Data protection and privacy policy

The new regulations on protection of personal data, commonly known as GDPR, come into force on the 25th of May 2018. The main objective of GDPR is unification of the principles of processing of personal data in the entire European Union. Bank Millennium processes your data, inter alia, in order to conclude agreements, keep bank accounts, perform securely your instructions as well as inform you about new products and services.

On this website you will learn:

  • what data and for what purpose we process
  • who monitors correct processing of data in the Bank
  • to what entities data may be made available
  • what your rights and the Bank’s duties are
  • how to easily manage your marketing consents

Glossary of terms concerning data protection

Personal data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal data, such as collection, recording, storage, adaptation, alteration, disclosure or destruction of data.

Controller

A natural person or company which determines why and how your personal data will be processed.

Processor

A natural person, authority, institution or company which processes personal data on behalf of the controller.

Pseudonymisation

Processing of data in such a manner that the personal data can no longer be attributed to a specific data subject, for instance, use of a series of digits instead of name and surname.

Profiling

Automated processing of personal data whereby we can present you offers customised to your needs and capacity.

Principles of processing of personal data

General information on processing of personal data

Below you will find detailed principles of processing your personal data in Bank Millennium S.A. Among others, you will learn for what purposes and for how long the Bank processes or will process your personal data. You will get to know the categories of entities which may have access to your personal data, as well as what rights you may exercise in relation to processing of your personal data. The scope of the submitted information corresponds to the requirements stemming from the EU regulations on protection of personal data, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council, also referred to as the General Data Protection Regulation.

Who is controller of your data?

  • Within the services we offer, the controller of your data is Bank Millennium S.A. in Warsaw.
  • Supervision of correct processing of your data is exercised by Personal Data Inspector.
  • The information we are entrusted is properly secured and used exclusively for appropriate purposes.

    1. Controller of your personal data is Bank Millennium S.A. with Head Office in Warsaw:
      • address: ul. Stanisława Żaryna 2A, 02-593 Warsaw.
      • telephone: (+48) 801 331 331 or (+48) 22 598 40 40 – for calls from mobile phones and international calls,
      • e-mail: kontakt@bankmillennium.pl
    2. The Bank – as data controller – will spare no efforts in order to fulfil the requirements of the Regulation to the highest degree and, thus, to protect your personal data.
    3. Supervision of correct processing of personal data in the Bank is exercised by the Data Protection Officer, currently Maciej Nowicki (hereinafter referred to as: „Officer”):
      • address: Data Protection Officer, Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw.
      • e-mail: iod@bankmillennium.pl

      You may contact the Officer on all cases related to processing of your personal data and in case of doubts as to your rights.


For what purpose and how long will we process your personal data?

Your data are processed first of all in order to conclude and perform agreements with the Bank; the other purposes are listed below.

We do not store your data longer than necessary. Period of storage of personal data depends, for instance, on the duration of agreement.

Your data are processed exclusively for the purposes justified by the law. We regularly verify data bases and remove unnecessary information.

Below you can check out the purposes for which we process your data:

  • Conclusion, due performance, termination of agreements or other actions required for execution of the agreement concluded with you

    Explanation:
    This is about any actions taken in order to prepare for conclusion of the agreement, to execute agreement, analyse and assess credit capacity, review claims, terminate agreement, archive as well as perform other legal actions related to the agreement, as well as actions taken to conclude, through the Bank, agreements with other entities, for instance, insurance agreement.

    Legal basis:
    GDPR, Art. 6 section 1 letter b)

    Duration of data processing:

    • Until the end of the contract, and after that, for other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.
    • If the agreement is not concluded – until the application is reviewed and for 3 years for potential claims and complaints.

  • Fulfilment of the duties stemming from the law or performance of tasks carried out in the public interest

    Explanation:
    In this case the Bank processes personal data in order to fulfil the duties imposed by the virtue of the law or carry out tasks in the public interest. In particular, we talk here about fulfilment of the Bank’s duties in connection with conducting banking activity and execution of the concluded agreements, and for archiving purposes, as well as in connection with assessment of credit capacity and analysis of credit risk. Furthermore, such duties stem from, inter alia, Act on Counteracting Money Laundering and Terrorism Financing, Act on performance of the Agreement between the Government of the Republic of Poland and the Government of the United States of America on improvement of fulfilment of international tax obligations and implementation of FATCA, Act on Exchange of Tax Information with Other Countries, Act on Protection of Competition and Consumers, Act on Trading in Financial Instruments and security measures for funds.

    Legal basis:
    GDPR, Art. 6 section 1 letter c) and special provisions, which impose on the Bank the duties indicated in the explanations or Art. 6 section 1 letter e) of the Regulation.

    Duration of data processing:

    • For calculations related to statistical approaches for calculation of methods and models determined by the banking law - for a period of 12 years from the day of expiry of the obligation.
    • For processing information that constitutes bank secret in order to assess credit capacity and to analyse credit risk – after expiry of the obligation stemming from the agreement concluded with the Bank until the time of withdrawal of this consent.
    • In other cases – until the Bank has fulfilled the duties defined in specific regulations of the law or completed the tasks carried out in the public interest.

  • Marketing of the Bank’s products and services

    Explanation:
    This is about the Bank’s marketing, in particular, that carried out through communication, display or sending trade information by traditional mail or, in case of obtaining an appropriate consent, also through electronic or telephone communication devices. Marketing may be also carried out based on profiling which means processing for marketing purposes the information on Client’s characteristics, behaviour or preferences. Thanks to profiling, on the grounds of to-date relationship, the Bank may customise your trade offers to your interests and needs.

    Legal basis:
    GDPR, Art. 6 section 1 letter f)

    Duration of data processing:

    • Until objection is lodged against such processing, or until agreement with the Bank expires.

  • Execution of actions conducted on the grounds of consents granted

    Explanation:
    It is, for instance, marketing of products and services of the companies cooperating with the Bank; processing information that constitutes bank secret (also, in order to assess credit capacity and analyse credit risk) after expiry of the obligation. In each case, the consent obtained from you will indicate, inter alia, the purpose of data processing, which we intend to achieve based on this consent.

    Legal basis:
    GDPR, Art. 6 section 1 letter a)

    Duration of data processing:

    • Until the consents granted are withdrawn.

  • Communication or service delivery through the Bank’s websites and mobile application

    Explanation:
    Within the indicated purpose, we will process your data, also to enable communication or delivery of services through the Bank’s websites and mobile application. To this extent, inter alia identifiers, such as IP address of the device or geolocation information will be processed.

    Legal basis:
    GDPR, Art. 6 section 1 letter b) or Art. 6 section 1 letter f)

    Duration of data processing:

    • Period of communication or delivery of services, not later than until effective objection is lodged.
    • Until the end of the contract, and after that, for other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.

  • Other purposes pursued within so-called legitimate interests of a controller

    Explanation:
    Purposes pursued within so-called legitimate interest are connected to execution of the agreement concluded with you and these are the following:

    • ensuring security of the persons and the Bank’s assets, including monitoring of the Bank’s branches, preserving privacy and human dignity,
    • ensuring transaction security, in particular, prevention of frauds,
    • customisation of the marketing content of the Bank’s websites, depending on the behaviour of the viewers,
    • protection against claims and collection of receivables,
    • internal administrative, analytical and statistical purposes, including analyses of the credit portfolio, statistics and the internal reporting of the Bank and Bank’s Group.

    When assessing whether the indicated purposes are justified, we take into account inter alia the following:

    1. any connections between the purposes for which the personal data have been collected and the purposes of the intended further processing,
    2. context in which the personal data have been collected, in particular, relationship between the data subjects and the controller,
    3. nature of the personal data,
    4. potential consequences of the intended processing,
    5. existence of appropriate safeguards.

    Legal basis:
    GDPR, Art. 6 section 1 letter f)

    Duration of data processing:

    • Until fulfilment of the Bank’s legitimate interests that constitute the grounds for this processing or until an objection is lodged against such processing, no longer than for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.

The Bank guarantees that it will process your personal data exclusively for specific clear and legitimate purposes and it does not process them further in breach of these purposes. The purpose of data processing is the reason for which we process your personal data. If the Bank wants to process your personal data for other purposes – not indicated below – you will be informed about this new purpose in a separate communication. The sections below present the purposes of data processing. Each of the below purposes has been thoroughly evaluated by the Bank in terms of their compliance with the provisions of the Regulation and provisions regulating activity of the Bank. Each time, the below information indicates the purpose of data processing and appropriate legal grounds. Your personal data will be stored for a period suitable for execution of the indicated purposes.

Where do we collect your personal data?

  • Most frequently, we receive the data directly from you.
  • Other information comes to us from other banks, KRS registers, BIK or public institutions.
  • All the data sources are carefully verified.

    The Bank processes your personal data obtained directly from you (for instance, data submitted in forms), as well as the data obtained lawfully from other sources and on the grounds of agreements with partners. These other sources may be, inter alia, public sources, for instance, KRS registers, CEIDG and sources of limited access, for instance, BIK, BIG. In each of the cases, the Bank verifies meticulously whether it has legal grounds for processing of personal data.

What categories of your personal data do we process?

  • Basic data, which we process, are personal, contact and identification data.
  • We also use online data (for instance, location or web browser history) based on the so-called cookies.
  • Importantly, type of processed data depends also on the relationship with the Bank.

    Depending on the relationship between you and the Bank, the Bank may process, in particular, the following categories of personal data obtained from you or third persons:

    • personal data (for instance, name and surname, domicile address),
    • contact data (for instance, phone number, correspondence address),
    • identification data (for instance, id number, PESEL),
    • socio-demographic data (for instance, nationality, form of employment),
    • financial data (for instance, account balance, source of income),
    • transaction data (for instance, details concerning payments made to and from the account),
    • contract data (for instance, details of the concluded agreements),
    • behavioural data (for instance, data on the products or services held and their utilisation),
    • communication data (for instance, the data from the communication conducted with you),
    • audio-visual data (for instance, data related to recording of conversations or image for security and evidence purposes),
    • data concerning family, legal and financial ties (for instance, information necessary for execution of deposit order in the event of death),
    • data publicly available or obtained from third parties (for instance, data obtained from CEIDG, BIK),
    • technical data (for instance, data of the device on which you use mobile application),
    • location data (for instance, location data of the place where transaction is performed in mobile application),
    • web browser history data (for instance, data necessary for maintaining proper exchange of information between the server and browser when using Millenet).

To whom your data may be disclosed?

Authorised employees of the Bank

Public authorities and institutions authorised to demand such access

Entities that cooperate with the Bank, for instance, couriers or payment card producers

    Access to your personal data – inside the Bank’s organisational structure – will be available exclusively to employees authorised by the Bank and only to the extent necessary. In some situations your personal data may be disclosed by the Bank to recipients outside the Bank’s structure. In such situation the Bank always examines thoroughly the legal grounds for disclosure of personal data. Importantly, the recipient of the data in the understanding of the Regulation is both the entity which processes personal data on behalf of the Bank and the entity to which the data are made available for its own purposes (for instance, public administration authorities).

    Recipients of your personal data may be:

    1. public authorities, institutions or third parties authorised to demand access or receive personal data on the grounds of the law, for instance, Polish Financial Supervision Authority, Ministry of Finance, General Inspector of Financial Information, Tax Office, Bank arbiter,
    2. entities, to which the Bank entrusted processing of personal data on the grounds of the concluded agreements, for instance, parcel delivery services, producers of payment cards, photo inspection providers, mass printing providers, IT suppliers and other service providers processing data on behalf of the Bank,
    3. banks, financial or credit institutions, or other institutions, which may receive personal data in connection with execution of economic relations between the Bank and you (for instance, banks intermediating in execution of international transfers) and on the grounds of appropriate laws, for instance, BIK, Centrum Prawa Bankowego i Informacji Sp. z o.o., economic information bureaus (KRD, ERIF, BIG),
    4. clearing chambers, other clearing entities, for instance, KIR, Swift,
    5. card organisations, for instance, VISA, MasterCard – if data are transferred out of the European Economic Area, we apply appropriate safeguards in the form of binding corporate rules,
    6. telecommunication services providers,
    7. entities providing advisory and inspection services, for instance, audit companies,
    8. processors processing the data for recovery of receivables or legal representation, for instance, law firms,
    9. insurance companies,
    10. entities, for which you expressed your consent for making available and processing your personal data,
    11. entities operating with the Bank’s Group or entities from the capital group responsible for execution of contractual obligations and obligations stemming from the law,
    12. detailed list of recipients can be downloaded here

What are your rights?

  • You have the right to access your personal data, edit them, limit the processing of your personal data and many more.
  • Remember that in some cases, when you’re entering an agreement some details may be required in order to sign it.
  • You can manage the use of your data in any Bank branch, TeleMillennium careline and Millenet online banking system.

    1. Detailed Information on your rights:
      • a) you are entitled to access your personal data, and also to get a copy of the data,
      • b) if you find that your personal data processed by the Bank are not correct, you are entitled to rectify or supplement the data,
      • c) you are entitled to demand removal of your personal data in cases stipulated by the law,
      • d) you are entitled to lodge a demand to limit processing of your personal data,
      • e) you are entitled to lodge an objection against processing of your personal data in case of data processing to pursue legitimate interest of the Bank. In order to exercise this right, you may lodge your demand to cease processing of your personal data for the Bank’s direct marketing (this objection makes it impossible to receive, through available contact channels, any marketing materials on offers of the Bank as well as Partners and Companies from the Bank’s Group) or/and profiling your data in order to provide customised offers and commercial information,
      • f) you are also entitled to receive from the Bank your personal data in a structured format and to transfer your personal data to another controller. In case of data transfer, due to other laws, for instance, the banking law, your or other person’s consent, or fulfilment of other conditions required by these regulations may be necessary,
      • g) you are entitled not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects for you or otherwise exerts material influence on you, unless such decision is necessary for performance of the agreement, it is allowed by the law or you have previously expressed your clear consent thereto,
      • h) in the cases where data processing is performed on the grounds of the consent granted, you are entitled to withdraw your consents for individual purposes of processing at any time. You may withdraw your consent at any branch of the Bank, via the TeleMillennium infoline (801 331 331 – available only from domestic networks; (+48) 22 598 40 40 – also available for international calls) or in Millenet (Settings/Consent management). Withdrawal of the consent does not affect the lawfulness of the processing performed up to the consent withdrawal.
    2. If you conclude agreement or transaction, submission of personal data is required for their execution.
    3. If you want to file Application for execution of the above rights, you may do so:
      • personally at any branch of the Bank – for the list of branches visit https://www.bankmillennium.pl/o-banku/oddzialy-i-bankomaty
      • if you are a Client you can apply:
        - in Millenet, at Settings > Personal data > Applications on personal data (for items 1 a, c, f) and in the Contact section (for items 1 d, e, g)
        - over the phone, at TeleMillennium careline: 801 331 331
        - by correspondence - sending a letter to the following address: Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw
    4. The Bank is obliged to provide the information you are applying for within a month from receiving your application. If the demand is of a complex nature or the number of demands is high, the Bank has the right to extend the deadline for review of the application by two additional months, of which the Bank will inform you within a month from receiving your application. The maximum delivery time cannot be longer than 3 months from the date of receiving the application.
    5. The Bank’s taking of the actions indicated in the Application and issuance of the first copy of data is free of charge. However, if the demand is manifestly unfounded or excessive, in particular because of its repetitive character, the Bank may:
      • charge a reasonable fee, as per the Price List,
      • refuse to act on the request providing justification.
    6. Should you find that processing of your personal data by the Bank infringes upon the provisions of the Regulation, you are entitled to lodge a complaint with the supervisory authority. As of 25th of May 2018 this will be the Chairman of the Office for Protection of Personal Data.

What is profiling?
Profiling allows us to use your data in a selective way, offering you products that are suited to your current or future needs.

What does automated decision making mean?
Automated decision making – based on profiling – is used in order to evaluate risk levels (when assessing your credit score, credit reliability, risk of money laundering or financing terrorism).


    If you are bound with the Bank by an agreement or if actions have been taken to conclude such agreement, processing of your personal data may be automated. It may result in automated decision taking, including decisions based on profiling. It concerns, in particular, the following cases:

    • assessment of credit capacity and creditworthiness for the purpose of concluding agreement with the Bank, where this assessment is performed on the grounds of Client’s application with use of the data contained therein, data from the Bank’s internal databases and external databases (BIK, BIG, databases kept by ZBP etc.); such profiling may result in credit refusal,
    • assessment of risk of money laundering and risk of financing terrorism, where this assessment is performed on the grounds of the data declared in the documents submitted when placing the order or instruction to perform transaction, or when concluding agreement, based on the set criteria (economic, geographic, behavioural criteria). The assessment is followed by automatic risk classification, where classification to unacceptable risk group may result in automatic blockade and failure to open a relationship.

Principles of protection of privacy

The Bank offers its Clients secure operations. All information submitted by our Clients is protected with use of state-of-the-art technologies, in accordance with applicable legal standards, security requirements and principles of confidentiality. The Bank actively develops its Client privacy and security protection systems implementing new organisational and technical safeguards. The Bank informs its Clients about changes in the applied principles of protection of data confidentiality through its website or another communication channel agreed with the Client.

Cookie files

Bank Millennium website uses cookie files saved in the memory of the internet browser. In the majority of cases it is necessary for correct operation of the website. Cookies support development of personalised web services, which enables users to decide, for instance, about the sequence of displaying some of the components. Cookie files are also used by tools analysing website traffic. Statistical analyses conducted with use of these tools are one of the sources of quality improvement of Bank Millennium website.


    Bank Millennium website uses, inter alia, the following types of cookie files:

    • statistical cookie files, which support collection of information on the use of the Bank’s website,
    • advertising cookie files, which support delivery of content that is better adjusted to user interests,
    • security cookie files, such as cookies used for fraud detection, for instance, in website authentication;
    • functional cookie files supporting „saving” the settings selected by user and personalisation of user interface as regards, for instance, selected language or region from which the user comes, font size, website display.

    Below please find a list of examples of application of cookie files by Bank Millennium website:

    • improvement in security level,
    • keeping the user session in applications, forms, questionnaires and the transaction system (cookie files used for user session identification in Millenet). They help improve security by ensuring that all calls to the server come from the Client’s computer: on the server, the cookies and the IP address of the computer from which the user is connecting are validated, and if an attempt is made to hijack the user’s session from another computer, the session is interrupted,
    • reporting traffic sources,
    • assessment of effectiveness of promotional actions,
    • Google advertisements – for better adjustment of advertisements to users’ preferences, Bank Millennium uses cookie files which collect only basic information about users’ behaviour on the Bank’s website and their interests. All the information is anonymous and its purpose is the best customisation, to the user’s preferences, of the advertisements displayed in the Google search engine as well as on other websites, with such tools as, for instance, Google AdWords and DoubleClick. At any time, the user may opt out of Google advertising cookies in the Google ads settings (www.google.pl/settings/ads),
    • analysis with use of Google Analytics – in order to better understand users’ intentions, Bank Millennium uses Google cookie files which anonymously collect only basic information on the user’s activity on the Bank’s portal and are used to report traffic, to analyse users’ behaviour on the website and to assess the effectiveness of promotional actions.

Switching off cookies

As standard, the majority of internet browsers available on the market accept saving of cookies by default. Everybody may define the conditions for use of these files in the settings of his or her web browser. It means that you may, for instance, partially limit (for instance, temporarily) or fully turn off the capacity to save cookie files – in this last case, however, it may impact some other functionalities: for instance, logging in to Millenet will not be supported, nor will you be able to use some applications, including account applications.

You may also, at any time, delete the cookie files saved in the browser. For detailed information on changes in the cookies settings and deletion in the most popular web browsers, go to the help section of your web browser or visit the following websites:

Documents