Within its activity, BT processes the personal data of Regular customers, the ones with whom we have a contractual relationship, performed pursuant to Banca Transilvania’s applicable General Terms and Conditions - as the case may be - individuals or legal entities (hereinafter referred to as the business relationship). These regular customers are, in general: individuals - full-aged or under-aged - who hold at least one current account with BT as individual client, authorized persons/legal representatives who operate on the accounts opened with BT in the name of certain companies and their beneficial owners.
Likewise, BT also provides its services and products to Occasional customers. These customers are persons that do not hold an account opened with BT, nor do they have the right to operate on such accounts, but occasionally use BT’s units and equipment (such as ATMs, BT Express, BT Express Plus, etc.) to perform different banking transactions (cash deposits on BT accounts, invoice payments), money transfers (e.g. Western Union) or FX operations, supply their personal data when visiting BT’s websites or units, or when benefit of the support services provided via the Bank’s Call Center.
Banca Transilvania is a company listed on the Bucharest Stock Exchange, and, in such capacity, it processes the personal data of its Shareholders, in accordance with the legal provisions regulating the capital market.
Sometimes, in order to be able to obtain an answer to certain requests, a product, or in order to have certain operations/services performed, such Clients or Shareholders have to supply personal data belonging to other persons, such as: spouse, partners, family members, beneficiary of a payment operation, guarantor of a loan, beneficiary of an insurance policy, individuals the personal data of whom are inserted in the documents provided by the client.
If the Customer or Shareholder is the one who provides BT with information about other persons, he/she must inform such data subjects with regard to the content of this policy regarding the processing of personal data.
The agreements concluded by BT with any provider/product or service supplier (contractual partner) contain the personal data of the signatories thereof (usually, the full name, position held and signature of the legal or conventional contractual partners), of the contact persons appointed by the contractual partner (usually, full name, phone number and e-mail address), of other categories of individuals the personal data of whom are disclosed to the Bank by the contractual partner. Such personal data shall be processed by BT in connection to the execution and performance of the said agreements, for purposes such as the internal administrative-financial management, the storage and archiving of the contractual documents, the testing and use of the IT systems and services, complaint management, audit missions. The legal basis for the processing of the personal data belonging to these categories of data subjects resides in the Bank’s legal obligation, the signing/execution of the contract and the Bank’s legitimate interests. The personal data we become aware of within the performance of the relationship with a contractual partner are disclosed, as applicable, to: the contractual partner that has supplied them, the entities within the BT Group, BT’s partners who need to know them, authorities and public institutions entitled to request them. The data shall be processed by BT during the contractual period and thereafter, until the expiry of the statutory archiving period for the contractual documentation. For the fulfillment of the abovementioned purposes, the Bank may transfer certain personal data categories made available by the contractual partner outside the European Economic Area (EEA). The data subjects affected by this processing benefit of the rights laid down in this policy for the data subjects affected by the processing.
All these previously enumerated categories of individuals shall be hereinafter referred to as “data subjects” impacted by the processing of personal data.
I. To identify the Customers, as well as to establish and carry out their business relationship with BT
The performance of any operation, requested at BT’s counters by regular or occasional customers, implies the identification by BT of the persons requesting the operations. For this, BT’s employees shall request a valid ID document. In certain cases stipulated by law, BT shall make and retain copies of the ID document, for the period laid down by the law.
The cases in which BT must apply the standard know-your-customer (KYC) measures which include copying and retaining the copy of the ID document are:
- upon the establishment of the business relationship;
- when performing occasional transactions in amount of at least EUR 15,000 or the equivalent, regardless whether the transaction is performed through one or several operations that seem related;
- when the Bank suspects that the operation is directed towards money laundering or terrorist financing, irrespective of the applicability of the derogative provisions on the obligation to apply the standard KYC measures stipulated by law and the value of the operation;
- if there is doubt with regard to the truthfulness or relevance of the identification information already collected about the client;
Based on its legal obligation to apply the standard KYC measures, which any Romanin credit institution is bound to pursuant to the provisions laid down in NBR’s Regulation No. 9/2008 on "know-your-customer" rules for the prevention of money laundering and terrorist financing, Law No. 656/2002 on the prevention and sanctioning of money laundering and on setting up of certain measures for the prevention and combating terrorism financing and in Government Decision No. 594/2008 for the application of Law no. 656/2002 for the prevention and combating of money laundering terrorism financing, upon the initiation of a business relationship, BT must collect and keep records of at least the following personal data categories: first name and last name, date and place of birth, national identification number or another similar identification element, domicile, phone number, fax, e-mail address, citizenship, and, if applicable, alias, residence, job, employer’s name or nature of the individual activity, important public position held, name of the beneficial owner.
This information is also collected if a client is represented by another person who acts as authorized person, trustee, legal guardian or any other capacity, and, additionally, data regarding the nature and limits of the authorization.
If a business relationship is initiated and carried out with a legal entity, the data mentioned in the previous paragraphs shall be collected in order to identify the persons who, according to the articles of association and/or the resolutions of the statutory bodies, are vested with the competence to manage and represent the entity, and, their authority to bind the entity, as well as in order to identify the person that acts on behalf of the client and information in order to establish that such person is duly authorized in this respect. The Bank is obliged to check such data with the public registers, as well.
Based on the same legal obligations, the Bank collects, if applicable, the identification details of the beneficial owner.
The collected data shall be verified based on the ID documents and by verification of other sources, as well.
The Bank is also obliged to make and retain copies of the ID documents of all these persons.
Within the KYC process, the Bank is also under the legal obligation of collecting information regarding their clients’ capacity of politically exposed person. Exclusively for such purpose, BT shall process information that fall under the category of political opinions - special personal data.
Likewise, also in accordance with the legal obligations in the field, within the enrollment and account opening stage, BT shall classify its clients per risk degrees, based on certain criteria such as nationality, residence, affiliation, important functions or positions held.
Within the KYC process, based on the legal obligation resulting from Government Emergency Ordinance No. 202/2008 on the enforcement of international sanctions and from Regulation No. 28/2009 on overseeing the enforcement of international sanctions, as well as based on its legitimate interests in not entering business relationships with persons accused or suspected of law violations, the Bank processes information regarding the fraudulent/potentially fraudulent activity (data about accusations and convictions for crimes such as fraud, money laundering and terrorism financing)
BT must make sure that all such data are updated within its records throughout the business relationship with the customers, and to such end BT shall request them to update the data supplied upon the initiation of the business relationship, whenever necessary, being also entitled to update such information at its own initiative, from safe, public or private external sources, accessed directly or via third-party providers.
All such data are kept in the Bank’s records in accordance with the legal term, which is of minimum 5 years as of the termination of the business relationship with the customer.
If the request for the initiation of the business relationship is filled out online, in the sections available on BT’s website, the applicants will have to supply the same data imposed by the previously mentioned legal provisions, whereby the enrollment process (establishment of the business relationship) is to be completed only after the signing of the documentation in one of the bank’s units. If, within 60 days as of the filling out of the online application for the initiation of the business relationship, the applicant does not visit a BT unit in order to sign and complete the enrollment process, respectively, the applicant’s data shall be erased from the bank’s records.
II. For the preliminary offer of a loan product, the analysis of a loan application, the execution and performance of the loan (card or non-card) agreements
The lending activity is one of the main activities carried out by a credit institution. Executing and carrying out a loan agreement, with an individual or legal entity, implies several stages within which one shall process personal data based on the Bank’s legal obligations, the execution and performance of the loan/guarantee/appraisal agreement, based on the legitimate interests justified by the Bank, as well as, in certain particular cases, based on the consent of the data subjects.
1.Personal data processing within the stage of the preliminary-offer or the analysis of a loan application filed with Banca Transilvania
1.1.Personal data processing within the system of the Credit Bureau
1.1.a.Legal basis and purpose of the personal data processing within the system of the Credit Bureau
In accordance with the applicable legal provisions, prior to the signing of a loan agreement and during the performance thereof, the Bank must appraise the applicant’s repayment capacity. To this end, the Bank processes the information under section 1.1.c below, both within its own records and by sending them to the Credit Bureau in order for such information to be processed by this institution and to be inquired by any Participant in this system, in order to initiate and carry out a lending relationship, as well as to secure loan products.
For the loan applicants and certain categories of related parties, during the analysis stage for a loan application, the Bank makes inquiries in the system of the Credit Bureau, justifying a legitimate interest in this respect in order to carry out a responsible lending activity.
Biroul de Credit SA is the private-law entity managing the system of the Credit Bureau in which personal data related to the lending activity carried out by the Participants are managed.
The Participants in the system of the Credit Bureau are credit institutions, non-banking financial institutions, insurance companies and debt collection companies, which have signed a Participation Agreement with the Credit Bureau.
1.1.b. Obligation to supply data and consequences of the failure to do so
The supply of personal data is necessary for the purposes mentioned under section 1.1a. The refuse of the data subjects to provide the personal data necessary for the achievement of the abovementioned purpose shall prevent the Bank from fulfilling its legal obligations in terms of loan granting.
1.1.c. Personal data categories processed in the system of the Credit Bureau
Personal data processed within the system of the Credit Bureau:
- identification details of the data subject: last name, first name, national identification number, domicile/residence/mailing address, landline / mobile telephone no., date of birth, country code, passport serial no. in case of non-resident individuals;
- data regarding the employer: name and address
- data regarding the requested/granted loan types: Participant’s name, product type, product/account status, granting date, loan period, loan amount, amounts owed, maturity date, currency, payment frequency, paid amount, monthly installment, overdue amounts, number of overdue installments, number of days of default, default category, product termination date;
- data regarding the events occurring during the loan period, such as the ones concerning the restructuring/refinancing of the loan, the giving in payment, assignment of the loan agreement, assignment of the receivables;
- data regarding insolvency: information concerning the data subjects which undergo an insolvency procedure;
- number of inquiries: number of Credit Reports issued by the Credit Bureau upon the request of one or several Participants;
1.1.d Data recipients
The personal data recorded in the system of the Credit Bureau are disclosed to the Participants in this system, upon request, for the purpose mentioned under section 1.1a.
The personal data processed in the system of the Credit Bureau shall not be disclosed to third parties, except for the public authorities and institutions, according to their competences and the applicable law, such as the National Supervisory Authority For Personal Data Processing, the National Bank of Romania, the National Integrity Agency, court authorities, notaries public, court executors, criminal prosecution bodies.
1.2. Personal data processing within the records of Banca Transilvania S.A.
1.2.a. Legal basis and purpose of the personal data processing
For the preliminary offer and, as applicable, the analysis of a loan application, in accordance with the need to carry out a responsible lending activity, in addition to the processing of personal data within the system of the Credit Bureau, the Bank processes such data within its own records, based on the legal obligations that the Bank must observe, the execution of the loan/guarantee/insurance agreement, based on its legitimate interest and, as applicable, with the data subjects’ consent.
1.2.b. Obligation to supply data and consequences of the failure to do so
The supply of personal data is necessary for the purpose of the preliminary offer / analysis of the loan application. The refuse of the data subjects to provide the personal data necessary for this purpose, shall prevent the Bank from fulfilling its legal obligations in terms of loan granting, and as consequence the loan application cannot be analyzed.
1.2.c. Personal data categories processed within the records of Banca Transilvania S.A.
The personal data previously mentioned for the processing in the system of the Credit Bureau are also processed by Banca Transilvania S.A. within its own records. Additionally, the Bank also processes information that the Bank becomes aware of during the verification of the data subjects in its own records, as well as in the public databases such as the websites - portal of the court authorities, ONRC (National Trade Register Office), etc.
1.2.d.Existence of an automatic decision-making process, including the creation of profiles via BT’s scoring application
For the objective verification of the compliance with the eligibility criteria, during the stages of the preliminary offer and, as applicable, the analysis of the loan application - BT processes, in certain cases, based on its legitimate interest, personal data of the loan applicants (individuals or legal representatives of the legal entities), as well as other individuals participating in the loan application analysis through an individual automatic system (“BT scoring application”).
The personal data entered and analyzed in the BT scoring application are: identification data, other data filled out in the loan application, information resulting from the verifications performed in the Bank’s own records or in the records of the Credit Bureau, such as - whether the data subjects collect their income in an account opened with the Bank or are regular customers of the Bank, the level of the monthly payment obligations, the payment history related to other loans granted by the Bank, etc. Following the analysis of such data/information, the BT scoring application generates a score based on the profile of the debtor/potential debtor as good or defaulted debtor. The score returned determines the credit risk and the probability to pay the installments on time.
Based on the score generated by the BT scoring application, correlated with the result of the verification of the relevant personal situation in public databases as well as websites - portal of the court authorities, ONRC (National Trade Register Office), etc., - the Bank decides if the eligibility criteria according to its internal regulations are met or rejects the loan application, a decision based on the analysis performed by the Bank’s employees (human intervention).
1.2.e During this stage of the lending process, the applicants are given a form and by way of signature thereof, they can express their consent to the Bank’s inquiry in the database of the National Agency for Fiscal Administration (ANAF), for a limited period of time - maximum 5 working days - with regard to the applicant’s income, considering that the income level is an essential element in establishing the applicant’s classification according to the bank’s lending conditions.
Within the same stage, for certain types of loan products, the Bank wants to make inquiries in the records of the Central Credit Register, in which case the Bank shall provide a dedicated consent form to be filled in and signed by the applicant.
2.Personal data processing upon the execution and during the performance of a loan agreement concluded with the Bank
2.1. Legal basis and purpose of the personal data processing
For the execution and performance of the loan agreements and, as applicable, the guarantee/appraisal/insurance assessments thereof, the Bank processes the personal data in the categories under 2.3, based on its legal obligations, the execution and performance of the agreements and its legitimate interests
2.2. Obligation to supply data and consequences of the failure to do so
The supply of personal data is necessary for the purpose of concluding and performing the loan agreements and, as applicable, of the related agreements (e.g. guarantee agreements). If the data subject refuses the processing of his/her personal data necessary for the mentioned purpose, such refusal shall render the granting of the requested loan impossible.
2.3. Categories of processed personal data
The personal data processed by the Bank for the purpose mentioned under 2.1 in this section are the ones used within the stage of the preliminary offer/analysis, plus other similar data that have been filled in and/or received on the occasion of/for the signing of the agreement or during the duration of the loan or guarantee agreement.
III. For the purpose of offering other BT products/services, including via online media
Each BT customer is assigned a client code (client ID) for the identification in the bank’s records, as well as an IBAN code for each account (current, card or savings account, etc.) opened in the name of the client with the Bank.
Likewise, for each of the cards issued by BT to its clients, a unique number (PAN) is assigned and embossed on the card together with the card expiry date, the full name of the cardholder and the CVV code (on the back of the card). Subject to the cardholder’s consent, the IBAN code can also embossed on the card.
Banca Transilvania is constantly trying to provide its customers with online services and products, such as the internet banking services - BT24, mobile BT24 or Invoice BT24 - the digital wallet application - BT Pay, the chatbot “Livia from BT” accessible via Facebook, the Self Serv service reachable by phone. In order to use these services, the Bank has to process certain personal data categories for the identification of the persons as BT clients and, subsequently, as users. Such data are usually the: last name, first name, date of birth, client code, phone number.
Part of BT’s applications, accessible via mobile devices (e.g. mobile BT24, BT Pay) might request their users to provide access to additional personal data, either upon the installation or during the use thereof, including without limitation: camera (to scan the invoice barcodes), location (within certain application sections, in order to display certain BT units or ATMs in the neighborhood or stores of the retailers registered with the Star BT loyalty program), contacts (only for Email/SMS/P2P payments in order to automatically fill out the details of the beneficiaries, SMS (in order to fill out the SMS-OPT codes in different application section, automatically), phone status and identity (e.g. phone IMEI for the activation of the mobile MBT24 internet banking application), information regarding the existence or absence of a security method for the phone used within the applications.
Likewise, for online services, in order to ensure the security of the performed transactions, the IP address of the device shall also be processed. These data are requested and used strictly for the purpose of ensuring the security of the transactions and are processed strictly for the necessary period.
For the provision of certain banking services, including without limitation, the internet and mobile banking - with the variants BT24, mobile BT24 or BT24 Invoices- SMS Alert, BT Alert, the Bank shall process the phone number communicated by the clients for the use of the said services.
Additionally, the phone number, e-mail address or domicile/residence/mailing address supplied by the clients for the performance of the business relationship shall be processed by the bank with the purpose of informing its Customers with regard to aspects of interest related to the operation of the services/products contracted from BT, as well as, without limitation, interruptions of the operation of certain services, establishment of bank account attachments, warnings for BT card or ID card expiry, as well as of contacting them for the debt collection activity.
In the case of certain services of the type “Apply online” for different BT products/services/contests/events, available as application forms on BT’s website and other websites managed by the Bank, we usually request the applicants to provide the following personal data: last name, first name, phone number and e-mail address in order to contact the applicants and provide them with answers/information regarding their applications.
Depending on the specificity of the product/service requested online, there are situations when additional personal data must be supplied, either as legally imposed, or as processed by BT based on its legitimate interest in identifying the persons so as to be able to offer the requested products/services/information.
The data filled out in such application forms are processed by the Bank with the purpose of providing the requested products/services/information, throughout the period necessary for the fulfillment of such purposes, in accordance with the bank’s retention policies prepared in line with the principles and obligations laid down by the law governing the processing and protection of personal data.
BT shall not collect and store the personal data of the online applicants who have not completed their registration.
IV. For the purpose of depositing cash on accounts opened with BT by Occasional Customers
Every person has the right to deposit cash amounts on accounts opened with BT, if the account holders allowed for such operations to be performed by third parties.
For such an operation, the Bank is legally obliged to identify the payers based on their ID documents, and thus to process certain personal data of the payers - last name, first name, serial number of the ID document, national identification number, address, details on the deposited amount and explanations on the nature of the payment (what the payment represents).
In the cases stipulated by law, as indicated under I in this section, for the cash deposit operation, the Bank must make and retain a copy of the Occasional Client’s ID document depositing the cash
If certain Occasional Clients repeatedly visit the units of the bank in order to deposit cash on accounts opened with BT, in order to streamline the Bank’s activity and reduce waiting times, the Bank has the legitimate interest to use the data collected within the previous cash deposit operations in order to pre-fill the cash deposit form. The data of external payers shall not be processed for other purposes, shall only be accessed by the Bank’s employees who need to know them and shall be kept only for the periods stipulated in the internal retention policies and the legal regulations on such aspects.
V. For the purposes of providing information/answers, of taking action on the requests/notices/complaints of any nature addressed to the Bank by different persons, via any channel
Every person has the possibility to make requests, to ask for information/measures or to send notices/complaints, via different channels, such as - in the form of letters sent to/submitted at the Bank’s headquarters or units, by phone using the phone number of BT’s Call Center or any other phone number assigned to the units, by e-mail messages sent to the addresses made available to the clients or the e-mail addresses of the Bank’s employees, by electronic messages via the secured internet banking platform BT24, by filling in dedicated forms on BT’s website or other websites managed by the Bank - for a complete list of BT’s websites click here.
In order to identify the applicants, analyze the situation brought to the Bank’s attention and reply to such inquiries/complaints/notices, the Bank processes certain personal data - last name, first name, phone number, e-mail or postal address from where the inquiry is received, other personal data supplied within the messages or required in order to provide the requested replies/information.
As evidence of the fact that such notices/complaints/inquiries/measures have been received, as well as for quality control purposes regarding the replies/information/actions sent/taken by the Bank, as well as for quality control purposes regarding the support services, the received messages shall be kept within BT’s records both in the form in which they are received and electronically, and phone calls are recorded and kept during the period of the business relationship for BT clients, and for the period necessary for the fulfillment of the purpose for which they have been processed (preparing the reply/providing the information), plus an additional period of 3 years - the legal prescription period if the data do not belong to persons with whom the Bank has an established business relationship.
VI. For monitoring purposes, including video surveillance, for the security of persons, BT premises and/or assets
In accordance with the provisions laid down in Law No. 333/2003 on the security of objectives, goods, valuables and protection of individuals, as subsequently amended and supplemented and in Decision No. 301 of April 11, 2012 for the approval of the Methodology of Law No. 333/2003 on the security of objectives, goods, valuables and protection of individuals, BT is legally obliged to ensure video surveillance in the area of the ATMs, as well as on access pathways, corridors and other high-risk areas.
Based on its legitimate interests, the Bank seeks to extend the video surveillance over other areas accessible to the public and bearing a potential security risk for individuals/areas or goods.
The video surveillance activity implies the processing of images with persons, and the places where the cameras are placed are appropriately marked, by means of a specific notice, accompanied by the corresponding icon.
The video surveillance system is not used for purposes other than the mentioned one, does not aid in monitoring the activity of the public, employees or in the preparation of timesheets. Likewise, the system does not represent a means of investigation or information source for internal investigations or disciplinary proceedings, unless a physical security incident occurs or a criminal behavior is noticed (in exceptional cases, the images may be transferred to the prosecution bodies within a disciplinary or criminal investigation).
The system may record any movement detected by the installed cameras in the monitored area, along with the date, time and location. All cameras operated 24/7. If necessary, the quality of the images enables the recognition of the persons that pass through the area covered by the cameras. The video recordings are stored within the Bank’s internal records.
In addition to the processing of images within the video surveillance activity, in order to grant visitors access to certain areas in which the Bank carries out its activity, the security staff shall identify the visitors based on their ID documents, and their full name and serial number of the ID documents are recorded in special registers and kept in hard copy for the period laid down by law.
VII. For the purpose of sending advertising messages about the Bank’s products/services/events offered/organized by the Bank, the Group entities or their partners
BT wants to inform interested parties about the products/services/events offered/organized by the Bank, the Group entities or their partners, and, to this end, it processes the personal data of such interested parties, if they have consented to receiving such advertising messages by filling in the dedicated form, available in every unit of the Bank and on BT’s website.
The data processed by BT for the advertising purposes are usually the last name, first name, phone number and/or e-mail/correspondence address supplied by the persons interested in receiving advertising messages. In order to make sure that the sent ads are relevant to its clients, the Bank shall also process other types of information about the client, within the context in which they use BT services/products (e.g. data about transactions, age, place, income, etc.), which are analyzed automatically (profiling) so as to get an image of the products/services/events that best match the client’s profile.
The personal data shall be processed by the Bank until the termination of the business relationship with the data subjects or, as applicable, until the consent to receiving such messages is revoked.
Ads shall be mainly sent via SMS, phone calls, e-mail, postal address.
In certain cases, in order to send ads via such channels, BT shall contract service providers that will process the personal data of the data subjects on behalf of and for BT, exclusively for the purpose of sending the established ads, strictly observing the instructions from BT and under the Bank’s close supervision.
People willing to receive ads, may opt for ads from several categories, including without limitation: BT products and services, products and services of the BT subsidiaries, events organized by BT, products/services of BT’s partners related to the products/services of BT or of BT’s subsidiaries and events organized by BT’s partners.
BT’s subsidiaries the products/services and events of which are promoted within the ads sent to the persons willing to receive such messages are the following entities within the Banca Transilvania Financial Group:
- BT Microfinanțare IFN SA ( „BT Mic”)
- BT Asset Management S.A.I. S.A., ( „BTAM”)
- BT Leasing Transilvania IFN S.A. („BTL”)
- BT Direct IFN S.A. („BTD”)
- BT Capital Partners S.S.I.F. S.A.(„BTCP”)
- other entities that may join the Group in the future.
If one has consented to receiving ads about the products/services and events offered/organized by BT subsidiaries or partners, such entities shall process personal data with the purpose of sending such messages, under the Bank’s close supervision and coordination. For any other possible personal data processing activities carried out by BT partners/subsidiaries outside or connected to the sending of ads, such as, e.g. for the purpose of concluding certain agreements related to their promoted products/services, these partners are to act as controllers of the processed personal data.
The consent to receiving ads can be withdrawn or modified through several methods, separately indicated in the consent form regarding the processing of personal data for advertising purposes.
In certain specific cases, under the strict observance of the individuals’ rights and liberties, Banca Transilvania shall process personal data with the purpose of sending advertising messages based on its legitimate interest in promoting its products and services.
VIII. For the purpose of recruiting the persons interested in the vacancies of BT
BT is one of the companies with the largest number of employees in Romania, and ads about different vacant positions with the Bank are posted on different recruitment websites. The persons who access these websites and apply for a job available with BT, or the “Careers” section on the website www.bancatransilvania.ro, shall be redirected to the secured recruitment platform used by Banca Transilvania.
On such platform, regardless whether they want to apply for a certain position or to be contacted by the Bank for different vacant positions within the company, the applicants shall be requested to create an account, entering their last name, first name, phone number and e-mail address where they can be contacted for recruitment purposes and to upload at least their CV.
If one applies only for one of the accessed vacant positions, the applicant’s personal data shall be processed by the Bank only within the recruitment process for the said position, whereas the applicant’s personal data and account created on the platform are to be erased upon the completion of the recruitment process for the respective position.
However, if the applicant selects the option to be contacted for the vacancies with BT, in general, the applicant will have to select a series of predefined criteria on the platform, based on which he/she shall be informed about the vacancies that match his/her profile. In this case, the applicant’s data shall be kept for recruitment purposes for a period of 1 year as of the registration of such option.
The same retention period applies when the CVs are submitted/sent to the Bank via any other channels.
Upon the expiry of the abovementioned period, BT shall anonymize the personal data collected for recruitment purposes, and such data shall only be used to generate statistical reports for the Bank’s internal use. Once such recordings become anonymous, they can no longer identify the person they belong to.
Should the Bank need such references, it shall contact the applicant in order to request his/her consent to obtain them on his/her behalf. If the applicant does not consent to this, he/she will have to obtain the references on his/her own, if he/she want to go on with the recruitment process.
The applicant can erase his/her account created within BT’s recruitment platform, any time, and such erasure shall also be interpreted as withdrawal of the consent to the Bank’s processing of his/her personal data for recruitment purposes. As of the erasure of the account on the platform, only the applicant shall be able to access the recorded data.
If the Bank receives CVs or job applications through channels other than the previously mentioned recruitment platform, the Bank shall retain such data for the periods stipulated above, i.e. until the completion of the recruitment process for the selected position or, as the case may be, for a period of 6 months, which can be extended upon the applicant’s request, if the applicant wishes to apply for different vacancies.
IX. Further purposes for which BT processes personal data
In addition to the purposes presented in detail in the sections above, Banca Transilvania processes personal data for other purposes, as well, such as the:
- preparation of analyzes and the keeping of records for the Bank’s economic, financial and/or administrative management;
- management within the internal departments of the services and products provided by the Bank;
- assessment and monitoring of the Client’s financial-commercial behavior during the performance of the business relationship with BT;
- creation and analysis of profiles in order to improve the products/services provided by BT or the Group entities;
- the analysis of the behavior of the website users through cookies, both BT and third-party websites, with the purpose of providing a general or particular content, offers matching the users’ interests (details in the Cookies Policy);
- the preparation of internal analyses (statistics included) both with regard to products/services and the client portfolio, for an ongoing improvement of the products/services, as well as market researches for the Bank’s products/services;
- the calculation of the fees to which BT’s sales force is entitled;
- the archiving, both in hard-copy and electronic, of the documents, BT correspondence registration services, as well as courier activities;
- the settlement of disputes, investigations or any other petitions/complaints/inquiries in which BT is involved;
- the performance of risk control activities on BT’s procedures and processes, as well audit and investigation activities;
- the preparation and submission of reports to the competent authorities, authorized to receive them in accordance with the legal provisions governing BT’s activity (e.g. payment incident reports to the Office of Payment Incidents within the NBR, declaring the transactions that exceed the amount established by the National Office for Prevention and Control of Money Laundering);
- the monitoring of the clients’ activity with the purpose of detecting unusual and suspect transactions;
The personal data of the Bank’s Customers are disclosed or, as applicable, transferred, in accordance with the applicable legal provisions, depending on the situation, and only under strict confidentiality and security conditions, to the recipient categories, including without limitation:
- branches, agencies, work units, the Bank’s rep offices,
- entities within the BT Financial Group, mentioned in this policy or on BT’s website and other such entities that may join the Group in the future
- Service providers used by the Bank for: IT services (maintenance, software development), hard-dopy or electronic archiving; courier services; audit; services related to card issuing and enrollment; market research, advertising, monitoring of traffic and behavior of the users of online tools, marketing services via social media, etc.;
- inter-bank payment processing and dispatch of information regarding inter-bank operations (e.g.: Transfond, Society for Worldwide Interbank Financial Telecommunication- SWIFT);
- public authorities and institutions (including without limitation NBR, ANAF*, police, National Office for Prevention and Control of Money Laundering**),
- guarantee companies (funds) for different lending/deposit products (e.g. FNGCIMM, FGDB, etc.).
- ONRC, OCPI, AEGRM, notaries public, court executors;
- Central Credit Register***;
- Credit Bureau and Participants in the System of the Credit Bureau****;
- insurance companies;
- appraisal companies;
- debt collection companies;
- entities to which the Bank has outsourced the provision of financial-banking services;
- Bank’s partners;
- international payment organizations (e.g. Visa, Mastercard);
- banking institutions or government authorities, including authorities outside the European Economic Area - for SWIFT international transfers or as a result of the processing activities for the purpose of observing the FATCA and CRS legislation, providers of social media, debt recovery companies, appraisers, real-estate agencies.
*In accordance with the provisions laid down in the Fiscal Code (Law No. 207/2015), in its capacity of credit institution, BT in legally bound to report to the central fiscal body - A.N.A.F. - the list of account holders - individuals, legal entities or any other entities without legal personality - that open or close accounts, as well as the identification details of the persons that are authorized to sign for the accounts held by them, the list of persons that rent safe deposit boxes, as well as the termination of the rental agreement. A.N.A.F. may communicate such details to the local fiscal bodies and to other local or central public authorities, under the applicable legal provisions.
**If the conditions for the transmission by BT o personal data to the National Office for Prevention and Control of Money Laundering are met, pursuant to Law No. 656/2002 on the prevention and sanctioning of money laundering and on setting up of certain measures for the prevention and combating terrorism financing, as republished and subsequently amended, such personal data are simultaneously sent, in the same format, to A.N.A.F., as well.
***The Bank is legally bound to report to Central Credit Register (CRC) the credit risk information related to each debtor that meets the reporting conditions (including the debtor’s (individual or non-banking legal entity) identification details, and the RON and FCY operations through which the Bank is exposed to risk in relation to such debtor), and in relation to whom the Bank has an individual risk, respectively, as well as details regarding acknowledged card frauds.
****The Bank’s legitimate interest is to record your personal data in the system of the Credit Bureau accessed by the other Participants (mainly credit institutions and non-banking financial institutions), in case of payment defaults above 30 days, subject to the prior notification of the data subjects in this respect at least 15 days before the reporting date.
For the provision of the banking services subject matter of the agreements concluded between the Customer and the Bank, the Bank shall transfer personal data abroad, as applicable, including to countries that do not provide an adequate level of protection of such data. The initiation by the Customer of certain payment orders represents the Customer’s consent to the transfer of his/her personal data to the said countries. The countries that do not ensure an adequate level of protection are countries outside the European Union/European Economic Area, except for the countries for which the European Commission has recognized an adequate level of protection, such as: Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zeeland, Uruguay (unless a contrary decision of issued for any of these countries).
For the achievement of the purposes herein, the personal data shall be processed by BT throughout the contractual relationship with the data subjects and after the termination thereof, in order to comply with the applicable legal requirements, including the ones on archiving.
The personal data filled out in the loan application and the ones processed for KYC activates with the purpose of preventing and combating money laundering and terrorist financing, are stored in BT’s records for a period of 3 years as of the signing of the loan application, if the application is rejected and, for a period of 5 years as of the termination of the business relationship, if a loan agreement is concluded following the approval of the loan request.
With regard to the data processed within BT’s activity in the system of the Credit Bureau, such data are stored by this institution and disclosed to the Participants for a period of 4 years as of their updating date, except for the data of the loan applicants who have given up the loan request or the loan request of whom has been rejected, cases in which the data are stored and disclosed to the Participants for a period of 6 months.
The personal data that BT is legally bound to report to the Central Credit Register (CRC) shall be kept in CRC’s records for a period of 7 years as of the loan recording date.
The consents for the consultation of the ANAF database shall be kept within the Bank’s records for a period of 10 years as of the signing thereof - if the loan application is rejected - and for a period of 5 years as of the termination of the contractual relationship, however not less than 10 years as of the signing of the consent - if the loan request is accepted and a loan agreement is concluded. Such consents are to be submitted to ANAF, upon request.
For the persona data processed based on the consent of the data subjects to receiving advertising messages, such data shall be processed until the termination of the business relationship with the Bank or, as applicable, until the revocation of the said consent.
As evidence of the fact that notices/complaints/inquiries/measures have been received and replied to, as well as for quality control purposes regarding the replies sent by BT, the received messages shall be kept within BT’s records, both in hard-copy and electronically, during the period of the business relationship for BT clients, and for the period necessary for the fulfillment of the purpose for which they have been processed (preparing the reply/providing the information), plus an additional period of 3 years - the legal prescription period - if the data do not belong to persons with whom the Bank has an established business relationship.
Personal data processed for recruitment purposes shall be kept within BT’s records until the completion of the recruitment process for the vacant position. If the data subjects wish to be contacted for several positions that match their profile, the data in the CVs and other documents provided to BT in this respect shall be kept for a period of maximum 1 year, unless their erasure from the Bank’s records is requested during this period.
The retention period for the data obtained via the video surveillance system is commensurate with the purpose for which the data are processed, i.e. it does not exceed 30 days, the period after which the recordings are automatically erased, in the order of their recording. In case of a security incident, the retention period for the relevant recorded material can exceed the normal limits depending on the time necessary for the additional investigation of the security incident.
Any other personal data processed by BT for other indicated purposes shall be stored for the period necessary for the achievement of the purposes for which they have been collected, to which non-excessive terms may add up, as established in the applicable legal requirements, including without limitation, the legal provisions in the field of archiving.
Any data subject has the following rights with regard to the processing of their personal data by BT.
- Right to be informed:
It is the right of the data subjects to receive clear, transparent, easy-to-understand information from BT, with regard to the way in which BT uses the personal data, as well as the rights of the data subjects. BT undertakes to fulfill this information obligation via the details herein, as well as via other notes inserted in the forms and agreements used in its activity
- Right of access:
The data subjects shall have the right of access to the personal data, and to obtain a confirmation from BT as to whether or not personal data concerning him/her are being processed, and, where that is the case, a copy thereof so as to have the possibility to check whether they are processed by BT in accordance with the legal provisions in this field.
- Right to rectification:
The data subjects shall have the right to obtain the rectification of inaccurate personal data, if such data in BT’s records are wrong, inaccurate or incomplete
- Right to erasure:
This rights is also collated the ‘ right to be forgotten’. Based on such right, the data subjects can request that their personal data processed by BT be erased, if their is no ground for the processing thereof, anymore.
- Right to restriction of processing:
In certain cases, the data subjects may suspend the processing by the Bank of their personal data for a certain period of time. When the processing of such data is restricted, the personal data will remain in BT’s records, but they shall no longer be used during such period, being marked as restricted from processing.
- Right to data portability:
The data subjects have the right to obtain the supplied data from BT in an automatically readable format, or to have them transmitted to another controller, selected at the data subject’s discretion
- Right to object:
Data subjects can object to certain types of processing of their personal data, such as the processing for advertising purposes.
- Right to address the The National Supervisory Authority For Personal Data Processing (ANSPDCP) and the court authorities
Based on such right, the data subjects may address requests/petitions to the ANSPDCP or the court authorities with regard to the processing of their personal data by BT
The ways in which the data subjects can exert their rights under sections 2-7 above, are:
- transmission by post of a written request at BT’s headquarters in Cluj-Napoca, str. G. Baritiu, nr. 8, Cluj, endorsed “Attn.: Data Protection Officer” or
- electronically, at the e-mail address email@example.com
Likewise, for the data processed by BT within the system of the Credit Bureau, as provided for in this policy, the data subjects can exercise their rights to access and restriction in relation to Biroul de Credit S.A., as follows:
- by a written request, signed and sent by post to the Credit Bureau, or
- by secured access to the website of the Credit Bureau (www.birouldecredit.ro).
The data subjects having their personal data processed in the system of the Credit Bureau also have the right to obtain, upon request and at the time when the lending decision is communicated to them, a copy of the Credit Report issued by the Credit Bureau and used by BT in the analysis of the loan application.
BT prepares an internal framework of standards and policies to ensure the security of the personal data. They are regularly updated in line with the legal regulations applicable to BT and the highest standards in the field.
Specifically and in accordance with the law, the Bank adopts and applies adequate technical and organizational measures (policies and procedures, IT security etc.) in order to ensure the confidentiality and integrity of the personal data and of the way in which they are processed.
BT employees must keep the confidentiality of the personal data they process within their activity and may not disclose them, under any circumstances.
The Bank makes sure that its contractual partners that have access to personal data are contractually bound in accordance with the legal provisions and checks their compliance with the assumed obligations. They shall process the personal data on behalf and for the Bank only in accordance with the instructions received from the Bank and under the strict observance of the security and confidentiality requirements within the imposed limits.
We warrant that BT does not sell the personal data it collects from the data subjects and does not transmit such data to entities, other than the ones that are entitled to know them, in line with the legally established principles and obligations.
Visitors of BT’s websites are made aware of the fact that such websites may contain links to websites the privacy/personal data processing policy of which differs from that of BT. The persons sending personal data to any of these websites must be aware that their information falls within the scope of the privacy/personal data processing policy of the said websites, which we strongly recommend them to read. The Policy of Banca Transilvania S.A. regarding the processing and protection of personal data does not apply to the information supplied on such websites.
This policy is regularly reviewed in order to make sure that the rights of the data subjects are guaranted and to improve the ways in which personal data are processed and protected.