K&H mobilbank Privacy Policy

As data controller, K&H Bank Zrt. (registered seat: 1095 Budapest, Lechner Ödön fasor 9.; company registration number: 01-10-041043, hereinafter: „Bank”) provides the following information concerning the processing of personal data during the use of the K&H mobilbank application.

I. Accesses required by the application

Access

Why?

Description

Camera

Operation of the application

For using the application’s features such as cheque scanning, K&H e-bank login and signature, K&H e-bank activation, K&H+ ticket validation.

Contacts

Operation of the application

For using the application’s features such as setting a phone number as secondary identifier, creating a partner, selecting a phone number during a mobile top-up transaction.

Microphone

Operation of the application

For in-app communication and voice interaction with the application (e.g., K&H quickcall and Kate).

Telephone

Operation of the application

For in-app communication and voice interaction with the application.

Internal memory

Operation of the application

For using the application’s features such as adding attachments to messages sent using the app, saving a contract to the device, storing mobile token and other data needed for the application to function.

Location

Operation of the application, fraud prevention

For using certain features of the app, such as the ATM and branch locator, as well as fraud prevention and fraud detection.

Others

Operation of the application

For using such features as the NFC for payment transactions, and using the biometric identifier and the fingerprint reader hardware on the device for authentication and authorisation purposes.

II. Purpose of data processing

II.1. Providing e-channel services

The Bank enters into a contract with its clients to provide the K&H mobilbank service.

Legal basis

Article 6 (1) (b) of the GDPR (performance of the contract)

Data processing period

Data are processed until the termination of the contract.

Related storage period

8 years after the termination of the business relationship (contract) (based on Article 6 (1) (c) of the GDPR, according to Articles 56 to 58 of the Anti-Money Laundering Act).
In the case of a non-executed contract, 5 years from the date of failure to execute the contract (based on Article 6 (1) (f) of the GDPR, according to Article 166/A(2) of the Banking Act*).

Personal data categories

Basic data (basic identification data, contact details); contractual data relating to the use of the product or service; product and service usage data; customer communication data; data considered sensitive beyond those specified in the GDPR (geolocation, photo).

* Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (“Banking Act”)

II.2. Fraud prevention and fraud detection

For the purpose of improving its capacity to detect and prevent fraud, the Bank processes data in order to mitigate the risks inherent in providing services electronically.

Legal basis

Article 6 (1) (f) of the GDPR (legitimate interest)

Compelling legitimate interest

Pursuant to Article 107(1) of the Banking Act, the Bank uses effective processes to identify, measure, manage, monitor and report risks.

Data processing period

Until the termination of the contract.

Related storage period

5 years after recording the data (based on Article 6 (1) (f) of the GDPR, according to Article 6:22 of the Civil Code)

Personal data categories

Basic data (basic identification data); contractual data relating to the use of the product or service; product and service usage data; customer communication data; data considered sensitive beyond those specified in the GDPR (geolocation, IP address, details regarding interactions)

Please note that the K&H mobilbank does not track your location continuously: location data are only saved upon key security events, such as activating the mobilbank application, logging into the application and signing transactions.

II.3. Logging by the mobilbank application for troubleshooting and debugging purposes

The Bank records various data through the application, to the extent necessary to resolve any errors that may occur during the use of the K&H mobilbank application and thus, to ensure the reliability of the service.

Such data includes information related to the device (ID, IP address, geolocation, operating system, screen resolution, browser type, hacked operating system signal), user activity data during the use of the application, errors and application crash data.

Legal basis 

Article 6 (1) (f) of the GDPR (legitimate interest)

Compelling legitimate interest

Yes, there is – logging is essential for the provision of the service.

Data processing period 

180 days after recording the data.

Related storage period 

5 years after recording the data (based on Article 6 (1) (f) of the GDPR, according to Article 3 (3) (f) of Government Decree no. 42/2015 (III. 12.))

Personal data categories 

Basic data (basic identification data, contact details); product and service usage data; customer communication data.

III. Transfer of personal data

Personal data are transferred to companies carrying out outsourced activities as listed below:

III.1. Bloomreach B.V. (former company name: Exponea s.r.o., Fred. Roeskestraat 109, 1076 EE Amsterdam, Netherlands)

It provides the Bank with software licensing, support and operating services related to the Bloomreach automation communication system. It takes part in sending and storing messages forwarded via the K&H mobilbank application, as well as in processing customer, message, interaction and device data required for sending messages.

III.2 KBC Global Services NV (Havenlaan 2, 1080 Molenbeek-Saint-Jean) 

KBC Global Services provides support through IT services for the development and operation of a new digital assistant solution integrated into the K&H mobile banking application. For this solution, the Service Provider provides infrastructure platform services through Amazon Web Services, and also provides the usage of Google STT/TTS.

Data is transferred to third countries based on an adequacy decision (Article 45 of the GDPR).

IV. Data subjects’ rights and remedies in relation to data processing

You have the right to access, request the rectification, erasure and the restriction of the processing of your personal data, and - in certain cases - object to the processing of the same.

For further information on data processing, including information on rights and remedies and the contact details of the Bank and its data protection officer, please consult our Privacy Notice at www.kh.hu/web/eng/data-protection.