Information on personal data processing
by Zagrebačka banka d.d.

You can download this information on personal data processing in the form of a PDF document at the link:

Information on personal data processing by Zagrebačka banka d.d. (PDF)

The purpose of the information provided in this document is to give you an overview of the manner in which the Bank processes personal data, and to inform you of the rights you have in connection with the processing of such data. The information applies to the following data subjects: clients (individuals), potential clients and other natural persons whose personal data Zagrebačka banka d.d. collects on a particular lawful basis (e.g., guarantors, joint and several debtors, lien debtors, proxy holders, guardians, heirs, representatives of minors, and natural persons who have ended their business relationship with Zagrebačka banka d.d.).

Document sections:

1. CONTROLLER AND DATA PROTECTION OFFICER
2. PERSONAL DATA WHICH ARE PROCESSED AND THE MANNER IN WHICH THE BANK COLLECTS PERSONAL DATA
3. SOURCES OF PERSONAL DATA
4. LAWFUL BASES AND PURPOSES FOR WHICH THE BANK PROCESSES THE PERSONAL DATA IT COLLECTS
5. WITHDRAWAL OF CONSENT
6. SHARING PERSONAL DATA WITH THIRD PARTIES
7. TRANSFERRING PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
8. PERSONAL DATA RETENTION PERIOD
9. DATA SUBJECT RIGHTS
10. AUTOMATED DECISION-MAKING AND PROFILING

1. Controller and Data Protection Officer

The controller is Zagrebačka banka d.d., Tax No. (OIB): 92963223473, having its registered office at Trg bana Josipa Jelačića 10, 10000 Zagreb, Republic of Croatia, email: zaba@unicreditgroup.zaba.hr, phone: 01/3773 333 (“Bank”).

The Data Protection Officer is available to you at: sluzbenik.za.zastitu.osobnih.
podataka@unicreditgroup.zaba.hr or at the above-stated registered address of the Controller.

2. Personal Data Which are Processed and the Manner in Which the Bank Collects Personal Data

Personal Data means any information that directly or indirectly identifies an individual, i.e., any information or a combination of information that relates to an identified or identifiable natural person (“data subject” or “you”), e.g., name, surname, personal identification number, address, photograph, account number, income data. Depending on the business relationship, business needs and obligations, the Bank may process all or only certain categories of your personal data. To give you a better insight into the afore-stated, below we provide particular explanations and examples of the data that the Bank processes in its business operations.

In its business operations, the Bank may process the following types of data:

Identification and General Personal Data
The data used to identify an individual, and the data the Bank is obligated to collect in connection with the regulations, including name and surname, personal identification number (OIB), address, citizenship, data contained on the identification document (and a copy of such document), tax residency data, etc.
Financial Data and Data Relating to Your Business Relationship
The data that includes information about the contracts you have entered into with the Bank (products and services you have purchased), the data regarding your accounts, financial situation and management of funds (e.g., transaction records – payments and withdrawals, estimated creditworthiness, pre-loan approval data, data relating to savings or trading in shares, funds, etc.).
Contact Data
The data including email address, phone number/mobile phone number, and similar.
Socio-Demographic Data and Data Concerning Your Use of the Bank’s Products and Services
The data that includes details, e.g., about your job (occupation), employment status, education, the manner in which you use the Bank’s products and services, transactions that you make (e.g., the channel you use, how often you make them, etc.).
Technical Data
The data that includes, for example, information about your user accounts required for using the Bank’s online products and services (e.g., login credentials), IP address when accessing the Bank’s online products and services, information about the device you use to access such products and services, information about your preferences, and the manner in which you use the Bank’s online products and services.
Video Surveillance Footage and Conversation Recordings
The data that includes video recordings of persons who have visited the Bank’s branches, buildings and/or ATMs captured by the Bank’s video surveillance system, and the data in the form of audio recordings of the phone calls you have made to the Bank.
Data Relating to Your Communication with the Bank
The data that includes information relating to your communication with the Bank via the various available channels of communication (calls, online chats, letters, and other types of communication), as well as your inquiries/information provided (e.g., calls related to service/product activation, inquiries about your business relationship or applications/requests submitted to the Bank, inquiries about the complaints you submitted to the Bank (including disputes with the Bank), and the responses, information and advice provided to you by the Bank.
Data Regarding your Choices
The data that includes, for example, your consent to receive marketing messages or invitations to participate in market research, as well as your preferred communication channels.
Special Categories of Data and Sensitive Data Associated with Risk Management
The data that include, for example, health data (if you have provided such data to the Bank for the purpose of, e.g., getting approval for a moratorium on loan repayments, or if you have, on the other hand, enclosed such data in communication with the Bank without the Bank asking you to do so), information on union membership (provided voluntarily as grounds for getting a lower interest rate on a loan), biometric data (e.g., a piece of biometric data generated in the identification process when establishing a business relationship with the Bank remotely). Sensitive data associated with risk management include information relating to, for example, the management of money laundering and terrorism financing risk (e.g., politically exposed person, information regarding criminal offences, etc.), fraud risk, and/or reputational risk.
Publicly Available Data and/or Data Obtained from Other Sources
The data that includes information that the Bank collects from publicly available sources (such as the Unified Accounts Registry, information available on the internet, e.g., the court register, etc.), and information that the Bank obtains from other non-public sources (e.g., from credit intermediaries, i.e., from the Basic Registry System (“OSR System”) via Hrvatski registar obveza po kreditima d.o.o. (Croatian Registry of Credit Obligations).

3. Sources of Personal Data

The Bank’s relies on the following sources of data:

(a) The Bank primarily collects data directly from the data subject through any kind of communication with the Bank (whether oral or written). The most common example of collecting data in this manner is the situation when an application for a particular service or product offered by the Bank is submitted, in which case the data is collected through a standard application/request or form (e.g., KYC questionnaire, My Data form, application for a credit product, etc.).

(b) The Bank also collects data in the course of any kind of communication with the data subject conducted at a branch or through e-branch, via online channels, such as m-zaba and e-zaba, and its website (e.g., data/logs containing information on how the client uses different products and services and his/her preferences associated with the same, data regarding his/her access device(s), collected through the use of cookies and similar technologies), using other channels of communication, in the process of resolving complaints, etc.

(c) The Bank also collects the data generated through the processing of any piece of information in the course of providing banking and financial services or selling products and services offered by its contractual partners, e.g., information regarding transactions, personal spending habits and interests.

(d) The Bank may also collect data from third parties, such as Hrvatski registar obveza po kreditima d.o.o. (Croatian Registry of Credit Obligations) – Basic Registry System (“OSR System”). In cases where accounts are opened in the name of minors or persons (partially) deprived of legal capacity, personal data are collected from their legal representatives/guardians. The Bank also collects data from third parties when it acts as a participant in a payment system (whether international or national), e.g., for the purpose of executing (performing) payments and preparing statements, payment confirmations, and similar, or when it, for example, relies on publicly available or other relevant sources to gather the necessary data (e.g., Unified Registry of Accounts, Document Authenticity Verification System (pravosudje.hr), Sanctions Lists), all in accordance with the applicable regulations and business needs.

(e) The Bank may also collect data from the members of the Zagrebačka banka Group and the members of the UniCredit Group ( www.zaba.hr/home/en/about-us/about-us/structure, Controlled companies - UniCredit (unicreditgroup.eu)), to which it belongs, for the purpose of managing business risks, including: credit risk, liquidity risk, interest risk, operational risk, and other risks to which the Bank and members of its Group are exposed.

4. Lawful Bases and Purposes for Which the Bank Processes the Personal Data It Collects

a) Processing is necessary for compliance with the Controller’s legal obligations

The processing is necessary to enable the Bank to comply with the obligations laid down in the regulations, or for other purposes set forth by the law (e.g., Anti-Money Laundering and Terrorist Financing Act or Act on Administrative Cooperation in the Field of Taxation regulating the implementation of the Agreement between the Government of the Republic of Croatia and the Government of the United States of America to Improve International Tax Compliance and to Implement FATCA), as well as to enable the Bank to act in accordance with particular documents adopted by the relevant institutions of the Republic of Croatia or other bodies whose orders the Bank is obligated to respect pursuant to statutory and other regulations.

The data processed in this regard primarily include: identification data from a valid identification document, and such data that the Bank is obligated to process in accordance with the regulations (including name and surname, permanent and/or temporary residence address, personal identification number (OIB), date, place and country of birth, citizenship(s), tax residency data (whether the data subject is a taxpayer in a country other than the Republic of Croatia), financial data, and data relating to the business relationship, the use of banking services, transactions (e.g., the purpose and scope of doing business with the Bank).

b) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the data subject's request prior to entering into a contract

The data processed in this regard primarily include: personal data necessary for the purposes of the business relationship with the Bank, which depends on the product/service arranged with the same (e.g., general personal data, name and surname, personal identification number (OIB), financial data, and data associated with the contracting process and the use of different products and/or services, e.g., email address when applying for e-zaba and mobile phone number when applying for m-zaba). In the case of minors or persons (partially) deprived of legal capacity, the Bank, for example, collects the data that concern their legal representatives/guardians. In addition, if, when establishing a business relationship and/or during the business relationship, the client agrees with the Bank a particular method of delivery of information/documents associated with that business relationship, such delivery and all communication with the client (including sending information/documents about products and services) will be done in the chosen/agreed manner.

Consequence of NonProvision of Data/Missing Data

The provision (collection) of personal data with regard to what is stated above in points a) and b) is mandatory. If the data subject (or, where applicable, his/her representative) refuses to provide any of the data necessary for compliance with legal obligations and/or entry into and performance of a contract to which the data subject is a party, including personal data collected for the purposes of risk management in the manner and to the extent prescribed by applicable laws and subordinate legislation, the Bank may not be able to provide certain services, or it may refuse to enter into a contractual relationship, and limit or terminate an existing business relationship..

c) Processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party (including the interests of the members of the Zagrebačka banka Group and the members of the UniCredit Group)

A legitimate interest of the Bank and/or a third party (including the UniCredit Group) is relied on as the basis for processing personal data only in cases where this is necessary considering the Bank’s business needs and operations (i.e., when no legal obligation or other lawful basis for data processing exists), and primarily in connection with certain processing activities carried out in the context of:

risk management, i.e., management of particular credit and operational risks, which includes taking measures to protect people, premises and property of the Bank (e.g., in the event of incidents/unacceptable behaviour on the part of clients at the branch, in the process of assessing the threat, preventing the occurrence of damage, controlling and/or checking the access), reputational risk, risk of certain types of fraud (e.g., document authenticity verification, conducting additional controls) and other risks to which the Bank is exposed at the level of the UniCredit Group, to which it belongs, and the Zagrebačka banka Group;
taking measures associated with the management of the Bank’s business operations and IT systems (including the infrastructure and the web pages) to ensure business continuity and guarantee IT security, as well as further development of products/services. This includes performing updates, system (re)calibration, maintenance, product and/or service optimization activities (including IT systems, applications, and related functions), reporting activities and certain statistical analyses, all for the purpose of guaranteeing data reliability and accuracy, and the ability to identify and quickly resolve all problems associated with the technical functioning of IT systems;
segmentation of data concerning the use of different products and services by clients with the aim of creating products and services sales reports, as well as for the purpose of adjusting the products and services, which is based on the Bank’s interest to manage its business operations and provide better and higher quality service to its clients;
ensuring an adequate response to client demands and expectations with respect to products and services, and enabling the introduction of new features requested by the clients, such as, for example, sending real-time notifications that improve user experience (e.g., a notification that a payment has been made to the account, sending instructions/information regarding the use of the Bank’s application/product/service at the moment when the client is using it and needs the information), and similar;
processing personal data within members of the Zagrebačka banka Group and members of the UniCredit Group for internal administrative purposes, and for the purpose of protecting property and computer and electronic communications systems;
establishing and defending legal claims the circumstances of which have been stated in written communication with the Bank and/or during the proceedings held before a court or other competent authority, when acting in accordance with the guidelines issued by the regulators and/or other competent authorities, and similar.

Consequence of NonProvision of Data/Missing Data

If the data whose processing is based on a legitimate interest are necessary in connection with the provision (or continued provision) of services, provision of personal data is deemed necessary for pursuing legitimate interests and failure to provide such data will render the provision of services impossible. The Bank, however, always esnures that such processing may only be carried out in cases where, in accordance with the assessment of the legitimate interest, the Bank’s interest is not overridden by the interests and fundamental rights and freedoms of the data subject. In addition, the data subject has the right to object to the processing of personal data based on a legitimate interest.

d) The data subject has given consent to the processing of his/her personal data for one or more specific purposes

The Bank may rely on the data subject’s consent as the basis for processing in connection with, for example:

provision of marketing information about the Bank’s offers, in which context the Bank may deliver to the data subject information regarding the offers and benefits associated with new products and services, or the products and services already arranged with the Bank and/or its contractual partners, which includes individualized offers relating to the use of banking and financial services, and the related services of the Bank and members of the Group based on a generated profile (which may also include automated individual decision-making);

If you have given consent for the afore-mentioned purpose, the Bank will, for example, process such data that relates to the use of different products and services, such as the data about the type and location, amount and frequency of transactions, account balance, card use, and data regarding visits to the branch, and similar.

participation in market research, in which case the Bank may invite you to express your opinion about its products and services in periodic research;
unique data subject identification resulting in the creation of biometric data. Biometric Data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as the biometric processing of a photograph and a video recording when establishing a business relationship remotely. Additional information is provided at the time when consent for biometric processing is requested.

Giving consent is entirely voluntary, and provision of such data which is collected exclusively on the basis of consent for the specific purpose stated in the consent is not mandatory.

5. Withdrawal of Consent

A consent given may be withdrawn at any time, which will, however, not affect the lawfulness of the processing based on consent prior to withdrawal. In addition, the data subject has the right to deny his/her consent. The Bank will not refuse to provide its banking services to the data subject if he/she denies or withdraws consent. When giving consent, the data subject will be informed of the manner in which consents can be withdrawn. In general, consents can be withdrawn at the Bank’s branches. However, besides at the branches, consents given for marketing and market research purposes can also be withdrawn via direct channels (e-zaba and m-zaba).

Additional Information

In addition, the Bank may also process personal data, e.g., special categories of personal data (such as health data), if one of the conditions laid down in Article 9 of the General Data Protection Regulation applies, including situations where:

processing is necessary for reasons of substantial public interest based on the EU or Member State law which is proportionate to the aim pursued, and respects the essence of the right to data protection,
processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity, and
the data subject has given explicit consent to the processing of such personal data.

Furthermore, the processing activities that constitute exemptions from the obligation to provide information to data subjects (as determined in Article 14(5) of the General Data Protection Regulation) are not described in this Information on Personal Data Processing.

CONTINUE READING SECTIONS 6 - 10.

You can download this information on personal data processing in the form of a PDF document at the link:

Information on personal data processing by Zagrebačka banka d.d. (PDF)

6. Sharing Personal Data with Third Parties

When sharing data with third parties, the Bank mainly relies on the following:
a) the data subject’s consent, or
b) necessity for the performance of a contract to which the data subject is a party, or
c) provisions of laws and subordinate legislation.

For example, personal data will be shared with certain third parties to which the Bank is legally obligated to deliver specific data, including, for example, the Financial Agency, the Anti-Money Laundering Office of the Ministry of Finance, the Tax Administration, various courts, and other institutions within the Republic of Croatia and the EU to which the Bank is either authorised or obligated to provide personal data in accordance with applicable laws and other relevant regulations governing banking operations (e.g., Anti-Money Laundering and Terrorist Financing Act, or Act on Administrative Cooperation in the Field of Taxation).

In certain cases, personal data relating to data subjects may also be shared with certain persons with which the Bank has a contractual relationship in place (e.g., insurance companies if the data subject files an insurance claim, postal service providers, card companies, consultants, auditors, and similar) and/or to which the Bank has entrusted the processing of data relating to its data subjects (“processors”, in accordance with Article 28 of the General Data Protection Regulation) for the purpose of providing particular services.

Recipients of data include, for example, providers of document processing services, logistics, IT and telecommunications services, sales and marketing services, as well as debt collection agencies/companies, credit intermediaries, and legal entities forming part of the Zagrebačka banka Group and the UniCredit Group, to which data are provided for the purpose of complying with obligations and/or risk management at the level of a group of companies. All persons that, due to the nature of the business activities performed together with or for the Bank, have access to personal data are equally obligated to protect such data as confidential information and/or a banking secret in accordance with the Credit Institutions Act, and other regulations governing data confidentiality. In addition, certain details regarding the purpose of personal dataprocessing, recipients or categories of recipients, the lawful basis for processing personal data, provision of personal data for use by other recipients, and similar, are further elaborated in specific documents, e.g., questionnaire forms used by the Bank to collect particular data, applications/requests and contracts for the use of different banking products or services, etc.

7. Transferring Data Outside the European Economic Area

The Bank will transfer personal data outside the European Economic Area (third countries) only:

to the extent to which such transfer is necessary to execute the orders of the data subject (e.g., payment orders or orders associated with trading in securities), or
to the extent to which such transfer is required by law or on some other lawful basis which is binding on the Bank (e.g., tax-related notices).

In any case, a transfer of personal data to a third country or an international organisation may take place if the European Commission decides that the third country concerned, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection of personal data of data subjects (Adequacy Decision), more information is available on the website of the European Commission).

In cases where it is necessary to transfer your personal data to a country outside the European Economic Area for which the European Commission has not issued an adequacy decision, the transfer will be subject to appropriate safeguards (including, for example, the use of standard data protection clauses adopted by the European Commission, which are available on the Commissions website, in which case it must also be ensured that enforceable rights and effective legal remedies are available to the data subjects concerned), or in reliance on certain derogations envisaged for specific situations regulated by the General Data Protection Regulation (including, for example, situations in which such transfer is necessary to perform a contract, or to establish, exercise or defend a legal claim).

8. Personal Data Retention Period

The Bank stores personal data for as long as necessary to fulfil its contractual and statutory obligations. Retention periods for the documents and data processed by the Bank in its business operations are also defined in its internal regulations/documents.

In its operations, the Bank, as a credit institution, primarily applies the prescribed retention periods.

Furthermore, in situations where no retention period is prescribed for a particular type of data processing, the Bank, as the Controller, determines the retention period itself, and in such cases the data are always kept for as long as necessary for the purposes for which they are processed (e.g., two years from the entry in the records of visits to the Banks business buildings, ten months from the transactions checks within fraud prevention, thirty days from the submission of a request for a meeting through the website, one year from the market research conducted, etc.).

Retention periods are also defined by the Credit Institutions Act, which stipulates that the data relating to data subjects should be kept for at least 11 years from the expiry of the year in which the business relationship ends. Furthermore, in the context of primary and secondary anti-money laundering and terrorism financing legislation and Regulation (EU) 2015/847, the Bank has an obligation to keep the information and documents associated with the application of such laws and regulations for ten years from the termination of the entire business relationship with the client (closing of the last account/service with the Bank).

In exceptional cases, certain data may be processed for a longer period if such processing is necessary to achieve other justified purposes (e.g., the purposes of court and other legal proceedings, and similar), in which case the data retention periods may be extended. In case of litigation (and similar proceedings), the total retention period will depend on the duration of the proceedings, and it will also include an additional retention period of ten years after the case is archived/marked with "ad acta".

9. Data Subject Rights

Every data subject whose personal data is processed by the Bank, as the Controller, has the right to request the exercise of the following rights:

1) Right to access data (pursuant to the provisions of Article 15 of the General Data Protection Regulation) – this right allows the data subject to find out whether his/her personal data are being processed or not, i.e., the data subject has the right to obtain the Bank’s confirmation as to whether or not the data that concern him/her are being processed and, where that is the case, information regarding the purpose of the processing, the categories of personal data concerned, the recipients or categories of recipients of such data, the envisaged period for which the data will be stored, and similar.

2) The right to rectification of data (pursuant to the provisions of Article 16 of the General Data Protection Regulation) – this right allows the data subject to request that any inaccurate or incomplete personal data concerning him/her be rectified.

3) Right to erasure (pursuant to the provisions of Article 17 of the General Data Protection Regulation) – this right allows the data subject to request that his/her personal data be erased, in which case the Bank will not be able to honour such request if the processing of the personal data of the relevant data subject is necessary (e.g., to comply with the prescribed data retention obligation, or to establish, exercise or defend legal claims).

4) Right to restriction of processing (pursuant to the provisions of Article 18 of the General Data Protection Regulation) – this right allows the data subject to request that the processing of his/her personal data be restricted in cases where he/she contests the accuracy of personal data, considers the processing to be unlawful, opposes the erasure of personal data and requests that the use of such data be restricted instead, and in cases where the data subject has objected to the processing and is waiting for the confirmation as to whether or not the legitimate interests of the Controller override his/her interests as the data subject.

5) Right to data portability (pursuant to the provisions of Article 20 of the General Data Protection Regulation) – this right allows the data subject to receive the data that concern him/her (and to directly transmit those data to another controller). It should be noted that the right to data portability applies exclusively to the personal data of the data subject which he/she has provided to the Bank in a structured, commonly used and machine-readable format, if the processing of data (whether personal data or special categories of personal data) is based on consent, or is carried out for performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract, provided that the right in question does not adversely affect the rights and freedoms of others.

6) Right to object (pursuant to the provisions of Article 21 of the General Data Protection Regulation) – this right allows the data subject to object to the processing of personal data if the processing is carried out in the public interest, or if the processing is necessary for the purposes of pursuing a legitimate interest of the Bank (including profiling), or if the data that concern the data subject are processed for direct marketing purposes. In such case, the Bank will no longer process the personal data of the data subject, unless it demonstrates compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the data subject), or the processing is necessary for the establishment, exercise or defence of legal claims.

The right to lodge a complaint with the supervisory authority (pursuant to the provisions of Article 77 of the General Data Protection Regulation), i.e., to the Personal Data Protection Agency (Agencija za zaštitu osobnih podataka).

You can exercise your rights by visiting any of the Bank’s branches or, if you are an e-zaba user, through its e-branch. You can also access the Bank’s e-branch via m-zaba, provided you also use the e-zaba service, and thus exercise your rights. The only precondition for exercising your rights is to prove your identity unquestionably. The Bank will inform you of the actions taken without undue delay, and no later than within one month of receiving your request. Exceptionally, this time limit may, if necessary, be extended by an additional period of two months, taking into account the complexity and number of requests, of which the Bank is obligated to inform you.

Lodging a Complaint with the Competent Supervisory Authority

Complaints regarding the processing of personal data by the Bank, as the Controller, can also be lodged with the supervisory authority for personal data protection, i.e., Personal Data Protection Agency (Agencija za zaštitu osobnih podataka), Ulica Metela Ožegovića 16, 10000 Zagreb (email: azop@azop.hr, phone: 01 4609 000).

10. Automated Decision-Making and Profiling

In certain cases, the Bank uses automated decision-making, including profiling, to assess the permissibility of entering into or performing a contract between the data subject and the Bank, e.g., in the processes associated with the assessment of data subject risk, which processes the Bank is obligated to establish pursuant to the Credit Institutions Act and Regulation (EU) No. 575/2013 (e.g., loan approval); in the processes the Bank is obligated to establish pursuant to the regulations governing the field of anti-money laundering and terrorism financing and financial sanctions; as well as in the processes it is obligated to establish for the purpose of preventing frauds.

As regards the assessment of client credit risk and creditworthiness, the Bank calculates the monthly risk score for its clients. This score reflects the client's risk profile in terms of his/her ability to fulfil obligations, i.e., settle debts, and is only one of the factors considered in the overall assessment of the client’s credit risk and creditworthiness. In the process of calculating the monthly credit risk and creditworthiness scores for a client, the Bank takes into account the available data about the products and services used by the client, the data provided by the client and the data related to the settlement of obligations by the client (including client income data, information regarding delays/defaults in the fulfilment of obligations), and applies statistical models to determine the client’s ability (referring to a client who has a contracted credit product, or has a debt on some other basis) to fulfil obligations. In addition to the above (i.e., monthly assessment), after an application for a credit product is submitted, the final automated decision on approval or rejection of the application for a credit product will also depend on the score calculated at the time the submitted application is processed,in the same way as the monthly score, only this time taking into account the requested amount and terms of the credit product as well. If the outcome of the risk assessment is positive (the assessment has satisfactory scores), an automated decision is made to approve the signing of a contract for the credit product with the client.

As regards the fraud prevention processes, pursuant to the relevant regulations (including the Payment System Act and Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication), the Bank is obligated to establish such transaction monitoring measures/mechanisms that enable the detection and prevention of unauthorised or fraudulent payment transactions and to implement such security measures that enable the application of strong customer authentication and protection of security credentials of payment service users. In this context, the Bank will carry out both profiling and automated decision-making for the purpose of managing fraud risks.

Decisions will be based on a fraud risk assessment that takes into account all elements relevant to the Bank with a focus on known fraud scenarios or unusual activities of an individual client through analysis of transactions and user behavior.

If the outcome of the assessment indicates that an unauthorised and/or fraudulent payment transaction has been submitted/initiated, such transaction will be stopped automatically, i.e., its execution will be refused (and a transaction refusal notification will be generated).

Furthermore, the Bank is obligated to implement a number of measures, actions and procedures laid down in the Anti-Money Laundering and Terrorist Financing Act, as well as to comply with the Act on Restrictive Measures. In this context, the Bank will also carry out profiling and automated decision-making in connection with the management of the risks associated with money laundering and terrorism financing and financial sanctions/restrictive measures, and the decisions will be based on all the elements the Bank considers relevant to the management of such risks.

The Bank will assess the risks applying the established rules, taking into account:

the data obtained from the data subject through the due diligence measures carried out at the time of establishing a business relationship and during the business relationship,
the data generated in the process of using the products and services used by the data subject,
the data obtained from other sources, including the data available from the relevant published lists (the so-called “watch lists”), media news and information on related persons, in which case the Bank will screen the collected data and transactions against the information regarding the financial sanctions and/or restrictive measures (i.e., check whether any of the data match those included on the relevant lists, or transactions involving known money laundering and terrorism financing scenarios/models);
the methodology (for the assessment of risks associated with money laundering and terrorism financing and financial sanctions) used to determine the actions to be taken depending on the risk assessment score/level, including restrictions on doing business with the client (data subject).

Considering the need to take preventive measures in a timely manner, if the outcome of the risk assessment indicates that there are risks (if positive matches are found, i.e., if the risk of money laundering and terrorism financing, or the risk of financial sanctions/restrictive measures is detected), prevention measures are activated automatically. More precisely, the transaction in question is stopped in order to conduct an additional analysis or, if the transaction is submitted through an instant payment service, the execution of the prohibited transaction is refused.

In general, in the case of automated decision-making, the data subject has the right not to be subject to a decision based solely on automated processing, unless such decision is:

a) necessary for the entry into or performance of a contract,

b) authorised by the EU or Croatian law, which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject,

c) based on the data subject’s explicit consent.

In the cases referred to in points a) and c), the Bank will implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, and the data subject will have the right to request human intervention, express his/her point of view and contest the decision.

In addition, in certain cases when automated decision-making is used, the Bank will provide additional information and designate a contact point through which you will be able to express your opinion, exercise the right to human intervention or contest a decision based solely on automated processing, including profiling, if such decision would produce legal effects for you (e.g., termination of a contract) or significantly affect you in some other way (e.g., rejection of a request by the application based on the data entered/provided).

Additional Information on the Processing of Personal Data

The Bank provides information in a layered manner and (to ensure easier understanding and greater transparency) certain details are additionally stated in information documents, some of which are published under the “Personal Data Processing” section at the footer of the Bank’s website (zaba.hr), and, when applicable, in the forms based on which the Bank collects particular data and the applications and contracts for products or services (such as, for example, the My Data form, in which the purpose of processing contact data, if provided, is additionally explained; application/request forms for products and/or services, in which the relevant set of data and purposes for which it is collected are explained, e.g., information on the use of non-purpose loan funds, card spending limit, and similar).

Package for the Youth

Switch your account to Zaba

IziPay - simple mobile payments

SEPA direct debit (SDD)

Use calculator to calculate loan annuities

Current account contracted overdraft

Financing in the palm of your hand

Pensioner loan - up to 78 years of age

m-zaba savings

How to wisely invest in funds

ZB Trader Global Trading

Standing order

Switch your account to Zaba

Credit protection life insurance for cash loans and car loans

Allianz Complementary Health Insurance

Allianz Prospekt with regular premium payment

m-zaba - free of charge for all new users for 3 months

Information on personal data processing
by Zagrebačka banka d.d.

Document sections:

1. Controller and Data Protection Officer

2. Personal Data Which are Processed and the Manner in Which the Bank Collects Personal Data

3. Sources of Personal Data

4. Lawful Bases and Purposes for Which the Bank Processes the Personal Data It Collects

5. Withdrawal of Consent

Additional Information

6. Sharing Personal Data with Third Parties

7. Transferring Data Outside the European Economic Area

8. Personal Data Retention Period

9. Data Subject Rights

Lodging a Complaint with the Competent Supervisory Authority

10. Automated Decision-Making and Profiling

Additional Information on the Processing of Personal Data

Package for the Youth

Switch your account to Zaba

IziPay - simple mobile payments

SEPA direct debit (SDD)

Use calculator to calculate loan annuities

Current account contracted overdraft

Financing in the palm of your hand

Pensioner loan - up to 78 years of age

m-zaba savings

How to wisely invest in funds

ZB Trader Global Trading

Standing order

Switch your account to Zaba

Credit protection life insurance for cash loans and car loans

Allianz Complementary Health Insurance

Allianz Prospekt with regular premium payment

m-zaba - free of charge for all new users for 3 months

Document sections:

1. Controller and Data Protection Officer

2. Personal Data Which are Processed and the Manner in Which the Bank Collects Personal Data

3. Sources of Personal Data

4. Lawful Bases and Purposes for Which the Bank Processes the Personal Data It Collects

5. Withdrawal of Consent

Additional Information

Types of cookies

Custom cookie settings

Technical cookiesAlways active

Performance cookies

Marketing cookies

Analytical cookies