Privacy Notice

What Personal Data Do We Process?

In the course of providing our services and conducting business activities, we process various categories of personal data. Data may be received in the course of establishing and implementing business relations with the Bank, while making payments and other financial transactions, taking financial monitoring measures, or personal data may be received from other sources.

In particular, the Bank processes the following categories of personal data:

Profile Data of the Customer Who Is an Individual

Last name, first name, and middle (patronymic) name (in Ukrainian and in English).
The data from the identification document (ID), and a photocopy of it.
Tax information regarding the individual (Ukraine’s registration number of the taxpayer’s account card, identification code, Tax ID, TIN).
Residence address (registration address) in Ukraine.
Address of the actual place of residence or the address of stay in Ukraine.
Place of a temporary stay in Ukraine.
Residence (registration) address in the country of residence (person’s permanent residence address).
Date and place of birth.
Citizenship status.
Education, place of study.
Place of work, position.
Social status.
Contact details (cell, home, work phone numbers).
Email address.
Information related to the customer’s status as an individual – entrepreneur.
Information related to the customer’s status as a self-employed person/person engaged in independent professional activities.
Person’s affiliation to national, foreign public figures or figures performing public duties in international organizations.
Affiliation to persons related to public figures or to their family members.
Marital status, spouse’s last name, first name, and middle (patronymic) name, date of birth, TIN/tax ID, number of children.
Relations with other banks.
Information about US citizenship, permanent US resident card, information about long-term stay within the US territory.
Information about a power of attorney or signature authority on the accounts opened with the JSC CB PrivatBank granted to the person who is a US resident.
Information on the US tax residency.
The expected amount of revenues to the account.
Cash financial transactions which are planned/expected during the first quarter since the account opening.
Sources of funds/revenues.
The sum of earnings received at the main place of work.
The sum of additional regular revenues.
The description of financial status.
Affiliation to politically exposed persons or to their affiliates.
Affiliation to ultimate beneficial owners and controlled legal entities.
Documents confirming the sources of revenues/funds.

Profile Data of the Customer Who Is a Legal Entity

Identification data of the persons entitled to dispose of the accounts of the customers who are legal entities.
Information regarding the supporting document which would confirm the powers of the persons entitled to dispose of an account, and upon the basis of which all of these persons are acting (power of attorney, charter, articles, minutes/decision of general assembly/the meeting of a supervisory board/management board, order, etc).
Last name, first name, middle (patronymic) name of the chairperson or the person entrusted to perform managerial functions and the functions of conducting business activities of the customer who is a legal entity.
Information regarding governing bodies (executive body and, if available, controlling/supervisory body) and their composition (including last names, first names, and middle (patronymic) names, Ukraine’s registration numbers of the taxpayer’s account cards, and dates of birth).
Information on the ownership structure of a legal entity (including the supporting documents for the documented system of relations between legal entities and individuals, in order to establish all the present ultimate beneficial owners), also the information on the share which individuals possess in the equity capital and the data related to these individuals.
Information regarding the ultimate beneficial owner of a legal entity.
Information related to persons who are authorized to represent the interests of shareholders, members of a legal entity.
Affiliation of the mentioned persons to politically exposed persons.
Affiliation to the US residency.
Information regarding the main counterparties in case they are individuals.
Data regarding bank cards with signature samples.
Contact details of the persons authorized to communicate with the Bank.

Data Obtained in the Course of Providing Services

Information on what products and services are provided.
Data from agreements concluded with the Bank (including requisites, data about signatories, and other parties who are specified in agreements, data about the third parties, in favor of whom the agreements were concluded).
Information on the accounts opened in the Bank (including account numbers, information on the owners and users of the accounts, account balance in foreign currency, securities, or precious metals).
Data regarding the transactions (including payment details and details of other accounting documents, data about payers and recipients, data of other persons who are mentioned in payment and accounting documents).
Data on payment instruments (particularly, credit and debit card details, payment systems data, user devices data, tokens data).
Data on the funds kept in the accounts, including the sources of revenues.
Data on family members, customer’s spouse, and children in case of legal obligations under the collateral (including pledge and mortgage).
Data related to customer’s ownership, including the data on the enforcement of legal obligations, data on the mortgagor.
Data about the purpose of payments made by the customer, particularly the data regarding the goods and services paid for (including via mobile app and POS-terminals), data related to debts on utilities and other services, payments made in favor of the state and local budgets.
Data regarding the customer, which is additionally obtained when the funds are enrolled in their favor, including the data on their employment (in the event of salary projects), data on social status (in case of pension, student scholarship payment or other social benefits), and other additionally obtained information.
Data related to children or parents (guardians, custodians) of the customer, in case the services are provided to minors and to other persons without full legal capacity.
Data related to insurance agreements concluded with the customer or in favor of the customer.
Data related to the provision of other services, such as safe deposit boxes.
Data arising in the course of providing informational and advisory services, such as qualified electronic signature, BankID, LiqPay, Paperless, etc.
Data in the respect of generation, support, use, and cancelation of the qualified electronic signature and electronic document management.
Data related to participation in contests, raffles, lotteries, and promotions which the Bank holds either independently or by involving partners, including as well announcement of the winners and awarding of the winners.
Data regarding persons authorized to dispose of the account and/or funds, including the customer’s relatives and heirs.
An image of the personal signature of an individual.

Data Obtained in the Course of Financial Monitoring Procedures

Data on the ultimate beneficial owner.
Data related to business reputation.
Information about persons exercising direct and/or indirect decisive influence.
Publicly available information (posted in official sources, public registers, at the official websites of the authoritative publications).
Information regarding the grounds and reasons for the customer to exercise a comprehensive ownership structure and/or to have a particular state registration (jurisdiction).
Sources of wealth and/or sources of funds related to financial transactions.
Information regarding the availability/validity of licenses, permits, supporting data on the customer in the relevant registers.
Information regarding the purpose and nature to establish business relations.
Information contained in the open sources regarding criminal proceedings against the customer, its representatives, ultimate beneficial owners.
Data on customer’s legal and commercial relations established with other customers of the Bank, their essence/role in the group.
Information on customer’s activities.
Data from the supporting documents/information related to certain specific financial transactions.
The information which is obtained during the due diligence of the customer, its business relations, commercial activities, cash flows, accuracy and faithfulness, information appearing in the customer’s social networks.
Information obtained from the lists of sanctions.
Other information which the Bank is obliged to obtain due to the legislative requirements for financial monitoring and anti-money laundering.

Data Obtained in the Course of Providing Banking Services

Data on the provision of services at the Bank branches.
Data related to remote services, including the use of the mobile app.
Information on using ATMs, POS-terminals, other devices for banking services, mobile apps.
Information about habits, interests, benefits, whether the customer is satisfied or dissatisfied with the services provided.
Information regarding claims and appeals related to the provision of banking services.
Data obtained in the course of communication between the Bank and the customer, including correspondence, emails, phone calls (both recorded and unrecorded), and information about the used devices and applied technologies.
The information which is either intentionally or unintentionally told by the customer while they are being serviced and are related to any other life aspects of the customer or third parties.

Data Related to the Customer Credit History

Information about credit agreement and amendments thereto (number and date of the conclusion of the agreement, information on the parties, type of the agreement).
The sum of the obligation under the concluded credit agreement.
Type of the currency of the obligation.
The terms and enforcement procedure for the credit agreement.
Information about the amount of the repaid sum and about the final obligation sum under the credit agreement.
The initial date when the obligation under the credit agreement is overdue, its amount, and the stage of repayment.
Information on the termination of the credit agreement and the way of termination.
Information confirming the invalidity of the credit agreement and the grounds under which it is recognized as invalid.
Documented information on an individual taken from the public registers, other publicly available databases.
Available tax debts and obligatory payments.
Court decisions related to that origin, execution, and termination of obligations under the concluded credit agreement.
Court decisions or resolutions made by executive authorities on the property status of an individual’s credit history.
Other information affecting the individual’s ability, regarding their credit history, to fulfill obligations.
Data on operations regarding the information containing the details of the credit history.

Image of the Customer

Customers’ photographs taken from the documents provided by the customer.
Photographs made either in the Bank branch and during remote servicing.
Customer’s photographs taken from publicly available sources in the course of financial monitoring activities.
Customer’s images taken during video surveillance in the Bank premises, as stipulated by the current legislation.
Customer’s images taken when they use the Bank’s self-servicing devices and equipment for the purposes of secure payments.
Videos and photographs taken during video verification in compliance with the legislative requirements.
Digital casts made from the customer’s photograph, recorded in machine code.

Voice of the Customer

Recorded conversations with the customer for the purpose of checking the quality of the provided services.
Digital casts made from the customer’s voice in case when the voice biometrics technology is applied in order to authenticate the customer.

Data Obtained from Public Sources

Information about the open data obtained from public sources and made available pursuant to the legislation on access to public information.
Information obtained from public sources of other countries.
The information which is related to the person, in case it is made public by the person.

Data Collected for Controlling the Security within the Bank

Information obtained from ATMs and POS-terminals, including the time and the place when and where a transaction is made.
Information obtained from third parties in case of preventive anti-fraud and security measures.
Information processed in the course of relations with law enforcement bodies in the event of the presence of evidence of a crime, an administrative offense, losses, or other damage.

Data Obtained When Operating with Credit Obligations

Information on the debt and its condition.
Information on the evaluation, condition, and location of collateral under the obligation, including pledged and mortgaged items.
Information related to other property which belongs to the customer or other parties.
Information in respect of the customer’s relatives, neighbors, friends, which is obtained during the evaluation procedures, monitoring of a pledged property, foreclosure on the property, debt collection, other taken steps regarding the credit obligations.
Information related to the third parties, which the customer provides in the manner prescribed by the law on consumer credit.
Information on the third parties with the rights to pledged and other types of property which belongs to the customer, information on pledgers and mortgagors.
Data obtained in the course of arbitrary, judicial, and executive proceedings and mediation, data from notaries, state, and local government bodies.
Data obtained from collection companies.
Data on the ownership and legal deeds related to ownership (including the rights of intellectual property and corporate rights).

Data Contained in the Documents

The information which is received by the Bank and kept in the form of printed and electronic documents.
Images or photocopies of documents.

Technical Data from Websites and Mobile Apps

Data about the device (including its type, model, IP address, MAC address, etc) and browser (its type, version, language, etc), which the customer uses.
Information on the use of our website or mobile app, in particular, regarding actions on a certain website or app if any.
Information obtained from cookies and other web technologies.
Information transmitted in the URL heading in the process of accessing our website from other web resources.

Data Related to Other Legal Relations with the Bank

Information related to labor relations if the customer is or was an employee of the Bank.
Information regarding any commercial or administrative relations between the Bank and another individual, if this individual or their employee is the Bank’s customer at the same time.
Data provided by third parties under various circumstances and reasons (in particular, when the data provided by other Bank’s customers in order to perform their duties).
Data obtained in the case of seizure and forced collection of customer’s funds and accounts.

Data Which the Bank Generates in the Process of Servicing Customers

Customers’ IDs for storing their data in databases.
Customers’ profiles and evaluations made in the process of scoring their creditworthiness.
Data regarding the entity’s behavior, interests, or habits which the Bank becomes aware of during the provision of services.
Any other analytical or statistical data related to the customer.

Sensitive Categories of Personal Data

We usually do not process sensitive categories of personal data, unless you give your consent or in case of having other grounds stipulated by the current legislation, we may process such categories of personal data. Particularly, sensitive data may be processed in the following cases:

Biometric voice casts of the customer based on consent for the purpose of secure authentication at customer support and in automated channels for carrying out risky operations, including payments, on cards and accounts, and for providing information on the status and movement of funds on cards and accounts.
Biometric videos and images in order to verify the customer, in the cases stipulated by the regulatory legal acts of the National Bank of Ukraine.
Biometric facial image to make payments via the FacePay24 service.
Biometric facial image to authenticate the customer via the FaceID services.
Biometric facial image to be able to receive services in the Branch of the Future.
Data related to administrative or criminal prosecution or in the cases of taking measures as part of a pre-trial investigation, violent actions committed against a person in the event where obtaining such data is required by law, and the Bank is a party to such proceedings, or the customer informed the Bank on the matter.
Information about political, religious, or ideological convictions, membership in political parties, data obtained as a result of financial monitoring activities, and in the case of identification of politically exposed persons.

In addition, the Bank, due to the provision of services, may obtain the data and documents that might indirectly indicate racial or ethnic origin, political, religious, or ideological convictions, membership in political parties and trade unions, exposure to administrative or criminal punishment, and the data related to health, sex life, biometric or genetic data.

In particular, the Bank may obtain such data from payment purposes, customer agreements, (such as insurance agreement), or documents provided by the customer. The Bank neither collects nor processes such information intentionally.

What Are the Purposes and Grounds for Personal Data Processing?

Before we process personal data, we always determine the relevant purpose and grounds for processing. Personal data is processed lawfully if we process personal data on at least one of the following grounds:

In order to conclude and execute an agreement or another legal action where one of the parties is an individual or if an agreement is concluded in favor of an individual (hereinafter - “Conclusion and Execution of a Legal Agreement”);
For the Bank to be able to fulfill its obligations established by the current legislation (hereinafter - “Legislative Requirements”);
Based on your consent (hereinafter - “Individual’s Consent”);
To implement legal interests of the Bank or of the third party, excluding the cases where the necessity to protect the fundamental rights and freedoms of a personal data subject prevail these legal interests (hereinafter - “Legitimate Interests”);
To protect your vital interests;
In the case when we are allowed to process personal data pursuant to the current legislation exclusively in order to exercise our authorities.

Purposes for data processing

Provision of Services

Financial Monitoring

Credit Debt

Economic Activities

Marketing Activities

Certain Types of Processes

Providing financial and banking services

We process personal data to provide you with the following financial and banking services:

current accounts;
accounts for receiving a salary, scholarship, pension, and other social benefits;
certificates of deposit accounts;
escrow accounts;
term deposit accounts;
accounts for credit debt;
warranty accounts;
accounts for letters of credit;
accounts for documentary collection;
financial operations for the purchase/sale of foreign currency;
financial operations for the purchase/sale of banking metals;
other financial operations for the cash receival/withdrawal without establishing business relations;
fund transfers, including international transfers, without account opening;
securities accounts opened with the depository institutions;
leasing-related services;
digital wallets;
trade acquiring services;
Internet acquiring services;
money transfers to individuals, including the PrivatMoney system;
cash collection;
brokerage services;
accepting and making payments, including via the LiqPay system;
servicing salary enrollment, pension, and social projects;
insurance services;
custodian services or storing valuables, providing an individual bank vault;
informational and advisory services;
a qualified electronic signature, (including the SmartID system);
electronic document management, Paperless;
PrivatBank BankID identification system and the NBU BankID Identification system;
Public procurement services via the ProZorro system;
Services provided via the Privat24 mobile apps and “Privat24 for Business”;
Any other banking services which the Bank provides to its customers.

Ground for processing: Conclusion and Execution of a Legal Agreement.

Related actions for the provision of services

Related actions are included and required as part of the provision of services. These related measures are:

Identifying the data and authorities of signatories and contact persons in agreements;
authorizing a customer in cashier interfaces and self-servicing POS-terminals;
granting customers access to payment mechanisms (including payment cards);
providing customer with data on their accounts and transactions;
issuing loans to the Bank customers and servicing them;
changing the terms for credit obligations, including granting credit holidays and restructuring;
informing customers;
servicing customers and their representatives at the Bank branches, cash desks, or during the remote services, including via the all-round-the-clock phone support line by 3700, through mobile messengers and mobile apps;
interacting with heirs and with other persons who are entitled to dispose of the customer’s funds.

Ground for processing: Conclusion and Execution of a Legal Agreement.

Compliance with Legislative Requirements

Pursuant to the current legislation, in the course of the provision of services the Bank is obliged to take various measures which include the following:

to process received requests, claims, or complaints;
to identify the customer;
to inform and to take all the relevant steps stipulated by the current legislation on the protection of consumer rights and on consumer credit;
to collect and transfer information in the manner prescribed by the current legislation on organizing credit formation and its turnover;
to evaluate creditworthiness and offer relevant services and products prior to entering into contractual obligations or in the course of fulfillment thereof;
to evaluate and check for potential customers, to analyze and forecast personal preferences, interests, behavior, and trustworthiness;
to manage risks, including credit risks, adhere to the compliance requirements, comply with physical and informational security requirements;
to ensure security within the Bank premises and protect Bank property, applying a video surveillance system; to ensure video surveillance at the self-servicing points;
to submit statistical and other reporting, to take measures for deposit guarantees of individuals;
to ensure automatic data exchange on accounts and to provide the relevant information on customers in the cases prescribed by the current legislation;
to respond to the requests from the National Bank of Ukraine, the prosecutor’s office, judicial, investigative, and other governmental bodies, if they are acting within the scope of their competence (including revealing banking secrets, providing documents on seizures, seizing and carrying out a forced withdrawal of funds);
to fulfill other legitimate requests;
to store data and documents in the manner and terms stipulated by the current legislation.

Ground for processing: Legislative Requirements.

Protecting the Bank’s Legitimate Interests during the provision of services

Besides, when providing its services, the Bank may process personal data required for the protection of Legitimate Interests, in particular:

interacting with operators and users of payment systems, with participants of financial and payment markets, with the securities market and other business areas;
collecting and obtaining customer-related information associated with potential customers from the parties operating under agency contracts;
verifying the information about you in publicly available databases;
controlling the execution of a legal agreement and loan repayment or fulfillment of other obligations;
exchanging the data related to your credit obligations and the terms for the execution via the credit bureaus, obtaining the information from credit bureaus and credit registers at the stage when the loan applications are considered;
verifying the information on you in the history of repayments in the relevant databases;
communicating and informing you of any changes in our services or terms;
analyzing if the customer’s needs are satisfied with the services provided by the Bank according to the customers’ requests, including by means of automatically processed requests by topics and search phrases of the client;
transferring information on the customer to insurers or other parties in the case of an insured event;
transferring information related to the agreement and the status of its fulfillment to the parties who are fulfilling the obligations on behalf of or in the name of the customer;
scoring customer payment discipline;
conducting additional inspections and terminating the course of transactions in the cases of signs indicating fraud or other criminal offenses, taking other measures aimed at counteracting crime, including seeking, detecting, and prosecuting the persons involved in committing crimes or other offenses.

Ground for processing: Legitimate Interests.

Compliance with the financial monitoring legislative requirements

Being a primary financial monitoring subject, the Bank is obliged to take measures to prevent and counteract to legalization (money laundering) of proceeds from crime; financing of terrorism, and proliferation of weapons of mass destruction, in particular, these preventive measures include:

proper customer identification and verification, inter alia, by involving agents;
proper customer inspection in a simplified or enhanced manner;
ultimate beneficial owner determination;
proper correspondent relations with foreign financial institutions;
additional verification measures regarding politically exposed persons;
other preventive measures prescribed, inter alia, by the regulations of the National Bank of Ukraine on Financial Monitoring.

Ground for processing: Legislative Requirements.

Customer video verification

The Bank may carry out customer video verification by the remote service channels in the manner prescribed by the Regulation of the National Bank of Ukraine on Financial Monitoring.

Ground for processing: Individual’s Consent.

Judicial protection of the Bank Interests

If extrajudicial measures did not result in the debt repayment, we shall address the court in order to protect the Interests of the Bank. Therefore, personal data may be processed in various ways, including those, required by the current legislative requirements, which are, inter alia, the following:

filing the statement of claim, other claims, appeals, petitions, motions, and requests which would contain all the supporting documents and required information as evidence, confirming the Bank’s claim and demands;
considering claims, statements of claim, and motions by the court of all the instances, by the arbitration court, other judicial bodies, and other parties authorized to consider disputes, including out of Ukraine and considering claims in notarial proceedings;
transferring of customer-related information to the parties representing the Bank’s Interests in the relevant proceedings, and to the debt collection firms, in the manner prescribed by the current legislation;
recoursing to the enforcement of court and other types of decisions, including by means of transferring executive documents to public or private executors;
revealing the information on a debtor and its debt to other parties or publicly disclosing it, if the relevant measures are prescribed by the current legislation.

Ground for processing: Legitimate Interests and Legislative Requirements.

Credit debt settlement

In the case of an overdue debt under a loan which the Bank has issued, or under the loan for which the Bank has acquired the right of claim, we may take various steps aimed at settling such a debt. These include the following:

communication with the debtor, their representative, officials, ultimate beneficial owner, guarantor, mortgagor, and other persons concerned, whose contact details were provided by the debtor, in the manner prescribed by the current legislation;
checking the debtor’s actual place of residence or the location of the customer (a legal entity), for the purpose of which, we may communicate with relatives, neighbors of the debtor or guarantor, with other persons who are in cohabitation/co-location with the debtor;
inspection of the available pledged property and its conditions, which may involve personal data processing;
obtaining and analysis of the information related to the debtor, taken from the public sources and from those, indicated by the debtor;
passing the debt to the debt collection companies in the manner prescribed by the current legislation;
assigning the debt to another contractual party in the form and manner prescribed by the current legislation, including partially;
settling the debt in a contractual manner, inter alia, by means of foreclosure of the pledged property, as a result, personal data may be transferred to notaries, representatives of governmental bodies, and other parties;
carrying out the debt restructuring, as well, pursuant to the procedure stipulated by the current legislation;
addressing legal, audit, or other consulting firms (including foreign firms) in the respect of an overdue debt settlement or concerning other issues related to the interaction with the customer;
addressing the law enforcement agencies and transferring the information related to the customer thereto in the case of criminal or administrative offenses, and
addressing other governmental or non-governmental bodies which are authorized to settle certain types of relations concerning the issues when the customer violates the rules established within these relations.

Ground for processing: Legitimate Interests.

Support for Bank activities

Since banking activities are thoroughly regulated, we are obliged to take numerous steps, and some of which are directly related to customer personal data processing. These steps include:

taking risk management measures, namely related to liquidity, market, and compliance risks;
taking measures of internal control, audits, inter alia, by independent auditing firms;
complying with solvency criteria established by the Bank, performing audits, complying with corporate governance requirements;
ensuring the stable operation of the network of regional branches, work of cash collection, securities services, and custody departments;
ensuring compliance with the anti-corruption programs;
compiling, submitting, and publishing the financial statements or statistical reports on our banking activities;
carrying out appraisal or insurance of property;
taking other steps required and prescribed by the current legislation.

Ground for processing: Legislative Requirements.

Data transfer to the data processors

The Bank may transfer personal data to the persons who will process them on behalf of and in the interests of the Bank (to data processors). In particular, such a transfer may occur in the following cases:

when the data is stored and processed in cloud environments or locally placed data centers in Ukraine and abroad;
when the applications, processing, and other information systems are operating in a cloud environment in Ukraine and abroad, including mobile apps;
provision of services for storage, processing, or destruction of paper archives;
when the Bank arranges partnership promotions, public offers, and raffles;
when the Bank is provided with advisory, informational, and other services, including analytics, market research, studying and communication with customers;
when the work is performed under subcontracts, and when other legal agreements are concluded and executed in order to ensure the stable operation of the Bank.

Data may be transferred when the Bank is acting as a joint controller, on equal terms with other parties.

Ground for processing: Legitimate Interests.

Protection of Legitimate Interests in economic activities

Besides, the Bank may process personal data to protect its legitimate interests by taking the following steps:

to process requests from supervisory and other governmental bodies and officials, including foreign, requests from financial institutions on counteraction to money laundering;
to ensure document circulation and management, operation of the Bank’s informational systems;
to support working process, maintenance, and control over the functioning of the equipment, including the devices to which the customers are granted access, to ensure a smooth communication process;
to comply with the internal and informational security requirements, to control and conduct internal audits;
to perform legal activities, make legal analyses and opinions, carry out other professional activities which are required for the proper functioning of the Bank;
if necessary, to protect our rights in the case of having a dispute with you or with third parties;
to ensure and improve the quality of the provided services;
to provide proof of having relations with customers;
to test new products and services;
to anonymize and pseudonymize personal data;
to summarize data, analyze services and internal processes, study and improve statistical and machine learning models, to generate statistics;
to conclude and execute other business contracts.

Ground for processing: Legitimate Interests.

Biometric data processing

For the purpose of strengthening security and for the improvement of the quality of the provided services, the Bank may process personal data which is considered as biometric. This data is processed with your consent. The measures which are taken, shall include:

increasing the security level through the recognition of the customer’s voice during calls to the Bank's customer support channels and in automated channels;
paying for the goods and services via the face recognition method and via the FacePay24 service;
recognizing your face at the entrance of certain Bank branches and premises (via FacePay24 or by involving other types of similar technologies);
recognizing your face in order to access the premises of other enterprises, institutions, organizations, if the face recognition service is created based on the Bank technologies or equipment;
recognizing and digital processing of your fingerprint for the purpose of control over the access to the premises of other enterprises, institutions, and organizations, if the fingerprint recognition service is created on the basis of the Bank technologies or equipment.

Ground for processing: Individual’s Consent.

Seeking and attracting customers

The Bank develops business and, on a regular basis, implements marketing activities in the respect of seeking and attracting customers. These activities usually involve personal data processing. Marketing activities may include:

determination of potential customers and groups of customers, their evaluation and verification, analysis and forecast of their personal preferences, interests, and behavior;
placing and managing advertisements;
selecting the most relevant offers and posting them on the internet, social networks, chats and messenger channels, video, and photo hosting, it is as well accompanied by data processing, including telephone numbers, full names, and the information which is transmitted when a person clicks on hyperlinks;
offering services which include personalized offers and other communicative notifications;
providing you with personal credit limit offers.

Ground for processing: Legitimate Interests.

Working with existing customers

The Bank has various promotional activities to popularize its services, in particular, these are the following:

arranging and holding public events or promotions, raffles, loyalty systems, including by involving our partners (to learn more, visit https://newpromos.privatbank.ua/zakhyst_personalnykh_danykh);
accrual and accounting the bonuses for the participation in promos, accrual and accounting cashback, the service for managing promotional offers - “Chugaister”, other promotions and offers;
creating and managing discount cards;
the services for managing fuel cards.

Ground for processing: Conclusion and Execution of a Legal Agreement.

Data processed in the “Privat24” mobile app

We may request access to the customer’s mobile device for the following purposes:

Access to the location of your device – in order to find the Bank branches, ATMs, or POS-terminals, call and order a taxi, lay the route for a taxi trip, determine the customer’s location, find the nearest gas station, find the points of the “Discount Club”, increase the security level, etc.
Access to the camera and media library of the mobile device – to create photocopies of documents, to take or save a picture or an image, to save media files, to save images on the customer’s mobile device, to display the customer’s images in “Privat24” app, to add payment templates, to scan QR codes, to configure FacePay24 to be able to pay via the customer’s image, and to verify new customers by their video images.
Access to the microphone, volume adjustment, and connection management – for the Bank to verify new customers by video images.
Read only access to the mobile device status, including its telephone number, information on current networks, condition of all the currently made calls, and the list of all the accounts registered on the device – to increase the security level when the “Privat24” app is used, to automatically fill in telephone number when the customer logins in “Privat24” app.
Access to the telephone book of the mobile device – the customer’s telephone book is used for automatic filling in the telephone number in the “Top-up” menu (the top-up mobile phone number function), and if the customer is connected to the service of money transfers by the telephone number.
Access to the email address – to display your email in the “Privat24” mobile app, to communicate with the customer.
Access to your SMS – to automatically fill in a one-time password (OTP) in the “Privat24” app.
Access to the customer’s photo – to display the photo in:
- “Privat24” user’s profile;
- the chat with PrivatBank operator when the customer contacts us online;
- Payment templates, of those persons who made payments for the user in the “Privat24” app.

Ground for processing: Conclusion and Execution of a Legal Agreement, an Individual’s Consent (in certain cases).

Processing data of other banks in our mobile app

The Bank processes personal data if our users add payment cards of other banks into the “Privat24” mobile app.

In this case, the Bank may process the following data:

Payment card details;
name of the issuing bank;
security codes of a payment card;
payment card token information.

The data are processed while the card is being added to the mobile app.

Ground for processing: Conclusion and Execution of a Legal Agreement.

Personal data processing on the Bank’s websites

The Bank processes personal data when customers or users visit its websites.

Such processing may occur when information is obtained from the Cookies; or from the local storage of your internet browser; information related to the device with which you are visiting the website; data from the URL feed which will be transmitted if you click on our website from other websites.

Ground for processing: the protection of Legitimate Interests of the Bank.

You can always disallow the Bank to obtain these data by configuring the relevant settings in your browser.

To learn more about processing cookies, see the notice on processing cookies in PrivatBank.

Recording conversations with our customers

The Bank makes and stores the recordings of conversations with the customer when they call us by dialing 3700, which is the Bank multi-channel phone number, or write us in the “Help Online” chat in “Privat24” or contact us in other mobile chats, and during the incoming phone calls to the Bank.

The recording is made for the purpose of controlling and improvement of the quality level of customer service. If a customer makes a claim or complains, or when the Bank makes a spot-check, some recordings may be studied by the authorized employees in order to detect flows in servicing customers.

Certain data taken from the recorded conversations may be used for studying customers’ interests in the respect of the Bank's products or services.

Ground for processing: protection of Legitimate Interests.

Processing the voice casts by means of the Voice Biometrics technologies

The Bank may process your biometric data for the purpose of servicing you with Voice Biometrics technologies.

Biometric data will be recognized and compared to your voice cast. It is made for authenticating, identifying, and verifying you as the Bank’s customer, for carrying out risky operations, including payments, on cards and accounts, for providing information on the status and movement of funds on cards and accounts, as well as for increasing the security level and for reducing the time of the provision of services in the case of consultations in the Contact Center.

Therefore, the digital imprint of the voice data is recorded, saved, and used (this is the biometric data of the voice cast).

To learn more about processing the data with Voice Biometrics technologies, you can visit https://privatbank.ua/voice-biometrics and in the relevant notice.

Ground for processing: Individual’s Consent.

Audio and video recording when settling an overdue debt

Pursuant to the requirements set in the current legislation on the protection of consumer rights and consumer loans, in the course of settling an overdue debt, the Bank is obliged to make a recording of each of the direct interaction with the consumer, their close relatives and friends, their representative, heir, guarantor, property guarantor or third parties. The recording is made by means of video and/or audio recording technical devices.

By complying with the mentioned requirements, the Bank employees record conversations with customers and other persons when they deal with an overdue debt.

Therefore, in accordance with the current legislation, the Bank is obliged to store all the media, where the interaction with the consumer is recorded, for the period of three years since the recording has been made.

Ground for processing: Legislative Requirements.

Processing of the face image in FacePay24

If you have given your consent, the Bank may obtain and process your biometric data in order to provide our services using FacePay24.

By means of this technology, we may process the following data:

digitally stored photo of your face;
digitally stored fingerprint.

The data is processed for the purpose of:

facial and fingerprint recognition to identify and verify you as the Bank’s customer;
provision of services in ATMs, including access to payment details, making payment transactions and cash withdrawals;
confirming and making payment in FacePay24;
providing other services based on your consent.

To find out more about data processing in FacePay24, go to our web page https://privatbank.ua/facepay24 or read the relevant notice.

Ground for processing: Individual’s Consent.

Telecommunication behavior ratio

If stipulated by your agreement or in the case of any other grounds, the Bank may contact mobile operators in order to obtain the customer’s telecommunication behavior ratio.

This data is some sort of generalized indicator which the mobile operator gives to mobile number user. The telecommunication behavior ratio does not contain any data on the customer’s telephone calls, their payments, or information on the relations with a mobile operator, however, it is some sort of a generalized assessment of a user.

The Bank may obtain and use the telecommunication behavior ratio when evaluating the customer’s solvency, in the case they have applied for credit services.

The Bank shall not possess any information on the procedure for generating or determining the telecommunication behavior ratio. You can obtain this information directly from your mobile operator (mobile service provider).

Ground for processing: Conclusion and Execution of a Legal Agreement.

Transferring data from the fiscal receipt

The Bank may process the data contained in the consumer’s fiscal (or other) receipts if a purchase is made with the payment card issued by the Bank.

Such data may be transferred to the Bank from trade or service enterprises in the following cases:

if the Bank and the merchant entered into a service agreement in the field of cloud fiscalisation;
if the relevant terms have been set out in the agreement which you concluded with the Bank;
if exist any other legal grounds (such as your consent or Legislative Requirements).

The purpose for obtaining and processing such data may be the following:

data transfer from a merchant to the State Fiscal Service of Ukraine (or other governmental body if it is stipulated by the current legislation);
demonstrating to you the aggregated and analytical information regarding your purchases (if there are appropriate grounds);
analyzing the Bank customers’ needs (on the basis of the Bank’s Legitimate Interests).

In the event of using the cloud fiscalisation services, the Bank shall not use the data for any other purposes than those stipulated by an agreement.

If the data is used for analytical purposes and on the basis of the Bank’s Legitimate Interests, you shall have the right to reject such processing and disable this option in the “Privat24” mobile app or contact us via the remote service channels or visit the Bank branch.

Ground for processing: Conclusion and Execution of a Legal Agreement and the Legitimate Interests.

Processing the personal data of individuals who are related to counterparties (legal entities)

The Bank processes the personal data of individuals related to the counterparties which are the legal entities.

Ground for processing the Conclusion and Execution of a Legal Agreement and Protection of Legitimate Interests.

Therefore, the Bank processes the personal data which may be found in:

in founding documents, in particular, in the charter, founding (fundamental) agreement, or in other documents stipulated by the current legislation of Ukraine, amended and restated;
in the state registration certificate of a business entity, and if the certificate has not been issued, then in the extract from the Unified State Register of Legal Entities and Individual Entrepreneurs;
in the certificate on the registration of the business entity to the Unified State Register of Enterprises and Organizations of Ukraine, if the entity was registered prior to December 17, 2012;
in the VAT payer certificate;
in the documents describing the business activities, ownership structure, entity’s website, and in other documents related to the matter;
in other documents which can be found in publicly available sources or which the Bank was able to receive in any other legal way.

Transferring face image to credit bureau

If you have given your consent, the Bank may transfer the image of your face to the Ukrainian Credit Bureau (UCB) to identify you when you are serviced at the financial institutions which are the UCB partners.

Ground for processing: Individual’s Consent.

Do We Transfer Data to Third Parties?

The major part of the data is processed within PrivatBank and only by authorized employees who were appropriately trained and passed the course on personal data protection, have relevant permits and rights of access, and have legal obligations on non-disclosure of confidential information.

Nevertheless, consider that personal data may be transferred to third parties in compliance with the following:

Legal grounds, security requirements, law enforcement.

In particular, personal data may be transferred to third parties for the reason of:

compliance with official requirements set by the state authorities and local self-government bodies within their competence, enforcement of a court decision or the relevant laws;
the protection of PrivatBank from claims made by the third parties, but with no prejudice to your rights and freedoms;
the third parties request for access to personal data, if it is within the granted rights of these third parties (e.g., in the relation to inheritance);
assistance in preventing and investigating illegal actions (such as fraud).

Changing the data controller.

We shall not sell your personal data to any company or organization, nevertheless, we may transfer your personal data to a legal successor. In such a case, you shall be informed on the matter that your personal data shall be transferred, therefore, it is the subject of another notice on personal data processing.

In case we use the services provided by third parties.

We at times may use the services provided by third parties in order to process personal data. These services may include storage and/or cloud services, research, analytics, cookies, emailing, etc. If any of the services of the third parties are involved in the data processing, we shall sign data processing agreements in which we require any third party to take appropriate technical and organizational measures so that your personal data would be protected.

By your consent.

If you have given your permission, we may transfer personal data to third parties. The terms and conditions for the transfer shall be bound by your consent.

How Do We Process Your Data?

Personal data protection

Data Storage

We apply various security measures in order to protect the personal data which we process. We’ve implemented the following organizational and technical measures to restrict access to your personal data:

Organizational

Personal data within PrivatBank is the information with restricted access.
PrivatBank is conducting a severe policy which regulates personal data processing.
The data we receive, shall be accessed by our authorized employees only.
The Bank applies the information security management system.

Technical

Personal data are stored in secure data storages.
We apply encryption as one of the means to protect the data.
In some cases, we may pseudonymize your personal data.
We use certain types of controlled policy for technical access to databases where personal data may be stored.

What Rights Do You Have in the Respect of Your Personal Data?

Your rights in the respect of personal data protection are set out in Article 8 of the Law of Ukraine “On Protection of Personal Data”. Pursuant to Article 8 mentioned hereabove, you have the following rights:

1. to know the sources of collection and location of your personal data, purpose for the processing, location or place of residence (habituation) of the data controller or the data processor or to be able to make an appropriate assignment to the authorized persons to obtain this information, excluding the cases defined by current legislation;

2. to obtain information on the conditions for granting the access to personal data, including information which is related to the third parties to whom this personal data shall be transferred;

3. to have access to your personal data;

4. to receive a response on whether the personal data is being processed, and to receive the content of such a personal data, but no later than thirty calendar days from the day when the relevant request has been made, excluding the cases stipulated by the current legislation;

5. to make a reasonable claim to the personal data controller objecting against the personal data processing;

6. to make a reasonable claim regarding alteration or destruction of the personal data to any data controller or/and data processor, if personal data is being processed illegally or the data is unreliable;

7. to protect your personal data from illegal processing or from an accidental loss, destruction, damage which is related to the intentional concealment, non-provision or an untimely provision of the personal data, and to protect from the provision of an unreliable information or information which dishonors dignity, honor or business reputation of an individual;

8. to file claims regarding the processing of personal data to the Ukrainian Parliament Commissioner for Human Rights or to court;

9. to apply legal remedies in case if the legislation on the protection of personal data is violated;

10. to make precautions in the respect of the limitation for the right to process your personal data in the course of giving your consent thereto;

11. to withdraw your consent to process your personal data;

12. to know how the mechanism for an automatic personal data processing operates;

13. to be protected from an automated decision when it has legal consequences.

If you wish to have access, review, update, correct, or delete your personal data which we store, or if you would like to exercise any other rights defined in Article 8 of the Law of Ukraine “On Protection of Personal Data” No. 2297-VI dated by June 1, 2010, address us using the contact details specified in section 1 herein.

If you are not satisfied with how we process your personal data, you are granted the right to make a claim to the supervisory authority. In Ukraine, the supervisory authority is the Ukrainian Parliament Commissioner for Human Rights. To file your claim, visit the official website of the Ukrainian Parliament Commissioner for Human Rights.

Cookies settings

Necessary cookies

Analytical cookies

Advertising cookies

Who Is the Personal Data Controller?

What Personal Data Do We Process?

What Are the Purposes and Grounds for Personal Data Processing?

Purposes for data processing

Do We Transfer Data to Third Parties?

How Do We Process Your Data?

What Rights Do You Have in the Respect of Your Personal Data?

How can I delete my personal data?

How the Notice May Be Amended?

Cookies settings

Necessary cookies

Analytical cookies

Advertising cookies

Who Is the Personal Data Controller?

What Personal Data Do We Process?

What Are the Purposes and Grounds for Personal Data Processing?

Purposes for data processing

Do We Transfer Data to Third Parties?

How Do We Process Your Data?

What Rights Do You Have in the Respect of Your Personal Data?

How can I delete my personal data?

How the Notice May Be Amended?