Notification by Česká exportní banka on the Processing of Personal Information

Personal Data Protection

Dear Clients,

We would like to inform you about the protection of your personal data. We kindly ask you to read the terms and conditions below.

Česká exportní banka, a. s. (hereinafter the “Bank”) provides services only to legal entities and processes personal data of only those persons who represent these legal entities or who are authorised by the legal entities to act on their behalf and are part of the governance or ownership structure of a legal entity.

We process and protect your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”).

Among other things, the Bank is obliged to have technologies promoting privacy in place and to retain only materially accurate and secured data, to the extent necessary for a given purpose and processing needs.

General information on collecting, processing and storing clients’ personal data

We collect, process and store your personal data primarily in accordance with Act No. 253/2008 Sb., on some measures against money laundering and terrorist financing, as amended (hereinafter the “AML Act”), and other acts related to the Bank’s activities.

What personal data can we process without your consent?

  • identification data – personal data used for unambiguous and unmistakable identification of a client – the authorised representative, actual owner of the legal entity (e.g. name, surname, degree, birth certificate number, if assigned, otherwise the date of birth, permanent address, identity card number, passport number or the number of a similar document, signature);
  • contact details – personal data that make it possible to contact a client (in particular, the contact address, phone number, email address and other similar information provided by the client);
  • data on the client’s creditworthiness and credibility – personal data which are necessary for the Bank, with regard to its statutory obligation to proceed cautiously in its activities, to undertake a banking transaction without unreasonable legal and material risks; the nature and scope of these personal data depend on the nature of the banking transaction or service provided to the client;
  • data on the use of services – e.g. personal data on arranging and using Bank’s services (i.e. data on account balances, transaction data, recordings of phone calls, records of other communication with the client).

Why do we process personal data?

The main reason for processing personal data is the performance of a contract (provision of a banking product based on your request) concluded with you for the purposes of business activities, and the fulfilment of a legal/statutory obligation (e.g. the obligation under the AML Act, Act No. 21/1992 Sb., on banks). Other reasons include the legitimate interest to protect the Bank’s interests (e.g. in the case of making an audio recording for the purpose of taking minutes). The personal data processed by the Bank with the client’s consent are listed in the consent to the processing of personal data that the client may grant to the Bank. Given the contractual nature of relationships between the Bank and the client, the provision of personal data is completely voluntary.

The Bank hereby informs the client that the Bank cannot undertake a banking transaction or provide a service if it is not provided with personal data necessary for undertaking the relevant banking transaction or providing the service in accordance with the AML Act.

How does the Bank obtain personal data?

  • directly from the client in negotiations on the conclusion of a banking transaction or provision of a service and subsequent implementation;
  • from publicly available registers, lists and records (Commercial Register, Trade Register, Land Register etc.) and other public sources (including information from social networks and the Internet published by the client);
  • from other entities if the client has consented to it.

For what purposes does the Bank use and process personal data?

Without the client’s consent:

  • for purposes related to the Bank’s business activities, in particular, to assess an application for a banking transaction or a service, to secure all other activities related to the execution of a transaction or a service and to optimise them;
  • to fulfil Bank’s statutory obligations arising from special regulations (namely Act No. 21/1992 Sb., on banks, the AML Act, and others);
  • to protect its rights and legally protected interests, in particular, to analyse and assess potential risks.

For how long do we process personal data?

  • for a strictly necessary period if such a period is stipulated by legal regulations relating to Bank’s activities (e.g. for 10 years after the end of the transaction or business relationship under the AML Act; for the duration of the limitation or archiving period).

How do we secure personal data protection?

  • personal data are under continuous physical, electronic and procedural control, and the Bank has modern technical, control and, in particular, security mechanisms in place, ensuring the maximum possible protection of processed personal data against unauthorised access or transfer, loss or destruction, as well as against another possible misuse;
  • all persons who come into contact with clients’ personal data in performing their job duties or contractual obligations are bound by a statutory or contractual confidentiality obligation;
  • all client information is subject to banking secrecy.

To whom does the Bank provide personal data?

  • national authorities or other entities under the statutory obligations arising from special regulations (e.g. Act No. 21/1992 Sb., on banks, the AML Act) – these include, in particular, state authorities, state administration bodies, courts, law enforcement bodies, supervisory authorities, executors, notaries – judicial commissioners, insolvency administrators etc.;
  • banks to the extent stipulated by Act No. 21/1992 Sb., on banks, either directly or through a legal entity established to maintain a client information register (Client Information Bank Register);
  • the information database maintained by the Czech National Bank;
  • other entities if necessary to protect the Bank’s rights, e.g. insurance companies, courts, court executors, auctioneers; the scope of personal data provided is limited to personal data necessary for a successful claim;
  • specialised external entities (hereinafter the “processor”) which process personal data for the Bank under the relevant agreement on personal data processing and which must fulfil, among other things, personal data protection obligations to the extent stipulated by GDPR; after careful consideration, the Bank entrusts the role of a processor only to an entity which can provide the Bank with a maximum guarantee regarding the technical and organisational protection of transferred personal data;
  • personal data may be provided to other entities with the client’s consent or by order of the client.

What are the client’s possibilities regarding the processing and transfer of personal data?

  • except for cases stipulated by law where the processing does not require the client’s consent (see Article 6 of GDPR), the Bank processes personal data with the client’s consent;
  • the client is free to decide whether to grant consent to the extent proposed by the Bank;
  • the client may withdraw the consent or change/modify its scope. The Bank is bound by the scope of the consent and fully respects it.

Information on the rights of clients (individuals) in relation to GDPR

  • upon request, the Bank will provide you free of charge with information on whether your personal data are processed and with a copy of processed personal data; the Bank will charge a reasonable fee for each additional copy; the Bank may reject unjustified or unreasonable requests;
  • if your personal data are processed, you have the right to access the personal data, in particular, the right to request the information on (i) the purpose of processing, (ii) the category of the personal data, (iii) the recipient or category of recipients of the personal data that will have access to the personal data, and (iv) planned retention period of the personal data;
  • you may request the Bank to (i) rectify the personal data if you believe that they are inaccurate, (ii) erase the personal data if you believe that they are no longer necessary for the purpose for which they were provided or if you withdraw your consent under which they were processed, and/or (iii) restrict the processing of the personal data if you believe that they are inaccurate or are no longer necessary for the purpose for which they were provided to the Bank;
  • if the personal data are processed automatically, you have the right to data portability (the right to obtain the provided personal data in a structured, commonly used and machine-readable format and the related right to provide the personal data to another personal data controller, which the Bank will not prevent);
  • if your personal data are processed under a legitimate interest or if the Bank must process the personal data to fulfil a task in the public interest, you have the right to raise an objection.

Who can the client contact for further information? Where can the client lodge objections to the processing of personal data?

The client may contact the Bank:

The client may exercise rights in relation to the processing of personal data in any of the following ways:

  • By visiting the Bank’s registered office;
  • By email:,

To facilitate the exercise of the client’s rights, the Bank has prepared model requests which are available on the Bank’s website.

Bank’s information on the privacy policy

The client is informed about the rules of personal data processing and protection when entering into a bank transaction or arranging the provision of a service; in this context, the client is also requested to state a position on the proposed consent to the processing of personal data.

Contact details of the supervisory authority

The client may also contact the Office for Personal Data Protection directly with comments and complaints.

Seat of the Office: Pplk. Sochora 27, 170 00 Prague 7, fixed line: +420 234 665 111, email:, web:

This document is also available in printed form at the Bank’s registered office.