PriBank values your privacy and is committed to protecting your personal data. We have drafted this statement to make it easier to access all the information you need regarding the processing of your personal data.

Our Privacy Promise

PriBank is about relationships with people – with our customers, our colleagues, and our business partners. Each of these relationships is built on trust – a trust we earn by protecting your information and privacy. How we use your data depends on the nature of our relationship with you.

We assure you that:

• We handle personal data fairly, legally and transparently
• To process your personal data only for the purposes we have stated
• To process only those personal data that we need to fulfill the stated purpose
• To process personal data only for as long as we have a business relationship with you and for as long as it is legally permitted
• To take care of your privacy by taking adequate technical and organizational measures
• To provide you with opportunities to exercise your rights regarding the processing of personal data

Purpose of this Statement

PriBank’s Privacy Statement aims to provide you with clear information about what personal data we process, the purpose for which we process it and the legal basis of processing, when you cooperate with PriBank, whether as a customer, business partner or job candidate. This privacy statement applies to data collected and processed by PriBank physically, electronically, using the PriBank M-Banking application, the E-Banking platform, and from our website. Your privacy is important to PriBank, therefore PriBank treats your data with care. In addition, this statement describes our obligations and responsibilities regarding the protection of this data and the rights of the subjects of personal data.

PriBank is committed to meeting the highest standards in terms of personal data protection. Our business standards and procedures are inspired by Law no. 06/L-082 on the Protection of Personal Data, Regulation of the European Union 2016/679 on the Protection of Personal Data (“GDPR”), and respect for the fundamental right of protection of personal data guaranteed by the Constitution of the Republic of Kosovo.

The way we process personal data may change over time and we will update this statement from time to time to reflect best practice. In addition, we operate with a number of internal policies and procedures that relate to this Statement. PriBank has internal policies and procedures that regulate the confidentiality, integrity and availability of personal data.

Definitions

The expressions used in this statement have the following meanings:

Personal data means any information that can, directly or indirectly, identify a natural person.

Processing means any action or series of actions performed on personal data by automatic or non-automatic means, such as: collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, publication by transmission, distribution or provision, integration or combination, restriction, deletion or disposal.

Data controller means any natural or legal person from the public or private sector that individually or jointly with others determines the purposes and methods of personal data processing.

Data processor means any natural or legal person, from the public or private sector, who processes personal data for and on behalf of the data controller.

Consent of the data subject means the free expression of the freely given, specific, informed and clear will of the data subject’s wishes through which he or she, by a statement or a clear affirmative action, expresses consent his/her for the processing of personal data related to him/her.

PriBank as Data Controller

PriBank is the data controller and responsible for determining the purpose related to the processing of your personal data described in this privacy statement.

Below are the contact details for the data controller:

PriBank sh.a.

Calabria neighborhood, St. Sicily

Prishtina, 10,000

Phone: 0800 74 777

Email: [email protected]

• Personal Data Protection Officer at PriBank

PriBank has appointed a Personal Data Protection Officer, who is supported by team members in the Bank’s Compliance Department and whose role includes acting as a point of contact for individuals regarding their concerns about how their data is processed. .

You can contact the Personal Data Protection Officer at PriBank:

Personal Data Protection Officer

PriBank

Calabria neighborhood, St. Sicily

Prishtina, 10,000

Email: [email protected]

Purposes and legal basis of personal data processing

We will process and share your information only when necessary to carry out our banking activities. The main purpose for which we process your data is based on your requests to our services, including opening a bank account, applying for loan financing, opening a savings account, term deposits, leasing, applying for a debit and credit card, use of online banking applications such as E/M-Banking.

Below we have described the purposes for which PriBank may process your data.

A| To fulfill contractual obligations

The main purpose of processing the personal data of PriBank’s customers is the documentation, execution and administration of agreements related to the Customer.

This may include processing for:

1. Take steps related to the client’s request to conclude an agreement for specific products or services,
2. Executed national and international transactions through institutions and payment systems,
3. Conduct internal assessments of credit risk management in order to determine under what conditions and what services can be offered,
4. Evaluate and process applications for banking products or services,
5. Offer and administer those products and services throughout your relationship with the bank, including opening, maintaining, closing accounts or other products; collecting and issuing all the necessary documentation; executing your instructions; process transactions, including transferring money between accounts; make payments to third parties; provide solutions to any questions or discrepancies and administer any changes; calls to the customer contact center, communications via e-mail or mobile phone may be recorded and monitored for these purposes,
6. Manage and maintain our relationship with you for ongoing customer service,
7. Administer any credit or debt facility, including agreement on repayment options,
8. Communicated with you about your account(s) or the products and services you receive from us.

B| To fulfill legal obligations

In order for PriBank to be able to demonstrate compliance with its legal and regulatory obligations, it processes personal data.

This may include processing for:

1. To confirm the identity of the customer, to keep personal data accurate and up-to-date and to correct this data when it is incomplete or not updated (KYC),
2. To carry out checks and to monitor transactions in order to prevent and detect crime and to comply with the law for the prevention of money laundering, fraud, financing of terrorism, bribery, corruption. For this purpose we may be required to process data, to investigate and collect information on suspected financial crimes and to share this data with law enforcement bodies,
3. Make the assessment related to the financial capacity for financing with credit products and throughout the duration of the relationship, including the analysis of data related to the credit for regular reports to the regulatory bodies,
4. Share data with other banks and third parties to help recover funds that have entered your account as a result of misuse by a third party,
5. Sharing data with police, law enforcement, tax authorities or other government agencies in connection with fraud prevention where we have a legal obligation including reporting suspicious activity and complying with and complying with court orders;
6. Sending mandatory communications to customers as defined by the relevant regulation, such as when we communicate updates to general terms and conditions or specific product and service,
7. Investigate and resolve complaints, correct errors that may occur in your account or the service you use,
8. Manage ongoing regulatory issues, investigations and legal matters,
9. Conduct assessments and analyzes of customer data for the purposes of data quality management, improvement and regulation,
10. Investigated and reported on incidents or emergencies in the bank’s properties and premises,
11. Coordinate responses to incidents that disrupt business and ensure that facilities, systems and people are available to continue providing services.

C| Legitimate interests of the Bank

PriBank may process personal data for the purposes of the Bank’s legitimate interests.

We may process your data for the purpose of the day-to-day development of our business activities, to manage financial matters and to protect our customers, employees and property. It is in our interest to ensure that our processes and systems work effectively and that we can continue to operate our business.

This may include processing your data to:

-monitored, maintained and improved internal business processes, information and data, technology and communications, solutions and services,

– to ensure business continuity and disaster recovery and to respond to information technology, business and emergency incidents,

-provide network and information security, including monitoring and controlling access of authorized users to our information technology systems in order to prevent cyber-attacks, unauthorized use of our systems and website, crime prevention and detection and the protection of your personal data,

– perform general financial reporting and accounting to regulatory bodies,

– protect our rights and legitimate interests,

– manage, monitor and protect our properties, branches, employees and customers through camera surveillance systems in order to prevent crime and prosecute offenders, to identify incidents and emergency situations,

-to research your experience with us and to monitor the performance and effectiveness of our products and services,

– performed analysis of customer complaints for the purpose of preventing errors and process failures and correcting negative impacts on customers,

– performed financial, credit and operational risk assessments,

– share data with the Credit Registry, fraud prevention and law enforcement agencies,

– follow the debtors in order to realize the unpaid debt,

-conduct controls, monitoring and investigations to prevent and detect crime including money laundering, financing of terrorism, bribery, corruption, and international sanctions. It may include investigating and gathering information on suspected financial crimes, fraud and threats and sharing data between banks and with law enforcement and regulatory bodies,

– to respond to and investigate complaints raised directly with us or through a third party such as through a regulatory body.

 | Your consent

PriBank in some specific cases may request the customer’s consent to process personal data. Before we receive the client’s consent for the processing of personal data, PriBank will provide information about the purpose of data processing. When personal data is processed on the basis of consent, the customer has the right at any time to request the withdrawal of consent and the customer will be notified of any consequences of the withdrawal of consent.

Collection and categories of personal data

Personal data can be collected directly from the Customer, from the use of services by the Customer including opening a bank account, applying for any of our banking products (loan, overdraft, term deposit), using online banking services through E-Banking and PriBank Mobile Banking as well as from external sources such as the credit registry system, property registry, public authority, etc.. as far as we are legally allowed.

PriBank primarily collects and processes personal data for natural persons with whom it has entered into an agreement or with natural persons who wish to enter into an agreement with PriBank. PriBank also collects and processes personal data from legal representatives, corporate representatives, payees, transient visitors to PriBank branches.

We use personal data to provide our banking services and to improve our products and quality by conducting customer surveys and market analysis. Personal data also helps us to prevent money laundering and terrorist financing and to prevent and investigate fraud, as well as make payments, credit assessment and risk assessment possible.

Categories of Personal Data

The categories of personal data that PriBank collects and processes are described below, but not limited to:

Identification & contact data including first and last name, personal identification number, date and place of birth, nationality, data related to identification documents, FATCA status, residential address, telephone number, email.

Financial data including account information, transactions, income, credit history, employment, financial experience with banks or other financial institutions, interbank and international payment details, beneficiary details.

Data about due diligence & due diligence means data that enables PriBank to perform due diligence related to the prevention of money laundering and terrorist financing and to ensure compliance with national and international sanctions, including the purpose of the business relationship and whether a customer is politically exposed, as well as data on the origin of assets or funds related to the beneficiaries of the Customer’s transaction and business activity.

Data obtained and/or created in connection with an obligation arising from the law means data that PriBank may be required to report to authorities, such as tax authorities, courts, law enforcement agencies including details of income, credit, notes and debts.

Data related to online identification means data that PriBank collects when you activate the PriBank Mobile Banking mobile application and includes user registration data such as registration credentials.

Communication & service data collected from the Customer when he visits PriBank branches, ATMs, and other areas where PriBank can provide services, or communicates with the customer regarding complaints via phone, email, complaint box, social networks , data related to the customer’s visit to websites, and the online banking mobile application.

Data related to camera & visitor surveillance means data collected by security cameras located on PriBank properties and facilities, and data collected on visitors entering the PriBank Head Office facility.

Data related to co-borrowers & guarantors who are not customers of PriBank means data collected from individuals who may not be customers of PriBank, but are persons related to our customers. All these data are collected by PriBank in full compliance with the provisions of the Personal Data Protection Law.

Profiling and automated decision making

Profiling refers to any form of automatic processing of personal data that consists in the use of personal data to assess personal aspects related to a natural person, in particular to analyze or predict certain aspects related to the economic situation, personal preferences and interests and location of a natural person.

Profiling can be used by PriBank to analyze measures to prevent money laundering and terrorist financing as well as for automated individual decision-making such as credit assessment, risk management and transaction monitoring to prevent fraud.

Direct marketing

PriBank may process your personal data for the purpose of direct marketing to inform you about offers and campaigns regarding banking products and services through various forms of communication such as mail, telephone, e-mail. The processing of personal data for the purpose of direct marketing takes place only if you have expressly given your consent. At any time, you have the right to withdraw your consent for the purpose of direct marketing by contacting us at 0800 74 777, by writing to us at [email protected] or by visiting one of the PriBank branches. After withdrawing consent we will no longer contact you to notify you of PriBank’s latest offers and campaigns.

Camera surveillance

PriBank has installed a camera surveillance system in its properties and facilities. Camera surveillance by PriBank is based on the bank’s legitimate interests to ensure the safety of its employees and customers, for the purposes of public safety and crime prevention and detection. Security cameras are located at all entry points to Pribank facilities, customer waiting areas, checkout areas, cash storage areas, ATM areas and server areas. All areas monitored by security cameras have warning signs posted.

The images recorded by the camera surveillance will be stored for up to 1 (one) month, but in specific cases they can be stored even longer for legitimate purposes of PriBank.

. Using the PriBank Mobile Banking and E-Banking application

To make it easier to manage the balance of your bank accounts and transactions, to have access to the account 24/7, and the possibility to carry out transactions just by pressing a button, without the need to physically visit the branch, PriBank has created the online E-Banking and PriBank Mobile Banking platforms.

Before you have access to our online platforms, PriBank will conclude agreements with its customers on the terms and conditions of use of these online platforms. In order for these platforms to be functional for you, PriBank must collect and process your personal data in order to fulfill the contract related to the provision of this service.

You can access the PriBank Mobile Banking mobile application by downloading the application from mobile operating systems such as Android and iOS.

Categories of personal data recipients and data transfer

PriBank employees

At PriBank, your personal data will be processed by the relevant employees and departments, they process your personal data to fulfill contractual, legal or regulatory obligations and legitimate interests.

Our employees are trained in matters of data protection and compliance with the principle of confidentiality and bank secrecy.

Outsourced processors

Personal data may also be processed for specific purposes by processors contracted by PriBank, who process personal data according to PriBank’s instructions. Contracted processors can be defined as companies that provide services that we need for the purposes of fulfilling our legitimate interests or contractual obligations, including information technology service providers, auditors, legal advisors, debt recovery services, service providers marketing, video surveillance service providers. All processors contracted by PriBank have legal and contractual obligations to treat your data confidentially and to have taken adequate measures for the security of the data they process.

Relevant state authorities

PriBank respects the laws and regulations in force, so in certain cases, if there is a legal or regulatory obligation, it may share data with public bodies and institutions, including the Central Bank of Kosovo, the Register of Bank Accounts, the Register of Loans, the Courts, the Unit of Financial Intelligence, Tax Administration, Internal Revenue Service.

Third parties

PriBank, in order to provide and offer the highest quality services, needs to share some data with entities such as Visa or Master Card, card processors for personalization (credit and debit cards), correspondent banks, international systems for the part of payments and management of accounts, local systems for registration of pledge and registration of mortgage.

Transfer of personal data to other countries and international organizations

PriBank can transfer personal data outside of Kosovo in compliance with the provisions of Law no. 06/L-082 on the Protection of Personal Data, in cases where it is necessary to include international institutions for payments and cash withdrawals with credit cards debtors and creditors. These institutions or organizations are obliged to respect the European standards of personal data protection and security.

PriBank will ensure that it will undertake all adequate organizational or technical measures and will verify the third countries where it intends to transfer personal data in full compliance with the provisions of the law on the protection of personal data regarding the transfer of personal data in other countries or international organizations.

How long PriBank keeps your personal data

By providing products or services to you, we create records (in physical or electronic format) containing your information, depending on the business relationship you establish with us.

We manage our logs with the information you have provided to us to help us serve our customers as best as possible, to comply with legal and regulatory requirements. Data retention helps us demonstrate to the competent legal and regulatory bodies that we are fulfilling our responsibilities in accordance with our banking function and activity.

Data retention periods are determined based on the nature of the activity, the purpose of the processing, the type of product or service. In principle, your personal data will be processed and kept as long as the business relationship with PriBank exists. However, we can keep your data even after the end of the business relationship with PriBank, if legally required. Data retention periods may be changed, depending on legal and regulatory requirements that require us to keep them for a shorter or longer period after the end of the business relationship with you.

We may retain your information for longer periods, especially when based on a court order or an investigation by law enforcement or regulators, we may not destroy or dispose of your data. In this way, PriBank ensures that it will be able to use the data as evidence, if it is necessary to use it as such.

Your rights

If your personal data is processed by PriBank, you have certain rights in relation to that data, which are described in summary form below.

PriBank may request additional information from you before responding to your request, to verify your identity.

Right of access

You have the right to request a copy of the personal data that PriBank holds about you, as well as information on how it is used.

Applicability

You can exercise this right at any time, when PriBank processes your personal data

Right to rectification

You have the right to ask PriBank to correct the personal data they hold about you when they are incorrect or incomplete.

Applicability

You can exercise this right as long as PriBank processes your data.

The right to be forgotten

You have the right to request the deletion of your personal data from PriBank’s systems and databases.

However, this right applies only in certain circumstances (for example when PriBank no longer needs the personal data for the purpose for which they were collected and processed or when you withdraw your consent to the processing of your personal data and when there is no other basis legal to continue to process and retain that data).

Applicability

This right does not apply when personal data is required for the purpose of fulfilling a legal or regulatory obligation of PriBank or for the performance of a task of public interest. Therefore, this right is not applicable in relation to many of the data kept by PriBank in the performance of its statutory functions.

Right to restriction of processing

This right means that you have the right to restrict the processing of your personal data by PriBank. When you exercise this right, PriBank still has the right to store your personal data, but other use of the data is prohibited, except in certain limited circumstances.

Applicability

You can exercise this right if one of the following circumstances applies:

You dispute the accuracy of the personal data held for you and PriBank is verifying the accuracy of this data.

The personal data has been processed unlawfully and you object to exercise the right to erasure of the data and instead request to exercise the right to restriction of processing.

PriBank no longer needs your personal data, but you need the data in connection with a legal claim.

You have objected to the processing and PriBank is considering whether its legitimate reasons exceed your rights and interests.

Right to data portability

This right allows you to receive your personal data in a format that enables you to transfer that personal data to another institution where PriBank processes your personal data on the basis of consent or in fulfillment of a contract. You may have the right to have your personal data transferred from us directly to another institution, if technically feasible.

Applicability

This right does not apply when personal data is required for the purpose of fulfilling a legal obligation or for the performance of a duty in the public interest. Therefore, this right is not applicable in relation to many of the personal data held by PriBank in the performance of its statutory functions.

The right to object to processing

You have the right to object to the processing of your personal data by PriBank in certain circumstances. However, PriBank may continue to process your personal data despite your objection, when there are compelling legitimate reasons to do so or when PriBank needs to process your personal data in connection with a legal claim.

Applicability

This right is applicable when PriBank processes your personal data to fulfill a legal obligation or in pursuit of its legitimate interests.

The right regarding automated individual decision-making and profiling

You have the right to object to the use of your personal data by PriBank in certain circumstances. However, PriBank may continue to use your personal data, despite your objection, when there are compelling legitimate reasons to do so or we need to process your personal data in connection with a legal claim.

Applicability

This right applies when PriBank processes your personal data for the exercise of its legitimate interests.

Right to withdraw consent

You have the right to withdraw your consent to the processing of your personal data by PriBank at any time. This will not affect the lawfulness of our processing prior to withdrawal of consent.

Applicability

This right only applies where the only legal basis for processing your personal data is your consent.

The right to file a complaint with the Information and Privacy Agency

You have the right to file a complaint with the Information and Privacy Agency if you think that PriBank has not processed your personal data in accordance with the legislation in force on the protection of personal data.

Applicability

You can exercise this right at any time.

You can at any time contact PriBank’s Personal Data Protection Officer to submit a request to exercise your rights regarding the processing of personal data at [email protected].

Non-provision of personal data by the data subject

In order to conclude a contract, execute an order or offer you a specific product, you must provide PriBank with your data as part of the business relationship. If you do not provide us with this data, we cannot provide you with our products and services and we will not be able to enter into a contract with you. However, you are not obliged to give your consent to data processing in relation to data that is not relevant for the performance of the contract or that is not required by law or regulation.

Use of cookies – what are they?

Cookies are small text fragments that are placed on the computer or other devices that you use, e.g. smartphone, tablet etc…, from the websites you visit. The main function of their use by websites is to ensure the most efficient functionality, provide greater security and to provide website owners with some information about their use by visitors, anonymously.

On this website www.pribank-ks.com we use cookies for the following purposes:

To provide a safe environment when using our products and services offered on this website,

To provide you with a better online browsing experience and to track the performance of this site/application,

To help us make our site/app more convenient for you.

Types of cookies

Necessary cookies

These cookies are essential for the secure operation of our website, and for us to provide a product or service you have requested.

Without these cookies, we will not be able to offer you some services or products that you may request.

This category of cookies cannot be deactivated.

These types of cookies are used to:

• Enable you to identify yourself in secure areas of our website or access the application,

• Track bugs on our site and app and enable us to report incidents to our regulators,

Offered interactive services, such as:

• use of the M-banking application
• online applications for opening a bank account, loan application, overdraft, etc.

To keep our site/app secure and protect against online fraud and cyber attacks.

Privacy Statement Updates

PriBank may change this privacy statement, for example when we add new features to our services or activities that may have an impact on individuals’ privacy, due to changes in law or regulations. All updates will be reflected in this privacy statement published on our official website www.pribank-ks.com.