Who is processing your personal data?
Your personal data are processed by a controller – insolvent AS PNB Banka (hereinafter – the Bank).
Bank’s contact information – address: Riga, 15-2 Elizabetes Street, LV-1010, e-mail: info@pnbbanka.eu; phone: 67041100.
How does the Bank ensure the lawfulness of the processing of your personal data?
Your personal data are being processed based on the European Union General Data Protection Regulation, Law of the Republic of Latvia on the Processing of Personal Data, special legal norms included in various laws and regulations of the European Union and the Republic of Latvia (e.g. Credit Institutions Law, Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing), Bank’s General Provisions for Transactions, Bank’s General Provisions for Client Data Processing, Bank’s Privacy Policy, Bank’s Provisions for the Processing of Personal Data and other Bank’s regulatory documents.
The laws and regulations lay down that the Bank is entitled to process your personal data only if the Bank (i) has previously determined the purposes of processing of your personal data, (ii) has determined the amount of your personal data required to accomplish the pre-determined purpose, (iii) has a legal basis to process your personal data and (iv) has provided you with information on your rights within the context of personal data processing.
The Bank processes your personal data according to the standard procedure based on:
1. the performance of the agreement you are a party to or based on taking measures at your request prior to the conclusion of an agreement;
2. the necessity to fulfil a legal obligation applicable to the Bank;
3. the consideration of legitimate interests of the Bank or a third party;
4. your consent to the processing of your personal data for one or several specific purposes.
When the Bank has a business or commercial legal interest to process your personal data or the legal interest that is based on the protection of legitimate interests of the Bank or a third party, your personal data are processed “for the consideration of legitimate interests”. However, in these cases, too, the Bank processes your personal data in good faith, taking into account your interests or fundamental rights and freedoms that require protection of personal data.
Requirements of the laws and regulations provide for an obligation to process the data of special categories in a particular way – i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and genetic data, biometric data processed solely to identify a natural person, health-related data or data concerning a person’s sex life or sexual orientation, and data on criminal convictions and offences or related security measures. The Bank has the right to acquire and process the data of special categories only with your consent, except for the cases when the laws and regulations directly allow or oblige the Bank to acquire and process such personal data. In the cases above, the Bank will process the data of special categories based on:
1. significant public interests arising from the laws and regulations of the European Union or the Republic of Latvia that are proportionate to the purpose advanced, considering the essence of the rights to data protection and providing for appropriate and specific measures for the protection of your fundamental rights and interests;
2. the necessity to establish, exercise or defend legal claims.
Please see below the purposes, legal basis and the Bank’s legitimate interests in the processing of your personal data:
Reasons why the Bank processes your personal data: |
Legal basis for the processing of your personal data: |
Bank’s legitimate interests in the processing of your personal data: |
Provision of services |
- to manage business relationships with a client or clients’ business;
- to communicate with a client about the services offered by the Bank.
|
- client’s consent;
- performance of an agreement;
- legitimate interests of the Bank or a third party;
- fulfilment of a legal obligation applicable to the Bank.
|
- maintaining accurate and updated information in the Bank’s information systems, data bases and registers;
- determining prices for the Bank’s services ;
- obtaining your consent when the Bank needs it to communicate with you;
- ensuring the effectiveness when the Bank carries out its legal or contractual obligations.
|
Improvement of service provision (commercial practice) |
- to supervise the way the Bank works with other service providers that deliver services to the Bank or clients;
|
- performance of an agreement or implementation of measures prior to the conclusion of an agreement;
- legitimate interests of the Bank or a third party;
- fulfilment of a legal obligation applicable to the Bank;
|
- determining prices for the Bank’s services;
- ensuring the effectiveness when the Bank carries out its legal or contractual obligations.
|
Management of service provision (activities) |
- to provide the Bank’s services;
- to manage the payments, interest payments and other types of payments;
- to obtain or recover the money owed by a client to the Bank;
- to make financial instruments and securities balance transfers on behalf of the client.
|
- performance of an agreement;
- legitimate interests of the Bank or a third party;
- fulfilment of a legal obligation applicable to the Bank;
|
- ensuring the effectiveness when the Bank carries out its legal or contractual obligations;
- ensuring the compliance of the Bank’s operation according to the provisions and recommendations of supervisory authorities.
|
Crime prevention, security and risk management |
- to identify, investigate and report on financial crimes, as well as to try to prevent them;
- to manage the Bank and the clients’ risks;
- to comply with the laws and regulations and other regulatory framework applicable to the Bank;
- to respond to complaints and try to settle them.
|
- performance of an agreement;
- legitimate interests of the Bank or a third party;
- fulfilment of a legal obligation applicable to the Bank;
|
- development and improvement of the functionality of operations performed by the Bank to prevent financial crimes, as well as development and improvement of the fulfilment of legal obligations related to such operations;
- ensuring the compliance of the Bank’s operation according to the provisions and recommendations of supervisory authorities;
- ensuring the effectiveness when the Bank carries out its legal or contractual obligations.
|
Commercial practice management |
- Management of the Bank's financial position planning, refinement (updating) and testing of various systems and processes, communication management, corporate governance, as well as organization and implementation of audits and inspections;
- to exercise the Bank’s right provided for in contracts or agreements.
|
- legitimate interests of the Bank or a third party;
- fulfilment of a legal obligation applicable to the Bank;
- performance of an agreement or implementation of measures prior to the conclusion of an agreement.
|
- ensuring the compliance of the Bank’s operation according to the provisions and recommendations of supervisory authorities;
- ensuring the effectiveness when the Bank carries out its legal or contractual obligations.
|
Management of the processing of data of special categories |
- to carry out activities related to significant public interests.
- to carry out activities related to the compliance with regulatory requirements of supervisory authorities.
- to carry out activities, establishing, exercising or defending legal claims.
- to carry out activities that are based on the client’s consent.
|
- using the data of the Punishment Register, the Bank helps to prevent, establish and hold liable for illegal activities and fraudulent conduct.
- using the data of special categories, the Bank demonstrates and confirms that it has assessed you and your business correctly under the Know Your Customer procedure;
- transferring the data of special categories to supervisory authorities, the Bank allows and enables them to verify whether it has acted correctly (legally).
- using the data of special categories, the Bank exercises and defends its legal claims.
- inviting you to provide consent to the use of the data of special categories when the Bank’s activities derive from your consent to process personal data.
|
What are the personal data the Bank processes?
To provide you with services that meet your needs, the Bank uses various personal data. The personal data processed by the Bank are grouped into categories for the Bank to be able to manage them in the most efficient way and for you to be able to see the amount of client information managed by the Bank. At the same time, the Bank guarantees to its clients that the personal data under the Bank’s management are being processed according to the highest security standards in the field of personal data processing.
Personal data categories |
Description |
Basic (identification) data |
Name, surname, identity number, date of birth, picture, language of communication, etc. |
Data characterising the behaviour and habits |
Information on the origin of funds, etc. |
Financial data |
Basic information on a settlement account or card, information on income and assets, etc. |
Tele- and e-communication data |
Location data, identification information, etc. |
Authentication details |
User name, password, PIN code, etc. |
Data of special categories |
Information on a politically exposed person, etc. |
Data obtained when fulfilling legal obligations |
Information obtained upon request of investigating authorities, tax authorities, bailiffs, etc. |
How does the Bank receive your personal data?
1. Personal data you provide to the Bank yourself:
- when you applied for the Bank’s services and products;
- when you contact the Bank and talk to the Bank’s specialists by phone or meet and talk to the Bank’s specialists at the Bank’s customer servicing centres, incl. records of telephone conversations or notes made by the Bank’s specialists during the meeting;
- when you use the Bank’s homepage, online bank, mobile phone applications, online conversations, etc.;
- from your e-mails and mails or courier parcels;
- from your applications, orders, complaints and other documents you have submitted;
- from financial reports and interviews;
- from customer surveys;
2. Personal data obtained by the Bank when you receive the Bank’s services
(The said data are applicable to information on how and where you have accessed the Bank’s services)
IMPORTANT: If you have borrowed money, the information on the repayment is included and on whether the payments are made in due time and in full amount.
IMPORTANT: The said data include security details you have created and use to access the Bank’s services. The said data include also your settings and the choice of commercial communication. Moreover, the Bank collects data also from the devices you use (e.g. computers and mobile phones) for you to be able to establish a connection with the Bank in a fast and convenient way. Additionally, the Bank uses cookies and other internet usage habit research tools to collect data when you use the Bank’s homepage, online bank or mobile applications. For more information on the usage of cookies, see Section Cookies in the Privacy Policy.
3. Personal data obtained by the Bank from third parties (incl. external databases)
- credit card service providers, e.g. Mastercard;
- social networks (e.g. by clicking on one of our Facebook or Google ads);
- public registers (e.g. Register of Enterprises);
- Bank’s representatives or other third parties who process personal data on behalf or by order of the Bank;
IMPORTANT: The persons and institutions mentioned above assist the Bank in ensuring provision of services.
- other credit institutions or financial service providers who help to prevent, detect and hold liable for illegal and fraudulent activities;
- state (incl. law enforcement) authorities.
For how long does the Bank store your personal data?
According to the general procedure, the Bank is entitled to store your personal data for 10 years as from the moment of termination of business relationships unless the laws and regulations set other time-limits for storing the data. The Bank complies with this general time limit for storing the client’s personal data:
- to respond to questions or complaints or demonstrate that the Bank has fulfilled its obligations towards you in good faith;
- to meet the requirements of the laws and regulations that provide for storage of various types of documentary information.
IMPORTANT: Upon expiry of the data storage period, your personal data are being destroyed in a secure way.
What are the possible consequences if you choose not to provide your personal data (or other information) upon the Bank’s request?
The Bank might need to obtain your personal data (or other information) according to the requirements of the laws. If you choose not to provide the information (incl. personal data) requested by the Bank, it may delay or preclude the Bank from fulfilling legal obligation applicable thereto according to the requirements of the laws and regulations.
IMPORTANT: If due to your choice not to provide the Bank’s requested information (incl. personal data) the Bank is unable to implement the policy relating to the fulfilment of regulatory requirements and servicing of your transactions, the Bank will most probably discontinue provision of the services to you.
IMPORTANT: The Bank may request you to submit information that it finds useful for the purposes other than fulfilment of legal obligations applicable to the Bank, performance of an agreement or carrying out measures prior to the conclusion of an agreement. If in such cases the Bank requests you to provide information about yourself, the Bank will previously inform you of the purposes of processing of your personal data and will explain separately whether it is mandatory for you to provide these additional personal data (or any other information) and how it will affect the delivery of service to you.
What are your rights in relation to the processing of your personal data?
You have the following rights:
1. to access your personal data and forward them; in particular, you are entitled:
- to obtain additional information about the processing of your personal data irrespective of what type of information you already have;
- to receive an electronic copy of your personal data processed by the Bank.
IMPORTANT: The Bank is not obliged to provide a client with the copies of the documents at the Bank’s disposal, and the Bank does not provide a client with the information that contains data of a third party. The Bank may provide you with a copy of your personal data in an electronic form, which may be used by you repeatedly, in particular, you yourself may submit it to other institutions or request the Bank to forward it.
2. to amend or delete your personal data:
- you are entitled to amend your personal data if they have changed or you have grounds to believe that your personal data processed by the Bank are not accurate.
IMPORTANT: The client is responsible for the accuracy of the submitted personal data (or other information) and for providing the Bank with correct and updated information about the client. The Bank has neither the right to amend the client’s personal data at its own discretion, nor the right to search – at its own discretion – for the client’s personal data in third parties’ databases to keep the Bank’s customer databases accurate and updated.
- You are entitled to request the Bank to delete your personal data, and the Bank will do it if the Bank does not need these personal data anymore for the purposes which the data were collected or processed in any other way.
IMPORTANT: The Bank will not be able to delete the client’s personal data if the laws and regulations provide for a legal obligation to store such personal data or the Bank’s legitimate interests are more important than the client’s rights infringed by non-deletion of the personal data;
3. to limit the processing of your personal data:
- you are entitled to request the Bank to limit the processing of your personal data (or certain processing activities), which means that the Bank could store and process your personal data only to establish, exercise or defend the Bank’s legal claims. You are entitled to limit the processing of your personal data if (i) they are not accurate, (ii) they are being processed unlawfully but you do not want to delete them, (iii) their processing is not required anymore but you want to establish, exercise or defend your legal claims, (iv) you have already exercised your right to object to the processing of your personal data but you are waiting for the Bank’s assessment whether the Bank is entitled to further process your personal data based on the Bank or third party’s legitimate interests.
IMPORTANT: By exercising the right to limit the processing of your personal data, the delivery of services to you could be limited for some time – i.e. the Bank’s services would be available to you in a limited amount or could even be unavailable for some time.
4. to object to the processing of your personal data:
- you are entitled to object to the processing of your personal data if the objection is based on serving the Bank or third party’s legitimate interests, and your rights, interests and freedoms are more important than the said Bank or third party’s legitimate interests.
5. in relation to the automated individual decisions:
- you are entitled to make the Bank’s specialist participate in taking such decisions or request that the Bank does not take a decision based on an automated calculation only.
How does the Bank process your personal data, taking automated individual decisions?
The Bank uses automated systems to make decisions without engaging the Bank’s specialists in relation to you or your company. The automated systems help taking decisions in a fast, honest, efficient and correct way based on the objective information (incl. personal data) at the Bank’s disposal. The automated individual decisions can affect possibilities to receive the Bank’s services available or planned, and have an impact on prices of the Bank’s services or products. The automated individual decisions are based on the information (incl. personal data) that you have submitted to the Bank or that has already been at the Bank’s disposal, or that the Bank is authorized to collect from third parties.
- Detection of fraudulent activities
The Bank uses the automated systems to monitor your financial activities to detect fraudulent or money laundering activities compliant with the regulatory requirements.The automated systems allow the Bank to establish the instances when the client’s account is used in an atypical or unusual way.
IMPORTANT: If the Bank has reasonable grounds to suspect that fraud or money laundering has occurred, the Bank shall be entitled to deny the Customer access to financial instruments, securities, personal safe depository contents and other valuables kept with the Bank.
Whom can your personal data be transferred to?
The Bank may forward your personal data (incl. other information) to external organisations to ensure provision of the Bank’s services, to manage the Bank’s business (e.g. to external auditors) and fulfil legal obligations applicable to the Bank (e.g. to supervisory authorities).
The Bank may forward your personal data (incl. other information) to the following external organisations:
- public institutions – depending on the legal obligation the Bank must fulfil, e.g. to the Financial and Capital Market Commission, the State Revenue Service;
- persons or organisations involved in the provision of financial services – depending on your chosen Bank’s services or products, e.g. to the Bank’s representatives, intermediaries, contractors or other third parties who process personal data on behalf or by order of the Bank;
- various registers – depending on your chosen Bank’s services or products, e.g. to the Credit Register of the Bank of Latvia;
IMPORTANT: The Bank processes your personal data in cooperation with investment service providers if you have chosen the respective products, therefore under this cooperation your personal data can be communicated to the representatives of these organisations.
Are your personal data being communicated beyond the European Union or the European Economic Area?
The Bank may pass your personal data (incl. information on you) beyond the European Union or the European Economic Area in the following cases:
1. based on your application – e.g. in cases when you transfer money to third countries;
2. to fulfil a legal obligation applicable to the Bank;
Which of the Bank's regulatory documents regulate the processing of your personal data?
The processing of your personal data is regulated and your rights in the field of protection and legality of processing of personal data are protected by:
Are you entitled to submit a proposal or complaint?
The Bank is a responsible controller of your personal data. To demonstrate clearly that the Bank performs a lawful, fair and transparent processing of your personal data, the Bank has created and maintains a system of accountability that is based on:
1. timely informing of clients about the processing of personal data and exercising of the clients’ access rights;
2. assessment of the impact of the processing of personal data if the planned activities related to the processing of personal data could put at high risk your rights and freedoms, as well as on the registration of personal data proceedings activities;
3. timely detection and comprehensive investigation of safety incidents related to the security of personal data, as well as on reporting about personal data breaches to the Data State Inspectorate and clients;
4. transparent cooperation with service providers who on behalf of the Bank provide financial and other services or ensure the processing of your personal data by order of the Bank;
5. regular training of the Bank’s employees and assessment of the compliance of the system of personal data protection and of the legality of personal data processing.
However, if you have any suggestions or objections regarding the processing of personal data performed by the Bank, you are entitled to submit to the Bank a suggestion, feedback, application or complaint. You may submit an application or complaint in a way that is most convenient for you:
- in the form of an electronic order using the Bank’s automated system for remote access to an account (Internet bank) ”PNB Internetbanka”;
- in person in paper format at any of the Bank’s customer service centres ensuring that the application is signed;
- by mail (incl. delivery by courier) in paper format to the Bank’s correspondence address in Riga, 15 Elizabetes str., LV-1010, ensuring that the application is signed.
Moreover, you are entitled to file a complaint to the Data State Inspectorate regarding the non-compliance of the Bank’s performed processing of personal data with the requirements of the laws and regulations in the field of protection of data of natural persons. A complaint to the Data State Inspectorate may be filed by:
- placing it in the mail box of the Data State Inspectorate in Riga, 11/13 Blaumaņa Street, 1st storey;
- sending it electronically (according to Section 1(2) of the Electronic Documents Law, signed with a secure electronic signature) to the e-mail address info@dvi.gov.lv;
- sending it by mail to the address: 11/13-15 Blaumaņa Street, Riga, LV-1011.