Regulation on the Credit Registry

1 of 9 Pursuant to Article 35, paragraph 1, sub-paragraph 1.1, Article 24 and Article 65, paragraph 1, of Law No. 03/L-209 on Central Bank of the Republic of Kosovo (Official Gazette of the Republic of Kosovo, No. 77/ 16 August 2010), the Board of the Central Bank of the Republic of Kosovo in its meeting held on 30 September 2019 adopted: REGULATION ON CREDIT REGISTRY CHAPTER I – GENERAL PROVISIONS Article 1 Purpose

1. The Central Bank of the Republic of Kosovo (hereinafter: “Central Bank”) shall keep and administer the Credit Registry of Kosovo (hereinafter: “Credit Registry”) to collect and distribute credit information between financial institutions for purposes of improving credit quality and carrying out the supervisory function of the Central Bank.
2. This Regulation shall regulate the collection and use of credit information through the Credit Registry. Article 2 Scope This Regulation shall apply to financial institutions licensed by the Central Bank to act as credit providers, including all licensed banks and microfinance institutions, and the non-bank financial institutions and insurance companies licensed to deal with special credit activities. Article 3 Definitions
3. All terms used in this Regulation shall have the same meaning as the terms provided for in Article 3 of Law No. 04/L-093 on Banks, Microfinance Institutions and Non-Bank Financial Institutions (hereinafter: “Law on Banks”) and/or as defined below for the purposes of this Regulation: 1.1. Credit – means any loan or direct or indirect commitment to disburse money in exchange for a right to repayment of the amount disbursed and outstanding and a right to the payment of interest or other charges on such amount, to any extension of the due date of a debt, to any bank/insurance guarantee or letter of credit issued, and to any commitment to acquire a right to payment of a sum of money. The term “credit” also includes overdrawn balances on deposit accounts, or overdrafts. The term

2 of 9 “credit” shall not include interbank loans, purchases of government debt securities and purchases of all debt securities in the secondary market. 1.2. Credit provider - any licensed bank, licensed microfinance institution, non-bank microfinance institution licensed for special credit activity, or an insurance company licensed for special credit activity. 1.3. Natural person – means an individual. 1.4. Personal data - means any information regarding an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can, directly or indirectly, be identified, especially with reference to an identifier based on a name, identification number, location information, an online identifier, or one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person; 1.5. Sensitive personal data - means any personal information that reveals racial or ethnic origin, political or philosophical views, religious beliefs, membership in trade unions, or any data on health condition, sexual orientation, any entry and deletion from the criminal or administrative offense records, pursuant to the law. Biometric characteristics are also considered as sensitive personal data if they enable identification of a data subject in relation to any circumstances mentioned in the above sub￾paragraph; 1.6. Legal entity – means any organization, business organization, corporation, branch of a foreign trade company operating in Kosovo, office of a foreign trade company in Kosovo, publicly owned enterprises under the applicable Law on Publicly Owned Enterprises, and socially owned enterprises under the administration of the Privatization Agency of Kosovo. 1.7. Business organization - is a general term that means and includes any type of business organization established in Kosovo under the Law on Business Organizations or any other law as defined in Article 5, paragraph 3, of the Law on Business Organizations, including individual businesses, general partnerships, limited partnerships, limited liability companies and joint stock companies. 1.8. Corporate - means a Joint Stock Company or Limited Liability Company registered in Kosovo. 1.9. Branch of a foreign trade company - means the business entity registered in Kosovo for the exercise of lawful economic activity by a Foreign Trade Company established under a law of a jurisdiction outside Kosovo. 1.10. Legal entity data - means any information related to a legal entity. 1.11. Credit report - means any communication, written or electronic, of any information from the Credit Registry related to the credit state or exposure of a natural person or legal entity. 1.12. Borrower - means a natural person or a legal entity undertaking a credit obligation. 1.13. Co-borrower - means a natural person or a legal entity that assumes a credit obligation together with another natural person or legal entity. 1.14. Guarantor - means a natural person or a legal entity that undertakes a legal obligation to return the loan in case of failure of loan repayment by the primary borrower. 1.15. Data subject - means a natural person or a legal entity in respect of which Credit Registry

3 of 9 information is collected and a credit report is compiled. The data subject is also referred to as a client – one who has used credit services or applied for a credit, including borrowers and co-borrowers, guarantors and other related persons. 1.16. Consent - means the free expression of a freely given, specific, informed and unambiguous will of the data subject through which he or she, with a declaration or a clear affirmative action, expresses his or her consent to the processing of his/her personal data. 1.17. Processing - means any action or series of actions performed on personal data by automatic or non￾automatic means, such as: collecting, recording, organizing, structuring, storing, adapting or modifying, retreating, consulting, using, publishing by broadcasting, distributing or providing, unifying or combining, restricting, deleting or destruction. 1.18. Negative information - means information relating to a delay in repayment of a credit by the borrower and any other form of violation of obligations related to the loan. 1.19. Positive information - means information relating to the repayment of the credit on time by the borrower and fulfilling the obligations related to the loan. 1.20. Instruction - means a written recommendation issued by the Central Bank that is of general application and is binding in its entirety and directly applicable. 1.21. Exposure - means any off-balance sheet asset or item, including without limitation any direct or indirect cash loan or commitment in exchange for the right to recover the amount paid and outstanding and for payment of interest or other expenses relating to this amount, any postponement of the debt repayment date, any guarantees or letters of credit issued, debt securities and similar forms of bank lending or commitment of credit to the client, as well as shares, shareholding in equity and other types of investments in a legal entity by the bank; 1.22. Alternative data - means other data on the borrower's solvency that are relevant to the lending process, including but not limited to data on payments for utilities, taxes, fees electricity, telephony and court records. CHAPTER II – CREDIT REGISTRY OPERATION AND THE NATURE OF CREDIT INFORMATION Article 4 Credit registry operation

1. The Credit Registry operates within Central Bank as a centralized system for collection and distribution of credit information between credit providers.
2. The Credit Registry collects and distributes positive and negative information about the data subjects.
3. Credit information is reported directly to the Credit Registry by credit providers. Credit providers are responsible for the completeness and accuracy of the information reported to the Credit Registry under this Regulation and shall take all necessary measures for this purpose.
4. The Central Bank holds no responsibility for the manner of use and assessment of credit information, even

4 of 9 in cases when the information is inaccurate, incomplete or delayed as a consequence of such reporting by credit providers. Article 5 Permissible and Prohibited Collection of Credit Information

1. In accordance with this Regulation, the Credit Registry may collect and maintain a credit file, at a minimum, on the following: 1.1. General identification information, including but not limited to: the name of subject or subjects’ data, personal identification number of registration, place of birth/registration, and main address of residence/operation; 1.2. Credit specific data, including but not limited to: a unique identification number, credit product, the allowed amount, relevant dates, the amounts past due (active), the history of repayments and related collateral; 1.3. Credit classifications based on Central Bank regulations; and 1.4. Public data and alternative data determined to be relevant by the Central Bank.
2. The Credit Registry may not collect or report any of the following information on data subjects: 2.1. Sensitive personal data; and 2.2. The data on returned credits after five years following the date of complete return, and the data on credits deleted from the balance, after seven years following the date of deletion. CHAPTER III – RESPONSIBILITIES OF CREDIT PROVIDERS Article 6 Obtaining consent from the data subject
3. Credit providers must obtain consent from the data subject in accordance with the Law on Protection of Personal Data. Through the consent of the data subject, the loan provider shall be authorized to research, process and report the information and data determined in this Regulation.
4. The loan providers, under paragraph 1 of this Article, must be able that the consent has been given from the data subject.
5. The processing of personal data shall be done in accordance with the Law on Protection of Personal Data.
6. Credit providers shall take all reasonable steps to ensure that data subjects understand the effect of giving the consent.
7. Credit providers should not take actions to knowingly conceal the meaning of consent or request for consent from the data subject.
8. The consent of the data subject shall be valid for the entire duration of the credit agreement validity, including renewed agreement or change of terms of the existing agreement.

5 of 9 Article 7 Reporting credit information and reporting standard

1. All credit providers are hereby required to report to the Credit Registry all credit applications and credits extended to their customers in accordance with the terms and conditions of the respective Instruction issued by the Central Bank.
2. Credit providers shall provide accurate, timely, and complete credit information to the Credit Registry.
3. If at any time a credit provider determines that the information provided is not complete, timely, or accurate, the credit provider must take all reasonable steps to complete the complete, timely, and accurate information and submit the information to the Credit Registry.
4. If the credit provider’s reasonable steps cannot produce the completed, timely and accurate information, the credit provider shall notify the Credit Registry immediately. CHAPTER IV – USE OF CREDIT INFORMATION Article 8 Accessing Credit Reports
5. The following entities are permitted to access credit reports from the Credit Registry: 1.1. Credit providers; 1.2. Data subjects who may access their own credit reports; 1.3. The Central Bank, in accordance with this Regulation and any other laws or rules; and 1.4. Other entities authorized by law. Article 9 Use of Credit Reports
6. Entities permitted access to credit information: 1.1. shall use credit reports only for the purpose for which they were obtained and for no other purpose; and 1.2. shall not distribute credit reports to third parties, unless required by law or by direction of a competent court.
7. Credit providers are required to obtain a credit report on any client obligated by the terms and conditions of the credit under the following circumstances: 2.1. before extending credit; 2.2. upon renewal or increase of credit; and 2.3. upon the changing of terms and conditions of credit.

6 of 9 Article 10 Exchange of Credit Information Exchange of credit information with relevant institutions at interstate level may take place in accordance with Article 74 of the Law on Central Bank and with the relevant laws applicable in the Republic of Kosovo, if the Central Bank has signed a memorandum of understanding or other information exchange agreement with a respective institution in that foreign country. CHAPTER V – RIGHTS OF DATA SUBJECTS Article 11 Rights of data subjects

1. Data subjects maintain their right to privacy of data in accordance with the law.
2. Credit providers and the Central Bank shall provide a summary of the data subject’s rights according to this Regulation, upon request by the data subject. This summary, at a minimum, shall include: 2.1. The right of natural person to obtain credit reports, once annually free of charge, and additional credit reports against a fee set by the Central Bank; and the right of a legal entity to obtain credit reports against a fee set by the Central Bank; 2.2. The right of the data subject to dispute credit information and/or the right to file a claim in accordance with the CBK Regulation for the Internal Complaints Handling Process. 2.3. The right to privacy of personal data in accordance with paragraph 1 of this Article. 2.4. An explanation of each data field included in the credit report.
3. Data subjects shall have the option to request credit reports from either their associated credit providers or the Central Bank. Credit providers shall take all necessary steps to ensure they are able to properly receive data subject requests for credit reports. Credit providers shall report data subject requests for credit reports to the Central Bank within three (3) business days of receiving such requests. The credit report shall be provided to the data subject requesting it no later than five (5) business days after the request is received by the Central Bank.
4. Data subjects shall have the right to request the supplementation, correction, or deletion of their credit information.
5. Both the Central Bank and credit providers shall be notified about the request of the data subject to supplement, correct or delete credit information. 5.1. A data subject shall first try to solve any dispute regarding credit information with the respective credit provider by filing the request and/or claim. 5.1.1. Credit provider shall review and respond to the request for correction, supplementation, deletion within five (5) days after the receipt of the request and within fifteen (15) days after receipt of the claim, including any postponement in accordance with the CBK Regulation on the Internal Complaints Handling Process.

7 of 9 5.1.2. Data subject will confirm the agreement or the disagreement with the answer of the credit provider. 5.2. If the resolution according to paragraph 5, sub-paragraph 5.1.1., of this Article is unsatisfactory to data subject, the credit provider shall inform the Central Bank. In such cases, the data subject may also notify the Central Bank on the request and/or claim. The Central Bank shall review the case and respond to the data subject in accordance with the CBK Regulation on the Internal Complaints Handling Process. 5.3. If the data subject is unsatisfied with the final resolution from paragraph 5, sub-paragraph 5.2., of this Article, and/or if his/her request and/or claim is not subject to review by the CBK, the data subject may use relevant legal remedies provided for by applicable legislation. 5.4. The Central Bank shall maintain a record of all credit information disputes. 6. While awaiting a response to the request for the resolution of a dispute, the respective credit report should have a note identifying the contested information under investigation in compliance with the terms of the respective instruction issued by Central Bank. 7. This Article does not eliminate or supersede the disclosure requirements of any other law or rule with respect to data subjects. CHAPTER VI – FEES Article 12 Fees

1. Central Bank shall charge credit providers reasonable fees for participation in the Credit Registry and for credit reports requested.
2. Central Bank shall charge data subjects reasonable fees for requested credit reports, excluding the credit report which is given for free once a year upon request from natural persons. CHAPTER VII – PENALTIES Article 13 Enforcement, remedies and administrative penalties
3. Any violation of the provisions of this Regulation shall be subject to remedial and punitive measures as set forth in the Law on Central Banks and the Law on Banks, Microfinance Institutions and Non-Bank Financial Institutions and the Law on Insurances.
4. Violations that may result in administrative penalties include, but are not limited to:

8 of 9 2.1. failure to report credit information; 2.2. delayed reporting of credit information; 2.3. reporting inaccurate credit data; 2.4. misuse of credit reports by credit providers; 2.5. unauthorized disclosure of credit information. 3. The penalties provided for in this Article shall not preclude the conduct of criminal or administrative proceedings under the legislation in force. CHAPTER VIII - TRANSITIONAL AND FINAL PROVISIONS Article 14 Transitional provisions The provisions of the Credit Registry Guidelines adopted on 30 April 2018, which are not contrary to this Regulation, shall apply mutatis mutandis until the issuance of the new Credit Registry Guidelines. Article 15 Publications The Central Bank, for statistical and research purposes, may publish, partially or fully, the information contained in the Credit Registry, by guaranteeing its anonymity, without specifying certain credit providers or borrowers. Article 16 Instruction The Central Bank shall issue an Instruction to implement its responsibilities under this Regulation. Article 17 Repeal Upon entry into force of this Regulation, the Regulation on Credit Register, adopted on 24 February 2012, shall be repealed. Article 18 Entry into force This Regulation shall enter into force fifteen (15) days after its approval.

9 of 9 Flamur Mrasori Chairperson of the Board, Central Bank of the Republic of Kosovo