We at Bankovní identita, a.s., Company ID number: 095 13 817, with its registered office in Smrčkova 2485/4, Libeň, 180 00 Praha 8, registered in the commercial register administered by the Municipal Court in Prague, section B, insert 25672 (“BankID”, “we” or “us”) consider personal data security to be an integral part of our commitments to users of BankID Developer Portal (the “Portal”).
A. DATA CONTROLLER
The data controller is Bankovní identita, a.s., Company ID number: 095 13 817, with its registered office in Smrčkova 2485/4, Libeň, 180 00 Praha 8, registered in the commercial register administered by the Municipal Court in Prague, section B, insert 25672.
B. PROCESSED PERSONAL DATA
For the purposes in section C below, we mainly process the following categories of personal data:
- identification data (name, surname);
- user account details (e-mail, password);
- data about your behavior on the website (which content of the Portal you use, links on which you click, method of navigation through the Portal and moving a screen and also data about a device from which you visit the Portal, such as an IP address and location derived from it, device identification, its technical parameters, such as an operating system, its version, screen resolution, browser and its version and also data obtained from cookies and similar technologies for device identification).
C. PURPOSES AND LEGAL GROUNDS FOR DATA PROCESSING AND RETENTION PERIODS
We process your personal data for the following purposes:
- a) your access to the Portal and its functionalities, based on the performance of a contract concluded with you via sign-up to the Portal;
- b) the management of our relationship with you, based on the performance of a contract concluded with us via sign-up to the Portal;
- c) the creation of internal statistics and records based on our legitimate interest in ensuring an internal overview of the activities taking place in our company, an evaluation of the outputs of the company and users, planning and optimization of capacities and evaluation of other aspects of our operations;
- d) the improvement of the Portal and its functionalities, based on our legitimate interest in ensuring the quality of our services provided via the Portal;
- e) the provision of information about our services and other related news, based on our legitimate interest in effectively communicating information related to the Portal and/or us with you;
- f) meeting internal administrative needs, based on our legitimate interest in ensuring proper records of users, relationships with them, the fulfillment of their duties and the proper management of our company;
- g) the protection of legal claims, based on our legitimate interest in ensuring the proper protection and effective exercise of our rights and claims; and
- h) the fulfillment of legal obligations that apply to us as a data controller.
We retain personal data to the extent that is necessary and for:
- a) the duration of the contract in the case of the purposes referred to in a) and b);
- b) the duration of our legitimate interest, but no longer than the duration of the contractual relationship with you, or until an objection to such processing is filed, in the case of the purposes referred to in c) to f) above;
- c) the duration of the statutory limitation period (up to a maximum of 3 years from the termination of the relationship) for claims arising from or related to the relationship with you, extended by a further one year, and, in the event of the commencement of judicial, administrative or other proceedings, to the extent necessary for the duration of such proceedings, in the case of the purpose referred to in g) above;
- d) a period stipulated by relevant legal obligations, in the case of the purpose referred to in h) above.
D. USING COOKIES
If you visit the Portal, we store in your device and subsequently read from it small files called cookies. A cookie is a small file of letters and numbers which we store in your internet browser or on the hard disk of your computer. Some cookies enable us to connect your activities when you are browsing the Portal from the moment you open a window of a web browser until you close it. When you close the window of the web browser, the cookies are deleted. Other cookies remain in the device for the set period of time. We also use web beacons, which are small pictures with a similar function as cookies. Unlike cookies that are stored on your computer's hard disk, web beacons are a fixed part of the Portal. For the sake of simplicity, in this document we will refer to all these technologies as cookies. Not only do we store cookies in your device, but we also read cookies that are stored in your device by the Portal. For the sake of simplicity, we will refer to this process only as storing.
Some cookies are stored in your device directly by the Portal. These cookies help us:
- identify you when you are browsing through the Portal and when you visit it repeatedly, so that we can remember your logging in from a specific device and do not have to ask you again for your e-mail and password, or to store the version of the Portal we should display if the Portal is offering more alternatives at the given moment;
- record that you granted a consent according to this document, or whether you, for example, offered your participation in a survey;
- ensure safety, for example in order to examine whether your connection to the Portal has not been misused by someone acting instead of you;
- register, examine and remove failures and dysfunctional components of the Portal.
Such cookies and other files are necessary in order to make the Portal functional. If you block these cookies in your browsers, the Portal may not function correctly, and we may not be able to provide you with our products and services.
In your device, we also:
- store cookies from the Portal which enable us:
  - to monitor the visitor rate of the Portal and its individual sites, create statistics and reviews and measure the effectiveness of advertisement;
  - to show you various alternatives of the Portal when we are testing new functionalities;
- allow third parties to store cookies which they may use for collection of data about your behavior on the Portal and on other websites.
E. WHO PROCESSES YOUR PERSONAL DATA AND WHO DO WE SHARE IT WITH?
As a data controller, we process all the abovementioned personal data. This means that we determine the above defined purposes for which we collect your personal data, determine the means of processing and are responsible for its proper execution. In general, we do not share your personal data with other data controllers. The exceptions are cases where we are required to share such data by law (especially in connection with social security, tax authorities, courts and the police in the exercise of their statutory powers). We may use data processors acting as information technology providers assisting us with the operation of our infrastructure and systems or providing us with services for analytical or similar purposes.
F. TRANSFER OF YOUR PERSONAL DATA OUTSIDE THE MEMBER STATES OF THE EUROPEAN ECONOMIC AREA
We may also transfer your personal data to third countries outside the European Economic Area that do not ensure an adequate level of personal data protection. We will make all such transfers only if the relevant processor undertakes to comply with the standard contractual clauses issued by the European Commission and available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32001D0497&from=CS.
G. WHAT ARE YOUR RIGHTS IN CONNECTION WITH THE PROCESSING OF PERSONAL DATA?
Just as we have our rights and obligations when processing your personal data, you also have certain rights relating to the processing of your personal data. These rights include:
G.1 Right of access
G.2 Right to rectification
If you find that the personal data we process about you is inaccurate or incomplete, you are entitled to have it rectified or completed without undue delay.
G.3 Right to erasure
In some cases, you have the right to have your private data erased. We will erase your personal data without undue delay, if any of the following grounds apply:
- we no longer need your personal data for the purposes for which we processed it,
- you exercise your right to object to processing (see the “Right to object to processing” section below) regarding the personal data we process based on our legitimate interests, and we find that we no longer have any such legitimate interests that would justify such processing, or
- it appears that our processing of personal data has ceased to comply with generally binding regulations.
This right does not apply if the processing of your personal data is still necessary for:
- fulfilling our legal obligations,
- the purposes of archiving, scientific or historical research or for statistical purposes, or
- the establishment, exercise or defense of our legal claims.
G.4 Right to restriction of processing
In some cases, you may, in addition to the right to erasure, exercise the right to restriction of processing of personal data. This right allows you, in certain cases, to require that your personal data be flagged and that this data not be subjected to any further processing operations – in this case, however, not forever (as in the case of a right to erasure) but for a limited period of time. We have to restrict the processing of personal data when:
- you contest the accuracy of personal data, until we agree on the correct data,
- we process your personal data without sufficient legal grounds (for example, beyond what we are obliged to process), however you would prefer merely restricting such data over the erasure of such data (for example, if you expect in any event to provide us such data in the future),
- we no longer need your personal data for the abovementioned purposes of processing, but you require it to establish, exercise or defend your legal claims, or
- you object to processing. The right to object is described in more detail below in the section entitled “Right to object to processing”. For as long as we retain your data, if your claim is legitimate, we are obliged to limit the processing of your personal data.
G.5 Right to portability
You have the right to obtain from us all personal data you have provided to us yourself and which we process on the basis of the performance of the contract. We will provide your personal data in a structured, commonly used and machine-readable format. In order to easily transmit the data at your request, it can only be data that we process by automated means in our electronic databases. We may not always be able to transmit to you in this form and in all circumstances all data we keep in paper form.
G.6 Right to object to processing
You have the right to object to the processing of personal data that occurs on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we have compelling legitimate grounds for continuing such processing.
G.7 Right to file a complaint
The exercise of your rights as outlined above does not in any way affect your right to file a complaint with the Office for Personal Data Protection, in the manner described below in the next chapter. You may exercise this right, in particular, if you believe that we process your personal data in an unauthorized manner or in violation of generally binding legal regulations.
H. HOW CAN YOU EXERCISE YOUR INDIVIDUAL RIGHTS?
In all matters relating to the processing of your personal data, whether it be a question, the exercise of rights, filing of a complaint, or anything else, you can contact us at the following addresses:
- a) Data Protection Officer: email@example.com.
- b) Postal address: Bankovní identita, a.s., Company ID number: 095 13 817, with its registered office in Smrčkova 2485/4, Libeň, 180 00 Praha 8.
We will deal with your request without undue delay, but within one month at most. In exceptional cases, especially due to the complexity of your request, we are entitled to extend this period by another two months. We will, of course, inform you of any such extension and the reason for it.
You may file a complaint against our processing of personal data with the Office for Personal Data Protection located at Pplk. Sochora 27, 170 00 Praha 7.