A A A Contrast version
Infoline: +48 22 599 8888
GDPR

GDPR

The information below is hereby provided in connection with the entry into force of the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing the Directive 95/56/EC (“GDPR”).

We provide you with information on the processing of personal data as well as its terms and conditions. 

1. What is personal data?

Information which identify you or allow for your identification, e.g. your name, surname, phone number, or e-mail address. The Bank has collected and will continue to collect your data in connection with banking activities so that we can provide with various services and products as defined below.

2. Who is responsible for the processing of personal data and who is the Bank’s contact person in this regard?

The controller of your personal data is Bank Gospodarstwa Krajowego with its registered office in Warsaw (00-955), Al. Jerozolimskie 7 (hereinafter referred to as “Bank”).

The Bank has appointed a person responsible for the processing of personal data - that is, the Personal Data Inspector who may be contacted on all matters pertaining to the processing of personal data as well as exercising the rights related thereto, and the inspector may be reached in the following ways:

  • by sending a letter to the following address:
    Bank Gospodarstwa Krajowego
    Inspektor Danych Osobowych [Personal Data Inspector]
    Al. Jerozolimskie 7
    00-955 Warszawa
  • by sending an e-mail to: iod@bgk.pl
3. Why does the Bank process my personal data and under what legal basis?

The processing of your personal data is mainly related to carrying out tasks imposed on BGK, including those related to the administration of funds and governmental as well as EU programmes established, entrusted or transferred to BGK under acts or contracts, provision of guarantees and sureties as part of governmental programmes, investments in capital funds, i.e.: Krajowy Fundusz Kapitałowy (the National Capital Fund, KFK), Fundusz Mieszkań na Wynajem (the Apartment For Rent Fund), Polish Growth Fund of Funds, maintenance of bank accounts of state budget, the budget of local governments, the budget of voivodeships concerning an efficient distribution of EU funds, state accounts or local government of legal persons established under separate legislation to carry out public functions. Another purpose of data processing is to carry out banking operations defined under the Banking Act of 29 August t1997, and in particular: accepting deposits payable on demand or term deposits in cash, in addition to maintaining the related deposit accounts, maintaining other bank accounts, lending credits, issuing and confirming bank guarantees and sureties as well as opening letters of credit, issuing bank securities, carrying out banking cash settlements in all forms accepted in domestic and foreign trade, conducting operations with regard to bills-of-exchange and promissory notes as well as operations relating to warrants, issuing payment cards and carrying out operations with the use of these cards, carrying out forward and future transactions on the domestic and foreign market, purchase and sale of monetary liabilities, safeguarding of items and securities, management of the purchase and sale of foreign currencies, granting and confirming sureties, performing commissioned activities related to securities issuance, intermediating in conducting international money transfers by residents and settlements in Poland with non-residents, carrying out transactions with the use of derivatives, intermediating in offsetting transactions. Moreover, data is processed to carry out tasks concerning credit institutions closed down or considered to be closed down based on: the Decree of 25 October 1948 on the Principles and Procedure of Liquidation of Certain Banking Enterprises (Journal of Laws, no. 52, item 410, of 1949, no. 35, item 256 and of 1951, no. 31, item 240); the Decree of 25 October 1948 on the Principles and Procedure of Liquidation of Certain Long-Term Credit Institutions (Journal of Laws, no. 52, item 411, and of 1951, no. 31, item 241), the Decree of 25 October 1948 on the Banking Reform (Journal of Laws of 1951, no. 36, item 279, and of 1957, no. 31, item 136). 

The processing of personal data is conducted:

  • For the performance of contractual obligations (Art. 6 section 1 (b) of the GDPR):
    The data is processed to comply with the contracts concluded with customers or to carry out activities before the conclusion of the contract that are performed at customer’s request.
  • For the performance of legal duties (Art. 6 section 1 (c) of the GDPR) or tasks carried out for the public interest (Art. 6 section a 1 (e) of the GDPR).
    As a bank, we are governed by a number of legal obligations, i.e. the requirements under e.g. the Banking Act, the Act on Trading in Financial Instruments, the Act on Investment Funds and the Management of Alternative Investment Funds, the Anti-Money Laundering and Counter-Terrorism Financing Act, the Act on Payment Services, tax laws as well as regulatory requirements (imposed by institutions such as: The European Central Bank, the European Banking Authority, the Polish Financial Supervision Authority). The purpose of data processing is in particular to: assess credit capacity, analyse credit risk, verify the identity of customers and their representatives, counteract offences, including money laundering and financing of terrorism, to meet monitoring and reporting obligations in line with tax laws and risk management at the bank, to counteract misselling, i.e. a sales practice in which a product is offered to customers contrary to their needs, assess knowledge on investment in terms of financial instruments.
  • Based on an explicit consent (Article 6 section 1 (a) of the GDPR).
    If you’ve granted your consent for the processing of personal data to specific purposes (e.g. data transmission between cooperating institutions), the bank is authorised to process such data under this consent. The consent may be withdrawn at any time. Consent withdrawal does not affect the legal compliance of data processing until the moment of consent withdrawal.
  • For purposes arising from legally justified interests performed by the Bank or a third party (Art. 6 section 1 (f) of the GDPR).
    If need be, the bank processes data in order to protect the legally justified own or third party interests. Examples of such activities are as follows:

    • processing of the data of the persons acting for the benefit of the customers,
    • preventing offences to be perpetrated to the detriment of banks, credit, financial, lending and payment establishments and their customers,
    • ensuring IT security,
    • surveying customer satisfaction,
    • seeking claims and defending against them,
    • internal administrative goals of the Bank, including an analysis of loan portfolio, statistics and internal reporting of the Bank. 

4. Who can receive my personal data?

Personal Data may be made available to some other recipients in order to perform the agreement or carry out a legal duty imposed on the Bank, based on your consent or for the purposes arising from legally justified interests of the bank or a third party.

The recipients can be in particular: the authorised staff of the bank, the Polish Financial Supervision Authority, the Ministry of Finance, including the General Inspector for Financial Information, Biuro Informacji Kredytowej S.A, Krajowy Depozyt Papierów Wartościowych S.A., Krajowa Izba Rozliczeniowa S.A. and other clearing houses, the Polish Bank Association, business information bureau, other banks, credit and payment institutions, payment system users, investment funds associations, financing institutions, and other institutions with statutory power to receive your personal data under relevant legal provisions.

Personal data may be forwarded to some entities processing them at the Bank’s request as well as to their authorised staff; however, such entities shall process personal data under the agreement concluded with the Bank and solely in accordance with the Bank’s instructions and subject to keeping bank, professional and insurance secrecy.

5. Will my personal data be sent to a third country (beyond the European Union)?

Data is forwarded to recipients in the countries beyond the European Union (“third countries”) exclusively if such an action has been indispensable to the performance of the agreements concluded between you and the Bank, i.e. to the performance of orders (such as: payment orders and orders to buy or sell securities). Any other forwarding of the personal data to a third country shall be solely upon your consent.

You can obtain a copy of the personal data forwarded to a third country once you file such request to the Personal Data Inspector. 

6. How long will the Bank process (keep) my data?

Personal data shall be processed for the term necessary to the performance of processing goals, i.e.:

  • with regard to the performance of the contract concluded with the Bank – until the end of its term, and following this term for a period required under legal provisions or necessary to the settlement of claims (if any);
  • with regard to the performance of legal duties rested with the Bank as a consequence of its operations and the performance of the concluded agreements – until the performance of those obligations by the Bank;
  • with regard to direct marketing carried out based on a consent – until such processing consent is withdrawn;
  • until the performance of legally justified interests of the Bank that serve as a ground for such processing or until you lodge any objection to such processing, unless there are other legally justified grounds for further data processing. 
7. What rights do I have in connection with personal data? 

You have the right to:

  • demand access to your personal data as well as the right to correct, restrict the processing of personal data or delete it altogether;
  • to the extent the processing of personal data is based on a consent, you have the right to withdraw your consent for the processing of personal data at any time;
  • raise your objection to the processing of personal data at any time:

    • due to reasons related to your particular situation when the Bank has been processing the data for the purposes arising from legally justified interests (Art. 21 section 1 of the GDPR),
    • to marketing ends related to direct marketing, including with respect to profiling for marketing purposes, to the extent the processing of your data is related to direct marketing (Article 21 sec. 2 of the GDPR),

  • demand that the personal data, processed to conclude and perform a contract or processed under a consent, be transferred. A transfer consists in receiving by the Bank your personal data in a structured, commonly used format, such as machine-readable data, and providing such data to another data controller. The right to transfer data does not concern data which constitute banking secrecy;
  • lodge a complaint at a supervisory authority, such as the President of the Office for the Protection of Personal Data if concluded that the processing of personal data is not compliant with the GDPR.
8. How can my personal data be obtained and what are the categories of personal data?

Above all the personal data kept by the Bank comes directly from you. The Bank also processes certain categories of personal data which do not come directly from you. Personal data can be obtained from:

  • business information bureau,
  • Biura Informacji Kredytowej S.A;
  • The Polish Bank Association;
  • Electronic Land and Mortgage Register;
  • your representatives who act on your behalf under a power of attorney;
  • any entities which have obtained your consent for processing.

With regard to personal data concerning entrepreneurs, said data can also be obtained from other public sources in which the data concerning entrepreneurs are kept, i.e. The National Court Register, the Central Registration and Information on Business (CEIDG), and similar sources located in other countries or private entities specialised in the collection and making available of information on entrepreneurs. As regards personal data of the persons representing entrepreneurs or acting for or on their behalf, such data is also collected from the above sources as well as from the entrepreneurs themselves.

9. To what extent does the Bank use automatic decision-making, including profiling?

The processing of your personal data can take place in an automatic manner, which may involve automatic decision-making, including profiling. This concerns the following situations:

  • to asses credit capacity in order to conclude a contract with the bank, with the assessment being conducted on the basis of the data included in the request for use of products and services offered by the bank, information held by the bank about you in connection with the use of products and services, information obtained in the course of the assessment (such as from downloaded reports from Biuro Informacji Kredytowej S.A., business information bureaux, and interbank restriction lists) on the basis of a pre-defined set of rules and algorithms in line with the credit capacity analysis process described and approved by the bank. The assessment results in: an automatic consent for entering into a contract, an automatic denial of entering into a contract or the need on the part of the Bank to make an individual decision;
  • to assess the fulfilment of the conditions which determine whether it will be possible for the Bank to provide specific services to customers, with the assessment being carried out on the basis of the data held by the Bank with regard to an active use of specific services, reception of cash transfers to bank accounts, or holding a specific balance of assets in investment products. The conditions are set each time in the documentation related to 
  • a given service, e.g. a contract, regulations, or principles related to their provision. The assessment results in: an automatic consent for providing services, an automatic denial of providing services or the need on the part of the Bank to make an individual decision;
  • to assess the risk of money laundering and financing of terrorism, with the assessment being carried out on the basis of the data included in the documents presented as part of conclusion of the contract or placement of a transaction order pursuant to pre-defined (economic, geographic, subject matter, behavioural) criteria. The assessment results in an automatic categorisation of risk group, with the unacceptable risk categorisation resulting in an automatic blockage or failure to establish relations.
10. Data transmitted to the Business Information Bureau (BIK)

Under Article 105 sec. 1 item 1 (c) and Article 105 sec. 4 of the Banking Act of 29 August 1997 (hereinafter: “Banking Act”), the bank is authorised to transmit your data to Biuro Informacji Kredytowej S.A. with its registered office in Warsaw (hereinafter: “BIK”). As a result, the BIK – in addition to the Bank – becomes the controller of your personal data. Information on the processing of personal data by the BIK is presented below:

  • The controller of personal data is Biuro Informacji Kredytowej S.A. with its registered office in Warsaw at ul. Jacka Kaczmarskiego 77a, 02-679 Warsaw;
  • You may contact the BIK by sending an e-mail to kontakt@bik.pl or a letter (to the registered office of the controller). At BIK, there is a designated personal data inspector you may contact by e-mail at iod@bik.pl or in writing (Personal Data Inspector, Customer Service Office BIK S.A., 02-676 Warszawa at ul. Postępu 17A). You may contact the Personal Data Inspector on all matters pertaining to the processing of personal data as well as exercising the rights related thereto.
  • The purpose of data processing by the BIK is to:

    • assess the credit capacity and analyse the credit risk, including profiling – the legal basis for the processing of personal data is provided for in the Banking Act;
    • carry out statistical analyses – which are performed as part of information obligations defined under separate legislation – the result of which is not personal data and on condition that the result is not to be used as a basis for making decisions on specific natural persons – the legal basis for the processing of personal data is provided for in the Banking Act;
    • apply internal methods and other methods and models referred to in Article 105a sec.4 of the Banking Act – the legal basis for the processing of personal data is provided for in the Banking Act;
    • process any complaints you may make and claims you may lodge – the legal basis for the processing of personal data is a legally justified interest of data controller, which consists in processing of the complaint and defending against any potential claims.

  • The BIK processes your personal data concerning:

    • data which identifies the person: PESEL (personal ID no.)/NIP (Tax ID), name, surname, data on ID documents, family name, mother’s maiden surname, father’s name, mother’s name, date and place of birth, citizenship;
    • contact data: place of residence, domicile (whether fixed or temporary), current temporary residence address other than the place of residence or domicile, correspondence address, e-mail address, phone number;
    • socio-demographic data: place of work, profession, education, type of employment, income, expenses, marital status, household size, marital property system;
    • data on liabilities: source of liability, amount, currency, account number and state, date of liability, liability repayment conditions, purpose of funding, legal security and collateral, history of liability, debt due to liability as at the expiry of liability, date of expiry of the liability, reason for default of the liability or delay referred to in Article 105a sec. 3 of the Banking Act, reasons for expiry of liability, information on personal bankruptcy, credit decision, and data concerning credit applications.

  • The BIK obtains your personal data from the Bank.
  • The purpose of processing of your personal data by the BIK is to:

    • assess the credit capacity and analyse the credit risk – for the term of your liability and, once it expires – only if you grant a consent or meet the conditions referred to in Art. 105a sec. 3 of the Banking Act, whereas under in any case for no more than 5 years after the expiry of the liability;
    • apply internal methods and other methods and models referred to in Article 105a sec.4 of the Banking Act – for a period of 12 years after the expiry of the liability;
    • carry out statistical analyses – for a period no longer than the period of processing of your personal data for the above purposes;
    • process any complaints you may make and claims you may lodge – until the claims under the contract or otherwise fall under a statute of limitations.

  • Your personal data can also be made available by the BIK to other entities authorised to receive it under applicable legal regulations, including the entities defined in Article 105 sec. 4 and 4a of the Banking Act as well as Article 105 sec. 4d of the Banking Act, as well as PESEL or Personal ID Registration Offices to verify the accuracy of provided personal data, as well as to other entities which cooperate with the BIK, including business information bureaux and lending institutions – as long as such entity has received your consent.
  • Your rights to the protection of your data in relation to the BIK are described in item 7 above.
11. Data transmitted to the Banking Register

Under Article 105 sec. 1 item 1 (c) and Article 105 sec. 4 of the Banking Act of 29 August 1997 (hereinafter: “Banking Act”), the bank is authorised to transmit your data to the Polish Bank Association (PBA) with its registered office in Warsaw at ul. Zbigniewa Herberta 8 in order to enter it into the Banking Register Central Database (hereinafter: “BRCD”). As a result, the PBA – in addition to the Bank – becomes the controller of your personal data. Information on the processing of personal data by the PBA is presented below:

  • The controller of personal data is the Polish Bank Association with its registered office in Warsaw at ul. Zbigniewa Herberta 8, 00-380 Warsaw;
  • You may contact the PBA by sending an e-mail tokontakt@zbp.pl or a letter (to the registered office of the controller). At PBA, there is a designated personal data inspector you may contact by e-mail at iod@zbp.pl or in writing at CSO – Customer Service Office, 02-676 Warszawa, ul. Postępu 17A. You may contact the Personal Data Inspector on all matters pertaining to the processing of personal data as well as exercising the rights related thereto.
  • The purpose of data processing by the PBA is to:

    • assess the credit capacity and analyse the credit risk, where the legal basis for the processing of personal data is provided for in the Banking Act; and
    • process any complaints you may make and claims you may lodge – the legal basis in this case is a legally justified interest of the PBA, as data controller, which consists in processing of the complaint and defending against any potential claims.

  • The PBA processes your personal data concerning:

    • data which identifies the person: PESEL (personal ID no.)/NIP (Tax ID), name, surname, data concerning ID documents;
    • contact data: place of residence.

  • The PBA obtains your personal data from the Bank.
  • The purpose of processing of your personal data by the PBA is to:

    • assess the credit capacity and analyse the credit risk – for a period of five years from the date of expiry of the liability under the contract concluded with the participant of the Banking Register (after the fulfilment of the conditions referred to in Art. 105a sec. 3 of the Banking Act), and in the event of expiry of the liability – for a period of ten years from the date of provision of the personal data to the BANKING REGISTER; and
    • process any complaints you may make and claims you may lodge – until the claims under the contract or otherwise fall under a statute of limitations.

  • Your personal data can be made available by the PBA to the entities involved in information exchange via the Banking Register, with the entities defined in Art. 105 sec. 4 and 4d of the Banking Act, i.e. national banks and the branches of foreign banks, credit institutions and their branches, other institutions having statutory power to grant credits, business information bureaux, financial institutions which are dependent on banks within the meaning of the Banking Act, along with lending institutions and entities referred to in Art. 59d of the Act of 112 May 2011 on Consumer Credit.
  • Your rights to the protection of your data in relation to the PBA are described in item 7 above.
12. Providing data to the AMRON system (the System of Analysis and Monitoring of the Property Market) 

The bank is authorised to transmit your data to the Polish Bank Association (PBA) with its registered office in Warsaw at ul. Zbigniewa Herberta 8 in order to enter it into the AMRON system (the System of Analysis and Monitoring of the Property Market) (hereinafter: “AMRON”). As a result, the PBA – in addition to the Bank – becomes the controller of your personal data. Information on the processing of personal data by the PBA is presented below:

  • Your personal data in the form of the number of mortgage-secured land register can be provided by the Bank to the System of Analysis and Monitoring of the Property Market (hereinafter: “AMRON”);
  • The controller of personal data is the Polish Bank Association with its registered office in Warsaw at ul. Zbigniewa Herberta 8, 00-380 Warsaw;
  • You may contact the PBA by sending an e-mail to kontakt@zbp.pl or a letter (to the registered office of the controller). At PBA, there is a designated personal data inspector you may contact by e-mail at iod@zbp.pl or in writing at CSO – Customer Service Office, 02-676 Warszawa, ul. Postępu 17A. You may contact the Personal Data Inspector on all matters pertaining to the processing of personal data as well as exercising the rights related thereto.
  • Personal data shall be processed based on Art. 6 sec. 1 (c) of the GDPR in order to assess and monitor the value of real estate collateral, to carry out analyses of the real estate market, and in case of banks with significant exposure, to assess the risk of change of the value of real estate collateral (the legal basis for the processing of personal data is the recommendations issued by the Polish Financial Supervision Authority based on Art. 137 item 5 of the Banking Act (i.e. Journal of Laws of 2017, item 1876, as amended), Recommendation S concerning best practices in the management of mortgage-secured credit exposures of 2013, and Recommendation J concerning the principles of storing and processing data on property by banks of 2012);
  • The scope of personal data processed in this set comprise only the number of mortgage-secured land register;
  • The recipients of personal data kept in the AMRON system are national banks and the branches of foreign banks, credit institutions and their branches, other institutions having statutory power to grant credits, the number of land register can also be provided to entities processing the data on behalf of the PBA, such as IT service providers, whereas such entities process data as subcontractors, under a contract concluded with the PBA and solely in line with PBA’s instructions.
  • The personal data referred to above shall be processed for the time necessary to comply with the requirements of Recommendation S and Recommendation J of the Polish Financial Supervision Authority.
  • Your rights to the protection of your data in relation to the AMRON system are described in item 7 above.
  • BGK is the source from which personal data has been transmitted to the AMRON data set.