Data Protection Information

1. Introduction, legal background

K&H Bank Zrt. (hereinafter referred to as: Bank) processes the data of its clients (Client) and any other natural persons in contact with the Bank (hereinafter jointly referred to as Data Subjects) in compliance with the provisions of the effective legal regulations and contracts with clients.

Our data processing activities are governed especially by the provisions of the following laws and regulations:

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as: Data Protection Act),
  • Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (hereinafter referred to as: Credit Institutions Act),
  • Act CXXXVIII of 2007 on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities (hereinafter referred to as: Investment Services Act),
  • Act LXXXVIII of 2014 on Insurance Activities (hereinafter referred to as Insurance Act);
  • Act LIII of 2017 on the Prevention of and Combating Money Laundering and Terrorist Financing (hereinafter referred to as: Anti-Money Laundering Act)
  • Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (‘Security Services Act’)
  • Act V of 2013 on the Civil Code
  • Act C of 2003 on electronic communication (hereinafter referred to as Electronic Communication Act)
  • Act CVIII of 2001 on Electronic Trading Services and Certain Issues Concerning Services in an Information Society (hereinafter referred to as Electronic Trading Act)
  • Act C of 2000 on Accounting (hereinafter referred to as: Accounting Act),
  • Act XLVIII of 2008 on the Fundamental Conditions and Certain Limitations of Economic Advertising Activities (hereinafter referred to as: Advertising Act)
  • Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (hereinafter referred to as the DM Act).
  • Central Bank of Hungary (MNB) Decree no. 19/2017. (VII. 19.) on the detailed rules of the development of and specifying the minimum requirements for operating a filtering system under the act on taking financial and restrictive measures relating to service providers supervised by the MNB under the act on the prevention of and combating money laundering and terrorist financing and provided for by the European Union and the Security Council of the United Nations

2. Data protection definitions

Data subject: a natural person who has been identified by reference to specific personal data, or who can be identified, directly or indirectly

Client: the Data Subject who uses any of the Bank’s financial, auxiliary financial, investment or auxiliary investment services. Financial services aimed at credit and loan operations covering also the activities in connection with checking the creditworthiness of borrowers, drafting credit and loan agreements, keeping records on, monitoring and controlling, outstanding loans, and including recovery operations; (Credit Institutions Act, Annex 2. section I.10.3.)

Personal data: data relating to the Data Subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject.

Bank secret: all facts, information, solutions or data at the disposal of the financial institution about the individual clients relating to the client’s personal identity, details, property status, business and economic activities, ownership and business connections and the balance of their account maintained at the financial institution, as well as any information relating to the contracts concluded between the client and the financial institution. The provisions on bank secrets shall also apply to any person who approaches a financial institution in order to receive services, but who ultimately decides not to use such services;

Securities secret: all data and information that is at the disposal of an investment firm, an operator of multilateral trading facilities or a commodity dealer concerning specific clients relating to their personal information, financial standing, business operations and investments, ownership and business relations, and their contracts and agreements with any investment firm or commodity dealer, and to the balance and money movements on their accounts

Insurance secret: all of the data - other than classified information - in the possession of insurance companies, reinsurance companies, insurance intermediaries that pertain to the personal conditions and financial situations or business affairs of their clients (including claimants), and the contracts of clients with insurance companies and reinsurance companies

In the case of natural persons (Data Subjects), the information falling within the scope of the secrets specified above is personal data.

Consent: any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations

Objection: a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the erasure of the data processed.

Controller: a natural person, legal entity or organisation without legal personality in charge of defining the objective for data management, making and implementing relevant decisions (including those related to the tools used) or delegating them to the respective appointed data steward.

Data Processing: any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, erasing and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings

Data Transfer: ensuring access to the data for a third party;

Disclosure: shall mean ensuring open access to the data

Data erasure: making data unrecognisable in a way that it can never again be restored

Data destruction: complete physical destruction of the data carrier recording the data

Data processing: performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data

Data Processor: any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions

Third party: any natural or legal person or unincorporated organization other than the data subject, the controller or the processor

Third Country: any State other than EEA Member States.

Data Protection Incident: unlawful handling or processing of personal data, in particular the illegitimate access, alteration, transfer, disclosure, erasure or destruction as well as the accidental destruction or damage.

3. Principles and legal basis of data processing

3.1. The Bank may process personal data only for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of data processing must be satisfied in all stages of the data processing operations; personal data shall be registered and processed lawfully and fairly.

3.2. In our data processing operations we process only such personal data that are essential for the purpose for which they were recorded, and are suitable to achieve that purpose. Our Bank processes personal data to the extent and for the duration necessary to achieve that purpose.

3.3. In the course of data processing, the data in question shall be treated as personal data as long as the data subject remains identifiable through it. The Data Subject shall - in particular - be considered identifiable if the Bank is in possession of the technical requirements which are necessary for identification.

3.4. We maintain the accuracy and completeness, and - if deemed necessary in the light of the aim of processing - the up-to-dateness of the data throughout the processing, also ensuring that the Data Subject may be identified no longer than necessary for the purposes of data processing.

3.5. Personal data may be processed under the following circumstances:

a. when the data subject has given his consent, or

b. when necessary as ordered by law or by a local authority based on authorisation conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest (hereinafter referred to as mandatory processing).

3.6. Where data processing is mandatory, the type of data, the purpose and the conditions of processing, access to such data, the duration of the processing operation, and the controller shall be specified by the law or a decree of a local authority in which it is ordered.

3.7. Personal data may also be processed if obtaining the data subject’s consent is impossible or it would incur disproportionate costs, and the processing of personal data is necessary

a. for compliance with a legal obligation of the Bank, or

b. for the purposes of the legitimate interests of the Bank or of a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data.

3.8. Prior to data processing we inform the Data Subject whether their consent is required or processing is mandatory. We inform the Data Subject clearly, understandably and specifically of all data to be processed, and all aspects concerning the processing of his personal data, such as the purpose for which his data are required and the legal basis, the person entitled to process the data and to carry out the processing, the duration of the proposed processing operation and the persons to whom the data may be disclosed.

3.9. Where personal data are recorded based on the Data Subject’s consent, the Bank shall - unless otherwise provided for by law - be able to process the data recorded, where this is necessary

a. for compliance with a legal obligation pertaining to the controller, or

b. for the purposes of the legitimate interests of its own or of a third party, and enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data,

without any additional special consent, even after the Data Subject withdraws their consent.

4. Objectives of processing of data and scope of processed data

4.1. The purpose of data processing

The Bank processes the personal data of the Data Subject submitted or made available in any way (including data indicated in documents, contracts, certificates and forms submitted by the Data Subject to the Bank or existing in any other form) especially in compliance with the legal regulations referred to in Paragraph 1, respecting the provisions pertaining to bank secret, securities secret, insurance secret and data protection requirements

  • for the performance or execution of any contract between the Bank and the Client for financial and auxiliary financial services, investment and auxiliary investment services or insurance activities, supply of any service under the contract, certification of obligations and rights associated with the contract, enforcement, collection and sale of any receivables relating to the contract,
  • risk management (risk analysis, risk mitigation - assessment)
  • client and credit rating
  • statistical analysis
  • complaint handling
  • issue of a business offer
  • market survey, customer satisfaction survey
  • marketing purposes, building of analytical models, client profile building
  • maintaining contact
  • performance of data processing obligations, generally stemming from laws and regulations (e.g., the customer due diligence process conducted in order to prevent and impede money laundering and terrorist financing, performance of the tax payment obligations of the Bank with regard to clients, statutory data supply to the Central Credit Information System and other regulatory data supply).

Any other data processing purposes relating to the contract between the Bank and the Client are included in the Bank’s Business Regulations on financial and auxiliary financial, investment and auxiliary investment services, the applicable contracting terms and conditions and the specific contracts.

4.2. Processed data

The list of data processed in relation to a specific transaction is included in the contract between the Bank and the Client, in the Bank’s Business Regulations on financial and auxiliary financial, investment and auxiliary investment services, the contracting terms and conditions applicable to the transaction, the specific contracts and the application forms for the service.

4.3. Duration of data processing

The maximum duration of data processing by the Bank is different depending on whether data processing is based on consent or is mandatory. When data are processed on the basis of the Data Subject’s consent, the Bank shall process the personal data of the Data Subject for no longer than the end of the 10th (tenth) year from the cessation of the contract between the Bank and the Data Subject and the bank’s receivable from the contract or, when there is no contract, for no more than 10 (ten) years from the registration of data but only for as long within that period until the Data Subject withdraws its consent.

In the case of mandatory data processing based on statutory obligations the Bank processes the data of the Data Subject specified by law for the purposes also laid down in the law for the statutory data processing period required under the law. The exact data processing period pertaining to a specific case is defined in the applicable general contracting terms and conditions and the specific contracts.

4.4. Data processing in relation to advertising

Pursuant to Article 6(1) of the Advertising Act, advertisements may be conveyed to natural persons by way of direct contact (such as through electronic mail or equivalent individual communication, with the exception of dedicated advertisements sent by post) only upon the express prior consent of the person to whom the advertisement is addressed. The Bank keeps records of the personal data of the persons submitting a declaration of consent in compliance with the content of the declaration of consent and the related legal regulations (Advertising Act, DM Act, Electronic Communication Act, etc.). The data of the addressee of the advertisements stated in those records may be processed only in compliance with the declaration of consent until it is withdrawn and may be disclosed to any third party only with the prior consent of the Data Subject or in compliance with the provisions of the law.

On the basis of a specific authorisation of the Data Subject, the Bank may disclose the Data Subject’s data specified in the declaration of consent to legal entities of the K&H Group, in order to enable them to directly recommend their services to the Data Subject and may also send to the Data Subject promotion materials containing offers of the Bank or any other subsidiary of the Group.

Consequently, the Data Subject may authorise the Bank and consent to being informed by the Bank for marketing purposes by way of direct mail or some other communication means (phone, e-mail, ebank, text message, etc.) of the services of the Bank or other companies of the K&H Group and their data being processed by the Bank. The Data Subject may instruct the Bank, at any time without any limitation or reasoning, not to send out any promotion material for direct business acquisition purposes and the data subject may withdraw the declaration of consent to receiving promotion materials and processing of their data for such purposes at any time, free of charge. The Data Subject may give that instruction by using the contact points published on the Bank’s website or in some other way indicated in the mails. In that case the Bank will no longer contact the Client for promotion purposes.

4.5. Photo and video recording

Pursuant to the legislation governing security services and the activities of private investigators, the Bank may carry out surveillance activities using electronic security systems and take photos and/or record videos using electronic security systems in all premises accessible by customers and in the vicinity of cash machines.

The purpose of this surveillance and taking photos/recording videos is to ensure the smooth provision of financial, supplementary financial, investment and supplementary investment services, as well as to guard human life, physical integrity, personal freedom, property as well as banking, securities and business secrets.

If not used, the Bank shall keep photos/recordings generated for the security purposes described above for a period of 60 (sixty) days. If such recording/photo is used in a court’s or any other authority’s procedure, it qualifies as ‘use’.

The visual recording system is operated by the Bank, and recordings are stored on-site until deleted. The Bank does not assign a data processor for the purpose of recording, and recordings may only be disclosed to the Bank’s staff working in the organisational units responsible for achieving the above objectives. Disclosure may only take place if it is essential for the prevention or interruption of any unlawful activity linked to the above targets, or, if a court or another authority contacts and requests the Bank to forward the recordings for use in any court proceedings or processes initiated by another authority.

The Bank shall not hand over the recordings to data subjects; however, it shall allow them to view such recordings within the retention period, on the Bank’s premises, whilst respecting the individual rights of other data subjects and safeguarding the Bank’s business secrets.

Within the retention period, data subjects may request that access to a recording is blocked. In such cases the Bank shall not destroy the recording for a period of 30 days starting from the date of the request to block access, but will keep it no longer than for 60 days starting from the date of the recording.

The Bank shall place signs at the entrance to the branch and also on cash machines drawing the attention of customers to the fact that a photo/video recording is being taken.

4.6. Client screening by electronic telecommunications devices

In compliance with its client screening obligations set forth in the Anti-Money Laundering Act, the Bank shall identify Data Subjects by electronic telecommunications devices audited under the Anti-Money Laundering Act (real-time client screening) in the cases specified in the Bank’s Business Regulations.

Real-time client screening is a precondition to contracting for products announced with this condition. The Bank shall make video and audio recordings of the real-time client screening process – in line with the MNB decree on the implementation of the Anti-Money Laundering Act –, and record the Data Subject’s portrait and documents listed in the Anti-Money Laundering Act during the real-time client screening procedure.

The Bank shall keep the recordings made during the real-time client screening process for the retention period specified for the given transaction. If a contract becomes valid and effective, the Bank, under Article 56(1) of the Anti-Money Laundering Act (taking into account the derogations set out in Articles 56(2) and 57), shall keep the relevant contractual data for 8 years after the termination of the business relationship (including all data which the Data Subject made available to the Bank in the preparatory phase of contracting or were created during the contract term). If a contract does not become valid, or does not become effective due to a failure to comply with one or more condition(s) giving effect to the contract, the Bank, under Article 166/A(2)–(3) of the Credit Institutions Act, shall keep the data for a 5-year retention period starting at the time when such data are recorded.

4.7. Complaint handling, sound recording

If the Bank’s call centre is used, the Bank shall record conversations with data subjects. Data processing is either subject to consent or mandatory.

If the purpose of the phone conversation is complaints handling, the Bank is obliged to record the conversation pursuant to the legislation governing the sector (the Financial Institutions Act and the Act on Investment Firms and Commodity Dealers, and on the Regulations Governing their Activities). In all other instances, recording is subject to the data subject’s consent.

Data subjects who do not wish to consent to their conversation being recorded, may contact the Bank via any other channel.

The purpose of data processing is to allow the Bank to reproduce, retrace and/or verify at a later date any complaints reported by phone; queries, modification requests and/or instructions concerning the preparation and continuation of the contracts of customers and other data subjects; the fact that customer identification has taken place; as well as any information provided by the Bank.

A complaint is defined as any criticism concerning the actions of the Bank or its failure to act prior to or upon signing a contract, in connection with its performance or on or after the termination of the contractual relationship.

If the complaint is handled over the phone, the Bank shall record and keep the voice recording of the conversation between the Bank and the data subjects putting forth the complaint for a period of 5 years, as required by law.

When calls outside the scope of complaints handling are received, the Bank shall keep the voice recording as long as a claim can be submitted concerning anything mentioned in the discussion. Unless otherwise stipulated by law, claims are governed by the general limitation period stipulated in the Civil Code (5 years).

The recordings kept may only be used in court proceedings or procedures initiated by other authorities, or in the course of settling disputes between the Bank and data subjects, or for the purpose of enforcing claims (as evidence). The recordings may only be disclosed to the Bank’s staff acting during any of the above listed uses and parties participating in court procedures or processes initiated by other authorities, to the extent required for the case.

If the recordings are not used, they will be deleted after the end of the retention period.

If a data subject is not the Bank’s customer, and provides personal identification or contact details by phone in order to receive the information sought, his/her consent to the Bank using such details for the purpose of issuing the required information will be regarded to have been provided.

If requested by a data subject contacting the Bank or contacted by the Bank, the Bank shall give access to the recording to the data subject, and provide the certified transcript of the voice recording to the data subject communicating the complaint, free of charge (any additional requests concerning the same conversation may be subject to a charge).

In order to comply with the regulations governing bank and securities secrets, the Bank will only be able to provide general information, not information that qualifies as bank or securities secret in any ordinary (non-encrypted and not containing an electronic signature) e-mail. If the customer files a complaint that contains or requests such information, in ordinary e-mail, the response will always be mailed to the customer’s registered mailing address by regular letter, sent via the postal service. The Bank has a Complaints Handling Regulation, which is displayed in all branches and can also be accessed via the Bank’s website.

4.8. Decision Adopted with Automated Data Processing

In relation to loan agreements the Bank may process and evaluate the data of the Data Subject with computer technology means, in an automated manner. If the processing involves only computer technology equipment, the Bank provides an opportunity to the Data Subject - upon request - to express their position and informs the Data Subject of the applied method and its essence in relation to any decision adopted with automated data processing.

The decision adopted during online credit scoring procedures is based on automated processing, against which the Data Subject may raise an objection. The online credit application process needs automated decision making because that ensures the benefits of faster processing. If a Data Subject does not want to be subjected to a decision made in the course of an online credit application process, they may choose to submit their credit application in person in any branch and have the right to inform the Bank about their views and objections. In the case of online credit applications, the Bank will use the data which the Data Subject makes available to the Bank and which are accessible based on legal regulations (e.g. from the central credit information system) to make its decisions. Credit scoring ensures making responsible lending decisions based on uniform criteria.

4.9. Processing relatives’ data

On request, K&H will provide a premium family service to Clients who are Premium Clients under the relevant Announcement. The essence of this service is that existing and contracted Premium Clients’ children or grandchildren aged 18–30 are granted the K&H premium account and service package without paying a monthly fee based on the status of their family member, which also means that they do not need to comply with the criteria required for Premium Client status while they are within the specified age group and their family member is still a contracted Premium Client of the Bank. When applying for this service, contracted Premium Clients must make a declaration about the family relationship and provide the name and date of birth of their child/grandchild. Contracted Premium Clients shall inform their child/grandchild about the content of the data management guide before starting this process, and may only supply their data if their child/grandchild has consented to that. These data are processed on grounds of the legitimate interests of the Bank and the purpose of this data processing is to grant the discounts provided by the K&H premium family service to the designated family members, exclusively at the request of a contracted Premium Client.

4.10. Data processing on the Bank’s websites

Occasionally the Bank uses technology on its websites available on the Internet for anyone which stores, in the computer of the visitor of the page, the settings required for the display of images and sounds and the settings that assist in the use of various services etc., in order to improve the user experience, in a manner that can be altered or deleted by the user at any time (cookie).

The detailed information on cookies is available on the website at: https://www.kh.hu/web/eng/cookie

5. Data transfer and transmission

5.1. Conditions of data transfer and data transmission

5.1.1. The Bank transmits personal data when the Data Subject has consented to it or it is permitted by the law.

5.1.2. Based on the authorisation of the Client or the law, the Bank may disclose data recorded in relation to the individual contracts of the Client to KBC Bank NV. (Havenlaan 2 - 1080 Brussels, BELGIUM), its controlling shareholder, for credit and debtor rating, risk management, statistical analyses, control or registration of lawsuits. Pursuant to the effective legal regulations on data protection, transfer of data to EEA Member States shall be considered as if the transmission took place within the territory of Hungary.

5.1.3. The Bank forwards personal data to non-EEA states (third countries) only with the expressed consent of the Data Subject or when the requirements of data processing specified in Articles 5-6 of the Data Protection Act have been fulfilled and the personal data are adequately protected in the third country.

5.1.4. Data may be transferred within the K&H Group (the group members are listed on the bank’s website) based on the written authorisation of the Data Subject for direct recommendation of services, more effective customer service and debtor rating in compliance with the conditions and to the extent specified in the law. Data may be transferred within the Group for purposes relating to promotional activities, in relation to the use of a service provided by a Group member or an outsourced activity.

5.1.5. Data may be transferred to third parties only pursuant to the law (in cases defined in Articles 161 - 164 of the Credit Institutions Act, Articles 118 - 120 of the Investment Services Act and Act CXXII of 2011 on the Central credit Information System) even without the Data Subject’s consent.

5.2. Data processing

5.2.1. The rights and obligations of data processors contracted by the Bank arising in connection with the processing of personal data shall be determined by the Bank within the scope specified in the Data Protection Act and in special legislation pertaining to data processing. The Bank shall be held liable for the legitimacy of its instructions.

5.2.2. The data processor may employ a further data processor to perform the activities in compliance with the instructions of the Bank.

5.2.3. The data processor may not make any decision on the merits of data processing and shall process any and all data entrusted to him solely as instructed by the Bank; the processor shall not engage in data processing for his own purposes and shall store and safeguard personal data according to the instructions of the Bank.

5.2.4. The Bank prepares the contracts for the processing of data in writing. No company that is interested in the business activity of the Bank shall be contracted for the processing of data.

5.3. Contributing data processors and data controllers

If the Data Subject uses services offered by the Bank but provided by or with the involvement of third parties, the Bank may forward all information to such third parties that is required for the supply of the services to the Data Subject and for the settlement between the Bank and the third party and between the Data Subject and the third party lawfully, in compliance with the applicable legal regulations. The information on such data transfer and the underlying data processing is included in the respective contracts.

5.4. Outsourcing

Pursuant to Article 68(1) of the Credit Institutions Act in due observation of the provisions on data protection, the Bank shall be authorized to outsource the activities, i.e., establish contracts for financial services and activities auxiliary to financial services as well as those mandatory activities prescribed by law that involve the management, processing and storage of data.

Pursuant to Article 79 (1) of the Investment Services Act the Bank may outsource its investment and auxiliary investment services or any other activity not falling within the scope of the Investment Services Act.

The disclosure of data necessary for carrying out activities that have been outsourced by the financial institution to the organisation performing the outsourced activity does not constitute the violation of any bank or securities secret. The party pursuing the outsourced activity may employ a contributor only with the Bank’s prior written approval.

The Bank ensures that these organisations arrange for the safe processing of the Client’s data in compliance with the conditions defined in the legal regulations on data protection and on bank and securities secret. The list of outsourced activities and the parties pursuing them is included in the currently effective business regulations: www.kh.hu/web/eng/conditions/retail/terms

5.5. Central Credit Information System (CCIS)

5.5.1. The purpose of data transfer to and storage in the central credit information system (hereinafter referred to as “CCIS”) is to create a closed database for the lenders and to facilitate a better credit rating, to satisfy the requirements of responsible lending and to mitigate credit risks, securing both debtors and credit institutions. The CCIS stores not only a list of bad debtors but also a list of good debtors.

5.5.2. Prior to transferring the reference data to the CCIS the reference data provider shall obtain a written declaration of consent from the concerned natural person clients with regard to their data being taken over from the CCIS by other reference data providers. This consent may be denied by natural person clients at any time while their data are registered in the CCIS. The Client’s consent to the receipt of data processed pursuant to Paragraph 5.5.4 a)-c) is not required. If the Client does not consent to the transfer of their data from CCIS, then CCIS contains the refusal of the consent as well as the data specified in Chapter II Paragraph 1.1 and Paragraph 1.2 a)-d) as well as Paragraph 1.5 of the Annex of Act CXXII of 2011 on the Central Credit Information System (hereinafter referred to as “CCIS Act”).

5.5.3. The financial enterprise managing the CCIS may transfer reference data on the basis of a data request submitted by the reference data provider. The data request for the reference data of natural persons may satisfy only the following purposes:

a. contracts for the supply of credit and financial loans, financial leasing, paper-based cash substitute payment instruments (travellers cheques and bills printed on paper) and the supply of related services (which are not classified as payment services) as well as for the assumption of suretyship, guarantee or other banker’s commitments.

b. contracts for investment loans defined in the Investment Services Act (supply of investment loans to investors)

c. securities lending contract referred to in the Capital Market Act

d. decision on student loan agreement referred to in the legal regulations

e. and

f. information on the data of the registered party kept in the CCIS upon request.

The reference data provider shall transfer the reference data managed by it (i.e., the data of its clients specified by law when the respective conditions prevail) to the financial enterprise managing the CCIS within five working days. The reference data provider keeps records of the fact and date of data transfer and on the transferred data.

5.5.4. The reference data provider shall transfer the reference data of natural persons, even without the Client’s consent,

a. who fails to meet their payment obligations provided for under the agreement referred to in Paragraph 5.5.3 a)-d) when the amount being overdue and not paid exceeds the monthly minimum wage in effect at the time of such payment becoming overdue, and such default exceeding the minimum wage prevails continuously for more than ninety days. (Data specified in Chapter II Paragraphs 1.1-1.2 of the Annex of the CCIS Act)

b. who, when requesting the conclusion of a contract referred to in Paragraph 5.5.3 a)-d), provides false data and it can be proved with documents or in relation to whom the court concludes, in an effective decision, the commitment of the crime of public document forgery or utilisation of false private documents or abuse of documents defined in the Act on the Criminal Code (hereinafter referred to as the Criminal Code) due to the use of false or forged documents. (Data specified in Chapter II Paragraphs 1.1 and 1.3 of the Annex of the CCIS Act)

c. against whom the court concluded, in an effective decision, the commitment of the crime of an abuse of a cash substitute payment instrument or economic fraud causing an especially great financial disadvantage or economic fraud causing a significant financial disadvantage in criminal conspiracy or as an ordinary business activity defined in the Criminal Code in relation to the use of cash substitute payment instruments (data referred to in Chapter II Paragraphs 1.1 and 1.4 of the Annex of the CCIS Act)

5.5.5. The financial enterprise managing the CCIS processes the reference data for five years, after which period, and in case the consent to data management is withdrawn, the financial enterprise managing the CCIS will erase the reference data finally in a non-restorable manner. The start date of calculating the time limit

  • according to Paragraph 5.5.4. above, when debt has not been terminated, is the end of the fifth year calculated from the date of the data transfer pursuant to Paragraph 5.5.4 a)
  • in cases b), c) according to Paragraph 5.5.4 above, it is the date of data transfer pursuant to Paragraph 5.5.4 b), c)

The financial enterprise managing the CCIS erases the reference data immediately and finally, if the reference data provider cannot be established, or if it learns that the reference data had been unlawfully entered into the CCIS.

If an overdue debt arising from a contract involved in reporting is paid, the enterprise managing the CCIS shall irretrievably and immediately erase the relevant reference data referred to in Paragraph 5.5.4. a) in one year from the payment of the overdue debt. 

5.5.6. The reference data provider sends written notification to the natural person thirty days prior to the date of the planned data transfer to CCIS stating that in the case referred to in Paragraph 5.5.4 a) above, their data will be entered into CCIS unless they fulfil the contractual obligations. The reference data provider notifies the registered party in writing within five banking days of the data transfer to the financial enterprise managing the CCIS. Anyone is entitled to request information at any reference data provider on the entity’s data registered in the CCIS (client enquiry). The enquiry is free of charge.

5.5.7. The registered party may object to the transfer and processing of the reference data and may request the rectification or erasure of the data. The objection may be submitted to the reference data provider and to the financial enterprise managing the CCIS, which then must investigate it within five banking days and notify the registered party of the result in writing immediately, or within two banking days. If the reference data provider accepts the objection, the reference data to be rectified or erased shall be sent to the financial enterprise managing the CCIS immediately or within five banking days and such data shall be rectified or erased within two banking days. The Registered Party may initiate legal action against the reference data provider or the financial enterprise managing the CCIS on account of the supply or processing of their recorded reference data or the rectification or erasure thereof as well as for the failure to provide information. The time limit for initiating legal action is thirty days from the receipt of notification or the deadline available for the notification; the failure to meet the time limit must be certified.

The complete information about CCIS is included in the respective contracts and in the currently effective business regulations: www.kh.hu/web/eng/conditions/retail/terms

6. Obligation to provide information

6.1. Prior to data processing the Bank informs the Data Subject whether their consent is required or processing is mandatory.

6.2. Prior to the start of data processing the Bank informs the Data Subject clearly and in detail of all facts relating to data processing, such as the purpose and the legal basis of data processing, the persons entitled to process the data and to carry out the processing, the duration of the processing operation, the persons to whom the data may be disclosed as well as the rights and legal remedies available for the Data Subject in relation to data processing.

6.3. Where processing under consent is necessary for the performance of a contract concluded with the Bank in writing, the contract shall contain all information that is to be made available to the data subject in connection with the processing of personal data, such as the description of the data involved, the duration of the proposed processing operation, the purpose of processing, the transmission of data, the recipients and the use of a data processor. The contract must clearly indicate the data subject’s signature and explicit consent for having his data processed as stipulated in the contract.

7. Rights of data subjects and their enforcement

7.1. The data subject may request from the Bank

a. information when his personal data is being processed,

b. the rectification of his personal data, and

c. the erasure or blocking of their personal data, except where processing is rendered mandatory.

7.2. Upon the data subject’s request the Bank shall provide information concerning the data relating to him, including those processed by a data processor on its behalf, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, the circumstances and effects of the data protection incident and the measures taken for its elimination and - if the personal data of the data subject is made available to others - the legal basis and the recipients.

The Bank must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than 25 (twenty-five) days.

7.3. The information shall be provided free of charge if no information request was submitted to the Bank for the category of data in the current year. In any other case the Bank may decide to reimburse the costs. The Bank may refuse information to the Data Subject only in cases specified by law.

7.4. Where information is refused, the Bank shall inform the Data Subject in writing on the provision of the Data Protection Act based on which information was refused. Where information is refused, the Bank shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) (address of the registered office: 1024 Budapest, Szilágyi Erzsébet fasor 22/c.; hereinafter referred to as Authority).

7.5. Where any personal data are deemed inaccurate, and the correct personal data is at the disposal of the Bank, the Bank shall rectify the personal data in question.

7.6. Personal data shall be erased if

a. processed unlawfully;

b. requested by the Data Subject (unless the data processing is based on a binding provision of the law);

c. incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision;

d. the purpose of processing no longer exists or the legal time limit for storage has expired (except personal data recorded on a carrier that is to be deposited in archive under the legislation on the protection of archive materials);

e. so instructed by court order or by the Authority.

In certain cases (see Sub-paragraph b)) the Bank shall not erase the data of the Data Subject even when the Data Subject requests it. The Bank stores the data of not concluded contracts pursuant to the provisions of the Credit Institutions Act as long as claims can be enforced in relation to the failure of the contract (unless the law provides otherwise, the general limitation period specified in the Civil Code shall be applied.)

The Bank shall not erase the Clients’ data even after the termination of the particular legal relationship as it has an obligation to keep the data stated in the legal regulations (AML Act, Accounting Act). When that obligation is terminated the data are erased.

However, in the previous periods the data are not used for any other purposes unless consent is granted.

7.7. Personal data shall be blocked by the Bank instead of erasing them if so requested by the data subject, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the Data Subject. Blocked data shall be processed only for the purpose which prevented their erasure.

7.8. If the accuracy of an item of personal data is contested by the data subject and its accuracy or inaccuracy cannot be ascertained beyond doubt, the Bank shall mark that personal data for the purpose of referencing.

7.9. When data are rectified, blocked, marked or erased, the Data Subject and all recipients to whom it was transmitted for processing shall be notified. Notification is not required if it does not violate the rightful interest of the data subject in light of the purpose of processing.

7.10. If the Bank refuses to comply with the Data Subject’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within 25 (twenty-five) days of receipt of the request. Where rectification, blocking or erasure is refused, the Bank shall inform the Data Subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

8. Objection to handling of personal data

8.1. The Data Subject shall have the right to object to the processing of data relating to him:

a. if processing or disclosure is carried out solely for the purpose of discharging the Bank’s legal obligation or for enforcing the rights and legitimate interests of the Bank, the recipient or a third party, unless processing is mandatory;

b. if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and

c. in all other cases prescribed by law.

8.2. The Bank shall assess the objection within the shortest possible time and no more than within a 15 (fifteen) day period following the submission of the request, shall decide as to merits and shall notify the applicant in writing of its decision.

8.3. If, according to the findings of the Bank, the Data Subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.

8.4. If the Data Subject disagrees with the decision taken by the Bank or if the Bank fails to meet the deadline specified in the Data Protection Act, the Data Subject shall have the right to bring action in the court of law within 15 (fifteen) days of the date of delivery of the decision or from the last day of the time limit. The action shall be heard by the competent general court. If so requested by the Data Subject, the action may be brought before the general court in whose jurisdiction the Data Subject’s home address or temporary residence is located.

8.5. The Bank shall be liable for any damage caused to a Data Subject as a result of unlawful processing or by any breach of data security requirements. The Bank shall also be liable to the Data Subject for any damage caused by the data processor. The Bank may be exempted from liability if it proves that the damage was caused by reasons beyond its control.

9. Remedy

Data subjects may address any data processing complaints to the Bank’s internal data protection officer (Dr. Zsolt Lukács), the National Authority for Data Protection and Freedom of Information (HQ: H-1024 Budapest, Szilágyi Erzsébet fasor 22/c.) or a court.

Legal disputes concerning data processing shall be resolved by the competent regional court.

K&H Bank Zrt.