PRIVACY NOTICE AND INFORMATION ON THE PROCESSING OF PERSONAL DATA

Applies to the personal data processing as of November 23, 2020


Modifications (the modifications are shown in italics)

Address of Hungarian National Authority for Data Protection (Introduction and II.B.10.)

Retention period of video recordings (IV.23.)

Retention period in case of contact data for claim management (IV.12.)

Erste Bank Hungary Zrt. (registered seat: 1138 Budapest, Népfürdő u. 24-26.; website: www.erstebank.hu, contact details: erste@erstebank.hu; telephone: +36 (1) 298-0222, fax: +36 (1) 272-5160; hereinafter: “Bank” or “Data Controller”) provides the following information to You as the Data Subject of personal data processed by the Bank (hereinafter: “Privacy Notice”) in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; “GDPR”) and Act CXII of 2011 on Informational Self-determination and Freedom of Information (“Info Act”),

We inform You that You may also contact the Erste Data Protection Officer at the postal address 1138 Budapest, Népfürdő utca 24-26, or at the following e-mail address: adatvedelem@erstebank.hu in case of any question regarding the processing of Your personal data by Erste.

You can apply to the Hungarian National Authority for Data Protection and Freedom of Information (contact details: (www.naih.hu), seat address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9.., +36 (1) 391-1400, fax: +36 (1) 391-1410, e-mail address:  ugyfelszolgalat@naih.hu), or to the competent court with a complaint regarding the processing of Your personal data by Erste or by any data processor assigned thereby.

Content of the Privacy Notice:

The Bank processes Your personal data either in the capacity of data controller or intermediary assigned by a third party data controller to carry out data processing activities (and also to act as intermediary for financial, auxiliary financial or investment services (hereinafter: “Intermediary”) or in the capacity of joint data controller with a third party company.

Two persons specified in the company register extract of the Bank (available at: https://www.e-cegjegyzek.hu/?cegadatlap/0110041054/TaroltCegkivonat) or two persons designated thereby may jointly represent the Bank.

The Bank has a qualifying holding (100% ownership interest) in the following subsidiaries, which, together with the Bank shall mean the members of the Erste Bank Group (hereinafter jointly referred to as: “Subsidiaries”):

  • Erste Investment Ltd. (registered seat: 1138 Budapest, Népfürdő u. 24-26. 8 floor)
  • Erste Building Society Ltd. (registered seat: 1138 Budapest, Népfürdő u. 24-26.)
  • Erste Mortgage Bank Ltd. (registered seat: 1138 Budapest, Népfürdő u.  24-26.)
  • Erste Real Estate Ltd. (registered seat: 1138 Budapest, Népfürdő u. 24-26.)

The parent company of the Bank (a legal person possessing a qualifying holding in the Bank) is: Erste Group Bank AG (registered seat: Am Belvedere 1, 1100 Vienna, Austria).

We inform You that in case we process Your personal data that qualifies You as a person identified or identifiable by the Bank (regardless of the purpose, legal title or duration of the processing of processing personal data), You shall be considered a Data Subject under the provisions of the governing data protection legislation, and shall be entitled to the rights set forth in the governing data protection legislations, in particular, in the GDPR and in the Info Act regarding the processing and the protection of personal data (hereinafter together: rights related to the processing of personal data).

This Privacy Notice contains information on the processing of the personal data related to all Data Subjects on the one hand, as well as additionally specific rules regarding the processing of the personal data related to each Data Subjects on the other hand. Certain rules of data processing are also included in the Business Rules of the Bank and the Bank shall also undertake and make all effort to ensure that the Data Subject, prior to the commencement of the processing of personal data, get acquainted with that part of this Privacy Notice that concerns him/her. The Bank publish this Privacy Notice on its website at: https://www.erstebank.hu/hu/adatkezelesi and also make it accessible at its branches. The Bank may prepare an extract of this Privacy Notice regarding the various types of Data Subjects and may make it possible for the Data Subject affected by the processing of its personal data to make a declaration regarding that the preliminary information concerning the processing of personal data has been provided and his /her acknowledgement thereof by way of signing this document or an extract thereof.

This Privacy Notice shall apply to personal data processing activity(ies) carried out by the Bank as of 14 October 2020. The Privacy Notice effective at the time of the personal data processing carried out by the Bank prior to this Privacy Notice shall govern such processing of personal data by the Bank.

The Bank shall be entitled for the unilateral amendment of this Privacy Notice at any time. The amendment shall be applicable to personal data processing performed under the previous Privacy Notice of the Bank in respect of the new parts of the amendment (otherwise processing of such personal data shall be subject to the rules prevailing upon the commencement of the processing of the personal data), whereas personal data processing commenced following the amendment of the Privacy Notice shall be entirely governed by the amended Privacy Notice (which shall be deemed the Privacy Notice in force upon the commencement of the processing of the personal data in respect of these Data Subjects). The Bank shall make accessible all amendments of the Privacy Notice on its website  https://www.erstebank.hu/hu/adatkezelesi. If the amendment is driven by legislative changes or by an administrative decision, or if the amendment does not concern issues relating to the processing of personal data (e.g. a change in the data protection officer or any other technical amendment) the change shall also apply to personal data processed prior to such amendment.

The Bank keep records of data incidents and notify the Data Subject and the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) of the occurrence of such incidents if required by the GDPR.

We inform the Data Subject that we only issue decision based on automated data processing by using Your personal data in case of online applications for personal loans (the ”automated decision-making”). We do not involve special categories of personal data in the automated decision-making. In the course of such automated decision-making, we check (as per the logic applied in the automated decision-making) Your age, income, regular income, employer, data stored in the Central Credit Information System, credit exposure, repayment behaviour regarding other credit.  If the Data Subject satisfies the minimum criteria, we assess the risk involved in entering into a contract with the Data Subject, implement the risk rating of the Data Subject, the result thereof will affect the eligible credit amount or may result in the approval or the rejection of Your application. You shall be entitled not to be subject to a decision based solely on such automated data processing. You shall furthermore be entitled to require a decision adopted by way of human intervention instead of or following the automated decision-making, to express Your position against the automated decision-making and to submit an objection to us against our automated decision-making at any of the contacts specified in Point II. C of this Privacy Notice, whereby we will assess Your submission and notify You thereupon.

The Bank may carry out profiling for direct marketing purposes on the basis of its legitimate interest for direct marketing under point (47) of the Preamble of the GDPR (for the compilation of a target group of recipients to be contacted for marketing purposes).

We inform the Data Subject that we may use Your anonymised personal data (i.e. that may not be linked to the Data Subject) for statistical purposes.

We inform the Data Subjects entering our registered seat, premises and branches and those using our ATMs that a continuous image recording is being applied at our registered seat, premises, branches and ATMs for the protection of human life, physical integrity, personal freedom, business, banking- and securities secrets as well as for personal and property security purposes upon our legitimate interests concerning personal, property and banking security. We process such image recording in accordance with the governing legislative provisions and our relevant policy on physical security.

Having Your consent thereto as set out in Article 6 (1) a) of the GDPR, we process Your personal data provided in the course of using the applications made available by us through an on-line platform, in principle until the withdrawal of Your consent.

We inform the Data Subject that our core activities and intermediation activities (as defined in Section 10 of the Banking Act) are subject to sector specific legislation that shall govern the processing of Your personal data (e.g. the Banking Act, Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, Act LXXXV of 2009 on the Pursuit of the Business of Payment Services, Act LXXXVIII of 2014 on the Insurance Activity, Act XCVI of 1993 on Voluntary Mutual Insurance Funds).

If we are subject to an obligation to erase personal data, we comply with such erasure obligation by way of factual, final and irreversible destruction / anonymisation and take measures for the full destruction of the documents to be destructed under such erasure obligation. If the irrevocable and final erasure / anonymisation takes place in the course of our regular erasure procedure, we will not send separate information to the Data Subject about the implementation of the erasure, but will inform the Data Subject whether we maintain record of the Data Subject’s personal data or not within the frame of exercising the right to access by the Data Subject. If the Data Subject submits an individual request for erasure, the Bank shall separately inform the Data Subject about the implementation of the irrevocable and final erasure / anonymisation (if the erasure is possible, otherwise about the reasons for refusal / partial implementation of the erasure). If the personal data requested to be erased by the Data Subject is the Data Subject's contact which we exclusively manage in relation to the Data Subject, we shall inform the Data Subject of the future erasure / anonymisation at this contact and the erasure shall be implemented thereupon by the Bank.

The Bank shall process the personal data (including the contact data as well) provided by the Data Subject as a data related to the Data Subject (the check of which shall not be a duty of the Bank), except the case when the Data Subject provides the Bank with a declaration that the concerned personal data is not related to it, whereby the Data Subject shall ensure that the Bank has lawful right to process the personal data not related to it but to another entitled person. The Data Subject shall issue a declaration in these cases that if it provides the Erste Bank Hungary Zrt. with such data that is not related to it, it has already informed the concerned person that it has shared the data relevant to this concerned person with the Bank, and the concerned person has already information – based on the privacy notice of the Erste Bank at the https://www.erstebank.hu/hu/adatkezelesi page - how Erste Bank shall process the data acquired not from the concerned person.  If a third party indicates to the Bank in relation to a contact managed by the Bank regarding the Data Subject that the Data Subject is not available at that contact, the Bank shall be entitled to inform thereabout the Data Subject at another contact managed by the Bank and to request that the Data Subject modify its particular contact details, and the Bank may restrict / erase / anonymize the processing of personal data challenged by a third party, even if it provides a service to the Data Subject for the given contact, in order that the Bank shall not process a third party related personal data without authorization.  

We may do voice recordings with a Data Subject’s prior express consent which may be managed till the withdrawal of such consent, but till the end of the retention period relevant for the other personal data processed with regard to the Data Subject, the latest (unless otherwise required by this Privacy Notice).

1.) We inform You that we process Your personal data in accordance with the governing data protection legislation, as defined in this Privacy Notice and as required by the Hungarian Data Protection Authority (NAIH), with respect to, and in compliance with the principles applicable to the processing of personal data, accordingly,

  1. Fairly and in a manner transparent for the Data Subject,
  2. Using personal data collected for clearly determined, legitimate purposes,
  3. Processing data that are proper, relevant and necessary in respect of the purpose of the processing of the personal data (complying with the principle of data minimisation),
  4. Precisely and in an up-to-date manner (in accordance with the principle of accuracy),
  5. Complying with the principle of storage limitation,
  6. Applying such technical and organisational measures that ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (on the basis of the principle of integrity and confidentiality),
  7. In compliance with the principles of privacy by design and by default and of accountability.

We inform the Data Subject that we shall be entitled to process personal data underlying the Intermediary activity as Intermediary carrying out financial, auxiliary financial / investment / auxiliary investment / insurance / payment intermediation activities in the interest, in the name and on behalf of the principals defined in Point VII of this Privacy Notice.

2.) The Bank shall ensure the enforcement of Your rights related to the processing of Your personal data as Data Subject by the Bank.

A.) Thereby we process Your personal data solely upon legal title complying with the data protection legislations, thus

  1. If, in connection with one or more specific (concrete) purposes that is/are identical to the purpose of data processing carried out by the Bank, You have given Your voluntary, explicit consent based on prior information (like this Privacy Notice) provided to the processing of Your personal data by the Bank by way of a clear affirmative action, such as a declaration provided in writing (including electronically) or verbally, or if
  2. The processing of Your personal data is required for establishing a contract between the Bank - or if the Bank acts as an Intermediary for financial, auxiliary financial services -, between the principal of the Bank and You, initiated by You, that is, for taking the steps preceding the conclusion of a contract (the processing of personal data is required for the purpose of entering into a contract) or for the performance of a contract, in which You as Data Subject are one of the contracting parties, or
  3. The processing of Your personal data by the Bank is based on the fulfilment of such legal duty applying to the Bank that has been established by Union or Hungarian legislation, or
  4. The processing of Your personal data by the Bank is required for the protection of the vital interests of You or another natural person, or
  5. The processing of Your personal data by the Bank is necessary for the purposes of the legitimate interests pursued by the Bank or a third party, except where such interests are overridden by Your interests or fundamental rights and freedoms as Data Subject, which requires the protection of Your personal data, in particular where the Data Subject is a child (legitimate interest constitutes the legal basis for the personal data processing).

B.) We inform You that You as Data Subject have the following rights in connection with the protection / processing of Your personal data by the Bank:

If Your personal data is processed by the Bank, in connection therewith,

  1. You may request access to personal data related to You, by way of requesting information from the Bank regarding Your personal data processed thereby. Information and copies of the processed data shall be provided free of charge (Right to access personal data),
  2. You may request the rectification / supplement of personal data related to You without undue delay if Your personal data processed by the Bank are incorrect / incomplete. (Right to rectification). If exercising the right to rectification / supplementing of personal data would result in a change to personal data contained in Your Contract entered into with the Bank, that may be done by Data Subject as specified in the Business Rules of the Bank regarding contract amendment, or in lack thereof, in compliance with the legislative provisions in force or as set out by Your Contract with the Bank regarding the contract amendment;  
  3. You may initiate the erasure of all or only of Your certain personal data processed by the Bank (Right to erasure). Under this right, You may obtain to erasure / anonymisation of Your personal data on a final and irreversible basis (and to destruct / anonymise the documents containing the personal data of the Data Subject involved in such deletion) by the Bank, in respect of which
    1. the processing purpose for which the Bank as Data Controller collected or processed Your personal data no longer exists and no other legal basis exists for the personal data processing by the Bank and the personal data have not been erased / anonymised, or 
    2. the processing of Your personal data is based on Your consent provided to the Bank and You have withdrawn such consent from the Bank in accordance with this Privacy Notice (and no other legal basis provided by law exists for the Bank for the processing of personal data),
    3. You have lawfully objected to the processing of Your personal data and no overriding purpose exists for the continued processing of Your personal data by the Bank,
    4. according to Your position, the processing of Your personal data is unlawful.

Under Article 11 of the GDPR, we inform You that if no data processing purpose exists for the Bank that requires / permits the processing of the data of the Data Subject by the Data Controller, following the erasure / anonymisation of the relevant personal data, the Bank may only retain the customer identification numbers of Data Subjects (in respect of Data Subjects having customer identification numbers) so that the Bank is able to verify, upon a possible disagreement that the erasure / anonymisation has been completed by the Bank. The Data Subject shall provide its customer identification number to facilitate the verification of such erasure; in lack thereof, the Bank will be only able to inform the Data Subject or the party lawfully requesting information regarding the Data Subject that the Bank does not process any personal data regarding the Data Subject at that point in time.

Instead of erasure, the Bank shall block the personal data of the Data Subject if the Data Subject requests so or if it can be assumed on the basis of the information available to the Bank that an erasure would infringe the legitimate interests of the Data Subject. Personal data blocked for this reason may be processed only as long as the purpose for data processing that excluded the erasure of such personal data exists.

4. You may request the restriction of the processing of personal data concerning You, designating the scope of personal data to be restricted (“Right to the Restriction of Data Processing”). Under this right You may obtain restricted processing of Your personal data by the Bank if You contest the accuracy thereof or if, in Your view, the data processing is unlawful, nevertheless, You are against the erasure of the personal data, or if the Bank as Data Controller does not need the personal data for the purpose of processing but You need the same for the submission or assertion or the protection of legal claims.

5. You may request the Bank to specify the recipients whom it had informed of such rectification or erasure of data or of the restriction of data processing,

6. You may withdraw Your consent to the data processing at any time if Your consent shall mean the legal basis for the processing of Your personal data by the Bank (“Right to the withdrawal of consent”). We may process Your personal data following the withdrawal of Your consent, if processing is necessary for the Bank to comply with its legal obligation or on the basis of its legitimate interests, if the pursuit of such interests is proportionate to the limitation of the right regarding the privacy personal data,

7. You have the right to receive Your personal data provided by You to the Bank in a structured, commonly used, machine readable format. You / a third person lawfully authorised by You may request the Bank to transfer such data to another data controller (if data is processed by the Bank on the basis of Your consent or of a contract with the Bank, in which You are one of the contracting parties and if the relevant data are processed using automated means; (“Right to Data Portability”). We inform You that, at this point in time, the Bank is unable to satisfy the request You / the third person lawfully authorised by You submitted on Your behalf regarding Your personal data provided to the Bank (that is, Your application regarding the acceptance of the personal data proposed to be recorded by the Bank) considering that no data processing procedure or a purpose for processing exists for the Bank that would facilitate the satisfaction of Your request and the processing of Your personal data limited to the relevant purpose, thus the Bank is currently not entitled to receive the data carrier containing Your personal data provided to it and to process the personal data stored thereon,

8. You may contest a decision if the Bank uses automated individual decision-making (“Right to contest”),

9. You may object to the processing of Your personal data by the Bank on legal basis of legitimate interest or on grounds relating to Your particular situation in the cases defined in the GDPR (“Right to object”);

10. Regarding the lawfulness of the processing of Your personal data by the Bank, You may initiate the procedure of the Hungarian National Authority for Data Protection and Freedom of Information (abbreviated name: NAIH, registered seat: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9.., website: www.naih.hu, telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, central e-mail address: ugyfelszolgalat@naih.hu) or seek judicial remedy (”Right to Redress”);

11. Regarding the processing of Your personal data, You may contact the Data Protection Officer of the Bank.  Name and contact details of the Data Protection Officer of the Bank: dr. Katalin Fonth; email: Adatvedelem@erstebank.hu

C.) As a Data Subject You may submit to the Bank Your questions / requests regarding the exercise of Your rights related to the processing of personal data at the following contact details:  

  1. In writing, in a letter sent to the address of the registered seat of the Bank (Erste Bank Hungary Zrt.; 1138 Budapest, Népfürdő utca 24-26.) (the application form regarding the processing of personal data is attached as Annex no. 1 to this Privacy Notice),
  2. In a written application submitted at any branch of the Bank,
  3. Verbally made via a recorded telephone line using the telephone customer service of the Bank (Telebank telephone number: +36 (1) 298-0222; to special customers: +36 (1) 298-0196),
  4. In an e-mail message sent to the erste@erstebank.hu address,
  5. In an e-mail message forwarded from the NetBank platform.

With a view to the Bank’s obligation regarding the protection of personal data/ banking secrets / securities’ secrets / insurance secrets / business secrets, we shall complete the appropriate identification of the Data Subject in line with its capacity (customer, applicant etc.) in accordance with this Privacy Notice, and shall only be entitled to complete the application / request of the Data Subject only after the (proper level) identification of the Data Subject, upon the fulfilment of the Data Subject’s application regarding the processing of personal data.

We accept requests / applications regarding the processing of personal data submitted by means of standard forms issued by NAIH for applications / requests to be submitted by a data subject, if the personal data to be provided thereon have been completed in full. If this request has been submitted in paper form, it shall also be signed by the Data Subject.  If the Data Subject has not provided all personal data necessary for identification in the request, the Bank shall call on the Data Subject to supplement its personal data to facilitate a response to be provided to the request / application.

We provide the Data Subject with an application form on the personal data processing to submit the written applications as an Annex No. 1 to this Privacy Policy, whereby the Data Subject can submit its written application to the Bank by filling it. As per this Privacy Notice, we however accept written applications of the Data Subject other than this form as well.

Application of the Data Subject under Clause III 1-7 of this Privacy Notice for the processing of personal data shall include (beside the standard form issued by the NAIH) at least the surname and name, place and date of birth, Mother’s maiden name and the address with regard to the Data Subject.

Application of the Data Subject under Clause III 1-7 of this Privacy Notice for the processing of personal data shall be fulfilled by the Bank by way of delivering a response via post. If attachment of copies shall become necessary concerning the response, this duty shall be fulfilled by the Bank by way of delivering a password-protected electronic data carrier to the Data Subject by post (as an annex to the basic information). The Bank shall deliver the password necessary for the use of the electronic data carrier and the information for the use of the password in a separate letter by post (in a so called password letter), in addition to the information letter, at least one working day following the delivery of the basic information letter.  (Due to banking secret privacy and information security duties) a Data Subject under Clause III 1-7 of this Privacy Notice shall only be sent information classified as personal data in an encrypted e-mail if the Data Subject expressly requests the e-mail delivery and even in this case, we shall fulfil the electronic delivery only to the e-mail address available by us, in a password-protected delivery if it is technically possible due to the size of any attachments. In this case, we shall deliver the password to the Data Subject necessary to access to the encrypted content via another contact channel data processed by us other than e-mail (telephone number, mailing address) or in any other identifiable manner. Information on the use of the password shall be included in the information that contains the password.

Application of the employee or former employee of the Bank for the processing of personal data shall include (beside the standard form issued by the NAIH) at least the surname and name, birth name, place and date of birth, Mother’s maiden name and the social insurance number with regard to the Data Subject.

We may request the application of the Data Subject (Other Data Subject) under Clause III 10) of this Privacy Notice in written form, (beside the standard form issued by the NAIH) by way of listing the types of personal data (processed data, for example name, e-mail address, telephone number) provided to and processed by the Bank, and by specifying the reason / purpose of data processing by the Bank.

Such application of the employee or former employee of the Bank, and the Other Data Subject on the personal data processing that means the transfer of personal data regarding the Data Subject, shall be fulfilled by the Bank by way of delivering a response via post if the mailing address of the Data Subject is being processed thereby. If attachment of copies shall become necessary concerning the response, this duty shall be fulfilled by the Bank by way of delivering a password-protected electronic data carrier to the Data Subject by post (as an annex to the basic information). The Bank shall deliver the password necessary for the use of the electronic data carrier and the information for the use of the password in a separate letter by post (in a so called password letter), in addition to the information letter, at least one working day following the delivery of the basic information letter. An employee or former employee of the Bank, and the Other Data Subject shall only be sent information classified as personal data in an encrypted e-mail if the Data Subject expressly requests the e-mail delivery or if the Data Subject's request has been received by e-mail and the Data Subject provides the Bank with a contact channel other than the e-mail (e.g. telephone number, mailing address) in order to send the password required to open the reply letter containing the personal data, or in case of contact information regarding the Data Subject other than the e-mail address is already being processed by the Bank and it is technically possible due to the size of any attachments. In this case, the Bank will send the password to the Data Subject via the contact channel other than e-mail. Information on the use of the password shall be included in the information that contains the password.

If the Data Subject has not received the postal letter (i.e. if the return receipt is returned to the Bank with a signal of not sought / received), the Bank will try to send the letter to the Data Subject once more, thus fulfilling its obligation to ensure the enforcement of the Data Subject's privacy rights, thereafter, the Bank shall resume the delivery of items that could not been received twice, only at the repeated request of the Data Subject.

If the Bank is under the obligation to disclose personal data regarded as banking secret to a third person within the frame of exercising the Right to portability, the Bank shall complete a request / application submitted in the form of a document or public document with full probative force under legislative provisions applicable to the protection of banking secrets, in compliance with Section 161 (1) of Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (“Banking Act”).

If a Data Subject has submitted its request related to the processing of personal data contrary to the above and the Bank was not able to identify properly the relevant Data Subject as required for data security and / or for the protection of banking secrets (as contained in this Privacy Notice), the Bank shall request the Data Subject to supplement data, and upon a failure or non-fulfilment of such request, the Bank shall not be able to respond to the request. That period of time from starting from the Bank’s request for the provision of the necessary personal data / for the performance of a lacking activity until the provision of the personal data shall not be included in the calculation of the due date for responding to the request.

An application by a Data Subject regarding the processing of personal data shall not be considered by the Bank as a complaint but, if the Data Subject makes a complaint in its application regarding the processing of personal data that is in accordance with the applicable legislative provisions and the complaint handling regulations of the Bank, the Bank may respond to the request regarding the processing of personal data and to the complaint submitted by the Data Subject in a single notice (where adequate information is provided). If, following information provision by the Bank regarding the processing of personal data / a response provided by the Bank to another request regarding the protection of personal data, the Data Subject makes a complaint as set forth in the complaint handling policy of the Bank, where such complaint is not related to the processing of personal data, the Bank shall process and respond to such request as a complaint.  

The Bank shall complete a request regarding the processing of personal data / provide a response to such an application without undue delay, but in any event within one month following the submission thereof. This one-month period may be extended by two further months, taking into account the complexity and the number of requests, where the Bank shall inform the Data Subject of any such extension within one month of submission /  receipt of the request to / by the Bank.

D.) Ensuring Data Accuracy

The Bank shall ensure the accuracy of the processed data based on the principle of cooperation and information set forth in its Business Rules. For this reason, the Bank may contact You to update Your contact data in respect of Your contact data processed by the Bank, in order to ensure the compliance with the principle of accuracy set forth in Article 5 (1) d) of the GDPR and to facilitate data clarification (data cleaning). If data clarification is possible via the modification of contractual data, the Data Subject shall do such amendment in accordance with the provisions of the Bank’s Business Rules on contract amendment.

E.) Advertising contact via direct marketing

Under Section 6 (1) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“Commercial Advertising Act”), we inform the Data Subjects that we only send (commercial) advertisements (definition: Section 1 (d) of the Commercial Advertising Act) to natural persons as per direct marketing to the recipients (thus, in particular, via electronic correspondence or other equivalent means of individual communication, with the exception of the addressed postal advertising and telephone contact made via a non-automized telephone calling system), either ourselves or via our agent if the relevant Data Subject as the recipient of such advertising has given its prior, clear and specific consent thereto. We keep records of the personal data of natural persons who make an explicit declaration of consent. Personal data entered into these records relating to the recipients of advertising may be processed only in accordance with and until the withdrawal of the declaration of consent (but in any event until the date set in Clause IV. 13) and may be transferred to a third party only upon the prior approval of the Data Subject given as required by law. Withdrawal of the consent shall cover the period after the withdrawal of the consent, processing of personal data falling before this period shall not be affected by the withdrawal of the consent.

The Bank may contact a Data Subject in accordance with the Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing, upon the conditions set forth therein, either itself or via its authorised representative for the purpose of research or direct marketing. For this purpose, the Bank may contact natural persons at their telephone numbers listed in public telephone directory databases, not marked as restricted.  The Data Subject of such contact may object to such contacts. We keep records of the persons who objected to be further contacted by the Bank for such purpose or its authorised representative.  

F.) Means of information

In this Privacy Notice, we inform the Data Subject of the means applied for processing the personal data obtained from the Data Subject, learned by the Bank through the actions of the Data Subject and from conclusions drawn by the Bank regarding the Data Subject. 

If Your personal data processed by the Bank were not made available to the Bank by You, the Bank provides specific information under Article 14 of the GDPR, with the exception of the case(s) contained in Article 14 (5) of the GDPR.

If the personal data was obtained from You as a Data Subject, that types of personal data related to You and processed by the Bank are contained in the forms via the completion thereof we manage Your personal data.

G.) Other provisions

If the Bank has the right to process personal data, the Bank may also process under such right all related paper-based or electronic documents containing the Data Subject’s relevant personal data through the entire duration of the processing of personal data contained in such documents.

We inform the Data Subject that the duration of processing personal data by the Bank shall be extended (with the period of processing the following personal data, or with the outstanding time of such period) if, upon the expiration of the duration of the processing of personal data available to the Bank, criminal proceedings, claim management or such other proceedings are in progress against the Data Subject in the course of which the processing of personal data by the Bank is necessary for asserting its legal claim / for complying with a legal obligation of the Bank / a legitimate interest of the Bank exists for this purpose.  

The electronic data contained in the litigation records of the Bank regarding the parties to the litigation and the adjudicated issue (with the exception of documents stored electronically) are not erased / anonymised in consideration of the legitimate interest of the Bank (res iudicata can be evidenced).

Documents constituting ownership claim will not be erased considering that ownership claims are not subject to limitation.

If the Bank is obliged to issue personal data to a person other than the Data Subject in compliance with the Data Subject’s right to Data portability, the Bank shall inform and warn such recipient third person in the scope of this Privacy Notice that the personal data issued by the Bank concerning the Data Subject shall not be used for his/her own purposes and such personal data may be only processed in compliance with the applicable data protection legislation, and observing the principle of purpose limitation. The Company does not accept liability for the third-party usage of personal data adequately transmitted to a third person at the Data Subject’s request.

The Data Subjects of personal data processed by the Bank in connection with its activities are typically the following Data Subjects: 

  1. Customer: all the natural persons who use financial services / auxiliary financial services (the “Service”) provided by the Bank as a financial institution (Section 160 (2) of the Banking Act),
  2. Applicant: all the natural persons who contact the Bank to receive Services, but who decide not to use such Services (Section 160 (2) of the Banking Act),
  3. Co-debtor, surety, a natural person providing other security: a person involved in the performance of a contract for financial service / auxiliary financial service (the “Contract”) in addition to the debtor Customer, who shall be liable on behalf of /in addition to the debtor Customer upon a failure by the debtor Customer to satisfy its payment obligations under and as set forth in the Contract,
  4. Authorised representative: a natural person who acts on behalf of another natural or legal person as set forth in Section 6:11 of the Civil Code,
  5. Contributor: A natural person making a cash deposit onto the customer’s account maintained with the Bank,
  6. Beneficiary: a natural or legal person who is the recipient of the funds constituting the subject of the payment transaction (Section 2 (12) of the Payment Services Act),
  7. Contact Person: the person on behalf of the party entering into a Contract with the Bank as being specified in the Contract for the purpose of keeping contact,
  8. Employee
  9. Former employee
  10. Other Data Subject (in particular, a person who signs up to a newsletter, contracted partner’s contact person) All Data Subjects who are not classified as Data Subject specified in Clause III 1) through 9) of this Privacy Notice are included in this category.

We process personal data primarily for the purpose of entering into a Contract with the Data Subject for the performance of financial services and to ensure that the Bank and the Data Subject that concludes such Contract with the Bank are equally able to perform the Contract.  

If the personal data processed by the Bank are considered banking, securities’, insurance secret or data categorised as other protected data (e.g. business secret), the Bank shall process such personal data in compliance with the legislative provisions applicable to the given type of secret in addition to complying with the provisions regulating the protection of personal data.

1.) Out of the natural persons listed in Clause III. 1 of the Privacy Notice, the Bank will / shall process the personal data of the Customer, the co-debtor, the surety and the natural persons providing other security (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data. 

We inform the Data Subject that we use anonymised personal data for the purpose of product development.

If (any of) Your personal data are processed by the Bank based on Your consent as per the above table, we process Your personal data under such consent, until the withdrawal thereof / or if the purpose of data processing has been implemented previously, until the implementation of the data processing purpose, or in lack thereof, as long as any legal basis exist for the Bank for processing Your personal data (except if this Privacy Notice sets a period shorter than that for the processing of certain consent based personal data processing by the Bank). Withdrawal of the consent shall cover the period after the withdrawal of the consent, processing of personal data falling before this period shall not be affected by the withdrawal of the consent.

If You have entered into a Contract with the Bank that requires the use of a telephone number (e.g. Text message service) and/or of an email address, in that case the we process such personal data on the legal basis and for the duration set out in point 6 of the above table for the purpose of performing the Contract, except if You change Your relevant contact data in the form of contract amendment (whereupon the Bank shall erase /anonymise the former personal data on a final and irreversible basis).

2.) Out of the natural persons listed in Clause III. 1 of the Privacy Notice, the Bank will / shall process the personal data of the Applicant (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data

  1. The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (2) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data.

    If the Bank has conducted credit assessment in Your respect, in the course of which it has commenced Your identification in compliance with the AML Act, but we have rejected Your credit application, the Bank shall process Your personal data and the documents containing those for 5 (five) years following the failure of the Contract based on its legitimate interest set forth in Section 166/A (2) of the Banking Act and, whereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

    If the processing of Your personal data by the Bank is solely based on Your consent (and no other legal basis exist for the Bank to process Your personal data), the Bank shall process Your personal data until the fulfilment of the purpose of data processing but in any event no longer than up to 6 (six) months and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.
  2. In case You express Your intention, interest, wish towards the Bank to conclude a Contract, but the Bank or its Intermediary has not started the due diligence under the AML Act for the conclusion of the Contract, the Bank may process Your personal data (with Your consent) till 6 (six) months upon the receipt of the personal data, or, if You have withdrawn Your consent within this period of time, till the withdrawal of such consent, whereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

3.) Out of the natural persons listed in Clause III 1 of the Privacy Notice, the Bank will / shall process the personal data of the Beneficiary of the Contract, the Contact person specified in the Contract, other contributors of the party entering into the Contract (in particular interpreters and  translators) and of Authorised Representatives acting with the aim of entering into or performing the Contract (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data.

4.)  Out of the natural persons listed in Clause III 1 of the Privacy Notice, the Bank will / shall process the personal data of the Payer (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data.

5.) Out of the natural persons listed in Clause III. 1 of the Privacy Notice, the Bank will / shall process the personal data of the Payer (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing).

i) If the processing of Your personal data by the Bank is solely based on Your consent (and no other legal basis available for the Bank to process Your personal data), the Bank shall process Your personal data until the fulfilment of the purpose of data processing but in any event no longer than 6 (six) months and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

ii) The Bank may process Your personal data as Other Data Subject beyond or in lack of Your consent in pursuit of a legitimate purpose of data processing, on any of the legal basis set out in Clauses II.2.) A) 1.) and 4) - 5) of this Privacy Notice as long as such legal basis and the purpose of processing may exist, and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

a.) Subscriber to newsletters The Bank may process Your personal data (provided for the purpose of receiving newsletters) in order that You receive the newsletter at the provided contact point as per Your request, until You unsubscribe as Data Subject. You may unsubscribe bay way of pushing the unsubscribe button in the Newsletter.

b.) The website operated by the Bank may automatically save information about You within the course of using the website (whereupon no personal data may be identified about You), and the Bank may place so called cookies thereon for the purpose of

  • collecting information about Your asset,
  • ensuring that such information can assist You in using online transactions, or
  • using such information to optimise advertising contents available on the website and other web pages.

The detailed rules on the use of the cookies is available at the below website: https://www.erstebank.hu/hu/cookie-policy

c) Processing of the personal data of contact persons, authorised representatives and other contributors in respect of contracts concluded by the Bank for non-financial /auxiliary financial services

The processing of personal data of contact persons, authorised representatives and other contributors designated in a contract entered into between the Bank and a service provider under Act V of 2013 on the Civil Code (hereinafter the “Civil Code”) is deemed to be processed for the purpose of keeping contact with the aim of performing the contract (legitimate interest) existing between the Bank and the other party to the contract, in the interest of the party on whose behalf the relevant natural person acts and serves this purpose. The Bank processes the personal data of contact persons, authorised representatives and other contributor natural persons  as personal data of Other Data Subjects during the entire retention period of the contract existing between the Bank and the service provider that has entered into a contract with the Bank, where such retention period is 5 years following the termination of the contractual relationship between the Bank and the service provider if there is no dispute between the Parties (and if the limitation period is not interrupted or suspended), except if such Other Data Subject objects to the processing of his/her personal data with the Bank.  Upon a successful objection to the processing of the personal data of contact persons, authorised representatives or other contributor natural persons, the Bank terminates the processing of the personal data of such Data Subjects.

d) Processing of former employees’ personal data by the Bank

Former employees’ personal data may be processed by the Bank for the purpose, on the legal basis of and for the duration set out in this Clause, by means described in the General part of this Privacy Notice.

  1. According to Section 99/A of the Act LXXXI of 1997 on Social Security Pension Benefits (Social Security Act), the Bank as employer shall retain the labour documents  containing data regarding the social security relationship, duty period relating to the employee as beneficiary or ex-beneficiary of the social security, or the earnings, income that may be taken into consideration by the establishment of the pension benefits, for five years from reaching the retirement age relevant for the beneficiary or ex-beneficiary of the social security. We process these personal data with the purpose of complying with our legal obligations.
  2. The Bank processes other personal data and the documents containing such other personal data in connection with the employment relationship of a Data Subject described in this Clause and the relevant personal data for 3 years following the termination of the employment contract under Section 286 (1) of Act I of 2012 on the Labour Code (the “Labour Code”), with the exception of personal data processed under a legal basis being the Data Subject’s consent.  The Bank processes personal data processed under the consent of Data Subjects described in this Clause until the withdrawal of consent but in any event for up to 3 years following the termination of the employment contract as set forth in Section 286 (1) of the Labour Code.

e.) Processing of personal data of applicants for job offers

We process the personal data of the Data Subject completing a registration on the Career portal of the Bank (http://karrier.erstebank.hu) (including the documents attached by the Data Subject completing the registration and the personal data contained therein) for the below data processing purposes and within the following duration:

-  to consider the application of the Data Subject to the specific job offer within the selection process, from the application till the closure of the selection, but no longer 1 (one) year,

-  to consider this personal data by filling the positions opening at the Bank, to contact the registered Data Subject at the contact details provided by the registration with new positions possibly becoming actual, till 1 (one) year from the last application of the Data Subject to a specific position.

The Data Subject may register its data, and may attach its (photographic) Curriculum Vitae as document in a manner and format offered at http://karrier.erstebank.hu  website. If the registrant Data Subject provides a specific personal data by the registration, or attach a document containing specific personal data, the Data Controller shall inform the Data Subject that it shall not be entitled to process this personal data in the lack of the explicit consent made by the Data Subject, and the Data Controller shall immediately erase / delete this type of personal data after receiving thereof (if the registrant Data Subject does not provide the Data Controller with its explicit consent to the processing of such specific personal data). The Data Controller call the Data Subject not to provide access for the Data Controller to specific personal data (in the lack of its consent), because the Data Controller do not process such personal data of the Data Subject without the consent thereof. Only the Human Resources Management area of the Bank and the managers concerned with the selection procedure have access to the data provided by the Data Subject.

The Data Subject shall be entitled to change its password ensuring the usage of the surface, or the registered personal data at any time, and to terminate the access at any time. We call the attention of the Data Subject completing a registration that erase of the registration completed by the registrant Data Subject and the personal data contained therein can be done by the Data Subject in the account set up by the Registration, and can also initiate it via electronic mail sent to karrier@erstebank.hu e-mail address.

The Data Subject shall acknowledge that we may transfer Your personal data provided at the Career portal to contractual third parties as Data Controller, for the purpose of application to job offers, for the conclusion of targeted employment to use video interview platform service (Indivizo Zrt.), and to fill in The Predictive Index® surveys.

Nexum Magyarország Kft. (registered seat: 6722 Szeged, Gyertyámos u 13.; Company registration number: 06-09-004861) is the assigned data processor of the Bank.

We may specify and disclose more detailed information for the Data Subject applying for position on the application surface.

f.) Use of Facebook, Viber, banking widget surface

We ensure for the Data Subjects to request information regarding our services both at Facebook and Viber user interfaces and at our website. These interfaces cannot be used for lodging complaints and for sending privacy related requests, Data Subjects may only make requests thereby regarding the issuance of or questions concerning the general data not deemed banking or other types of secrets. We process the personal data provided in the course of using these portals upon consent provided by the Data Subject, until the withdrawal of such consent by the Data Subject, or in lack thereof, for 6 months after the relevant personal data have been recorded in our systems. Upon the expiry of this period, the Bank will finally and irreversibly erase /anonymise Your personal data (if no other legal basis exist for the processing of such personal data by the Bank).

1.) Persons below the age of 16 shall be considered children under the GDPR.

We only process personal data in relation to information society related services offered directly to children if the child is over the age of 16. Where the child is below the age of 16, we do the processing of the children’s personal data only if and to the extent that consent is provided or authorised by the person holding the custody rights concerning the child.

2.) Processing of special categories of personal data

Under Article 9 of the GDPR, we process special categories of personal data (that is, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation only if the Data Subject has given explicit consent to the processing of such special categories of personal data for one or more specific purpose(s), except if EU or Member State legislation excludes data processing based on consent and except if any legal basis for the processing of special categories of personal data set forth in Article 6 (b) - j) exist on our side. We process Your special category personal data (even in case of Your consent) solely for the purpose of data processing You have consented to and only as long as such purpose exists. We process Your biometric signature for the purpose of ensuring the electronic signature of documents that may be signed electronically, and the handover of documents in electronic form, and the authentic identification of the signatory person using the electronic signature facility. In case of processing a biometric signature as personal data, we process Your biometric signature for 8 years following the year of adopting the annual report prepared for the year when the last Contract related accounting certificate has been issued (also considered as the termination of the Contract) (under Section 169 (2) of the Accounting Act.

The Customer may withdraw its consent to the register of the biometric data by the Bank at any time within the biometric signature process. If the Customer withdraw the consent, it shall not concern the lawfulness of the earlier data processing, so the contracts concluded, declaration made so shall remain valid and effective even after the withdrawal, those are available for the Customer until the Erste NetBank contract concluded with the Bank remains in force. We process the Customer’s biometric data / biometric signature within the retention period of the Electronic documents, set out in the legislation and in the Privacy Notice of the Bank, linked to the document, we do not use it for other purposes after the withdrawal of the consent.

The Data Controller have made an impact assessment before the commencement of the processing of biometric signature to see how the data processing affects the protection of personal data and have also assessed the risks of data processing related to the rights and freedoms of the data subjects. Based on the assessment, it can be concluded that the existing risks and the chances of possible abuses are very low, considering that the Data Controller ensures the protection of bank secrecy and personal data by applying the necessary technical and organizational measures in accordance with data security and information security regulations.

In consideration of the above, we request You not to provide the Bank with special category personal data without providing Your consent to the Bank for the processing thereof (where such consent shall also contain the purpose in respect of which You authorise the Bank to process data) because, in lack of Your explicit consent containing the purpose of data processing as well, the Bank will not have the right to access and thus to apply such personal data by the adoption of its decisions. We shall immediately erase /anonymise such personal data without reading if we establish that You have not provided Your consent to the Bank to the processing of Your special category personal data.

3.) Processing of personal data related to criminal liability

We process personal data regarding decisions on the declaration of criminal liability and offences and the related security measures in the scope permitted by Hungarian law (if the Bank is deemed complainant or plaintiff in respect of the relevant offence or asserts a civil law claim in the criminal proceeding). If the Bank did not file a civil law claim in the criminal proceeding, we process such data until the decision adopted in the criminal proceeding becomes final, otherwise (if a civil law claim has been lodged) for 5 years after the judgement becomes final (that is, until the limitation of the right of enforcement) except if such period of limitation is interrupted or suspended (in this case, in compliance with Section 57 on the Act on Judicial Enforcement and with Section 286 of the Labour Code).  

4.) In accordance with applicable legislation, the Bank may purchase databases containing personal data from service providers having a contractual relationship with the Bank and if a Data Subject is recorded in such database, the Bank may contact the Data Subject at its contact details listed in the database, in compliance with legislative provisions applicable to the relevant contact to be made.

5.) The Bank may contact business organisations for the purpose of direct marketing (advertising) at the e-mail address and telephone number of such business organisations assigned for contact purpose, in compliance with the applicable legislative provisions.

6.) If, in the scope of its right related to the processing/protection of its personal data, set out in Clause II/ 2/ B of this Privacy Notice, the Data Subject requests the issuance of a copy of such a document processed by the Bank, where the Bank’s right to process / protect the Data Subject’s personal data does not cover the issuance thereof, we inform the Data Subject to that effect and notify it that the Bank can fulfil the relevant request charging a service fee announced in respect of the relevant service and the Bank shall fulfil such request by the Data Subject after the Data Subject has indicated that it requests the issuance of the relevant copy also being aware of the relevant charge.   

Pursuant to Article 13 (1) (e) of the GDPR, we inform You that we transfer Your personal data to the following categories of recipients on the below legal basis:

1.) Within its financial-, auxiliary financial activity, the Bank may transfer the Data Subject’s personal data to the data processors assigned by the Bank for outsourced activity and specified in Annex No. 1 to the actual version of the Erste Bank’s Business Rules (the ”Annex No. 1 to the Business Rules on Financial Services”) based on the Section 164 j) of the Banking Act and the data processing agreement concluded with the person doing the outsourced activity. Actual version of the Annex No. 1 of the Business Rules on Financial Services is available at the https://gate.erstebank.hu/uzletszabalyzat website. Purpose of this data transfer is the fulfilment of the activity as outsourced activity as of the Annex No. 1 of the Business Rules on Financial Services to be performed by the particular data processor, and the duration thereof shall be last till the fulfilment of the data processing purpose.

2.) Based on Section 161 c) of the Banking Act, we (may) transfer Your personal data to company(ies) dealing with debt collection and having contractual relationship with the Bank for the purpose of debt collection defined herein for the period necessary for the fulfilment of the data processing purpose.

3.) Based on Section 164 q) of the Banking Act, we transfer Your personal data necessary for the fulfilment of a contract arranged by an Intermediary for intermediated financial service to the Intermediary being in contractual relationship with the Bank, for the period necessary for the fulfilment of the data processing purpose. List of contractual Intermediaries is available at the http://www.mnb.hu/felugyelet/engedelyezes-es-intezmenyfelugyeles/piaci-szereplok-keresese/kozvetitok-keresese website of the National Bank of Hungary. Intermediaries are entitled upon their contract with the Bank to transfer the personal data lawfully acquired during their intermediary activity.

4.) In accordance with Section 164 d) of the Banking Act and the data processing contract, we may complete a transfer of personal data relating to the Data Subject to the auditor authorized by the Bank, to legal experts (individual lawyer and law office) having contractual relationship with the Bank or to other experts for the purpose of audit / legal, or other expert activity till the fulfilment of this purpose.

In case the Data Subject’s consent is the legal basis for the data processing by the recipient as data processor, we shall inform the data processor about the withdrawal of the Data Subject’s consent, whereupon the data processor shall no longer be entitled to process the data of the Data Subject that is being subject to its consent. We shall notify the data processor, if fulfilment of other duty becomes necessary for the data processor based on a request for the erasure / anonymise, correction, freezing of the personal date relating to the Data Subject or other personal data processing request.

5.) We may assign our claim towards the Data Subject, whereby we transfer all data and document relevant to the debt of the Data Subject to the assignee upon the assignment contract (unless otherwise agreed by the assignor and the assignee in the assignment contract). Under Section 169 (2) of the Accounting Act, we process the accounting certificates relating to the assignment, and the underlying documentation for 8 years following the year of adopting the annual report prepared for the year when the assignment related accounting certificate has been issued

6.) We may transfer Your personal data to the authorities having jurisdiction and competence, if the relevant legislation require us to process these personal data, or if the authority having jurisdiction and competence has delivered us a proper request.

In the frame of ensuring the enforcement of Your access rights, we also inform You (upon Your request) in addition to the information on the recipient categories (by providing the company name and registered seat data) about such recipients whom Your personal data is / has been transferred.

7.) Open banking (API channel) related data transfer

For the performance of the duties of the Payment Initiation Service Provider (hereinafter: PISP), the Account Information Service Provider (hereinafter: AISP), the Card Based Payment Instrument Issuers (CBPII) (hereinafter together: third party payment service provider – TPP) set out in sections 31, 31/A, 38/A of the Act LXXXV of 2009 in Payment Services, the Bank shall transfer the personal data necessary for the fulfilment of its TPP services, if the Data Subject has preliminary provided the TPP with its consent thereto.

The Bank shall automatically provide access to the Indirect Electronic Channel (API) by default, without the Data Subject’s specific order in case of retail customer, if the Account Holder has a NetBank service and its Payment Account is available online. The Indirect Electronic Channel (API) and the TPP may be prohibited in accordance with the relevant General Terms and Conditions.

The Bank may transfer the Data Subject’s personal data included in the table below to the third-party payment service provider (TPP):

8. Data provision by Erste Wizz credit card application

We inform You that Your personal data provided by the application for the Erste Wizz credit card are transferred to the WIZZ Air Hungary Ltd. (registered seat: 1103 Budapest, Kőér utca 2/A building B II-V.) based on the legal title of contract performance for a period necessary for the implementation of the data processing purpose.

Data processing shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (under Article 4 2. of the GDPR).

Data Subject shall mean an identified or identifiable natural person (under Article 4 1. of the GDPR).

Data Subject’s consent shall mean any voluntary provided clear intention of the Data Subject that is based on specific and adequate information, whereby the concerned person declares by way of a statement or an explicit affirmative conduct that it provides its consent to the processing of its personal data.

Former Employee shall mean a natural person who had performed work for the Bank under an employment contract but is currently not employed by the Bank.

Employee shall mean a natural person who performs work for the Bank under an employment contract (under Section 34 (1) of the Labour Code).

Employer shall mean a person having legal capacity that employs employees under employment contracts (under Section 33 of the Labour Code).

Personal Data shall mean any information relating to an identified or identifiable natural person (‘Data Subject’);  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (under Article 4 1. of the GDPR).

I. Data processing by the Bank and the nature of the Privacy Notice

The Bank processes Your personal data either in the capacity of data controller or intermediary assigned by a third party data controller to carry out data processing activities (and also to act as intermediary for financial, auxiliary financial or investment services (hereinafter: “Intermediary”) or in the capacity of joint data controller with a third party company.

Two persons specified in the company register extract of the Bank (available at: https://www.e-cegjegyzek.hu/?cegadatlap/0110041054/TaroltCegkivonat) or two persons designated thereby may jointly represent the Bank.

The Bank has a qualifying holding (100% ownership interest) in the following subsidiaries, which, together with the Bank shall mean the members of the Erste Bank Group (hereinafter jointly referred to as: “Subsidiaries”):

  • Erste Investment Ltd. (registered seat: 1138 Budapest, Népfürdő u. 24-26. 8 floor)
  • Erste Building Society Ltd. (registered seat: 1138 Budapest, Népfürdő u. 24-26.)
  • Erste Mortgage Bank Ltd. (registered seat: 1138 Budapest, Népfürdő u.  24-26.)
  • Erste Real Estate Ltd. (registered seat: 1138 Budapest, Népfürdő u. 24-26.)

The parent company of the Bank (a legal person possessing a qualifying holding in the Bank) is: Erste Group Bank AG (registered seat: Am Belvedere 1, 1100 Vienna, Austria).

We inform You that in case we process Your personal data that qualifies You as a person identified or identifiable by the Bank (regardless of the purpose, legal title or duration of the processing of processing personal data), You shall be considered a Data Subject under the provisions of the governing data protection legislation, and shall be entitled to the rights set forth in the governing data protection legislations, in particular, in the GDPR and in the Info Act regarding the processing and the protection of personal data (hereinafter together: rights related to the processing of personal data).

This Privacy Notice contains information on the processing of the personal data related to all Data Subjects on the one hand, as well as additionally specific rules regarding the processing of the personal data related to each Data Subjects on the other hand. Certain rules of data processing are also included in the Business Rules of the Bank and the Bank shall also undertake and make all effort to ensure that the Data Subject, prior to the commencement of the processing of personal data, get acquainted with that part of this Privacy Notice that concerns him/her. The Bank publish this Privacy Notice on its website at: https://www.erstebank.hu/hu/adatkezelesi and also make it accessible at its branches. The Bank may prepare an extract of this Privacy Notice regarding the various types of Data Subjects and may make it possible for the Data Subject affected by the processing of its personal data to make a declaration regarding that the preliminary information concerning the processing of personal data has been provided and his /her acknowledgement thereof by way of signing this document or an extract thereof.

This Privacy Notice shall apply to personal data processing activity(ies) carried out by the Bank as of 14 October 2020. The Privacy Notice effective at the time of the personal data processing carried out by the Bank prior to this Privacy Notice shall govern such processing of personal data by the Bank.

The Bank shall be entitled for the unilateral amendment of this Privacy Notice at any time. The amendment shall be applicable to personal data processing performed under the previous Privacy Notice of the Bank in respect of the new parts of the amendment (otherwise processing of such personal data shall be subject to the rules prevailing upon the commencement of the processing of the personal data), whereas personal data processing commenced following the amendment of the Privacy Notice shall be entirely governed by the amended Privacy Notice (which shall be deemed the Privacy Notice in force upon the commencement of the processing of the personal data in respect of these Data Subjects). The Bank shall make accessible all amendments of the Privacy Notice on its website  https://www.erstebank.hu/hu/adatkezelesi. If the amendment is driven by legislative changes or by an administrative decision, or if the amendment does not concern issues relating to the processing of personal data (e.g. a change in the data protection officer or any other technical amendment) the change shall also apply to personal data processed prior to such amendment.

The Bank keep records of data incidents and notify the Data Subject and the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) of the occurrence of such incidents if required by the GDPR.

We inform the Data Subject that we only issue decision based on automated data processing by using Your personal data in case of online applications for personal loans (the ”automated decision-making”). We do not involve special categories of personal data in the automated decision-making. In the course of such automated decision-making, we check (as per the logic applied in the automated decision-making) Your age, income, regular income, employer, data stored in the Central Credit Information System, credit exposure, repayment behaviour regarding other credit.  If the Data Subject satisfies the minimum criteria, we assess the risk involved in entering into a contract with the Data Subject, implement the risk rating of the Data Subject, the result thereof will affect the eligible credit amount or may result in the approval or the rejection of Your application. You shall be entitled not to be subject to a decision based solely on such automated data processing. You shall furthermore be entitled to require a decision adopted by way of human intervention instead of or following the automated decision-making, to express Your position against the automated decision-making and to submit an objection to us against our automated decision-making at any of the contacts specified in Point II. C of this Privacy Notice, whereby we will assess Your submission and notify You thereupon.

The Bank may carry out profiling for direct marketing purposes on the basis of its legitimate interest for direct marketing under point (47) of the Preamble of the GDPR (for the compilation of a target group of recipients to be contacted for marketing purposes).

We inform the Data Subject that we may use Your anonymised personal data (i.e. that may not be linked to the Data Subject) for statistical purposes.

We inform the Data Subjects entering our registered seat, premises and branches and those using our ATMs that a continuous image recording is being applied at our registered seat, premises, branches and ATMs for the protection of human life, physical integrity, personal freedom, business, banking- and securities secrets as well as for personal and property security purposes upon our legitimate interests concerning personal, property and banking security. We process such image recording in accordance with the governing legislative provisions and our relevant policy on physical security.

Having Your consent thereto as set out in Article 6 (1) a) of the GDPR, we process Your personal data provided in the course of using the applications made available by us through an on-line platform, in principle until the withdrawal of Your consent.

We inform the Data Subject that our core activities and intermediation activities (as defined in Section 10 of the Banking Act) are subject to sector specific legislation that shall govern the processing of Your personal data (e.g. the Banking Act, Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, Act LXXXV of 2009 on the Pursuit of the Business of Payment Services, Act LXXXVIII of 2014 on the Insurance Activity, Act XCVI of 1993 on Voluntary Mutual Insurance Funds).

If we are subject to an obligation to erase personal data, we comply with such erasure obligation by way of factual, final and irreversible destruction / anonymisation and take measures for the full destruction of the documents to be destructed under such erasure obligation. If the irrevocable and final erasure / anonymisation takes place in the course of our regular erasure procedure, we will not send separate information to the Data Subject about the implementation of the erasure, but will inform the Data Subject whether we maintain record of the Data Subject’s personal data or not within the frame of exercising the right to access by the Data Subject. If the Data Subject submits an individual request for erasure, the Bank shall separately inform the Data Subject about the implementation of the irrevocable and final erasure / anonymisation (if the erasure is possible, otherwise about the reasons for refusal / partial implementation of the erasure). If the personal data requested to be erased by the Data Subject is the Data Subject's contact which we exclusively manage in relation to the Data Subject, we shall inform the Data Subject of the future erasure / anonymisation at this contact and the erasure shall be implemented thereupon by the Bank.

The Bank shall process the personal data (including the contact data as well) provided by the Data Subject as a data related to the Data Subject (the check of which shall not be a duty of the Bank), except the case when the Data Subject provides the Bank with a declaration that the concerned personal data is not related to it, whereby the Data Subject shall ensure that the Bank has lawful right to process the personal data not related to it but to another entitled person. The Data Subject shall issue a declaration in these cases that if it provides the Erste Bank Hungary Zrt. with such data that is not related to it, it has already informed the concerned person that it has shared the data relevant to this concerned person with the Bank, and the concerned person has already information – based on the privacy notice of the Erste Bank at the https://www.erstebank.hu/hu/adatkezelesi page - how Erste Bank shall process the data acquired not from the concerned person.  If a third party indicates to the Bank in relation to a contact managed by the Bank regarding the Data Subject that the Data Subject is not available at that contact, the Bank shall be entitled to inform thereabout the Data Subject at another contact managed by the Bank and to request that the Data Subject modify its particular contact details, and the Bank may restrict / erase / anonymize the processing of personal data challenged by a third party, even if it provides a service to the Data Subject for the given contact, in order that the Bank shall not process a third party related personal data without authorization.  

We may do voice recordings with a Data Subject’s prior express consent which may be managed till the withdrawal of such consent, but till the end of the retention period relevant for the other personal data processed with regard to the Data Subject, the latest (unless otherwise required by this Privacy Notice).

II. Information on the processing of all Data Subjects’ personal data

1.) We inform You that we process Your personal data in accordance with the governing data protection legislation, as defined in this Privacy Notice and as required by the Hungarian Data Protection Authority (NAIH), with respect to, and in compliance with the principles applicable to the processing of personal data, accordingly,

  1. Fairly and in a manner transparent for the Data Subject,
  2. Using personal data collected for clearly determined, legitimate purposes,
  3. Processing data that are proper, relevant and necessary in respect of the purpose of the processing of the personal data (complying with the principle of data minimisation),
  4. Precisely and in an up-to-date manner (in accordance with the principle of accuracy),
  5. Complying with the principle of storage limitation,
  6. Applying such technical and organisational measures that ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (on the basis of the principle of integrity and confidentiality),
  7. In compliance with the principles of privacy by design and by default and of accountability.

We inform the Data Subject that we shall be entitled to process personal data underlying the Intermediary activity as Intermediary carrying out financial, auxiliary financial / investment / auxiliary investment / insurance / payment intermediation activities in the interest, in the name and on behalf of the principals defined in Point VII of this Privacy Notice.

2.) The Bank shall ensure the enforcement of Your rights related to the processing of Your personal data as Data Subject by the Bank.

A.) Thereby we process Your personal data solely upon legal title complying with the data protection legislations, thus

  1. If, in connection with one or more specific (concrete) purposes that is/are identical to the purpose of data processing carried out by the Bank, You have given Your voluntary, explicit consent based on prior information (like this Privacy Notice) provided to the processing of Your personal data by the Bank by way of a clear affirmative action, such as a declaration provided in writing (including electronically) or verbally, or if
  2. The processing of Your personal data is required for establishing a contract between the Bank - or if the Bank acts as an Intermediary for financial, auxiliary financial services -, between the principal of the Bank and You, initiated by You, that is, for taking the steps preceding the conclusion of a contract (the processing of personal data is required for the purpose of entering into a contract) or for the performance of a contract, in which You as Data Subject are one of the contracting parties, or
  3. The processing of Your personal data by the Bank is based on the fulfilment of such legal duty applying to the Bank that has been established by Union or Hungarian legislation, or
  4. The processing of Your personal data by the Bank is required for the protection of the vital interests of You or another natural person, or
  5. The processing of Your personal data by the Bank is necessary for the purposes of the legitimate interests pursued by the Bank or a third party, except where such interests are overridden by Your interests or fundamental rights and freedoms as Data Subject, which requires the protection of Your personal data, in particular where the Data Subject is a child (legitimate interest constitutes the legal basis for the personal data processing).

B.) We inform You that You as Data Subject have the following rights in connection with the protection / processing of Your personal data by the Bank:

If Your personal data is processed by the Bank, in connection therewith,

  1. You may request access to personal data related to You, by way of requesting information from the Bank regarding Your personal data processed thereby. Information and copies of the processed data shall be provided free of charge (Right to access personal data),
  2. You may request the rectification / supplement of personal data related to You without undue delay if Your personal data processed by the Bank are incorrect / incomplete. (Right to rectification). If exercising the right to rectification / supplementing of personal data would result in a change to personal data contained in Your Contract entered into with the Bank, that may be done by Data Subject as specified in the Business Rules of the Bank regarding contract amendment, or in lack thereof, in compliance with the legislative provisions in force or as set out by Your Contract with the Bank regarding the contract amendment;  
  3. You may initiate the erasure of all or only of Your certain personal data processed by the Bank (Right to erasure). Under this right, You may obtain to erasure / anonymisation of Your personal data on a final and irreversible basis (and to destruct / anonymise the documents containing the personal data of the Data Subject involved in such deletion) by the Bank, in respect of which
    1. the processing purpose for which the Bank as Data Controller collected or processed Your personal data no longer exists and no other legal basis exists for the personal data processing by the Bank and the personal data have not been erased / anonymised, or 
    2. the processing of Your personal data is based on Your consent provided to the Bank and You have withdrawn such consent from the Bank in accordance with this Privacy Notice (and no other legal basis provided by law exists for the Bank for the processing of personal data),
    3. You have lawfully objected to the processing of Your personal data and no overriding purpose exists for the continued processing of Your personal data by the Bank,
    4. according to Your position, the processing of Your personal data is unlawful.

Under Article 11 of the GDPR, we inform You that if no data processing purpose exists for the Bank that requires / permits the processing of the data of the Data Subject by the Data Controller, following the erasure / anonymisation of the relevant personal data, the Bank may only retain the customer identification numbers of Data Subjects (in respect of Data Subjects having customer identification numbers) so that the Bank is able to verify, upon a possible disagreement that the erasure / anonymisation has been completed by the Bank. The Data Subject shall provide its customer identification number to facilitate the verification of such erasure; in lack thereof, the Bank will be only able to inform the Data Subject or the party lawfully requesting information regarding the Data Subject that the Bank does not process any personal data regarding the Data Subject at that point in time.

Instead of erasure, the Bank shall block the personal data of the Data Subject if the Data Subject requests so or if it can be assumed on the basis of the information available to the Bank that an erasure would infringe the legitimate interests of the Data Subject. Personal data blocked for this reason may be processed only as long as the purpose for data processing that excluded the erasure of such personal data exists.

4. You may request the restriction of the processing of personal data concerning You, designating the scope of personal data to be restricted (“Right to the Restriction of Data Processing”). Under this right You may obtain restricted processing of Your personal data by the Bank if You contest the accuracy thereof or if, in Your view, the data processing is unlawful, nevertheless, You are against the erasure of the personal data, or if the Bank as Data Controller does not need the personal data for the purpose of processing but You need the same for the submission or assertion or the protection of legal claims.

5. You may request the Bank to specify the recipients whom it had informed of such rectification or erasure of data or of the restriction of data processing,

6. You may withdraw Your consent to the data processing at any time if Your consent shall mean the legal basis for the processing of Your personal data by the Bank (“Right to the withdrawal of consent”). We may process Your personal data following the withdrawal of Your consent, if processing is necessary for the Bank to comply with its legal obligation or on the basis of its legitimate interests, if the pursuit of such interests is proportionate to the limitation of the right regarding the privacy personal data,

7. You have the right to receive Your personal data provided by You to the Bank in a structured, commonly used, machine readable format. You / a third person lawfully authorised by You may request the Bank to transfer such data to another data controller (if data is processed by the Bank on the basis of Your consent or of a contract with the Bank, in which You are one of the contracting parties and if the relevant data are processed using automated means; (“Right to Data Portability”). We inform You that, at this point in time, the Bank is unable to satisfy the request You / the third person lawfully authorised by You submitted on Your behalf regarding Your personal data provided to the Bank (that is, Your application regarding the acceptance of the personal data proposed to be recorded by the Bank) considering that no data processing procedure or a purpose for processing exists for the Bank that would facilitate the satisfaction of Your request and the processing of Your personal data limited to the relevant purpose, thus the Bank is currently not entitled to receive the data carrier containing Your personal data provided to it and to process the personal data stored thereon,

8. You may contest a decision if the Bank uses automated individual decision-making (“Right to contest”),

9. You may object to the processing of Your personal data by the Bank on legal basis of legitimate interest or on grounds relating to Your particular situation in the cases defined in the GDPR (“Right to object”);

10. Regarding the lawfulness of the processing of Your personal data by the Bank, You may initiate the procedure of the Hungarian National Authority for Data Protection and Freedom of Information (abbreviated name: NAIH, registered seat: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9.., website: www.naih.hu, telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, central e-mail address: ugyfelszolgalat@naih.hu) or seek judicial remedy (”Right to Redress”);

11. Regarding the processing of Your personal data, You may contact the Data Protection Officer of the Bank.  Name and contact details of the Data Protection Officer of the Bank: dr. Katalin Fonth; email: Adatvedelem@erstebank.hu

C.) As a Data Subject You may submit to the Bank Your questions / requests regarding the exercise of Your rights related to the processing of personal data at the following contact details:  

  1. In writing, in a letter sent to the address of the registered seat of the Bank (Erste Bank Hungary Zrt.; 1138 Budapest, Népfürdő utca 24-26.) (the application form regarding the processing of personal data is attached as Annex no. 1 to this Privacy Notice),
  2. In a written application submitted at any branch of the Bank,
  3. Verbally made via a recorded telephone line using the telephone customer service of the Bank (Telebank telephone number: +36 (1) 298-0222; to special customers: +36 (1) 298-0196),
  4. In an e-mail message sent to the erste@erstebank.hu address,
  5. In an e-mail message forwarded from the NetBank platform.

With a view to the Bank’s obligation regarding the protection of personal data/ banking secrets / securities’ secrets / insurance secrets / business secrets, we shall complete the appropriate identification of the Data Subject in line with its capacity (customer, applicant etc.) in accordance with this Privacy Notice, and shall only be entitled to complete the application / request of the Data Subject only after the (proper level) identification of the Data Subject, upon the fulfilment of the Data Subject’s application regarding the processing of personal data.

We accept requests / applications regarding the processing of personal data submitted by means of standard forms issued by NAIH for applications / requests to be submitted by a data subject, if the personal data to be provided thereon have been completed in full. If this request has been submitted in paper form, it shall also be signed by the Data Subject.  If the Data Subject has not provided all personal data necessary for identification in the request, the Bank shall call on the Data Subject to supplement its personal data to facilitate a response to be provided to the request / application.

We provide the Data Subject with an application form on the personal data processing to submit the written applications as an Annex No. 1 to this Privacy Policy, whereby the Data Subject can submit its written application to the Bank by filling it. As per this Privacy Notice, we however accept written applications of the Data Subject other than this form as well.

Application of the Data Subject under Clause III 1-7 of this Privacy Notice for the processing of personal data shall include (beside the standard form issued by the NAIH) at least the surname and name, place and date of birth, Mother’s maiden name and the address with regard to the Data Subject.

Application of the Data Subject under Clause III 1-7 of this Privacy Notice for the processing of personal data shall be fulfilled by the Bank by way of delivering a response via post. If attachment of copies shall become necessary concerning the response, this duty shall be fulfilled by the Bank by way of delivering a password-protected electronic data carrier to the Data Subject by post (as an annex to the basic information). The Bank shall deliver the password necessary for the use of the electronic data carrier and the information for the use of the password in a separate letter by post (in a so called password letter), in addition to the information letter, at least one working day following the delivery of the basic information letter.  (Due to banking secret privacy and information security duties) a Data Subject under Clause III 1-7 of this Privacy Notice shall only be sent information classified as personal data in an encrypted e-mail if the Data Subject expressly requests the e-mail delivery and even in this case, we shall fulfil the electronic delivery only to the e-mail address available by us, in a password-protected delivery if it is technically possible due to the size of any attachments. In this case, we shall deliver the password to the Data Subject necessary to access to the encrypted content via another contact channel data processed by us other than e-mail (telephone number, mailing address) or in any other identifiable manner. Information on the use of the password shall be included in the information that contains the password.

Application of the employee or former employee of the Bank for the processing of personal data shall include (beside the standard form issued by the NAIH) at least the surname and name, birth name, place and date of birth, Mother’s maiden name and the social insurance number with regard to the Data Subject.

We may request the application of the Data Subject (Other Data Subject) under Clause III 10) of this Privacy Notice in written form, (beside the standard form issued by the NAIH) by way of listing the types of personal data (processed data, for example name, e-mail address, telephone number) provided to and processed by the Bank, and by specifying the reason / purpose of data processing by the Bank.

Such application of the employee or former employee of the Bank, and the Other Data Subject on the personal data processing that means the transfer of personal data regarding the Data Subject, shall be fulfilled by the Bank by way of delivering a response via post if the mailing address of the Data Subject is being processed thereby. If attachment of copies shall become necessary concerning the response, this duty shall be fulfilled by the Bank by way of delivering a password-protected electronic data carrier to the Data Subject by post (as an annex to the basic information). The Bank shall deliver the password necessary for the use of the electronic data carrier and the information for the use of the password in a separate letter by post (in a so called password letter), in addition to the information letter, at least one working day following the delivery of the basic information letter. An employee or former employee of the Bank, and the Other Data Subject shall only be sent information classified as personal data in an encrypted e-mail if the Data Subject expressly requests the e-mail delivery or if the Data Subject's request has been received by e-mail and the Data Subject provides the Bank with a contact channel other than the e-mail (e.g. telephone number, mailing address) in order to send the password required to open the reply letter containing the personal data, or in case of contact information regarding the Data Subject other than the e-mail address is already being processed by the Bank and it is technically possible due to the size of any attachments. In this case, the Bank will send the password to the Data Subject via the contact channel other than e-mail. Information on the use of the password shall be included in the information that contains the password.

If the Data Subject has not received the postal letter (i.e. if the return receipt is returned to the Bank with a signal of not sought / received), the Bank will try to send the letter to the Data Subject once more, thus fulfilling its obligation to ensure the enforcement of the Data Subject's privacy rights, thereafter, the Bank shall resume the delivery of items that could not been received twice, only at the repeated request of the Data Subject.

If the Bank is under the obligation to disclose personal data regarded as banking secret to a third person within the frame of exercising the Right to portability, the Bank shall complete a request / application submitted in the form of a document or public document with full probative force under legislative provisions applicable to the protection of banking secrets, in compliance with Section 161 (1) of Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (“Banking Act”).

If a Data Subject has submitted its request related to the processing of personal data contrary to the above and the Bank was not able to identify properly the relevant Data Subject as required for data security and / or for the protection of banking secrets (as contained in this Privacy Notice), the Bank shall request the Data Subject to supplement data, and upon a failure or non-fulfilment of such request, the Bank shall not be able to respond to the request. That period of time from starting from the Bank’s request for the provision of the necessary personal data / for the performance of a lacking activity until the provision of the personal data shall not be included in the calculation of the due date for responding to the request.

An application by a Data Subject regarding the processing of personal data shall not be considered by the Bank as a complaint but, if the Data Subject makes a complaint in its application regarding the processing of personal data that is in accordance with the applicable legislative provisions and the complaint handling regulations of the Bank, the Bank may respond to the request regarding the processing of personal data and to the complaint submitted by the Data Subject in a single notice (where adequate information is provided). If, following information provision by the Bank regarding the processing of personal data / a response provided by the Bank to another request regarding the protection of personal data, the Data Subject makes a complaint as set forth in the complaint handling policy of the Bank, where such complaint is not related to the processing of personal data, the Bank shall process and respond to such request as a complaint.  

The Bank shall complete a request regarding the processing of personal data / provide a response to such an application without undue delay, but in any event within one month following the submission thereof. This one-month period may be extended by two further months, taking into account the complexity and the number of requests, where the Bank shall inform the Data Subject of any such extension within one month of submission /  receipt of the request to / by the Bank.

D.) Ensuring Data Accuracy

The Bank shall ensure the accuracy of the processed data based on the principle of cooperation and information set forth in its Business Rules. For this reason, the Bank may contact You to update Your contact data in respect of Your contact data processed by the Bank, in order to ensure the compliance with the principle of accuracy set forth in Article 5 (1) d) of the GDPR and to facilitate data clarification (data cleaning). If data clarification is possible via the modification of contractual data, the Data Subject shall do such amendment in accordance with the provisions of the Bank’s Business Rules on contract amendment.

E.) Advertising contact via direct marketing

Under Section 6 (1) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“Commercial Advertising Act”), we inform the Data Subjects that we only send (commercial) advertisements (definition: Section 1 (d) of the Commercial Advertising Act) to natural persons as per direct marketing to the recipients (thus, in particular, via electronic correspondence or other equivalent means of individual communication, with the exception of the addressed postal advertising and telephone contact made via a non-automized telephone calling system), either ourselves or via our agent if the relevant Data Subject as the recipient of such advertising has given its prior, clear and specific consent thereto. We keep records of the personal data of natural persons who make an explicit declaration of consent. Personal data entered into these records relating to the recipients of advertising may be processed only in accordance with and until the withdrawal of the declaration of consent (but in any event until the date set in Clause IV. 13) and may be transferred to a third party only upon the prior approval of the Data Subject given as required by law. Withdrawal of the consent shall cover the period after the withdrawal of the consent, processing of personal data falling before this period shall not be affected by the withdrawal of the consent.

The Bank may contact a Data Subject in accordance with the Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing, upon the conditions set forth therein, either itself or via its authorised representative for the purpose of research or direct marketing. For this purpose, the Bank may contact natural persons at their telephone numbers listed in public telephone directory databases, not marked as restricted.  The Data Subject of such contact may object to such contacts. We keep records of the persons who objected to be further contacted by the Bank for such purpose or its authorised representative.  

F.) Means of information

In this Privacy Notice, we inform the Data Subject of the means applied for processing the personal data obtained from the Data Subject, learned by the Bank through the actions of the Data Subject and from conclusions drawn by the Bank regarding the Data Subject. 

If Your personal data processed by the Bank were not made available to the Bank by You, the Bank provides specific information under Article 14 of the GDPR, with the exception of the case(s) contained in Article 14 (5) of the GDPR.

If the personal data was obtained from You as a Data Subject, that types of personal data related to You and processed by the Bank are contained in the forms via the completion thereof we manage Your personal data.

G.) Other provisions

If the Bank has the right to process personal data, the Bank may also process under such right all related paper-based or electronic documents containing the Data Subject’s relevant personal data through the entire duration of the processing of personal data contained in such documents.

We inform the Data Subject that the duration of processing personal data by the Bank shall be extended (with the period of processing the following personal data, or with the outstanding time of such period) if, upon the expiration of the duration of the processing of personal data available to the Bank, criminal proceedings, claim management or such other proceedings are in progress against the Data Subject in the course of which the processing of personal data by the Bank is necessary for asserting its legal claim / for complying with a legal obligation of the Bank / a legitimate interest of the Bank exists for this purpose.  

The electronic data contained in the litigation records of the Bank regarding the parties to the litigation and the adjudicated issue (with the exception of documents stored electronically) are not erased / anonymised in consideration of the legitimate interest of the Bank (res iudicata can be evidenced).

Documents constituting ownership claim will not be erased considering that ownership claims are not subject to limitation.

If the Bank is obliged to issue personal data to a person other than the Data Subject in compliance with the Data Subject’s right to Data portability, the Bank shall inform and warn such recipient third person in the scope of this Privacy Notice that the personal data issued by the Bank concerning the Data Subject shall not be used for his/her own purposes and such personal data may be only processed in compliance with the applicable data protection legislation, and observing the principle of purpose limitation. The Company does not accept liability for the third-party usage of personal data adequately transmitted to a third person at the Data Subject’s request.

III. Processing of personal data as per main types of Data Subject

The Data Subjects of personal data processed by the Bank in connection with its activities are typically the following Data Subjects: 

  1. Customer: all the natural persons who use financial services / auxiliary financial services (the “Service”) provided by the Bank as a financial institution (Section 160 (2) of the Banking Act),
  2. Applicant: all the natural persons who contact the Bank to receive Services, but who decide not to use such Services (Section 160 (2) of the Banking Act),
  3. Co-debtor, surety, a natural person providing other security: a person involved in the performance of a contract for financial service / auxiliary financial service (the “Contract”) in addition to the debtor Customer, who shall be liable on behalf of /in addition to the debtor Customer upon a failure by the debtor Customer to satisfy its payment obligations under and as set forth in the Contract,
  4. Authorised representative: a natural person who acts on behalf of another natural or legal person as set forth in Section 6:11 of the Civil Code,
  5. Contributor: A natural person making a cash deposit onto the customer’s account maintained with the Bank,
  6. Beneficiary: a natural or legal person who is the recipient of the funds constituting the subject of the payment transaction (Section 2 (12) of the Payment Services Act),
  7. Contact Person: the person on behalf of the party entering into a Contract with the Bank as being specified in the Contract for the purpose of keeping contact,
  8. Employee
  9. Former employee
  10. Other Data Subject (in particular, a person who signs up to a newsletter, contracted partner’s contact person) All Data Subjects who are not classified as Data Subject specified in Clause III 1) through 9) of this Privacy Notice are included in this category.

We process personal data primarily for the purpose of entering into a Contract with the Data Subject for the performance of financial services and to ensure that the Bank and the Data Subject that concludes such Contract with the Bank are equally able to perform the Contract.  

If the personal data processed by the Bank are considered banking, securities’, insurance secret or data categorised as other protected data (e.g. business secret), the Bank shall process such personal data in compliance with the legislative provisions applicable to the given type of secret in addition to complying with the provisions regulating the protection of personal data.

IV. Specific rules regarding the processing of personal data of each Data Subjects

1.) Out of the natural persons listed in Clause III. 1 of the Privacy Notice, the Bank will / shall process the personal data of the Customer, the co-debtor, the surety and the natural persons providing other security (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data. 

We inform the Data Subject that we use anonymised personal data for the purpose of product development.

If (any of) Your personal data are processed by the Bank based on Your consent as per the above table, we process Your personal data under such consent, until the withdrawal thereof / or if the purpose of data processing has been implemented previously, until the implementation of the data processing purpose, or in lack thereof, as long as any legal basis exist for the Bank for processing Your personal data (except if this Privacy Notice sets a period shorter than that for the processing of certain consent based personal data processing by the Bank). Withdrawal of the consent shall cover the period after the withdrawal of the consent, processing of personal data falling before this period shall not be affected by the withdrawal of the consent.

If You have entered into a Contract with the Bank that requires the use of a telephone number (e.g. Text message service) and/or of an email address, in that case the we process such personal data on the legal basis and for the duration set out in point 6 of the above table for the purpose of performing the Contract, except if You change Your relevant contact data in the form of contract amendment (whereupon the Bank shall erase /anonymise the former personal data on a final and irreversible basis).

2.) Out of the natural persons listed in Clause III. 1 of the Privacy Notice, the Bank will / shall process the personal data of the Applicant (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data

  1. The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (2) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data.

    If the Bank has conducted credit assessment in Your respect, in the course of which it has commenced Your identification in compliance with the AML Act, but we have rejected Your credit application, the Bank shall process Your personal data and the documents containing those for 5 (five) years following the failure of the Contract based on its legitimate interest set forth in Section 166/A (2) of the Banking Act and, whereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

    If the processing of Your personal data by the Bank is solely based on Your consent (and no other legal basis exist for the Bank to process Your personal data), the Bank shall process Your personal data until the fulfilment of the purpose of data processing but in any event no longer than up to 6 (six) months and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.
  2. In case You express Your intention, interest, wish towards the Bank to conclude a Contract, but the Bank or its Intermediary has not started the due diligence under the AML Act for the conclusion of the Contract, the Bank may process Your personal data (with Your consent) till 6 (six) months upon the receipt of the personal data, or, if You have withdrawn Your consent within this period of time, till the withdrawal of such consent, whereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

3.) Out of the natural persons listed in Clause III 1 of the Privacy Notice, the Bank will / shall process the personal data of the Beneficiary of the Contract, the Contact person specified in the Contract, other contributors of the party entering into the Contract (in particular interpreters and  translators) and of Authorised Representatives acting with the aim of entering into or performing the Contract (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data.

4.)  Out of the natural persons listed in Clause III 1 of the Privacy Notice, the Bank will / shall process the personal data of the Payer (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing). The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in addition to complying with the provisions of the Banking Act on the protection of personal data.

5.) Out of the natural persons listed in Clause III. 1 of the Privacy Notice, the Bank will / shall process the personal data of the Payer (and any possible document(s) containing such personal data according to the following: (information provision prior to data processing).

i) If the processing of Your personal data by the Bank is solely based on Your consent (and no other legal basis available for the Bank to process Your personal data), the Bank shall process Your personal data until the fulfilment of the purpose of data processing but in any event no longer than 6 (six) months and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

ii) The Bank may process Your personal data as Other Data Subject beyond or in lack of Your consent in pursuit of a legitimate purpose of data processing, on any of the legal basis set out in Clauses II.2.) A) 1.) and 4) - 5) of this Privacy Notice as long as such legal basis and the purpose of processing may exist, and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.

V. Further information regarding the processing of personal data of all Data Subject / Each Data Subjects

a.) Subscriber to newsletters The Bank may process Your personal data (provided for the purpose of receiving newsletters) in order that You receive the newsletter at the provided contact point as per Your request, until You unsubscribe as Data Subject. You may unsubscribe bay way of pushing the unsubscribe button in the Newsletter.

b.) The website operated by the Bank may automatically save information about You within the course of using the website (whereupon no personal data may be identified about You), and the Bank may place so called cookies thereon for the purpose of

  • collecting information about Your asset,
  • ensuring that such information can assist You in using online transactions, or
  • using such information to optimise advertising contents available on the website and other web pages.

The detailed rules on the use of the cookies is available at the below website: https://www.erstebank.hu/hu/cookie-policy

c) Processing of the personal data of contact persons, authorised representatives and other contributors in respect of contracts concluded by the Bank for non-financial /auxiliary financial services

The processing of personal data of contact persons, authorised representatives and other contributors designated in a contract entered into between the Bank and a service provider under Act V of 2013 on the Civil Code (hereinafter the “Civil Code”) is deemed to be processed for the purpose of keeping contact with the aim of performing the contract (legitimate interest) existing between the Bank and the other party to the contract, in the interest of the party on whose behalf the relevant natural person acts and serves this purpose. The Bank processes the personal data of contact persons, authorised representatives and other contributor natural persons  as personal data of Other Data Subjects during the entire retention period of the contract existing between the Bank and the service provider that has entered into a contract with the Bank, where such retention period is 5 years following the termination of the contractual relationship between the Bank and the service provider if there is no dispute between the Parties (and if the limitation period is not interrupted or suspended), except if such Other Data Subject objects to the processing of his/her personal data with the Bank.  Upon a successful objection to the processing of the personal data of contact persons, authorised representatives or other contributor natural persons, the Bank terminates the processing of the personal data of such Data Subjects.

d) Processing of former employees’ personal data by the Bank

Former employees’ personal data may be processed by the Bank for the purpose, on the legal basis of and for the duration set out in this Clause, by means described in the General part of this Privacy Notice.

  1. According to Section 99/A of the Act LXXXI of 1997 on Social Security Pension Benefits (Social Security Act), the Bank as employer shall retain the labour documents  containing data regarding the social security relationship, duty period relating to the employee as beneficiary or ex-beneficiary of the social security, or the earnings, income that may be taken into consideration by the establishment of the pension benefits, for five years from reaching the retirement age relevant for the beneficiary or ex-beneficiary of the social security. We process these personal data with the purpose of complying with our legal obligations.
  2. The Bank processes other personal data and the documents containing such other personal data in connection with the employment relationship of a Data Subject described in this Clause and the relevant personal data for 3 years following the termination of the employment contract under Section 286 (1) of Act I of 2012 on the Labour Code (the “Labour Code”), with the exception of personal data processed under a legal basis being the Data Subject’s consent.  The Bank processes personal data processed under the consent of Data Subjects described in this Clause until the withdrawal of consent but in any event for up to 3 years following the termination of the employment contract as set forth in Section 286 (1) of the Labour Code.

e.) Processing of personal data of applicants for job offers

We process the personal data of the Data Subject completing a registration on the Career portal of the Bank (http://karrier.erstebank.hu) (including the documents attached by the Data Subject completing the registration and the personal data contained therein) for the below data processing purposes and within the following duration:

-  to consider the application of the Data Subject to the specific job offer within the selection process, from the application till the closure of the selection, but no longer 1 (one) year,

-  to consider this personal data by filling the positions opening at the Bank, to contact the registered Data Subject at the contact details provided by the registration with new positions possibly becoming actual, till 1 (one) year from the last application of the Data Subject to a specific position.

The Data Subject may register its data, and may attach its (photographic) Curriculum Vitae as document in a manner and format offered at http://karrier.erstebank.hu  website. If the registrant Data Subject provides a specific personal data by the registration, or attach a document containing specific personal data, the Data Controller shall inform the Data Subject that it shall not be entitled to process this personal data in the lack of the explicit consent made by the Data Subject, and the Data Controller shall immediately erase / delete this type of personal data after receiving thereof (if the registrant Data Subject does not provide the Data Controller with its explicit consent to the processing of such specific personal data). The Data Controller call the Data Subject not to provide access for the Data Controller to specific personal data (in the lack of its consent), because the Data Controller do not process such personal data of the Data Subject without the consent thereof. Only the Human Resources Management area of the Bank and the managers concerned with the selection procedure have access to the data provided by the Data Subject.

The Data Subject shall be entitled to change its password ensuring the usage of the surface, or the registered personal data at any time, and to terminate the access at any time. We call the attention of the Data Subject completing a registration that erase of the registration completed by the registrant Data Subject and the personal data contained therein can be done by the Data Subject in the account set up by the Registration, and can also initiate it via electronic mail sent to karrier@erstebank.hu e-mail address.

The Data Subject shall acknowledge that we may transfer Your personal data provided at the Career portal to contractual third parties as Data Controller, for the purpose of application to job offers, for the conclusion of targeted employment to use video interview platform service (Indivizo Zrt.), and to fill in The Predictive Index® surveys.

Nexum Magyarország Kft. (registered seat: 6722 Szeged, Gyertyámos u 13.; Company registration number: 06-09-004861) is the assigned data processor of the Bank.

We may specify and disclose more detailed information for the Data Subject applying for position on the application surface.

f.) Use of Facebook, Viber, banking widget surface

We ensure for the Data Subjects to request information regarding our services both at Facebook and Viber user interfaces and at our website. These interfaces cannot be used for lodging complaints and for sending privacy related requests, Data Subjects may only make requests thereby regarding the issuance of or questions concerning the general data not deemed banking or other types of secrets. We process the personal data provided in the course of using these portals upon consent provided by the Data Subject, until the withdrawal of such consent by the Data Subject, or in lack thereof, for 6 months after the relevant personal data have been recorded in our systems. Upon the expiry of this period, the Bank will finally and irreversibly erase /anonymise Your personal data (if no other legal basis exist for the processing of such personal data by the Bank).

VI. Additional rules regarding the processing of personal data concerning a group of Data Subjects that is special in respect of the processing of personal data (in particular, persons below the age of 16, natural persons providing data classified as special category personal data) and the processing of personal data by the Bank

1.) Persons below the age of 16 shall be considered children under the GDPR.

We only process personal data in relation to information society related services offered directly to children if the child is over the age of 16. Where the child is below the age of 16, we do the processing of the children’s personal data only if and to the extent that consent is provided or authorised by the person holding the custody rights concerning the child.

2.) Processing of special categories of personal data

Under Article 9 of the GDPR, we process special categories of personal data (that is, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation only if the Data Subject has given explicit consent to the processing of such special categories of personal data for one or more specific purpose(s), except if EU or Member State legislation excludes data processing based on consent and except if any legal basis for the processing of special categories of personal data set forth in Article 6 (b) - j) exist on our side. We process Your special category personal data (even in case of Your consent) solely for the purpose of data processing You have consented to and only as long as such purpose exists. We process Your biometric signature for the purpose of ensuring the electronic signature of documents that may be signed electronically, and the handover of documents in electronic form, and the authentic identification of the signatory person using the electronic signature facility. In case of processing a biometric signature as personal data, we process Your biometric signature for 8 years following the year of adopting the annual report prepared for the year when the last Contract related accounting certificate has been issued (also considered as the termination of the Contract) (under Section 169 (2) of the Accounting Act.

The Customer may withdraw its consent to the register of the biometric data by the Bank at any time within the biometric signature process. If the Customer withdraw the consent, it shall not concern the lawfulness of the earlier data processing, so the contracts concluded, declaration made so shall remain valid and effective even after the withdrawal, those are available for the Customer until the Erste NetBank contract concluded with the Bank remains in force. We process the Customer’s biometric data / biometric signature within the retention period of the Electronic documents, set out in the legislation and in the Privacy Notice of the Bank, linked to the document, we do not use it for other purposes after the withdrawal of the consent.

The Data Controller have made an impact assessment before the commencement of the processing of biometric signature to see how the data processing affects the protection of personal data and have also assessed the risks of data processing related to the rights and freedoms of the data subjects. Based on the assessment, it can be concluded that the existing risks and the chances of possible abuses are very low, considering that the Data Controller ensures the protection of bank secrecy and personal data by applying the necessary technical and organizational measures in accordance with data security and information security regulations.

In consideration of the above, we request You not to provide the Bank with special category personal data without providing Your consent to the Bank for the processing thereof (where such consent shall also contain the purpose in respect of which You authorise the Bank to process data) because, in lack of Your explicit consent containing the purpose of data processing as well, the Bank will not have the right to access and thus to apply such personal data by the adoption of its decisions. We shall immediately erase /anonymise such personal data without reading if we establish that You have not provided Your consent to the Bank to the processing of Your special category personal data.

3.) Processing of personal data related to criminal liability

We process personal data regarding decisions on the declaration of criminal liability and offences and the related security measures in the scope permitted by Hungarian law (if the Bank is deemed complainant or plaintiff in respect of the relevant offence or asserts a civil law claim in the criminal proceeding). If the Bank did not file a civil law claim in the criminal proceeding, we process such data until the decision adopted in the criminal proceeding becomes final, otherwise (if a civil law claim has been lodged) for 5 years after the judgement becomes final (that is, until the limitation of the right of enforcement) except if such period of limitation is interrupted or suspended (in this case, in compliance with Section 57 on the Act on Judicial Enforcement and with Section 286 of the Labour Code).  

4.) In accordance with applicable legislation, the Bank may purchase databases containing personal data from service providers having a contractual relationship with the Bank and if a Data Subject is recorded in such database, the Bank may contact the Data Subject at its contact details listed in the database, in compliance with legislative provisions applicable to the relevant contact to be made.

5.) The Bank may contact business organisations for the purpose of direct marketing (advertising) at the e-mail address and telephone number of such business organisations assigned for contact purpose, in compliance with the applicable legislative provisions.

6.) If, in the scope of its right related to the processing/protection of its personal data, set out in Clause II/ 2/ B of this Privacy Notice, the Data Subject requests the issuance of a copy of such a document processed by the Bank, where the Bank’s right to process / protect the Data Subject’s personal data does not cover the issuance thereof, we inform the Data Subject to that effect and notify it that the Bank can fulfil the relevant request charging a service fee announced in respect of the relevant service and the Bank shall fulfil such request by the Data Subject after the Data Subject has indicated that it requests the issuance of the relevant copy also being aware of the relevant charge.   

VII. Personal data transfer (categories of recipients regarding the personal data transferred by the Bank)

Pursuant to Article 13 (1) (e) of the GDPR, we inform You that we transfer Your personal data to the following categories of recipients on the below legal basis:

1.) Within its financial-, auxiliary financial activity, the Bank may transfer the Data Subject’s personal data to the data processors assigned by the Bank for outsourced activity and specified in Annex No. 1 to the actual version of the Erste Bank’s Business Rules (the ”Annex No. 1 to the Business Rules on Financial Services”) based on the Section 164 j) of the Banking Act and the data processing agreement concluded with the person doing the outsourced activity. Actual version of the Annex No. 1 of the Business Rules on Financial Services is available at the https://gate.erstebank.hu/uzletszabalyzat website. Purpose of this data transfer is the fulfilment of the activity as outsourced activity as of the Annex No. 1 of the Business Rules on Financial Services to be performed by the particular data processor, and the duration thereof shall be last till the fulfilment of the data processing purpose.

2.) Based on Section 161 c) of the Banking Act, we (may) transfer Your personal data to company(ies) dealing with debt collection and having contractual relationship with the Bank for the purpose of debt collection defined herein for the period necessary for the fulfilment of the data processing purpose.

3.) Based on Section 164 q) of the Banking Act, we transfer Your personal data necessary for the fulfilment of a contract arranged by an Intermediary for intermediated financial service to the Intermediary being in contractual relationship with the Bank, for the period necessary for the fulfilment of the data processing purpose. List of contractual Intermediaries is available at the http://www.mnb.hu/felugyelet/engedelyezes-es-intezmenyfelugyeles/piaci-szereplok-keresese/kozvetitok-keresese website of the National Bank of Hungary. Intermediaries are entitled upon their contract with the Bank to transfer the personal data lawfully acquired during their intermediary activity.

4.) In accordance with Section 164 d) of the Banking Act and the data processing contract, we may complete a transfer of personal data relating to the Data Subject to the auditor authorized by the Bank, to legal experts (individual lawyer and law office) having contractual relationship with the Bank or to other experts for the purpose of audit / legal, or other expert activity till the fulfilment of this purpose.

In case the Data Subject’s consent is the legal basis for the data processing by the recipient as data processor, we shall inform the data processor about the withdrawal of the Data Subject’s consent, whereupon the data processor shall no longer be entitled to process the data of the Data Subject that is being subject to its consent. We shall notify the data processor, if fulfilment of other duty becomes necessary for the data processor based on a request for the erasure / anonymise, correction, freezing of the personal date relating to the Data Subject or other personal data processing request.

5.) We may assign our claim towards the Data Subject, whereby we transfer all data and document relevant to the debt of the Data Subject to the assignee upon the assignment contract (unless otherwise agreed by the assignor and the assignee in the assignment contract). Under Section 169 (2) of the Accounting Act, we process the accounting certificates relating to the assignment, and the underlying documentation for 8 years following the year of adopting the annual report prepared for the year when the assignment related accounting certificate has been issued

6.) We may transfer Your personal data to the authorities having jurisdiction and competence, if the relevant legislation require us to process these personal data, or if the authority having jurisdiction and competence has delivered us a proper request.

In the frame of ensuring the enforcement of Your access rights, we also inform You (upon Your request) in addition to the information on the recipient categories (by providing the company name and registered seat data) about such recipients whom Your personal data is / has been transferred.

7.) Open banking (API channel) related data transfer

For the performance of the duties of the Payment Initiation Service Provider (hereinafter: PISP), the Account Information Service Provider (hereinafter: AISP), the Card Based Payment Instrument Issuers (CBPII) (hereinafter together: third party payment service provider – TPP) set out in sections 31, 31/A, 38/A of the Act LXXXV of 2009 in Payment Services, the Bank shall transfer the personal data necessary for the fulfilment of its TPP services, if the Data Subject has preliminary provided the TPP with its consent thereto.

The Bank shall automatically provide access to the Indirect Electronic Channel (API) by default, without the Data Subject’s specific order in case of retail customer, if the Account Holder has a NetBank service and its Payment Account is available online. The Indirect Electronic Channel (API) and the TPP may be prohibited in accordance with the relevant General Terms and Conditions.

The Bank may transfer the Data Subject’s personal data included in the table below to the third-party payment service provider (TPP):

8. Data provision by Erste Wizz credit card application

We inform You that Your personal data provided by the application for the Erste Wizz credit card are transferred to the WIZZ Air Hungary Ltd. (registered seat: 1103 Budapest, Kőér utca 2/A building B II-V.) based on the legal title of contract performance for a period necessary for the implementation of the data processing purpose.

VIII. Further glossary

Data processing shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (under Article 4 2. of the GDPR).

Data Subject shall mean an identified or identifiable natural person (under Article 4 1. of the GDPR).

Data Subject’s consent shall mean any voluntary provided clear intention of the Data Subject that is based on specific and adequate information, whereby the concerned person declares by way of a statement or an explicit affirmative conduct that it provides its consent to the processing of its personal data.

Former Employee shall mean a natural person who had performed work for the Bank under an employment contract but is currently not employed by the Bank.

Employee shall mean a natural person who performs work for the Bank under an employment contract (under Section 34 (1) of the Labour Code).

Employer shall mean a person having legal capacity that employs employees under employment contracts (under Section 33 of the Labour Code).

Personal Data shall mean any information relating to an identified or identifiable natural person (‘Data Subject’);  An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (under Article 4 1. of the GDPR).