Privacy Policy for Processing Personal Data

This Privacy Policy for Processing Personal data (hereinafter – Policy) provides the main information about processing your personal data when contacting (live, by phone, or electronic means of communication) UAB SME Bank (hereinafter – us), when you use our website www.smebank.lt or mobile application “smeBank” or when you intend to use any of the services we provide, or when you apply for jobs offered by us.

We are your personal data controller, that is:

UAB SME Bank
Legal entity ID	305223469
Office address	Antano Tumėno g. 4-15, Vilnius
E-mail address	[email protected]
Phone number	8 614 88991
Data protection officer (DPO) e-mail	[email protected]

You, the individual (client, client’s representative, family member, guarantor, security measure provider, candidate for a job offer, employee, family member of the employee, member of management body, shareholder) and the representative of a legal person, manager of the company, shareholder, member of the board or other collegiate body, security measure provider, the final beneficiary, etc., seeking to conclude the contract with UAB SME Bank for the services we provide are the subject of the personal data processed by us.

Personal data is understood as any information about you that you submitted yourself or which was received from other sources, and because of which we can identify you. Usually, but not always, it is your name, last name, personal code, or date of birth, contact information, information about the contracts you have concluded with us and information about accounts in these contracts, e-bank user data, phone call records when you call us for a consultation, or video data recorded with video surveillance cameras and other.

Should you have any questions related to the processing, use, or protection of your personal data or this Policy, please contact the data protection officer of UAB SME Bank. We ensure you we put maximum effort to protect your personal data.

This Policy can be renewed should such a need arise. In such events, the renewed version of the Policy is published on our website, so we encourage you to periodically review this Policy.

ON WHAT BASIS DO WE PROCESS YOUR DATA?

We process the personal data in accordance with this Policy, General Data Protection Regulation (hereinafter – GDPR), the law of Legal Protection of Personal Data of the Republic of Lithuania, the law of Electronic Communications of the Republic of Lithuania and other applicable legislation, provisions, and recommendations of regulatory bodies.

When processing your personal data, we act in accordance with the principles of legitimacy, integrity, transparency, data processing scope and time limit (reduction), accuracy principles, we do not collect or require the data subjects to provide, and we do not process the data that is not necessary.

WHAT DATA DO WE COLLECT?

We try to collect as little as possible information about you. We collect the following personal data of yours to carry out our activities and provide quality services, including, but not limited to the following:

Main personal data: name, last name, personal code, date of birth, phone number, e-mail address, home address, or mailing address.
Identity data: data of personal documents, picture of your face, IP address, e-bank or mobile app login data, device language settings and other browsing information, including data about when and where you logged in to our e- bank and website or other electronic platforms.
Data about your financial literacy: education, investment knowledge, and experience.
Data about your transactions and other contracts concluded with our partners SME Finance Group, UAB, depending on the services provided, i.e., bank account number, deposits, payment order and/or other payment transactions, means of payment and actions performed using them, depositing and withdrawing funds, etc.
Financial data: origin of the funds, country of residence for tax purposes, bank accounts, payment documents, financial obligations, assets, types and value of the assets, credit history and creditworthiness, expenses and income, financial goals.
Economic data: Your current/previous employer, your economic-commercial activities (i.e., if you are a farmer, self-employed, etc.), the stability of your income and other sources of income.
Sociodemographic data: gender, marital status, number of dependents and information about your family.
Data about your online behavior and habits which we determine based on your behavior on our website, e-bank, or while using other electronic channels of SME Digital Financing, UAB and our partners SME Finance Group (with your consent).
Data obtained while fulfilling the legislation requirements, such as data obtained through inquiries by court, notaries, bailiffs, law enforcement authorities, etc.
Other data which can provide information about your debtors/creditors, actual beneficiaries, data obtained through transfer of claim rights, and, if it is necessary for the service provided, health data collected with your consent, but no other data of special categories is collected unless you reveal it to us voluntarily.

YOUR PERSONAL DATA PROCESSING IN ORDER TO PROVIDE SERVICES TO YOU

Prevention of Money Laundering and Terrorist Financing

We are a financial institution; thus, we are obliged to properly implement the requirements for money laundering and terrorist financing prevention specified in the legislation. For this purpose, we process your – our clients’, their representatives’ and (or) beneficiaries’ – personal data. We implement the prevention of money laundering and terrorist financing procedures in accordance with the provisions of legislation and UAB SME Bank internal procedures.

Before beginning a business relationship with a client, we establish the identity of such client, its representative and (or) beneficiary.

Usually, the personal data required for the purpose of prevention of money laundering and terrorist financing must be submitted directly by you (e.g., details of your identity documents or other). Despite that, for the aforementioned purposes, we have the right to receive data related to you from other legal sources (e.g., national registries administered by State Enterprise Centre of Registers, other databases used for the aforementioned purpose).

For this purpose, we keep your personal data for up to 8 years from the day of the implementation of the transaction or from the day the business relationship with the client is terminated.

The assessment of Client’s financial status

If you would like to use the services of UAB SME Bank, we must first assess the information about your financial status (e.g., income), to make sure you can properly fulfill the contractual obligations you undertake.

To assess your financial status, we can process the following personal data:

Identity and contact information about you or your representative (e.g., name, last name, personal code, date and place of birth, e-mail address, phone number, etc.).
Information regarding your financial status (e.g., workplace, position, information about income, financial obligations, credit and payment history, information about your family).
Other data that might significantly influence your ability to properly fulfill contractual obligations (e.g., absence of negative circumstances (debts, seizures, insolvency, etc.)).

We obtain most of the information, required to assess your financial credibility, directly from you, however, we may obtain the required information from other sources (e.g., credit information bureau, administered by “Creditinfo Lietuva”, UAB, and other registries).

If you have given your consent to UAB SME Finance Group for it to provide us with your personal data for the purpose of preparing an offer for you, we will obtain this personal data of yours (identity, contact information, overall credit score, etc.) from UAB SME Finance Group.

Please note that in the event where you fail to submit your personal data for us, which is required to assess your financial credibility, we will not be able to develop a business relationship with you.

Sometimes, our decisions are made based on automatic profiling, which we perform in accordance with previously stated information. If you disagree with such automated decision, upon your request, our employee will review the decisions and assess your credit score manually.

We will process your personal data on financial credibility for 10 years from the day of fulfillment of obligations under respective contracts concluded with us (unless a longer period for keeping the data is specified in applicable legislation).

Providing the services and administering concluded contracts

By providing our services for you, we process your personal data on the grounds and for the purpose of concluding contracts and fulfilling the concluded contracts.

While providing our services for you, we can process your personal data, provided in the application (e.g., contact information), data related to transactions and concluding and fulfilling contracts, and other personal data, required for the services we provide. In all cases, we will process the data of our clients (or their representatives, or persons providing security measures) in a manner and scope that is required for proper provision of the services and fulfillment of our legal obligations and (or) legal interests.

We keep our clients’ data for 10 years from the fulfillment of the respective contract. We can keep the data for longer if legislation specifies a longer period for keeping respective data, keeping the personal data for longer is required to protect our interests or it is necessary for a proper administration and recovery of debts.

PROCESSING PERSONAL DATA FOR DIRECT MARKETING

Upon your consent, we analyze your personal data automatically (profile), including information about our services you have ordered and how you use them. We collect and analyze this data to continuously improve our website and your browsing experience as well as our services. We use the collected data to monitor the popularity of our services, the most relevant information for the website visitors, and may customize our website content for you and improve its operations.

If you do not consent with the profiling of your personal data and the use of it for direct marketing, you can withdraw your consent at any time by emailing us at [email protected]

On our website, you can subscribe to our newsletters, related to our activities and services provided. In such an event, we process your personal data for direct marketing, e.g., to send you the newsletters. The grounds for processing the data is your consent, which you express by signing up to our newsletters on our website. We will process your contact information for this purpose.

We will keep such personal data for up to 3 years from the day of consent unless you withdraw your consent before the end of the term.

We, in accordance with the Law of Electronic Communications of the Republic of Lithuania, Article 60, Part 2, may also process the data of existing clients for direct marketing on the grounds of a legal interest of ours.

You have the right to unsubscribe from our newsletters at any time. You can do this by clicking the specific link at the bottom of the newsletters or inform us by e-mail at [email protected].

PROCESSING THE PERSONAL DATA FOR MANAGING YOUR QUERIES

You can contact us by e-mail or phone, submit queries via our social media accounts and (or) contact us using other means. In such cases, we process the data you submitted to administer the queries received from you, ensure the quality of services provide, and, additionally, to fulfill various legal requirements and protect our legitimate interests. The grounds for processing your personal data submitted with the queries is our legitimate interest.

When submitting queries, we kindly ask you to follow at least minimal requirements for protecting your personal data and not to reveal excess personal data that is not required for the particular purpose (the disposition of a request, complaint, query, or any other address to us).

We will keep your data, provided with the queries, for up to 3 years. However, please note that this period may differ depending on the content and type of personal data your provided to us and other circumstances. Your personal data can be kept for a longer period if it is necessary for defending our (or other parties’) rights or legitimate interests, proper administration of your queries, investigation of your complaint or dispute resolution and, in addition, for other cases specified in the legislation.

PROCESSING OF PERSONAL DATA OF JOB CANDIDATES

We can process your personal data which you provide when applying to a work position at our company either by submitting your resume, motivational letter, etc., or through a hiring agency. We process this personal data on the grounds of your consent which you express by submitting the respective data.

The personal data which you provided to become a candidate to a position we offer will be kept for a time which depends on the duration of a particular recruitment process. Once the recruitment is completed, we will only process your personal data if you submit a separate consent to do so.

If you submit your personal data at a time when recruitment for a position is not announced, we can keep your personal data for up to 1 year and use it for later recruitment processes. You can withdraw your consent to process the submitted data at any time by emailing us at [email protected].

When submitting your personal data for existing or future recruitment processes, we kindly ask you to follow at least minimal requirements for protecting your personal data and not to reveal excess personal data that is not required for or related to the evaluation of your candidacy.

COOKIES USED ON THE WEBSITE

Once you visit our website (www.smebank.lt), we may process your IP address, as well as other network data if you submit it. Such data is collected using cookies and (or) similar technological solutions on the grounds on user consent. Cookies are small files sent to the browser you use and saved on your device (e.g., phone or computer). Cookies are transferred to your computer upon the first visit to our website.

Because of this, our website can “remember” your activity, preferences and performed actions for some time. Thus, cookies help us to ensure comfortable and safe operation of our website and analyze the habits of our website visitors. This allows to adapt the website to the needs of its visitors. Some of the cookies (mandatory and analytical) are required for proper functioning of the website, so, if you don’t agree to save cookies, the website might not function properly.

Based on their duration, the cookies are divided into session cookies (deleted as soon as the visitor ends the browsing session) and long-term cookies (saved for a longer time). Cookies can also be divided into those that belong to the first party (e.g., website administrator) or other – third party (e.g., online advertising organizers).

Our website uses the following cookies:

Necessary technical (mandatory) cookies – cookies required for website availability and operation and helping analyze internet website or mobile app content on the device of the visitor. Necessary technical cookies ensure the functionality of the website and mobile app, its adaptation to visitors’ needs. Without these cookies, website operation may be disturbed, and it is impossible to use the website completely freely without them, thus you cannot reject them. Necessary technical cookies do not collect information about the visitors which could be used for marketing.

Analytical – statistical cookies are used to get to know website visitors better and adapt website operations to visitors’ needs. These cookies allow seeing the most popular offers viewed on the website, news, and other similar useful information, help analyze website operation, assess which parts work properly, which ones work perfectly, and which need improvement, thus they cannot be rejected. Information collected with analytical cookies is not individualized and is used generalized, but such cookies can be used to assess if the ad campaigns on the website are efficient.

Name	Type and description	Moment of creation	Expiration date	Data
Necessary technical (mandatory) cookies
wordpress_test_cookie	The cookie checks if the browser accepts cookies.	Upon opening	Until the browser window closes	none
cookielawinfo	The cookie remembers cookie settings.	Upon opening	1 year	none
JSESSIONID	The cookie is used for session support.	Upon opening	Until the browser window closes	Session ID
Analytical – statistical cookies
gtm list	The cookie works as a container from which data is transferred to “Google Tag Manager”.	Upon opening	Until the browser window closes	User ID
_gid	Cookie from “Google Analytics” cookies, used to save unique ID and create statistical information.	Upon opening	1 day	User ID
_ga	One of “Google Analytics” cookies, used to analyze information about how visitors use the website.	Upon opening	2 years	User ID
_gat	This cookie is used to collect “Google Analytics” statistical information about the visits to the website.	Upon opening	1 minute	User ID
_gac_	This cookie is used to collect “Google Analytics” statistical information about the visits to the website.	Upon opening	90 days	User ID

You can manage the use of cookies by changing the settings of your internet browser. Each browser is different, so, if you are not sure how to change the cookie settings, we recommend familiarizing with its user manuals and instructions.

If you do not want the cookies to collect information, reject the use of cookies in your browser settings. However, certain types of cookies (such as the necessary cookies) are required for the proper functioning of the website, so, by rejecting these cookies, the website may not function properly.

You can find more useful information about the cookies, and about managing and deleting them, on the website: www.allaboutcookies.org.

PERSONAL DATA RECIPIENTS

For our operations, we may use certain service providers (e.g., companies providing data storage services, companies creating and maintaining software, companies providing debt administration services, companies providing network services, companies providing archiving services, etc.), which may receive your personal data. We only transfer your personal data to these respective persons in the event and to the extent which is necessary for providing the respective services.

We may also submit your personal data to these recipients:

State institutions and registries (courts, bailiffs, law enforcement authorities, etc.).
Persons administering joint debtors’ data files (e.g., “Creditinfo Lietuva”, UAB).
Other companies when it is necessary for financial accounting, audit, risk assessment, or service provision.
Upon your consent and with grounds and purpose to SME Finance Group companies. In some cases, your personal data recipients may not only be UAB SME Bank but also our partners SME Finance Group and related companies that belong to the same company group.
Other third parties related to providing our services and (or) having legal grounds to receive this data.

In the events where we must submit your processed personal data to a data recipient that is outside EU/EEZ, we aim to ensure that one of the following measures is implemented:

The European Commission has made the decision that the country (where the data receiver is) ensures a proper level of personal data protection (there is a decision for suitability).
There is a contract with the data recipient under the standard contract conditions approved by the European Commission.
Security measures are implemented under applicable codes of conduct or there is a certification mechanism, other security measures are ensured under the General Data Protection Regulation.

In all events, reasonable effort is put to ensure that, in compliance with the legislation, personal data is not lost or illegally used.

YOUR RIGHTS AS THE DATA SUBJECT

As the data subject, you have the following rights:

Familiarize with your personal data and the way it is processed.
Require rectifying incorrect, inaccurate, or incomprehensive data.
Require deleting your personal data.
Require limiting your personal data processing.
Require transferring your personal data to other data manager or submit directly in a form convenient to you.
Disagree with the processing of your personal data if it is processed on the grounds of a legitimate interest.
Withdraw the given agreement for personal data processing.
Submit a complaint to the State Data Protection Inspectorate.

If you wish to implement your rights as a data subject, contact us via e-mail: [email protected]. In your request, please provide information that would allow us to identify you correctly: personal ID document, notarized copy of the document or by signing the request with e-signature. Specify which of the rights and to what extent you would like to implement. If you seek to implement your rights via a representative, please provide the representative’s name, last name, contact information and documents for the grounds of representation additionally.

We will provide you the answer within 30 calendar days from receiving the request. In exceptional cases, we might extend the examination of the request to 60 calendar days from receiving the request. We will inform you about such an event in advance.

If you think that we are processing your personal data illegally or otherwise violate your rights, related to personal data processing, you have the right to contact the State Data Protection Inspectorate by email [email protected] or phone (8 5) 271 28 04, 279 1445. However, before contacting the State Data Protection Inspectorate, we encourage you to immediately contact us first. In such an event, we will be able to find the most effective and optimum decision for both parties.

In our operations, we undertake to process your personal data, which you either personally submitted to us or which we received from other sources, under the principles specified in the General Data Protection Regulation and with responsibility specified in the legislation.

_______________________________