PRIVACY POLICY

We give utmost importance to the protection of personal data of our users. This Privacy Policy defines the purpose and methods of processing personal data and explains how we collect, use, process and disclose your data, including personal data regarding your access to and use of the Flik Pay mobile application (hereinafter: the mobile application, the Flik Pay mobile application) in accordance with the provisions of Regulation (EU) 2016/697 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: the GDPR) and the national legislation (Personal Data Protection Act, hereinafter: ZVOP-1).

References to “we”, “us” or “our” herein refer to one of the user’s (savings) banks stated below, which is responsible for processing your data (hereinafter: the Data Controller):

• Addiko Bank d.d., with its registered office and registered address at Dunajska cesta 117, 1000 Ljubljana. For additional information regarding the collection, processing and protection of personal data, please write to dpo.si@addiko.si or call +386 (0)1 580 40 00.
• BKS Bank AG, with its registered office and registered address at Verovškova ulica 55a, 1000 Ljubljana. For additional information regarding the collection, processing and protection of personal data, please write to info@bksbank.si or call +386 (0)1 589 57 18.
• DBS d.d., with its registered office and registered address at Kolodvorska ulica 9, 1000 Ljubljana. For additional information regarding the collection, processing and protection of personal data, please write to info@dbs.si or call +386 (0)1 472 71 00.
• Gorenjska banka d.d., with its registered office and registered address at Bleiweisova cesta 1, 4000 Kranj. For additional information regarding the collection, processing and protection of personal data, please write to info@gbkr.si or call +386 (0)4 208 40 00.
• LON d.d., with its registered office and registered address at Žanova ulica 3, 4000 Kranj. For additional information regarding the collection, processing and protection of personal data, please write to info@lon.si or call +386 (0)4 280 07 77.
• N Banka d.d., with its registered office and registered address at Dunajska cesta 128a, 1000 Ljubljana. For additional information regarding the collection, processing and protection of personal data, please write to dpo@nbanka.si or call 080 22 65.
• Primorska hranilnica Vipava d.d., with its registered office and registered address at Glavni trg 15, 5271 Vipava. For additional information regarding the collection, processing and protection of personal data, please write to info@phv.si or call +386 (0)5 366 45 00.
• SKB banka d.d., with its registered office and registered address at Ajdovščina 4, 1000 Ljubljana. For additional information regarding the collection, processing and protection of personal data, please write to dpo@skb.si or call +386 (0)1 471 55 55.
• UniCredit Banka Slovenija d.d., with its registered office and registered address at Ameriška ulica 2, 1000 Ljubljana. For additional information regarding the collection, processing and protection of personal data, please write to dpo@unicreditgroup.si or call 080 88 00.

For information on the data protection officer of the Data Controller, please contact the Data Controller using the contact details above.

References to “you”, “your” or “yours” herein refer to you as a user of our service.

For the purposes of this Privacy Policy, the service includes all services related to sending and receiving instant payments in accordance with the rules of the Slovenian national Flik scheme and the General Terms and Conditions of the Flik Pay Mobile Application (hereinafter: the Terms and Conditions).

By accepting the Terms and Conditions together with this Privacy Policy, you confirm that you are familiar with this Privacy Policy. The personal data we collect, use, process and keep are used only to provide and improve the service. We will not use, share or disclose your personal data to third parties except as described herein.

1. What is the legal basis for processing of data?

Processing if necessary:

• for the performance of a contract (Article 6(1)(b) of the GDPR) concluded by the data subject (vi) and under which the Data Controller is obliged to provide the services as defined in the Terms and Conditions;
• on the basis of your explicit consent (Article 6(1)(a) of the GDPR), as defined hereinafter (for instance, if you consent to receiving push notifications);
• on the basis of the requirements of the applicable legislation, namely the provisions of the Payment Services, Electronic Money Issuing Services and Payment Systems Act (hereinafter: ZPlaSSIED) and the Prevention of Money Laundering and Terrorist Financing Act (hereinafter: ZPPDFT-1) (Article 6(1)(c) of the GDPR).

2. What data are being collected and/or processed?

I. Data about you/your device:

• type of user (natural person),
• name and surname,
• address: street and number, town, postal code,
• tax number,
• transaction account data (IBAN and BIC),
• contact number for sending a one-time password,
• contact information (alias): telephone number, e-mail address,
• information about your mobile device,
• push token,
• operating system and version,
• mobile application and its version,
• IP address,
• data about transactions.

II. Use of permissions on your device
The mobile application requires access to the data and components of your device described below for the proper functioning of some of its functions.

Required permissions to use the mobile application on Android devices:

View network connections, Full network access, View Wi-Fi connections and Receive data from the internet
The mobile application requires access to the internet to function.

Disable stand-by mode
The mobile application requires access to this permission to prevent a device from switching to stand-by mode during the payment process.

Vibration control
The mobile application requires this permission to send feedback to you.

Read badge notifications
This permission is needed to allow to read and change number of notifications received by the mobile application.

Control Near-Field Communication
The mobile application requires access to communications using NFC technology for the purpose of communicating with POS terminals.

Optional permissions to use the mobile application on Android devices:

Enable fingerprint authentication and biometrics
If your device supports fingerprint recognition or other biometric identification, the mobile application requires this permission for user authentication.

Photographs and video recording
The mobile application needs camera access in order to scan a QR code and thus trigger payment.

Access Contacts, Edit Contacts
It is used to access the Contacts on your phone to obtain the recipient’s contact information (alias), which is then translated into the recipient’s account information.

Find accounts on the device
The mobile application requires access to accounts for reasons of compatibility.

Directly call phone numbers
The mobile application needs access to call phone numbers to call the contact number of the user’s (savings) bank.

Modify or delete contents of your SD card and Read the contents of your SD card
The mobile application requires these two permissions to save data on a device.

Overlay permission
A screen overlay allows making NFC payments outside the mobile application.

Required permissions to use the mobile application on iOS devices:

Read badge notifications
This permission is needed to allow to read and change number of notifications received by the mobile application.

Background App Refresh
It is used to refresh the mobile application while running in the background.

Optional permissions to use the mobile application on iOS devices:

Camera, Images
The mobile application needs camera access in order to scan a QR code and thus trigger payment.

Mobile data transfer
The mobile application requires access to the internet to function.

Contacts
It is used to access the Contacts on your phone to obtain the recipient’s contact information (alias), which is then translated into the recipient’s account information.

Fingerprint
If your device supports fingerprint recognition, the mobile application requires this permission for user authentication.

Face ID
If your device supports face identification, the mobile application requires this permission for user authentication.

Notifications
The mobile application needs access to notifications for sending and receiving push notifications.

You can limit the access to your personal data in the mobile application through the settings of your mobile device. Please note that certain functions will be disabled if you limit access which might cause the mobile application not to function properly. Biometric identification, such as fingerprint and facial recognition, can be used instead of a password to log in to the Flik Pay mobile application and to confirm payment transactions in the Flik Pay mobile application. Fingerprint or facial data are stored exclusively on your mobile device. We do not process fingerprint and facial image data (we do not store or access these data), which means that we are not the controller of such personal data. Nor can it be considered that such data are processed by our contractual processor on our behalf. In view of the above, we do not guarantee the compliance of the processing of such personal data with ZVOP-1 or the GDPR. Moreover, we are not liable nor do we guarantee the security of the fingerprint identification and facial recognition function on any device and the operation of the function as provided by the device manufacturer.

The mobile application will ask for your consent to process the data necessary for additional features provided by the mobile application – optional permissions.

3. For what purposes do we use the data we collect

We use, store, and process data, including personal data, about you and your device in order to provide the service of:

• • Verifying or authenticating information or identifications provided by you;
  • Authenticating your access to the mobile application;
  • Sending instant payments to the merchant via the QR interface;
  • Sending instant payments to the merchant via the NFC interface on Android devices (if supported by the mobile device);
  • Sending instant payments to a recipient who has defined contact details (alias) in the Flik Directory;
  • Sending payment requests to a recipient who has defined contact details (alias) in the Flik Directory;
  • Receiving instant payments if you have defined at least one contact (alias) in the Flik Directory;
  • Receiving payment requests if you have defined at least one contact (alias) in the Flik Directory;
  • Reviewing the status of transactions performed using the Flik Pay mobile application;
  • Providing and monitoring your payment transactions;
  • Receiving push notifications regarding important updates to the mobile application or other information related to the use of the mobile application.

Based on the ZPPDFT-1 and the ZPlaSSIED, your data is also processed for the following purposes:

• identifying and verifying your identity;
• verifying the compliance of transactions with the intended purpose of business;
• record keeping and data retention.

Based on legitimate interests pursued by controllers and which are not overridden by your interests or your fundamental rights and freedoms, your data are also processed for the purpose of providing a better and safer user experience and functioning of the application, and to prevent possible fraud and scam.

With your consent, your data are processed for the purpose of using additional functionalities of the mobile application, as stated in item II under the optional permissions for the use of the mobile application.

4. Data retention

In accordance with ZPPDFT-1, data on executed transactions are kept for 10 years after the transaction or after the termination of the business relationship with you or, if the collection of personal data is subject to you consent, until the revocation of consent.

5. With whom do we share the data

We do not provide or disclose data to third parties, unless we are required to do so by the law or other appropriate legal basis.

The processing of payment transactions on our behalf is performed by Bankart d.o.o., which has its registered office and registered address at Celovška cesta 150, 1000 Ljubljana and with which we have concluded an appropriate data processing contract and which is our contractual partner for the processing of personal data. Some parts of the above described personal data processing are carried out by a US-based sub-processor contracted by Bankart under Article 28 of the GDPR, and transfer of personal data to the EU is carried out based on standard contractual clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).

6. Push notifications and opt-out options

We may occasionally send you push notification for important mobile application udpates or other information regarding the use of the mobile application. You may opt-out of receiving such notifications by going to your device Settings, clicking on App Notifications and then changing the settings.

7. Safety

We take the responsibility to ensure that your personal data is secured.
To prevent unauthorised access to or disclosure of data transmitted, stored or otherwise processed we maintain physical, technical, electronic, organisational and procedural safeguards that comply with applicable regulations to guard non-public personal data. All internet communications are secured using all necessary measures. We allow access to your personally identifiable data only to persons authorised to process such data who need to know such information in order to provide the service to you. These persons are bound by secrecy.

8. Automated decision-making

On the basis of the provisions of Articles 13 and 22 of the General Data Protection Regulation, we hereby inform you that the Bank uses automated decision-making when processing data on the use of Flik Pay only in the framework of anti-fraud procedures, pursuant to Article 22(2)(a), as this processing is necessary for the implementation of legal obligations. Special categories of personal data are not processed. If you disagree with the result of the automated decision of the payment fraud prevention system, you can challenge this decision by stating your position and requesting the Bank to have the decision reviewed by its employee.

9. Right of access by the data subject

Under the GDPR you have a series of rights related to personal data processing, regulated in Articles 15–22 of the GDPR.

Right to withdraw consent

If you have given consent to the processing of your personal data for one or more specific purposes as the data subject, you have the right to withdrawal your consent at any time.

Immediately after receiving the withdrawal of your consent for one or more specific purposes, the Data Controller shall stop processing your personal data for the specific purpose.

The withdrawal of consent for personal data processing shall not affect the lawfulness of processing of personal data based on consent before its withdrawal and the use of these personal data for legally or contractually specified purposes.

Right of access by the data subject to processed personal data

You have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients to whom the personal data have been or will be disclosed; the envisaged period for which the personal data will be stored; the source of personal data.

Right to have your personal data that are inaccurate rectified

You have the right to request that the Data Controller rectifies or completes inaccurate or incomplete personal data concerning you.

The Data Controller will immediately notify you of the correction of your personal data.

Right to restriction of processing of personal data

You have the right to request that the Data Controller restricts processing of your personal data if such data are inaccurate, unlawful, no longer needed for the purposes of the processing or if objection has been made.

Right to erasure of personal data (“right to be forgotten”)

You have the right to request the Data Controller to erase, without undue delay, your personal data that it has been processing.

If personal data are erased at your request, you will be notified by the Data Controller of erasure.

Right to objection

In addition to the right to withdraw consent, if your personal data are used for information purposes and/or direct marketing, you can request in writing that your data stop being used for that purpose at any time. If you object to processing for marketing purposes, the Data Controller will immediately stop processing personal data for marketing and information purposes.

Right to data portability

You have the right to have your personal data that are processed by the Data Controller transmitted directly from the Data Controller to another controller, where technically feasible.

You can exercise the rights referred to in this item by sending a request by any means to your Data Controller (contact details are given in paragraph two of this Privacy Policy) or the contractual processor – Bankart d.o.o., Ljubljana, with registered office at Celovška 150, 1000 Ljubljana, telephone: +386 (0)1 583 41 00, e-mail: info@bankart.si. The request will be decided in 30 days of receipt, except in exceptional cases.

Right to lodge a complaint with a supervisory authority

If you consider that your rights have been infringed by data processing, you may file a complaint with the Information Commissioner at Dunajska cesta 22, 1000 Ljubljana.

10. Amendments to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time in accordance with this provision. If this Privacy Policy is amended, the revised Privacy Policy will be posted on the website of the data processor Bankart d.o.o. and in the mobile application.

Ljubljana, 13/04/2022