Information on the processing of personal data in the registry base system between credit and financial institutions

General information

 

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the Regulation), we provide you with this information to inform you of the possible processing of your data in the Core System of the Registry (hereinafter: the “OSR” system).
The OSR system is a system of processing and exchanging customer data between credit and financial institutions as users of the OSR system (hereinafter: users) through HROK (Croatian Registry of Credit Obligations) for the purpose of creditworthiness assessment and/or credit risk management. 
Within the meaning of the Regulation, the users are both individual and joint controllers in the OSR system, and the company  Hrvatski registar obveza po kreditima d.o.o., Zagreb, Ulica Filipa Vukasovića 1 (hereinafter: HROK; or Croatian Registry of Loan Obligations), is, depending on the situation, their individual or joint data processor.
In accordance with Articles 13 and 14 of the Regulations, we hereby inform you, as our client and a debtor, co-debtor and/or guarantor, that we, as one of the users of the OSR system, process your personal data in the OSR system if you have, or have had, a monetary obligation towards us (such as a loan or overdraft or card debt, etc.). We process your data, including personal data, in the OSR system by exchanging information about your monetary obligations with other participants in the ORS system.  

Purposes and legal basis for processing

The purpose of processing and exchanging your personal data in the OSR system between credit and financial institutions as users of the OSR system is to assess your creditworthiness and/or manage our credit risk to you when you are our client or when you intend to be one. 

Exchange of your data in the OSR system:
 
a) between credit institutions (banks, savings banks and building societies) is based on the compliance with the legal obligation (in accordance with Article  6(1)(c) of the Regulation) contained in Article 321 of the Credit Institutions Act, which regulates the obligation to exchange customer data and  information between credit institutions for the purpose of creditworthiness assessment and/or credit risk management and
 
b) between credit and financial institutions and between two financial institutions, based on our legitimate interest, as well as the legitimate interest of all users (in accordance with Article 6(1)(f) of the Regulation) to assess the creditworthiness of clients (ability by the client to repay their obligations when due) in order to reduce and/or avoid the risk of non-performing loans and over-indebtedness of clients and to manage credit risks in relation to clients, which is one of the regulatory obligations of the users.

Which of your data are processed in the OSR system?

 

The following categories of your data are processed and exchanged in the OSR system:
- identification data, and
- data on the existing and settled or otherwise extinguished liabilities.

 

Data processing

  • How, why and when are your data processed in the OSR system?

    How, why and when are your data processed in the OSR system?

    Your data are processed by providing and storing data in the OSR system and exchanging such data between OSR system users at the request of an individual user in cases when this user performs creditworthiness  assessment and/or credit risk management. 
    For this purpose, we, as well as other users of the OSR system, provide  updated personal information about our clients to the OSR system once a month.  
    The exchange request may be made by us, as well as by other users, when we assess your creditworthiness and/or manage credit risk towards you. Based on the request, all data on your financial liabilities stored in the OSR system at the time of the request are exchanged and aggregated and an OSR report on the data contained in the OSR system is compiled.  
    If there are no data  about your financial liabilities  in the OSR system, a notification is generated  instead of a report, stating that there is no such information on you in the OSR system.

  • What is the impact of data processing in the OSR system on you?

    What is the impact of data processing in the OSR system on you?

    The content of the report generated on the basis of the exchange of your financial liabilities data in the OSR system may have an impact on our business decisions concerning you, both the decisions for  which your creditworthiness is relevant, as well as the decisions  we make regarding the management of credit risk towards you.

     

  • How long do we retain your personal data?

    How long do we retain your personal data?

    Data on your financial liabilities which are up to 4 (four) years old are retained and exchanged in the OSR system. After your financial liability has been fully settled or otherwise extinguished, your data will be kept for a maximum of 4 (four) years from the date on which the financial liability is fully settled or otherwise extinguished.


     

  • Who are the recipients of your personal data?

    Who are the recipients of your personal data?

    The recipients of the data from the OSR system are only users of the OSR system, and only those who have made a request for data exchange and, based on such request, received a report with information about your financial liabilities or a notification that there is no information about your financial liabilities in the OSR system. Indirectly, HROK, being the processor in the OSR system, is also one of the recipients.

    The current list of users of the OSR system is published on the HROK website. 

Your rights in RBA (in the case of processing your data in the OSR system)

 
  • Right of access to personal data
    • Regarding the data processed in the OSR system, you can request confirmation as to  whether your personal data are processed and a copy of your personal data in case the data are processed.

  • Right to rectification
    • If you believe that the data processed in the OSR system is incorrect or incomplete, you can demand the rectification or completion of the data.

  • Right to erasure ("right to be forgotten")
    • You may exercise the right to have your personal data deleted if one of the following conditions is met:
      - personal data are no longer necessary in relation to the purposes for which it was collected or otherwise processed;
      - you have objected to the processing, and your legitimate reasons for erasure override our legitimate interest in processing (as well as the legitimate interest of other users); 
      - personal data are not lawfully processed or personal data must be deleted for the purpose of compliance with a legal obligation.
      The right to erasure under the Regulation does not apply, even if one of the above conditions is met, where processing is necessary for the exercise of the right to freedom of expression and information; for the purpose of complying with a legal obligation requiring processing under Union or  Member State law to which the user is subject or for the purpose of performing a task in the  public interest or for the purpose of exercising  the official authority vested in the user; for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with relevant regulations; as well as for the purpose of establishing, exercising or defending legal claims.

  • Right to restriction of processing
    • You can exercise the right to restrict the processing of personal data if one of the following conditions is met:
      - you contest the accuracy of the personal data, for a period which allows the user to verify the accuracy of personal data;
      - the processing is unlawful and you oppose the erasure of the personal data and demand restrictions on their use instead;
      - the user no longer needs personal data for the purpose of processing, but you require the data for to make, exercise or defend legal claims;
      - you have objected to the processing under Article 21(1) of the Regulation and  confirmation as to whether the legitimate interest of the user overrides your legitimate interest is pending.

  • Right to object
    • Where your personal data are processed and exchanged in the OSR system on the grounds of legitimate interest, you may, pursuant to Article 21(1) of the  Regulation, object at any time to such processing of your personal data based on its specific situation that would go beyond our legitimate interest in the processing of your data in the OSR system and the legitimate interest of other users in the processing of such data.  
      Please note that your objection to the processing and exchange of your data in the OSR system on the basis of legitimate interest has no impact on the processing and exchange of your data in the OSR system insofar as such processing and exchange are based on compliance with the legal obligation that credit institutions have under Article 321 of the Credit Institutions Act, as such processing and exchange of data are aimed at complying with the legal obligation under Article 6(1)(c)  of the Regulation.  
      In addition, any person whose personal data are processed in the OSR system has the right to object to the processing of their personal data to the supervisory authority, which is the Croatian Personal Data Protection Agency. 

More information

 
 

HOW TO EXERCISE THESE RIGHTS?
If you wish to exercise these rights as a private individual, please provide your OIB number, first name and surname name when you submit your request for exercising the rights. 
If you wish to exercise your rights exclusively as a business entity, please specify the type of the business activity, OIB number and business entity’s court registration ID number on your request. 

You can exercise these rights by submitting a written request that will enable the unequivocal identification of you as a client, in person or by proxy in any RBA branch, and you can send the request by post to Raiffeisenbank  Austria  d.d., 10000 Zagreb, Magazinska 69 or by e-mail to the e-mail address: zastita-osobnih-podataka@rba.hr.

HOW TO ACCESS DATA IN THE OSR SYSTEM?
You exercise all rights in RBA, and you can also demand the right of access to personal data in writing at HROK d.o.o., Filipa Vukasovića 1, 10000 Zagreb, provided that the request contains your certified signature authenticated by a notary public in the Republic of Croatia or by the diplomatic or consular representation office of the Republic of Croatia.

QUESTIONS OR COMMENTS REGARDING THE PROCESSING OF PERSONAL DATA IN THE OSR SYSTEM
If you have any questions or comments regarding the processing of your personal data in the OSR system, you can contact our data protection officer by e-mail at the e-mail address: zastita-osobnih-podataka@rba.hr or in writing at: Raiffeisenbank  Austria  d.d., Službenik za zaštitu osobnih podataka (Personal Data Protection Officer), 10000 Zagreb, Magazinska 69.