Personal data protection

The operator is the company Tatra banka, a.s., ID number: 00 686 930, registered office: Hodžovo námestie 3, 811 06 Bratislava, registered in the Commercial Register of the City Court Bratislava III, section: Sa, insert number: 71/B, contact: DIALOG Live, *1100 / 0800 00 1100 / +421 2 5919 1000 (hereinafter referred to as "Tatra banka").

Ensuring the protection of your personal data is very important to us, and therefore, when processing personal data, we strictly ensure compliance with applicable legal regulations, especially the principles and requirements arising from the GDPR. We have set appropriate technical and organizational measures that contribute to ensuring the protection of the processed personal data of our clients.

In case of any questions related to the processing of your personal data, please contact our DPO (Data Protection Officer), who is entrusted with the supervision of the processing of personal data in our company. You can contact the DPO by email at [email protected] or in writing at the address: DPO, Tatra banka, a. s., Hodžovo námestie 3, 811 06 Bratislava 1.

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Data subject - Natural person whose personal data are processed. It is a person who can be identified directly or indirectly, especially with reference to the identifier such as name, identification number, online identifier or one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identify of this natural person.

Client - Person with whom Tatra banka, in performing its banking activities, entered into transaction, where a bank transaction means formation, change or termination of contractual relationships between the client and Tatra banka. The Clients also means a person with whom Tatra banka discussed an execution of transaction, although this transaction was not executed , the person who ceased to be a client of Tatra banka, a person providing security and the representative of a client who concluded a banking transaction on behalf of the client or negotiated such conclusion. For the purposes of this document, the Client is also a beneficiary defined by AML Act.

Processing - Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Anti Money Laundering - Prevention of legalization of proceeds from criminal activity and financing of terrorism.

Client processing purpose - Personal data processed by Tatra banka for the following purpose:
Provision of banking services, financial and related services, identification of Tatra banka clients and identification of Tatra banka contract partners* (*Contract partner is an entity Tatra banka cooperates with at receiving payment means in the extent in which it could not be considered as the Client under other circumstances).

Marketing processing purpose - Personal data processed by Tatra banka for the following purpose:
Informing about products, innovations and services provided by Tatra banka in connection with obtaining benefits from Tatra banka.

Controller - Any person who, alone or together with other parties, determines the purposes and means of personal data processing and processes personal data on their behalf. For purposes hereof the controller is Tatra banka.

Processor - Any person who processes personal data on behalf of the controller on basis of authorisation
in compliance with Article 28 GDPR.

Act on Banks Act
No. 483/2001 Coll. on Banks.

AML Act
No. 297/2008 Coll. on the Prevention of Legalization of Proceeds of Criminal Activity and Terrorist Financing on Amendments and supplements to Certain Acts as amended.

Act on Securities
Act No. 566/2001 Coll. on Securities and Investment Services

Act on Collective Investment
Act No. 203/2011 Coll. on Collective Investment

Act on Payment Services
Act No. 492/2009 Coll. on Payment Services

Act on Financial Intermediation and Financial Counselling
Act No. 186/2009 Coll. Financial Intermediation and Financial Counselling

Act  on Accounting
Act No. 431/2002 Coll. on Accounting

Personal data are any information related with the identified or identifiable natural person who can be determined directly or indirectly, especially by referring to the identifier such as name, identification number, localisation data, online identifier or by referring to one or several elements specific for physical, physiological, genetic, mental, economic, cultural or social identity of the respective natural person.

Tatra banka processes only those personal data which are required for achieving the particular processing purposes. Personal data are processed always for the pre-determined and legitimate purpose while it would not be possible to achieve such purpose without processing of the respective data.

Provision of the respective data is a legal requirement of yours and no banking transaction can be executed without them being provided in case of processing of personal data on legal grounds determined by legal regulations such as in case of processing for purpose of provision of banking services, financial and related services, identification of bank´s clients and identification of bank’s contract partners. Hence, non-execution of a transaction results from non-provision of the respective data.

Provision of data by the Client is voluntary in case of processing of personal data based on Client's consent, such as in case of processing in terms of the Marketing processing purpose. With the aim to adjust the offer of products and services directly to your requirements, Tatra banka evaluates information processed about you in order to provide you with a targeted offer and this way eliminate sending of non-targeted marketing offers. Granting the approval is voluntary. If you decide not to grant the approval, Tatra banka will not be allowed to send you
marketing information or offers in this particular case.

Recording telephone calls at DIALOG Live
Tatra banka records all telephone calls executed via DIALOG Live. Personal data obtained in this way are processed within the Client processing purpose and Marketing processing purpose.

Tatra banka's activities include processing of various categories of personal data which differ depending on the purpose of processing and nature of the particular processing activity. Such personal data categories are as follows:

In case of Client processing purpose:

• Identification data (for instance name, surname, date of birth, birth identification number, data from theidentification document, nationality, identification document photography, client number, product number),
• Contact data (for instance permanent/temporary residence address, e-mail address, telephone number),
• Data about the utilised products and services (e.g. data about the utilised products and services, data related with processing of your suggestions),
• Sociological and demographic data (for instance age, sex, family status, education, number of persons in household, information about income, type of employment, information related to politically exposed person),
• Economic data (for instance data about ownership of movable and immovable objects, data about total revenues or regular household costs, data about the type of housing),
• Data whether the Client or potential client is in a special relationship with the bank,
• Data about classification of the Client in the register pursuant to § 92 par. 7 Act on Banks or about classification of the Client in other similar register,
• Transaction data (for instance data about the executed transactions, data about beneficiaries and senders, data about utilisation of payment means),
• Geolocation data (for instance data about the place of transaction execution, data which identify device by means of which the transaction was executed, data about the place where the payment card was used),
• Data required for monitoring of secure utilisation of products and services (for instance IP address of the used device, data about the used device and browser),
• Biometric data (for instance voice, face or signature identification),
• Video and audio recordings (for instance camera recordings executed at conclusion of transactions, recordings of telephone calls executed by means of DIALOG Live),
• Copies of documents including identification documents (and photographs from the respective documents),
• Data related with utilisation of our websites and applications (for instance cookies),
• Other relevant data (for instance data about execution proceedings, bankruptcy proceedings, personal bankruptcy, data related with meeting your contract duties and obligations, data about your payment discipline, data from credit registers, data about inclusion in the list of clients the international sanctions relate to).

In case of Marketing process purpose:

• Data related with utilisation of websites and applications (for instance cookies),
• Data ensuing from activities on social networks,
• Relevant data processed about you in the Client processing purpose including geolocation data (for instance data about the place of transaction execution, data which identify device by means of which the transaction was executed, data about the place where the payment card was used).

The number of personal data categories set forth herein represents a full and complex account of all personal data categories which can be considered in terms of the particular purpose of processing at provision of the comprehensive scope of banking products and services in all states of a contract relationship. Individual account of personal data categories for individual clients will therefore be just a sub-group of this account.

Tatra banka processes your personal data always for the pre-determined and legitimate purpose of processing while respective legal grounds for such processing must always exist. Tatra banka would like to assure you that your personal data are never further processed for purposes which are incompatible with the originally determined purposes of processing.

Tatra banka's activities might include processing of your personal data for the processing purposes as follows:

Providing banking services, financial and related services, identification bank clients and identification of contract partners of the bank

This purpose includes especially:

• Identification of clients,
• Conclusion of contract relationships with the Client including pre-contract relationships,
• Maintenance of contract relationships including changes and termination of contract relationships,
• Acceptance and processing of suggestions and complaints of Clients,
• Relationship management,
• Protection and seeking the rights of Tatra banka towards Clients,
• Meeting Tatra banka's obligations in the field of AML,
• Activities related with performance of the tasks and obligations of Tatra banka pursuant to valid legal regulations,
• Maintenance of separate records of Clients who do not meet their obligations ensuing from the contract relationships with the bank duly and on time, Clients who have committed action considered by the bank as unusual business transaction and Clients the international sanctions relate to,
• Maintenance of the list of persons with a special relationship with Tatra banka,
• Activities related with meeting the archive duties.
• Informing and providing awareness of clients in connection with the impact of their financial activities on sustainability and environment.
• Monitoring of outgoing payment transactions with the aim to prevent unusual, fraudulent or unauthorised transactions.

In this case, your personal data are processed in the scope required in order to observe the legal obligations of Tatra banka, with the Article 6, par. 1, letter c) GDPR being a legal base for the processing, and hence the processing is required to meet the legal obligations. The legal regulations to be observed are especially the following:

• Act on Banks,
• AML Act,
• Act on Securities,
• Act on Collective Investment,
• Act on Payment Services,
• Act on Deposit Protection,
• Act on Consumer Loans and Other Credits and Borrowings for Consumers,
• Act on Home Loans,
• Act on Financial Intermediation,
• Act on Insurance Services.

Pursuant to §93a par. 9 Act on Banks, Tatra banka, for the purposes of detecting, verifying and checking the identification of clients and their representatives, for the purposes of concluding and carrying out transactions with clients, for other purposes pursuant to §93a par. 3, as well as for the purposes of updating information already stored by Tatra banka on clients and their representatives, is authorised to obtain information according to §93a par. 1 yet without the consent of the affected persons in the scope of information maintained in the register of natural persons and information maintained in the register of ID cards. The Controller of the said registers is the Ministry of Interior of the Slovak Republic. The bank has decided to proceed in compliance with the mentioned provision and to update the information whenever it is technically possible from the bank´s point of view. The bank shall update the information whenever there is a change in the client´s ID card and thus the information entered in it. The bank informs the client of the implementation of the change via electronic communication media selected by the client for his/her communication with the bank. Likewise, the bank has also decided to use the right to obtain such information and data as part of meeting its obligation of identification and its verification pursuant to the AML Act when establishing a business relationship and in selected cases, also when performing a transaction.

Tatra banka may proceed to processing of your personal data in cases when the scope of personal data set forth by the legal regulations set forth herein is not sufficient for achieving the determined purpose of processing, also under the following legal grounds:

• if it is necessary for performance of the contract concluded between you and Tatra banka including precontract relationships pursuant to Article 6 par. 1 b) GDPR,
• if you have granted consent to processing of your personal data for the particular purpose/purposes pursuant to Article 6 par. 1 a) GDPR,
• if you have granted consent to processing of your personal data for the particular purpose/purposes pursuant to Article 9 par. 2 a) GDPR,
• if processing is necessary for proving, claiming or justification of legal claims pursuant to Article 9 par. 2 f) GDPR.

Your personal data might also be processed if it is required for the purposes of the legitimate interests of Tatra banka or a third party, and that pursuant to Article 6 par 1, letter f) GDPR. Such legitimate interests are:

• Tatra banka is obligated to proceed with expert care in terms of its activities and in connection therewith has legitimate interest in prevention against criminal activity or other illegal action which can cause damage or harm reputation of the bank or any other detriment, or against action which can negatively impact the activity of the bank or put its employees or other data subjects in danger, and for this purpose it is entitled to keep the list of persons with potential risk while this processing may lead to termination of the contract relationship or rejection of transaction execution.
• Tatra banka as a significant banking institution providing financial and related services to a large number of clients is aware of its social responsibility in the area of protection of the environment and support of sustainability and has a legitimate interest in the related provision of information and creation of client awareness in the field of sustainable behaviour and support of the environment, and that especially in form of providing information to clients about the impact of their financial activities on the environment. In terms of this legitimate interest, the bank evaluates client transactions and tries to provide them with the best possible overview about the impact of their individual transactions on the environment in the form of providing information about the volume of produced CO2. Such processing aims to positively affect the behaviour of bank's clients towards a responsible utilisation of natural resources.
• Tatra banka is obligated to proceed with expert care in terms of its activities and in connection therewith has legitimate interest in prevention against criminal activity or other illegal action, and for this purpose Tatra banka performs monitoring and evaluation of the authorised outgoing payment transactions with the aim to prevent unusual or fraudulent transactions.
• Tatra banka has legitimate interest in the execution of care for clients and development of business relationships with them. The aim of processing client's personal data for the given purpose is especially to maintain correct relationship between Tatra banka and its clients, focus on clients and their specific needs, which helps better understand clients' needs. This is performed by organizing various events, webinars and similar activities, as well as performing client satisfaction surveys. Personal data processing is performed in form communication with clients through which Tatra banka informs clients of different activities it performs.

Execution of video and audio recordings

In compliance with Section 38a (2) Act on Banks, Tatra banka is obligated to monitor using a camera monitoring security system with a 24-hour recording in the quality, which allows to distinguish persons and premises where contact with clients and also manipulation with cash is executed. Premises are monitored in such manner for instance at bank's branches. Tatra banka stores such executed recordings with are reference to Section 93a (7) Act on Banks for the period of 13 months after their making.

According to Section 93a (7) Act on Banks: The premises of banks, foreign bank branches, and Národná banka Slovenska, as well as automated teller machines and currency exchange machines located outside the premises of banks and foreign bank branches, may be monitored using video cameras or sound recording equipment even where there is no notice that the area is under surveillance; 88ia the recordings may be used to reveal criminal acts, detect and search for the perpetrators, and in particular to ensure effective protection against money laundering and terrorist financing, to uncover illegal financial operations, judicial proceedings, criminal proceedings, misdemeanour proceedings, and to supervise the discharge of obligations imposed by law on banks and foreign bank branches. 88ia Any such video or audio recording made by a bank, foreign bank branch or Národná banka Slovenska shall be handed over without delay to the authority mentioned in Section 91(4)(b), (g), (o) and (p), if it so requests. If a recording is not used for these purposes, then it shall be destroyed without delay by the person who made it, after the expiration of thirteen months after its making".

Tatra banka has a legitimate interest, in compliance with Article 6 par. 1 (f) GDPR, to protect the property, rights and interests of Tatra banka and other parties protected by law, which results in the monitoring of ATMs and their immediate surroundings by the security system with a 24-hour recording in the quality, which allows to distinguish the person. The purpose of such processing is: Protection of property, rights and interests of Tatra banka and other arties protected by law. Tatra banka stores such executed recordings for the period of 15 days.

In connection with the monitoring of ATMs and their immediate surroundings based on a legal ground, which is the justified interest of Tatra banka, the affected person is entitled, in compliance with the Article 21 (1) GDPR, to object against such processing. Further information about your rights as the affected person, including the right of objection are available in Clause 13 Information Memorandum of Personal Data Protection.

Marketing

Tatra banka processes your personal data on legal grounds of your prior voluntary consent or under legitimate interests of Tatra banka for purposes of informing about products, innovations and services provided by Tatra banka, and also in connection with obtaining advantages by Tatra banka including creation of offers for such advantages at utilisation of profiling.

In case you have granted your consent to processing of your personal data for the purpose set forth herein to Raiffeisen Group, your personal data may be processed (i) by entities with direct or indirect property interest in Tatra banka, (ii) by entities in which Tatra banka has direct or indirect property interest, (iii) by entities in which the entity with property interest in Tatra banka has direct or indirect property interest, (iv) by entities having direct or indirect property interest in the entity with property interest in Tatra banka. For purposes of this document these are especially the following entities:

• Doplnková dôchodková spoločnosť Tatra banky, a. s., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 36291111,
• Tatra Asset Management, správ. spol. a. s., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 35742968,
• Tatra Leasing, s. r. o., seated at Hodžovo námestie 3, 811 06 Bratislava, Company ID No: 31326552.

Tatra banka has legitimate interest in taking care for its Clients and developing business relations with its Clients, and hence informing them about its products, innovations, services or offers of various benefits. In relation thereto Tatra banka can contact you yet without your prior consent while it will inform you of such processing of your personal data and instructs you about your rights, especially about the right to object to processing of your personal data. Naturally, this is not the case if you have expressed your disapproval of such contact or if you object it.

Further information about your rights as the affected person, including the right of objection against processing in the legitimate interest are available in Clause 13 Information Memorandum of Personal Data Protection.

Tatra banka may communicate with you for the above purpose by means of automatic calling system, telephone, e-mail, text message or via other means of distance communication.

With the aim to adjust the offer of products and services directly to your requirements, Tatra banka evaluates information processed about you in order to provide you with a targeted offer and this way eliminate sending of non-targeted marketing offers.

For the purposes set forth in this section, the Client also means a person with whom Tatra banka discussed or wishes to discuss an execution of transaction, although this transaction was not executed, the person who ceased to be a client of Tatra banka, a person providing security and the representative of a client who concluded a banking transaction on behalf of the client or negotiated such conclusion.

Pursuant to Article 4 Clause 14 GDPR, biometric data are “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data“. Biometric data belong to a specific category of personal data whereof processing is subject to separate
requirements, especially in the area of legal grounds of processing or meeting other terms and conditions pursuant to GDPR.

Biometric data are processed also in terms of Tatra banka's activity as part of the Client processing purpose. The scope of processing includes the following personal data:

• Biometric voice characteristics
  Tatra banka is entitled to process biometric characteristics of your voice pursuant to § 93a par. 2 Act on Banks. Hence, the legal ground form processing in this case is the law.
• Biometric face characteristics
  Tatra banka can process biometric characteristics of your face in order to maintain or increase the level of security and unique identification of clients and avoid damages caused to the clients by third parties by taking their identity, and to simplify execution of banking transactions. However, such processing is done only on legal basis of consent and in case it is not granted, such processing will not be done. Client’s consent is the legal basis for processing.
• Biometric signature characteristics
  Tatra banka can process biometric characteristics of your signature in order to maintain or increase the level of security and unique identification of clients and avoid damages caused to the clients by third parties by taking their identity, and to simplify execution of banking transactions. However, such processing is done on legal basis of consent and in case it is not granted, such processing will not be done.
  
  Within the purpose being: the provision of banking services, financial and related services, identification of Tatra banka clients and identification of Tatra banka contract partners, certain banking operations involving the processing of the biometric characteristics of a signature on the legal basis referred to in Article 9 par. 2 f) GDPR and, therefore, where the processing is necessary for the establishment, exercise or defence of legal claims.  Such cases include, for example, the signature of the client or those of the client’s authorised persons on an electronic document executed in connection with making a cash deposit or carrying out a foreign exchange operation.

Based on changes executed in the legal order related to GDPR it is necessary, following the change of legal definition, to consider yet the current authentic signature in digitalised form as signature containing the biometric signature characteristics.

Automated decision making including profiling belongs to the processing operations which are worth special attention, executed by the Client processing purpose.

Processing of a request for provision of a banking service results in automated decisions made on basis of profiling. Profiling of a Client considers the data obtained by Tatra banka at the time of request and also data registered by Tatra banka in terms of previous Client's history in Tatra banka, as well as data obtained in compliance with valid legal regulations from external resources and the system executes automated decisions on basis of these data. The bank considers several data at profiling, which can impact the decision regarding the request both positively and negatively. The data which are considered are data about potential Client risk rate, Client's assets and liabilities with Tatra banka, Client's payment discipline, regularity of utilisation of banking products and data the bank obtains from the Client at the time when conclusion of the given transaction is negotiated.

Tatra banka evaluates the respective data in regular intervals and estimates the risk profile of the Client based on these data. In case of a Client with no previous history in Tatra banka the bank evaluates the data obtained from the Client's request and data obtained in compliance with the valid legal regulations from external resources. The request is considered at the automated decision making on basis of the obtained risk profile of the Client.

This decision may affect automatic request refusal, maximum approved amount of individual loans, possibility of provision of individual products, maximum maturity of the requested product and the LTV threshold. Client's risk profile as such has direct impact on the proposal of conditions by the bank and it basically applies that the better the Client's risk profile, the better the conditions for the Client suggested by the bank.

The data set forth herein and also data about behaviour of clients at payment delay can be used for the process of decision making regarding the optimum recovery process and can affect selection of the loan recovery or restructuring strategy. Data can also be used for the activities for the purpose of avoiding the delay of the client.

In case of automated decision making including profiling pursuant to Article 22 GDPR at processing of your request for a banking product, you will be entitled to human intervention by Tatra banka on your own standpoint and also to object the decision adopted on basis of automated decision making including profiling.

Automated decision making happens:

• when a loan transaction conclusion is negotiated,
• when the amount of optional overdraft which belongs to the current account of a client is reviewed.

Your data may be provided and made available for the respective registers in connection with consideration of
Client's ability to repay the loan:

• Slovak Banking Credit Bureau (hereinafter referred to as “SBCB“) created pursuant to § 92a par. 1 Act on Banks as the common banking register the provider whereof is Slovak Banking Credit Bureau, s. r. o., Company ID No: 35869810 seated at Mlynské nivy 14, 821 09 Bratislava (hereinafter referred to as “SBCB”), established as a joint venture of auxiliary banking services in compliance with § 92a par. 2 Act on Banks. The legal ground for processing of personal data in the SBCB is Article 6 par. 1.c) GDPR jointly with Article 6 par. 2 GDPR, as well as the Act on Banks. Personal data categories and purpose of personal data processing in the SBCB is determined by the Act on Banks. Provision of personal data is executed pursuant to the Act on Banks.
• Slovak Banking Credit Bureau, section Register of Consumer Loans Data is a register pursuant to § 7 par. 3 and § 7 par. 9 Act on Consumer Loans and register pursuant to § 8 par. 20 Act on Home Loans, in the scope pursuant to § 7 par. 9 Act on Consumer Loans (hereinafter referred to as the “Register”). The bank is obligated to provide the data to the Register and obtain the data from the Register without Client´s consent in compliance with the Act on Consumer Loans and Act on Home Loans. The legal ground for processing of personal data in the Register is Article 6 par. 1 c) GDPR, Act on Consumer Loans and Act on Home Loans. Categories of personal data processed in the Register are determined by the Act on Consumer Loans and Act on Home Loans while the purpose of personal data processing in the Register is provision of consumer loans and/or housing loans and consideration of the ability of the consumer to repay the consumer loan and/or housing loan. Provision of personal data in these cases is a legal requirement. Comprehensive information in terms of Article 14 GDPR about personal data processing in the SBCB and Register form the contents of Annex 1 hereof.

Tatra banka shall not provide your personal data to other entities, except for the cases in which you have granted your consent or written instruction to Tatra banka for such provision of data or if other legal ground for provision of your personal data to other entities exists, for instance in case of performance of the legal obligation of Tatra banka as the controller. Provision of your personal data to other entities in terms of performance of the legal obligation can be executed in the environment of Tatra banka only in cases set under the Act on Banks. In accordance with the Act on Banks, Tatra banka is obligated to provide personal data of its client without client's consent to the National Bank of Slovakia, to persons authorised to perform banking supervision including the invited persons and persons specified in § 6 par. 7 and § 49 par. 2 Act on Banks, resolution board for purposes of its function pursuant to the Act on Banks or a separate regulation, to auditors for the activities specified in the Act on Banks or separate act and to the Deposit Protection Fund for meeting the tasks pursuant to the separate
regulation.

Tatra banka is also obligated to provide your personal data if they are requested by an authority pursuant to § 91 par. 4 Act on Banks (and that for instance court, notary, investigative, prosecuting and adjudicating bodies, executor, criminal police services, etc.).

Tatra banka may also provide personal data to other entities without your consent in terms of meeting the legal duties:

• in the area of providing and securing payment services pursuant to the Act on Payment Services,
• in the area of protection against legalisation of incomes from criminal activities and financing of terrorism pursuant to the AML Act,
• in connection with reporting to the law enforcement authorities about suspicion that a crime is being prepared, being committed or was committed,
• in connection with the reporting duty to the respective authority of the Slovak Republic for the purpose of automatic exchange of information about financial accounts for purposes of tax administration pursuant to a separate regulation (FATCA, CRS),
• in connection with consideration of the ability to repay a consumer loan pursuant to the Act No. 129/2010 on Consumer Loans and Other Credits and Loans for Consumers and on amendments to certain laws as amended,
• in connection with meeting the reporting duty towards the National Security Authority in the field of cybersecurity pursuant to the Act No. 69/2018 Coll. on Cybersecurity,
• in connection with providing data to the central register of accounts and fulfilment of obligations pursuant to the Act No. 123/2022 Coll. on Central Register of Accounts.

Also please note that Tatra banka and entities from the Raiffeisen Group have legitimate interest in mutual sharing of personal data processed within the Client processing purpose which can lead also to cross-border transfer of data, and that in terms of:

• protection against legalisation of incomes from criminal activities and financing of terrorism,
• meeting the duties connected with the execution of banking activities at the level of the Raiffeisen Group,
• in connection with consideration of financial standing and credibility of clients.

Tatra banka is authorised, in compliance with provisions of the Act on Banks, to maintain its register of clients who do not meet their obligations ensuing from the contract relationships with Tatra banka duly and on time, Clients who have committed action considered by the Tatra banka as unusual business transaction under the AML Act and Clients the international sanctions according to a separate regulation relate to, and also to provide, yet without consent of the Client, information from the register to other banks and branches of foreign banks. 

Tatra banka and its subsidiaries act as a set of entities subject to supervision on a consolidated basis and fulfill selected legal obligations jointly and in cooperation with each other.

In connection with the above, we inform you that Tatra banka, as well as Tatra banka's subsidiaries, have a legitimate interest in the consistency of the data of clients who are clients of Tatra banka and at the same time clients of Tatra banka's subsidiaries, as well as in keeping the processed personal data up-to-date, therefore Tatra the bank as an operator, which is authorized on the basis of §93a par. 9 of the Banking Act, even without the consent of the persons concerned, to obtain data recorded in the register of natural persons and data kept in the register of identity cards, may provide such current personal data for the purpose of updating already processed personal data to other subsidiaries of Tatra banka.

Tatra banka's subsidiaries for this purpose are mostly:

• Supplementary pension company Tatra banka, a. s., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID number: 36291111,
• Tatra Asset Management, admin. spol. a. s., with registered office at Hodžovo námestie 3, 811 06 Bratislava, ID number: 35742968,

In connection with mutual sharing on legal grounds, which is the legitimate interest of Tatra banka, the affected person can object against such processing in compliance with Article 21 par. 1 GDPR. Further information about your rights as the affected person, including the right of objection are available in Clause 13 Information Memorandum of Personal Data Protection. 

As part of the provision of selected banking services, Tatra banka cooperates with selected third parties, such mutual relationship being defined as a relationship between two individual controllers. These are cases where such cooperation is necessary for the provision of both the bank’s services as well as the services of the third party. Such third parties are, for example:

• APPLE DISTRIBUTION INTERNATIONAL in providing the Apple Pay service
• Diagnose.me, a.s. in operating the website www.diagnose.me

Tatra banka does not publish your personal data.

Processors

Tatra banka may process your personal data in certain cases also by means of its processors. Processor is an entity authorised by Tatra banka to process personal data in compliance with the Article 28 GDPR. Authorisation for processing of your personal data by an processor does not require your consent or other legal ground such as in case of provision of data to other controllers. In such case the processor processes your personal data on behalf of Tatra banka as the controller.

Processing of personal data by means of an processor has no negative impact on performance and application of your rights as the data subject determined in Chapter III GDPR while the client can apply the respective rights with Tatra banka as the controller also directly with the particular processor which processes your personal data.

Tatra banka wants to assure you that it only uses the processors providing appropriate technical, organisational and other measures so that processing meets the GDPR requirements and protection of rights of the data subject is provided in full extent.

Tatra banka uses the following categories of processors at processing of your personal data:

• companies which provide or execute financial and related services,
• companies which provide payment services and monitoring of payment services,
• companies which execute customer satisfaction surveys,
• companies which provide marketing activities,
• companies which provide print services and services of mass correspondence,
• companies which execute maintenance of registry records pursuant to separate regulations,
• companies which provide administrative services connected with delivery of petitions at the cadastral division of the respective district authorities and execution of other activities related with presenting a proposal for entering a record of mortgage in the Land Registry,
• companies which provide retention activities,
• companies which provide recovery and maintenance of receivables,
• companies which provide execution of mortgage by means of public auction,
• companies which provide protection of the services provided by Tatra banka via the Internet and prevention against cyber-attacks.

Transfer of personal data to third countries

Personal data are not the subject of cross-border transfer to third countries that do not ensure an adequate level of personal data protection except for the cases specified by valid legal regulations or specific situations when the Client must be notified of such transfer in advance.

Processing of personal data using cloud solutions

When processing personal data, cloud solutions or solutions of a similar technical nature are used in many cases. The use of such solutions is, for example, in many cases required as part of the implementation of state-of-the-art software tools, or improves efficiency and cost-effectiveness. Last but not least, such solutions also help maintain the integrity of the processed data and contribute towards the security of processing.

Depending on the type of processing activities, in such processing the providers of cloud or similar services act mainly as processors in accordance with Article 28 of the GDPR. In selecting its partners and in the course of the processing activities, Tatra banka is very careful to avoid any risk of data security breach or any negative impact on the rights of data subjects. Tatra banka also consistently makes sure to select only partners who have demonstrably implemented appropriate technical and organisational measures to ensure the level of security pursuant to point (c) Article 28 par.3 c) and Article 32 of the GDPR, so that the processing is performed in compliance with the valid legal regulations, in particular the GDPR, and to ensure protection of the rights of data subjects.

In such processing, personal data are not transferred to third countries which do not guarantee an adequate level of protection under the GDPR.

Tatra banka shall retain your data in a form enabling your identification for the period necessary to achieve the
purpose of personal data processing.

If your personal data are being processed with your consent, Tatra banka will store personal data after the
consent is revoked or its validity expires only for the period required to demonstrate, apply or defend legal claims
of Tatra banka. This also applies in case of processing under the contract.
If your personal data are being processed in terms of performance of the legal obligation of Tatra banka, the
respective legal regulations specify the period during which Tatra banka is obligated to store your personal data
and related documents. Such legal regulations include especially:

• Act on Banks, which stipulates that Tatra banka is obligated to store and protect against damage, change, destruction, loss, theft, disclosure, misuse and unauthorised access the data and copies of data proving client's identity and documents about detecting ownership of the means utilised by the client for the transaction and contracts and other documents about the executed transactions for the period of at least five years after the transaction terminated.
• AML Act, which stipulates that Tatra banka is obligated to store during the period of five years:
  - after the contract relationship with the client terminated: data and written documents obtained in connection with care provided for the client and in connection with detecting unusual business transaction,
  - after the execution of transaction: all data and written documents about the client.
• Act on Collective Investment, which stipulates the obligation to store identification or copies of documents about proving identity of investors and clients and documents about detecting ownership of the means utilised by investors and clients and executed transaction for the period of at least ten years after the transaction terminated (§ 55 Clause 5).
• Act on Securities, which stipulates the obligation to store and protect against damage, change, destruction, loss, theft, disclosure, misuse and unauthorised access the data and copies of data proving client's identity and documents about detecting ownership of the means utilised by the client for the transaction and contracts and other documents about the executed transactions for the period of at least ten years after the transaction terminated (§ 73 Clause 6).
• Act on Supplementary Pension Saving, which stipulates the obligation to store records and other documents related to the managed supplementary pension funds and provided services for the period of at least five years after termination of management of the supplementary pension fund the documents and beneficiary recipients for the period of at least five years after disclosure of the participation contract (§ 31 Clause 3).
• Act on Financial Intermediation, which stipulates the period for storing documentation for the period of at least ten years after commencement of validity of the contract on provision of financial service and the period of at least five years after termination of the contract on provision of financial consulting (§ 36).
• Act No. 431/2002 Coll. on Accounting, based on which the bank is obligated to keep and protect your personal data and related documents, which form part of the accounting documentation in the course of ten years following the year the accounting documentation relates to.

If your personal data have been processed based on your consent, Tatra banka will keep the personal data after the consent is revoked or after the consent validity period has expired for only such period, which is required to prove the application or defending the legal claims of Tatra banka. It also applies in case of processing based on a contract or legitimate interest. After the purpose of processing ends, a part of the processing purpose entitled “Archiving for the needs of protection of the provider's rights and proving, application or defending the legal claims, as well as providing collaboration to the respective authorities” is fulfilled. The legal base for processing under which the respective personal data were obtained, remains valid yet in such case.

In terms of the archiving period/storage period, personal data are being processed especially:

• in the manner stipulated by the respective legal regulation imposed on the bank,
• in connection with the communication of the bank towards the public authorities in terms of the protection of bank's rights,
• in connection with the protection of the rights and the right of bank's protected interests, for instance in terms of an internal analysis or internal investigation,
• in connection with the entries and other related communication with the respective authorities in terms of proving, application or defending the legal claims,
• in connection with the handling of collaboration provided to the public authorities in compliance with the legally defined conditions.

We adopt technical and organisational measures with the aim to protect your personal data against intentional or neglectful deletion, loss or change and unauthorised accession of your personal data.

Tatra banka employees, as well as Tatra banka contract partners who process personal data on behalf of Tatra banka are bound by the obligation of secrecy which lasts yet after the contract relationship terminates.

In connection with processing of personal data you have the right to file a complaint to supervisory authority, which is:

Úrad na ochranu osobných údajov Slovenskej republiky
Budova Park One
Námestie 1. mája 18
811 06 Bratislava
Slovenská republika

You have the right to correct the personal data related to you that are incorrect or to complete the personal data that are incomplete. Please do not hesitate to contact us in case you find out that the data we process in relation to you are incorrect or incomplete.

If your personal data are being processed based on the consent pursuant to Article 6 par. 1 GDPR or pursuant to Article 9 par. 2 GDPR, you are entitled to withdraw this consent at any time. However, withdrawal of consent has no impact on lawfulness of processing resulting from consent before its withdrawal.

Right to object to processing of your personal data

As the data subject, you have the right to object to processing of your personal data if the processing is being carried out on the legal grounds of the legitimate interests of Tatra banka, including objecting to profiling based on legitimate interests. Tatra banka may further process your personal data on grounds of legitimate interests only in case it proves the existence of inevitable legitimate grounds for processing which prevail over your interests, rights and freedom, or grounds for demonstrating, application or defending of legal grounds.

You are entitled to object to processing of your personal data at any time for purposes of direct marketing including profiling in the extent in which it is related to such direct marketing, and that in case of processing on legal grounds of legitimate interests of Tatra banka. If you object to processing for purposes of direct marketing, Tatra banka will not further process your personal data for purposes of direct marketing. As the data subject you are entitled to access your personal data. In case of meeting the terms and conditions defined by GDPR you can apply for a statement of your personal data which we process about you. In certain circumstances you can apply for restriction of processing, transfer of your personal data and you are also entitled to deletion of your personal data.

You can exercise your rights in writing, by telephone via our DIALOG Live service, by e-mail sent to [email protected] or in person at any branch. Tatra banka may ask you to provide additional information required for verification of your identity.

The company Slovak Banking Credit Bureau, s.r.o., Company Identification Number [IČO]: 35 869 810, with its registered office at Mlynské Nivy 14, 821 09 Bratislava (hereinafter referred to also as the “SBCB”), as the operator of the information system Common Register of Banking Information, presents to you as the concerned entity, within this document, in terms of the Regulation of the European Parliament and of the Council (EU) 2016/679 on the Protection of physical entities with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "GDPR"), in a concise, transparent and comprehensible form, all the important information related to the processing of your personal data in the Common Register of Banking Information and to the exercise of your rights under the GDPR.

1. General information related to the processing of your personal data

The Common Register of Banking Information (hereinafter referred to also as the “SRBI”) was created in accordance with the provisions of Section 92a Para (1) of the Banking Act.

The Common Register of Banking Information, "SRBI" - part Register of Consumer Loans is, pursuant to Act No. 129/2010 Coll. on Consumer Credits and other Credits and Loans for Consumers, as amended, a register under Section 7 Para (3) of the Act on Consumer Credits and a register under Section 8 Para (20) of the Act No. 90/2016 Coll. on Housing Loans, to the extent under Section 7 Para (9) of the Act on Consumer Credits (hereinafter referred to as the “Register"). In accordance with the Act on Consumer Credits and the Act on Housing Loans, the bank is obligated to provide data to the Register and to obtain data from the Register without the consent of the bank's client.

Categories of personal data processed about your person are determined by the Act No. 483/2001 Coll. on Banks, as amended. The purpose of processing the personal data in the SRBI is the preparation, conclusion and execution of transactions with clients, documentation of the activities of banks in accordance with the Banking Act and conducting mutual informing among banks in order to verify the creditworthiness, credibility and payment discipline of bank clients in accordance with Section 92a Para (1) of the Banking Act.

Categories of personal data processed about your person in the Register are determined by the Act on Consumer Credits and the Act on Housing Loans. The purpose of processing the personal data in the Register is the provision of consumer loans and the assessment of the consumer's ability to repay the consumer loan as defined by the Act on Consumer Credits and the Act on Housing Loans.

The legal basis for the processing of your personal data in the SRBI is Article 6 Para 1, letter c) (compliance with the legal obligation) of the GDPR.

The legal basis for the processing of your personal data in the Register is Article 6 Para 1, letter c) (compliance with the legal obligation) of the GDPR.

The source, from which your personal data processed in the SRBI and in the Register come, are the banks and branches of foreign banks.

The period of processing and storing the personal data is established for the duration of liabilities and 5 years after the termination of all your obligations as a client¹ towards the bank in relation to a particular loan agreement², or, in the case of SRBI, 12 months following the date of your application for the conclusion of a loan agreement to the bank, if the agreement is not concluded (this applies to the applications for loan contract conclusion submitted after 1 December 2023; applications for loan contract conclusion submitted before 1 December 2023, in relation whereto the requested loan contract was not concluded will no longer be processed in the Register with effect as of 1 January 2025.) Subsequently, your personal data will be included in the pre-archival care in accordance with the generally binding legal regulations.

1 For the purposes of this information, the term client means a physical entity, with whom the bank has entered into a loan agreement, a person securing the client's obligation under the loan agreement, as well as a physical entity applying in the bank for the conclusion of a loan agreement.
2 A loan agreement means any agreement concluded between the bank and the client or any legal act of the bank or the client, on the basis of which a right for the return of financial resources provided to the client has arisen or may arise for the bank, including a consumer loan agreement.

The SBCB processes your personal data through an intermediary, the company CRIF S.p.A. with its registered office at Via M. Fantin 1-3, 40131 Bologna, Italy.

Another intermediary of the SBCB is the company CRIF - Slovak Credit Bureau, s.r.o., with its registered office at Mlynské Nivy 14, 821 09, Bratislava.

Personal data processed about your person in the SRBI are made available to the banks and branches of foreign banks and through the Non-Banking Credit Bureau, an interest association of legal entities, Company Identification Number [IČO]: 42 053 404, with its registered office at Mlynské Nivy 14, 821 09 Bratislava (hereinafter referred to as the "NBCB"), also to authorized users of the Non-Banking Register of Client Information, regularly published on the website www.nbcb.sk.

Personal data processed about your person in the Register may also be made available to banks, foreign banks and branches of foreign banks and other creditors defined by these legal regulations, in accordance with Section 7 Para 6 of the Act on Consumer Credits and the relevant provisions of the Act on Housing Loans. The list of creditors, banks, foreign banks and branches of foreign banks is, in accordance with the Act on Consumer Credits, available at the web page www.nbs.sk.

Personal data processed about your person in the SRBI and the Register are provided to the National Bank of Slovakia and to other entities in accordance with the relevant provisions of the Banking Act and the Act on Consumer Credits and the Act on Housing Loans.

Your personal data processed in the SRBI and the Register are not published or provided to third countries.

2. Information related to the exercise of your rights under the GDPR

The GDPR generally grants you as a concerned entity a number of rights, including the right to access the personal data, the right to correct the personal data, the right to erase the personal data (the so-called right "to be forgotten"), the right to restrict the processing of the personal data, the notification obligation in connection with the correction or deletion of personal data or restriction of the processing of personal data, the right to transferability of the personal data, the right to object to the processing of personal data, the right not to be subject to automated individual decision-making, including profiling, and others.

However, not all the rights granted to you as a concerned entity by the GDPR can be applied to the processing operations carried out with your personal data by the SBCB as an operator. The list below contains a basic overview of your rights, as well as an overview of those rights that cannot be exercised on your part due to the specificity of the processing operations performed by the SBCB as an operator.

1. The right to access the personal data

1. You have the right to obtain a confirmation of whether the SBCB, as the operator, processes your personal data and, if so, you have the right to gain access to such personal data. You also have the right to obtain information about:

1. the purposes of processing your personal data,
2. the categories of personal data that are processed about you,
3. the recipients or categories of recipients to whom your personal data have been or will be provided, in particular about recipients in third countries or international organizations,
4. the expected retention period of your personal data,
5. the existence of the right to request a correction of personal data concerning your person or their deletion or restriction of processing (however, you do not have the right to object to the processing of your personal data under Article 21 of the GDPR). For more information on the reasons for not being able to object to the processing of your personal data, see the section "Right to object to the processing of personal data (Article VII)",
6. the right to lodge a complaint to the supervisory authority,
7. the source of obtaining your personal data, if these were not obtained directly from you,
8. the existence of automated decision-making, including profiling (however, SBCB does not currently perform automated decision-making or profiling of your person).

2. You have the right to be informed about adequate safeguards according to Article 46 of the GDPR regarding the transfer, should your personal data be transferred to a third country or an international organization in terms of the GDPR (however, the SBCB, as the operator, does not currently transfer your personal data to a third country or international organization in terms of the GDPR).
3. You have the right to obtain a copy of the personal data that is processed about you. However, the right to obtain such a copy must not adversely affect the rights and freedoms of others. You can find more information on how to obtain such a copy in the section "Procedure for the processing of your application (Part C)".
4. The SBCB shall provide you with a copy of the personal data it processes about you. If you submit an application by electronic means, the information will be provided in a commonly used electronic form. However, the SBCB, as the operator, is entitled to ask you for the provision of additional information necessary to confirm your identity in case it has reasonable doubts regarding the identity of the physical entity submitting such an application. For more information on how to obtain such a copy, see the section "Procedure for the processing of your application (Part C)".
5. You have the right to file a complaint or a motion to initiate proceedings pursuant to Section 100 of the Act No. 18/2018 Coll. on Personal data protection, if you believe that your rights or freedoms have been violated in connection with the processing of your personal data on the part of the SBCB. You can address such a complaint or a motion to initiate proceedings to the Office for Personal Data Protection of the Slovak Republic (https://dataprotection.gov.sk/en/).

II. The right to correct the personal data

You have the right to have the SBCB, as the operator, correct the incorrect personal data concerning your person without undue delay. At the same time, with regard to the purposes of processing, you have the right to supplement the incomplete personal data, including by the provision of a supplementary declaration.

III. The right to erase the personal data (the right to be "forgotten")

1. You have the right to have the SBCB, as the operator, delete the personal data concerning your person without undue delay, and the SBCB is obligated to delete your personal data without undue delay if any of the following reasons are fulfilled:

1. Your personal data is no longer needed for the purposes for which they were collected or otherwise processed,
2. Your personal data has been processed illegally,
3. Your personal data have to be deleted in order to comply with the legal obligation under European Union law or the law of the Member State to which the operator is subject.

2. Please note that the SBCB, as the operator, processes your personal data on the basis of a legal obligation pursuant to Article 6 Para 1 letter c) of the GDPR and not on the basis of your consent. For this reason, in this case, the GDPR does not grant you the right to withdraw your consent to the processing of personal data;

3. Please note that the GDPR does not grant you the right to obtain, from the SBCB as the operator, the deletion of the personal data concerning your person in the event of an objection to the processing of personal data pursuant to Article 21 of the GDPR. For more information on the reasons for not being able to object to the processing of your personal data, see the section "The right to object to the processing of personal data (Article VII)".

IV. The right to restrict the processing of the personal data

1. You have the right to have the SBCB, as the operator, restrict the processing of your personal data in one of the following cases:

1. as the concerned entity, you challenge the accuracy of your personal data, namely within the period allowing the SBCB to verify the accuracy of your personal data; the SBCB will verify the accuracy of your personal data primarily with the source from which it obtained them, i.e., with the relevant bank, to which you provided your data in connection with the loan agreement, or with the application for its conclusion,
2. processing of your personal data is illegal and, as the concerned entity, you have objected to the deletion of your personal data and you are requesting a restriction of their use instead,
3. the SBCB, as the operator, no longer needs your personal data for processing purposes, however, you, as the concerned entity, need it to prove, assert or defend legal claims.

2. If the processing of your personal data is restricted pursuant to paragraph 1, such personal data, with the exception of archiving, shall subsequently be processed only with your consent or for the reasons of proving, asserting or defending legal claims, or for the protection of the rights of another physical or legal entity, or for reasons of overriding public interest of the European Union or its Member State.
3. If you as the concerned entity have attained the processing restriction pursuant to paragraph 1, the operator shall inform you before the processing restriction is lifted.
4. Please note that the GDPR does not grant you the right to attain with the SBCB, as the operator, a restriction of the processing of personal data concerning your person in the event of an objection to the processing of personal data pursuant to Article 21 of the GDPR. For more information on the reasons for not being able to object to the processing of your personal data, see the section " The right to object to the processing of personal data (Article VII)".

V. Notification obligation in connection with the correction or deletion of personal data or restrictions of the processing of personal data

The SBCB, as the operator, shall notify each recipient to whom your personal data has been provided of any correction or deletion of personal data or restrictions of processing carried out pursuant to Article 16, Article 17 Para 1 and Article 18 of the GDPR, unless this proves impossible or requires a disproportionate effort. The SBCB will inform you of these recipients should you request it.

VI. The right to transferability of personal data

Please note that the GDPR, in connection with the processing of your personal data in the SRBI and the Registry, does not grant you the right to transfer your personal data to another operator, since the SBCB processes your personal data on the basis of a legal obligation pursuant to Article 6 Para 1 letter c) of the GDPR. They are therefore not processed on the basis of the consent of the concerned entity pursuant to Article 6 Para 1 letter a) of the GDPR or Article 9 Para 2 letter a) of the GDPR (these are not specific categories of personal data, such as ethnic origin, political opinions or health-related data) or Article 6 Para 1 letter b) of the GDPR (when the processing is necessary for the performance of a contract, to which the concerned entity is a contractual party, or for measures to be taken before the conclusion of the contract at the request of the concerned entity).

VII. The right to object to the processing of personal data

Please note that the GDPR, in connection with the processing of your personal data in the SRBI and the Registry, does not grant you the right to object to the processing of your personal data. According to Article 21 of the GDPR, the concerned entity has the right to object, on grounds relating to his or her specific situation, to the processing of personal data concerning his or her person, if it is carried out pursuant to Article 6 Para 1 letter e) of the GDPR (processing in the public interest) or Article 6 Para 1 letter f) of the GDPR (processing based on a legitimate interest of the operator or a third party). The SBCB also does not process your personal data for direct marketing purposes and does not perform profiling of concerned entities.

VIII. Automated individual decision-making, including profiling

In general, the concerned entity has the right not to be subject, in terms of Article 22 of the GDPR, to a decision which is based exclusively on automated processing, including profiling, and which has legal effects appertaining to or significantly influencing the concerned entity in a similar manner.

Please note that the SBCB does not make any decisions against you and no profiling of your person in accordance with the previous paragraph. For this reason, the GDPR does not grant you the opportunity to exercise the above-stated right against the SBCB. However, you can exercise this right against the bank as the source of your personal data in the SRBI and the Registry, which decides about your application for a loan agreement conclusion and performs profiling of your person, in accordance with its Information Memorandum of Personal Data Protection.

IX. Notification of the concerned entity about the breach of personal data protection

1. In the event of a breach of the protection of your personal data, which is likely to lead to a high risk for your rights and freedoms, the SBCB, as the operator, will notify you without undue delay of the breach of the protection of your personal data.
2. The notification referred to in paragraph 1 shall not be required if any of the following conditions is fulfilled:

1. the operator has taken appropriate technical and organizational protection measures and applied these measures to the personal data, to which the breach of the protection of personal data pertains, in particular those measures, on the basis of which the personal data are illegible to all entities who are not entitled to have access to them; such as, for example, encryption,
2. the operator has taken follow-up measures to ensure that the high risk for the rights and freedoms of the concerned entities referred to in paragraph 1 is unlikely to have any consequences,
3. it would require a disproportionate effort. In such a case, the public will be informed or a similar measure will be taken instead, thus ensuring that the concerned entities are informed in an equally effective manner.

3. Procedure for the processing of your application

As a concerned entity, you have the right to exercise the above-mentioned rights also through an application addressed to the SBCB as an operator. Your application will be processed within one month in accordance with the applicable legal regulations. The given period may be extended, if necessary, by a maximum of further two months, taking into account the complexity of the application and the number of applications. The SBCB, as the operator, will inform you of any such extensions within one month of the receipt of the application, along with the reasons for missing the basic deadline.

The SBCB will endeavour to satisfy all the applications, however, in exceptional cases there may be a situation, where your application could not be accommodated. However, non-satisfaction of the application for justified reasons is only the last resort. In case of ambiguity or incompleteness of the application, the SBCB will contact you with a request for a clarification or a provision of additional information. Exceptionally, the SBCB may have doubts about your identity. In such a case, you will be asked to provide additional information to resolve such concerns.

Your application will be processed in the form in which you submit it, or if you specify another form of application processing in the application itself, it will be accommodated in such a form. For example, if you send the application to the SBCB by mail, the SBCB will address the processing of the application also by mail. However, if you indicate in such an application that you would like us to respond to you by e-mail, the SBCB will process your application by electronic means. However, if the SBCB has legitimate doubts about your identity, which will not be resolved subsequently, it may process your application by sending the response via a registered mail to the address of your last permanent residence.

The SBCB provides you with several options on how to submit the application related to the application of your rights. You can prepare the relevant application yourself, or you can use our sample applications, which we have pre-filled for your convenience. In this case, all you have to do is enter your personal data so that we can identify you and then send it to us. You can find the pre-filled applications at the following link: http://www.sbcb.sk/na-stiahnutie/

You can deliver the completed application to the SBCB:

1. in person to the SBCB client centre, located at: Mlynské Nivy 14, 821 09 Bratislava,
2. by post addressed to the address: Mlynské Nivy 14, 821 09 Bratislava,
3. by e-mail to: [email protected] .

If you decide to submit your application in person at our client centre, please bring your ID card to prove your identity. If you decide to deliver your application through another person, it is essential that this person has a notarized power of attorney. In the interest of the greatest possible protection of your person, we cannot make your personal data available to anyone without a sufficient proof of authorization to act on your behalf.

If you send us your application by mail, please sign it by hand.

One of the potentially most dangerous ways of providing your personal data in connection with the exercise of your rights as a concerned entity in terms of this information document is the communication by electronic means. For this reason, in this way we fully accept only those applications that are signed by a guaranteed electronic signature. If you send us an application by e-mail that is not signed by a guaranteed electronic signature, it may take longer to process your application, since it is essential for the protection of your personal data that the SBCB does not have substantiated doubts about your identity. For this reason, we may request additional information to confirm your identity. Your application may also not be fully accommodated in this way, and in case of doubts about your identity, we may process your application  in such a  way that we would send a copy of your personal data (or other relevant processing of your application) by registered mail to the address of your last permanent residence.

Further additional information concerning the processing of your personal data on the part of the SBCB in the SRBI and the Registry, as well as the exercise of your rights of a concerned entity can be obtained (i) at the Client Centre, located at: Mlynské Nivy 14, 821 09 Bratislava, (ii) by phone at the telephone number: +421 2 59207515, or (iii) by e-mail at the electronic mail address: [email protected].

The contact information of the responsible person in terms of the GDPR determined by the operator is: [email protected].