
 
 

Information on data controlling

 
  1. Introduction

    ERSTE BANK HUNGARY ZRT. (hereinafter: “Bank”) holds it important to respect and enforce the data processing rights of its clients (hereinafter: “Client”) and all other affected natural persons (the Client and other affected persons hereinafter jointly: “Data Subject”). During the control, registration, processing and forwarding of the personal data of the Data Subject, the Bank shall act on the basis of the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: “Info Act”), Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings (hereinafter: “Credit Institutions Act”), Act CXXXVIII of 2007 on Investment Companies and Commodity Exchange Service Providers, as well as on the Rules of the Activities to be Carried out by them (hereinafter: “Investment Services Act”), and also on the basis of other statutory provisions on data protection. In the interest of compliance with the requirements on data security, the Bank shall take measures to protect and ensure the safety of Data Subjects’ personal data, especially against unauthorised access, alteration, forwarding, disclosure, intentional deletion or destruction, as well as inadvertent destruction or damage.
  2. Definitions

    Data Subject
    shall mean a natural person who has been identified by reference to specific personal data, or who is identifiable, directly or indirectly;

    Client
    shall mean the Data Subject using the financial - supplementary financial or investment - supplementary investment services provided by the Bank. The financial service activity aimed at providing credit and loans shall include the measures related to the examination of creditworthiness, the preparation of credit and loan agreements, the registration, monitoring and review of the loans disbursed, as well as their eventual recovery (Annex 2 Item I.10.3 of the Credit Institutions Act);

    Personal data
    shall mean any data relating to the Data Subject – in particular their name, identifier or any information identifying them by their physical, physiological, mental, economic, cultural or social identity – as well as any conclusions with respect to the Data Subject which can be drawn from such data; 

    Consent
    shall mean a free and informed (based on sufficient information) definite indication of the intent of the Data Subject, providing an unequivocal agreement to their personal data being controlled fully or only to the extent of specific operations;

    Objection
    shall mean a declaration made by the Data Subject objecting to the control of their personal data and requesting the termination of data controlling, as well as the deletion of the data controlled;

    Data controller
    shall mean a natural person, legal entity or organisation without legal personality in charge of defining the aim of data management, making and implementing the decisions on data control (including the measures used) or delegating them to the respective assigned data controller;

    Data control
    shall mean any operation or set of operations performed upon data, such as in particular their collection, recording, registration, organisation, storage, alteration, use, query, forwarding, disclosure, alignment or linking, blocking, erasure or destruction, and prevention of further use, photographing, sound or video recording;

    Data forwarding
    shall mean making data accessible by designated third parties;

    Disclosure 
    shall mean making data accessible by anyone;

    Deletion of data
    shall mean the process in which data are rendered undecipherable in such a manner that they can no longer be reconstructed by any known technique.

    Destruction of data
    shall mean the complete physical destruction of the medium containing the data;

    Data processing
    shall mean any technical operation in relation to data control activities, regardless of the specific method or tool used to carry out the operations, as well as of the place of data processing, providing that the technical activity is performed on the data;

    Data processor
    shall mean a natural or legal person or unincorporated organisation that is engaged in the processing of data under contract with the data controller, including contracting by virtue of the law;

    Third party
    shall mean any natural or legal person or unincorporated organisation other than the data subject, the data controller or the data processor;

    Third country
    shall mean any country outside the EEA.
  3. The principles and legal basis of controlling data

    1. Personal data can only be controlled for a specific purpose, in the interest of exercising a right or performing an obligation. Data control must, in every phase, comply with the purpose of controlling the data, and the collection and control of the data must be fair and lawful.

    2. Only the data indispensable for achieving the aim of data control and suitable for achieving this purpose can be controlled as personal data. Personal data shall be controlled only to the extent and for the time necessary to achieve the purpose of controlling the data.

    3. Throughout the process of data control, personal data shall be considered to remain personal data as long as their correlation with the given Data Subject can be reconstructed. Correlation with the Data Subject shall be considered reconstructable if the Bank is in possession of the technical requirements necessary for reconstruction. The accuracy and the completeness and - if deemed necessary in the light of the aim of data control - the updating of the data must be ensured throughout the data control, and the identification of the Data Subject shall only be possible for as long as is necessary for the purpose of data controlling.

    4. Personal data shall only be controlled
    - with the consent of the Data Subject, or
    - upon the order of an Act of Parliament or of a local government decree - on the basis of the authorisation by an Act of Parliament and in the scope specified therein - for any purpose based on public interest (hereinafter: mandatory data control).
    Where data control is mandatory, the type of data to be controlled, the purpose and the conditions of data control, access to such data, the duration of the data control operation and the controller’s identity shall be specified by the Act of Parliament or local government decree ordering the control of data.

    5. Personal data may also be controlled if obtaining the Data Subject’s consent is impossible or it would give rise to disproportionate costs, and the control of personal data
    - is required to fulfil the Bank’s legal obligations, or
    - it is required for the purpose of enforcing the legitimate interest of the Bank or of a third party, and enforcing this interest is proportionate to the limitation of the rights protecting personal data.

    6. Prior to commencing data control, the Data Subject must be informed whether the data control is based on consent or it is mandatory. The Data Subject must be informed - unambiguously, plainly and in detail - on the scope of the data to be controlled, as well as regarding any fact related to controlling their data, in particular the purpose and the legal basis of data control, the identity of the person entitled to control and process data, the duration of data controlling and on the scope of persons who have access to the data.

    7. Where personal data are collected with the Data Subject’s consent, the Bank may - unless otherwise provided by the law - control the collected data without any further consent or after the withdrawal of the Data Subject’s consent where this is necessary
    - for the purpose of meeting a legal obligation pertaining to the Bank, or
    - for the enforcement of a legitimate interest of the Bank or of a third party, provided that the enforcement of such interest is proportionate to the restriction of the right to the protection of personal data.
  4. The purpose of data controlling and scope of the data controlled

    1. The purpose of data controlling
    The Bank shall control the personal data transferred or provided in any manner (including by indicating them on the documents, contracts, certificates and forms submitted to the Bank by the Data Subject and in any other form) by the Data Subject, with due account to the provisions of the law on bank secrets, security secrets and data protection, for the purpose of implementing and enforcing the financial, supplementary financial, investment and supplementary investment service contract executed between the Bank and the Client, providing a service on the basis of such a contract, the verification of obligations and rights related to that contract, the enforcement, collection or disposal of possible claims arising in connection with the contract, risk management (analysis, mitigation and assessment of risks), customer and credit rating, statistical analysis, complaint management, giving business proposals, market research, customer satisfaction surveys, utilisation for marketing purposes, contact maintenance, mandatory data control based on the law (e.g. client due diligence conducted in order to prevent and hinder money laundering and the financing of terrorism, the fulfilment of tax liabilities to be borne by the Bank as regards the Client, mandatory data provision as required by law to the Central Credit Information System). Other purposes of data controlling connected to the contract between the Bank and the Customer are specified in the Bank’s Business Rulebooks, the relevant general terms and conditions and the specific contracts in relation to financial and auxiliary financial services and investment and auxiliary investment services of the Bank.

    2. Scope and types of data controlled
    The personal data controlled with regard to the specific transaction are listed in the Bank’s Business Rulebooks in relation to financial and auxiliary financial services and investment and auxiliary investment services, the general terms and conditions relevant to the given transaction and the specific contracts, as well as in the forms for applying for services.
  5. Duration of the controlling of data

    The maximum duration of data controlling by the Bank is different with regard to controlling by consent and mandatory data control. For data control on the basis of the Data Subject’s consent, the Bank may control the Data Subject’s personal data until the end of the 5th (fifth) year after the termination of the contractual relationship between the Bank and the Client, or the Bank’s claim arising from the contract; in the absence of a contractual relationship, the Bank may control the data for a maximum of 5 (five) years from the date of data recording, but within this term only until the withdrawal of the Data Subject’s consent. For mandatory data control based on the law, the Bank may control, for the purpose specified in the law, the statutorily specified personal data of the Data Subject until the expiry of the relevant statutory deadline. Other data controlling terms pertaining to the specific transaction can be found in the relevant general terms and conditions and in the specific contracts.
  6. Control of data related to advertising activities

    According to Article 6(1) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: “Advertising Activities Act”), advertisements can only be communicated for the purpose of direct marketing to a natural person by using the method of targeting the addressee of the advertisement directly (in particular by way of electronic mail or any other equivalent individual method of communication, with the exception of addressed advertisements sent by postal mail) if the addressee of the advertisement has given their definitive and express prior consent.

    The Bank shall keep a record of the personal data of the persons making a declaration of consent, taking the declarations of consent and the provisions of the applicable law (Advertising Activities Act, on handling name and address data serving the purpose of surveys and direct marketing) into account. The data - related to the addressee of the advertisement - recorded in this registry can only be controlled in line with the declaration of consent, until its withdrawal, and it can only be transferred to a third party with the data subject’s prior consent.

    The Bank may - on the basis of the Client’s relevant specific authorisation - in accordance with the provisions of the applicable law in force, forward to the legal entities belonging to the bank group of ERSTE BANK HUNGARY ZRT. (hereinafter: “Erste Group”) - the full list of the members of the bank group can be found on the Bank’s internet website - the name, postal address, telephone number and electronic mailing address of the Client for the purpose of enabling them to offer their own services directly to the Client, and the Bank may also send to the Client advertising material containing banking offers and offers of subsidiaries belonging to the Erste Group. The Client may empower the Bank and approve the Bank’s informing, in accordance with the provisions of the applicable law in force, the Client for marketing purposes by way of direct mailing or by other means of communication (telephone, e-mail, Netbanking, text message etc.) on its own services and the services of the companies of the Erste Group and to control the Client’s data for the above purpose. The Client may at any time request the Bank not to send them advertising materials for direct marketing, and the Client may at any time withdraw, without charge and without giving reasons, their declaration of consent regarding receiving advertisements and the related data control. The Client may submit the relevant request through the contacts announced on the Bank’s website. In this case the Client shall not be contacted in the future for advertising purposes.
  7. Photo and video recording

    In its premises open to clients and at the ATM machines, the Bank may take photos and record videos on using the Bank’s services, for the purpose of ensuring the safety of financial and auxiliary financial services and investment and auxiliary investment services, and for the protection of human life, physical integrity, personal freedom and property protection, as well as for the protection of banking, securities and business secrets, and such recordings can be stored by the Bank for security reasons or used as evidence. The Bank shall store the recordings for not more than 50 (fifty) days and delete them thereafter. The Bank shall place signs calling the attention of clients to photo and video recording at the entrance to the bank branch and on the ATM machines.
    The image-recording system shall be operated by the Bank and the recordings shall be stored on-site until deletion.
    The Bank shall inform both its Clients and the Data Subjects on the rules of photo- and video-recording. The Information shall be placed in the bank branches and on the Bank’s website as well.
  8. Handling complaints, audio recording

    With regard to handling complaints over the phone, the telephone conversation between the Bank and the Client shall be audio-recorded by the Bank and stored for 5 (five) years. At the request of the Client making the complaint, the Bank shall allow them to listen to the audio recording, and make available, free of charge, the authentic minutes taken from the audio recording. Otherwise the Bank shall retain the complaint and the answer given for 5 (five) years. Calls recorded outside the scope of handling complaints shall be stored for 5 (five) years. For the purpose of compliance with the provisions on banking and securities secrecy, the Bank shall only and exclusively provide general information via standard (non-encrypted, not containing an electronic signature) electronic mail (e-mail), and no information classified as banking or securities secrets shall be provided by the Bank. All complaints containing or requesting such information and sent by the Client in a standard e-mail shall be answered in each case in a postal letter sent to the recorded mailing address of the Client. The Bank has a Complaint Handling Policy posted in all bank branches and placed on the Bank’s website as well.
  9. Data processing

    1. The rights and the obligations of the data processor mandated by the Bank, related to processing personal data, shall be determined by the Bank within the limits of the Info Act and of specific Acts pertaining to the control of data. The Bank shall be liable for the lawfulness of the instructions it has given.

    2. During its data processing activity, the data processor shall not use another data processor.

    3. The data processor shall not make any decision on the merits of controlling data, and they may only process the personal data acquired by them in accordance with the instructions of the Bank; they shall not process data for their own purposes and they shall store and retain the personal data in accordance with the instructions of the Bank.

    4. The contract related to data processing must be put down in writing. No organisation having an interest in the Bank’s business activity shall be mandated with the task of data processing.

    5. The Bank may outsource any activity related to financial or auxiliary financial services or any activity ordered by the law where such activity includes the control, processing or storage of data, in compliance with the provisions on data protection. The party engaged in the outsourced activity can only use a contributor with the Bank’s prior written consent. The Bank may also outsource any of its investment or auxiliary investment service activities or any of its activities or services under the scope of the Investment Services Act.

    6. The updated list of the parties engaged in outsourced activities shall be announced by the Bank in the Bank’s Business Rulebooks related to the financial and auxiliary financial services and investment and auxiliary investment services of the Bank.

    7. The Bank may use an intermediary for providing financial and auxiliary financial services and investment and auxiliary investment services. The list of the intermediaries used by the Bank shall be accessible at all times on the website of the Central Bank of Hungary (http://www.mnb.hu/) under “Search of market participants”.
  10. The conditions of data forwarding (data transfer)

    1. Personal data can only be forwarded with the consent of the Data Subject or when it is allowed by the law.

    2. On the basis of the Client’s authorisation or with the relevant written consent of the Bank’s Board, the Bank may transfer to Erste Group Bank AG (Austria), as the owner of the Bank with qualified interest, Client data recorded in the context of specific contracts with the Client for the purpose of credit and client rating, risk management, statistical analysis, checks and the registration of court litigation, in accordance with the provisions of the Credit Institutions Act, the Investment Services Act and the laws on data protection. In accordance with the data protection law in force, forwarding data to any EEA Member State must be considered as if forwarding data within the territory of Hungary. The Bank shall only forward any personal data to a non-EEA Member State (third country) with the express consent of the Data Subject or when the conditions of data controlling specified in Articles 5-6 of the Info Act are complied with, and the appropriate level of protecting personal data is granted in the third country.

    3. Data transfer within the Erste Group (the current list of the group members can be found on the Bank’s website) can be made upon the Data Subject’s written authorisation, for the purpose of the direct offering of services, more efficient client service and client rating, and when the statutory conditions are met, to the extent allowed by the law. Data transfer within the Erste Group can be made for purposes related to advertising activities (see point 6) and in the framework of an intermediary activity (see point 9.7).

    4. Data transfer to a third party - even without the consent of the Data Subject - can only be made on the basis of an Act (e.g. the instances specified in Articles 50-54 of the Credit Institutions Act and in Act CXXII of 2011 on the Central Credit Information System).
  11. Obligation to provide information

    1. Prior to commencing data control, the Data Subject must be informed whether the data control is based on consent or it is mandatory. Prior to commencing data control, the Data Subject must be informed - unambiguously and in detail - on any fact related to controlling their data, in particular the purpose and the legal basis of data controlling and the identity of the person entitled to control and process data, as well as the duration of data controlling. The information must include the Data Subject’s rights related to the controlling of data and to the possibilities of legal remedies as well.

    2. From time to time, the Bank uses image- and sound-display technology based on a Rich Internet Application (e.g. Adobe Flash) on its websites open to the general public, in the course of which the image- and sound-display settings necessary for enhancing the user’s experience shall be stored - and can be changed or deleted by the user at any time - on the computer of the visitor to the website (persistent cookie, Local Shared Objects). From time to time the Bank uses web applications (e.g. appointment-making or ATM search applications etc.) on its websites open to the general public that may store data on the user’s computer (session cookie) on the duration of using the service, for the identification of the user or the application of a safety timeframe. The data will be deleted automatically upon ending the use of the service or upon exceeding the safety timeframe specified. While using the services provided by the Bank’s contracted partners (e.g. Nettrader), through the electronic services provided by the Bank, third parties may store data about the user’s settings on the user’s computer, for the purpose of enhancing the user experience, until their expiry or their manual deletion. The deletion of such data may have a negative impact on the operation of the service provided by the Bank (persistent cookie). When the user allows cookies to be used in their web-browser, the websites operated by the Bank automatically store the necessary cookies on the user’s computer until their expiry or their manual deletion. The Bank shall not store cookies on users in its own IT systems.
  12. Rights of the Data Subject and their enforcement

    1. The Data Subject may request the Bank
    - to inform them on the control of their personal data,
    - to correct their personal data, and
    - to delete or block their personal data, with the exception of instances of mandatory data controlling.

    2. At the request of the Data Subject, the Bank shall provide information on the Data Subject’s data controlled by the Bank or processed by the data processor mandated by the Bank, as well as on the sources of such data, the purpose, legal basis and duration of controlling the data, the name and the address of the data processor and their activity related to controlling the data, and - in the event of forwarding the Data Subject’s personal data - the legal basis and the addressee of data forwarding.

    3. The Bank shall provide the information in a plainly written form as soon as possible upon the submission of the request, but not later than in 25 (twenty-five) days.

    4. Providing the information is free of charge if the party concerned has not yet submitted in the current year a request for information concerning the same scope of data. Reimbursement of the costs may be applied in other cases. The Bank can only refuse to inform the Data Subject in those cases specified in an Act of Parliament.

    5. In the event of refusing to provide information, the Bank shall notify the Data Subject in writing about the provisions of the Info Act, on the basis of which the provision of the information has been refused. In the event of refusing to provide information, the Bank shall notify the Data Subject of the possibility to seek legal remedy in court and to turn to the Hungarian National Authority for Data Protection and Freedom of Information (registered address: 1024 Budapest, Szilágyi Erzsébet fasor 22/c.; hereinafter: “Authority”).

    6. If the personal data fail to be true and the Bank is in the possession of the correct personal data, the Bank shall correct the personal data.

    7. The personal data must be deleted if
    a. it is unlawful to control the data;
    b. it is requested by the Data Subject (except if the controlling of data is based on a mandatory statutory provision);
    c. the data are incomplete or wrong - and this state cannot be remedied pursuant to the law - providing that deletion is not excluded by law;
    d. the purpose of controlling the data no longer exists or the time limit for the storage of data specified by law has expired (with the exception of the data, the medium of which must be deposited in the archive according to the law on the protection of archived materials);
    e. it has been ordered by the court or the Authority.

    8. Instead of deletion, the Bank shall block the personal data if it has been requested by the Data Subject, or it is presumed on the basis of the information available that deletion would infringe the legitimate interests of the Data Subject. Any personal data blocked in this way can be controlled only as long as the data controlling purpose that excluded the deletion of the personal data exists.

    9. If the accuracy of an item of personal data is contested by the Data Subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the Bank shall mark that personal data for the purpose of referencing.

    10. The Data Subject and all recipients to whom the data had been transmitted earlier for the purpose of controlling the data must be notified of the correction, blocking or deletion of the data. The notification can be bypassed when it does not violate the legitimate interest of the Data Subject in view of the purpose of data controlling.

    11. If the Bank fails to fulfil the Data Subject’s request for correction, deletion or blocking, then, within 25 (twenty-five) days of the receipt of the request, the Bank shall inform the Data Subject in writing of the factual and legal rationale for the rejection of the request for correction, deletion or blocking. In the event of refusing to fulfil the request for correction, deletion or blocking, the Bank shall notify the Data Subject of the possibility to seek legal remedy in court and to turn to the Authority.
  13. Objection against the control of personal data

    1. The Data Subject may raise an objection against the controlling of their personal data,

    a. if the personal data are controlled or transferred solely for the purpose of fulfilling the Bank’s legal obligation or for enforcing the legitimate interests of the Bank, the data recipient, or a third party, unless the controlling of data is mandatory;
    b. if the personal data are used or forwarded for the purpose of direct marketing, a public opinion survey or scientific research; and
    c. in other cases specified in an Act of Parliament.

    2. The Bank shall examine the objection raised as soon as possible, but within not more than 15 (fifteen) days from its submission, and it shall decide on the merits of the request together with notifying the applicant in writing of its decision.

    3. Should the Bank verify the well-foundedness of the Data Subject’s objection, it shall stop controlling the data - including further data collection and data forwarding - and block the data together with sending a notification on the objection and the connected measures taken to all persons who had earlier received the personal data affected by the objection and who are obliged to take measures for the purpose of enforcing the right of objection.

    4. If the Data Subject disagrees with the Bank’s decision or if the Bank fails to comply with the deadline specified in the Info Act, the Data Subject may turn to the court within 30 (thirty) days from the last day of the deadline. Judging upon the case shall fall in the competence of the regional court of justice. The Data Subject may at their discretion file the lawsuit at the regional court of justice having jurisdiction of the place of residence or place of stay of the Data Subject.

    5. The Bank shall be liable for any damage caused due to the unlawful controlling of the Data Subject’s data or the violation of the requirements of data security. The Bank shall also be liable towards the Data Subject for any damage caused by the data processor. The Bank shall be exempted from liability if it proves that the cause of the damage was unavoidable and outside the scope of the controlling of data.

    Please send your questions or complaints related to the controlling of data to the Bank’s internal data protection officer at the adatvedelem@erstebank.hu e-mail address.