Information on the processing and protection of personal data in the BT24 Internet/ Mobile Banking application

11. CONFIDENTIALITY. PROCESSING AND PROTECTION OF PERSONAL DATA

11.1. The parties undertake to impose the obligation of confidentiality on all their employees who have access to confidential information as a result of their work.

11.2. The Bank shall keep confidential the information concerning the Client's accounts and the operations ordered by the Client or its authorised representatives and shall not disclose it without the Client's consent except in the cases expressly mentioned in the applicable legislation in force.

11.3.When you use the BT24 Internet/Mobile Banking service, Banca Transilvania, as operator, processes personal data as follows:

11.3.1.What data we collect for BT24 user identification/authentication

In order to use BT24, in accordance with the provisions applicable in the field of payment services and because we have a legitimate interest in preventing fraud, it is necessary to verify the identity of users, i.e. to identify them as an authorised user of this service. This identification is done on the basis of the BT24 login ID (hereinafter referred to as "user ID") and a password. The password required for the first login is the one sent by SMS to the phone number declared by the user to the bank. To this phone number we will send unique codes (SMS-OTP, one time password) at each login, as well as for some transactions, together with messages about the transaction.

If the user uses the mobile version of BT24 and logs into the app with biometric data (e.g. fingerprint, face-ID), please note that BT does not have access to this information, but it is stored on the user's device. BT only obtains the information whether or not the authentication method has been validated by the device used.

11.3.2. What data we collect to ensure the security of BT24

In order to protect users' login, transaction and other information available on BT24, we have a legitimate interest in collecting and using the IP address(es) of the devices with which users connect to BT24 and, if using the mobile app, including: the identifier of the devices (device ID or IMEI, as applicable, depending on the device's operating system and version) on which you install the app, the model of the devices, their operating system type and version, including their history (e.g. date added/deleted).

We also use a tool when you start the BT24 mobile app that scans the app list of the device you're connecting to for malware, including apps such as remote/remote login. If such apps are identified, an alert is sent to the bank and, depending on the situation, the transaction will be processed or you will be contacted to set the conditions for processing. We process this data to protect the information in BT24. If you refuse their processing, you will not be able to use BT24.

11.3.3. What data we process in the context of using BT24

In order to provide you with the BT24 service contracted from BT, but also because we have a legitimate interest in sending them messages in connection with this service, we use:

11.3.3.1 Account, card and transaction data

When you use the various functionalities of BT24 we will process data relating to: bank accounts (of the customer who contracted BT24 and of payment recipients), cards attached to accounts opened with BT, transactions ordered through accounts (payments/receipts), as well as information of a personal data nature of the customer who contracted BT24, of the user who uses the service and/or of other persons (such as payment recipients, persons whose data are entered in the BT24 fields for specific payments, e.g. the prepaid cards, the payment of tolls, the payment of utilities), data entered in the fields related to the explanations of transactions, in those used to define predefined beneficiaries, in the messages sent via BT24 secure messaging.

11.3.3.2 Contact dates

If the SMS-OTP login method is used, we will use the phone number to send messages about transactions initiated via BT24, including codes based on which the user approves the transactions (if applicable). We may use the telephone number or e-mail address to inform/request the customer or user for additional information about transactions initiated from BT24 or to prevent fraud attempts (e.g. phishing). We will also use the secure messaging inbox to send various messages of an informative nature in relation to BT and/or the bank's products and services (e.g. messages about changes to the GTC, the Privacy Policy, the opening hours of banking units or possible malfunctions of some of the bank's systems, non-banking working days, etc.). In the case of sending documents such as statements of account, proof of payment or tickets, we will process the e-mail address entered in the dedicated field. The e-mail address can be that of the user/customer or third parties. BT will not be liable in the event of the provision of incorrect addresses which may lead to the disclosure of data contained in bank documents to unauthorised persons, nor in the event that the persons to whom the user has chosen to send these documents are annoyed by the receipt of the message (they consider that they should not have received it).

11.3.3.3. Camera, geolocation and other permissions

The use of certain functionalities of the BT24 mobile application is allowed only after the user has accepted the permissions: camera (access to the camera is requested only when using the option to scan the barcodes of the invoices), location (accurately checked in the "Locations of units and ATMs" section to display the nearest Banca Transilvania units and ATMs), contacts (their list is opened only when accessing the Email/SMS Payments to automatically fill in the beneficiaries' details), status and phone identity (device ID or, where applicable, IMEI is required to activate the mobile application).

In order to use features of BT24 for mobile that require access to the device's camera (e.g. barcode scanning for bill payments) the user will be asked if they agree to allow such access. If they do not agree, they will not be able to use that functionality.

11.3.3.4. Beneficiary Name Display Service (BNDS)

In order to provide the Payee Name Display Service (BNDS) for the purpose of fraud prevention for interbank payments initiated from payment/internet banking applications, your personal data is processed as detailed in the Information Notice on the Processing of Personal Data within the Payee Name Display Service (BNDS).

In order to prevent fraud in the case of intrabank payments initiated from its own payment/internet banking applications, BT processes - as an independent controller - the same categories of personal data that are also used within SANB, but without the involvement of other participating banks and without the involvement of Transfond. The basis for the processing of your data is BT's legitimate interest in preventing fraud in intra-bank payments (BT-BT). Your full first name (one or more, as appropriate) and the first name of your surname registered with BT will be displayed to other BT customers who initiate a payment to your BT account from an application of the bank, whether the payment is completed or not.

11.3. 4. To whom we may disclose data as a result of using BT24

• other BT Customers who have a right and need to know them

a. BT24 users (all BT24 users are BT Customers) - if the customer grants other persons BT24 user rights on all or some of their BT accounts, we will disclose to them - within BT24 - the banking data (accounts, transactions, account and transaction identifiers, etc.) corresponding to the accounts on which they have been granted BT24 user rights.

b. BT customers to whom you order payments from BT24 - When you make transactions via BT24 to accounts of other BT customers, the data related to these transactions (usually name, surname, first name, amount, BT account IBAN, explanation of the payment), will be accessible to the beneficiaries to whom you made the payment.

• contractual partners (service providers) used in BT's business

BT24 allows the purchase of goods and services from the bank's contractual partners. If you use these functionalities, the data required to purchase/activate these services are disclosed to these partners (these partners are also BT Customers).

Also, the personal data processed in BT24 may be accessed on a need-to-know basis and only on the basis of adequate personal data protection safeguards by the bank's contractual partners who support us in providing the Internet/Mobile Banking service.

The above list of addressees shall be supplemented by the list provided for in General information notice on the processing and protection of personal data of BT customerssection VIII.

11.3.5 How long we keep the data processed in the context of accessing/using BT24

Your data, as a BT customer, as well as data on transactions carried out through the accounts (including through BT24) are subject to the retention regime provided for by the applicable regulations, being at least 5 years from the end of the business relationship with the bank/the end of the BT customer status, unless longer legal periods are applicable, which can be up to 10 years from the end of the business relationship/the end of the BT customer status.

11.3.6. What rights do data subjects have

According to the General Data Protection Regulation ("GDPR"), persons whose personal data are processed in the context of accessing/using BT24 are guaranteed the following rights: the right to be informed (we fulfil our obligation to inform data subjects of the processing through this information notice), the right of access, the right to rectification, the right to erasure of data, the right to restriction of processing, the right to data portability, the right to object, the right to address the National Authority for the Supervision of Personal Data Processing (ANSPDCP) and justice. Details of these rights and how they can be exercised can be found in General information note on the processing and protection of personal data of BT customersavailable on the website www.bancatransilvania.roincluding in the section Privacy Hub section of the website and, upon request, in any of the bank's offices.

The terms and conditions for using and carrying out BT24 Internet/ Mobile Banking transactions can be found at here.