On the Procedure for Protection of Personal Data of PrivatBank Clients

At PrivatBank, we understand the value of privacy and the importance of personal data protection. To help you understand the intricacies of personal data processing, we have prepared this Notification of the procedure for protection of personal data and privacy of PrivatBank clients (hereinafter - “Notification”).

This Notification is created for visitors and users of PrivatBank's websites, web services and applications, as well as for potential, current, and former clients of PrivatBank (hereinafter - “Client” or “you”).

In the Notification, you will find the answers to questions regarding the purpose of processing, composition of personal data, reasons for processing, etc. Here we will also tell you about the data we process.

1. Who owns the personal data?

The owner of the personal data is JSC CB “PRIVATBANK” (hereinafter – “PrivatBank”, “Bank” or “we”), a banking institution registered in Ukraine, EDRPOU code 14360570, address: 1D Hrushevsky St., Kyiv, 01001.

If you have any questions regarding the processing of your personal data, you can send us a letter to the above address or contact us via any communication channel specified on the Bank’s official website: https://privatbank.ua.

You can also send an email to dpo@privatbank.ua regarding your personal data processed by the Bank.

2. What personal data do we process?

While providing our services and conducting business activities, we process various categories of personal data. In this section, you will find detailed information on the data we process.

Identification data and contact details:

  • Last name, first name and patronymic (hereinafter - “Full name”);
  • Date of birth;
  • Passport series and number, date and place of its issuance;
  • Place of registration, place of residence (if it differs from the place of registration);
  • Copy of the passport;
  • Copy of the certificate of taxpayer identification number assignment, place and date of its issuance, as well as the identification number itself;
  • Mailing address;
  • Telephone number; and
  • E-mail address.

Financial data:

  • Bank account number;
  • Information on payments and transactions;
  • Transaction history;
  • Credit and other liabilities.

Data necessary for initial financial monitoring and for verification as the Bank’s client:

  • Full name;
  • Place of residence, stay, or registration;
  • Taxpayer’s identification number;
  • Citizenship;
  • Place of tax residence;
  • Information collected during due diligence check: business relationships and business activities of the Client, cash flows, accuracy of information, information on social media;
  • Information obtained from sanction lists;
  • Status of a politically exposed person; etc.

Data on education and family:

  • Information on education;
  • Information on marital status and family members.

Data on professional activities:

  • Employer;
  • Profession, position;
  • Occupation;
  • Work experience.

Data related to contractual obligations to the Bank:

  • Information on the services provided;
  • Information on fulfillment of or failure to fulfill the contractual obligations;
  • Information on the use of ATMs, SSTs, other service equipment, mobile applications, as well as on branch visits;
  • Submitted applications, inquiries, and complaints.

Data related to the use of the Bank's services:

  • Information on the products and services used;
  • Information on the habits, interests, benefits, satisfaction or dissatisfaction with the services provided.

Data related to participation in contests, raffles, lotteries and promotional offers:

Information related to competitions, raffles, lotteries, and promotional offers, including the announcement of winners and awarding prizes to winners.

Data collected in the course of communication with the Bank:

Letters and e-mails received, telephone conversations (with or without audio recording) conducted in the course of communication with the Bank, as well as information about the devices and technologies used.

Data obtained from public sources:

Information from open public databases.

Data contained in the documents:

Information stored in printed and electronic documents received by the Bank.

Sensitive categories of the personal data:

We may process information on racial or ethnic origin, political and religious beliefs, worldview attitudes, membership in political parties and trade unions, criminal convictions, as well as information relating to health, sexual life, biometric or genetic data, if permitted by law.

We do not normally process sensitive categories of personal data, but if we need such information to provide a particular service we will ask for your consent to the processing of such data.

Technical data of websites and mobile applications (when you use the Bank's websites and applications, we automatically process certain data).

These include information about:

  • Browser and device - we collect information about the device (type, model, IP address, MAC address, etc.) and the browser (type, version, language, etc.) that you use;
  • Use of our website or mobile application (for personal data processed during the use of Privat24 mobile application, see Paragraph to this Notification) - we collect information about the use of our website or application, including any actions taken by you on a particular website or application;
  • Cookies and other technologies - we use browser cookies for the purpose of analytics and statistics (read more about the use of cookies in the cookie banners on the relevant website).

Data collected for security control within the Bank:

  • Information obtained through video recordings made in our premises and on our territory, near the ATMs and SSTs, including videos, time, and place;
  • Information obtained from the ATMs and SSTs, including videos, time, and place.

3. What is the purpose and reason for the personal data processing?

Before processing the personal data, we always determine the purpose and reason for the processing. Processing of the personal data is legal if we process personal data for at least one of the following reasons:

  • To enter into and perform the contract in order to provide a relevant service (hereinafter - the “legal transaction”);
  • To fulfill the Bank’s obligations stipulated by law (hereinafter - the “law”);
  • On the basis of your consent (hereinafter - “consent”);
  • To pursue the legitimate interests of the Bank or a third party, except when the need to protect the fundamental rights and freedoms of the personal data subject outweighs such interests in connection with the processing of his / her data (hereinafter - “legitimate interests”);
  • To protect your vital interests;
  • If we have been granted a permit to process data in accordance with the law solely for the exercise of our powers.

Provision of services

Reason: Legal transaction. Purposes:

  • To provide you with financial and banking services: opening and maintenance of accounts, cash and non-cash transactions, issuance and maintenance of payment and credit cards, foreign currency services or money market services, personal banker services, money transfers, services in mobile applications and other services;
  • To contact and notify you of any changes to our services or terms and conditions;
  • To provide you with information and assistance.

Reason: Law. Purposes:

  • To inform you of changes to this Notification;
  • To process received inquiries, applications or complaints;
  • To identify and verify you in accordance with the legislation on preventing and counteracting legalization (laundering) of the proceeds of crime, terrorist financing and financing of proliferation of weapons of mass destruction, including verification of you as a client or potential client. This includes checks of the origin of funds, checks of sanction lists, open public databases, identification of beneficiaries and statuses of politically exposed persons, provision of information to supervision and investigative authorities in the cases stipulated by law;
  • To ensure automatic sharing of information about accounts and provide your information in the cases stipulated by law;
  • To comply with legal requests of the National Bank of Ukraine, prosecution authorities, state, judicial, investigative and other law enforcement agencies operating within their powers;
  • To comply with other legitimate requests.

Reason: Legitimate interests. Purposes:

  • To check information about you in open public databases;
  • To ensure control over the performance of contracts and repayment of loans or fulfillment of other obligations;
  • To share, through the credit bureau, information about your credit liabilities and the time of their fulfillment;
  • To check information about you in debt history databases.

Economic and administrative activities

Reason: Law. Purposes:

  • To ensure compliance with the Bank's solvency criteria, for the purposes of audit and corporate governance;
  • To ensure the Bank’s risk management;
  • To assess your creditworthiness as a Client or a guarantor;
  • To appraise a property to be pledged.

Reason: Legitimate interests. Purposes:

  • To assess your creditworthiness and offer relevant services or products before establishment of contractual obligations or during their performance;
  • To assess and evaluate potential clients, analyze and predict their personal preferences, interests, behavior, and reliability;
  • To check information about you in order to prevent fraud related to the use of services or to prevent abuse of our services;
  • To ensure your and our security at the Bank’s premises, as well as to protect property by means of video surveillance;
  • To protect our rights in disputes with you or third parties, if necessary;
  • To ensure and improve the quality of our services;
  • To provide evidence of communication with you;
  • To test new products;
  • To depersonalize the personal data;
  • To summarize the statistics.

Marketing activities

Reason: Consent. Purposes:

  • To offer our services, including sending personalized offers and other messages;
  • To provide you with personal credit limit offers.

Reason: Legitimate interests. Purposes:

  • To identify potential clients and groups of clients, assess and verify them, analyze and predict personal preferences, interests, behavior, and reliability.

4. Do we share your data with third parties?

We do not plan to share the personal data with third parties. Most of the data are processed within PrivatBank only by employees having the appropriate access. However, please note that we can share the personal data with third parties in the following cases:

Security, legal grounds, execution of a law.

Your personal data are transferred to third parties in the cases where it is necessary to:

  • Comply with official requirements of public authorities and local governments within their competence, court decisions, or relevant laws;
  • Protect PrivatBank from complaints by third parties, without prejudice to your rights and freedoms;

With your consent.

With your consent, we may share the personal data with third parties. The terms and time of the data transfer must be set forth in such consent.

Third party services.

From time to time, we may use the services of third parties to process the personal data. Such services may include research, analytics, cookies, e-mails, etc. If we use any third-party data processing services, we conclude relevant data processing agreements in which we require that any third party should take appropriate technical and organizational measures to protect your personal data.

Change of the data ownership.

We do not sell your data to any company or organization but we may transfer your personal data to a successor. In such a case, we will notify you that your personal data will be transferred, and their processing will thus be covered by another notification of the processing of personal data. You will be able to refuse the transfer of your data to a new owner.

5. How do we process your data?

In this section, you will learn how, where, and for how long we store and protect your personal data.

Data protection.

We use a variety of security measures to protect the personal data we process. We have implemented operational and technical measures to restrict access to your data:


Operational measures

  • In PrivatBank, personal data are classified as limited access information;
  • PrivatBank has implemented a strict policy regulating the processing of the personal data;
  • The data we collect are available only to authorized employees;
  • The Bank has the Information Security Management System and the Private Information Management System.

Technical measures

  • Personal data are stored in the secure data warehouses;
  • We use encryption as one of the means of data protection;
  • In some cases, we use pseudonymization;
  • We use certain types of controlled policies for technical access to databases where the personal data can be stored.

Retaining of your data.

We retain your data for the time necessary to fulfill the purpose of the data processing in accordance with this Notification.

The data are stored in Ukraine and are not transferred abroad.

Please note that certain personal data may be retained even after fulfillment of the purpose of processing specified in the Notification, if this is required by the legislation of Ukraine.

6. What rights do you have regarding your personal data?

If you want to access, view, update, correct, or remove your personal data that we store, or to use any other rights stipulated in Article 8 of the Law of Ukraine “On Personal Data Protection” No. 2297-VI of June 1, 2010, contact us using the contact details listed in Section 1 hereof.

If you are not satisfied with the way we process your data, you are entitled to file a complaint with the supervisory authority. In Ukraine, such supervisory authority is the Ukrainian Parliament Commissioner for Human Rights. To write a complaint, use the Procedure for filing a petition to the Ukrainian Parliament Commissioner for Human Rights.


How can I remove my personal data?

We exercise your right to remove your personal data to the extent permitted by law. If we have a legal obligation that exceeds your request, we will comply with the law. This means that we will not be able to satisfy your request if we process your personal data on the basis of a legal transaction or a law.

7. What changes can be made to the Notification?

If the current legislation of Ukraine or our procedures for processing of the personal data change significantly, we will make changes to this Notification. You will be informed of all changes related to processing of the personal data by the Bank.

8. List of the data and the purposes of data processing in Privat24

In the process of using Privat24, a Client may be requested to provide the following data or access to a Client's mobile device for the following purposes:

List of data and accesses, each followed by the purposes of obtaining the information or accesses:

  • Client's location, geolocation, exact location coordinates, approximate location coordinates - To search for the Bank’s branches, ATMs or SSTs, to call and order a taxi, to build a taxi route, to determine the Client’s location, to search for the nearest gas station, to search for Discount Club partner retailers, to search for Bonus Plus partner retailers, to increase the level of security, etc.
  • Access to camera of a Client's mobile device, access to the media library of the mobile device - To create photo documents, to create or save images or photos, to save media and images on a Client's mobile device, to display a Client's photos in Privat24, to add a payment template, to scan a QR code, to configure FacePay24 for making payments using a Client’s image, to ensure video verification of new clients.
  • Access to microphone, volume adjustment, and connection settings - For video verification of new clients of the Bank.
  • Read-only access to a Client's mobile device status, including mobile device phone number, current mobile device network information, status of all current calls, and list of all accounts registered on a Client's mobile device - To increase the level of security in Privat24, to auto-fill a mobile phone number when logging in to Privat24.
  • Contacts saved on a Client's mobile device - To use the list of a Client's contacts for auto-filling of a phone number in the Top up menu (mobile top-up).
  • Client's e-mail address - To display a Client's e-mail address in Privat24 for communication.
  • Client's SMS messages - For auto-filling of one-time password (OTP) in Privat24.
  • Client's photo - To display a photo:
      • in the user profile in Privat24;
      • in the chat with PrivatBank operator during online communication;
      • in payment templates, to persons who made payments to user in Privat24.