Data protection refers to rules, practices, and measures established to protect personal data.

Personal data includes information relating to natural persons:

• Who can be identified or who are identifiable directly from the information in question; or
• Who can be indirectly identified from that information in combination with other information such as date of birth.

Personal data may also include special categories of personal data or criminal conviction and offences data.

Find more information about the categories of personal data that the Bank processes in Privacy Policy https://procreditbank-kos.com/eng/privacy-policy/.

Law no. 06/L-082 on Protection of Personal Data determines the rights, responsibilities, principles, and punitive measures in regard to protection of personal data and privacy of individuals.

Data of legal entities such as name and surname, email address, financial data, and others do not classify as personal data according to Law on Protection of Personal Data.

This Law does not apply to personal data of deceased persons.

“Processing” is a broad term that covers just about anything you can do with data: collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

Implementation of Law on Protection of Personal Data is enforced by the Information and Privacy Agency (Agency).

Find more information about the Agency in https://aip.rks-gov.net/.

The data controller is any natural or legal person, organization, public authority, or other body which determines which personal data is collected and the purposes of the processing. ProCredit Bank is the data controller of the personal data provided by natural persons when they are using the services that the Bank offers.

The data processor is any natural or legal person or organization which processes personal data for and on behalf of data controller. Examples of typical data processor services include third party data storage, data analytics, or software companies.

Law on Protection of Personal Data sets out seven principles for the lawful processing of personal data. These principles should be considered in every data processing activity.

1. Lawfulness, justice and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

The lawful basis for processing are set out in Article 5 of Law on Protection of Personal Data. At least one of these must apply whenever the Bank processes your personal data:

• Consent: you have given clear consent to process personal data for a specific purpose.

• Contract: the processing is necessary for a contract you have with the Bank, or because you have asked the Bank to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary to comply with the law such as reporting to authorities.
• Vital interests: the processing is necessary to protect your life.
• Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of the Bank, unless there is a good reason to protect your personal data which overrides those legitimate interests.

Data Protection Officer (DPO) is responsible for understanding the Law and ensuring Bank’s compliance. The DPO is the main point of contact for the Agency.

You can contact Bank’s Data Protection team at kos.dpo@procredit-group.com.

Law on Protection of Personal Data provides the following rights for individuals:

• The right to be informed about the collection and use of your personal data
• The right of access and receive a copy of your personal data
• The right to rectification of inaccurate personal data or completed if it is incomplete
• The right to erasure your personal data. This right is not absolute and only applies in certain circumstances.
• The right to restrict processing of your personal data. This right is not absolute and only applies in certain circumstances.
• The right to data portability to transfer personal data. This right only applies to information you have provided to the Bank.
• The right to object processing of your personal data.
• Rights in relation to automated decision making and profiling.

The right to data protection is not an absolute right. It must always be balanced against other values, fundamental rights, human rights, or public and private interests and there may be circumstances under which the Bank may have grounds to refuse your request to exercise your data protection rights.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.