Personal Data Protection
Information based on Articles 13 and 14 of the European General Data Protection Regulation (GDPR) and Law no. 9887 dated 10.03.2008, which is replaced by Law no. 124/2024 “On the Protection of Personal Data”
Through this document, we inform you about the processing of your personal data and the rights you are entitled to. The content and scope of processing your personal data are closely related to the products and services you have requested or agreed upon.
Who is responsible for data processing and whom can you contact?
Data Controller: Raiffeisen Invest SH.A Rr. Tish Daija, Kompleksi Kika 2, Tirana, Albania.
Contact details of the Data Protection Officer in Raiffeisen Group Albania:
- Mirela Idrizaj
- Phone: +355698022250
- Email: rbal.dataprotection@raiffeisen.al
What data is processed and from which sources?
We process data obtained from you within our business relationship. Additionally, we lawfully process data from publicly available sources (e.g., commercial registry, public websites, or media). Personal information includes your personal and contact details (e.g., name, address, date and place of birth, nationality, etc.) or information from identification documents or passports (such as signature and ID information). This may also include payment and clearing data (e.g., transfer orders, transaction turnover), trading and distribution data, account credits, audio and video recordings (e.g., camera footage and call recordings), login and electronic identification data (applications, cookies, etc.), financial identification data or data for anti-money laundering, compliance data, and other similar categories.
For what purposes and on what legal basis is data processed?
We process data in accordance with the European General Data Protection Regulation (GDPR) and local Law no. 9887 dated 10.03.2008 “On the Protection of Personal Data” for the purposes listed below:
To fulfill contractual obligations (Article 6(1)(b) GDPR; Article 6(1)(b) of the local law). Processing personal data (Article 4(2) GDPR, Article 3(12) local law) is necessary to provide and execute your transfer orders and to meet pre-contractual information requirements for clients. The main purpose is to provide specific products such as investment and pension funds and execute transactions. The legal basis includes the full local legal/regulatory framework governing the company’s activities. To exercise your rights regarding this processing, you may contact Raiffeisen Invest SH.A.
To comply with legal obligations (Article 6(1)(c) GDPR; Article 6(1)(c) local law). Processing personal data is performed to fulfill various legal obligations under local legislation for collective investment enterprises and private pension funds, anti-money laundering, taxation, and enforcement of court decisions. This includes reporting suspicious money laundering cases, providing information to the Financial Supervisory Authority, depository (First Investment Bank sh.a.), Raiffeisen Bank sh.a. as fund sales agent, tax authorities, investigative and judicial authorities, and bailiffs.
Based on your consent (Article 6(1)(a) GDPR; Article 6(1)(a) local law). If you have given consent for specific purposes (e.g., naming the data recipient in the consent declaration), processing will be carried out according to the agreed scope and purpose. Consent can be revoked at any time with future effect.
To protect legitimate interests (Article 6(1)(f) GDPR; Article 6(1)(f) local law). When necessary, your data is processed to protect the legitimate interests of RIAL or third parties, such as:
- General information, posts, and notifications about services, products, and market information;
- Video surveillance to collect evidence in criminal cases or verify transactions (e.g., ATM withdrawals/deposits) to protect clients and employees;
- Recording certain calls to ensure service quality or handle complaints;
- Business management and product/service development;
- Protection of clients and employees, property security, and investigation of criminal events;
- Monitoring transactions to prevent fraud, money laundering, terrorism financing, and criminal offenses, including transaction data evaluation;
- Law enforcement purposes;
- Protection in legal proceedings;
- IT security in RIAL operations;
- Prevention and investigation of violations.
To protect legitimate interests in marketing our services. Processing your data helps us:
- Provide personalized information about RIAL products;
- Develop services and products tailored to your interests and life situation;
Improve and facilitate the use of our services (e.g., apps, self-service devices). This processing continues unless you object. Data collected by Raiffeisen Invest or provided by you will be evaluated, including personal and primary data such as gender, marital status, name, date of birth, nationality, employment, employer, income data, address, contact details (phone, email, postal address), geographic location, and internal classifications (e.g., your fund balances at RIAL).
Who receives my data?
Within RIAL, only units and employees who require your data to fulfill legal and regulatory obligations have access. Additionally, contractors (mainly IT and back-office service providers) receive your data only as necessary to perform their services, under confidentiality agreements. Public authorities and institutions (e.g., Financial Supervisory Authority, Tax Authorities, General Directorate for Prevention of Money Laundering) and auditors may also receive your data as required by law. Raiffeisen Invest is obliged to maintain confidentiality about client information and may disclose it only with your explicit written consent or if legally required. Recipients may include other financial or credit institutions or similar entities. We provide only the necessary data to fulfill the business relationship. Depending on the contract, recipients may be correspondent banks, custodial banks, or other related companies. Video surveillance data may be used by competent authorities or courts as evidence in criminal or civil cases, by security services for protection, or other state bodies for law enforcement.
Are data transferred to third countries or international organizations?
Data transfer to third countries (outside the European Economic Area - EEA) occurs only when necessary for business activities, required by law, or with your explicit consent. Transfers to third countries require authorization from the local Data Protection Authority. Your data may be transferred to Raiffeisen branches or data processors in third countries outside the EU, or subcontractors of RIAL’s processors in third countries. These parties are obliged to protect data and ensure information security according to European standards. Further information can be provided upon request.
How long is my data retained?
We process your personal data as long as necessary for our business relationship (starting with contract signing and execution, ending with contract closure), in compliance with local retention obligations under Civil Code, Archives Law, and Anti-Money Laundering Law. Data archiving is subject to time limits.
What rights do I have regarding my personal data?
You have the right to access, request correction, deletion, or restriction of processing of your data stored by us. You may object to processing and have the right to data portability under GDPR and the Law “On the Protection of Personal Data.” Complaints can be addressed to the Commissioner for the Right to Information and Personal Data Protection at http://www.idp.al.
Am I obliged to provide my data?
As part of the business relationship, you must provide all necessary personal information to establish and maintain the relationship. You must also provide data required by law. Refusal to provide such data may result in refusal to enter into a contract, inability to continue an existing contract, or contract termination. However, you are not obliged to give consent for data processing if the data is not necessary for contract fulfillment or not required by law or regulations.
Is there any automated decision-making?
Generally, we do not use fully automated decision-making under Article 22 GDPR to create or develop a business relationship. If such processing is needed in a specific case, we will notify you separately as required by law.
Cookies
Our website uses cookies. Cookies are text fragments that we store on your device during your visit. We mainly use cookies for anonymized analysis of website usage. We also use cookies to provide additional functions on the website, enabling easier interaction and error-free use (e.g., facilitating navigation or saving your preferences for future visits).
Necessary Cookies: Cookies required for basic website functions are stored due to contractual obligations.
Functional Cookies: Cookies that allow us to analyze website usage are used based on our legitimate interest.
Marketing Cookies: Cookies that enable us to offer you advertising tailored to your interests are used based on legitimate interest.
Some cookies remain on your device until you delete them. They allow us to recognize your search engine on your next visit to our website (so-called session cookies). Cookies can be blocked, disabled, or deleted using various tools (including browser controls). You can find information in the “help section” of your browser. If all cookies used by us are disabled, your website experience may be limited.
Programming Language and Tracking
Our website uses cookies and other market-related controls, especially to monitor and improve our online presence (known as JavaScript and tracking pixels). All data is recorded anonymously. Using tracking pixels, we can collect information, check screen sizes, browsers, and optimize our online performance. JavaScript is a programming language used to assess user interaction, modify, reconnect, or generate requested content.