Privacy notice no. 26
Last Updated and effective date: May 03, 2025
In order to be compliant with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), Bank Handlowy w Warszawie S.A. (the “Bank”) hereby informs You about the rules of processing Your personal data and about Your rights related to it.
The following rules are applicable from 25 May 2018.
If You have any questions regarding manners and scope of processing of Your personal data by the Bank, as well as regarding Your rights, please contact the Bank on the address ul. Senatorska 16, 00-923 Warsaw (Poland), or the data protection officer at the Bank via email (daneosobowe@bankhandlowy.pl) or post (address: ul. Senatorska 16, 00-923 Warsaw).
The data controller of Your personal data is Bank Handlowy w Warszawie S.A. with its registered office in Warsaw at ul. Senatorska 16.
1. The Bank processes Your personal data for purposes of taking steps aiming to commence a cooperation between the Bank and You and for purposes of executing such cooperation to the extent necessary to perform the agreement (Art. 6.1.b of the GDPR), and additionally:
a) if applicable, for the purpose of verifying Your clean criminal record pursuant to the Act of 12 April 2018 on the rules of obtaining information on clean criminal record of applicants and persons employed in financial sector;
b) if applicable, for purposes of registering You (and Your family members) for social security pursuant to the Article 36 of the Polish Act of 13 October 1998 on the social security system;
c) if applicable, for purposes of registering You (and Your family members) for health care insurance according to principles stipulated in the Polish Act of 27 August 2004 on health services financed through public funds (the so-called “Health Act”);
d) if applicable, for purposes related to ensuring health and safety at work pursuant to the Article 304 of the Polish Labor Code;
e) for purposes of responding to letters, motions, inquiries, and requests to inspect documentation related to the cooperation with You, originating from authorities legitimized under law or from entities You authorized in this regard;
f) for purposes of paying remuneration and settling other payments and costs related to exercising agreement, including tax settlements, as well as to make public and legal settlements with the Polish Tax Office, the Polish Social Insurance Institution, the Polish State Fund for Rehabilitation of Disabled (if applicable) and other authorities;
g) for purposes of being compliant with legal obligations borne by the Bank in relation with conducting banking activities or brokerage, including:
i. related to counteracting abuses and taking advantage of the Bank’s activity for criminal purposes pursuant to the Article 106d and subsequent of the Polish Banking Law;
ii. related to receiving and processing notifications on violations of law and ethical procedures and standards, including pursuant to the Article 9.2a-9.2b of the Polish Banking Law;
iii. resulting from the Act of March 1, 2018, on counteracting money laundering and financing of terrorism (the so-called "AML Act"), in particular art. 117-118 of this Act;
iv. if applicable to You, related to monitoring of correspondence with the Bank and transactions / orders on basis of the Regulation (EU) 2016/1011 on benchmarks and Regulation (EU) 596/2014 on market abuse (Market Abuse Regulation, the “MAR Regulation”), as well as in accordance with relevant sector-specific codes relevant for institutions of the banking sector (e.g. Code of Conduct for WIBID and WIBOR fixing participants);
v. if applicable, related with monitoring and recording of phone calls and electronic communications with the Bank on basis of the Polish Act of 29 July 2005 on trading in financial instruments;
vi. related to reporting to authorities, including supervisory authorities, and to other entities to which the Bank is required to report on the basis of applicable law, in particular pursuant to provisions of Polish Banking Law;
vii. related to handling actions and complaints related to services provided by the Bank on basis of the Article 5 of the Act of 5 August 2015 on handling of complaints by financial market organizations and on the Financial Ombudsman, as well as other requests, motions and inquiries addressed to the Bank.
2. Moreover, in certain situations it might be necessary to process Your personal data due to necessity to pursue legitimate interests by the Bank (the Article 6.1.f of the GDPR), in particular but not limited to:
a) for purposes related to IT service and ensuring IT and information security at the Bank, including in particular management of mobile devices, administration of accesses and authorizations to systems and applications, ensuring the Bank's continuity of business and quality management of data held by the Bank;
b) for purposes related to ensuring the physical security of the Bank, its branches and facilities, including in particular in the scope of internal and external video monitoring and recording of entering and leaving persons;
c) for purposes related to management of Your assessments and performance results of the cooperation, and issues related to remuneration for provided services;
d) if applicable, for purposes related to management and handling of car fleet and the Bank’s parking slots;
e) if applicable, for purposes related to organization and management of trips within the provision of services for the Bank by You;
f) for purposes of preventing mobbing and discrimination within the Bank’s organizational structure;
g) for purposes related with monitoring and improving quality of products and services provided by the Bank, including, if applicable for You, monitoring of telephone conversations and meetings with the Bank, surveying Clients’ satisfaction from provided services and evaluation of sale results;
h) for purposes of monitoring of activity of employees and contractors of the Bank in scope of received benefits, conflicts of interests or violation of ethics;
i) for purposes related to organization and administration of activity of the Bank and entities from the Citigroup capital group, including in order to conduct internal communication (including intranet system “Źródło”) within Bank and within Citigroup, in particular for purposes related to Your presence and activity on the Citi Collaborate intranet forum;
j) for purposes related to integration activities for employees and contractors of the Bank, including the organization of events and integration trips, and for purposes related to the organization of the so-called "non-sale contests”;
k) for purposes related with risk management and internal control of the Bank on basis of the Article 9 and subsequent of the Polish Banking Law;
l) if applicable, for purposes related to litigation, as well as pending state authorities proceedings and other proceedings, including for purposes of pursuing and defending against claims;
m) if applicable, for purposes of internal reporting within the Bank or within Citigroup, including management reporting or as a part of performance of Bank's obligations specified in the agreements with entities from the Citigroup;
n) if applicable for You, for purposes related to exercising the principle of corporate social responsibility by the Bank and its employees and persons cooperating with it, e.g. through participation in volunteering within the Kronenberg Foundation and within other employee initiatives;
o) if applicable for You, for purposes related to business development, cooperation with suppliers, consultants, contractors and clients, and improving the Bank's image, including, in particular, for purposes related to organization and participation in conferences and press appearances, participation in events and also broader advertising and promotional activities of the Bank;
p) if applicable, for purposes of monitoring reasons of cooperation termination;
q) if applicable, for purposes of Your eventual employment in the Bank or commencing a cooperation in different form, after termination of previous cooperation;
r) if applicable, for purposes of eventual employing You in other entities from Citigroup;
s) for other legitimate purposes related to the management of the Bank's human resources.
3. In other cases, Your personal data will be processed only on basis of previously given consent to the extent and for purposes specified in consent’s content.
Providing personal data by You is a condition for establishing and performing the agreement between You and the Bank, and results from the abovementioned law provisions. In scope of realization of purposes specified in p. II.2 above, providing personal data might be necessary to pursue purposes resulting from abovementioned legitimate interests of the Bank.
The failure to provide all required personal data by You will be a hindrance for commencing cooperation and for providing services for the Bank.
To the extent, where personal data are being collected on basis of consent, providing personal data is voluntary.
With regard to processing of Your personal data for purposes mentioned in p. II, Your personal data might be shared with the following recipients or categories of recipients:
a) state authorities and entities performing public tasks or acting at the direction of state authorities, to the extent and for purposes, which results from law provisions, e.g. the Polish Financial Supervision Authority (KNF), the Polish Tax Office; the Social Insurance Institution (ZUS);
b) entities affiliated with the Bank, including within Citigroup, during performing reporting obligations;
c) entities performing tasks resulting from law provisions, such as business information offices;
d) entities participating in processes necessary for exercising agreements with client, including Krajowa Izba Rozliczeniowa S.A (KIR), Visa, Mastercard, First Data Polska;
e) clients, suppliers and contractors of the Bank, as well as third parties in relations with the Bank to the extent and for the purposes necessary to perform obligations arising from Your cooperation with the Bank, including for contact purposes on behalf of and for the Bank;
f) entities supporting Bank in its business processes and banking operations, including data processors on behalf of the Bank;
g) the Polish Bank Association and other organizations associating financial market institutions.
Your personal data will be processed for the period necessary for the realization of the purposes indicated in p. II, i.e. to the extent of exercising the agreement concluded between You and the Bank, for the period until the end of its exercising, and after this time for the period and to the extent required by law provisions or for pursuing the data controller’s legitimate interests by the Bank in the scope stipulated in p. II.2 above, and in case where You have given a consent for processing personal data after termination or expiration of the agreement, until withdrawal of such consent.
Your personal data will not be used for profiling You or for automated decision-making in relation to You.
The Bank wishes to assure You that all persons whose personal data are being processed by the Bank are entitled to exercise their rights resulting from the GDPR. Accordingly, You are entitled to the following rights:
1. right of access to the personal data, including a right to obtain a copy of such data;
2. right to obtain the rectification (correction) of the personal data – in case when such data are inaccurate or incomplete;
3. right to obtain the erasure of the personal data (so called “right to be forgotten”) – in case when: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, (ii) the data subject objects to the processing, (iii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased for compliance with a legal obligation;
4. right to obtain the restriction of processing of personal data – in case, when: (i) the accuracy of the personal data is contested by the data subject; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead, (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, defense or exercise of claims, (iv) the data subject has objected to processing of the personal data - pending the verification whether the legitimate grounds of the controller override those of the data subject;
5. right to receive or transmit the personal data in case when: (i) the processing is based on agreement concluded with data subjects or on consent expressed by such person, and (ii) the processing is carried out by automated means;
6. right to object to processing of personal data, including profiling, when (i) grounds relating to Your particular situation arise, (ii) processing of personal data is based on necessity to pursue purposes resulting from legitimate interests of the Bank, referred to in p. II.2 above.
To the extent, where You have given a consent for processing of personal data, You are entitled to withdraw such consent for processing of personal data. Withdrawal of consent shall not affect the lawfulness of processing conducted based on consent before its withdrawal.
In case You find processing of Your personal data by the Bank as infringing the GDPR provisions, You are entitled to lodge a complaint to relevant supervisory authority.
The Bank in justified and necessary cases might, given the circumstances, share Your personal data with entities situated outside the EEA, i.e. USA, Singapore, India, China, Hong Kong, Canada and United Kingdom, and international organizations (e.g. SWIFT), as well as with other entities situated outside the EEA, or international organizations, to which the transfer is necessary in order to exercise an agreement (e.g. in order to exercise Your order). In general, the transfer of data outside the EEA shall take place on the basis of standard data protection clauses concluded with the recipient of the data, the content of which has been adopted by the European Commission and which guarantee the highest standards of personal data protection applied on the market.
To the extent of the realisation of purposes related to the execution of the agreement concluded with You and the management of human resources, as well as to the organization and administration of the activity of the Bank and Citigroup entities, including for the purpose of internal communication within the Bank and the Citigroup, the Bank may disclose Your personal data to entities from Citigroup based outside the EEA. In general, the transfer of data outside the EEA will take place on the basis of binding corporate rules between the Bank, the use of which has been approved by GIODO (the GIODO decision No. DESiWM / DEC-1252813 of 9 December 2013) and other EU supervisory authorities (under consistency mechanism) and which guarantee the highest standards of personal data protection applied on the market.
You have a right to obtain a copy of abovementioned standard contractual clauses (or other appropriate safeguards for transfer outside EEA) via the Bank.