We confirm that when processing your personal data, the Bank observes:
- egulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”),
- Law on Legal Protection of Personal Data of the Republic of Lithuania;
- Law on Electronic Communications of the Republic of Lithuania;
- Other legislation governing the protection of personal data;
- Instructions/recommendations of the supervisory authority and other competent authorities.
Terms and definitions
- Personal Data – any information, directly or indirectly related to you, which is received directly from you or from other sources and may be used to identify you.
- Processing – any operation which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or other destruction.
- Data Subject – you or any natural person (including the director/representative or the true beneficiary of a legal person), who is using/has expressed and intention to use the Bank’s services or is otherwise related to the Bank and/or the services provided by the Bank, and whose data is processed by the Bank.
What personal data do we process?
The Bank processes personal data of the following categories:
- Personal identity data, such as first name, last name, national identification number, date of birth, nationality, identity document data.
- Contact information, such as address, zip code, telephone number, e-mail address.
- Information related to education and professional activity, such as education, employment, position, economic commercial activity.
- Family information, such as marital status, number of dependents, heir information.
- Financial information, such as income and its source, information about your assets and bank accounts in other financial institutions, information about concluded transactions, expenses, loans and other financial obligations.
- Information about creditworthiness and its history, such as credit history, credit rating.
- Information related to the provision of Bank services, such as information about the services provided to you by the Bank and related data (e.g. bank account number), information about performance of/default on contracts, concluded transactions, current and expired contracts, submitted applications.
- Information needed to ensure the compliance with anti-money laundering and terrorist financing prevention requirements and implementation of international sanctions, such as information about whether you or your immediate family members and close associates are politically vulnerable/exposed individuals, information about true beneficiaries, information about business activities and parties to transactions, business relationship monitoring data.
- Information supporting the source of funds or transactions, i.e. proof of source of funds, invoices, sale and purchase contracts, service contracts, payment documents.
- Information needed to ensure compliance with the requirements applicable in tax administration, such as the country of residence for tax purposes, taxpayer identification number, date and place of birth.
- Information about you as the director/representative and true beneficiary of a legal person who is using/expressed an intention to use Bank services.
- Information about you as a manager/representative/employee of the Bank’s business partner, such as name, title, telephone number, email address.
- Visual data recorded by the Bank’s surveillance equipment during your visit in the Bank’s central office and customer service units.
- Information about recorded telephone conversations when calling the Bank’s contact centre, such as the caller’s telephone number, call metadata (date, time and duration of connection). The recorded telephone conversation includes the data provided by you during the telephone conversation.
- Information created and/or received during performance of a legal obligation, such as information received based on inquiries of courts, law enforcement agencies, notaries, bailiffs, lawyers and tax authority about the income, financial obligations, property and outstanding debt.
- Information provided or generated by the use of electronic means of communication, such as information provided by e-mail, on the website and social networks, information about traffic: the user’s IP address at the time of connection, operating system version and parameters of the device used to access content/services; login information: your session time and duration; and any information stored in cookies placed on your device.
- Data of individuals who have access to insider information of the Bank, such as name, surname, birth surname, work telephone number, function and reason for having access to insider information, date of birth, national identification number, personal telephone number, home address.
- Biometric data – your facial image, which is only processed if you intend to become a customer of the Bank remotely.
- The data you will provide to the Bank when reporting an infringement – under the Law on the Protection of Whistleblowers of the Republic of Lithuania or an infringement of the legislation regulating banking activities.
For what purposes do we process your personal data?
The Bank processes your personal data for the following purposes:
- personal identification and verification, implementing the Know-Your-Customer principle;
- determination and assessment of creditworthiness;
- credit risk assessment and management, including but not limited to implementation of the standard maximum loan per customer and a group of related customers;
- provision of financial services;
- fulfilment of contractual obligations;
- maintaining a relationship and communication with you;
- giving advice and assessment of your needs;
- ensuring compliance with anti-money laundering and terrorist financing prevention requirements and implementation of international sanctions;
- ensuring the quality of services and defence of Bank’s rights (recording of telephone conversations);
- ensuring the protection and safety of the Bank’s property (video surveillance);
- organisation and implementation of recruitment of employees and trainees;
- defence and protection of the Bank’s rights and legitimate interests;
- compiling and management of the list of individuals who have access to insider information;
- compiling and management of the list of persons holding managerial positions at the Bank and persons closely related to them, and administering the Bank’s notifications of transactions concluded/executed on your behalf in relation to the Bank’s financial instruments and publicly disclosing such transactions in accordance with the procedure established by the Bank of Lithuania;
- handling (conducting an investigation) of a possible violation of the Law on the Protection of Whistleblowers of the Republic of Lithuania or a violation of the legislation regulating banking activities in the Bank;
- direct marketing*;
- organising and conducting competitions and/or promotions for the Bank’s customers.
* Please be advised that you have the right to opt out of receiving direct marketing messages from the Bank by notifying the Bank of your decision at any customer service unit of the Bank, by clicking an active link “Do not send” in a received direct marketing email or by changing the direct marketing settings in the online banking system.
On what grounds do we process your personal data?
The Bank processes your personal data on the following legal grounds defined in the General Data Protection Regulation (EU) 2016/679:
- When subject to a legal obligation, i.e., the applicable legislation requires that the Bank process your personal data,
- In order to enter into and perform a contract with you;
- In pursuit of the Bank’s legitimate interests, unless your private interests are overriding (e.g. providing Bank services, recruitment of employees and trainees, credit risk assessment, management of your debt, dispute resolution, etc.);
- Your consent to the processing of your personal data.
- In the public interest.
Where do we get your personal data from?
- Received directly from you (provided when completing and submitting forms/inquiries/requests/claims/applications both at the central office and/or customer service unit of the Bank and in the online banking system, Bank's mobile app or website www.urbo.lt, calling the Bank’s contact centre or visiting the Bank’s premises),
- Obtained from other sources;
- Generated automatically to the extent provided by applicable legislation (when visiting the website and/or social network account, using mobile applications).
- other banks and financial institutions;
- state authorities and institutions (such as the Bank of Lithuania, the Ministry of Finance of the Republic of Lithuania, State Social Insurance Fund Board under the Ministry of Social Security and Labour of the Republic of Lithuania (SODRA), Statistics Lithuania (State Data Agency), National Paying Agency under the Ministry of Agriculture, Lithuanian Agricultural Advisory Service, State Enterprise Deposit and Investment Insurance, State Enterprise Centre of Registers, State Enterprise Regitra);
- courts and law enforcement agencies;
- other persons performing the functions assigned by legislation (e.g. notaries, lawyers, bailiffs, bankruptcy administrators);
- service providers administering joint debtor data (e.g. CreditInfo Lietuva UAB);
- insurance companies, insurance brokerage companies;
- credit intermediaries;
- other natural persons/their representatives, when they provide the data of related persons (through blood or marriage), co-debtors, guarantors, collateral providers, etc.;
- other natural persons/their representatives, when they provide the data of immediate family members or close associates, who hold or were holding (over the past year) a prominent public function;
- legal entities, if you are the director/representative, employee, authorised person, true beneficiary, etc. of a legal person;
- documents submitted to the Bank for performance of a contract or fulfilment of regulatory requirements which may contain personal data (e.g. property valuation certificates, extracts from registers, etc.);
- third parties and/or publicly available sources to the extent permitted by applicable legislation (e.g. LinkedIn social network).
Who do we transfer your personal data to?
The Bank may transfer your personal data to the following entities:
- State authorities and institutions, other persons performing the functions assigned by legislation (e.g., supervisory authorities, law enforcement agencies, tax administrator, bailiffs, notaries, lawyers),
- Other banks and financial institutions;
- Insurance companies, insurance brokerage companies;
- Companies in the Bank’s Group. Their full list is available on the Bank’s website: https://urbo.lt/en/subsidiaries;
- Auditors, legal and financial advisors;
- State registers (e.g. State Enterprise Centre of Registers, State Enterprise Regitra);
- Bank shareholders and their authorised representatives (such as legal and financial consultants);
- Bank’s successors;
- Collateral providers (e.g. guarantors, collateral lenders);
- Courts, extrajudicial dispute resolution bodies, bankruptcy administrators;
- Debt recovery companies, to which debt claims are transferred;
- Service providers administering joint debtor data (e.g. CreditInfo Lietuva UAB);
- Participants of national, European Union and international payment systems and other related persons (e.g. SWIFT);
- Other persons who provide services to the Bank or are related to the services provided by the Bank (e.g. information technology service providers, postal service providers, archiving service providers, credit intermediaries, etc.).
The Bank ensures that your personal data are transmitted strictly in accordance with applicable legislation. Service providers (processors) used by the Bank process your data only for strictly defined purposes, which are set out in personal data processing contract.
In which countries are your personal data processed?
Generally, your personal data are processed and stored in the territory of the European Union (EU) and the European Economic Area (EEA). However, in some cases, we may need to transfer your personal data to other countries outside the EU and EEA, or international organisations that may apply a lower-level data protection policy.
In such cases, the Bank will take all steps to ensure the security of transferred personal data.
The Bank may, in certain cases, transfer your personal data to countries outside the EU and EEA for the following reasons:
- such transfer of personal data is necessary for the provision of payment services in accordance with your contract with the Bank, e.g., when executing an international payment order at your request, the personal data may be transferred to a correspondent bank based in China or to a money remittance company based in the United States;
- the software service provider (data processor) engaged by the Bank is located outside the EU and EEA, for example, in the United Kingdom of Great Britain and Northern Ireland (UK), and the transfer of data is necessary to ensure the proper provision of services in accordance with the contract between the Bank and the service provider.
The Bank transfers personal data to countries outside the EU and EEA, or to international organisations, if one of the following security measures is applied:
- the contract is signed with the recipient of personal data based on Standard Contractual Clauses approved by the European Commission;
- the recipient of personal data must be located in a country recognized by decision of the European Union as applying adequate data protection standards;
- a permission from State Data Protection Inspectorate must be obtained.
The current list of countries that are not members of the EU and EEA, but have been recognised by a decision of the European Commission as having adequate standards for the protection of personal data, is available on the European Commission’s website: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_lt.
In order to ensure the protection of its assets and the security of the Bank’s employees and customers, the Bank carries out video surveillance. Locations where video surveillance is carried out are marked with special information signs.
The video surveillance data are recorded and stored for a minimum of thirty (30) and a maximum of ninety (90) days. If the video surveillance data are necessary for the Bank’s internal investigation, are/shall be used as evidence in a civil, administrative or criminal case or in other cases established by the legal acts of the Republic of Lithuania, the video surveillance data shall be stored to the extent necessary to achieve these purposes.
Profiling and automated decision making
In certain cases, the Bank carries out profiling and makes decisions by automated means:
- If you have given consent to the processing of personal data for direct marketing purposes and have not withdrawn such consent, the Bank profiles your personal data, i.e., performs automated processing of personal data to evaluate certain personal aspects related to you, in particular to analyse your interests, behaviour, movement, economic situation, and payment habits with the purpose of anticipating your needs more accurately and provide you with offers, services and/or products that best suit your interests.
- he Bank uses profiling for analysis and assessment by making automated decisions related to, for example, assessment of creditworthiness and credit risk management. Your credit rating is determined using information systems and algorithms and is used as a basis for making a decision on provision of financial services. If you do not agree with the decision taken by automated means, you have the right to demand the involvement of a Bank employee, express your position, receive an explanation of the decision and challenge the decision.
- In order to ensure the implementation of anti-money laundering and terrorist financing prevention measures, the Bank carries out profiling and assigns you a risk category according to the risk associated with you, the risk of products, services and/or operations, risk of a country and/or geographical region, and the risk of the main economic activity. Depending on the assigned risk category, the available intensity of use of Bank services and the periodicity of updating your information may vary.
What personal data processing principles do we adhere to?
When processing personal data, the Bank adheres to the following principles:
- Your personal data are collected and processed for explicit and legitimate purposes, established prior to beginning of the processing, and not further processed in a manner that is incompatible with those purposes (the purpose limitation principle).
- Your personal data are processed fairly, lawfully and transparently, with your consent or on other legitimate basis for personal data processing (the principle of lawfulness, fairness and transparency).
- Your personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the data minimisation principle).
- Your personal data are accurate and, if necessary for personal data processing, updated on a regular basis. Personal data that are inaccurate or incomplete are rectified, supplemented, deleted or their processing is suspended. All reasonable steps are taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of accuracy).
- Your personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data have been collected and are processed (the principle of storage limitation).
- Your personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of integrity and confidentiality).
How do we protect your personal data?
When processing your personal data, we implement various organisational and technical measures to protect your personal data against accidental or unlawful destruction, alteration, disclosure as well as from any other unauthorised form of processing. The Bank requires that the processors used by the Bank for the processing of your personal data or which have access to your personal data when providing services to the Bank take appropriate technical and organisational measures, which would ensure the security and integrity of your personal data.
However, please note that even though we take appropriate steps to protect your personal data, no website or e-mail can guarantee complete security due to reasons beyond the control of the Bank. Therefore, you should be careful and assume the risk associated with providing personal data to the Bank on the website or by e-mail.
How long do we keep your personal data?
We store your personal data for not longer than it is necessary to achieve the stated purpose. Once the set objective is achieved, your personal data are deleted, unless the applicable legislation requires that the Bank store the data for the time period prescribed by such legislation. Once this period expires, the data are deleted/destroyed so that they cannot be reproduced. Specific personal data retention periods depend on the legal grounds for processing of your personal data.
Cookies, alerts and other similar technologies
What are your rights?
You, as the data subject whose personal data is processed by the Bank, have the following rights:
- The right to know/be informed about the processing of your data (the right to know).
- The right to access your personal data and receive information about how it is processed (the right to access).
- The right to request rectification or supplementation of incomplete personal data, taking into account the purposes of personal data processing (the right to rectification).
- The right to object to the processing of your personal data, if the processing of your personal data is based on your consent.
- The right to request that the processing of your personal data be restricted for a legitimate reason (the right to restrict).
- The right to withdraw consent to the processing of your personal data. Such withdrawal of consent shall not affect the data processing carried out prior to withdrawal of such consent.
- The right to request that your personal data be deleted/destroyed (the right to be forgotten), where such data are processed on the basis of your consent. This right does not include the cases where you request to delete your personal data, which are processed by the Bank on other legal grounds, for example, where the processing of personal data is necessary to conclude/perform a contract or subject to a legal obligation.
- The right to object to be subject to fully automated decision, if such decision has legal consequences or similar significant effect.
- The right to data portability.
- The right to file a complaint with the State Data Protection Inspectorate, if you believe that your personal data has been processed in violation of your rights and legitimate interests in the field of personal data protection. More information is available at www.vdai.lrv.lt.
The Bank provides the opportunity to exercise the above rights upon identification and verification of your identity. You can exercise your rights by submitting a written request to the Bank at any of the Bank’s customer service units, by mail to Konstitucijos Ave. 18B, LT-09308 Vilnius, by email to [email protected] (when the request is sent by email, it must be signed with a qualified electronic signature) or through the Bank’s online banking system, and, in certain cases, by using certain links provided at the bottom of the promotional content provided by the Bank.