11. CONFIDENTIALITY. PROCESSING AND PROTECTION OF PERSONAL DATA
11.1. The parties undertake to impose the obligation of confidentiality on all their employees who have access to confidential information as a result of their work.
11.2. The Bank shall keep confidential the information concerning the Client's accounts and the operations ordered by the Client or its authorised representatives and shall not disclose it without the Client's consent except in the cases expressly mentioned in the applicable legislation in force.
11.3. When you use the BT24 Internet/Mobile Banking service, Banca Transilvania, as operator, processes personal data as follows:
11.3.1. What data we collect for BT24 user identification/authentication
In order for people to use BT24, it is necessary to verify their identity, i.e. to check that they are authorised users of this service, in accordance with our obligations under payment services legislation and because we have a legitimate interest in preventing fraud. This identification is carried out on the basis of the BT24 login ID (hereinafter referred to as "user ID") and a password. The password required for the first login is the one sent by SMS to the phone number declared by the user to the bank. To this phone number we will send unique codes (SMS-OTP, one time password) at each login, as well as for some transactions, together with messages about the transaction.
If the user uses the mobile version of BT24 and logs into the app with biometric data (e.g. fingerprint, face-ID), please note that BT does not have access to this information, but it is stored on the user's device. BT only obtains the information whether or not the authentication method has been validated by the device used.
11.3.2. What data we collect to ensure the security of BT24
In order to protect your log data and other information in BT24, we also need to process information about your geographical location and the devices you access BT24 with (as applicable, model, operating system and version, RAM, total bandwidth, type of connection used - WI-FI or mobile data, including the operator from whom you use mobile data, device identifier such as device ID or IMEI, depending on the device operating system and version, including the history of devices used, i.e. date added/removed in BT24). We process this data both because payment services legislation requires us to put in place monitoring mechanisms to enable us to identify unauthorised or fraudulent payment transactions and because we have a legitimate interest in preventing fraud.
In order to prevent fraud, as required by law and in our legitimate interest, we check the device you connect with for malware, including applications such as remote/remote login. While using the application, if you are making transactions, we also check whether the device is or has recently been used for calls, but we do not find out details of the numbers/persons you have used. If such apps are identified, an alert is sent to the bank and, depending on the situation, access to the app may be blocked, the transaction may be blocked or you may be contacted by the bank.
If you refuse the processing of the above data, you will not be able to use BT24.
11.3.3. What data we process in the context of using BT24
In order to provide you with the BT24 service contracted from BT, but also because we have a legitimate interest in sending you messages in connection with this service, we use:
11.3.3.1 Account, card and transaction data
When you use the various functionalities of BT24 we will process data relating to: bank accounts (of the customer who contracted BT24 and of payment recipients), cards attached to accounts opened with BT, transactions ordered through accounts (payments/receipts), as well as information of a personal data nature of the customer who contracted BT24, of the user who uses the service and/or of other persons (such as payment recipients, persons whose data are entered in the BT24 fields for specific payments, e.g. the prepaid cards, the payment of tolls, the payment of utilities), data entered in the fields related to the explanations of transactions, in those used to define predefined beneficiaries, in the messages sent via BT24 secure messaging.
11.3.3.2 Contact data
If the SMS-OTP login method is used, we will use the phone number to send messages about transactions initiated via BT24, including codes based on which the user approves the transactions (if applicable). We may use the telephone number or e-mail address to inform/request the customer or user for additional information about transactions initiated from BT24 or to prevent fraud attempts (e.g. phishing). We will also use the secure messaging inbox to send various messages of an informative nature in relation to BT and/or the bank's products and services (e.g. messages about changes to the GTC, the Privacy Policy, the opening hours of banking units or possible malfunctions of some of the bank's systems, non-banking working days, etc.). In the case of sending documents such as statements of account, proof of payment or tickets, we will process the e-mail address entered in the dedicated field. The e-mail address can be that of the user/customer or third parties. BT will not be liable in the event of the provision of incorrect addresses which may lead to the disclosure of data contained in bank documents to unauthorised persons, nor in the event that the persons to whom the user has chosen to send these documents are annoyed by the receipt of the message (they consider that they should not have received it).
11.3.3.3. Camera, geolocation and other permissions
The use of certain functionalities of the BT24 mobile application is allowed only after the user has accepted the permissions: camera (access to the camera is requested only when using the option to scan the barcodes of the invoices), location (accurately checked in the "Locations of units and ATMs" section to display the nearest Banca Transilvania units and ATMs), contacts (their list is opened only when accessing the Email/SMS Payments to automatically fill in the beneficiaries' details), status and phone identity (device ID or, where applicable, IMEI is required to activate the mobile application).
In order to use features of BT24 for mobile that require access to the device's camera (e.g. barcode scanning for bill payments) the user will be asked if they agree to allow such access. If they do not agree, they will not be able to use that functionality.
11.3.3.4. Beneficiary Name Display Service (BNDS)
In order to provide the Payee Name Display Service (BNDS) for the purpose of fraud prevention for interbank payments initiated from payment/internet banking applications, your personal data is processed as detailed in the Information Notice on the Processing of Personal Data within the Payee Name Display Service (BNDS).
In order to prevent fraud in the case of intrabank payments initiated from its own payment/internet banking applications, BT processes - as an independent controller - the same categories of personal data that are also used within SANB, but without the involvement of other participating banks and without the involvement of Transfond. The basis for the processing of your data is BT's legitimate interest in preventing fraud in intra-bank payments (BT-BT). Your full first name (one or more, as appropriate) and the first name of your surname registered with BT will be displayed to other BT customers who initiate a payment to your BT account from an application of the bank, whether the payment is completed or not.
11.3.4. To whom we may disclose data as a result of using BT24
- other BT Customers who have a right and need to know them
a. BT24 users (all BT24 users are BT Customers) - if the customer grants other persons BT24 user rights on all or some of their BT accounts, we will disclose to them - within BT24 - the banking data (accounts, transactions, account and transaction identifiers, etc.) corresponding to the accounts on which they have been granted BT24 user rights.
b. BT customers to whom you order payments from BT24 - When you make transactions via BT24 to accounts of other BT customers, the data related to these transactions (usually name, surname, first name, amount, BT account IBAN, explanation of the payment), will be accessible to the beneficiaries to whom you made the payment.
- contractual partners (service providers) used in BT's business
BT24 allows the purchase of goods and services from the bank's contractual partners. If you use these functionalities, the data required to purchase/activate these services are disclosed to these partners (these partners are also BT Customers).
Also, the personal data processed in BT24 may be accessed on a need-to-know basis and only on the basis of adequate personal data protection safeguards by the bank's contractual partners who support us in providing the Internet/Mobile Banking service.
The above list of addressees shall be supplemented by the list provided for in the General information notice on the processing and protection of personal data of BT customers, section VIII.
11.3.5 How long we keep the data processed in the context of accessing/using BT24
Your data, as a BT customer, as well as data on transactions carried out through the accounts (including through BT24) are subject to the retention regime provided for by the applicable regulations, being at least 5 years from the end of the business relationship with the bank/the end of the BT customer status, unless longer legal periods are applicable, which can be up to 10 years from the end of the business relationship/the end of the BT customer status.
11.3.6. What rights do data subjects have
According to the General Data Protection Regulation ("GDPR"), persons whose personal data are processed in the context of accessing/using BT24 are guaranteed the following rights: the right to be informed (we fulfil our obligation to inform data subjects of the processing through this information notice), the right of access, the right to rectification, the right to erasure of data, the right to restriction of processing, the right to data portability, the right to object, the right to address the National Authority for the Supervision of Personal Data Processing (ANSPDCP) and justice. Details of these rights and how they can be exercised can be found in the General information note on the processing and protection of personal data of BT customers, available on the website www.bancatransilvania.ro, including in the Privacy Hub section of the website and, upon request, in any of the bank's offices.