion and performance of contracts, and protection of our and your legitimate interests, or interests of third parties.

 Application security

Our banking applications (in particular, Mobile Banking, RB Key and Raiffeisen mobile investing) and tools may contain antimalware/antivirus detection and detection of amended administrator rights (root/jailbreak) to determine if the device, from which you access our applications or tools, is secure or has been affected by a virus risk. These tools collect and then process information about the device security setting (e.g. deactivated screen lock, etc.), information about the integrity of the application and operating system (e.g. modified administrator rights [root/jailbreak]; start in emulator, use of hooking framework, etc.), device information (e.g. device model, anonymous device identifier to check whether the application is run on the same device as originally installed), metadata of potentially harmful applications and setting of notifications. The above-mentioned data are processed in order to prevent fraud, ensure user security, comply with legislation, and conduct analysis for the purposes of improving security and evaluating potential threats.

Personal data generated from our activities

These particularly include the client/product numbers we assign, data created by assessing your transaction behaviour or data you provide (such as to evaluate whether the conditions to apply discount on a fee have been met), evaluation of a submitted product or service application, or evaluation required for our decision as to whether we will offer a product or service to you or not.

Processing of personal data without your consent

In a vast majority of cases we do not need your consent to process your personal data. Such cases concern processing imposed by law, processing required to provide you with our services, or processing of personal data necessary to protect the bank's legitimate interests as well as your interests or interest of third parties. Processing not requiring your consent is particularly done for the below purposes.

Obligations implied by law

• compliance with reporting obligations towards public authorities
• compliance with prudential obligations, such as when assessing creditworthiness of clients, including possible verification of provided information with third parties
• prevention of damage to clients' assets vested to us as well as the bank's assets
• prevention of fraud that the clients or the bank may be exposed to
• compliance with obligations relating to enforcement of judgment, such as a court judgment
• exchange of information with other banks about banking details, identification data of account owners and matters indicating creditworthiness and credibility of their clients
• exchange of information with non-banking creditor entities about matters indicating creditworthiness, credibility and payment history of their clients and applicants for offered services, all also via a third party, and protection of rights and protected interests of businesses and clients consisting of evaluation of clients' ability and willingness to fulfil their obligations
• compliance with obligations relating to supervision over banks on a consolidated basis or supplementary supervision, and compliance with prudential obligations, for which we also share your personal data with members of the Raiffeisenbank International (RBI) Group
• compliance with obligations relating to client identification and verification pursuant to the Act on selected measures against legitimisation of proceeds of crime and financing of terrorism
• compliance with obligations imposed upon the bank in direct connection with the services it is entitled to provide to clients primarily under the license or permits granted by the Czech National Bank, in particular in connection with the provision of payment services, loans and investment services
• compliance with obligations imposed upon the bank as a qualified administrator of an electronic identification system
• compliance with archiving obligations.

Processing of personal data for conclusion and performance of a contract

• establishment and term of contract
• realization of a banking transaction or other contractual performance

Processing of personal data for protection of legitimate interests

• debt collection, realization of collateral, or other claiming of debts
• development of provided services
• software testing, if personal data need to be used in certain cases
• negotiations with third parties in connection with debt collection
• negotiations with prospective buyers of our receivables
• handling of dispute matters, in particular for court or other disputes
• internal research, analyses or evaluations (in particular statistical research), internal reporting or internal administrative purposes within RBI Group
• camera recordings at the bank's business locations for the purpose of protecting property of the bank and third parties
• to a limited extent, also offering products and services (direct marketing) to existing clients, if the offer is related to the product or services in use. We will terminate such processing when you object to it.
• establishment of facts relating to banking services towards third parties, such as information about credit card validity provided to merchants

Processing of personal data with your consent

We always need your consent when we wish to process your personal data for the purpose of marketing activities. This particularly covers offering of products and services (for example by mail, e-mail or telephone), be it our products and services or services of third parties. Subject to your voluntary consent we may evaluate whether we are prepared to provide you with a certain service and whether we can expect you to show interest in such service. We may also acquire personal data in the following manner:

• by monitoring actions of visitors on our website
• through surveys focused on your needs, interests and opinions on products and services, or surveys focused on the customer care given to you by our advisors and other members of staff
• by evaluating data collected as part of providing services pursuant to Act No. 370/2017 Coll. on the system of payments, in particular the payment account information services.

Subject to your consent only, we may transfer your personal data to another member of RBI Group to process them for the purpose of own marketing activities. In any case, we will only transfer personal data to the extent as required for the particular processing. An updated list of RBI Group members that may be recipients of your personal data forms part of this Information Memorandum. If the list is to be updated, you will be notified thereof in advance to be able to consider whether you will maintain or withdraw your consent.

The following members of RBI Group may be recipients of your personal data for marketing purposes:
• Raiffeisen - Leasing s.r.o., IČ: 61467863, registered office: Praha 4 - Nusle, Hvězdova 1716/2b, postcode: 140 78
• Raiffeisen stavební spořitelna a.s., IČ: 49241257, registered office: Praha 3, Koněvova 2747/99
• UNIQA pojišťovna, a.s., IČ: 49240480, registered office: Praha 6, Evropská 136/810, postcode: 160 12
• Raiffeisen investiční společnost a.s., IČ: 29146739, registered office: Hvězdova 1716/2b, Nusle, 140 78 Praha 4
• Raiffeisen Bank International AG, registered office: Am Stadtpark 9, 1030 Vienna, Austria
• Raiffeisenbank (Bulgaria) EAD, registered office: 55 Nikola I. Vaptzarov Blvd., Business Center EXPO 2000 PHAZE III, 1407 Sofia, Bulgaria
• Raiffeisenbank Austria d.d., registered office: Magazinska cesta 69, 10000 Zagreb, Croatia
• Raiffeisen Bank Zrt., registered office: Akadémia utca 6, 1054 Budapest, Hungary
• Raiffeisen Bank S.A., registered office: Calea Floreasca 246C, 014476 Bucharest, Romania
• Tatra banka, a.s., registered office: Hodžovo námestie 3, 81106 Bratislava 1, Slovakia
• UNIQA Österreich Versicherungen AG, registered office: Untere Donaustraße 21, 1029 Vienna, Austria
• UNIQA Insurance Group AG, registered office: Untere Donaustraße 21, 1029 Vienna, Austria

Sometimes we may conclude that we also need your consent in other situations. In such case, we will ask for your consent and we will provide your with all material information in this regard.

We only process personal data of clients for a time necessary with regard to the purpose of processing. Once we detect that the data are no longer needed, we delete them. We evaluate such need on a continuous basis, particularly after expiration of the (internally determined) term that is usual for the particular personal data to be useful. Below are typical terms of usability of various personal data.

• We process information for the conclusion and performance of a contract for the term of the contractual relationship with the client and usually for 3 to 14 months afterwards
• Data collected from mutual exchange of information about matters indicating the creditworthiness, credibility and payment history of clients and applicants for offered services are processed for the term of the contractual relationship and afterwards usually for a term determined by the particular client information register operators
• Information relating to the protection of our bank's legitimate interests is processed depending on the particular legitimate interest. This can be a relatively short period of time (such as in the case of camera recordings) or a longer one (such as in the case of debt collection or claims or court disputes)
• We process data for the purpose of marketing activities for the term of the contractual relationship and afterwards for the usable term thereof (up to 5 years), unless you inform us earlier that you do not wish your personal data to be processed in such manner or unless you withdraw your consent to the processing of personal data
• For the purpose of compliance with archiving obligations, we process personal data for the term stipulated by applicable special legislation, however not exceeding 10 years from termination of the contractual relationship relationship or 15 years from expiration of the electronic identification tool.
• Within 30 days from the date when created we evaluate camera recordings as to whether their retention is required for the purpose of criminal, administrative or other similar proceedings. If the recordings are not needed, the bank destroys them without undue delay. If further retention of the recordings is needed, further evaluations take place from time to time.