Personal Data Protection

Personal Data Protection Information

The Association of Serbian Banks – the Credit Bureau fully adheres to all legal regulations, principles and best practices in the field of personal data protection. For the purpose of adequate informing, the Credit Bureau is making the Personal Data Protection Information publicly available on its website. The information includes the contact details of the controller, the contact information of the person in charge of processing personal data, the data collected and processed by the Credit Bureau, the grounds for processing, the rights of persons with respect to processing as well as ways of exercising those rights, and other issues of interest regarding lawful, fair and transparent informing.

Contact information

Association of Serbian Banks b.a.
86 Kralja Aleksandra Blvd
11000 BelgradeTel. +381 11 30 20 760; and email: ubs@ubs-asb.com

Contact information on the person in charge of personal data protection

Milan Brković
Tel. +381 11 30 20 565; and email: zastita.podataka@ubs-asb.com

Data Controller and Processor

In terms of the Law on Personal Data Protection, personal data controllers are banks, leasing companies, payment institutions, government funds, lending agencies and other members of the Credit Bureau. The list of data handlers is published and updated on the Credit Bureau website.

The data controller shall be responsible for the lawful, fair and transparent processing of a subject’s data, the accuracy and up-to-dateness of the data, as well as for the modification, deletion, updating and other activities, as well as the personal rights arising from such processing.

It is the responsibility of the data controller to implement appropriate technical, organisational and personnel measures to ensure that the processing of personal data is being carried out in a lawful, transparent and fair manner.

The personal data controller is required to keep records of processing activities.

The Association of Serbian Banks is a data processor which performs personal data processing on behalf and for the controller. The data processor guarantees the implementation of appropriate technical, organisational and personnel measures in such a way that the processing is carried out in a lawful, transparent manner and enables the rights of data subjects to be protected.

The data processor processes the data only with the written instructions of the controller and must ensure that the individual who processes the personal data is obliged to maintain the confidentiality of the data.

The data processor, taking into account the nature of the processing, assists the controller by implementing appropriate technical, organisational and personnel measures to fulfil the obligations of the controller in relation to the exercise of the data subject’s rights and to make available to the controller all the information necessary to increase the fulfilment of the processor’s obligations.

The data processor is required to keep records of all types of processing operations performed on behalf of the controller, which contain information on the name and contact information of each processor and each controller on whose behalf the processing is performed, as well as the types of processing performed on behalf of each of the controllers.

Data in the Credit Bureau’s system

The information in the Credit Bureau’s system refers to the identification data and to the data on liabilities and regularity in settlement of liabilities towards banks, leasing companies and other members of the Credit Bureau.

The identification information that is collected and processed refers to: first name, one parent's name, surname; unique citizen identification number; day, month and year of birth; residence address, city, postal code.

Data on liabilities and regularity in settlement of liabilities refers to: data on loan liabilities, current accounts, payment cards, leasing contracts and guarantees of an individual, as well as regularity in settlement of liabilities. The Credit Bureau is making publicly available a list of information on liabilities and regularity in settlement of liabilities on its website.

The information in the Credit Bureau’s system is used only for the purpose of approval of service, i.e. the assessment of the creditworthiness and solvency of the clients, for monitoring the settlement regularity during the service life and cannot be used for other purposes.

The Credit Bureau’s system does not collect particularly sensitive information, data of minors, income and property status of persons, nor does it make data available to a third party for any purpose.

Data in the Credit Bureau’s system shall be retained for a period sufficient to fulfil the purpose of the processing and which shall be defined by internal acts of the Credit Bureau.

Legal Basis for Processing Personal Data

The processing of personal data in the Credit Bureau’s system is legal if at least the following conditions are met:

  • The data subject has consented to the processing of his or her personal data for one or more specific purposes,
  • Processing is necessary for the execution of the contract concluded with the data subject or for taking actions, at the request of the data subject, before the conclusion of the contract,
  • Processing is necessary in order to comply with the controller's legal obligations

The processing of personal data in the Credit Bureau’s system will also be considered legal in other cases defined by the Law on Personal Data Protection.

Rights of Data Subjects

The data controller and the processor of the personal data are obliged to provide the data subjects with the exercise of the following rights based on the abovementioned processing:

  • The right to being clearly, concisely and transparently informed on the processing of personal data (controller’s contact details, contact details of the persons in charge of the protection of personal data, purpose of intended processing, type of data and legal basis for processing, about the recipient or group of recipients of personal data, if they exist, and on the length of keeping personal information)
  • The right to require the controller to grant access, correct or delete his or her personal data, as well as to revoke consent at any time.
  • The right to file a complaint with the Commissioner
  • Whether the provision of personal data is a legal or contractual obligation or whether the provision of personal data is a necessary condition for the conclusion of the contract, as well as whether the data subject has an obligation to provide personal information and the possible consequences if data is not provided.

The controller is obliged to provide the data subject, at their request, with a copy of the data being processed.

The Association of Serbian Banks publishes and regularly updates the list of data controllers and types of data processed on its website.

Processing Security

In accordance with the level of technological achievements and the costs of their implementation, the nature, extent, circumstances and purpose of processing, as well as the likelihood of risks occurrence and the level of risk regarding the rights and freedoms of individuals, the controller and processor shall implement appropriate technical, organisational and personnel measures to achieve the appropriate security level against risks such as pseudonymisation and cryptographic protection of personal data, ability to ensure lasting confidentiality, integrity, availability and resilience of systems and processing services, enabling re-availability in case of incidents as soon as possible, regular testing procedures and evaluation of the measures taken, etc.

The controller and processor are required to take steps to ensure that any natural person authorised to access personal data by the controller or processor only processes this data at the controller’s request (authentication and authorisation).

Addressing the Commissioner for Personal Data Protection

Pursuant to the Law on Protection of Personal Data, persons may appeal for protection of rights to the Commissioner for Personal Data Protection:

Commissioner for Information of Public Importance and Personal Data Protection
15 Kralja Aleksandra Blvd
11000 Belgrade
Tel. +381 11 3408 900, email: оffice@poverenik.rs

Changes to the Personal Data Protection Statement

The Credit Bureau reserves the right to change the Statement on Personal Data Protection that will be posted on this website. Please check for changes in order to be timely informed.

Back to top
Back to top