You Are Here: Home >Privacy and GDPR >Privacy Policy

 1.1.Controller – Industrial and Commercial Bank of China (Europe) S.A. (Spółka Akcyjna) Poland Branch based in Warsaw.
 1.2.Personal Data – information relating to an identified person or person identifiable by reference to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity, including the device IP, location data, internet identifier and information collected via cookies and other similar technology.
 1.3.Policy – this Privacy Policy.
 1.4.GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
 1.5.Website – an internet website maintained by the Controller, available at the domain address
 1.6.User – any individual visiting the Website or using one or several services or functionalities described in the Policy.

2.Data processing in connection with the use of the Website
 2.1.In connection with the User’s use of the Website, the Controller collects data to the extent necessary to provide the offered services, as well as information about the User’s activities on the Website. Detailed principles and purposes of processing Personal Data collected during the User’s use of the Website are described below.

3.Purposes and legal basis for the processing of data on the Website
 3.1.The Controller may process Personal Data of all persons using the Website (including IP address or other identifiers and information collected via cookies or other similar technologies):
  3.1.1.for the purpose of electronically providing services by making available to Users contents collected on the Website – in such case the legal basis for the processing is the necessity of processing for the performance of the agreement (Article 6(1)(b) of the GDPR);
  3.1.2.for analytical and statistical purposes – in such case the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) which consists in analysing Users’ activities and preferences in order to improve the functionalities applied and services provided;
  3.1.3.for the purpose of possibly establishing, exercising or defending legal claims – the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR) consisting in the protection of the Controller’s rights;
 3.2.The User’s activities on the Website, including his or her Personal Data, are recorded in system logs (a special computer program used for keeping a chronological record with information on events and activities concerning the IT system used by the Controller to provide the services). Information collected in the logs is processed primarily for purposes related to the provision of the services. The Controller also processes such information for technical and administrative purposes to ensure the security and management of the IT system, as well as for analytical and statistical purposes – in this regard the legal basis for the processing is the Controller’s legitimate interest (Article 6(1)(f) of the GDPR).

 4.1.Cookies are small text files installed on the device of a User browsing the Website. Cookies collect information facilitating the use of the website – e.g., by recording User's visits to the Website and activities carried out by the User.
 4.2.The Controller uses “service” cookies primarily for the purpose of providing electronically supplied services to the User and improving the quality of such services. Accordingly, the Controller and other entities providing analytical and statistical services for the Controller use cookies by storing information or obtaining access to the information that is already stored in the User’s telecommunications end device (computer, telephone, tablet, etc.). The cookies used for this purpose include:user interface customisation cookies, for the duration of the session or slightly longer.

 5.1.Any use of cookies for the purpose of collecting data via such cookies, including obtaining access to data stored on the User’s device, requires the User’s prior consent. Such consent can be withdrawn at any time.
 5.2.Such consent is not required only in the case of cookies whose application is necessary to provide the telecommunications services (data transmission for the purpose of displaying contents).
 5.3.The User can withdraw his or her consent for using cookies in his or her Internet browser settings. For detailed information, see:
  5.3.1.Internet Explorer:
  5.3.2.Mozilla Firefox:
  5.3.3.Google Chrome:
 5.4.The User can verify the status of his or her current privacy settings for his or her browser at any time using the tools available under the links provided below:

 6.1.The period of data processing by the Controller depends on the type of the service provided and the processing purpose. As a rule, data are processed for the duration of the service provision until such time as the consent granted is withdrawn or the data processing is effectively objected to in cases where the legal basis for data processing is the Controller’s legitimate interest.
 6.2.The data processing period may be extended where the processing is necessary to establish, exercise and defend legal claims, if any, and after the expiry of this period only in the case and to the extent required by law. Following the processing period, the data become irreversibly deleted or anonymised.

 7.1.The User has the right to access the data and to request from the Controller their rectification or erasure or restriction of processing, the right to data portability, the right to object to data processing, and the right to lodge a complaint with a supervisory authority dealing with the Personal Data protection.
 7.2.To the extent the User’s data are processed, such consent can be withdrawn at any time by contacting the Controller by mail at the address: Industrial and Commercial Bank of China (Europe) S.A. (Spółka Akcyjna) Oddział w Polsce, Pl. Trzech Krzyży 18, 00-499 Warszawa or electronically, using the email address:
 7.3.The User has the right to object to data processing for marketing purposes if such processing takes place in connection with the Controller’s legitimate interest as well as, for reasons related to the User’s special situation, in other cases where the legal basis for data processing is the Controller’s legitimate interest (e.g., in connection with pursuing analytical and statistical purposes).

8.Data recipients
 8.1.In connection with the provision of services, the Personal Data will be disclosed to third party entities, including, without limitation, providers of IT services, entities such as other banks and payment operators, entities providing accounting services.
 8.2.If the User’s consent is obtained, his/her data can also be made available to other entities for their own purposes, including marketing ones.
 8.3.The Controller reserves the right to disclose selected information concerning the User to competent authorities or third parties who require the provision of such information, relying on relevant legal basis and in compliance with the applicable law.

 9.1.The Personal Data protection level outside the European Economic Area (EEA) differs from that provided by EU law. For this reason, the Controller transfers personal data outside the EEA only when necessary and ensuring an adequate level of protection, primarily through:
  9.1.1.cooperation with the Personal Data processors in the countries for which the European Commission has issued a decision declaring that an appropriate level of the Personal Data protection is ensured therein (adequacy decision);
  9.1.2.application of standard contractual clauses issued by the European Commission;
  9.1.3.application of binding corporate rules approved by the competent supervisory authority;
 9.2.The Controller always gives notice of its intention to transfer personal data outside the EEA at the collection stage.

10.Personal Data Safety
 10.1.The Controller conducts a risk analysis on an ongoing basis to ensure that Personal Data are processed in a secure manner which primarily guarantees that only authorised persons have access to data, and only to the extent that is necessary for the tasks performed by them. The Controller ensures that all operations on Personal Data are recorded and performed only by authorised employees and associates.
 10.2.The Controller takes all necessary measures to ensure that its subcontractors and other cooperating entities guarantee that appropriate safety controls are applied whenever they process Personal Data at the request of the Controller.

11.Contact details
 11.1.The Controller can be contacted via email at the address or mailing address: Industrial and Commercial Bank of China (Europe) S.A. (Spółka Akcyjna) Oddział w Polsce, Pl. Trzech Krzyży 18, 00-499 Warszawa.

 12.1.The Policy is reviewed on an ongoing basis and updated as necessary.
 12.2.The current version of the Policy was adopted and has been in effect since 17.02.2021.