This Privacy Policy sets out and explains how Medicinos Bankas UAB (“Bank”) collects and processes your personal data.
The purpose of this Privacy Policy is to inform you about the ways your personal data are collected and processed and to ensure a fair and transparent process of personal data processing in the Bank.
It is very important that you carefully read this Privacy Policy, because its terms and conditions will apply every time you use/express an intention to use the Bank’s services at the Bank’s customer service units or in the internet banking system, browse the Bank’s website www.medbank.lt, visit the Bank’s premises, call the Bank’s contact centre and in other cases, where your data are processed.
We confirm that when processing your personal data, the Bank observes:
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”);
Law on Legal Protection of Personal Data of the Republic of Lithuania;
Law on Electronic Communications of the Republic of Lithuania;
Other legislation governing the protection of personal data;
Instructions/recommendations of the supervisory authority and other competent authorities.
The Bank may amend this Privacy Policy in the future. Therefore, we recommend that you review it from time to time.
The terms used in this Privacy Policy shall be understood as follows:
Personal Data – any information, directly or indirectly related to you, which is received directly from you or from other sources and may be used to identify you.
Processing – any operation which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or other destruction.
Data Subject – you or any natural person (including the director/representative or the true beneficiary of a legal person), who is using/has expressed and intention to use the Bank’s services or is otherwise related to the Bank and/or the services provided by the Bank, and whose data is processed by the Bank.
Other terms used in this Privacy Policy shall be understood as they are defined in the General Data Protection Regulation (EU) 2016/679 and other legislation governing the protection of personal data.
The Bank processes personal data of the following categories:
Personal identity data, such as first name, last name, national identification number, date of birth, nationality, identity document data.
Contact information, such as address, zip code, telephone number, e-mail address.
Information related to education and professional activity, such as education, employment, position, economic commercial activity.
Family information, such as marital status, number of dependents, heir information.
Financial information, such as income and its source, information about your assets and bank accounts in other financial institutions, information about concluded transactions, expenses, loans and other financial obligations.
Information about creditworthiness and its history, such as credit history, credit rating.
Information related to the provision of Bank services, such as information about the services provided to you by the Bank and related data (e.g. bank account number), information about performance of/default on contracts, concluded transactions, current and expired contracts, submitted applications.
Information needed to ensure the compliance with anti-money laundering and terrorist financing prevention requirements and implementation of international sanctions, such as information about whether you or your immediate family members and close associates are politically vulnerable/exposed individuals, information about true beneficiaries, information about business activities and parties to transactions, business relationship monitoring data.
Information supporting the source of funds or transactions, i.e. proof of source of funds, invoices, sale and purchase contracts, service contracts, payment documents.
Information needed to ensure compliance with the requirements applicable in tax administration, such as the country of residence for tax purposes, taxpayer identification number, date and place of birth.
Information about you as the director/representative and true beneficiary of a legal person who is using/expressed an intention to use Bank services.
Visual data recorded by the Bank’s surveillance equipment during your visit in the Bank’s central office and customer service units.
Information about recorded telephone conversations when calling the Bank’s contact centre, such as the caller’s telephone number, call metadata (date, time and duration of connection). The recorded telephone conversation includes the data provided by you during the telephone conversation.
Information created and/or received during performance of a legal obligation, such as information received based on inquiries of courts, law enforcement agencies, notaries, bailiffs, lawyers and tax authority about the income, financial obligations, property and outstanding debt.
Information generated by the use of electronic means of communication, such as information provided by e-mail, on the website and social networks, information about traffic: the user’s IP address at the time of connection, operating system version and parameters of the device used to access content/services; login information: your session time and duration; query words entered on the Bank’s website and any information stored in cookies placed on your device.
Information related to your habits/behaviour on the Bank’s website, in the online banking system or the Bank’s mobile application.
The Bank processes your personal data for the following purposes:
Personal identification and verification, implementing the Know-Your-Customer principle;
Determination and assessment of creditworthiness;
Credit risk assessment and management, including but not limited to implementation of the standard maximum loan per customer and a group of related customers;
Provision of financial services;
Fulfilment of contractual obligations;
Maintaining a relationship and communication with you;
Giving advice and assessment of your needs;
Ensuring compliance with anti-money laundering and terrorist financing prevention requirements and implementation of international sanctions;
Ensuring the quality of services and defence of Bank’s rights (recording of telephone conversations);
Ensuring the protection and safety of the Bank’s property (video surveillance);
Organisation and implementation of recruitment of employees and trainees;
Defence and protection of the Bank’s rights and legitimate interests;
Direct marketing.
Please be advised that you have the right to opt out of receiving direct marketing messages from the Bank by notifying the Bank of your decision at any customer service unit of the Bank, by clicking an active link “Do not send” in a received direct marketing e-mail message or by changing the direct marketing settings in the online banking system.
The Bank processes your personal data on the following legal grounds defined in the General Data Protection Regulation (EU) 2016/679:
When subject to a legal obligation, i.e. the applicable legislation requires that the Bank process your personal data;
In order to enter into and perform a contract with you;
In pursuit of the Bank’s legitimate interests, unless your private interests are overriding (e.g. providing Bank services, recruitment of employees and trainees, credit risk assessment, management of your debt, dispute resolution, etc.);
Your consent to the processing of your personal data.
The Bank processes your personal data, which are:
Received directly from you (provided when completing and submitting forms/inquiries/requests/claims/applications both at the customer service unit of the Bank and in the online banking system or website www.medbank.lt, calling the Bank’s contact centre or visiting the Bank’s premises);
Obtained from other sources;
Generated automatically to the extent provided by applicable legislation (when visiting the website and/or social network account, using mobile applications).
Please note that if you provide personal data of other persons related to you (e.g. family members, company employees, shareholders, guarantor, etc.), you are required to inform those persons of the processing of their personal data by the Bank and to make them aware of this Privacy Policy.
The Bank obtains your personal data from other sources, such as:
Other banks and financial institutions;
State authorities and institutions (the Bank of Lithuania, the Ministry of Finance of the Republic of Lithuania, State Social Insurance Fund Board under the Ministry of Social Security and Labour of the Republic of Lithuania (SODRA), Statistics Lithuania, National Paying Agency, Lithuanian Agricultural Advisory Service, State Enterprise Deposit and Investment Insurance, State Enterprise Centre of Registers, State Enterprise Regitra);
Courts and law enforcement agencies;
Other persons performing the functions assigned by legislation (e.g. notaries, lawyers, bailiffs, bankruptcy administrators);
Service providers administering joint debtor data (e.g. CreditInfo Lietuva UAB);
Insurance companies, insurance brokerage companies;
Credit intermediaries;
Other natural persons/their representatives, when they provide the data of related persons (through blood or marriage), co-debtors, guarantors, collateral providers, etc.;
Other natural persons/their representatives, when they provide the data of immediate family members or close associates, who hold or were holding (over the past year) a prominent public function;
Legal persons, if you are the director/representative, employee, authorised person, true beneficiary, etc. of a legal person;
Documents submitted to the Bank for performance of a contract or fulfilment of regulatory requirements which may contain personal data (e.g. property valuation certificates, extracts from registers, etc.);
Third parties and/or publicly available sources to the extent permitted by applicable legislation (LinkedIn social network).
The Bank may transfer your personal data to the following entities:
State authorities and institutions, other persons performing the functions assigned by legislation (e.g. supervisory authorities, law enforcement agencies, tax administrator, bailiffs, notaries, lawyers);
Other banks and financial institutions;
Insurance companies, insurance brokerage companies;
Companies in the Bank’s Group. Their full list is available on the Bank’s website: https://www.medbank.lt/lt/apie-banka/dukterines-imones;
Auditors, legal and financial advisors;
State registers (e.g. State Enterprise Centre of Registers, State Enterprise Regitra);
Bank’s successors;
Collateral providers (e.g. guarantors, collateral lenders);
Courts, extrajudicial dispute resolution bodies, bankruptcy administrators;
Debt recovery companies, to which debt claims are transferred;
Service providers administering joint debtor data (e.g. CreditInfo Lietuva UAB);
Participants of national, European Union and international payment systems and other related persons (e.g. SWIFT);
The Bank ensures that your personal data are transmitted strictly in accordance with applicable legislation. Service providers (processors) used by the Bank process your data only for strictly defined purposes, which are set out in personal data processing contract.
Generally, your personal data are processed and stored in the territory of the European Union (EU) and the European Economic Area (EEA). However, in some cases, we may need to transfer your personal data to other countries outside the EU and EEA, which may apply a lower-level data protection policy. In such cases, the Bank will take all steps to ensure the security of transferred personal data.
In case of transfer of personal data to countries outside the EU and EEA, one of the following security measures will be applied:
The contract signed with the recipient of personal data must be based on Standard Contractual Clauses approved by the European Commission;
The recipient of personal data must be located in a country recognized by decision of the European Union as applying adequate data protection standards;
Permission from State Data Protection Inspectorate must be obtained.
In certain cases, the Bank carries out profiling and makes decisions by automated means.
If you have given consent to the processing of personal data for direct marketing purposes and have not withdrawn such consent, the Bank profiles your personal data, i.e. performs automated processing of personal data to evaluate certain personal aspects related to you, in particular to analyse your interests, behaviour, movement, economic situation, and payment habits with the purpose of anticipating your needs more accurately and provide you with offers, services and products that best suit your interests.
The Bank uses profiling for analysis and assessment by making automated decisions related to, for example, assessment of creditworthiness and credit risk management. Your credit rating is determined using information systems and algorithms and is used as a basis for making a decision on provision of financial services. If you do not agree with the decision taken by automated means, you have the right to demand the involvement of a Bank employee, express your position, receive an explanation of the decision and challenge the decision.
In order to ensure the implementation of anti-money laundering and terrorist financing prevention measures, the Bank carries out profiling and assigns you a risk category according to the risk associated with you, the risk of products, services and/or operations, risk of a country and/or geographical region, and the risk of the main economic activity. Depending on the assigned risk category, the available intensity of use of Bank services and the periodicity of updating your information may vary.
When processing personal data, the Bank adheres to the following principles:
Your personal data are collected and processed for explicit and legitimate purposes, established prior to beginning of the processing, and not further processed in a manner that is incompatible with those purposes (the purpose limitation principle).
Your personal data are processed fairly, lawfully and transparently, with your consent or on other legitimate basis for personal data processing (the principle of lawfulness, fairness and transparency).
Your personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the data minimisation principle).
Your personal data are accurate and, if necessary for personal data processing, updated on a regular basis. Personal data that are inaccurate or incomplete are rectified, supplemented, deleted or their processing is suspended. All reasonable steps are taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of accuracy).
Your personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data have been collected and are processed (the principle of storage limitation).
Your personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of integrity and confidentiality).
When processing your personal data, we implement reasonable organisational and technical measures to protect your personal data against accidental or unlawful destruction, alteration, disclosure as well as from any other unauthorised form of processing. The Bank requires that the processors used by the Bank for the processing of your personal data or which have access to your personal data when providing services to the Bank take appropriate technical and organisational measures, which would ensure the security and integrity of your personal data.
However, please note that even though we take appropriate steps to protect your personal data, no website or e-mail can guarantee complete security due to reasons beyond the control of the Bank. Therefore, you should be careful and assume the risk associated with providing personal data to the Bank on the website or by e-mail.
We store your personal data for the time period required to achieve the set objective. Once the set objective is achieved, your personal data are deleted, unless the applicable legislation requires that the Bank store the data for the time period prescribed by such legislation. Once this period expires, the data are deleted/destroyed so that they cannot be reproduced. Specific personal data retention periods depend on the legal grounds for processing of your personal data. Video recording data are stored up to 90 days.
During your visit to the Bank’s website www.medbank.lt, we want to provide you with information and functions that are tailored specifically to your needs. This requires the use of cookies. Cookies are small information elements stored on your web browser. They help the Bank to recognize you as a previous visitor to the Bank’s website, save your visit history and adapt the content accordingly. Cookies also help the Bank to ensure smooth functioning of the Bank’s website, allow monitoring the duration and frequency of the visits to the website and collecting statistical information on the number of visitors to the website. Analysis of such data helps us improve the Bank’s website and make it more comfortable for your use.
Cookies used on the Bank’s website www.medbank.lt:
Cookie name | Purpose of the cookie | Moment of creation and validity period | Data used |
|---|---|---|---|
major_type |
A cookie intended to ensure the functionality of the website: saves the selected type of client. |
Upon entering the website.Valid until leaving the website. |
“Private” or “business” client type selected on the client’s website. |
dc_gtm_UA-# |
A cookie intended to ensure the functionality of the website. This cookie allows to upload part of the software code. |
Upon entering the website.Valid until leaving the website. |
Does not store any user information. |
_mb_cookie |
A cookie intended to remember the user’s choice of cookie policy. |
Upon acceptance of the cookie policy.Valid for one year. |
1/0 |
medbank_prod_lsXSRF-TOKEN |
Cookies for identification of sessions. |
Upon entering the website.Valid for 4 hours. |
Unique identifier of random characters. |
_ga |
Cookies for identification of the user. |
Upon entering the website.Valid for 2 years. |
Unique identifier of random characters. |
_gid |
Cookies for identification of the user. |
Upon entering the website.Valid for 24 hours. |
Unique identifier of random characters. |
fr |
A cookie used to create a user and display targeted advertisements on third-party websites, such as facebook.com, etc. |
Upon entering the website.Valid for 3 months. |
An encrypted Facebook identifier and browser identifier. |
_fbp |
A cookie used to create a user and display targeted advertisements on third-party websites, such as facebook.com, etc. |
Upon entering the website.Valid until the end of session. |
An encrypted Facebook identifier and browser identifier. |
partner-
|
Cookies used to collect anonymous information for statistic and advertising purposes. |
Valid from 1 day to several years. |
Internet provider information, browser type, etc. |
_gat_UA |
A cookie for collecting information about traffic. |
Upon entering the website.Valid for 8 hours. |
Unique identifier of random characters. |
Cookie name |
major_type |
|---|---|
Purpose of the cookie |
A cookie intended to ensure the functionality of the website: saves the selected type of client. |
Moment of creation and validity period |
Upon entering the website.Valid until leaving the website. |
Data used |
“Private” or “business” client type selected on the client’s website. |
Cookie name |
dc_gtm_UA-# |
|---|---|
Purpose of the cookie |
A cookie intended to ensure the functionality of the website. This cookie allows to upload part of the software code. |
Moment of creation and validity period |
Upon entering the website.Valid until leaving the website. |
Data used |
Does not store any user information. |
Cookie name |
_mb_cookie |
|---|---|
Purpose of the cookie |
A cookie intended to remember the user’s choice of cookie policy. |
Moment of creation and validity period |
Upon acceptance of the cookie policy.Valid for one year. |
Data used |
1/0 |
Cookie name |
medbank_prod_lsXSRF-TOKEN |
|---|---|
Purpose of the cookie |
Cookies for identification of sessions. |
Moment of creation and validity period |
Upon entering the website.Valid for 4 hours. |
Data used |
Unique identifier of random characters. |
Cookie name |
_ga |
|---|---|
Purpose of the cookie |
Cookies for identification of the user. |
Moment of creation and validity period |
Upon entering the website.Valid for 2 years. |
Data used |
Unique identifier of random characters. |
Cookie name |
_gid |
|---|---|
Purpose of the cookie |
Cookies for identification of the user. |
Moment of creation and validity period |
Upon entering the website.Valid for 24 hours. |
Data used |
Unique identifier of random characters. |
Cookie name |
fr |
|---|---|
Purpose of the cookie |
A cookie used to create a user and display targeted advertisements on third-party websites, such as facebook.com, etc. |
Moment of creation and validity period |
Upon entering the website.Valid for 3 months. |
Data used |
An encrypted Facebook identifier and browser identifier. |
Cookie name |
_fbp |
|---|---|
Purpose of the cookie |
A cookie used to create a user and display targeted advertisements on third-party websites, such as facebook.com, etc. |
Moment of creation and validity period |
Upon entering the website.Valid until the end of session. |
Data used |
An encrypted Facebook identifier and browser identifier. |
Cookie name |
partner-
|
|---|---|
Purpose of the cookie |
Cookies used to collect anonymous information for statistic and advertising purposes. |
Moment of creation and validity period |
Valid from 1 day to several years. |
Data used |
Internet provider information, browser type, etc. |
Cookie name |
_gat_UA |
|---|---|
Purpose of the cookie |
A cookie for collecting information about traffic. |
Moment of creation and validity period |
Upon entering the website.Valid for 8 hours. |
Data used |
Unique identifier of random characters. |
When using a browser to access the content provided by the Bank, you can configure it to accept all cookies, reject all cookies or alert you when a cookie is sent. All browsers are different. If you do not know how to change cookie settings, see the browser’s help menu. The operating system of your device may have additional cookie controls. If you do not want to have your information collected using cookies, use the simple procedure offered by most browsers to opt out of using cookies. For more information about managing cookies, please visit http://www.allaboutcookies.org/manage-cookies/. However, please note that some services may be designed to operate only with cookies and once cookies are disabled, you will not be able to use them or certain parts of them.
Beside the cookies used by the Bank, the Bank’s website allows certain third parties to place and access cookies on your computer. In such case, the use of cookies is subject to third-party privacy policies.
Please note that the Bank's social network accounts are subject to the cookie policy of the respective social network.
By browsing the Bank’s website, you agree that cookies be placed on your computer or other device. You may withdraw your consent at any time by changing your browser settings and deleting saved cookies. Information on how to do this is available on help pages of the browsers:
The Bank’s website may contain links to third-party websites. Please note that the Bank is not responsible for the content or privacy protection principles of such websites. Therefore, if a link given on the Bank’s website takes you to another website, you should read its privacy policy.
You, as the data subject whose personal data is processed by the Bank, have the following rights:
The right to know/be informed about the processing of your data (the right to know).
The right to access your personal data and receive information about how it is processed (the right to access).
The right to request rectification or supplementation of incomplete personal data, taking into account the purposes of personal data processing (the right to rectification).
The right to object to the processing of your personal data, if the processing of your personal data is based on your consent.
The right to request that the processing of your personal data be restricted for a legitimate reason (the right to restrict).
The right to withdraw consent to the processing of your personal data. Such withdrawal of consent shall not affect the data processing carried out prior to withdrawal of such consent.
The right to request that your personal data be deleted/destroyed (the right to be forgotten), where such data are processed on the basis of your consent. This right does not include the cases where you request to delete your personal data, which are processed by the Bank on other legal grounds, for example, where the processing of personal data is necessary to conclude/perform a contract or subject to a legal obligation.
The right to object to be subject to fully automated decision, if such decision has legal consequences or similar significant effect.
The right to data portability.
The right to file a complaint with the State Data Protection Inspectorate, if you believe that your personal data has been processed in violation of your rights and legitimate interests in the field of personal data protection. More information is available at www.ada.lt.
The Bank provides the opportunity to exercise the above rights upon identification and verification of your identity. You may exercise your rights by submitting a written request to the Bank at any customer service unit or via the online banking system of the Bank or, in some cases, using specific links given at the bottom of advertising materials provided by the Bank.
The Bank will provide you with information about the steps taken on receipt of your request to exercise the data subject’s rights within one (1) month from receipt of your request. The time limit for the Bank’s response may be extended for two (2) months, taking into account the complexity of the request and the number of requests received by the Bank. In any case, the Bank will inform you about the extension of the time period and the reasons for such extension.
If your requests are clearly unreasonable or disproportionate (e.g. because of their repetitiveness), the Bank has the right to charge a reasonable fee, taking into account the costs of providing information.
The Bank may refuse to allow you to exercise the above rights, where prevention, investigation and detection of crimes or violations of official or professional ethics and the protection of rights and freedoms of other persons must be ensured in the cases provided by law.jj
Medicinos Bankas UAB
Pamėnkalnio 40, LT-01114 Vilnius;
Tel. 8 800 60 700 (for calls from Lithuania), +370 5 264 48 00 (for calls from abroad)
E-mail: info@medbank.lt
Contact details of the Bank are available on the Bank’s website at https://www.medbank.lt/lt/kontaktai.
If you have any questions regarding the information presented in this Privacy Policy or any other questions related to the processing of your personal data, please contact the designated Data Protection Officer of the Bank by any of the following means:
by post: Pamėnkalnio 40, LT-01114 Vilnius;
by e-mail: dpo@medbank.lt.
Websites of other companies in the Bank’s Group which carry out specific functions may contain additional information about privacy.
This Privacy Policy will enter into force on 1 May 2019.
The Bank has the right to unilaterally amend this Privacy Policy by informing you by a notice published on the Bank’s website www.medbank.lt, by e-mail or a message sent via the online banking system.
This Privacy Policy is publicly available on the Bank’s website www.medbank.lt and can be accessed at any customer service unit of the Bank.
This Privacy Policy will be revised and updated taking into account the changes in legislation and/or Bank’s activities, but at least once every two (2) years. Once the Privacy Policy is updated, we will inform you by posting a notice on the Bank’s website and by other means.
