We at Bankovní identita, a.s., Company ID number: 095 13 817, with its registered office in Smrčkova 2485/4, Libeň, 180 00 Praha 8, registered in the commercial register administered by the Municipal Court in Prague, section B, insert 25672 (“Bank iD”, “we” or “us”) consider personal data security to be an integral part of our commitments to users of Bank iD Developer Portal as well as Bank iD PLUS Portal (jointly the “Portal”).
A. DATA CONTROLLER
The data controller is Bankovní identita, a.s., Company ID number: 095 13 817, with its registered office in Smrčkova 2485/4, Libeň, 180 00 Praha 8, registered in the commercial register administered by the Municipal Court in Prague, section B, insert 25672.
B. PROCESSED PERSONAL DATA
For the purposes in the section C below, we mainly process the following categories of personal data:
- identification data (name, surname);
- user accounts details (e-mail, password);
C. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING AND RETENTION PERIODS
We process your personal data for the following purposes:
- a) your access to the Portal and its functionalities, based on the performance of a contract concluded with you via sign-up to the Portal;
- b) the management of relationship with you, based on the performance of a contract concluded with us via sign-up to the Portal;
- c) the improvement of the Portal and its functionalities, based on our legitimate interest in ensuring the quality of our services provided via the Portal;
- d) the provision of information about our services and other related news, based on our legitimate interest in effectively communicating information related to the Portal and/or us with you;
- e) meeting internal administrative needs, based on our legitimate interest in ensuring proper records of users, relationships with them, the fulfillment of their duties and the proper management of our company;
- f) the protection of legal claims, based on our legitimate interest in ensuring the proper protection and effective exercise of our rights and claims; and
- g) the fulfillment of legal obligations that apply to us as a data controller.
We retain personal data to the extent that is necessary and for:
- a) the duration of the contract in the case of the purposes referred to in a) and b);
- b) for the duration of our legitimate interest, but no longer than the duration of the contractual relationship with you, or until an object to such processing is filed in the case of the purposes referred to in c) to f) above;
- c) the period of the statutory limitation period (up to a maximum of 3 years from the termination of the relationship) for claims arising or related to the relationship with you extended by a further one year, and in the event of the commencement of judicial, administrative or other proceedings to the extent necessary for the duration of such proceedings in the case of the purpose referred to in g) above;
- d) a period stipulated by relevant legal obligations, in the case of the purpose referred to in h) above.
D. WHO PROCESSES YOUR PERSONAL DATA AND WHO DO WE SHARE IT WITH?
As a data controller we process all the above mentioned personal data. This means that we determine the above defined purposes for which we collect your personal data, determine the means of processing and are responsible for its proper execution. In general, we do not share your personal data with other data controllers. The exceptions are cases where we are required to share such data by law (especially in connection with social security, tax authorities, courts and the police in the exercise of their statutory powers). We may use data processors acting as information technology providers assisting us with operation of our infrastructure and systems or providing us with analytical or similar purposes.
We may also transfer your personal data to third countries outside the European Economic Area that do not ensure an adequate level of personal data protection. We will make all such transfers only if the relevant processor undertakes to comply with the standard contractual clauses issued by the European Commission and available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=CS.
E. WHAT ARE YOUR RIGHTS IN CONNECTION WITH THE PROCESSING OF PERSONAL DATA?
Just as we have our rights and obligations when processing your personal data, you also have certain rights relating to the processing of your personal data. These rights include:
E.1 Right of access
E.2 Right to rectification
If you find that the personal data we process about you is inaccurate or incomplete, you are entitled to have it rectified or completed without undue delay.
E.3 Right to erasure
In some cases, you have the right to have your private data erased. We will erase your personal data without undue delay, if any of the following grounds apply:
- we no longer need your personal data for the purposes for which we processed it,
- you exercise your right to object to processing (see the “Right to object to processing” section below) regarding the personal data we process based on our legitimate interests, and we find that we no longer have any such legitimate interests that would justify such processing, or
- it appears that our processing of personal data has ceased to comply with generally binding regulations.
This right does not apply if the processing of your personal data is still necessary for:
- fulfilling our legal obligations,
- the purposes of archiving, scientific or historical research or for statistical purposes, or
- the establishment, exercise or defense of our legal claims.
E.4 Right to restriction of processing
In some cases, you may, in addition to the right to erasure, exercise the right to restriction of processing of personal data. This right allows you, in certain cases, to require that your personal data be flagged and that this data not be subjected to any further processing operations – in this case, however, not forever (as in the case of a right to erasure) but for a limited period of time. We have to restrict the processing of personal data when:
- you contest the accuracy of personal data, until we agree on the correct data,
- we process your personal data without sufficient legal grounds (for example, beyond what we are obliged to process), however you would prefer merely restricting such data over the erasure of such data (for example, if you expect in any event to provide us such data in the future),
- we no longer need your personal data for the abovementioned purposes of processing, but you require it to establish, exercise or defend your legal claims, or
- you object to processing. The right to object is described in more detail below in the section entitled “Right to object to processing”. For as long as we retain your data, if your claim is legitimate, we are obliged to limit the processing of your personal data.
E.5 Right to portability
You have the right to obtain from us all personal data you have provided to us yourself and which we process on the basis of the performance of the contract. We will provide your personal data in a structured, commonly used and machine-readable format. In order to easily transmit the data at your request, it can only be data that we process by automated means in our electronic databases. We may not always be able to transmit to you in this form and in all circumstances all data we keep in paper form.
E.6 Right to object to processing
You have the right to object to the processing of personal data that occurs on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we have compelling legitimate grounds for continuing such processing.
E.7 Right to file a complaint
The exercise of your rights as outlined above, does not in any way affect your right to file a complaint with the Office for Personal Data Protection, in the manner described below in the next chapter. You may exercise this right, in particular if you believe that we process your personal data in an unauthorized manner or in violation of generally binding legal regulations.
F. HOW CAN YOU EXERCISE YOUR INDIVIDUAL RIGHTS?
In all matters relating to the processing of your personal data, whether it be a question, the exercise of rights, filing of a complaint, or anything else, you can contact us at the following addresses:
- a) Data Protection Officer: email@example.com.
- b) Postal address: Bankovní identita, a.s., Company ID number: 095 13 817, with its registered office in Smrčkova 2485/4, Libeň, 180 00 Praha 8.
We will deal with your request without undue delay, but within one month at most. In exceptional cases, especially due to the complexity of your request, we are entitled to extend this period by another two months. We will, of course, inform you of any such extension and the reason for it.
You may file a complaint against our processing of personal data with the Office for Personal Data Protection located at Pplk. Sochora 27, 170 00 Praha 7.