Policy for processing and protection of personal data

Transilvania Bank S.A. Policy regarding the processing and protection of personal data within banking activities ("Policy" or "BT Privacy Policy")

Reviewed on 06.11.2021

Version valid in the period 11.06.2021-27.02.2023

Download Previous versions of the Privacy Policies

At Banca Transilvania S.A. (hereinafter referred to as "BT", "the Bank" or "we") we constantly ensure that the personal data of all individuals we interact with are processed in full compliance with applicable legal provisions and with the highest standards of security and confidentiality.

To guide and support us in our activities in the field of processing and protection of personal data, we have appointed a data protection officer (data protection officer or DPO), who can be contacted by any person regarding any aspects related to how BT processes this data, by sending a notification to:

BT headquarters in Cluj-Napoca municipality, Calea Dorobanților street, no. 30-36, Cluj county, with the mention "to the attention of the person responsible for personal data protection" or a message at
email address dpo@btrl.ro

In the following, we present our policy in this very important field, which we commit to reviewing at certain intervals of time, with a view to its continuous improvement.

Through this Policy, we intend to fulfill our obligation to inform all categories of natural persons whose personal data we process within our banking activities ("data subjects") in accordance with the provisions of Articles 13-14 of EU Regulation No. 679/2016 or the General Data Protection Regulation (hereinafter referred to as "GDPR").

Whenever we have the objective possibility to directly inform certain categories of targeted persons about the processing of their data, we commit to proceed accordingly.

In some cases, however, either we do not have the objective possibility, or it would involve a disproportionate effort for the bank to directly fulfill this obligation. For all these situations, we fulfill our obligation to inform through this Privacy Policy.

If you are a regular bank client - BT Client - and you wish to consult only the section related to the data processing of this category of data subjects, you can access: General information note concerning the processing and protection of personal data belonging to BT Clients, which is an integral part of this Policy.

The present Policy is not addressed to Transilvania Bank employees, this category of targeted persons being informed regarding the personal data processed by BT as an employer through a separate document.

We will now present which categories of personal data we process within our banking activity, who the data subjects of this processing are, for what purposes we use the personal data, to whom we disclose or transfer them, how long we keep them, how we ensure their security, as well as what rights the data subjects can exercise in relation to this processing.

In case you are not familiar with the meaning of the different technical terms used within GDPR or the applicable banking legislation, we recommend that you first study the section related to:

A. Specialized terms used in Politics

The terms defined in this section shall have the following meaning when used in this Policy:

a) "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

b) "Processing of personal data" or "data processing", means any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

c)„GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

d) „BT Financial Group” - The bank together with entities controlled by it such as, BT Microfinance IFN SA ("BT Mic") ,BT Asset Management S.A.I. S.A., ( "BTAM"), BT Leasing Transilvania IFN S.A. ("BTL"), BT Direct IFN S.A. ("BTD"), BT Capital Partners S.S.I.F. S.A.(„BTCP”), The Romanian Entrepreneurial Club Foundation, The Clujul Has Soul Foundation and other entities that may join this group in the future;

e) „Operator” means a legal entity, which, alone or together with other persons, determines the purposes and means of processing personal data;

f) "Data subject" means the natural person whose personal data are processed;

g)Recipient means the natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether or not it is a third party;

h) "Third party" means a natural or legal person, public authority, agency or other body, other than the Data Subject, the Controller, the Processor, and who, under the direct authority of the Controller or the Processor, are authorized to process Personal Data;

i) "Supervisory Authority" means an independent public authority established by a member state, responsible for monitoring the application of the GDPR. In Romania, the supervisory authority is the National Supervisory Authority for Personal Data Processing – "ANSPDCP";

j)"Biometric data” means personal data resulting from specific processing techniques relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images or fingerprint data;

k) „Data regarding health means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person's state of health;

l) "Signature specimen" represents the client's handwritten signature recorded on documents used in their relationship with the bank and/or the client's signature captured through an electronic device (SignaturePad), provided to the bank as a specimen signature;

m) „Beneficiar real” according to the provisions of art. 4 para. 1 of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for amending and supplementing some normative acts, is any natural person who ultimately owns or controls the client and/or the natural person on whose behalf a transaction, operation or activity is carried out, and includes at least the categories of natural persons mentioned in art. 4 para. 2 of this normative act;

n) „Person exposed to the public according to the provisions of art. 3 para. 1 of Law no. 129/2019 for the prevention and combating of money laundering and terrorist financing, as well as for the amendment and completion of certain normative acts, are the natural persons who exercise or have exercised important public functions and include at least the categories of natural persons mentioned in art. 3 para. 2 of this normative act.

B. Who is Banca Transilvania?

BANCA TRANSILVANIA S.A. is a credit institution, Romanian legal person, registered with the Cluj Trade Register Office under number J12/4155/1993, having the unique registration code no. RO5022670 and the following contact details: registered office address Str. Calea Dorobanților No. 30-36, postal code 400117, locality Cluj-Napoca, Cluj County, Romania Tel: 0801 01 0128 (BT) - callable from the Romtelecom network, 0264 308 028 (BT) - callable from any network, including international, *8028 (BT) - callable from Vodafone and Orange networks, e-mail address: contact@bancatransilvania.ro, website www.bancatransilvania.ro.

BT has over 500 units - branches, agencies, work points, which carry out their activity in Romania, as well as units through which they carry out banking activity in Italy.

Our official internet page is www.bancatransilvania.ro (hereinafter referred to as „BT website”).

The bank also manages other websites, whose updated list you can consult here: https://www.bancatransilvania.ro//site-uri-bt.pdf

Banca Transilvania S.A. is the parent company of the Banca Transilvania Financial Group (hereinafter also referred to as "BT Group”), which also includes the following subsidiary entities of the Bank: BT Microfinancing IFN SA ( "BT Mic"), BT Asset Management S.A.I. S.A., ( "BTAM"), BT Leasing Transilvania IFN S.A. ("BTL"), BT Direct IFN S.A. ("BTD"), BT Capital Partners S.S.I.F. S.A.(„BTCP”)

C. What personal data does BT process, who do they belong to, and for what purposes do we use them?

Within the banking activity it carries out, Banca Transilvania processes different categories of personal data, depending on the status that the data subjects have in relation to BT. The purposes for which we process the data are directly dependent on the way in which the different categories of data subjects enter into a relationship with us.

In relation to the relationship you have with the bank in a certain context, we distinctly present below how we will process your personal data:

a. Who is the BT Client?

„Client BT” or „Client” is the natural person who belongs to any of the following categories of data subjects:

residents or non-residents, holders of at least one account opened at the Bank (also called "client natural person account holder”) or who complete the dedicated forms to acquire this status;
legal or conventional representatives of Customers, natural or legal persons account holders, including Customers of the type of authorized natural persons;
authorized persons with operating rights on the accounts of clients, natural or legal persons, account holders;
the real beneficiaries of the Clients individuals or legal entities account holders opened at BT;
persons entitled to submit bank documents, to withdraw account statements and/or to deposit cash amounts on behalf of and for the account of Client individuals or legal entities account holders (also known as "delegates");
any other individual users of a product/service of the bank, who do not have the status of Account Holder Client, legal representative, authorized person, delegate, or beneficial owner, including but not limited to: users of supplementary cards, users of internet/mobile banking services, users of mobile payment applications offered by the bank, managers with management guarantee accounts opened at the bank, users of BT meal vouchers);
guarantors of any kind of the payment obligations assumed by Clients who are natural or legal persons account holders;
persons who request the bank to open a contractual relationship and/or to contract a certain bank product/service, even if this request is rejected;
legal or conventional successors of those mentioned above.

We remind you that complete details, in printable format, about BT's processing of its regular customers' data – BT Customers – can also be found in General information note concerning the processing and protection of personal data belonging to BT Clients

b. The purposes for which we process BT Customers' data

Depending on the case, if you have the status of BT Client, we will process your data as follows:

identity verification, in order to prevent money laundering and terrorist financing, as well as to confirm the status of BT Client;

Identity verification is carried out when establishing and during the course of a business relationship, when ordering any transaction, or when requesting information or performing operations such as, but not limited to: information about accounts, submitting/transmitting any requests/complaints, handing over cards, tokens, expressing options, contracting the bank's products/services, accessing bank services already contracted, as well as during phone calls initiated by Clients or by the bank.

In the bank's units, identity is verified based on valid identity documents, which must be presented in original, and in the online environment and during phone calls initiated by the Client or the bank, by requesting the provision and validation of information already recorded in the bank's records regarding the Client;

know Your Customer for money laundering and terrorism financing prevention, including risk-based verification, by applying Know Your Customer measures that involve both identity verification and the processing of personal data required by law, both at the time when a particular individual acquires the status of Customer (data collection), throughout the entire period during which this status is held (data update), as well as after this point, for the legally established period after the termination of the Customer status (data storage and their processing for legally permitted purposes);
- For details about the processing of personal data for the purpose of knowledge of the Clientele access the following link: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-in-scop-KYC.pdf
solvency evaluation, reducing credit risk, determining the indebtedness level of Clients interested in customized offers related to the bank's credit products or contracting these types of products (credit risk analysis);
- For details about the processing of personal data for the purpose of analysis of a credit application submitted to Banca Transilvania S.A. access the following link: https://www.bancatransilvania.ro//Information-regarding-the-processing-of-personal-data-for-the-purpose-of-analyzing-a-credit-application-1.10.2019.pdf
the conclusion and execution of contracts concluded between the bank and Clients, related to some products and services offered by it in its own name (such as, but not limited to: cards, deposits, loans, internet and mobile banking, SMS Alert);
- For details about the processing of personal data on the occasion of concluding and during the execution of a credit contract (card or non-card) concluded with Banca Transilvania S.A. access the following link: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-in-contextul-incheierii-executarii-unui-contract-de-credit-BT.pdf
- For details related to the processing of personal data within the mobile application BT Pay, access the following link: https://www.bancatransilvania.ro/wallet-bt-pay/privacy-policy-en/
For details related to the processing of personal data within the service Self Service Livia from BT, access the following link: https://www.bancatransilvania.ro/files/self-service-livia-de-la-bt/nota_informare_prelucrare_date_caracter_personal_serviciu_livia_de_la_bt.pdf
For details related to the processing of personal data within the service BT Visual Help access the following link: https://www.bancatransilvania.ro/information-note-processing-personal-data-bt-visual-help/
the conclusion and execution of certain contracts related to occasional transactions, such as but not limited to: deposits of cash amounts made by Clients at the bank's counters or with the help of the bank's devices, in cases where the amounts are deposited into bank accounts to which those Clients have no operating rights (they do not have the status of account holder, authorized person, delegate on those accounts), money transfer services, currency exchanges;
- For details about the processing of personal data for the purpose of the depositing of some cash amounts access the following link: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-depunere-sume-in-numerar-clienti-ocazionali-BT.pdf
settlement of bank transactions;
the establishment of garnishments, the recording of amounts garnished at the disposal of creditors, and the provision of responses regarding these to enforcement bodies and/or competent authorities, in accordance with the bank's legal obligations;
monitoring the security of persons, premises and/or the bank's or its units' visitors' goods;
- Details about data processing through video surveillance can be found here: https://www.bancatransilvania.ro/video-surveillance/
- Details about the processing of visitors' data for access in some BT units can be found here www.bancatransilvania.ro/monitorizare.pdf
the preparation and transmission of reports to the competent institutions to receive them, in accordance with the legal provisions applicable to the bank (such as, but not limited to: reports on payment incidents to the Payment Incidents Central within the NBR, declaring transactions exceeding the amount established by law to the National Office for the Prevention and Control of Money Laundering);
carrying out analyses and keeping records of the bank's economic, financial and/or administrative management;
administration within the internal departments of the services and products offered by the bank;
evaluation and monitoring of the financial-commercial behavior of Clients during the course of the business relationship with the bank, in order to detect unusual transactions and suspicious transactions, according to the legal obligations of knowing the Clientele imposed on the bank for the prevention of money laundering and terrorist financing;
the collection of receivables and the recovery of claims recorded from Clients;
prevention of acquiring or reacquiring the status of Client by persons with inappropriate behavior, which is likely to hinder the conduct of prudent banking activity, in accordance with the legal obligations the bank has;
defense in court of the rights and interests of the bank, settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
taking measures/providing information or responses to requests/notices/complaints of any nature addressed to the bank by any person and/or authorities or institutions, through any channel, including via electronic communications and internet services;
proof of requests/agreements/options regarding certain requested/discussed/agreed aspects within telephone calls initiated by Clients or by the bank, by recording the discussed aspects and, if applicable, the audio recording of telephone conversations or, if applicable, audio-video;
informing Customers about the products/services they hold at the bank, in order to properly execute the contracts (such as, but not limited to, account or card statements, information about the bank units' opening hours, information regarding the imposition of garnishments on accounts, notifications about the existence of unauthorized debts or overdue loan payments, information about the approaching termination date of a specific held product/service, information about improvements or new facilities offered in connection with the held product/service);
the transmission of advertising messages, according to the consent expressed by Clients on forms available in the bank's units, on its internet page or within some services offered online;
collecting Customers' opinions regarding the quality of BT services/products/employees (services quality evaluation);
financial education of Clients;
performing internal analyses (including statistical), both with regard to products/services, and with regard to the portfolio and Client profile, for the improvement and development of products/services, as well as conducting studies, market analyses, analyses of Clients' opinions regarding the bank's products/services/employees;
archiving- both in physical and electronic format- of documents, making backup copies;
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
fraud prevention;
calculating the commissions to which certain categories of bank employees are entitled;

c. Categories of personal data processed of BT Clients

identification data: surname, first name, pseudonym (if applicable), date and place of birth, personal numerical code (CNP) or another similar unique identification element, such as CUI for authorized natural persons or CIF for natural persons practicing liberal professions (e.g. another unique identification element is allocated by the bank to Clients categorized as "non-residents" and it is represented by a code consisting of a sequence of digits referring to the year, month, day of birth and the number of the identity document, complete or truncated), series and number of the national or international identity document/passport, as well as a copy of it, domicile and residence address;
contact data: correspondence address (if applicable), telephone number, fax number, electronic mail address;
citizenship;
information about the purpose and nature of the business relationship;
financial data (such as, but not limited to, data about transactions, including about the amount of projected transactions);
tax dates (country of tax residence);
profession, occupation, name of the employer or nature of the own activity (if applicable),
information about the important public function held- if applicable- and political opinions (excluding in the context of obtaining information related to the status of a politically exposed person- PEP);
quality, holdings and, as the case may be, powers of representation held within legal entities;
information about family situation (including marital status, number of children, children in care, etc.);
information about the economic and financial situation (including data on income, data on bank transactions and their history, data regarding owned/possessed assets, as well as data related to payment behavior);
the image (contained in identity documents or captured by video surveillance cameras installed in the bank's units, at BT equipment, as well as in some audio and/or video recordings, as the case may be);
the voice, within phone or audio/video conversations and recordings (initiated by Clients or by the bank);
age, for verifying eligibility to contract certain bank products/services/offers (e.g. credit products, products dedicated to minors, etc.);
opinions, expressed within notifications/complaints/conversations, including telephone ones, regarding products/services/bank employees;
signature (including within signature specimens);
biometric data (such as, but not limited to, the situation of illiterate persons or persons with visual impairments, whose fingerprint can be processed);
identifiers, including identifiers allocated by Banca Transilvania or by other financial-banking or non-banking institutions, necessary for the provision of certain services, such as, but not limited to: the BT Client code (BT CIF), transaction identifiers, IBAN codes attached to bank accounts, debit/credit card numbers, card expiration dates, contract numbers, codes and the operating system type of mobile phones or other devices used to access mobile banking services/mobile payment applications, as well as the IP address of the device used to access these services. Mobile phone codes, operating system type and IP addresses are processed exclusively to ensure security measures for transactions carried out through these services, to prevent fraud;
health data, exclusively in case the processing of such data is necessary for Clients to prove the difficult situation in which they or their family members find themselves, especially in order to grant some facilities or in the context of the provision/execution of insurance products/services intermediated by the bank;
for credit products: product type, granting term, granting date, due date, amounts and credits granted, amounts owed, account status, account closing date, credit currency, payment frequency, amount paid, monthly installment, employer's name and address, amounts owed, outstanding amounts, number of overdue installments, due date of the overdue amount, number of days delay in loan repayment. These data are processed both in the bank's own records, and - if applicable - in the Credit Bureau system and/or other records/systems of this type;
information relating to fraudulent/potentially fraudulent activity, consisting of data relating to accusations and convictions related to offenses such as fraud, money laundering and financing acts of terrorism;
information related to the commission of crimes or offenses in the financial-banking field, in direct relation with Banca Transilvania S.A., established by final or irrevocable court decisions, as the case may be, or by uncontested administrative acts;
information regarding the location where certain transactions are performed (implicitly, in the case of operations at BT equipment belonging to Banca Transilvania);
dates and information related to the products and services offered by the bank or its collaborators, which the data subjects use (such as, but not limited to, credit, deposit, insurance products);
any other personal data belonging to Clients, which are brought to our attention in various contexts by other Clients or by any other persons.

a. Who are/ in what situations do we process your data as an occasional BT Client?

„Occasional BT Client” is the individual who orders, at counters or through BT equipment, transactions of the following types:

cash deposits in BT accounts in which they have no capacity (including BT Clients who deposit amounts in the bank's accounts in which they have no capacity will act in this capacity);
currency exchanges;
money transfers through Western Union (WU);
payment of utility bills;
payment of various installments or insurance premiums;
dividend withdrawal or other types of amounts;
cash withdrawals from BT equipment with cards issued by other banking or payment institutions etc).

Specific information note regarding the processing of personal data for the purpose of depositing cash amounts can be found here https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-depunere-sume-in-numerar-clienti-ocazionali-BT.pdf

We process your data as an occasional BT client whenever you make transactions of the type mentioned above, even if you are also a regular client of the bank.

b. The purposes for which we process data of occasional BT Clients

When you act in relation to BT as an occasional client, your data are processed, as the case may be, for the following purposes:

identity verification, in order to prevent money laundering and terrorist financing; In the case of occasional transactions carried out through the bank's units, the identity is verified based on valid identity documents, which must be presented in original, and in the case of using BT equipment through other information about the payer available in the bank's records;
knowledge of the clientele for the prevention of money laundering and terrorist financing, including risk-based verification, through the application of customer due diligence measures;
evaluation and monitoring of financial-commercial behavior with a view to detecting unusual transactions and suspicious transactions, according to the legal obligations of customer due diligence imposed on the bank for the prevention of money laundering and terrorist financing;
the conclusion and execution of the contract related to the occasional transaction;
settlement of bank transactions;
the preparation and submission of reports to the competent institutions to receive them, in accordance with the legal provisions applicable to the bank (such as, but not limited to: reports on payment incidents to the Payment Incidents Center within the National Bank of Romania, declaration of transactions exceeding the amount established by law to the National Office for the Prevention and Control of Money Laundering);
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
administration within the internal departments of the services and products offered by the bank;
defense in court of the rights and interests of the bank, settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
monitoring the security of persons, premises and/or the bank's or its units' visitors' goods;
taking measures/providing information or responses to requests/notifications/complaints of any kind addressed to the bank by any person and/or by authorities or institutions, through any channel, including via electronic communication services and the internet;
conducting internal analyses (including statistical);
archiving - both in physical format and electronic - of documents, creating backup copies;
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

c. Categories of personal data processed of Occasional BT Clients

Occasional BT clients we process, as appropriate, the following categories of personal data:

identification data - name, first name, the series and number of the national or international identity document/passport, personal numeric code (CNP) or another similar unique identification element, such as CUI for authorized natural persons or CIF for natural persons practicing liberal professions (e.g. another unique identification element is assigned by the bank to Clients classified as "non-residents" and it is represented by a code consisting of a sequence of digits referring to the year, month, day of birth and the identity document number, complete or truncated), address of residence and - in some cases provided by law - including a copy of the identity document (usually for cash deposits, currency exchanges, money transfer services over a certain amount or that present indicators of suspicion);
details regarding the amount subject to the transaction and explanations regarding the nature of the payment (what the payment represents);
transaction identifier;
signature;
contact details- phone number and/or e-mail address in the case of cash depositors who are not BT Clients and who wish to provide them to us to be notified in the event the transaction is canceled);
the image (from the identity document, if it is necessary to retain a copy of it or, as the case may be, captured by video surveillance cameras);
information regarding the location of certain transactions (implicitly, in the case of operations performed on BT equipment);

a. Who is a natural person related to the applicant for a BT loan?

There are natural persons connected to the applicant for a loan* (also called "applicant” or „the debtor”) and form the same group with this one, any of those indicated in the table below:

*The credit applicant is a natural or legal person who submits a loan application to BT.
It is considered to be a credit applicant including the husband/wife/life partner/co-borrower/guarantor of the main credit applicant.

The husband/wife/life partner of the applicant together with the companies over which the applicant holds control or which he manages
Other close family members of the applicant along with the companies over which they hold control or which they manage, to the extent that there is a relationship of: direct or indirect control/dominant influence/economic dependence between them and the credit applicant or between the companies they control/manage
Entities in which the applicant exercises direct or indirect control through:
- Holding at least 50% of the shares/parts;
  and/or
- Capacity to obtain the majority of votes within the GMS
  and/or
- The capacity to appoint/revoke the majority of the members of management, administration, or supervisory bodies
Entities in which the applicant is an administrator
Entities in which the applicant is general director respectively leader in the case of foundations/associations/public bodies
Parent companies/subsidiaries of the companies from points 3 and 4;
Companies controlled by the companies at points 3 and 4.
Administrators and persons who exercise direct or indirect control in the companies at points 3, 4 and 6 except those mentioned above
Natural person and/or legal entity that guarantees the applicant's loan with its assets (including income in the case of the co-debtor/guarantor), if the execution of these guarantees would affect it in such a way as to put its payment capacity at risk

b. The purposes for which we process personal data belonging to individuals from the group of a BT debtor

If you are such a person, we process your data, as appropriate, for the following main purpose:

solvency assessment, credit risk reduction, determination of the indebtedness degree of Clients interested in personalized offers related to the bank's credit products or contracting these types of products (credit risk analysis);

In the context of analyzing the credit application of an individual or legal entity applicant, Banca Transilvania S.A. also processes your personal data if you fall into any of the categories of individuals indicated in the table above (who are part of the debtor's group), as the bank is subject to legal obligations to establish and analyze its exposure to related customer groups, as part of the credit risk analysis.
Also, as a reporting person, the bank will report these exposures and the composition of the groups of debtor clients in connection to the NBR, the Credit Risk Center (only where applicable).
These data of yours are necessary for the bank in order to proceed with the analysis of the credit request/application, and the refusal of the credit applicant (or yours) to provide them or to be processed may determine the bank's inability to analyze and/or approve the credit.

The personal data that belong to you are transmitted/disclosed, as the case may be, to the Credit Risk Center within the NBR, as well as, respecting the need-to-know principle, to entities within the BT financial Group and/or to service providers used by the bank in the credit application analysis process.

The retention period of your data in the bank's records is equal to that of the existence of a group/some groups of clients connected of which you are a part.

Other purposes related to the main purpose indicated above, in which we process your data are, as the case may be, the following:

identity verification, including for confirming/rejecting your status as a BT Client;
the preparation and transmission of reports to the competent institutions authorized to receive them, in accordance with the legal provisions applicable to the bank (such as, but not limited to: the Credit Risk Central Office within the NBR);
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
administration within the internal departments of the services and products offered by the bank;
defense in court of the rights and interests of the bank, settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
taking measures/providing information or responses to requests/notifications/complaints of any kind addressed to the bank by any person and/or by authorities or institutions, through any channel, including via electronic communication services and the internet;
conducting internal analyses (including statistical);
archiving - both in physical format and electronic - of documents, making backup copies (back-up);
the provision of registry and secretarial services concerning correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

c. Categories of personal data processed of natural persons from the group of a BT debtor

identification data - last name, first name, personal numeric code;
the function, position, holdings and, as the case may be, powers of representation held within legal entities in the debtor's group;
after case, other data found in the bank's records or publicly available, which are necessary for fulfilling the main purpose related to credit risk analysis.

a. Who is the signatory/contact person on behalf of the BT contractual partners?

Signatories are usually the legal representatives or other persons designated by the contractual partners to sign the contracts concluded with the bank (regardless of whether the contractual partners are BT Clients legal entities account holders or service providers, collaborators, contracted goods suppliers by the bank);
Contact persons are persons designated by the contractual partner and communicated to the bank by it to maintain contact for the proper conduct of the contract, regardless of whether their data is mentioned in the content of the contract or not.

b. The purposes for which we process the data of signatories/contact persons on behalf of BT contractual partners

If you are the signatory/contact person on behalf of any contractual partner of the bank, we process your data, as appropriate, for:

the conclusion and proper execution of the contract concluded with the contractual partner (usually this is your employer), as well as for other purposes, closely related to the conclusion and execution of the contract, namely:
realization and transmission of reports to the competent institutions to receive them, in accordance with the legal provisions applicable to the bank;
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
appearance in court of the rights and interests of the bank, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
taking measures/providing information or responses to requests/notifications/complaints of any nature addressed to your bank or to authorities or institutions, through any channel, including through electronic communications services and the internet;
conducting internal analyses (including statistical);
archiving - both in physical format and electronic - of documents, making backup copies (back-up);
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
fraud prevention;

Categories of personal data processed of signatories/contact persons on behalf of contractual partners

We generally process the following categories of personal data concerning you, as applicable:

For signatories:

identification data - first and last name;
function;
signature.

For contact persons:

identification data - first and last name;
contact details - phone number (work) and/or email address (work);
function.

Information note dedicated to signatories and contact persons acting on behalf of BT's contractual partners can be found here: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-semnatari-persoane-de-contact-pentru-partener-contractual-BT.pdf

a. Who is a BT shareholder/bondholder or a person whose data we process in connection with those of our shareholders/bondholders?

BT Shareholder - you are a BT shareholder if you hold shares issued by Banca Transilvania S.A. as a natural or legal person;
Mandatory BT- you are a BT bondholder if you hold, as a natural or legal person, bonds issued by Banca Transilvania S.A.;
Individuals whose date are usually processed in relation to those of BT shareholders/bondholders- legal or conventional representatives of BT shareholders/bondholders, persons who jointly own shares/bonds with BT shareholders/bondholders, successors of BT shareholders/bondholders.

b. The purposes for which we process the data of BT shareholders/bondholders or of other persons in connection with those of BT shareholders/bondholders

If you are a shareholder and/or a BT bondholder or a natural person whose data we process in relation to those of shareholders/bondholders, we will use your data, as appropriate, for the following purposes:

identity verification, for the purpose of confirming/refuting the status of shareholder/bondholder of the bank, another status related to BT shareholders/bondholders;
fulfillment of the specific legal obligations and activities arising from BT's status as an issuer (e.g., organizing the EGMS, shareholder services, specific communications for investors);
the establishment of garnishments, the recording of amounts garnished at the disposal of creditors, and the provision of responses regarding these to enforcement bodies and/or competent authorities, in accordance with the bank's legal obligations;
carrying out and sending reports to the competent institutions to receive them, in accordance with the legal provisions applicable to the bank;
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
administration within the internal departments of the services and products offered by the bank;
appearance in court of the rights and interests of the bank, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
taking measures/providing information or responses to requests/notifications/complaints of any nature addressed to the bank by any person, as well as those addressed by authorities or institutions regarding BT shareholders/obligors, through any channel, including via electronic communications and internet services;
proving requests/agreements/options regarding certain requested/discussed/agreed aspects, including during telephone calls initiated by you or by the bank, by noting the discussed aspects and, if applicable, audio recording of telephone conversations or, if applicable, audio video;
conducting internal analyses (including statistical);
archiving - both in physical format and electronic - of documents, making backup copies (back-up);
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

c. Categories of personal data processed of BT shareholders/obligors/other persons in connection with their data

If you are a shareholder and/or BT bondholder, or another person related to them, we generally process the following categories of personal data:

identification data- last name, first name, CNP or other unique identification element, series and number of the national or international identity document/passport, postal address and, if applicable, a copy of the identity document (for the identification of shareholders in case of requests for shareholder or bondholder certificates or history of shares/bonds held at BT);
citizenship;
tax dates (country of tax residence);
information about the economic and financial situation, regarding the owned assets - number of BT shares and/or bonds, including the history of ownership of these assets;
quality, holdings and, as the case may be, powers of representation held within legal entities;
signature (on requests addressed to the bank);
phone number, e-mail address, mailing address, depending on the communication channel selected within the requests addressed to the bank.

a. Who is a visitor of BT units and/or a user/visitor of BT equipment?

It is visitor of BT units any natural person who visits the bank's units (including its administrative buildings), regardless of whether or not they perform banking operations;
It is user/visitor of BT equipmentany natural person who uses these devices or stands in front of them (ATMs, BT Express, BT Express Plus etc), regardless of whether these devices are located inside BT units or in other locations, regardless of whether the user is a BT Client, Occasional BT Client or any other third party, regardless of whether they initiate banking transactions through BT devices or not, regardless of whether they complete the banking transaction initiated through BT devices or not.

b. The purposes for which we process the data of visitors to BT units and/or users/visitors of BT equipment

We process your data, as applicable, for:

monitoring the security of persons, premises and/or the bank's or its units' visitors' goods;
- Details about data processing through video surveillance can be found here: https://www.bancatransilvania.ro/video-surveillance/.
- Details about the processing of visitor data for access to some BT units can be found here: www.bancatransilvania.ro/monitorizare.pdf
- making transactions ordered through the bank's equipment;

as well as for other related purposes connected to the primary purpose mentioned above, namely:

identity verification, as appropriate, if necessary for identifying you at the request of the competent authorities or when the bank has a legitimate interest;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
conducting internal analyses (including statistical);
archiving- both in physical and electronic format- of documents, making backup copies;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

On video surveillance, as well as on data processing for access to some BT units, the data subjects are informed including through pictograms and/or specific notifications displayed at the entrance of the bank's units and respectively on BT equipment.

c. Categories of personal data processed of visitors of the units and/or users/visitors of BT equipment

If you visit the bank's units (including its administrative buildings) and/or use or stand in front of BT equipment, we will process, as applicable:

the image, as it is captured by the installed video surveillance cameras;
any data necessary for carrying out transactions ordered through BT devices or for other related purposes mentioned above (e.g. times spent in the BT units/on the devices).

At the same time, to allow you access to certain units where the bank operates, the personnel with security duties will identify you based on identity documents and will record in special letter registers, provided by law, the following data concerning you:

identification data – last name, first name, series and number of the national or international identity document/passport.

a. Who is a visitor of BT websites/social media pages ?

Has this quality any natural person who accesses any of the websites from the BT portfolio and/or its social media pages.

b. The purposes for which we process the visitors' data of BT websites/social media pages

Through cookies or other similar technologies we process your data as a visitor of BT websites for the purposes described in detail within the cookie policies corresponding to each of the websites and briefly within the banners and cookie settings centers.

For the website www.bancatransilvania.ro , The cookie policy can also be found by accessing the following link: https://www.bancatransilvania.ro/cookie-use-policy/

If on BT websites you enter your data in complaint/request/claim forms, in applications for bank products/services/campaigns, in subscriptions to newsletters from various fields, we process the data entered in these forms, as appropriate, for:

taking measures/providing information or responses to requests/notifications/complaints of any nature addressed to the bank by any person, as well as those addressed by authorities or institutions regarding BT shareholders/obligors, through any channel, including via electronic communications and internet services;
proof of requests/agreements/options regarding certain requested/discussed/agreed aspects, including during phone calls initiated by you or by the bank, by recording the discussed aspects and, where applicable, the audio recording of telephone conversations or, where applicable, audio-video;
collecting your opinion regarding the quality of BT services/products/employees (service quality evaluation);
conducting internal analyses (including statistical);
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
archiving- both in physical and electronic format- of documents, making backup copies;
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
fraud prevention

Please note that subscribing or unsubscribing any e-mail address entered by you in forms/fields of the type/named "newsletter", available on BT websites to receive information from various fields of interest, is managed through the respective online forms (subscription) and respectively through unsubscribe links in the content of the messages received following the subscription (unsubscription).

Also, we inform you that subscribing/unsubscribing to/from the "newsletters" you choose on the BT websites does not affect the options regarding the processing of your data for advertising purposes filled in on the bank's forms available at the units or on the BT website (the online form found at the following link: https://www.bancatransilvania.ro/gdpr/ is available only to BT Clients for expressing marketing options in the context of the contractual relationship conducted by them with the bank).

c. Categories of personal data processed of visitors to BT websites/social media pages

If you visit a website BT we will collect the following categories of personal data:

data processed through cookies;
IP address;
data about the equipment used to access the website.

Also, within the forms available on BT websites, we collect, if applicable:

identification data- name, first name, and, in some cases, with the consent of the data subjects, the personal numeric code;
contact details - email address and/or telephone number.

We draw your attention to the fact that BT websites may contain links to websites whose privacy/personal data processing policy is different from that of BT. Persons who send personal data to any of these websites should be aware that they fall under the privacy/personal data processing policy of those websites, which we recommend reading. The BT policy regarding the processing and protection of personal data does not apply to information provided on these websites, BT has no control over the personal data processing carried out by the providers of these websites for their own purposes and assumes no responsibility for these processes.

If you use the social media pages of BT and insert comments, images, opinions and/or appreciations on our posts, we will generally process:

your user name on the respective social media platform
expressed opinions;
inserted images.

In some cases it is possible – usually as a result of your participation in various contests/campaigns or your insertion of comments in which you report dissatisfaction related to BT's activity or inquire about any aspects related to our activity – that we ask you to provide other information that allows us to identify you and/or the reported situation, as well as to provide the response to it. Usually, it concerns:

details about the reported situation;
identification data - usually surname, first name;
identifiers: as applicable, BT client ID (BT CIF), IBAN;
contact details: usually the e-mail address and/or telephone number.

In case you provide us with this personal data within the social media platform, we will process it for the purposes mentioned above within this section. For the protection of your data, please do not send us personal data within posts that are public on our social media platforms.

Please note that, in situations where you insert images that contain personal data of yourself or other persons or when you tag various other persons within the bank's social media pages, you express your consent regarding the use of these data by the bank, and you guarantee that you have obtained the consent of the persons to whom these data belong.

Last but not least, we inform you that any personal data you enter on BT's social media pages are also processed by the providers of the respective social media platforms and are subject to the privacy policies of those platforms. BT has no control over the processing of personal data carried out by the providers of these platforms for their own purposes and assumes no responsibility regarding such processing.

a. Who is a BT prospect?

You can have the status of BT prospect if you have requested information about BT products/services at the bank's units, through the websites in its portfolio or through BT's contractual partners, you have initiated the contracting of these without completing this action or you have registered in various campaigns organized by the bank.

b. The purposes for which we process BT prospects' data

If you are a BT prospect, we process your data, as applicable, for the following purposes:

identity verification, for the purpose of confirming/refuting the status of BT client;
taking measures/providing information or responses to requests/notifications/complaints of any nature addressed to the bank by any person, as well as those addressed by authorities or institutions through any channel, including via electronic communication services and the internet;
proof of requests/agreements/options regarding certain requested/discussed/agreed aspects, including during phone calls initiated by you or the bank, by recording the discussed aspects and, if applicable, audio recording of phone conversations or, if applicable, audiovisual recording;
collecting your opinion regarding the quality of BT services/products/employees (service quality evaluation);
conducting internal analyses (including statistical);
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
archiving- both in physical and electronic format- of documents, making backup copies;
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT;
fraud prevention;
calculating the commissions to which certain categories of employees are entitled.

c. Categories of personal data processed of BT prospects

If you are a BT prospect, as the case may be, we generally process you:

identification data- last name, first name, and, in some cases, only with your consent or if we justify a legitimate interest, the personal numerical code (CNP);
contact details - e-mail address and/or phone number.

a. Who is a BT candidate ?

You are a candidate for available positions at BT or for internships organized by BT if you have sent us or if we have received your CV to use it for recruitment purposes, directly from you or from/through other persons, or if you have informed us in any other way that you are interested in filling BT positions/participating in BT internships.

b. The purposes for which we process BT candidates' data

We process your data, as applicable, for:

recruitment for the position/positions or, as the case may be, for the internship you want to take/follow within the bank, as well as for purposes closely related to this activity, such as:
taking measures/providing information or responses to requests/notifications/complaints of any nature addressed to the bank by any person, as well as those addressed by authorities or institutions, through any channel, including via electronic communications and internet services;
proof of requests/agreements/options regarding certain requested/discussed/agreed aspects, including during phone calls initiated by you or by the bank, by recording the discussed aspects and, where applicable, the audio recording of telephone conversations or, where applicable, audio-video;
conducting internal analyses (including statistical);
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
archiving- both in physical and electronic format- of documents, making backup copies;
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT;
prevention of fraud.

In case you apply only for a specific position/internship, your personal data will be processed by the bank only within the recruitment process for that specific position/internship, and will be deleted at the end of the respective recruitment process.

If, on the other hand, you choose to be contacted in general for vacant positions/internships carried out at BT, we will keep your data and use it for recruitment purposes for a period of 1 year, a term that can be extended with your consent.

Within the recruitment process, references from previous employers or from teaching staff may become relevant. If the bank needs these, it will contact you to request your consent to obtain these references on your behalf. If you do not express your consent in this regard, it will be necessary for you to obtain these references yourself if you wish to continue the recruitment process.

c. Categories of personal data processed of BT candidates

To BT candidates, we usually process the following categories of personal data, as they are indicated in the CV submitted to/transmitted to the bank:

identification data - last name, first name;
age, for checking your eligibility to become an employee or, as the case may be, to participate in certain BT internships;
contact details - e-mail address and/or phone number;
data regarding studies and professional experience;
any other relevant data from the CV.

a. Who is/when do we process your data as a BT petitioner ?

You are such a person if you address BT with any request, on any channel, regardless of whether you are a BT client, an occasional BT client, or if you belong to any other category of individuals.

b. The purposes for which we process BT petitioners' data

Depending on the situation and specific status you have in relation to the bank, when you send us a request we process your personal data for the following purposes:

identity verification, including for the purpose of confirming/refuting the status of BT client;
taking measures/providing information or responses to requests/notifications/complaints of any nature addressed to the bank by any person, as well as those addressed by authorities or institutions, through any channel, including via electronic communications and internet services;
proof of requests/agreements/options regarding certain requested/discussed/agreed aspects within phone calls initiated by you or the bank, by recording the discussed aspects and, where applicable, audio recording of the telephone conversations;
collecting your opinion regarding the quality of BT services/products/employees (service quality evaluation);
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
conducting internal analyses (including statistical);
archiving- both in physical and electronic format- of documents, making backup copies;
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT;
fraud prevention;
calculating the commissions to which certain categories of employees are entitled.

c. Categories of personal data processed of BT petitioners

To register, confirm receipt, analyze, formulate and send a response to any requests/notifications/complaints you address to us, we process the following categories of personal data:

identification data: name, first name and other data in this category that you provide us or personal data that BT needs to process for identifying the petitioner BT in order to prevent the disclosure of confidential information (including personal data) to recipients who are not authorized to receive it;
contact details: mailing address, e-mail address, phone number;
the voice, within the conversations and recordings of telephone calls (initiated by the petitioners or by the bank);
depending on the case, any other information of which the bank is aware and that is necessary for analyzing the requests.

a. Who are/when do we process your data as a BT third party ?

You are included in this category of targeted persons if any personal data concerning you is disclosed / transferred to us by BT clients, by occasional BT clients in the context of their relationship with us, or by any other person. We process your data in this context in the capacity of a BT third party, even if you have other direct relationships with us (e.g., a BT credit applicant provides us with the sale-purchase contract of the property in which you appear as the seller. In this case, we will process the data from this contract in your capacity as a third party, even if you are actually also a BT client and we process your data for other purposes, specific to the contractual relationship you have established with the bank).

Thus, by way of example, we process your data in your capacity as BT third parties, if you belong to any of the following categories of natural persons:

members of a BT client's family or of a BT employee- it is possible that, in certain situations, Clients may bring to our attention data concerning members of their family, especially in the context of formulating and analyzing a credit application or the execution of a credit contract.
At the same time, BT employees may provide data belonging to family members, in various contexts related to their employment relationship with us (e.g. minor children of employees, other family members of BT employees);
non-client payers: natural persons who are clients of other institutions that offer payment services and who order transfers of amounts to the accounts of Clients opened at BT (interbank transfers ordered by clients of other payment institutions to BT Client account holders) - it is necessary to process the data of these persons for the provision of payment services and in accordance with our legal obligations;
beneficiaries of non-client payments: natural persons who are clients of other institutions that provide payment services, to the accounts of which BT Clients order transfers of sums (interbank transfers ordered to clients of other payment institutions by BT Clients)– it is necessary to process the data of this category of persons in order to provide payment services and according to legal obligations;
pindividuals mentioned in the details/explanations of the paymentin a payment orderdeposited/sent/received at BT– filling in the fields related to the explanations/details of a payment is mandatory according to the legal provisions in the field of money laundering prevention and terrorism financing. According to the principle of minimizing data, personal data should be entered in these fields only when absolutely necessary and only the data that is strictly necessary;
authorized persons (other than authorized or delegated on accounts) natural persons nominated to order/initiate on behalf of a BT Client operations – banking or non-banking – through the channels offered by BT (e.g. telephone payment instructions);
natural persons whose data are mentioned on various documents made available to the bank– in case a BT client, occasional BT client or any person with whom the bank interacts submits to/sends to the bank various documents, in different situations (e.g. certificates or documents of any type containing personal data of the signatories or, as the case may be, of other persons mentioned in the content of the documents) the bank will process these data considering the need to keep these documents, even if it may not need to process the data in any other way than storing them;
persons with whom the bank receives requests/applications for information from various institutions and/or public authorities, from notaries, lawyers, bailiffs, etc;
participants in various events or social responsibility actions organized by the bankă, whose data needs to be processed in order to ensure event logistics;
any other categories of natural persons whose personal data are made available to us by any person with whom we interact or that come into our possession in any other way.

b. The purposes for which we process third parties' data BT

We process your data as a BT third party according to the purpose for which it is necessary in our relationship with the person who provided it to us, as well as for the following related purposes:

management of labor relations with BT employees, as appropriate;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
conducting internal analyses (including statistical);
archiving- both in physical and electronic format- of documents, making backup copies;
the provision of registry and secretarial services concerning correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT;
prevention of fraud.

c. Categories of personal data processed by BT third parties

The most commonly encountered data that we process for BT third parties are, by way of example:

identification data- last name, first name, personal numeric code (CNP);
relationship between you and a BT client or employee, as appropriate;
function held within a legal entity;
signature;
any other data made available to us by any person with whom we interact in the course of our activity.

a. Who can be the persons who have expressed to BT options regarding the processing of their data for advertising purposes (where applicable, consent or refusal)

Currently, the following categories of data subjects who have expressed their consent to BT for the processing of their personal data for advertising purposes are considered to be:

BT clients, occasional BT clients or any BT third parties who have expressed this consent on the dedicated BT form used in BT units starting from 12.03.2018 and on the BT website www.bancatransilvania.ro (online the form within this link: https://www.bancatransilvania.ro/gdpr/ is available only to BT customers) starting from May 2018;
BT clients, occasional BT clients or any third parties who have expressed this consent on forms used in the bank's activity before the date 12.03.2018 and have not modified/withdrawn this consent in the meantime, neither following the information the bank provided to them in May 2018 regarding this possibility, nor on their own initiative.

There are currently individuals who have expressed their refusal to have their personal data processed for advertising purposes, BT clients, occasional BT clients, or any third parties of BT who have initially expressed their refusal to have their data processed for this purpose, as well as individuals who, although they initially expressed consent to have their data processed for advertising purposes, have subsequently withdrawn this consent.

b. The purposes for which we process the personal data of persons who have expressed their options at BT regarding the processing of their data for advertising purposes (as applicable, consent or refusal)

If you have given your consent for your data to be processed for advertising purposes, we will process them as follows:

transmission of advertising messages*, according to the expressed consent (advertising purpose);
identity verification of persons, for the purpose of confirming/disproving their status as BT Client;
proving requests/agreements/options regarding aspects related to advertising options, by recording the discussed aspects and, if applicable, audio recording of telephone conversations (initiated by the bank or by you);
conducting internal analyses (including statistical);
archiving- both in physical and electronic format- of documents, making backup copies;
performing registry and secretarial services regarding correspondence addressed to the bank and/or dispatched by it, as well as carrying out courier activities;
ensuring the security of the IT systems used by BT;
prevention of fraud.

If you have expressed your refusal regarding the processing of personal data for advertising purposes, we will process your data for all the above purposes, except for the one related to sending advertising messages.
*BT wishes to inform interested persons about the products/services/events offered/organized by the bank, by the entities of the BT Financial Group or by their partners, whereby it processes the personal data of these persons, if they have expressed their consent to receive advertising messages.
The form dedicated to expressing/collecting marketing options currently used by BT is accessible in any branch of the bank and on the website www.bancatransilvania.ro, or directly at the following link: https://www.bancatransilvania.ro/gdpr/
The online form is available only for BT Clients and can be used by them not only for the initial expression of marketing options, but also for modifying previously expressed options, as well as, if applicable, for withdrawing consent for receiving advertising messages.

c. Categories of personal data processed of persons who have expressed to BT their agreement regarding the processing of their data for advertising purposes, their recipients and the period of their processing

The data processed by BT for the purpose of sending advertising messages are usually:

identification data: last name, first name;
contact details: the phone number and/or the email address or mailing address provided by the interested persons to receive advertising messages or, if applicable, those declared in the bank's records for the purpose of knowing the clientele (conducting the contractual relationship) in the case of BT Clients;
in the case of BT Clients: other information we learn about clients, in the context in which they use BT services/products (e.g. data about transactions, age, location, income range etc.), which we will study automatically (profiling) to form an opinion related to the products/services/events that would suit them (personalized advertising).

Personal data will be processed by the bank for sending advertising messages until the termination of the contractual relationship with BT Clients or, as the case may be, until the moment of their withdrawal of consent to receive such messages (the latter variant also applies to any other categories of persons who are not BT Clients).

In some cases, for the transmission of advertising messages, BT will contract service providers, who will process the personal data of the data subjects on behalf of and for BT, only for the transmission of the established advertising messages strictly following BT's instructions and being under the close supervision of the Bank.

Individuals wishing can choose to receive advertising messages from several categories, including: BT products and services and those of BT subsidiaries, events organized by BT, products/services of partners related to BT products/services or those of BT subsidiaries, and events organized by BT partners.

BT subsidiaries whose products/services and events are to be promoted within the advertising messages sent to persons who have opted for this are the following entities within the BT Financial Group:BT Microfinancing IFN SA ( "BT Mic"), BT Asset Management S.A.I. S.A., ( "BTAM"), BT Leasing Transilvania IFN S.A. ("BTL"), BT Direct IFN S.A. ("BTD"), BT Capital Partners S.S.I.F. S.A.(„BTCP”), other entities that can join the BT Group in the future.

The list of current partners of BT and/or BT subsidiaries whose products/services and events are to be promoted within advertising messages sent to persons who have opted in this regard is available at the link: https://www.bancatransilvania.ro/partners.

In case you have opted to receive advertising messages about products/services events offered/organized by BT subsidiaries or by partners, these entities will process personal data for the purpose of sending these messages, under the careful supervision and coordination of the Bank and, where appropriate, together with it. For any potential processing of personal data carried out by BT partners/BT subsidiaries outside or adjacent to the sending of advertising messages, such as, for example, for the purpose of concluding contracts related to their products/services that have been promoted, these partners are to act as controllers of the processed personal data.

The agreement to be contacted for advertising purposes can be withdrawn or modified at any time through multiple methods, indicated separately on the dedicated form for expressing consent for the processing of personal data for advertising purposes.
The withdrawal of consent applies only for the future and does not affect the legality of data processing carried out before the moment of this withdrawal.

Please note that the subscription or unsubscription of any email address entered by you in forms/fields of the type/named "newsletter", available on BT websites to receive information from various areas of interest, is managed through the respective online forms (subscription) and respectively from unsubscribe links within the received messages following the subscription (unsubscription).
Also, we inform you that subscribing/unsubscribing to/from the "newsletters" you opt for on the BT websites does not affect the options regarding the processing of your data for advertising purposes completed on the bank's forms available in the branches or on the BT website.

D. What are the sources from which BT collects personal data?

As a rule, personal data belonging to the data subjects whose data we process are collected by us directly from them, on various occasions and in various ways, such as:

at the time of establishment and during the course of the business relationship with BT;
on the occasion of concluding and executing some contracts for products/services offered by the bank, in own name or for third parties;
by filling out some forms available on the BT website, on other websites owned by the bank or by other entities of the Group;
by registering/participating in various contests/campaigns organized by BT in its units, on the BT website or on the bank's pages on social media platforms;
when we are asked for information/we receive notifications/complaints at the bank's phone numbers, at email addresses, through messages sent on the bank's pages on social networks or received in writing at BT units;
when applying for available positions in the bank (online, by sending/depositing CVs at BT units or on various email addresses, at career fairs or other events);
when visiting the websites/social media platforms of BT.

However, there are situations when data is collected from other sources, such as:

from other Clients, natural or legal persons account holders, in situations such as, but not limited to: the authorization of other Clients on their accounts opened at the bank, the contracting of bank products/services by a Client on behalf of another Client who authorized them in this regard, the contracting by employers who are legal person Clients of BT of bank products/services for/on behalf of their employees (e.g., meal vouchers, benefits upon collection of salary income in accounts opened at BT, management guarantee accounts, etc);
from payers - natural or legal persons, regardless of whether they have the status of BT Clients - in the context in which they transfer/deposit amounts into the accounts of account holder Clients who are natural/legal persons;
from authorities or public institutions (e.g. courts, prosecutors' offices, bailiffs, BNR, ANPC, ANSPDCP etc.), notaries, lawyers in the context in which they send us notifications or requests;
from/through Transfond, SWIFT, international payment organizations, etc;
from credit institutions with which Banca Transilvania S.A. merged (Volksbank România S.A. and Bancpost S.A.);
from partner banks and correspondent banks, from banks or financial institutions participating in syndicated loans;
from international payment organizations;
from other entities of the Financial Group Banca Transilvania etc;
from public sources, such as but not limited to: the Trade Register Office, the National Register of Movable Property Advertising, the Cadastre and Real Estate Advertising Office, the court portal, the Official Gazette, social media, internet etc.;
from records such as the Credit Bureau, Credit Risk Central, in case there is a legal basis and a specific and legitimate purpose for consulting them;
from private database providers – e.g. entities authorized to manage databases with persons accused of financing acts of terrorism and those politically exposed;
from entities within the BT Financial Group, for their use in specific and legitimate purposes, generally for the smooth conduct of the common economic activity carried out together with the other entities within the BT Group and for fulfilling the legal requirements related to the consolidated supervision of the BT Financial Group;
from the contractual partners of the bank from various fields
from debt collection/recovery companies (e.g. we can find out the new contact details of Clients from companies that support us in debt recovery activities, data that they obtain based on their own interactions with them or with persons close to them);
from evaluation companies;
from insurance companies;
from pension and investment fund management companies;
from the Central Depository S.A., in the case of the bank shareholders' data;
from any other natural or legal persons who submit notifications/requests containing personal data (e.g. persons notifying us that some BT Clients no longer have the same contact details they declared in the bank's records).

E. What are the grounds on the basis of which BT processes personal data and the consequences of refusing to have the data processed?

The grounds on which BT processes personal data are, where applicable:

the necessity to process data for the fulfillment of a task serving a public interest;
the bank's legal obligation;
concluding/executing the contracts concluded with the data subject;
the legitimate interest of the bank and/or of some third parties;
the consent of the data subjects.

Except in cases where personal data is processed based on the consent of the data subjects, and in some cases where the processing is based on legitimate interest, the refusal of individuals to have their data processed by BT will make it impossible to provide the requested services or to resolve their requests.

F. To whom does BT disclose/transfer the personal data it processes?

The personal data of the Bank's Clients and, where applicable, of other categories of data subjects mentioned in this Policy, are disclosed by BT or, where applicable, transferred, in accordance with the GDPR principles, based on the applicable legal grounds depending on the situation and only under conditions that ensure full confidentiality and security of the data, to categories of recipients, such as, but not limited to:

other Clients who have the right and the need to know them;
entities within the BT Financial Group;
assignees;
contractual partners (service providers) used by the bank in the course of its banking activities, including but not limited to: IT services (maintenance, software development), archiving in physical and/or electronic format, courier, audit, services related to card issuance and enrollment in platforms, market research/study services, advertisement message transmission services, monitoring traffic and behavior of users of online tools, marketing services through social media resources, etc);
interbank payment processing companies and transmission of information regarding interbank operations (e.g., Transfond SA, Society for Worldwide Interbank Financial Telecommunication- SWIFT);
partners of the bank from various fields, whose products/services/events we can promote to BT Customers based on their consent. The updated list of the bank's partners can be found here: https://www.bancatransilvania.ro/partners;
international payment organizations (e.g. Visa, Mastercard);
payment processors;
financial and banking entities participating in payment and interbank communication schemes/systems such as SWIFT, SEPA, ReGIS, financial and banking institutions to which we confirm or request confirmation of signatures and/or certain information that can be found within creditworthiness letters, bank guarantee letters, other addresses issued by the Bank's Clients in favor of their business partners, other entities (such as banks or financial and banking institutions) in the context of assignments or restructuring of portfolios of claims and/or other rights of the Bank arising from legal relationships with Clients;
partner banks and correspondent banks, banks or financial institutions participating in syndicated loans;
authorities and public institutions, such as, but not limited to: the National Bank of Romania (BNR), the National Agency for Fiscal Administration (ANAF)*, the Ministry of Justice, the Ministry of Administration and Interior, the National Office for the Prevention and Control of Money Laundering (ONPCSB) **, the National Agency for Cadastre and Real Estate Publicity (ANCPI), the National Register of Movable Publicity (RNPM), the Financial Supervisory Authority (ASF), including, where appropriate, their territorial units;
companies (funds) guaranteeing various types of credit/deposit products (e.g. FNGCIMM, FGDB etc.);
notaries public, lawyers, judicial executors;
Credit Risk Center***;
Credit Bureau and Participants in the Credit Bureau system****;
insurance companies;
evaluation companies;
companies for collecting overdue debts/claims of the bank;
management companies of pension and investment funds entities to which the Bank has outsourced the provision of financial-banking services;
banks or state authorities, including from outside the European Economic Area - in the case of international SWIFT transfers or as a result of processing carried out for the purpose of applying FATCA and CRS legislation;
social media platform providers.

*According to the provisions of the Fiscal Procedure Code (Law 207/2015), in its capacity as a credit institution, BT has the legal obligation to communicate daily to the central fiscal authority – A.N.A.F. – the list of account holders, whether individuals, legal entities, or any other entities without legal personality that open or close accounts, as well as the identification data of persons who hold the signing rights for the accounts opened with them, the list of persons who rent safe deposit boxes, as well as the termination of the rental contract. A.N.A.F. may communicate this data to local fiscal authorities or to other central and local public authorities, under the conditions of the law.

**In case the conditions are met for BT to transmit personal data to the National Office for the Prevention and Control of Money Laundering, according to Law no. 129/2019 for preventing and combating money laundering and terrorism financing, as well as for amending and supplementing certain normative acts, these are transmitted simultaneously and in the same format also to A.N.A.F.

***The Bank has the legal obligation to report to the Credit Risk Central (CRC) the credit risk information for each debtor who meets the reporting condition (includes the identification data of a debtor, natural person or non-banking legal entity, and the operations in lei and foreign currency through which the Bank is exposed to risk towards that debtor), respectively to have recorded an individual risk towards this debtor, as well as information about confirmed card frauds.
****The bank has the legitimate interest to report in the Credit Bureau System, to which other Participants (mainly credit institutions and non-bank financial institutions) also have access, the personal data of debtors who register delays in loan repayment of at least 30 days, after prior notification of the persons concerned in this regard at least 15 days before the reporting date.

G. The regime of transfers of personal data carried out by BT to third countries/international organizations

When necessary for the fulfillment of the contracts concluded with BT Clients or BT occasional Clients, and only in specific situations or based on appropriate guarantees, the bank will transfer personal data abroad, as the case may be, including to countries that do not ensure an adequate level of protection of such data. Countries that do not ensure an adequate level of protection are those outside the European Union/European Economic Area, except for countries to which the European Commission has recognized an adequate level of protection, namely: Andorra, Argentina, Canada (only commercial companies), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay, Japan, United States of America – only within the limits of the protection offered by the EU-US Privacy Shield – (to the extent that no contrary decision is issued regarding any of these countries).

If BT Clients or Occasional BT Clients order transactions through the bank in which the payment recipients are located in countries that do not ensure an adequate level of protection of personal data, the transfer of data to those countries is based on the provisions of the General Data Protection Regulation concerning: the transfer that is necessary for the execution of a contract between the bank and the Client or for the application of pre-contractual measures adopted at the request of the Client or, as the case may be, the transfer that is necessary for the conclusion of a contract or for the execution of a contract concluded in the interest of the data subject.
In the situation where it is necessary to transfer personal data to third countries/international organizations and in other circumstances, the bank will proceed in this respect only with the legally provided guarantees for these transfers.

H. Automated decision-making processes, including profiling

In some circumstances, only by fulfilling the provisions of the GDPR, within the banking activity carried out by BT automated decision-making processes are used, including as a result of creating profiles. These are decisions made by the bank as the case may be, with or without the intervention of a human factor, and may produce legal effects and/or may affect the data subjects similarly, to a significant extent.

Such situations, presented as examples, are as follows:

for the application of customer due diligence measures in order to prevent and combat money laundering and terrorist financing, checks will be carried out in databases with persons accused of financing acts of terrorism or, as the case may be, with persons at high risk of fraud and, if the Clients are found registered in these records, the bank reserves the right to refuse to enter into a business relationship with them or to terminate the contractual relationship;
to protect BT Customers and Occasional Customers against fraud, as well as to enable the bank to properly fulfill its customer due diligence obligations, it monitors their transactions and, if it identifies suspicious operations (such as unusual payments in terms of frequency, value, also reported relative to the declared source of funds by the Account Holder Customers or the purpose and nature of the business relationship, transactions initiated from different localities at short intervals of time, which did not allow movement between those locations), it accordingly takes measures to block transactions, account cards, making these decisions exclusively on an automated basis;
according to legal provisions, the granting of credit products is conditioned by the existence of a certain degree of indebtedness of the applicants. For determining the eligibility to contract a credit product related to the degree of indebtedness, it will be determined based on automatic criteria, starting from the level of income and expenses recorded by the applicant;
for the purpose of objectively verifying the fulfillment of eligibility conditions for pre-offering and, where applicable, analyzing a credit request submitted to BT by an applicant, in most cases a bank scoring application will be used which will analyze data filled in the credit request, information resulting from checks carried out in the bank's own records and/or those of Credit Bureau S.A. and will issue a score that determines the credit risk and the probability of timely repayment of the installments in the future. To the issued score is added the result of other checks of the applicant's situation, which will be analyzed by bank employees to establish whether the eligibility conditions set by internal regulations are met. However, the final decision to approve or reject the credit request is based on the analysis performed by the Bank's employees (human intervention);
in case BT Clients have expressed their consent on the dedicated form for their personal data to be processed for advertising purposes to send personalized messages, these are based on a profile created based on various criteria, such as, but not limited to, transaction data, age, location, income range, which the bank will automatically study to form an opinion regarding the products/services/events that would suit the Clients. In some cases, this created profile will only determine the promotion of a certain product/service to persons determined to meet the profile conditions, and other times it will cause only persons who meet the profile criteria to be able to contract/benefit from certain promotional offers.

I. For how long does BT process personal data?

Personal data processed by the bank for the purpose of customer knowledge for prevention of money laundering and financing of terrorism, including the data concerning the transactions carried out through the accounts opened at the bank, will be kept by the bank at least 5 years from the date of termination of the business relationship with the Client, whether an individual or a legal entity, account holder, according to the legal retention period established in the bank's responsibility.

Also, in the case in which the business relationship is not open, the data contained in the request will be stored at the BT level for at least 5 years from the date of the bank's refusal to establish that contractual relationship.

Personal data filled in a loan application are kept in BT records for a period of 3 years from the date of signing the loan application, in case it is rejected and, respectively, for a period of 5 years starting from the date of termination of the business relationship with the client's bank, in the event that a credit contract is concluded following the approval of the credit application.
Regarding the data processed within BT's activity in the Credit Bureau system, these are stored at the level of this institution and disclosed to the Participants for a duration of 4 years from the date of the last update, except for data of loan applicants who have withdrawn their loan application or who have not been granted the loan, which are stored and disclosed to Participants for a period of 6 months.

Personal data for which BT has the legal obligation to report to Credit Risk Center (CRC) will be retained in the CRC records for a period of 7 years from their registration date.
For the data processed based on the consent of the data subjects for the purpose of sending advertising messages, these will be processed until the termination of the business/contractual relationship with the bank or, as the case may be, until the withdrawal of the respective agreement.

In order to prove that they have been received notifications/complaints/requests for information/measures and that answers have also been formulated and sent to these, the data related to these petitions will be kept in BT records (together with the personal data contained therein) both in paper and electronic format, for the duration of the business relationship for BT clients, and for a period necessary to fulfill the purpose for which they were processed (response formulation/information provision), plus a period of 3 years - the statutory limitation period in case the data does not belong to BT clients.

Processed personal data BT candidates will be kept until the end of the recruitment process for the available position or, in case the candidates have shown interest to be contacted for multiple positions suitable for them, the data from the CVs and other documents they have provided to BT for this purpose will be kept for a period of at most 1 year, if within this time interval their deletion from the Bank's records is not requested. This term may be extended with the candidate's consent.

Storage duration of data obtained through the video surveillance system is proportional to the purpose for which the data is processed, respectively does not exceed 30 days, the period after which the recordings are deleted by automatic procedure, in the order in which they were recorded. In case of a security incident (including a breach of personal data security), the retention period of relevant filmed material may exceed the normal limits depending on the time required for further investigation of the security incident.

Any other personal data processed by BT for other indicated purposes will be kept for the period necessary to achieve the purposes for which they were collected, to which non-excessive terms may be added, established according to the applicable legal obligations in the field, including but not limited to the provisions regarding archiving.

J. What are the rights of the data subjects that can be exercised in connection with the processing of their data by BT?

Any data subject is guaranteed the exercise of the rights provided by the GDPR, namely:

a) right of access: the data subjects can obtain from BT confirmation that their personal data are being processed, as well as information regarding the specifics of the processing such as: the purpose, the categories of personal data processed, the recipients of the data, the period for which the data are retained, the existence of the right to rectification, erasure or restriction of processing. This right allows data subjects to obtain free of charge a copy of the processed personal data, as well as for a fee any additional copies;

b) the right to data rectification : the persons concerned may request BT to modify the incorrect data concerning them or, as appropriate, to complete the data that is incomplete;

c) the right to erasure : the data subjects may request the deletion of their personal data when:

these are no longer necessary for the purposes for which we collected and process them;
the consent for the processing of personal data has been withdrawn and BT can no longer process them based on other grounds;
personal data is processed contrary to the law;
personal data must be deleted in accordance with the relevant legislation;

d) the right to withdraw consent : the data subjects can withdraw their consent at any time regarding the processing of personal data processed based on consent. The withdrawal of consent does not affect the lawfulness of processing carried out prior to this moment.

e) right of opposition : the data subjects may object at any time to processing for marketing purposes, as well as processing based on BT's legitimate interest, for reasons relating to their specific situation;

f) the right to restriction of processing: the data subjects may request the restriction of processing of their personal data if:

contest the correctness of personal data, for a period that allows us to verify the accuracy of the data in question;
processing is illegal, and the data subject opposes the deletion of personal data, instead requesting the restriction of their use;
the data is no longer necessary for processing, but the data subject requests them from us for a court action;
in the event that the data subject has objected to the processing, for the time period in which it is verified whether the legitimate rights of BT as controller prevail over the rights of the data subject.

g) the right to data portability: the data subjects may request, under the conditions of the law, that the bank provide them with certain personal data in a structured form, commonly used and which can be read automatically. If the data subjects request, BT may transmit the respective data to another entity, if technically possible.

h) the right to file a complaint with the National Supervisory Authority for the Processing of Personal Data: the data subjects have the right to file a complaint with the National Supervisory Authority for Personal Data Processing if they consider that their rights have been violated: National Supervisory Authority for Personal Data Processing, 28-30 General Gheorghe Magheru Blvd., Sector 1, postal code 010336 Bucharest, Romania anspdcp@dataprotection.ro

For exercising the rights mentioned in points a) – g) above, or for any questions about the processing of personal data carried out by BT, the data subjects can use the contact details of the data protection officer appointed by BT, sending the request:

by postal mail, to the address in Cluj-Napoca city, Calea Dorobanților street, no. 30-36, Cluj county, with the mention "to the attention of the person responsible for data protection"
at the email address dpo@btrl.ro.

K. How does BT protect the personal data it processes?

BT develops an internal framework of standards and policies to maintain the security of personal data. These are updated periodically to comply with regulations applicable to the Bank and the highest standards in the field.

Specifically and according to the law, the Bank adopts and applies appropriate technical and organizational measures (policies and procedures, IT security etc.) to ensure the confidentiality and integrity of personal data and the manner in which they are processed.
BT employees have the obligation to maintain confidentiality and cannot illegally disclose personal data that they process as part of their activities.
The bank ensures that its contractual partners who have access to personal data and who act as BT's authorized persons are imposed contractual obligations in accordance with legal provisions and that it verifies their compliance with the obligations they have assumed.
Contractual partners acting as authorized persons of the bank will process personal data on behalf of and for the bank, only in accordance with the instructions received from it and only respecting the security and confidentiality requirements within the imposed limits.
We guarantee that BT will not sell the personal data collected from the visited persons and that it will only transmit these data to those entitled to know them, in compliance with the legally established principles and obligations.

The present policy is regularly reviewed to guarantee the rights of the data subjects and to improve the processing and protection methods of personal data.