GOAL AND SUBJECT

Pursuant to the Law on Personal Data Protection and requirements from the General Data Protection Regulation (EU) 2016/679, Lovćen banka a.d.Podgorica (hereinafter referred to as: the Bank) adopted the Policy on Personal Data Protection (hereinafter referred to as: the Policy) with the aim of specifying basic principles and rules related to the collection and processing of personal data by the Bank. 
The Bank provides information about data processor, office for the protection of personal data, data collected and processed by the Bank, the purpose and legal basis for the collection of data, period of preservation of your personal data, data protection, as well as the rights of customers with regards to these personal data.
The processing of certain types of personal data is conducted by the employees of the Bank, depending on their powers and working positions, while the part of the processing is also done by other persons in charge for processing, to whom personal data of customers are delivered for the sake of fulfilling contracting duties.
The Bank bounds other persons in charge for processing to apply the rules of the Bank related to the protection of personal data of the customers.

 

SCOPE

The Policy has been applied in Lovćen banka AD Podgorica.

The operator of personal data is:

Lovćen banka A.D
Bulevar Džorža Vašingtona 56/I, 81000 Podgorica
e-mail: office@lovcenbanka.me    

Data protection officer (DPO) in Lovćen banka AD is available on:
E-mail: dpo@lovcenbanka.me 

Mail: Data protection officer, address: Bulevar Džorža Vašingtona 56/I, 81000 Podgorica 


PROCESSING AND COLLECTION OF PERSONAL DATA

The Bank collects customer’s data from different sources. In majority of cases, personal data are provided directly by the customers who decide to use certain banking product or service. Personal data are also obtained indirectly, by using banking products or services. Certain data are created during data processing for the needs of reports, analyses, etc. 
The Bank also uses other data on customers available via public sources (public registries, databases, web applications, social networks or other public sources of information). 
   Personal data processed by the Bank are the following: 
  • Name, surname, personal citizen identification number, contact data, citizenship, e-mail, tax identification number and others
  • Legitimacy data (for example: ID card number or passport number)
  • Socio-demographic data (gender, age, education, employment...)
  • Geographic location (for example: address)
  • Identification data (for example: signatures of customers) 
   The Bank also performs the processing of the following data:
  • Data on related persons
  • Data on orders (for example: payment order)
  • Data stemming from the execution of a contracting duty (for example: data on turnover related to payment operations, data on balance or depost, data on calculated interests)
  • Data related to financial status
  • Documentation data (for example: data related to the counselling of the customers)
  • Data from the registry, photos and audio recordings (for example: video, recording of a telephone conversation)
  • Data on transactions, channels and applications used by individuals for the purpose of contacting with the Bank
  • Data on the products and services used by individuals.
The Bank also conducts the processing of personal data so as to fulfil legal and regulatory obligations.
 

LEGAL BASIS AND PURPOSE OF PERSONAL DATA PROCESSING

The Bank collects data on the following three grounds:
a)Personal data processing for the purpose of performing contracting or pre-contracting obligations
Personal data protection is conducted for the purpose of providing services aimed at performing a contract in which you are a party or in order to take over actions upon your request before concluding the contract. The purpose of data processing depends on the product/service you negotiate with the Bank.
Each product or service is accompanied by documentation which may provide you with the information about individual purposes of data processing.
b)Personal data processing based on legal grounds (legitimate interest of the Bank)
Personal data processing in the Bank is regulated by the regulations related to personal data protection, banking sector and provision of payment services, prevention of money laundering and terrorist financing, as well as the EU General Data Protection Regulation in its parts that are not in the collision with positive legal norms in Montenegro. The Bank also performs data processing based on its legal interests.
c) Personal data processing based on the consent of a customer
Personal data processing may be based on explicit consent of data owner, which enables the bank to use them for the purposes referred to in the consent (for example: marketing purposes, notifications about new offers and services, surveys and questionnaires for testing the satisfaction, etc.).
In case you are not willing to provide your consent for data processing for the above-mentioned purposes or you only provide a partial consent or revoke provided consent, the Bank will inform such customer only within the scope of provided consent and in a manner allowed by applicable law (for example: general notifications, performance of contracting obligations of the Bank with regards to informing about the products, security alerts or information related to the products used by the customer).
 

ACCESS TO PERSONAL DATA OF CUSTOMERS AND TO WHOM THEY ARE DELIVERED

a)Employees of the Bank 
The access to your personal data is enabled only to the organizational units in charge of processing your data so as to fulfil our contracting and legal duties, as well as exercise the legitimate interests of the Bank and third parties.
b)Contracted processors
In order to provide certain services, the Bank has signed contracts with certain data processors (persons in charge for data processing) that may process your data only in compliance with certain law, permit or your consent. Data processors are aware of the fact that your personal data are a banking secret, so the access to your data is ensured only to the processors that guarantee the protection of personal data in compliance with the General Data Protection Regulation.
Data processors are the companies providing credit and financial services, IT services, card business services, logistics, telecommunication services, marketing services, filing services, legal representation services, and the like.
c)Competent state authorities
Pursuant to the laws, the Bank is obliged in certain cases to forward your data to competent state authorities and the authorities in charge for financial, tax or bank inspection (for example: Central Bank of Montenegro, Police Administration, Ministry of Finance, courts, prosecution, credit registry, etc.).

HOW ARE CUSTOMERS’ DATA PROTECTED IN THE BANK AND FOR HOW LONG ARE THEY KEPT

Lovćen banka AD continuously develops and improves the system of data collection, processing and filing. The Bank conducts adequate legal, technical and organizational measures with the aim of ensuring necessary security and safety of data. Some of the measures conducted are the following:

  • Controls of the rights and privileges of the employees in all systems of the Bank,
  • Implementation of the Policies and internal procedures related to data protection,
  • Control of physical access to the system and business premises of the Bank,
  • Establishment of technical and procedural measures necessary so as to implement IT infrastructure in accordance with highest international security standards.
Personal data are processed and kept until it is necessary for the execution of contracted and legal duties. Following the completion of the purpose of their processing, and if there is no other legal ground or if it is needed for the exercise, execution or defence from legal requests, personal data shall be deleted, destroyed, blocked or made anonymous.

RIGHTS OF THE CUSTOMERS

If the owner of data wants to obtain information about all purposes for which the Bank uses his/her personal data, s/he may achieve this by exercising his/her right to data access. Data owner shall exercise his/her rights within the deadlines specified in Table 1. The requests and objections are solved on the basis of particular working procedure.

No.

Request of a customer

Time needed to solve the request

Note

1

Right to be informed and to accede personal data 

Before collection of data from the customer or within 30 days when the customer did not participate in data collection

In case of a large number of Requests, as well in case of the complexity of your inquiry, it is possible that the Bank might need additional time for response. In such case, the Bank will timely inform you, and the response may be expected not later than 3 months following the day of receiving your due Request.

2

Right to the correction of personal data

Up to 30 days

You are entitled to ask for the correction or amending of your personal data by submitting the Request. The Bank will respond to your Request as soon as possible, without unnecessary delay.

3

Right to deletion of personal data

Immediately


(without unnecessary delay)

You are entitled to ask for the deletion of personal data in the following cases:
-  Such data are not necessary anymore with regards to the purposes for which they were collected or otherwise defined.
-  You withdraw your consent upon which the processing is based and if there is no other ground for processing.
-  You file an objection and thus there is no stronger legitimate reason for processing, or if you file an objection to the processing of data whose purpose is direct marketing, which includes the creation of profiles to the extent it is related to such direct marketing.
-  When data are unlawfully processed.
-  Data have to be deleted for the sake of adhering to a legal obligation.

4

Right to limited processing

Up to 30 days 
(without unnecessary delay)

5

Right to data transferability

Up to 30 days

6

Right to objection to the processing

Up to 30 days

7

Right to a complaint

Not specified

Table 1. Deadlines for solving the requests of the customers

REVOCATION OF DATA OWNER’S CONSENT 

The consent for data processing for the purposes described in this document is provided on voluntary basis. The consent is provided only for the purposes listed in the letter of consent and is valid until its revocation, about which you inform the Bank, and this will not influence any contracted relationship between you and the Bank and any use of products and services which do not require such consent. The Bank is obliged to process only those personal data even after the revocation, needed for fulfilment of legal obligations, due to adhering to the contract with you, as well as due to pursuing its legal and legitimate interests.

 

FINAL PROVISIONS

The Bank reserves the right to edit or amend this General Information for the purpose of ensuring the compliance with relevant legal regulations in the area of personal data protection. The Information are available in all branches and on the website of the Bank.

The provisions of valid legislations shall apply to everything not regulated by this General Information or the contract, concluded by the Bank and an individual.