1. Controller of your personal data is Bank Millennium S.A. with Head Office in Warsaw:
   • address: ul. Stanisława Żaryna 2A, 02-593 Warsaw
   • telephone: (+48) 801 331 331 or (+48) 22 598 40 40 – for calls from mobile phones and international calls
   • e-mail: kontakt@bankmillennium.pl
2. Bank – as data controller – will spare no efforts in order to fulfil the requirements of the Regulation to the highest degree and, thus, to protect of your personal data.
3. Supervision of correct processing of personal data in the Bank is exercised by the Data Protection Officer, currently Aleksandra Bereda (hereinafter referred to as: „Officer”):
   • address: Data Protection Officer, Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw
   • e-mail: iod@bankmillennium.pl

You may contact the Officer on all cases related to processing of your personal data and in case of doubts as to your rights.

Explanation:
This is about any actions taken in order to prepare for conclusion of the agreement, to execute agreement, analyse and assess credit capacity, review claims, terminate agreement, archive as well as perform other legal actions related to the agreement, as well as actions taken to conclude, through the Bank, agreements with other entities, for instance, insurance agreement.

Legal basis:
Rozporządzenie, art. 6 ust. 1 lit. b)

Duration of data processing:

• Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened
• If agreement is not concluded- until the application is reviewed and for 3 years for potential claims and complaints.

Explanation:
In this case the Bank processes personal data in order to fulfil the duties imposed by the virtue of the law or carry out tasks in the public interest. In particular, we talk here about fulfilment of the Bank’s duties in connection with conducting banking activity and execution of the concluded agreements, and for archiving purposes, as well as in connection with assessment of credit capacity and analysis of credit risk. Furthermore, such duties stem from, inter alia, Act on Counteracting Money Laundering and Terrorism Financing, Act on performance of the Agreement between the Government of the Republic of Poland and the Government of the United States of America on improvement of fulfilment of international tax obligations and implementation of FATCA, Act on Exchange of Tax Information with Other Countries, Act on Protection of Competition and Consumers, Act on Trading in Financial Instruments and security measures for funds.

Legal basis:
GDPR, Art. 6 section 1 letter c) and special provisions, which impose on the Bank the duties indicated in the explanations or Art. 6 section 1 letter e) of the Regulation.

Duration of data processing:

• For calculations related to statistical approaches for calculation of methods and models determined by the banking law - for a period of 12 years from the day of expiry of the obligation.
• For processing information that constitutes bank secret in order to assess credit capacity and to analyse credit risk – after expiry of the obligation stemming from the agreement concluded with the Bank until the time of withdrawal of this consent.
• In other cases – until the Bank has fulfilled the duties defined in specific regulations of the law or completed the tasks carried out in the public interest.

Explanation:
This is about the Bank’s marketing, in particular, that carried out through communication, display or sending trade information by traditional mail or, in case of obtaining an appropriate consent, also through electronic or telephone communication devices. Marketing may be also carried out based on profiling which means processing for marketing purposes the information on Client’s characteristics, behaviour or preferences. Thanks to profiling, on the grounds of to-date relationship, the Bank may customise your trade offers to your interests and need.

Legal basis:
GDPR, Art. 6 section 1 letter f)

Duration of data processing:
Until objection is lodged against such processing, or until agreement with the Bank expires.

Explanation:
It is, for instance, marketing of products and services of the companies cooperating with the Bank; processing information that constitutes bank secret (also, in order to assess credit capacity and analyse credit risk) after expiry of the obligation. In each case, the consent obtained from you will indicate, inter alia, the purpose of data processing, which we intend to achieve based on this consent.

Legal basis:
GDPR, Art. 6 section 1 letter a)

Duration of data processing::
Until the consents granted are withdrawn.

Explanation:
Within the indicated purpose, we will process your data, also to enable communication or delivery of services through the Bank’s websites and mobile application. To this extent, inter alia identifiers, such as IP address of the device or geolocation information will be processed.

Legal basis:
GDPR, Art. 6 section 1 letter b) or Art. 6 section 1 letter f)

Duration of data processing:

• Period of communication or delivery of services, not later than until effective objection is lodged.
• Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.

Explanation:
Purposes pursued within so-called legitimate interest are connected to execution of the agreement concluded with you and these are the following:

• ensuring security of the persons and the Bank’s assets, including monitoring of the Bank’s branches, preserving privacy and human dignity,
• ensuring transaction security, in particular, prevention of frauds,
• customisation of the marketing content of the Bank’s websites, depending on the behaviour of the viewers,
• protection against claims and collection of receivables,
• internal administrative, analytical and statistical purposes, including analyses of the credit portfolio, statistics and the internal reporting of the Bank and Bank’s Group.

When assessing whether the indicated purposes are justified, we take into account inter alia the following:

1. any connections between the purposes for which the personal data have been collected and the purposes of the intended further processing,
2. context in which the personal data have been collected, in particular, relationship between the data subjects and the controller,
3. nature of the personal data,
4. potential consequences of the intended processing,
5. existence of appropriate safeguards.

Legal basis:
GDPR, Art. 6 section 1 letter f)

Duration of data processing:
Until fulfilment of the Bank’s legitimate interests that constitute the grounds for this processing or until an objection is lodged against such processing, no longer than for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.

Depending on the relationship between you and the Bank, the Bank may process, in particular, the following categories of personal data obtained from you or third persons:

• personal data (for instance, name and surname, domicile address)
• contact data (for instance, phone number, correspondence address)
• identification data (for instance, id number, PESEL)
• sociodemographic data (for instance, nationality, form of employment)
• financial data (for instance, account balance, source of income)
• transaction data (for instance, details concerning payments made to and from the account)
• contact data (for instance, details of the concluded agreements)
• behavioural data (for instance, data of the products or services, and their utilisation)
• communication data (for instance, the data from the communication conducted with you)
• audiovisual data (for instance, data related to recoding conversations or image for security and evidence purposes),
• data concerning family, legal and financial ties (for instance, information necessary for execution of deposit order in the event of death)
• data publicly available or obtained from third parties (for instance, data obtained from CEIDG, BIK)
• technical data (for instance, data of the device on which you use mobile application)
• location data (for instance, location data of the place where transaction is performed in mobile application)
• web browser history data (for instance, data necessary for maintaining proper exchange of information between the server and browser when using Millenet)

Access to your personal data – inside the Bank’s organisational structure – will be available exclusively to employees authorised by the Bank and only to the extent necessary. In some situations your personal data may be disclosed by the Bank to recipients outside the Bank’s structure. In such situation the Bank always examines thoroughly the legal grounds for disclosure of personal data. Importantly, the recipient of the data in the understanding of the Regulation is both the entity which processes personal data on behalf of the Bank and the entity to which the data are made available for its own purposes (for instance, public administration authorities).

Recipients of your personal data may be:

1. public authorities, institutions or third parties authorised to demand access or receive personal data on the grounds of the law, for instance, Polish Financial Supervision Authority, Ministry of Finance, General Inspector of Financial Information, tax office, bank arbiter
2. bentities, to which the Bank entrusted processing of personal data on the grounds of the concluded agreements, for instance, parcel delivery services, producers of payment cards, photo inspection providers, mass printing providers, IT suppliers and other service providers processing data on behalf of the Bank
3. banks, financial or credit institutions, or other institutions, which may receive personal data in connection with execution of economic relations between the Bank and you (for instance, banks intermediating in execution of international transfers) and on the grounds of appropriate laws, for instance, BIK, Centrum Prawa Bankowego i Informacji Sp. z o.o., economic information bureaus (KRD, ERIF, BIG)
4. clearing chambers, other clearing entities, for instance, KIR, Swift
5. card organisations, for instance, VISA, MasterCard – if data are transferred out of the European Economic Area, we apply appropriate safeguards in the form of binding corporate rules
6. telecommunication services providers
7. entities providing advisory and inspection services, for instance, audit companies
8. rocessors processing the data for recovery of receivables or legal representation, for instance, law firms, insurance companies
9. insurance companies
10. entities, for which you expressed your consent for making available and processing your personal data
11. entities operating with the Bank’s Group or entities from the capital group responsible for execution of contractual obligations and obligations stemming from the law
12. detailed list of recipients can be downloaded here

1. Detailed Information on your rights:
• a) you are entitled to access your personal data, and also to get a copy of the data
• b) if you find that your personal data processed by the Bank are not correct, you are entitled to rectify or supplement the data
• c) you are entitled to demand removal of your personal data in cases stipulated by the law
• d) you are entitled to lodge a demand to limit processing of your personal data
• e) you are entitled to lodge an objection against processing of your personal data in case of data processing to pursue legitimate interest of the Bank. In order to exercise this right, you may lodge your demand to cease processing of your personal data for the Bank’s direct marketing (this objection makes it impossible to receive, through available contact channels, any marketing materials on offers of the Bank as well as Partners and Companies from the Bank’s Group) or/and profiling your data in order to provide customised offers and commercial information
• f) you are also entitled to receive from the Bank your personal data in a structured format and to transfer your personal data to another controller. In case of data transfer, due to other laws, for instance, the banking law, your or other person’s consent, or fulfilment of other conditions required by these regulations may be necessary
• g) you are entitled no to subject to decision based exclusively on automated processing, including profiling, which produces legal effects for you or otherwise exerts material influence on you, unless such decision is necessary for performance of the agreement, it is allowed by the law or you have previously expressed your clear consent thereto
• h) in these cases when data processing is performed on the grounds of the consent granted, you are entitled to withdraw your consents for individual purposes of processing, at any time. You may withdraw your consent at any branch of the Bank, at TeleMillennium infoline 801 331 331 - number available only for telephones from domestic networks, (+48) 22 598 40 40 – number available also for international calls), in Millenet (Settings/Consent management). Withdrawal of the consent does not affect legal compliance of the processing performed up to the consent withdrawal


2. If you conclude agreement or transaction, submission of personal data is required for their execution.
3. If you want to file Application for execution of the above rights, you may do so:
• personally at any branch of the Bank – for the list of branches visit https://www.bankmillennium.pl/about-the-bank/branches-and-atms
• if you are a Client you can apply:
  • - in Millenet, at Settings > Personal data > Applications on personal data (re. items point 1: a ,c, f) and in Contact section (re. items point 1: d, e, g)
  • over the phone, at TeleMillennium careline: 801 331 331
  • by correspondence - sending a letter to the following address: Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw


4. The Bank is obliged to provide the information you are applying for within a month from receiving your application. If the demand is of complex nature or number of demands is high, the Bank has the right to extend the deadline for review of the application by two additional months, whereof the Bank will inform you earlier within a month from receiving your application. The maximum delivery time cannot be longer than 3 months from the date of receiving the application.
5. Bank’s taking actions indicated in the Application and issuance of the first cope of data is free of charge. However, if the demand is manifestly unfounded or excessive, in particular because of its repetitive character, the Bank may:
• charge a reasonable fee, as per the Price List
• refuse to act on the request providing justification


6. Should you find that processing of your personal data by the Bank infringes upon the provisions of the Regulation, you are entitled to lodge a complaint to the supervisory organ. As of 25th of May 2018 this will be Chairman of the Office for Protection of Personal Data.

If you are bound with the Bank by an agreement or if actions have been taken to conclude such agreement, processing of your personal data may be automated. It may result in automated decision taking, including decisions based on profiling. It concerns, in particular, the following cases:

• assessment of credit capacity and creditworthiness for the purpose of concluding agreement with the Bank, where this assessment is performed on the grounds of Client’s application with use of the data contained therein, data from the Bank’s internal databases and external databases (BIK, BIG, databases kept by ZBP etc.); such profiling may result in credit refusal
• assessment of risk of money laundering and risk of financing terrorism, where this assessment is performed on the grounds of the data declared in the documents submitted when placing the order or instruction to perform transaction, or when concluding agreement, based on the set criteria (economic, geographic, behavioural criteria). The assessment is followed by automatic risk classification, where classification to unacceptable risk group may result in automatic blockade and failure to open a relationship

Information on personal data processing in Bank Millennium SAlink opens in a new window

Information on personal data processing in Bank Millennium (for bodies and representatives of bodies, institutions or other entities performing tasks imposed by law, including receivers, bailiffs, employees of courts, offices, prosecutor’s offices, the Police)link opens in a new window

Information on processing personal data in Bank Millennium S.A. (for former customers of Millennium Dom Maklerski S.A., who are currently not a party to the agreement with the Bank and for proxies of the above clients)link opens in a new window

Information on processing personal data in Bank Millennium S.A. in connection with brokerage services and related financial instrumentslink opens in a new window

Information on processing personal data in Bank Millennium S.A. (for Beneficial owners and Persons authorised to act on behalf of Clients of the Bank)link otwiera się w nowym oknie

Information on personal data processing in Bank Millennium SA (customer’s spouse concluding risk based transaction, spouse of collateral provider e.g. surety provider)link opens in a new window

Information on personal data processing at Bank Millennium SA (for limited debtors, persons indicated in a bequest prepared in case of death, heirs, persons claiming funeral expenses and persons executing a power of attorney for a single act)link opens in a new window

Information on personal data processing in Bank Millennium SA (persons enquiring about accounts in other banks and persons for whom the Bank verifies the fact of their having accounts in other banks)link opens in a new window

Information on personal data processing in Bank Millennium SA (for entrusting party or its representatives in connection with a housing escrow account agreement between the Bank and the trustee)link opens in a new window

Information on personal data processing in Bank Millennium SA (in connection with purchase of receivables from Millennium Leasing Sp. z o.o.)link opens in a new window

Information on personal data processing in Bank Millennium SA (persons whose liabilities the Bank purchased or secured or in favour of whom the Bank repays purchased receivables)link opens in a new window

Information on personal data processing in Bank Millennium SA (persons contacting the Bank through contact form on the Bank’s web site and persons submitting complaint, who are not customers of the Bank)link opens in a new window

Information on personal data processing in Bank Millennium SA (for purpose of execution of contact by phone)link opens in a new window

Information on personal data processing in Bank Millennium SA (persons ordering macro-economic bulletin)link opens in a new window

Information on personal data processing at Bank Millennium SA (for persons registering their participation in events organized or co-organised by the Bank)link opens in a new window

Information on processing of personal data of candidates for work in Bank Millennium SA – in Polishlink opens in a new window

Information on employees personal data processing in Bank Millennium SA – in Polishlink opens in a new window

Information on personal data processing in Bank Millennium SA of contract employees (work contracts, contracts of commission, apprentice) – in Polishlink opens in a new window

Information on personal data processing in Bank Millennium SA (Bank counterparties who are natural persons not performing business activities, sole traders or partners in civil law partnerships and their proxies)link opens in a new window

Information on personal data processing in Bank Millennium SA (Employees/contractors of the Bank’s counterparty)link opens in a new window

Information on personal data processing in Bank Millennium SA (media representatives)link opens in a new window

Information on personal data processing in Bank Millennium SA (former SKOK Piast members who aren’t part of contract with Bank Millennium) – in Polishlink opens in a new window

Information regarding personal data processing at Bank Millennium S.A.(for natural persons who are not Clients of Bank Millennium, who place at the Bank branch cash deposit orders to the accounts in Bank Millennium or other banks or order cash withdrawals from Bank Millennium accounts) – in Polishlink opens in a new window

Information on Biuro Informacji Kredytowej (Credit Information Bureau) - in Polishlink opens in a new window

Information on Biuro Informacji Kredytowej_System WITIP (Credit Information Bureau_ System for Exchanging Information on Derivative Transactions)link opens in a new window

Information on personal data processing at Bank Millennium SA (for minors over 7 years of age)link opens in a new window

Information on personal data processing at Bank Millennium SA (for Potential Customers, persons contacting the Bank and their representatives) – in Polish link otwiera się w nowym oknie

Mobile application privacy policy (in Polish)link otwiera się w nowym oknie