I. About this information note and our commitments
This information note is addressed to BT Clients ("Clients" or "BT Clients") – as defined in section II – and represents the way through which Banca Transilvania S.A. ("Bank", "BT", "we") fulfills its obligation to inform them regarding the processing of their personal data ("personal data", "data").
We provide you this information note according to art. 13-14 of the General Data Protection Regulation ("GDPR"), so that you are transparently informed about the processing that BT performs on personal data when you become a BT Client, throughout the period during which you hold this status, as well as for certain periods imposed by law after your BT Client status ceases.
This information note is of a general nature and is an integral part of BT Privacy Policies. You can find the Privacy Policy and this general information note both on the BT website (including in the Privacy Hub section of this website), as well as in BT units.
For certain services/products/personal data processing activities that we perform, we have also prepared specific information notes, which you can find in the section Privacy Hub.
We commit to processing and protecting your personal data in accordance with applicable legal provisions and the highest standards of security and confidentiality, to respect the fundamental human rights and freedoms in connection with this processing, and to periodically evaluate our activity in this field, to ensure that these rights are always respected.
To guide and support us in our activity in the field of processing and protection of personal data, we have appointed a Data Protection Officer ("DPO"). The BT DPO can be contacted by any data subject, at any of the following contact details:
- email address dpo@btrl.ro.
- BT headquarters in Cluj-Napoca city, Calea Dorobanților, no. 30-36, Cluj county, with the mention: “to the attention of the person responsible for personal data protection”
We commit to periodically review this information note and to inform you about any substantive changes made to it, through direct communication means (via the secure messaging system of the Neo BT or BT24 internet banking service - if you use these BT services - or by message to the e-mail address or phone number declared at BT - if you do not use the internet banking service and have declared at least one of these contact details to the bank) and/or indirect means (e.g., by displaying the updated version of the information note in all BT units and on the BT website).
We hereby present who BT (the data operator) is, what categories of personal data we process from BT Clients (the data subjects to whom the data processing referred to in this notice applies), for what purposes we use this data, to whom we may disclose or transfer it, how long we keep it, as well as what rights Clients can exercise in connection with this processing.
If you are not familiar with the meaning of the different technical terms used in the GDPR or in the legislation applicable in the banking field, we recommend that you first study section A from BT Privacy Policy.
II. Who is the BT Client
In this information note, the data subjects of personal data processing are BT Clients, defined as follows:
A "BT Client" or "Client" is a natural person who belongs to any of the following categories of targeted persons:
- residents/ non-residents, holders of at least one current account opened at the Bank (also called "individual account holder client") or who rent safety deposit boxes at BT;
- legal or conventional representatives of Clients who are natural or legal persons holding an account or who have rented safety deposit boxes;
- persons with operating rights on the accounts of Clients who are natural or legal persons holding accounts ("authorized on account");
- the ultimate beneficiaries of Clients who are natural or legal persons holding accounts opened at BT ("ultimate beneficiary");
- persons authorized to submit bank documents, to collect account statements and/or to deposit cash amounts on behalf of and for the account of individual or legal entity Clients holding accounts ("delegates");
- associates/shareholders of BT Corporate Clients;
- users of a bank product/service who do not have any of the qualities mentioned above but regularly use some BT products/services (e.g. additional card users, managers with guarantee accounts open at the bank, users of BT meal vouchers, BT Pay users);
- guarantors of any kind of the payment obligations assumed by Clients who are natural or legal persons account holders;
- persons who sign requests on the bank's dedicated forms to become Clients, but this request is rejected or waived (even if these persons are not active BT Clients, we are legally obliged to keep their personal data for a certain period of time);
- legal or conventional successors of those mentioned above.
III. Who is the personal data operator
Banca Transilvania S.A. is a credit institution, Romanian legal entity, registered with the Cluj Trade Registry Office under number J1993004155124, having the unique registration code no. RO5022670 and the following contact details: registered office address - Calea Dorobanților, no. 30-36, Cluj-Napoca, Cluj County, Romania, Tel: 0801 01 0128 (BT) – callable from the Romtelecom network, 0264 30 8028 (BT) – callable from any network, including international, *8028 (BT) – callable from Vodafone and Orange networks, e-mail address: contact@bancatransilvania.ro, BT website: https://.bancatransilvania.ro.
Banca Transilvania S.A. is the parent company of the BT Financial Group.
The provisions of this general information note refer to the processing of personal data carried out by BT as the operator.
Within certain activities, we process personal data alongside other entities, as joint controllers. You can find details about this processing in the specific information notes in the section Privacy Hub from the BT website.
IV. The purposes for which we process Clients' data
If you are a BT Client, we process your data, depending on the situation, for:
- application of measures regarding customer due diligence for the prevention of money laundering and terrorist financing. Details in specific information note from Privacy Hub;
- solvency assessment, reduction of credit risk, determination of the indebtedness level of Clients interested in personalized offers related to the bank's credit products or contracting these types of products (credit risk analysis), including through data processing in the Credit Bureau system. Details in specific information note from Privacy Hub;
- the conclusion and execution of contracts for products/services offered to BT customers (such as, but not limited to: cards, deposits, loans, internet and mobile banking, BT Pay, SMS Alert); Details about the processing of personal data for certain BT products/services can be found in the specific information notes on Privacy Hub;
- the conclusion and execution of contracts for occasional transactions, (see section C point 2 of BT Privacy Policy when you make occasional transactions, even if you are also a regular client of BT);
- processing/settlement of bank transactions;
- the establishment of garnishments, the recording of amounts garnished at the disposal of creditors, and the provision of responses regarding these to enforcement bodies and/or competent authorities, in accordance with the bank's legal obligations;
- reports to the competent authorities, according to the bank's legal obligations (e.g. reports to the National Agency for Fiscal Administration – A.N.A.F., National Bank of Romania – N.B.R. - including to the National Office for the Prevention and Control of Money Laundering, the Credit Risk Center and the Payment Incidents Center within the N.B.R. etc);
- carrying out analyses and keeping records of the bank's economic, financial and/or administrative management;
- administration within internal departments of the services and products offered by the bank, as well as human resource management;
- collection of receivables and recovery of claims;
- the legal defense of the bank's rights and interests, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
- performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
- taking measures/providing information or responses to requests/notifications/complaints of any nature addressed to the bank by any person, including authorities or institutions. For details about the processing of your data, if you have addressed such petitions to the bank, please also study section C point 10 of BT Privacy Policy;
- proving requests/ agreements/ options regarding certain requested/ discussed/ agreed aspects within phone calls initiated by Clients or by the bank, by recording the discussed aspects and, if applicable, audio recording of phone conversations or, if applicable, audio-video;
- informing Clients about the products/services held at the bank, for the proper execution of the contractual relationship (carried out, as appropriate, by sending messages of general or particular interest addressed to Clients such as, but not limited to: sending account/card statements, transaction reports, notifications regarding the imposition of garnishments on accounts, notifications about unauthorized debts or arrears in installment payments, notifications about the approaching termination date of a certain product/service held, notifications about improvements or new facilities offered in connection with the product/service held, about changes in the general business conditions or in the general information note regarding the processing of personal data, about the need to update data, etc.);
- transmitting advertising messages/commercial communications to Customers who have given their consent to the processing of their personal data for this purpose. For details about the processing of your data, if you have expressed options regarding the processing of your data for advertising purposes at BT, please also study section C point 12 of BT Privacy Policy;
- evaluation/improvement of service quality (requesting/collecting Customers' opinions regarding the quality of services/products/BT employees);
- financial education of Clients;
- carrying out internal analyses (including statistical ones), both regarding products/services and regarding the portfolio and Client profile, carrying out market studies, analyses of Clients' opinions regarding the products/services/employees of the bank;
- development and testing of BT products/services;
- archiving in physical/electronic format of documents/information, including backup copies (back-up);
- the provision of registry/secretarial services concerning correspondence addressed to the bank and/or sent by it;
- ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
- monitoring the security of BT persons/spaces/goods and visitors of BT units/equipment. Details about data processing for this purpose can be found in specific information note regarding video surveillance and in specific information note regarding visits to some BT offices from section Privacy Hub.
- fraud prevention;
V. What personal data do we process from Clients
For BT Clients, we process, as appropriate, the following categories of personal data:
- identification data: name, first name, pseudonym (if applicable), date and place of birth, personal numeric code (C.N.P.) or another similar unique identification element (e.g. CUI for authorized natural persons or CIF for natural persons who practice liberal professions), other details from the identity card/passport, as well as a copy of these documents, signature (handwritten or electronic), citizenship, domicile address, residence, as well as the address where the Client lives and its legal status;
- contact details: phone number, email address and correspondence address, fax;
- financial data (such as, but not limited to transaction data, payment behavior data, data about accounts and financial/banking products, held/realized at BT or other financial institutions);
- tax data (e.g. country of tax residence, tax identification number);
- professional data (e.g. profession, occupation, function, name of employer or nature of own activity, level of education, specialization, information about the public office held, if you are a politically exposed person (PEP), capacity, holdings and, if applicable, representation powers held within legal entities);
- information about the family situation (e.g. marital status, matrimonial regime, number of dependents, kinship relations, marriage, concubinage);
- information about the economic and financial situation (e.g. data about income, data regarding owned/possessed goods, source of wealth – if you are a PEP);
- data about requested/used BT products and services (e.g. information about the purpose and nature of the business relationship, the source/destination of the funds used within the contractual relationship/transactions, the type of products/services, the contractual period, other details related to products/services, including for credit products: type of product, the granting term, the granting date, the due date, the amounts and credits granted, the amounts owed, the account status, the account closing date, the currency of the credit, the payment frequency, the amount paid, the monthly rate, the name and address of the employer, the amounts owed, the amounts overdue, the number of overdue installments, the overdue date, the number of days delayed in repaying the credit. Data about credit products is processed both in the bank's records and - if applicable - in the records of the Credit Bureau and/or in other records/systems of this type);
- the image (contained in identity documents or captured by video surveillance cameras, as well as the image within some video recordings);
- voice within the conversations and recordings of telephone or audio/video calls (initiated by Clients or the bank);
- biometric data (e.g. facial recognition, used within remote identification processes through video means, within device unlocking methods on which you have installed bank applications, if you have set methods such as facial recognition or fingerprint-based – in this latter case BT does not have access to biometric data, but only relies on it to allow you to access/use some BT applications);
- age, for verifying eligibility to contract certain products/services/offers of the bank (e.g. credit products, products dedicated to minors, etc.);
- opinions, expressed within complaints/claims/conversations, including telephone ones, related to products/services/bank employees;
- identifiers allocated by BT or by other financial-banking or non-banking institutions, such as, but not limited to: BT client code (BT CIF), references/identifiers of transactions, IBAN codes of bank accounts, debit/credit card numbers, contract numbers, identifiers allocated by the bank to Clients classified as "non-residents", formed from a sequence of digits related to the year, month, day of birth and the identity document number, whole or truncated, IP addresses, device identifiers (e.g. mobile phones) and the operating system of the devices used to access mobile banking services/mobile payment applications;
- data regarding the state of health, in case such information is provided to us within the documentation submitted to the bank, results from transactions or if their processing is necessary for Clients to prove the difficult situation they or their family members are in, especially in order to grant facilities on credit products;
- information regarding fraudulent or potentially fraudulent activity;
- information regarding the location where certain transactions are carried out (implicitly, in the case of operations carried out on BT equipment belonging to Banca Transilvania);
- any other personal data belonging to the Clients, which are brought to our attention in various contexts by other Clients or by any other persons.
VI. What are the sources from which we collect Clients' personal data
As a rule, the personal data we process are collected directly from you (e.g. when you become a BT Client, when you update your data at the bank, perform transactions, apply for certain products, such as credit products, etc.).
However, there are situations when data is collected from other sources, from:
- other BT Clients (e.g. the authorization of other Clients on their accounts opened with the bank, contracting some products/services of the bank by a Client on behalf of another Client who has authorized them in this regard, contracting by employers who are legal entity Clients of BT of some products/services of the bank for/on behalf of their employees - meal vouchers, collection of salary incomes in accounts opened at BT, guarantee management accounts etc);
- persons who are not BT clients (e.g. persons who deposit cash amounts into BT Clients' accounts, persons who send petitions complaining that they use data declared at the bank by BT Clients);
- authorities or public institutions (e.g. General Directorate for Persons Records – G.D.P.R. – from which we receive current data of clients' identity documents or of persons who go through the steps to become BT clients, which we process for the purpose of customer knowledge according to the details in the section Privacy Hub from the site, subsection “Knowing the client”, courts, prosecutor's offices, police, bailiffs, B.N.R., A.N.P.C., A.N.S.P.D.C.P., etc.), notaries, lawyers;
- institutions involved in the field of payment services (e.g. Transfond, S.W.I.F.T, international payment organizations etc);
- other credit institutions with which Banca Transilvania S.A. has merged (e.g. Volksbank România S.A., Bancpost S.A., OTP Bank România S.A.) or with which it will merge in the future or from which some contracts have been assigned (e.g. Idea::Bank, currently named Salt Bank) or will be assigned in the future;
- other banks/financial institutions, including partner banks and correspondent banks or banks/financial institutions participating in syndicated loans;
- other Legal Entities of the BT Financial Group, for determined and legitimate purposes, generally for the proper conduct of financial/economic activity and for fulfilling the legal requirements related to the consolidated supervision of the BT Group;
- public sources, such as but not limited to: National Office of the Trade Register (O.N.R.C.), National Register of Mobile Publicity (R.N.P.M.), Office of Cadastre and Real Estate Publicity (O.C.P.I.), court portals (portaljust), Official Gazette, social media, internet etc.;
- records of the type of the Credit Bureau, the Credit Risk Central within the N.B.R., in case there is a legal basis and a determined and legitimate purpose for consulting them;
- database providers (e.g. entities authorized to manage databases with persons accused of financing acts of terrorism, publicly exposed persons, providers who aggregate and redistribute data collected from public sources etc);
- contractual partners of the bank from various fields (e.g. evaluation companies, insurance companies, pension and investment fund management companies);
- debt collection/recovery companies (e.g. we can find out the new contact details of Clients from companies that support us in debt recovery activities);
VII. On what legal grounds do we process Customers' personal data and what happens if you refuse their processing
The legal grounds on which BT processes personal data are, as the case may be:
- the bank's legal obligation (when data processing is necessary to fulfill a legal obligation of the bank);
- conclusion/performance of contracts (processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract);
- the legitimate interest of the bank and/or of some third parties;
- the necessity of processing data to fulfill a task that serves a public interest (e.g. applying measures for customer knowledge to prevent money laundering and terrorist financing);
- the consent of the data subject.
When legal provisions require us to process certain data in a certain situation, or if your data is necessary for the conclusion or execution of contracts for BT products/services, and you refuse their processing, you will not be able to become or remain a BT Client, or we will not be able to process the transactions you request from us.
If we process your data based on our legitimate interest or that of third parties, you can object to such processing for reasons related to your particular situation (e.g., if you are a BT Client and do not want to receive general interest messages or messages asking you to evaluate the quality of our services/products, we will accommodate your request without affecting the business relationship you have with BT). In some cases, our legitimate interest or that of third parties may override yours, and we will not be able to accommodate the request by which you object to the processing (e.g., data processing in the Credit Bureau system, if there are no other reasons to accommodate the objection request).
If we process your data based on your consent/agreement, you have the right to withdraw this agreement at any time. However, withdrawal will not affect the previous processing of your data (e.g., when we process your data based on consent for advertising/marketing purposes, you have the right to withdraw this agreement. Withdrawal of marketing consent does not affect your right to become or remain a BT client. However, refusal to have your data processed for advertising purposes will make it impossible for the bank to notify you about certain offers/promotions and, consequently, in some cases you may not be able to benefit from products/services under promotional conditions).
VIII. To whom can we disclose/transfer the personal data of Clients
Personal data that we process for Clients may sometimes be disclosed/transferred by BT, in accordance with the GDPR principles, based on the applicable legal grounds depending on the situation and only under conditions that ensure their full confidentiality and security.
We commit to respecting human fundamental rights and freedoms in the case of such disclosures, especially the right to the protection of personal data and the right to privacy, and to periodically evaluate our activity in this field, to ensure that these rights are always respected.
Find below within this section (* -> ***) details about legal provisions that require us to report/communicate personal data concerning you to certain authorities.
Also, when public authorities/institutions request us to provide personal data, we undertake that these will be disclosed only if we have a legal obligation or a legitimate interest, only based on clear internal procedures and only with the approval of individuals in leadership positions.
We will provide the authorities only with the strictly necessary data and if it is proven that we have made such disclosures of personal data in violation of human rights, we commit to compensate for the damage caused to the data subjects.
The categories of recipients to whom we may disclose personal data, as appropriate, are:
- other Clients who have the right and the need to know them;
- other entities within the BT Financial Group;
- companies involved in payment processing (e.g., Transfond S.A., payment processors);
- financial-banking entities (e.g. participants in payment and interbank communication schemes/systems such as S.W.I.F.T., S.E.P.A., ReGIS, partner banks and correspondent banks, banks or financial institutions participating in syndicated loans);
- international payment organizations (e.g. Visa, Mastercard);
- contractual partners (service providers) used in BT's activity, such as, but not limited to providers/suppliers of: digital certificate issuance services (for the application of qualified/extended electronic signature), collection services for overdue debts/claims, IT services (maintenance, implementation, support, cloud), archiving services in physical and/or electronic format, courier services, audit services, card-related services, market research/study services, e-mail/SMS/telephony transmission services, marketing services, other services provided by suppliers to whom BT has outsourced certain financial-banking services, etc);
- insurance companies;
- real estate appraisal companies;
- management companies of pension and investment funds;
- guarantee companies (funds) for various types of credit/deposit products (e.g. F.N.G.C.I.M.M., F.G.D.B. etc.);
- partners of the bank from various fields, whose products/services/events we can promote to BT Customers based on their consent. The updated list of the bank's partners can be found here: https://www.bancatransilvania.ro/partners;
- assignees;
- authorities and national public institutions, such as, but not limited to: the National Bank of Romania (N.B.R.), the National Agency for Fiscal Administration (N.A.F.A.)*, the Ministry of Justice, the Ministry of Internal Affairs (M.I.A.), the General Directorate for Personal Records (G.D.P.R.) to which we send the first name, last name and Personal Numeric Code (CNP) of clients/persons who go through the steps to become BT clients for the validation of these data and for providing additional information from their current identity documents, which we process for the purpose of knowing the client according to the details in the section Privacy Hub from the site, subsection "Know Your Customer", National Office for the Prevention and Control of Money Laundering (N.O.P.C.S.B.) **, National Agency for Cadastre and Real Estate Publicity (N.A.C.R.E.P.), National Movable Property Publicity Register (N.M.P.P.R.), Financial Supervisory Authority (F.S.A), including, as appropriate, their territorial units;
- banking institutions or state authorities, including those outside the European Economic Area - in the case of international S.W.I.F.T. transfers or as a result of processing carried out for the purpose of applying F.A.T.C.A. and C.R.S. legislation;
- public notaries, lawyers, judicial executors;
- Credit Risk Center***;
- Credit Bureau and Participants in the Credit Bureau system****;
* disclosure of personal data to A.N.A.F.
According to the provisions of the Fiscal Procedure Code (Law no. 207/2015), in its capacity as a credit institution, BT has the legal obligation to:
1. Communicate daily to A.N.A.F.:
- the list of holders (individuals, legal entities or other entities without legal personality) who open or close bank or payment accounts at BT, persons who hold the signing right for the opened accounts, persons claiming to act on behalf of the client, beneficial owners of the account holders, together with the identification data provided in art. 15 para. (1) of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for amending and supplementing some normative acts, with subsequent amendments and completions, or with the unique identification numbers assigned to each person/entity, as appropriate, as well as with information regarding the IBAN number and the opening and closing date for each individual account.
- the list of persons who have rented safe deposit boxes, accompanied by the identification data provided in art. 15 para. (1) of Law no. 129/2019, with subsequent amendments and completions, or by the unique identification numbers assigned to each person/entity, as appropriate, together with the data concerning the termination of rental contracts.
2. Communicate, at the request of A.N.A.F., for each holder who is the subject of the request, all turnovers and/or balances of the accounts opened at the bank, as well as the information and documents regarding the operations carried out through these accounts.
3. Send to A.N.A.F. - on the occasion of the request to open a bank account or rent a safe deposit box - the request for assigning the tax identification number/tax registration code, for non-resident natural persons who do not have it. The request sent by BT to A.N.A.F. will include the following data of the non-resident: last name, first name, date and place of birth, gender, home address, data and copy of the identity document, tax identification code from the country of residence (if any). BT may also send to A.N.A.F. supporting documents of the information completed in the request. Based on the transmitted data, the Ministry of Finance assigns the tax identification number or, as the case may be, the tax registration code, registers the respective person for tax purposes, and communicates to BT the information regarding the tax registration.
** O.N.P.C.S.B. - In the event that the conditions are met for BT to transmit personal data to the National Office for the Prevention and Control of Money Laundering, according to the legislation for the prevention and combatting of money laundering and terrorist financing, these data are also transmitted simultaneously and in the same format to A.N.A.F.
*** C.R.C. - The Bank has the legal obligation to report to the Credit Risk Center (C.R.C) within the National Bank of Romania (B.N.R.) the credit risk information for each debtor who meets the condition to be reported (includes identification data of an individual debtor and operations in lei and foreign currency through which the Bank is exposed to risk towards that debtor), as well as to have recorded an individual risk towards this debtor, as well as information about card frauds detected.
**** Credit Bureau S.A./participants in the Credit Bureau system - The bank has the legitimate interest to report in the Credit Bureau System, to which other Participants also have access (mainly credit institutions and non-banking financial institutions, as associated operators of the bank and of the Credit Bureau) the personal data of Clients who have contracted loans, as well as of Clients who have delays in loan payment of at least 30 days, under certain conditions. The data is disclosed to these recipients also in the case of inquiries to this system, made by the bank during the process of analyzing an application or loan request.
IX. Transfers of Clients' data to third countries or international organizations
Some of the contractual partners who provide us with services necessary for the smooth running of our activity and/or their subcontractors are not located in the European Union (E.U.) or the European Economic Area (E.E.A.) territory, but in other states ("third countries").
When these partners/their subcontractors or international organizations may have access to the personal data that we process, we will only allow the transfer of data when it is strictly necessary and only based on adequacy decisions or, in the absence of these decisions, based on appropriate guarantees provided by the GDPR.
To ensure that these transfers respect human rights, especially the right to appropriate protection of personal data wherever it is processed, we commit ourselves - both before allowing the transfer of data to third countries or international organizations, and throughout the entire period during which the transfer takes place, including when there are changes to the initially considered circumstances - to analyze whether there are risks to the rights and freedoms of the data subjects and to manage them appropriately, including by taking any necessary additional measures, so that the data benefits from the same level of protection as it would within the E.U./E.E.A.
The European Commission may decide that some third countries, some territories or some sectors in a third country ensure an adequate level of protection for personal data. The European Commission has issued adequacy decisions for the following third countries/sectors: Andorra, Argentina, Canada (only commercial companies), Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Uruguay, Japan, the United Kingdom of Great Britain, South Korea. To these countries/sectors (to the extent that a contrary decision is not issued regarding any of them), as well as to other countries that the Commission will recognize in the future as having an adequate level of protection, transfers of personal data do not require special authorizations and are assimilated to disclosures of personal data to recipients from the EU/EEA. The updated list of third countries for which an adequacy decision has been issued is the one mentioned on the European Commission website.
To any other third country or international organization, we will carry out transfers of personal data only on the basis of appropriate guarantees permitted by the GDPR, usually those consisting of Standard Contractual Clauses approved by the European Commission which you can find here and, if these guarantees are not sufficient, we will take additional measures for the proper protection of the data.
By way of exception, if BT Clients order through the bank transactions to beneficiaries located in third countries that have not been recognized as having an adequate level of personal data protection, the data transfer to those countries is based on the provisions of the GDPR according to which: the transfer that is necessary for the performance of a contract between the bank and the Client or for the application of pre-contractual measures adopted at the Client's request or, as the case may be, the transfer that is necessary for the conclusion of a contract or for the performance of a contract concluded in the interest of the data subject.
X. Automated decision-making processes, including profiling
In some circumstances, only in compliance with the GDPR provisions, automated decision-making processes are used within BT activities, including as a result of profiling.
These are decisions made by the bank based on automated processing of personal data, with or without human intervention, and which may produce legal effects and/or may affect the data subjects similarly, to a significant extent.
Such situations are the following:
- for the application of customer knowledge measures in order to prevent and combat money laundering and terrorist financing (including for the implementation of international sanctions), according to our legal obligation, we will carry out checks in databases with persons accused of financing acts of terrorism, in international sanctions lists or in warning lists regarding persons at high risk of fraud. If your data is found in these records, the bank reserves the right to refuse to enter into a business relationship with you or to terminate the contractual relationship. For the same purpose, we will send and receive from D.G.E.P. data from the identity document of clients/persons undergoing the steps to become BT clients. The data received from D.G.E.P. will be recorded or, where applicable, updated in our records as data from the clients' identity documents. BT will not take any measures that produce legal effects or that would similarly affect clients in a significant way solely based on the automated processing of data provided by D.G.E.P., unless the provisions of Article 22 of the General Data Protection Regulation (GDPR) are respected.
- to protect BT Clients against fraud and so that we appropriately fulfill our know your customer obligations, we monitor their transactions and, if we identify suspicious operations (such as unusual payments in frequency, value, considering also the declared source of funds or the purpose and nature of the business relationship, transactions initiated from different localities at short intervals of time that would not allow movement between those locations, transactions whose details generate suspicions of money laundering or terrorism financing, attempts to use BT cards on suspicious websites), we may take measures to block transactions, cards, accounts, making these decisions on an exclusively automated basis;
- according to legal provisions, the granting of lending products is conditioned by the existence of a certain level of indebtedness of the applicants. Eligibility to contract a lending product, as it relates to the level of indebtedness, will be determined based on automatic criteria, starting from the level of income and expenses recorded by the applicant;
- in order to objectively verify the fulfillment of eligibility conditions for pre-offering and, as the case may be, analyzing a credit application of an applicant – natural or legal person – in most cases a bank scoring application will be used which will analyze data filled in the credit application, information resulting from verifications carried out in the bank's own records and/or those of Credit Bureau S.A. and will issue a score that determines the credit risk and the probability of timely repayment of future installments. To the issued score is added the result of other checks on the applicant's situation, which will be analyzed by the bank employees to establish whether the eligibility conditions set by internal regulations are met. However, the final decision to approve or reject the credit application is based on the analysis performed by the Bank's employees (human intervention). An exception to human intervention is made when you apply for credit products exclusively online. In these cases, we will make the decision to grant the credit or, as the case may be, to reject this application based solely on automatic data processing. The decision-making by such means is necessary in order to quickly analyze the application and conclude the credit agreement. However, you are guaranteed the right to request human intervention, meaning the analysis of the credit application by a bank employee, to express your point of view, and to contest the exclusively automatic decision;
- for the confirmation of your identity, in case of opening a remote business relationship, in case of data update through online means or for remote identification through video means, certain information of your face (taken from a static or video image) is compared with the photo in the identity document and, if you are already a BT Client, the information extracted based on your face and from the identity document is confronted with those we already have in the bank's records. Also, within these online processes, your access to the phone number, email address is verified and these are compared with those already declared at BT (if you are a BT Client). If as a result of these automated processes we identify discrepancies, we will carry out verifications through our employees and, as the case may be, we will ask you to repeat the enrollment/update/identification process at a BT unit;
- in the case of BT Clients who have expressed their consent on the dedicated form for data processing for advertising purposes, we will create a profile of them based on certain criteria (e.g. transaction data, age, locality, income range), which we will study automatically to form an opinion about the advertising messages that would be relevant to them. In some cases, this profile will only result in promoting a certain product/service to people who meet the profile conditions. In other cases, it will cause only those who meet the profile criteria to be able to contract/benefit from certain promotional offers. Other Clients may, however, benefit from products/services under standard conditions.
XI. For how long we keep Clients' personal data
1. The data retention period for Clients following the request to establish/conduct a business relationship with the Bank or following the request to use/using BT products/services
According to the legal obligation we have, the personal data we process for the application of client knowledge measures for the prevention of money laundering and terrorism financing, together with all records obtained through the application of these measures, such as monitoring and verifications carried out by the bank, supporting documents and transaction records, including the results of any analysis performed related to the client, which determine the client's risk profile, must be kept for 5 years after the termination of the business relationship between the Client (account holder) and the bank.
We are obliged to keep these data for the indicated period and in the event that the Client's request to open a business relationship with the bank is rejected or if the Client withdraws from it. In this case, the retention period of 5 years shall be calculated from the date of rejection of the request or the client's withdrawal, respectively from the date of the occasional transaction.
At the request of the competent authorities, the initial legal period of 5 years mentioned above may be extended, up to a maximum of 10 years from the termination of the business relationship.
Upon the expiration of this legal retention period (initial or extended, as applicable), the bank will delete or anonymize this data, except in situations where other legal provisions require their continued retention. Other legal provisions that oblige us to retain Client data for a longer period are those from:
- The Code of Fiscal Procedure, which provides that some of the data processed for the application of customer knowledge measures must also be processed for reporting to A.N.A.F. The legal retention period for this data is 10 years from the termination of the business relationship or from the date of the occasional transaction;
- financial-accounting legislation provides that accounting documents relevant to financial records and supporting documents, including contracts on the basis of which accounting entries were made (implicitly including the personal data contained therein) must be kept until 10 years from the end of the financial exercise of the year in which they were created;
- national legislation applicable in the field of electronic signature, which obliges providers issuing digital certificates to keep information regarding a qualified certificate for a period of minimum 10 years from the date of its expiration. In cases where the suppliers from Romania with whom we collaborate in this field process personal data as associated operators with the bank, it is possible that we keep the data regarding certificates for this period;
- for Clients whose personal data has been queried in the A.N.A.F. records (according to the agreement expressed by them), the legal term imposed for keeping the query consent forms (implicitly also for the personal data contained therein) is 8 years;
Regarding the data that the bank has the legal obligation to report to the Credit Risk Central (C.R.C.), the documents containing credit risk information and information about reported card frauds (including personal data from them) are kept for a period of 7 years.
Regarding the data processed in the Credit Bureau system based on the legitimate interest of the Participants in this system, these are stored at the level of this institution and disclosed to the Participants for 4 years since the last update date, except for the credit applicants' data who have withdrawn the credit application or who have not been granted credit, which are stored and disclosed to the Participants for a period of 6 months.
For all cases where the data/some data is subject to multiple retention periods, the longest of these shall apply. After the expiration of the longest period, the data will be deleted or anonymized.
2. Retention period for Clients' data captured by video surveillance cameras
If you visit the bank's units (including office buildings) or BT equipment (ATMs, payment machines), your image is captured by the video surveillance system. Data collected through video surveillance cameras is kept for 30 days, after which it is automatically deleted. In specific cases, thoroughly justified, only in compliance with the applicable legal provisions, the retention period of relevant video recordings may be extended up to 6 months from the end of the month in which the images were taken or, if necessary, for a longer period, until the completion of investigations of the incident that required the extension of the storage period. In the case of video images subject to data access requests, the personal data retention terms of BT petitioners apply.
3. Retention period for the data of Clients who have expressed options for marketing
The data of BT Clients who have expressed consent to receive advertising messages is processed for this purpose until the consent is withdrawn or, otherwise, until the termination of their status as a BT Client.
4. The retention period of Clients' data who have submitted complaints to the bank (BT petitioning Clients)
To prove that we have received notifications/complaints/requests for information/measures from you and that we have formulated and sent responses to them, the data related to these petitions will be kept (together with the personal data contained therein), in the case of BT Clients, for the duration of their business relationship with the bank, plus 3 years (the legal limitation period).
Any other personal data processed by BT for other purposes indicated in this Information Note will be kept for the period necessary to fulfill the purposes for which they were collected, to which non-excessive terms may be added, established in accordance with the applicable legal obligations in the field, including but not limited to the provisions regarding archiving, or established internally, according to the legitimate interests of the bank.
XII. What rights do BT clients have regarding the processing of their data
All BT Clients are guaranteed the rights below regarding their personal data processed by BT.
You should know that we treat these requests with the highest degree of professionalism and their status is periodically brought to the attention of the Bank's management.
Each of the requests is carefully analyzed, the responses to them are documented and, whenever necessary, we take corrective measures to ensure that we respect the rights you have regarding the lawful processing and proper protection of your data, which is an essential component of our obligation to respect human rights.
a) the right of access: Clients can obtain from BT confirmation that their personal data is being processed, as well as information regarding the specifics of the processing such as: the purpose, categories of personal data processed, recipients of the data, the period for which the data is retained, the existence of the right to rectification, deletion or restriction of processing. This right allows Clients to obtain a copy of the processed personal data free of charge;
b) the right of rectification: Clients can request BT to modify incorrect data concerning them or, as the case may be, to complete the data that are incomplete;
c) the right to erasure (the "right to be forgotten"): Clients can request the deletion of their personal data when:
- these are no longer necessary for the purposes for which we collected and process them;
- the consent for the processing of personal data was withdrawn and BT can no longer process them on other grounds;
- personal data are processed contrary to the law;
- personal data must be deleted according to the relevant legislation;
d) the right to withdraw consent: Clients can withdraw their consent regarding the processing of personal data processed on this legal basis at any time. The withdrawal of consent does not affect the legality of the processing carried out before the withdrawal;
For withdrawing consent for data processing for advertising purposes you can also use the online form “Do you want marketing or not?” (options for BT clients) and check the option “I do not wish to receive advertising messages”;
e) the right of opposition: Clients can oppose processing for marketing purposes at any time, as well as processing based on BT's legitimate interest, for reasons related to their specific situation;
f) the right to restriction of processing: Clients may request the restriction of processing their personal data if:
- they dispute the accuracy of the personal data, for a period that allows us to verify the accuracy of the data in question;
- processing is illegal, and the Client opposes the deletion of personal data, instead requesting the restriction of their use;
- the data is no longer necessary to us but the Client requests it from us for a court action;
- in the event that the Client has objected to processing, for the period of time during which we verify whether the legitimate rights of BT as the operator prevail over those of the data subject.
g) the right to data portability: Clients may request, under the conditions of the law, that the bank provide them with certain personal data in a structured form, commonly used and that can be read in an automated manner. If Clients wish, BT may transmit the respective data to another entity, if technically possible.
h) rights regarding automated individual decision-making processes: as a rule, Clients have the right that their data not be subject to a decision made exclusively by automated means, including profiling, if this produces legal effects on them or similarly affects them, to a significant extent. They have the right to express their point of view, to contest the decision, and to request human intervention (review of the automated decision by a BT employee).
i) the right to file a complaint with the National Supervisory Authority for Personal Data Processing (A.N.S.P.D.C.P.): Clients have the right to file a complaint with the Supervisory Authority if they consider that their rights have been violated:
National Authority for the Supervision of Personal Data Processing, General Gheorghe Magheru Blvd. 28-30 Sector 1, postal code 010336 Bucharest, Romania, e-mail: anspdcp@dataprotection.ro
For exercising the rights mentioned in points a) – h) above with BT, please use the contact details of BT's designated data protection officer (DPO BT), sending the request in any of the following ways:
- to the e-mail address dpo@btrl.ro
- completing the online form available for Clients in the section: “How to exercise your GDPR rights at BT”, available on Privacy Hub
- by postal mail, at the address in Cluj-Napoca city, Calea Dorobanților street, no. 30-36, Cluj county, with the mention "to the attention of the person responsible for data protection"
Before sending us your request, we recommend that you read the instructions in the section “How to exercise your GDPR rights at BT” available on Privacy Hub.