Introduction

Dear User,

Thank you for registering for and using KUIK. Your privacy is really important to us. This document constitutes the Privacy Policy (the “Policy”) of KUIK, and by registering for and/or using KUIK, you confirm that you have read, agreed and accepted this Policy. This Policy explains what information KUIK collects about its Users, the scope of such collection, the processing done and the measures taken by Bank for the protection of their personal data and information. This Policy may change in the future, however, in any case it will not limit the rights guaranteed by the law no.124/2024 “For the protection of personal data”. When registering for KUIK, the User has understood and accepted KUIK’s General Terms and Conditions and this Policy, giving his consent for the collection and processing of his personal data and information for the purposes of using KUIK.

This policy applies only to information we collect via KUIK or in connection with it. This policy does not apply to information that: (i) we collect offline or through any other means, including any other Bank apps or websites, including websites you may access through KUIK; or (ii) you provide to or is collected by any third party. Our websites and other apps, and these third parties may have their own privacy policies, which you should read before providing information on or through them.

CONSENT

Please read this Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, do not download, register with, or use KUIK. By downloading and installing, registering for, or using KUIK, you agree to this Privacy Policy and Bank’s collection and processing of your information according to the terms of this Policy. This Policy may change from time to time. Your continued use of KUIK after we make changes is deemed to be acceptance of those changes, so please check the Policy periodically for updates.

1. GENERAL INFORMATION

1.1 The scope of the Policy is the definition and explanation of the privacy policy and measures pursued by Bank regarding the personal data/information of the Users when using KUIK. This Policy applies to the information obtained by Bank through the registration for and the use of KUIK.

1.2 For the purposes of providing its services, the Bank collects personal data when the User registers for KUIK by accepting KUIK’s General Terms and Conditions. Such personal data is only taken with the consent of the User. In the moment of registering for KUIK, the User confirms the completion and veracity of the given information and gives his consent for the processing of the information given by him, and for promotional notices with several communication means (e.g. telephone, e-mail, etc.). Personal data is collected, processed and stored in full compliance with the provision of the law on personal data protection and respective applicable legislation. These actions are executed pursuant to the principle of respecting and guaranteeing the fundamental rights and liberties of the person and specifically the right to privacy. A person cannot use KUIK if he/she does not consent to the processing of his/her personal data for the purposes of registering for and using KUIK.

1.3 Users’ personal data and information is a matter of high importance for the Bank, and Bank has taken all the technical and organizational measures for their protection and retention and for the execution of all the obligations that derive from the effective legal framework on personal data and other applicable legislation. Bank implements an information security system of the highest standards for the storing and processing of the Users’ personal data and information, in full compliance with the applicable legislation. Bank uses the appropriate security measures to protect the data from manipulation, loss, destruction and unauthorized access or disclosure. Users’ personal data is processed by the Bank only with the purpose of providing KUIK and compliance with the relevant legislation (e.g. anti-money laundering laws, investigation purposes, etc.), with the Users’ consent and in accordance with the respective Albanian legislation and GDPR provisions. In the context of the execution of these measures, the Bank has approved and implements its internal regulations and procedures regarding information security.

2. DEFINITIONS

2.1 “Bank”/“Us”/ “We” – Raiffeisen Bank, a joint stock company, registered at the National Business Centre with VAT number J61911005B and holder of a banking license issued by the Bank of Albania, which provides KUIK to Users.

“Commissioner” – the Albanian Commissioner for the Right of Information and for the Protection of Personal Data.

“Consent of the data subject” – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Controller” – the natural or legal person and any public authority, which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Dissemination” – the communication of personal data between controllers or the communication of personal data to any person other than the processor or the personal data subject, including publication.

“Electronic instruments” – means computers, computer programs and any means, electronic or automatic, by which data processing is carried out.

“Filing system” – any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

“Law” – law no.124/2024 “For the protection of personal data”.

“GDPR” – the General Data Protection Regulation (2016/679).

“KUIK” – the service provided by Bank to Users, via the KUIK application, enabling domestic bank account-to bank account transfers, both interbank and intrabank.

“Processing” – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal data” – any information relating to a data subject.

“Personal data breach” – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Personal data subject” – any identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processor”– means a natural or legal person or any public authority which processes personal data on behalf of the controller.

“Profiling” – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Pseudonymisation” – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Recipient” – a natural or legal person or any public authority to which the personal data are disclosed, whether a third party or not.

“Sensitive data” – categories of personal data that reveal racial or ethnic information, political opinions, religious beliefs or philosophical studies, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation.

“User”/ “You” shall refer to any and all customers of the Bank, who have at least one active bank account with the Bank, and who have registered for and/or use KUIK to send and/or receive funds, and who, for this purpose, have accepted KUIK’s General Terms and Conditions.

2.2 Regarding the terms used in this Policy, not included above, shall apply the definitions and provisions of the Law.

3. INFORMATION WE COLLECT AND HOW WE COLLECT IT

3.1 Information You Provide to Us

When you install and register for and/or use KUIK, we shall ask you to provide information by which you may be personally identified, such as: name; surname; Personal Number; date of birth; MSISDN; bank account number (IBAN); address; email address.

We also collect/access information that is about you but individually does not identify you, including, but not limited to:

• Information that you provide by using KUIK. This includes information provided at the time of registering to use KUIK, and requesting further services. We may also ask you for information when you report a problem with KUIK.
• Phone contact list.
• Records and copies of your correspondence (including email addresses and phone numbers) if you contact us.
• Details of transactions you carry out through KUIK and of the fulfillment of your requests.

These data are processed by Bank only in terms of provision and use of KUIK and to comply with relevant applicable legislation (e.g. anti-money laundering provisions, investigation purposes, etc.) The use of personal data for sending informative messages or commercial information to the Users regarding KUIK is done only with the prior consent of the User. The personal data are processed:

• to make the individual a KUIK User;
• to enable KUIK usage;
• to communicate with the User;
• to provide support for the User;
• to enforce our terms and conditions;
• for legal compliance and legal obligations.

3.2 Automatic Information Collection and Tracking

When you install and access and/or use KUIK, it may use technology to automatically collect:

• Usage Details. When you access and use KUIK, we may automatically collect certain details of your access to and use of it, including logs, and other communication data and the resources that you access and use on or through KUIK.
• Device Information. We may collect information about your mobile device, including the device’s unique device identifier, operating system and mobile network information.

3.3 Bank does not collect and neither processes sensitive data as defined in the Law.

4. HOW WE USE YOUR INFORMATION

4.1 We use information that we collect about you or that you provide to us, including any personal information, to:

• Provide you with KUIK and its contents, and any other information, products or services that you request from us.
• Fulfill any other purpose for which you provide it.
• Carry out our obligations and enforce our rights arising from any contracts entered into between you and us.
• To contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities or products related to KUIK, including the updates, when necessary or reasonable for their implementation.
• Notify you of changes to any products or services we offer or provide through it.
• Comply with relevant legislation.
• For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our products, services, marketing and your experience.

5. DISCLOSURE OF YOUR INFORMATION

5.1 We may disclose aggregated information about our users and information that does not identify any individual or device. In addition, we may disclose personal information that we collect or you provide:

• to our subsidiaries and affiliates;
• to contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them;
• to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Bank’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Bank about KUIK users is among the assets transferred;
• to fulfill the purpose for which you provide it;
• for any other purpose disclosed by us when you provide the information;
• with your consent;
• to comply with any legal obligation, court order, law, or legal process, including to respond to any government or regulatory request;
• to enforce our rights arising from any contracts entered into between you and us;
• if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Bank, our customers or others.

5.2 Bank does not share your personal information with unaffiliated third parties for promotional purposes.

6. GENERAL PRINCIPLES OF PERSONAL DATA PROCESSING

6.1 Users’ personal data and information is used only for the purpose of providing KUIK, for the solution of the complaints/requests of the Users and/or for legal compliance. They are processed only for the time needed for the fulfillment of the purposes for which they are collected. High security measures are implemented to prevent data loss, illegal and unjust use and unauthorized intervention. Personal data and information are kept safe and are not misused or corrupted in any way. Security is not just about the physical measures, but also has to do with the work organization, in order that the risk minimizes. Bank takes all the necessary steps and guarantees that the staff is aware and trained about the security necessity and its enforcement. The security level takes in account the nature of the data that are processed, considers the value of personal data and the harm that may be caused from their use by unauthorized persons, by their loss or destruction, considers the technological possibilities and the costs requested to implement them. Users’ personal data are kept for 5 years after the date of termination of KUIK or for a longer period if required by the applicable legislation.

Personal data processing is based on the criteria specified in the Law as follows:

• Principle of lawfulness, fairness and transparency: processing is carried out lawfully, fairly and in a transparent manner in relation to the data subject.
• Principle of purpose limitation: personal data are collected for specified, explicit and legitimate purposes, clearly determined at the moment of collection, and not further processed in a manner that is incompatible with those purposes.
• Principle of data minimisation: Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• Principle of accuracy: Personal data are accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• Principle of storage limitation: Personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures in order to safeguard the rights and freedoms of the data subject.
• Principle of integrity and confidentiality: Personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
• Principle of accountability: Bank shall be responsible for, and be able to demonstrate compliance with these principles.

6.2 Personal data protection is guaranteed by their processing in an honest, right and legal way by Bank for the execution of the contractual or legal obligations of the Bank that derive from the General Terms and Conditions of KUIK and effective legal framework, and for the improvement of the services’ quality toward the Users.

6.3 Users have all the rights established by the Law.

6.4 User’s consent. The Bank obtains the prior consent of the User, whose personal data are processed. The User has the right to withdraw his consent for as above. Upon registering for KUIK and accepting its General Terms and Conditions, User shall be deemed to have understood and willingly and explicitly authorizes Bank to transmit to its service providers and/or contractors for processing, the personal data of the Users, for the purpose of providing KUIK.

Upon accepting the Terms and Conditions of KUIK, User gives his explicit consent to receive communications regarding the use and services offered by KUIK, through SMS and/or other communication channels that may be available to both Bank and User. User has the right to revoke such consent at any time by requesting it.

6.5 User confirms the completion and accuracy of the given information, and also declares that he has completed correctly and truly all the information requested. The personal data subject is responsible for the completion, update of the registered data to ensure that the information is updated continuously and completely, by going physically to the Bank.

7. PERSONAL DATA’S SUBJECT’S RIGHTS

7.1 Personal data subjects have all the rights established by the Law.

7.2 Right to information

Where personal data are collected from the data subject and the data subject does not have the following information, Bank shall provide the data subject with all of the following information:

1. the identity and the contact details of Bank and, where applicable, of Bank’s representative and of Bank’s data protection officer;
2. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
3. the existence and logic of automated decision-making and profiling, referred to in the Law and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
4. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
5. the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal, where the processing is based on the consent and the legitimate interests pursued by Bank or by a third party, where processing is based on legitimate interests;
6. information, whether or not the data subject is obliged to provide the data and whether the provision of personal data is an obligation arising from the legislation in force, contract terms or conditions for entering into a contractual relationship, as well as the possible consequences of not providing this data;
7. the recipients or categories of recipients of the personal data, if any;
8. whether the data will be transferred to a third country and if so, how appropriate protection is guaranteed including information on appropriate safeguards and the means by which to obtain a copy of them or where they have been made available;
9. the exercise of rights under the Law, as well as the right to lodge a complaint with the Commissioner.

The above information shall be provided:

1. where the personal data are collected with the data subject’s cooperation, before the data subject provides the data;
2. where the personal data are not collected with the data subject’s cooperation:
3. within a reasonable time, but no later than 30 days after the data were collected; or
4. if the personal data are to be used for communication with the data subject, no later than the moment of the first communication with the data subject; or

• where it is foreseen the dissemination to another recipient, no later than the moment when the personal data are first disseminated.

7.3 Right of access

The data subject shall have the right to obtain from Bank, no later than 30 days from the date of submission of the request, confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

1. the purposes of the processing;
2. the existence and logic of automated decision-making and profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
3. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
4. the legal basis for the processing;
5. the categories of personal data concerned, including, where the personal data are not collected from the data subject, any available information as to their source;
6. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations including where personal data are transferred to a third country and if so, the data subject shall have the right to be informed of the appropriate safeguards;
7. the existence of the rights pursuant to the Law and the right to lodge a complaint wit the Commissioner.

7.4 Right to rectification and erasure

The data subject shall have the right to obtain from Bank without undue delay but no later than 30 days from the date of receipt of the request, the rectification of inaccurate personal data concerning him or her. Taking in account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data subject shall have the right to obtain from Bank the erasure of personal data concerning him or her and Bank shall have the obligation to erase personal data without undue delay but no later than 30 days from the date of receipt of the request, where one of the following grounds applies:

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
2. the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
3. the data subject objects to the processing pursuant to the Law;
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation of Bank;
6. the personal data have been collected in relation to the online provision of goods or services as provided for by law.

Regarding this right, the Law provides for several exceptions in the cases of processing mentioned therein.

7.5 Right to be forgotten

Where Bank has made the personal data public and is obliged pursuant to the Law to erase the personal data, Bank, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

At the request of the data subject, internet search engines operators are obliged to delete from the results displayed following a search conducted on the basis of the data subject’s name, the information which is no longer up-to-date over time but which, when found, has a significant negative impact on the data subject’s reputation.

7.6 Right to restriction of processing

The data subject shall have the right to obtain from Bank restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling Bank to verify the accuracy of the personal data;
2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
3. Bank no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the filing of a claim or exercise or defence of legal claims, obligations or interests before a court or public authority; or
4. the data subject has objected to processing pursuant to the Law. The restriction lasts for the period necessary for the verification whether the legitimate grounds of Bank override those of the data subject.

Where processing has been restricted under the above paragraph, such personal data shall, with the exception of storage, only be processed:

1. after receiving the data subject’s consent;
2. for the filing of a claim or exercise or defence of legal claims, obligations or interests before a court or public authority;
3. for the protection of the rights of another natural or legal person which override the rights of the data subject; or
4. for reasons of important public interest.

Bank must notify the data subject before the restriction of processing is lifted. If Bank refuses the request, the data subject may lodge a complaint with the Commissioner and request a preliminary decision on the restriction of processing.

7.7 Right to data portability

Where personal data are provided to a controller by the data subject, with his or her consent or for the performance of a contract, and the processing is carried out by automated means, the data subject shall have the right to receive from Bank the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.

In exercising his or her right to data portability pursuant to the aforementioned paragraph, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of right to data portability shall not prejudice the right to erasure in accordance with the law. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or where Bank has been granted the right to exercise public functions, tasks or powers by virtue of applicable law. The right to data portability shall not adversely affect the rights and freedoms of others.

7.8 Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her including profiling based on provisions of the Law. Bank shall no longer process the personal data unless Bank demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, especially when they concern the filing of a claim or exercise or defence of legal claims, obligations or interests before a court or public authority.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time and without having to give reasons, to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, Bank shall be obliged to cease processing of the personal data for such purposes.

At the latest at the time of the first communication with the data subject, Bank shall inform the data subject of the right to object shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7.9 Automated decision-making

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This shall not apply if the decision:

1. is necessary for entering into, or performance of, a contract between the data subject and a data controller; or
2. is authorized by a law to which Bank is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
3. is based on the data subject’s consent.

In these cases, Bank shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests and the right to obtain human intervention on the part of Bank, to express his or her point of view and to contest the decision.

7.10 The right to complain

Every person who claims that his rights, freedoms and legal interests concerning his personal data have been violated shall have the right to complain or to notify the Commissioner and to request his intervention to remedy the infringed right. When the data subject has filed a complaint, Bank shall have no right to make any changes to the personal data until a final decision ruled.

7.11 Right to compensation of the damage

Everyone who has suffered damage due to an unlawful processing of personal data is entitled to compensation, pursuant to the rules defined by the Civil Code.

7.12 Any request of the User related to personal data or if you think your privacy has been violated must be addressed to: [email protected] or sent to Bank’s address at Rruga e Kavajës, Pallati 71, shk.1, ap.4,  Tirana, Albania. In case of not giving information, Bank shall explain to the User the reasons for withholding information. In any case, the personal data subject has the right to appeal to the Commissioner.

8. REQUESTS FOR INFORMATION AND COMPLAINTS

8.1 Requests for information on KUIK are processed by the Bank’s customer relationship structures.

8.2 Bank will respond to any request or complaint within 30 days of its receipt or according to other deadlines provided by legislation. The response will be in writing to the address from which has come the request or complaint and/or in electronic form when the request or complaint was received electronically. Bank will keep a record of complaints, requests or suggestions received, as well as responses provided.

9. PROTECTION, PROCESSING AND RETENTION OF PERSONAL DATA

9.1 All personal data collected will be processed properly and will be destroyed after the appointed period based on the time limit set in the Law and relevant applicable legislation. Bank uses advanced and modern techniques to maintain its databases and computer systems. Also, we take care that the data processing is done with full security measures in full compliance with the relevant legislation.

9.2 Bank guarantees the personal data subjects that their data is collected and processed only for the purposes of use and functioning of KUIK and legal compliance and obligations, taking all appropriate physical, technical and operational measures for preserving the confidentiality, and for the protection from loss, destruction, damage or unauthorized disclosure in accordance with the Law. Bank uses contemporary technology to keep and secure the electronic and physical Users’ personal data and the information that it possesses, as well as to prevent the unauthorized access in the data and information through appropriate measures.

9.3 The measures taken for processing and retention of personal data and information include without limitation:

• identification, listing and update of the personal data;
• limited access to the datacenter and server rooms;
• data encryption, where applicable;
• audit/s for the measures taken for the personal data processing;
• implementation of information security policies and procedures and business continuity procedures;
• training of staff on Policy procedures and measures to be taken;
• management of breaches in confidentiality, and the notice of breaches;
• enforcement of the respective legislation;
• informing Users with the taken measures and their rights;
• close cooperation and constant communication with the Commissioner;
• implementation of the information confidentiality commitment by Bank’s employees, during and after the employment relationship with Bank;
• new employees integrity verification;
• destruction of stored data, at the end of the retention period, unless otherwise provided by the legislation in force;
• the modification, correction, deletion and transfer of personal data and other actions regarding personal data are registered and documented; etc.

We have implemented measures designed to secure your personal information from accidental loss and unauthorized access, use, alteration and disclosure. All information you provide to us is retained on our secure servers behind firewalls. Your personal information is password protected and restricted within our organization to employees and trusted partners that need access to your personal information in order to correspond with you and provide the products and/or services that you requested from us. The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for using KUIK, you are responsible for keeping this password confidential. Do not share your password with anyone. We are not responsible for circumvention of any privacy settings or security measures we provide.

10. ACCESSING AND CORRECTING YOUR PERSONAL INFORMATION

10.1 You can review and change your personal information by visiting the Bank. If you have any questions about personal information that may be retained by Bank, you may also contact us at [email protected]. Upon your request, we’ll provide to you the personal information under our control, if any, as well as information about the ways in which that information is being used/disclosed. We will use commercially reasonable efforts to ensure that personal information we may be using or disclosing is accurate and complete. If you demonstrate that your information is inaccurate or incomplete, the information will be amended as appropriate. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

 

11. AMENDMENTS

11.1 This Policy may be amended to keep pace with changes in KUIK and/or the laws applicable to us, but Bank will, however, always maintain its commitment to respect Users’ privacy. Bank will post any revisions to this Policy, so Bank recommends that Users periodically check its content to stay informed on the current version of the Privacy Policy. Users’ continuation of using KUIK after any amendments of this Policy means that they agree with these amendments. It is the Users’ responsibility to read and to be in knowledge of the effective version of this Policy.

12. GOVERNING LAW

12.1 This privacy policy and any disputes related thereto shall be governed by and construed in accordance with the laws of the Republic of Albania.

13. USER’S DECLARATION

13.1 I (User) understand that all my personal data, declared in this form and/or in any other document (form/contract) declared or signed with the Bank, in relation to and for the purposes of providing KUIK, are data that will be processed by the latter with the highest security standards, conform all existing legal framework, with the sole purpose of offering KUIK and/or to fulfil any legal obligation of the Bank, imposed by a legal and/or regulatory act in force in the Republic of Albania. I understand that it remains my full responsibility to update all the personal data as they may be amended and also I’ve been aware of my right to require from the Bank, through a written request, to correct or delete any personal data of mine.

13.2 Processing of personal data

I declare that the information provided in this application is true and correct. I hereby give my consent to the Bank to collect my personal data as above, as well as to process them furtherly only for the purpose of providing KUIK for which I’m applying. I understand that any personal information regarding my person will be treated with a higher level of security in full compliance with the provisions of Law no. 124/2024 “On the Protection of Personal Data” and bylaws issued for its implementation. Also, it is in compliance with the requirements of the General Data Protection Regulation (“GDPR”).

Moreover, I declare and grant my consent for further processing of the personal data by the Bank by transferring these data to the contracting parties which may be in the capacity of the processor in the framework of designing, maintaining and administrating the current account. In such context, I have been aware to the fact that the personal data are transferred to CRISP Centralized Raiffeisen International Services & Payments S.R.L having its seat in Bucharest- Rumania, so that the Bank may practice the needed vigilance and perform its other legal obligations that derive from the legislation in place on money laundering prevention.

I hereby authorize the Bank to store my personal data for a term of 5 years after the termination of the relationship with the User. I am aware of the fact that for any questions or information regarding the processing of my personal data, I have the right to address my enquiries by sending an e-mail to [email protected].

Also, I understand that pursuant to the provisions of GDPR and the Law on Protection of Personal Data as well as the by-laws issued for its implementation, I may at any time exercise the rights of access or the right to request the blocking, rectification or deletion of personal data processed by the Bank as well as all others rights. I also reserve a right to claim to the “Information and Data Protection Commissioner” and a right to withdraw from this consent for my data processing at any time.

13.3 Further Processing of Personal Data

I give my unconditional approval to Raiffeisen Bank to use my personal data on my benefit for promotional offers concerning products and/or services packages that the Bank provides, (or may

provide in the future) through one or more communication channels including but not limited to: i) the Official Mail ii) SMS iii) Phone Call iv) E-mail etc. In such context, I authorize Raiffeisen Bank that, pursuant to the highest security standards defined in the legal and regulatory framework in force, to transfer my personal data for further processing to third parties specialized in this particular field.

Furthermore, I declare that I’ve been aware of my right to require to the Bank at any time, to revoke this approval.