In addition to the below-mentioned companies that support the technical processing of the information, the Credit Entities – NBCIR users are the only possible recipients of the personal data contained in the NBCIR.
Another party participating in the data processing in the NBCIR and CIBR is CRIF S.p.A., established in accordance with the law of the Italian Republic, with its registered office at Via M. Fantin 1-3, 40131 Bologna, Italian Republic (hereinafter referred to as “CRIF”), which is in charge, under applicable contractual documentation, of automated technical processing of client information provided to CBCB by banks and to CNCB by creditor entities. CRIF provides this automated processing to CBCB in the case of CIBR and to CNCB in the case of NBCIR.
CRIF – Czech Credit Bureau, a.s.
CRIF – Czech Credit Bureau, a.s., ID No.: 262 12 242, having its registered office in Štětkova 1638/18, Nusle, 140 00 Prague 4, entered in the Commercial Register administered by the Municipal Court in Prague, Section B, Entry 6853 (hereinafter the “CRIF CZ”) provides, under relevant agreements, services to CNCB in the case of the NBCIR connected with mutual information exchange regarding the payment prospects, credibility and payment discipline or creditworthiness of their clients and operation of the Client Centre.
NBCIR – Content
NBCIR is a database of information on contractual relationships between creditor entities and their clients. The NBCIR is created on the basis of information (data) which is provided by the Credit Entities to CNCB and which either separately or in combination indicate the payment prospects, credibility and payment discipline or creditworthiness of the clients of the Credit Entities.
The following personal data of the Clients are processed in the NBCIR:
Client identification details (i.e. name, surname, surname at birth, date of birth, place and country of birth, and address of the Client);
The birth certificate number of the client (for details see the section on Birth Certificate Numbers);
Personal data indicating whether or not a contractual relationship has been established between the Client (or applicant in the case of guarantors) and the Credit Entity;
Personal data indicating the financial obligations of the Client that have arisen or that will or may arise with regard to the Credit Entity in connection with the contractual relationship, as well as data concerning the fulfilment of these obligations by the Client;
Personal data indicating the security of the Client’s liabilities related to the contractual relationship with the Credit Entity;
Data indicating whether a receivable has been assigned with respect to the client under a contractual relationship with the Credit Entity, and data indicating further fulfilment of liabilities by the Client in relation to such an assigned debt; all this provided only that the Credit Entity continues to administer the relevant assigned debt and that other contractual terms are fulfilled;
Any other personal data indicating the solvency, payment discipline and creditworthiness of the Client that the Client has communicated or may communicate to the Credit Entity or that the Credit Entity has obtained or may obtain in connection with the performance or non-performance of the relevant contractual relationship with the Credit Entity, including data about the Client’s identification document.
The legal basis for the processing of the personal data concerning the Clients in the NBCIR is (a) compliance with the legal obligations of the Credit Entities if a consumer loan is provided to a natural person, (b) legitimate interests of the Credit Entities if credit other than a consumer loan is provided to a natural person, in particular, with a view to providing credit products only to solvent and creditworthy Clients, (c) a statutory authorization to process a birth certificate number, if necessary for the enforcement of private claims or for the prevention of non-performing claims, and (d) consent to the processing of the personal data in the case of Representatives of the Client or Owners of the Client.
The treatment of the information (data) in the NBCIR is governed by the following rules:
Information (data) is included and processed in the NBCIR to the extent to which it may serve to assess the client’s the payment prospects, credibility and payment discipline or creditworthiness of the Client and to which the Client has provided the information in connection with the contractual relationship, or which may arise from the contractual relationship during its term, or, in the case of an Assigned Debtor, which may arise from the Assigned Debtor’s obligations towards the Client or the NBCIR user during the term of such liabilities, or which may arise in connection with the administration of the relevant assigned debt (see the above-mentioned list of data processed in the NBCIR).
The NBCIR therefore contains in particular the Clients’ basic identification data, data regarding the Clients’ obligations and the timely performance thereof (see the above-mentioned list of data processed in the NBCIR). No special categories of personal data of the Clients – natural persons within the meaning of the GDPR (e.g. health data) are processed in the CIBR.
The information (data) contained in the NBCIR is regularly updated on a monthly basis and is kept for the purpose of information exchange among the Credit Entities during the term of all the obligations of the Client to a NBCIR user or the Assigned Debtor towards the Client or to a NBCIR user (including situations where the Credit Entity administers the relevant assigned debt – see the above-mentioned list of the personal data processed in the NBCIR) and for the period of another four (4) years following the fulfilment of all obligations of the Client or of the Assigned Debtor.
If the requested Client Agreement is not concluded with the Client, the information (data) regarding the Client including the Assigned Debtor is retained in the NBCIR for six (6) months from the date of submission of the Client’s (or the User’s) application for the conclusion of the relevant agreement (including an agreement concerning the assignment of the Factored Debt of the Assigned Debtor). Upon the expiration of the relevant period, the processing of such information (data) is restricted (meaning that the data are made unavailable and unprocessible) and the data are in no manner provided for the purposes of information exchange among the Credit Entities; after the expiration of the restriction period of five (5) years, the information (data) will be automatically deleted.
The information (data) about the contractual relations with the Clients is provided by the Credit Entities to CNCB, which further processes these data in the NBCIR, including the utilisation of the final automated technical processing system provided by the Italian company CRIF. The final technical processing of the information in Italy is also performed in accordance with the General Data Protection Regulation. In the course of this processing, there is also the profiling of the Clients of the individual Credit Entities, the result of which becomes one of the underlying documents in the Credit Entity’s decision-making about whether or not to conclude the requested agreement with the Client. However, the decision-making about whether or not the Credit Entity concludes the product agreement with the Client does not take place by automated means in the NBCIR.
CNCB makes the information (data) that is processed in this manner available in the form of credit reports to the Credit Entities who use the services of the NBCIR at their request and solely for the purpose of the exchange of information about the payment prospects, credibility and payment discipline or creditworthiness of the Clients among the Credit Entities.
In addition, CNCB also provides or may provide the Credit Entities who use the NBCIR:
the so-called score, which is a synthetic value indicating the assessment of the information (data) about the Clients that is always contained in the relevant credit report and which the users also use for the purpose of assessing the payment prospects, credibility and payment discipline or creditworthiness of their Clients; the score is provided in credit reports as well as in summary statistical reports (as specified below);
A report on the verification of the Client’s document or of the data given in the Client’s document, which is part of the Client’s credibility check also in connection with Act No. 253/2008 Coll., on selected measures aimed at combating money laundering and terrorist financing, as amended, which shall be prepared, inter alia, using public databases and NBCIR; the report on the verification of the Client’s documents or of the data given in the Client’s document is provided either separately or as a part of the credit reports;
Information (data) in the form of summary statistical reports on the payment prospects, credibility and payment discipline of the Client portfolios on the relevant product market; such summary statistical reports constitute aggregate and anonymous information that cannot be associated with any identified or identifiable data subject, and they can also be made available to the competent supervisory authority within the framework of its supervisory and control activities in accordance with the applicable laws and regulations;
Information in relation to Clients concerning whom the Credit Entity that has requested the information will assign or has assigned debt arising from a Client Agreement.
The information (data) regarding the Representatives of the Client who are natural persons and regarding the Owners of the Client is provided by CNCB to the Credit Entities on the basis of the consent of such persons to the processing of their personal data in the NBCIR.
Birth certificate numbers
The structure of the NBCIR assumes that the NBCIR also processes data about the birth certificate numbers of the persons who are the Clients of the NBCIR users.
Your birth certificate number, combined with other data about you, forms a unique set of data which reliably identifies you in the NBCIR database, thus effectively preventing confusion with another person kept in NBCIR database. Such identification is necessary for the enforcement of private law claims and for the prevention of non-performing receivables. Collection of birth certificate numbers follows the conditions specified in the Act on the Register of Population (Section 13c (1) (c) of Act No. 133/2000 Coll.).
The provisions of the other sections of this Memorandum shall apply in their entirety to the handling of your birth certificate number in the NBCIR, including the purpose, period and method of processing, its security, etc. Therefore, the requirement to take specific measures to protect your rights and freedoms as a data subject in processing your birth certificate number is fulfilled.
Operated by CRIF CZ, the Client Centre serves as a contact point where you can address your requests related to the processing of your personal data in the NBCIR. In particular, the Client Centre provides the Clients of the Credit Entities the following services:
It informs Clients about the data that are processed about them in and NBCIR (in accordance with the requirements of the GDPR);
It serves as the point where Clients can submit the requests for information about what data about them are being processed in the NBCIR;
It serves as the point where complaints or objections may be submitted by Clients in connection with any inaccurate data processed in the NBCIR;
It serves as the point where the Clients’ other rights under the GDPR can be exercised.
Technical and organisational guarantees of information (data) security in the NBCIR
As regards the operation of the NBCIR, we would like to inform you that all the parties involved have taken due measures to prevent any unauthorised or accidental access to the information (data) in the NBCIR, its modification, destruction, loss, unauthorised transfer, unauthorised processing, or other misuse of the information contained in the NBCIR.
Such steps shall include in particular:
Regular changes of the individual access codes and access names to the NBCIR;
The transmission of data via private lines, thus preventing from the unauthorized access to information;
Data encryption during transmission.
Transfer of personal data to third countries.
The processing of information in the NBCIR does not involve the transfer of personal data outside the territory of the European Union.
Special protection of the rights of clients - individuals
On the basis of the obligations set out in the GDPR, we would hereby like to advise you of your rights arising from the applicable provisions of the GDPR.
You may exercise these rights in the Client Centre:
Right of access to personal data: you have the right to make a request to CNCB to confirm whether your personal data are actually being processed and, if so, you have the right to access these personal data and the specified information. In that case, CNCB will provide you a copy of the personal data that are being processed in the form of an extract from the NBCIR database free of charge once a year and otherwise against the payment of the material costs.
Right to rectification: you have the right to have CNCB rectify any inaccurate personal data that concern you and are being processed in the NBCIR without undue delay. You also have the right to have incomplete personal data completed, including by providing an additional statement.
Right to erasure (“right to be forgotten”): you have the right to have personal data concerning you erased by CNCB without undue delay if any of the reasons set forth in the GDPR arise (e.g. the data are no longer needed for the purposes of the processing or their processing is unlawful).
Right to restriction of processing: you have the right to have the processing of your personal data restricted by CNCB if any of the reasons set forth in the GDPR arise (e.g. due to the inaccuracy of the personal data that are being processed, or if their processing is unlawful).
Please note that the right to data portability, i.e. the right to obtain personal data (which concern you and which you have provided to the NBCIR user) in a structured, commonly used and machine-readable format, and the right to transmit these data to another data controller without the NBCIR user or CNCB preventing this, is not relevant to the nature of the processing of your personal data in the NBCIR, and therefore we cannot comply with any data portability requests.
Right to lodge a complaint: if you believe that the processing of your personal data in the NBCIR constitutes a violation of the applicable laws, in particular the General Data Protection Regulation, you may lodge a complaint with:
Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz
The requested information and documents and/or information on the measures taken will be provided to you without undue delay, but no later than one (1) month from the date of receipt of your request. In some cases, however, this period may be extended, of which we will notify you. If it is impossible to comply with your request, we will inform you of this fact and of the reasons, including an advice on your further rights (the right to lodge a complaint and the right to judicial protection).
If necessary, we may ask you to provide additional information to confirm your identity in connection with your request. If we cannot establish your identity, we cannot usually comply with your request.
You may exercise your rights free of charge. If the submitted requests are clearly unjustified or unreasonable, especially because they are repeated, we may request reasonable compensation from you or we may refuse to grant your request.
Right to object
For reasons related to your particular circumstances, you have the right at any time to object to the processing of the personal data that concern you. CNCB will no longer process your personal data unless it can demonstrate to you compelling legitimate interests for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
As regards the procedure for the exercise of the right to object, the rules set out above for the exercise of other rights apply accordingly.
Data Protection Officer
If you are unable to resolve your issue through the Client Centre, you can also contact the Data Protection Officer of the NBCIR at email@example.com.
INFORMATION EXCHANGE WITH THE CLIENT INFORMATION BANK REGISTER
The objective of this section of the Information Memorandum is to provide you – the Clients of the Credit Entities – basic information about the exchange of information (data) between the users of the NBCIR and of the CIBR and between the CIBR and the NBCIR.
The NBCIR and CIBR databases are two separately existing databases (albeit having certain identical features, which are further described below). The CIBR is a shared database of data created on the basis of information exchanged among banks about their contractual relations with their clients. The CIBR contains information similar to that contained in the NBCIR.
During the exchange of information (data) between banks and the Credit Entities the CIBR and NBCIR databases continue to be separated because data is exchanged through the operators of the two registers (for detailed information about the operators see the sections entitled “NBCIR Operator” and “CIBR Operator”), who continue to provide the information (data) to their users (i.e. the Credit Entities as the users of the NBCIR and the banks as the users of the CIBR, respectively); provided that all the legal requirements are met, the operators provide their users information (data) from both registers from a certain point (for detailed information see the section entitled “Exchange of Information between the NBCIR and the CIBR”).
Basic Purpose of the CIBR and Its Link to the NBCIR
The basic purpose of the CIBR is defined by law. Specifically, it is by the provision of Section 38a(1) of Act No. 21/1992 Coll. on banks, as amended (hereinafter the “Banking Act”), according to which banks and branches of banks operating in the Czech Republic may (within the framework of their mandatory prudence) inform one another about matters that are descriptive of the payment prospects and credibility th of their Clients including through a third party owned solely by banks.
The basic purpose is similar to that of the NBCIR and, with regard to these similar or identical purposes, the requirement for the compatibility of the purposes within the meaning of the GDPR is met as regards the mutual exchange of data concerning the Clients between banks and Credit Entities.
The operator of the CIBR is CBCB – Czech Banking Credit Bureau, a.s., ID No.: 261 99 696, with its registered office at Štětkova 1638/18, Nusle, 140 00 Prague 4 (hereinafter “CBCB”), which is owned solely by banks in accordance with the Banking Act. CBCB processes the data of the clients (natural persons) of the banks in accordance with the GDPR and other applicable laws and regulations.
The users of the CIBR include the individual banks, which are the controllers of personal data within the meaning of the GDPR and which have concluded the Agreement on Participation in the CIBR Project with CBCB. As of the drafting date hereof, the following companies are the users of the CIBR:
The legal basis for the processing of the Clients’ personal data in the CIBR is (a) compliance with the legal obligations of the banks and (b) consent of the Representatives or Owners of the Client to the processing of their personal data.
Information concerning a certain Client may be exchanged between the NBCIR and CIBR users. The information (data) can be exchanged between the Credit Entities and the banks on the basis of the applicable agreements concluded between CBCB (being the operator of the CIBR) and CNCB (being the operator of the NBCIR) and between CBCB and the banks and between CNCB and the Credit Entities; information (data) from the other database (i.e. data from the NBCIR for banks and data from the CIBR for Credit Entities) can also be provided on the basis of the requests of the relevant users (i.e. banks or Credit Entities) in the form of credit reports (including the score, if applicable) or in the form of reports on the verification of the Client’s documents.
The treatment of the information (data) in the CIBR (i.e. except for making the data available to the NBCIR users) is governed by special rules, about which the banks inform their Clients in connection with the contractual relationship between the bank Entity and the Client. Such rules do not apply to the exchange of information (data) between the banks and the Credit Entities.
The principles that apply to the protection of the Clients’ information (data) in the processing of the data during the exchange of information between the users of the NBCIR and of the CIBR and the rights the Client – a natural person – may exercise in this context are similar to those specified for the NBCIR above.
Any additional information is available from the Client Centre; you can also contact the NBCIR Data Protection Officer at firstname.lastname@example.org.