The parent company of the Bank (a legal person possessing a qualifying holding in the Bank) is: Erste Group Bank AG (registered seat: Am Belvedere 1, 1100 Vienna, Austria).
We inform You that in case we process Your personal data that qualifies You as a person identified or identifiable by the Bank (regardless of the purpose, legal title or duration of the processing of processing personal data), You shall be considered a Data Subject under the provisions of the governing data protection legislation, and shall be entitled to the rights set forth in the governing data protection legislations, in particular, in the GDPR and in the Info Act regarding the processing and the protection of personal data (hereinafter together: rights related to the processing of personal data).
This Privacy Notice contains information on the processing of the personal data related to all Data Subjects on the one hand, as well as additionally specific rules regarding the processing of the personal data related to each Data Subjects on the other hand. Certain rules of data processing are also included in the Business Rules of the Bank and the Bank shall also undertake and make all effort to ensure that the Data Subject, prior to the commencement of the processing of personal data, get acquainted with that part of this Privacy Notice that concerns him/her. The Bank shall publish this Privacy Notice on its website at: https://www.erstebank.hu/hu/adatkezelesi and also make it accessible at its branches. The Bank may prepare an extract of this Privacy Notice regarding the various types of Data Subjects and may make it possible for the Data Subject affected by the processing of its personal data to make a declaration regarding that the preliminary information concerning the processing of personal data has been provided and his /her acknowledgement thereof by way of signing this document or an extract thereof.
This Privacy Notice shall apply to personal data processing activity(ies) carried out by the Bank as of the date specified in the header. The Privacy Notice effective at the time of the personal data processing carried out by the Bank prior to this Privacy Notice shall govern such processing of personal data by the Bank.
The Bank shall be entitled for the unilateral amendment of this Privacy Notice at any time. The amendment shall be applicable to personal data processing performed under the previous Privacy Notice of the Bank in respect of the new parts of the amendment (otherwise processing of such personal data shall be subject to the rules prevailing upon the commencement of the processing of the personal data), whereas personal data processing commenced following the amendment of the Privacy Notice shall be entirely governed by the amended Privacy Notice (which shall be deemed the Privacy Notice in force upon the commencement of the processing of the personal data in respect of these Data Subjects). The Bank shall make accessible all amendments of the Privacy Notice on its website https://www.erstebank.hu/hu/adatkezelesi. If the amendment is driven by legislative changes or by an administrative decision, or if the amendment does not concern issues relating to the processing of personal data (e.g. a change in the data protection officer or any other technical amendment) the change shall also apply to personal data processed prior to such amendment.
In case of divergence between the Hungarian and the English version of the Privacy Nitoce and Information on the Processing of Personal Data, the Hungarian version shall prevail.
The Bank keep records of data breaches and notify the Data Subject and the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) of the occurrence of such data breaches if required by the GDPR.
We inform the Data Subject that we only issue decision based on automated data processing by using Your personal data in case of online applications for personal loans and credit cards (the ”automated decision-making”) that is necessary for the conclusion or completion of the contract between the Data Subject and the Bank. We do not involve special categories of personal data in the automated decision-making. In the course of such automated decision-making, we check (as per the logic applied in the automated decision-making) Your age, income, regular income, employer, data stored in the Central Credit Information System, credit exposure, repayment behaviour regarding other credit. If the Data Subject satisfies the minimum criteria, we assess the risk involved in entering into a contract with the Data Subject, implement the risk rating of the Data Subject, the result thereof will affect the eligible credit amount or may result in the approval or the rejection of Your application.
A decision based on data processing automated on „green branch” (see below) is being made within the course of the application for account package, which is necessary for the conclusion or the fulfillment of the contract between the Data Subject and the Bank. There is no manual process step on the “green branch” banking side that would require a human intervention. Each step of the application is automated, the automated decision is based on the processing of the data of the Applicant recorded thereby on the product application interface and stored in the banking systems. The online bank account process shall require an automated decision making because it provides the benefits from rapidity. The Bank shall not include special categories of personal data in automated decision-making.
You shall have the right to request an assessment of the decision made on the basis of automated decision-making process by the Bank's experts, and to share your position as well as to submit an objection in this regard which shall be made at any contact points specified under paragraph II.2.C of the Privacy Notice. In this case, the Bank shall examine your application and inform you thereafter.
If you do not want the decision made during the online application to apply to you, you can submit the personal loan, credit card or account package application in person at any of our bank branches in this case, and you shall be entitled to share your position or objections with the Bank.
The Bank may carry out profiling for direct marketing purposes on the basis of its legitimate interest for direct marketing under point (47) of the Preamble of the GDPR (for the compilation of a target group of recipients to be contacted for marketing purposes).
We inform the Data Subject that we may use Your anonymised personal data (i.e. that may not be linked to the Data Subject) for statistical purposes.
We inform the Data Subjects entering our registered seat, premises and branches and those using our ATMs that a continuous image recording is being applied at our registered seat, premises, branches and ATMs for the protection of human life, physical integrity, personal freedom, business, banking- and securities secrets as well as for personal and property security purposes upon our legitimate interests concerning personal, property and banking security. We process such image recording in accordance with the governing legislative provisions and our relevant policy on physical security.
Having Your consent thereto as set out in Article 6 (1) a) of the GDPR, we process Your personal data provided in the course of using the applications made available by us through an on-line platform, in principle until the withdrawal of Your consent. You may withdraw your consent at any time without a reasoning, by way of providing the Bank with any legal notice, in particular by telephone, in written, electronic way / form or in person at our bank branch. Photograph(s) uploaded to such applications may only be uploaded to the application with the consent of the Data Subject(s) visible thereon. It is the responsibility of the user authorized to use the application to obtain the consent and to prove its existence, and the liability for all damages occurring related to the uploading of the image and the obligation to delete the image from the application shall be on the burden thereof. If there is any doubt about the lawfulness of the use of the image, the Data Controller shall be entitled, but not obliged, to take measures to delete the image.
The Bank shall process the personal data (name, telephone number, e-mail address) provided on the website thereof during the online booking, on the legal basis of Data Subject consent as per point a) of Article 6(1) of the GDPR, in principle, until the completion of the data processing purpose or the withdrawal of the Data Subject's consent. In the latter case, the consent withdrawal methods described above provided related to the applications usable on the online interface shall apply.
We inform the Data Subject that our core activities and intermediation activities (as defined in Section 10 of the Banking Act) are subject to sector specific legislation that shall govern the processing of Your personal data (e.g. the Banking Act, Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities, Act LXXXV of 2009 on the Pursuit of the Business of Payment Services, Act LXXXVIII of 2014 on the Insurance Activity, Act XCVI of 1993 on Voluntary Mutual Insurance Funds).
If we are subject to an obligation to erase personal data, we comply with such erasure obligation by way of factual, final and irreversible destruction / anonymisation and take measures for the full destruction of the documents to be destructed under such erasure obligation. If the irrevocable and final erasure / anonymisation takes place in the course of our regular erasure procedure, we will not send separate information to the Data Subject about the implementation of the erasure, but will inform the Data Subject whether we maintain record of the Data Subject’s personal data or not within the frame of exercising the right to access by the Data Subject. If the Data Subject submits an individual request for erasure, the Bank shall separately inform the Data Subject about the implementation of the irrevocable and final erasure / anonymisation (if the erasure is possible, otherwise about the reasons for refusal / partial implementation of the erasure). If the personal data requested to be erased by the Data Subject is the Data Subject's contact which we exclusively manage in relation to the Data Subject, we shall inform the Data Subject of the future erasure / anonymisation at this contact and the erasure shall be implemented thereupon by the Bank.
The Bank shall process the personal data (including the contact data as well) provided by the Data Subject as a data related to the Data Subject (the check of which shall not be a duty of the Bank), except the case when the Data Subject provides the Bank with a declaration that the concerned personal data is not related to it, whereby the Data Subject shall ensure that the Bank has lawful right to process the personal data not related to it but to another entitled person. The Data Subject shall issue a declaration in these cases that if it provides the Erste Bank Hungary Zrt. with such data that is not related to it, it has already informed the concerned person that it has shared the data relevant to this concerned person with the Bank, and the concerned person has already information – based on the privacy notice of the Erste Bank at the https://www.erstebank.hu/hu/adatkezelesi page - how Erste Bank shall process the data acquired not from the concerned person. If a third party indicates to the Bank in relation to a contact managed by the Bank regarding the Data Subject that the Data Subject is not available at that contact, the Bank shall be entitled to inform thereabout the Data Subject at another contact managed by the Bank and to request that the Data Subject modify its particular contact details, and the Bank may restrict / erase / anonymize the processing of personal data challenged by a third party, even if it provides a service to the Data Subject for the given contact, in order that the Bank shall not process a third party related personal data without authorization.
For the establishment of a business relationship between the Data Subject and the Bank, the Bank shall be obliged to process the personal data thereof required for the fulfilment of the contract and the statutory personal data required for the establishment of a business relationship in accordance with legal provisions. In view of this, if the Data Subject may fail to provide the personal data required for the fulfilment of the contract or required by law, the Bank may refuse to provide certain services. In all other cases, we shall only process your data with a Data Subject consent, which you may provide only on a voluntary basis.
We may do voice recordings with a Data Subject’s prior express consent which may be managed till the withdrawal of such consent, but till the end of the retention period relevant for the other personal data processed with regard to the Data Subject, the latest (unless otherwise required by this Privacy Notice). You may withdraw your consent at any time without reasoning by way of providing the Bank with any legal notice, in particular by telephone, in written or electronical way / form or in person at our bank branch.
The Data Controller shall perform an analysis of the voice records based on speech and data analysis, including a profiling of the bank administrator, by using a comprehensive performance and quality management system. The application shall analyse customer service conversations, shall recognize the words spoken, and other factors that may affect the quality of customer service and the performance of the administrator.
As part of the analysis, the system shall perform objective measurements related to the call (measuring, for example, the length of the call, the percentage of speech by the administrator and the customer, the percentage of silence or words spoken at a given time, and the number of certain predefined words), whereupon it shall calculate averages, shall compile statistics to monitor, improve, and evaluate the efficiency (performance) of the administrator. A textual description shall be made about the sound material; this shall make it possible to search for specific words, which is suitable, for example, for checking the provision or appropriate quality of mandatory information (quality assurance, education).
Based on the above data, the bank staff in charge shall perform sortings (for example, for calls that are significantly different from the average or that contain certain words, such as “complaint”) by the system and shall listen again all or part of the calls collected, controlling thereby the performance of the administrator or the proper handling of requests and questions from the customer. The verification shall require the recording of call statistics (call date, customer ID).
Sound analysis software has no self-learning capability. It is a pre-parameterized system, ie. it is able to complete a more reliable search and to display the search results based on the criteria (parameters) specified by Erste. The system shall not make an automated decision, it shall analyse the calls as specified above and organize them into groups according to the set parameters.
The above operation of the system shall allow Erste to analyse the data for the full range of incoming calls and primarily on the basis of objective criteria. (Without this, verification and analysis would only be possible by listening back to randomly selected calls, which would drastically reduce the possibility of error detection.)
The purpose of data processing shall be to ensure an adequate and effective control of the quality of Erste's services (primarily telephone customer service) (to ensure service quality) and a further improvement thereof for a strengthened efficiency and customer satisfaction (which facilitates customer retention as well) and to prevent possible internal abuse. Within these goals, the analyses shall also focus on the prevention of complaints, the reduction of the number of calls, customer education and related process improvements.
In view of the above and as a result of the balance of interests carried out by the Data Controller, Article 6 (1) (f) GDPR, the Data Controller's legitimate interest in data processing shall provide legal basis for data processing. The personal data processed during this data processing are: date of call, customer ID (telephone number or banking customer number), basic type of call: incoming or outgoing call, text description of audio material, length of call, productivity data: the percentage of customer's speech, silence and conversation on each other as well as other non-classifiable time, the rate of words number per minute. Erste shall not process or analyse health data (eg emotional or mental state) during voice analysis.
The retention period for audio material suitable for analysis shall be 12 months, and the retention period for additional personal data listed above shall be 18 months.
The audio and results shall be stored and analyzed on Erste's own device, which can only be accessed by authorized employees of Erste or data processors.
Data procesors involved in data processing: