Documents in the field of personal data protection

The processing of personal data

Cookie Policy

Candidates' personal data processing

Raiffeisen Online Privacy policy

Raiffeisen: Open Card Privacy Policy

Notice on the procedure of personal data processing and the rights of personal data subjects

In Raiffeisen Bank (hereinafter – “we” or “Bank”) we understand the importance of personal data protection and comply with the laws of Ukraine and the international standards in this area. In the Notice we will tell you about the data we collect, the purposes of the use thereof, ho we record and protect these data.

For your convenience, we have prepared two versions: full text pursuant to the requirements of the laws, as well as summary information on the sections, which will hopefully make legalese easier to understand.

Whose personal data (of what personal data subjects) does the Bank process?

The Bank processes personal data of individuals whose data are received by the Bank during banking activities, the provision of financial services and other activities according to the agreements concluded and the laws ofUkraine.

The Bank processes personal data of customers, shareholders, employees, counterparties of any agreements, as well as their related parties, etc.

What are the legal grounds and purpose of personal data processing?

The personal data are processed by the Bank only on the terms defined by article 11 of the Law of Ukraine On Personal Data Protection: · Entering into an agreement by the Bank and the performance there of, where a personal data subject is also a party or which is concluded to the benefit of a personal data subject or taking certain actions before entering into an agreement on demand of a personal data subject. For example, account opening and servicing, cash and cashless transactions, securities transactions, issuing and servicing payment cards, as well as other services mentioned in article 3 of the Bank’s Articles ofAssociation, and may include, but not be limited to, the analysis of your financial needs, provision of information, consultations and propositions on the products and services of the Bank and its partners.	Your separate consent to data processing is not required for the processing of personal data by the Bank during the provision of the services ordered by you and the implementation of the agreements concluded with you.
· Necessity of fulfilment of the Bank’s duty provided for by the laws of Ukraine and (if applicable to the Bank) the requirements of the legislation of the European Union; For example, due diligence of the new and the existing customers, monitoring of the customer’s financial transactions, in particular clarification of the sources of origin of funds, screening against sanctions lists and publicly available databases, clarification of the beneficiary and the status of a Politically Exposed Person; risk assessment and risk management; responding to legitimate inquiries of the NBU, the prosecutor’s office, government, court, investigation and other law-enforcement authorities, if they act within their powers; responding to the applications, statements or complaints received; ensuring information exchange on accounts in the cases stipulated by the laws.	There are also requirements of the laws imposing the obligation to process your data on us. For example, financial monitoring, risk management, filing information to state agencies.
· Protecting vitally important interests of a personal data subject;	The Bank may process your data or the data of other natural persons in order to protect the vital interests of individuals, for example, in case of emergency situations.
· Private individual’s consent to the processing of his/her personal data (if provided). For example, the preparation of tailored offers for you from the Bank and its partners, including by means of profiling (automated data processing for evaluation of behavior, transactions templates, economic, social and other interests); sending you informational, advertising messages and proposals on the services of the Bank, its partners, for participation in the programs of the Bank and its partners;	In order to prepare the best offers for you, sometimes we will need your consent to personal data processing. You can always withdraw your consent to personal data processing by contacting the Bank
· Permission to personal data processing provided to the Bank according to the law and for the exercise of the Bank’s powers exclusively. For example, a permission for the Bank’s use of the information from the credit register of the National Bank of Ukraine for the purposes provided forby the Law of Ukraine on Banks and Banking (article 671).	The legislation of Ukraine may provide the Bank with permission to process personal data when necessary for its functioning (for example, the specific legislation of Ukraine on banks).
· Need to protect the legitimate interests of the Bank or a third party to which the Bank transfers personal data, except to the extent that the need to protect the fundamental rights and freedoms of private individuals in connection with their data protection prevails over such interests. For example, the improvement and the development of the Bank’s services and products; ensuring the quality and security of servicing, counteraction to fraud and ensuring the Bank’s information security; filing lawsuits and defense in litigations; information exchange on your loan obligations via credit bureaus and checking the information on you in the debtor databases in order to mitigate the Bank’s risks when granting and servicing loans.	In certain cases we process your data to protect our legitimate interest. In particular, fort he purpose of developing our products, ensuring service quality, counteraction to fraud, risk mitigation and information security.

Purpose of your personal data processing

· Provision of banking and other financial services, carrying out other activities according to the Bank’s Articles of Association, the laws ofUkraine and concluded agreements;
· Entering into and fulfillment of the terms and conditions of the agreements that were/will be concluded by the Bank, for the exercise and the protection of the parties’ rights thereunder;
· Ensuring the quality of banking services and security in the Bank’s activities, improving and creating new services/products of the Bank;
· Evaluating the availability of our proposals, products and services to you;
· Ensuring and organizing the provision of information and/or consulting services to you by third-party suppliers (partners of the Bank);
· Sending information, advertising notices and offers of the services of the Bank, its partners, for participation in the programs of the Bank and its partners;
· Provision of advisory and information support in relations with the Bank and dispute resolution;
· Profiling, automatic processing of the data to assess various aspects of behavior, economic, social and other interests/preferences of the customers/counterparties of the Bank, to build the development strategy, develop and offer products and services of the Bank, analyze and target our advertisements, including based on anonymized data;
· Compliance with legal and regulatory requirements, the rules of theBank’s internal documents and the terms of the agreements concluded, the fulfilment of the collective agreement, court decisions, the decisions of theBank’s management bodies;
· Protection of legitimate interests of the Bank or a third party to which the Bank transfers personal data, except to the extent that the needs of the protection of fundamental rights and freedoms of individuals in connection with the processing of their data prevails over such interests;

The purpose of processing may change as a consequence of change in the conditions/nature of our business relationships or changes in the laws of Ukraine.

The key goal of your personal data processing is the provision of banking, financial services and the fulfilment of the terms and conditions of concluded agreements.

The processing is also carried out to ensure quality and security of servicing, development of the bank’s produсts (including the development and filing of proposals on such services from the Bank and its partners to you) and in order to fulfill the requirements of the law.

What are the rights of a personal data subject?

According to article 8 of the Law on Data Protection, a personal data subject shall have the right to:

1. Know about the sources of collection, location of his/her personal data, the purpose of their processing, the location and/or place of residence (stay) of the personal data controller or processor or instruct his/her proxies to receive the respective information, except for the cases stipulated by the laws of Ukraine/European Union, if applicable to the Bank.

2. Receive the information on the conditions of access granting to his/her personal data by the Bank, in particular the information on third parties to whom his/her personal data are transferred.
3. Access his/her personal data processed by the Bank.
4. Receive an answer as to whether his/her personal data are processed by the Bank, as well as the content of such personal data, within thirty calendar days of the inquiry receipt by the Bank.
5. Raise a justified demand to the personal data controller with an objection against the processing of his/her personal data.
6. Raise a justified demand regarding the change or destruction of his/her personal data by any controller and processor of personal data, if the data are false or processed illegitimately.
7. Protect his/her personal data against illegitimate processing and accidental loss, destruction, damage in connection with their intentional concealment, failure to provide or late provision, as well as protect the information that is untrue or discredits the individual’s honour, dignity and business reputation.
8. File complaints regarding the processing of his/her personal data to the Ombudsman of the Verkhovna Rada of Ukraine or to court.
9. Apply legal remedies in the event of violation of the law on personal data protection.
10. Make reservations regarding the restriction of the right to his/her personal data processing when giving a consent.
11. Withdraw a consent to personal data processing.
12. Know the procedure of personal data automated processing.
13. Be protected against an automated solution having legal implications for him/her.

You have certain rights according to the law as a personal data subject.
Regarding the exercise of your rights as a personal data subject, you may contact the employees representing the Bank in business relationships between you and the Bank, as well as based on the contact details specified in this Notice.

What data do we process and what are the sources of their origin?

The content and scope of personal data processing by the Bank largely depend on the type of relations of the Bank and the respective personal data subject, including for the Bank’s customers – personal data subjects, the content and scope of whose data processing depends on products and services that the Bank’s customers requested or agree to.
The personal data processed by the Bank coincide in content with the information received from private individuals – the subjects of such personal data or legally received from their representatives or third parties, including from credit bureaus, from the NBU’s credit register, from BankID System of the NBU, from the persons on whose behalf the personal data subjects act, or taken by the Bank from public sources, and also includes the information, which is known/became known to the Bank in connection with the implementation of contractual or other legal relationships with you.
The Bank processes personal data consisting of:

· Identification and contact details: surname, name, patronymic, gender, date and place of birth, tax id, passport series and number, issue date and place of issue, copies and content of documents issued in the name of a private individual or on his/her behalf, signature sample, electronic signature, place of residence and place of registration, conditions of residence, citizenship, email addresses, internal identifiers in the Bank’s systems; phone numbers;
· Data on the family, educational and professional activities: marital and family status, information on relatives, education, profession, speciality, length of employment and working experience, information on place of employment and position, financial standing, income, types of accruals and deductions; information on the working activities of the Bank’s employees and the results of the respective actions that took place during the fulfilment of the employment agreements concluded with the Bank; information on activities as an entrepreneur or an independent professional practitioner;
· Data on products and services: account numbers, payment card details, information on payments and transactions made, including the information on the payment senders and recipients, credit and other obligations, depository operations, information on the use of ATMs, terminals, remote channels of servicing, visiting of branches, information on habits, interests, participation in loyalty programs, level of satisfaction with services;
· Credit history and any information on the status of fulfilment of a private individual’s obligations under agreements concluded with the Bank, as well as other legal acts, information on the telecommunications behavior of the Bank’s customers;
· Data received in the course of communication with the Bank and when visiting the Bank, ATMs, including: audio/ voice records (e.g., records of telephone conversations), photo and video images (e.g., when carrying out photo and video identification, verification of customers), as well as the data on compliance and other data that are comparable with the category mentioned above; notices and letters sent by the Bank;
· Data concerning the use of websites and mobile applications of the Bank: cookie files, data on users’ interaction with websites and mobile applications, duration of sessions, information on operation system, information on the device, information on the browser, user review screens in an application, information on failures in the use of an application. The Bank receives such data from the Web browser you use when browsing the Bank’s websites, as well as from your device;
· Data on the number, type and/or class of shares held by private individual (PI) shareholders and their parts in the Bank’s share capital, the data on interaction of PI shareholders with the Bank, the participation of the shareholders, their representatives in the General Shareholders’ Meeting of the Bank;
· Sensitive data categories: membership in political parties and/or organizations, professional unions, religious organizations or public organizations of ideological orientation, data on administrative or criminal liability, sanctions taken towards a person as part of pre-trial investigation or actions stipulated by the Law of Ukraine On Operative Investigation Activities; data concerning health; whereabouts and/or movement paths of a personal data subject, ethnic origin;
· Other information that became known to the Bank in connection with legal relations with a private individual, when fulfilling the requirements of the laws of Ukraine and the Bank’s internal documents.

We are processing the data that we received from you or your representatives, the data that the documents provided by you contain. In particular, identification data, contact details, data on a family, education and professional activities.

In the process of your servicing we also process the information regarding the products and services that you use, the information received in the course of communication with the bank and the use of our website and the mobile application.

In addition, pursuant to the requirements of the law or for risk minimization we can obtain the data on you from public registers or from third parties, such as credit bureaus, the NBU credit register, BankID System, Diia.

To whom can the access to the personal data be granted ?

In most cases, the data are processed within the Bank by the employees holding the respective access rights required for the exercise of the duties/functions assigned to them only. But the personal data can be transferred to third parties in the following cases:

· for the purpose of exercise by third parties (including by the Bank customers’ personal data processor) of their functions or provision of the Bank’s services, in particular, to the auditors, insurance companies, appraisal companies, payment systems, institutions carrying out transactions’ identification, authorization and processing, to banks-counterparties;
· to the Bank’s shareholders, the Parent Company - Raiffeisen Bank International AG, (Vienna, Austria) and other legal entities linked to it /to the Bank by corporate relations, including abroad;
· to the persons providing to the Bank the services related to the organisation of postal communication, telephone calls, sending SMS-messages, email messages;
· to the NBU credit register according to the procedure and in the scope provided for by the legislation of Ukraine and to the credit bureaus with the aim of obtaining and forming of the credit histories, as well as to the persons providing the services of debt collection to the Bank and to other persons in relation to the collection of the overdue exposure to the Bank;
· to the person purchasing or acquiring as collateral the claim rights under loans issued by the Bank;
· to the insurance companies – for exercising of the rights and/or fulfilment of the obligations towards the Bank as the beneficiary;
· to the persons providing the services of storage of the customers’ documents, generation and storage of their electronic copies (archives, databases) to the Bank;
· to the companies ensuring implementation of promotion programs, loyalty programs and other advertising activities;
· to the companies conducting statistical and marketing studies;
· to the NBU BankID System to ensure electronic remote customers’ identification, in accordance with the requirements of the legislation of Ukraine;
· in response to legitimate requests of the NBU, prosecution authorities, state, judicial, investigation and other law enforcement authorities, other authorities and persons, if there are valid justifications for receipt of the respective information;
· in other cases provided for by the Law of Ukraine “On Banks and Banking”, other regulatory acts of Ukraine, upon the consent/permission granted by you or pursuant to the terms and conditions of the agreements concluded with the Bank.

In the event of detection of violations of the procedure for processing of the personal data of a citizen of the European Union member state, the Bank shall report on such incidents to Raiffeisen Bank International AG for further submission of such information pursuant to GDPR requirements to the respective supervisory authority of the Republic of Austria.

The Bank shall notify you about the transfer of your data to third parties, except for cases, when such transfer arises from or is required for fulfilment of the agreement concluded with you or your consent, or if you have refused to receive such notifications from the Bank.

Your data are processed by the units and employees of the Bank having the respective permissions and within the limits of their professional duties only.

Some of our partners help us to develop our products and to provide services to you. In such cases, we can transfer a limited list of data to them to be processed for the purposes set by us only and with the provision of the respective guarantees of your data protection.

In certain cases, we are in obligation to transfer your data upon the lawful requests of the authorized state bodies, provided that they are acting within the powers assigned to them.

For more information on the special features of personal data processing while entering into and fulfilment of the banking servicing agreements, please refer to article 7 of section І of the Bank Service Rules for PI Clients at Raiffeisen Bank JSC (hereinafter – “the Rules”). The text of the Rules is published on the Bank’s website at the following link: https://raiffeisen.ua/documents

You can find more information on the peculiarities of personal data processing in the Bank’s mobile applications here:
- Privacy policy of the “Raiffeisen Online” and “Raiffeisen: Open the Card” mobile applications:
https://raiffeisen.ua/storage/files/privacy-policy-raiffeisen-online-eng.pdf
https://raiffeisen.ua/storage/files/privacy-policy-raiffeisen-open-the-card-eng.pdf

In this section you can find information on where to read the Bank Service Rules and the Confidentiality policies of certain applications.

Where and how does the Bank process the personal data?

The databases containing personal data processed by the Bank are kept on the servers located on the territory of Ukraine. With a view to ensure the continuity of critical business processes, your personal data can also be processed with the use of cloud technologies Amazon Web Services, Azure and IBM on the servers located within the European Economic Area.

To ensure the required level of security during the personal data processing by the Bank, the appropriate measures of technical and organizational nature are applied, namely:

· personal data pseudonymization and encryption;
· continuous ensuring of confidentiality, integrity, accessibility of personal data, resilience of the data processing systems and services;
· only the persons having respective permissions have access to the personal data for the purposes stipulated by the law;
· implementation of the policy regulating personal data processing;
· regular training of employees in the personal data protection issues.

The databases are kept on the territory of Ukraine or the European Economic Area with the use of the required organizational and technical protection means.

How long are the personal data kept?

The Bank processes the personal data as required within the entire duration of all business relations with you, as well as until the expiration of terms of information (documents with such information) defined by the terms and conditions of the concluded agreements or by Ukrainian legislation, internal documents of the Bank. Thus, taking into account the provisions of article 268 of the Civil Code of Ukraine regarding the non-application of the action limitation period to the depositor’s claim to the bank (the financial institution) on deposit repayment, all information related to the customers’ accounts and operations under the deposits is kept by the Bank with no time limitations.

If your data are depersonalized with no possibility to relate it to you, such data can be stored and processed by the Bank for an unlimited period of time.

We store your personal data within the term of provision of services to you and additionally for the term provided for by the legislation of Ukraine.

Who is the personal data controller and whom can you direct your questions to?

The personal data controller: Raiffeisen Bank JSC (hereinafter – “Bank”), EDRPOU code 14305909, 01011, Ukraine, Kyiv, Generala Almazova Str., 4a, [email protected]

The Data Protection Officer of the Bank: Karaush Eduard.

Представник Банку в Європейському Союзі (як це визначено ст.27 GDPR*): Raiffeisen Bank International AG, Am Stadtpark 9, 1030 Vienna.

The Bank’s representative in the European Union (as defined by article 27 of GDPR*): Raiffeisen Bank International AG, Am Stadtpark 9, 1030 Vienna.

In order to exercise your rights in accordance with the applicable legislation on personal data protection or any other personal data protection issues, please contact us using the specified contact information.

*GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ЄС (General Data Protection Regulation).

We are Raiffeisen Bank and here you can find our contact details. You can use these contact details for information regarding the exercise of your rights as a personal data subject.

In order to ensure the quality and security of servicing, customers’ identification/verification, the Bank makes audio-recording/recording of the telephone conversations of private individuals with the Bank’s employees, photo-/video-recording of private individuals, including on the Bank’s premises and ATMs and uses the results of the recording, including as evidence.

Supervision over the personal data protection

On the territory of Ukraine, the control over compliance with the legislation on personal data protection within the powers stipulated by law, shall be ensured by the following authorities:
- The Ombudsman of the Verkhovna Rada of Ukraine (hereinafter – “the Ombudsman”);
- courts.

The Ombudsman holds the powers in the area of the personal data protection defined in article 23 of the Law of Ukraine “On Personal Data Protection”, including the right to handle private individuals’ complaints on personal data protection issues.

The Ombudsman’s contact details:

Address: 01008, Kyiv, 21/8 Instytutska Str.

Helpline: 0800-50-17-20 (free calls)

[email protected]

Web-sites: https://ombudsman.gov.ua/

The personal data subjects residing on the territory of the European Economic Area, according to article 77 of GDPR, can submit a complaint to the supervisory authority, in particular in the member state of their permanent residence, employment or the place of occurrence of the alleged violation.

The list of the supervisory authorities of the European Economic Area countries can be found on the website of the European Data Protection Board at the following link https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Raiffeisen Bank is always ready to help you in exercising your rights in accordance with the legislation in force. However, if you think that your rights in the personal data protection area are violated, you can always apply to the supervisory authority in the area of personal data protection.

Regarding the mandatory provision of the personal data to the Bank

Within the framework of the business relations, the personal data subjects have to provide the Bank with all personal data needed by the Bank to take the decision on entering into the relevant agreement (conclusion of a legal deal) and for its further fulfilment, including the personal data collected by the Bank pursuant to the requirements of the Ukrainian legislation. If the personal data subjects refuse to provide the requested data to the Bank, the Bank declines entering into the agreement or ceases to fulfil its obligations under the previously concluded agreements (legal deals) or terminates the agreement, if the subject’s failure to provide the personal data requested by the Bank prevents the Bank from the fulfilment of the agreement in the future. Personal data subjects have no obligation to provide their personal data to the Bank, if such data are not necessary for the conclusion and fulfilment of the agreement or is not required by law and the internal documents of the Bank.

To be able to receive the Bank’s services, the customers have to provide us their personal data in the scope necessary to enable the provision of these services and the fulfilment of the Bank’s obligations provided for by the law.

The Bank defines the procedure for the personal data processing at its discretion and, in the case of its change following the changes in the nature of the Bank’s activity or in the business relations, including as a result of amendments of Ukrainian legislation, changes the wording of this Notice on the procedure of personal data processing. The effective and the previous officially published versions of the Notice are kept on the Bank’s website and the personal data subjects have an opportunity to read them. All versions of the Notice have an effective date. We kindly ask you to check this Notice for changes at least once per month.

For more details on the special features of the personal data processing while entering into and fulfilment of the banking servicing agreement, please refer to article 7 of section I of the Bank Service Rules for PI Clients at Raiffeisen Bank JSC (hereinafter – “the Rules”). The Rules are available on the Bank’s website at the following link: https://raiffeisen.ua/documents

The Policy for use of cookies and similar technologies can be found on the Bank’s website here: https://raiffeisen.ua/storage/files/cookie-policy-eng-1-1.pdf

You can always review the previous versions of this Notification via the links: https://raiffeisen.ua/storage/files/privacy-policy-280722-eng-1-1.pdf

https://raiffeisen.ua/storage/files/privacy-policy-02112022-eng.pdf

More about information security measures

Learn more