Who Is the Personal Data Controller?
JSC CB PrivatBank (hereinafter “PrivatBank”, “Bank” or “we”) is the data controller. PrivatBank is a banking institution registered in Ukraine (USREOU code 14360570), located at the address: 01001, Hrushevskoho street, 1D, Kyiv.
If you have any questions about the processing of your personal data, you can contact us through any communication channel listed on our official website: https://privatbank.ua/about/contacts. You can also send us a letter to our registered address or visit the nearest branch.
What Personal Data Do We Process?
In the course of providing our services and conducting business activities, we process various categories of personal data. Data may be received in the course of establishing and implementing business relations with the Bank, while making payments and other financial transactions, or while taking financial monitoring measures; personal data may also be received from other sources.
In particular, the Bank processes the following categories of personal data:
Profile Data of the Customer Who Is an Individual
- Last name, first name, and middle (patronymic) name (in Ukrainian and in English).
- The data from the identification document (ID), and a photocopy of it.
- Tax information regarding the individual (Ukraine’s registration number of the taxpayer’s account card, identification code, Tax ID, TIN).
- Residence address (registration address) in Ukraine.
- Address of the actual place of residence or the address of stay in Ukraine.
- Place of a temporary stay in Ukraine.
- Residence (registration) address in the country of residence (person’s permanent residence address).
- Date and place of birth.
- Citizenship status.
- Education, place of study.
- Place of work, position.
- Social status.
- Contact details (cell, home, work phone numbers).
- Email address.
- Information related to the customer’s status as an individual – entrepreneur.
- Information related to the customer’s status as a self-employed person/person engaged in independent professional activities.
- Person’s affiliation to national, foreign public figures or figures performing public duties in international organizations.
- Affiliation to persons related to public figures or to their family members.
- Marital status, spouse’s last name, first name, and middle (patronymic) name, date of birth, TIN/tax ID, number of children.
- Relations with other banks.
- Information about US citizenship, permanent US resident card, information about long-term stay within the US territory.
- Information about a power of attorney or signature authority on the accounts opened with the JSC CB PrivatBank granted to the person who is a US resident.
- Information on the US tax residency.
- The expected amount of revenues to the account.
- Cash financial transactions which are planned/expected during the first quarter since the account opening.
- Sources of funds/revenues.
- The sum of earnings received at the main place of work.
- The sum of additional regular revenues.
- The description of financial status.
- Affiliation to politically exposed persons or to their affiliates.
- Affiliation to ultimate beneficial owners and controlled legal entities.
- Documents confirming the sources of revenues/funds.
Profile Data of the Customer Who Is a Legal Entity
- Identification data of the persons entitled to dispose of the accounts of the customers who are legal entities.
- Information regarding the supporting document which would confirm the powers of the persons entitled to dispose of an account, and upon the basis of which all of these persons are acting (power of attorney, charter, articles, minutes/decision of general assembly/the meeting of a supervisory board/management board, order, etc).
- Last name, first name, middle (patronymic) name of the chairperson or the person entrusted to perform managerial functions and the functions of conducting business activities of the customer who is a legal entity.
- Information regarding governing bodies (executive body and, if available, controlling/supervisory body) and their composition (including last names, first names, and middle (patronymic) names, Ukraine’s registration numbers of the taxpayer’s account cards, and dates of birth).
- Information on the ownership structure of a legal entity (including the supporting documents for the documented system of relations between legal entities and individuals, in order to establish all the present ultimate beneficial owners), also the information on the share which individuals possess in the equity capital and the data related to these individuals.
- Information regarding the ultimate beneficial owner of a legal entity.
- Information related to persons who are authorized to represent the interests of shareholders, members of a legal entity.
- Affiliation of the mentioned persons to politically exposed persons.
- Affiliation to the US residency.
- Information regarding the main counterparties in case they are individuals.
- Data regarding bank cards with signature samples.
- Contact details of the persons authorized to communicate with the Bank.
Data Obtained in the Course of Providing Services
- Information on what products and services are provided.
- Data from agreements concluded with the Bank (including requisites, data about signatories, and other parties who are specified in agreements, data about the third parties, in favor of whom the agreements were concluded).
- Information on the accounts opened in the Bank (including account numbers, information on the owners and users of the accounts, account balance in foreign currency, securities, or precious metals).
- Data regarding the transactions (including payment details and details of other accounting documents, data about payers and recipients, data of other persons who are mentioned in payment and accounting documents).
- Data on payment instruments (particularly, credit and debit card details, payment systems data, user devices data, tokens data).
- Data on the funds kept in the accounts, including the sources of revenues.
- Data on family members, customer’s spouse, and children in case of legal obligations under the collateral (including pledge and mortgage).
- Data related to customer’s ownership, including the data on the enforcement of legal obligations, data on the mortgagor.
- Data about the purpose of payments made by the customer, particularly the data regarding the goods and services paid for (including via mobile app and POS-terminals), data related to debts on utilities and other services, payments made in favor of the state and local budgets.
- Data regarding the customer, which is additionally obtained when the funds are enrolled in their favor, including the data on their employment (in the event of salary projects), data on social status (in case of pension, student scholarship payment or other social benefits), and other additionally obtained information.
- Data related to children or parents (guardians, custodians) of the customer, in case the services are provided to minors and to other persons without full legal capacity.
- Data related to insurance agreements concluded with the customer or in favor of the customer.
- Data related to the provision of other services, such as safe deposit boxes.
- Data arising in the course of providing informational and advisory services, such as qualified electronic signature, BankID, LiqPay, Paperless, etc.
- Data in the respect of generation, support, use, and cancelation of the qualified electronic signature and electronic document management.
- Data related to participation in contests, raffles, lotteries, and promotions which the Bank holds either independently or by involving partners, including the announcement and awarding of the winners.
- Data regarding persons authorized to dispose of the account and/or funds, including the customer’s relatives and heirs.
- An image of the personal signature of an individual.
Data Obtained in the Course of Financial Monitoring Procedures
- Data on the ultimate beneficial owner.
- Data related to business reputation.
- Information about persons exercising direct and/or indirect decisive influence.
- Publicly available information (posted in official sources, public registers, at the official websites of the authoritative publications).
- Information regarding the grounds and reasons for the customer to exercise a comprehensive ownership structure and/or to have a particular state registration (jurisdiction).
- Sources of wealth and/or sources of funds related to financial transactions.
- Information regarding the availability/validity of licenses, permits, supporting data on the customer in the relevant registers.
- Information regarding the purpose and nature to establish business relations.
- Information contained in the open sources regarding criminal proceedings against the customer, its representatives, ultimate beneficial owners.
- Data on customer’s legal and commercial relations established with other customers of the Bank, their essence/role in the group.
- Information on customer’s activities.
- Data from the supporting documents/information related to certain specific financial transactions.
- The information which is obtained during the due diligence of the customer, its business relations, commercial activities, cash flows, accuracy and faithfulness, information appearing in the customer’s social networks.
- Information obtained from the lists of sanctions.
- Other information which the Bank is obliged to obtain due to the legislative requirements for financial monitoring and anti-money laundering.
Data Obtained in the Course of Providing Banking Services
- Data on the provision of services at the Bank branches.
- Data related to remote services, including the use of the mobile app.
- Information on using ATMs, POS-terminals, other devices for banking services, mobile apps.
- Information about habits, interests, benefits, whether the customer is satisfied or dissatisfied with the services provided.
- Information regarding claims and appeals related to the provision of banking services.
- Data obtained in the course of communication between the Bank and the customer, including correspondence, emails, phone calls (both recorded and unrecorded), and information about the used devices and applied technologies.
- Information which the customer either intentionally or unintentionally shares while being serviced and which relates to any other life aspects of the customer or third parties.
Data Related to the Customer Credit History
- Information about credit agreement and amendments thereto (number and date of the conclusion of the agreement, information on the parties, type of the agreement).
- The sum of the obligation under the concluded credit agreement.
- Type of the currency of the obligation.
- The terms and enforcement procedure for the credit agreement.
- Information about the amount of the repaid sum and about the final obligation sum under the credit agreement.
- The initial date when the obligation under the credit agreement is overdue, its amount, and the stage of repayment.
- Information on the termination of the credit agreement and the way of termination.
- Information confirming the invalidity of the credit agreement and the grounds under which it is recognized as invalid.
- Documented information on an individual taken from the public registers, other publicly available databases.
- Available tax debts and obligatory payments.
- Court decisions related to the origin, execution, and termination of obligations under the concluded credit agreement.
- Court decisions or resolutions made by executive authorities on the property status of an individual’s credit history.
- Other information affecting the individual’s ability, regarding their credit history, to fulfill obligations.
- Data on operations regarding the information containing the details of the credit history.
Image of the Customer
- Customers’ photographs taken from the documents provided by the customer.
- Photographs taken in the Bank branch and during remote servicing.
- Customer’s photographs taken from publicly available sources in the course of financial monitoring activities.
- Customer’s images taken during video surveillance in the Bank premises, as stipulated by the current legislation.
- Customer’s images taken when they use the Bank’s self-servicing devices and equipment for the purposes of secure payments.
- Videos and photographs taken during video verification in compliance with the legislative requirements.
- Digital casts made from the customer’s photograph, recorded in machine code.
Voice of the Customer
- Recorded conversations with the customer for the purpose of checking the quality of the provided services.
- Digital casts made from the customer’s voice where voice biometrics technology is applied in order to authenticate the customer.
Data Obtained from Public Sources
- Information about the open data obtained from public sources and made available pursuant to the legislation on access to public information.
- Information obtained from public sources of other countries.
- The information which is related to the person, in case it is made public by the person.
Data Collected for Controlling the Security within the Bank
- Information obtained from ATMs and POS-terminals, including the time and the place when and where a transaction is made.
- Information obtained from third parties in case of preventive anti-fraud and security measures.
- Information processed in the course of relations with law enforcement bodies in the event of the presence of evidence of a crime, an administrative offense, losses, or other damage.
Data Obtained When Operating with Credit Obligations
- Information on the debt and its condition.
- Information on the evaluation, condition, and location of collateral under the obligation, including pledged and mortgaged items.
- Information related to other property which belongs to the customer or other parties.
- Information in respect of the customer’s relatives, neighbors, friends, which is obtained during the evaluation procedures, monitoring of a pledged property, foreclosure on the property, debt collection, other taken steps regarding the credit obligations.
- Information related to the third parties, which the customer provides in the manner prescribed by the law on consumer credit.
- Information on the third parties with the rights to pledged and other types of property which belongs to the customer, information on pledgers and mortgagors.
- Data obtained in the course of arbitration, judicial, and executive proceedings and mediation, data from notaries, state, and local government bodies.
- Data obtained from collection companies.
- Data on the ownership and legal deeds related to ownership (including the rights of intellectual property and corporate rights).
Data Contained in the Documents
- The information which is received by the Bank and kept in the form of printed and electronic documents.
- Images or photocopies of documents.
Technical Data from Websites and Mobile Apps
- Data about the device (including its type, model, IP address, MAC address, etc) and browser (its type, version, language, etc), which the customer uses.
- Information on the use of our website or mobile app, in particular, regarding actions on a certain website or app if any.
- Information obtained from cookies and other web technologies.
- Information transmitted in the URL heading in the process of accessing our website from other web resources.
Data Related to Other Legal Relations with the Bank
- Information related to labor relations if the customer is or was an employee of the Bank.
- Information regarding any commercial or administrative relations between the Bank and another individual, if this individual or their employee is the Bank’s customer at the same time.
- Data provided by third parties under various circumstances and reasons (in particular, when the data is provided by the Bank’s other customers in order to perform their duties).
- Data obtained in the case of seizure and forced collection of customer’s funds and accounts.
Data Which the Bank Generates in the Process of Servicing Customers
- Customers’ IDs for storing their data in databases.
- Customers’ profiles and evaluations made in the process of scoring their creditworthiness.
- Data regarding the entity’s behavior, interests, or habits which the Bank becomes aware of during the provision of services.
- Any other analytical or statistical data related to the customer.
Sensitive Categories of Personal Data
We usually do not process sensitive categories of personal data. We may process such categories if you give your consent or if there are other grounds stipulated by the current legislation. In particular, sensitive data may be processed in the following cases:
- Biometric voice casts of the customer based on consent for the purpose of secure authentication at customer support and in automated channels for carrying out risky operations, including payments, on cards and accounts, and for providing information on the status and movement of funds on cards and accounts.
- Biometric videos and images in order to verify the customer, in the cases stipulated by the regulatory legal acts of the National Bank of Ukraine.
- Biometric facial image to make payments via the FacePay24 service.
- Biometric facial image to authenticate the customer via the FaceID services.
- Biometric facial image to be able to receive services in the Branch of the Future.
- Data related to administrative or criminal prosecution or in the cases of taking measures as part of a pre-trial investigation, violent actions committed against a person in the event where obtaining such data is required by law, and the Bank is a party to such proceedings, or the customer informed the Bank on the matter.
- Information about political, religious, or ideological convictions, membership in political parties, data obtained as a result of financial monitoring activities, and in the case of identification of politically exposed persons.
In addition, the Bank, due to the provision of services, may obtain the data and documents that might indirectly indicate racial or ethnic origin, political, religious, or ideological convictions, membership in political parties and trade unions, exposure to administrative or criminal punishment, and the data related to health, sex life, biometric or genetic data.
In particular, the Bank may obtain such data from payment purposes, customer agreements (such as an insurance agreement), or documents provided by the customer. The Bank neither collects nor processes such information intentionally.
What Are the Purposes and Grounds for Personal Data Processing?
Before we process personal data, we always determine the relevant purpose and grounds for processing. Personal data is processed lawfully if we process personal data on at least one of the following grounds:
- In order to conclude and execute an agreement or another legal action where one of the parties is an individual or if an agreement is concluded in favor of an individual (hereinafter - “Conclusion and Execution of a Legal Agreement”);
- For the Bank to be able to fulfill its obligations established by the current legislation (hereinafter - “Legislative Requirements”);
- Based on your consent (hereinafter - “Individual’s Consent”);
- To implement legal interests of the Bank or of the third party, excluding the cases where the necessity to protect the fundamental rights and freedoms of a personal data subject prevails over these legal interests (hereinafter - “Legitimate Interests”);
- To protect your vital interests;
- In the case when we are allowed to process personal data pursuant to the current legislation exclusively in order to exercise our authorities.
Purposes for data processing
Providing financial and banking services
We process personal data to provide you with the following financial and banking services:
- current accounts;
- accounts for receiving a salary, scholarship, pension, and other social benefits;
- certificates of deposit accounts;
- escrow accounts;
- term deposit accounts;
- accounts for credit debt;
- warranty accounts;
- accounts for letters of credit;
- accounts for documentary collection;
- financial operations for the purchase/sale of foreign currency;
- financial operations for the purchase/sale of banking metals;
- other financial operations for cash receipt/withdrawal without establishing business relations;
- fund transfers, including international transfers, without account opening;
- securities accounts opened with the depository institutions;
- leasing-related services;
- digital wallets;
- trade acquiring services;
- Internet acquiring services;
- money transfers to individuals, including the PrivatMoney system;
- cash collection;
- brokerage services;
- accepting and making payments, including via the LiqPay system;
- servicing salary enrollment, pension, and social projects;
- insurance services;
- custodian services or storing valuables, providing an individual bank vault;
- informational and advisory services;
- a qualified electronic signature (including the SmartID system);
- electronic document management, Paperless;
- PrivatBank BankID identification system and the NBU BankID Identification system;
- public procurement services via the ProZorro system;
- services provided via the Privat24 mobile apps and “Privat24 for Business”;
- any other banking services which the Bank provides to its customers.
Ground for processing: Conclusion and Execution of a Legal Agreement.
Related actions for the provision of services
Related actions are included and required as part of the provision of services. These related measures are:
- identifying the data and authorities of signatories and contact persons in agreements;
- authorizing a customer in cashier interfaces and self-servicing POS-terminals;
- granting customers access to payment mechanisms (including payment cards);
- providing customer with data on their accounts and transactions;
- issuing loans to the Bank customers and servicing them;
- changing the terms for credit obligations, including granting credit holidays and restructuring;
- informing customers;
- servicing customers and their representatives at the Bank branches, cash desks, or during remote servicing, including via the round-the-clock phone support line at 3700, through mobile messengers and mobile apps;
- interacting with heirs and with other persons who are entitled to dispose of the customer’s funds.
Ground for processing: Conclusion and Execution of a Legal Agreement.
Compliance with Legislative Requirements
Pursuant to the current legislation, in the course of the provision of services the Bank is obliged to take various measures which include the following:
- to process received requests, claims, or complaints;
- to identify the customer;
- to inform and to take all the relevant steps stipulated by the current legislation on the protection of consumer rights and on consumer credit;
- to collect and transfer information in the manner prescribed by the current legislation on organizing credit formation and its turnover;
- to evaluate creditworthiness and offer relevant services and products prior to entering into contractual obligations or in the course of fulfillment thereof;
- to evaluate and check for potential customers, to analyze and forecast personal preferences, interests, behavior, and trustworthiness;
- to manage risks, including credit risks, adhere to the compliance requirements, comply with physical and informational security requirements;
- to ensure security within the Bank premises and protect Bank property, applying a video surveillance system; to ensure video surveillance at the self-servicing points;
- to submit statistical and other reporting, to take measures for deposit guarantees of individuals;
- to ensure automatic data exchange on accounts and to provide the relevant information on customers in the cases prescribed by the current legislation;
- to respond to the requests from the National Bank of Ukraine, the prosecutor’s office, judicial, investigative, and other governmental bodies, if they are acting within the scope of their competence (including revealing banking secrets, providing documents on seizures, seizing and carrying out a forced withdrawal of funds);
- to fulfill other legitimate requests;
- to store data and documents in the manner and terms stipulated by the current legislation.
Ground for processing: Legislative Requirements.
Protecting the Bank’s Legitimate Interests during the provision of services
Besides, when providing its services, the Bank may process personal data required for the protection of Legitimate Interests, in particular:
- interacting with operators and users of payment systems, with participants of financial and payment markets, with the securities market and other business areas;
- collecting and obtaining customer-related information associated with potential customers from the parties operating under agency contracts;
- verifying the information about you in publicly available databases;
- controlling the execution of a legal agreement and loan repayment or fulfillment of other obligations;
- exchanging the data related to your credit obligations and the terms for the execution via the credit bureaus, obtaining the information from credit bureaus and credit registers at the stage when the loan applications are considered;
- verifying the information on you in the history of repayments in the relevant databases;
- communicating and informing you of any changes in our services or terms;
- analyzing if the customer’s needs are satisfied with the services provided by the Bank according to the customers’ requests, including by means of automatically processed requests by topics and search phrases of the client;
- transferring information on the customer to insurers or other parties in the case of an insured event;
- transferring information related to the agreement and the status of its fulfillment to the parties who are fulfilling the obligations on behalf of or in the name of the customer;
- scoring customer payment discipline;
- conducting additional inspections and terminating the course of transactions in the cases of signs indicating fraud or other criminal offenses, taking other measures aimed at counteracting crime, including seeking, detecting, and prosecuting the persons involved in committing crimes or other offenses.
Ground for processing: Legitimate Interests.
Do We Transfer Data to Third Parties?
Most of the data is processed within PrivatBank and only by authorized employees who have been appropriately trained and have passed the course on personal data protection, have relevant permits and rights of access, and have legal obligations on non-disclosure of confidential information.
Nevertheless, please note that personal data may be transferred to third parties in the following cases:
Legal grounds, security requirements, law enforcement.
In particular, personal data may be transferred to third parties for the reason of:
- compliance with official requirements set by the state authorities and local self-government bodies within their competence, enforcement of a court decision or the relevant laws;
- the protection of PrivatBank from claims made by the third parties, but with no prejudice to your rights and freedoms;
- a request by third parties for access to personal data, if it is within the rights granted to these third parties (e.g., in relation to inheritance);
- assistance in preventing and investigating illegal actions (such as fraud).
Changing the data controller.
We shall not sell your personal data to any company or organization. Nevertheless, we may transfer your personal data to a legal successor. In such a case, you shall be informed that your personal data is to be transferred; the transfer is therefore the subject of another notice on personal data processing.
In case we use the services provided by third parties.
We may at times use services provided by third parties in order to process personal data. These services may include storage and/or cloud services, research, analytics, cookies, emailing, etc. If any third-party services are involved in the data processing, we shall sign data processing agreements in which we require the third party to take appropriate technical and organizational measures so that your personal data is protected.
By your consent.
If you have given your permission, we may transfer personal data to third parties. The terms and conditions for the transfer shall be bound by your consent.
How Do We Process Your Data?
We apply various security measures in order to protect the personal data which we process. We’ve implemented the following organizational and technical measures to restrict access to your personal data:
- Personal data within PrivatBank is the information with restricted access.
- PrivatBank enforces a strict policy which regulates personal data processing.
- The data we receive shall be accessed by our authorized employees only.
- The Bank applies the information security management system.
- Personal data are stored in secure data storages.
- We apply encryption as one of the means to protect the data.
- In some cases, we may pseudonymize your personal data.
- We use certain types of controlled policy for technical access to databases where personal data may be stored.
What Rights Do You Have in the Respect of Your Personal Data?
Your rights in respect of personal data protection are set out in Article 8 of the Law of Ukraine “On Protection of Personal Data”. Pursuant to Article 8 mentioned above, you have the following rights:
1. to know the sources of collection and location of your personal data, purpose for the processing, location or place of residence (habituation) of the data controller or the data processor or to be able to make an appropriate assignment to the authorized persons to obtain this information, excluding the cases defined by current legislation;
2. to obtain information on the conditions for granting the access to personal data, including information which is related to the third parties to whom this personal data shall be transferred;
3. to have access to your personal data;
4. to receive a response on whether the personal data is being processed, and to receive the content of such personal data, no later than thirty calendar days from the day when the relevant request has been made, excluding the cases stipulated by the current legislation;
5. to make a reasonable claim to the personal data controller objecting against the personal data processing;
6. to make a reasonable claim regarding alteration or destruction of the personal data to any data controller or/and data processor, if personal data is being processed illegally or the data is unreliable;
7. to protect your personal data from illegal processing or from an accidental loss, destruction, damage which is related to the intentional concealment, non-provision or an untimely provision of the personal data, and to protect from the provision of unreliable information or information which dishonors dignity, honor or business reputation of an individual;
8. to file claims regarding the processing of personal data to the Ukrainian Parliament Commissioner for Human Rights or to court;
9. to apply legal remedies if the legislation on the protection of personal data is violated;
10. to make precautions in the respect of the limitation for the right to process your personal data in the course of giving your consent thereto;
11. to withdraw your consent to process your personal data;
12. to know how the mechanism for an automatic personal data processing operates;
13. to be protected from an automated decision when it has legal consequences.
If you wish to access, review, update, correct, or delete your personal data which we store, or if you would like to exercise any other rights defined in Article 8 of the Law of Ukraine “On Protection of Personal Data” No. 2297-VI dated June 1, 2010, contact us using the contact details specified in section 1 herein.
If you are not satisfied with how we process your personal data, you are granted the right to make a claim to the supervisory authority. In Ukraine, the supervisory authority is the Ukrainian Parliament Commissioner for Human Rights. To file your claim, visit the official website of the Ukrainian Parliament Commissioner for Human Rights.
How can I delete my personal data?
We exercise your right to deletion of your personal data to the extent permitted by law. If we have a legal obligation which prevails over your request for the deletion, then we shall comply with the current legislation. This means we shall not be able to satisfy your request if your personal data is being processed on the basis of a legal agreement or in compliance with the current legislation.
How May the Notice Be Amended?
This Notice was developed and posted in accordance with the requirements set out in the legal regulatory acts and regulations of the National Bank of Ukraine on the way banks provide information to their customers in the respect of banking and other financial services.
If any amendments take place in the current legislation of Ukraine or if the Bank makes any significant changes in respect of personal data processing, we shall amend this Notice. You will be informed about all the amendments and changes made by the Bank in respect of processing your personal data.