Information note on the processing of personal data for opening a business relationship with Banca Transilvania through BT Pay

1. Who is the controller of the personal data and the data subjects?

BANCA TRANSILVANIA S.A. (hereinafter referred to as "the bank", "BT", "we", "us") a credit institution, a Romanian legal entity, with the identification and contact details set out in section III of the Information Notice processing and protection of personal data belonging to BT Customers, offers resident, adult natural persons who do not have a current account with the bank the possibility to apply exclusively online, through the BT Pay mobile application, to open a business relationship with the bank ("current account"), to contract certain products/services through which transactions can be carried out on this account ("transactional products"), as well as to express their options in relation to the processing of their personal data for advertising purposes during the business relationship ("marketing options").

This process is dedicated only to individuals resident in Romania, of legal age (at least 18 years old), with tax residence in Romania and who do not already have a current account opened with BT in their name. 

Individuals who already have a current account with BT must go through the BT Pay registration/authentication process. If, although you already have a current account with BT, you initiate the process for individuals who do not have a business relationship with us, following the checks described in section A, we will identify you as a customer who already has a current account and you will be directed in the application to the process for current account customers who wish to register with BT Pay.

If you initiate the application process for opening a current account through BT Pay, we process several types of personal data, either on our own, as the exclusive data controller, or, where applicable, together with other controllers associated with us, as we inform you through this specific information notice. You are the data subject of this processing.

In the general note indicated above, which forms an integral part of the BT Privacy Policy website www.bancatransilvania.rowebsite, also found separately in the Privacy Hub section of this website, you will also find information about your rights in relation to the processing of your personal data, how you can exercise these rights or how to contact the designated BT Data Protection Officer (BT DPO).

Individuals who have a current account opened for them as a result of the BT Pay application become BT customers who are account holders and users of the BT Pay application. After opening your current account, when you access/use the BT Pay application, your personal data is processed as stated in Information notice on the processing of personal data within the BT Pay mobile application.

2. On what grounds do we process the data and what happens if you refuse processing?

The processing of personal data carried out when you go through the steps in BT Pay for opening a current account and contracting BT transactional products is based on the following grounds:

• the legal obligations to which BT is subject under various pieces of legislation (e.g. legislation in the area of customer due diligence for the prevention of money laundering and terrorist financing, legislation on remote video identification)
• conclusion/execution of the contract for the current account and transactional products or the completion of the necessary steps to conclude these contracts
• our legitimate interest and/or that of third parties, (e.g. interest in fraud prevention, interest in requesting customers' choices about the processing of their data for advertising purposes, legitimate interest in notifying persons who have initiated the process of opening a current account in BT Pay without completing it)
• the consent of the data subjects, to the extent that they wish to express it (e.g. your explicit consent to the processing of biometric data for remote identity verification by video means, consent to receive advertising messages or to be contacted for support if you interrupt your online flow)

If you do not agree to the processing of biometric data, you will not be able to open your current account via BT Pay. In this case, you can become a BT current account holder in any establishment without having such sensitive data processed.

Also, where we are required by law to carry out some processing of personal data or where it is necessary for the conclusion of contracts, if you refuse to process it, BT will not be able to open your current account or allow you to contract the transactional products available through BT Pay.

On the other hand, if you do not wish to express your marketing options, if you refuse to receive advertising messages or to be contacted for the purpose of providing support in BT Pay to complete the process, there are no consequences and you can continue/complete the process of opening the business relationship.

3. For what purposes do we process personal data, what is the data, how long do we keep it and to whom may we disclose it?

A. Personal data processed for identity verification 

Money laundering prevention legislation obliges us to verify the identity of people who apply to open a current account (establish a business relationship with the bank) and contract products/services. We also have a legitimate interest in ensuring that we prevent identity theft fraud attempts, especially online, and that we only allow people who meet the application conditions to go through the process.

In BT establishments, we verify the identity of the persons on the basis of the original ID card. In the online environment (including BT Pay) we use a remote video identification process, in accordance with the applicable legislation in this field. The remote identification method uses, in addition to personal data from the ID card, contact data, including so-called biometric data. We will not be able to use biometric data without your explicit consent. If you wish to express this consent, please tick the box next to the text "I agree to the processing of biometric data" on the dedicated BT Pay screen. If you do not agree to this processing, you can ask a BT unit to open your current account.

Before you decide freely whether you want to give your explicit consent to the processing of biometric data, here's how we are going to do remote identification in BT Pay:

1. you photograph your identity card or electronic identity card ("ID card"), front and back (requires access to the camera) - we take your identity data from it through optical character recognition (a process that allows automatic extraction of letters and numbers from the photographed ID card). At this point, we check your date of birth and the type of ID document you have photographed, to make sure you are eligible to go through the process in BT Pay.

2. you move in front of the camera (requires camera access) - we use your moving image to make sure you are a real person. In addition, we automatically compare features of your face in the selfie with features of your face in the photo ID. The comparison would be made biometrically, based on criteria such as the colour, size and slant of your eyes, the position and distance between the main features of your face such as your eyes, eyebrows, lips and nose. Following the comparison, the computer solution will output a result (accepted or rejected, as appropriate) indicating the probability that the face in the two images belongs to the same person. The data used for and resulting from the comparison is biometric data, which uniquely identifies you. If the score issued by the facial recognition tool is unsatisfactory, you will be able to resume the application process in a BT unit.

3. If the result of the biometric face comparison is satisfactory, we will automatically retrieve the data from the photo ID (through optical character recognition) and use it to complete the application for opening a business relationship with the bank and contracting transactional products.

4. We will also ask for your contact details - phone number and email address - which we will check to make sure they belong to you, as it is very important that they are correct and up-to-date. If you successfully complete the opening of your current account, these details will be used:

• and to send you messages of particular or general interest related to your status as a customer of the bank (including as necessary for your use of some of the transactional products contracted), messages evaluating the quality of BT's services or responses to various requests/complaints that you send us.
• only if you consent to the processing of your data for advertising purposes, these contact data will also be used to send you such marketing messages.

The remote video identification process described above can only be carried out with your consent. By ticking the appropriate box next to the text "I agree to remote identification by video means", you express your express consent to the remote identification process for the purpose of applying the know-your-customer measures in order to open a business relationship with Banca Transilvania, as well as your consent to the taking of photographs and/or images of you and your identity document.

The personal data indicated in points 1-4, used for identification, we also process to allow you to set your initial security code (PIN) in the application.

The personal data collected will be kept for 30 days unless you complete the current account application initiated in BT Pay by applying the qualified electronic signature. If you have signed the current account opening application through BT Pay and have subsequently opted out or been refused account opening, and if you have become a BT account holder as a result of this process, the data retention periods set out in Section I of the BT Privacy Policy.

For identification in BT Pay, BT uses the services of the service provider Onfido and its subcontractors. They process, only on behalf of and under the instructions of the bank, the data from your ID card, your image (from the selfie/video taken in BT Pay) and the biometric facial data used for identification in BT Pay.

Some of these service providers are located in third countries for which the European Commission has recognised that there is an adequate level of protection of personal data (UK), while others are located in third countries for which no such adequacy decision has been issued.

To the latter category of recipients we have ensured that the data transfer is carried out under appropriate safeguards in accordance with the mechanisms and provisions of the GDPR consisting of Standard Contractual Clauses approved by the European Commission which you can find here: https://eur-lex.europa.eu/legal-content/RO/TXT/PDF/?uri=CELEX:32021D0915&from=EN.

B. Personal data processed for the purpose of customer due diligence for the prevention of money laundering and terrorist financing, as well as for the conclusion and execution of current account contracts and transactional products

In order to prevent money laundering and terrorist financing, the bank applies know-your-customer measures to all persons wishing to open a current account. For the purpose of applying these measures, the bank is legally obliged to collect, update and store at least the following categories of personal data about the person applying for the current account: surname, first name, pseudonym, date and place of birth, personal identification number or similar unique identifier, nationality, domicile, residence, address where he/she lives and his/her legal status, telephone number, fax number, e-mail address, occupation, employer's name or nature of his/her activity, the purpose and nature of the business relationship with the bank, the source of funds to be used in the business relationship, the estimated level of daily transactions, whether or not the person is a publicly exposed person (PEP), the source of wealth and the important public position held (only in the case of PEPs), and details and copy of ID. Your identity card details can also be checked and updated (if applicable, if you become a customer) on the basis of the information provided to the bank by the Directorate General for Personal Records (D.G.E.P.). Also on the basis of the information from the D.G.E.P., the address where you live / mailing address registered with the bank will be updated, if you declare to the bank that the address where you live is the same as your home address.

The data indicated, together with all records obtained through the application of customer due diligence measures required by law - such as monitoring and checks carried out by the bank, supporting documents and records of transactions, including the results of any analysis carried out in relation to you as a customer, determine your risk profile and will be kept for a period of 5 years after the termination of your business relationship with the bank. This legal retention period may be extended under the same legislation. At the end of the retention period under this legislation, the bank will delete or anonymise these data, unless other legal provisions require their continued retention. In accordance with the legal obligation imposed on the bank by the Tax Procedure Code, part of the aforementioned data is also processed for the purpose of the reporting that BT must send daily to ANAF on account holders, their representatives, persons with the right to sign on accounts and beneficial owners. The legal retention period of this data is 10 years from the termination of the business relationship.

At the same time, the bank will assign you identifiers, such as, but not limited to: customer code (CIF BT), IBAN codes related to accounts opened with the Bank, bank card numbers, based on which you will be identified in the bank's systems.

Where required or necessary, your personal data as a customer will be disclosed/transferred to different categories of recipients (e.g.. to ANAF - under tax legislation, to other banks and their customers to whom/ from whom BT customers transfer/ collect amounts to/from BT accounts, to service providers used by the bank), including to entities that are part of the BT Financial Group, for legitimate purposes and under conditions that ensure their security. For full details of the processing of BT customer data, please read in full Note of general information notice on the processing and protection of personal data belonging to BT Customerswith which this specific information notice is supplemented.

C. For the collection of opt-ins in relation to the processing of personal data for advertising purposes, in relation to telephone contact for support and for sending push notifications in BT Pay

Collection of marketing options

The bank has a legitimate interest in collecting the choices of individuals who wish to open a current account regarding the processing of their personal data for advertising purposes. You are not obliged to express this option. However, if you choose to do so, you can choose to have your data processed for advertising purposes or to decline. Only if you give your consent will we send you advertising messages.

Before freely deciding whether you want to receive such messages, please consider the following: consenting to the processing of your data for the purpose of receiving advertising messages is optional. Refusal to give your consent does not affect your right to become a BT customer.

The personal data commonly processed to send advertising messages to customers are: name, surname, telephone number, e-mail and correspondence address declared to the bank for the business relationship.

If you opt-in to receive advertising messages, to ensure they are relevant, we will also use other information we learn about you when you use our services/products (e.g. transaction data, age, location, income range, etc.). We will study this data automatically(profiling) to make an opinion about which products/services/events would suit you.

If you agree to receive advertising messages, your consent will be valid until you withdraw/modify it or otherwise terminate your business relationship with the bank or, where applicable, your representative/agent status on other accounts, if you have such a relationship with BT.

If you wish to be contacted for advertising purposes, depending on the categories from which you choose to receive advertising messages, your option/data will be communicated by BT, for the purpose of sending advertising messages, to:

• entities within Banca Transilvania Financial Group BT Microfinanțare IFN SA, BT Asset Management S.A.I. S.A., BT Leasing Transilvania IFN S.A., BT Direct IFN S.A., BT Capital Partners S.S.I.F. S.A., BT Pensii Societate de Administrare a Fondurilor de Pensii Facultative SA, Fundația Clubul Întreprinzătorului Român, Fundația Clujul has Suflet and other entities that may join this group in the future - ("BT subsidiaries"), unless you have expressed other choices, on the proper forms used by the Subsidiaries for collecting the Marketing Agreement.
• partners current or future partners of BT and/or BT's subsidiaries whose products/services/events are related to BT's services/products ("partners"The list of categories of current partners of BT and/or BT's subsidiaries is accessible at the link https://www.bancatransilvania.ro/parteneri or, upon request, at any BT or BT Subsidiaries' premises.

For the actual delivery of advertising messages, your data will be disclosed to suppliers - as authorised persons of BT, BT subsidiaries or their partners.

Please bear in mind that whatever options you choose:

• does not relate to messages of general or particular interest to customers, which are transmitted by BT based on its legitimate interests in the proper conduct of the business relationship or its legal obligations;
• are not applicable for commercial notifications/messages sent within BT's mobile applications (including BT Pay), which have their own marketing options management system, available in the dedicated sections for settings (notifications) or privacy;
• does not influence the subscription/unsubscription of any e-mail address entered by you in forms available on BT websites to receive information in various areas of interest. Subscription to those newsletters is done via those online forms and unsubscription can be managed by following the unsubscribe link in the subscription messages.

Given the above information, in the process you will go through in BT Pay to open your current account, you will have the opportunity to express your choices regarding the processing of your personal data for advertising purposes. You will be shown both the option not to receive advertising messages (opt-out) and the option to receive such messages (opt-in). The opt-in option will be divided into several categories from which you will be able to choose: products and services of BT and/or BT subsidiaries, events organised by BT and/or BT subsidiaries, products/services of partners, which are related to products/services of BT or BT subsidiaries, or events organised by BT partners.

If you are an existing non-account holder BT customer who has previously given your marketing consent and you now select options that modify or withdraw your previously given consent, we will mark your new options in our records and honor them, but please note that it may take up to 5 business days for us to ensure that your data is removed from ongoing campaigns. During this time you may still receive advertising messages according to your previous choices.

Also, if you have previously expressed your refusal to have your data processed for advertising purposes and in the BT Pay current account opening process you express your consent, the newly expressed option will be the valid one.

With regard to the processing of your personal data for advertising purposes, you are guaranteed your rights under the General Data Protection Regulation (GDPR).

If you choose to express your consent to receive advertising messages, you can always withdraw/modify your consent and/or object to profiling for advertising purposes by doing so:

• by accessing the "Options regarding the processing of personal data for advertising purposes" on the bank's website - www.bancatransilvania.ro;
• by accessing the dedicated section of the NeoBT internet/mobile banking platform;
• through BT offices, where you can ask our employees to update your options regarding the processing of your personal data for advertising purposes;
• by sending a request to this effect to BT's head office, marked "for the attention of the DPO";

Collecting opt-in and contacting by phone for support purposes

If you interrupt the online application flow at any point, we want to give you the support you need to resume it. We will ask you at the start of the process of opening your current account through BT Pay if you consent to us contacting you for support purposes and we will only call you for this if you give us your consent.

Collecting the opt-in for and sending push notifications in BT Pay

Also at the start of the process, you will be asked if you allow push notifications in BT Pay. If you accept such notifications and do not complete the application process within the deadline set after you set your PIN, we will send you notifications to remind you to restart the process. In this case, you will resume the process from where you left off. If you don't set your PIN or complete the process within the set deadline, you will have to start the process again from the beginning if you want to open your current account through BT Pay.

D. For the conclusion of contracts relating to transactional products in the subscription you choose

Depending on the type of subscription you choose, we process your personal data about the type of subscription you have chosen and the transactional products included in it (e.g. cards, internet banking), including for setting the applicable fees for the products included in the subscription.

Please note that for insurance products included in some types of subscriptions, the controller of your personal data necessary for the conclusion and execution of the insurance contract/policy is the insurer offering those services. BT only processes insurance data as a controller for the collection of the insurance premium payment (included in the subscription).

E. For the issuance and management of the Qualified Digital Certificate issued by Alfatrust Certification S.A. for the signing of documentation in relation to BT 

In order to complete the process of opening your BT current account through BT Pay, you will need to sign with a qualified electronic signature the application for opening the contractual/business relationship and for contracting the transactional products included in the subscription and, if applicable, the form with the options regarding the processing of your data for advertising purposes.

The issuance and use of the digital certificate for signing is free of charge for you, but it is necessary for BT and Alfatrust, as associated operators, to jointly process personal data about you for the issuance of this electronic signature, as we inform you below:

a.Personal data controllers

Pursuant to Art. 13-14 of EU Regulation 679/2016 - General Data Protection Regulation ("GDPR"), Alfatrust Certification S.A. ("Alfatrust") and Banca Transilvania S.A. ("BT" or "Bank"), having the identification and contact details indicated in the Terms and Conditions for the provision of certification services for qualified digital certificates, inform you about the processing of your personal data, as a User ("data subject"), that they carry out as associated operators for the purpose mentioned in letter b below.

b.Purpose and basis of processing of personal data

The purpose for which the associated controllers process the User's data is to issue and manage the Qualified Digital Certificate ("Certificate"). BT is the controller that identifies the User, i.e. collects from the User the personal data required for the issuance of the Qualified Digital Certificate, and transmits them to Alfatrust for the controller to issue the Certificate. The data that BT collects from Users are those processed by the Bank in its own records, in the context of the business relationship that is initiated between the User and the Bank at the time of the transmission of the data to Alfatrust.

During the period of validity of the certificate, personal data are processed by the associated operators, as appropriate, including in cases where Users request suspension or revocation of the certificate in the manner detailed in the Terms and Conditions of Service.

The grounds for processing personal data for the defined purpose are the legal obligation (Art. 6 para. 1 lit. c GDPR), the conclusion/performance of the Contract (Art. 6 para. 1 lit. b GDPR) and the legitimate interest of the associated controllers (Art.6 para. 1 lit. f GDPR).

As far as the legal obligation is concerned, both BT - as the credit institution with which the User initiates a business relationship, and Alfatrust - as the accredited certification service provider from which the User wishes to obtain a certificate, are subject to the applicable legal provisions in the field of prevention of money laundering and terrorist financing, according to which they must collect a series of personal data. These data are also necessary for the conclusion/execution of the Contract on the basis of which the User is allowed to use the certificate to sign documentation in relation to BT.

In order to support Users who wish to make a request for suspension or withdrawal of the certificate, member operators justify a legitimate interest in giving them the possibility to submit such requests not only directly to Alfatrust but also via BT. The handling of such requests involves the exchange of Users' personal data between the two associated operators. The contact data - telephone number and home address - will be processed by either of the associated operators whenever it is necessary to contact the end user for the proper performance of the contractual relationship related to the qualified digital certificate.

c.Categories of personal data and persons whose personal data are processed.

The personal data processed in order to achieve the purpose mentioned are those required by law to be collected by a credit institution or by a certification service provider for the prevention of money laundering and the suppression of terrorism, namely: name, surname, CNP, home/residence address, validity date of the identity document, telephone number and copy of the identity document. All these data, as collected by the Bank, will be made available to Alfatrust for the issuance and management of the Qualified Digital Certificate.

The processing of this personal data is necessary for the generation of the Qualified Digital Certificate. The User's refusal to have this data processed will make it impossible to issue the Qualified Digital Certificate. The persons concerned by this processing are only Users, as defined in the Terms and Conditions of Use.

d.Recipients of personal data.

With the exception of associated controllers between whom personal data processed for the purpose of the processing will be exchanged, the data shall be disclosed, as appropriate, to employees of the associated controllers who need to know them, IT service providers, auditors, authorities and institutions entitled to know them.

e.Period of processing of personal data.

Information on a Qualified Digital Certificate (including personal data) is processed by Alfatrust for a period of 10 years from the date of its termination of validity, in accordance with legally established deadlines.

At the level of Banca Transilvania, the remote electronic signature, applied on the basis of the Qualified Digital Certificate issued by Alfatrust on the documentation signed in relation with BT is kept for the entire period during which a business relationship is carried out between the User-customer and BT, plus the terms established in the applicable banking legislation, i.e. at least 5 years from the termination of the business relationship with the credit institution.

f.The rights of data subjects to have their personal data processed for the purposes indicated.

Any User, as a data subject, is guaranteed the right to exercise the following rights with regard to the processing of his/her personal data with any of the associated controllers: the right of access, the right to rectification, the right to restriction of processing, the right to erasure of data, the right to object to the processing of data, the right to data portability.

Users may exercise these rights or contact the Data Protection Officers for any questions/requests regarding the processing of personal data, as follows:

• Banca Transilvania S.A.- by e-mail to dpo@btrl.ro or by a request sent to the BT head office, with the mention "for the attention of the Data Protection Officer (DPO)".
• to Alfatrust Certification S.A.- by e-mail to dataprotection@alfasign.ro or by a request sent to Alfatrust's head office, marked "for the attention of the Data Protection Officer (DPO)".

Users also have the right to lodge a complaint with the supervisory authority - the National Supervisory Authority for Personal Data Processing (ANSPDCP), with sediul Bucharest, sector 1, Bd. G-ral Gh. Magheru nr. 28-30.