Polityka prywatności aplikacji mobilnej

Mobile App Privacy & Cookie Policy

The following information is intended for users of the mobile application of Bank Millennium S.A. ("Bank" or "Bank Millennium"). Mobile Application is special software installed on a mobile device connected to the Internet and additional devices connected to it (in particular smart watches), enabling access to bank accounts and use of banking services ("Mobile Application").

Application Users are persons who have installed the mobile application on a mobile device, including the Bank's Clients or persons authorised by the Clients.

Privacy Policy

Bank Millennium ensures data security to its Clients, including Mobile Application users. All information provided by users is protected using modern technologies, in accordance with applicable legal standards, security requirements and confidentiality rules. The Bank is actively developing its systems for protecting the privacy and security of users by implementing new organisational and technical safeguards. The Bank informs users about changes in the confidentiality protection rules via the website or other means of communication agreed with the user.

General information on using the Bank Millennium mobile application

The use of the Mobile Application is possible on condition of:

Conclusion of an agreement for access to services through Electronic Banking Channels ("EBCs");
Have active access to the EBCs;
Installation of the Mobile Application on a mobile device that meets the technical requirements;
Activation of the Mobile App and authenticating the user:

- launching the Mobile Application and entering the Millecode and password (SMS P@ssword received by SMS or answering a call made to a defined phone number and correctly performing the actions provided by the Bank and giving the Temporary Password);
- providing a Mobile Password or Password1 (if applicable) or an identifier (e.g. Social Security number or ID card);
- setting a PIN and Password1 (if not set).

Details on how to download the Mobile Application, current technical requirements, instructions for activating the Mobile Application as well as questions and answers can be found on www.bankmillennium.pl/en/electronic-banking/mobile-banking/mobile-application-individuals-business

Is the Mobile App Safe?

Communication between the Mobile Application and the Bank's transaction systems takes place using secure encryption mechanisms.

In order to increase the security of its Clients using the Mobile Application and to prevent fraud, the Bank collects the following information:

whether the basic security of the mobile device has been broken (root / jailbreak) – i.e. whether the data processed on it has at least the level of security expected by Google / Huawei / Apple (the information obtained is a yes/no answer);
device information – among others language, time zone, model, brand, phone name;
psedounique* identifiers of the phone, based on various elements related to the device (such as resolution, etc.) without components of these identifiers.

*Such identifiers are unique in relation to a certain group of clients who have similar phone settings / similar model.

The bank does not collect a list of applications. However, it is possible to analyse on a mobile device whether there are any suspicious applications installed from outside the official Google, Apple or Huawei store, which have high privileges and may pose a threat to the Client's actions in the Mobile Application – in such cases, the application identifier, its hash (i.e. the sum of the checks calculated on the installation file) and the scope of application permissions are collected.

Access to permissions or information on your mobile device

Mobile Application - depending on the operating system on which it is installed - can access permissions or functions on the mobile device, among others to:

technical data of the device (to enable verification of the user's identity),
displaying network connections, receiving data from the Internet (to check Internet access through the application and for security purposes),
using information about the Wi-Fi connection – for the purpose of generating unique application identifiers used to encrypt data and communication between the Mobile Application and the server;
gyroscope, accelerometer, the manner of using the touchscreen (for security purposes);
device memory (when using the QR transfer function);
contacts (to retrieve the e-mail address/phone number from the contact list for transfer to e-mail/telephone or to send transaction confirmations);
adding an emergency phone number to contacts (e.g. when buying OC/AC insurance);
location (to search for the nearest ATMs or branches of the Bank or to save the location on the map in the transaction history);
photos (e.g. to choose a wallpaper from your photo gallery);
still camera (e.g. to scan a QR code in the "Scan and Pay" option);
fingerprint reader (to log in and approve certain operations with your fingerprint).

A detailed catalogue of access for iOS and Android, along with an explanation of what each access is for, can be found on the www.bankmillennium.pl/en/electronic-banking/mobile-banking/mobile-application-individuals-business website in the "Application Security and Permissions" tab.

Managing access permissions

Depending on the version of the device and the version of the mobile device's operating system, the permissions are accepted before the installation of the Mobile Application or before the use of a given functionality. Permissions can also be granted by default. The permissions (functions and information of the mobile device) that the user grants to the Mobile Application are visible in the settings panel of the mobile device, where access rights can be managed (changed or revoked). Please note that a change or cancellation may result in the loss of the Mobile Application function linked to the given permission. The authorisations of the Mobile Application may also be revoked by uninstalling the Mobile Application.

Details can be found on the www.bankmillennium.pl/en/electronic-banking/mobile-banking/mobile-application-individuals-business website in the "Application Security and Permissions" subsection and in the user manuals of manufacturers: Google, Apple, Huawei.

Mobile applications use mobile device identifiers. A Device ID is a series of numbers and letters that identifies each mobile device (e.g. tablet, smartphone) and is stored in such a device. The ID can be accessed by any application that you download and install. Mobile device identifiers are used in the Mobile Application for the functioning of many processes. Applications most often use the identifier to communicate with the server.

The Device ID is necessary for processes related in particular to:
- activation of the Mobile Application,
- authorisation of payment transactions,
- virtualisation of payment cards and payments using a mobile device,
- BLIK transactions,
- purchase of public transport tickets,
- adding and displaying loyalty cards in the mobile application,
- configuration and displaying add-ons before logging in.
A device is also identified by means of the Instance ID – it is an identifier generated in the process of registration/activation of the Mobile Application; an Instance ID of the mobile application is valid until the next activation of the application. The bank also uses identifiers that enable logging in, as well as communication with the device after logging in.

Mobile applications use cookies that are not used for marketing, but are necessary for the proper operation of some functionalities of the Mobile Application. Cookies are IT data, in particular text files, saved in the memory of the end device (e.g. computer, tablet, phone) employed by the user. Cookies in the Mobile Application are used for functions that use the Webview technology in the Mobile Application, i.e. a technology that allows for the display of selected screens from websites within the Mobile Application using the Mobile Application interface. Hybrid process cookies are created by the mobile application and are used to maintain client identification/authorisation information so that a specific page, with specific functionality, can be opened without the need for additional login by the user. The owner of these cookies is Bank Millennium and they are not saved on the phone after turning off the Mobile Application.

You can find detailed information about cookies in the table below:

Cookie name	Category	Description	Validity period	Owner
userContext	necessary	Cookie required for communication between system components to provide services by the Bank	session	Bank Millennium
x_bm_auth_ret	necessary	Cookie used for authorization purposes and the proper functioning of Millenet.	session	Bank Millennium
x_bm_dcte_id	necessary	Cookie used to transfer information between system components.	session	Bank Millennium
WebformsSessionId	necessary	Session identifier for handling government applications.	session	Bank Millennium
govapp-cookie	necessary	Session identifier for handling government applications.	session	Bank Millennium
x_bm_tabid	necessary	Cookie used to identify the browser window.	session	Bank Millennium
JSESSIONID	necessary	Cookie used for authorization purposes and the proper functioning of Millenet.	session	Bank Millennium
_genesys.widgets.app.autoLoadList	necessary	Cookie required for client communication with a consultant.	session	Bank Millennium
_genesys.widgets.webchat.metaData	necessary	Cookie required for client communication with a consultant.	session	Bank Millennium
_genesys.widgets.webchat.state.index	necessary	Cookie required for client communication with a consultant.	session	Bank Millennium
_genesys.widgets.webchat.state.keys	necessary	Cookie required for client communication with a consultant.	session	Bank Millennium
_genesys.widgets.webchat.state.open	necessary	Cookie required for client communication with a consultant.	session	Bank Millennium
_genesys.widgets.webchat.state.ping	necessary	Cookie required for client communication with a consultant.	session	Bank Millennium
_genesys.widgets.webchat.state.session	necessary	Cookie required for client communication with a consultant.	session	Bank Millennium
dtCookie	necessary	Cookie used by the system diagnostic tool.	session	Bank Millennium
dtLatC	necessary	Cookie used by the system diagnostic tool.	session	Bank Millennium
dtPC	necessary	Cookie used by the system diagnostic tool.	session	Bank Millennium
dtSa	necessary	Cookie used by the system diagnostic tool.	session	Bank Millennium

In the process of registering the Mobile Application, the Bank obtains information on the type of mobile device (e.g. make, model), which is transferred to the Bank and used to identify the Mobile Application and the mobile device.

When the user connects to the Mobile Application, the Bank may also gain access to information about the IP number, the time of the user's connection to the Mobile Application and use the identifier allowing for tracking events in the Mobile Application.
The information that the Bank stores on the user's mobile device is necessary for the proper functioning of the Mobile Application and the provision of services through it. Mobile apps sometimes also use mobile device identifiers for marketing purposes, which are provided by the mobile device's operating system and can be reset by the user. The Bank does not use such identifiers in the Mobile Application. The rules for displaying marketing and commercial information in the Mobile Application are described in the subsection "Marketing and commercial information in the Mobile Application", and the rules for data processing in "Processing of personal data".
DeviceID is a unique series of numbers and letters assigned to a mobile device and cannot be changed or reset by the user themselves. This identifier can be accessed by any application that you download and install.

The activities related to the storage and sending of cookies and the use of identifiers performed by the mobile device are not visible to the user. There is no way to disable them through the settings. A user who does not accept the use of identifiers or cookies should not install or log into the Mobile Application. If you object to the use of cookies or identifiers while using the Mobile Application, you should uninstall it.
The following information is used or technically transferred to communication between the Bank's servers and the mobile device after logging in:
- Mobile Application installation/activation ID (the above-mentioned Instance ID)
- a unique identifier of the mobile device (the above-mentioned Device ID),
- information about the language of the mobile device (Accept-Language)
- information about the platform used (iOS/Android/Huawei)
- information whether the mobile device uses Google or Huawei services (GMS or HMS, Mobile Services)
- information about the version number of the Mobile Application,
- type/kind of user's mobile device (User-Agent),
- "token", which verifies the user's session on the mobile device, including checking if the session is still ongoing and valid (Authorisation token)
For communication between the Bank's servers and the mobile device before logging in, a solution similar to a cookie/token based on the Device ID is used, necessary to maintain the configuration of widgets before logging in.

Processing of personal data

Online identifiers such as IP addresses, mobile device identifiers, cookie identifiers may constitute personal data for the Bank.

Below you will find detailed rules regarding the processing of your personal data in Bank Millennium S.A. You will find out, among others, for what purposes and for how long the Bank processes or will process your personal data. You will learn about the categories of entities that may have access to your personal data, as well as what rights you can exercise in connection with the processing of your personal data. The scope of information provided meets the requirements resulting from EU regulations on the protection of personal data, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council, also known as the General Data Protection Regulation. The Bank - as the data controller - will make every effort to meet the requirements of the Regulation to the fullest extent possible and thus protect your personal data.
The controller of personal data of Mobile Application users is Bank Millennium S.A. z siedzibą w Warszawie:
- address: ul. Stanisława Żaryna 2A, 02-593 Warszawa,
- telephone: (+48) 801 331 331 or (+48) 22 598 40 40 – for people calling from mobile phones and from abroad (the cost of the call according to the operator's tariff),
- e-mail: kontakt@bankmillennium.pl.
The Data Protection Officer supervises the proper processing of personal data at the Bank:
- aaddress: Data Protection Officer, Bank Millennium S.A., ul. Stanisława Żaryna 2A, 02-593 Warszawa,
- e-mail: iod@bankmillennium.pl.
You can contact the Officer in all matters related to the processing of personal data, also in case of doubts as to your rights.

The Bank guarantees that it will process your personal data only for specific, explicit and legitimate purposes and does not further process it in a manner inconsistent with these purposes. The purpose of the data processing is the reason why we process your personal data. If the Bank wants to process your personal data for other purposes – not indicated below – you will then be separately informed about this new purpose. The table below shows the purposes of the data processing. Each of the following purposes has been thoroughly assessed by the Bank in terms of compliance with the provisions of the Regulation and the regulations governing the Bank's operations. The table below indicates the purpose of the data processing and its respective legal basis. Your personal data will be processed for a period of time appropriate to achieve the indicated purposes.

Depending on your relationship with the Bank, your data is processed for the following purposes:

Purpose	Explanation	Legal basis	Length of data processing period
Performance of an agreement to which you are a Party or taking action at your request prior to entering into an agreement	This refers to all activities aimed at preparing for the conclusion, performance or termination of an agreement (e.g. a loan agreement, a bank account agreement, an agreement for access to services through electronic banking channels), as well as the performance of other legal actions related to the agreement.	Regulation, Article 6(1)(b)	Until the application for the Bank's product or service is considered, including the completion of all activities preceding the conclusion of the agreement with the Bank, and in the case of concluding the agreement with the Bank, until the end of the agreement. Both during this period and after its end, the Bank may process personal data based on other purposes and legal grounds indicated below.
Performance of an agreement to which you are not a Party or taking action at the request of another person prior to entering into an agreement	This refers to all activities aimed at preparing for the conclusion, performance or termination of an agreement to which you are not a party (e.g. you have been appointed as an attorney, you are a representative or other person indicated by the Bank's client), as well as to perform other legal actions related to the agreement.	Regulation, Article 6(1)(f)	Until the application for the Bank's product or service is considered, including the completion of all activities preceding the conclusion of the agreement with the Bank, and in the case of concluding an agreement with the Bank, also until the termination of the agreement to which you are not a party. Both during this period and after its end, the Bank may process personal data based on other purposes and legal grounds indicated below.
Fulfilling obligations arising from legal provisions or performing tasks in the public interest	In this case, the Bank processes personal data in order to fulfil the obligations imposed by law or to perform tasks in the public interest, e.g. to set up a Trusted Profile. In particular, we are talking about the fulfilment of the Bank's obligations in connection with the conduct of banking activities and the performance of concluded agreements, archiving, identity confirmation (e.g. in the process of remote verification), creditworthiness assessment and credit risk analysis, as well as the performance of notification obligations towards authorised authorities, e.g. the Polish Financial Supervision Authority. Such obligations arise from, among others, the Banking Law (including the obligation of special care in ensuring the security of the funds stored), the Act on Counteracting Money Laundering and Terrorist Financing, the Payment Services Act, the Act on the Implementation of the Agreement between the Government of the Republic of Poland and the Government of the United States of America on Improving the Compliance with International Tax Obligations and the Implementation of FATCA Legislation, the Act on the Exchange of Tax Information with other Countries, the Accounting Act, the Tax Law, the Competition and Consumer Protection Law, the Act on Complaint Handling by Financial Market Entities and the Financial Ombudsman, and the Act on Trading in Financial Instruments.	Regulation, Article 6(1)(c) or Regulation Article 6(1)(e) or Regulation Article 9(2)(g) in connection with individual provisions of law imposing obligations on the Bank, among others indicated in the Explanations.	– With regard to calculations related to statistical methods for calculating methods and models specified in the banking law – for a period of 12 years from the date of expiry of the liability. – If the Bank is interested in credit products offered by the Bank for the period necessary to measure the risk of default by debtors and to manage the risk (internal ratings). – With regard to the processing of personal data for the purposes of tax documentation – for a period of 5 years from the end of the calendar year in which the tax payment deadline expired. – With regard to the processing of personal data for the purposes of accounting documentation – for a period of 5 years from the end of the calendar year in which operations, transactions and proceedings have been/will be finally completed, repaid, settled or expired. – With regard to the processing of personal data for the purposes of counteracting money laundering and terrorist financing – for a period of 5 years from the date of termination of business relations with the client or from the date of an occasional transaction. – In order to provide explanations regarding the assessment of creditworthiness made by the Bank – no longer than for the period in which the Bank is authorised to process your data, among others for the purpose of credit risk assessment. – For the duration of processing the complaint. – Pursuant to Article 79b of the Banking Law, for a period of 5 years from the date of termination of the function or from the date on which the conditions referred to in the above-mentioned provision ceased to be met. – In other cases – until the Bank fulfils its obligations specified in individual provisions of law or performs tasks carried out in the public interest.
Purposes pursued within the framework of the so-called legitimate interest of the data controller	The purposes pursued within the framework of the so-called legitimate interest of the controller are: - ensuring the security of persons and property of the Bank, including monitoring of the Bank's branches, while maintaining the privacy and dignity of persons, - ensuring the security of transactions, in particular the prevention of fraud, - adjusting the content of the Bank's websites, depending on the behaviour of the persons displaying them, - maintaining client identification/authorisation information - ensuring the proper functioning of the Mobile Application, including the provision of services by the Bank through it - if applicable, for purposes related to the conduct of litigation, as well as proceedings before public authorities and other proceedings, including for the purpose of pursuing and defending against claims, - internal administrative, analytical and statistical purposes, including analysis of the loan portfolio, statistics and internal reporting of the Bank and within the Bank's Group, - organisation and conduct of competitions in accordance with the provisions of the regulations, - marketing of the Bank's products and services carried out by providing commercial information during meetings or by traditional mail, and in the case of obtaining relevant consents, also electronically or by phone, - implementation of communication via the Bank's website and mobile application, - responding to client requests submitted via the contact form on the Bank's website, by phone, e-mail, letter to the address of the Bank's registered office or at the Bank's branch. When assessing whether the indicated objectives are justified, the Bank takes into account whether your interests, rights or freedoms do not override the legitimate interests of the Bank.	Regulation, Article 6(1)(f)	– For up to 3 months in the case of video surveillance. – Until the Bank's legitimate interest constituting the basis for this processing is fulfilled or an effective objection to such processing is filed, no longer than until the end of the calendar year in which the relevant limitation period for the claim expires. – In the event that a dispute is pending or proceedings are pending during the above-mentioned period, in particular court proceedings, personal data will be processed for the period determined in accordance with the applicable provisions of the Civil Code governing the limitation periods, which will be counted from the date of termination of the dispute or final termination of the proceedings.
Implementation of activities carried out on the basis of granted consents	In particular, it can be: - marketing of services and products of entities cooperating with the Bank, - processing of information constituting banking secrecy (including for the purpose of credit risk analysis) after the expiry of the liability.	Regulation, Article 6(1)(a)	– Until the consent is withdrawn. – With regard to the processing of information constituting banking secrecy for the purpose of credit risk analysis – after the expiry of the obligation under the agreement concluded with the Bank, until the consent is withdrawn.

The Bank processes your personal data obtained directly from you (e.g. data provided on forms) or obtained from other sources, e.g.
- publicly available sources, e.g. PESEL register, Register of Identity Cards, National Court Register (KRS), Central Registration and Information on Business (CEIDG), REGON database,
- sources with limited access, e.g. BIK, BIG.
Depending on your relationship with the Bank, your data may also come from, for example, the person granting you a power of attorney, the company that indicated you to contact or perform certain activities, or your statutory representative.

In each of the indicated cases, the Bank scrupulously verifies whether it has a legal basis for the processing of personal data.
Depending on your relationship with the Bank, the Bank may process the following categories of personal data obtained from you or third parties:
- identification data (e.g. name and surname, registered address, series and number of an ID card, PESEL),
- contact details (e.g. telephone number, e-mail address, correspondence address),
- socio-demographic data (e.g. nationality, form of employment, number of dependents),
- behavioural data (e.g. data on the use of the Bank's services),
- communication data (e.g. data resulting from communication with you),
- audio-visual data (e.g. data related to the recording of conversations or image for security and evidence purposes, facial image for the purpose of confirming identity in the remote verification process),
- if you are a party to an agreement concluded with the Bank:
  
  - transactional data (e.g. details of transactions carried out),
  - data on family, legal and property connections (e.g. when you submit an instruction for a contribution in the event of death),
  - financial data (e.g. account balance, source of income, asset information),
  - contract data (e.g. details of concluded agreements, liabilities), including, if you use electronic banking services:
  - technical data (e.g. identifiers and details of the device you are using),
  - location data (e.g. location data of the place where transactions are made using the mobile application),
  - browsing history data (e.g. data necessary to maintain proper exchange of information between the server and the browser when using Millenet).
Access to your personal data – within the Bank's organisational structure – will be granted only to employees authorised by the Bank and only to the extent necessary. In certain situations, your personal data may be disclosed by the Bank to recipients outside the Bank's structure. In such a situation, the Bank always carefully examines the legal basis for the disclosure of personal data. It should be noted that the recipient of data within the meaning of the Regulation is both the entity that processes personal data on behalf of the Bank and the entity to which the data is made available for its own purposes (e.g. public administration bodies).

Depending on your relationship with the Bank, the recipients of your personal data may be:
- public authorities or entities authorised to request access to or receive personal data on the basis of legal provisions, e.g. the Polish Financial Supervision Authority, the Ministry of Finance, the General Inspector of Financial Information, the National Tax Administration, the Bank Arbitrator, the President of the Office for Personal Data Protection,
- entities to which the Bank entrusted the processing of personal data on the basis of concluded agreements, e.g. courier delivery providers, payment card manufacturers, companies providing photoinspection services, companies involved in the production of mass printouts, IT and other service providers processing data on behalf of the Bank, franchise branches, instalment partners,
- banks or other institutions that may receive personal data in connection with the performance of banking activities (e.g. banks intermediating in the execution of transfers) and on the basis of legal provisions, e.g. BIK, economic information bureaus, as well as the Polish Bank Association,
- depending on the scope of services you use - entities participating in processes related to the implementation of domestic and foreign agreements and transactions, e.g. KIR, VISA, Mastercard, SWIFT, entities providing telecommunications services.
- In the case of international agreements and transactions, the data may be transferred outside the European Economic Area (EEA), including to the territory of the United States of America. In the above-mentioned circumstances, the Bank will transfer personal data to countries outside the EEA whose level of data protection has not been deemed adequate by the European Commission only to the extent permitted by law, e.g. with the use of appropriate safeguards in the form of standard data protection clauses adopted by the European Commission or in the cases indicated in Article 49(1) of the Regulation. Copies of any collaterals referred to above or information on their availability can be obtained by contacting the Bank at the correspondence addresses indicated in points 1 and 3,
- insurance companies – if you use insurance products,
- entities providing advisory and control services, e.g. audit firms,
- entities processing data for the purpose of debt collection or legal representation, e.g. law firms,
- entities to which you have consented to the sharing and processing of your personal data,
- entities within the Bank Millennium S.A. Group responsible for the performance of contractual, reporting and information obligations.
A detailed list of recipients of personal data is available on www.bankmillennium.pl/en/data-protection.
Detailed information about your rights:
- you have the right to access your personal data, including obtaining a copy of the data,
- if you decide that your personal data processed by the Bank are inconsistent with reality, you have the right to rectify or supplement them,
- you have the right to request the deletion of your personal data in cases provided for by law,
- you have the right to request restriction of the processing of your personal data,
- you have the right to object to the processing of your personal data in the case of processing them for the purpose of pursuing the legitimate interest of the Bank or performing tasks in the public interest,
- you also have the right to receive your personal data from the Bank in a structured format and to transfer your personal data to another controller.
- in the case of data transfer, due to other legal regulations, e.g. banking law, it may be necessary to obtain your or another person's consent or meet other conditions required by these regulations.
- you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or otherwise significantly affects you, unless the decision is necessary for the performance of an agreement, is permitted by law or you have previously given your explicit consent,
- in cases where data processing is based on your consent, you have the right to withdraw your consents for individual purposes of processing at any time.
- you can withdraw your consent at the Bank's Branch, by phone, in Millenet and in the Mobile App. Withdrawal of consent does not affect the lawfulness of the processing carried out until the consent is withdrawn.
In the case of concluding an agreement or transaction, providing data is voluntary, but necessary for their implementation.

If you find that the processing of your personal data by the Bank violates the provisions of the Regulation, you have the right to lodge a complaint with the supervisory authority, i.e. the President of the Office for Personal Data Protection.

Details of your rights related to data processing can be found on www.bankmillennium.pl/en/data-protection.
Your data may be processed in an automated manner, including profiling. Profiling is a form of automated data processing that involves the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Sometimes, the processing methods described above may result in decisions based on them being issued to you.

Depending on the relationship between you and the Bank, your data may be processed in an automated manner, including profiling in the situations indicated below - importantly - in cases where automated decisions are made that have legal effects on you or significantly affect you in a similar way, the following explanations also contain important information about the principles of making them, and the significance and envisaged consequences of such processing for you. If you are subject to a decision based on automated processing in other cases, you will be informed about it separately - together with information about the principles of making such a decision and its significance and expected consequences.
Your data is used to tailor offers based on the analysis of your relationship with the Bank, characteristics, behaviours and needs, including information on your products and identification, socio-demographic, financial, transactional, technical, location data, as well as your previous credit history and creditworthiness assessment. When creating profiles, the Bank limits their detail to the assumptions of a specific offer, i.e. it selects and analyses only the necessary data and is guided by the principles of reliability and non-discrimination. Profiling results in the Bank being able to match and direct you with the best possible offers. Profiling and not using the offer prepared on the basis of it does not in any way limit the possibility of using products and services.
Your personal data is used in the process of assessing the risk of money laundering and terrorist financing conducted on the basis of the AML Act, which takes place both at the stage of establishing a relationship with the Bank and within its duration, as part of regular reviews. On the basis of the information and documents provided by you, taking into account, among others, criteria such as the type of client, purpose, duration of business relations, type of products, transaction history, geographical risk and verification in terms of taking a politically exposed position and possible previous activity of increased risk, the Bank performs profiling, which results in the determination or update of the risk group. If, as a result of such profiling at the stage of establishing a relationship, you are classified as a high-risk group, the Bank may refuse to conclude an agreement with you;

Your personal data during the relationship with the Bank will also be subject to profiling in order to identify, in accordance with the AML Act, cases indicating the possibility of money laundering or terrorist financing. In this case, criteria such as the type of client, type of business relationship, transaction data, citizenship, geographical area, as well as previous high-risk activity are taken into account, among others. If the Bank has a reasonable suspicion of money laundering or terrorist financing, it may result in termination of the agreement, refusal to conclude another agreement with you in the future and/or refusal to extend the current relationship with further products offered by the Bank, as well as reporting such actions to the relevant state authorities.
In the case of financial services specified in the financial services agreement and in the case of investment advisory services, the information obtained in the investment questionnaire regarding, among others, education, investment experience, knowledge of investment products, financial situation, investment objectives, tolerance of investment risk, will be used to assess your knowledge and experience in investing in financial instruments, financial products and services and to correctly defining the target group. If it is determined that there is insufficient knowledge about the service covered by the agreement you intend to conclude, the Bank may refuse to conclude the agreement.
In order to ensure the security of transactions and prevent fraud, the bank uses profiling that takes into account information about the characteristics of your transaction, including the manner in which it is executed, other previous transactions and statistics on the risk of infringement for individual types of transactions. In justified cases, i.e. in particular when the Bank suspects a breach of the security of a payment instrument, its unauthorised use or leading to an unauthorised transaction, it is possible to make an automated decision against you to refuse to perform a payment transaction made by card or available electronic banking channels.
Your personal data is used to assess your creditworthiness and/or analyse your credit risk. The Bank assesses creditworthiness and borrowing capacity based on data including, in particular, information on your current liabilities, information on the history of servicing other products and services, as well as other data admissible in accordance with Article 105a(1b) of the Banking Law provided by you in the application for concluding an agreement with the Bank and information obtained from external databases of confirmed quality recognised on the market, such as databases maintained by the Bank Association, Polish Credit Information Bureau or Economic Information Bureau. In the process of assessing creditworthiness and borrowing capacity, statistical models are used, as a result of which your ability and borrowing capacity to incur liabilities to the Bank are assessed. The result of profiling assessing your creditworthiness and borrowing capacity is that the Bank makes a decision on whether to grant or refuse to grant a credit product.

In connection with the Bank's performance of its obligations in the field of credit risk and capital management, assessment of prudential requirements, including the assessment of portfolio credit risk, your personal data, i.e. among others credit history, demographic data, transaction history, as well as the previous assessment of your creditworthiness and borrowing capacity, may be profiled. Such profiling will not have any consequences for you.
As part of debt collection activities, your data, such as socio-demographic, financial and behavioural data, will be profiled in order to determine how the debt is served, as a result of which the liability may be transferred to automatic processing. In justified cases, i.e. in the event of non-repayment, despite the request, of the due liability under the agreement, the Bank automatically makes a decision to terminate the agreement based on your data including information about the concluded agreements, financial situation and debt collection actions taken both in the Bank's internal and external databases, such as the Credit Information Bureau or the Economic Information Bureau.

If you are subject to a decision based on automated processing in other cases, you will be informed about it separately - together with information about the principles of making such a decision and its significance and expected consequences.

Marketing and commercial information in the Mobile Application

The Bank does not use marketing cookies or mobile identifiers for displaying advertisements in the Mobile Application, however, marketing and commercial information may be displayed in the User's Mobile Application.

Marketing campaigns are addressed to the user, taking into account the statements expressed by the user in relations with the Bank, including the marketing consents granted indicating the form of receiving marketing and commercial messages preferred by the Client. The Mobile Application is only one of the Bank's communication channels in this respect. Information on the rights that the Client has in connection with the processing of data for the purpose of providing marketing and commercial information can be found in the "Processing of personal data" subsection.

Not agreeing to the Mobile App Privacy and Cookie Policy

If you do not agree to this privacy and cookie policy, you should not install the Mobile App or, if it has been installed, uninstall it.

Useful links

Details about the Mobile App www.bankmillennium.pl/en/electronic-banking/mobile-banking/mobile-application-individuals-business.
Bank's Privacy Policy and Information Clauses: Data Protection - Bank Millennium.

Mobile App Privacy & Cookie Policy

Privacy Policy

General information on using the Bank Millennium mobile application

Is the Mobile App Safe?

Access to permissions or information on your mobile device

Managing access permissions

Information stored on your mobile device

Processing of personal data

Marketing and commercial information in the Mobile Application

Not agreeing to the Mobile App Privacy and Cookie Policy

Useful links

Bottom navigation

Call to us