The new regulations on protection of personal data, commonly known as GDPR, come into force on the 25th of May 2018. The main objective of GDPR is unification of the principles of processing of personal data in the entire European Union. Bank Millennium processes your data, inter alia, in order to conclude agreements, keep bank accounts, securely perform your instructions as well as inform you about new products and services.
Glossary of terms concerning data protection
Any information relating to an identified or identifiable natural person.
An operation performed on personal data, such as collection, recording, storage, adaptation, alteration, disclosure or destruction of data.
A natural person or company which determines why and how your personal data will be processed.
A company which processes personal data on behalf of the controller.
Processing of data in such a manner that the personal data can no longer be attributed to a specific data subject, for instance, use of series of digits instead of name and surname.
Automated processing of personal data whereby we can present you offers customised to your needs and capacity.
Principles of processing of personal data
Who is the controller of your data?
General information on processing of personal data
Below you will find detailed principles of processing your personal data in Bank Millennium S.A. Among others, you will learn for what purposes and how long the Bank processes or will process your personal data. You will get to know the categories of entities which may have access to your personal data, as well as what rights you may exercise in relation to processing your personal data. The scope of the submitted information corresponds to the requirements stemming from the EU regulations on protection of personal data, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council, also referred to as the General Data Protection Regulation.
- Controller of your personal data is Bank Millennium S.A. with Head Office in Warsaw:
- address: ul. Stanisława Żaryna 2A, 02-593 Warsaw
- telephone: (+48) 801 331 331 or (+48) 22 598 40 40 – for calls from mobile phones and international calls
- e-mail: firstname.lastname@example.org
- The Bank – as data controller – will spare no efforts in order to fulfil the requirements of the Regulation to the highest degree and, thus, to protect your personal data.
- Supervision of correct processing of personal data in the Bank is exercised by the Data Protection Officer, currently Karolina Gałęzowska (hereinafter referred to as: „Officer”):
- address: Data Protection Officer, Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw
- e-mail: email@example.com
For what purpose and how long will we process your personal data?
Your data are processed first of all in order to conclude and perform agreements with the Bank. Expand the section to check out other purposes.
We do not store your data longer than necessary. Period of storage of personal data depends, for instance, on the duration of agreement.
Your data are processed exclusively for the purposes justified by the law. We regularly verify data bases and remove unnecessary information.
Below you can check out the purposes for which we process your data:
This is about any actions taken in order to prepare for conclusion of the agreement, to execute agreement, analyse and assess credit capacity, review claims, terminate agreement, archive as well as perform other legal actions related to the agreement, as well as actions taken to conclude, through the Bank, agreements with other entities, for instance, insurance agreement.
Regulation, Art. 6 section 1 letter b)
Duration of data processing:
- Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened
- If the agreement is not concluded – until the application is reviewed and for 3 years for potential claims and complaints.
In this case the Bank processes personal data in order to fulfil the duties imposed by the virtue of the law or carry out tasks in the public interest. In particular, we talk here about fulfilment of the Bank’s duties in connection with conducting banking activity and execution of the concluded agreements, and for archiving purposes, as well as in connection with assessment of credit capacity and analysis of credit risk. Furthermore, such duties stem from, inter alia, Act on Counteracting Money Laundering and Terrorism Financing, Act on performance of the Agreement between the Government of the Republic of Poland and the Government of the United States of America on improvement of fulfilment of international tax obligations and implementation of FATCA, Act on Exchange of Tax Information with Other Countries, Act on Protection of Competition and Consumers, Act on Trading in Financial Instruments and security measures for funds.
GDPR, Art. 6 section 1 letter c) and special provisions, which impose on the Bank the duties indicated in the explanations or Art. 6 section 1 letter e) of the Regulation.
Duration of data processing:
- For calculations related to statistical approaches for calculation of methods and models determined by the banking law - for a period of 12 years from the day of expiry of the obligation.
- For processing information that constitutes bank secret in order to assess credit capacity and to analyse credit risk – after expiry of the obligation stemming from the agreement concluded with the Bank until the time of withdrawal of this consent.
- In other cases – until the Bank has fulfilled the duties defined in specific regulations of the law or completed the tasks carried out in the public interest.
This is about the Bank’s marketing, in particular, that carried out through communication, display or sending trade information by traditional mail or, in case of obtaining an appropriate consent, also through electronic or telephone communication devices. Marketing may also be carried out based on profiling, which means processing for marketing purposes the information on Client’s characteristics, behaviour or preferences. Thanks to profiling, on the grounds of the to-date relationship, the Bank may customise its trade offers to your interests and needs.
GDPR, Art. 6 section 1 letter f)
Duration of data processing:
Until objection is lodged against such processing, or until agreement with the Bank expires.
It is, for instance, marketing of products and services of the companies cooperating with the Bank; processing information that constitutes bank secret (also, in order to assess credit capacity and analyse credit risk) after expiry of the obligation. In each case, the consent obtained from you will indicate, inter alia, the purpose of data processing, which we intend to achieve based on this consent.
GDPR, Art. 6 section 1 letter a)
Duration of data processing:
Until the consents granted are withdrawn.
Within the indicated purpose, we will process your data, also to enable communication or delivery of services through the Bank’s websites and mobile application. To this extent, inter alia identifiers, such as IP address of the device or geolocation information will be processed.
GDPR, Art. 6 section 1 letter b) or Art. 6 section 1 letter f)
Duration of data processing:
- Period of communication or delivery of services, not later than until effective objection is lodged.
- Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.
Purposes pursued within so-called legitimate interest are connected to execution of the agreement concluded with you and these are the following:
- ensuring security of the persons and the Bank’s assets, including monitoring of the Bank’s branches, preserving privacy and human dignity,
- ensuring transaction security, in particular, prevention of frauds,
- customisation of the marketing content of the Bank’s websites, depending on the behaviour of the viewers,
- protection against claims and collection of receivables,
- internal administrative, analytical and statistical purposes, including analyses of the credit portfolio, statistics and the internal reporting of the Bank and Bank’s Group.
When assessing whether the indicated purposes are justified, we take into account inter alia the following:
- any connections between the purposes for which the personal data have been collected and the purposes of the intended further processing,
- context in which the personal data have been collected, in particular, relationship between the data subjects and the controller,
- nature of the personal data,
- potential consequences of the intended processing,
- existence of appropriate safeguards.
GDPR, Art. 6 section 1 letter f)
Duration of data processing:
Until fulfilment of the Bank’s legitimate interests that constitute the grounds for this processing or until an objection is lodged against such processing, no longer than for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.
The Bank guarantees that it will process your personal data exclusively for specific clear and legitimate purposes and it does not process them further in breach of these purposes. The purpose of data processing is the reason for which we process your personal data. If the Bank wants to process your personal data for other purposes – not indicated below – you will be informed about this new purpose in a separate communication. The sections below present the purposes of data processing. Each of the below purposes has been thoroughly evaluated by the Bank in terms of their compliance with the provisions of the Regulation and provisions regulating activity of the Bank. Each time, the below information indicates the purpose of data processing and appropriate legal grounds. Your personal data will be stored for a period suitable for execution of the indicated purposes.
Where do we collect your personal data?
- Most frequently, we receive the data directly from you.
- Other information comes to us from other banks, KRS registers, BIK or public institutions.
- All the data sources are carefully verified.
The Bank processes your personal data obtained directly from you (for instance, data submitted in forms), as well as the data obtained lawfully from other sources and on the grounds of agreements with partners. These other sources may be, inter alia, public sources, for instance, KRS registers, CEIDG and sources of limited access, for instance, BIK, BIG. In each of the cases, the Bank verifies meticulously whether it has legal grounds for processing of personal data.
What categories of your personal data do we process?
- Basic data, which we process, are personal, contact and identification data.
- We also use online data (for instance, location or web browser history) based on the so-called cookies.
- Importantly, type of processed data depends also on the relationship with the Bank.
Depending on the relationship between you and the Bank, the Bank may process, in particular, the following categories of personal data obtained from you or third persons:
- personal data (for instance, name and surname, domicile address)
- contact data (for instance, phone number, correspondence address)
- identification data (for instance, id number, PESEL)
- sociodemographic data (for instance, nationality, form of employment)
- financial data (for instance, account balance, source of income)
- transaction data (for instance, details concerning payments made to and from the account)
- contract data (for instance, details of the concluded agreements)
- behavioural data (for instance, data of the products or services, and their utilisation)
- communication data (for instance, the data from the communication conducted with you)
- audiovisual data (for instance, data related to recording conversations or image for security and evidence purposes)
- data concerning family, legal and financial ties (for instance, information necessary for execution of deposit order in the event of death)
- data publicly available or obtained from third parties (for instance, data obtained from CEIDG, BIK)
- technical data (for instance, data of the device on which you use mobile application)
- location data (for instance, location data of the place where transaction is performed in mobile application)
- web browser history data (for instance, data necessary for maintaining proper exchange of information between the server and browser when using Millenet)
To whom may your data be disclosed?
Authorised employees of the Bank
Public authorities and institutions authorised to demand such access
Entities that cooperate with the Bank, for instance, couriers or payment card producers
Access to your personal data – inside the Bank’s organisational structure – will be available exclusively to employees authorised by the Bank and only to the extent necessary. In some situations your personal data may be disclosed by the Bank to recipients outside the Bank’s structure. In such situation the Bank always examines thoroughly the legal grounds for disclosure of personal data. Importantly, the recipient of the data in the understanding of the Regulation is both the entity which processes personal data on behalf of the Bank and the entity to which the data are made available for its own purposes (for instance, public administration authorities).
Recipients of your personal data may be:
- public authorities, institutions or third parties authorised to demand access or receive personal data on the grounds of the law, for instance, Polish Financial Supervision Authority, Ministry of Finance, General Inspector of Financial Information, tax office, bank arbiter
- entities to which the Bank entrusted processing of personal data on the grounds of the concluded agreements, for instance, parcel delivery services, producers of payment cards, photo inspection providers, mass printing providers, IT suppliers and other service providers processing data on behalf of the Bank
- banks, financial or credit institutions, or other institutions, which may receive personal data in connection with execution of economic relations between the Bank and you (for instance, banks intermediating in execution of international transfers) and on the grounds of appropriate laws, for instance, BIK, Centrum Prawa Bankowego i Informacji Sp. z o.o., economic information bureaus (KRD, ERIF, BIG)
- clearing chambers, other clearing entities, for instance, KIR, Swift
- card organisations, for instance, VISA, MasterCard – if data are transferred out of the European Economic Area, we apply appropriate safeguards in the form of binding corporate rules
- telecommunication services providers
- entities providing advisory and inspection services, for instance, audit companies
- processors processing the data for recovery of receivables or legal representation, for instance, law firms, insurance companies
- insurance companies
- entities, for which you expressed your consent for making available and processing your personal data
- entities operating with the Bank’s Group or entities from the capital group responsible for execution of contractual obligations and obligations stemming from the law
- detailed list of recipients can be downloaded here
What are your rights?
- You have the right to access your personal data, edit them, limit the processing of your personal data and many more.
- Remember that in some cases, when you’re entering an agreement some details may be required in order to sign it.
- You can manage the use of your data in any Bank branch, TeleMillennium careline and Millenet online banking system.
- Detailed Information on your rights:
- a) you are entitled to access your personal data, and also to get a copy of the data
- b) if you find that your personal data processed by the Bank are not correct, you are entitled to rectify or supplement the data
- c) you are entitled to demand removal of your personal data in cases stipulated by the law
- d) you are entitled to lodge a demand to limit processing of your personal data
- e) you are entitled to lodge an objection against processing of your personal data in case of data processing to pursue legitimate interest of the Bank. In order to exercise this right, you may lodge your demand to cease processing of your personal data for the Bank’s direct marketing (this objection makes it impossible to receive, through available contact channels, any marketing materials on offers of the Bank as well as Partners and Companies from the Bank’s Group) or/and profiling your data in order to provide customised offers and commercial information
- f) you are also entitled to receive from the Bank your personal data in a structured format and to transfer your personal data to another controller. In case of data transfer, due to other laws, for instance, the banking law, your or other person’s consent, or fulfilment of other conditions required by these regulations may be necessary
- g) you are entitled not to be subject to a decision based exclusively on automated processing, including profiling, which produces legal effects for you or otherwise exerts material influence on you, unless such decision is necessary for performance of the agreement, it is allowed by the law or you have previously expressed your clear consent thereto
- h) in those cases when data processing is performed on the grounds of the consent granted, you are entitled to withdraw your consents for individual purposes of processing, at any time. You may withdraw your consent at any branch of the Bank, at TeleMillennium infoline (801 331 331 – number available only for telephones from domestic networks, (+48) 22 598 40 40 – number available also for international calls), in Millenet (Settings/Consent management). Withdrawal of the consent does not affect legal compliance of the processing performed up to the consent withdrawal
- If you conclude agreement or transaction, submission of personal data is required for their execution.
- If you want to file Application for execution of the above rights, you may do so:
- personally at any branch of the Bank – for the list of branches visit https://www.bankmillennium.pl/about-the-bank/branches-and-atms
- if you are a Client you can apply:
- in Millenet, at Settings > Personal data > Applications on personal data (re. items point 1: a, c, f) and in Contact section (re. items point 1: d, e, g)
- over the phone, at TeleMillennium careline: 801 331 331
- by correspondence - sending a letter to the following address: Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw
- The Bank is obliged to provide the information you are applying for within a month from receiving your application. If the demand is of complex nature or number of demands is high, the Bank has the right to extend the deadline for review of the application by two additional months, whereof the Bank will inform you earlier within a month from receiving your application. The maximum delivery time cannot be longer than 3 months from the date of receiving the application.
- The Bank’s taking actions indicated in the Application and issuance of the first copy of data is free of charge. However, if the demand is manifestly unfounded or excessive, in particular because of its repetitive character, the Bank may:
- charge a reasonable fee, as per the Price List
- refuse to act on the request providing justification
- Should you find that processing of your personal data by the Bank infringes upon the provisions of the Regulation, you are entitled to lodge a complaint to the supervisory organ. As of 25th of May 2018 this will be Chairman of the Office for Protection of Personal Data.
What is profiling?
Profiling allows us to use your data in a selective way, offering you products that are suited to your current or future needs.
What does automated decision making mean?
Automated decision making – based on profiling – is used in order to evaluate risk levels (when assessing your credit score, credit reliability, risk of money laundering or financing terrorism).
If you are bound with the Bank by an agreement or if actions have been taken to conclude such agreement, processing of your personal data may be automated. It may result in automated decision taking, including decisions based on profiling. It concerns, in particular, the following cases:
- assessment of credit capacity and creditworthiness for the purpose of concluding agreement with the Bank, where this assessment is performed on the grounds of Client’s application with use of the data contained therein, data from the Bank’s internal databases and external databases (BIK, BIG, databases kept by ZBP etc.); such profiling may result in credit refusal
- assessment of risk of money laundering and risk of financing terrorism, where this assessment is performed on the grounds of the data declared in the documents submitted when placing the order or instruction to perform transaction, or when concluding agreement, based on the set criteria (economic, geographic, behavioural criteria). The assessment is followed by automatic risk classification, where classification to unacceptable risk group may result in automatic blockade and failure to open a relationship
Principles of protection of privacy
The Bank offers its Clients secure operations. All information submitted by our Clients is protected with use of state-of-the-art technologies, in accordance with applicable legal standards, security requirements and principles of confidentiality. The Bank actively develops its Client privacy and security protection systems implementing new organisational and technical safeguards. The Bank informs its Clients about changes in the applied principles of protection of data confidentiality through its website or another communication channel agreed with the Client.
Bank Millennium website uses cookie files saved in the memory of the internet browser. In the majority of cases it is necessary for correct operation of the website. Cookies support development of personalised web services, which enables users to decide, for instance, about the sequence of displaying some of the components. Cookie files are also used by tools analysing website traffic. Statistical analyses conducted with use of these tools are one of the sources of quality improvement of Bank Millennium website.
Bank Millennium website uses, inter alia, the following types of cookie files:
- statistical cookie files, which support collection of information on the use of the Bank’s website
- advertising cookie files, which support delivery of content that is better adjusted to user interests
- security cookie files, such as cookies used for fraud detection, for instance, in website authentication
- functional cookie files supporting „saving” the settings selected by user and personalisation of user interface as regards, for instance, selected language or region from which the user comes, font size, website display
Below please find a list of examples of application of cookie files by Bank Millennium website:
- improvement in security level
- keeping user session in applications, forms, questionnaires and transaction system (cookie files used for user session identification in Millenet). They improve security by ensuring that all calls to the server come from the Client’s computer. The server validates the cookies and the IP address of the computer from which the user is connecting. In case of an attempt to hijack the user’s session from another computer, the session will be interrupted
- reporting traffic sources
- assessment of effectiveness of promotional actions,
- Google advertisements – for better adjustment of advertisements to the users’ preferences, Bank Millennium uses cookie files, which collect only basic information about users’ behaviour on the Bank’s website and their interests. All the information is anonymous and its purpose is the best customisation of the advertisements displayed in Google search engine as well as on other websites to user’s preferences with such tools as, for instance, Google AdWords and DoubleClick. At any time, the user may opt out of Google advertising cookies in the advertisement settings (www.google.pl/settings/ads)
- Facebook ads - in order to better target ads, tailor the message to a specific group of users and measure the effectiveness of advertising campaigns conducted on Facebook, Bank Millennium uses Facebook cookies, which are used to present ads, recommend offers and products to people who may be interested in them. The user can adjust the displayed ads to his preferences at any time (https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen)
- analysis using technologies similar to cookies – in order to better understand user behavior and optimize website functioning, Bank Millennium may anonymously collect and process information about user activity on the Bank's websites, including application forms, even if they have not been sent. As a result, Bank Millennium can provide users with better designed and more intuitive solutions
- Analysis with use of Google Analytics – in order to better understand users’ intentions, Bank Millennium uses Google cookie files which anonymously collect only basic information on the user’s activity on the Bank’s portal and are used to report traffic, to analyse users’ behaviour on the website and to assess effectiveness of promotional actions
Information on processing personal data in Bank Millennium S.A. (for former customers of Millennium Dom Maklerski S.A., who are currently not a party to the agreement with the Bank and for proxies of the above clients)
Information on personal data processing at Bank Millennium SA (for limited debtors, persons indicated in a bequest prepared in case of death, heirs, persons claiming funeral expenses and persons executing a power of attorney for a single act)
Information on personal data processing in Bank Millennium SA (persons enquiring about accounts in other banks and persons for whom the Bank verifies the fact of their having accounts in other banks)
Information on personal data processing in Bank Millennium SA (for entrusting party or its representatives in connection with a housing escrow account agreement between the Bank and the trustee)
Information on personal data processing in Bank Millennium SA (persons whose liabilities the Bank purchased or secured or in favour of whom the Bank repays purchased receivables)
Information on personal data processing in Bank Millennium SA (persons contacting the Bank through contact form on the Bank’s web site and persons submitting complaint, who are not customers of the Bank)
Information on personal data processing in Bank Millennium SA (Bank counterparties who are natural persons not performing business activities, sole traders or partners in civil law partnerships and their proxies)
Information regarding personal data processing at Bank Millennium S.A. (for natural persons who are not Clients of Bank Millennium, who place at the Bank branch cash deposit orders to the accounts in Bank Millennium or other banks or order cash withdrawals from Bank Millennium accounts) – in Polish