Information on personal data processing by Zagrebačka banka d.d.

The purpose of the information below is to give you an overview of how we process your personal data and to make you familiar with the rights you have concerning personal data processing. Firstly, you should be aware that personal data processing depends greatly upon the type of the Bank’s services you have arranged and use. This information is intended for clients, potential clients and other natural persons whose personal data the Bank collects relying on a legal basis, regardless of the type.

I. WHO PERFORMS THE ROLE OF THE CONTROLLER?

Zagrebačka banka d.d., PIN (OIB): 92963223473, having its registered office at Trg bana Josipa Jelačića 10, 10000 Zagreb, Republic of Croatia (hereinafter referred to as: Bank).

II. WHAT CONSTITUTES PERSONAL DATA?

“Personal Data” is any piece of information which refers to an identified or identifiable natural person (hereinafter referred to as: Data Subject), i.e. any piece of information:
(a) that the Data Subject provides to the Bank, either orally or in writing,

     (i) in any type of communication with the Bank, regardless of its purpose, including but not limited to communication by phone, communication through the Bank’s digital channels, at the Bank's branches, via the Bank's website;
     (ii) when arranging new services and products of the Bank;
     (iii) in requests and forms used for arranging the services and products of the Bank;
     (iv) when participating in client satisfaction surveys conducted by the Bank;

(b) that become known to the Bank through the provision of banking, financial and related services to the Data Subject or through arranging the products and services of its contractual partners, including but not limited to information about transactions, personal spending and interests, and other financial information arising from the use of any of the Bank's products or the products of its contractual partners, as well as all personal information of which the Bank became aware through the provision of banking and financial services based on previous business relationships with the client;
(c) provided to the Bank by the members of the Zagrebačka banka Group and members of the UniCredit Group to which the Bank belongs and third parties;
(d) created as a result of the processing of any of the previously mentioned pieces of information by the Bank;

(hereinafter referred to collectively as: Personal Data).

III. HOW DOES THE BANK COLLECT PERSONAL DATA?

The Bank collects Personal Data directly from the Data Subjects or obtains them from third parties relying on some other type of legal basis. Where Personal Data are collected from third parties, the Data Subject has the right to be informed of the identity of the source concerned and, if necessary, also of the fact whether his/her Personal Data come from a publicly available source or not, in accordance with valid legislation and taking into consideration possible exemptions from informing obligations.

IV. WHAT ARE THE PURPOSES FOR PROCESSING PERSONAL DATA?

a) Complying with the Bank’s statutory obligations or other purposes determined by law, and complying with individual acts passed by the relevant institutions within the Republic of Croatia or other bodies whose instructions the Bank is required to follow in accordance with legal or other regulations. The processing of such Personal Data constitutes the Bank’s statutory obligation and it may therefore refuse to establish a contractual relationship or provide an arranged service, or even terminate an existing business relationship if the Data Subject fails to provide the legally prescribed data.

b) Entering into and performing a contract to which the Data Subject is party, or in order to take actions upon the request of the Data Subject prior to entering into such contract. The provision of Personal Data for this purpose is required. If the Data Subject refuses to provide any information required for the purpose of entering into and performing a contract to which he/she is party, including the Personal Data that are collected for risk management purposes in the manner and within the scope prescribed under applicable laws and subordinate legislation, the Bank could be rendered unable to provide certain services and may, therefore, refuse to establish such contractual relationship.

c) Data Subject's consent

     i. for the purpose of marketing activities as part of which we may send you information regarding the offers and benefits associated with the new or already arranged products and services of the Bank, and for the purpose of direct marketing aimed at developing a business relationship with the Bank as part of which we may send you individualized offers to make new contracts for the use of the banking, financial and related services provided by the Bank and Members of the Group based on profiling, which may include individual automated decision-making.

     ii. for the purpose of occasional research regarding our operations and the related sharing of Personal Data with third parties, including members of the Zagrebačka banka Group, members of the UniCredit Group to which the Bank belongs and legal entities formally registered for conducting research and engaged by the Bank for that purpose.

The Data Subject may withdraw any previously given consent at any time and has the right to object to the processing of his/her Personal Data for marketing and market research purposes, in which case the Personal Data that concern him/her will no longer be processed for such purposes, which will however not affect the lawfulness of processing based on consent before such withdrawal.

The provision of data for the above-mentioned purposes is voluntary and the Bank will not refuse to enter into or perform a contract if the Data Subject refuses to consent to provide Personal Data for such purposes.

d) Legitimate interests of the Bank, other members of the Group and members of the UniCredit Group and third parties, including but not limited to:

     - managing credit, operational, reputational and other risks at the level of the Bank and the Group;
     - conducting direct marketing, market research and opinion surveys to the extent the Data Subject does not object to the processing of data for such purposes;
     - taking actions for the purpose of managing the Bank’s operations and further development of its products and services;
     - taking actions for the purpose of protecting the Bank’s employees, facilities and assets, including access control and/or authentication; and
     - processing of Personal Data by the members of the Group and the members of the UniCredit Group for internal administrative purposes and for the purpose of protecting computer and electronic communication systems.

When processing a Data Subject’s Personal Data on the basis of a legitimate interest, the Bank always considers his/her interests and basic rights and freedoms, and takes particular care to ensure that the Data Subject’s interests do not override its interests for personal data processing, especially if the Data Subject is a child (a minor).

V. HOW DOES THE BANK PROCESS PERSONAL DATA?

The Bank processes Personal Data in compliance with the highest standards of the European Union and applicable legislation of the Republic of Croatia. In certain cases, for the purpose of entering into or performing a contract with a particular Data Subject, the Bank may rely on automated decision-making, including profiling. The parameters used in such automated decision-making, e.g. assessment of the Data Subject’s risk profile, are adjusted to fit the relevant purpose. Also, in such cases the Data Subject has the right to request human intervention from the Bank, as the Controller, as well as to express his/her own opinion and challenge the decision made. Furthermore, the Bank may create a client’s profile on the basis of his/her consent for direct marketing and/or market research purposes as well.

VI. HOW LONG DOES THE BANK RETAIN PERSONAL DATA?

The Personal Data of Data Subjects will be kept by the Bank for the duration of its contractual relationship with the Data Subject, within the period of validity of the Data Subject’s consent to personal data processing, and for the period during which it is legally required to store particular data, in which case it will not be allowed to actively process such Personal Data for other purposes, but will only be allowed to keep them stored (archived) for purposes prescribed by law.

VII. ARE THE PERSONAL DATA TRANSFERRED TO THIRD PARTIES?

The Personal Data of Data Subjects may be transferred to third parties pursuant to:

a) the Data Subject's consent,
b) the contract to which the Data Subject is party, and
c) the provisions of laws and subordinate legislation.

The Personal Data will be transferred to third parties to which the Bank is required to provide such data, such as the Financial Agency, the Ministry of Finance – Tax Administration as well as any other person to which the Bank is authorized or required to deliver Personal Data in accordance with the Credit Institutions Act and other relevant regulations governing the banking business. Furthermore, the Personal Data concerning Data Subjects may also be delivered to persons with which the Bank maintains a contractual relationship, including in particular service providers and agents, such as providers of postal, document processing, logistics, ICT, advisory and consulting, as well as marketing and sales services.

Please note that all persons who, due to the nature of the activities performed with or for the Bank, have access to Personal Data, are also required to keep such data as a banking secret pursuant to the Credit Institutions Act and other data secrecy regulations.

The details about the purposes of personal data processing, the recipients or categories of recipients, the legal bases for personal data processing and the sharing of Personal Data with other recipients to be used for their purposes are provided in individual documents, such as the questionnaire forms used by the Bank to collect particular information and request and contract forms used to arrange a particular banking service or product.


VIII. ARE THE PERSONAL DATA TRANSFERRED TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS?

The Personal Data of Data Subjects may be transferred outside of the European Economic Area (hereinafter referred to as: Third Countries) only to the extent that:

- such transfer is necessary to execute the Data Subject's instructions (e.g. payment orders or orders which refer to the legal transactions in securities);
- such transfer is prescribed by law or pursuant to some other legal basis that the Bank is subject to (e.g. notifications concerning tax issues); or
- the Data Subject has granted his/her consent to the transfer of Personal Data to Third Countries.

In any case, the transfer of Personal Data to a Third Country or international organization may be carried out only if the European Commission assesses that such Third Country, territory where the operations are performed or one or more sectors within that Third Country, or the international organization concerned ensures an adequate level of data protection.

IX. WHAT RIGHTS DO THE DATA SUBJECTS HAVE?

Any person whose Personal Data are processed by the Bank has the right to access all the provided Personal Data, the right to rectify and erase the same, the right to restrict the processing of the same, and the right to data portability. The Data Subjects also have the right to withdraw any previously given consent. Please note that such withdrawal will not affect the lawfulness of the processing based on consent before the withdrawal was made.

Any Data Subject of the Bank and any person whose Personal Data are processed by the Bank has the right to lodge a complaint with regard to the processing of his/her Personal Data by the Bank, as the Controller, with the supervisory authority, i.e. the Personal Data Protection Agency.


X. HOW CAN THE RIGHTS BE EXERCISED?

The Data Subjects can contact the employees of the Bank at any of the Bank's branches, and they can also contact the Bank's Data Protection Officer in writing at Zagrebačka banka d.d., Službenik za zaštitu osobnih podataka, Trg bana Josipa Jelačića 10, 10000 Zagreb, or via e-mail at sluzbenik.za.zastitu.osobnih.podataka@unicreditgroup.zaba.hr.

