Enclosure no. 3
No. 1
REPORT ON PERSONAL DATA PROCESSING
Code: BIB.1010.P.010-OBR.03   Version: III/26.09.2013   Page 1 / 6

The terms used in this form have the meaning assigned to them by the Personal Data Protection Law ("Official Gazette of the RS", number 97/08) and by this provision.

These records refer to the following:
1) Prior notification on the intended establishing of personal data files. Date of delivery of prior notification: ________.
2) First reporting of personal data files, number: 01.
3) Changes, i.e. supplements to files, number 03/2013. Date of delivery of changes, i.e. supplements to the files: 26.09.2013.

1 Ordinal number
01

2 Type of personal data and name of personal data collection
Title of the collection: Basic data on Individuals, used for all products of the Bank.
Type of data:
Data on a natural person, from the application form:
  Personal data: status and sub-status of residence, Personal Identification Number, name and surname, parent's name, gender, date of birth, country of birth, place of birth, type of identification document (identity card, passport or extract from the registry for minors), registry number of the ID document, place of issuance of the ID document, date of issuance of the ID document, authority that issued the ID document, country code of the issuer of the ID document, employer's name if the client is employed or retired, comment (if needed, details on the client or his/her employment);
  Address data: address from the ID document, residence address and mailing address (municipality, area, street, address code, state, street, house number, postal code, place), cellular phone number, home/business phone number, e-mail address, communication channel;
  Additional data: residential status, real estate ownership, motor vehicle ownership, motor vehicle age, marital status, profession, occupation, employer's business name, industry, type of employment, date of employment, working experience (years and months), number of supported family members, number of employed family members.
Data from the KYC Questionnaire:
  Data on the customer: name and surname, Personal Identification Number, date of birth, place of birth, country of birth, citizenship, gender;
  Customer's residence/domicile: street, house number, town, postal code, country;
  Data on the ID document: type, number, issuer, date of issue;
  Is he/she: employee, entrepreneur, freelancer, self-employed, unemployed, student, retired, other;
  Has he/she or his/her close relative held at any time during the last 12 months a public office in Serbia or in a foreign country or international organization;
  Country where the main business is carried out;
  Type of transactions that will be processed through the account (cash, cross-border or wire transactions, savings and investments, other);
  Will the turnover on the account mostly refer to cash transactions, the reasons for that, and the expected average amounts (roughly);
  Expected average monthly level of in-payments to the account (up to € 1,000, up to € 2,000, up to € 4,000, up to € 10,000, or over € 10,000);
  Expected sources of funds (regular salary, other);
  Annual amount of expected other income;
  Will transactions on behalf of third persons be carried out through the account.
Customer data obtained from the Credit Bureau:
  General information: name, father's name and surname, Personal Identification Number, address (street and number, place);
  Applications, liabilities and approvals: number of applications within the last 30 days, total number of applications, total liabilities, granted approvals;
  Liabilities upon loans: use of loans, over-dues;
  Personal guarantees: issued guarantees, over-dues, cancelled guarantees;
  Current accounts: balance, disputes;
  Payment cards: debit cards (balance, disputes), credit cards (balance, over-dues);
  Leasing contracts: liabilities, over-dues.
Data from the registry of births: name and surname; date of birth; place of birth; name and surname of parents; number and date of the extract from the registry.
Data from the registry of marriages: name and surname; date of birth; date of marriage; place of birth; name and surname of spouse; name and surname of parents; number and date of the extract from the registry.
Data from the registry of deaths: name and surname; date of birth; date of death; place of birth; name and surname of spouse; number and date of the extract from the registry.
Data from the identification document (ID card, passport): name and surname; date of birth; place of birth; Personal Identification Number; place of issuance; number and date of issuance.
Especially sensitive data: gender and whether welfare is being received.

3 Type of processing activities
Entering of new clients; Modification of client data; Copying of customer documents; Obtaining data on the client; Re-writing of client data; Transfer of client data.

4 Name, head office and address of the responsible organizational part
Banca Intesa a.d. Beograd, Milentija Popovića 7B, 11070 Novi Beograd
Retail Division, Retail Product and Service Management Department (in respect of individuals).

5 Date of commencement of data processing or date of Data File creation
23/03/1998

6 Purpose of processing
Processing of data necessary for a certain product of the Bank, as required by a customer:
  Data processing in accordance with the law;
  Data processing in accordance with the Bank's applicative rules.
Processing is done upon the approval granted by the individual and based on law and other regulations.

7 Legal grounds for data processing or creation of data file
Law on Banks; Law on Contracts and Torts; Law on Payment Operations; Law on Foreign Exchange Operations; Family Law; Law on Inheritance; Law on Money Laundering and Terrorist Financing Prevention; Law on Cheques; Law on Bills of Exchange; Law on Citizen Income Tax; Law on Foreign Persons' Residence and Transport; Law on Identity Card; Law on Travel Documents; Law on Residence; Law on Conditions of Employment of Non-residents; Law on Pledge on Registered Movable Property; Mortgage Law; Law on the National Corporation for Insurance of Mortgage Loans; Decision on Minimum Content of the "Know Your Customer" Procedure; Decision on Conditions for Opening and Maintaining Non-resident Accounts; Decision on Conditions for Opening and Maintaining Resident Foreign Currency Accounts; Decision on Conditions and Manner of Opening, Maintaining and Closing Accounts with a Bank; Inter-banking Agreement on Inter-banking Services in the Field of Dinar Savings, Foreign Currency Savings, Citizen Current Accounts, Legal Entities' Current Accounts and Payment Cards; Rules on Refugee Identity Card; Consent of a natural person (data subject); Contractual relationship.

8 Category of data subjects
Current account holder; Depositor; User of a safe-box; Loan user; Guarantor; Pledge debtor.

9 Type and degree of data confidentiality
Banking secret; Strictly confidential.

10 Method of data collection and keeping
Data obtained from the identification document; Data obtained from other documents issued by responsible Serbian authorities; Data obtained from the KYC Questionnaire; Data obtained from the Credit Bureau; Data obtained from the customer while establishing a contractual relationship with the Bank; Data obtained from the borrower; Data obtained from the proxy issued within/outside the country; Data obtained from the Application for opening the account.
Keeping of data: electronically (on the DATABASE server) and in hard copy.
Notification: by enabling the person to inspect the following, prior to giving consent to personal data processing: "Notification on the conditions of collection and further processing of personal data"; Records on data collection of the Bank in the Central Registry of Personal Data database, managed by the Commissioner for Information of Public Importance and Personal Data Protection.

11 Time limit for data keeping and use
Permanently – contract, product file;
10 years – documentation for opening and closing the account, starting from the closing date; orders upon which changes were entered, starting from the end of the year in which the changes were entered into the books.

12 Business name/name, seat and address of data users
Intesa Sanpaolo S.p.A. Torino – Italy, 10121 Torino, Piazza San Carlo, 156;
Other commercial banks in the RS – transfer of data via the Credit Bureau, in accordance with the customer's written consent;
State bodies and other authorities, institutions and public organizations authorized by law to use personal data;
Generali Osiguranje Srbija a.d.o. – Novi Beograd, Milentija Popovića 7b;
DDOR Novi Sad a.d.o. – Novi Sad, Bulevar Mihajla Pupina 8;
Paralympic Committee Foundation of Serbia, Beograd, Kolarčeva 5;
Telekom Srbija a.d., Beograd, Takovska 2.

13 Mark under which data are transferred in or out of the Republic of Serbia
Intesa Sanpaolo S.p.A. Torino – Italy, 10121 Torino, Piazza San Carlo, 156: Taking data out of the Republic of Serbia; Legal grounds: agreement; Purpose: relocation of the datacentre to Parma.
GfK Eurisko s.r.l., Via Monte Rosa 19, 20149 Milano – Italy: Taking data out of the Republic of Serbia; Legal grounds: agreement; Purpose: survey on the satisfaction of the Bank's customers.

14 Personal data protection measures taken
Normative protective measures are stipulated by the internal regulation referring to the protection of all data in databases: Data protection policy; Procedure for safe data destruction.
Logical protection measures: Access to the information system housing the databases is secured by a user name and password; Privileges in applications are assigned in accordance with the least privilege principle; A procedure for regular (six-month) audit of employees' access rights is in place; A procedure for removing access of employees leaving the organization is in place.
Physical protection measures: All databases are located in dedicated premises (data centre); Physical control measures have been implemented in the form of: access using cards, double doors, CCTV on entrances and exits, locking of lockers with computers containing databases. Access is granted only to authorized persons.
Other protective measures:
Filing and protection of documents and data based on the Agreement on filing that the Bank concluded with the company Poslovno informacioni sistemi d.o.o., Simina 1, 11000 Belgrade, implemented as of 2010;
Research on the satisfaction of the Bank's customers via phone interviews, starting from 2008: GFK Beograd d.o.o., Milutina Milankovića 72, 11070 Beograd; for further analysis and report drafting, data are forwarded to GfK Eurisko s.r.l., Via Monte Rosa 19, 20149 Milano – Italy. The Agreement entered into between the counterparties of this operation (the so-called "Master Agreement") defines relations and cooperation regarding customer satisfaction research, as well as the protection of data and confidential information;
Procurement and installation of the new module for the ALMPro software is regulated in the contract between Banca Intesa a.d. Beograd and the company Prometeia S.p.A., Via G. Marconi 43, 40122 Bologna, Italia. During the implementation period, the company will have insight into the Bank's personal data referring to credit and deposit products, contained in the electronic databases transferred to Italy, as mentioned under 13, paragraph 1 above. Within the scope of the contracted activities, Prometeia will process personal data of the Bank's clients (individuals) on behalf of the Bank. The contract defines the confidentiality and protection of the personal data;
Contract between Banca Intesa a.d. Beograd and TELEKOM SRBIJA AD BEOGRAD, Takovska 2, Beograd, regulates services of printing and preprinting of documents, enclosures and envelopes, packing of mail, and personalisation and graphic processing directly performed by the Printing Centre of TELEKOM SRBIJA AD BEOGRAD, as well as the confidentiality and protection of personal data. Banca Intesa a.d. Beograd provides data for printing in encrypted format;
Contract between Banca Intesa a.d. Beograd and the NATIONAL BANK OF SERBIA – INSTITUTE FOR MANUFACTURING BANKNOTES AND COINS – TOPČIDER, Pionirska 2, Beograd, regulates the generation of data used for personalisation of payment cards and printing of PINs, personalisation of payment cards issued by the Bank, personalisation of blank cards, packing of cards into envelopes, and printing of PINs. The contract defines the confidentiality and protection of the personal data;
In the form of a contract on business cooperation, Banca Intesa a.d. Beograd authorised EOS MATRIX DOO BEOGRAD, Đorđa Stanojevića 14, Beograd, to collect outstanding debt in arrears from the Bank's clients (individuals) on behalf of the Bank, without filing court action. An obligation to report on actions taken on a daily basis is also contracted. The contract also defines the confidentiality and protection of the personal data;
In the form of a contract on business cooperation, Banca Intesa a.d. Beograd authorised DOO CREDITEXPRESS BEOGRAD, Tošin bunar 272/II, Beograd, to collect outstanding debt in arrears from the Bank's clients (individuals) on behalf of the Bank, without filing court action. An obligation to report on actions taken on a daily basis is also contracted. The contract also defines the confidentiality and protection of the personal data;
Contract between Banca Intesa a.d. Beograd and Grid Studio doo Beograd, Crnotravska bb, Beograd, regulates services of production, personalisation, packing in envelopes and delivery of printed promotional material to the Bank. The contract also defines the confidentiality and protection of the personal data;
Contract between Banca Intesa a.d. Beograd and ASSECO SEE DOO BEOGRAD, Milutina Milankovića 19g, regulates the services of the e-banking services centre for the Bank and its clients (issuing of digital certificates). The contract also defines the confidentiality and protection of the personal data;
Contract between Banca Intesa a.d. Beograd and ELECTRONIC BANKING BUREAU A.D. BEOGRAD, Beogradska 39, Beograd, regulates e-banking payment services. The contract also defines the confidentiality and protection of the personal data.

15 Requests concerning data processing

16 Note

DATA FILE CONTROLLER ___________________________