Personal data protection rules of Šiaulių bankas
IMPORTANT INFORMATION ABOUT HOW WE COLLECT, USE AND PROTECT INFORMATION ABOUT YOU
- The purpose of these Personal Data Protection Rules
- The terms used in the Rules
- Data processor
- Basic information processing objectives and categories of personal data
- The information that must be provided to us and the consequences of failing to provide it
- The information on the basis of which we handle the data
- Data sources
- Data recipients
- Transmission of information about you outside the European Economic Area
- Terms of storage of your information
- Automated decision-making, including profiling
- Bank offers given to you and asking for your opinions
- Using cookies
- Your rights regarding the processing of personal data
- Information on how you can exercise your rights
- Deadlines for replies to your requests
1. The purpose of these Personal Data Protection Rules
In these Personal Data Protection Rules (the Rules) you will find answers to the most important questions about how the public limited liability company Šiaulių Bankas (or simply the Bank or we) collects, uses and stores your Personal data and what rights related thereto you have.
These Rules apply to you: former, current and/or future Bank Clients or related persons who have expressed their willingness to use our services, are already using, previously used them or otherwise related to our services, i.e. you are the representative of our Bank's Client, family member, guarantor, surety, etc., or you are representative of our Bank's legal Clients, shareholder, member of management bodies, the actual beneficiary, etc.
You can also familiarize yourself with these Rules and other Personal data protection information and in the Bank's Client service departments. Please, periodically, visit the Bank's website, where you will find the latest version of these Rules and other relevant information related to Personal data protection.
We invite you to familiarize with these Rules your present or future authorized representatives, persons whom you represent, beneficiaries and other persons who are or may be related to the services we provide.
Please note that the content of these Rules is generally applicable to all persons using various services of the Bank. If you wish to receive personal information on the processing of data, please contact the contacts listed in Part 3 of the Rules " Data processor ".
2. Terms used in the Rules
The Client and/or persons related to it (or you) is any particular natural person who has expressed an interest in using our services, uses them or have previously used or is otherwise related to the services provided by the Bank, i.e. is a representative, a family member, a guarantor, a surety, etc., or a representative of our legal Clients, shareholder, member of the management body, the beneficial owner, etc.
Personal data: any information that is directly or indirectly related to you.
Data processing is any transaction with a Personal data (including collecting, recording, storing, changing, transmitting, deleting, etc.).
The Rules are the following rules on Personal data protection, which contain information on how your data is processed by the Bank.
Other terms used in the Rules are understood as they are defined in the European Union General Data Protection Regulation (abbreviated as GDPR) and other legislation.
Automated decision making - means that without the intervention of the Bank employee the computer system makes a decision on the provision of the service.
1 27 April 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (the Universal Data Protection Regulation)
3. Data processor
Your Personal data processor is a public limited liability company Šiaulių Bankas, company code: 112025254, address: Tilžės g. 149, 76348 Šiauliai.
We keep information about you and your privacy. When collecting, using and storing your Personal data, we comply with the GDPR, the Law on the Legal Protection of Personal Data of the Republic of Lithuania and other legal acts regulating the protection of Personal data, as well as the instructions and recommendations of the competent authorities.
If you have any questions, requests or comments regarding these Rules, the processing of Personal data, complaints or other issues related to the protection of Personal data in the Bank, please contact the following:
Šiaulių Bankas AB
Tilžės str. 149, 76348 Šiauliai
Telephone: 1813 (+370 37 301 337 calling from abroad)
Data Protection Officer:
4. Basic objectives for the processing of personal data and categories of personal data
The Bank collects, uses, stores and otherwise manages information about you as is necessary for the following main purposes:
- To identify you properly and maintain business relationships (the following information is handled: full name, Personal ID number, copy of identity document, contact information (address of residence, e-mail address, telephone number, etc.) and other data);
- To provide you with the Bank's financial services - in accordance with the requirements of the law, properly and qualitatively (depending on the financial service, the following additional information is collected: information on education, profession, work, your family, incapacity and capacity limitations, details of how you use the Bank's services and/products (e.g. payment information, payment card details, electronic banking login details), financial information (income, income sources, liabilities, assets and other data));
- To assess your solvency, creditworthiness, risk of execution of obligations and, if you are in debt, to manage your debt (the following information is collected about you: information about your family, the number of minors, information on education, profession, work, possessed real/movable property and the rights towards it, types and amounts of current or past financial and/or property liabilities, terms of execution, data on the execution of these obligations and other information relevant to assessment of your creditworthiness and financial position);
- To preventing money laundering and terrorist financing (the following information is collected about you: a copy of your Personal identity document, taxpayer's code, nationality, information about the risk profile that we assign to the customer in terms of the risk of products, services and/or operations (we check whether you are person in politics);
- To inform you about the services provided and ask for your opinion about the services, their quality, including profiling for direct marketing purposes (the following information is collected about you: name, age, your contact information, available banking products, information about the services you use);
- To ensure the security of you, Bank's employees, Bank's Clients’ health, life and Bank assets and public order by monitoring the image - in case you arrive at the filmed premises of the Bank (videos are collected);
- To ensure the quality of your service by recording telephone conversations (the following information is collected about you: telephone conversation records and data provided during the conversation);
- To protect and secure the Bank's rights and interests - if it is necessary in legal proceedings or in the recovery of debts (the following information is collected: all the above-mentioned information, documents and attachments sent to you, the amount of the debt, documents submitted by you or the third parties (such as notaries, bailiffs, lawyers, heirs, spouses, etc.) and their annexes, procedural documents containing your Personal data, information about criminal offences and convictions).
5. The information that must be given to us and the consequences of not giving it
In order to use the Bank's services, you must provide us with the information that is necessary for us to conclude or execute a financial service contract with you or to provide you with a financial service, as well as the information that we need to collect in accordance with legal requirements. If you do not provide the information requested by the Bank, we have the right to refuse to provide financial services or to suspend the provision of financial services.
6. Information on the basis of which we process your personal data
We process your data in accordance with the provisions of the GDPR and other legal acts, based on the following legal bases:
- When executing contracts and/or acting on your request before the conclusion of the contract, for example, during payment transactions, orders, updating data on you, borrowing, etc.
- Seeking for legitimate interests of the Bank and/or third parties to whom your data is provided, for example, by providing and obtaining information from joint lenders' databases, credit institutions in order to assess your solvency, creditworthiness and risk of default, if you are in debt, to manage your indebtedness; in dealing with disputes and claims in legal proceedings in order to ensure the security of the Bank's employees, the Bank's Clients' health, life and the Bank's assets safety and the public order by monitoring the image, recording conversations, etc.
- When implementing the legal obligations imposed on the Bank or in pursuit of the public interest, i.e. we, the Bank, are also subject to various legal obligations set out in the legislation that we must enforce, for example, to prevent money laundering and terrorist financing in accordance with the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania, to properly evaluate your obligations under the Law on Consumer Credit of the Republic of Lithuania, the Law on Crediting Real Estate of the Republic of Lithuania, the Regulations for the Organization of Responsible Lending, Internal Control and Risk Assessment (Management) approved by the Bank of Lithuania, etc., to properly carry out the Law on Financial Institutions of the Republic of Lithuania, the Law on Banks of the Republic of Lithuania, the Law on Payments of the Republic of Lithuania, the Civil Code and other legal acts provided for the Bank.
- Based on your consent, i.e. we process as much as you allow us by providing your consent to process your Personal data for specific purposes, such as sending marketing proposals.
7. Data sources
We process your Personal data, which we receive directly from you, from your activities, while you use our services. Also, when permitted by law and when required for the reasons specified in paragraph 4 of these Rules, the Bank collects and receives information about you from external sources in accordance with the requirements of the law:
- State Enterprise Centre of Registers or other persons managing the registers specified in the legal acts;
- Creditinfo Lietuva UAB;
- State Social Insurance Fund Board under the Ministry of Social Security and Labor;
- State Enterprise Regitra;
- State Tax Inspectorate under the Ministry of Finance;
- Bank of Lithuania, which oversees the Bank;
- Bank subsidiaries, other credit and financial companies, institutions and organizations;
- Lithuanian State Science and Studies Foundation;
- Public Establishment Lithuanian Agricultural Advisory Service;
- State Enterprise Agricultural Information and Rural Business Center;
- Bailiffs, notaries, courts, other law enforcement agencies;
- Telecommunication companies;
- Utilities providers;
- Debt collection companies;
- Insurance companies;
- Our Clients when they submit us your data as spouses, children, other family members or kinship ties, guarantors, collateral givers, etc.;
- Legal entities, when you are a representative, employee, founder, shareholder, participant of this legal entity, etc.;
- and others.
8. Data recipients
The Bank disclose information or part thereof about you to such persons, as permitted by law, and when required for the reasons specified in paragraph 4 of these Rules:
- Bank affiliated companies;
- Administrators of public registers;
- financial and payment institutions or other payment service providers (including payment initiation and account information services), insurance companies (including insurance intermediaries, insurance brokers);
- Personal data processors or managers handling joint debtor data files or whose activities relate to the recovery, administration or use of debts;
- the Bank of Lithuania, correspondent banks or other intermediaries (e.g. clearing houses, settlement agents, brokerage firms, collective investment undertakings, management companies providing investment services, etc.) involved in the execution of payment or securities settlement transactions systems and / or are involved in the management of these operations;
- Law enforcement authorities, courts, other dispute resolution bodies;
- The third parties who install, administer or otherwise manage the software used by the Bank;
- Printing and/or postal service providers in connection with the printing and/or forwarding of Bank’s messages;
- Persons involved in the archiving and storage of contracts and other documents;
- Persons, who provide the Bank with electronic signature signing service;
- The persons submitting the collaterals for execution of the obligations (sureties, guarantors, collateral givers);
- Notaries, bailiffs, lawyers, consultants, auditors, service providers, which the Bank uses to provide the Bank with the necessary services, or these institutions apply in the course of execution of their statutory functions;
- Other third parties (intermediaries) processing Personal data on behalf of the Bank or under cooperation agreements concluded with the Bank;
- Potential or existing successors of the Bank's business or its part or their authorized consultants or persons.
You may apply to your Bank for specific recipients of Personal Data in the manner provided for in item 15 of the Rules.
9. Transmission of information about you outside the European Economic Area2
In most cases, Personal Data is processed in Lithuania and only in specific cases is transferred within the European Union and European Economic Area (usually when an external service provider hired by the Bank is established in another country). Of course, when necessary for the provision of certain services, data may be transferred and processed outside these territories (e.g. through debt collection processes) provided that the Personal data protection level is maintained:
- The data is transferred to a United States (US) company that follows the principles of the Privacy Shield;
- The data transfer contract has been concluded by the Bank with data recipients in accordance with standard contractual conditions approved by the European Commission, GDPR requirements;
- The recipient of the data belongs to a state that is included in the list of European Commission countries that provide an adequate level of data protection.
2 The European Economic Area consists of all the Member States of the European Union and Iceland, Liechtenstein and Norway.
10. Automated decision-making, including profiling
Personal data is kept for no more than what is necessary to achieve the purposes for Personal data processing or for a period specified or permitted by law, for example:
- We store your Personal data as long as you use the Bank's services and another 10 years after you stopped using the services;
- For direct marketing purposes (in the form of advertising or other special offers), we store your Personal data till your express disapproval, however, in any event no longer than 5 (five) years from the date of consent for direct marketing.;
- We store videos up to 30 (thirty) days.
11. Automated decision-making, including profiling
The Bank uses technologies that evaluate you automatically:
- The Bank conducts collection, use and analysis of your data and Personal aspects related to you, in order to better measure your needs and offer and provide the product, offer, and service that is best suited for you, in order to assess your Personal interests, hobbies, movement, economic situation, billing habits, payment points, etc.;
- In order to prevent money laundering and terrorist financing, the Bank assigns you to categories based on your risks, product, service risk and/or operational risk, country and/or geographic region risk. Depending on the assigned risk category, the potential intensity of your use of the Bank's services and the periodicity of updating your information may vary.
12. Offers given by the Bank and asking for your opinion
When you are our Client, during the validity of the agreement and/or the provision of our services to you, if you have not objected to it, we have the right to contact you by the contact details you provided, in order to provide you with information and promotional material via e-mail, text messages on the phone, social networks, media channels and other similar electronic communication channels about the services provided, ask for your opinion about the quality of services, servicing and needs.
We may also process Personal information for the purpose of organizing promotions, contests or events in order to communicate with participants in contests, competitions or events, select winners and inform them about prizes or provide other relevant information.
You can opt out of marketing messages at any time by clicking on the link in the Bank Newsletter or other information sent to you and by contacting the e-mail address on the Bank's website: we implement your will as soon as possible.
13. Using cookies
Cookies are small text files stored on your device (such as a computer, mobile phone, tablet) browser when you browse the Bank's websites. Cookies help to collect and analyze site traffic statistics, maintain or improve website functionality, enhance security, and so on. Other technologies for storing information in your browser or device may also be used to achieve these goals.
14. Your rights regarding the processing of personal data
The GDPR and other legislation give you the rights and provide you with the cases when you can use them, describe the procedure you must follow, and the exceptions when you cannot do this. If legislation permits, you can:
- Receive confirmation whether the Bank handles Personal data relating to you and, if yes, request access to the data processed;
- Submit to us a request to correct inaccurate, incorrect Personal data or to supplement if it is not complete;
- Request us to delete your Personal data if we use it illegally;
- Submit us a request to restrict the processing of your Personal data;
- Object to the processing of Personal data when we are doing so on the basis of legitimate interests or when processing data for direct marketing purposes, including profiling;
- Submit us an application for transferring (obtaining) by shared electronic means, the Personal data that you provided us under the agreement or expressing consent, and which we handle by automated means;
- Disapprove of the application of a fully automated solution, including profiling, if such decision making has legal consequences or a similar significant effect on you;
- Cancel the consent given to us regarding the processing of your Personal data;
- Submit a complaint to the State Data Protection Inspectorate (see www.ada.lt) if you believe that the data was processed in violation of the requirements of the GDPR and other legal acts.
15. Information on how you can use the above rights
You can enforce your rights by submitting a specific request through the contact details provided under Section 3 “Data Processor” of the Rules.
In order to be able to evaluate your request and provide you with a response, we may need to ask for your specific information, i.e. to confirm your identity by providing identity document or by using electronic identity verification tools so that we can guarantee your right to access your Personal data or to exercise your other rights. This is a security measure to ensure that Personal data is not disclosed to anyone who is not entitled to receive it. We may also contact you to request additional information related to your request so that we can efficiently respond to the submission process.
16. Deadlines for responding to your requests
No later than within 1 month after receipt of your request we will provide (even with a negative response) information about the actions that we have taken upon receipt of your request for realization of the rights, or we will indicate the reasons for non execution of the actions. The period for submitting the requested information may, if necessary, be extended by a further two months depending on the complexity and volume of processed data and the number of provided services.
We may refuse to process the request for realization of the rights from you, or we may ask for a corresponding fee if the request is manifestly unfounded or excessive, as well as in other cases provided by law.