PRIVACY NOTICE
Effective for the data processing from 24 November 2025
1.1. Who is the data controller?
Erste Bank Hungary Zrt. (registered seat: H-1138 Budapest, Népfürdő u. 24-26.; website: www.erstebank.hu, email: erste@erstebank.hu; telephone: +36 (1) 298-0222, fax: +36 (1) 272-5160; hereinafter: “Bank” or “Data Controller”) processes Your personal data either in the capacity of data controller or intermediary assigned by a third party data controller to carry out data processing activities (and also to act as intermediary for financial, auxiliary financial or investment services (hereinafter: “Intermediary”) or in the capacity of joint data controller with a third party company.
The Bank has a qualifying holding (100% ownership interest) in the following subsidiaries, which, together with the Bank shall mean the members of the Erste Bank Group (hereinafter jointly referred to as: “Subsidiaries”):
- Erste Befektetési Zrt. (registered seat: H-1138 Budapest, Népfürdő u. 24-26., Floor 8)
- Erste Lakás-takarékpénztár Zrt. (registered seat: H-1138 Budapest, Népfürdő u. 24-26.)
- Erste Jelzálogbank Zrt. (registered seat: H-1138 Budapest, Népfürdő u. 24-26.)
- Erste Ingatlan Kft. (registered seat: H-1138 Budapest, Népfürdő u. 24-26.)
The parent company of the Bank (a legal person possessing a qualifying holding in the Bank): Erste Group Bank AG (registered seat: Am Belvedere 1, 1100 Vienna, Austria).
1.2. Why is data privacy important?
Data privacy is a fundamental right. Similarly to freedom or security, you have the right to the protection of Your data.
Your personal data can contain a wide range of information about you: they may as well relate to your hobbies, preferences and aspirations. Such things are, of course, worth protecting. Yet Erste can only improve the customized service it provides to its customers if it is aware of its customers' preferences. It is important for Erste to cooperate with its customers to find ways to manage their data in the best interests and under the supervision of its customers. In processing personal data, Erste makes every effort to ensure the highest level of protection in accordance with applicable data protection and information security requirements.
In this notice, you will find and learn, among other things, about the data processing activities carried out by Erste as data controller, your data protection rights and the steps you can take to enforce your data protection rights.
1.3. What legislation applies to my data privacy rights? What is the GDPR and what does it regulate?
If we process Your personal data that qualifies You as a person identified or identifiable by the Bank (regardless of the purpose, legal title or duration of the processing of processing personal data), You shall be considered a Data Subject under the provisions of the governing data protection legislation, and shall be entitled to the rights set forth in the governing data protection legislations, in particular, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; “GDPR”)" and Act CXII of 2011 on Informational Self-determination and Freedom of Information (“Info Act”) regarding the processing and the protection of personal data (hereinafter together: rights related to the processing of personal data).
1.4. Basic concepts of data protection
What is personal data?
Personal data means any information relating to an identified or identifiable natural person, a co-called ‘Data subject. E.g. a person’s name or identifier, IBAN or account number. (For further detail, refer to Article 4(1) of the GDPR.)
What is data processing?
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (For further detail, refer to Article 4(2) of the GDPR.)
Further definitions
Data Subject shall mean an identified or identifiable natural person (under Article 4(1) of the GDPR).
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Third Country shall mean any country other than the Member States of the European Union, Iceland, Liechtenstein and Norway is a third country.
Former Employee shall mean a natural person who worked for the Bank under an employment contract but is currently not employed by the Bank.
Employee shall mean a natural person who works for the Bank under an employment contract (under Section 34 (1) of Act I of 2012 on the Labour Code, hereinafter the Labour Code).
Employer shall mean a person having legal capacity that employs employees under employment contracts (under Section 33 of the Labour Code).
1.5. What is the Privacy Notice about?
This Privacy Notice contains information on the processing of the personal data related to all Data Subjects on the one hand, as well as additionally specific rules regarding the processing of the personal data related to each Data Subjects on the other hand. Certain rules of data processing are also included in the Business Rules of the Bank and the Bank shall also undertake and make all effort to ensure that the Data Subject, prior to the commencement of the processing of personal data, get acquainted with that part of this Privacy Notice that concerns him/her. The Bank shall publish this Privacy Notice on its website at: https://www.erstebank.hu/hu/adatkezelesi and also make it accessible at its branches. The Bank may prepare an extract of this Privacy Notice regarding the various types of Data Subjects and may make it possible for the Data Subject affected by the processing of its personal data to make a declaration regarding that the preliminary information concerning the processing of personal data has been provided and his /her acknowledgement thereof by way of signing this document or an extract thereof.
This Privacy Notice shall apply to personal data processing activity(ies) carried out by the Bank as of the date specified in the header. The Privacy Notice effective at the time of the personal data processing carried out by the Bank prior to this Privacy Notice shall govern such processing of personal data by the Bank.
The Bank shall be entitled for the unilateral amendment of this Privacy Notice at any time. The amendment shall be applicable to personal data processing performed under the previous Privacy Notice of the Bank in respect of the new parts of the amendment (otherwise processing of such personal data shall be subject to the rules prevailing upon the commencement of the processing of the personal data), whereas personal data processing commenced following the amendment of the Privacy Notice shall be entirely governed by the amended Privacy Notice (which shall be deemed the Privacy Notice in force upon the commencement of the processing of the personal data in respect of these Data Subjects). The Bank shall make accessible all amendments of the Privacy Notice on its website https://www.erstebank.hu/hu/adatkezelesi. If the amendment is driven by legislative changes or by an administrative decision, or if the amendment does not concern issues relating to the processing of personal data (e.g. a change in the data protection officer or any other technical amendment) the change shall also apply to personal data processed prior to such amendment.
2.1. The contact details of the Data Protection Officer:
In relation to the processing of your personal data you can contact the Data Protection Officer of the Bank in writing. Name and contact details of the data protection officer of the Bank: dr. Zsolt Misky; email: adatvedelem@erstebank.hu; mailing address: 1138 Budapest, Népfürdő utca 24-26.
2.2. Regulatory authority competent in data protection matters:
You can make a complaint in connection with processing by Erste or any data processor engaged by Erste to the Hungarian National Authority for Data Protection and Freedom of Information (contact details: (www.naih.hu), registered seat: 1055 Budapest, Falk Miksa utca 9-11. mailing address: 1363 Budapest, PO Box. 9, +36 (1) 391-1400, fax: +36 (1) 391-1410, email: ugyfelszolgalat@naih.hu), or the competent court.
2.3. Whose data is processed by Erste?
The Data Subjects of personal data processed in connection with our activities are typically:
- Customer: means all the natural persons who use financial services / auxiliary financial services (the “Service”) provided by the Bank as a financial institution (Section 160 (2) of Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings, hereinafter the “Banking Act”),
- Applicant: means all the natural persons who contact the Bank to receive Services, but who decide not to use such Services (Section 160 (2) of the Banking Act),
- Co-debtor, payment guarantor, a natural person providing other security: means a person involved in the performance of a contract for financial service / auxiliary financial service (the “Contract”) in addition to the debtor Customer, who shall be liable on behalf of /in addition to the debtor Customer upon a failure by the debtor Customer to satisfy its payment obligations under and as set forth in the Contract,
- Authorised representative: means a natural person who acts on behalf of another natural or legal person as set forth in Section 6:11 of Act V of 2013 on the Civil Code, hereinafter the “Civil Code”,
- Payer: means a natural person making a cash deposit onto the customer’s account maintained with the Bank,
- Beneficiary: a natural or legal person who is the recipient of the funds constituting the subject of the payment transaction (Section 2 (12) of Act LXXXV of 2009 on payment services, hereinafter the “Payment Services Act”),
- Contact Person: the person on behalf of the party entering into a Contract with the Bank as being specified in the Contract for the purpose of keeping contact,
- Employee
- Former employee
- Other Data Subject (in particular, a person who signs up to a newsletter, contracted partner’s contact person, contact person of a contracted partner, contact person of a potential entrepreneur/corporate client who is a natural person, contact person of a contracted partner, contact person of a potential entrepreneur/corporate client who is a natural person) All Data Subjects who are not classified as Data Subject specified in Clause III 1) through 9) of this Privacy Notice are included in this category.
The Bank shall process the personal data (including the contact data as well) provided by the Data Subject as a data related to the Data Subject (the check of which shall not be a duty of the Bank), except the case when the Data Subject provides the Bank with a declaration that the concerned personal data is not related to it, whereby the Data Subject shall ensure that the Bank has lawful right to process the personal data not related to it but to another entitled person. The Data Subject shall declare in these cases that if he or she provides Erste Bank Hungary Zrt. with data that is not related to him or her, then he or she has already informed the Data Subject that he or she has shared data with respect to him or her with the Bank, and the Data Subject has already information – based on the privacy notice of the Erste Bank at https://www.erstebank.hu/hu/adatkezelesi - on how Erste Bank processes data obtained not from the Data Subject. If a third party indicates to the Bank in relation to a contact managed by the Bank regarding the Data Subject that the Data Subject is not available at that contact, the Bank shall be entitled to inform thereabout the Data Subject at another contact managed by the Bank and to request that the Data Subject modify its particular contact details, and the Bank may restrict / erase / anonymize the processing of personal data challenged by a third party, even if it provides a service to the Data Subject for the given contact, in order that the Bank shall not process a third party related personal data without authorization.
2.4. What are the purposes and legal bases for processing my data?
- Processing for the performance of a contract or actions taken at your request before entering into a contract
The services that Erste provides to its customers depend on the specific contact, e.g. loan contact, account contact, lease contact, insurance brokerage or George contact. For example, Erste may process customer data to enable customers to log in to George, manage their account online and carry out transactions. The scope of such processing is set out in the contractual documents and the Business Rules and General Terms and Conditions in effect from time to time. - Processing for the fulfilment of a legal obligation
Personal data processing may also take place in the case and scope where the processing of personal data is necessary for compliance with a legal obligation. Such mandatory processing may occur, for example, in the following cases: Customer due diligence obligations under the rules on the prevention and combating of money laundering and terrorist financing, retention obligations under accounting rules, processing necessary for fraud prevention/fraud management. - Processing based on legitimate interest
If certain conditions are met, Erste may carry out processing on the basis of legitimate interests in order that the controller or a third party can pursue their legitimate interest. - Processing based on your consent
If there is no contract, legal obligation or legitimate interest, processing may also be lawful if the Data Subject has given his or her consent. The scope and content of such processing will always depend on the specific consent on a case-by-case basis. The Data Subject may withdraw his or her consent at any time for the future. The withdrawal of consent shall however not affect the lawfulness of processing based on consent before its withdrawal. This means that withdrawal of consent has no retrospective effect. - Processing for statistical purposes
The Bank may use your anonymized personal data (i.e. that may not be linked to the Data Subject) for statistical purposes.
2.5. Is there any other data processed about me in addition to the data collected from me?
In this Privacy Notice, we inform the Data Subject of the means applied for processing the personal data obtained from the Data Subject, learned by the Bank through the actions of the Data Subject and from conclusions drawn by the Bank regarding the Data Subject. If Your personal data processed by the Bank were not made available to the Bank by You, the Bank provides specific information under Article 14 of the GDPR, with the exception of the case(s) contained in Article 14 (5) of the GDPR. If the personal data was obtained from You as a Data Subject, that types of personal data related to You and processed by the Bank are contained in the forms via the completion thereof we manage Your personal data.
2.6. Do I have to provide my personal data? What if I do not want to do so?
For the establishment of a business relationship between the Data Subject and the Bank, the Bank shall be obliged to process the personal data of the Data Subject required by law and necessary for the fulfilment of a contract and for the establishment of a business relationship under the provisions of the law. In view of this, if the Data Subject may fail to provide the personal data required for the fulfilment of the contract or required by law, the Bank may refuse to provide certain services. In all other cases, we shall only process your data with a Data Subject consent, which you may provide only on a voluntary basis.
2.7. How long does Erste process my personal data?
If we are subject to an obligation to erase personal data, we comply with such erasure obligation by way of factual, final and irreversible destruction / anonymisation and take measures for the full destruction of the documents to be destructed under such erasure obligation. If the irrevocable and final erasure / anonymisation takes place in the course of our regular erasure procedure, we will not send separate information to the Data Subject about the implementation of the erasure, but will inform the Data Subject whether we maintain record of the Data Subject’s personal data or not within the frame of exercising the right to access by the Data Subject. If the Data Subject submits an individual request for erasure, the Bank shall separately inform the Data Subject about the implementation of the irrevocable and final erasure / anonymisation (if the erasure is possible, otherwise about the reasons for refusal / partial implementation of the erasure). If the personal data requested to be erased by the Data Subject is the Data Subject's contact which we exclusively manage in relation to the Data Subject, we shall inform the Data Subject of the future erasure / anonymisation at this contact and the erasure shall be implemented thereupon by the Bank.
3. Information on Erste’s data processing
If the Bank has the right to process personal data, the Bank may also process under such right all related paper-based or electronic documents containing the Data Subject’s relevant personal data through the entire duration of the processing of personal data contained in such documents.
We inform the Data Subject that the duration of processing personal data by the Bank shall be extended (with the period of processing the following personal data, or with the outstanding time of such period) if, upon the expiration of the duration of the processing of personal data available to the Bank, criminal proceedings, claim management or such other proceedings are in progress against the Data Subject in the course of which the processing of personal data by the Bank is necessary for asserting its legal claim / for complying with a legal obligation of the Bank / a legitimate interest of the Bank exists for this purpose.
The electronic data contained in the litigation records of the Bank regarding the parties to the litigation and the adjudicated issue (with the exception of documents stored electronically) are not erased / anonymised in consideration of the legitimate interest of the Bank (res iudicata can be evidenced). Based on the Bank's legitimate interest, the personal data of customers with foreign currency-based contracts may be processed for an additional five years beyond the retention period specified in Act C of 2000 on Accounting. The purpose of this extended processing is to ensure the proper handling of potential legal disputes, the enforcement of legal claims, and the conclusion of related settlements.
Documents constituting ownership claim will not be erased considering that ownership claims are not subject to limitation.
If the Bank is obliged to issue personal data to a person other than the Data Subject in compliance with the Data Subject’s right to Data portability, the Bank shall inform and warn such recipient third person in the scope of this Privacy Notice that the personal data issued by the Bank concerning the Data Subject shall not be used for his/her own purposes and such personal data may be only processed in compliance with the applicable data protection legislation, and observing the principle of purpose limitation. The Company does not accept liability for the third-party usage of personal data adequately transmitted to a third person at the Data Subject’s request.
3.2 Specific rules regarding the processing of personal data of each Data Subjects
- i.e. you are a natural person defined in Clauses 2.3.1 and 2.3.3 of the Privacy Notice, your personal data will be processed by the Bank as follows:
The Bank shall process the personal data of Data Subjects under this Clause as data categorised as banking secret under Section 160 (1) of Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings, the Banking Act, in accordance with the rules of the Banking Act on bank secrets in addition to complying with the provisions of laws on the protection of personal data
I. Processing for the performance of a contract or actions taken at your request before entering into a contract:
- Automated decision-making
We inform the Data Subject that we only issue decision based on automated data processing by using Your personal data in case of online applications for personal loans and credit cards (the “automated decision-making”) that is necessary for the conclusion or completion of the contract between the Data Subject and the Bank. The Bank shall not include special categories of personal data in automated decision-making. In the course of such automated decision-making, we check (as per the logic applied in the automated decision-making) Your age, income, regular income, employer, data stored in the Central Credit Information System, credit exposure, repayment behaviour regarding other credit. If the Data Subject satisfies the minimum criteria, we assess the risk involved in entering into a contract with the Data Subject, implement the risk rating of the Data Subject, the result thereof will affect the eligible credit amount or may result in the approval or the rejection of Your application.
A decision based on data processing automated on the “green branch” is being made within the course of the application for account package, which is necessary for the conclusion or the fulfilment of the contract between the Data Subject and the Bank. There is no manual process step on the “green branch” on the side of the Bank that would require a human intervention. Each step of the application is automated, the automated decision is based on the processing of the data of the Applicant recorded thereby on the product application interface and stored in the banking systems. The online bank account process shall require an automated decision-making because it provides the benefits from rapidity. The Bank shall not include special categories of personal data in automated decision-making.
You shall have the right to request an assessment of the decision made on the basis of automated decision-making process by the Bank’s experts, and to share your position as well as to submit an objection in this regard which shall be made at any contact points specified under Clause 2 of Chapter 4 of the Privacy Notice. In this case, the Bank shall examine your application and inform you thereafter.
If you do not want the decision made during the online application to apply to you, you can submit the personal loan, credit card or account package application in person at any of our bank branches in this case, and you shall be entitled to share your position or objections with the Bank.
- We inform the Data Subject that we shall be entitled to process personal data underlying the Intermediary activity as Intermediary carrying out financial, auxiliary financial / investment / auxiliary investment / insurance / payment intermediation activities in the interest, in the name and on behalf of the principals defined in Clause 5 of this Privacy Notice.
- If You have entered into a Contract with the Bank that requires the use of a telephone number (e.g. Text message service) and/or of an email address, in that case we process such personal data on the legal basis and for the duration set out in point 4 of the above table for the purpose of performing the Contract, unless You change Your relevant contact data in the form of contract amendment (whereupon the Bank shall erase/anonymise the former personal data on a final and irreversible basis).
II. Processing for the fulfilment of a legal obligation:
Device information processed within the course of using the George App for fraud prevention/fraud management purposes: operating system type and version number, the security state of the device (e.g., whether the operating system has been modified through rooting or jailbreaking*), list of applications installed on the device (particularly, but not exclusively the softwares which enable remote access), and IP address used by the customer while using electronic channels (George):
The data processing is based on the legal requirements of the Payment Services Act and SCAr., the purpose of which is to prevent and investigate fraud. Data related to the Bank and the customer are stored for 8 years, while data related to transactions, use of instruments and data generated by the Bank (scoring) are stored for 1 year.
The Bank uses transaction monitoring mechanisms to detect payment fraud, which are capable of monitoring payment transactions and certain non-payment transactions (e.g. Netbank login) in real time, while they are being executed, via remote channels. Due to the acceleration of digital services, fraudulent use can be effectively detected and prevented by automated monitoring and decisions (automated decision making), which may result in the rejection of the payment transaction. The Data Subject has the right to object to automated decision-making.
Furthermore, in order to filter out payment transactions that were not approved by clients or were approved through deception, it is necessary to establish customer profiles. This means collecting customer-related information such as the typical geographic location of the usage (IP address, geolocation data), typical characteristics of previous payments, software data of the user's devices, etc.
Our Bank also uses supervised machine learning models to risk assess the complex data (customer profiles, fraud patterns) available during transaction monitoring.
Data transfer to the Central Abuse Filtering System (GIRO Zrt.)
As of July 1, 2025, the Bank will transfer to GIRO Zrt. the data specified in Act LXXXV of 2009 on the provision of payment services, relating to HUF payment orders to be processed, settled, and executed in the payment system, as well as foreign currency and cross-border transfer orders submitted to the Bank, and HUF and foreign currency transfer orders between the Bank’s own clients, for the purpose of supporting the detection and prevention of fraud related to payment transactions.
III. Processing based on legitimate interest:
- We inform the Data Subjects entering our registered seat, premises and branches and those using our ATMs that a continuous image recording is being applied at our registered seat, premises, branches and ATMs for the protection of human life, physical integrity, personal freedom, business, banking- and securities secrets as well as for personal and property security purposes upon our legitimate interests concerning personal, property and banking security. We process such image recording in accordance with the governing legislative provisions and our relevant policy on physical security.
- Profiling
The Bank may carry out profiling for direct marketing purposes on the basis of its legitimate interest for direct marketing under point (47) of the Preamble of the GDPR (for the compilation of a target group of recipients to be contacted for marketing purposes). - Further information on data processing related to the use of the IT system that credit institutions and insurers have in place for the registration of housing insurance and the provision of security in the form of credit protection (the so-called DLT system for the registration of housing insurance, which provides IT support for the business process of registration of housing insurance and the provision of security in the form of credit protection using shared ledger1 technology) is available here.
1Distributed database technology in which data modification transactions, data and program code providing the business logic are stored redundantly between operator nodes. The block-chain component of the technology ensures data integrity protection.
IV. Processing based on Data Subjects’ consent:
56. The following data processing in relation to the Central Credit Information System (“KHR”):
See the table above for specific rules on the withdrawal of consents under the KHR Act:
- Under the applicable law a consent under Section 5(3) of the KHR Act may only be withdrawn in writing.
- Under the applicable law a consent under Section 9(2) of the KHR Act may only be withdrawn in writing; until the termination of the contractual relationship, through the Bank, and thereafter directly contacting the financial undertaking managing the KHR.
If (any of) Your personal data are processed by the Bank based on Your consent as per the above table, we process Your personal data under such consent, until the withdrawal thereof / or if the purpose of data processing has been implemented previously, until the implementation of the data processing purpose, or in lack thereof, as long as any legal basis exist for the Bank for processing Your personal data (except if this Privacy Notice sets a period shorter than that for the processing of certain consent based personal data processing by the Bank). Withdrawal of the consent shall cover the period after the withdrawal of the consent, processing of personal data falling before this period shall not be affected by the withdrawal of the consent. You may withdraw your consent at any time without a reasoning by providing the Bank with any legal notice to the Bank, in particular by telephone, in written or electronic way / form or in person at our bank branch. (see point 4.2)
- Having Your consent thereto as set out in Article 6 (1)(a) of the GDPR, we process Your personal data provided in the course of using the applications made available by us through an on-line platform, in principle until the withdrawal of Your consent. You may withdraw your consent at any time without a reasoning, by way of providing the Bank with any legal notice, in particular by telephone, in written, electronic way / form or in person at our bank branch. Photograph(s) uploaded to such applications may only be uploaded to the application with the consent of the Data Subject(s) visible thereon. It is the responsibility of the user authorized to use the application to obtain the consent and to prove its existence, and the liability for all damages occurring related to the uploading of the image and the obligation to delete the image from the application shall be on the burden thereof. If there is any doubt about the lawfulness of the use of the image, the Data Controller shall be entitled, but not obliged, to take measures to delete the image.
- The Bank shall process the personal data (name, telephone number, e-mail address) provided on the website thereof during the online booking, on the legal basis of Data Subject consent as per point a) of Article 6(1) of the GDPR, in principle, until the completion of the data processing purpose or the withdrawal of the Data Subject's consent. In the latter case, the consent withdrawal methods described above provided related to the applications usable on the online interface shall apply.
- We may do voice recordings with a Data Subject’s prior express consent which may be managed till the withdrawal of such consent, but till the end of the retention period relevant for the other personal data processed with regard to the Data Subject, the latest (unless otherwise required by this Privacy Notice). You may withdraw your consent at any time without a reasoning by providing the Bank with any legal notice to the Bank, in particular by telephone, in written or electronical way / form or in person at our bank branch.
- How can I manage my consents related to direct marketing communications, visibility on external digital platforms (Google, Meta, Adform), and the use of my browsing data?
You can modify or withdraw your previously given consents in the “Declarations” menu on the George Web interface, or via any of the contact options listed in point 4.2. If you withdraw your consent for “visibility on digital service provider platforms” as described in point 49, Google and Meta will no longer use the transmitted email addresses to display marketing messages from the Bank and its subsidiaries. Adform will also cease processing the identifier created for this purpose. - Direct marketing
We inform the Data Subjects that we only send (commercial) advertisements (definition: Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities) to natural persons as recipients by means of direct marketing (thus, in particular, via electronic correspondence or other equivalent means of individual communication, with the exception of the addressed postal advertising and telephone contact made via a non-automized telephone calling system), either ourselves or via our agent if the relevant Data Subject as the recipient of such advertising has given its prior, clear and specific consent thereto. We keep records of the personal data of natural persons who make an explicit declaration of consent. Personal data entered into these records relating to the recipients of advertising may be processed only in accordance with and until the withdrawal of the declaration of consent (but in any event until the date set in Clause 35 of Chapter 3 and may be transferred to a third party only upon the prior approval of the Data Subject given as required by law. Withdrawal of the consent shall cover the period after the withdrawal of the consent, processing of personal data falling before this period shall not be affected by the withdrawal of the consent.
When personalizing messages, profiling based on legitimate interest is applied to the data processing (see Chapter 3, point 28). This activity is carried out until the data subject objects.
i.e. you are a natural person defined in Clause 2.3.2 of the Privacy Notice, your personal data will be processed by the Bank as follows:
The Bank shall process the personal data of the Data Subject submitting an application as data categorised as banking secret under Section 160 (2) of Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings, the “Banking Act”, in accordance with the provisions of the Banking Act on the protection of bank secrets, in addition to complying with the provisions of laws on the protection of personal data.
I. If the Bank has conducted credit assessment in Your respect, in the course of which it has commenced Your identification in compliance with the AML Act, but we have rejected Your credit application, the Bank shall process Your personal data and the documents containing those for 5 (five) years following the failure of the Contract based on its legitimate interest set forth in Section 166/A (2) of the Banking Act and, thereafter the Bank shall erase/anonymise Your personal data on a final and irreversible basis.
If the processing of Your personal data by the Bank is solely based on Your consent (and no other legal basis exist for the Bank to process Your personal data), the Bank shall process Your personal data until the fulfilment of the purpose of data processing but in any event no longer than up to 6 (six) months and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.
II. In case You express Your intention, interest, wish towards the Bank to conclude a Contract, but the Bank or its Intermediary has not started the due diligence under the AML Act for the conclusion of the Contract, the Bank may process Your personal data (with Your consent) till 6 (six) months upon the receipt of the personal data, or, if You have withdrawn Your consent within this period of time, till the withdrawal of such consent, whereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.
III. Applicants are also subject to marketing-related data processing based on their consent, as detailed in point IV.
How can I manage my consents (as an applicant) related to direct marketing communications, visibility on external digital platforms (Google, Meta, Adform), and the use of my browsing data?
In the case of a request submitted via a microsite, previously provided settings can be modified or withdrawn through the web interface linked in the confirmation email sent after the request, or via any of the contact options listed in point 4.2.
If the consent for “visibility on digital service provider platforms” referred to in points A–D is withdrawn as described above, Google and Meta will no longer use the transmitted email addresses to display marketing messages from the Bank and its subsidiaries. Adform will also cease processing the identifier created for this purpose.
i.e. you are natural person defined in Clauses 2.3.4, 2.3.6 and 2.3.7 of the Privacy Notice your personal data will be processed by the Bank as follows:
The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in accordance with the rules of the Banking Act on bank secrets in addition to complying with the rules on the protection of personal data.
i.e. you are a natural person defined in Clause 2.3.5 of the Privacy Notice, your personal data will be processed by the Bank as follows:
The Bank shall process the personal data of Data Subjects under this Clause as data deemed banking secret under Section 160 (1) of the Banking Act, in accordance with the rules of the Banking Act on bank secrets, in addition to complying with the provisions on the protection of personal data.
i.e. you are a natural person defined in Clause 2.3.10 of the Privacy Notice, your personal data (and the documents containing such personal data (if any)) will be processed by the Bank as follows:
If the processing of Your personal data by the Bank is solely based on Your consent (and no other legal basis exist for the Bank to process Your personal data), the Bank shall process Your personal data until the fulfilment of the purpose of data processing but in any event no longer than up to 6 (six) months and thereafter the Bank shall erase /anonymise Your personal data on a final and irreversible basis.
II. As other Data Subjects, the Bank is entitled to process your personal data in addition to your consent or, in the absence of your consent, on a legal basis pursuant to Chapter 2, Clause 4 of this Privacy Policy, for a lawful processing purpose, and as long as such legal basis and processing purpose exists, after which he Bank will permanently and irretrievably delete/anonymise your personal data.
III. Promotional Outreach to Potential Entrepreneurial/Corporate Clients via Direct Marketing:
For the purpose of direct business acquisition, the Bank may contact potential entrepreneurial or corporate clients using email addresses and telephone numbers listed in the databases of Opten Informatikai Kft. and Dun & Bradstreet Hungary Kft., as well as contact details available on company websites. Once these data are recorded in the Bank’s system, the Bank will notify the company—using one of the contact methods available in the database or on the website—about the data registration and the possibility to object.
The Bank maintains a record of companies that have expressed their objection, and such companies will no longer receive promotional direct marketing communications.
The legal basis for data processing is the Controller’s legitimate interest pursuant to Article 6(1)(f) of the GDPR. The duration of data processing lasts until a successful objection is received, or in the absence thereof, until the Bank’s legitimate interest ceases to exist, but for no longer than one year.
Your personal data (including, in particular, delivery agents, beneficial owners, politically exposed persons of corporate clients, natural person providing security for corporate banking products) (and any document(s) containing such personal data, including, in particular, the personal identification data of natural person data subjects, contact data, customer identification data necessary to prevent and deter money laundering and terrorist financing, other related personal data) will be processed by the Bank as follows (information before data processing).
The source of the data subjects’ personal data under this Clause is Commerzbank Zrt. The Bank acquires/has acquired the information on the corporate clients of Commerzbank Zrt. in accordance with Section 164(e) of the Banking Act, and Sections 117(9), 120(f) and 140(1) of the Investment Act. The interest of the Bank acknowledged by the Hungarian National Bank is that the transferor bank (Commerzbank Zrt.) provides the transferee bank (the Bank) with customer data so that the transferee bank (the Bank) can continue to provide the contractual services to customers. In addition to the rules on the protection of personal data, the Bank shall process the personal data of the data subjects under this Clause as bank secrets under Section 160(1) of the Banking Act and/or business secrets or securities secrets under Sections 117 and 118 of the Investment Act, in accordance with the confidentiality obligations thereof.
The data shall be processed until a successful objection by the data subject or, failing that, until the Bank’s legitimate interest exists, i.e., until the conclusion of a contract with Commerzbank Zrt.’s corporate clients, or until the portfolio transfer has been completed at the latest. Thereafter, the personal data will continue to be processed by the Bank for additional purposes and under the legal basis set out in this Privacy Notice.
I. Visitor: A Visitor is a person (data subject) who visits the Bank’s website without providing any personal data and without engaging with the Bank for the purpose of using its services.
The website operated by the Bank may automatically save information about your device while you are using the website (from which no personal data may be inferred about You), and the Bank may place so called cookies thereon for the purpose of
- collecting information about Your device,
- ensuring that such information to assist you in using the Bank’s websites, or
- using such information to optimise advertising contents available on the website and other web pages.
The detailed rules on the use of the cookies is available at the below website: https://www.erstebank.hu/hu/cookie-policy https://www.erstebank.hu/hu/cookie-policy
II. Processing of the personal data of contact persons, authorised representatives and other contributors in respect of contracts concluded by the Bank for non-financial /auxiliary financial services
The processing of personal data of contact persons, authorised representatives and other contributors designated in a contract entered into between the Bank and a service provider under Act V of 2013 on the Civil Code (hereinafter the “Civil Code”) is deemed to be processed for the purpose of keeping contact based on the legal basis of performing the contract existing between the Bank and the other party to the contract, in the interest of the party on whose behalf the relevant natural person acts and serves this purpose. The Bank processes the personal data of contact persons, authorised representatives and other contributor natural persons as personal data of Other Data Subjects during the entire retention period of the contract existing between the Bank and the service provider that has entered into a contract with the Bank, where such retention period is 5 years following the termination of the contractual relationship between the Bank and the service provider if there is no dispute between the Parties (and if the limitation period is not interrupted or suspended), except if such Other Data Subject objects to the processing of his/her personal data with the Bank. Upon a successful objection to the processing of the personal data of contact persons, authorised representatives or other contributor natural persons, the Bank terminates the processing of the personal data of such Data Subjects.
III. Processing of former employees’ personal data by the Bank
Former employees’ personal data may be processed by the Bank for the purpose, on the legal basis of and for the duration set out in this Clause, by means described in the General part of this Privacy Notice.
1. According to Section 99/A of the Act LXXXI of 1997 on Social Security Pension Benefits (Social Security Act), the Bank as employer shall retain the labour documents containing data regarding the social security relationship, duty period relating to the employee as beneficiary or ex-beneficiary of the social security, or the earnings, income that may be taken into consideration by the establishment of the pension benefits, for five years from reaching the retirement age relevant for the beneficiary or ex-beneficiary of the social security. We process these personal data with the purpose of complying with our legal obligations.
2. The Bank processes other personal data and the documents containing such other personal data in connection with the employment relationship of a Data Subject described in this Clause and the relevant personal data for 3 years following the termination of the employment contract under Section 286 (1) of Act I of 2012 on the Labour Code (the “Labour Code”), with the exception of personal data processed under a legal basis being the Data Subject’s consent. The Bank processes personal data processed under the consent of Data Subjects described in this Clause until the withdrawal of consent but in any event for up to 3 years following the termination of the employment contract as set forth in Section 286 (1) of the Labour Code.
IV. Processing of personal data of applicants for job offers
We process the personal data of the Data Subject completing a registration on the Career portal of the Bank (http://karrier.erstebank.hu) (including the documents attached by the Data Subject completing the registration and the personal data contained therein) for the below data processing purposes and within the following duration:
- to consider the application of the Data Subject to the specific job within the selection process, from the application till the closure of the selection, but no longer 1 (one) year,
- to consider this personal data by filling the positions opening at the Bank, to contact the registered Data Subject at the contact details provided by the registration with new positions possibly becoming actual, till 1 (one) year from the last application of the Data Subject to a specific position.
The Data Subject may register his or her data and may attach his or her Curriculum Vitae (with his or her photo) as document in a manner and format offered at http://karrier.erstebank.hu. If the registrant Data Subject provides a specific personal data by the registration, or attach a document containing specific personal data, the Data Controller shall inform the Data Subject that it shall not be entitled to process this personal data in the lack of the explicit consent made by the Data Subject, and the Data Controller shall immediately erase / delete this type of personal data after receiving thereof (if the registrant Data Subject does not provide the Data Controller with its explicit consent to the processing of such specific personal data). The Data Controller call the Data Subject not to provide access for the Data Controller to specific personal data (in the lack of its consent), because the Data Controller do not process such personal data of the Data Subject without the consent thereof. Only the Human Resources Management area of the Bank and the managers concerned with the selection procedure have access to the data provided by the Data Subject.
The Data Subject shall be entitled to change its password ensuring the usage of the surface, or the registered personal data at any time, and to terminate the access at any time. We call the attention of the Data Subject completing a registration that erase of the registration completed by the registrant Data Subject and the personal data contained therein can be done by the Data Subject in the account set up by the registration and can also initiate it via electronic mail sent to karrier@erstebank.hu e-mail address.
The Data Subject shall acknowledge that we may transfer Your personal data provided at the Career portal to contractual third parties as Data Controller, for the purpose of application to job offers, for the conclusion of targeted employment to use video interview platform service (Indivizo Zrt.), and to fill in The Predictive Index® surveys.
Nexum Magyarország Kft. (registered seat: 6722 Szeged, Gyertyámos u 13.; company registration number: 06-09-004861) is the data processor engaged by the Bank.
We may specify and disclose more detailed information for the Data Subject applying for position on the application surface.
V. Use of Facebook, Viber, banking widget surface
We ensure for the Data Subjects to request information regarding our services both at Facebook and Viber user interfaces and at our website. These interfaces cannot be used for lodging complaints and for sending privacy related requests, Data Subjects may only make requests thereby regarding the issuance of or questions concerning the general data not deemed banking or other types of secrets. We process the personal data provided in the course of using these portals upon consent provided by the Data Subject, until the withdrawal of such consent by the Data Subject, or in lack thereof, for 6 months after the relevant personal data have been recorded in our systems. Upon the expiry of this period, the Bank will finally and irreversibly erase /anonymise Your personal data (if no other legal basis exist for the processing of such personal data by the Bank).
I. Persons below the age of 16 shall be considered children under the GDPR.
We only process personal data in relation to information society related services offered directly to children if the child is over the age of 16. Where the child is below the age of 16, we do the processing of the children’s personal data only if and to the extent that consent is provided or authorised by the person holding the custody rights concerning the child.
II. We process personal data regarding decisions on the declaration of criminal liability and offences and the related security measures in the scope permitted by Hungarian law (if the Bank is deemed complainant or plaintiff in respect of the relevant offence or asserts a civil law claim in the criminal proceeding). If the Bank did not file a civil law claim in the criminal proceeding, we process such data until the decision adopted in the criminal proceeding becomes final, otherwise (if a civil law claim has been lodged) for 5 years after the judgement becomes final (that is, until the limitation of the right of enforcement) except if such period of limitation is interrupted or suspended (in this case, in compliance with Section 57 on the Act on Judicial Enforcement and with Section 286 of the Labour Code).
III. In accordance with applicable legislation, the Bank may purchase databases containing personal data from service providers having a contractual relationship with the Bank and if a Data Subject is recorded in such database, the Bank may contact the Data Subject at its contact details listed in the database, in compliance with legislative provisions applicable to the relevant contact to be made.
IV. The Bank may contact business organisations for the purpose of direct marketing (advertising) at the e-mail address and telephone number of such business organisations indicated for contact keeping, in compliance with the applicable legislative provisions.
4.1 What rights do I have in relation to data protection?
We inform You that You as Data Subject have the following rights in connection with the protection / processing of Your personal data by the Bank:
If Your personal data is processed by the Bank, in connection therewith,
1. You may request access to personal data related to You, by way of requesting information from the Bank regarding Your personal data processed thereby. Information and copies of the processed data shall be provided free of charge (Right to access personal data),
2. You may request the rectification / supplement of personal data related to You without undue delay if Your personal data processed by the Bank are incorrect / incomplete. (Right to rectification). If exercising the right to rectification / supplementing of personal data would result in a change to personal data contained in Your Contract entered into with the Bank, that may be done by Data Subject as specified in the Business Rules of the Bank regarding contract amendment, or in lack thereof, in compliance with the legislative provisions in force or as set out by Your Contract with the Bank regarding the contract amendment;
3. You may initiate the erasure of all or only of Your certain personal data processed by the Bank (Right to erasure). Under this right, You may obtain to erasure / anonymisation of Your personal data on a final and irreversible basis (and to destruct / anonymise the documents containing the personal data of the Data Subject involved in such deletion) by the Bank, in respect of which
3.1 the processing purpose for which the Bank as Data Controller collected or processed Your personal data no longer exists and no other legal basis exists for the personal data processing by the Bank and the personal data have not been erased / anonymised, or
3.2 the processing of Your personal data is based on Your consent provided to the Bank and You have withdrawn such consent from the Bank in accordance with this Privacy Notice (and no other legal basis provided by law exists for the Bank for the processing of personal data),
3.3 You have lawfully objected to the processing of Your personal data and no overriding purpose exists for the continued processing of Your personal data by the Bank,
3.4 according to Your position, the processing of Your personal data is unlawful.
Under Article 11 of the GDPR, we inform You that if no data processing purpose exists for the Bank that requires / permits the processing of the data of the Data Subject by the Data Controller, following the erasure / anonymisation of the relevant personal data, the Bank may only retain the customer identification numbers of Data Subjects (in respect of Data Subjects having customer identification numbers) so that the Bank is able to verify, upon a possible disagreement that the erasure / anonymisation has been completed by the Bank. The Data Subject shall provide its customer identification number to facilitate the verification of such erasure; in lack thereof, the Bank will be only able to inform the Data Subject or the party lawfully requesting information regarding the Data Subject that the Bank does not process any personal data regarding the Data Subject at that point in time.
Instead of erasure, the Bank shall block the personal data of the Data Subject if the Data Subject requests so or if it can be assumed on the basis of the information available to the Bank that an erasure would infringe the legitimate interests of the Data Subject. Personal data blocked for this reason may be processed only as long as the purpose for data processing that excluded the erasure of such personal data exists.
4. You may request the restriction of the processing of personal data concerning You, designating the scope of personal data to be restricted (“Right to the Restriction of Data Processing”). Under this right You may obtain restricted processing of Your personal data by the Bank if You contest the accuracy thereof or if, in Your view, the data processing is unlawful, nevertheless, You are against the erasure of the personal data, or if the Bank as Data Controller does not need the personal data for the purpose of processing but You need the same for the submission or assertion or the protection of legal claims.
5. You may request the Bank to specify the recipients whom it had informed of such rectification or erasure of data or of the restriction of data processing,
6. You may withdraw Your consent to the data processing at any time if Your consent shall mean the legal basis for the processing of Your personal data by the Bank (“Right to the withdrawal of consent”). We may process Your personal data following the withdrawal of Your consent, if processing is necessary for the Bank to comply with its legal obligation or on the basis of its legitimate interests, if the pursuit of such interests is proportionate to the limitation of the right regarding the privacy personal data,
7. 7. You have the right to receive Your personal data provided by You to the Bank in a structured, commonly used, machine readable format. You / a third person lawfully authorised by You may request the Bank to transfer such data to another data controller (if data is processed by the Bank on the basis of Your consent or of a contract with the Bank, in which You are one of the contracting parties and if the relevant data are processed using automated means; (“Right to Data Portability”). We inform You that, at this point in time, the Bank is unable to satisfy the request You / the third person lawfully authorised by You submitted on Your behalf regarding Your personal data provided to the Bank (that is, Your application regarding the acceptance of the personal data proposed to be recorded by the Bank) considering that no data processing procedure or a purpose for processing exists for the Bank that would facilitate the satisfaction of Your request and the processing of Your personal data limited to the relevant purpose, thus the Bank is currently not entitled to receive the data carrier containing Your personal data provided to it and to process the personal data stored thereon,
8. You may contest a decision if the Bank uses automated individual decision-making (“Right to contest”),
9. You may object to the processing of Your personal data by the Bank on legal basis of legitimate interest or on grounds relating to Your particular situation in the cases defined in the GDPR (“Right to object”);
10. Regarding the lawfulness of the processing of Your personal data by the Bank, You may initiate the procedure of the Hungarian National Authority for Data Protection and Freedom of Information (abbreviated name: NAIH, registered seat: 1055 Budapest, Falk Miksa utca 9-11. mailing address: 1363 Budapest, PO Box. 9., website: www.naih.hu, telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, central e-mail address: ugyfelszolgalat@naih.hu) or seek judicial remedy (”Right to Redress”);
4.2 How can I file a claim with respect to the above?
As a Data Subject You may submit to the Bank Your questions / requests regarding the exercise of Your rights related to the processing of personal data at the following contact details:
1. In writing, in a letter sent to the address of the registered seat of the Bank (Erste Bank Hungary Zrt.; 1138 Budapest, Népfürdő utca 24-26.) (the application form regarding the processing of personal data is attached as Annex no. 1 to this Privacy Notice),
2. In a written application submitted at any branch of the Bank,
3. Verbally made via a recorded telephone line using the telephone customer service of the Bank (Telebank telephone number: +36 (1) 298-0222; to key customers: +36 (1) 298-0196),
4. In an e-mail message sent to erste@erstebank.hu,
5. In an electronic message forwarded from the George platform.
4.3 What information should I provide to this end?
With a view to the Bank’s obligation regarding the protection of personal data/ banking secrets / securities’ secrets / insurance secrets / business secrets, we shall complete the appropriate identification of the Data Subject in line with its capacity (customer, applicant etc.) in accordance with this Privacy Notice, and shall only be entitled to complete the application / request of the Data Subject only after the (proper level) identification of the Data Subject, upon the fulfilment of the Data Subject’s application regarding the processing of personal data.
We accept requests / applications regarding the processing of personal data submitted by means of standard forms issued by NAIH for applications / requests to be submitted by the Data Subject, if the personal data to be provided thereon have been completed in full. If this request has been submitted in paper form, it shall also be signed by the Data Subject. If the Data Subject has not provided all personal data necessary for identification in the request, the Bank shall call on the Data Subject to supplement its personal data to facilitate a response to be provided to the request / application.
We provide the Data Subject with an application form on the personal data processing to submit the written applications as an Annex No. 1 to this Privacy Policy, whereby the Data Subject can submit its written application to the Bank by filling it. As per this Privacy Notice, we however accept written applications of the Data Subject other than this form as well.
The request of the Data Subject under Clauses 4.1-4.7 of Chapter 2 of this Privacy Notice for the processing of personal data shall include (beside the standard form issued by the NAIH) at least the surname and given name, place and date of birth, mother’s birth name and the address of the Data Subject.
Application of the employee or former employee of the Bank for the processing of personal data shall include (beside the standard form issued by the NAIH) at least the surname and name, birth name, place and date of birth, Mother’s maiden name and the social insurance number with regard to the Data Subject.
We may request the application of the Data Subject (Other Data Subject) under Clause 4.10 of Chapter 2 of this Privacy Notice in written form, (beside the standard form issued by the NAIH) by way of listing the types of personal data (processed data, for example name, e-mail address, telephone number) provided to and processed by the Bank, and by specifying the reason / purpose of data processing by the Bank.
If a Data Subject has submitted his or her request related to the processing of personal data contrary to the above and the Bank was not able to identify the relevant Data Subject appropriately as required for data security and/or for the protection of banking secrets (as specified in this Privacy Notice), the Bank may request the Data Subject to provide further personal data, and upon a failure or non-fulfilment of such request, the Bank shall not be able to respond to the request. That period of time from starting from the Bank’s request for the provision of the necessary personal data / for the performance of a lacking activity until the provision of the personal data shall not be included in the calculation of the due date for responding to the request.
4.4 How long does it take to process my request?
The Bank shall perform requests regarding the processing of personal data / respond to such requests without undue delay, but in any event within one month following the submission thereof. This one-month period may be extended by two further months, taking into account the complexity and the number of requests, where the Bank shall inform the Data Subject of any such extension within one month of submission / receipt of the request to / by the Bank.
4.5 How does Erste respond to data subjects’ requests for exercising their rights?
In the case of the Data Subjects falling within the scope of Clauses 4.1 to 2.4.7 of Chapter 2 of this Privacy Notice - the Customer, the Applicant, the Debtor, the payment guarantor , other natural person providing security, the Authorised Representative, the Payer, the Beneficiary and the Contact Person - the Bank will respond as follows:
The Bank shall comply with the Data Subject’s request in connection with the processing of personal data by sending a reply by post. If attachment of copies shall become necessary concerning the response, this duty shall be fulfilled by the Bank by way of delivering a password-protected electronic data carrier to the Data Subject by post (as an annex to the basic information). The Bank shall deliver the password necessary for the use of the electronic data carrier and the information for the use of the password in a separate letter by post (in a so called password letter), in addition to the information letter, at least one working day following the delivery of the basic information letter. (Due to the Bank’s obligation to protect banking secret and information security duties) the Bank shall only send the Data Subject information classified as personal data in an encrypted e-mail if the Data Subject expressly requests the e-mail delivery and even in this case, we shall fulfil the electronic delivery only to the e-mail address available to us, in a password-protected delivery if it is technically possible due to the size of any attachments. In this case, we shall deliver the password to the Data Subject necessary to access to the encrypted content via another contact channel data processed by us other than e-mail (telephone number, mailing address) or in any other identifiable manner. Information on the use of the password shall be included in the information that contains the password.
The Bank shall respond to that Data Subject’s request via the George interface, if the Data Subject has submitted it via this channel or has requested such a response in a subsequently verifiable manner. If the size of the documents to be sent attached to the response letter may not allow a response via the George interface, a response shall be sent by way of attaching an encrypted CD to a postal mail, as described above.
The requests of Data Subjects falling within the scope of Clauses 4.8 to 4.10 of Chapter 2 of this Privacy Notice - the employee or former employee of the Bank, and the Other Data Subject - concerning personal data processing that involves the transfer of personal data regarding the Data Subject, shall be fulfilled by the Bank by way of delivering a response via post if the mailing address of the Data Subject is being processed. If attachment of copies shall become necessary concerning the response, this duty shall be fulfilled by the Bank by way of delivering a password-protected electronic data carrier to the Data Subject by post (as an annex to the basic information). The Bank shall deliver the password necessary for the use of the electronic data carrier and the information for the use of the password in a separate letter by post (in a so called password letter), in addition to the information letter, at least one working day following the delivery of the basic information letter. An employee or former employee of the Bank, and the Other Data Subject shall only be sent information classified as personal data in an encrypted e-mail if the Data Subject expressly requests the e-mail delivery or if the Data Subject's request has been received by e-mail and the Data Subject provides the Bank with a contact channel other than the e-mail (e.g. telephone number, mailing address) in order to send the password required to open the reply letter containing the personal data, or in case of contact information regarding the Data Subject other than the e-mail address is already being processed by the Bank and it is technically possible due to the size of any attachments. In this case, the Bank will send the password to the Data Subject via the contact channel other than e-mail. Information on the use of the password shall be included in the information that contains the password.
If the Data Subject has not received the postal letter (i.e. if the return receipt is returned to the Bank with a signal of not sought / received), the Bank will try to send the letter to the Data Subject once more, thus fulfilling its obligation to ensure the enforcement of the Data Subject's privacy rights, thereafter, the Bank shall resume the delivery of items that could not been received twice, only at the repeated request of the Data Subject.
If the Bank is under the obligation to disclose personal data regarded as banking secret to a third person within the frame of exercising the Right to portability, the Bank shall complete a request / application submitted in the form of a document or public document with full probative force under legislative provisions applicable to the protection of banking secrets, in compliance with Section 161 (1) of Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings (“Banking Act”).
4.6 Will it cost me anything to assert my data protection rights?
No, Erste fundamentally fulfils such requests free of charge.
If, in the scope of his or her right related to the processing/protection of its personal data, set out in Clause 1.1 of Chapter 4 of this Privacy Notice, the Data Subject requests the issuance of a copy of such a document processed by the Bank, where the Bank’s right to process / protect the Data Subject’s personal data does not cover the issuance thereof, we inform the Data Subject to that effect and notify it that the Bank can fulfil the relevant request charging a service fee announced in respect of the relevant service and the Bank shall fulfil such request by the Data Subject after the Data Subject has indicated that it requests the issuance of the relevant copy also being aware of the relevant charge.
4.7 What options do I have to submit a complaint?
An application by a Data Subject regarding the processing of personal data shall not be considered by the Bank as a complaint but, if the Data Subject makes a complaint in its application regarding the processing of personal data that is in accordance with the applicable legislative provisions and the complaint handling regulations of the Bank, the Bank may respond to the request regarding the processing of personal data and to the complaint submitted by the Data Subject in a single notice (where adequate information is provided). If, following information provision by the Bank regarding the processing of personal data / a response provided by the Bank to another request regarding the protection of personal data, the Data Subject makes a complaint as set forth in the complaint handling policy of the Bank, where such complaint is not related to the processing of personal data, the Bank shall process and respond to such request as a complaint.
Pursuant to Article 13 (1)(e) of the GDPR, we inform You that we transfer Your personal data to the following categories of recipients on the below legal basis:
5.1 Within its financial-, auxiliary financial activity, the Bank may transfer the Data Subject’s personal data to the data processors assigned by the Bank for outsourced activity and specified in Annex No. 1 to the actual version of the Erste Bank’s Business Rules (the ”Annex No. 1 to the Business Rules on Financial Services”) based on the Section 164 j) of the Banking Act and the data processing agreement concluded with the person doing the outsourced activity. The effective version of Annex 1 of the Business Rules is available at https://gate.erstebank.hu/uzletszabalyzat. Purpose of this data transfer is the fulfilment of the activity as outsourced activity as of the Annex No. 1 of the Business Rules on Financial Services to be performed by the particular data processor, and the duration thereof shall be last till the fulfilment of the data processing purpose.
5.2 Based on Section 161 c) of the Banking Act, we (may) transfer Your personal data to company(ies) dealing with debt collection and having contractual relationship with the Bank for the purpose of debt collection defined herein for the period necessary for the fulfilment of the data processing purpose.
5.3 Based on Section 164 q) of the Banking Act, we transfer Your personal data necessary for the fulfilment of a contract arranged by an Intermediary for intermediated financial service to the Intermediary being in contractual relationship with the Bank, for the period necessary for the fulfilment of the data processing purpose. The list of intermediaries that have a contractual relationship with the Bank is available on the website of the Hungarian National Bank at http://www.mnb.hu/felugyelet/engedelyezes-es-intezmenyfelugyeles/piaci-szereplok-keresese/kozvetitok-keresese. Intermediaries are entitled upon their contract with the Bank to transfer the personal data lawfully acquired during their intermediary activity.
5.4 In accordance with Section 164 d) of the Banking Act and the data processing contract, we may complete a transfer of personal data relating to the Data Subject to the auditor authorized by the Bank or to the responsible asset controller, to legal experts (individual lawyer and law office) having contractual relationship with the Bank or to other experts for the purpose of audit / legal, or other expert activity till the fulfilment of this purpose.
In case the Data Subject’s consent is the legal basis for the data processing by the recipient as data processor, we shall inform the data processor about the withdrawal of the Data Subject’s consent, whereupon the data processor shall no longer be entitled to process the data of the Data Subject that is being subject to its consent. We shall notify the data processor, if fulfilment of other duty becomes necessary for the data processor based on a request for the erasure / anonymise, correction, freezing of the personal date relating to the Data Subject or other personal data processing request.
5.5 We may assign our claim towards the Data Subject, whereby we transfer all data and document relevant to the debt of the Data Subject to the assignee upon the assignment contract (unless otherwise agreed by the assignor and the assignee in the assignment contract). Under Section 169 (2) of the Accounting Act, we process the accounting certificates relating to the assignment, and the underlying documentation for 8 years following the year of adopting the annual accounts prepared for the year when the assignment related accounting certificate has been issued.
5.6 We may transfer Your personal data to the authorities having jurisdiction and competence, if the relevant legislation requires us to process these personal data, or if the authority having jurisdiction and competence has delivered us a proper request.
In the frame of ensuring the enforcement of Your access rights, we also inform You (upon Your request) in addition to the information on the recipient categories (by providing the company name and registered seat data) about such recipients whom Your personal data is / has been transferred.
5.7. Open banking (API channel) related data transfer
For the performance of the duties of the Payment Initiation Service Provider (hereinafter: PISP), the Account Information Service Provider (hereinafter: AISP), the Card Based Payment Instrument Issuers (CBPII) (hereinafter together: third party payment service provider – TPP) set out in Sections 31, 31/A, 38/A of Act LXXXV of 2009 in Payment Services, the Bank shall transfer the personal data necessary for the fulfilment of its TPP services, if the Data Subject has preliminary provided the TPP with its consent thereto.
In case of a retail customer, the Bank shall automatically provide access to the Indirect Electronic Channel (API) by default, without explicit request by the Data Subject, if the Account Holder has an Internet banking service and his / her Payment Account is accessible online. The Indirect Electronic Channel (API) and the TPP may be prohibited in accordance with the relevant General Terms and Conditions.
The Bank shall automatically provide access to the Indirect Electronic Channel (API) by default, without the Data Subject’s specific order in case of retail customer, if the Account Holder has an internet banking service and its Payment Account is available online. The Indirect Electronic Channel (API) and the TPP may be prohibited in accordance with the relevant General Terms and Conditions.
The Bank may transfer the Data Subject’s personal data included in the table below to the third-party payment service provider (TPP):
5.8 Data provision by Erste Wizz credit card application
We inform You that Your personal data provided by the application for the Erste Wizz credit card are transferred to the WIZZ Air Hungary Ltd. (Registered seat: 1103 Budapest, Kőér utca 2/A, Building B II-V) based on the legal title of contract performance for a period necessary for the implementation of the data processing purpose.
5.9 Data transfer related to the Erste Student Loan Account Fee Package
The Framework Agreement for the Erste Student Loan Account Fee Package (hereinafter the Erste Student Loan Account) is only available to an Account Holder who has a student loan in accordance with the terms and conditions set out by Student Loan Centre Corporation %5Bin Hungarian: “Diákhitel Központ Zrt”%5D or whose eligibility for a student loan has been confirmed by the Student Loan Centre Corporation and who has made a declaration as to the utilisation of an Erste Student Loan Account. Upon opening and closing of an Erste Student Loan Account, the Bank shall transmit the data detailed below to Student Loan Centre Corporation in order that Student Loan Centre Corporation can enter them into its records for the purpose of verifying the eligibility conditions.
The transfer of data is made for the purpose of the performance of the contract (Article 6 (1)(b) GDPR), in respect of the following data:
(1) Erste Student Loan Account bank account number,
(2) Date of opening of the Erste Student Loan Account
(3) Date of termination of the Erste Student Loan Account
The period of retention of the transferred data by Student Loan Centre Corporation shall be governed by the Privacy Notice of the Student Loan Centre Corporation in effect from time to time.
5.10 Data transfer in connection with collecting Erste Shopping Credit Card points
The condition for collecting Erste Shopping Credit Card points is that the Cardholder must have a valid Tesco Clubcard. When applying for the Erste Shopping Credit Card, the Cardholder shall provide the Tesco Clubcard number on the application form. The Bank shall provide the data detailed below to Tesco-Global Áruházak Zrt. in order to credit the points collected to the Cardholder's Clubcard balance.
The legal basis for the date transfer is the performance of a contract regarding the following data (Article 6(1)(b) GDPR): (1) the Clubcard card number, (2) the amount of points collected in a given period. Tesco-Global Áruházak Zrt.'s current Privacy Notice is applicable to the storage period of the data concerned by the data transfer.
5.11 The Data Controller informs the Data Subject that personal data relating to the use of the digital service George (George Digital Platform - George Web, George App) are processed for the purpose of providing our services and for the performance of the contract with you (Article 6(1)(b) GDPR). As indicated in Annex 1 to the Terms of Service, Amazon Web Services, the public cloud service provider under contract with Erste Digital GmbH, as data processor, processes the following personal data for the purpose of providing the service: name, address, account information, credit card details, financial transactions. Amazon Web Services processes data in the Republic of Ireland, Germany and Austria. The personal data is stored in the cloud hosted by Amazon Web Services, and compliance with the outsourcing requirements of the Banking Act is a guarantee of the adequacy of the processing performed by the data processor
5.12 Data transfer to third country / international organization
In case of a data transfer to a third country or to an international organization, the Data Controller shall ensure an adequate level of protection for the transfer in accordance with the provisions of the GDPR and other European Union and national legislation.
5.12.1 Data transfers to other external digital platforms (Data Subjects: Client, Applicant)
Transmission of identifier data to external digital platforms (Google*, Meta*, Adform***) for the purpose of displaying personalized content in marketing campaigns run by the Bank. For Google and Meta, the transmitted identifier is the email address; for Adform, it is a unique identifier.
The data transfers to Google Ireland Limited, Meta Platforms Ireland Limited, and Adform A/S are considered intra-EU data transfers. However, under the Data Privacy Framework, Google and Meta may, in certain cases, transfer the email addresses to their data centers located in the United States.