Personal data protection
DPF processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of private individuals with regard to the processing of personal data and on the free movement of such data (hereinafter the “General Data Protection Regulation” or “GDPR”), in accordance with Act no. 18/2018 Coll., on personal data protection and on amendments to certain acts as amended (hereinafter referred to as the “Act No. 18/2018 Coll.”), with the Deposit Protection Act and related legal regulations.
Information on personal data processing by the Deposit Protection Fund
For the purposes of the regulation on personal data protection and Act no. 18/2018 Coll., an operator who, in accordance with the Deposit Protection Act, has defined the purpose and means of processing personal data in the DPF information systems.
From the GDPR perspective the Deposit Protection Fund is a controller in accordance with the provisions of Article 4 (7) of the General Data Protection Regulation and respects the principles of legality, fairness, transparency, purpose limitation, data minimization and data retention minimization and accuracy.
Data protection officer
Data protection officers are JUDr. Ildikó Hurínek Kamenická and Ing. Katarína Krištofiaková, members of the Deposit Protection Fund Presidium, at the same time the data protection officers are DPF employees. The Data protection officers respond to questions on information about personal data protection. Data protection officers can be contacted at the e-mail address: [email protected].
Address for written enquiries: Deposit Protection Fund, Kapitulská 12, 812 47 Bratislava.
Purposes of personal data processing by DPF
The Deposit Protection Fund processes personal data only to the extent required by the purposes of personal data processing. These purposes are mainly the processing of personal data
- for the payment of compensation for claims on deposits, in particular pursuant to § 9 and § 10 of the Deposit Protection Act and in bankruptcy proceedings conducted against assets of the banks, on behalf of which the DPF made compensation payments,
- during stress testing/functional testing of the DPF’s Information System for Compensation Payments for Inaccessible Deposits in Banks (hereinafter referred to as the “DPF System”) when testing on real data,
- staff and members of DPF bodies,
- as part of selection process, including job applicants for a vacancy in DPF,
- as part of public procurement,
- as part of the preparation, conclusion and implementation of contracts, in exercising rights and performance of the DPF’s obligations under the contracts concluded,
- in accounting, human resources and payroll,
- in handling complaints and requests, including requests for information,
- in relation to litigation,
- in relation to the safekeeping of documentation, files and records originating from the DPF operations,
- in relation to any other purposes set out in the relevant document, or in documentation.
DPF occasionally processes personal data on the basis of a consent; in this case, the purpose of the processing of personal data is stated directly in this consent. In the event that the DPF occasionally processes personal data for purposes not listed herein, it will ensure that such processing is lawful.
Legitimate interest of DPF
A legitimate interest in the processing of personal data by DPF may arise in the cases where the DPF processes personal data for the following purposes (except for the purposes under par. 3)
- obtaining contact details of the data subject, which may be first name, surname, address,
- providing access to DPF information systems,
- identifying, verifying and checking the identification of data subjects.
Legal basis for the processing of personal data
The legal basis for the personal data processing in the DPF information system is in accordance with provision no. 6 par. 1 letter c) GDPR processing of personal data necessary to comply with a legal obligation of the controller under the law of a Member State which applies to the controller, namely under a special regulation, being in particular the Deposit Protection Act.
Other legal bases for the processing of personal data are
- Act no. 211/2000 Coll., on free access to information, as amended,
- Act no. 18/2018 Coll. as amended,
- Act no. 395/2002 Coll., on archives and registries and on amendment to certain laws as amended,
- Act no. 343/2015 Coll., on public procurement and on amendments to certain acts, as amended,
- Act no. 160/2015 Coll., Civil disputes rules as amended,
- Act no. 431/2002 Coll., on accounting as amended,
- Act no. 40/1964 Coll., Civil Code as amended,
- Act no. 7/2005 Coll., on bankruptcy and restructuring, as amended.
Processing of personal data of depositors of banks and branches of foreign banks, their transmission abroad and sharing of personal data
The Deposit Protection Fund processes personal data of depositors in banks and branches of foreign banks (hereinafter referred to as the “bank”) only for the purposes of:
- compensation payments for inaccessible bank deposits,
- during stress testing of the functionality of the DPF Information System in the case of testing on real data.
Both of these methods of processing are necessary for the fulfillment of the DPF’s legal obligations to pay compensation for inaccessible deposits according to the legal requirements (§ 9 and § 10 of the Deposit Protection Act) and regularly test the functionality of the DPF System (§ 12 par. 1 and 7 of the Deposit Protection Act).
In the case of compensation payment for inaccessible deposits, the personal data of depositors are handed over to the disbursing bank (§ 10 par. 4 of the Deposit Protection Act) for the purpose of compensation payment to depositors for their inaccessible deposits in the bank.
DPF is currently testing the DPF System on encrypted data of bank depositors. In the case of functionality testing of the DPF System on real data, the personal data of depositors are removed – deleted from the DPF System environment immediately after the test is performed. Personal data of bank depositors for the purpose of paying compensation for inaccessible deposits in banks and for the purpose of testing the functionality of the DPF System are processed in an automated mode. In order to ensure confidentiality and protection of personal data, the DPF has implemented and adopted the appropriate organizational and technical measures, including encryption of bank depositors’ data.
The Deposit Protection Fund does not transfer personal data of bank depositors to countries outside the European Union (EU). Personal data of bank depositors are transferred to another EU Member State only in instances where depositors of a foreign branch of a Slovak bank are paid compensation and the compensation payment to depositors of this foreign branch is arranged by the DPF through a foreign deposit protection system.
Personal data of bank depositors, intended for the purpose of specific compensation payment for inaccessible deposits are deleted in accordance with DPF internal regulations, in particular the registry rules, namely after the expiry of the compensation payment period, bankruptcy proceedings conducted against the former bank’s assets or removal of the former bank from the Companies’ register in the event of the bank’s liquidation, whichever occurs later.
DPF shares personal data in the following instances
- in order to secure the payment of compensation, the DPF is entitled to contractually entrust the processing of depositors’ personal data of a bank that has become unable to pay out deposits an intermediary – a bank that will disburse compensation for inaccessible deposits on behalf of DPF,
- Under special regulations DPF may be obliged to provide personal data to other entities, such as the National Bank of Slovakia, which supervises the Fund’s operations, the Social Insurance Company, the Financial Administration, law enforcement agencies, the Slovak Post for sending consignments,
- The DPF is under obligation to have audited financial statements, therefore some personal data may be made available to auditors.
Personal data may be provided in documents, forms, letters and notifications, or in telephone calls or in electronic communication between the DPF and the data subject. The legitimate interest of the DPF cannot override the interests of the data subject, his/her fundamental rights and freedoms. It is the DPF’s duty to provide personal data. If personal data are necessary for the contract execution and the data subject is a contractual party, the DPF may process the personal data without its consent, the refusal to provide personal data may result in the DPF refusing to conclude the contract. Equally, the DPF may refuse to investigate a submission under special laws if a person fails to comply with legal obligation and does not provide his or her personal data for this purpose.
Rights of data subjects
The data subject (private individual whose personal data is processed) has in particular the following rights
- the right to information on whether his/her personal data are being processed (Articles 13 and 14 of the Data Protection Regulation),
- the right of access to hiss/her personal data (Article 15 of the Data Protection Regulation),
- the right to rectify personal data in the event of inaccuracy or incompleteness of such data (Article 16 of the Data Protection Regulation),
- the right to delete personal data (Article 17 of the Personal Data Protection Regulation),
- the right to restrict the processing of such data (Article 18 of the Data Protection Regulation),
- the right to transferrability of personal data to another controller (Article 20 of the Data Protection Regulation),
- the right to object to the processing of personal data (Article 21 of the Personal Data Protection Regulation),
- the right to withdraw consent.
In order to exercise their rights, the data subjects may submit a written request to the DPF’s registered office address. The data subjects have the right to file a motion to initiate proceedings on the protection of personal data – a complaint to the supervisory body, which is the Personal Data Protection Office of the Slovak Republic, Hraničná 12, 820 07 Bratislava 2.
At the same time, in relation to this information, the Fund announces that exercising of certain rights may be limited or excluded due to the fact that personal data are in some cases processed under the DPF’s legal obligation (for example: processing of personal data in compaensation payments for inaccessible deposits during stress testing of a deposit protection scheme).
The process of submitting and processing requests for exercising of the rights of data subjects
A requests for the purpose of exercising the rights of the data subject may be submitted in paper or electronic form to the contact address provided herein. The DPF shall process such request without undue delay, no later than within one month from the delivery of the request. The data subject may file a complaint against the manner of handling of the request with the Personal Data Protection Office of the Slovak Republic, Hraničná 12, 820 07 Bratislava 27, Slovak Republic. Requests from data subjects are handled free of charge. An exception may be a situation where requests are unfounded, disproportionate, in particular because, for example, they are repeated frequently without reason. By publishing on the DPF website www.fovsr.sk, DPF complies with its information obligation towards the general public about the purpose of processing, conditions of acquisition, own processing, provision of personal data, recipients, transmission of personal data, as well as the rights of data subjects whose personal data are processed in the DPF information systems. In such instance, the DPF may impose an appropriate fee taking into account the administrative complexity and possible costs associated with processing the request; such request may also be rejected by the DPF.
Personal data processing duration
The Fund respects the principle of minimizing the retention period of personal data. At the same time, the Fund’s operations are subject to special regulations that stipulate the retention period of certain documents (for example, in the case of accounting documents it is 10 years, in the case of bankruptcy proceedings conducted against the bank assets, for which DPF paid compensation also 10 years, etc.). According to a special law, the DPF is the creator of the registry, whose duty is to draw up a registry plan and submit it to the Slovak National Archive for approval. The retention periods for some DPF documents are therefore governed by the approved registry plan. Personal data of job applicants in DPF are destroyed after the end of the selection procedure, except in cases where job applicants have granted the Fund consent with their retention for a period of 6 months.
By publishing on the DPF website www.fovsr.sk, DPF complies with its information obligation towards the general public about the purpose of processing, conditions of acquisition, own processing, provision of personal data, recipients, transmission of personal data, as well as the rights of data subjects whose personal data are processed in the DPF information systems.
The request in relation to personal data can also be sent via the DPF contact form, which is published in the Contacts section.