Privacy policy
1. General provisions
This Privacy Policy sets out and explains how Urbo Bankas UAB (the “Bank”) collects and processes your personal data.
The purpose of this Privacy Policy is to inform you about the ways your personal data are collected and processed and to ensure a fair and transparent process of personal data processing in the Bank.
It is very important that you carefully read this Privacy Policy, because its terms and conditions will apply every time you use/express an intention to use the Bank’s services at the Bank’s customer service units or in the internet banking system, Bank’s mobile application, browse the Bank’s website www.urbo.lt, visit the Bank’s premises, call the Bank’s contact centre and in other cases, where your data are processed.
We confirm that when processing your personal data, the Bank observes:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR);
- Law on Legal Protection of Personal Data of the Republic of Lithuania;
- Law on Electronic Communications of the Republic of Lithuania;
- Other legislation governing the protection of personal data;
- Instructions/recommendations of the supervisory authority and other competent authorities.
The Bank may amend this Privacy Policy in the future. Therefore, we recommend that you review it from time to time.
2. Terms and definitions
The terms used in this Privacy Policy will be understood as follows:
- Personal Data – any information, directly or indirectly related to you, which is received directly from you or from other sources and may be used to identify you.
- Processing – any operation which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or other destruction.
- Data Subject – you or any natural person (including the director/representative or the beneficial owner of a legal entity), who is using/has expressed an intention to use the Bank’s services or is otherwise related to the Bank and/or the services provided by the Bank, and whose data are processed by the Bank, including the visitors of the Bank’s accounts on social networks.
Other terms used in this Privacy Policy will be understood as they are defined in the GDPR and other legislation governing the protection of personal data.
3. What personal data do we process?
The Bank processes personal data of the following categories:
- Personal identity data, such as first name, last name, national identification number, date of birth, nationality, identity document data.
- Contact information, such as address, zip code, telephone number, email address.
- Data related to education and professional activities, such as education, workplace, length of service in the current job, type of employment contract (fixed-term/indefinite), current position, economic-commercial activity.
- Family information, such as marital status, number of dependants, heir information.
- Social media account data, such as name, surname/company name, profile picture and other information made publicly available on your social media (e.g., Facebook) account.
- Financial information, such as income and its source, information about your assets and bank accounts in other financial institutions, information about concluded transactions, expenses, loans and other financial obligations.
- Information about creditworthiness and its history, such as credit history, credit rating.
- Information related to the services provided by the Bank, such as information about the services provided to you by the Bank and related data (e.g., bank account number), information about performance of/default on contracts, concluded transactions, current and expired contracts, submitted applications.
- Data necessary to comply with anti-money laundering, anti-terrorist financing and anti-fraud requirements and to enforce international sanctions, such as data on whether you, your close family members and close associates are politically exposed persons, data on the beneficial owners, data on the activities carried out and the parties to transactions, data on the monitoring of the business relationship, data on the documentation supporting a monetary operation or transaction and other data necessary for the implementation of the Know Your Customer principle and the monitoring of business relationships and transactions.
- Information needed to ensure compliance with the requirements applicable in tax administration, such as the country of residence for tax purposes, taxpayer identification number, date and place of birth.
- Information about you as the director/representative and beneficial owner of a legal entity who is using/has expressed an intention to use Bank services.
- Information about you as a manager/representative/employee of the Bank’s business partner, such as your name, surname, job title, telephone number, email address.
- Video data captured by the Bank’s video surveillance equipment when you visit the premises of the Bank’s head office and the Bank’s customer service units (locations where video surveillance is carried out are marked with special information signs).
- Information about recorded telephone conversations when calling the Bank’s contact centre, such as the caller’s telephone number, call metadata (date, time and duration of connection). The recorded telephone conversation includes the data provided by you during the telephone conversation.
- Data obtained from public authorities, such as information received based on inquiries of courts, law enforcement agencies, notaries, bailiffs, lawyers and tax authority about the income, financial obligations, property and outstanding debt.
- Information provided or generated while using electronic means of communication, such as information provided by email, on the website and social networks, traffic data: the user’s IP address at the time of connection, operating system version and parameters of the device used to access content/services; login information: your session time and duration; and any information stored in cookies that we have set up on your device.
- Data of individuals who have access to insider information of the Bank, such as name, surname, surname at birth, work telephone number, function and reason for having access to insider information, date of birth, national identification number, personal telephone number, home address.
- Biometric data – an image of your face, which is processed only if you intend to become a customer of the Bank by remote means.
- The information you will provide to the Bank when submitting a breach report under the Law on the Protection of Whistleblowers of the Republic of Lithuania or a notification of a violation of legal acts regulating banking activities.
4. For what purposes do we process your personal data?
The Bank processes your personal data for the following purposes:
- personal identification and verification, implementing the Know-Your-Customer principle;
- determination and assessment of creditworthiness;
- credit risk assessment and management, including but not limited to implementation of the standard maximum loan per customer and a group of related customers;
- provision of financial services;
- entering into contracts and fulfilling contractual obligations;
- maintaining a relationship and communicating with you;
- giving advice and assessment of your needs;
- compliance with anti-money laundering, anti-terrorist financing and anti-fraud requirements and enforcement of international sanctions;
- ensuring compliance with tax administration requirements;
- ensuring the quality of services and defence of Bank’s rights (recording of telephone conversations);
- ensuring the protection and safety of the Bank’s property (video surveillance);
- organisation and implementation of recruitment of employees and trainees;
- defence and protection of the Bank’s rights and legitimate interests;
- compiling and management of the list of individuals who have access to insider information;
- compiling and maintaining a list of persons holding managerial positions in the Bank and persons closely related to them, as well as the administration by the Bank of notifications of transactions concluded/executed for your benefit in relation to the Bank’s financial instruments and public disclosure of the said transactions in accordance with the procedure established by the Bank of Lithuania;
- examining (conducting an investigation into) a possible breach under the Law on the Protection of Whistleblowers of the Republic of Lithuania or a violation by the Bank of legal acts regulating banking activities;
- direct marketing*;
- organising and running competitions and/or promotions for the Bank’s customers;
- debt management and recovery.
*Please be advised that you have the right to opt out of receiving direct marketing messages from the Bank by notifying the Bank of your decision at any customer service unit of the Bank, by clicking on an active opt-out link or by changing the direct marketing settings in the online banking system.
5. On what grounds do we process your personal data?
The Bank processes your personal data on the legal grounds defined in the GDPR:
- when subject to a legal obligation, i.e., the applicable legislation requires that the Bank process your personal data,
- in order to enter into and perform a contract with you,
- in pursuit of the Bank’s legitimate interests, unless your private interests are overriding (e.g., providing Bank services, recruitment of employees and trainees, credit risk assessment, management of your debt, dispute resolution, etc.),
- your consent to the processing of your personal data,
- in the public interest.
6. Where do we get your personal data from?
The Bank processes your personal data, which are:
- received directly from you (when you fill in and submit forms/enquiries/requests/claims/applications both at the Bank’s head office and/or customer service unit of the Bank, in the online banking system, mobile application of the Bank or on the Bank’s website at www.urbo.lt, when you post a query or comment on the Bank’s social media accounts or participate in the Bank’s competitions/games organised there, when you call the Bank’s contact centre or when you visit the Bank’s premises);
- obtained from other sources;
- generated automatically to the extent provided by applicable legislation (when visiting the website and/or social network account, using mobile applications).
Please note that if you provide personal data of other persons related to you (e.g., family members, company employees, shareholders, surety, etc.), you are required to inform those persons of the processing of their personal data by the Bank and to make them aware of this Privacy Policy.
The Bank obtains your personal data from other sources, such as:
- other banks and financial institutions;
- public institutions and bodies (e.g., the Bank of Lithuania, the Ministry of Finance of the Republic of Lithuania, the State Social Insurance Fund Board under the Ministry of Social Security and Labour (SODRA), the State Data Agency, the National Paying Agency under the Ministry of Agriculture, the Lithuanian Agricultural Advisory Service, the Public Body Deposit and Investment Insurance, the State Enterprise Centre of Registers, Regitra AB);
- courts and law enforcement authorities;
- other persons exercising functions entrusted to them by law (e.g., notaries, lawyers, bailiffs, bankruptcy administrators);
- service providers managing joint debtors’ databases (e.g., Creditinfo Lietuva UAB);
- insurance companies, insurance broking undertakings;
- credit intermediaries;
- other natural persons/their representatives, when they provide details of persons related to them by blood or affinity, co-debtors, sureties, collateral providers, etc.;
- other natural persons/their representatives, when they provide information on close family members or close associates who hold or have held (within the last one year) a prominent public function;
- legal entities, if you are the director/representative, employee, authorised person, beneficial owner, etc. of the legal entity;
- documents submitted to and intended for the Bank in the performance of the contract or legal requirements, which may contain Personal Data (e.g., property valuation certificates, extracts from registers, etc.);
- third parties and/or publicly available sources to the extent permitted by applicable legislation (e.g., LinkedIn social network).
7. Who do we transfer your personal data to?
The Bank may transfer your personal data to the following entities:
- public authorities and institutions, other persons exercising functions entrusted to them by law (e.g., supervisory authorities, law enforcement authorities, tax administrator, bailiffs, notaries, lawyers);
- other banks and financial institutions;
- insurance companies, insurance broking undertakings;
- companies in the Bank Group. Their full list is available on the Bank’s website at https://urbo.lt/lt/dukterines-imones;
- auditors, legal and financial advisors;
- state registers (e.g., State Enterprise Centre of Registers, Regitra AB);
- the Bank’s shareholders and their authorised representatives (e.g., legal and financial advisors);
- successors to the Bank’s rights and obligations;
- the persons who provided the collateral (e.g., guarantors, collateral providers or sureties);
- courts, out-of-court dispute resolution bodies and bankruptcy administrators;
- debt recovery companies to which claims on debts are assigned;
- service providers managing joint debtors’ databases (e.g., Creditinfo Lietuva UAB);
- participants in national, European Union and international payment systems and other related parties (e.g., SWIFT);
- other persons who provide services to the Bank or are related to the services provided by the Bank (e.g., information technology service providers, postal service providers, archiving service providers, credit intermediaries, etc.).
The Bank ensures that your personal data are transmitted strictly in accordance with applicable legislation. Service providers (processors) used by the Bank process your personal data only for strictly defined purposes, which are set out in personal data processing agreements.
8. In which countries are your personal data processed?
Generally, your personal data are processed and stored in the territory of the European Union (EU) and the European Economic Area (EEA). However, in some cases, we may need to transfer your personal data to other countries outside the EU and EEA, or international organisations that may have a lower level of data protection policy. In such cases, the Bank will take all steps to ensure the security of transferred personal data.
The Bank may, in certain cases, transfer your personal data to countries outside the EU and EEA for the following reasons:
- such transfer of personal data is necessary in order to provide payment services in accordance with your agreement with the Bank, e.g., to execute an international payment order at your request, the personal data may be transferred to a correspondent bank located in China or to a money remittance company in the United States;
- the software service provider (processor) engaged by the Bank is located outside the EU and EEA, for example, in the United Kingdom of Great Britain and Northern Ireland (UK), and the transfer of the data is necessary to ensure the proper provision of services in accordance with the agreement entered into between the Bank and the service provider.
The Bank transfers personal data to countries outside the EU and EEA, or to international organisations, if one of the following security measures is applied:
- the contract is signed with the recipient of personal data based on Standard Contractual Clauses approved by the European Commission;
- the recipient of personal data is located in a country recognised by a decision of the European Commission as applying adequate data protection standards;
- a permission has been obtained from the State Data Protection Inspectorate in accordance with the procedure established by the legal acts in force in the Republic of Lithuania.
The current list of countries that are not members of the EU and the EEA, but have been recognised by a decision of the European Commission as having adequate standards for the protection of personal data, is available on the European Commission website at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?prefLang=lt .
If you would like to receive more information about the Bank's transfer of personal data to specific recipients outside the EU and EEA, you may submit a request to the Bank’s Data Protection Officer at the contact details provided in this Privacy Policy.
9. Profiling and automated decision making
In certain cases, the Bank carries out profiling and makes decisions by automated means:
- If you have given consent to the processing of personal data for direct marketing purposes and have not withdrawn such consent, the Bank profiles your personal data, i.e., performs automated processing of personal data to evaluate certain personal aspects related to you, in particular to analyse your interests, behaviour, movement, economic situation, and payment habits with the purpose of anticipating your needs more accurately and providing you with offers, services and/or products that best suit your interests.
- The Bank uses profiling for analysis and assessment by making automated decisions related to, for example, assessment of creditworthiness and credit risk management. Your credit rating is determined using information systems and algorithms and is used as a basis for making a decision on provision of financial services. If you do not agree with the decision taken by automated means, you have the right to demand the involvement of a Bank employee, express your position, receive an explanation of the decision and challenge the decision.
- To ensure the implementation of anti-money laundering and terrorist financing prevention measures, the Bank carries out profiling and assigns you a risk category according to the risk associated with you, the risk of products, services and/or operations, risk of a country and/or geographical region, and the risk of the main economic activity. Depending on the assigned risk category, the available intensity of use of Bank services and the periodicity of updating your information may vary.
10. What personal data processing principles do we adhere to?
When processing personal data, the Bank adheres to the following principles:
- Your personal data are collected and processed for explicit and legitimate purposes, established prior to beginning of the processing, and not further processed in a manner that is incompatible with those purposes (the purpose limitation principle).
- Your personal data are processed fairly, lawfully and transparently, with your consent or on other legitimate basis for personal data processing (the principle of lawfulness, fairness and transparency).
- Your personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the data minimisation principle).
- Your personal data are accurate and, if necessary for personal data processing, updated on a regular basis. Personal data that are inaccurate or incomplete are rectified, supplemented, deleted or their processing is suspended. All reasonable steps are taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of accuracy).
- Your personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data have been collected and are processed (the principle of storage limitation).
- Your personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of integrity and confidentiality).
11. How do we protect your personal data?
When processing your personal data, we implement various organisational and technical measures to protect your personal data against accidental or unauthorised destruction, alteration, disclosure as well as from any other unauthorised form of processing. The Bank requires that the processors used by the Bank for the processing of your personal data, or which have access to your personal data when providing services to the Bank, take appropriate technical and organisational measures, which would ensure the security and integrity of your personal data.
However, please note that even though we take appropriate steps to protect your personal data, no website or email can guarantee complete security due to reasons beyond the control of the Bank. Therefore, you should be careful and assume the risk associated with providing personal data to the Bank on the website or by email.
12. How long do we retain your personal data?
We retain your personal data for no longer than is necessary to achieve the stated purpose. Once the purpose has been achieved, your personal data will be deleted, except in cases where the Bank is obliged by applicable law to retain personal data for the period specified in such law. Once this period expires, the data are deleted/destroyed so that they cannot be reproduced. Specific personal data retention periods depend on the legal grounds for processing of your personal data.
Basic retention periods for personal data:
- in the case of the conclusion and performance of an agreement, the agreement will be retained for a period of ten (10) years after the end of the agreement;
- personal data provided in the credit application in the absence of a subsequent agreement will be retained for a period of three (3) years from the date of the decision to refuse the financial service;
- for the purposes of implementing the anti-money laundering and anti-terrorist financing requirements, copies of identity documents of the customer, identity data of the beneficiary, other data obtained in the course of the identification of the customer, documents relating to accounts and/or agreements will be retained for a period of eight (8) years from the date of termination of transactions or business relationship with the customer. Correspondence relating to the business relationship with the customer will be retained for a period of five (5) years from the date of termination of transactions or business relationship with the customer, either in hard copy or in electronic format. Retention periods may be further extended for a maximum of two (2) years.
- Visual data will be recorded and retained for a minimum of thirty (30) and a maximum of ninety (90) days.
Please also note that in certain cases, your personal data may be retained for a longer period of time, if:
- this is necessary to enable the Bank to defend itself against claims, demands or actions and to exercise its rights;
- there are reasonable grounds for suspecting an unlawful act that is the subject of an investigation;
- the personal data are necessary for the proper resolution of a dispute, complaint or internal investigation;
- on other grounds provided for by law.
13. Cookies, alerts and other similar technologies
When you visit the Bank’s website www.urbo.lt, we want to provide you with information and features that are tailored to your needs. This requires the use of cookies. Cookies are small information elements stored on your web browser. They help the Bank to recognise you as a previous visitor to the Bank’s website, to store the history of your visit to the website and to tailor the content accordingly. Cookies also help the Bank to ensure smooth functioning of the Bank’s website, allow monitoring the duration and frequency of the visits to the website and collecting statistical information on the number of visitors to the website. Analysis of such data helps us improve the Bank’s website and make it more comfortable for your use.
For more details on the Cookie Policy, please visit the Bank’s website www.urbo.lt.
14. What rights do you have?
You, as the data subject whose personal data are processed by the Bank, have the following rights:
- the right to know/be informed about the processing of your data (right to know);
- the right to access your data and to know how they are processed (right of access);
- the right to obtain rectification of inaccurate personal data or, taking into account the purposes of the processing, the right to have incomplete personal data completed (right to rectification);
- the right to object to the processing of your personal data if the processing of your personal data is based on your consent;
- the right to obtain the restriction of the processing of your personal data on one of the legitimate grounds (right to restriction of processing);
- the right to withdraw consent to the processing of your personal data. Such withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- the right to request that your personal data be deleted/destroyed (right to be forgotten), where such data are processed based on your consent. This right does not include the cases where you request to delete your personal data, which are processed by the Bank on other legal grounds, for example, where the processing of personal data is necessary to conclude/perform a contract or for compliance with a legal obligation;
- the right not to be subject to a decision based solely on automated processing, which produces legal effects or similarly significantly affects you;
- the right to data portability;
- the right to lodge a complaint with the State Data Protection Inspectorate if you believe that your personal data are being processed in violation of your rights and legitimate interests in the area of personal data protection. More information is available at www.vdai.lrv.lt.
The Bank provides the opportunity to exercise the above rights upon identification and verification of your identity. You may exercise your rights by submitting your request to the Bank in writing at any of the Bank’s customer service units, by post to Konstitucijos pr. 18B, LT-09308 Vilnius, by email to [email protected] (when submitting your request by email, it must be signed with a qualified electronic signature) or through the Bank’s online banking system, and, where applicable, by using the links at the bottom of the Bank’s promotional content material.
We recommend using the model form for requesting the exercise of the data subject’s rights:
The Bank will provide you with information about the steps taken on receipt of your request to exercise the data subject’s rights within one (1) month from receipt of your request. The Bank’s deadline for response may be extended by two (2) months if necessary, depending on the complexity of the request and the number of requests received by the Bank. In any event, the Bank will inform you of any such extension and the reasons for such extension.
Where your requests are manifestly unfounded or disproportionate (for example, because of their repetitive content), the Bank has the right to charge a reasonable fee, taking into account the cost of providing the information.
The Bank may not allow you to exercise the above-mentioned rights in cases where it is necessary to ensure the prevention, investigation and detection of crimes, breaches of integrity or professional ethics, as well as the protection of the rights and freedoms of other persons, as provided for by the applicable legislation, or where these rights cannot be exercised in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679. In the event that you make a request to the Bank for access to your data and information on how they are processed and request certain information that constitutes confidential information of the Bank (for example, trade secrets), the information may be provided to you to the extent that the interests of the Bank are not prejudiced or threatened.
15. Our contact details. Data Protection Officer
Urbo Bankas UAB
Konstitucijos pr. 18B, LT-09308 Vilnius
Tel. 19 300 (for calls from Lithuania), +370 5 264 48 00 (for calls from abroad)
Email: [email protected]
Contact details of the Bank are available on the Bank’s website at https://urbo.lt/lt/kontaktai.
If you have any questions regarding the information presented in this Privacy Policy or any other questions related to the processing of your personal data, please contact the Data Protection Officer of the Bank by any of the following means:
- by post: Konstitucijos pr. 18B, LT-09308 Vilnius;
- by email: [email protected]
16. Final provisions
Websites of other companies in the Bank’s Group which carry out specific functions may contain additional information about privacy.
This Privacy Policy is effective as of 22 October 2024.
The Bank has the right to unilaterally change this Privacy Policy by informing you by a notice published on the Bank’s website www.urbo.lt, by email or a message sent via the online banking system.
This Privacy Policy is publicly available on the Bank’s website www.urbo.lt and can be accessed at any customer service unit of the Bank.
This Privacy Policy will be revised and updated taking into account the changes in legislation and/or Bank’s activities, but at least once every two (2) years. Whenever we update the Privacy Policy, we will inform you about it by posting a notice on the Bank’s website www.urbo.lt and/or by other means.