We use cookies on this site to provide you with the best experience.
Documents in the field of personal data protection
Notice on the procedure of personal data processing and the rights of personal data subjects
In Raiffeisen Bank (hereinafter – “we” or “Bank”) we understand the importance of personal data protection and comply with the laws of Ukraine and the international standards in this area. In the Notice we will tell you about the data we collect, the purposes of the use thereof, ho we record and protect these data.
For your convenience, we have prepared two versions: full text pursuant to the requirements of the laws, as well as summary information on the sections, which will hopefully make legalese easier to understand.
Whose personal data (of what personal data subjects) does the Bank process?
The Bank processes personal data of individuals whose data are received by the Bank during banking activities, the provision of financial services and other activities according to the agreements concluded and the laws ofUkraine. | The Bank processes personal data of customers, shareholders, employees, counterparties of any agreements, as well as their related parties, etc. |
What are the legal grounds and purpose of personal data processing?
The personal data are processed by the Bank only on the terms defined by article 11 of the Law of Ukraine On Personal Data Protection:
| Your separate consent to data processing is not required for the processing of personal data by the Bank during the provision of the services ordered by you and the implementation of the agreements concluded with you. |
| There are also requirements of the laws imposing the obligation to process your data on us. For example, financial monitoring, risk management, filing information to state agencies. |
| The Bank may process your data or the data of other natural persons in order to protect the vital interests of individuals, for example, in case of emergency situations. |
For example, the preparation of tailored offers for you from the Bank and its partners, including by means of profiling (automated data processing for evaluation of behavior, transactions templates, economic, social and other interests); sending you informational, advertising messages and proposals on the services of the Bank, its partners, for participation in the programs of the Bank and its partners; | In order to prepare the best offers for you, sometimes we will need your consent to personal data processing. You can always withdraw your consent to personal data processing by contacting the Bank |
| The legislation of Ukraine may provide the Bank with permission to process personal data when necessary for its functioning (for example, the specific legislation of Ukraine on banks). |
For example, the improvement and the development of the Bank’s services and products; ensuring the quality and security of servicing, counteraction to fraud and ensuring the Bank’s information security; filing lawsuits and defense in litigations; information exchange on your loan obligations via credit bureaus and checking the information on you in the debtor databases in order to mitigate the Bank’s risks when granting and servicing loans. | In certain cases we process your data to protect our legitimate interest. In particular, fort he purpose of developing our products, ensuring service quality, counteraction to fraud, risk mitigation and information security. |
Purpose of your personal data processing
The purpose of processing may change as a consequence of change in the conditions/nature of our business relationships or changes in the laws of Ukraine. | The key goal of your personal data processing is the provision of banking, financial services and the fulfilment of the terms and conditions of concluded agreements. The processing is also carried out to ensure quality and security of servicing, development of the bank’s produсts (including the development and filing of proposals on such services from the Bank and its partners to you) and in order to fulfill the requirements of the law. |
What are the rights of a personal data subject?
According to article 8 of the Law on Data Protection, a personal data subject shall have the right to: 1. Know about the sources of collection, location of his/her personal data, the purpose of their processing, the location and/or place of residence (stay) of the personal data controller or processor or instruct his/her proxies to receive the respective information, except for the cases stipulated by the laws of Ukraine/European Union, if applicable to the Bank. 2. Receive the information on the conditions of access granting to his/her personal data by the Bank, in particular the information on third parties to whom his/her personal data are transferred.3. Access his/her personal data processed by the Bank. 4. Receive an answer as to whether his/her personal data are processed by the Bank, as well as the content of such personal data, within thirty calendar days of the inquiry receipt by the Bank. 5. Raise a justified demand to the personal data controller with an objection against the processing of his/her personal data. 6. Raise a justified demand regarding the change or destruction of his/her personal data by any controller and processor of personal data, if the data are false or processed illegitimately. 7. Protect his/her personal data against illegitimate processing and accidental loss, destruction, damage in connection with their intentional concealment, failure to provide or late provision, as well as protect the information that is untrue or discredits the individual’s honour, dignity and business reputation. 8. File complaints regarding the processing of his/her personal data to the Ombudsman of the Verkhovna Rada of Ukraine or to court. 9. Apply legal remedies in the event of violation of the law on personal data protection. 10. Make reservations regarding the restriction of the right to his/her personal data processing when giving a consent. 11. Withdraw a consent to personal data processing. 12. Know the procedure of personal data automated processing. 13. Be protected against an automated solution having legal implications for him/her. | You have certain rights according to the law as a personal data subject. Regarding the exercise of your rights as a personal data subject, you may contact the employees representing the Bank in business relationships between you and the Bank, as well as based on the contact details specified in this Notice. |
What data do we process and what are the sources of their origin?
The content and scope of personal data processing by the Bank largely depend on the type of relations of the Bank and the respective personal data subject, including for the Bank’s customers – personal data subjects, the content and scope of whose data processing depends on products and services that the Bank’s customers requested or agree to. The personal data processed by the Bank coincide in content with the information received from private individuals – the subjects of such personal data or legally received from their representatives or third parties, including from credit bureaus, from the NBU’s credit register, from BankID System of the NBU, from the persons on whose behalf the personal data subjects act, or taken by the Bank from public sources, and also includes the information, which is known/became known to the Bank in connection with the implementation of contractual or other legal relationships with you. The Bank processes personal data consisting of:
| We are processing the data that we received from you or your representatives, the data that the documents provided by you contain. In particular, identification data, contact details, data on a family, education and professional activities. In the process of your servicing we also process the information regarding the products and services that you use, the information received in the course of communication with the bank and the use of our website and the mobile application.
|
To whom can the access to the personal data be granted ?
In most cases, the data are processed within the Bank by the employees holding the respective access rights required for the exercise of the duties/functions assigned to them only. But the personal data can be transferred to third parties in the following cases:
In the event of detection of violations of the procedure for processing of the personal data of a citizen of the European Union member state, the Bank shall report on such incidents to Raiffeisen Bank International AG for further submission of such information pursuant to GDPR requirements to the respective supervisory authority of the Republic of Austria. The Bank shall notify you about the transfer of your data to third parties, except for cases, when such transfer arises from or is required for fulfilment of the agreement concluded with you or your consent, or if you have refused to receive such notifications from the Bank. | Your data are processed by the units and employees of the Bank having the respective permissions and within the limits of their professional duties only. Some of our partners help us to develop our products and to provide services to you. In such cases, we can transfer a limited list of data to them to be processed for the purposes set by us only and with the provision of the respective guarantees of your data protection. In certain cases, we are in obligation to transfer your data upon the lawful requests of the authorized state bodies, provided that they are acting within the powers assigned to them. |
For more information on the special features of personal data processing while entering into and fulfilment of the banking servicing agreements, please refer to article 7 of section І of the Bank Service Rules for PI Clients at Raiffeisen Bank JSC (hereinafter – “the Rules”). The text of the Rules is published on the Bank’s website at the following link: https://raiffeisen.ua/documents You can find more information on the peculiarities of personal data processing in the Bank’s mobile applications here: - Privacy policy of the “Raiffeisen Online” and “Raiffeisen: Open the Card” mobile applications: https://raiffeisen.ua/storage/files/privacy-policy-raiffeisen-online-eng.pdf https://raiffeisen.ua/storage/files/privacy-policy-raiffeisen-open-the-card-eng.pdf | In this section you can find information on where to read the Bank Service Rules and the Confidentiality policies of certain applications. |
Where and how does the Bank process the personal data?
The databases containing personal data processed by the Bank are kept on the servers located on the territory of Ukraine. With a view to ensure the continuity of critical business processes, your personal data can also be processed with the use of cloud technologies Amazon Web Services, Azure and IBM on the servers located within the European Economic Area. To ensure the required level of security during the personal data processing by the Bank, the appropriate measures of technical and organizational nature are applied, namely:
| The databases are kept on the territory of Ukraine or the European Economic Area with the use of the required organizational and technical protection means. |
How long are the personal data kept?
The Bank processes the personal data as required within the entire duration of all business relations with you, as well as until the expiration of terms of information (documents with such information) defined by the terms and conditions of the concluded agreements or by Ukrainian legislation, internal documents of the Bank. Thus, taking into account the provisions of article 268 of the Civil Code of Ukraine regarding the non-application of the action limitation period to the depositor’s claim to the bank (the financial institution) on deposit repayment, all information related to the customers’ accounts and operations under the deposits is kept by the Bank with no time limitations. If your data are depersonalized with no possibility to relate it to you, such data can be stored and processed by the Bank for an unlimited period of time. | We store your personal data within the term of provision of services to you and additionally for the term provided for by the legislation of Ukraine. |
Who is the personal data controller and whom can you direct your questions to?
The personal data controller: Raiffeisen Bank JSC (hereinafter – “Bank”), EDRPOU code 14305909, 01011, Ukraine, Kyiv, Generala Almazova Str., 4a, [email protected] The Data Protection Officer of the Bank: Karaush Eduard. Представник Банку в Європейському Союзі (як це визначено ст.27 GDPR*): Raiffeisen Bank International AG, Am Stadtpark 9, 1030 Vienna. The Bank’s representative in the European Union (as defined by article 27 of GDPR*): Raiffeisen Bank International AG, Am Stadtpark 9, 1030 Vienna. In order to exercise your rights in accordance with the applicable legislation on personal data protection or any other personal data protection issues, please contact us using the specified contact information. *GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ЄС (General Data Protection Regulation). | We are Raiffeisen Bank and here you can find our contact details. You can use these contact details for information regarding the exercise of your rights as a personal data subject. |
In order to ensure the quality and security of servicing, customers’ identification/verification, the Bank makes audio-recording/recording of the telephone conversations of private individuals with the Bank’s employees, photo-/video-recording of private individuals, including on the Bank’s premises and ATMs and uses the results of the recording, including as evidence. |
Supervision over the personal data protection
On the territory of Ukraine, the control over compliance with the legislation on personal data protection within the powers stipulated by law, shall be ensured by the following authorities: - The Ombudsman of the Verkhovna Rada of Ukraine (hereinafter – “the Ombudsman”); - courts. The Ombudsman holds the powers in the area of the personal data protection defined in article 23 of the Law of Ukraine “On Personal Data Protection”, including the right to handle private individuals’ complaints on personal data protection issues. The Ombudsman’s contact details: Address: 01008, Kyiv, 21/8 Instytutska Str. Helpline: 0800-50-17-20 (free calls) Web-sites: https://ombudsman.gov.ua/ The personal data subjects residing on the territory of the European Economic Area, according to article 77 of GDPR, can submit a complaint to the supervisory authority, in particular in the member state of their permanent residence, employment or the place of occurrence of the alleged violation. The list of the supervisory authorities of the European Economic Area countries can be found on the website of the European Data Protection Board at the following link https://edpb.europa.eu/about-edpb/about-edpb/members_en. | Raiffeisen Bank is always ready to help you in exercising your rights in accordance with the legislation in force. However, if you think that your rights in the personal data protection area are violated, you can always apply to the supervisory authority in the area of personal data protection. |
Regarding the mandatory provision of the personal data to the Bank
Within the framework of the business relations, the personal data subjects have to provide the Bank with all personal data needed by the Bank to take the decision on entering into the relevant agreement (conclusion of a legal deal) and for its further fulfilment, including the personal data collected by the Bank pursuant to the requirements of the Ukrainian legislation. If the personal data subjects refuse to provide the requested data to the Bank, the Bank declines entering into the agreement or ceases to fulfil its obligations under the previously concluded agreements (legal deals) or terminates the agreement, if the subject’s failure to provide the personal data requested by the Bank prevents the Bank from the fulfilment of the agreement in the future. Personal data subjects have no obligation to provide their personal data to the Bank, if such data are not necessary for the conclusion and fulfilment of the agreement or is not required by law and the internal documents of the Bank. | To be able to receive the Bank’s services, the customers have to provide us their personal data in the scope necessary to enable the provision of these services and the fulfilment of the Bank’s obligations provided for by the law. |
The Bank defines the procedure for the personal data processing at its discretion and, in the case of its change following the changes in the nature of the Bank’s activity or in the business relations, including as a result of amendments of Ukrainian legislation, changes the wording of this Notice on the procedure of personal data processing. The effective and the previous officially published versions of the Notice are kept on the Bank’s website and the personal data subjects have an opportunity to read them. All versions of the Notice have an effective date. We kindly ask you to check this Notice for changes at least once per month.
For more details on the special features of the personal data processing while entering into and fulfilment of the banking servicing agreement, please refer to article 7 of section I of the Bank Service Rules for PI Clients at Raiffeisen Bank JSC (hereinafter – “the Rules”). The Rules are available on the Bank’s website at the following link: https://raiffeisen.ua/documents
The Policy for use of cookies and similar technologies can be found on the Bank’s website here: https://raiffeisen.ua/storage/files/cookie-policy-eng-1-1.pdf
You can always review the previous versions of this Notification via the links: https://raiffeisen.ua/storage/files/privacy-policy-280722-eng-1-1.pdf
https://raiffeisen.ua/storage/files/privacy-policy-02112022-eng.pdf