Kinstellar has successfully advised the Czech Banking Credit Bureau (CBCB) as part of an audit of its activities relating to the personal data processing carried out through its operation of the Client Information Bank Register (CIBR).
The CIBR provides information on banking clients who have or have had a loan agreement or an unsanctioned overdraft of a bank account with a bank in the Czech Republic, as well as information on loan applications. It evidences the creditworthiness or credit history of bank clients, and its outputs play an important role in the decisions of banks to approve or deny a loan. In terms of personal data processing, the 24 participating banks act as joint controllers of personal data in connection with the bank register, while its operation is entrusted to the CBCB as the data processor.
"This is a fundamental project, because the CIBR is the only register of its kind in the Czech Republic, gathering information on all banking clients in the Czech market", explains Zdeněk Kučera, Co-Head of Kinstellar's firm-wide TMT Practice. "The CIBR receives data on clients from the majority of banks and branches of foreign banks established here. The bank register is an essential source of information for banks in their decision-making for loan approval."
The CIBR is managed and operated in accordance with Section 38a of the Banks Act, which authorises banks and branches of foreign banks to inform each other about their clients and matters that testify to the creditworthiness and credibility of their clients, including through legal entities that are not banks but that are owned exclusively by banks. The CBCB, which is co-owned by five banks, acts as this legal entity.
Kinstellar carried out a detailed audit of the personal data processing performed by the CBCB as data processor within the CIBR, in line with the EU's General Data Protection Rules (GDPR). The firm also conducted an inspection of the CBCB's fulfilment of its contractual obligations and those of other sub-processors, including the Czech Credit Bureau. In particular, the audit focused on whether or not the CBCB is fulfilling all of its obligations as a data processor under the GDPR, as well as in the contractual documentation, and whether it is properly operating and processing personal data within the CIBR.
The Kinstellar team was led by Zdeněk Kučera together with `těpánka Havlíková, who specialises in personal data protection. The team also included Radek Benea, an independent IT specialist focused on security issues and other members of the TMT practice.
