Information note on the processing of certain personal data of BT customers provided by the Directorate-General for Personal Data Registration for the purpose of applying customer awareness measures
1. About BT customer data provided by the Directorate General for Personal Records
On the basis of the regulations applicable in Romania in the field of customer due diligence for the purpose of preventing money laundering and terrorist financing, a framework cooperation agreement was concluded between the Romanian Association of Banks ("A.R.B.") and the Directorate General for Personal Records ("D.G.E.P."), establishing the general conditions under which A.R.B. member banks - including Banca Transilvania ("the bank", "BT") - will be able to conclude contracts with D.G.E.P. in order for the banks to carry out customer due diligence measures for the prevention of money laundering and terrorist financing, respectively for the validation of personal data related to the bank's customers, by comparing them with the existing information in the National Register of Persons (R.N.E.P.) and providing additional updated personal data.
Pursuant to the framework agreement concluded between A.R.B. and D.G.E.P., Banca Transilvania and D.G.E.P. concluded the Contract on the validation and provision of data from the National Register of Persons (R.N.E.P.), which was registered under no. 501615/04.05.2023 at BT and under no. 3497232/08.05.2023 at D.G.E.P. (hereinafter referred to as "the Contract"), found in Annex this information note.
2. Controllers of personal data and data subjects
If you are a Romanian citizen, an individual customer of BT or if you are going through the steps to become a BT customer, the personal data mentioned in this information will be processed in accordance with the provisions of the Contract concluded between BT and D.G.E.P., for the purpose of the application by BT of the customer due diligence measures to prevent money laundering and terrorist financing. Thus, you are a data subject of the processing.
The BT customers whose data will be processed are natural persons, Romanian citizens, both holders of products and services and legal representatives (e.g. guardians, curators) and conventional representatives (authorised representatives, delegates, mandataries, etc.), shareholders and beneficial owners of legal persons, including natural persons who are users of the products or services owned by the legal person, natural persons who are third party guarantors (signatories of movable or immovable mortgage contracts) for loans granted to natural persons or legal persons.
BT and D.G.E.P. will process data subjects' data as each in its capacity as controller, but they have contractually agreed on ways to work together to respect your rights and freedoms in relation to the processing of your data and to ensure the appropriate security of such data.
We remind you that general information about Banca Transilvania's processing of BT customers' data can be found in General information note on the processing and protection of personal data of BT customers.
3. Purpose and basis of data processing, categories of data processed
BT, as a credit institution, has a legal obligation to collect from its customers/potential customers including personal data from their identity card and copies of their identity documents, for the purpose of applying know-your-customer measures to prevent money laundering and terrorist financing. Details of BT's data processing for this purpose can be found on the BT website at Information notice on the processing of personal data of BT customers for the purpose of customer due diligence for the prevention of money laundering and terrorist financing.
BT must also ensure that this data is always accurate and, where necessary, updated in its records. To this end, BT will transmit to the D.G.E.P. the name, surname and CNP of data subjects who are customers or are taking steps to become BT customers.
The D.G.E.P. will process and validate these data through automated procedures and will additionally provide to BT about these persons: name, surname, type, series and number of the identity document, date of issue and expiry of the identity document, place of birth, issuer of the identity document, home address, residence address, photograph and information on the date of death, where applicable, as these data appear in the R.N.E.P.
BT will use the data received from the D.G.E.P. for the purpose of applying customer awareness measures. This means that if you are already a BT customer and the data we receive from D.G.E.P. is different/more recent than the data we hold about you, we will update the data we receive from D.G.E.P. without you having to update this data yourself at the bank.
4. Automated decision-making processes
BT will not take any action that would produce legal effects or similarly affect you to a significant extent solely on the basis of the automatic processing of data provided by D.G.E.P., unless the provisions of Article 22 of the General Data Protection Regulation (GDPR) are complied with.
5. Recipients of the data
The recipients to whom we disclose/transfer BT customer data, including in this information, are set out in Section VIII. To whom we may disclose/transfer Customer personal data from General information notice on the processing and protection of BT Customers' personal data. Data exchanged between BT and D.G.E.P. is not transmitted to third countries or international organisations.
6. Period of storage of personal data by BT
The data processed for the purpose of applying customer due diligence measures shall be kept, in accordance with the applicable legislation in this field, for 5 years after the termination of the customer's business relationship with the bank. This period may be extended under the same legislation. Upon expiry of the retention period under this legislation, the bank will delete or anonymise these data, unless other legal provisions require their continued retention.
7. The rights you are guaranteed
In connection with the processing of personal data, you are guaranteed the exercise of your rights under the GDPR. You can exercise these rights at BT or contact the BT Data Protection Officer (BT DPO) for questions about data processing by writing to the e-mail address dp o@btrl.ro or, by post to the Banca Transilvania office in mun. Cluj-Napoca, Calea Dorobantilor no. 30-36, jud. Cluj. As long as you are a BT customer, you can also exercise these rights at the bank using the online form available at this address: https://www.bancatransilvania.ro/dsar/verificare/
The rights guaranteed to you are: the right to information (we fulfil our obligation to inform you through this information notice), the right to object, the right of access to processed data, the right to rectification of data, the right to erasure of data, the right to restriction of processing, the right to data portability, the right not to be subject to a decision based solely on automatic data processing, the right to lodge a complaint with the National Authority for the Supervision of Personal Data Processing (ANSPDCP). The fact that you are guaranteed the exercise of these rights does not mean, however, that all of them can be accommodated, given the legal basis and the purpose for which the data in this information are processed.