General Data Protection Regulation (GDPR)

The operator of the NBCIR is CNCB, which also serves as the controller of your personal data within the NBCIR.

If you believe that the processing of your personal data within the NBCIR has violated legal regulations or your rights, or if you are unable to resolve your matter with the Client Center, you have the option to contact the Data Protection Officer electronically at poverenec@cncb.cz.

The NBCIR represents a database of information on contractual relationships between creditor entities and their clients. The NBCIR is established based on information (data) provided by creditor entities to CNCB, which individually or collectively reflects the creditworthiness, reliability, and payment discipline, or credit capacity, of the clients of creditor entities.

The following personal data of clients are processed within the NBCIR:

• Identification personal data of the client (e.g., name, surname, birth surname, date of birth, place and country of birth, client’s residential address, and identity document details) and contact personal data provided by the client (e.g., contact address, phone number, and email address).
• Birth registration number of the client – The NBCIR database structure anticipates that personal birth registration numbers of natural persons who are clients of NBCIR users are processed within the NBCIR. Your personal birth registration number, together with other information about you, forms a unique data set that ensures reliable identification of your person in the NBCIR database, effectively preventing any possible confusion with another person listed in the NBCIR. Such identification is also essential for enforcing private-law claims and preventing the occurrence of unpaid debts. Therefore, the conditions stipulated in the Act on Population Records (§ 13c, Paragraph 1, Letter c) of Act No. 133/2000 Coll.) for processing birth registration numbers without the consent of their holders are met. The handling of your birth registration number within the NBCIR, including its purpose, duration, and method of processing, as well as its security and related matters, is governed entirely by the provisions of this memorandum. The requirement to take specific measures to protect your rights and freedoms as a data subject when processing your birth registration number is thus fulfilled.
• Personal data indicating whether a contractual relationship has been established or not between the client (or an applicant, in the case of a guarantor) and the creditor entity.
• Personal data indicating financial obligations of the client that have arisen, may arise, or will arise toward the creditor entity in connection with the contractual relationship, and the fulfillment of these obligations by the client.
• Personal data indicating the security of the client’s obligations related to the contractual relationship with the creditor entity.
• Personal data indicating whether a claim from a contractual relationship with the creditor entity has been assigned regarding the client and the subsequent fulfillment of obligations by the client in relation to such assigned claims, provided that the creditor entity continues to manage the relevant assigned claim and additional contractual conditions are met.
• Any other personal data reflecting the client’s creditworthiness, reliability, and payment discipline that the client has provided or will provide to the creditor entity, or that the creditor entity has obtained or will obtain in connection with the fulfillment or non-fulfillment of the relevant contractual relationship with the creditor entity, including data from the client’s documents.

No special categories of personal data of clients – natural persons (as defined under GDPR, such as health information) are processed within the NBCIR.

The primary purpose of the NBCIR is to facilitate the exchange of information among creditor entities regarding matters reflecting the creditworthiness, reliability, and payment discipline, or credit capacity, of their clients.

The lawful basis for processing clients’ personal data within the NBCIR includes: (a) Compliance with legal obligations of creditor entities when providing consumer credit to an individual. (b) Legitimate interests of creditor entities when providing credit other than consumer credit to an individual, particularly the interest in offering credit products only to creditworthy and reliable clients. (c) Authorization by law for processing birth registration numbers where necessary for enforcing private-law claims or preventing the occurrence of unpaid debts. (d) Consent for processing personal data of individuals representing clients or owners of clients.

Information (data) is included in the NBCIR and subsequently processed to the extent necessary for assessing the payment prospects, credibility and payment discipline or creditworthiness of the client. This includes data provided by the client to the creditor entity in connection with a contractual relationship or data arising from such a relationship during its term. In the case of an assigned debtor, it also includes data arising from their obligations toward the client or NBCIR user during the term of these obligations or the management of the relevant assigned claims.

Information (data) in the NBCIR is updated monthly and retained to facilitate the exchange of information among creditor entities for the duration of all obligations of the client toward an NBCIR user or of the assigned debtor toward the client or NBCIR user. This includes situations where the creditor entity manages the relevant assigned claim (as detailed in the list of personal data processed within the NBCIR above) and for an additional four (4) years after the fulfillment of all obligations by the client or the assigned debtor.

If the requested contract with the client was not concluded, information (data) concerning the client, including the assigned debtor, is retained in the NBCIR for six (6) months from the date the client (or user) submitted the application for the relevant contract (including contracts related to the assignment of factored claims of the assigned debtor).

After the expiration of the relevant period, the processing of such information (data) is restricted. This means the data is made inaccessible for the purposes of information exchange among creditor entities and is archived to determine, exercise, or defend the legal claims of NBCIR users or the data subject. The legal basis for this restricted processing is the legitimate interest of the controller or the data subject in retaining the data for the specified purpose. As part of its legal obligations, CNCB may provide archived data upon request to certain state authorities under specific laws.

After the five-year (5) restricted processing period expires, the information (data) will be automatically deleted.

Information (data) regarding contractual relationships with clients is provided by creditor entities to CNCB, which processes this data within the NBCIR. This processing involves the use of a system for final automated technical processing by the Italian company CRIF S.P.A., headquartered at Via della Beverara 21, 40131 Bologna, Italy, and CRIF – Czech Credit Bureau, a.s., ID No.: 26212242, headquartered at Štětkova 1638/18, Nusle, 14000 Prague 4. CRIF – Czech Credit Bureau provides services related to the mutual exchange of information about the payment prospects, credibility and payment discipline or creditworthiness of clients, as well as the operation of the Client Center, based on relevant agreements with CNCB. In Italy, information is also processed through final automated technical means in compliance with the General Data Protection Regulation (GDPR). This processing includes profiling clients of individual creditor entities. The profiling results are used as one of the bases for a creditor entity’s decision on whether to enter into the requested agreement with the respective client. However, no automated decision-making regarding the conclusion of product agreements with clients takes place within the NBCIR.

CNCB makes processed information (data) available in the form of credit reports to creditor entities using NBCIR services, exclusively for the purpose of exchanging information among creditor entities about the creditworthiness, reliability, and payment discipline of their clients.

Additionally, CNCB provides or may provide the following to creditor entities using the NBCIR:

• Score: A synthetic value representing an evaluation of the information (data) about clients contained in the relevant credit report. This score is also used to assess the creditworthiness, reliability, and payment discipline of clients and is included in both credit reports and aggregate statistical reports (described below).
• Document verification report: A report verifying a client’s document or information stated on it. This serves to confirm the client’s reliability, including compliance with Act No. 253/2008 Sb., on Certain Measures Against Money Laundering and Financing of Terrorism, as amended. The report is generated using public databases and the NBCIR and is provided either independently or as part of credit reports.
• Client risk profile: A profile created based on the client’s data provided to the creditor entity (primarily contact details and any inconsistencies therein) and additional personal data, particularly financial obligations and their fulfillment. This service serves as another basis for verifying the creditworthiness and reliability of the client.
• Aggregate statistical reports: Summarized and anonymized information about the the payment prospects, credibility and payment discipline or creditworthiness of client portfolios within the relevant product market. These reports cannot be linked to any identified or identifiable data subject and may also be shared with supervisory authorities for monitoring and inspection purposes in compliance with applicable laws.
• Information regarding clients with assigned claims: Details about clients whose claims arising from agreements have been or will be assigned by the requesting creditor entity.

The primary right of data subjects (clients of non-banking creditors) is the right to information about the processing and protection of their personal data. This information, along with a list of creditor entities that are NBCIR users, is available in the CNCB Information Memorandum.

Under the GDPR, data subjects have the following rights concerning the processing of their personal data:

1. Right of Access to Personal Data
   You have the right to request confirmation from CNCB about whether your personal data is being processed. If so, you are entitled to access this data and certain related information. CNCB will provide a copy of the personal data processed about you in NBCIR free of charge. However, in accordance with GDPR rules, CNCB may charge a reasonable fee to cover administrative costs if your requests are manifestly unfounded, excessive, or repetitive. If incorrect data about you in NBCIR is corrected, you will receive confirmation of the correction free of charge in the form of a copy of the processed personal data.
2. Right to Rectification of Data
   You have the right to request CNCB to promptly correct any inaccurate personal data processed about you in NBCIR. You also have the right to have incomplete personal data completed, including through the provision of an additional statement.
3. Right to Erasure of Data (“Right to Be Forgotten”)
   You have the right to request that CNCB promptly erase your personal data if any of the conditions stipulated by GDPR are met (e.g., the data is no longer necessary for the specified purposes or has been processed unlawfully).
4. Right to Restrict Processing
   You have the right to request CNCB to restrict the processing of your personal data under certain conditions defined by GDPR (e.g., if the data is inaccurate or the processing is unlawful).
5. Right to Object to Data Processing
   You have the right, for reasons related to your particular situation, to object at any time to the processing of your personal data. CNCB will cease processing your data unless it demonstrates compelling legitimate grounds for processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
6. Right to Data Portability
   This right allows you to receive personal data concerning you (that you provided to an NBCIR user) in a structured, commonly used, and machine-readable format, and to transfer this data to another controller. However, due to the nature of data processing within NBCIR, this right is not applicable, and requests for data portability cannot be fulfilled.
7. Right to Lodge a Complaint
   If you believe that the processing of your personal data in NBCIR violates applicable laws, particularly GDPR, you can file a complaint with:
   The Office for Personal Data Protection
   Pplk. Sochora 27, 170 00 Prague 7, Czech Republic Website: www.uoou.cz

You can exercise your rights at the Client Center operated by CRIF – Czech Credit Bureau, a.s., which CNCB has authorized to handle this activity. Detailed information on how to contact the Client Center, submit a request to exercise your rights, and access request forms can be found here.

Requests to exercise your rights are processed free of charge. However, if a request is manifestly unfounded or excessive—particularly due to its repetitive nature—a fee may be charged to cover administrative costs.

Your personal data is not transferred to third countries outside the European Union or the European Economic Area.