Privacy Policy

PRIVACY POLICY OF STOPANSKA BANKA AD – SKOPJE

The protection of the privacy and confidentiality of clients’ data is of the utmost importance to Stopanska Banka AD – Skopje (hereinafter: the “Bank / SB”), taking into account the nature of banking operations as well as the data that banks collect in the course of their regular business activities.

SB’s Privacy Policy aims to explain the process of collecting, using, processing, disclosing, protecting and destroying (the “life cycle”) personal data that it processes.

SB carries out every activity related to personal data in accordance with the provisions of the Law on Personal Data Protection and the by-laws adopted pursuant to this Law, as a legal framework implementing the European Union’s General Data Protection Regulation (“EU General Data Protection Regulation (GDPR)”).

For the purposes of personal data protection, the Bank has appointed a Personal Data Protection Officer (contact details below), whom data subjects may contact for questions related to the processing of their personal data and for exercising their legal rights. The Bank also has a dedicated team composed of legal experts and information technology experts who work on protecting the personal data of data subjects. In addition, the protection of the privacy and confidentiality of the Bank’s clients’ data is part of SB’s Code of Ethics, the provisions of which are binding for all employees of SB.

This Policy consists of the following chapters:

1. The role of Stopanska Banka AD – Skopje under the Law on Personal Data Protection
2. Basic principles of personal data processing
3. Categories of personal data processed by the Bank
4. Purposes of personal data processing
5. Recipients to whom the Bank may disclose personal data
6. Rules applicable to the transfer of personal data of data subjects to other countries (cross-border transfer)
7. The retention period for the personal data of data subjects and the status of personal data after the retention period expires
8. Rights of data subjects in relation to their personal data
9. Video surveillance
10. Recording of telephone conversations
11. Marketing
12. Security of personal data processing
13. Amending / supplementing the Privacy Policy
14. Contact details of the Bank and the Personal Data Protection Officer and the method for reporting a personal data breach

ANNEX No. 1: Privacy Policy for personal data on the website of Stopanska Banka AD – Skopje
ANNEX No. 2: Privacy Policy for employees of Stopanska Banka AD – Skopje
ANNEX No. 3: Privacy Policy for job applicants at Stopanska Banka AD – Skopje

1. THE ROLE OF STOPANSKA BANKA AD – SKOPJE UNDER THE LAW ON PERSONAL DATA PROTECTION
   Pursuant to the provisions of the Law on Personal Data Protection, SB is a Controller, i.e., a legal entity that determines the purposes and means of processing personal data of data subjects.
   
   
2. BASIC PRINCIPLES

As a controller, SB ensures the protection and processing of personal data in accordance with the applicable legal framework, which it monitors on a regular basis. For that purpose, it ensures that personal data of data subjects are processed in accordance with the following principles:

• Lawfulness, fairness and transparency – personal data are processed in accordance with the law, to an adequate extent and in a transparent manner in relation to the data subject;
• Purpose limitation – personal data are collected for specific, explicit and legitimate / legally defined purposes and will not be processed in a manner that is not compatible with those purposes;
• Data minimisation – personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This principle is also relevant in relation to access to personal data being processed;
• Accuracy – personal data are accurate and, where necessary, kept up to date, and all appropriate measures are taken to ensure that inaccurate or incomplete data are erased or rectified without delay;
• Storage limitation – personal data are kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods if they are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with the law, and subject to appropriate technical and organisational measures to protect the rights and freedoms of the data subject;
• Integrity and confidentiality – personal data are processed in a manner that ensures an appropriate level of security, including protection against unauthorised or unlawful processing and against accidental destruction or damage, by applying appropriate technical and organisational measures; and
• Accountability – the Bank is responsible for compliance with the above principles and can demonstrate compliance at any time, in particular upon request / inspection by Internal Auditors, the Personal Data Protection Officer, or the Personal Data Protection Agency.

The above processing principles apply cumulatively, all together, throughout the entire life cycle of personal data processing.

3. CATEGORIES OF PERSONAL DATA PROCESSED BY THE BANK

SB collects, stores and processes personal data disclosed to the Bank by potential and/or existing clients and, in general, by persons who perform business activities with the Bank in any capacity, at all stages of business cooperation in the context of products / services provided by or through the Bank, as well as data arising from bank account statements and/or from previous credit products of the above category of persons, within the banking system.

The primary source of the Bank’s personal data is the personal data that data subjects themselves provide to the Bank when completing the Client Registration Application at the first business contact with the Bank (in the case of clients).

We note that the Bank processes personal data only to the extent necessary for the purposes of processing.

In particular, SB may process the following personal data:

1. i. Personal data provided by data subjects, such as: identification data (name and surname, date and place of birth, identity card or passport data, personal identification number, etc.), demographic data (gender, nationality, marital status), contact data (postal address, telephone number, email address), financial data (information regarding salary and property status, tax number), access data for electronic applications (e.g., i-bank login), electronic identification data, etc.

Data subjects are obliged to immediately notify the Bank of any change in the above data.

1. ii. Personal data collected by the Bank, such as:

• personal data related to the implementation of analytical measures and the identification of designated persons or entities subject to financial restrictive measures, including for the prevention of money laundering and terrorist financing;
• personal data related to the monitoring and assessment of creditworthiness, the Bank’s risk management, and generally for the purposes of clients’ contractual or business relationships with SB;
• data provided to supervisory authorities in accordance with the applicable legal framework;
• data in the context of correspondence and general communication between clients and the Bank;
• economic data that provide an assessment of investment, financial status and clients’ behaviour;
• “cookies” and related technologies enabling access to and use of specific pages and/or websites;
• information provided by supervisory, judicial and other public and independent authorities related to criminal convictions, offences, implementation of measures for the protection of the public interest, seizures, confiscations and pledges;
• data affecting clients that are publicly available via the Internet or otherwise;
• data on SB employees, interns and volunteers in SB in accordance with the applicable legal framework (Law on Labour Records, Labour Relations Law and others), further explained in Annex 2 to this Policy;
• data on job applicants in SB, further explained in Annex 3 to this Policy;
• personal data collected when using the Bank’s website, further explained in Annex 1 to this Policy.

Personal data processed by SB are stored in paper and/or electronic form.

PERSONAL DATA OF MINORS

The Bank takes appropriate measures to protect the personal data of minors in accordance with the regulations. SB stores minors’ data only if the personal data have been provided by the persons who have guardianship over the minors and solely for the needs of the business relationship with the Bank for the benefit of the minors, unless otherwise prescribed by law (for example, in exceptional situations, a minor who has reached 16 years of age and has entered into marriage, in which case the minor acquires legal capacity).

We note that the products and services provided by SB are in no case intended for direct use by minors. In addition, SB does not provide information society services to children within the meaning of Article 12 of the Law on Personal Data Protection.

4. PURPOSES OF PROCESSING PERSONAL DATA

SB processes the personal data of data subjects collected when establishing / continuing the business relationship with the Bank for the following purposes:

1. In the context of performing a contract or prior to its signing, in particular:

1. to confirm the client’s identity;
2. to communicate with clients when undertaking pre-contractual actions or for matters related to the business relationship with SB, including taking actions to collect due receivables of SB;
3. to prepare, conclude and manage the contract concluded with SB and to take actions to fulfil obligations toward clients, as well as to execute, manage, monitor and process client transactions, i.e., to efficiently provide the requested product / service from SB;
4. to ensure the execution of transactions carried out through the electronic banking system (transactions executed through alternative networks);
5. to assess suitability for offering a product / service and, in particular, to assess suitability when providing investment and ancillary services and to provide appropriate information, to monitor the management and supervision of investment products, and, where possible, to include the client in the designated target market for certain types of products.

B. As part of SB’s compliance with obligations established by the applicable legal and regulatory framework, in particular:

1. to prevent and combat money laundering and terrorist financing and to prevent fraud against the Bank and/or its clients and any other unlawful act, i.e., for identification, verification and monitoring of clients’ business activities;
2. to assess clients’ creditworthiness, where necessary for the smooth conduct of the clients’ business relationship with the Bank;
3. to assess compatibility and any other assessment or categorisation of the client in relation to products or services;
4. to record and execute all client orders for transactions with financial instruments, including the obligation to record orders given by telephone;
5. to record and keep records of the Bank’s telephone communications (or those of third parties engaged by the Bank to collect due receivables) carried out for the purpose of informing its debtors about their outstanding debts;
6. to document clients’ requests (e.g., a request for debt restructuring due to the client’s inability to repay the debt) and the Bank’s assessment thereof;
7. to comply with its obligations arising from the applicable legal framework and decisions of supervisory or judicial authorities;
8. to disclose and transfer information to competent public authorities and legal entities with public authorisations whenever necessary in accordance with applicable legislation.

C. In the context of the Bank’s lawful and ongoing operations and the protection of its rights and legitimate interests, in particular:

1. to develop and/or improve the products and services offered by the Bank in relation to clients’ preferences and the ongoing execution of transactions;
2. to respond to client requests / complaints;
3. to assess and manage risks related to the Bank’s operations;
4. to prevent the commission of criminal offences (e.g., fraud) and to identify and collect data on unlawful activities, for the physical security of persons and property (including the video surveillance system);
5. to transfer, assign (directly or as collateral) and/or secure any and all pledges, claims, guarantees, securities arising under a contract concluded between the client and SB, to any third party; and
6. to pursue its legal claims before courts or other bodies for out-of-court / alternative dispute resolution;
7. to assess and optimise security procedures, IT systems, etc.

D. On the basis of given consent:

1. to send information about new products and/or services offered by SB that match the clients’ interests and preferences. In this case, clients have the right to withdraw their consent at any time, free of charge, through several channels: (i) directly at branches by updating the Client Registration Application, (ii) through the Contact Centre, or (iii) by withdrawing consent via the e-banking platform, without affecting the lawfulness of any processing carried out on the basis of consent before it was withdrawn;
2. to better understand how the SB website content is used and interacted with, using “cookies”;
3. to improve the services provided through the website for a better user experience.

With regard to the above, we note that consent is not required in the following cases:

• for the performance of a contract concluded with SB or in order to take steps at the request of the client prior to entering into a contract;
• for compliance with a legal obligation of SB as a controller;
• to protect the vital interests of clients or another person;
• for the performance of tasks carried out in the public interest; and
• where processing is necessary for the purposes of the legitimate interests of SB or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects requiring protection of personal data, in particular where the data subject is a child.

Note regarding automated decision-making, including profiling:

In specific cases, such as when this is necessary for concluding or performing contracts between clients and the Bank, determining creditworthiness on the basis of personal data obtained directly from the client or from another database / institution, or based on the client’s explicit authorisation, the processing of personal data may also be carried out through automated procedures resulting in decisions based on statistical analysis of specific parameters enabling an objective assessment of clients’ requests. In addition, the Bank may carry out profiling of clients (segmentation by certain characteristics) in order to better target direct marketing and provide clients with information appropriate to their interests.

In such cases, clients have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the client or similarly significantly affects the client, except where the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and the Bank;

b) is authorised by the applicable legal framework which also provides for suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or

c) is based on the data subject’s explicit consent.

The Bank implements appropriate measures to safeguard the rights and freedoms and legitimate interests of data subjects, including at least the right to obtain human intervention by SB, the right to express one’s point of view, and the right to contest such a decision. Such decisions are not based on special categories of personal data, except in cases permitted by the Law on Personal Data Protection.

5. RECIPIENTS TO WHOM THE BANK MAY DISCLOSE PERSONAL DATA OF DATA SUBJECTS

The Bank discloses personal data to public authorities in accordance with their legal competences, within the NBG Group for the purposes of the legitimate interests of the Bank and the Group, and to third parties with whom the Bank cooperates in the course of its regular operations.

More specifically, the Bank may disclose personal data of data subjects only where it is obliged to do so pursuant to law, a decision of a competent authority, or to third parties, i.e. the following categories of recipients: state authorities or legal entities established by the state for the exercise of public powers, agencies or other bodies, as well as third parties (natural or legal persons) acting upon instruction or on behalf of the Bank, such as:

(a) companies within the National Bank of Greece Group, as well as all persons (natural or legal) cooperating with the National Bank of Greece in any form, acting on behalf and for the account of the Bank. For the purposes of the legitimate interests of SB and the NBG Group (primarily for more efficient and secure processing of personal data, group-level reporting obligations or strategic decision-making), the Bank may disclose personal data of its clients within the NBG Group;

(b) third parties (natural or legal persons) cooperating with SB in any form, acting on behalf and for the account of the Bank, in order to achieve the purpose of processing under the contract, including the following categories:

1. Companies that notify debtors and/or guarantors of their debts before or after termination and/or carry out preparatory activities required for out-of-court or court debt collection proceedings;
2. Information technology equipment suppliers;
3. Security service providers;
4. Consulting companies, including financial consultants and auditors;
5. Data providers;
6. Insurance companies and insurance intermediaries in the context of providing insurance products;
7. Social insurance bodies, public institutions and public enterprises;
8. Financial institutions, Public Revenue Office, electronic money issuers, stock exchanges and other institutions in this field;
9. Supervisory, judicial, independent and other authorities at national and European level for the purpose of fulfilling legal obligations of the Bank and the Group imposed by applicable regulations or court decisions;
10. Authorised accountants and audit firms.

The Bank cooperates only with third parties that can implement appropriate technical and organisational measures in accordance with applicable regulations and the Bank’s standards, thus ensuring adequate protection of personal data. In such cases, third parties (personal data processors) are bound by a specific agreement ensuring that personal data are processed solely in accordance with the instructions of the Bank and in compliance with appropriate technical and organisational security measures.

Note: In accordance with the Law on Obligations (Article 426 paragraph 1), SB may assign and/or sell receivables from its debtors, in which case the personal data of the affected data subjects are inevitably transferred. In such cases, the consent of the debtor is not required, but SB will duly notify the debtors of the assignment of receivables.

6. RULES APPLICABLE TO THE TRANSFER OF PERSONAL DATA OF DATA SUBJECTS TO OTHER COUNTRIES (CROSS-BORDER TRANSFER)

The Bank may transfer personal data that it processes within the National Bank of Greece (NBG) Group in accordance with the provisions of the Law on Personal Data Protection.

Where necessary, for example for the implementation of a service agreement with external service providers located abroad, the Bank may transfer personal data to other countries that are members of the EU or the EEA and shall notify the Personal Data Protection Agency in accordance with the Law on Personal Data Protection.

The Bank may also transfer personal data to countries outside the EU or the EEA, subject to prior approval for the transfer of personal data by the Personal Data Protection Agency or based on an Adequacy Decision issued by the Agency, where it has assessed that the third country ensures an adequate level of protection of personal data.

7. RETENTION PERIOD OF PERSONAL DATA AND STATUS OF PERSONAL DATA AFTER EXPIRY OF THE RETENTION PERIOD

The basic principle regarding the retention of personal data is that the Bank retains them no longer than necessary for the purposes for which they are processed. The retention period is often related to the legal basis for processing the personal data. For example, where processing is required in order to comply with a legal obligation, the retention period is often defined by law (e.g. client files of all banks are kept for 10 years from the last transaction pursuant to the Law on the Prevention of Money Laundering and Financing of Terrorism).

Upon expiration of the retention period, SB destroys the data in accordance with its internal procedures, while ensuring compliance with applicable legislation. The Bank also ensures that such procedures are respected by third parties providing services on behalf of the Bank and other business partners.

8. RIGHTS OF DATA SUBJECTS

Data subjects have a set of rights established by the Law on Personal Data Protection, as explained below.

• Right to be informed (Articles 16, 17 and 18 of the Law)

SB informs data subjects about the processing of their personal data, the purposes of processing, the categories of personal data being processed, the recipients / categories of recipients (if any), the intention to transfer personal data to third countries (including information on the appropriate safeguards and how to obtain a copy), the retention period or the criteria used to determine that period, the legitimate interests of SB where processing is based on such grounds, the existence of automated decision-making including profiling, as well as information about the rights of data subjects.

In accordance with the principle of transparency, SB informs data subjects through several channels: (i) brief information contained in the Client Registration Application as the first formal step in establishing a business relationship, (ii) this Privacy Policy, publicly available on the Bank’s website and in printed form at all branches, (iii) the Personal Data Protection Brochure available at all branches, and (iv) video surveillance notices displayed in all areas where surveillance cameras are installed.

SB is not obliged to provide this information in the cases prescribed by the Law on Personal Data Protection (Article 18, paragraph 5).

• Right of access (Article 19 of the Law)

Data subjects have the right to obtain confirmation from SB as to whether or not their personal data are being processed, and where that is the case, to access such data and the information referred to under the right to be informed.

• Right to rectification or completion (Articles 20 and 23 of the Law)

Data subjects have the right to request correction of inaccurate personal data relating to them.

• Right to erasure (“right to be forgotten”) (Article 21 of the Law)

Data subjects have the right to request that SB erase their personal data where the conditions under the Law on Personal Data Protection are met. In essence, upon request, SB will delete personal data only if such data are no longer necessary for the purposes for which they were collected, or where the data subject has withdrawn consent on which processing was based (in the case of direct marketing).

It is important to note that, pursuant to the Law on the Prevention of Money Laundering and Financing of Terrorism, banks are required to retain client files for a period of 10 years from the last transaction or attempted transaction.

When erasing personal data, SB ensures that the same data are also deleted by third parties with whom the Bank cooperates and who process such data.

• Right to restriction of processing (Article 22 of the Law)

Data subjects have the right to request that SB restrict the processing of their personal data, provided that the conditions set out in the Law on Personal Data Protection are met, including where processing is no longer necessary for compliance with a legal obligation imposed on SB.

• Right to object (Article 25 of the Law)

Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on the legitimate interest of the Bank or of a third party, including profiling based on such grounds.

Where personal data are processed for direct marketing purposes, data subjects have the right to object at any time to such processing, and to request that the Bank cease further processing of their personal data for such purposes.

• Right regarding automated decision-making and profiling (Article 26 of the Law)

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except in cases provided for by the Law on Personal Data Protection.

The rights referred to above are further elaborated in point 4 of the Privacy Policy of Stopanska Banka AD – Skopje.

9. VIDEO SURVEILLANCE SYSTEM

The Bank conducts video surveillance only in areas necessary to achieve the purposes for which it is installed, namely to protect life and health of persons, protect property, ensure the safety of employees, and/or control entry to and exit from official premises.

The manner of conducting video surveillance is regulated in detail by the Rulebook on the Method of Conducting Video Surveillance of SB, which is adopted in accordance with the Law on Personal Data Protection and the relevant by-laws.

Recordings made through video surveillance are stored until the purpose for which the surveillance is conducted is fulfilled, but no longer than 30 days. After this period expires, the recordings are automatically deleted from the video surveillance system. Recordings may be retained for a longer period where retention is required by law or where necessary to protect the legitimate interests of the Bank, in accordance with internal procedures governing the retention and deletion of recordings. Recordings that are not automatically deleted and whose purpose has been fulfilled are destroyed by a special commission for destruction of video material.

At visible and clearly marked locations where video surveillance is conducted, the Bank places appropriate notices indicating that video surveillance is in operation, as well as information on the identity of the controller, the purpose of surveillance, the retention period of recordings, the rights of data subjects and how to obtain additional information.

10. RECORDING OF TELEPHONE CONVERSATIONS

SB uses technical means to record telephone conversations with clients in connection with the execution of transactions with certain organisational units of the Bank, and in the performance and provision of activities related to the execution of transactions and handling of client requests/complaints, in accordance with the applicable legal framework.

In such cases, appropriate notice is provided to clients and business partners of SB prior to recording any telephone conversation.

11. DIRECT MARKETING

The Bank may use personal data of data subjects for the purpose of informing them about products and/or services offered by the Bank, or other similar promotional activities that may be of interest to them, only upon obtaining explicit consent. The Bank does not sell or provide personal data collected for this purpose to unrelated third parties for their marketing purposes.

Please note that the consent given for this purpose may be withdrawn at any time, free of charge, through the following channels:

Consent may be withdrawn through the following channels:

• directly at Bank branches by updating the Client Registration Application;
• through the Contact Centre; or
• by withdrawing consent via the e-banking platform.

Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

   12. SECURITY OF PERSONAL DATA PROCESSING

ANNEX No. 1: PRIVACY POLICY FOR PERSONAL DATA ON THE WEBSITE AND ONLINE SERVICES OF STOPANSKA BANKA AD – SKOPJE

The Bank collects data about visitors / users of its website (hereinafter: “users”), available at www.stb.com.mk, as well as users of the m-banking mobile application which includes the TOPSI PAY service.

The website may contain links to other websites that are under the responsibility of third parties (natural or legal persons). In no case shall SB be responsible for the data protection and privacy practices of such third-party websites.

Personal data collected through the Bank’s website and online services are required at the moment the user requests a service or visits the website. SB may process all or part of the personal data provided by users in order to provide e-services and for statistical / analytical purposes aimed at improving services and user experience.

Personal identification data

SB may collect personal identification data from users in various ways related to activities, services, features or resources available on the Bank’s website and online services.

Users may visit the website anonymously using their browser’s “incognito” mode.

SB collects personal identification data from users only if they voluntarily provide such data. Users may always refuse to supply personal identification data.

Personal data that the Bank may collect and process when you visit the website or use online services include: name and surname, email address, location information (e.g. to indicate the nearest ATM), username and password, payment card information, etc.

Non-personal identification data

SB may collect non-personal identification data about users whenever they interact with the website or online services. Such non-personal data may include:

• tracking data, such as browser name, type of computer, and technical information about users’ means of connection to the website (such as operating system and internet service provider);
• duration of visits and duration of certain issues encountered while using the website or online services;
• pseudonymised ID (unique identifier) used to recognise a user when revisiting the website;
• marketing data indicating which advertisements or promotions the user has viewed;
• location data indicating from where the website or online services were accessed.

All such information is collected in order to create a pseudonymised user profile, thereby protecting the user’s personal data.

“Cookies”

The SB website may use “cookies” in order to improve user experience, improve access to certain services, identify the most frequently visited areas, and assess the effectiveness of the website, without processing users’ personal data. Cookies are small text files sent to the user’s computer to ensure technical functionality and personalise the user experience (e.g. remembering preferences on the next visit).

SB uses cookies that fall into the following categories:

• Strictly necessary cookies – these cookies are always active because they are required for the basic functionality of the website.
• Analytical cookies – data processed through these cookies relate to how users use the website (where visitors come from, which pages they visit, etc.). These data are not used for marketing purposes but solely to improve user experience.
• Marketing cookies – SB does not use cookies that collect data for marketing purposes. However, a third-party cookie from Google AdSense is used for its own marketing purposes (targeting users while browsing different websites), in accordance with Google’s Privacy Policy.

For full transparency, below is an overview of the cookies used on the SB website:

Based on the above, SB uses functional and analytical cookies from Google Analytics that enable better technical functionality of the website and help the Bank monitor and improve its effectiveness and user experience. The information generated by cookies regarding website use (including IP address) is transmitted to Google in anonymised form. This information is used to evaluate website usage and compile statistical reports on website activity.

When visiting the SB website for the first time, users are informed about the Bank’s cookie policy and asked to provide consent. Cookies that are strictly necessary for the technical operation of the website cannot be disabled. Other cookies that are not necessary for the overall functionality of the website may be accepted or rejected by the user. Users may change their preferences at any time.

In addition, use of the SB website is not conditional upon accepting cookies, although in such a case certain processes may not be technically optimised for the user experience.

DATA SECURITY

As described in Section 12 of the Privacy Policy of Stopanska Banka AD – Skopje, the Bank applies appropriate technical and organisational security measures when collecting, storing and processing information in order to protect against unauthorised access, alteration, disclosure or destruction of personal data, as well as non-personal data stored on the website or within the Bank’s online services.

THIRD-PARTY WEBSITES

Users may find advertisements or other content on the SB website that link to the websites and services of partners, suppliers, advertisers, sponsors or other third parties. The Bank does not control the content or links appearing on such websites and is not responsible for the practices employed by websites linked to or from the SB website.

These websites or services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including those that have links to the SB website, are subject to that website’s own terms and policies.

CHANGES TO THE PRIVACY POLICY

This Privacy Policy was adopted on 11 November 2021.

The Bank reserves the right to update, amend or supplement this Privacy Policy at any time in order to ensure compliance with applicable legislation or standards of the NBG Group, where such standards are more stringent than national legislation.

In such cases, the Bank will publish a notice on its website indicating the date of the amendment and the nature of the changes made.

CONTACT INFORMATION

For any questions related to the protection of personal data, clients may contact the Bank in the manner described in item 14 of the Privacy Policy of Stopanska Banka AD – Skopje.

ANNEX No. 2: PRIVACY POLICY FOR PERSONAL DATA OF EMPLOYEES OF STOPANSKA BANKA AD – SKOPJE

This Policy applies to employees of SB, interns, volunteers, persons engaged under service contracts, and other engaged persons (hereinafter: “employees”). It defines the types of personal data processed by the Bank in relation to employees, the purposes of processing, retention periods, protection measures, etc.

Regarding the principles of personal data protection, the Bank adheres to the principles set out in Section 2 of the Privacy Policy of Stopanska Banka AD – Skopje.

Categories of personal data of employees processed by the Bank

Based on the Law on Records in the Field of Labour, the Labour Relations Law, the Law on Internship, the Law on Volunteering and other applicable legislation, as well as contractual obligations toward employees, the Bank processes the following personal data:

• first name, last name and father’s name;
• unique personal identification number (EMBG);
• date of birth;
• place of birth (municipality, settlement, state);
• gender;
• residential address (municipality, settlement, street, number, country);
• ethnic affiliation;
• religious affiliation;
• trade union membership;
• place of work (municipality, settlement, address);
• level and type of completed education;
• professional qualifications and level of expertise;
• completed professional training, retraining or additional qualifications;
• special knowledge and skills (computer skills, foreign languages, etc.);
• occupation code and description;
• working hours (full-time or part-time);
• insurance service prior to employment;
• duration of employment (indefinite or fixed-term);
• bank account number;
• salary amount;
• disciplinary measures and financial penalties;
• disability status (health data);
• date of commencement of employment;
• date and grounds for termination of employment.

Purposes of processing employee personal data

The purposes of processing are those described in Section 4 of the Privacy Policy of Stopanska Banka AD – Skopje, namely for compliance with legal obligations and fulfilment of contractual obligations toward employees.

Additionally, the Bank processes employees’ personal data based on its legitimate interests for:

• internal allocation of staff, promotions and internal mobility;
• salary decisions and employee benefits;
• granting contractual benefits;
• maintaining accurate and up-to-date employee records to ensure effective communication and emergency contact;
• monitoring work performance and efficiency where justified;
• assessing training and development needs;
• managing sick leave and vacation entitlements;
• managing statutory leave and payroll processes;
• business planning and organisational restructuring;
• handling legal proceedings involving the Bank;
• prevention of fraud.

Special categories of personal data of employees

The Bank processes the following special categories of personal data:

• health-related data;
• ethnic origin;
• religious beliefs;
• trade union membership.

Such special categories of data are processed for the following purposes:

• managing employee absences due to health reasons;
• providing reasonable accommodation for persons with disabilities;
• determining non-working days based on declared religious affiliation;
• providing financial assistance to employees or their immediate family members in cases of illness or hardship.

Under applicable personal data protection legislation, the Bank is not required to obtain separate consent to process special categories of personal data where processing is necessary to fulfil its legal obligations under labour, social security or health legislation. In certain cases, the Bank may request explicit consent, in which case employees will be fully informed about the purpose of processing.

Criminal conviction data

The Bank processes data relating to criminal convictions in accordance with the Law on Personal Data Protection, depending on the nature of the position and legal requirements (e.g. under the Law on Banks or AML legislation). Such data are usually obtained in the form of a criminal record certificate issued by the competent court and are stored in the employee’s file with restricted access.

Recipients and transfer of employee personal data

Where necessary, the Bank may disclose employee personal data to authorised internal staff for the purpose of performing their duties, to direct supervisors, or to HR staff for maintaining personnel records.

For other potential recipients and transfers of personal data, the provisions of Sections 5 and 6 of the Privacy Policy of Stopanska Banka AD – Skopje shall apply.

Security of processing

The Bank implements appropriate technical and organisational measures to ensure that employees’ personal data are protected against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Retention period

In accordance with the principles of personal data protection, the Bank processes personal data only for as long as necessary to fulfil the purposes of processing.

During employment, personal data are maintained in employee records. After termination of employment, data are retained in accordance with archival legislation and labour regulations as documents of permanent value.

For other data contained in employee files, retention periods may vary depending on the purpose of processing.

Automated decision-making

The Bank does not perform automated individual decision-making concerning employees.

Rights under the Law on Personal Data Protection

Employees’ rights regarding their personal data and the manner of exercising those rights are described in Section 8 of the Privacy Policy of Stopanska Banka AD – Skopje.

Contact details

For any questions related to this Policy or other matters concerning personal data protection, employees may contact the Bank in the manner described in Section 14 of the Privacy Policy of Stopanska Banka AD – Skopje.

ANNEX No. 3: PRIVACY POLICY FOR JOB APPLICANTS AT STOPANSKA BANKA AD – SKOPJE

This Policy applies to candidates applying for employment with SB (“candidates”). It defines the types of personal data processed, the purposes of processing, and the retention periods.

With regard to the principles of personal data protection, the Bank applies the principles set out in Section 2 of the Privacy Policy of Stopanska Banka AD – Skopje.

Categories of personal data processed for job applicants

• name and surname, address, date of birth, telephone number;
• photograph (only with explicit consent of the candidate);
• gender;
• information contained in the CV, including education and employment history;
• documentation confirming the right to work in the Republic of North Macedonia;
• driving licence (for certain job positions).

Purposes of processing personal data of job applicants

The purposes of processing are those set out in Section 4 of the Privacy Policy of Stopanska Banka AD – Skopje.

Additionally, the Bank has a legitimate interest to process personal data of job applicants for the following purposes:

• deciding which candidates to offer employment to, internal allocation and promotions;
• deciding on salary and benefits;
• assessing training and development needs.

If the application is unsuccessful and the candidate is not offered employment, the personal data will not be used for any other purpose. Such data will be deleted from the Bank’s database.

In such cases, the Bank may request consent from the candidate to retain their personal data for future job opportunities within the Bank for a period of 1 or 2 years.

If consent is granted, data will be stored for the agreed period. If consent is withdrawn earlier, the data will be deleted accordingly.

If the application is successful, the personal data will be transferred to the employee records of the Bank.

Recipients and transfer of personal data

The Bank may disclose candidates’ personal data to managers and employees involved in the recruitment and selection process.

For other recipients and transfers of personal data, the provisions of Sections 5 and 6 of the Privacy Policy apply.

Security of processing

The Bank applies appropriate technical and organisational measures to ensure protection of personal data against accidental loss, destruction, unauthorised disclosure or misuse.

Retention period

Personal data are processed only for as long as necessary to fulfil the purposes of processing.

If the application is unsuccessful and no consent is given, personal data will be retained for a maximum of 60 days after completion of the recruitment process.

If consent is given, data will be retained for 1 or 2 years depending on the consent provided.

After expiration of the retention period, the personal data will be permanently deleted.

Automated decision-making

Automated individual decision-making is not used in the recruitment process.

Rights under the Law on Personal Data Protection

The rights of candidates regarding their personal data are described in Section 8 of the Privacy Policy of Stopanska Banka AD – Skopje.

Contact details

For any questions regarding this Policy or matters related to personal data protection, candidates may contact the Bank in the manner described in Section 14 of the Privacy Policy of Stopanska Banka AD – Skopje.