Version applicable from June 7, 2023
1. Data collected for the identification/authentication of NeoBT users
2. Data we collect for the security of NeoBT
3. Data we process when you use NeoBT
4. To whom we may disclose data as a result of using NeoBT
5. How long we keep the data processed in the context of accessing/using NeoBT
6. How we protect personal data in NeoBT
7. What are the rights of the data subjects
Banca Transilvania SA – (hereinafter referred to as “BT”) provides its customers with the Internet and Mobile Banking service – NeoBT (hereinafter referred to as “NeoBT”).
Neo BT users (hereinafter also referred to as "data subjects") are informed through this specific privacy notice which personal data will be processed by BT for various purposes related to accessing/using NeoBT, about the legal grounds on which these data are processed, about the recipients of the data (who we disclose the data to), the retention period for the data (how long we keep it) and the rights the data subjects have.
1. Data collected for the identification/authentication of NeoBT users
In order for you to use Neo BT, according to the provisions applicable in the field of payment services and because we have the legitimate interest to prevent fraud, we need to verify your identity, respectively we must identify you as an authorized user of this service. This identification is carried out on the basis of the login ID in NeoBT (hereinafter referred to as "user ID") and a password. The password required for the first login is the one sent by SMS to the phone number you declared to the bank. To this phone number we will send unique codes (SMS-OTP, one time password) for each login, as well as for some transactions, together with messages about the respective transaction.
If you use the mobile version of NeoBT and log into the app with biometric data (e.g. fingerprint, face-ID), please note that BT does not have access to this information, which is stored in the device you are using. BT only obtains the information according to which the authentication method has been validated or not by the device you use.
2. Data we collect for the security of NeoBT
In order to protect your login data, transaction data and other information available in NeoBT, we have a legitimate interest in collecting and using the IP address(es) of the devices with which you connect to NeoBT and, if you use the mobile application, including: the device identifier (device ID) on which you install the app, device model, type and version of their operating system, including their history (e.g. date of addition/deletion).
Also, when starting the NeoBT mobile app, we use a tool that scans the app list of the mobile device you're connecting with to check for malware. The entire check is carried out on the mobile device used, without the bank knowing the installed applications. If malware is identified, an alert is sent to the bank and, depending on the situation, the transaction is processed or you are contacted to determine the terms of its processing.
We process this data to protect the information in NeoBT. If you refuse their processing, you will not be able to use NeoBT.
Optionally, you can also upload a profile photo in NeoBT, and your image is to be used in this case as additional information enhancing the protection of your data in NeoBT.
3. Data we process when you use NeoBT
In order to provide you with the NeoBT service contracted from BT, but also because we have the legitimate interest or, as the case may be, the consent of the users to send them messages in relation to this service, we use:
3.1 Data related to the accounts, cards and transactions
When you use different functionalities of NeoBT we shall process data related to: banking accounts (belonging to the customer who contracted NeoBT and the payment beneficiaries’), the cards attached to the accounts opened with BT, transactions ordered via the accounts (payments/receipts), as well as information classified as personal data of the customer who has contracted NeoBT, of the NeoBT user who uses this service and/or of other persons (such as payment beneficiaries, persons whose data you enter in the fields for specific payments, e.g. prepay card charging, payments of road tax vignettes and utilities), data entered in the fields dedicated to transaction descriptions, in the ones used to add predefined beneficiaries, in the messages sent via the secured messaging of NeoBT.
If you use the open banking functionality, BT will also have access to the following information which is, where applicable, personal data of you or of other persons to/from whom you have transferred/received amounts through the accounts with the financial institutions where the accounts you are integrating into Neo BT are opened: balance of the selected non-BT accounts, IBAN codes of these accounts, transaction history of the selected payment accounts, including the following details: transaction date, transaction amount, transaction details (transaction details and transaction authorization code, person from whom amounts were collected on that account or person to whom amounts were transferred from that account, respectively).
3.2 Contact details
If you use the SMS-OTP login method, we will use your phone number to send you messages about transactions initiated through NeoBT, including codes based on which you will approve transactions (if applicable).
We may use your phone number or email address to inform you/request additional information about transactions you initiate from NeoBT or to prevent fraud attempts (e.g. phishing).
We shall also use the inbox of the secured messaging service to send you different informative messages regarding BT and/or the bank’s products and services (e.g. messages about the amendment of the general terms and conditions, confidentiality policies, working hours of the bank units or possible malfunctions of the bank’s systems, non-banking working days, etc.) or advertising messages, if you have consented to this via the dedicated form (e.g. through Neo Radar).
If you submit different requests via NeoBT, such as a card issue request, or if you contract certain BT services available via NeoBT (e.g. SMS Alert, deposits, Mobile Banking, card-free cash withdrawals, etc.) we shall use the phone number that you have submitted to the bank, in order to inform you when the services are activated, or, as applicable, when the products can be taken over from BT’s unit you have selected to pick them up from.
For the transmission of documents such as bank statements, proofs of payment, CIP queries or vignettes, we shall process the e-mail address entered in the dedicated field. The e-mail address may be your own or that of a third party. BT shall not be held liable if you provide incorrect addresses which may lead to the disclosure of the data contained in such documents to unauthorized persons nor if the people to whom you have chosen to send these documents are bothered by receiving the message (they consider that they should not have received it).
3.3 Profile determined based on the payment behavior via NEO Radar
The NEO Radar functionality within Neo BT analyzes the user's payment behavior, creating a profile of the user through exclusively automated means. To create this profile, data related to the transactions carried out in the last 8 months through BT accounts and cards are used, respectively the amount, the accounts and/or cards through which the payment was made, the beneficiary of the payment (in the case of transactions at merchants including the type, name and location of the merchant, if this information is available). This information is aggregated, segmented, combined and analyzed. The profile based on the user's payment behavior is created and used for the purpose of analysis and financial education and - only with the consent of the user - also for advertising (marketing) purposes according to the following details:
- for the purpose of analysis and financial education of the user
The processing of personal data for creating the profile based on payment behavior and for issuing alerts/notifications based on this profile is based on the legitimate interest of the bank to notify NeoBT users about aspects related to the transactions carried out through the accounts or about the products/services held at BT and to raise awareness of the use of financial resources.
Examples: If BT finds that there are two payments in the same amount, on the same date and to the same merchant, it will send an alert via NEO Radar about a possible double payment, so that the user can investigate the situation; if the user makes a larger payment at a merchant they did not usually shop at, they may receive a notification about this; if the user used to make a payment around a certain date of the month to a certain payee in the past months, NEO Radar will determine a probability of making a payment to the same payee and notify the user about it. You can also receive notifications about differences between transactions from the previous month and the current month, such as increases or decreases in transaction amounts, etc.
This section of the NEO Radar functionality is enabled by default in NeoBT, but the user can disable it at any time (and re-enable it later if desired).
If you do not want your personal data to be processed for analysis and financial education through NEO Radar, you can deactivate this functionality in the NEO Radar section, by moving/sliding the button in this section to "off", thus expressing your opposition to the profiling based on payment behavior for analysis and financial education.
Disabling this section of NEO Radar does not prevent the user from using the other functionalities available in NeoBT.
- for advertising (marketing) purposes
If the user expresses his/her consent, the profile based on the payment behavior will also be created/used for advertising (marketing) purposes, for the transmission in NEO Radar of messages with information about BT services already contracted/used or with personalized recommendations in relation to other BT products and services.
This section of NEO Radar functionality is disabled by default. The user can express his/her consent for its activation by moving/sliding the button in this section to "on".
Once this section is activated, it can be deactivated at any time by sliding the button to the "off" position, which is equivalent to withdrawing consent for the creation/use of the profile based on payment behavior for advertising purposes.
Disabling this section of NEO Radar does not prevent the user from using the other functionalities available in NeoBT.
Notifications related to both sections of the NEO Radar functionality will only be received by the user, to use if and how they wish. BT does not take any decisions on the profiling based on payment behavior nor does it have access to personalized alerts, only to the number and type of alerts that a given user has received in a given time period.
3.4 Photo camera or geolocation
If you wish to use functionalities of the mobile NeoBT version which require the access to the device camera (e.g. barcode scan for invoice payments) or to the geolocation (e.g. to display the nearest BT ATMs or BT units), you shall be asked whether you want to grant such access or not. If you decline the access you shall not be able to use that functionality.
3.6. Registration and viewing of options regarding the processing of personal data for advertising (marketing) purposes
4. To whom we may disclose data as a result of using NeoBT
- other BT Customers who have the right and need to know them
a. Neo BT users (all NeoBT users are BT Customers)
If you have granted other people NeoBT user rights on all or some of the BT accounts, we will disclose to them - within Neo BT - the banking data (accounts, transactions, account and transaction identifiers, etc.) corresponding to the accounts you have granted them NeoBT user rights.
b. BT customers to whom you order payments from NeoBT
When you order transactions through NeoBT to the accounts of other BT customers, the data related to these transactions (usually, name, surname, amount, BT account IBAN, payment explanations) will be accessible to the beneficiaries to whom you made the payment.
- contractual partners (service providers) used in BT activity
NeoBT allows the purchase of goods and services of contractual partners of the bank. If you use these functionalities, the data required to purchase/activate these services is disclosed to these partners (these partners are also BT Customers).
Also, the contractual partners of the bank that support us in offering the Internet/Mobile Banking service may have access to your data processed in NeoBT, according to the need to know and only on the basis of adequate personal data protection guarantees.
The list of recipients above is completed with the one provided in the General Privacy Notice Regarding the Processing and Protection of Personal Data Belonging to BT Customers, section VIII.
5. How long we keep the data processed in the context of accessing/using NeoBT
Your data, in your capacity of BT customer, as well as the data regarding the operations carried on the accounts (including via NeoBT) are subject to the retention periods laid down in the applicable regulations, which are at least 5 years after your business relationship with the Bank/customer capacity ends, unless longer legal retention periods are applicable, which can extend up to 10 years after the business relationship/capacity of customer terminates.
6. How we protect personal data in NeoBT
Banca Transilvania takes appropriate technical and organizational measures to protect personal data in NeoBT. Despite these precautions, the Bank cannot guarantee that unauthorized persons will not gain access to your personal data, through the devices you use to access NeoBT, if they are unprotected or inadequately protected or if you knowingly or by mistake provide login data or other banking data to unauthorized persons. You are solely responsible for maintaining the confidentiality and security of the device used to access NeoBT (phone, computer, etc.) and in particular your login ID and/or login passwords (password, fingerprint or other security method provided by phone).
7. What are the rights of the data subjects
According to the General Data Protection Regulation ("GDPR"), as a data subject concerned with the processing of personal data in the context of accessing/using NeoBT, you are guaranteed the following rights: the right to be informed (we fulfill our obligation to inform you through this privacy notice), the right of access, the right to rectification, the right to erasure of data, the right to restrict the processing, the right to data portability, the right to opposition, the right to withdraw consent, the right to address the National Authority for the Supervision of Personal Data Processing Personnel (ANSPDCP) and justice. You can find details about these rights and the ways in which you can exercise them in the General Privacy Notice Regarding the Processing and Protection of Personal Data Belonging to BT Customers.