Data File on Customer Core Information Used for

Enclosure no. 3
No.1
REPORT ON PERSONAL DATA PROCESSING
The terms used in this form have the meaning assigned by the Personal Data Protection Law ("Official
Gazette of the RS", number 97/08) and by this provision.
These records refer to the following:
1) Prior notification on the intended establishing of personal data files. Date of delivery of prior
notification ________.
2) First reporting of personal data files number: 01.
3) Changes, i.e. supplements to files number 03/2013.
Date of delivery of changes, i.e. supplements to the files 26.09.2013.
1 Ordinal number
01
2 Type of personal data and name of personal data collection
Title of the collection: Basic data on Individuals, used for all products of the
Bank.
Type of data:
 Data on a natural person, from an application form:
 Personal data: status and sub-status of residence, Personal Identification
Number, name and surname, parent’s name, gender, date of birth, country
of birth, place of birth, type of identification document (identity card,
passport or extract from the registry for minors), registry
number of ID document, place of issuance of ID document, date of
issuance of ID document, authority that issued the ID document, country code of
the issuer of ID document, employer’s name if the client is employed or
retired, comment (if needed – details on the client or his/her employment);
 Address data: address from the ID document, residence address and
mailing address (municipality, area, street, address code, state, street,
house number, postal code, place), cellular phone number, home/business
phone number, e-mail address, communication channel;
 Additional data: residential status, real estate ownership, motor vehicle
ownership, motor vehicle age, marital status, profession, occupation,
employer’s business name, industry, type of employment, date of
employment, working experience (years and months), number of
supported family members, number of employed family members.
 Data from the KYC Questionnaire:
 Data on the customer: name and surname, Personal Identification
Number, date of birth, place of birth, country of birth, citizenship, gender;
 Customer’s residence/domicile: street, house number, town, postal code,
country;
 Data on the ID document: type, number, issuer, date of release;
 Is he/she: employee, entrepreneur, freelancer, self-employed,
unemployed, student, retired, other;
 Has he/she or his/her close relative held at any time during last 12 months
a public office in Serbia or in a foreign country or international organization;
 Country where the main business is carried out;

 Type of transactions that will be processed through the account (cash,
cross-border or wire transactions, savings and investments, other);
Code: BIB.1010.P.010-OBR.03
Version: III/26.09.2013
 Will the turnover on the account mostly refer to cash transactions, the
reasons for that, and the expected average amounts (roughly);
 Expected average monthly level of in-payments to the account (up to €
1,000, up to € 2,000, up to € 4,000, up to € 10,000, or over € 10,000);
 Expected sources of funds (regular salary, other);
 Annual amount of expected other income;
 Will the transactions on behalf of third persons be carried out through the
account.
 Customer data obtained from the Credit Bureau:
 General information: name, father name and surname, Personal
Identification Number, address (street and number, place);
 Applications, liabilities and approvals: number of applications within last 30
days, total number of applications, total liabilities, granted approvals;
 Liabilities upon loans: using of loans, over-dues;
 Personal guarantees: issued guarantees, over-dues, cancelled
guarantees;
 Current accounts: balance, disputes;
 Payment cards: debit cards (balance, disputes), credit cards (balance,
over-dues);
 Leasing contracts (liabilities, over-dues).
 Data from the registry of births: Name and surname; date of birth; place of
birth; name and surname of parents; number and date of extract from the
registry.
 Data from the registry of marriages: Name and surname; date of birth; date
of marriage; place of birth; name and surname of spouse; name and surname
of parents; number and date of extract from the registry.
 Data from the registry of deaths: Name and surname; date of birth; date of
death; place of birth; name and surname of spouse; number and date of
extract from the registry.
 Data from the identification document (ID card, passport): name and
surname; date of birth; place of birth; Personal Identification Number; place of
issuance; number and date of issuance.
Especially sensitive data: gender and whether welfare is being received.
3 Type of processing activities
 Entering of new clients;
 Modification of client data;
 Copying of customer documents;
 Obtaining data on client;
 Re-writing of client data;
 Transfer of client data.
4 Name, head office and address of the responsible organizational part
Banca Intesa a.d. Beograd, Milentija Popovića 7B, 11070 Novi Beograd
Retail Division, Retail Product and Service Management Department– in respect
of individuals.
5 Date of commencement of data processing or date of Data File creation
23/03/1998
6 Purpose of processing
Processing of data necessary for a certain product of the Bank, as required by a
customer:
 Data processing in accordance with the law;
 Data processing in accordance with the Bank’s applicative rules.
Processing is done upon the approval granted by the individual and based on law
and other regulations.
7 Legal grounds for data processing or creation of data file
 Law on Banks;
 Law on Contracts and Torts;
 Law on Payment Operations;
 Law on Foreign Exchange Operations;
 Family Law;
 Law on Inheritance;
 Law on Money Laundering and Terrorist Financing Prevention;
 Law on Cheques;
 Law on Bill of Exchange;
 Law on Citizen Income Tax;
 Law on Foreign Persons Residence and Transport;
 Law on Identity Card;
 Law on Travel Documents;
 Law on Residence;
 Law on Conditions of Employment of Non-residents;
 Law on Pledge on Registered Movable Property;
 Mortgage Law;
 Law on the National Corporation for Insurance of Mortgage Loans;
 Decision on Minimum Content of “Know Your Customer” Procedure;
 Decision on Conditions for Opening and Maintaining Non-resident Accounts;
 Decision on Conditions for Opening and Maintaining Resident Foreign
Currency Accounts;
 Decision on Conditions and Manner of Opening, Maintaining and Closing
Accounts with a Bank;
 Inter-banking Agreement on Inter-banking Services in the Field of Dinar
Savings, Foreign Currency Savings, Citizen Current Accounts, Legal Entities
Current Accounts and Payment Cards;
 Rules on Refugee Identity Card;
 Consent of a natural person – data subject;
 Contractual relationship.
8 Category of data subjects
 Current account holder;
 Depositor;
 User of a safe-box;
 Loan user;
 Guarantor;
 Pledge debtor.
9 Type and degree of data confidentiality
 Banking secret;
 Strictly confidential.
10 Method of data collection and keeping
 Data obtained from the identification document;
 Data obtained from other documents issued by responsible Serbian authorities;
 Data obtained from the KYC Questionnaire;
 Data obtained from the Credit Bureau;
 Data obtained from the customer while establishing contractual relationship
with the Bank;
 Data obtained from the borrower;
 Data obtained from the proxy issued within/out of the country;
 Data obtained from the Application for opening the account.
Keeping of data: electronically (on DATABASE server) and in hard copy.
Notification – by enabling the person to inspect the following, prior to giving
consent to personal data processing:
 “Notification on the conditions of collection and further processing of personal
data”;
 Records on data collection of the Bank in the Central Registry of Personal
data database, managed by the Commissioner for Information of Public
Importance and Personal data Protection.
11 Time limit for data keeping and use
 Permanently – contract, product file;
 10 years – Documentation for opening and closing the account – starting
from the closing date.
Orders upon which changes were entered – starting from the end of the year in
which the changes were entered into the books.
12 Business name/name, seat and address of data users
 Intesa Sanpaolo S.p.A. Torino - Italy, 10121 Torino, Piazza San Carlo, 156;
 Other commercial banks in RS – transfer of data via Credit Bureau, in
accordance with the customer written consent;
 State bodies and other authorities, institutions and public organizations
authorized to use personal data, by law;
 Generali Osiguranje Srbija a.d.o. – Novi Beograd, Milenija Popovića 7b;
 DDOR Novi Sad a.d.o. – Novi Sad, Bulevar Mihajla Pupina 8;
 Paralympic Committee Foundation of Serbia, Beograd, Kolarčeva 5;
 Telekom Srbija a.d, Beograd, Takovska 2.
13 Mark under which data are transferred in or out of the Republic of Serbia
Intesa Sanpaolo S.p.A. Torino – Italy, 10121 Torino, Piazza San Carlo, 156:
 Taking data out of the Republic of Serbia;
 Legal grounds: agreement;
 Purpose: relocation of the datacentre into Parma.
GfK Eurisko s.r.l., Via Monte Rosa 19, 20149 Milano – Italy:
 Taking data out of the Republic of Serbia;
 Legal grounds: agreement;
 Purpose: survey on satisfaction of the Bank’s customers.
14 Personal data protection measures taken
Normative protective measures are stipulated by the internal regulation
referring to protection of all data in databases:
 Data protection policy;
 Procedure for safe data destruction.
Logical protection measures:
 Access to information system housing databases is secured by a user name
and password;
 Privileges in application are being assigned in accordance with the least
privilege principle;
 Procedure for regular (six-month) audit of employees’ access rights in place;
 Procedure for removing access for employees leaving the organization.
Physical protection measures:
 All data bases are located in dedicated premises (data centre);
 Physical control measures have been implemented in the form of: access
using cards, double doors, CCTV on entrances and exits, locking of lockers
with computers containing databases. Access only to authorized persons.
Other protective measures:
 Filing and protection of documents and data based on the Agreement on
filing that the Bank concluded with the Company: Poslovno informacioni
sistemi d.o.o., Simina 1, 11000 Belgrade, implemented as of 2010;
 Research on the satisfaction of the Bank’s customers via phone interviews,
starting from 2008: GFK Beograd d.o.o., Milutina Milankovića 72, 11070
Beograd, and for further analysis and report drafting, data are forwarded to:
GfK Eurisko s.r.l., Via Monte Rosa 19, 20149 Milano – Italy. The Agreement
entered into between the counterparties of this operation defines relations
and cooperation regarding customer satisfaction research (the so-called “Master
Agreement”), as well as data and confidential information protection.
 Procurement and installation of the new module for ALMPro software is
regulated in the contract between Banca Intesa a.d. Beograd and the company
Prometeia S.p.A., Via G. Marconi 43, 40122 Bologna, Italia. During the
implementation period, the company will have insight into the Bank’s personal
data referring to credit and deposit products, contained in the electronic
databases transferred to Italy, as mentioned under 13, paragraph 1 above. In
scope of the contracted activities, Prometeia will process personal data of the
Bank’s clients – individuals, on behalf of the Bank. The contract defines
confidentiality and protection of the personal data;
 Contract between Banca Intesa a.d. Beograd and TELEKOM SRBIJA AD
BEOGRAD, Takovska 2, Beograd regulated services of printing and preprinting of documents, enclosures and envelopes, packing of mails and
personalisation and graphic processing directly performed by the Printing
Centre of TELEKOM SRBIJA AD BEOGRAD, as well as confidentiality and
protection of personal data. Banca Intesa a.d. Beograd provides data for
printing in encrypted format;
 Contract between Banca Intesa a.d. Beograd and NATIONAL BANK OF
SERBIA – INSTITUTE FOR MANUFACTURING BANKNOTES AND COINS –
TOPČIDER, Pionirska 2, Beograd, regulated generation of data used for
personalisation of payment cards and printing of PINs, personalisation of
payment cards issued by the Bank, personalisation of blank cards, packing of
cards into envelopes, printing of PINs. The contract defines confidentiality and
protection of the personal data;
 In the form of contract on business cooperation, Banca Intesa a.d. Beograd
authorised EOS MATRIX DOO BEOGRAD, Đorđa Stanojevića 14, Beograd, to
collect outstanding debt in arrears from the Bank’s clients – individuals, on
behalf of the Bank, without filing court action. Obligation of reporting on taken
actions on a daily basis is also contracted. The contract defines also
confidentiality and protection of the personal data;
 In the form of contract on business cooperation, Banca Intesa a.d. Beograd
authorised DOO CREDITEXPRESS BEOGRAD, Tošin bunar 272/II, Beograd,
to collect outstanding debt in arrears from the Bank’s clients – individuals, on
behalf of the Bank, without filing court action. Obligation of reporting on taken
actions on a daily basis is also contracted. The contract defines also
confidentiality and protection of the personal data;
 Contract between Banca Intesa a.d. Beograd and Grid Studio doo Beograd,
Crnotravska bb, Beograd, regulates services of production, personalisation,
packing in envelopes and delivery of printed promo material to the Bank. The
contract defines also confidentiality and protection of the personal data;
 Contract between Banca Intesa a.d. Beograd and ASSECO SEE DOO
BEOGRAD, Milutina Milankovića 19g, regulates services of e-banking services
centre to the Bank and its clients (issuing of digital certificates). The contract
defines also confidentiality and protection of the personal data;
 Contract between Banca Intesa a.d. Beograd and ELECTRONIC BANKING
BUREAU A.D. BEOGRAD, Beogradska 39, Beograd regulates e-banking
payment services. The contract defines also confidentiality and protection of
the personal data.
15 Requests concerning data processing
16 Note
DATA FILE CONTROLLER
___________________________