ProCredit Bank d.d. Sarajevo is the data controller and the data processor of the personal data provided by natural persons when they are using the services that we offer, either through our business outlets or through ouronline presence when using our website, web application, or mobile application.

Hereinafter, the terms “the Bank” and “we” and its derivatives refer to ProCredit Bank d.d. (office located at Str. Franca Lehara, bb , 71000, Sarajevo, Bosnia and Herzegovina). The term “you” and its derivatives refer to the user of our services. The term “privacy notice” refers to this document. The term “website” refers to https://www.procreditbank.ba/, the “web app” refers to https://ebanking.procreditbank.ba/, and the“app” refers to ProCredit Bosnia and Herzegovina in App Store and ProCredit Mobile Banking Bosnia and Herzegovina in Google Play.

This privacy notice describes how we process personal data. The rules outlined in this document apply to any form of data, be they stored electronically, on paper, or in any other storage device.

Content:

1. Data protection principles
2. Definitions
3. Which personal data does the Bank process?
4. How does the Bank collect your personal data?
5. What are the purposes of personal data processing?
6. What is the legal basis for personal data processing?
7. How is the Bank bound by consent?
8. How does the Bank process your personal data?
9. Video identification and electronic signature
10. What are your data protection rights?
11. What are data subject access requests?
12. When can the Bank transfer your personal data?
13. What is the personal data retention period or the criteria for determining the retention period?
14. What are cookies?
15. What type of general data and information does the Bank collect?
16. Why does the Bank use cookies and collect general data and information?
17. How can users manage cookies?
18. Google Analytics
19. Data processing when using the customer chat function
20. Updates to the privacy notice

1.   Data protection principles

The Bank is fully compliant with regulations governing data protection and privacy, in particular, Law on Protection of Personal Data of Bosnia and Herzegovina (published in Official Gazzete of Bosnia and Herzegovina no. 49/2006, 76/2011 and 89/2011), applicable national laws, and the General Data Protection Regulation (EU) 2016/679 law (hereinafter “GDPR”) of the European Parliament and of the Council. This ensures that the Bank’s measures to protect natural persons with regard to the processing of their personal data when they request services from the Bank arecompliant with the legally enforceable safeguards and obligations.

The Bank is committed to processing all personal data under its control in accordance with the principles related to the processing of personal data. Therefore, principles of personal data processing are:

• Processed in a lawful, fair, and transparent manner (lawfulness, fairness, and transparency)
• Collected only for specific, explicit, and legitimate purposes (purpose limitation)
• Adequate, relevant, and not excessive to the purposes for which the personal data are processed (data minimization)
• Accurate, and where applicable, kept up to date (accuracy)
• Kept no longer than necessary for the purposes for which the personal data are processed, or as required by law (storage limitation)
• Processed under appropriate security measures for the personal data (integrity and confidentiality)

The Bank is responsible for compliance with the abovementioned principles. If you have further questions or have the impression that something is not addressed in the privacy notice, please contact the Bank at mail address: probanking@procreditbank.ba

2.    Definitions

For the purpose of the privacy notice, the definitions of Article 4 of the GDPR apply.

• Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
• Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3.    Which personal data does the Bank process?

The Bank processes personal data in order to provide its services or when it is legally required to do so. The category of personal data to be processed depends on the requested services and products the client uses. Nevertheless, if you wish to open an account using the website, you have to provide more personal data. As such, the personal data that the Bank processes fall into various categories, as provided in the list below. This list, however, is not exhaustive, as the client may be using other services and products which require the Bank to process additional personal data.

4.    How does the Bank collect your personal data?

The Bank collects your personal data mainly when you use the services and products that we offer directly or when you use our online platforms. We collect your personal data when you:

• Open an account and/or are registered as a client
• Apply for any of our products or services, such as term deposits, housing loans, investment loans, etc.
• Use banking services such as e-banking and m-banking, etc.
• Use or view our website via your browser’s cookies
• Visit our branches or offices or use the Bank’s 24/7 self-service zones
• Contact the Bank via e-mail or a contact form (or through telephone calls via the Call Centre or other communication channels)
• Provide information, either verbally or in writing, via e-mail, contact center application forms, contracts, or other communication channels

The Bank may collect your data, within the limits permitted by law, also indirectly from legal entities, individuals, other ProCredit group entities, or any other source, including:

• Public registers (e.g. the central credit register, property register, police website for validity verification of ID cards)
• Socially or economically related parties (e.g. employers, business owners, relatives or other persons)
• Public authorities and law enforcement agencies
• Recruitment agencies

5.    What are the purposes of personal data processing?

The Bank processes your personal data primarily to produce, offer, and deliver its services and products, such as financial services, and relies on a number of legal bases for personal data processing. Personal data are used to:

• Process data subjects’ applications for the services and products that the Bank offers
• Process payments and other transactions made to or by the data subjects
• Process data in relation to the fulfilment of contractual obligations for any of the banking products and services
• Provide high-quality and timely services and products
• Meet legal and regulatory obligations (i.e. reporting and responding to the inquiries of the financial control authorities)
• Verify the data subjects’ identity
• Verify credit ratings
• Prevent money laundering, terrorism financing and fraud
• Control and report obligations as per legal requirements
• Improve customer service and customer relationship management
• Foster business development
• Ensure proper risk management
• Safeguard legitimate interests of the Bank (i.e. video surveillance, clarify cash differences, settle clients’ claims, etc.)

Automated decision-making and profiling

The Bank does not use profiling or automated decision-making when establishing business relations with data subjects.

The Bank may, however, use automated decision-making and profiling to screen individuals, companies, and suspicious transactions, or to identify payments subject to international sanctions related to the prevention of money laundering, fraud, and terrorist financing.

6.    What is the legal basis for personal data processing?

The Bank processes your personal data if at least one of the following applies:

• You, the data subject, have consented to the processing of your personal data for one or more specific purposes
• Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• Processing is necessary for compliance with a legal obligation to which the Bank is subject
• Processing is necessary to protect the vital interests of the data subject or of another natural person
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Bank
• Processing is necessary for the purpose of the legitimate interests pursued by the Bank or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular if the data subject is a child

7.    How is the Bank bound by consent?

If the processing of personal data is necessary but there is no statutory basis for such processing, the Bank obtains consent from the data subject.

Your consent is revocable at any time and you can withdraw your consent via the same form as you provided the consent or through our contact channels free of charge. The withdrawal of consent shall not affect the lawfulness of the process- ing carried out based on the consent granted before it was withdrawn.

8.     How does the Bank process your personal data?

The Bank processes personal data lawfully, fairly, and in a transparent manner so as to fulfil the requirements of applica- ble laws by protecting against unauthorized or unlawful processing, and accidental loss or disclosure of personal data using appropriate technical and organizational measures. The Bank has established entities for information security and data protection such as the position of Information Security Officer.

The Bank implements appropriate technical and organizational measures in a manner that ensures the highest possible level of security that is appropriate for the risk level in order to protect your personal data, for example by ensuring the protection of equipment and data, access control and access rights, user identity verification, etc.

In instances where personal data are processed on behalf of the Bank, the Bank concludes a separate contract with the processor or sub-processor that clearly stipulates that the processor or sub-processor is subject to the same obligations regarding the protection of personal data so as to ensure that they are in compliance with the GDPR and implement the required technical and organizational measures to safeguard the rights of the data subject.

9.        What are your data protection rights?

As a data subject, you are entitled to the following rights:

• The right to be informed — You have the right to be informed about the collection and use of your personal data.
• The right of access — You have the right to access and receive a copy of your personal data.
• The right to rectification — You have the right to rectify your inaccurate personal data or complete it if it is incomplete.
• The right to erasure (right to be forgotten) — You have the right to have your personal data erased, under certain condi- tions .
• The right to restrict processing — You have the right to request restriction of processing your personal data, under certain conditions.
• The right to data portability — You have the right to obtain the personal data that the Bank holds on you and to reuse them for your own purposes, such as storing them for personal use or transmitting them to another data controller.
• The right to object — You have the right to object to the processing of your personal data from the Bank, under certain conditions. For instance, you have the absolute right to object to the use of your personal data for direct marketing.
• Rights in relation to automated decision-making and profiling — You have the right to request from the Bank not to be subject to a decision based solely on automated processing, including profiling, for example, automatic refusal of an online credit application.

The Bank will respond without delay and within one month to your request should you decide to exercise any of the abovementioned rights.

10.   What are data subject access requests?

Data subjects whose personal and other data are held by the Bank are entitled to:

• Ask what information the Bank holds about them and why
• Ask how to gain access to it
• Be informed on how to keep it up to date
• Be informed on how the Bank meets its data protection obligations

This information can be requested directly through a subject access request (SAR) made via e-mail at: probanking@procreditbank.ba The Bank will always verify the identity of anyone making a subject access request before handing over any information.

11.    When can the Bank transfer your personal data?

The Bank may disclose personal data to third parties, in connection with and subject to the services that are being provided, where such disclosure includes the transfer of personal data to affiliates or subsidiaries of the Bank, the ProCredit group, or other third parties who lawfully process your data.

The Bank will only transmit your data to third parties when this is required by law or you have consented to the transmis- sion. The Bank may transfer your personal data to:

• Authorities: Supervisory and other regulatory and public authorities such as the local government, the Central Bank of the Bosnia and Herzegovina (CB), Banking Agency , Tax Administration, law enforcement and fraud prevention agencies, and the anti-corruption authority, and other bodies authorized by law.
  • Your authorized representatives: Individuals or organizations that provide instructions or operate accounts, products or services on your behalf, such as powers of attorney, solicitors, intermediaries, joint account holders, co-debtors, guarantors.
  • Third parties: Entities the Bank needs to interact with in order to facilitate payments such as Visa, Mastercard, credit card issuers and merchant banks, correspondent banks, ATM administrators, card payment processing companies, your beneficiaries, SWIFT, TARGET 2, SEPA and all other relevant third parties.
  • Other credit or financial institutions: Members of the ProCredit group, European Investment Fund, or other credit and financial institutions providing funding.
  • Others: Companies that provide services for the purpose of fulfilling our legitimate interests or contractual obligations, such as external legal advisers; notaries; property appraisal companies; insurers; auditors; accountants; marketing and advertising companies; document storage, archiving and destruction companies; cloud storage companies; IT and telecommunication service providers; software development contractors and printing companies.

When data are transferred, the transfer takes place in strict accordance with the provisions of Law on Protection of Personal Data of Bosnia and Herzegovina and only if the country or the international organization in question ensures an adequate level of data protection.

12.   What is the personal data retention period or the criteria for determining the retention period?

The retention period of personal data depends on the category of the data and the purposes for which they are processed. In either case, personal data are processed as long as necessary for the Bank to perform its obligations in light of the purpose for which the personal data were obtained, or as required by the applicable legal and regulatory frameworks.

The Bank will process your personal data after the end of the customer and contractual relationship for a period deemed necessary at any given time according to the legal and documentation requirements.

For example, personal data collected in order to establish a business relationship with the Bank are kept for 10 years after the end of the business relationship.

The Bank justifies the retention period based on the purposes for processing personal data and it complies with the statutory obligations for retaining data. If personal data are no longer required, they will be erased in accordance with our erasure processes or anonymized, i.e. stripped of all possible identifying characteristics.

13.    What are cookies?

The Bank’s website uses cookies. Cookies are text files that are stored in a computer system via an Internet browser. Many Internet sites and servers use cookies. Many cookies contain a so-called cookie “ID”. A cookie ID is a unique identi- fier. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognised and identified using the unique cookie ID.

14.    What type of general data and information does the Bank collect?

The Bank collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files and include:

• The browser types and versions used
  • The operating system used by the accessing system
  • The website from which an accessing system reaches our website (so-called “referrers”)
  • The sub-websites
  • The date and time of access to the Internet site
  • The Internet protocol address (IP address)
  • Any other similar data and information that may be used in the event of attacks on our information technology systems

15.    Why does the Bank use cookies and collect general data and information?

The Bank uses cookies to provide the users of the website with more user-friendly services that would not be possible without the cookie setting. Cookies enable the information and offers on the website to be optimized with the user in mind. Cookies also allow us to recognize website users. The purpose of this recognition is to make it easier for users to utilize the website. For example, website users who allow cookies do not have to enter access data every time they visit the website, because this function is taken over by the website, and the cookie is thus stored on the user’s computer system.

When using the abovementioned general data and information, the Bank does not draw any conclusions about the data subject. Rather, this information is needed to:

• Deliver the content of the website correctly
  • Optimize the content of the website, including advertising
  • Ensure the long-term viability of our information technology systems and website technology
  • Provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyberattack

16.   How can users manage cookies?

The data subject may at any time prevent the placement of cookies by the website by adjusting the corresponding setting of the Internet browser used, and may thus permanently deny the placement of cookies. Furthermore, cookies that have already been placed may be deleted at any time via the Internet browser or other software programs. This is possible in all popular Internet browsers. However, if the data subject deactivates the placement of cookies in the respective Internet browser, not all functions of the website may be entirely usable.

17.    Google Analytics

On its website, ProCredit Bank has integrated the Google Analytics component (with the anonymizer function). Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data about the behavior of visitors to websites. A web analysis service collects, inter alia, data about the website from which a person has come(the so-called referrer), which sub-pages were visited, or how often and for what duration a sub-page was viewed. Web analytics are mainly used for the optimization of a website and in order to carry out a cost-benefit analysis of Internet advertising. The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.

For the web analytics through Google Analytics ProCredit Bank uses the application “_gat. _anonymizeIp”. By means of this application the IP address of the Internet connection of the data subject is abridged by Google and anonymised when the data subject accesses our website. The purpose of the Google Analytics component is to analyse the traffic on our website. Google uses the collected data and information, inter alia, to evaluate the use of our website and to provide online reports, which show the activities on our websites, and to provide other services concerning the use of our Internet site to us.

Further information and the applicable data protection provisions of Google may be retrieved under https://www.goo- gle.com/intl/en/policies/privacy/ and under http://www.google.com/analytics/terms/us.html. Google Analytics is further explained under the following Link https://www.google.com/analytics/

18.     Updates to the privacy notice

The Bank reserves the right to modify the privacy notice from time to time in order to reflect new services, changes in our practices and any legal and regulatory changes that may affect our responsibilities towards our clients. The “Last updated legend at the top of the privacy notice indicates when this document was last revised. Any and all changes become effective when posted on our online presence.