Personal data protection

At SKB banka d.d. Ljubljana, Ajdovščina 4, 1000 Ljubljana (hereinafter also: SKB) we are aware of the importance of personal data protection. Therefore, we handle our clients’ data in accordance with the regulations governing the protection of personal data. In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation or GDPR) and Personal Data Protection Act (ZVOP), we hereby provide information on the processing of personal data.

Data on controller

SKB banka d.d. Ljubljana, Ajdovščina 4, 1000 Ljubljana, VAT identification number: SI40502368, registration number of SKB d.d.: 5026237.

Data on authorized person for data protection

The authorized person for data protection is available at:

  • email address dpo@skb.si or
  • at the address SKB d.d. Ljubljana, Data protection officer, Ajdovščina 4, 1000 Ljubljana.

What types of personal data we process and how we obtain them

At SKB, we process various types of personal data, such as:

  • Identification data, e.g. name, surname, date of birth, tax number, citizenship, data from the personal document that we need to conclude a deal o. implementation of our services,
  • Contact details, e.g. phone number, e-mail address, address of residence, which we need to inform regarding the offer or obligations from the contractual relationship,
  • Sociodemographic data, e.g. education, employment status, gender, age, household data obtained when concluding certain services (e.g. loan) or we create it during analyses from other data that you provide to us,
  • Transaction data, e.g. information on executed transactions, date and time of a transaction, the recipient of a transaction, which we obtain in the framework of your card activities,
  • Geolocation data obtained when paying by card and using the website and electronic and mobile banking.

Personal data protection

What types of personal data we process and how we obtain them?

At SKB, we process various types of personal data, such as:

  • Identification data, e.g. name, surname, date of birth, tax number, citizenship, data from the personal document that we need to conclude a deal o. implementation of our services,
  • Contact details, e.g. phone number, e-mail address, address of residence, which we need to inform regarding the offer or obligations from the contractual relationship,
  • Sociodemographic data, e.g. education, employment status, gender, age, household data obtained when concluding certain services (e.g. loan) or we create it during analyses from other data that you provide to us,
  • Transaction data, e.g. information on executed transactions, date and time of a transaction, the recipient of a transaction, which we obtain in the framework of your card activities,
  • Geolocation data obtained when paying by card and using the website and electronic and mobile banking.

The data we process are obtained:

  • Directly from individuals when concluding a business relationship or performing a specific service,
  • Indirectly, through the performance of a contractual relationship and services,
  • By creating them ourselves when performing analysis,
  • From the collections of other controllers, because we need them for the fulfilment of contractual obligations or because of a binding legal obligation (e.g. SISBON).

For what purposes do we process personal data and on what legal foundation?

We process individuals’ personal data only if:

  • Processing is necessary for the implementation of the contract and measures prior to the conclusion of the contract;
  • Processing is necessary to fulfil the legal obligation applicable to SKB as a controller:
  • Individual has consented to the processing of personal data, or if;
  • Processing is necessary for the legitimate interests we are pursuing.

1. We process individuals’ personal data for the purpose of providing banking services and measures necessary before the conclusion of the contract, such as:

  • opening and managing accounts, deposits, direct debits and standing orders,
  • making payments, various types of savings, loans, guarantees, letters of credit, purchase of securities, insurance, stock exchange brokerage,
  • sending SMS messages about the account balance and about transactions performed with payment cards, and
  • to contact in connection with the service.

For listed purposes, the data is processed based on contracts you conclude with us in accordance with Article 6/1 (b) of the GDPR.

In these cases, the provision of your data is a contractual obligation, which means that we cannot enter into a business relationship with you if you do not provide the data.

2. Individuals’ personal data are also processed for the purposes of fulfilling legal obligations applicable to the bank, such as e.g.

  • identification and verification of the client;
  • carrying out a periodic client review;
  • communication of prescribed and required information to the Office for the Prevention of Money Laundering, and;
  • record keeping and data retention.

The legal foundation for the processing of personal data are legal regulations that bind the bank, such as. the current Prevention of Money Laundering and Terrorist Financing Act and the Payment Services, Services for Issuing Electronic Money and Payment Systems Act, in accordance with Article 6/1 (c) of the GDPR.

3. We also process the individuals’ contact details for the purposes for which you have given your consent, such as e.g.

  • Informing about news, events, prize games, possible participation in surveys, and
  • Informing about benefits and novelties regarding products and services.

SKB processes your data for listed purposes only if you have given your consent.

What happens if I do not give consent to data processing or what if I give my consent?

Consent is voluntary and is not a condition for entering into a contractual relationship with the bank and can be revoked at any time without any consequences for you. When you revoke your consent in part or in full, SKB will no longer use your data for the purposes for which you gave your revocation.

You can revoke your consent by completing the form which you submit to SKB in one of the ways in which SKB enables the submission of consent to individuals.

You can also unsubscribe from receiving such SKB messages via the communication medium to which you received a specific message. The link to unsubscribe or information on how to deregister is in the bank's message. SKB will record the individual's request for revocation in its system and start implementing it immediately or at latest 15 days after receipt.

4. We process your personal data also when the processing is necessary due to legal interests pursued by SKB and over which your interests or your fundamental rights and freedoms do not prevail. Data are thus also processed for:

  • Implementing the measures necessary to prevent and investigate frauds,
  • To carry out analysis and market research,
  • To monitor the satisfaction of our clients in order to improve our services,
  • To carry out activities before carrying out marketing campaigns,
  • To call for submission of updated information,
  • Implementation of video surveillance, and
  • Recording of telephone calls in case of concluding transactions by telephone.

For listed purposes, the data are processed based on SKB's legal interest, in accordance with Article 6/1 (f) of the GDPR.

You may object to the processing of data for these purposes at any time. In this case, SKB will stop processing the data for these purposes, unless it proves the necessary legitimate reasons for further processing.

Users of personal data

To achieve some of the above purposes of data processing, your data may also be disclosed to third parties who process your data exclusively on our behalf and under our control (data processors) and in accordance with the personal data processing contract. This way, your data may be disclosed to, for instance:

  • Providers of information infrastructure / technology,
  • Providers of electronic and SMS messaging services,
  • Bank card manufacturers,
  • Postal service providers,
  • Credit intermediaries,
  • Appraisers,
  • Payment transaction providers.

In certain cases stipulated by regulations, we may also send your personal data to public authorities and other third parties if this is necessary for fulfilment of our legal or contractual obligations (Office for the Prevention of Money Laundering, Market Inspectorate, Bank of Slovenia, Police, Financial Office of the Republic of Slovenia, courts, intermediary banks, etc.).

Personal or other confidential or protected data available to us or communicated to us in connection with the provision of services (e.g. execution of a payment order) and which travel between banks for this purpose via the SWIFT network (Society for Worldwide Interbank Financial Telecommunication), may also, based on a special request, be sent to domestic or foreign (including in the USA) state, administrative or judicial authorities for the purpose of implementing measures to prevent money laundering and measures against the financing of terrorist activities.

All users of your personal data are obliged to respect and protect personal data in accordance with the General Regulation on Personal Data Protection, the applicable national law governing the protection of personal data and other legal regulations.

Retention of personal data

The period of personal data retention depends on the legal foundation for data processing and the processing purpose. Personal data are generally kept only for as long as is necessary to achieve the purpose for which they were collected or further processed, unless otherwise provided by law. Personal data shall be deleted, destroyed, blocked or anonymised after the purpose of the processing has been fulfilled, if there is no other legal foundation or if this is necessary for the assertion, implementation or defence of legal claims.

The data that we process within business relationship are kept for 10 years after its termination or 10 years after the conducted transaction, in accordance with the Prevention of Money Laundering and Terrorist Financing Act.

Data processed based on your consent is stored until your cancellation or requests for deletion of data, but not longer than 10 years after the termination of business relationship.

Rights you have with respect to the personal data processing

Individuals whose data we process at the Bank have the following rights in relation to the processing of personal data:

  • The right to access data that you can exercise if you are interested in whether we process personal data related to you and would like to know what data we process about you.
  • The right to rectification if you find that the data we process about you are incorrect or inaccurate.
  • The right to erase personal data if you believe that we do not have an appropriate legal foundation for the processing of personal data, or the data are not necessary for the purposes for which they were collected or processed.
  • The right to restrict the processing if you dispute the accuracy of the data we process about you or you consider that we do not have an appropriate legal foundation for the processing and the data are not necessary for the purposes for which they were collected.
  • The right to object to the processing if your data is processed based on your consent or the legal interest of SKB and you wish to object to such processing.
  • The right to data portability when the processing is carried out based on your consent or contract and the processing is carried out by automated means.

You can submit the request for the exercise of rights in a way that allows your identification, by completing the form provided for the exercise of each individual right and it is available at the bank's outlets and on the bank's website or in another documented way (e.g. verbal request to the minutes at the bank outlet, a written request, a request submitted via electronic or mobile banking).

SKB is obliged to respond to an individual's request without undue delay or within one month at the latest, unless it proves that the individual cannot be identified.

Where an individual's requests are clearly unfounded or excessive, SKB may charge a reasonable fee or refuse to act on the request.

If SKB does not take action on the request for exercising rights or if you believe that the processing of your personal data has violated your rights, you can also file a complaint with the Information Commissioner at the address Information Commissioner, Dunajska cesta 22, 1000 Ljubljana, or at the e-mail address: gp.ip@ip-rs.si

Existence of automated decision making

SKB does not process your personal data with automated decision-making means that could have legal consequences for you.

In the case of an automated decision, the individual will be informed in advance. Also, the following will be enabled to them: the right to personal intervention of the controller, the right to express their position, the right to receive an explanation of the decision taken in this way and the right to challenge such decision.

Profiling

Profiling means any form of automated processing of personal data involving the use of personal data to assess certain personal aspects relating to an individual, in particular to analyse or predict job performance, economic status, health, personal taste, interests, reliability, behaviour, location or movements of that individual.

SKB performs profiling in case you have given your consent for customized direct marketing. Profiling is performed using various methods of statistics, mathematics or predicted analysis, which allows us to anticipate your needs and prepare appropriate offers based on this. As part of profiling, we analyse your demographic data, such as age, gender, education, location, geolocation, and data on performed banking services, based on which we place you in an individual profile and send you only offers that we believe meet your needs and habits.

Export of data to third countries

SKB does not transfer or transmit the collected personal data to third countries, except when necessary for the purpose of making payments to countries outside the European Union (i.e. when you make a payment to third countries) or if we receive a legal request to provide data to administrative authorities for the purpose of exercising measured for the prevention of money laundering and measures against the financing of terrorist activities.

Display all

Final provisions

SKB reserves the right to amend or supplement this general information to ensure compliance with regulations in the field of personal data protection. The information is available in all the Bank’s outlets and on its website.

Anything not specifically specified in this general information or in the contract concluded between SKB and the individual is subject to the provisions of the applicable legislation.

This general information is valid and applicable as of November 2021.