General Information on Personal Data Protection

Protecting your privacy is important to us, so we provide this information to help you understand which of your personal data we are collecting, why we are collecting them, how we use them, what processing procedures we implement, what your rights are and how to enforce them.

We store and protect personal data in a way that prevents any undue disclosure of data to unauthorised persons. We undertake not to transfer, lend, or sell personal data to third parties without prior notice and obtaining your consent. In all cases, we will ensure adequate safety measures and process personal data only within the framework of lawful legal bases and for the selected purposes. 

Your personal data manager is:

• NLB d.d., Trg republike 2, 1000 Ljubljana (hereinafter: NLB)
  

In the NLB, the Personal Data Protection Officer (DPO) is available at:

• E-mail: dpo@nlb.si or 
• by regular mail: NLB d.d., Compliance and Integrity, Personal Data Protection Officer, Trg republike 2, 1520 Ljubljana.

The NLB processes personal data to perform individual banking services and measures before concluding an agreement and during the execution of a contract with you, such as the opening and administration of accounts / banking packages, deposits, direct debits and standing orders, making payments, various saving schemes, loans, guarantees, letters of credit, purchasing securities, insurances, stock brokerage, sending SMS messages about the account balance and transactions made with payment cards, processing of complaints and managing contacts with an individual using various channels.

When NLB processes your payments through the correspondent network of banks or through large-value payment systems (e.g., TARGET2) or exchanges messages related to resolving complaints or related to guarantee and documentary materials, the data is also processed by SWIFT (S.W.I.F.T. SC, Avenue Adele 1, 1310 La Hulpe, Belgium), which provides the network for interbank connection – Society for Worldwide Interbank Financial Telecommunication. In this case, NLB and SWIFT act as joint controllers (more information is available at this link).

The NLB processes personal data do fulfil legal and other regulations, especially those regulating banking and payment services, and relevant European law, especially the obligation of reporting, customer checking (money laundering and terrorist financing prevention) and risk management. For example: the Bank may perform an enquiry and obtain information about your personal and other data, especially employment, movable and immovable property, receivables, interests, shares and other securities, account numbers at other banks and payment institutes, and other property, residence, tax number and other data from other managers, if the NLB did not have it or if you would not personally submit them to the Bank despite our request, yet these data were required to fulfil contractual obligations, or there was a legal basis for such enquiry. The Bank may also process personal data in the case of court decisions it receives for enforcement (e.g. inheritance decisions, enforcement orders). The legal basis for processing personal data are also the legal requirements for keeping updated records.

The NLB processes personal data also based on our legitimate interest, which indicates our responsibility towards you and maintains the range of services offered on the market that will fulfil your expectation; here we carefully weigh our interests and your rights to privacy. Examples of data processing based on legitimate interest:

• with measures to prevent, detect and investigate fraud and other harmful conduct,
• in video surveillance (for example in branch offices or ATMs) and similar measures, in particular, to prove transactions and to ensure the protection of assets of customers and employees,
• when recording phone or video conversations (e.g. when concluding deals, in case of complaints, etc.),
• in product range development and management measures,
• in communications with corporate customers,
• in market research, business analyses and analyses aimed at making business decisions. 

Personal data processing can also be based on an individual's consent that allows the NLB to use their personal data for purposes defined in the consent, namely:

• For marketing activities such as sending news, general notifications about the product range, novelties, benefits, events, prize games and other news important for an individual segment of users of banking services and the wider public.
• For sending information about services, new products/services and special offers adapted to your interests, based on profiling used by the NLB for this purpose. Profiling, i.e. the formation of profiles, means any type of automated personal data processing including the use of personal data to estimate certain personal aspects related to an individual or group of individuals, especially to analyse or predict work performance, the economic situation, health, personal taste, interests, habits, reliability, behaviour, location or movement of the individual.
• To perform surveys or questionnaires to check the satisfaction, use of services and market channels with the aim of adapting and improving the range of products/services.

These purposes include contents relating to NLB d.d., the companies from the NLB Group and contractual partners of NLB d.d., yet your data will not be given to these companies.

If you do not give your consent to perform these purposes of personal data processing, give it partly or (partly) cancel the consent, we will inform you only in cases and in the scope of the consent you gave, in ways permitted by the applicable law (such as general notifications, fulfilling the Bank’s obligation about a service you are using).

The consent is given voluntarily, and if you decided you do not wish to give it, or cancel it later, this does not impair your rights arising from your business relationship with the NLB and does not represent additional expenses or aggravating circumstances. The conclusion of the contract and provision of banking services do not depend on the consent. 

The NLB obtains personal data from various sources. In most cases, they are directly given by customers who select an individual banking service. They are also obtained indirectly through the use of banking services. We generate some data by processing data for reporting, analyses, etc. We can also use other information on individuals that can be accessed or were sent to us from public sources (public registers, databases, internet applications, social networks or other public sources of information) and information from other sources, such as a decision, order or other legal act, provided to the bank by one of the parties to the litigation. All collected data and information are processed by employees of the Bank only in the framework and for our work. Personal information that has not been directly obtained from an individual is made available by the data controller at the request of the individual.

The NLB processes the following types of personal data:

• basic identification and other data for identification and contact data

Your personal information, such as name and surname, date of birth, place of residence, tax number, phone number and/or e-mail address, that we need to send you messages. Otherwise, you will not be informed about our special offers and product/service range. These are the basic identification and contact data required to conclude the business or for notifications about the offer.

• socio-demographic information

These are standard statistical data, for example, your age, address of residence, gender, level of education, income, etc. These data are usually disclosed when you begin to use our services, or we deduce them from other available data.

• information about other companies

When you place a loan order, the source of your income must be listed. If you are employed, we will ask you to state your title and name of your employer, if you lead a company, to give the name of your company. If you never applied for a loan at the NLB, we do not know whether you are employed and by whom, or if you are selfemployed.

• data about transactions

Our systems record and save every payment made from your account or with your debit or credit card or via online, mobile or telephone banking, as well as any cash withdrawal from ATMs, transactions made on your behalf following your request, and payments made to your account. Each transaction contains additional information, such as the amount of the transaction, remittance account number, name and number of the merchant POS terminal used to make the payment, address or location of the merchant, date and time of the payment, as well as text and comments. From such information we can also make conclusions about your behaviour related to transactions, i.e. do you frequently pay by card rather than withdrawing cash from ATMs, how often, where, what your income is, does your income come from several employers, in which stores you shop, how much you pay for your shopping, etc. All this helps us to offer you accessible and useful services.

• information about channels and applications used

You can contact the NLB through various communication channels and points of sale (phone, video call, online banking, the web and mobile application NLB Klik, etc.). During registration, transactions, and other activities your computer automatically send your IP address to the NLB’s server you accessed. In this way, we can detect the number of the network and sub-network in which your computer is located. If you allowed the use of cookies in your browser, these provide the smooth operation of the website with all functionalities and better user experience. Read more about cookies on the web page www.nlbgroup.com/int-en/nlb-skupina/pravna-obvestila/piskotki. We can also determine the duration of your login, which activities you performed in the applications, which data you entered into forms – all this for security reasons. Information about your operating system and its version and technical data about the devices you are using help us to ensure that our web pages and services will be displayed correctly on your devices, as this is the only way to continuously improve our services and adapt them to your technical needs.

• information about your use of NLB Klik

NLB Klik digital bank allows you to perform NLB banking services via a web browser or a mobile application. In order to provide you with its full range of functionalities, improve the security, the user experience and adapt the content to your interests the application requires access to following data and components stored in your mobile device:

- access to your camera because of the functionality Scan and pay, which allows you to capture data from the payment order with your camera and transfer them to the UPN payment order in the NLB Klik mobile bank.

- access to your location to show the nearest Branches and ATMs. It can access your location only when it is in use and you can see it on your display.

The decision on which information you would like to share in NLB Klik is up to you and you can:

- Restrict the access of the mobile application to camera and location by changing the settings on your mobile device. Please note that if the access is restricted some of the functionalities will not function as provided above,

-Restrict the access to information about your device, mobile application details and user details by changing the settings on mobile application.

The NLB Klik web and mobile application collects certain data for the purpose of statistical analysis, using the builtin analytical tools:

- Device Details: The Bank needs information about the device you are using to be able to upgrade the application, test and approve mobile devices, improve the application and its functionalities and for statistical analysis at the level of user groups. Information about mobile devices that is tracked is, for example, brand, type of device (e.g. a mobile phone or tablet), model, operating system, language settings.

- Application Details: The Bank needs information about how the mobile application is used for statistical analysis at the level of user groups, which serves as a basis for customising the functionalities to the users’ needs, optimising its performance, enhancing the security and user experience and adapting its content to your interests. With these data we track which online store you used to download or upgrade the application, which version has been installed, how long you have been using NLB Klik, which functionalities you use and how you use them (e.g. which screens are accessed, for how long, etc.).

- User Details: User details are very important to us, because they help us understand our users’ characteristics and needs. For this purpose, we collect information about your age, gender, interests and country of residence, which is again statistically analysed at the level of user groups, which means that a relevant user could not be identified on the basis of collected data.

• information about your use of services of the NLB and other members of the NLB Group

For targeting activities, we use the information which services of the NLB or other NLB Group members you are already using, for how long, under what conditions, and did you keep or cancel them. We know how often you use payment cards issued by the NLB and where, in what amounts and for what purposes the payments are made. If you raised a loan from the NLB, we could use the information about the amount and date of a certain instalment or defaults. If you have a savings account at our Bank, we know how often and how much you remit to it. In the environments of online, mobile, phone and video banking we collect information about the options you selected (selected fields, type of entered information and forms, etc.) We also process the information how often you register into applications for online and mobile banking, phone, and video banking, and did you perform any action while you were logged in (i.e. made a payment, held a session with banker).

• contacts with the Bank

We keep records about our contacts with you, especially the date (possibly also the time) of the contact and the reason for it. This applies to all kinds of contacts (phone, video call, SMS, mail, e-mail, branch office and others). We record these contacts to avoid calling several times for the same purpose. Whenever we notify you about an offer, we save the information whether you accepted or not, to avoid offering you the same products or services several times. We also keep records about when you had conversations with NLB consultants.

• social networks

For our marketing campaigns we also use social networks such as Facebook, and although we do not store data published on your profile, we use them to improve the targeting of our marketing activities, of course only if you consent to this when you use these social networks. For us, social networks are a channel to address our customers, and targeting is an added value. In the context of third-party cookies, we offer an even better user experience, sharing contents across different social networks, as well as adapting our offer to your wishes and needs that can be read from your previous browsing. Data collected with the help of these cookies are available to the NLB as well as service providers. Your consent for social networks can be edited under www.nlb.si/cookies-nlb .

• records of communication

When you call us on the phone or via video call, we may ask you before the call to consent for the call to be recorded. In some cases, the calls must be recorded because this is a legal requirement, or to be able to prove that we followed your instruction or that the contract has been validly executed or that we are acting in line with our legal obligations. You are notified in advance of any recording.

• geolocation data

Information on payments made with the NLB payment instruments (debit or credit card, online, phone, video banking) and applications used for mobile banking include geolocation data. These data precisely define the GPS coordinates (or the address point of a certain transaction, depending on the physical location of the merchant’s payment terminal. At registration, we read your location from special logs. We also use geolocation data when you visit our web pages and when you use the NLB mobile applications, to provide you with contact information and help you find the closest consultant or branch office.

• information about your creditworthiness

When you apply for a loan, the law demands that we must check your creditworthiness in the SISBON system. This information is used to calculate your creditworthiness or ability to pay your debt. In addition to the information from the SISBON system, to calculate your creditworthiness we also use information stored in our systems (such as information about the operations with your personal account, payment of loans in the past) and the systems of our contractual data processors (for example at an insurance company). Based on these data we can offer you a loan with characteristics we evaluate as the best for you.

• external sources

We want to be sure that our offer will be appropriate for you. Therefore we sometimes use data from external sources, when our own data are not sufficient for targeting. Such sources include mostly public registers and records, for example, the business entity register.

• surveys, research and user testing

We are interested in the opinion of our customers about our existing services and ads, what type of services you wish, so we would like to ask you about this in surveys and research. In this way, we usually obtain the average results representing the entire group of respondents. When developing new services we also use other approaches, for example, we ask our customers how they like the new versions of applications etc., and perform a so-called user testing to find out will they find the new service attractive and easy to use.

• data and information to process so we can act in line with our legal obligations

These are data we must collect, evaluate and store for a certain amount of time, to act in line with our legal obligations. These are for example the obligation of keeping updated records and to archive data under various laws regulating business activity, or the collection and evaluation of data to prevent money laundering and terrorism financing, and other legal requirements, such as the enforcement of court decisions. These data can, for example, include the source and origin of your income, mutual capital connections, nationality, citizenship, address of residence, area of activity, political exposure, etc. Based on your consent, or if there is any other legal foundation, we can use these data for other purposes too, in line with your wishes.

• NLB employees

Your personal data are processed by NLB systems and individual employees who require these data for their work and may also share them with other employees. This means that any information you gave to the bank consultant will be available also to other NLB employees, for example, employees in marketing, for marketing purposes.

• contractual data processors

In addition to NLB employees, users of personal data are the employees of the Bank’s contractual data processors who may process your data only pursuant to a certain law, contractual provisions, approval or your consent. These are for example printers who print various notifications and advertising material sent to you by mail. Another example are telecommunication operators who relay our messages to you. In each case, we assure the protection of your personal data in the same way as if processed by the NLB itself.

• competent state authorities

In certain cases prescribed by applicable laws we must relay your personal data or report about them to competent state authorities and authorities in charge of financial tax or bank supervision (such as the Office for Money Laundering Prevention, the Financial Administration of the Republic of Slovenia, courts, the Information exchange system (SISBON), etc.) We also have to pass them to third parties if such obligation of forwarding or disclosure is imposed by the law.

Details about the categories of users, contractual partners and contractual processors can be obtained upon request from our Personal Data Protection Officer. 

The NLB can process data manually or automatically.

An automated data processing can also mean the application of so-called automated decision-making. The NLB uses certain automated processes, including the formation of profiles, where a decision can be made about an individual which results in legal effects related to them or have a significant effect on them (such as the assessment of creditworthiness, etc.) In case of an automated decision the individual will be notified in advance and will have the right to personal treatment, the right to express their view, the right to obtain an explanation of the decision made in this way, and the right to challenge such decision.

For example in the procedure of granting the NLB Quick Loan, the application itself processes your data and automatically grants or rejects your loan application. Before the procedure begins, you receive all information about the processing of personal data, and if you agree to have your personal data processed, you give your consent. The NLB allows you to, instead of raising a loan using the NLB application (for example using NLB Klik), cancel the procedure at any stage and carry it out the usual way at one of our branch offices.

The storage period for personal data depends on the basis and purpose of the processing of each category of personal data. Personal data for the purposes of providing banking services are processed ten years after the termination of the business relationship or the transaction. Personal data of individuals for the purposes of preparation for the conclusion of a contract for the provision of banking services, in the event that the contract is not concluded, are generally not processed for more than six months. Personal data processed by the bank on the basis of the individual's consent are processed until the consent is revoked. Other personal data are stored only for as long as prescribed or allowed and necessary to achieve the purpose for which they were collected or further processed. After the purpose of processing has been achieved, and unless there is another legal basis or if this is required to enforce, execute or defend legal claims, personal data are deleted, destroyed, blocked or made anonymous. Under the right of access to data, an individual may at any time request information on the retention period of a particular type of data.

If you wish to obtain information about the processing of your personal data, you can request them by enforcing your right to access. In addition, the NLB lets you enforce the right to correction (for example if you notice your personal data are not accurate), the right to deletion of personal data (for example if there is no legal basis for processing) and the right to portability (for example when you wish to transfer your personal data to another data manager).

If you disagree with the processing of your personal data based on our legitimate interest, or if you do not wish your personal data to be used for purposes of direct marketing, you have the right to objection to demand the cessation of processing. You can file this request in a manner that enables your identification, namely by filling a form prepared for exercising each such right, which is available at the Bank’s branch offices and published on the website www.nlbgroup.com/int-en/nlb-skupina/pravna-obvestila/varstvo-osebnih-podatkov, or in another documented manner (e.g. oral request for the record in the Bank’s branch office, written request, oral request submitted via video call, request sent via online or mobile bank).

The received requests are processed by the Personal Data Protection Officer who is available at the addresses listed above. We will respond to your request without unnecessary delay or within one month at the latest.

At any time you have the right to file a complaint with the supervising authority for personal data protection: Information Commissioner, Dunajska cesta 22, 1000 Ljubljana 

Your consent to process personal data for purposes described in this information is voluntary. You can at any time restrict or revoke your consent for data processing by informing the NLB, yet this will not impact any contractual relationship between you and the NLB or the use of products or services not requiring such consent. 

Even after the revoking of your consent, the NLB will only process those data related to you that it will have to process to fulfil the legal obligations based on the execution of the contract with you and to pursue its legitimate interest.

The NLB reserves the right to amend this General Information to ensure compliance with regulations related to personal data protection. This information is available in all branch offices of the NLB and on its website.

All issues not expressly defined in this General Information or the contract between the Bank and the individual follow the provisions of the applicable law.

This General Information applies and is in force as of 1 May 2024.

NLB d.d.