Personal data protection at the Croatian National Bank

Published: 11/5/2018

The Croatian National Bank, Trg hrvatskih velikana 3, 10000 Zagreb, OIB: 95970281739, is the data controller for the personal data of data subjects and processes these data in accordance with applicable regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)and the Act on the Implementation of General Data Protection Regulation (Official Gazette 42/2018).

A data subject is any identified or identifiable natural person (individual).

Why does the CNB process your personal data?

The CNB processes your personal data when processing is necessary for the performance of its tasks carried out in the public interest, the exercise of official authority vested in it and compliance with its legal obligations, pursuant to laws and other regulations of the Republic of Croatia and the law of the European Union.

To put it more precisely, the CNB processes your personal data within the meaning of point (e) of Article 6(1) of the General Data Protection Regulation to be able to perform its tasks carried out in the public interest or exercise official authority vested in it as regards the following:

  • consumer protection activities, prescribed in Title XXIII of the Credit Institutions Act (Official Gazette 159/2013, 19/2015, 102/2015, 15/2018, 70/2019, 47/2020, 146/2020 and 151/2022) and a number of other regulations, especially in connection with the power to address consumer complaints in accordance with Article 309 of the Credit Institutions Act;
  • the procedure of authorisation to provide credit intermediation services in relation to consumer housing loans, prescribed in Articles 29 and 31 of the Act on Consumer Housing Loans (Official Gazette 101/2017, 128/2022 and 156/2023) and the subordinate legislation adopted under that act;
  • the purpose of processing complaints by payment service users and electronic money holders pursuant to Article 71 of the Payment System Act (Official Gazette 66/2018 and 114/2022), Article 10 of the Electronic Money Act (Official Gazette 64/2018 and 114/2022), Article 30 of the Act on the Comparability of Fees Related to Payment Accounts, Payment Account Switching and Access to Basic Accounts (Official Gazette 70/2017) and Article 6 of the Act on the Implementation of EU Regulations Governing Payment Systems (Official Gazette 50/2016 and 16/2020);
  • the analysis and exchange of cash in accordance with Articles 28 and 30 of the Act on the Introduction of the Euro as the Official Currency in the Republic of Croatia (Official Gazette 57/2022 and 88/2022) and the subordinate legislation adopted under that act as well as the prevention of money laundering pursuant to Article 89 of the Act on the Prevention of Money Laundering and Terrorist Financing (Official Gazette 108/2017, 39/2019 and 151/2022);
  • the control of the verification of the authenticity and fitness of euro coins within the meaning of Regulation (EU) No 1210/2010 as well as the verification of the authenticity and fitness of euro banknotes and their return into circulation in accordance with Decision ECB/2010/14 and Article 37 of the Act on the Introduction of the Euro as the Official Currency in the Republic of Croatia;
  • in order to be able to participate in the definition and implementation of the common monetary policy of the European Union pursuant to Article 88, paragraph (1), item (1) of the Act on the Croatian National Bank (Official Gazette 75/2008, 54/2013 and 47/2020), adopt decisions on macroprudential policy measures pursuant to Article 89, paragraph (1), item (9) of the Act on the Croatian National Bank and perform official statistics activities pursuant to Article 89, paragraph (1), item (5) of the Act on the Croatian National Bank and Articles 18 and 43 of the Official Statistics Act (Official Gazette 25/2020), the CNB collects data on the state and conditions of consumer indebtedness as well as on the conditions, stock and distribution of savings in the form of household deposits, the distribution of loans and deposits and accompanying interest income and expenses within the banking system and the calculation of the indicators of financial wealth distribution in the institutional sector. These data are specified in the Decision on collecting data on standards for lending to consumers and household deposits (Official Gazette 36/2020, 116/2021, 34/2022, 123/2022 and 66/2023).
  • collecting documentation for granting prior approval to acquire or increase a qualifying holding pursuant to Articles 25 and 28 of the Credit Institutions Act, collecting documentation for granting authorisations of credit institutions pursuant to Article 65 of the Credit Institutions Act that are issued by the ECB and authorisations that the CNB grants for the purpose of prior approval to perform the function of a management board member pursuant to Article 39 of the Credit Institutions Act, prior approval to perform the function of the chairperson of the management board of a credit institution pursuant to Article 40 of the Credit Institutions Act and prior approval to perform the function of a supervisory board member pursuant to Article 46 of the Credit Institutions Act;
  • providing non-binding and informal support to business entities developing an innovative FinTech product or service. The CNB aims to provide assistance with understanding regulatory requirements, in view of financial market participants and other business entities’ increased interest in the development of innovations in the area of banking and payment services.

For more information on data processing in the area of consumer protection, visit: link.

For more information on the processing of personal data for the above-stated purposes in the areas of macroprudential policy, monetary policy and statistics, visit: link.

When processing your personal data, the CNB fulfils its legal obligations within the meaning of point (c) of Article 6(1) of the General Data Protection Regulation as regards the following:

  • responding to requests for exercising the right of access to information pursuant to the Act on the Right of Access to Information (Official Gazette 25/2013, 85/2015 and 69/2022);
  • video surveillance to protect people and property pursuant to the Act on the Protection of Monetary Institutions (Official Gazette 56/2015, 46/2021 and 114/2022);
  • controlling visits to the CNB pursuant to the Act on the Protection of Monetary Institutions;
  • the treatment of the notifications of breaches of regulations in accordance with Article 358 of the Credit Institutions Act (Official Gazette 159/2013, 19/2015, 102/2015, 15/2018, 70/2019, 47/2020, 146/2020 and 151/2022) or Article 38 of the Regulation (EU) No 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities (SSM Framework Regulation);
  • the protection of the reporters if irregularities, which includes ensuring accessible and reliable mechanisms to report irregularities and acting on complaints pursuant to the Law on the Protection of Reporters of Irregularities (Official Gazette 46/2022).

The CNB processes your personal data on the basis of consent as defined in point (a) of Article 6(1) of the General Data Protection Regulation for the following purposes:

  • improving the functioning of all website features and providing an upgraded user experience;
  • CNB Newsletter notifications;
  • informing the public and posting on Facebook, YouTube, LinkedIn, Twitter and Flickr.

The CNB’s official website www.hnb.hr uses cookies. Cookies are small text files that are sent by the network server to the browser on your computer. The browser notifies the server about your repeated visits to a website. Cookies enable the CNB to store preferences and follow website use trends on an aggregated basis. For more information on the cookies, visit:

https://www.hnb.hr/#

In addition, the CNB can inform you that you have the right to withdraw your consent at any given time, which does not affect the lawfulness of processing based on consent before its withdrawal.

The CNB processes your personal data for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract within the meaning of point (b) of Article 6(1) of the General Data Protection Regulation for the purpose of:

  • employment at the CNB.

For more information on the processing of personal data in the area of employment and on other legal bases regarding employment see: link.

Which personal data does the CNB process?

When taking action in the area of consumer protection, the CNB processes the following data:

  • name and surname;
  • address;
  • city;
  • postal code;
  • e-mail address;
  • account/contract number;
  • OIB.

In the context of the lodging of complaints by payment service users and electronic money holders, the CNB processes the following data:

  • name and surname/name and address;
  • subject matter of the complaint (a description of the disputable situation or transaction, the location and time of occurrence, etc.);
  • where applicable, the evidence referred to by the data subject (e.g. a transaction receipt, bank statement, framework contract, etc.).

When exercising its official authority with regard to analysing and exchanging cash and for the purpose of preventing money laundering, the CNB processes the following data:

  • name and surname;
  • personal identification number (OIB) or the place, date and year of birth for persons who do not have a personal identification number;
  • domicile or head office of the legal person (country, city, street and number);
  • name and number of the identification document, name and country of the

issuer;

  • day, month and year of birth;
  • citizenship;
  • information on activity or occupation;
  • telephone number;
  • e-mail address, if any;
  • source of the cash that is presented for the exchange;
  • proof of authorisation for representation/power of attorney, where a bearer presents cash for exchange through a legal representative or a proxy.

When acting for the purposes of macroprudential and monetary policies and statistical purposes stated above, the CNB processes the following data:

  • personal identification number (OIB);
  • data for the geographical identification of loan and deposit users; country and county of residence for persons resident in the Republic of Croatia;
  • data on the loan; loan number, amount, currency and interest rate, the first instalment maturity date, final repayment date and loan collateral (as well as other loan features);
  • data on the finances of the loan user: debt owed by the loan user to the credit institution at the individual loan level, income and other earnings of the loan user, total debt of the loan user – total outstanding liabilities on all loans granted by credit institutions or other financial institutions to the loan user and co-debtor (if the co-debtor is included in the calculation of creditworthiness in the loan granting procedure);
  • data on the deposit: deposit contract identifier, deposit type, amount, currency, nominal interest rate, deposit date, date of expiry of the agreed deposit term (and other deposit features);
  • data on the responsible person (employee) in the credit institution who sends the report (name, surname and contact data: e-mail address and/or telephone number);

Specifically, when granting prior approvals for a holder of a qualifying holding, the chairperson or a member of the management or supervisory boards of a credit institution and when granting authorisation of a credit institution, the CNB processes data as regulated by its subordinate legislation and the Commission Delegated Regulation (EU) 2022/2580 of 17 June 2022 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be provided in the application for the authorisation as a credit institution, and specifying the obstacles which may prevent the effective exercise of supervisory functions of competent authorities, including:

  1. Decision on the assessment of the suitability of the chairperson of the management board, members of the management board, members of the supervisory board and key function holders in a credit institution (Official Gazette 20/2021 and 104/2022) – data referred to in Article 13 (e.g. identification data, contact data, data on the position, information on education and work experience, information on whether the candidate is a party to any court or arbitration proceedings and whether he or she has been convicted by a judgement with final force and effect of a criminal offence or misdemeanour, information on the candidate’s financial condition, the candidate’s relationship with the members of the management or supervisory boards as well as the candidate’s financial and non-financial interests). For more details, see Article 13 at link.
  2. Decision on the approval to acquire a qualifying holding in a credit institution (Official Gazette 25/2018 and 139/2022) – data referred to in Article 14 (e.g., identification data, contact data, detailed curriculum vitae, data on whether the acquirer has been subject to any court or arbitration proceedings, data on whether the acquirer has been convicted of any crime and the related evidence and statements, a description of the acquirer’s financial position). For more details, see Article 14 at link.
  3. Decision on the documentation to be enclosed with the application for the authorisation of a credit institution and the application for the authorisation to provide financial services (Official Gazette 135/2023). Data on the identity of all natural and legal persons who will hold, in case of obtaining authorisation, directly or indirectly, a qualifying holding in a credit institution, indicating the amount of these holdings in the capital of the credit institution or a list of twenty largest shareholders of the credit institution, indicating the amount of their holdings in the capital of the credit institution. For more information, see link.
  4. Commission Delegated Regulation (EU) 2022/2580 of 17 June 2022 supplementing Directive 2013/36/EU of the European Parliament and of the Council with regard to regulatory technical standards specifying the information to be provided in the application for the authorisation as a credit institution, and specifying the obstacles which may prevent the effective exercise of supervisory functions of competent authorities. Information about the effective direction of the applicant credit institution referred to in Annex I to Commission Delegated Regulation (e.g., name and surname, place and date of birth, details of the position, curriculum vitae, history, description of all financial and non-financial interests that could create potential conflicts of interest). Information to enable competent authorities to assess shareholders or members with qualifying holdings referred to in Annex II to Commission Delegated Regulation (e.g., name and surname, date of birth, nationality, personal identification number, copy of an identification card, the explanation of the sources of funding for any proposed acquisition of shares or other holdings in the applicant credit institution). For more information, see link.

Specifically, as regards FinTech, the CNB processes the following data: name and surname, e-mail address, source of funding.

During video surveillance, the CNB processes the image of an individual shown on a surveillance recording.

When acting on the notifications of breaches of relevant regulations, the CNB processes the following categories of personal data:

  • identification data (e.g., name and surname and date of birth);
  • contact data (e.g., e-mail address and domicile);
  • data on employment and professional activity (e.g., the employer, profession and position of an individual);
  • financial data (e.g., statements on salaries, bank accounts and securities portfolio).

As concerns the reporters of irregularities, the CNB processes the name and surname, OIB and data on the person to whom the report of irregularities refers.

When you register for the CNB Newsletter, the CNB processes the following personal data: your name, surname, e-mail address and the choice of preferences.

In the area of employment the CNB processes the following data:

  • identification data of the candidate (name and surname, date of birth);
  • contact data of the candidate (e-mail address, telephone number);
  • data on the required qualifications and work experience (when stated as a requirement in the advertisement);
  • data on the candidate’s referees;
  • data on the candidate’s previous participation in the selection process for employment at the Croatian National Bank;
  • data on the facts constituting an employment advantage (e.g., data on the veteran status);
  • the candidate’s responses and the results of the professional competence exam and psychological test as well as the examiners’ notes regarding those responses.

In some cases the CNB processes special personal data categories in the employment procedure. For more information, see link.

In addition, the CNB notifies data subjects that they are under an obligation (with the exception of whistleblowers) to submit personal data when this concerns the area of the CNB’s legal obligations, tasks carried out in the public interest and official authority as well as the execution contracts, because otherwise the CNB would not be able to act upon submitted requests and complaints, carry out its tasks, exercise its official authority and comply with legal obligations.

In which cases does the CNB receive your personal data from other entities?

When processing data for the purposes of macroprudential and monetary policies and for the purposes of statistics, the CNB does not collect personal data directly from consumers, that is, natural persons and craftsmen, but indirectly – from credit institutions in the Republic of Croatia and branches of credit institutions from the European Union or branches of third-country credit institutions providing services in the Republic of Croatia authorised by the Croatian National Bank to establish a branch.

When granting prior approval for the chairperson or a member of the management or supervisory boards and authorisation of a credit institution, the CNB receives data indirectly from credit institutions. (When the CNB grants prior approval to acquire a qualifying holding, data are submitted by shareholders, i.e., individuals.)

Who has access to your personal data and to whom these data can be forwarded?

At the Croatian National Bank data can be accessed only by CNB employees and associates who need these data to be able to perform their tasks, i.e., those to whom the need to know principle applies.

The CNB forwards collected personal data to third parties outside the CNB only when obliged to do so under the law of the Republic of Croatia or the law of the European Union, pursuant to consent, or in order to execute a contract.

In the area of consumer protection the CNB discloses some personal data to the entity to which a claim relates (e.g., a credit institution) in order to enable this entity to respond to the complaint.

In the procedure for authorisation to provide credit intermediation services in relation to consumer housing loans, the CNB forwards some personal data received for the purpose of granting authorisation to competent ministries as supervisory authorities in the situations when an application is submitted by a credit intermediary authorised pursuant to the Act on Consumer Housing Loans.

As regards payment service users and electronic money holders, the CNB forwards the personal data of data subjects/consumers connected with complaints to payment service providers and electronic money issuers subject to these complaints, and only for the purposes of the complaint processing procedure.

In the credit institution authorisation procedure and in the procedure of granting prior approval to acquire a qualifying holding, the CNB submits data to the ECB.

The CNB may submit video surveillance recordings to competent authorities (the police, courts) at their request if these are necessary for the proceedings carried out pursuant to special regulations.

When acting on the notifications of breaches of regulations related to an important credit institution, the CNB forwards the personal data of the complainant to the ECB only with the complainant’s consent.

The CNB may also forward your data to the providers of information technology services and other services with which it has concluded service provision contracts regulating in detail the treatment of personal data pursuant to Article 28 of the General Data Protection Regulation. These parties to the contract act as processors and must comply with the instructions and orders of the CNB as the controller and may not forward personal data to third parties.

As the personal data controller, the CNB may transmit personal data outside the EU if these data are required for the execution of a contract concluded between the CNB and a processor and/or another controller or for the fulfilment of legal obligations. In such a case, the CNB transmits these personal data only to countries that ensure an appropriate level of protection pursuant to the Decision on suitability of the European Commission and in line with appropriate standard contractual clauses or the approved certification mechanism and/or privacy protection framework during the transmission of personal data from the EU to the USA.

Which social networks does the Croatian National Bank use?

The CNB wants to understand how social network users discuss monetary policy, bank supervision and other topics associated with its work and the work of the Eurosystem in order to take into account the needs of the wider public in its communication. Therefore, like other public institutions, the CNB analyses social network activities related to its tasks and monitors the use of its social network channels. The conclusions and analyses aid to the design of the CNB’s communication policy and the performance of its tasks carried out in the public interest. The CNB uses the following social networks: Facebook, X (former Twitter), Linkedln, You tube and Flickr.

The CNB collects and processes personal data in order to perform its tasks carried out in the public interest.

The CNB is the personal data controller. The CNB mostly uses aggregate data in its analyses. However, it sometimes records the statements of individuals, using them to exemplify and illustrate the general attitude towards the CNB on social networks.

The CNB has strictly limited the monitored topics and ensured that its employees comply with clearly defined instructions and confidentiality requirements when using publicly disclosed data on social networks.

When the CNB promotes some social network posts, an external service provider analyses public data for the CNB in accordance with its instructions.

The CNB processes only publicly disclosed data.

The external service provider collects and analyses data from social network users’ public Facebook posts only for promotional posts. The external service provider processes only publicly accessible data.

The external service provider processes the following data for the CNB:

  • job and education;
  • geographical area;
  • personal characteristics (age, sex);

The external service provider collects all the above-mentioned personal data, while the CNB analyses only part of these data.

The CNB has strictly limited the monitored topics and ensured that its employees comply with clearly defined instructions and confidentiality requirements when using the database of the external service provider.

Only the narrowest circle of CNB employees will receive your data.

Since the CNB does not communicate directly with social network users whose data it processes and, as a rule, has no access to their contact data, it cannot notify them individually, as such notifications would require investing disproportionately large efforts. This privacy policy therefore serves as a notification for all social network users.

How long does the CNB keep your personal data?

The CNB processes your personal data until the purpose of the personal data processing has been fulfilled. Once this purpose has expired, the CNB keeps the personal data pursuant to its legal obligations.

In addition, given that the CNB is the producer of official statistics and the creator of archival and registration materials, it stores the personal data of data subjects for longer periods for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to suitable safeguards.

The rules of procedure regarding archival materials are prescribed by the Act on Archival Materials and Archives (Official Gazette 61/2018, 98/2019 and 114/2022) and retention periods are set forth by the internal ordinance governing the protection and processing of archival and registration materials, which obliges the CNB.

In the area of consumer protection, the CNB keeps personal data received in connection with

  • consumer inquiries, notifications and complaints – 10 years;
  • applications for authorisation to provide credit intermediation services in relation to consumer housing loans – 50 years;

The CNB stores and keeps the personal data of data subjects/consumers in the payment operation area connected with complaints – 30 years.

Data collected for the already mentioned processing for the purposes of macroprudential and monetary policies and statistical purposes are coded and the CNB keeps them permanently.

The CNB keeps video surveillance recordings at least 168 hours pursuant to the Act on the Protection of Monetary Institutions (Official Gazette 56/2015, 46/2021 and 114/2022) and longer if these recordings are exempted as evidence in judicial proceedings.

For information on all other data retention periods, please contact the CNB at the e-mail address: sluzbenik.osobni@hnb.hr.

How does the CNB protect your personal data?

The CNB protects your personal data from every breach, including unauthorised access, accidental loss, destruction, damage and any other security breach.

In order to protect your personal data the CNB implements technical and organisational measures, such as controlling the right of access to all data and documents, ensuring that all persons having access to your personal data comply with confidentiality requirements, applying authentication methods (passwords, PINs, smart cards) as well as monitoring the access to and activities in the information system and utilising software that ensures the security of the CNB’s information technology equipment and data.

All Croatian National Bank employees are required to keep data confidentiality pursuant to their employment contracts.

The CNB Governor, Deputy Governor, Vicegovernors and employees are obliged, pursuant to Article 53 of the Act on the Croatian National Bank (Official Gazette 75/2008, 54/2013 and 47/2020) governing business secrecy to keep as a business secret any documents and data of which they become aware in the course of carrying out their duties and tasks. This obligation continues after the termination of office of the Governor, Deputy Governor and Vicegovernor and after the termination of employment in the Croatian National Bank.

What are your rights regarding your personal data processed by the CNB?

First of all, you have the right of access to personal data, which means the right to receive information on whether the CNB processes your personal data. If it processes your personal data, the CNB will notify you about, among other things, the purpose of personal data processing, the categories of personal data concerned, the recipients or categories of recipients to whom these data have been or will be disclosed, the anticipated storage period and your rights as a data subject relative to the Croatian National Bank as the data controller.

Access to personal data can be restricted only in the cases prescribed in the law of the European Union or the national legislation of the Republic of Croatia, that is, in the cases when such a restriction provides for respecting the fundamental rights and freedoms of others.

Second, you have the right to rectification, which means that you have the right to submit a request for inaccurate data concerning you to be rectified as well as the right to have incomplete personal data completed by submitting an additional statement, among other things.

Third, you have the right to restriction of processing of your personal data in the following cases:

  1. when you contest the accuracy of your personal data, the CNB will restrict the processing to the period enabling it to verify the accuracy of the data;
  2. when the processing of your personal data is unlawful and you oppose the erasure of the data and request the restriction of their use instead;
  3. when there is no longer a need to process your personal data and you require that the CNB continue processing them for the purpose of the establishment, exercise or defence of your legal claims;
  4. when you object to processing pursuant to Article 21(1) of the General Data Protection Regulation, pending the verification whether the legitimate grounds of the CNB for the processing of personal data override your grounds.

Fourth, you have the right to object, which means that you have the right to object to the processing of personal data if the processing is based on a CNB’s task carried out in the public interest, the exercise of its official authority or its legitimate interests. Once you have objected, the CNB may no longer process your personal data, unless it is demonstrated that the CNB’s legitimate reasons for processing override your interests, that is, if the processing is necessary to protect legal requirements.

In addition to about the rights of data subjects, the CNB also notifies you of the right to erasure and the right to personal data portability, which you will be able to exercise only exceptionally, given the prescribed conditions for their execution.

Specifically, the right to erasure (right to be forgotten) means the right to obtain the right to erasure of personal data concerning you, where one of the following grounds applies:

  1. when your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. when you withdraw consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the General Data Protection Regulation, and where there is no other legal ground for the processing;
  3. when you object to the processing pursuant to Article 21(1) of the General Data Protection Regulation and there are no overriding legitimate grounds for the processing;
  4. when your personal data have been unlawfully processed; and
  5. when your personal data have to be erased for compliance with CNB’s legal obligations referred to in the law of the Republic of Croatia or the law of the European Union.

The said right is not applicable in so far as the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the General Data Protection Regulation in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

Furthermore, the right of the data subject to data portability means the right of the data subject to receive the personal data concerning him or her, which he or she has provided to the CNB in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the CNB and only where the processing is carried out by automatic means and based on consent.

How can you exercise your rights?

In order to facilitate the exercise of your rights, the CNB has put up on its website the request forms, which can be downloaded here:

PDF documents have to be downloaded and completed using Adobe Acrobat Reader DC as this cannot be done in an internet browser.

Request form for access to personal data

Request form for rectification of personal data

Request form for restriction of processing of personal data

Objection form for processing of personal data

Request form for erasure of personal data

Request form for transmission of personal data to another controller.

A request form submitted to the Croatian National Bank must be properly completed and signed.

A request form that has not been properly completed or signed by the data subject will be returned for correction.

In addition, where the CNB has reasonable doubts concerning the identity of the individual making the request, it may, pursuant to Article 12(6) of the General Data Protection Regulation, request the provision of additional information necessary to confirm the identity of the data subject.

The CNB will respond to your request no later than one month after receiving the request and, if the request is complex or if it has received a large number of requests within a short period, notify you that the deadline will be extended for another two months.

How can you contact the CNB?

You can submit your request form to the Croatian National Bank

a) by post, to the address indicated below:

HRVATSKA NARODNA BANKA (CROATIAN NATIONAL BANK)n/p službeniku za zaštitu podataka (attn: data protection officer)Trg hrvatskih velikana 3 (Trg hrvatskih velikana 3)10000 Zagreb, Republika Hrvatska (10000 Zagreb, Republic of Croatia)

or

b) by e-mail, to the e-mail address indicated below:

sluzbenik.osobni@hnb.hr.

Should you have any questions regarding the processing of your personal data at the Croatian National Bank, feel free to contact the CNB at the addresses given above.

Lodging a complaint with the Personal Data Protection Agency

The supervisory authority for the protection of personal data in the Republic of Croatia is the Croatian Personal Data Protection Agency, Zagreb, Selska cesta 136, e-mail address: azop@azop.hr, tel.: 00385(1) 4609-000, www.azop.hr (AZOP).

Please note that you can lodge a complaint about CNB’s actions concerning the processing of your personal data with the Personal Data Protection Agency.

Additional information

Any additional information on the realisation of the right to personal data protection may be requested by e-mail from the Croatian National Bank personal data protection officer at: sluzbenik.osobni@hnb.hr.

Changes to privacy rules

The CNB may amend or supplement these privacy rules at any time by publishing an amended and supplemented text at www.hnb.hr, of which you will be informed in due time in line with the transparency principle.