PRIVACY POLICY OF STOPANSKA BANKA AD – SKOPJE
The protection of privacy and confidentiality of client data is of the utmost importance to Stopanska Banka AD – Skopje (hereinafter: “Bank / SB”), taking into consideration the nature of banking operations, as well as the data which banks collect in the course of their current activity.
The purpose of the Privacy Policy of SB is to explain the process of collecting, using, processing, revealing, protecting and destroying (“the life cycle”) the personal data that are processed.
Each activity related to personal data is performed by SB in accordance with the provisions of the Law on personal data protection and the by-laws passed based on this Law, as well as the legal framework that is implemented by the European Union legislation regarding data protection (Eng.: “General Data Protection Regulation-GDPR”).
For the purposes of personal data protection, the Bank has appointed a Personal data protection Officer (contact data below), whom subjects may contact about issues related to the processing of their personal data and about the realization of their legal rights. The Bank also has a complete team of legal experts and experts in the IT domain, dedicated to the work on personal data protection of subjects. Additionally, the privacy protection and confidentiality of client data of the Bank are part of the Code of ethics of SB, the provisions of which are mandatory to all employees of SB.
This Policy consists of the following chapters:
1. The role of Stopanska Banka AD – Skopje as per the Law on personal data protection
2. General principles for personal data processing
3. Categories of personal data processed on part of the Bank
4. The purposes of personal data processing
5. Users to which the Bank may reveal personal data
6. Rules applied at transferring personal data of subjects into other countries (via cross-border transfer)
7. Time period for keeping personal data of subjects and the balance of personal data after expiry of the time period
8. Rights of subjects related to their personal data
9. Video surveillance
10. Recording phone calls
11. Marketing
12. Security of personal data processing
13. Amending / supplementing the Privacy Policy
14. Contact data of the Bank and the Personal data protection Officer and the manner of reporting a misuse of personal data
ANNEX number 1: Policy for privacy of personal data on the website of Stopanska Banka AD – Skopje
ANNEX number 2: Privacy Policy for the employees of Stopanska Banka AD – Skopje
ANNEX number 3: Policy for privacy of the candidates for employment with Stopanska Banka AD – Skopje
1. THE ROLE OF STOPANSKA BANKA AD – SKOPJE AS PER THE LAW ON PERSONAL DATA PROTECTION
In accordance with the provisions of the Law on personal data protection, SB is a Controller, i.e. a legal entity that determines the purposes and the manner of processing personal data of personal data subjects.
2. GENERAL PRINCIPLES
As a controller, SB provides protection and processing of personal data in accordance with the valid legal framework that it monitors on a regular basis, and for that purpose it makes sure that personal data of subjects are processed in accordance with the following principles:
- Lawfulness, fairness and transparency – personal data are processed in accordance with the law, in sufficient manner and transparently in relation to the personal data subject;
- Purpose limitation – personal data are collected for specific, clear and legitimate, legally determined purposes and they shall not be processed in a manner that is not in accordance with those purposes;
- Data minimization – personal data that are processed are accurate, relevant and limited to what is necessary in relation to the purposes for which the data are processed. This principle is also relevant in relation to the access to personal data that are processed;
- Accuracy – personal data are accurate and, where applicable, updated, in the course of which all appropriate measures are taken for prompt deleting or correction of the data which are inaccurate or incomplete;
- Storage limitation – personal data are kept in a form that enables identification of personal data subjects, not for longer periods than the necessary one for the purposes for which they are processed. Personal data may be kept longer than their period for keeping only if processed for archiving purposes of public interest, for scientific or historical researches or for statistical purposes in accordance with the law, by applying appropriate technical and organizational measures for protection of the rights and liberties of personal data subjects;
- Integrity and confidentiality – personal data are processed in a manner that provides for an appropriate level of security of the personal data, including protection from unauthorized or illegal processing and an accidental destruction or damaging, by applying appropriate technical or organizational measures; and
- Accountability – the Bank is responsible for the reconciliation of the above-mentioned principles and may demonstrate the reconciliation at any time, especially upon request/ at control of the Internal auditors, the personal data protection Officer or the Agency for personal data protection.
The above-mentioned principles of processing are applied cumulatively, all together in the course of the whole cycle of personal data processing.
3. CATEGORIES OF PERSONAL DATA THAT ARE PROCESSED ON PART OF THE BANK
SB collects, keeps and processes personal data that are revealed or have already been revealed to the Bank by potential and/ or current clients and generally, persons that perform business activities with the Bank at any capacity in all phases of the business cooperation in the context of products/ services provided by the Bank or via the Bank, as well as data that arise from Statement of banking accounts and/ or from previous loan products of the above-mentioned category of persons, from the banking system.
Primary source of personal data of the Bank are those data that subjects provided to the Bank themselves, in the course of completing (fulfilling) the Application for client registration at the first business contact with the Bank (in case of clients).
We would like to point out that the Bank is processing personal data only within the volume that is necessary for the purposes of processing.
Specifically, SB may process the following personal data:
i. Personal data submitted by subjects, like for example: identification data (name and surname, date and place of birth, ID card data or passport data, personal ID number etc.), demographic data (gender, nationality, marital status), contact data (postal address, phone number, e-mail address), financial data (information in relation to the salary and property situation, tax number), data about access to electronic applications (for ex. logging into i-bank), data of electronic identification etc.
Personal data subjects are obliged to immediately notify the Bank about any type of change in relation to the abovementioned data.
ii. Personal data the Bank collects, like for example:
- Personal data in relation to the implementation of analysis measures, revealing certain persons or subjects against which restrictive financial measures were pronounced, as well as at prevention of money laundering and financing of terrorism;
- Personal data about the monitoring and assessment of the creditworthiness, managing risks of the Bank and in general – for the needs of contractual or business relations of clients with SB;
- In accordance with valid legal framework for submitting data to competent authorities;
- In the context of the correspondence and general communication of clients with the Bank;
- Data of economic natures that provide assessment of the investment, the financial status and the behavior of clients;
- “cookies” and auxiliary technologies that enable access to and use of specific websites and/ or web-sites;
- Information provided by supervisory, judicial and other public and independent bodies, related to criminal verdicts, violations, implementation of public interest protection measures, confiscations and pledges;
- Data involving clients that are publicly accessible via the Internet or in another manner;
- Data on employees of SB, persons on training or volunteering with SB, in accordance with the enforceable legal framework in this domain (Law on registrations in the labor domain, Law on labor relations etc.), explained in more detail in Annex 2 of this Policy;
- Data about employment candidates of SB, explained in more detail in Annex 3 of this Policy;
- Personal data collected throughout the use of the webpage of the Bank, explained in more detail in Annex 1 of this Policy.
Personal data processed by SB are kept in paper and/ or in electronic form.
PERSONAL DATA OF MINORS (UNDERAGE PERSONS)
The Bank is undertaking appropriate measures for protection of personal data of minors, in accordance with regulations. Data of minors are kept by SB only in case they were provided by the persons having guardianship of the minors and only for the needs of the business relations with the Bank in favor of the minors, except if not prescribed otherwise in accordance with the law (like for ex. in exceptional cases, like of a minor aged 16 with a married status, in which case he/ she acquires a status of capable to work).
We would like to mention that the products and services provided by SB are in no case intended for use by minors. Furthermore, SB is not providing IT services to children in the context of Article 12 of the Law on personal data protection.
4. PURPOSES OF PERSONAL DATA PROCESSING
SB is processing personal data of subjects that are collected in the course of the establishing/ extending the business relations with the Bank, for the following purposes:
A. In the context of the realization of the agreement or prior to its signing, especially:
- To confirm the identity of the client;
- To realize communication with clients in the course of the undertaking of pre-agreement actions or about issues related to the business relations with SB, as well as to undertake actions for collection of overdue claims of SB;
- To prepare, conclude and manage the Agreement with SB and to take actions for fulfillment of obligations towards clients, as well as for the purposes of realization, management, monitoring and processing of client transactions i.e. to efficiently provide the required product/ service by SB;
- To provide for realization of transactions that are processed via the electronic banking system (transactions realized via the alternative network);
- To assess the accuracy of the offered product/ service and especially to assess the accuracy at providing investment and auxiliary services, as well as to provide accurate information, to supervise the management and monitoring of investment products and to include the client if possible in the designated client market for the specific type of product.
B. As part of the reconciliation of SB with the obligations determined by the enforceable legal and regulatory framework, especially:
- To prevent and suppress money laundering and terrorist financing and to prevent a fraud against the Bank and/ or clients as well as any other illegal action i.e. for identification, verification and monitoring of the business activities of clients.
- To assess the creditworthiness of clients, where necessary, for disruptive flow of the business relations with clients of the Bank.
- To assess compatibility and accurately each other’s assessment or categorization of the client in relation to products and services.
- To register and realize client orders for transactions with financial instruments, including the obligation to register orders provided by phone.
- To register and keep records of communications by the Bank by phone (or of third parties the Bank communicates with for collection of mature claims), made for the purposes to inform its debtors about their remaining debts.
- To document requests of clients (for ex. Request for restructuring of debt due to inability of the client to repay the debt) and the assessment made therein on part of the Bank.
- To comply with its obligations arising from the enforceable legal framework and from the decisions of supervisory and court authorities.
- To detect and transfer information to competent public authorities as well as legal entities with public authorizations, when necessary, in accordance with enforceable legislation.
C. In the context of the legislative and current activity of the Bank and the protection of its rights and legal interests, especially:
- To develop and/ or improve products and services offered by the Bank in relation to preferences of clients and the current realization of transactions.
- To respond to Requests/ Complaints of clients.
- To assess and manage risks to the activity of the Bank.
- To prevent criminal acts (for ex. frauds) and to identify and collect data of illegal activities, for physical security of persons and property (including the video surveillance system);
- To transfer, to provide (directly or as a collateral) and/ or to provide securities for any or all collateral rights, claims, guarantees, securities in accordance with the agreement of client with SB, to any third party(ies);
- To realize its legal claims with court institutions or other authorities for out-of-court/ alternative dispute resolution;
- To assess and optimize security procedures, IT systems etc.
D. Based on a provided consent:
- To send information about new products and/ or services offered by SB corresponding to the interests and preferences of clients. In this case, clients have the right to withdraw the consent at any time, without compensation, via several channels: i. directly in the Branch by updating the Applications for client registration, ii. via the Call Center, or iii. by withdrawing the consent at the e-banking platform, without any influence on the enforceability of any such processing that may have taken place based on the consent before it was withdrawn.
- For better understanding of the manner of use and interaction with the contents of the website of SB, with the use of “cookies”.
- To improve the services it provides via the website, for improved user experience.
In relation to the above-mentioned we would like to point out that no consent is required in the following cases:
- For realization of an agreement concluded with SB or for undertaking of required activities in relation to the Request which the client submitted prior to proceeding to the agreement;
- For fulfillment of the legal obligation of SB as controller;
- For protection of the essential interests of clients and other parties;
- For realization of activities of public interest; and
- When the processing is required for the legitimate interests of SB or a third party, except when those interests do not prevail over the interest or basic rights and liberties of the subjects for which personal data protection is required, especially when the subject is a child.
Remark in relation to the automated decision-making, including profiling:
In specific cases, when required for the purposes of concluding or realizing the agreements between clients and the Bank, for the purposes of determining the creditworthiness based on the personal data received directly from the clients or from another database/ institution, or in accordance with expressed approval by the client, personal data processing may be performed also via automated procedures that result into decisions established on statistical analysis of individual parameters that enable objective assessment of the requests of clients. Furthermore, the Bank may conduct profiling of clients (segmentation according to certain characteristics) for accurate direct marketing, and to provide information to clients in accordance with their interests.
In these cases, clients have the right not to be subject to a decision established only on automatic processing, including the profiling that results in legal consequences or in a similar manner significantly affects the client, except in case the decision:
a) is required for concluding or realizing the agreement between the personal data subject and the Bank;
b) is allowed in accordance with the valid legal frame which also stipulates appropriate measures for protection of the rights and liberties and the legitimate interests of the subject; or
c) is established on expressed consent by the subject.
The Bank is applying appropriate measures for protection of the rights and liberties and the legitimate interests of the personal data subjects, and at least the right of providing a human intervention on part of SB, the right to express the personal attitude and the right to dispute that decision. This type of decision is not established on separate categories of personal data, except in the cases as permitted in accordance with the Law on personal data protection.
5. USERS TO WHICH THE BANK MAY REVEAL PERSONAL DATA OF SUBJECTS
The Bank is revealing the personal data to public authorities in accordance with their legal authorization, within the frame of NBG Group, for the purposes of the legitimate interests of SB and the Group and to third parties with which the Bank cooperates within the scope of its regular operations.
More specifically, the Bank may reveal personal data of subjects only in case it is obliged in accordance with the law, a decision of a competent authority or to third parties, i.e. to the following category of personal data users: government authorities or legal entities established in the country to perform public authorizations, an agency or other bodies and to third parties (individuals or legal entities) that act upon order or in the name of the Bank, such as:
(a) the companies of NBG Group, as well as all parties (individuals and legal entities) that cooperate with NBG in any form, acting in the name and for account of the Bank. For the purposes of the legitimate interests of SB and NBG Group (primarily for more efficient and safer personal data processing, obligations for reporting on group level or passing of strategic decisions within the frame of the Group), the Bank may reveal personal data of its clients within the frame of NBG Group;
(b) third parties (individuals and legal entities) that cooperate with SB in any form, acting in the name and for account of the Bank, to achieve the purpose for processing the agreement, including the following categories:
- Companies that inform debtors and/or guarantors about their debts prior to or after the finalization of preparation activities required for out-of-court and court procedure for collection on part of the Bank of their remaining debts;
- Companies – suppliers of IT equipment;
- Security Agencies of property and people;
- Companies for consultative services, including financial advisors and auditors;
- Companies – data providers;
- Insurance companies and insurance representatives in the context of providing insurance products;
- Bodies for special security, public institutions and public companies;
- Financial institutions, Internal Revenues Office, issuers of electronic money, markets and other institutions in this domain;
- Supervisory, judicial, independent and other bodies on national and European level for fulfillment of legal obligations of the Bank and the Group imposed in accordance with valid regulations or by court decision;
- Authorized accountants and audit companies.
The Bank is cooperating only with third parties that may implement appropriate technical and organizational measures as per the regulations and standards of the Bank, in due course providing an appropriate protection of personal data. In these cases, the third parties (personal data processors) are obliged with a specific Agreement that makes sure personal data are processed only in accordance with the instructions provided by the Bank, and by obeying the protection technical and organizational measures that provide for security of personal data.
*Remark: In accordance with the Law on obligation relations (Article 426 paragraph 1), SB may transfer and/ or sell the claims on debtors of SB, in the course of which it is inevitable to also transfer personal data of involved parties. In such situations, no consent is required from the debtor, but SB is obligatorily notifying debtors about the assignment of claims.
6. RULES THAT ARE APPLIED AT TRANSFER OF PERSONAL DATA OF SUBJECTS TO OTHER COUNTRIES (VIA CROSS-BORDER TRANSFER)
The Bank may transfer personal data it processes within the frame of NBG in accordance with the provisions of the Law on personal data protection.
If required, for example for the purposes to realize the Agreement for use of services of external entities, when the service provider is an external entity from abroad, the Bank may transfer personal data in other countries – members of EU or EEA, and it notifies therein the Agency for personal data protection in accordance with the Law on personal data protection. The Bank also has the right to transfer personal data in other countries that are not countries – members of EU or EEA upon previous approval for transfer of personal data from the Agency of personal data protection i.e. upon received Decision for accuracy on part of the Agency, in case they estimated that the third country provides an appropriate level of personal data protection.
7. TIME FRAME FOR KEEPING PERSONAL DATA OF SUBJECTS AND THE BALANCE OF PERSONAL DATA AFTER THE EXPIRY OF THE TIME PERIOD
A basic principle in relation to the keeping of personal data is that the Bank keeps them no longer than is required for the purposes for which they are processed. The period for keeping is related to the basis on which personal data are processed. For example, if personal data processing is required for fulfillment of legal obligations, most frequently the period of keeping is determined within the specific law (e.g. the clients file of all bank clients is kept for 10 years from the last transaction in accordance with the Law on AML/TF).
Upon expiry of the period for keeping the data, SB is destroying the data in accordance with relevant Procedure of the Bank, by obeying the provisions of the enforceable regulations. Furthermore, it makes sure that this process is obeyed on part of third parties that provide services in the name and for account of the Bank and the other business associates.
8. RIGHTS OF PERSONAL DATA SUBJECTS
Personal data subjects have a certain set of rights determined in accordance with the Law on personal data protection, explained below.
- Right to be informed (Article 16, 17 and 18 of the Law)
SB is informing personal data subjects about the process of data processing, the purposes of processing, the categories of personal data that are processed, the users/ categories of users in case there are any, the purpose of cross-border transfer (in case transferred, information about appropriate protection measures with a possibility of receiving a copy or information where they are available), the time period for keeping the personal data/ criteria used for determining that period, the legitimate interests of SB in case the processing is made in accordance with this basis for personal data processing, the existence of an automated deciding process, including profiling, as well as information about the rights of personal data subjects. In accordance with the transparency principle, SB is informing personal data subjects about issues related to personal data via several channels: i. brief information about the Application for registration of clients, which is the first formal step at the establishing of business relations, ii. this Privacy policy, which is publicly available on the website of SB and in printed form in all branches, iii. the flyer for personal data protection intended for the client and available in all branches, and via iv. a notification about the video surveillance in all the places in which the Bank has installed cameras.
We would like to notify that SB is not obliged to submit this information in the cases as stipulated in accordance with the Law on personal data protection (Article 18 paragraph 5).
- Right to access (Article 19 of the Law)
Personal data subjects have the right to receive a confirmation from SB in relation to whether their personal data are processed and in case so, they have the right to receive information in accordance with the right to information.
- Right to rectification (Article 20 and 23 of the Law)
Personal data subjects have the right to a correction of their erroneous personal data.
- Right to erasure (Article 21 of the Law)
Personal data subjects have the right to request from SB to delete their personal data in case the conditions are fulfilled in accordance with the Law on personal data protection. Upon request of the personal data subject, SB shall delete them only if the personal data are no longer required for the purposes for which they were collected or, where appropriate, in case the personal data subject withdraw the consent and the personal data were processed based on the provided consent (in case of direct marketing). Of essential importance is to mention that, in accordance with the Law on AML/TF, banks keep client files of all clients for a period of 10 years from the last transaction / attempted transaction.
By deleting the data, SB makes sure they are also deleted by third parties with which the Bank cooperates and processes those data.
- Right to restrict processing (Article 22 of the Law)
Personal data subjects have the right to require from SB to limit their personal data processing in case the conditions are met in accordance with the Law on personal data processing, including under condition the processing is no longer required for the purposes of reconciliation with the legal obligation that requires processing in accordance with the law that is being applied in relation to SB.
- Right to object (Article 25 of the Law)
Personal data subjects have the right to submit an objection to the Bank at any time, based on the specific situation related to them, when their personal data processing is based on the legitimate interest of the Bank or a third party or on public interest, including profiling based therein. In case personal data is processed for the purposes of direct marketing, subjects have the right at any time to submit an objection for their personal data processing and to request from the Bank to stop the processing of personal data for those purposes.
- Right related to automated decision making and profiling (Article 26 of the Law)
Personal data subjects have the right not to be subject to a decision based only upon automatic processing of their personal data, including profiling that results in legal consequences or in a similar manner significantly influences the client, except in the cases as stipulated in accordance with the Law on personal data protection.
- Right to data portability (Article 24 of the Law)
Personal data subjects have the right to receive their personal data, which they have provided to the Bank, in a structured, usually used, machine readable form, and they have the right to transfer them to another controller without being disrupted by the Bank, in case conditions are met in accordance with the Law on personal data protection.
Please be notified that the Request for realization of the rights is available at the following link: https://www.stb.com.mk/naselenie/zashtita-na-licni-podatoci/ and it may be submitted at the address “11 Oktomvri street no. 7, 1000 Skopje” to the attention of the “Officer for personal data protection” or electronically at the address: privacy@stb.com.mk, wherein you are to electronically sign the Request or send the completed Request as a scan document.
REMARK: Prior to submitting the Request for realization of the rights, all personal data subjects are encouraged and asked to read the relevant legal provision quoted above, which contains the limitations in relation to when and how the rights are realized, all to avoid unnecessary and unfounded requests to the Bank.
At the same time, we would like to mention that the Bank provides the required information without compensation, except in the case when the Requests are clearly unfounded or excessive, especially if the same requests are repeated. In these cases, the Bank will either refuse to act on the Request or will charge a fee considering the volume, complexity and time required to provide the information or act on the Request, for which you will be notified accordingly.
We would also like to mention that if more than one copy of the personal data being processed is requested, SB can decide whether to charge a fee considering the volume, complexity and time required to provide the copies.
9. VIDEO SURVEILLANCE SYSTEM
The Bank is performing video surveillance only in space that is sufficient to fulfill the purposes for which it was installed, that is, to protect the life and health of people, protect the property, protect the life and health of employees, and/or ensure control of the entry and exit from the office premises.
The manner of performing video surveillance is regulated in more detail by the Rulebook on the method of conducting video surveillance of the SB. This Rulebook was prepared based on the Law on personal data protection and the relevant by-laws adopted based on this Law.
The recordings made during video surveillance are kept until the purpose for which the video surveillance is performed is fulfilled, but not longer than 30 days. After the expiration of this period, the recordings are automatically deleted from the video surveillance system. Video surveillance recordings can be stored for a longer period if the storage is in accordance with a law that contains protective measures and other measures to protect the rights and freedoms of the subjects of personal data, but not longer than the fulfillment of the purpose. Also, the recordings can be stored for a longer period when it is necessary to realize the Bank's legitimate interest in conducting appropriate procedures in accordance with the law, and the internal procedures for the method of storing and deleting the recordings. Video recordings that are not deleted automatically, that are kept for a longer period and for which the purpose is fulfilled, are destroyed by a special Commission for the destruction of video material.
In a visible and clear place where the video surveillance is installed, the Bank has an appropriate notification (sticker) that highlights that video surveillance is being carried out, as well as data on the name of the Controller, the purpose of video surveillance, the term of storage of the video recordings, the rights of the subjects of personal data, as well as the way to obtain additional information.
10. RECORDING PHONE CALLS
SB is using technical means to record telephone conversations with customers in connection with the execution of transactions by customers with certain organizational units of the Bank, when performing and providing appropriate activities in connection with the execution of transactions and requests/complaints from customers in accordance with the applicable legal framework. In such cases, adequate notification is provided to clients and SB business partners prior to any recording of any telephone call.
11. DIRECT MARKETING
The Bank may use personal data of subjects for the purposes to inform them about products/ services of the Bank or other similar promotional activities that may be of interest to them, only upon received explicit consent. The Bank is not selling nor providing personal data for this purpose to uninterested third parties for their marketing purposes.
We would like to mention that the consent provided for this purpose might be withdrawn at any time without compensation, via three channels:
i. directly in the branches with the update of the Application for registration of the client,
ii. via the Call Center, or
iii. by withdrawing the consent from the e-banking platform (in the part „My profile“).
12. SECURITY AND PROCESSING OF PERSONAL DATA
Confidentiality of banking and personal data of SB clients is of special importance to all units of the Bank.
SB undertakes the necessary technical and organizational measures in order to ensure that personal data are protected from accidental loss or disclosure, destruction or misuse. For this purpose, a large set of technical and organizational measures are applied by which the Bank guarantees that personal data are processed strictly in accordance with the Law on personal data protection and that they are processed by well-trained persons with limited and controlled access to the same and through secure and modern IT systems.
Each employee is responsible for complying with the Bank's internal personal data protection policies and the Bank has zero tolerance for cases that may jeopardize the trust and privacy of customers and the general public.
A breach of personal data security may occur in the event of accidental or intentional destruction, loss, alteration, disclosure or access to personal data. In such a situation, the Bank notifies the Agency for personal data protection immediately after learning about the breach of security and within 72 hours at the latest. If it considers that the situation is likely to cause a high risk for the rights and freedoms of customers, and the legal requirements of the Law on personal data protection are met, it also informs all affected individuals accordingly.
13. AMENDING/ SUPPLEMENTING OF THIS PRIVACY POLICY
The Privacy Policy was adopted on 11.11.2021.
The Bank has the right to update/ amend i.e. supplement this Privacy Policy of Stopanska Banka AD – Skopje, for the purposes to reconcile with the enforceable legal frame or standards of NBG Group, in case they are higher than the stipulated ones by the national legislation.
In such a case, SB shall publish a notification on its website by mentioning the date of amendment and the actual amendments made within the Policy.
14. CONTACT DATA OF THE BANK AND THE PERSONAL DATA PROTECTION OFFICER
For any issues related to this Privacy Policy of Stopanska Banka AD – Skopje, as well as in relation to the Policies from the Annexes enclosed to this Policy, please contact the Officer for personal data protection in one of the following manners:
- in writing, by a letter that you may submit to SB at the address „11 Oktomvri street no. 7, 1000 Skopje“, to the attention of the „Officer for personal data protection“;
- electronically, at the e-mail address: privacy@stb.com.mk; or
- at the phone number: (02) / 3295 – 538.
ANNEX number 1: POLICY FOR PERSONAL DATA PRIVACY ON THE WEBSITE AND THE ONLINE SERVICES OF STOPANSKA BANKA AD – SKOPJE
The Bank is collecting data about the visitors / users of its website (hereinafter: „users“), available at the following link: www.stb.com.mk, as well as about the users of the m-banking mobile application that includes the TOPSI PAY Service.
The website may include links to other websites that are under responsibility of third parties (individuals and legal entities). SB is in no case responsible for the measures for protection and management of personal data in relation to the abovementioned websites of third parties.
Personal data collected via the website and the internet services of the Bank are required at the moment the user requires a service or visits the website. SB may process all or part of the provided personal data from users for the purposes to provide the e-services as well as for statistical/ analytical purposes for improvement of the services and user experience.
More specifically, the Bank is collecting the following data:
Personal identification data
SB may collect personal identification data from users in various ways, and in connection with the activities, services, features or resources available on the website and online services of the Bank.
Users can visit the site anonymously via the web browser's "incognito" mode.
SB collects personal identification data from users only if they themselves agree to submit them to the Bank. They may at any time decline to provide personally identifiable information.
Personal data that the Bank may collect and process when you visit the website or other online services are: name and surname, email address, location information (for example, in order to point you to the nearest ATM), username and password, payment card information, etc.
Identification data that are not personal
SB may collect identification data of users that are not personal every time they visit the website or the online services of the Bank. Identification data that are not personal may include:
- Data tracking, i.e. the name of the Internet browser, the type of computer, as well as technical information about the connection used by the user when visiting the website, such as the operating system and the Internet service provider and similar information,
- Duration of the visit and duration of a particular problem encountered when using the website or online services,
- Pseudonym ID (unique identification number) stored in order to identify the user when he/she revisits the website,
- Marketing data, i.e. data that indicates to the Bank which advertisements and promotions the user has viewed, etc.,
- Location information, i.e. data about the location from which the website is opened or online services were accessed.
All this information is collected in order to create a pseudonym user profile. In this way, the user's personal data is protected.
“Cookies”
The website of SB may use cookies to improve the user experience, to improve the access to certain services of SB, to identify the most visited areas and to evaluate the effectiveness of the website, but no personal data of the user is processed in due course. Cookies are small text files that are sent to the user's computer in order to provide technical functionality of the website and to personalize the user experience (e.g. a cookie that remembers the user's preferences on the next visit to the website).
SB uses „cookies“ that belong to three categories:
- Strictly necessary cookies. These cookies are always active because of the functionality of the website.
- Analytical cookies. Data processed with these cookies are related to the manner in which the website is used by the users (where does the user come from, which pages he/she visits etc.). These data are not used for marketing or other purposes except for improvement of the user experience of the visitor.
- Marketing cookies. SB is not using „cookies“ that collect data which are further processed for marketing purposes. At the same time, it has established a cookie from Google AdSense (third party) for their marketing purposes (targeting visitors while they visit different websites). They are used in accordance with the Privacy Policy of Google.
For complete transparency, please find below a review of the cookies used on the website of SB:
| „Cookie“ | Purpose | Duration period | Type |
| --- | --- | --- | --- |
| _cookieConsent | Used for the purposes to remember the visitor's choice regarding cookies on a subsequent visit. | 1 year | Strictly needed |
| _iwashere | Used when visiting the website from a mobile device, when the visitor is informed that there is an available mobile application of Stopanska Banka. The cookie remembers that the visitor is informed in order not to show up at every visit. | 1 year | Strictly needed |
| _gid | Used by Google Analytics to store information about how visitors use the website and helps to create analytical reports about the functionality of the website. Collected data: number of visitors, origin of visits, and pages visited anonymously. | 24 hours | Analytical |
| _ga | Used by Google Analytics in order to register a unique visitor ID which then generates statistics about how the visitor uses the website. | 2 years | Analytical |
| _gcl_au | Used by Google AdSense to track the use of the site on part of the user for marketing purposes. | 90 days | Marketing |
| _utmb | Used by Google Analytics to differentiate new sessions and visits. | 30 minutes | Analytical |
| _utmz | Used by Google Analytics to identify the sources of traffic, in the course of which SB receives information about the location from which the visitor visited the website of the Bank. | 6 months | Analytical |
| _utmc | Used by Google Analytics to detect new versus repeated visitors of the website. The cookie stores data as long as the visitor is in session. | By session | Analytical |
| _utmt | Used by Google Analytics to control/ limit the visitor's operations in a given period. | 10 minutes | Analytical |
| _utma | Used by Google Analytics to distinguish between a visitor and a session. | 2 years | Analytical |
In accordance with the above-mentioned, the Bank uses functional-analytical "cookies" from Google Analytics that enable better technical functionality of the website, i.e. help the Bank to monitor and improve the effectiveness of the website and improve the user experience of visitors. The information generated by the "cookies" about the use of the website (including the IP address) is transmitted to "Google" in anonymized form. This information is used to evaluate the use of the website by users and to make statistical reports on the Bank's website activity.
At the first visit to the Bank's website, the visitor receives information about the Bank's "cookie" policy and consents to its use. In this regard, we would like to point out that it is not possible to disable cookies that are technically necessary for users to use the website of the SB. With regard to other types of "cookies", which are not necessary for the general functionality of the website, the possibility is provided to refuse them or to agree to accept them. Users can change their preferences at any time.
In addition, the use of the website of SB is not conditioned by the acceptance of cookies although in this way certain processes may not be technically optimized for the user experience of the visitor.
PURPOSES OF PERSONAL DATA PROCESSING
- To improve the functionality of the website and the online services
The Bank is continuously striving to improve the offer on its website and online services based on feedback information received by users.
- To improve the services of SB to clients
Personal data help us to more efficiently respond to users' requests for certain services or support their needs (e.g. transaction processing, identity verification, fraud prevention, analytics, etc.).
- To administer the contents, promotions, polls and other functionalities
SECURITY OF PERSONAL DATA
As described in item number 12 of the Privacy Policy of Stopanska Banka - AD Skopje, the Bank applies security measures when collecting, storing and processing information in order to protect against unauthorized access, change, disclosure or destruction of personal data, as well as data that are not personal, but which are stored on the Bank's websites or online services.
WEBSITES OF THIRD PARTIES
Users may find advertisements or other content on the website of SB that link to other sites and services of our partners, suppliers, advertising firms, sponsors, and other third parties. The Bank does not control the content or links present on those pages and is not responsible for the actions of employees from pages linked to or from the SB website. In addition, the sites or services referred to, including the content and links, may change from time to time. These sites or services may have their own Personal Data Privacy Policy on their websites and a separate Customer Relations Policy. Browsing and interaction with any other site, including sites that have links to the SB website, is subject to the specific rules and policies of those sites.
AMENDMENTS TO THE POLICY FOR PRIVACY OF PERSONAL DATA
The Privacy Policy was adopted on 11.11.2021.
The bank has the right to update / amend or supplement this Personal Data Privacy Policy on the website of Stopanska Banka - AD Skopje, in order to comply with the applicable legal framework or the standards of the NBG Group, in case they are stricter than those provided by national legislation. In this case, SB will publish a notice on its website indicating the date of amendment and which amendments to the Policy were made.
CONTACT DATA
For any issues related to the protection of personal data, customers can contact the Bank in the manner as described in item number 14 of the Privacy Policy of Stopanska Banka - AD Skopje.
ANNEX number 2: POLICY FOR PRIVACY OF PERSONAL DATA OF EMPLOYEES OF STOPANSKA BANKA AD – SKOPJE
This Policy applies to SB employees, SB interns and volunteers, contract deed employees and engaged persons (hereinafter: "employees"). This Policy determines the types of data processed by the Bank for SB employees, the purposes of processing their personal data, the period of their storing, the protection, etc. Regarding the principles of protection of personal data, the Bank is guided by the principles described in item 2 of the Privacy Policy of Stopanska Banka - AD Skopje.
Categories of personal data of employees that are processed
Based on the Law on recording in the labor domain, the Law on labor relations, the Law on internships, the Law on volunteering and other legal acts and by-laws in this domain, as well as for the purpose of fulfilling the contractual obligations with the employees of SB, the Bank processes the following personal data:
- Name, surname and father’s name of the employee;
- Personal registration number of the citizen (PRN);
- Day, month and year of birth;
- Place of birth (municipality, city, country);
- gender (male - female);
- place of residence and address (city, municipality, name of the street and number, country);
- belonging to communities;
- religion;
- participation in labor unions;
- place of work (city, municipality, name of the street and number, country);
- degree and type of education (no education, elementary school, high-school, college, university, post-graduate studies);
- professional training degree (no education, elementary school, high-school, college, university, post-graduate studies):
- completed programs for professional advancement (training, additional qualification and re-qualification) and
- special skills and knowledge (computer skills, foreign languages and other skills);
- code and description of profession;
- employer’s working hours (full time or part time);
- years of service with paid insurance prior to the employment with the current employer;
- duration of labor relations:
- permanent employment and
- temporary;
- transaction account number;
- salary amount;
- data about disciplinary procedures or pronounced cash penalties;
- whether the employee is disabled (health data);
- date of establishing the labor relations;
- date of terminating the labor relations;
- basis for termination of labor relations.
Purposes of the processing personal data of SB employees
With regard to the purposes of processing, these are elaborated in item number 4 of the Privacy Policy of Stopanska Banka AD - Skopje, i.e. for the purposes of fulfilling the legal obligations of the Bank, as well as fulfilling the contractual obligations with the employees of SB.
In addition, the Bank processes personal data of SB employees for the purposes of the legitimate interest of the Bank in the following situations:
- Making decisions on internal appointment by division, promotions, etc.;
- Making decisions about salary and other benefits;
- Providing contractual benefits to employees;
- Maintaining a comprehensive, up-to-date record of SB employees in order to ensure, inter alia, the establishment of effective correspondence and the maintenance of appropriate contact points in the event of an emergency;
- Effectively monitoring performance and efficiency and taking appropriate actions as and when the need arises;
- Assessment of training needs;
- Effective management of employee sickness and leave;
- Managing the system of legal absence from work and pay, such as parental leave, unpaid leave, and the like;
- Business planning and restructuring;
- Dealing with legal procedures against SB;
- Preventing fraud;
Special categories of personal data of SB employees
Special category of personal data processed by SB:
- Health data;
- Ethnicity;
- Religion;
- Union membership.
Special categories of data are processed for the purposes of:
- Internal procedures regarding absence from work of employees due to health conditions,
- Performing reasonable adjustments for disabled persons;
- Determining non-working days according to the provided religious beliefs of SB employees;
- For financial aid of employees and/ or their closest family members related to medical conditions or some type of accident/ misfortune.
Based on the legal regulations for personal data protection, the Bank is not obliged to provide special consent for processing of special categories of personal data in order to implement its legal obligations arising from regulations on labor relations, social and health insurance. Depending on the purpose of processing, it is possible in certain situations to require consent for the processing of special categories of personal data. In that case, the employees are fully aware of the reasons for the processing.
Data related to criminal charges
The Bank is processing data about convictions for criminal offenses in accordance with the Law on Personal Data Protection, depending on the nature of the work tasks and for those jobs for which the Bank has a legal obligation to process them (for example, in accordance with the Law on Banks, the Law on Prevention of Money Laundering and Financing of Terrorism). These data usually appear in the form of a Certificate of No Conviction, which is issued by the appropriate competent court and is kept in the employee's file with limited access.
Users and transfer of personal data
The Bank, if necessary, may disclose personal data to authorized colleagues within SB, if necessary for the performance of their work tasks; to a relevant manager for the performance of the management work responsibilities; and to employees in the HR Division of SB for the purposes of maintaining employee files and/or entering data into the appropriate systems. Regarding the other possible users of this type of data, as well as the transfer of personal data, the provisions of items 5 and 6 of the Privacy Policy of Stopanska Banka - AD Skopje apply.
Security at processing personal data
SB is taking all required technical and organizational measures to make sure that personal data of employees are protected from accidental loss or disclosure, destruction or misuse.
Time for keeping the personal data
In accordance with the principles of personal data protection, SB processes personal data only to the extent necessary to fulfill the purposes of the processing. In the course of the duration period of the employment, personal data of employees are kept in the records of employees, and after the termination of the employment relationship, in accordance with the Law on archive material, the Instructions for the method and technique of handling archive and documentary material in office and archive operations and the Law on records in the labor domain, they are kept as a document of permanent value. Regarding other data from the file, the data storage period may vary, depending on the purposes of the personal data processing.
Automated decision making
The Bank is not processing personal data of SB employees for automated decisions related to employees.
Rights in accordance with the Law on personal data protection
Rights of employees related to personal data and the manner of their realization are described in item 8 of the Privacy Policy of Stopanska Banka AD – Skopje.
Contact data
Please contact the Bank in relation to all issues in the domain of this Policy or in relation to other issues, in the manner as described in item 14 of the Privacy Policy of Stopanska Banka AD – Skopje.
ANNEX number 3: PRIVACY POLICY FOR THE EMPLOYMENT CANDIDATES OF STOPANSKA BANKA AD – SKOPJE
This Policy applies to candidates for employment in SB (hereinafter: "candidates"). This Policy determines the types of data that the Bank keeps for candidates for employment in SB, the purposes of processing their personal data, the time of their storage, etc. In relation to the principles of personal data protection, the Bank is guided by the principles described in item number 2 of the Privacy Policy of Stopanska Banka - AD Skopje.
Categories of personal data of employment candidates that SB processes
SB is processing the following personal data of the candidates for employment:
- Name and surname, address, date of birth, telephone number;
- A photo only upon expressed consent by the candidate, provided in accordance with the Law on personal data protection;
- Gender;
- Information included in the CV, including education and history of employment;
- Documentation confirming the right of the candidate to work in the Republic of North Macedonia;
- Driver’s license (for specific job positions).
Purposes for personal data processing of employment candidates of SB
Regarding the purposes for processing, they have been elaborated in item 4 of the Privacy Policy of Stopanska Banka AD - Skopje.
Furthermore, the Bank has a legitimate interest to process personal data of candidates for employment for the following purposes:
- to make decision on employing the specific candidate, for internal appointment within divisions, for promoting the personal etc.;
- to make decision about the salary and other welfare;
- to assess the needs of training.
If the application is not successful and the candidate is not offered the job, the personal data will not be used for any other reason. They will be destroyed from the database of SB. In the above case, SB may require a consent from the candidate to save his personal data in the database of potential candidates for employment, in case suitable vacancies appear in the organization for which according to their opinion the candidate would like to apply within 1 or 2 years maximum.
Users and transfer of Your personal data
Regarding employment candidates of SB, the Bank discloses their personal data to the manager of the Division within SB of the job position that is applied for, as well as to other employees of SB responsible for the interview and selection of candidates. In relation to other possible users of personal data of the candidate, as well as the transfer of personal data, the provisions of items number 5 and 6 of the Privacy Policy of Stopanska Banka - AD Skopje shall apply.
Safety of personal data processing
SB is taking all required technical and organizational measures to make sure that personal data of employees are protected from accidental loss or disclosure, destruction or misuse.
Time period for keeping the personal data
In accordance with the principles of personal data protection, SB processes personal data only to the extent as necessary to fulfill the purposes of processing, and the same depends on whether the candidate's application will be successful or unsuccessful.
If the application is unsuccessful, and SB does not have the consent of the candidate to keep his personal data for future open job positions in SB, the personal data will be kept for a maximum of 60 days from the day of completion of the selection for the job position.
If SB required and received consent to store personal data for future open job positions in SB, it will keep the data for a period of 1 or 2 years, depending on the consent.
After the end of this period, SB will destroy the personal data, except in case the candidate withdrew the consent earlier.
If the application is successful, the personal data will be transferred to the records of SB employees.
Automated decision making
This title is described in item number 4 of the Privacy Policy of Stopanska Banka AD – Skopje.
Rights in accordance with the Law on personal data protection
Rights in relation to personal data are described in item 8 of the Privacy Policy of Stopanska Banka AD – Skopje.
Contact data
For any issues related to this Policy or for other issues related to personal data protection, please contact the Bank in the manner as described in item number 14 of the Privacy Policy of Stopanska Banka AD – Skopje.