Banca Transilvania S.A. Policy regarding the processing and protection of personal data within banking activity ("BT Privacy Policy")

Version applicable in the period 28.02.2023 - 23.10.2023

About this Privacy Policy and our commitments

Banca Transilvania S.A. (hereinafter and “BT”, “Bank” or "we") undertakes to process personal data (hereinafter also personal data or "date") of all natural persons with whom he interacts (hereinafter also "targeted persons"), in accordance with the applicable legal provisions and with the highest standards of security and confidentiality, to respect the fundamental human rights and freedoms in connection with this processing and to periodically assess its activity in this field, in order to ensure that these rights are always respected.

In order to guide and support us in our activity in the field of processing and protection of personal data, we have appointed a data protection officer (“DPO”). BT DPO can be contacted by any data subject at any of the following contact details:

email address dpo@btrl.ro
the BT headquarters in Cluj-Napoca city, Calea Dorobanților street, no. 30-36, Cluj county, with the mention "to the attention of the person responsible for personal data protection"

We present below Our Policy in this very important field (hereinafter also “Policy”), on which we commit to periodically review it, with a view to its continuous improvement, and to inform the data subjects about the substantive changes made thereto.

Through this Policy, we fulfill towards all categories of data subjects whose personal data we process as a controller the obligation to inform in accordance with art. 13 -14 of EU Regulation no. 679/2016 or the General Data Protection Regulation ("GDPR").

Whenever we can directly inform the data subjects about the processing of their data, we commit to doing so. In cases where we either do not have the objective possibility or it would involve a disproportionate effort to fulfill this obligation directly, we inform the data subjects through this Privacy Policy.

If you are a regular customer of the bank (hereinafter also “BT Client” or “Client”), to find out how we process your personal data only in this capacity, you also have the separate information available: General information note regarding the processing and protection of personal data belonging to BT Clients, which is an integral part of this Policy.

You can find the Policy and the general Customer Information Note both on the website www.bancatransilvania.ro (hereinafter and “the BT website”), including in the section Privacy Hub from this website, as well as in BT units.

Also, for certain services/products/activities involving the processing of personal data that we perform, we have prepared specific information notes, which you can find on the BT website in the section Privacy Hub.

The Policy herein does not refer to the processing carried out by BT regarding the personal data of its employees. They are informed about the processing of their data carried out by BT as the employer through a separate document.

We hereby present which categories of personal data we process, who the data subjects of this processing are, for what purposes we use this data, to whom we may disclose or transfer it, how long we keep it, how we ensure their security, as well as what rights the data subjects may exercise in relation to this processing.

If you are not familiar with the meaning of various technical terms used in the GDPR or in the applicable legislation in the banking field, we recommend that you also study the following section, regarding:

A. Specialized terms used in Politics

When we use in this Policy the terms below, they will have the following meaning:

a) "Personal data" or ”personal data” or "date" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

b) "Processing of personal data" or "data processing" means any operation or set of operations performed on personal data or on sets of personal data, with or without the use of automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or making available in any other way, alignment or combination, restriction, erasure or destruction;

c)„GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

d) „BT Financial Group” or “BT Group” means the Bank together with entities controlled by it (BT subsidiaries/affiliates) such as, BT Microfinancing IFN SA ("BT Mic"), BT Asset Management S.A.I. S.A., ("BTAM"), BT Leasing Transilvania IFN S.A. ("BTL"), BT Direct IFN S.A. ("BTD"), BT Capital Partners S.S.I.F. S.A.("BTCP"), BT Pensii Pension Fund Management Company SA (BT Pensii), Idea::Bank, Victoria Bank, BT Leasing Moldova, BT Code Crafters SRL ("BT Code Crafters"), Improvement Credit Collection SRL ("ICC"), Romanian Entrepreneur Club Foundation ("BT Club"), Clujul has Soul Foundation and other entities that may join this group in the future;

e) „Operator” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its designation may be provided for by Union law or the law of a Member State;

In this Policy, when we use the term "operator" we generally refer to Banca Transilvania - when the bank processes personal data for purposes established by itself or by the legislation applicable to it - or, as the case may be, to Banca Transilvania and entities that are associated operators with the bank for certain personal data processing operations, when the purposes and means of processing have been jointly established by us and these entities;

f) "Data subject" means any natural person whose personal data is processed Also included in the category of data subjects are entities such as authorized natural persons (P.F.A.), individual enterprises (Î.Î.), individual forms of practicing certain liberal professions – "professionals", such as: individual medical offices, lawyer, notary, judicial executor, accountant, certified translator, etc;

Legal entities are not, as a rule, included in the category of “data subjects” and information about them is usually not personal data.

g) „Authorized person by the operator” means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

h) "Third party" means a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor authorized by the controller, and which, under the direct authority of the controller or the processor authorized by the controller, are authorized to process personal data;

i)Recipient means the natural or legal person, public authority, agency, or other body to which personal data are disclosed, regardless of whether it is a third party or not. However, public authorities to which personal data may be disclosed in the context of a particular inquiry in accordance with EU law or the law of a Member State are not considered recipients;

j)"Supervisory Authority” means an independent public authority established by an EU member state, responsible for monitoring the implementation of the GDPR. In Romania, the supervisory authority is the National Supervisory Authority for Personal Data Processing – "N.S.A.P.D.P.";

k) „Biometric data” means personal data resulting from specific processing techniques concerning the physical, physiological, or behavioral characteristics of a natural person that allow or confirm the unique identification of that person, such as facial images or fingerprint data subjected to such techniques;

l) „Data regarding health” means personal data related to the physical or mental health of an individual, including the provision of medical care services, revealing information about their health status;

m) „Beneficiar real” according to the provisions of art. 4 para. 1 of Law no. 129/2019 for the prevention and combating of money laundering and financing of terrorism, as well as for the amendment and completion of some normative acts, means any natural person who ultimately owns or controls the client and/or the natural person on whose behalf a transaction, operation or activity is carried out and includes at least the categories of natural persons mentioned in art. 4 para. 2 of this normative act;

n) „Person exposed publicly”– “PEP” - according to the provisions of art. 3 para. 1 of Law no. 129/2019 for the prevention and combating of money laundering and terrorist financing, as well as for the amendment and completion of certain normative acts, is considered to be the natural person who exercises or has exercised important public functions and includes at least the categories of natural persons mentioned in art. 3 para. 2 of this normative act. Members of the family of a PEP (defined in art. 3 para. 4 of Law 129/2019), as well as persons known as close associates of a PEP (defined in art. 3 para. 5 of Law 129/2019) are assimilated to PEPs from the point of view of the bank's obligation to apply customer due diligence measures.

B. Who is Banca Transilvania?

BANCA TRANSILVANIA S.A. is a credit institution, Romanian legal person, registered with the Cluj Trade Register Office under number J12/4155/1993, having the unique registration code no. RO5022670 and the following contact details: registered office address Str. Calea Dorobanților No. 30-36, postal code 400117, locality Cluj-Napoca, Cluj County, Romania Tel: 0801 01 0128 (BT) - callable from the Romtelecom network, 0264 308 028 (BT) - callable from any network, including international, *8028 (BT) - callable from Vodafone and Orange networks, e-mail address: contact@bancatransilvania.ro, website www.bancatransilvania.ro.

Banca Transilvania S.A. is the parent company of the BT Financial Group.

The provisions of this Policy refer to the processing of personal data carried out by BT as a data controller.

Within certain activities, we process personal data alongside other entities, as joint controllers. You can find details about this processing in the specific information notes in the section Privacy Hub from the BT website.

C. What personal data we process, who they belong to and what we use them for

Banca Transilvania processes different categories of personal data. The data processed and the purposes for which we process them depend on the status the data subject has in relation to us when it is necessary to process their respective data.

With regard to the quality you have in relation to us in a certain context, we present below how we process your personal data:

a. Who is the BT Client?

„Client BT” or ”Client” is the natural person who belongs to any of the following categories of data subjects:

residents/ non-residents, holders of at least one current account opened at the Bank (also called "individual account holder client") or who rent safety deposit boxes at BT;
legal or conventional representatives of Clients who are natural or legal persons holding an account or who have rented safety deposit boxes;
persons with operating rights on the accounts of individual or legal entity clients account holders ("authorized on account");
the ultimate beneficiaries of Clients natural or legal persons account holders opened at BT (“ultimate beneficiary”);
persons authorized to submit bank documents, to collect account statements and/or to deposit cash amounts on behalf of and for the account of individual or legal entity Clients holding accounts ("delegates");
associates/shareholders of BT Corporate Clients;
users of a bank product/service who do not have any of the qualities mentioned above but regularly use some BT products/services (e.g. supplementary card users, managers with guarantee management accounts opened at the bank, users of BT meal vouchers, users of BT Pay);
guarantors of any kind of the payment obligations assumed by Clients who are natural or legal persons account holders;
persons who sign requests on the bank's dedicated forms to become Clients, but this request is rejected or waived (even if these persons are not active BT Clients, we are legally obliged to keep their personal data for a certain period of time);
legal or conventional successors of those mentioned above.

We remind you that complete details, in printable format, about the processing of data of the bank's regular customers – BT Clients – can also be found in General information note regarding the processing and protection of personal data belonging to BT Customers.

b. The purposes for which we process BT Customers' data

As a BT Client, we process your data, depending on the situation, for:

application of measures regarding customer due diligence for the prevention of money laundering and terrorist financing. Details in specific information note from Privacy Hub;
solvency assessment, reduction of credit risk, determination of the indebtedness level of Clients interested in personalized offers related to the bank's credit products or contracting these types of products (credit risk analysis), including through data processing in the Credit Bureau system. Details in specific information note from Privacy Hub;
the conclusion and execution of contracts for products/services offered to BT customers (such as, but not limited to: cards, deposits, loans, internet and mobile banking, BT Pay, SMS Alert); Details about the processing of personal data for certain BT products/services can be found in the specific information notes on Privacy Hub;
the conclusion and execution of contracts for occasional transactions, (see section C item 2 of the Privacy Policy when performing occasional transactions, even if you are also a regular BT client);
processing/settlement of bank transactions;
the establishment of garnishments, the recording of amounts garnished at the disposal of creditors, and the provision of responses regarding these to enforcement bodies and/or competent authorities, in accordance with the bank's legal obligations;
reports to the competent authorities, according to the bank's legal obligations (e.g., reports to the National Administration of Public Finances – A.N.A.F., the National Bank of Romania – B.N.R. - including to the National Office for the Prevention and Control of Money Laundering, the Credit Risk Center and the Payment Incidents Center within the B.N.R. etc);
carrying out analyses and keeping records of the bank's economic, financial and/or administrative management;
administration within internal departments of the services and products offered by the bank, as well as human resource management;
collection of receivables and recovery of claims;
the legal defense of the bank's rights and interests, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
taking measures/providing information or responses to requests/notifications/complaints of any kind addressed to the bank by any person, including authorities or institutions;
proof of requests/agreements/options regarding certain requested/discussed/agreed aspects within telephone calls initiated by Clients or by the bank, by recording the discussed aspects and, if applicable, the audio recording of telephone conversations or, if applicable, audio-video;
informing Clients about the products/services held at the bank, for the proper execution of the contractual relationship (carried out, as appropriate, by sending messages of general or particular interest addressed to Clients such as, but not limited to: sending account/card statements, transaction reports, notifications regarding the imposition of garnishments on accounts, notifications about unauthorized debts or arrears in installment payments, notifications about the approaching termination date of a certain product/service held, notifications about improvements or new facilities offered in connection with the product/service held, about changes in the general business conditions or in the general information note regarding the processing of personal data, about the need to update data, etc.);
the transmission of advertising messages/commercial communications to Clients who have expressed their consent for the processing of their personal data for this purpose;
evaluation/improvement of service quality (requesting/collecting Customers' opinions regarding the quality of services/products/BT employees);
financial education of Clients;
carrying out internal analyses (including statistical ones), both regarding products/services and regarding the portfolio and Client profile, carrying out market studies, analyses of Clients' opinions regarding the products/services/employees of the bank;
development and testing of BT products/services;
archiving in physical/electronic format of documents/information, including backup copies (back-up);
the provision of registry/secretarial services concerning correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
monitoring the security of BT persons/spaces/goods and visitors of BT units/equipment. Details about data processing for this purpose can be found in specific information note regarding video surveillance and in specific information note regarding visits to some BT offices from section Privacy Hub.
fraud prevention;

c. What personal data do we process from BT Clients

To BT clients, we process, as appropriate, the following categories of personal data:

identification data: last name, first name, pseudonym (if applicable), date and place of birth, personal numeric code (C.N.P.) or another unique similar identification element (e.g. CUI for authorized natural persons or CIF for natural persons practicing liberal professions), other details from the identity card/passport, as well as a copy of these documents, signature (handwritten or electronic), citizenship, home address, residence, as well as the address where the Client lives and its legal status;
contact details: phone number, e-mail and correspondence address, fax;
financial data (such as, but not limited to data about transactions, data regarding payment behavior, data about accounts and financial/banking products, held/conducted at BT or other financial institutions);
tax data (e.g. country of tax residence, tax identification number);
professional data (e.g. profession, occupation, position, name of the employer or nature of own activity, level of education, specialization, information about the public office held, if you are a politically exposed person (PEP), quality, holdings and, if applicable, representation powers held within legal entities);
information about the family situation (e.g. marital status, matrimonial regime, number of dependents, kinship relations, marriage, cohabitation);
information about the economic and financial situation (e.g. data on income, data regarding owned/possessed assets, source of wealth – if you are a PEP);
data about the requested/used BT products and services (e.g. information about the purpose and nature of the business relationship, the source/destination of funds used within the contractual relationship/transactions, the type of products/services, the contractual period, other details related to products/services, including, for credit products: product type, granting term, granting date, maturity date, amounts and credits granted, amounts owed, account status, account closing date, credit currency, payment frequency, amount paid, monthly rate, employer name and address, amounts owed, overdue amounts, number of overdue installments, overdue date, number of days delay in credit repayment. Data about credit products is processed both in the bank's records and - if applicable - in the records of the Credit Bureau and/or in other such records/systems);
the image (contained in identity documents or captured by video surveillance cameras, as well as the image within video recordings);
the voice during conversations and recordings of telephone or audio/video conversations (initiated by Clients or by the bank);
biometric data (e.g. facial recognition, used in remote identification processes through video means, within device unlocking methods where you have bank applications installed, if you have set methods such as facial recognition or fingerprint-based – in the latter case BT does not have access to the biometric data, but only relies on it to allow you to access/use certain BT applications);
age, for verifying eligibility to contract certain bank products/services/offers (e.g. credit products, products dedicated to minors, etc.);
opinions, expressed within notifications/complaints/conversations, including telephone ones, regarding products/services/bank employees;
identifiers allocated by BT or by other financial-banking or non-banking institutions, including, but not limited to: BT client code (BT CIF), references/identifiers of transactions, IBAN codes of bank accounts, debit/credit card numbers, contract numbers, identifiers allocated by the bank to Clients classified in the "non-residents" category, formed of a sequence of digits relating to the year, month, day of birth and the identification document number, whole or truncated, IP addresses, device identifiers (e.g. mobile phones) and operating system identifiers of the devices used for accessing mobile banking services/mobile payment applications;
data on the state of health, in case such information is provided to us within the documentation submitted to the bank, results from transactions or if their processing is necessary for proving by the Clients the difficult situation in which they or their family members are, especially for the purpose of granting facilities on credit products;
information relating to fraudulent or potentially fraudulent activity;
information regarding the location where certain transactions are performed (implicitly, in the case of operations at BT equipment belonging to Banca Transilvania);
any other personal data belonging to Clients, which are brought to our knowledge in various contexts by other Clients or by any other persons.

a. Who we process your data as an occasional BT Client / in what situations

“Occasional BT client” is a natural person who carries out at BT counters or through BT equipment transactions of the following types:

cash deposits into BT accounts for which they have no authority. Details in specific information note from Privacy Hub;
currency exchanges;
money transfers through Western Union (WU);
payment of amounts in cash to legal entities with which BT has concluded collection agreements for these amounts (e.g., utility providers);
cash withdrawals at the bank's counters of amounts owed to you by legal entities with which BT has concluded agreements for the distribution of amounts (e.g., for dividend payments);

We process your data as an occasional BT client whenever you make transactions of the type mentioned above, even if you are also a regular client of the bank.

b. The purposes for which we process data of occasional BT Clients

When you act in relation to BT as an occasional client, your data are processed, as the case may be, for the following purposes:

application of measures regarding customer due diligence for the prevention of money laundering and terrorist financing. Details in specific information note from Privacy Hub.
the conclusion and execution of the contract for occasional transactions (including processing/settlement of this transaction);
reports to the competent authorities, according to the bank's legal obligations (e.g. reports to the National Bank of Romania – N.B.R. – including to the National Office for the Prevention and Control of Money Laundering, the Credit Risk Center and the Payment Incidents Center within the N.B.R.);
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
administration within the internal departments of the services and products offered by the bank;
the legal defense of the bank's rights and interests, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
monitoring the security of BT persons/spaces/goods and visitors of BT units/equipment. Details about data processing for this purpose can be found in specific information note regarding video surveillance from Privacy Hub;
taking measures/providing information or responses to requests/notifications/complaints of any kind addressed to the bank by any person, including authorities or institutions;
conducting internal analyses (including statistical);
archiving in physical/electronic format of documents/information, including backup copies (back-up);
carrying out registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

c. What personal data do we process for occasional BT Clients

Occasional BT clients we process, as appropriate, the following categories of personal data:

identification data: surname, first name, personal numeric code (P.N.C.), series and number of identity document/passport, home address, citizenship and - in some cases provided by law - including a copy of the identity document/passport (usually for cash deposits, currency exchanges, money transfer services over a certain amount or those that show signs of suspicion), signature (handwritten or electronic);
financial data about the occasional transaction (e.g. the amount subject to the transaction, the currency, the payment recipient, explanations/details regarding the transaction, the reference/identifier of the transaction, implicitly information related to the location of carrying out certain transactions, in case of performing operations at BT units or equipment) and about the history of occasional transactions made at BT;
tax dates (e.g. country of residence);
contact details: phone number, e-mail address declared by cash depositors who are not BT Customers to be notified in case the transaction is canceled, and the phone number/e-mail address declared to the bank by occasional clients who are also BT Customers;
the image (from the identity document, if the bank has the obligation to make/retain a copy of it or, as the case may be, captured by video surveillance cameras);
other_personal data imposed by law, depending on the specifics of the transaction

a. Who is a natural person related to the applicant of a BT loan

There are individuals connected to the applicant of a BT credit/debtor who are included in the "Group of related clients" alongside the applicant, any of the individuals mentioned here: Information on group affiliation

b. The purposes for which we process the data of persons who are part of a BT debtor’s group

If you are such a person, we process your data for the following main purpose:

solvency assessment, credit risk reduction, determination of the indebtedness degree of Clients interested in personalized offers related to the bank's credit products or contracting these types of products (credit risk analysis);

When analyzing a credit application of an individual or legal entity applicant, BT also processes your data, as it has the legal obligation to establish and analyze its exposure to connected customer groups, as part of the credit risk analysis. Your data is necessary for the bank in order to be able to analyze the credit application of the applicant, and the refusal of the applicant (or you) to provide or to have the data processed may result in the bank being unable to analyze and/or approve the credit.

Also, a secondary purpose of processing your data is also that of:

reporting to the competent authorities, according to the bank's legal obligations;

As the declarant, the bank will report these exposures and the composition of the groups of debtor clients in connection to the N.B.R. – Credit Risk Center (if applicable).

Personal data belonging to you may be disclosed, respecting the need-to-know principle, also to entities within the BT Group and/or to service providers used by the bank in the process of analyzing the credit application. The retention period of your data is equal to the existence period of a group/groups of BT clients connected of which you are a part.

Other purposes related to the purposes indicated above, for which we process your data, are, as the case may be, the following:

confirmation/denial of your status as a BT Client;
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
administration within the internal departments of the services and products offered by the bank;
the legal defense of the bank's rights and interests, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
taking measures/ providing information or responses to requests/ notifications/ complaints of any kind addressed to the bank by any person, including authorities or institutions;
conducting internal analyses (including statistical);
archiving in physical/electronic format of documents/information, including backup copies (back-up);
performance of registry and secretarial services regarding correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

c. What personal data do we process about persons in the group of a BT debtor

identification data: name, first name, personal numeric code - P.N.C.;
professional data (e.g. the position, status, holdings in legal persons within the debtor's group);
depending on the case, other data found in the bank's records or publicly available, which need to be processed to fulfill the main purpose regarding the analysis of credit risk.

a. Who is the signatory/contact person on behalf of the contractual partners BT

The signatories are any of the following:

legal representatives or other persons designated by the contractual partners to sign the contracts concluded with the bank (regardless of whether the contractual partners are BT Clients or service providers, collaborators, suppliers of goods contracted by the bank);
legal representatives or other representatives of institutions/authorities who sign documents sent to the bank

Contact persons are any of the following:

persons designated by the contractual partner to maintain contact with the bank for negotiating/concluding/executing the contract, whether or not their data are mentioned in the contract;
persons designated as contact points by institutions/authorities sending various requests to the bank

b. The purposes for which we process the data of signatories/contact persons on behalf of BT contractual partners/institutions/authorities

If you are a signatory/contact person on behalf of any BT contractual partner or on behalf of an institution/authority, we process your data, as the case may be, for:

negotiating, concluding and properly executing the contract concluded between the bank and the contractual partner (usually this is your employer) or, as the case may be, to manage the requests addressed to the bank by the institution/authority where you carry out your professional activity;
reports to the competent institutions to receive them, in accordance with the legal provisions applicable to the bank;
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
the legal defense of the bank's rights and interests, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
taking measures/providing information or responses to requests/notifications/complaints of any kind addressed to the bank by any person, including authorities or institutions;
conducting internal analyses (including statistical);
archiving in physical/electronic format of documents/information, including backup copies (back-up);
carrying out registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
fraud prevention;

c. What personal data do we process from the signatories/contact persons on behalf of contractual partners/institutions/authorities

We generally process the following categories of personal data concerning you, as applicable:

For signatories:

identification data: name and surname, signature (handwritten or electronic);
professional data: position/professional quality, employer;

For contact persons:

identification data: last name and first name;
contact details: phone number, e-mail address (work);
professional data: position/professional quality, employer.

In Privacy Hubfind againinformation note specific for signatories/ contact persons acting on behalf of BT contractual partners.

a. Who is a BT shareholder/bondholder or a person whose data we process in connection with those of our shareholders/bondholders

BT Shareholder - you are a BT shareholder if you hold or have held as a natural or legal person shares issued by Banca Transilvania S.A.;
Bondholder BT- you are a bondholder BT if you hold, as a natural or legal person, bonds issued by Banca Transilvania S.A.;
Natural persons whose data we usually process in relation to those of BT shareholders/obligors - legal or conventional representatives of BT shareholders/obligors, persons who jointly own shares/bonds with BT shareholders/obligors, successors of BT shareholders/obligors.

b. The purposes for which we process the data of the shareholders/obligors of BT or of other persons in connection with those of the shareholders/obligors of BT

If you are a shareholder and/or a BT bondholder or a natural person whose data we process in relation to those of shareholders/bondholders, we will use your data, as appropriate, for the following purposes:

identity verification, for the purpose of confirming/refuting the status of shareholder/bondholder of the bank, another status related to BT shareholders/bondholders;
fulfillment of specific legal obligations and activities arising from the quality of BT issuer (e.g. organization of G.S.M., shareholder services, specific communications for investors);
the establishment of garnishments, the recording of amounts garnished at the disposal of creditors, and the provision of responses regarding these to enforcement bodies and/or competent authorities, in accordance with the bank's legal obligations;
reports to the competent institutions to receive them, in accordance with the legal provisions applicable to the bank;
performing analyses and keeping records of the bank's economic, financial, and/or administrative management;
the legal defense of the bank's rights and interests, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
taking measures/ providing information or responses to requests/ notifications/ complaints of any kind addressed to the bank by any person, including authorities or institutions;
proof of requests/ agreements/ options regarding certain requested/ discussed/ agreed aspects, including within phone calls initiated by you or by the bank, by recording the discussed aspects and, if applicable, audio recording of phone conversations or, if applicable, audio video;
conducting internal analyses (including statistical);
archiving in physical/electronic format of documents/information, including backup copies (back-up);
carrying out registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

c. What personal data do we process of BT shareholders/bondholders/other persons in connection with their data

In your capacity as a BT shareholder and/or bondholder, or another person connected with them, we usually process the following categories of personal data about you:

identification data: name, first name, C.N.P. or other unique identification element, series and number of identity document / passport, citizenship, postal address and, if applicable, copy of the identity document (for identifying shareholders in case of requests for shareholder or bondholder certificate or history of shares/bonds held at BT), signature (handwritten or electronic);
tax dates: country of tax residence, tax identification number);
information about the economic and financial situation, relating to owned assets: number of BT shares and/or bonds, including the history of ownership of these assets;
professional data: the quality, holdings and, if applicable, the powers of representation held within legal entities;
contact details: phone number, email address, postal address.

a. Who is a visitor of BT units and/or user/visitor of BT equipment

Visitor of BT units - any natural person who visits the bank's units (including its administrative buildings), regardless of whether or not they carry out banking operations;
BT equipment user/visitor - any natural person who uses these devices or stands in front of them (ATMs, BT Express, BT Express Plus etc.), regardless of where they are located, regardless of whether the user is a BT Client, occasional BT Client, or a third party, regardless of whether they initiate/carry out banking operations through BT equipment or not.

b. The purposes for which we process the data of visitors to BT units and/or users/ visitors of BT equipment

We process your data, as applicable, for:

monitoring the security of BT persons/spaces/goods and those of visitors to BT units/equipment;
processing/settlement of transactions ordered at BT equipment;
identity verification, as appropriate, if necessary for identifying you at the request of the competent authorities or when the bank has a legitimate interest;
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
conducting internal analyses (including statistical);
archiving in physical/electronic format of documents/information, including backup copies (back-up);
the legal defense of the bank's rights and interests, the settlement of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
ensuring the security of the IT systems used by BT and the physical spaces in which the bank carries out its activity;
prevention of fraud.

Information about the processing of personal data through our video surveillance system or to allow you access to some bank premises can also be found within certain pictograms and/or specific information notes displayed at the entrance of the bank units and respectively on BT equipment. At the same time, you can find details in specific information note regarding video surveillance and in specific information note regarding visits to some BT offices from section Privacy Hub.

c. What personal data do we process of visitors to the units and/or users/visitors of BT equipment

If you visit the bank's units (including its administrative buildings) and/or use/stand in front of the BT equipment, we process the following data, as applicable:

the image, as it is captured by the video surveillance cameras;
any data necessary for processing transactions ordered through BT equipment or for other related purposes mentioned above (e.g. time spent in BT units/at BT equipment).

At the same time, in accordance with the legal obligations we have, to allow you access to some premises where the bank operates, the security staff will identify you based on an identity document and some identification data: first and last name, the series and number of the identity card/passport will be recorded and kept, usually for 2 years.

a. Who is a visitor of BT's websites/social media pages

Any natural person who accesses any of the websites in the BT portfolio and/or its social media pages is a visitor of BT websites/social media pages. The websites in the BT portfolio are https://bancatransilvania.ro/ and those found here: https://www.bancatransilvania.ro/site-uri-bt.pdf (“BT websites”).

Our social media pages are: Facebook, Instagram, Twitter, TikTok, YouTube , LinkedIn ("the BT social media pages").

b. The purposes for which we process the data of visitors to BT websites/social media pages

Through cookies or other similar technologies, we process your data whenever you visit a BT website for the purposes described in detail within the cookie policies of each of the websites in our portfolio and briefly within the cookie banners and settings centers.

For the website https://bancatransilvania.ro/, The cookie policy can be found in the footer of the website or by accessing the following link: https://www.bancatransilvania.ro/cookie-use-policy .

If you fill in data on BT websites in forms for complaints/requests/claims, applications for bank products/services/campaigns, subscriptions to newsletters from various fields, we process the data entered in these forms, as appropriate, for:

taking measures/ providing information or responses to requests/ notifications/ complaints of any kind addressed to the bank by any person, including authorities or institutions;
proof of requests/agreements/options regarding certain requested/agreed aspects;
evaluation/ improvement of service quality (requesting/ collecting your opinion regarding the quality of services/ products/ BT employees);
conducting internal analyses (including statistical);
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
archiving in physical/electronic format of documents/information, including backup copies (back-up);
carrying out registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT;
prevention of fraud.

Please note that subscribing or unsubscribing any e-mail address you enter in forms/fields of the type/named "newsletter", available on BT websites to receive information from various areas of interest, is managed through the respective online forms (subscription) and respectively through unsubscribe links in the emails received following the subscription (unsubscription).

c. What personal data do we process from visitors of BT websites/social media pages

If you visit a BT website we will process the following categories of personal data:

data processed through cookies;
IP address;
data on the device used to access the website (e.g. if you access the website from a laptop, computer or phone and, in the latter case, the type of phone operating system);

Additionally, when you fill in data on BT websites, we collect, as appropriate:

identification data: last name, first name, and, in some cases, with the consent of the data subjects, the personal numerical code (P.N.C.);
contact details: email address, phone number, postal address.

Before accessing our social media pages, we recommend you read Data Protection Guide in Social Media from section Privacy Hub.

If you insert comments, images, opinions and/or reactions on BT's social media pages, we will generally process:

the username on the respective social media platform and the profile picture;
the posted opinions/reactions;
inserted images.

In some cases – usually when you participate in various contests/campaigns or insert comments in which you notice/complain about certain aspects related to our activity - it is possible that we will ask you for additional information in order to identify/verify the reported/complained situation, so that we can provide you with a response. Usually, we ask you for:

details about the reported/complained situation;
identification data: usually last name, first name;
identifiers (e.g. BT client code - BT CIF -, IBAN);
contact details (e.g. e-mail address, phone number).

To protect your data, please do not insert it into public posts on BT's social media pages. If we notice that you have inserted data in public posts, we reserve the right to delete them.

Also, if you insert pictures with your image or that of other people or if you tag other people in comments on BT's social media pages or send them to us in private messages, by posting/tagging you express your consent for the bank to use them.

Please keep in mind that any data you enter on BT social media pages is accessible to social media platform providers and is subject to their privacy policy provisions. BT does not have control over the data processing carried out by social media platform providers for their own purposes and assumes no liability regarding such processing.

We draw your attention to the fact that BT websites/BT social media pages may contain links to websites/social media pages managed by other operators, who have their own privacy policy/personal data processing policy. If you access these websites/social media pages or complete personal data on any of them, the processing of your data is subject to the privacy policy/personal data processing policy of those websites/social media pages, which we recommend you read. BT assumes no responsibility regarding the processing of your data on websites/social media pages that are not controlled by the bank.

a. Who is a BT prospect

You are a BT prospect if you are not a BT client and you have requested the bank, through BT websites or contractual partners, information about BT products/services or you have scheduled online at BT units.

Details about the processing of personal data for online appointments at BT can be found in specific information note from section Privacy Hub.

b. The purposes for which we process BT prospects' data

If you are a BT prospect, we process your data, as applicable, for the following purposes:

identity verification;
taking measures/ providing information or responses to requests/ notifications/ complaints of any kind addressed to the bank by any person, including authorities or institutions;
proof of requests/ agreements/ options regarding certain requested/ discussed/ agreed aspects, including within phone calls initiated by you or by the bank, by recording the discussed aspects and, if applicable, audio recording of phone conversations or, if applicable, audio video;
conducting internal analyses (including statistical);
carrying out risk checks on the bank's procedures and processes, as well as performing audit or investigation activities;
archiving in physical/electronic format of documents/information, including backup copies (back-up);
carrying out registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT;
fraud prevention;

c. What personal data do we process from BT prospects

If you are a BT prospect, we will process you, as applicable:

identification data: last name, first name, and, in some cases, only with your consent or if we justify a legitimate interest, personal numeric code (P.N.C.);
contact details: email address, phone number
voice (if you request information by phone).

a. Who is a BT candidate

You are a candidate for available positions at BT or for internships organized by BT if you have sent us / we have received from other persons your CV to be used for recruitment purposes or if you have informed us in any other way that you are interested in filling BT positions / participating in BT internships.

b. The purposes for which we process BT candidates' data

We process your data, as applicable, for:

recruitment;
taking measures/ providing information or responses to requests/ notifications/ complaints of any kind addressed to the bank by any person, including authorities or institutions;
proof of requests/ agreements/ options regarding certain requested/ discussed/ agreed aspects, including within phone calls initiated by you or the bank, by recording the discussed aspects and, as applicable, audio recording of phone calls or, as applicable, audio-video;
conducting internal analyses (including statistical);
performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
archiving in physical/electronic format of documents/information, including backup copies (back-up);
carrying out registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT;
prevention of fraud.

In case you apply only for a certain position/internship at BT, we will process your data only within the recruitment process for that position/internship and we will delete or anonymize them at its completion. If, on the other hand, you choose to be contacted in general for job vacancies/internships carried out at BT, we will keep your data and use them for recruitment purposes for a period of 1 year, a term which can be extended if you express your agreement.

In the recruitment process, if we need references from previous employers or teachers, we will request your consent to obtain these references on your behalf. If you do not give your consent in this regard, you will need to obtain these references and provide them to us if you wish to continue the recruitment process.

c. What personal data of BT candidates do we process

We usually process the following categories of personal data of BT candidates:

identification data: last name, first name;
age, for checking your eligibility to become an employee or, as the case may be, to participate in certain BT internships;
contact details - e-mail address and/or phone number;
professional data (e.g. profession, occupation, previous employers, information about studies, experience and professional training, references from previous employers/teaching staff);
any other relevant data from the CV.

For the case in which you have already been selected to occupy a BT position, we process your data for the purpose of presenting the job offer and, if you accept it, to complete the necessary procedures for employment as you are informed in detail through specific information note from Privacy Hub.

a. Who we are/when we process your data as a BT petitioner

You are a BT petitioner if you address the bank with any request/notification/complaint ("petition"), through any channel, regardless of whether you are a BT client, an occasional BT client, or if you belong to any other category of targeted persons.

b. The purposes for which we process the data of BT petitioners

Depending on the situation and the specific status you have in relation to the bank, when you send us a request, we process your personal data for the following purposes:

identity verification, including for the purpose of confirming/refuting the status of BT Client;
taking measures/ providing information or responses to requests/ notifications/ complaints of any kind addressed to the bank by any person, including authorities or institutions;
evidencing requests/ agreements/ options regarding certain requested/ discussed/ agreed aspects within the telephone calls initiated by you or by the bank, through the recording of the discussed aspects and, where applicable, the audio recording of telephone conversations;
evaluation/ improvement of service quality (requesting/ collecting the opinion of BT petitioners regarding the quality of the responses provided to petitions);
performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
conducting internal analyses (including statistical);
reports to the competent authorities, according to the bank's legal obligations;
administration within internal departments of the services and products offered by the bank, as well as human resource management;
archiving in physical/electronic format of documents/information, including backup copies (back-up);
carrying out registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it;
ensuring the security of the IT systems used by BT;
prevention of fraud.

c. What personal data do we process from BT petitioners

To register, confirm receipt, analyze, formulate and send a response to any petitions you address to us, we process, as appropriate, the following categories of personal data:

identification data: name, surname and other data in this category that you provide us or personal data necessary for processing to identify you, to identify and verify the situation regarding which you send us the petition, to formulate the response to the petition, to prevent the disclosure of confidential information (including personal data) to recipients who are not entitled to receive it;
contact details: postal address, e-mail address, phone number.

Please note that, in case you are a BT Client and send us a petition using contact details that you have not declared to the bank, if we cannot confirm beyond any doubt that the petition was transmitted to us by you, in order to protect the data that needs to be included in the response to the petition, we reserve the right to send you this response to the contact details you have declared to the bank;

the voice, within conversations and recordings of telephone conversations (initiated by the BT petitioners or by the bank);
as appropriate, any other information of which the bank is aware and which is necessary for handling complaints.

a. Who is/when do we process your data as a third party BT

We process your data as a third party BT (even if you have other statuses mentioned in this Policy) when you are a natural person in situations such as those shown by way of example below:

you are a client of another bank/financial institution and you make a transfer to a BT account from the account you hold at the other bank;
you are a client of another bank/financial institution and a BT client initiates a transfer to your account at that bank. In this case, based on some payment schemes to which BT may adhere, we find out your name and the initial of your first name as they appear in the records of the other bank, even if the BT client enters a different name associated with the IBAN code when initiating the transfer to your account at another bank;
make online payments with cards issued by other banks/financial institutions on websites that use payment solutions provided by BT. We process your data according to the rules of international payment organizations;
dates concerning you are mentioned in the details/explanations of the payment in a payment order submitted/transmitted/received at BT– filling in the fields related to the explanations/details of a payment is mandatory according to the legal provisions in the field of payment services;
a BT client submits to the bank supporting documents for transactions or constitutive acts for BT Clients legal entities and your data are found in these;
a BT loan applicant must provide us with the sale-purchase contract of the property for which they are applying for the loan or which they bring as collateral, and your data appears in that contract or the loan applicant submits an extract from the land register of the property in which your data also appears;
BT clients use open banking services and integrate into BT applications transactions from other financial institutions in which your data is also found;
use cards issued by other banks/financial institutions at BT equipment (ATMs, BT Express, BT Express Plus), including when they are captured and need to be returned to you;
we receive requests from various individuals, including institutions/authorities, notaries, lawyers, judicial executors, in which your data is mentioned;
are you authorized persons (other than empowered or delegated on accounts) to order/initiate on behalf of a BT Client operations – banking or non-banking – through the channels offered by BT (e.g. telephone payment instructions);
a BT employee provides us with data concerning you because you are a family member under their care or the BT employee benefits from leave/free days based on the relationship they have with you (e.g. days off for marriage, child-rearing leave, medical leave for children etc) or to provide you with benefits offered to the family members of BT employees;
we collect data concerning you in the process of preventing and managing conflicts of interest – either from BT employees within their declaration regarding conflicts of interest, or following the checks we carry out – and we collect your data because you are related to a BT employee (e.g. you are a relative, husband, wife, life partner, business partner with the employee or with close family members of the latter, etc.);
participants at various events, press conferences, social responsibility actions, etc. organized by the bank;
your data are mentioned on various documents submitted to BT in different situations (e.g. certificates or documents of any kind containing personal data of the signatories or, as the case may be, of other persons mentioned in the content of the documents). We will process these data considering the need to keep these documents, even if it is possible that we do not need to process them in any other way than their storage;
your personal data is provided to us by any other person with whom we interact or comes into our possession in any other way.

b. The purposes for which we process third-party BT data

We process your data as BT third party according to the purpose for which it is necessary in our relationship with the person who provided it to us, as well as, where appropriate, for the following related purposes:

management of labor relations with BT employees, as appropriate;
performing risk checks on the bank's procedures and processes, as well as conducting audit or investigation activities, including for the prevention and management of conflicts of interest;
conducting internal analyses (including statistical);
archiving in physical/electronic format of documents/information, including backup copies (back-up);
providing registry and secretarial services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT;
prevention of fraud.

c. What personal data do we process for BT third parties

The most common categories of data that we process as a third party BT are, as appropriate, those presented by way of example in the following lines:

identification data: last name, first name, personal numeric code (P.N.C.), signature (handwritten or electronic);
the relationship between you and the person who provided us with your data;
function held within a legal entity;
any other data made available to us by any person with whom we interact in the course of our activity.

a. Who are the persons who express/have expressed options regarding the processing of their data for advertising purposes (as applicable, consent or refusal)

Currently, the following categories of data subjects who have expressed their consent to BT for the processing of their personal data for advertising purposes are considered to be:

natural persons of legal age - BT clients or non-clients (occasional BT clients or any other person) - who have expressed their choices regarding the processing of their data for advertising purposes (as applicable, consent/agreement or refusal) – hereinafter referred to as "marketing options" on BT's dedicated form, starting from 12.03.2018.

The expression of consent for the processing of your data for advertising purposes is optional. We guarantee that the refusal of any person to express this consent does not affect their right to become or remain a BT Client. Also, this consent can be withdrawn at any time. In this case, we will no longer contact you for advertising purposes.

BT clients can find the form for expressing marketing preferences at any BT unit, in NeoBT, as well as by accessing the online form available on the bank's website , in the section Privacy Hub. This form can be used for the initial expression of marketing options, for modifying previously expressed options or for withdrawing the marketing consent.

If you are a BT Client, please note that any option expressed through this form, including the withdrawal of consent to be contacted for advertising purposes:

- nu se referă la și nu afectează mesajele de interes general sau de interes particular pentru Clienți, care sunt transmise de BT în baza intereselor sale legitime de derulare în bune condiții a relației de afaceri sau în baza obligațiilor sale legale;

- not applicable to and do not affect commercial notifications/messages sent within BT's mobile applications, which have their own marketing options management system, available in the sections dedicated to settings or privacy;

Non-clients can find the form dedicated to expressing marketing options at any BT branch. The consent of non-clients to be contacted for advertising purposes can be withdrawn both at bank branches and online, by completing the form for withdrawing the marketing consent of non-clients, available in Privacy Hub.

We draw attention that, regardless of whether you are a BT client or non-client, any option expressed through the aforementioned BT forms, including the withdrawal of consent to be contacted for advertising purposes:

- does not influence the subscription/unsubscription of any e-mail address entered by you in forms available on BT websites to receive information from various areas of interest. Subscription to the respective newsletters is done through the respective online forms and the unsubscription can be managed by following the unsubscribe link in the content of the messages received after subscribing.

b. The purposes for which we process the data of persons who express marketing preferences (as applicable, consent or refusal)

If you give your consent for data processing for advertising purposes, we will process them as follows:

transmission of advertising messages*, according to the expressed consent (advertising/marketing purpose);
identity verification of persons, for the purpose of confirming/disproving their status as BT Client;
proving requests/agreements/options regarding aspects related to advertising options, by recording the discussed aspects and, if applicable, audio recording of telephone conversations (initiated by the bank or by you);
conducting internal analyses (including statistical);
archiving in physical/electronic format of documents/information, including backup copies (back-up);
ensuring the security of the IT systems used by BT;
prevention of fraud.

If you have expressed your refusal to have your data processed for advertising purposes, we will process your data for all the above purposes, except for the one relating to *sending advertising messages.

c. What personal data do we process from individuals who express marketing preferences

The data processed by BT for the purpose of sending advertising messages are usually:

identification data: last name, first name;
contact details: phone number, email or postal address
only in the case of BT Customers: other information that we find out about them when they use BT services/products, in order to send them personalized advertising messages.

If you refuse to have your data processed for advertising purposes, we process your identity and contact data and, if you are a BT customer and the customer code – BT CIF – only to mark and respect your option.

D. What are the sources from which BT collects personal data

As a rule, the personal data we process are collected directly from the data subjects (e.g. when they become BT Clients, update their data at the bank, make transactions, visit or fill out forms on BT websites etc.).

However, there are situations when data is collected from other sources, from:

other BT Clients (e.g. the authorization of other Clients on their accounts opened with the bank, contracting some products/services of the bank by a Client on behalf of another Client who has authorized them in this regard, contracting by employers who are legal entity Clients of BT of some products/services of the bank for/on behalf of their employees - meal vouchers, collection of salary incomes in accounts opened at BT, guarantee management accounts etc);
persons who are not BT clients (e.g. persons who deposit cash amounts into BT Clients' accounts, persons who send petitions complaining that they use data declared at the bank by BT Clients);
authorities or public institutions (e.g. General Directorate for Persons' Records, courts, prosecutor's offices, police, bailiffs, N.B.R., N.C.P.A., N.S.P.D.C.P., etc.), notaries, lawyers;
institutions involved in the field of payment services (e.g. Transfond, S.W.I.F.T, international payment organizations etc);
other_credit_institutions_with_which_Banca_Transilvania_S.A._merged_(Volksbank_Romania_S.A._and_Bancpost_S.A.)_or_from_which_some_contracts_were_assigned_(Idea::Bank);
other banks/financial institutions, including partner banks and correspondent banks or banks/financial institutions participating in syndicated loans;
other Legal Entities of the BT Financial Group, for determined and legitimate purposes, generally for the proper conduct of financial/economic activity and for fulfilling the legal requirements related to the consolidated supervision of the BT Group;
public sources, such as but not limited to: National Office of the Trade Register (O.N.R.C.), National Register of Mobile Publicity (R.N.P.M.), Office of Cadastre and Real Estate Publicity (O.C.P.I.), court portals (portaljust), Official Gazette, social media, internet etc.;
records of the type of the Credit Bureau, the Credit Risk Central within the N.B.R., in case there is a legal basis and a determined and legitimate purpose for consulting them;
database providers (e.g. entities authorized to manage databases with persons accused of financing acts of terrorism, publicly exposed persons, providers who aggregate and redistribute data collected from public sources etc);
contractual partners of the bank from various fields (e.g. evaluation companies, insurance companies, pension and investment fund management companies);
debt collection/recovery companies (e.g. we can find out the new contact details of Clients from companies that support us in debt recovery activities);
Central Depository S.A., Bucharest Stock Exchange (B.V.B) in the case of the bank shareholders' data;

E. On what legal grounds does BT process personal data and what happens if you refuse their processing

The legal grounds on which BT processes personal data are, as the case may be:

the bank's legal obligation (when data processing is necessary to fulfill a legal obligation of the bank);
conclusion/performance of contracts (processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract);
the legitimate interest of the bank and/or of some third parties;
the necessity of processing data to fulfill a task that serves a public interest (e.g. applying measures for customer knowledge to prevent money laundering and terrorist financing);
the consent of the data subject.

When legal provisions require us to process certain data in a certain situation or if your data is necessary for the conclusion or execution of contracts for BT products/services/occasional transactions, if you refuse to process them, you will not be able to become/remain BT clients or we will not be able to process the transactions you request from us.

If we process your data based on our legitimate interest or that of third parties, you can object to such processing for reasons related to your particular situation (e.g., if you are a BT Client and do not want to receive general interest messages or messages asking you to evaluate the quality of our services/products, we will accommodate your request without affecting the business relationship you have with BT). In some cases, our legitimate interest or that of third parties may override yours, and we will not be able to accommodate the request by which you object to the processing (e.g., data processing in the Credit Bureau system, if there are no other reasons to accommodate the objection request).

If we process your data based on your consent/agreement, you have the right to withdraw this agreement at any time. However, withdrawal will not affect the previous processing of your data (e.g. we process your data based on consent for advertising/marketing purposes and you have the right to withdraw this agreement. Withdrawal of marketing consent does not affect your right to become or remain a BT client; data processing via some cookies is based on your consent. If you do not express your agreement to the placement of these cookies, you can use BT websites without any negative consequences for you).

F. To whom can we disclose/transfer the personal data we process

Personal data processed by us may sometimes be disclosed/transferred by BT in accordance with GDPR principles, based on the applicable legal grounds depending on the situation and only under conditions that ensure their full confidentiality and security.

We commit to respecting human fundamental rights and freedoms in the case of such disclosures, especially the right to the protection of personal data and the right to privacy, and to periodically evaluate our activity in this field, to ensure that these rights are always respected.

Find below within this section (* -> ***) details about legal provisions that require us to report/communicate personal data concerning you to certain authorities.

Also, when public authorities/institutions request us to provide personal data, we undertake that these will be disclosed only if we have a legal obligation or a legitimate interest, only based on clear internal procedures and only with the approval of individuals in leadership positions.

We will provide the authorities only with the strictly necessary data and if it is proven that we have made such disclosures of personal data in violation of human rights, we commit to compensate for the damage caused to the data subjects.

The categories of recipients to whom we may disclose personal data, as appropriate, are:

other Clients who have the right and the need to know them;
other entities within the BT Financial Group;
companies involved in payment processing (e.g., Transfond S.A., payment processors);
financial-banking entities (e.g. participants in payment and interbank communication schemes/systems such as S.W.I.F.T., S.E.P.A., ReGIS, partner banks and correspondent banks, banks or financial institutions participating in syndicated loans);
international payment organizations (e.g. Visa, Mastercard);
contractual partners (service providers) used in BT's activity, such as, but not limited to providers/suppliers of: digital certificate issuance services (for the application of qualified/extended electronic signature), collection services for overdue debts/claims, IT services (maintenance, implementation, support, cloud), archiving services in physical and/or electronic format, courier services, audit services, card-related services, market research/study services, e-mail/SMS/telephony transmission services, marketing services, other services provided by suppliers to whom BT has outsourced certain financial-banking services, etc);
insurance companies;
real estate appraisal companies;
management companies of pension and investment funds;
guarantee companies (funds) for various types of credit/deposit products (e.g. F.N.G.C.I.M.M., F.G.D.B. etc.);
partners of the bank from various fields, whose products/services/events we can promote to BT Customers based on their consent. The updated list of the bank's partners can be found here: https://www.bancatransilvania.ro/partners;
social media platform providers;
assignees;
authorities and national public institutions, such as, but not limited to: the National Bank of Romania (N.B.R.), the National Agency for Fiscal Administration (N.A.F.A.)*, the Ministry of Justice, the Ministry of Internal Affairs (M.I.A.), the National Office for the Prevention and Control of Money Laundering (N.O.P.C.M.L.)**, the National Agency for Cadastre and Real Estate Advertising (N.A.C.R.E.A.), the National Register of Movable Publicity (N.R.M.P.), the Financial Supervisory Authority (F.S.A), including, where applicable, their territorial units;
banking institutions or state authorities, including those outside the European Economic Area - in the case of international S.W.I.F.T. transfers or as a result of processing carried out for the purpose of applying F.A.T.C.A. and C.R.S. legislation;
notaries public, lawyers, judicial executors;
Credit Risk Center***;
Credit Bureau and Participants in the Credit Bureau system****;

* disclosure of personal data to A.N.A.F.

According to the provisions of the Fiscal Procedure Code (Law no. 207/2015), in its capacity as a credit institution, BT has the legal obligation to:

1.Communicate daily to A.N.A.F.:

- the list of holders individuals, legal entities or other entities without legal personality who open or close bank or payment accounts at BT, persons who hold the signing right for the opened accounts, persons claiming to act on behalf of the client, beneficial owners of the account holders, together with the identification data provided in art. 15 para. (1) of Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for amending and supplementing some normative acts, with subsequent amendments and completions, or with the unique identification numbers assigned to each person/entity, as appropriate, as well as with information regarding the IBAN number and the opening and closing date for each individual account.

- the list of persons who have rented safe deposit boxes, accompanied by the identification data provided in art. 15 para. (1) of Law no. 129/2019, with subsequent amendments and completions, or by the unique identification numbers assigned to each person/entity, as appropriate, together with the data concerning the termination of rental contracts.

2. Communicate, at the request of A.N.A.F., for each holder who is the subject of the request, all turnovers and/or balances of the accounts opened at the bank, as well as the information and documents regarding the operations carried out through these accounts.

3. Transmit to A.N.A.F. - on the occasion of the request to open a bank account or rent a safe deposit box - the request for the assignment of the tax identification number/tax registration code, for non-resident natural persons who do not have it. The request sent by BT to A.N.A.F. will include the following data of the non-resident: last name, first name, date and place of birth, gender, home address, data and copy of the identity document, tax identification code from the country of residence (if any). BT may also send to A.N.A.F. supporting documents of the information completed within the request. Based on the data transmitted, the Ministry of Finance assigns the tax identification number or, as the case may be, the tax registration code, registers the respective person for tax purposes and communicates the information regarding the tax registration to BT.

** O.N.P.C.S.B. - In the event that the conditions are met for BT to transmit personal data to the National Office for the Prevention and Control of Money Laundering, according to the legislation for the prevention and combatting of money laundering and terrorist financing, these data are also transmitted simultaneously and in the same format to A.N.A.F.

*** C.R.C. - The Bank has the legal obligation to report to the Credit Risk Center (C.R.C) within the National Bank of Romania (B.N.R.) the credit risk information for each debtor who meets the condition to be reported (includes identification data of an individual debtor and operations in lei and foreign currency through which the Bank is exposed to risk towards that debtor), as well as to have recorded an individual risk towards this debtor, as well as information about card frauds detected.

**** Credit Bureau S.A./participants in the Credit Bureau system - The bank has the legitimate interest to report in the Credit Bureau System, to which other Participants also have access (mainly credit institutions and non-banking financial institutions, as associated operators of the bank and of the Credit Bureau) the personal data of Clients who have contracted loans, as well as of Clients who have delays in loan payment of at least 30 days, under certain conditions. The data is disclosed to these recipients also in the case of inquiries to this system, made by the bank during the process of analyzing an application or loan request.

G. Transfers of personal data to third countries or international organizations

Some of the contractual partners who provide us with services necessary for the proper conduct of our activity and/or their subcontractors are not located in the territory of the European Union (EU) or the European Economic Area (EEA), but in other countries (“third countries”).

When these partners/their subcontractors or international organizations may have access to the personal data that we process, we will only allow the transfer of data when it is strictly necessary and only based on adequacy decisions or, in the absence of these decisions, based on appropriate guarantees provided by the GDPR.

To ensure that these transfers respect human rights, especially the right to appropriate protection of personal data wherever it is processed, we commit ourselves - both before allowing the transfer of data to third countries or international organizations, and throughout the entire period during which the transfer takes place, including when there are changes to the initially considered circumstances - to analyze whether there are risks to the rights and freedoms of the data subjects and to manage them appropriately, including by taking any necessary additional measures, so that the data benefits from the same level of protection as it would within the E.U./E.E.A.

The European Commission may decide that some third countries, some territories or some sectors in a third country ensure an adequate level of protection for personal data. The European Commission has issued adequacy decisions for the following third countries/sectors: Andorra, Argentina, Canada (only commercial companies), Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Uruguay, Japan, the United Kingdom of Great Britain, South Korea. To these countries/sectors (to the extent that a contrary decision is not issued regarding any of them), as well as to other countries that the Commission will recognize in the future as having an adequate level of protection, transfers of personal data do not require special authorizations and are assimilated to disclosures of personal data to recipients from the EU/EEA. The updated list of third countries for which an adequacy decision has been issued is the one mentioned on the European Commission website.

To any other third country or international organization, we will carry out transfers of personal data only on the basis of appropriate guarantees permitted by the GDPR, usually those consisting of Standard Contractual Clauses approved by the European Commission which you can find here and, if these guarantees are not sufficient, we will take additional measures for the proper protection of the data.

By way of exception, if BT Clients or occasional BT Clients order transactions through the bank to beneficiaries located in third countries that have not been recognized as having an adequate level of personal data protection, the transfer of data to those respective countries is based on the provisions of the GDPR according to which: the transfer that is necessary for the execution of a contract between the bank and the Client or for the application of pre-contractual measures taken at the Client's request or, as the case may be, the transfer that is necessary for concluding a contract or for executing a contract concluded in the interest of the data subject.

H. Automated decision-making processes, including profiling

In some circumstances, only in compliance with the GDPR provisions, automated decision-making processes are used within BT activities, including as a result of profiling.

These are decisions made by the bank based on automated processing of personal data, with or without human intervention, and which may produce legal effects and/or may affect the data subjects similarly, to a significant extent.

Similar situations are the following:

for the application of customer knowledge measures for the purpose of preventing and combating money laundering and terrorist financing (including for the implementation of international sanctions), in accordance with our legal obligation, we will carry out checks in databases with persons accused of financing acts of terrorism, in international sanctions lists or in warning lists regarding persons with a high risk of fraud. If the persons concerned are found in these records, the bank reserves the right to refuse to enter into a business relationship with them or to terminate the contractual relationship or, as appropriate, to refuse to process the occasional transaction they have initiated;
to protect BT Customers and Occasional Customers against fraud, as well as for the bank to adequately fulfill its customer due diligence obligations, it monitors their transactions and, if it identifies suspicious operations (such as unusual payments in terms of frequency, value, including compared to the declared source of funds or the purpose and nature of the business relationship, transactions initiated from different localities at short intervals of time, which did not allow travel between those locations, transactions whose details raise suspicions of money laundering or financing of terrorism, attempts to use BT cards on suspicious websites), it may adopt measures to block transactions, cards, accounts, making these decisions solely on an automated basis;
according to legal provisions, the granting of lending products is conditioned by the existence of a certain level of indebtedness of the applicants. In determining the eligibility to contract a lending product related to the level of indebtedness, it will be determined based on automatic criteria, starting from the level of income and expenses recorded by the applicant;
in order to objectively verify the fulfillment of eligibility conditions for pre-offering and, as the case may be, analyzing a credit application of an applicant – natural or legal person – in most cases a bank scoring application will be used which will analyze data filled in the credit application, information resulting from verifications carried out in the bank's own records and/or those of Credit Bureau S.A. and will issue a score that determines the credit risk and the probability of timely repayment of future installments. To the issued score is added the result of other checks on the applicant's situation, which will be analyzed by the bank employees to establish whether the eligibility conditions set by internal regulations are met. However, the final decision to approve or reject the credit application is based on the analysis performed by the Bank's employees (human intervention). An exception to human intervention is made when you apply for credit products exclusively online. In these cases, we will make the decision to grant the credit or, as the case may be, to reject this application based solely on automatic data processing. The decision-making by such means is necessary in order to quickly analyze the application and conclude the credit agreement. However, you are guaranteed the right to request human intervention, meaning the analysis of the credit application by a bank employee, to express your point of view, and to contest the exclusively automatic decision;
for confirming your identity, in the case of opening a remote business relationship, in the case of updating data through online means or for remote identification through video means, certain information of your face (taken from static or video images) is compared with the identity photo and, if you are already a BT Client, the information extracted based on your face and identity document is confronted with what we already have in the bank's records. Also, within these online processes, your access to the phone number and email address is verified and these are compared with those already declared at BT (if you are a BT Client). If, following these automated processes, we identify discrepancies, we will carry out checks through our employees and, where appropriate, we will ask you to repeat the enrollment/update/identification process at a BT unit;
in the case of BT Clients who have expressed their consent on the dedicated form for data processing for advertising purposes, we will create a profile of them based on certain criteria (e.g. transaction data, age, locality, income range), which we will study automatically to form an opinion about the advertising messages that would be relevant to them. In some cases, this profile will only result in promoting a certain product/service to people who meet the profile conditions. In other cases, it will cause only those who meet the profile criteria to be able to contract/benefit from certain promotional offers. Other Clients may, however, benefit from products/services under standard conditions.

I. For how long do we keep personal data

1. Retention period for BT Clients' data and BT Occasional Clients' data

According to the legal obligation we have, the personal data we process for the application of client knowledge measures for the prevention of money laundering and terrorism financing, together with all records obtained through the application of these measures, such as monitoring and verifications carried out by the bank, supporting documents and transaction records, including the results of any analysis performed related to the client, which determine the client's risk profile, must be kept for 5 years after the termination of the business relationship to the Client account holder with the bank or, as the case may be, from the date of the occasional transaction. We are obligated to keep these data for the indicated period and also in the case where the request to open a business relationship of the Client with the bank is rejected or the Client renounces it or, as the case may be, if the occasional transaction could not be processed or was abandoned. In this case, the retention period of 5 years will be calculated from the date of the rejection of the request or the Client's renunciation, respectively from the date of the occasional transaction.

At the request of the competent authorities, the initial legal period of 5 years mentioned above can be extended, up to a maximum of 10 years from the termination of the business relationship/date of the occasional transaction.

At the expiration of the legal retention period (initial or extended, as applicable), the bank will delete or anonymize this data, except in situations where other legal provisions require their continued retention. Other legal provisions that oblige us to retain Customers' data or, as applicable, occasional Customers' data for a longer period are those from:

The Code of Fiscal Procedure, which provides that some of the data processed for the application of customer knowledge measures must also be processed for reporting to A.N.A.F. The legal retention period for this data is 10 years from the termination of the business relationship or from the date of the occasional transaction;
financial-accounting legislation provides that accounting documents relevant to financial records and supporting documents, including contracts on the basis of which accounting entries were made (implicitly including the personal data contained therein) must be kept until 10 years from the end of the financial exercise of the year in which they were created;
the national legislation applicable in the field of electronic signature obliges providers issuing digital certificates to keep information regarding a qualified certificate for a period of minimum 10 years from the date of its expiration. In cases where the suppliers from Romania with whom we collaborate in this field process personal data as associated operators with the bank, it is possible that we keep the data regarding certificates for this period;
for Clients whose personal data has been queried in the A.N.A.F. records (according to the agreement expressed by them), the legal term imposed for keeping the query consent forms (implicitly also for the personal data contained therein) is 8 years;

Regarding the data that the bank has the legal obligation to report to the Credit Risk Central (C.R.C.), the documents containing credit risk information and information about reported card frauds (including personal data from them) are kept for a period of 7 years.

Regarding the data processed in the Credit Bureau system based on the legitimate interest of the Participants in this system, these are stored at the level of this institution and disclosed to the Participants for 4 years since the last update date, except for the credit applicants' data who have withdrawn the credit application or who have not been granted credit, which are stored and disclosed to the Participants for a period of 6 months.

For all cases where the data/some data is subject to multiple retention periods, the longest of these shall apply. After the expiration of the longest period, the data will be deleted or anonymized.

2. Retention period for data captured by video surveillance cameras

The data collected through video surveillance cameras is stored for 30 days, after which it is deleted through an automatic procedure. In specific cases, thoroughly justified, only in compliance with the applicable legal provisions, the retention period of relevant video recordings can be extended up to 6 months from the end of the month in which the images were taken or, if necessary, for a longer period, until the completion of the investigations of the incident due to which the extension of the storage period was necessary. In the case of video images that are subject to data access requests, the retention periods for the personal data of BT petitioners apply.

3. Retention period for data of persons who have expressed marketing preferences

BT Customers' data who have given their consent to receive advertising messages are processed for this purpose until the consent is withdrawn or, otherwise, until the termination of their status as BT Customer. The data of non-customers who have given such consent are processed for this purpose until the consent is withdrawn.

4. BT candidates' data retention period

Personal data processed for BT candidates will be kept until the end of the recruitment process for the position they applied for or, if the candidates have shown interest in being contacted for other BT positions that might suit them, the data will be kept for 1 year. This period can be extended with the candidate's consent.

The data of BT candidates who become BT employees are subject to the retention periods for BT employee data, provided in the information dedicated to BT employees.

5. Data retention period of BT petitioners

In order to prove that complaints/claims/requests for information/measures have been received and that responses to them have been formulated and sent, the data related to these petitions will be kept (together with the personal data contained therein), as follows: BT clients' petitions, for the duration of their business relationship with the bank plus 3 years, and petitions from persons who did not have/do not have the status of BT clients, 3 years from the date the response to the petition was sent (legal prescription period).

Any other personal data processed by BT for other purposes indicated in this Policy will be kept for the period necessary to achieve the purposes for which they were collected, to which excessive terms may be added, established in accordance with the applicable legal obligations in the field, including but not limited to the provisions regarding archiving, or established internally, according to the legitimate interests of the bank.

J. What rights do the data subjects have regarding the processing of personal data

All data subjects are guaranteed the rights below regarding their personal data processed by BT.

You should know that we treat these requests with the highest degree of professionalism and their status is periodically brought to the attention of the Bank's management.

Each of the requests is carefully analyzed, the responses to them are documented and, whenever necessary, we take corrective measures to ensure that we respect the rights you have regarding the lawful processing and proper protection of your data, which is an essential component of our obligation to respect human rights.

a) right of access: the data subjects can obtain from BT confirmation that their personal data is processed, as well as information regarding the specifics of the processing such as: the purpose, categories of processed personal data, data recipients, the period for which the data is retained, the existence of the right to rectification, deletion or restriction of processing. This right allows data subjects to obtain a free copy of the processed personal data;

b) the right to rectification : the persons concerned may request BT to modify the incorrect data concerning them or, as appropriate, to complete the data that is incomplete;

c) the right to erasure (the right “to be forgotten”) : the data subjects may request the deletion of their personal data when:

these are no longer necessary for the purposes for which we collected and process them;
the consent for the processing of personal data was withdrawn and BT can no longer process them on other grounds;
personal data are processed contrary to the law;
personal data must be deleted according to the relevant legislation;

d) the right to withdraw consent : the data subjects may withdraw their consent regarding the processing of personal data processed on this legal basis at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal;

For withdrawing consent for data processing for advertising purposes, you can also use the following online forms available in the section Privacy Hub:

if you are a BT Client: access the form “Do you want marketing or not?” (options for BT clients) and check the option “I do not want advertising messages”;
if you are not a BT client: access the form “Don’t want marketing anymore?” (withdrawal of marketing consent for non-clients);

e) the right of opposition: the data subjects may object at any time to processing for marketing purposes, as well as processing based on BT's legitimate interest, for reasons related to their specific situation;

f) the right to restriction of processing: the data subjects may request the restriction of processing of their personal data if:

disputes the accuracy of personal data, for a period that allows us to verify the accuracy of the data in question;
the processing is illegal, and the data subject objects to the deletion of personal data, requesting instead the restriction of their use;
the data are no longer necessary for us but the concerned person requests them from us for a court action;
in case the data subject has objected to the processing, for the time period during which we verify whether BT's legitimate rights as the controller prevail over the rights of the data subject.

g) the right to data portability: the data subjects may request, under the conditions of the law, that the bank provide them with certain personal data in a structured, commonly used, and machine-readable form. If the data subjects wish, BT may transmit the respective data to another entity, if technically feasible.

h) rights regarding automated individual decision-making process: as a rule, the data subjects have the right not to be subject to a decision based exclusively on automated processing, including profiling, if it produces legal effects concerning them or similarly significantly affects them. They have the right to express their point of view, to challenge the decision, and to request human intervention (review of the automated decision by a BT employee).

i) the right to file a complaint with the National Authority for the Supervision of Personal Data Processing (N.A.S.P.D.P.) : the persons concerned have the right to file a complaint with the Supervisory Authority if they consider that their rights have been violated:

National Authority for the Supervision of Personal Data Processing, General Gheorghe Magheru Blvd. 28-30 Sector 1, postal code 010336 Bucharest, Romania, e-mail: anspdcp@dataprotection.ro

For exercising the rights mentioned in points a) – h) above with BT, please use the contact details of BT's designated data protection officer (DPO BT), sending the request in any of the following ways:

to the e-mail address dpo@btrl.ro
by postal mail, at the address in Cluj-Napoca city, Calea Dorobanților street, no. 30-36, Cluj county, with the mention "to the attention of the person responsible for data protection"

Before sending us your request, we recommend that you read the instructions in the section ”How to exercise your GDPR rights at BT” available on Privacy Hub.

K. How we protect the personal data we process

BT has developed an internal framework of policies, procedures, and standards to maintain the security of personal data. These are periodically reviewed to comply with the regulations applicable to the Bank and the highest standards in the field of data security.

Specifically, the Bank adopts and applies appropriate technical and organizational measures (policies and procedures, IT security, etc.) to ensure the confidentiality, integrity, and availability of personal data and its processing only in accordance with the legal provisions applicable in the field of personal data.

BT employees are obliged to maintain confidentiality and may not illegally disclose personal data to which they have access as part of their professional activity.

All employees are periodically trained in the field of personal data processing and protection.

In case your data is involved in incidents that constitute breaches of their security and if, following the assessment we conduct regarding the incident, we conclude that this incident is likely to pose high risks to your rights and freedoms as a data subject, we commit to informing you about the occurrence of the breach and to providing you with all the information provided by law for these cases.

At BT we ensure – both before entering into contractual relationships with partners/suppliers who need access to personal data (as a person authorized by the operator), and throughout the entire period during which they have access to the data – that they:

processes the data only on behalf of and under the instructions of the bank (except when they have a legal obligation to process it);
have implemented appropriate technical and organizational measures to ensure the proper security of the data;
assumes contractual obligations in accordance with the provisions of GDPR and these obligations are complied with;
do not disclose personal data of other persons authorized except with prior authorization from BT;
if I cannot ensure data processing only in the E.U./E.E.A., I carry out the transfer of data to third countries or international organizations only on the basis of adequacy decisions or appropriate safeguards provided by the GDPR, including taking additional measures if necessary for the adequate protection of the data

We guarantee that BT will not sell the personal data of any visited person and will disclose this data only to those entitled to know it, in compliance with the principles and obligations established by law.

The present policy is regularly reviewed to guarantee the rights of the data subjects and to improve the methods of processing and protection of personal data.