On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) takes effect. The main goal of the GDPR is to strengthen protection of the personal data of natural persons that are collected and processed by companies and institutions operating on the territory of the European Union.
It’s worth knowing more about the GDPR, which is why we have prepared the information below. It will be supplemented and updated on an ongoing basis, so please check back on our website.
The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The Regulation is intended to protect the fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data. At the moment, the accompanying national regulations are still lacking, but we encourage you to keep track of the subject.
The GDPR takes effect on 25 May 2018.
Controller – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The controller of personal data is PKO Bank Hipoteczny Spółka Akcyjna with its registered office in Warsaw, address: ul. Puławska 15, 02-515 Warsaw.
The controllers of personal data of Clients of PKO Bank Hipoteczny are PKO Bank Hipoteczny Spółka Akcyjna and PKO Bank Polski Spółka Akcyjna. We provide more information on this subject in the section titled “Information on the processing of personal data of PKO Bank Hipoteczny Clients.”
Personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Clients’ personal data (e.g. names and surnames, dates and places of birth, residence addresses, PESEL national ID numbers, telephone numbers) are processed by the Bank for the purpose of delivering products and services.
Recipient – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
The Bank discloses Clients’ personal data to data recipients, which may include entities and authorities authorised on the basis of the generally applicable provisions of the law, e.g. other banks, courts, prosecutors and Biuro Informacji Kredytowej S.A.
Supervisory authority – means an independent public authority which is established by a Member State for the purpose of protecting fundamental rights and freedoms of natural persons in relation to data processing.
The supervisory authority is the Head of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Bank processes personal data, i.e. among other operations it collects, records, stores, erases and destroys them.
Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Profiling-based tools are used by the Bank for several purposes:
- profiling for the purpose of assessing creditworthiness, to support the transaction evaluation process and to assess the Client using historical information on the level of credit risk for particular groups of Clients, e.g. a Client who meets their credit obligations on time receives a higher assessment.
  An objection to profiling for the purpose of assessing creditworthiness may mean:
  - the inability to designate and use a preferential pre-defined offer,
  - the inability to conduct an automated assessment of creditworthiness, which significantly lengthens the lending process,
  - the inability to perform the Bank’s obligation to assess the Client’s application in accordance with the Regulator’s recommendations (e.g. Recommendation T), and a refusal of lending;
- profiling carried out for the purpose of preventing crime and counteracting money laundering, including building models arising from the Bank’s obligations defined by the provisions of generally applicable law.
Consent to the processing of personal data – means an indication of the wishes of the data subject by which he or she agrees to the processing of personal data relating to him or her. Consent must be freely given, specific, informed and unambiguous.
The data subject has the right at any moment to withdraw their consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
In connection with the servicing of banking products or the provision of services, Clients’ data are processed not on the basis of consent but because the processing is necessary to perform the agreement or exercise rights under it, or to fulfil an obligation arising from a provision of the law (e.g. the conclusion and performance of a mortgage loan agreement).
The GDPR contains a closed catalogue of conditions in which data processing may be deemed lawful. This means that each instance of data processing must be based on at least one legal basis indicated in the GDPR:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
If, when filling out an application for a product offered by the Bank, e.g. a mortgage loan, the individual filling it out does not provide the data, the Bank will not be able to review the application and conclude an agreement.
The Bank may process personal data e.g.:
- in relation to an agreement concluded about a banking product or a service provided by the Bank,
- when it is performing obligations arising from the generally applicable provisions of the law, e.g. for the purpose of ensuring Client security (protection against cyber threats, deception and fraud),
- when it is essential for the exercise of the Bank’s legally justified interests, e.g. to establish and pursue claims related to its operations, including debt collection and enforcement.
On the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, hereinafter “the Regulation”, we inform you that:
1. The data controller
The controllers of the personal data of PKO Bank Hipoteczny Clients are:
PKO Bank Hipoteczny Spółka Akcyjna with its registered office in Warsaw, address: ul. Puławska 15, 02-515 Warsaw, registered in the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register, under the number KRS 0000528469; NIP taxpayer ID No. 204-000-45-48; REGON: 222181030; share capital (paid-up capital) 1,611,300,000 złoty; telephone +48 22 521 57 50 (secretariat), e-mail: PKOBankHipoteczny@pkobh.pl, hereinafter “PKO BH”,
and
Powszechna Kasa Oszczędności Bank Polski Spółka Akcyjna with its registered office in Warsaw, address: ul. Puławska 15, 02-515 Warsaw, registered in the District Court for the Capital City of Warsaw in Warsaw, XIII Commercial Division of the National Court Register, under the number KRS 0000026438; NIP taxpayer ID No. 525-000-77-38; REGON: 016298263; share capital (paid-up capital) 1,250,000,000 złoty; telephone hotline: +48 800 302 302, hereinafter “PKO BP SA”,
each of which is also separately referred to as “the Bank”, and jointly as “the Banks” or “the co-controllers”.
Co-controllership of the data by PKO BH and PKO BP SA (the co-controllers) arises from the joint offering of mortgage loans and their joint servicing on the basis of an agreement concluded between the Banks. The scope of the obligations of the co-controllers is available on the websites of the Banks, in the “GDPR” section.
2. The Data Protection Officer
The Banks have appointed Data Protection Officers:
- in PKO BH: Inspektor Ochrony Danych PKO Banku Hipotecznego SA, address: ul. Puławska 15, 02-515 Warsaw, e-mail: iod.pkobh@pkobh.pl.
- in PKO BP SA: Inspektor Ochrony Danych, address: ul. Puławska 15, 02-515 Warsaw, e-mail: iod@pkobp.pl.
Data concerning the Data Protection Officers are available on the websites of the Banks in the “GDPR” section and in the branches and agencies of PKO BP SA.
3. Categories of personal data – information concerning the personal data acquired in a way other than from the data subject
The Banks process the following categories of personal data from Clients: identification data, address data and contact data.
4. Purpose of data processing and legal bases
Personal data may be processed by the Banks for the following purposes:
- presenting offers or reviewing an application for a product or products offered by the Banks or a service provided by PKO BP SA, including in the name and on behalf of companies from the PKO BP Group and entities working with the Banks - on the basis of Article 6 paragraph 1 letter b or letter f of the Regulation,
- concluding an agreement - on the basis of Article 6 paragraph 1 letter b of the Regulation,
- performing an agreement concluded with the Bank or for the purpose of PKO BP SA providing services - on the basis of Article 6 paragraph 1 letters b-c of the Regulation,
- performing an assessment of creditworthiness and analysing credit risk - on the basis of Article 6 paragraph 1 letters b-c of the Regulation,
- the Bank’s management of risk, including the assessment of creditworthiness - on the basis of Article 6 paragraph 1 letters b–c of the Regulation,
- reviewing complaints, requests and appeals - on the basis of Article 6 paragraph 1 letters b-c and f of the Regulation,
- performance by the Banks of actions arising from the general provisions of the law, including performance of tasks executed in the public interest - on the basis of Article 6 paragraph 1 letter c and letter e of the Regulation,
- the exercise of rights arising from representation (including powers of attorney), guarantees - on the basis of Article 6 paragraph 1 letters b-c of the Regulation,
- marketing, including promotion of products offered by the Banks, services provided by PKO BP SA or companies from the PKO BP SA Group and entities working with the Banks - on the basis of Article 6 paragraph 1 letter f of the Regulation,
- establishing and pursuing claims by the Banks in relation to their operations, including restructuring, debt collection, enforcement of receivables, undertaking actions for the purpose of finding acquirers of assets that constitute collateral for an agreement and the sale of receivables arising from this agreement or defence against claims directed at the Banks, in proceedings before investigative authorities and adjudicating authorities, including common courts, administrative courts, the Supreme Court, in administrative proceedings, including tax proceedings - on the basis of Article 6 paragraph 1 letter f of the Regulation,
- discovery and limitation of financial abuses related to the Banks’ operations, as well as for the purpose of ensuring the safety of monetary funds of PKO BP SA clients and conducting explanatory proceedings - on the basis of Article 6 paragraph 1 letter f of the Regulation.
Data on the PKO BP SA Group and entities working with the Banks are available on the websites of the Banks in the “GDPR” section, and in the branches and agencies of PKO BP SA.
5. Disclosure of personal data
The Banks may disclose Clients’ data to:
- entities and authorities to which the Banks are obliged or authorised to make available personal data on the basis of the generally applicable provisions of the law, including entities and authorities authorised to receive from the Bank personal data or authorised to demand access to personal data on the basis of the generally applicable provisions of the law, in particular on the basis of Article 104 paragraph 2 and Article 105 paragraphs 1 and 2 of the Banking Law,
- entities entrusted with performing banking functions or functions related to banking operations on the basis of article 6a of the Banking Law,
- institutions described in Article 105 paragraph 4 of the Banking Law,
- authorities and entities authorised to receive personal data on the basis of Article 149 or 150 of the Act on Trading in Financial Instruments or other legal regulations on trade in financial instruments (within the scope of custody services provided by PKO BP SA on the basis of Article 119 of the act on trade in financial instruments or services performed by PKO BP SA on the basis of Article 70 paragraph 2 of the Act on Trading in Financial Instruments),
- credit information bureaux operating on the basis of the act on the provision of commercial information and exchange of commercial data, within the scope provided for in that act,
- entities from the PKO BP Group and entities working with the Banks in connection with products and services offered by those entities. The list of such entities is available on the Banks’ websites in the “GDPR” section and in the branches and agencies of PKO BP SA.
6. Transfer of personal data to third states
Clients’ data may be transferred to the government administration of the United States of America as a result of the performance of international money transfers using SWIFT.
7. Period of personal data storage
Clients’ personal data will be stored for the period:
- of the validity of an offer or the review of an application for products offered by the Banks or a service provided by PKO BP SA, including in the name and on behalf of companies from the PKO BP Group and entities working with the Banks,
- during which an agreement concluded with the Bank is valid, and after its expiration, in connection with the Bank’s legal obligation arising from the generally applicable provisions of the law,
- that is essential for pursuing claims by the Bank in connection with its operations or defence against claims directed at the Bank, on the basis of the generally applicable provisions of the law, taking into account the statute of limitations for claims described in the generally applicable provisions of the law,
- for the application of internal methods or other methods and models described in Part Three of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012,
- of validity of a power of attorney granted to the Client, and after its expiry, in connection with a legal obligation of the Banks arising from the generally applicable provisions of the law.
Information concerning the retention periods of data is available on the websites of the Banks in the “GDPR” section and in the branches and agencies of PKO BP SA.
8. Rights
In connection with the Banks’ processing of Clients’ personal data, Clients have the right:
- to access their personal data,
- to rectify their personal data,
- to erase their personal data (the right to be forgotten),
- to restrict the processing of their personal data,
- to transfer their data to another controller,
- to file an objection to the processing of their data, including profiling, and for the purposes of direct marketing, including profiling,
- to withdraw their consent, if the Bank processes the Client’s personal data based on consent, at any time and in any way, without affecting the legality of the processing that was performed on the basis of the consent before its withdrawal,
- to file a complaint with the Supervisory Authority when the Client decides that the processing of the personal data violates the provisions of the Regulation.
9. Origin of the personal data – information concerning personal data received by a method other than from the data subject
Clients’ personal data may originate from a legal representative or, in the case of a power of attorney, from the grantor; from an enterprise of which the Client is the beneficial owner; from employers or parties to an agreement concluded with the Bank; and from generally accessible sources, in particular from databases and registers: the PESEL register, the Register of ID cards, the National Court Register (KRS), the Central Registration and Information on Business (CEIDG) and REGON.
10. Requirement to provide data
The provision of a Client’s personal data is essential for the purpose described in point 4 above, for:
- examining an application for products offered by the Banks or a service provided by PKO BP SA, including in the name and on behalf of companies from the PKO BP Group and entities working with the Banks, and the result of failure by the Client to provide personal data will be the inability to consider the application for products offered by the Banks or services provided by PKO BP SA, including in the name and on behalf of companies from the PKO BP Group and entities working with the Banks,
- concluding and performing agreements concluded with the Bank, and the result of failure to provide the personal data will be the inability to conclude and perform the agreement,
- the provision of services by PKO BP SA, and the result of failure to provide the Client’s personal data will be the failure to provide the services,
- reviewing a claim, request or appeal, and the result of failure to provide the Client’s personal data will be the inability to review the claim, request or appeal,
- receiving offers or marketing products offered by the Banks or services provided by PKO BP SA, including, in the name and on behalf of companies from the PKO BP Group and entities working with the Banks, and a result of failure to provide the Client’s personal data is the inability to receive such offers or marketing of products or services.
11. Automated decision-making, including profiling
The personal data of Clients will be processed by automated means, including by profiling, for the purpose of assessing creditworthiness and for marketing purposes. As a result, the Banks can apply a simplified service procedure and present individualised offers of products offered by the Banks or services provided by PKO BP SA, including in the name and on behalf of companies from the PKO BP Group and entities working with the Banks.
Information concerning automated decision-making, including profiling, is available on the websites of the Banks in the “GDPR” section and in the branches and agencies of PKO BP SA.
The purpose of the GDPR is to ensure that each person is able to protect their rights and freedoms and to retain control over the processing of data concerning them. For this purpose, they may exercise the following rights:
- right of access to data – a data subject has the right to receive information including on how their data are processed by the Bank and for what purposes, and to receive a copy.
Each person may file to the Bank a request to receive information on whether the Bank is processing their personal data.
- right to erasure of data (right to be forgotten) – the data subject may indicate the scope and circumstances justifying the requested erasure of data, e.g. the data are no longer essential for the provision of services for which they were collected and there is no legal basis for further processing of data; the data are being processed illegally.
The right to erasure of data may be exercised in cases where the Bank has no legal basis to process the data. We point out that where the Client has a current agreement with the Bank, the processing of data is essential for its performance and the personal data cannot be erased.
- right to data portability – a data subject has the right to receive in a structured, commonly used machine-readable format, the data that they have supplied to the Bank.
A request to transfer data may be filed by a data subject. The information will be transferred in the form of a file on a password-protected CD.
- right to restrict data processing - a data subject indicates that the conditions described in Article 18 of the GDPR for the restriction of processing of their data have occurred, e.g. the Bank does not need certain data, there are no reasons for further processing and the data subject requests the suspension of operations on the data or the retention of the data.
Each request for a restriction of data processing will require individual consideration in terms of the existing bases for data processing, the purpose and scope of their processing.
- right to rectify data – whenever such a need arises, a data subject may inform the Bank of changes in their personal data.
Anyone may file a request to the Bank for the rectification of incorrect personal data, or to supplement incomplete data.
- right to object – at any point an objection may be filed to automated processing of data, including profiling, as well as to the processing of data for marketing purposes.
PKO Bank Hipoteczny Clients may file objections to data processing e.g. in a PKO BP facility, by letter to the Bank’s address, via electronic banking or by calling the PKO BP telephone hotline. Other persons may file an objection to the processing of data by letter or electronically to the Bank’s address, or contact the PKO BH Data Protection Officer.
The expression of an objection to profiling means that the Client’s personal data will not be processed by automated means, aside from exceptional cases described in the applicable law. As a result, the Bank will not apply the simplified service procedure or assess the needs or creditworthiness of the Clients to present individualised offers to purchase products and services from the Bank, companies from the Bank’s Group and entities working with the Bank.
For the purpose of exercising the indicated rights, Clients may visit PKO BP outlets or send a request by mail to the Bank’s address or electronically. Other persons may contact PKO Bank Hipoteczny by mail or electronically at the Bank’s address, or contact the PKO BH Data Protection Officer.
The Bank provides information in writing. Clients of the Bank may collect it at PKO BP sites after receiving notification by e-mail or SMS.
Without undue delay, and no later than one month from the day the request is submitted, the Bank shall provide the data subject with information on the actions undertaken in connection with the exercise of these rights. Where necessary, this deadline may be extended by a further two months, taking into account the complexity of the request or the number of requests. Within one month of receiving the request, the Bank shall inform the data subject of any such extension, giving the reasons for the delay.
The Bank processes data using all technical and organisational means that are necessary to ensure the security of those data. Personal data are the Bank’s most precious resource. The Bank has implemented and maintains appropriate technical and organisational measures ensuring the protection of personal data processing, in particular protecting data against disclosure to or acquisition by unauthorised persons, loss, alteration, damage or destruction.
Additionally, all information concerning Client-Bank relations is also covered by banking secrecy, according to which the Bank, the individuals it employs and the individuals through whose intermediacy the Bank performs banking functions are obliged to maintain banking secrecy, which covers all information concerning banking functions received during negotiations and during the conclusion and performance of the agreements on the basis of which the Bank performs those functions.
Bank employees are trained in the area of safety of protected data, including in the area of protection of personal data and banking secrecy.
A Data Protection Officer has been designated at the Bank: Magdalena Dłużewska. The Data Protection Officer can be contacted by mail at the address: Inspektor Ochrony Danych PKO Banku Hipotecznego S.A., ul. Puławska 15, 02-515 Warszawa, or at the e-mail: iod.pkobh@pkobh.pl.
Data may be disclosed e.g. to entities and bodies to which the Bank is obliged or authorised to provide personal data on the basis of the generally applicable provisions of the law, including entities or bodies authorised to receive from the Bank personal data or authorised to demand access to personal data on the basis of the generally applicable provisions of the law, in particular on the basis of Article 104 paragraph 2 and Article 105 paragraphs 1 and 2 of the Banking Law, institutions mentioned in Article 105 paragraph 4 of the Banking Law.
Third countries are countries that are not members of the European Economic Area. This means that the flow of data within the European Economic Area is treated the same as transfers of data on the territory of Poland. This rule applies to all member states of the European Union and to those member states of the European Economic Area which are not members of the EU (Norway, Iceland and Liechtenstein).
Additionally, we inform you that the data of Bank Clients may be transferred to the government administration of the United States of America in connection with the execution through the intermediacy of PKO BP SA of international money transfers using the SWIFT system. Using SWIFT transfers, we perform transfers in any currency and to any bank in the world.
Personal data are processed for purposes arising from the generally applicable provisions of the law, including after the expiry of the agreement between the Client and the Bank.
Obligations and rights related to data processing for archival purposes, as well as the establishment and pursuit of claims by the Bank in relation to its operations, including restructuring, debt collection, enforcement of receivables, undertaking actions for the purpose of finding acquirers for assets constituting collateral for an agreement and the sale of receivables arising from this agreement or defence against claims directed at the Bank, before investigative bodies, adjudicating bodies, including common courts, administrative courts, the Supreme Court, in administrative proceedings, including tax proceedings, arise from regulations including:
- The act of 29 August 1997 - Banking Law,
- The act of 23 April 1964 - Civil Code,
- The act of 29 September 1994 on accounting,
- The act of 1 March 2018 on counteracting money laundering and the financing of terrorism,
- The Ordinance of the Finance Minister dated 1 October 2010 on the specific rules of bank accounting,
- The Ordinance of the Finance Minister dated 30 May 2018 on the method and conditions of procedures for investment firms, banks as described in Article 70 paragraph 2 of the act on trade in financial instruments, and custodian banks,
- The Ordinance of the Finance Minister dated 29 May 2018 on the detailed technical and organisational conditions for investment firms, banks as described in Article 70 paragraph 2 of the act on trade in financial instruments, and custodian banks.
The PKO Bank Polski SA Group includes PKO Bank Polski SA as the dominant entity and direct subsidiaries including PKO Bank Hipoteczny and indirect subsidiaries. Personal data are transmitted only to selected Companies of the PKO Bank Polski SA Group.
PKO Bank Hipoteczny specialises in mortgage loans for individual clients. Based on its strategic relationship with PKO Bank Polski SA, these loans are offered to retail clients via PKO Bank Polski SA’s network of branches, intermediaries and agents.
PKO Towarzystwo Ubezpieczeń SA together with PKO Życie Towarzystwo Ubezpieczeń S.A. functions under the joint brand PKO Ubezpieczenia. PKO Towarzystwo specialises in property insurance and other personal insurance, offering solutions closely connected with the banking products available from the Bank. The Company’s products include mortgage insurance.
PKO BP Finat sp. z o.o. provides comprehensive services to companies from the financial sector, including transfer agent services and accountancy for funds and companies.
Information on entities working with the Bank in relation to products and services offered by these entities is available on the Banks’ websites in the “GDPR” section.
Information on the main arrangements of the Agreement on the co-controlling of Customers’ personal data[1] of 25 May 2018 between PKO Bank Polski S.A. and PKO Bank Hipoteczny S.A.
- The controllers (co-controllers) of Customers’ personal data are:
Powszechna Kasa Oszczędności Bank Polski Spółka Akcyjna, with its registered office in Warsaw, the address: ul. Puławska 15, 02-515 Warsaw, hereinafter called “PKO BP”
and
PKO Bank Hipoteczny Spółka Akcyjna, with its registered office in Warsaw, the address: ul. Puławska 15, 02-515 Warsaw, hereinafter called “PKO BH”.
hereinafter called jointly the “Banks”.
- Relationships between the controllers
- The Banks belong to one group, and PKO BP is the sole shareholder of PKO BH;
- in the process of servicing mortgage loans, the Banks follow uniform policies and procedures for Customer service and use shared ICT resources.
- Scope of the personal data processed
The personal data subject to co-controlling includes, in particular, identification details, address details, contact details, and Customers’ financial data:
- processed in connection with offering a mortgage loan and considering an application for granting it, received from a Customer and from external sources (e.g. BIK (Credit Information Bureau), MIG DZ (Interbank Commercial Information – Restricted Documents));
- processed in the course of considering a loan application and performing a loan agreement, exchanged by the Banks on the basis of a Customer’s consent given in the loan application;
- concerning a mortgage loan granted or acquired by PKO BH, obtained and used by PKO BP in performing an Outsourcing Contract[2], as well as offering and servicing PKO BP’s own products;
- necessary for meeting the Banks’ obligations arising from the generally applicable laws.
- Personal data is processed by the Banks for the following purposes:
- to present offers or consider an application for a product or products offered by the Banks or a service provided by PKO BP, including on behalf of and for the companies in the PKO BP S.A. Group and the entities cooperating with the Banks – on the basis of Article 6 (1) (b) or (f) of the GDPR[3];
- to enter into a contract – on the basis of Article 6 (1) (b) of the GDPR;
- to perform a contract concluded or for the purpose of the provision of services by PKO BP – on the basis of Article 6 (1) (b)-(c) of the GDPR;
- to assess the borrowing capacity and analyse credit risk – on the basis of Article 6 (1) (b)-(c) of the GDPR;
- to manage the Banks’ risk, including an assessment of the borrowing capacity and creditworthiness – on the basis of Article 6 (1) (b)-(c) of the GDPR;
- to deal with complaints, requests and appeals – on the basis of Article 6 (1) (b)-(c) and (f) of the GDPR;
- to perform activities arising from the generally applicable laws by the Banks, including tasks carried out in the public interest – on the basis of Article 6 (1) (c) and (e) of the GDPR;
- to exercise rights arising from representation (including a power of attorney) or a surety – on the basis of Article 6 (1) (b)-(c) of the GDPR;
- to conduct marketing, including the promotion of products offered by the Banks, the services provided by PKO BP or the companies in the PKO BP S.A. Group and the entities cooperating with the Banks – on the basis of Article 6 (1) (f) of the GDPR;
- to establish and enforce claims by the Banks in connection with their activities, including restructuring, debt collection, enforcement of receivables, taking measures to find buyers for the property constituting a security for an agreement and to sell the receivable arising from that agreement, or to defend against claims lodged against the Banks, in proceedings before law enforcement bodies and adjudicating bodies (including common courts, administrative courts and the Supreme Court) and in administrative proceedings, including tax proceedings – on the basis of Article 6 (1) (f) of the GDPR;
- to detect and curb fraud relating to the Bank’s activities, as well as to ensure the safeguarding of funds of PKO BP Customers and to conduct investigation proceedings – on the basis of Article 6 (1) (f) of the GDPR.
- PKO BP’s obligations:
- To provide and maintain the ICT infrastructure and software necessary for processing personal data throughout its life cycle, including development, modifications, updates, cooperation with suppliers, taking into account privacy by design and privacy by default.
- To secure personal data in the ICT environment and traditional (paper) documentation containing personal data.
- To ensure human, technical and organizational resources necessary for handling personal data, i.e. to perform the following processes: acquisition, registration in IT systems, digitization (if applicable), alteration, updating, archiving, pseudonymization, anonymization, deletion (shredding paper documents).
- To process personal data in connection with receiving complaints, requests and appeals from Customers. If, in the course of handling Customers’ complaints, requests or appeals, PKO BP identifies a matter relating to personal data protection, it should send it to the proper handling path so as to ensure the proper exercise of the Customers’ rights and dealing with the incidents identified.
- To ensure technical support for the exercise of Customers’ rights as regards their data.
- Joint obligations of the Banks:
- To establish Customer service procedures, including standard forms used to collect personal data.
- To fulfil the obligations to provide information to Customers, in accordance with Articles 13 and 14 of the GDPR.
- To exercise rights (handle requests) of Customers, arising from the GDPR:
- to access Personal Data;
- to rectify Personal Data;
- to erase Personal Data (the right to be forgotten);
- to restrict the processing of Personal Data;
- to transfer Personal Data to another controller;
- to object to the processing of Personal Data, including profiling, in cases in which Customers have such right under the GDPR;
- to withdraw consent to the processing of Personal Data.
- To make personal data available – to identify the entity gaining access to personal data, to verify the legal grounds for making data available, to determine the scope of the personal data being made available.
- To assess the risk related to the processing of Customers’ personal data.
- The common point of contact for Customers is:
- PKO BP branches and agencies;
- contact form in the iPKO system;
- address for written correspondence: Inspektor Ochrony Danych (Data Protection Officer), ul. Puławska 15, 02-515 Warsaw, e-mail address: iod@pkobp.pl.
- Rules for handling Customers’ letters
Correspondence sent through a common point of contact is handled by PKO BP. If correspondence from a Customer concerning personal data is received other than through a common point of contact (e.g. sent directly to the IOD, the Data Protection Officer), it will be forwarded to the proper handling path, in accordance with the internal procedures.
- Notifying Customers of an incident
- If, in the course of analysing and dealing with a personal data incident, the Banks establish that it may pose a high risk to the rights or freedoms of Customers, the Banks notify the Customers of such infringement without undue delay.
- Notification is not required in the following cases:
- the Banks have implemented appropriate technical and organizational safeguards, in particular measures such as encryption, preventing persons not authorized to access that personal data from reading it, and those measures have been applied to the personal data to which the infringement relates;
- the Banks have applied measures eliminating the probability of a high risk to the rights or freedoms of the personal data subject;
- it would require a disproportionate effort; in that case, the Banks make a public announcement or take a similar measure by means of which the data subjects are informed in an equally effective manner.
[1] The term “Customers” should be understood as consumers to whom PKO BH is bound by the obligation of banking secrecy, in accordance with the Banking Law.
[2] The agreement concluded by and between the Banks, on the basis of which PKO BP performs entrusted activities for PKO BH related to concluding and servicing mortgage loans.
[3] GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).