Personal Data Protection & Cookies
Information pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR) on the processing of personal data and of Law no 9887 dated 10.03.2008 replaced with Law no.124/2024 “On Protection of Personal Data” Articles 13&14 of this Law.
We hereby inform you about the processing of your personal data and the data protection claims and rights to which you are entitled. The content and scope of the data processing depends largely on the products and services you have requested, or which are agreed with you.
Responsible for data processing:
Raiffeisen Bank SH.A
Str. “Tish Daija”, Kompleksi KIKA 2, Tiranë, Shqipëri.
Contact data of the Data Protection Officer of the Bank:
Mirela Idrizaj
Phone +355 69 802 2250
We process the personal data that we receive from you as part of our business relationship. In addition, we process data that we have legitimately received from Credit Register (from
publicly available sources (e.g business register, public sources, or media) or that are provided legitimately by other companies affiliated with the bank.
Personal information includes your personal details and contact information (e.g., name, address, date and place of birth, nationality, etc.) or identity and travel document information (such as signature sample, ID information). In addition, this may include payment and clearing data (e.g payment orders, turnover data in payment transactions), credit data (eg type and amount of income, recurring payment obligations for children's education costs, loan repayments, etc), data on marketing and distribution, credit transactions, image and / or sound recordings (eg video and telephone recordings), electronic log and identification data (apps, cookies, etc.), financial identification data (data from credit, debit, prepaid cards) or AML (anti-money laundering) and compliance data and other data comparable to the above categories.
We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and Law local no 9887 dated 10.03.2008 replaced with law
no.124/2024 “On Protection of Personal Data” for the following purposes:
-To fulfill contractual obligations (Article 6 (1) (b) GDPR; article 7 (1)(b) Law “On protection of Personal Data”
“The processing of personal data”, as it is defined at (Art 4 (2) GDPR and Article 5 point 16 of local law is carried out for the provision and the execution of your orders as well as for carrying out pre-contractual measures. The purposes of the data processing are based primarily on the specific product (for example, account, credit, securities, deposits, brokerage, debit and
credit cards) and execution of transactions. Such data processing takes place, for example, in connection with debit/credit cards which RAIFFEISEN BANK SH.A makes available to you and with which you are in particular able to execute cash transaction and payment transactions with merchants at POS terminals and on the internet ( E-commerce payments in the online shop), to withdraw cash at designated ATMs .The legal basis of the data processing are a variety legal framework regarding Banks activity. To exercise your rights in connection with
the data processing referred to in this paragraph, please contact RAIFFEISEN BANK SH.A. Credit cards related, the exchange of personal data, especially with merchants and account-holding banks is necessary for the execution of the credit card transaction. Specific details for the purpose of the data processing mentioned herein can be found in the respective contractual
documents and terms and conditions.
-To fulfill legal obligations (Article 6 (1) (c) GDPR; Article 7/1 (c) of Law “on Protection of Personal data”
The processing of personal data shall only be carried out for the purpose of fulfilling various legal obligations derived from legal framework regarding Banks activity, On taxation,
Anti Money Laundering, On Execution of Court Decisions
Reports to the Money Laundering Reporting Office in certain suspicious cases
Information is shared regarding KYC procedures, to the following recipients (the "Recipients"):
members of RBI group in Austria or within the EU
members of RBI group in third countries outside the EU
other members of the Austrian Raiffeisen Banking Group
This is solely done to fulfill the Know Your Customer requirements of the bank.
Providing information to the Supervisory Authority Bank of Albania
Provision of information to tax authorities
Provision of information to prosecution authorities, court authorities as per their request in the context of court proceedings
Provision of information to bailiff offices as per their request in the context of execution of court decision
Assess and manage risks
Credit check on lending
Credit scoring uses statistical peer groups to assess default risk among loan applicants. The calculated "score value" is intended to enable a prognosis with which
probability a requested loan is likely to be repaid. This score will be calculated using your master data (marital status, number of children, length of employment, employer), general financial information (income, assets, monthly expenses, amount of liabilities, collateral, etc.) and payment history (proper loan repayments, Reminders, data from credit bureau). If the default
risk is too high, the loan application will be rejected.
- As part of your consent (Article 6 (1) (a) GDPR; Article 7/1 (a) Law “On Protection of Personal Data”
If you have given us your consent to the processing of your personal data for specific purposes (eg, disclosure of data to recipients named in the consent) processing will only take place in
accordance with the scope and for the purpose as set out in and agreed in the consent form. A given consent may be withdrawn at any time with effect for the future. Examples of such cases are the evaluation of your data (such as name, age, account turnover data and the like) and the query of credit databases, in order to anticipate your credit rating for credit offers that RAIFFEISEN BANK SH.A provides to you.
- To safeguard legitimate interests (Article 6 (1) (f) GDPR); Article 7 /1 (dh) of Law “On Protection of Personal Data”
If necessary, data processing may be carried out to protect legitimate interests of the Bank or third parties. Inthe following cases, data processing takes place to safeguard legitimate
interests. Examples of such cases are:
Consultation and exchange of data with credit bureau for the determination of creditworthiness or default risks
Regarding operational activity of the Collection Department it is necessary that borrower customers data to be transferred in AWS Cloud of service provider with Dat Center in Frankfurt, to ensure prevention and debt collection management and supporting services. Personal data shall continue to be accessed from Raiffeisen bank Collection Department, using the same system under a different platform with security measures of highest standards with limited and monitored access.
Review and optimization of needs analysis and direct customer approach procedures
General info. mails and newsletters on services, products and related market information. Video surveillance to collect evidence in case of crime or to prove transactions and deposits (such as ATMs) - specially to protect customers and employees
Certain phone records (for service quality assurance or complaint cases) Measures for business management and further development of services and products
Measures to protect customers and employees as well as to secure the property of Raiffeisen Bank and to prevent, contain and investigate criminally relevant conduct.
Bank areas that are publicly accessible are monitored (in particular cash desks, safe rooms, foyers, corridors, staircases, elevator areas, interior / exterior entrance areas,
facades, garage) as well as automated cash dispensers (also outside the bank building)
Certain phone records (for quality assurance or complaint cases) Measures for controlling business and further development of services and products
Measures to protect customers and employees as well as the property of the Bank. Measures in Fraud Transaction Monitoring, against anti-money laundering, terrorist financing and offending crime. At the same time, data evaluations (among others in payment transactions) are carried out. These measures also serve your protection.
Data processing for law enforcement purposes
Asserting legal claims and defense in legal disputes
Ensuring the IT security and IT operations of the Bank
Prevention and investigation of criminal offenses
- To safeguard legitimate interests (Article 6 (1) (f) GDPR) (Article 7/1(dh) of Law 124/2024, in the marketing of our services
The evaluation of your data processed at RAIFFEISEN BANK SH.A for the purpose of:
providing you with individual information and offers from RAIFFEISEN BANK SH.A
developing services and products that are tailored to your interest and life situation, as well
further improving the usability of our service facilities such as, apps, self-service devices and others is based on our legitimate interest for the marketing of our services. The
evaluation of the data for this purpose takes place only as long as you have not objected to this.
The following data, which either RAIFFEISEN BANK SH.A itself has collected itself or which you have transmitted to RAIFFEISEN BANK SH.A, will be evaluated:
Personal data / master data
Gender, title, name, date of birth, country of birth, citizenship, occupation, employer, credentials such as driving license data, income data, address and other contact information such as telephone number or e-mail address and postal address, geographical location information, internal ratings, such as the assessment of the revenue and expenditure situation and the asset and liability situation by RAIFFEISEN BANK SH.A.
Product and service data of RAIFFEISEN BANK sh.a
Data on the services of RAIFFEISEN BANK sh.a which you use including means of payment used by you, such as debit and credit cards,debits and credits and arrears on accounts and loans,interest rates and charges or charges charged in connection with these services, payment transactions incoming and outgoing, recipients and senders, payment orders transmitting intermediaries, amount, purpose and payment references, payer references, the frequency and type of transfers, in cashless payments, the data of the traders or service providers receiving the payments and information on transactions concluded with them, Savings and securities transactions and custody accounts, including details of securities held.
Device and contact center data (telephone service incl. voice-control- computer)
Frequency, dates and locations of use of self-service devices and contact centers (telephone service including voice control computers) or telephone services of RAIFFEISEN BANK sh.a, and audio and video recordings conducted in connection with the use of these services by reference to the respective legal basis
Data from services, websites and communication
Data relating to the use of electronic services and websites, functions of the websites and apps as well as e-mail messages between you and RAIFFEISEN BANK sh.a, information about viewed websites or content and links accessed, including external websites, content response time or download errors, and the usage period of websites and information on the use
and subscriptions of newsletters of RBI. This information is collected by way of using automated technologies, such as cookies or web beacons (counting pixels used to register e-mails or websites), or web-tracking (recording and analysis of surfing behavior) on the website or My ELBA and using external service providers or software (for example Google Analytics).
Technical data of end-user-devices
Information about devices and systems used for accessing websites or portals and apps orother means of communication, such as internet protocol addresses or types and
versions of operating systems and web browsers, and additional device identifications and advertising identifications or location information and other comparable data on devices and systems.
Data on user-generated content
Information uploaded on Raiffeisen Bank sh.a websites or apps, such as comments or personal messages and photos or videos and the like.
Within the Bank, those units or employees receive your data, as required by them to fulfill their contractual, legal and / or regulatory obligations and legitimate interests. In addition,
contractors (especially IT and back-office service providers) will receive your data as long and to the extent as they need the data to perform their respective service. All processors are contractually obliged to treat your data confidentially and to process the data for the provision of the respected services.
If there is a legal or regulatory obligation, public authorities and institutions (Bank of Albania, tax authorities, Anti Money Laundry General directorate, etc.) as well as our Bank and auditors may be the recipients of your personal data. With regard to a data transfer to other third parties, we would like to point out that RAIFFEISEN BANK SH.A as Albanian bank is obliged to observe banking secrecy in accordance with “Law On banks in Republic of Albania” and therefore is obliged to keep confidentiality regarding to all customer-related information and facts that have been entrusted to us or made available due to the business relationship. RAIFFEISEN BANKSH.sh.a, may only disclose such personal information, if you have exempted us in writing and expressly, or if the Bank is legally obliged by law to such a disclosure. The recipients of personal data in this context may be other credit and financial institutions or similar entities. We disclose to such recipients only those data as we need in order to conduct the business relationship with you. Depending on the respective contract, these recipients
may be eg correspondent banks, custodian banks, credit bureau or other companies affiliated with the Bank (due to regulatory or legal obligation).
Data from the video surveillance of RAIFFEISEN BANK SH.A can be used on a case by case basis by competent authorities or the court (for evidence in criminal matters), security services (for security purposes), courts (to secure evidence in civil cases), and other state bodies for the purpose of law enforcement.
A transfer of data to third countries (outside the European Economic Area - EEA) will only take place if this will be necessary for the execution of your orders (e.g payment and
securities orders), or if so required by law or if you have given us your explicit consent.
In addition, data may be transferred to RAIFFEISEN BANK sh.a’s subsidiaries or processors in third countries or subcontractors of RAIFFEISEN BANK sh.a’s processors in third
countries. These are obliged to comply with European data protection andsecurity standards. Information about this can be obtained from us.
Payments and cash withdrawals with debit and credit cards can lead to the necessary involvement of international card organizations and thus possibly to data processing by these
card organizations in third countries. For example, the data protection measures MasterCard ("Binding Corporate Rules") are available here.
If so required by law, we will separately provide you with further details.
We process your personal data, as far as necessary, for the whole duration of the entire business relationship (beginning with the conclusion of a contract, its execution and ending with its termination) as well as in accordance with the mandatory storage and documentation obligation as required by law, in particular pursuant to the following: “Law On banks in Republic of Albania” “Law on Anti Money laundering and Terrorism financing”, “labor Code of Republic of Albania”: Moreover, the data storage is also subject to the statutory limitation periods, provisioned in Civil Code of Republic of Albania, Data from the video-surveillance of the Bank will be deleted in principle after 60 days if no longer requiredfor the purposes of video surveillance.
You have the right for information (art.13), the right to access(art.14), the right of rectification or erasure(art.15), the right to be forgotten(art.16), the right of restriction the processing of your stored data(art.17), the right to data portability (art.18) the right to object to processing (art.19) and the right to not be subject of an automated decision (art.20) in accordance with the requirements of data protection law no. 124/2024. Complaints can be addressed to Albanian Data Protection and Information Right Commissioner https://idp.al/en/eng/
As part of the business relationship, you must provide us with all personal information that is necessary to enter into and to maintain the business relationship with you, and also those data that we are required by law to collect. If you do not provide us with these data, we will generally decline either to conclude or to complete the contract, or we will be unable to execute an existing contract or we would be forced to terminate such contract. However, you are not obliged to give your consent to the processing of data if such data is not necessary for the performance of a contract or is not required by law or regulation.
In general, we do not use fully automated decision-making within the meaning of Article 22 GDPR, and article 20 of local law no124/2024“On personal data Protection” in order to establish and/or to conduct a business relationship. If we should use such procedures for specific cases as provisioned in art.20 paragraph 2, we will inform you accordingly by separate notice to respect your right as a data subject to express your opinion and objection, as provided by law.
Our online presences in social networks or on platforms serve the communication and information of interested parties or customers. As a rule, user data is processed for market research and advertising purposes, e.g., to create usage profiles. These usage profiles can be used, among other things, to place advertisements that correspond to the user's interests. Cookies are stored on the user's computer for this purpose, with the help of which the user's usage behavior and interests are stored. In addition, user data can also be stored in the usage profiles across devices (this primarily concerns users who are logged in to the relevant platform). It is possible for us to place target group-orientedadvertising and to perform an anonymized analysis of the use of our online presence.
The processing of users' personal data is based on your consent (a declaration of consent, e.g., by activating a checkbox or confirming a button). Below you will find details and information on possible data transfers to third countries (countries outside the European Union - EU or the European Economic Area - EEA) based on the provider’s information on processing and objection options.
• Facebook, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland
Privacy policy: https://facebook.com/about/privacy/
Opt-Out: www.facebook.com/settings?tab=ads and www.youronlinechoices.com
Joint data processing agreement: https://de-de.facebook.com/legal/terms/page_controller_addendum
• LinkedIn, LinkedIn Ireland Unlimited Company, Gardner House, 2 Wilton Place, Dublin 2, Irland
Privacy policy: https://de.linkedin.com/legal/privacy-policy
Opt-Out: https://linkedin.com/psettings/guest-controls/retargeting-opt-out
Our website uses Cookies. Cookies are text files, which are saved during the visit on your terminal. We mainly use Cookies for anonymized analysis about the use of the website. We also use Cookies to offer you additional functions on the website in order to interact easier with the website and to ensure an error-free use (e.g. to facilitate navigation on a website or to save your preferences and settings for your next visit).
Necessary Cookies: Cookies, which are necessary for the basic functions of the website, are used by us because of contract performance obligations.
Functional Cookies: Cookies, which allow us to analyze the use of the website, are used by us on the basis of legitimate interest.
Marketing Cookies: Cookies, which allow us to offer you advertisement tailored to your interests, are also used by us on the basis of legitimate interest. Some Cookies are saved on your
terminal until you delete them. They enable us to recognize your browser the next time you visit us. Most of the Cookies we use are deleted after your visit on our website (so called Session Cookies).Cookies can be blocked, deactivated or deleted. Therefore, a variety of different tools are available (including browser controls and settings). You can find information hereto in the “help area” of the web browser you use. If all Cookies used by us are deactivated, upon others the display of the website may be limited.
Our website uses Cookies and other market-based web controls in particular to control and improve our internet presence (JavaScript and tracking pixels). The entire data are recorded anonymously. By using so-called tracking pixels, we are able to collect information to check for which screen sizes, browsers and operating systems our internet presence should be optimized. JavaScript is a programming language for evaluating user interactions, modifying, reloading or generating content.
This website uses the "Raiffeisen Web Analytics" software for anonymous analysis of website usage. Your IP address will be made anonymous for analysis purposes by deleting the last 8 bits immediately when a website is accessed. For this purpose, Cookies are used which enable an analysis of the website usage by users. Through the evaluation of this data valuable knowledge about the needs of these users can be gained. This knowledge contributes to further improving the quality of our offer. You can prevent this by setting up your browser in a
manner that no Cookies are saved.
Upon others we collect the following data: visited websites, date and time of the visit, length of stay, browser version, screen resolution, operating system, the country and the referrer, this is the previously visited page from which a page was accessed.
For optimizing our landing pages and improving our services, we may record your session with Mouseflow, a website analytics tool. Please note that no personal data is processed during
session recording or is shared with third parties.
This website uses Google Analytics, a web analytics service from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies, which
are saved on your computer. We process your data based on our legitimate interest in setting up easy-to-use website access statistics (Art 6 (1) (f) GDPR)/law 124/2024 art 7 point 1 letter dh. The information generated by the Cookie about your use of this website (including your anonymized IP address andpseudonym zed ID as well as the URLs of the websites accessed) is transmitted to and stored by Google on servers in the USA. This website uses the given opportunity for IP-anonymization by Google Analytics. Your IP address will be shortened by Google within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area.
On our behalf Google will use this information, to evaluate the use of the website, to create reports about the website activities and to provide us with other services related to the use
of the website and the internet.
You can prevent the general storage of Cookies by adjusting your browser software accordingly. However, we point out that in this case you may not be able to use all functions of this
website to their full extent.
You can also prevent Google from collecting your data in connection with Google Analytics by downloading and installing the browser plug-in available under the following link:
https://tools.google.com/dlpage/gaoptout?hl=de
For more information on Google's Terms of Use and Google's Privacy Policy, please visit
On our website we use the service Google Maps API. This service is a service of Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. By integrating the service on our
website, at least the following data are transmitted to Google, Inc.: IP address, time of visit of the website, screen resolution of the visitor, URL of the website (referrer), the identification of the browser (user agent) and search terms. The data transfer is independent of whether you have a Google account that you are logged in or whether you do not have a Google user
account. If you are logged in, the data will be assigned with your account. If you do not wish assignment to your profile, you must log out before activating the button. Google, Inc. stores this data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. You have the right to object to the creation of these user profiles, whereby you must contact Google Inc. to exercise this right.
For more information about the purpose and scope of data collection and processing by Google, Inc., please contact www.google.at/intl/de/policies/privacy/.
We do not process the affected data.
Every time a user accesses our website and every time a file is retrieved or attempted to be retrieved from the server, data about this process is stored in a log file. For us it is not directly recognizable, which user called upon which data. We also do not try to collect this information. This would only be possible in legally regulated cases and with the help of third parties (e.g. Internet service providers). In detail, the following data record is stored for each retrieval: The IP address, the name of the downloaded file, the date and time of the download, the amount of data transferred, the message as to whether the download was successful and the message as to why a download may have failed, the name of your Internetservice provider, if applicable the operating system, the browser software of your computer and the website from which you are visiting us.
The legal basis for the processing of personal data is our legitim ate interest (in accordance with Art 6 (1) (f) GDPR), article 7 point 1, letter (dh) of the Law no124/2024”On Personal Data Protection”. This is to detect, prevent and investigate attacks on our website.
In addition, we process your personal data in special cases on the basis of the legitimate interests of us, or legitimated third parties for legal proceedings or on behalf of legally
authorized authorities or courts.
We generally store data for a period of one month to guarantee the security of our homepage. A longer storage only takes place as far as this is necessary to investigate determined attacks on our website or to pursue legal claims.
When you download a bank’s appi-s from google store you have the right to ask for account deletion. Although yourgoogle account will be deleted from Bank’s appi downloaded from Google store, there are certain data that the Bank will retain for legitimate interest purposes such as security, fraud prevention, as well as to fulfill legal obligations, in compliance with Albanian legislation.