Privacy policy for CA24 Mobile application

At Credit Agricole Bank Polska S.A. (‘the Bank’) we protect the privacy of users of the CA24 Mobile application (‘CA24 Mobile’). Please familiarise yourself with the information below explaining the basic rules for collecting, processing and using information about CA24 Mobile users.

General Information

1. It is possible to use all the functionalities of CA24 Mobile provided that the User:
   1. Has entered into the CA24 Electronic Banking Agreement;
   2. Has activated CA24 online banking;
   3. Has installed and activated CA24 Mobile on a Mobile Device (that meets the technical requirements);
   4. Has been authenticated by means of a Mobile Password or biometric data.
2. It is possible to use CA24 Mobile without activating it, provided that it is installed on a Mobile Device. In this mode the User has access to a limited number of functionalities.
3. The technical requirements relating to Mobile Devices on which CA24 Mobile can be installed are available on the Bank’s website: https://www.credit-agricole.pl/klienci-indywidualni/bankowosc-elektroniczna/serwis-mobilny-ca24.
4. Communication between CA24 Mobile and the Bank’s transactional systems takes place with the use of secure encryption mechanisms.
5. During the process of activating CA24 Mobile, the Bank collects the following information: model, brand, mobile device ID, as well as the time of connecting to CA24 Mobile and other operating data concerning the user’s activity.
6. Depending on the operating system on which CA24 Mobile is installed, it may require the following permissions or access to the following functions on your mobile device:
   1. The following data related to your Contacts, when using the ‘Mobile Phone Top-Up’ functionality or BLIK transfers to mobile phones:
      • Name and surname of the recipient or business name of the recipient
      • Phone number.
        • This data is required to fill in the transfer form or to carry out the phone top-up operation.
   2. Information on the location of the mobile device, when searching for the Bank’s ‘Branches and ATMS’ and/or 'Discount Club’ points;
   3. The camera, when using the ‘QR Transfer' functionality;
   4. The memory of the mobile device when using the ‘QR Transfer’ functionality;
   5. A telephone connection and/or software necessary to send e-mails, when dialling the Bank's phone numbers and/or sending an e-mail using the 'Contact us' functionality;
   6. An internet connection required to connect with the Bank;
   7. The phone’s calendar, to check whether the device has a calendar and whether reminders can be added to it (e.g. a reminder to pay off a credit card);
   8. Biometric data (information regarding whether the fingerprint or facial pattern have been verified correctly by the device’s software), required to obtain the result of user authorization from the biometrics module in the case of this method being chosen;
   9. Identification of the device used by the user required for security reasons to link the device to the user when activating CA24 Mobile;
   10. User accounts, required for PUSH notifications to work.

   The user may revoke or change the permissions using the mobile device settings or by uninstalling CA24 Mobile.

7. The Bank hereby informs you that filling in and sending the forms used in CA24 Mobile is understood as transferring the personal data contained in a given form.
8. Detailed information on CA24 Mobile is available on the Bank's website: https://www.credit-agricole.pl/klienci-indywidualni/bankowosc-elektroniczna/serwis-mobilny-ca24.
9. If you do not agree to this privacy policy you should not install the CA24 Mobile application or, if you have already downloaded it from the store, you should uninstall it.

Collecting other data

CA24 Mobile does not store any personal data that could enable a third party to identify a particular user. Cookies are IT data, in particular text files, that are stored on the CA24 Mobile user's mobile device. The Bank uses these types of files solely to maintain the user’s session while he/she uses CA24 Mobile.

Is it possible to opt out of accepting cookies?

The storage and sending of cookies by a mobile device is invisible to the user. It is not possible to disable the cookies function via CA24 Mobile settings or mobile device configuration. A user who does not accept the use of cookies should not install CA24 Mobile or log in to the CA24 Mobile service using it. If you choose not to accept cookies in the course of using CA24 Mobile, you should uninstall the application.
The Bank hereby informs the user that the moment the user connects to CA24 Mobile, information about the number (including IP) and type of the user’s mobile device as well as the time of connecting with CA24 Mobile and other operating data concerning the user's activity, is stored in the system logs.

Information on personal data protection

Credit Agricole Bank Polska S.A. with its registered office in Wrocław, ul. Legnicka 48 bud. C-D, 54-202 Wrocław, is the personal data controller within the meaning of Article 4.7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (‘GDPR’), and the Bank processes the personal data of CA24 Mobile users.

You can contact the personal data controller:

• Electronically: via Mailbox in the CA24 Online service or via the contact form available at https://www.credit-agricole.pl/kontakt/e-mail.
• By phone: 19 019 , +48 71 35 49 009 (from abroad and from mobile phones)
  cost according to you operator’s tariffs,
• By post: at the Bank’s registered address, pul. Legnicka 48 bud. C-D, 54-202 Wrocław.

Additionally, the Bank has appointed a Data Protection Officer whom you can contact:

• Electronically, using a contact form or sending an e-mail to:
  
• By post, sending a letter to the Bank’s registered address: ul. Legnicka 48 bud. C-D, 54-202 Wrocław, for the attention of: ‘Inspektor Ochrony Danych / Data Protection Officer’.

For what purposes and on what legal basis do we process your personal data?

• For the purposes of entering into and performing your Agreement with the Bank; the legal basis for it is the need to process data in order to enter into and perform the Agreement;
• For the Bank’s internal administrative purposes, inter alia for reporting purposes within a group of undertakings; the legal basis is the legitimate interest of the Bank which forms part of the group of undertakings;
• For direct marketing of the Bank’s products and services; the legal basis is the Bank’s legitimate interest;
• For direct marketing of products and services of third parties; the legal basis is the consent given;
• For the purposes of performing obligations connected with countering money laundering and terrorist financing; the legal basis is the Act on Countering Money Laundering and Terrorist Financing;
• To take action in connection with countering economic offences, including obtaining a loan under false pretences; the legal basis is the Banking Act;
• To fulfil obligations connected with CRS tax reporting and FATCA;
• To fulfil legal obligations related to banking operations, including credit capacity assessment and credit risk analysis, including the use of profiling; the legal basis is the legal obligation of the Bank;
• To consider complaints and pursue claims; the legal basis is the Bank’s legitimate interest.

What data do we process?

• Identification data; PESEL/NIP numbers, name, surname, identity card details, surname at birth, mother's maiden name, father’s and mother’s first names, date of birth, place of birth, nationality;
• Address and contact details;
• Socio-demographic data such as information on employment, business activity, education, income, marital status, number of people in the household, matrimonial property regime;
• Data on the user’s financial situation and financial obligations.

How long do we store your data?

• Until the expiry of the obligation to store data resulting from the law in force, including the obligation to store accounting documents related to Agreements concluded with the Bank;
• Until an objection is raised to the processing of data for direct marketing purposes;
• Until your consent is withdrawn, if previously granted by you;
• Until the statute of limitations of the right to claim expires.

To whom and for what purposes can we transfer data?

• Biuro Informacji Kredytowej (the Credit Information Bureau);
• The Polish Banks Association;
• Business information bureaus;
• Entities from the group of undertakings of which the Bank is a part;
• Entities processing personal data at the Bank’s request, inter alia IT service providers, entities processing data for the purposes of debt collection, agents and credit intermediaries – where such entities process data on the basis of outsourcing agreements concluded with the Bank exclusively and in accordance with the Bank's requirements - a full list is available at the following link: https://www.credit-agricole.pl/partnerzy-biznesowi/baza-partnerow-outsourcingowych;
• The PESEL Register or the Register of Identity Cards for the purposes of verifying the correctness of the personal data obtained.

What rights do you have with regard to the protection of your personal data?

• To access your data or receive a copy of your data;
• To require that your data be rectified, deleted or its processing restricted;
• To object to data processing done in the legitimate interest of the Bank;
• To object to data processing for marketing purposes, including by means of profiling;
• To withdraw your consent (if it was given); however, the activities carried out before the consent is withdrawn remain valid;
• To transfer your personal data if it is processed based on your consent or on an agreement;
• To file a complaint with the authority competent for the protection of personal data.

What do we use profiling for?

Your data is profiled on the basis of:
A list of purposes to which the Bank is authorised by applicable laws (thus the data subject may not exercise their right to object):

• To assess credit risk and credit capacity (pursuant to Article 70 of the Banking Act);
• To counter money laundering (using models enabling the assessment of behaviour) on the basis of the Act on Counteracting Money Laundering and Terrorist Financing, Articles 165 and 299 of the Penal Code);
• To prevent the Bank’s operations from being used for criminal activity (detection of correlations, similarities) on the basis of Article 106a and 106 d of the Banking Act;

A list of purposes based on the legitimate interest of the data controller, including:

• Communication (determining the preferred contact channel; content; time of contact, potential of a given communication campaign);
• Marketing and segmentation of own and third party services (i.e. personalised offers: based on events or on expert recommendation; determination of the customer’s willingness to buy a product or service);
• Communication to customers with a pre-approved offer based on the Bank's calculations;
• Online banking service and mobile application (e.g. categorisation of customer's payments; sending guidance to the customer on expected future payments on the basis of previous operations in the account; guidance and suggestions on asset management, use of services, etc.).

Information on the transfer of data to third countries

The Bank may transfer your data to a third country, i.e. one that does not belong to the European Economic Area, if the Client makes international money transfers via SWIFT.

What is automated decision making and what is it used for?

The Bank makes decisions automatically (i.e. without human intervention, based on models and algorithms developed using IT systems) in order to assess the customer’s credit capacity pursuant to Article 22.2 (a) of the GDPR in conjunction with Article 70 of the Banking Act. For these purposes the Bank uses for each Customer a rating calculated by credit bureaus (e.g. BIK).
More essential information is available on a specially prepared website: https://www.credit-agricole.pl/rodo;