General Information on Personal Data Protection

The NLB Bank continuously develops and improves our services to meet your needs. Therefore, collecting and processing some personal data allows us to adapt to your needs and preferences faster and better; for you, they provide more effective communication with us and better user experience.

Protecting your privacy is important to us, so we provide this information to help you understand which of your personal data we are collecting, why we are collecting them, how we use them, what procedures we implement, what your rights are and how to enforce them.

We store and protect personal data in a way that prevents any undue disclosure of data to unauthorized persons. We undertake not to transfer; lender sell personal data to third parties without prior notice and obtaining your consent. In all cases, we will ensure adequate safety measures and process personal data only within the framework of lawful legal bases and for the selected purposes. 

Your personal data manager is:

NLB Bank J.S.C Pristina, Ukshin Hoti street, number 124, 10000, Pristina (hereinafter: NLB Bank).

In the NLB Bank, the Personal Data Protection Officer (DPO), is available at:

Email: dpoprishtina@nlb-kos.com

Phone number: 038 744 991 / 115

By regular mail: NLB Bank J.S.C, Compliance and Integrity Sector, Str. Ukshin Hoti, No. 124, 10000, Pristina.

The NLB Bank processes personal data to perform inprocessinging services and measures before concluding an agreement and during the execution of a contract with you, such as the opening and administration of accounts/banking packages, deposits, direct debits and standing orders, making payments, various savings schemes, loans, guarantees, letters of credit, purchasing securities, insurances, stock brokerage, sending SMS messages about the account balance and transactions made with payment cards, processing of complaints and managing contacts with an individual using various channels.

When NLB Bank processes your payments through the correspondent network of banks or exchanges messages related to resolving complaints or related to guarantee and documentary materials, the data is also processed by SWIFT (S.W.I.F.T. SC, Avenue Adele 1, 1310 La Hulpe, Belgium), which provides the network for interbank connection - Society for Worldwide Interbank Financial Telecommunication. In this case, NLB Bank and SWIFT act as joint controllers (more information is available at this: link).

The NLB Bank processes personal data to fulfill legal and other regulations, especially those regulating banking and payment services, and relevant European law, especially the obligation of reporting, customer checking (money laundering and terrorist financing prevention) and risk management. For example: the Bank may perform an enquiry and obtain information about your personal and other data, especially employment, movable and immovable property, receivables, interests, shares and other securities, account numbers at other banks and  payment institutes, and other property, residence, tax number and other data from other managers, if the NLB Bank did not have it or if you would not personally submit them to the Bank despite our request, yet these data were required to fulfill contractual obligations, or there was a legal basis for such enquiry. The NLB Bank may also process personal data in the case of court decisions it receives for enforcement (e.g. inheritance decisions, enforcement orders). The legal basis for processing personal data is also the legal requirements for keeping updated records.

The NLB Bank processes personal data also based on our legitimate interest, which indicates our responsibility towards you and maintains the range of services offered on the market that will fulfill your expectation; here we carefully weigh our interests and your rights to privacy. Examples of data processing based on legitimate interest:

• with measures to prevent, detect and investigate fraud and other harmful conduct;
• in video surveillance (for example in branch offices or ATMs) and similar measures, in particular, to prove transactions and to ensure the protection of assets of customers and employees;
• when recording phone or video conversations (e.g. when concluding deals, in case of complaints, etc.);
• in product range development and management measures;
• in the execution of marketing campaigns;
• in the restructuring of clients in financial distress;
• in communications with corporate customers;
• in market research, business analyses and analyses aimed at making business decisions;
• upon inviting the customer to rate the service after it has been provided.

Personal data processing can also be based on an individual’s consent that allows the NLB Bank to use their personal data for purposes defined in the consent, namely:

• For marketing activities, such as sending news, general notifications about the product range, novelties, benefits, events, prize games and other news important for an individual segment of users of banking services and the wider public;
• For sending information about services, new products/ services and special offers adapted to your interests, based on profiling used by the NLB Bank for this purpose. Profiling, i.e. The formation of profiles, means any type of automated personal data processing including the use of personal data to estimate certain personal aspects related to an individual or group of individuals, especially to analyses or predict work performance, the economic situation, health, personal taste, interests, habits, reliability, behavior, location or movements of the individual;
• To conduct surveys or questionnaires to assess the satisfaction, use of services and market channels with the aim of adaptation and improving the range of products/services.

These purposes include content related to NLB Bank, the companies from the NLB Group and contractual partners of NLB Bank, yet your data will not be given to these companies.

If you do not give your consent to perform these purposes of personal data processing, give it partly or partly cancel the consent, we will inform you only in cases and in the scope of the consent you gave, in ways permitted by applicable law (such as general notifications, fulfilling the Bank's obligation about a service you are using).

The consent is given voluntary, and if you decide you do not wish to give it, or cancel it later, this does not impair your rights arising from your business relationship with the NLB Bank and does not represent additional expenses or aggravating circumstances. The conclusion of the contract and provision of banking services do not depend on the consent.

The NLB Bank obtains personal data from various sources. In most cases, they are directly given by customers who select an individual banking service. They are also obtained indirectly through the use of banking services. We generate some data by processing data for reporting, analyses, etc. We can also use other information on individuals that can be accessed or were sent to us from public sources, such as a decision, order or other legal act, provided to the bank by one of the parties to the litigation (public records, databases, internet applications, mobile applications, social networks or other public sources of information). All collected data and information are processed by employees of the Bank only in the framework and for our work. Personal information that has not been directly obtained from an individual is made available by the data controller at the request of the individual.

• basic identification and other data for identification and contact data

Your personal information name and surname, date of birth, place of residence, personal number, tax number, phone number and/or e-mail address, that we need to send you messages. Otherwise, you will not be informed about our special offers and product/service range. These are the basic identification and contact data required to conclude the business or for notifications about the offer.

• socio-demographic information

These are standard statistical data, for example, your age, address of residence, gender, level of education, income, etc. These data are usually disclosed when you begin to use our services, or we deduce them from other available data.

• information about other companies

When you place a loan order, the source of your income must be listed. If you are employed, we will ask you to state the title and name of your employer, if you lead a company, to give the name of your company. If you have never applied for a loan at the NLB Bank, we do not know whether you are employed and by whom, or if you are self-employed. Similarly, NLB Bank can find suitable services for the whole family, if we have the information for your relatives that have account at the NLB Bank.

• data about transactions

Our systems record and save every payment made from your account or with your debit or credit card or via online, mobile or telephone banking, as well as any cash withdrawal from ATMs, transactions made on your behalf following your request, and payments made to your account. Each transaction contains additional information, such as the amount of the transaction, remittance account number, name and number of the merchant POS terminal used to make the payment, address or location of the merchant, date and the time of the payment, as well as text or comments. From such information we can also make conclusions about your behavior related to transactions, i.e. do you frequently pay by card rather than withdrawing cash from ATMs how often, where, what your income is, does your income come from several employers, in which stores your shop, how much you pay for your shopping, etc. All this helps us to offer you accessible and useful services.

• information about the channels and applications used

You can contact the NLB Bank through various communication channels and points of sale (phone, video call, online banking, the web and mobile application NLB mKlik, etc.). During registration, transactions and other activities your computer automatically sends your IP address to the NLB Banks’s server you accessed. In this way, we can detect the number of the network and sub-network in which your computer is located. If you allowed the use of cookies in your browser, these provide the smooth operation of the website with all functionalities and better user experience. Read more about cookies on the webpage Cookies. We can also determine the duration of your login, which activities you performed in the applications, which data you entered forms - all this for security reasons. Information about your operating system and its version and technical data about the devices you are using help us to ensure that our web pages and services will be displayed correctly on your devices, as this is the only way to continuously improve our services and adapt them to your technical needs.

• information about your use of NLB eKlik and mKlik

NLB eKlik and mKlik digital bank allows you to perform the NLB Bank banking services via a web browser or a mobile application. To provide you with its full range of functionalities, improve the security, the user experience and adapt the content to your interests, the application requires access to following data and components stored in your mobile device:

• access to your camera because of the functionality Scan and Pay, which allows you to capture data from the payment order with your camera and transfer them to the UPN payment order in the NLB mKlik mobile bank;
• access to your location to show the nearest Branches and ATMs. It can access your location only when it is in use and you can see it on your display.

The decision on which information you would like to share in NLB Klik is up to you and you can:

• Restrict the access of the mobile application to camera and location by changing the settings on your mobile device. Please note that if access is restricted some of the functionalities will not function as provided above;
• Restrict access to information about your device, mobile application details and user details by changing the settings on mobile application.

The NLB Klik web and mobile application collects certain data for the purpose of statistical analysis, using the built in analytical tools:

• Device Details: The Bank needs information about the device you are using to be able to upgrade the application, test and approve mobile devices, improve the application and its functionalities and for statistical analysis at the level of user groups. Information about mobile devices that are tracked, is for example, brand, type of device (e.g. a mobile phone or tablet), model, operating system, language settings.
• Application Details: The Bank needs information about how the mobile application is used for statistical analysis at the level of user groups, which serves as a basis for customizing the functionalities to the users’ needs, optimizing its performance, enhancing the security and user experience and adapting its content to your interests. With this data we track which online store you used to download or upgrade the application, which version has been installed, how long you have been using NLB Klik, which functionalities you use and how you use them (e.g. which screens are accessed, for how long, etc.).
• User Details: User details are very important to us, because they help us understand our users’ characteristics and needs. For this purpose, we collect information about your age, gender, interests and country of residence, which is again statistically analyzed at the level of user groups, which means that a relevant user could not be identified on the basis of collected data.

• information about your use of services of the NLB and other members of the NLB Group

For targeting activities, we use the information about which services of the NLB or other Group members you are already using, for how long, under what conditions and did you keep or cancel them. We know how often you use payment cards issued by the NLB and where, in what amounts and for what purposes the payments are made. If you raised a loan from the NLB Bank, we could use the information about the amount and date of a certain instalment or faults. If you have a savings account at our Bank, we know how often and how much you remit to it. In the environments of online, mobile, phone and video banking we collect information about the options you selected (selected fields, type of entered information and forms, etc.). We also process the information how often you register into applications for online and mobile banking, phone and video banking and did you perform any action while you were logged in (i.e. made a payment, held a session with banker).

• contacts with the NLB Bank

We keep records of our contacts with you, especially the date (possibly also the time) of the contact and the reason for it. This applies to all kinds of contacts (phone, video call, SMS, mail, e-mail, branch office and other). We record these contacts to avoid calling several times for the same purpose. Whenever we notify you about an offer, we save the information whether you accepted or not, to avoid offering you the same products or services several times. We also keep records about when you had conversations with NLB Bank counselors and other NLB Bank officials.

• social networks

For our marketing campaigns we also use social networks such as Facebook and although we do not store data published on your profile, we use them to improve the targeting of our marketing activities, of course only if you consent to this when you use these social networks. For us, social networks are a channel to address our customers and targeting is an added value. In the context of third-party cookies, we offer an even better user experience, sharing contents across different social networks, as well as adapting our offer to your wishes and needs, that can be read from your previous browsing. Data collected with the help of these cookies is available for the NLB Bank as well as service providers. Your consent for social networks can be edited under Cookies.

• records of communication

When you call us on the phone or via video call, we may ask you before the call to consent for the call to be recorded. In some cases, the calls must be recorded because this is a legal requirement, or to be able to prove that we followed your instruction or that the contract has been validly executed or that we are acting in line with our legal obligations. You are notified in advance of any recording.

• geolocation data

Information on payments made with the NLB Bank payment instruments (debit or credit card, online, phone, video banking) and applications used for mobile banking include geolocation data. These data precisely define the GPS coordinates (or the address point of a certain transaction, depending on the physical location of the merchant’s payment terminal). At registration, we read your location from specific logs. We also use geolocation data when you visit our web pages and when you use the NLB mobile applications to provide you with contact information and help you find the closest consultant or branch office.

• information about your creditworthiness

When you apply for a loan, the law demands that we must check your creditworthiness in the CRO system (Credit Registry Office). This information is used to calculate your creditworthiness or ability to pay your debt. In addition to the information in the CRO system, to calculate your creditworthiness or credit ability, we also use information stored in our systems (such as information about the operations with your personal account transactions, payments of loans in the past) and the systems of our contractual data processors. Based on this data we can offer you a loan with characteristics we evaluate as the best for you.

• external sources

We want to be sure that our offer will be appropriate for you. Therefore, we sometimes use data from external sources, when our own data is not sufficient for targeting. Such sources include mostly public registers and records, for example, the business entity register (e.g. business identification registry, CRO etc.).

• surveys, research and user testing

We are interested in the opinion of our customers about our existing services, ads and what type of services you wish, so we would like to ask you about this in surveys and research. In this way, we usually obtain the average results representing the entire group of respondents. When developing new services, we also use other approaches, for example, we ask our customers how they like the new versions of applications etc. and perform a so-called user test to find out will they find the new service attractive and easy to use.

• data and information to process so we can act in line with our legal obligations

These are the data we must collect, evaluate and store for a certain amount of time, to act in line with our legal obligations. These are for example the obligation of keeping updated records and to archive data under various laws regulating business activity, or the collection and evaluation of data to prevent money laundering and terrorism financing and other legal requirements, such as the enforcement of court decisions. These data can, for example, include the source and origin of your income, mutual capital connections, nationality, citizenship, address of residence, area of activity, political exposure etc. Based on your consent, or if there is any other legal foundation, we can use this data for other purposes too, in line with your wishes. 

• NLB Bank Employees

Your personal data is processed by NLB Bank systems and individual employees who require this data for their work and may also share it with other bank employees. This means that any information you gave to the bank consultant will be available also to other NLB Bank employees, for example, employees in marketing, for marketing purposes.

• contractual data processors

In addition to NLB Bank employees, users of personal data are the employees of the Bank’s contractual data processors who may process your data only pursuant to a certain law, contractual provisions, approval or your consent. These are, for example, printers who print various notifications and advertising material sent to you by mail. Another example is telecommunication operators who relay our messages to you. In each case, we assure the protection of your personal data in the same way as if processed by the NLB Bank itself.

• competent state authorities

In certain cases, prescribed by applicable laws we must relay your personal data or report about them to competent state authorities and authorities in charge of financial tax or bank supervision (such as the Financial Intelligence Unit of Kosovo, Kosovo Tax Administration, Courts, etc.). We also must pass them to third parties if such obligation of forwarding or disclosure is imposed by the law.

Details about the categories of users, contractual partners and contractual processors can be obtained upon request from our Personal Data Protection Officer.

The NLB Bank can process data manually or automatically.

An automated data processing can also mean the application of so-called automated decision-making, which means that decision about you is made using technological means and without human intervention. The NLB Bank uses certain automated processes, including the formation of profiles, where a decision can be made about an individual which results in legal effects related to them or have a significant effect on them (such as the assessment of creditworthiness, etc.). In case of an automated decision the individual will be notified in advance and will have the right to personal treatment, the right to express their view, the right to obtain an explanation of the decision made in this way, and the right to challenge such decision.

For example, in the procedure of granting the NLB Personal Loan in application NLB Klik, the application itself processes your data and automatically grants or rejects your loan application. Automated decision-making, which enables decisions to be made more quickly and improves the efficiency of the procedure of granting a loan, is necessary for concluding a loan agreement when raising a loan using the NLB Klik application. Before the procedure begins, you receive all information about the processing of personal data. The NLB Bank allows you to, instead of raising a loan using the NLB Klik, cancel the procedure at any stage and carry it out the usual way at one of our branch offices. 

The storage period for personal data depends on the basis and purpose of each category of personal data. Personal data is stored only for as long as prescribed or allowed and necessary to achieve the purpose for which they were collected or further processed. After the processing has been achieved, unless there is another legal basis or if this is required to enforce, execute or defend legal claims, personal data are deleted, destroyed, blocked or made anonymous. Under the right of access to data, an individual may at any time request information on the retention period of a particular type of data. 

If you wish to obtain information about the processing of your personal data, you can request it by enforcing your right to access. In addition, the NLB Bank lets you enforce  the right to correction (for example if you notice your personal data are not accurate), the right to deletion of personal data (for example if there is no legal basis for processing) and the right to portability (for example when you wish to transfer your personal data to another data manager).

If you disagree with the processing of your personal data based on our legitimate interest, or if you do not wish your personal data to be used for purposes of direct marketing, you have the right to object to demand the cessation of processing. You can file this request in a manner that enables your identification, namely by filling a form prepared for exercising each such right, which is available at the Bank's branch offices and published on the website www.nlb-kos.com, or in another documented manner (e.g. oral request for the record in the Bank’s branch office, written request, oral request submitted via video call,  request sent via online or mobile bank). The requests received are processed by the Personal Data Protection Officer who is available at the addresses listed above. We will respond to your request without unnecessary delay or within one month at the latest.

At any time you have the right to file a complaint with the supervising authority for personal data protection: Information and Privacy Agency, address Zejnel Salihu street, number 22, 10000, Pristina, web-site https://aip.rks-gov.net. 

Your consent to process personal data for purposes described in this information is voluntary. You can at any time restrict or revoke your consent for data processing by informing the NLB Bank, yet this will not impact on any contractual relationship between you and the NLB Bank or the use of products or services requiring such consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Even after the revoking of your consent, the NLB Bank will only process those data that related to you that it will have to process to fulfill legal obligations based on the execution of the contract with you and to pursue its legitimate interest.

The NLB Bank reserves the right to amend this General Information to ensure compliance with regulations related to personal data protection. This information is available in all branch offices of the NLB Bank and on its website.

All issues not expressly defined in this General Information or the contract between the Bank and the individual follow the provisions of the applicable law.

This General Information applies and is in force as of May 2026.

NLB Bank Pristina