Data protection and privacy policy

On this website you will learn:
  • what data and for what purpose we process
  • who monitors correct processing of data in the Bank
  • to what entities data may be made available
  • what your rights and the Bank’s duties are
  • how to easily manage your marketing consents

The new regulations on protection of personal data, commonly known as GDPR, come into force on the 25th of May 2018. The main objective of GDPR is unification of the principles of processing of personal data in the entire European Union. Bank Millennium processes your data, inter alia, in order to conclude agreements, keep bank accounts, perform securely your instructions as well as inform you about new products and services.

Glossary of terms concerning data protection

Principles of processing of personal data

Who is controller of your data?

  • Within the services we offer, the controller of your data is Bank Millennium S.A. in Warsaw.
  • Supervision of correct processing of your data is exercised by Personal Data Inspector.
  • The information we are entrusted is properly secured and used exclusively for appropriate purposes.

General information on processing of personal data

Below you will find detailed principles of processing your personal data in Bank Millennium S.A. Among others, you will learn for what purposes and how long the Bank processes or will process your personal data. You will get to know the categories of entities which may have access to your personal data, as well as what what rights you may exercise in relation to processing your personal data. The scope of the submitted information corresponds to the requirements stemming from the EU regulations on protection of personal data, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council, also referred to as the General Data Protection Regulation.

Do you want to know more?

  •  

     

     

     

    1. Controller of your personal data is Bank Millennium S.A. with Head Office in Warsaw:
      • address: ul. Stanisława Żaryna 2A, 02-593 Warsaw
      • telephone: (+48) 801 331 331 or (+48) 22 598 40 40 – for calls from mobile phones and international calls
      • e-mail: kontakt@bankmillennium.pl
    2. Bank – as data controller – will spare no efforts in order to fulfil the requirements of the Regulation to the highest degree and, thus, to protect of your personal data.
    3. Supervision of correct processing of personal data in the Bank is exercised by the Data Protection Officer, currently Aleksandra Bereda (hereinafter referred to as: „Officer”):
      • address: Data Protection Officer, Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw
      • e-mail: iod@bankmillennium.pl

    You may contact the Officer on all cases related to processing of your personal data and in case of doubts as to your rights.

For what purpose and how long will we process your personal data?

Your data are processed first of all in order to conclude and perform agreements with the Bank. Expand the section to check out other purposes.

We do not store your data longer than necessary. Period of storage of personal data depends, for instance, on the duration of agreement.

Your data are processed exclusively for the purposes justified by the law. We regularly verify data bases and remove unnecessary information.

Below you can check out the purposes for which we process your data:

  • Explanation:
    This is about any actions taken in order to prepare for conclusion of the agreement, to execute agreement, analyse and assess credit capacity, review claims, terminate agreement, archive as well as perform other legal actions related to the agreement, as well as actions taken to conclude, through the Bank, agreements with other entities, for instance, insurance agreement.

    Legal basis:
    Rozporządzenie, art. 6 ust. 1 lit. b)

    Duration of data processing:

    • Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened
    • If agreement is not concluded- until the application is reviewed and for 3 years for potential claims and complaints.

  • Explanation:
    In this case the Bank processes personal data in order to fulfil the duties imposed by the virtue of the law or carry out tasks in the public interest. In particular, we talk here about fulfilment of the Bank’s duties in connection with conducting banking activity and execution of the concluded agreements, and for archiving purposes, as well as in connection with assessment of credit capacity and analysis of credit risk. Furthermore, such duties stem from, inter alia, Act on Counteracting Money Laundering and Terrorism Financing, Act on performance of the Agreement between the Government of the Republic of Poland and the Government of the United States of America on improvement of fulfilment of international tax obligations and implementation of FATCA, Act on Exchange of Tax Information with Other Countries, Act on Protection of Competition and Consumers, Act on Trading in Financial Instruments and security measures for funds.

    Legal basis:
    GDPR, Art. 6 section 1 letter c) and special provisions, which impose on the Bank the duties indicated in the explanations or Art. 6 section 1 letter e) of the Regulation.

    Duration of data processing:

    • For calculations related to statistical approaches for calculation of methods and models determined by the banking law - for a period of 12 years from the day of expiry of the obligation.
    • For processing information that constitutes bank secret in order to assess credit capacity and to analyse credit risk – after expiry of the obligation stemming from the agreement concluded with the Bank until the time of withdrawal of this consent.
    • In other cases – until the Bank has fulfilled the duties defined in specific regulations of the law or completed the tasks carried out in the public interest.

  • Explanation:
    This is about the Bank’s marketing, in particular, that carried out through communication, display or sending trade information by traditional mail or, in case of obtaining an appropriate consent, also through electronic or telephone communication devices. Marketing may be also carried out based on profiling which means processing for marketing purposes the information on Client’s characteristics, behaviour or preferences. Thanks to profiling, on the grounds of to-date relationship, the Bank may customise your trade offers to your interests and need.

    Legal basis:
    GDPR, Art. 6 section 1 letter f)

    Duration of data processing:
    Until objection is lodged against such processing, or until agreement with the Bank expires.

  • Explanation:
    It is, for instance, marketing of products and services of the companies cooperating with the Bank; processing information that constitutes bank secret (also, in order to assess credit capacity and analyse credit risk) after expiry of the obligation. In each case, the consent obtained from you will indicate, inter alia, the purpose of data processing, which we intend to achieve based on this consent.

    Legal basis:
    GDPR, Art. 6 section 1 letter a)

    Duration of data processing::
    Until the consents granted are withdrawn.

  • Explanation:
    Within the indicated purpose, we will process your data, also to enable communication or delivery of services through the Bank’s websites and mobile application. To this extent, inter alia identifiers, such as IP address of the device or geolocation information will be processed.

    Legal basis:
    GDPR, Art. 6 section 1 letter b) or Art. 6 section 1 letter f)

    Duration of data processing:

    • Period of communication or delivery of services, not later than until effective objection is lodged.
    • Until the end of the contract, and after that, in other legitimate purposes related to the contract, e.g. for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.

  • Explanation:
    Purposes pursued within so-called legitimate interest are connected to execution of the agreement concluded with you and these are the following:

    • ensuring security of the persons and the Bank’s assets, including monitoring of the Bank’s branches, preserving privacy and human dignity,
    • ensuring transaction security, in particular, prevention of frauds,
    • customisation of the marketing content of the Bank’s websites, depending on the behaviour of the viewers,
    • protection against claims and collection of receivables,
    • internal administrative, analytical and statistical purposes, including analyses of the credit portfolio, statistics and the internal reporting of the Bank and Bank’s Group.

    When assessing whether the indicated purposes are justified, we take into account inter alia the following:

    1. any connections between the purposes for which the personal data have been collected and the purposes of the intended further processing,
    2. context in which the personal data have been collected, in particular, relationship between the data subjects and the controller,
    3. nature of the personal data,
    4. potential consequences of the intended processing,
    5. existence of appropriate safeguards.

    Legal basis:
    GDPR, Art. 6 section 1 letter f)

    Duration of data processing:
    Until fulfilment of the Bank’s legitimate interests that constitute the grounds for this processing or until an objection is lodged against such processing, no longer than for the period of securing any claims, i.e. until the end of the calendar year in which the 6-year limitation period expires, counting from the day agreement. However, if the contract was concluded before July 9, 2018, this period shall be subject to the transitional provisions defining the limitation periods contained in art. 5 para. 2 and 3 of the Act of 13 April 2018 amending the Act - Civil Code and certain acts (Journal of Laws of 2018, item 1104), by virtue of which the limitation periods for claims were shortened.

The Bank guarantees that it will process your personal data exclusively for specific clear and legitimate purposes and it does not process them further in breach of these purposes. The purpose of data processing is the reason for which we process your personal data. If the Bank wants to process your personal data for other purposes – not indicated below – you will be informed about this new purpose in a separate communication. The sections below present the purposes of data processing. Each of the below purposes has been thoroughly evaluated by the Bank in terms of their compliance with the provisions of the Regulation and provisions regulating activity of the Bank. Each time, the below information indicates the purpose of data processing and appropriate legal grounds. Your personal data will be stored for a period suitable for execution of the indicated purposes.

Where do we collect your personal data?

  • Most frequently, we receive the data directly from you.
  • Other information comes to us from other banks, KRS registers, BIK or public institutions.
  • All the data sources are carefully verified.

The Bank processes your personal data obtained directly from you (for instance, data submitted in forms), as well as the data obtained lawfully from other sources and on the grounds of agreements with partners. These other sources may be, inter alia, public sources, for instance, KRS registers, CEIDG and sources of limited access, for instance, BIK, BIG. In each of the cases, the Bank verifies meticulously whether it has legal grounds for processing of personal data.

What categories of your personal data do we process?

  • Basic data, which we process, are personal, contact and identification data.
  • We also use online data (for instance, location or web browser history) based on the so-called cookies.
  • Importantly, type of processed data depends also on the relationship with the Bank.

Do you want to know more?

  • Depending on the relationship between you and the Bank, the Bank may process, in particular, the following categories of personal data obtained from you or third persons:

    • personal data (for instance, name and surname, domicile address)
    • contact data (for instance, phone number, correspondence address)
    • identification data (for instance, id number, PESEL)
    • sociodemographic data (for instance, nationality, form of employment)
    • financial data (for instance, account balance, source of income)
    • transaction data (for instance, details concerning payments made to and from the account)
    • contact data (for instance, details of the concluded agreements)
    • behavioural data (for instance, data of the products or services, and their utilisation)
    • communication data (for instance, the data from the communication conducted with you)
    • audiovisual data (for instance, data related to recoding conversations or image for security and evidence purposes),
    • data concerning family, legal and financial ties (for instance, information necessary for execution of deposit order in the event of death)
    • data publicly available or obtained from third parties (for instance, data obtained from CEIDG, BIK)
    • technical data (for instance, data of the device on which you use mobile application)
    • location data (for instance, location data of the place where transaction is performed in mobile application)
    • web browser history data (for instance, data necessary for maintaining proper exchange of information between the server and browser when using Millenet)

To whom your data may be disclosed?

Authorised employees of the Bank

Public authorities and institutions authorised to demand such access

Entities that cooperate with the Bank, for instance, couriers or payment card producers

Do you want to know more?

  • Access to your personal data – inside the Bank’s organisational structure – will be available exclusively to employees authorised by the Bank and only to the extent necessary. In some situations your personal data may be disclosed by the Bank to recipients outside the Bank’s structure. In such situation the Bank always examines thoroughly the legal grounds for disclosure of personal data. Importantly, the recipient of the data in the understanding of the Regulation is both the entity which processes personal data on behalf of the Bank and the entity to which the data are made available for its own purposes (for instance, public administration authorities).

    Recipients of your personal data may be:

    1. public authorities, institutions or third parties authorised to demand access or receive personal data on the grounds of the law, for instance, Polish Financial Supervision Authority, Ministry of Finance, General Inspector of Financial Information, tax office, bank arbiter
    2. bentities, to which the Bank entrusted processing of personal data on the grounds of the concluded agreements, for instance, parcel delivery services, producers of payment cards, photo inspection providers, mass printing providers, IT suppliers and other service providers processing data on behalf of the Bank
    3. banks, financial or credit institutions, or other institutions, which may receive personal data in connection with execution of economic relations between the Bank and you (for instance, banks intermediating in execution of international transfers) and on the grounds of appropriate laws, for instance, BIK, Centrum Prawa Bankowego i Informacji Sp. z o.o., economic information bureaus (KRD, ERIF, BIG)
    4. clearing chambers, other clearing entities, for instance, KIR, Swift
    5. card organisations, for instance, VISA, MasterCard – if data are transferred out of the European Economic Area, we apply appropriate safeguards in the form of binding corporate rules
    6. telecommunication services providers
    7. entities providing advisory and inspection services, for instance, audit companies
    8. rocessors processing the data for recovery of receivables or legal representation, for instance, law firms, insurance companies
    9. insurance companies
    10. entities, for which you expressed your consent for making available and processing your personal data
    11. entities operating with the Bank’s Group or entities from the capital group responsible for execution of contractual obligations and obligations stemming from the law
    12. detailed list of recipients can be downloaded here

What are your rights?

  • You have the right to access your personal data, edit then, limit the processing of your personal data and many more.
  • Remember that in some cases, when you’re entering an agreement some details may be required in order to sign it.
  • You can manage the use of your data in any Bank branch, TeleMillennium careline and Millenet online banking system.

Do you want to know more?

    1. Detailed Information on your rights:
      • a) you are entitled to access your personal data, and also to get a copy of the data
      • b) if you find that your personal data processed by the Bank are not correct, you are entitled to rectify or supplement the data
      • c) you are entitled to demand removal of your personal data in cases stipulated by the law
      • d) you are entitled to lodge a demand to limit processing of your personal data
      • e) you are entitled to lodge an objection against processing of your personal data in case of data processing to pursue legitimate interest of the Bank. In order to exercise this right, you may lodge your demand to cease processing of your personal data for the Bank’s direct marketing (this objection makes it impossible to receive, through available contact channels, any marketing materials on offers of the Bank as well as Partners and Companies from the Bank’s Group) or/and profiling your data in order to provide customised offers and commercial information
      • f) you are also entitled to receive from the Bank your personal data in a structured format and to transfer your personal data to another controller. In case of data transfer, due to other laws, for instance, the banking law, your or other person’s consent, or fulfilment of other conditions required by these regulations may be necessary
      • g) you are entitled no to subject to decision based exclusively on automated processing, including profiling, which produces legal effects for you or otherwise exerts material influence on you, unless such decision is necessary for performance of the agreement, it is allowed by the law or you have previously expressed your clear consent thereto
      • h) in these cases when data processing is performed on the grounds of the consent granted, you are entitled to withdraw your consents for individual purposes of processing, at any time. You may withdraw your consent at any branch of the Bank, at TeleMillennium infoline 801 331 331 - number available only for telephones from domestic networks, (+48) 22 598 40 40 – number available also for international calls), in Millenet (Settings/Consent management). Withdrawal of the consent does not affect legal compliance of the processing performed up to the consent withdrawal

    2. If you conclude agreement or transaction, submission of personal data is required for their execution.
    3. If you want to file Application for execution of the above rights, you may do so:
      • personally at any branch of the Bank – for the list of branches visit https://www.bankmillennium.pl/about-the-bank/branches-and-atms
      • if you are a Client you can apply:
        • - in Millenet, at Settings > Personal data > Applications on personal data (re. items point 1: a ,c, f) and in Contact section (re. items point 1: d, e, g)
        • over the phone, at TeleMillennium careline: 801 331 331
        • by correspondence - sending a letter to the following address: Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warsaw

    4. The Bank is obliged to provide the information you are applying for within a month from receiving your application. If the demand is of complex nature or number of demands is high, the Bank has the right to extend the deadline for review of the application by two additional months, whereof the Bank will inform you earlier within a month from receiving your application. The maximum delivery time cannot be longer than 3 months from the date of receiving the application.
    5. Bank’s taking actions indicated in the Application and issuance of the first cope of data is free of charge. However, if the demand is manifestly unfounded or excessive, in particular because of its repetitive character, the Bank may:
      • charge a reasonable fee, as per the Price List
      • refuse to act on the request providing justification

    6. Should you find that processing of your personal data by the Bank infringes upon the provisions of the Regulation, you are entitled to lodge a complaint to the supervisory organ. As of 25th of May 2018 this will be Chairman of the Office for Protection of Personal Data.

What profiling is?
Profiling allows us to use your data in a selective way, offering you products that are suited to your current or future needs.


What does automated decision making mean?
Automated decision making – based on profiling – is used in order to evaluate risk levels (when assessing your credit score, credit reliability, risk of money laundering or financing terrorism).

Do you want to know more?

  • If you are bound with the Bank by an agreement or if actions have been taken to conclude such agreement, processing of your personal data may be automated. It may result in automated decision taking, including decisions based on profiling. It concerns, in particular, the following cases:

    • assessment of credit capacity and creditworthiness for the purpose of concluding agreement with the Bank, where this assessment is performed on the grounds of Client’s application with use of the data contained therein, data from the Bank’s internal databases and external databases (BIK, BIG, databases kept by ZBP etc.); such profiling may result in credit refusal
    • assessment of risk of money laundering and risk of financing terrorism, where this assessment is performed on the grounds of the data declared in the documents submitted when placing the order or instruction to perform transaction, or when concluding agreement, based on the set criteria (economic, geographic, behavioural criteria). The assessment is followed by automatic risk classification, where classification to unacceptable risk group may result in automatic blockade and failure to open a relationship

Principles of protection of privacy


Detailed information on the types, operation, merging with other data, changing settings or deleting cookies can be found on the Cookie policy page.

Important documents