1. Who is the data controller and what is the purpose of the processing?
Banca Transilvania S.A. ("Bank", "BT"), shall ensure that payments with BT cards in the online environment are secure. That is why in BT Pay we apply identification rules in accordance with payment services legislation, whereby we verify who you are, what you hold and what you know, to ensure your identity. We verify your identity for this purpose at several stages: when you register/re-register with BT Pay, when you set/reset/unlock your PIN (security code) in the app, and every time you access the app or authorise transactions in it.
As part of this identification process, we process personal data as follows:
2. What data do we use and what happens if you refuse to process it?
To register for BT Pay
To verify your identity in BT Pay when you register in the app, you will need to go through a few steps:
1. you photograph your identity card ("ID card"), front and back (requires access to camera) - we take your ID details from your ID card using optical character recognition (a process that automatically extracts the letters and numbers from the photographed ID card) and compare them with those already in the bank's records to make sure they match.
2. you move in front of the camera (requires camera access) - we use your moving image to make sure you are a real person. In addition, we automatically compare features of your face in the selfie with features of your face in the photo ID and, if applicable, in the ID already on file, to make sure they belong to the same person. The comparison would be made biometrically, based on criteria such as the colour, size and slant of the eyes, the position and distance between the main facial features such as the eyes, eyebrows, lips and nose. Following the comparison, the computer solution will give a confidence score, indicating the likelihood that the faces in the two images belong to the same person. The data used for and resulting from the comparison is biometric data, which uniquely identifies you. They are special/sensitive data. We use such data only under the following conditions:
- if you are an adult user, BT Pay processes biometric data:
- for your identification in BT Pay only if you give your explicit consent/agreement by clicking on the "I consent to the processing of biometric data" button below. If you do not wish to consent to the processing of your biometric data, we can identify you in a BT unit, where your biometric data will not be processed for registration in BT Pay.
- for the identification in BT Pay of a minor over 14 years of age for whom you are the parent/guardian/legal representative (hereinafter referred to as "parent") and wish to use a card attached to his/her own bank account in BT Pay, only if you explicitly consent/agree to this. You express this consent in the BT Pay Kiddo section, if you tick the box next to the third "I agree to the processing of my child's biometric data" and then press the 'confirm' button. If you want your child to be able to use BT Pay for minors who have a BT account but you do not wish to give your consent to the processing of their biometric data, you must present yourself and your child at a BT unit, where they will be identified without the use of their biometric data.
- if you are a minor who wants to use BT Pay for minors who have a BT account, we may only use your biometric data for identification in BT Pay if a parent/guardian/legal representative of yours ("parent") gives explicit consent/agreement (as detailed in the previous paragraph). Even if a parent consents to us processing your biometric data for identification in BT Pay, if you do not feel comfortable with us using such data, do not initiate the BT Pay enrolment process and ask your parent to go to a BT unit where you can be identified without us processing your biometric data.
3. say the numbers that are displayed on the screen (requires access to the microphone) - we use your voice to make sure you are a real person.
We do not rely only on this automatic processing of your data; our employees also perform checks on your data.
If you are an adult user, you will also be able to set your BT Pay PIN during the registration process.
For re-registering with BT Pay after setting a PIN in the app, for setting, resetting and unlocking the PIN
We use for your identification, as appropriate, all or part of the following personal data: the phone number declared to the bank, the PIN set for the application, the image from the selfie you will have to take (requires access to the camera) and the one from the ID card in the bank's records that we will compare biometrically, thus using the biometric data of your face (only if you consent to the processing of this type of data, through an explicit action that you will be asked for in a dedicated screen).
To access the application and authorise transactions in BT Pay (together referred to as "BT Pay login")
To identify you for authentication in BT Pay, regardless of whether the identification for registration in BT Pay was done directly in the App or in a BT unit, we process the following categories of personal data, depending on the method you used for authentication:
- if you do not have a PIN set in BT Pay, we process your phone's unlock method (whatever it is: fingerprint, face ID, PIN or phone unlock pattern). In this case, the Bank does not know the unlock method used, but implicitly knows that it has been entered correctly, if the transaction authorisation is successful.
- if you have your PIN set in the app, we use your PIN for identification and/or - if you activate the use of biometrics for authentication in BT Pay: biometrics (fingerprint, face ID - biometric facial features) and the biometric method set in your phone and BT Pay respectively.
If you enable biometric authentication in BT Pay, you should be aware that the Bank does not have access to your fingerprint or biometric facial features, but only uses the result of the comparison between the fingerprint applied/facial features scanned and the fingerprint/facial features stored in the device you are using, to enable you to authenticate in the app. If biometric authentication fails, you will need to use the PIN set in BT Pay for authentication.
By activating biometric authentication in BT Pay you give your explicit consent to the processing of biometric data related to your chosen biometric method for the purpose of identifying you for authentication in BT Pay.
Please note that if you enable biometric authentication in BT Pay and other people's fingerprints/face-IDs are also registered on the device you are using, any of them can successfully authenticate in BT Pay.
3. Data recipients and transfer of data to third countries
For this identification service, BT uses the services of the provider Onfido and its subcontractors, who process, solely on behalf of and under the instructions of the bank, the data from your ID card, your image (from the selfie/video taken in BT Pay) and the biometric facial data used for identification in BT Pay.
Some of these service providers are located in third countries for which the European Commission has recognised that there is an adequate level of protection of personal data (UK), while others are located in third countries for which no such adequacy decision has been issued.
For the latter category of recipients, we have ensured that the transfer of data is carried out under appropriate safeguards in accordance with the mechanisms provided by the GDPR, consisting of Standard Contractual Clauses approved by the European Commission, which you can find here: https://eurlex.europa.eu/legal-content/RO/TXT/PDF/?uri=CELEX:32021D0915&from=EN.
4. Special notice to US users of the App regarding the processing of personal data required for identification purposes
U.S. users of BT Pay, as defined in the Terms and Conditions of Use of the App, should be aware that under applicable U.S. law for the processing of biometric data, including the Illinois Biometric Information Privacy Act (BIPA), their personal data of this type is processed by Onfido as detailed in Onfido's Facial Scanning and Voice Recording Policy, found at the following link: https://onfido.com/facial-scan-policy-and-release/
If you are a US user of BT Pay, by continuing the identification process in the App as described above, you confirm that you have read, understand and accept Onfido's Facial Scanning and Voice Recording Policy and Onfido Privacy Policy and Onfido Terms and Conditions.
The provisions of this specific information note shall be supplemented by those of the Information notice on the processing of personal data within the BT Pay mobile application, respectively with those of the Information Notice on the processing in BT PAY of personal data of users under 14 years of age who have a BT account (in the case of users under the age of 14 who use the functionality for minors who have a BT account), as well as the General Information Notice on the processing and protection of personal data of BT Customers. The General Information Notice is an integral part of the BT Privacy Policy, which you can find on the website of Banca Transilvania in the Privacy Hub section or in BT units. In this notice you will find details about your rights in relation to the processing of your data, the ways in which you can exercise them, the contact details of the BT DPO and the data retention period.