Data protection and privacy policy

On this website you will learn:
  • what data and for what purpose we process
  • who monitors correct processing of data in the Bank
  • to what entities data may be made available
  • what your rights and the Bank’s duties are
  • how to easily manage your marketing consents

The new regulations on protection of personal data, commonly known as GDPR, come into force on the 25th of May 2018. The main objective of GDPR is unification of the principles of processing of personal data in the entire European Union. Bank Millennium processes your data, inter alia, in order to conclude agreements, keep bank accounts, perform securely your instructions as well as inform you about new products and services.

Principles of processing of personal data

Who is controller of your data?

  • Within the services we offer, the controller of your data is Bank Millennium S.A. in Warsaw.
  • Supervision of correct processing of your data is exercised by Personal Data Inspector.
  • The information we are entrusted is properly secured and used exclusively for appropriate purposes.

General information on processing of personal data

Below you will find detailed principles of processing your personal data in Bank Millennium S.A. Among others, you will learn for what purposes and how long the Bank processes or will process your personal data. You will get to know the categories of entities which may have access to your personal data, as well as what what rights you may exercise in relation to processing your personal data. The scope of the submitted information corresponds to the requirements stemming from the EU regulations on protection of personal data, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council, also referred to as the General Data Protection Regulation.

For what purpose and how long will we process your personal data?

Your data are processed first of all in order to conclude and perform agreements with the Bank. Expand the section to check out other purposes.

We do not store your data longer than necessary. Period of storage of personal data depends, for instance, on the duration of agreement.

Your data are processed exclusively for the purposes justified by the law. We regularly verify data bases and remove unnecessary information.

The Bank guarantees that it will process your personal data exclusively for specific clear and legitimate purposes and it does not process them further in breach of these purposes. The purpose of data processing is the reason for which we process your personal data. If the Bank wants to process your personal data for other purposes – not indicated below – you will be informed about this new purpose in a separate communication. The sections below present the purposes of data processing. Each of the below purposes has been thoroughly evaluated by the Bank in terms of their compliance with the provisions of the Regulation and provisions regulating activity of the Bank. Each time, the below information indicates the purpose of data processing and appropriate legal grounds. Your personal data will be stored for a period suitable for execution of the indicated purposes.

Where do we collect your personal data?

  • Most frequently, we receive the data directly from you.
  • Other information comes to us from other banks, KRS registers, BIK or public institutions.
  • All the data sources are carefully verified.

The Bank processes your personal data obtained directly from you (for instance, data submitted in forms), as well as the data obtained lawfully from other sources and on the grounds of agreements with partners. These other sources may be, inter alia, public sources, for instance, KRS registers, CEIDG and sources of limited access, for instance, BIK, BIG. In each of the cases, the Bank verifies meticulously whether it has legal grounds for processing of personal data.

What categories of your personal data do we process?

  • Basic data, which we process, are personal, contact and identification data.
  • We also use online data (for instance, location or web browser history) based on the so-called cookies.
  • Importantly, type of processed data depends also on the relationship with the Bank.

To whom your data may be disclosed?

Authorised employees of the Bank

Public authorities and institutions authorised to demand such access

Entities that cooperate with the Bank, for instance, couriers or payment card producers

What are your rights?

  • You have the right to access your personal data, edit then, limit the processing of your personal data and many more.
  • Remember that in some cases, when you’re entering an agreement some details may be required in order to sign it.
  • You can manage the use of your data in any Bank branch, TeleMillennium careline and Millenet online banking system.

What profiling is?
Profiling allows us to use your data in a selective way, offering you products that are suited to your current or future needs.


What does automated decision making mean?

Automated decision making – based on profiling – is used in order to evaluate risk levels (when assessing your credit score, credit reliability, risk of money laundering or financing terrorism).

Principles of protection of privacy


Detailed information on the types, operation, merging with other data, changing settings or deleting cookies can be found on the Cookie policy page.