This page is automatically translated from Romanian into English.

Download BT Pay

Scan the code with your mobile phone, depending on your phone system.

Download BT Pay

Scan the code with your mobile phone, depending on your phone system.

Download BT Pay

Scan the code with your mobile phone, depending on your phone system.

Download NeoBT

Scan the code with your mobile phone, depending on your phone system.

Download NeoBT

Scan the code with your mobile phone, depending on your phone system.

Download NeoBT

Scan the code with your mobile phone, depending on your phone system.

Download BT24

Scan the code with your mobile phone, depending on your phone system.

Download BT24

Scan the code with your mobile phone, depending on your phone system.

Invest directly from the app 4.8
Install
Call Center
  • High waiting time!

    We are currently experiencing a very high number of calls in our Call Center. If you have an urgent problem, call now, otherwise we'll wait for you later. For quick answers try Ask BT or BT Visual Help.

  • 0264 308 308 028 or *8028 The number is available from any national network.
    0264 303 003 Hotline for all Romanians who are out of the country, including assistance in English.
    Fraud assistance
    If you suspect fraud on your account, quickly call 0264 308 055.

    Search with AI Search

    AI Search on Ask BT answers all your banking questions.

    BT Visual Help

    Quickly view your account details, call 0264 308 000 and receive an SMS with the access link.

    Privacy Policy

    Policy Of Banca Transilvania S.A. Regarding The Processing And Protection of Personal Data Within The Banking Activity (The “BT Privacy Policy”)

    Version applicable from 24.10.2023

    About this Privacy Policy and our commitments

    Banca Transilvania S.A. (hereinafter referred to as "BT", "the Bank" or "we") commits to process the personal data (hereinafter "personal data" or "data") of all the individuals it interacts with (hereinafter "data subjects") in compliance with the applicable legal provisions and the highest security and confidentiality standards, to respect the fundamental human rights and freedoms in regard to this processing and to regularly assess our activity in this field, to make sure these rights are always respected.

    For guidance and support of our personal data processing and protection activity we have appointed a data protection office ("DPO"). BT’s DPO can be contacted by any data subject, at any of the following contact data:

    • the e-mail address dpo@btrl.ro
    • the Bank’s headquarters in Cluj-Napoca, Calea Dorobanților, no. 30-36, Cluj County, Romania, with the specification: “to the attention of the data protection officer”.

    We present next our Policy in this field of utmost importance (hereinafter "Policy"), which we commit to review periodically for an ongoing improvement and to inform data subjects of the substantial changes made to it.

    Through this Policy we comply with our obligation to inform all the categories of data subjects whose personal data we process as controller in accordance with the provisions of art. 13-14 of the EU Regulation no. 679/2016 or the General Data Protection Regulation ("GDPR").

    Whenever we will be able to directly inform the data subjects about the processing of their data, we comit to do so. When we either have no objective possibility to do so or it would involve a disproportionate effort for us to fulfill this obligation directly, we inform the data subjects through this Privacy Policy.

    If you are a regular BT customer (hereinafter referred to as “BT Customer” or “Customer”), to find out how we process your personal data in this only quality, you can also access the separate notice: The General Privacy Notice regarding the processing and protection of personal data belonging to the BT Customers,which is part of this Policy.

    You can find this Policy and the General Privacy Notice for Customers both on the https://en.bancatransilvania.ro/ website (hereafter (hereinafter also "the BT website"), including in the Privacy Hub section of this website, as well as in BT units.

    Also, for certain services/products/personal data processing activities that we carry out, we have prepared specific privacy notices, which you can find on the BT website, in the Privacy Hub section.

    This Policy does not refer to the processing carried out by BT regarding the personal data of its employees. They are informed about the processing of their data by BT as an employer through a separate document.

    If you are not familiar with the meaning of the different specialized terms used in the GDPR or the applicable banking law, we recommend you study the following section, regarding:

    If you are not familiar with the meaning of the various specialist terms used in the GDPR or in applicable banking legislation, we recommend that you also study the following section on:

    When we use the following terms in this Policy, they shall have the following meaning:

    (a) 'Personal data' or 'data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

    b) "Processing of personal data" or "data processing" means any operation or set of operations which is performed on personal data or on sets of personal data, wether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

    c) "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

    d) "BT Financial Group" or "BT Group" means the Bank together with entities controlled by it (BT subsidiaries/affiliates) such as, BT Microfinanțare IFN SA ("BT Mic"), BT Asset Management S.A.I. S.A., ("BTAM"), BT Leasing Transilvania IFN S.A. ("BTL"), BT Direct IFN S.A. ("BTD"), BT Capital Partners S.S.I.F. S.A.("BTCP"), BT Pensii Societate de Administrare a Fondurilor de Pensii Facultative SA ("BT Pensii"), Salt Bank, Victoria Bank, BT Leasing Moldova, BT Code Crafters SRL ("BT Code Crafters"), Improvement Credit Collection SRL ("ICC"), Fundația Clubul Întreprinzătorului Român ("BT Club"), Fundația Clujul has Suflet and other entities that may join this group in the future;

    e) "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.

    In this Policy, when we use the term "controller" we usually refer to Banca Transilvania - when the bank processes personal data for purposes established by itself or by the legislation the bank is subject to - or, as the case may be, to Banca Transilvania and entities that are joint controllers with the bank for certain processing operations, when the purposes and means of processing are jointly established by us and these entities;

    f) "Data subject" means any natural person whose personal data is processed.

    Also included in the category of data subjects are entities such as authorized natural persons (P.F.A.), individual enterprises (I.I.), individual forms of exercising liberal professions - "professionals", such as: individual medical, lawyer, notary, bailiff, accountant, authorized translator offices, etc.;

    Legal entities are not, as a rule, included in the category of "data subjects" and information about them is usually not personal data;

    g) "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

    h) "Third party" means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

    (i) "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients;

    j) "Supervisory Authority" means a public independent supervisory authority which is established by a EU Member State, responsible with the monitoring of GDPR application. In Romania the supervisory authority is The National Supervisory Authority for Personal Data Processing- “A.N.S.P.D.C.P.”;

    (k) 'Biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data that were subject to such techiques;

    (l) 'Data concerning health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

    m) "Beneficial owner" according to the provisions of art. 4 paragraph 1 of Romanian Law no. 129/2019 on the Prevention of Money Laundering and Terrorism Financing, and the subsequent amends brought to certain normative acts, means any natural person who ultimately owns or controls the client and/or the natural person on whose behalf a transaction, an operation or an activity is performed and includes at least the categories of natural persons mentioned in art. 4 paragraph 2 of this normative act;

    n) "Publicly Exposed Person" - "PEP " - according to the provisions of art. 3 paragraph 1 of Romanian Law no. 129/2019 on the Prevention of Money Laundering and Terrorism Financing, and the subsequent amends brought to certain normative acts, means any natural person who exercises or has exercised an important public position and includes at least the categories of natural persons mentioned in art. 3, paragraph 2 of this law. Family members of a PEP (defined in art. 3 paragraph 4 of Law 129/2019), as well as people known to be close associates of a PEP (defined in art. 3 paragraph 5 of Law 129/2019) are assimilated to PEP in regard to the bank’s obligation to apply the know your customer measures.

    BANCA TRANSILVANIA S.A.  is a credit institution, Romanian legal entity, registered with the Trade Register under no. J12/4155/1993, tax identification number RO 5022670, with the following address: registered office in - Cluj-Napoca, Calea Dorobanților, no. 30-36, Cluj County, phone no. *0801 01 0128 (BT) - Romtelecom network, 0264 30 8028 (BT) - any network, including international calls, *8028 (BT) - Vodafone, Orange network, e-mail address: contact@bancatransilvania.ro, website BT: website www.bancatransilvania.ro.

    Banca Transilvania S.A. is the parent company of BT Financial Group.

    The provisions of this Policy refer to the processing of personal data that BT carries out as a controller.

    In some of our activities we process personal data as joint controllers, together with other entities. You can find details about this processing in the specific privacy notices found in the Privacy Hub section on the BT website.

    C. What personal data do we process, who does it belong to and what do we use it for

    Banca Transilvania processes different categories of personal data. The data we process and the purposes for which we process these data depend on the quality that the data subject has in relationship with us when we need to process the respective data.

    Based on your quality in relationship with us in a certain context, we present below how we process your personal data:

    a. Who is a BT customer?

    “BT customer” or “Customer” means any of the below mentioned categories of data subjects:

    • resident/non-resident individuals, holders of at least one current account opened with the bank (also referred to as “BT individual account holder”) or persons who rent safe deposit boxes at BT;
    • legal or conventional representatives of the BT individual/legal entities account holders or who rent deposit boxes;
    • individuals authorized to perform operations on the accounts of BT individual/legal entities account holders (“mandated person”);
    • the real beneficiaries of Customers who are individual or legal entity BT account holders (“beneficial owner”);
    • individuals with rights to submit bank documents, to pick up account statements and/or to make cash deposits on behalf of BT individual/legal entities account holders ( “delegates”);
    • associates/shareholders of some BT Clients legal entities;
    • users of a product/service of the bank who do not have any of the qualities mentioned above but they regularly use some BT products/services (e.g. users of additional cards, individuals with account manager’s securities records opened with the bank, BT meal tickets users, users of BT Pay);
    • guarantors of any kind of the payment obligations assumed by the individuals/ legal entities account holders;
    • persons who sign the bank’s dedicated request forms to become BT Customers, but this request is rejected or waived (even if these individuals are not active BT Customers, we are bound by law to keep their personal data for a certain period of time);
    • the legal or conventional successors of the aforementioned.

    We remind you that full details, in printable form, concerning the processing of BT customers’ personal data can be found in the General Privacy Notice regarding the processing and protection of personal data belonging to BT Customers.

    b. Purposes for which we process personal data of BT customers

    As a BT customer, we process your personal data, upon case, for:

    • applying the know your customer (KYC) measures in order to prevent money laundering and terrorism financing. Details in the specific privacy notice in the Privacy Hub;
    • assessing the solvency, reducing the credit risk, determining the degree of indebtedness of the Customers interested in personalized offers in relation to the bank’s credit products or in contracting these types of products (credit risk analysis), including by processing the personal data in the Credit Bureau system. Details in the specific privacy notice in the Privacy Hub;
    • the conclusion and performance of contracts related to products/services offered to BT customers (such as, but not limited to: debit/credit cards, deposits, credits, internet and mobile banking, BT Pay, SMS Alert); Details on the processing of personal data for some BT products/services can be found in the specific privacy notices in the Privacy Hub;
    • entering into and executing contracts for occasional transactions, (see section C, point 2 of the Privacy Policy when you carry out occasional transactions, even if you are also a regular BT customer);
    • processing/decoding of bank transactions;
    • establishing the garnishments, recording the amounts garnished to the creditors and providing answers to the enforcement bodies and/or the competent authorities, according to the legal obligations of the bank;
    • reporting to the competent authorities, in accordance with the legal obligations that the bank is subject to (e.g. reports to the National Administration of Public Finances – A.N.A.F., National Bank of Romania -N.B.R.- including to the National Office for Prevention and Control of Money Laundering, the Central of Credit Risks and the Office of Payment Incidents within N.B.R. etc);
    • conducting analyzes and the keeping of records for the Bank’s economic, financial and/or administrative management;
    • management within the internal departments of the services and products provided by the Bank, as well as management of the human resources;
    • debit collection and recovery of receivables;
    • defending the bank’s rights and interests in court, the resolution of disputes, investigations or any other petitions/ complaints/requests in which the bank is involved;
    • performing risk controls on the bank’s procedures and processes, as well as carrying out audit or investigation activities, including for the prevention and management of conflicts of interest;
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions.
    • proving the requests / agreements / options regarding certain aspects requested / discussed / agreed upon via the phone calls initiated by the Customers or by the bank, by taking notes of the discussed issues and, as the case may be, the audio or video recordings of the phone calls or the video calls;
    • informing the Customers in regard to the products/services held with the bank, for the proper execution of the contractual relationship (this is done, upon case, through messages of general or particular interest addressed to the Customers such as, but not limited to: transmitting of bank account/card statements, transaction reports, notices regarding garnishments on the accounts, notifications for unauthorized debits or overdue payments of installments, notices about the approach of the contractual term for a particular product/service held, notices about improvements or new facilities offered in relation to the product/service held, about the modification of the general business conditions or the general privacy notice regarding the processing of personal data, about the need to update the data etc.);
    • sending marketing messages/commercial communication to Customers who have consented to have their personal data processed for this purpose;
    • evaluating/improving the quality of services (requesting/collecting the opinion of Customers regarding the quality of BT services/products/employees);
    • the Customers’ financial education;
    • conducting internal analyses (statistics included) both with regard to products/services and the Customers profile and portfolio, market research, customer satisfaction analysis for the Bank’s products/services/employees);
    • development and testing of BT products/services;
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it;
    • ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
    • monitoring the security of persons/premises/assets of BT and of the visitors of BT units/equipment. Details about the processing of personal data in this purpose can be found in the specific privacy notice regarding video surveillance in the Privacy Hub section.
    • fraud prevention;

    c. What personal data of BT Customers we process  

    We process the following categories of personal data belonging to BT Customers, upon case:

    • identity data: name, surname, alias (if applicable), date and place of birth, national identification number (Romanian national identification number - “cod numeric personal”- C.N.P.) or another unique similar identification element (e.g. CUI for authorized natural persons or CIF for natural persons carrying out liberal professions -professionals), other details from the ID document/passport, as well as a copy such documents, signature (handwritten or electronic), citizenship, domicile and residence address as well as the address where the Customer lives and its legal regime;
    • contact data: phone number, e-mail and correspondence address, fax;
    • financial data (such as, but not limited to: transactions, data on the payment behavior, data about accounts and financial/banking products, held with/processed through BT or other financial institutions);
    • fiscal data (e.g. country of fiscal residence, tax registration number);
    • professional data (e.g. profession, job, job title, name of employer or nature of the individual activity, level of studies, specialization, information about the important public position held if you are a publicly exposed person (PEP), the quality, the social parts/shares and, as the case may be, the powers of attorney held within certain legal entities);
    • information on the family status (e.g. marital status, marital regime, number of dependents, kinship relations, marriage, cohabitation);
    • information on the economic and financial status (including data on income, data on owned assets, as well as your wealth’s source if you are PEP);
    • data about the BT products/services requested/used (e.g. information about the purpose and nature of the business relationship, the source/destination of the funds used in the contractual relationship/transactions, the type of products/services, the contractual period, other details of the products/services, including, for credit products - the type of product, the granting term, the granting date, the maturity date, the granted amounts and credits, the amounts due, the status of the account, the date of closing the account, the currency of the credit, the frequency of payments, the amount paid, the monthly rate, the name and the address of the employer, the amounts owed, the outstanding amounts, the number of outstanding installments, the due date of the outstanding, the number of overdue days in the repayment of the loan. Data related to credit products are processed both in the bank's own records, and - as the case may be - in the records of the Credit Bureau and/or other records/systems of this type);
    • image (contained in the identity documents or captured by the video surveillance cameras, as well as captured in certain video recordings);
    • voice, within the calls and recordings of the audio/video calls (initiated by the Customers or the bank);
    • biometric data (e.g. face recognition, used in remote identification processes by video means, in methods of unlocking devices on which you have BT apps installed, if you have set up methods such as facial or fingerprint-based recognition – in the latter case BT does not have access to your biometric data, but only relies on it to allow you to access/use some BT applications);
    • age, to verify the eligibility to contract certain products/services/offers of the bank (e.g. credit products, products dedicated to under-age individuals, etc.);
    • opinions, expressed through notices/complaints or during conversations, including phone, regarding products/services/employees of the bank;
    • identifiers, allocated by BT or by other banking or non-banking institutions, such as, but not being limited to: the BT client code (CIF BT), references/identifiers of transactions, IBAN codes of bank accounts, the numbers of the credit/debit cards, contract numbers, identifiers allocated by the bank to the Customers who are “nonresidents”, consisting of a sequence of figures referring to the year, month, day of birth and the number of the identity document), IP addresses, identifiers of the devices (e.g. mobile phones) and of the operating system of the devices used to access mobile banking services/mobile payment applications;
    • data concerning health, if such information is provided to us as part of banking documentation, results from transactions or if the processing of such data is necessary for customers to prove the difficult situation in which they or their family members find themselves, especially with a view to granting facilities for lending products;
    • information regarding fraudulent / potentially fraudulent activity;
    • information regarding the location of certain transactions (implicitly, in case of operations at the ATMs or POS belonging to the Banca Transilvania);
    • any other personal data belonging to the Customers, which brough to the bank’s knowledge in various contexts by other Customers or by any other person.

    a. Who is/in what situations we process your data as an BT walk-in client  

    “BT walk-in client” is any of the below mentioned categories of natural persons, who process over the counter banking operations or banking operations through BT equipment:

    • cash deposits to third party accounts opened with BT on which the depositor has no quality. Details in the specific privacy notice on Privacy Hub;
    • FX exchange;
    • Western Union (WU) money transfers;
    • cash payments of amounts that you owe to legal entities with whom BT has concluded agreements for the collection of these amounts (e.g. utility providers);
    • withdrawal of cash at the bank's counters of amounts owed to you by legal entities with whom BT has signed sum distribution agreements (e.g. for payment of dividends);

    We process your personal data as a BT walk-in client whenever you make transactions of the type listed above, even if you are also a regular BT Customer of the bank.

    b. Purposes for which we process personal data of BT walk-in clients

    When you act as BT walk-in client, your data is processed, upon case, for the following purposes:

    • applying the know your customer (KYC) measures in order to prevent money laundering and terrorism financing. Details in thespecific privacy notice in the Privacy Hub.
    • concluding and performance of the contract for the occasional transaction (including the processing/settlement of such transaction);
    • reporting to the competent authorities, in accordance with the legal obligations that the bank is subject to (e.g. reports to the National Bank of Romania – N.B.R. - including to the National Office for Prevention and Control of Money Laundering, the Credit Risk Register and the Office of Payment Incidents within N.B.R.);
    • conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
    • management within the internal departments of the services and products provided by the bank;
    • defending the bank’s rights and interests in court, the resolution of disputes, investigations or any other petitions/ complaints/requests in which the bank is involved;
    • performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
    • monitoring the security of persons/premises/assets of BT and of the visitors of BT units/equipment. Details about the processing of personal data in this purpose can be found in the specific privacy notice regarding video surveillance  in the Privacy Hub section.
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions.
    • performance of internal analysis (including statistics);
    • physical/electronic archiving of documents/information, including back-up;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
    • prevention of fraud.

    c. What personal data of BT walk-in clients we process 

    The following categories of personal data belonging to BT walk-in clients are processed, upon case:

    • identity data - name, surname, personal identification number (romanian cod numeric personal- C.N.P.), series and number of the identity document/passport, domicile address, citizenship and - in some cases provided by law - including copy of identity document/passport (usually for cash deposits, currency exchanges, money transfer services over a certain amount or suspicious transactions), signature (handwritten or electronic);
    • financial data regarding the occasional transaction (e.g. the sum of the transaction, currency, the payment beneficiary, explanations/details of the transaction, the transaction reference/identifier, information regarding the location of certain transactions, implicitly in case of banking operations initiated in BT units or through BT equipment);
    • fiscal data (e.g. country of residence)
    • contact data: phone number, e-mail address for cash depositors who are not BT customers and provide these contact data to be notified in case the transaction is cancelled, respectively the phone number/e-mail address declared in the bank system for walk-in clients who are also BT Customers;
    • image (from the identity document, if the bank has the legal obligation to make/retain a copy of the ID document, or, as the case may be, the image caught by the video surveillance cameras);
    • other personal data required by law, depending on the specifics of the the transaction

    a. Who is an individual connected to a BT loan applicant

    Individuals in connection to a BT loan applicant/debtor, who are part of a “group of related customers” together with the loan applicant, means any of the individuals listed here: Group of related customers.

    b. Purposes for which we process personal data of individuals who are part of a BT debtor’s group 

    If you are such a person, BT processes your data for the following main purpose:

    • solvency assessment, credit risk diminishment, determining the indebtedness degree of loan applicants interested in personalized offers related to BT loan products or the commitment of this type of products (credit risk analysis);

    When analyzing a credit application of an individual or a legal entity applicant, BT also processes your data, as it is subject to the legal obligation to establish and analyze its exposure to groups of related customers as part of its credit risk analysis. Your data is necessary so that the bank is able to analyze the applicant's credit request, and their (or your) refusal to provide your data or to have id processed may determine the bank’s impossibility to analyze and/or approve the credit.

    Also, a secondary purpose for which your personal data is processed is that of:

    • reporting to the competent authorities, in accordance with the legal obligations that the bank is subject to;

    As a reporting person, the bank will report these exposures and the membership of the groups of connected debtors to the N.B.R. - Credit Risk Register (if applicable).

    Your personal data can also be disclosed, in compliance with the need-to-know principle, to entities from the BT Group and/or to the service providers used by the bank for the process of analyzing the loan applications.

    Other purposes related to the ones indicated above, for which we process your data are, as the case may be, the following:


    • to validate/invalidate your quality of BT customer;
    • conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
    • management within the internal departments of the services and products provided by the bank;
    • defending the bank’s rights and interests in court, the resolution of disputes, investigations or any other petitions/ complaints/requests in which the bank is involved;
    • performing risk controls on the bank’s procedures and processes, as well as carrying out audit or investigation activities, including for the prevention and management of conflicts of interest;
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions;
    • performance of internal analysis (including statistics);
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
    • prevention of fraud.

    c. What personal data of individuals who are part of a BT loan applicant’s group we process

    • identity data: name, surname, personal identification number (romanian cod numeric personal C.N.P./NIN);
    • professional data (e.g. job title, quality, social parts/shares held within legal entities that are part of the debtor’s group);
    • as the case may be, other data in the bank's records or publicly available, that we need to process for the fulfilment of the main purpose regarding the credit risk analysis.

    a. Who is the signatory/contact person acting on behalf of a BT contractual partner  

    The signatories are any of the following:

    • legal representatives or other representatives of BT’s contractual partner, designated to sign the agreements concluded between the bank and that certain contractual partner (regardless of whether the contractual partner is a BT Customer or just a service provider, collaborator, supplier of goods contracted by the bank);
    • legal representatives or other representatives of institutions/authorities who sign documents transmitted to the bank

    The contact persons are any of the following:

    • individuals appointed by the contractual partner to communicate with the bank for the proper collaboration for the negociation/conclusion/ performance of the contract, regardless of whether or not their data is mentioned in the contract;
    • individuals who are nominated as contact point by institutions/authorities who send different requests to the bank

    b. The purposes for which we process data of signatories/contact persons from BT contractual partners/institutions/authorities

    The bank processes your personal data, upon case, for:

    • to negotiate, conclude and carry out the contract concluded between the bank and the contractual partner (usually your employer) or, where applicable, to handle requests addressed to the bank by the institution/authority where you work;
    • reports to the institutions competent to receive them, in accordance with the legal provisions applicable to the bank;
    • conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
    • defending the bank’s rights and interests in court, the resolution of disputes, investigations or any other petitions/ complaints/requests in which the bank is involved;
    • performing risk controls on the bank’s procedures and processes, as well as carrying out audit or investigation activities, including for the prevention and management of conflicts of interest;
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions.
    • performance of internal analysis (including statistics);
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
    • fraud prevention;

    c. What personal data of signatories/contact persons acting on behalf of BT contractual partners/institutions/authorities we process

    We usually process the following categories of personal belonging to you, as the case may be:

    For signatories:

    • identity data: name, surname, signature (handwritten or electronic);
    • professional data: job title/professional capacity, employer;

    For the contact persons:

    • identification data: name and surname;
    • contact data: (work) phone number, e-mail address;
    • professional data: job title/professional capacity, employer;

    In the Privacy Hub you can find the specific privacy notice dedicated to signatories/contact persons acting on behalf of BT's contractual partners.

    a. Who is a BT shareholder and/or a BT obligor or a person whose data we process in relationship with our shareholder/obligor

    • BT Shareholder - you are a BT shareholder if you own or you have owned shares issued by Banca Transilvania S.A., as a natural person or as a legal entity;
    • BT Obligor - you are a BT obligor if you own or you have owned bonds issued by Banca Transilvania S.A. as a natural person or as a legal entity;
    • Individuals whose data we process, as a rule, in relation to those of BT shareholders/obligors - legal or conventional representatives of BT shareholders/obligors, persons holding jointly shares/bonds, successors of BT shareholders/obligors.

    b. Purposes for processing personal data belonging to BT shareholders/BT obligors or to other persons in relation with the BT shareholders/obligors  

    If you are a BT shareholder and/or a BT obligor or a person whose data we process in relationship to the BT shareholders/obligors, we shall use your data, upon case, as follows:

    • to verify your identity in order to confirm or not your quality of shareholder/obligor of the bank, another quality in relationship with the BT shareholders/obligors;
    • the performance of specific legal obligations and activities arising from BT's status as an issuer (e.g. organisation of AGMs, shareholder services, specific investor communications);
    • establishing the garnishments, recording the amounts garnished to the creditors and providing answers to the enforcement bodies and/or the competent authorities, according to the legal obligations of the bank;
    • reports to the institutions competent to receive them, in accordance with the legal provisions applicable to the bank;
    • conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
    • defending the bank’s rights and interests in court, the resolution of disputes, investigations or any other petitions/ complaints/requests in which the bank is involved;
    • performing risk controls on the bank’s procedures and processes, as well as carrying out audit or investigation activities, including for the prevention and management of conflicts of interest;
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions;
    • proving evidence for the requests/agreements/options regarding certain aspects requested/discussed/agreed, including the phone calls initiated by you or by the bank, by recording the discussed issues and, as the case may be, the audio recording of the phone calls, or audio video recording;
    • performance of internal analysis (including statistics);
    • physical/electronic archiving of documents/information, including back-up;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
    • prevention of fraud.

    c. What personal data of BT shareholders/obligors/other persons in connection with the latter we process 

    If you act as a BT shareholder and/or obligor, or another person related to them, we usually process the following personal data categories:

    • identity data: name, surname, personal identification number (romanian cod numeric personal- C.N.P./ NIN), the series and number of the identity document/passport (ID document), citizenship, the postal address and, upon case, the copy of the ID document (for the identification of the shareholders in order to issue shareholder certificates or records for the shares they hold with BT), signature (handwritten or electronic);
    • fiscal data: country of fiscal residence, tax registration number;
    • information about the economic and financial situation, regarding the assets held: number of BT shares and/or bonds, including the history of the ownership of these assets;
    • professional data: the quality, the social parts/shares and, upon case, the powers of attorney held within legal entities;
    • contact data: phone number, e-mail address, postal address.

    a. Who is a visitor of the BT units and/or user/visitor of BT equipment 

    • Visitor of BT unit- any individual visiting the bank's units (including its administrative buildings), regardless of whether they perform banking operations or not.
    • User/visitor of BT equipment- any individual using or standing in front of a BT equipment (ATMs, BT Express, BT Express Plus, etc.), regardless of the location where the equipment is placed, regardless of whether the user/visitor is a BT customer, a BT walk-in client or a third party, regardless of whether any banking operations are initiated/processed through the BT equipment

    b. Purposes for which we process personal data of visitors of BT units and/or users/ visitors of BT equipment  

    The bank processes your data, upon case, for:

    • monitoring the security of BT persons/spaces/assets and visitors to BT units/equipment;
    • processing/settlement of transactions ordered on BT equipment;
    • verification of identity, as appropriate, if necessary for your identification at the request of the competent authorities or where the bank has a legitimate interest;
    • performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
    • performance of internal analysis (including statistics);
    • physical/electronic archiving of documents/information, including back-up;
    • defending the bank’s rights and interests in court, the resolution of disputes, investigations or any other petitions/ complaints/requests in which the bank is involved;
    • ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
    • prevention of fraud.

    Information about the processing of personal data through our video surveillance system or to allow you access to some of the bank's premises can be found in specific pictograms and/or privacy notices displayed at the entrance of the bank's premises and on BT equipment. You will also find details in specific privacy notice on video surveillance and in the specific privacy notice referring to visits in some of the BT offices in the Privacy Hub section.

    What personal data of visitors of BT units and/or to users/visitors of BT equipments we process

    If you visit the bank's units (including its office buildings) and/or use/visit the BT equipment, BT processes your data as follows, upon case:

    • image, as it is captured by the video surveillance cameras;
    • any data required to process the banking operations initiated through BT equipment or other related purposes mentioned above (e.g. time spent in units/at BT equipment).

    Also, according to the legal obligation that we are subject to, in order to grant you access into certain BT offices, the security personnel will need to identify you based on your identity document and some of your identity data: name, surname, the series and number of your identity document/passport will be registered and kept, usually for 2 years.

    a. Who is a visitor of the BT websites/social media pages  

    A visitor of BT websites/social media pages means any individual who accesses any of the BT portfolio’s websites/social media pages. The websites from BT's portfolio are https://bancatransilvania.ro/ and those found here: https://www.bancatransilvania.ro/site-uri-bt.pdf ("BT Websites").

    Our social media pages are: Facebook, Instagram, Twitter, TikTok, YouTube, LinkedIn ("BT social media pages").

    b. Purposes for processing personal data belonging to visitors of BT websites/social media pages 

    Through cookies or other similar technologies, the bank processes your data whenever you visit a BT website for the purposes described in the cookie policies of each of our websites and in short within the banners and cookies setting centers.

    For the website https://bancatransilvania.ro/, the Cookie Policy can be found in the footer of the site or by clicking on the following link: https://www.bancatransilvania.ro/politica-de-utilizare-a-cookie-urilor .

    If you fill in data on BT websites in forms for complaints/applications/complaints, applications for bank products/services/campaigns, subscriptions to newsletters in various fields, we process the data entered in these forms, as appropriate, for:

    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions;
    • proof of requests/agreements/opinions on certain requested/agreed issues;
    • evaluating/improving the quality of services (asking/collecting your opinion on the quality of BT services/products/employees);
    • performance of internal analysis (including statistics);
    • performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT;
    • prevention of fraud.

    Please take into consideration that subscription or unsubscription of any e-mail address that you fill in forms/fields of type/with the name “newsletter”, available on the BT websites in order to receive information from various areas of interest is managed through the online forms (subscribing) and from the unsuscribe links from the e-mails received following the subscription (unsubscribe).

    c. What personal data of BT websites/social media pages visitors we process  

    If you are a visitor of BT website the bank will process the following categories of personal data:

    • data processed through cookies;
    • IP Address:
    • data about the devices used to access the website (e.g. if you access the website from a laptop, PC or a phone and, in the last case the type of operating system of the phone);

    Also, when you fill in data in forms available on BT websites, we collect, upon case:

    • identity data: name, surname, and, in some cases, only with the consent of the data subjects, the national identification number (C.N.P.);
    • contact data: e-mail address, phone number, postal address.

    Before accessing our social media pages, we recommend that you read the Social Media Data Protection Guide in the Privacy Hub section.

    If you insert comments, images, opinions and/or reactions on BT social media pages, we will usually process:

    • your user name on the respective social media platform and the profile picture;
    • the opinions/reactions you post;
    • images you insert.

    In some cases – usually when you participate in different contests/campaigns or when you insert comments through which you ask/complain about certain aspects related to our activity - we might ask you to provide further information to help us identify/verify the situation you bring to our attention so that we can answer your request. We usually ask for:

    • details on the situation that you bring to our attention;
    • identification data: usually name, surname;
    • identifiers: (e.g. BT client ID - CIF BT-, IBAN);
    • contact details (e.g. e-mail address, phone number).

    To protect your data, please do not insert them in public posts on BT social media pages. If we notice that you have entered data in public posts, we reserve the right to delete it.

    Also, if you insert pictures of yourself or other people or if you tag other people in your comments on BT social media pages or if you disclose them to us in private messages, by posting/tagging you express your consent to their processing by the bank.

    Please note that any data you enter on BT's social media pages is also accessible to the providers of the social media platforms and is also subject to the provisions of their privacy policies. BT has no control over the data processing that the social media providers carry out for their own purposes and assumes no responsibility for such processing.

    Please be aware that BT websites/BT social media pages may contain links to websites/social media pages managed by other controllers, which have their own privacy/personal data processing policy. If you access the respective websites/social media pages or provide personal data on any of them, the processing of your data falls under the provisions of the privacy/personal data processing policy of those websites/social media pages and we recommend that you read it. BT does not assume any liability in regard to the processing of your data on websites/social media pages that are not controlled by the bank.

    a. Who is a BT prospect

    You are a “BT prospect” if you are not a BT Customer and you have requested, in the bank units, through the BT websites or through some contractual partners of BT, information on BT products/services or you have requested an appointment in a BT unit through our online platform.

    Details about the processing of personal data for online appointments with BT can be found in the specific privacy notice in the Privacy Hub section.

    b. Purposes for processing personal data belonging to BT prospects 

    If you are a BT prospect, we process your data, upon case, for the following purposes:

    • verifying your identity;
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions;
    • proving evidence for the requests/agreements/options regarding certain aspects requested/discussed/agreed, including the phone calls initiated by you or by the bank, by recording the discussed issues and, as the case may be, the audio recording of the phone calls, or audio video recording;
    • performance of internal analysis (including statistics);
    • performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT;
    • fraud prevention;

    c. What personal data of BT prospects we process 

    If you are a BT prospect, we process, upon case, your

    • identity data: name, surname, and, in some cases, only with the consent of the data subjects or if the bank justifies with a legitimate interest, the personal identification number (romanian cod numeric personal – C.N.P.);
    • contact data: e-mail address, phone number;
    • voice (if you request information through phone calls)

    a. Who is a BT candidate

    You are a candidate for positions available at BT or for internships organized by BT if you have sent us/we have received your CV from other persons to use it for recruiting purposes or if you have have brought to our knowledge, in any other way, that you are interested in obtaining certain positions in BT/ participating in BT internships.

    b. Purposes for which we process personal data of BT candidates 

    The bank processes your data, upon case, for:

    • recruitment;
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions;
    • evidence of requests/agreements/options on certain matters requested/discussed/agreed, including in telephone calls initiated by you or the bank, by recording the matters discussed and, where appropriate, audio-recording of telephone calls or, where appropriate, audio-video;
    • performance of internal analysis (including statistics);
    • performing risk controls on the bank’s procedures and processes, as well as carrying out audit or investigation activities, including for the prevention and management of conflicts of interest;
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT;
    • prevention of fraud.

    If you apply for only one of the vacant positions/internships in BT, we will process your personal data only within the recruitment process for the respective position and we shall erase or anonymize it after the completion of that respective recruitment process. If, instead, you choose to be contacted generally for vacancies/internships in BT, we will keep your data and use it for recruitment purposes for a period of 1 year, which may be extended with your consent.

    During the recruitment process, if we need references from previous employers or from profesors we will ask for your consent to obtain these references on your behalf. If you do not give your consent in this regard, you will need to obtain these references yourself and sent them to us if you want to continue the recruitment process.

    c. What personal data of BT candidates we process

    We usually process the following categories of personal data of BT candidates:

    • identity data: name, surname;
    • the age, to verify your eligibility to become an employee or, where applicable, to participate in certain interships of BT;
    • contact data: e-mail address, phone number;
    • professional data (e.g. profession, job, previous employers, data on education, professional experience and training, references from previous employers/teachers);
    • any other relevant data from the CV.

    In case you have already been selected to fill a BT position, we process your data in order to present the employment offer and, if you accept it, to go through the necessary formalities for employment as you are informed in detail through the the specific privacy notice in the Privacy Hub.

    a. Who is/when do we process your personal data as a BT petitioner

    You are a BT petitioner if you address to BT any request/notice/complaint (“petition”), on any channel, wether or not you are a BT customer, an BT walk-in client or if you belong to any other category of data subjects.

    b. Purposes for which we process personal of BT petitioners  

    Depending on the situation and the relationship you have with the bank, when submitting a request, the bank processes your personal data for the following purposes:

    • verifying your identity, including in order to confirm/infirm your quality of BT Customer;
    • taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person, including by legal authorities or institutions;
    • evidence of requests/agreements/options on certain matters requested/discussed/agreed in telephone calls initiated by you or the bank, by recording the matters discussed and, where appropriate, audio recording of telephone calls;
    • evaluation/improvement of the quality of service (soliciting/collecting the views of BT petitioners on the quality of responses to petitions);
    • performing risk controls on the bank’s procedures and processes, as well as carrying out audit or investigation activities, including for the prevention and management of conflicts of interest;
    • performance of internal analysis (including statistics);
    • reporting to the competent authorities, in accordance with the bank's legal obligations;
    • management within the internal departments of the services and products provided by the Bank, as well as management of the human resources;
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • providing registry and secretarial services for correspondence addressed to and/or dispatched by the bank;
    • ensuring the security of the IT systems used by BT;
    • prevention of fraud.

    c. What personal data of BT Petitioners we process 

    In order to register, confirm the receipt, analyze, formulate and send responses to any petitions you address to us, we process, upon case, the following categories of personal data:

    • identity data: name, surname and any other data from this category that you make known to us or data that BT needs to process to identify you, to identify and verify the situation in regard to which you addressed the petition to us, to formulate the answer to the petition, to prevent disclosure of confidential information (including personal data) to persons who are not allowed to receive them;
    • contact data: postal address, e-mail address, phone number;

    Please note that if you are a BT Customer and you send us a petition using contact details that you have not registered with the bank, unless we can confirm beyond reasonable doubt that the petition was sent to us by you, in order to protect your data that must be included in the response to the petition, we reserve the right to send this response to the contact data you have declared at the bank;

    • voice, from the phone calls as well as from phone call recordings (initiated by BT petitioners or by the bank);
    • upon case, any other information that the bank is aware of and which are necessary for analyzing the petitions.

    a. Who is/when do we process your data as a BT third party

    We process your data as a third party BT (even if you have other qualities mentioned in this Policy) when you are a natural person in situations such as those presented by way of example below:

    • you are a customer of another bank/financial institution and make a transfer to a BT account from your account at the other bank;
    • you are a customer of another bank/financial institution and a BT customer initiates a transfer to your account from that bank. In this case, based on some payment schemes which BT can join, we may find out your surname and initial of your name as they appear in the records of the other bank, even if the BT customer enters a different name associated with the IBAN code when initiating the transfer to your account from another the bank;
    • you make online payments with cards issued by other banks/financial institutions on websites that use payment solutions offered by BT. We process your data according to the rules of international payment organizations
    • data concerning you are mentioned in the details/explanations of the payment in a payment order submitted/transmitted/received at BT – filling in the fields related to the explanations/details of a payment is mandatory according to the legal provisions in the field of payment services;
    • a BT customer submits supporting documents for transactions to the bank or constitutive acts for BT Customers who are legal entities and your data are inserted in these documents;
    • a BT loan applicant must provide us with the sale-purchase contract of the property for which they are applying for the loan or which they bring as a guarantee, and your data appears in that contract or the loan applicant submits an extract from the land register of the property which also includes your data;
    • BT customers use open baking services and integrate into their BT applications transactions from other financial institutions where your data is also found;
    • you use cards issued by other banks/financial institutions at BT equipment (ATMs, BT Express, BT Express Plus), including when these cards are captured and we need to return them to you;
    • we receive requests from various persons, including institutions/authorities, notaries, lawyers, bailiffs, in which your data is mentioned;
    • you are an authorized person (other than authorized persons or delegates on accounts) to order/initiate operations – banking or non-banking – on behalf of a BT Customer through the channels offered by BT (e.g. phone payment instructions);
    • a BT employee provides us with data concerning you because you are a dependent family member or BT employees benefit from holidays/days off based on the relationship they have with you (e.g. days off for marriage, leave for raising a child, sick leave for children, etc.) or to provide you with benefits that we offer to family members of BT employees;
    • we collect data concerning you in the process of preventing and managing the conflict of interest – either from BT employees in their declaration regarding the conflict of interest, or following the checks we carry out – and we collect you data because you are related to a BT employee (e.g. you are a relative, husband, wife, life partner, business partner of the employee or their close family members, etc.);
    • you participante in various events, press conferences, social responsibility actions, etc. organized by the bank;
    • your data is mentioned on various documents submitted to BT in different situations (e.g. certificates or documents of any type that contain personal data of the signatories or, as the case may be, of other persons mentioned in the documents). We will process this data considering the need to keep these records, even if we may not need to process them in any form other than their storage;
    • your personal data is made available to us by any other person with whom we interact or comes into our possession in any other way.

    b. Purposes for which we process personal data of BT third parties  

    We process your data as a BT third party according to the purpose we need to use them in relationship with the person who provided it to us, as well as for the following related purposes, upon case:

    • performance of the employment relationship with BT employees, where applicable;
    • performing risk controls on the bank’s procedures and processes, as well as carrying out audit or investigation activities, including for the prevention and management of conflicts of interest;
    • performance of internal analysis (including statistics);
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
    • ensuring the security of the IT systems used by BT;
    • prevention of fraud.

    c. What personal data of BT third parties we process

    The most common categories of personal data that we process, upon case, if you are a BT third party are the ones presented by way of example in the following lines:

    • identity data: name, surname, personal identification number (romanian cod numeric personal- C.N.P.), signature (handwritten or electronic);
    • relationship between you and a person who has provided us your data;
    • position held within a legal entity;
    • any other data that is made available to us by any person we interact with in our activity.

    a. Who are the data subjects who express/have expressed options regarding the processing of personal data for marketing purposes (as the case may be, consent or refusal)  

    Currently, any of the following categories of data subjects are individuals who have expressed their consent at BT for the processing of their personal data for marketing purposes:

    • natural persons of age – BT customers or non-customers (BT walk-in clients or any other person) – who have expressed options regarding the processing of their data for marketing purposes (as the case may be, consent or refusal) – hereinafter referred to as “marketing options” on the dedicated BT form, starting from 12.03.2018.

    Consenting to the processing of your data for marketing purposes is optional. We guarantee that any person’s refusal to express this consent does not affect their right to become or remain a BT Customer. Likewise, this consent can be withdrawn at any time. In this case, we will no longer contact you for marketing purposes.

    BT Customers can find the dedicated form for expressing their marketing options in any BT unit, in NeoBT, as well as by accessing the online form available on the bank's website in the Privacy Hub section. This form can be used for the initial expression of marketing options, for the modification of previously expressed options or for the withdrawal of marketing consent.

    If you are a BT Customer, please note that any option expressed through this form, including the withdrawal of your marketing consent:

    - does not refer to and does not affect messages of general interest or of particular interest to Customers, which are sent by BT based on its legitimate interests for the proper performance of the business relationship or based on its legal obligations;

    - are not applicable to and do not affect notifications/ commercial messages sent within BT’s mobile applications, which have their own marketing option management system available in dedicated settings or privacy sections;

    Non-customers can find the dedicated form for expressing their marketing options in any BT unit. Non-customer marketing consent can be withdrawn in any BT unit as well as online, by completing the form for non-customer marketing consent withdrawal available on Privacy Hub.

    Please be aware that, regardless of whether you are a BT customer or a non-customer any marketing choice expressed through the aforementioned BT forms, including the withdrawal of marketing consent:

    - does not influence the subscription/unsubscription of any e-mail address entered by you in forms available on BT websites to receive information from various fields of interest. The subscription to the respective newsletters is done through the respective online forms and you can manage their unsubscription by following the unsubscribe link in the messages received after the subscription.

    b. Purposes for which we process personal data of individuals who express their marketing options (as the case may be, consent or refusal)  

    If you consent to have your personal data processed for marketing purposes, we will process them as follows:

    • sending marketing messages*, in accordance with your consent (advertising/marketing purpose);
    • verifying the identity of the persons, in order to confirm their quality as BT customers;
    • proving the requests/agreements/options regarding the advertising options, by recording the discussed issues and, as the case may be, the audio recording of the phone calls (initiated by you or by the bank);
    • performance of internal analysis (including statistics);
    • archiving in physical/electronic format of documents/information, including back-up copies;
    • ensuring the security of the IT systems used by BT;
    • prevention of fraud.

    If you have refused to have your personal data processed for marketing purposes, we will process your data for all purposes above, except for the purpose of *sending marketing messages.

    c. What personal data of individuals who express marketing options we process 

    The data processed by BT for sending marketing messages are usually:

    • identity data: name, surname;
    • contact details: phone number, e-mail or postal address
    • only for BT Customers: other information that we find out about them when they use BT services/products, to send them personalized marketing messages.

    If you refuse to have your data processed for marketing purposes, we process your identity and contact data mentioned above and, if you are a BT Customer, your Customer ID- CIF BT – only to mark and respect your option.

    As a rule, the personal data we process is collected directly from the data subjects (e.g. when they become BT Customers, update their data in the bank’s records, perform transactions, visit or fill in forms on BT websites etc.).

    However, there are situations when data is collected from other sources, from:

    • other BT Customers (e.g. authorization of other Customers on their accounts opened at the bank, contracting of some bank products/services by a Customer on behalf of another Customer who authorized him in this regard, contracting by employers who are BT Customers of some products/services of the bank for/on behalf of their employees – meal vouchers, collection of salary income in accounts opened at BT, managed guarantee accounts, etc.);
    • persons who are not BT customers (e.g. persons who deposit cash amounts in the accounts of BT Customers, persons who sent petitions in which they claim to use data declared at the bank by BT Customers);
    • public authorities or institutions (e.g. The Directorate General for Personal Records - D.G.E.P. - from whom we receive current data on the identity card of customers/people who take the steps to become BT customers, which we process for the purpose of customer knowledge according to the details in section Privacy Hub section of the website, subsection "Know Your Customer", courts, public prosecutors, police, bailiffs, B.N.R., A.N.P.C., A.N.S.P.D.C.P., etc.), notaries, lawyers;
    • institutions involved in the field of payment services (e.g. Transfond, S.W.I.F.T, international payment organizations, etc.);
    • other credit institutions with which Banca Transilvania S.A. merged (Volksbank România S.A. and Bancpost S.A.) or from which some contracts were assigned (Idea::Bank);
    • other banks/financial institutions, including partner banks and correspondent banks or banks/financial institutions participating in syndicated loans;
    • other entities of the BT Financial Group, for determined and legitimate purposes, in general for the performance of the financial/economic activity and to fulfill the legal requirements related to the supervision on consolidated basis of the BT Group;
    • public sources, such as but not limited to: the National Office of the Trade Register (O.N.R.C.), the National Register of Property Advertising (R.N.P.M.), the Office of Cadastre and Real Estate Advertising (O.C.P.I.), the court portal (portaljust), the Official Gazette , social media, internet, etc.;
    • records of the type of the Credit Bureau, the Credit Risk Center within the B.N.R., if there is a legal basis and a determined and legitimate purpose for their consultation;
    • database providers (e.g. entities authorized to administer databases with persons accused of financing acts of terrorism, publicly exposed persons, providers that aggregate and redistribute data collected from public sources, etc.);
    • contractual partners of the bank from various fields (e.g. evaluation companies, insurance companies, pension and investment fund management companies);
    • debt collection/debt recovery companies (e.g. we can find out the new contact details of the Clients from the companies that support us in the debt recovery activity);
    • Depozitarul Central S.A., Bucharest Stock Exchange (B.V.B) in case of bank shareholder data;

    The legal grounds on which BT processes personal data are, upon case:

    • the legal obligation of the bank (processing is necessary for compliance with a legal obligation to which the bank is subject);
    • conclusion/execution of contracts (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract);
    • the legitimate interest of the bank and/or third parties;
    • processing is necessary for the performance of a task carried out in the public interest (e.g. application of the know your customer measures to prevent money laundering and terrorist financing);
    • consent of the data subject.

    When we are required by law to process certain data in a certain situation or if your data is necessary to conclude or perform contracts for BT products/services/occasional transactions, if you refuse their proccessing you will not be able to become/remain a BT Customer or we will not be able to process the transactions you request.

    If we process your data for the legitimate interests pursued by us or third parties, you can object to that processing for reasons related to your particular situation (e.g. if you are a BT Customer and no longer wish to receive messages of general interest or messages asking you to rate the quality of our services/products, we will accommodate your request without affecting your business relationship with BT). In some cases, our legitimate interest or that of third parties may prevail over yours and we will not be able to accommodate the request through which you object to the processing (e.g. data processing in the Credit Bureau system, if there are no other reasons for accommodating the opposition request).

    If we process your data based on your consent, you have the right to withdraw this consent at any time. However, the withdrawal will not affect previous processing operations performed of your data (e.g. we process your data under consent for marketing purposes and you have the right to withdraw this consent. Withdrawal of marketing consent does not affect your right to become or remain a BT Customer; the processing of data through some of the cookies is based on your consent. If you do not express your consent to the placement of these cookies, you can use the BT websites without any negative consequences for you).

    The personal data that we process, may sometimes be disclosed/transferred by BT in accordance with the GDPR principles, based on the applicable legal grounds depending on the situation and only under conditions that ensure their full confidentiality and security.

    We commit to respect the fundamental human rights and freedoms in the event of such disclosures, in particular the right to the protection of personal data and the right to privacy, and to periodically evaluate our work in this area to ensure that these rights are always respected.

    You can find below in this section (* -> *** ) details about legal provisions that require us to report/communicate personal data concerning you to some authorities.

    Also, when public authorities/institutions request us to provide personal data, we commit to only disclose them if we have a legal obligation or a legitimate interest, only based on clear internal procedures and only with the approval of persons in a management position.

    We will only make available to the authorities the strictly necessary data and if it is demonstrated that we have made such disclosures of personal data in violation of human rights, we commit to repair the damage caused to the data subjects.

    The categories of recipients to whom we may disclose personal data are, upon case:

    • other Customers who have the right and need to know them;
    • other entities within the BT Financial Group;
    • companies involved in payment processing (e.g. Transfond S.A., payment processors);
    • financial-banking entities (e.g. participants in payment schemes/systems and interbank communications such as S.W.I.F.T., S.E.P.A., ReGIS, partner banks and correspondent banks, banks or financial institutions participating in syndicated loans);
    • international payment organisations (e.g. Visa, Mastercard);
    • contractual partners (service providers) used in BT's activity, such as but not limited to providers/suppliers of: services for issuing digital certificates (for the application of the qualified/extended electronic signature), overdue/receivables collection services, IT services (maintenance, implementation, support, cloud), services of archiving in physical and/or electronic format, courier, audit, card-related services, market studies/research, e-mail/SMS/phone call transmission, marketing services, other services offered by providers to whom BT has outsourced certain financial-banking services, etc.);
    • insurance companies;
    • real estate evaluation companies;
    • management companies of pension and investment funds;
    • companies (funds) guaranteeing various types of credit/deposit products (e.g. F.N.G.C.I.M.M., F.G.D.B., etc.);
    • partners of the bank in various fields, whose products/services/events we can promote to BT Customers based on their consent. The updated list of the bank's partners can be found here: https://www.bancatransilvania.ro/parteneri;
    • providers of social media platforms;
    • assignees;
    • national public authorities and institutions, such as, but not limited to: the National Bank of Romania (B.N.R.), the National Tax Administration Agency (A.N.A.F.)*, the Ministry of Justice, the Ministry of Internal Affairs (M.A.I.), the General Directorate for Personal Records (D.G.E.P.), the Ministry of the Interior (M.A.I.), the Ministry of Justice (M.A.I.), the Ministry of the Interior (M.A.I.)) to whom we send the names, surnames and CNP of the customers/persons who complete the steps to become BT customers for the validation of these data and for the provision of additional information from their current identity documents, which we process for the purpose of customer knowledge according to the details in section Privacy Hub of the website, subsection "Know Your Customer", the National Office for the Prevention and Combating of Money Laundering (O.N.P.C.S.B.) **, the National Agency for Cadastre and Real Estate Publicity (A.N.C.P.I.), the National Registry of Real Estate Publicity (R.N.P.M.), the Financial Supervisory Authority (A.S.F.), including, where applicable, their territorial units;
    • banking institutions or state authorities, including from outside the European Economic Area - in the case of S.W.I.F.T.-type international transfers or as a result of the processing carried out for the purpose of applying F.A.T.C.A legislation. and C.R.S.;.
    • public notaries, lawyers, bailiffs;
    • Central Credit Register***;
    • The Credit Bureau and the Participants in the Credit Bureau system****;

    * disclosing personal data to A.N.A.F.

    According to the provisions of the Fiscal Procedure Code (Law no. 207/2015), in its capacity as a credit institution, BT has the legal obligation to:

    1. Communicate daily to A.N.A.F.:

    - the list of holders of natural persons, legal entities or other entities without legal personality that open or close at BT bank or payment accounts, the persons who have the right to sign for the opened accounts, the persons who claim to act on behalf of the client, the real beneficiaries of the account holders, together with the identification data provided for in art. 15 para. (1) from Law no. 129/2019 for the prevention and combating of money laundering and the financing of terrorism, as well as for the modification and completion of some normative acts, with subsequent amendments and additions, or with the unique identification numbers assigned to each person/entity, upon case, as well as with the information regarding the number IBAN and date of opening and closing for each individual account.

    - the list of people who rented safe deposit boxes, accompanied by the identification data provided in art. 15 para. (1) from Law no. 129/2019, with subsequent amendments and additions, or by the unique identification numbers assigned to each person/entity, as the case may be, together with the data related to the termination of rental contracts.

    2. Communicate, at the request of A.N.A.F., for each account owner who is the subject of the request, all turnovers and/or balances of the accounts opened at the bank, as well as the information and documents regarding the operations carried out through those accounts.

    3. Submit to A.N.A.F. – on occasion of a request to open a bank account or to rent a safe deposit box - the request for the assignment of the fiscal identification number/fiscal registration code for non-resident natural persons that do not have a fiscal identification code. The request sent by BT to A.N.A.F. will include the following data of the non-resident: name, surname, date and place of birth, gender, home address, data and copy of the identity document, tax identification code from the country of residence (if any). BT can also send to A.N.A.F. the proving documents of information submitted in the request. Based on the data submitted, the Ministry of Finance assigns the fiscal identification number or, as the case may be, the fiscal registration code, fiscally registers the respective person and communicates the information related to the fiscal registration to BT.

    ** O.N.P.C.S.B. - If the conditions are met for the transmission by BT of some personal data to the National Office for the Prevention and Combating of Money Laundering, according to the legislation for the prevention and combating of money laundering and the financing of terrorism, they are transmitted simultaneously and in the same format and to A.N.A.F.

    *** C.R.C. - The bank has the legal obligation to report to the Credit Risk Register (C.R.C) within the B.N.R. credit risk information for each debtor that meets the condition to be reported (includes the identification data of a natural person debtor and operations in lei and in foreign currency through which the Bank exposes itself to the risk of that debtor) , respectively to have registered against him an individual risk, as well as the information about detected card frauds.

    **** Biroul de Credit S.A./participants in the Credit Bureau system - the Bank has the legitimate interest to report in the Credit Bureau System, to which the other Participants also have access (mainly credit institutions and non-banking financial institutions, as joint controllers of the bank and the Credit Bureau) the personal data of the Customers who have contracted loans, as well - under certain conditions- of Customers who register delays in loan payment of at least 30 days. The data is disclosed to these recipients also in the case of queries of this system, carried out by the bank in the process of analyzing a credit request or application.

    Some of the contractual partners who provide us with services necessary for the proper performance of our activity and/or their subcontractors are not located in the European Union (E.U.) or in the European Economic Area (E.E.A), but in other states ("third countries").

    When these partners/their subcontractors or international organizations may have access to the personal data that we process, we will only allow the transfer of data when strictly necessary and only on the basis of adequacy decisions or, in the absence of such decisions, based on appropriate safeguards provided by the GDPR.

    To ensure that these transfers respect human rights, in particular the right to adequate protection of personal data wherever it is processed, we comit that - both before allowing the transfer of data to third countries or international organizations, and throughout the period in which the transfer is carried out, including when there are changes in the circumstances originally envisaged – we shall carry out assessments to see whether there are risks for the rights and freedoms of the data subjects and to manage those risks accordingly, including by taking necessary supplementary measures, so that the data benefit from the same level of protection they would have in the E.U./.E.E.A.

    The European Commission may decide that some third countries, some territories or some sectors of a third country provide an adequate level of protection for personal data. The European Commission has issued adequacy decisions for the following third countries/sectors: Andorra, Argentina, Canada (companies only), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay, Japan, United Kingdom, South Korea. To these countries/sectors (unless a contrary decision is issued in respect of any of them), as well as to other countries to which the Commission will in the future recognize an adequate level of protection, transfers of personal data do not require special authorizations and are assimilated to disclosures of personal data to recipients from the E.U./S.E.E. states. The updated list of third countries to which an adequacy decision has been issued is the one mentioned on the website of the European Comission.

    To any other third country or international organization we will transfer personal data only on the basis of adequate guarantees provided by the GDPR, usually those consisting of Standard Contractual Clauses approved by the European Commission which you can find here and, if these guarantees will not be sufficient, we will also take other supplementary measures for adequate data protection.

    By way of exception, if BT Customers or occasional BT Customers order through the bank transactions in which the beneficiaries are located in third countries that have not been recognized to provide an adequate level of personal data’s protection, the transfer of data to those countries is based on the following provisions of the GDPR: the transfer that it is necessary for the performance of a contract between the bank and the Customer or for the application of certain pre-contractual measures, adopted upon the Customer’s request or, as the case may be, the transfer is necessary for the conclusion of a contract or for the performance of a contract concluded in the interest of the data subject.

    In some circumstances, only in respect of GDPR provisions, in ouractivity we use automated decision-making processes, including as a result of profiling.

    These are decisions taken by the bank based on automated processing of personal date, , with or without the intervention of a human factor, which can produce legal effects and/or affect the Customers in a similar way, to a significant extent.

    Such situations are the following:

    • for the implementation of Know Your Customer measures for the purpose of preventing and combating money laundering and terrorist financing (including for the implementation of international sanctions), as required by our legal obligation, we will carry out checks against databases of persons suspected of terrorist financing, international sanctions lists or fraud alert lists of persons at high risk of fraud. If the persons concerned are included in these records, the bank reserves the right to refuse to enter into a business relationship with them or to terminate the contractual relationship or, where appropriate, to refuse to process the occasional transaction they have initiated. For the same purpose, we will send and receive from the D.G.E.P. data from the identity card of customers/persons who go through the steps to become BT customers. The data received from the D.G.E.P. we will record or, where applicable, update in our records as customer identity card data. BT will not take any action that would produce legal effects or similarly affect customers to a significant extent solely on the basis of the automatic processing of data provided by D.G.E.P., unless the provisions of Article 22 of the General Data Protection Regulation (GDPR) are complied with.
    • to protect BT Customers and BT walk in clients against fraud, as well as for the bank to properly fulfill its KYC obligations, it monitors the Customers transactions and, if it identifies, suspicious transactions (such as unusual payments as frequency, value, reported to the source of funds declared or the purpose and nature of the business relationship, transactions initiated from different cities at short time intervals, which did not allow the travelling between those cities, transactions whose details generate suspicions of money laundering or terrorist financing, attempts to use BT cards on suspicious websites), may take measures to block the transactions, accounts’ cards, taking these decisions solely based on automatic processing;
    • according to the legal provisions, the granting of the credit products is conditioned by the existence of a certain degree of indebtedness of the applicants. The eligibility to contract a credit product in relationship to the degree of indebtedness will be determined based on automated criteria, starting from the level of the income and expenses that the applicant Customer records;
    • in order to objectively verify the fulfillment of the eligibility conditions for the pre-offer and, as the case may be, to analyze a credit application ofan applicant- individual or legal entity to BT, in most cases, a scoring application of the bank will be used, which will analyze the data from the credit application, the information resulting from the verifications carried out in the bank's own records and/or those of the Credit Bureau S.A. and will issue a score that determines the credit risk and the probability of paying the installments in time. The result of other verifications of the applicant's status, will be added to the issued score, which will be analyzed by the bank's employees, to determine if the eligibility conditions established by the internal regulations, are met. The final decision to approve or reject the credit application is based on the analysis performed by the Bank's employees (human intervention). Exceptions to human intervention are in situations when you request credit products exclusively online. In these cases, we will take the decision to grant credit or, upon case, to reject the credit application based on solely automatic data processing. Taking the decision through such means is necessary in order to quickly analyze the request and conclude the credit agreement. However, you are guaranteed the right to request human intervention, meaning the analysis of the loan application by a bank employee, to express your point of view and to contest the solely automated decision;
    • to confirm your identity in the case of opening a remote business relationship, in the case of updating data by online means or for remote identification by video means, certain information of your face (taken from a still image or video) is compared with the picture from identity and, if you are already a BT Customer, the information extracted based on your face and from the identity document is compared with the ones we already have in the bank's records. Also, as part of these online processes, your access to your phone number, email address is checked and the contact data are also checked against those already declared to BT (if you are a BT Customer). If following these automated processes we identify inadvertences we will carry out checks through our employees and, if necessary, we will ask you to repeat the enrollment/update/identification process in a BT unit;
    • if the BT Customers have expressed, on the dedicated form, their consent for the processing of personal data for marketing purposes, we shall create thei profile based of different criteria (e.g. data on transactions, age, location, income range), which we will automatically study to assess what marketing messages would be relevant for them. In some cases, this profile will only have as consequences that only the Customers fulfilling the conditions of the profile will be sent a certain marketing message. In other cases it will determine that only the persons who fulfill the criteria of the profile will be able to contract/benefit from certain promotional offers. However, the rest of the Customers can benefit from the products/services under standard conditions.

    1. Retention period for data of BT Customers and BT walk in clients

    According to the legal obligation we have, the personal data we process for the application of know your customer (KYC) measures to prevent money laundering and terrorist financing, together with all the records obtained by applying these measures, such as monitoring and verifications carried out by the bank, documents supporting documents and records of transactions, including the results of any analysis carried out in relation to the Customer, which determines the Customer’s risk profile, must be kept for 5 years after the termination of the Customers’s business relationship with the bank  or, upon case, from the date of the occasional transaction. We are subject to the legal obligation to keep this data for the above mentioned period even if the Customer’s request to open the business relationship with the bank is rejected or in case the Customer waives the request, or, upon case, if the occasional transaction could not be processed or the walk-in Client was withdrawn in. In this case, the 5-year retention period will be calculated from the date of rejection of the request or the Customer’s withdrawal, respectively from the date of the occasional transaction.

    At the request of the competent authorities, the initial legal period of 5 years mentioned above may be extended, up to a maximum of 10 years after the termination of the business relationship/date of the occasional transaction.

    Upon expiry of the legal retention period (initial or extended, as the case may be), the bank will delete or anonymize such data, unless other legal provisions require their continued retention. Other legal provisions that require us to retain Customer or, where applicable, Occasional Customer data for a longer period of time are those in:

    • The Fiscal Procedure Code, which provides that part of the data processed for the application of KYC measures must also be processed for reporting to A.N.A.F. The legal retention period for this data is 10 years from the termination of the business relationship or from the occasional transaction date;
    • the financial and accounting legislation provides that the relevant accounting documents for the financial records and the supporting documents, including the contracts based on which the accounting entries were made (implicitly the personal data contained in them) must be kept for up to 10 years from the end of the financial year in which they were created;
    • the national legislation applicable in the field of electronic signature obliges the suppliers who issue digital certificates to keep the information regarding a qualified certificate for a period of at least 10 years from the date of its expiry. In cases where the Romanian providers we collaborate with in this field process personal data as joint controllers with the bank, we may need to keep the data regarding the certificates for this period;
    • for the Customers whose personal data were queried in the A.N.A.F. records (according to the consent they expressed), the legal term imposed for keeping the query consent forms (by default also for the personal data contained therein) is 8 years;

    As for the data that the bank has the legal obligation to report to the Credit Risk Register (C.R.C.), the documents containing the credit risk information and the information about the reported card frauds (including the personal data from them) are kept for a period of 7 years.

    Regarding the data processed in the Credit Bureau system based on the legitimate interest of the Participants in this system, they are stored at the level of this institution and disclosed to the Participants for 4 years from the date of the last update, with the exception of the data of credit applicants who have abandoned their application of credit or whose application was rejected, which are stored and disclosed to Participants for a period of 6 months.

    For all cases where your data is subject to more than one retention period, the longest of these will apply. After the longest term, the data will be deleted or anonymized.

    2. Retention period for data captured by video surveillance cameras

    The data collected by video surveillance cameras are kept for 30 days, after which they are automatically deleted. In well-justified specific cases, only in compliance with the applicable legal provisions, the retention period of the relevant video recordings can be extended up to 6 months from the end of the month in which the images were recorded or, if necessary, for a longer period, up to completion of investigations of the incident that led to the extension of the storage period. In the case of video images that are the subject of access requests to data, the retention periods for BT petitioners' personal data apply.

    3. Retention period for the data of persons who have expressed their marketing options

    The data of BT Customers who have expressed their consent to receive marketing messages are processed for this purpose until the consent is withdrawn or, otherwise, until the termination of their quality as a BT Customer. The data of non-customers who have expressed this consent are processed for this purpose until the consent is withdrawn.

    4. Retention period for the data of BT candidates

    The personal data of BT candidates will be kept until the end of the recruitment process for the position they applied for or, if the candidates have shown interest in being contacted for other suitable BT positions, the data will be kept for 1 year. This term can be extended with the consent of the candidate.

    The data of BT candidates who become BT employees are subject to the retention periods for BT employee data set out in the dedicated BT employee privacy notice

    5. Retention period for the data of BT petitioners

    In order to prove that notifications/complaints/requests for information/measures have been received and that responses to them have been formulated and sent, the data related to these petitions will be kept (together with the personal data contained therein) as follows: petitions of BT customers for the duration of their business relationship with the bank to which 3 years are added, respectively for petitioners who were/are not BT customers for 3 years starting with the date of submission of the response to the petition (legal limitation period).

    Any other personal data processed by BT for other purposes indicated in this Policy will be kept for the period necessary to fulfill the purposes for which they were collected, to which non-excessive terms may be added, established according to the applicable legal obligations in the field, including but not limited to to the provisions on archiving, or established internally, according to the legitimate interests of the bank.

    All data subjects are guaranteed the following rights with regard to their personal data processed by BT.

    You should know that we treat these requests with the highest degree of professionalism and their situation is regularly brought to the attention of the Bank's management.

    Each of the requests is carefully analyzed, the responses to the requests are documented and, whenever necessary, we take corrective measures to ensure that we respect the rights you have regarding the legal processing and proper protection of your data, which is an essential component of our obligation to respect human rights

    a) right of access: the data subjects can obtain from BT the confirmation that their personal data are processed, as well as information regarding the reasoning of the processing such as: purpose, categories of personal data processed, data recipients, period for which the data are kept, the existence of the right of rectification, erasure or restriction of the processing. This right allows the data subjects to obtain for free a copy of the personal data processed;

    b) the right to rectification: the data subjects can request BT to modify the incorrect data concerning them or, as the case may be, to complete the data which are incomplete

    c)  right to erasure ("right to be forgotten"): data subjects may request the erasure of their personal data when:

    • these are no longer necessary for the purposes for which the bank collected and processed them;
    • the consent for the processing of the personal data has been withdrawn and BT can no longer process it on the basis of other grounds;
    • the personal data are processed against the law;
    • the personal data must be deleted in accordance with the relevant legislation;

    d)  withdrawal consent: the data subjects may withdraw their consent at any time regarding the processing of personal data processed on this legal ground. Withdrawal of consent does not affect the lawfulness of the processing carried out before the withdrawal;

    To withdraw consent for data processing for marketing purposes, you can also use the following online forms available in the Privacy Hub section:

    e)  right to object: the data subjects can, at any time, object to the processing for marketing purposes, as well as to processing based on the legitimate interest of BT, for reasons related to their specific situation;

    f)  right to restriction of processing: the data subjects may request the restriction of processing of their personal data if:

    • disputes the accuracy of the personal data, for a period that allows the bank to verify the accuracy of the data in question;
    • the processing is illegal and the data subject opposes the erasure of the personal data, requesting instead the restriction of their use;
    • the data are no longer necessary to us, but the data subject asks for them for an action in court;
    • if the data subject has opposed to the processing, for the period of time in which we verify whether the legitimate rights of BT as a controller prevail over the data subject's rights.

    g)  right to portability: the data subjects may request, according to the law, the bank to provide certain personal data in a structured form, commonly used and machine-readable format. If the data subjects request, BT may transmit the respective data to another entity, if this is technically possible.

    (h) rights regarding solely automated decision-making:as a rule, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on them or similarly significantly affects them. They have the right to express their point of view, to contest the decision and to request human intervention (review of the automated decision by a BT employee).

    i) the right to file a complaint with the National Supervisory Authority for the Processing of Personal Data: the data subjects have the right to file a complain with the National Supervisory Authority for the Processing of Personal Data if they consider that their rights have been violated:

    National Supervisory Authority for the Processing of Personal Data, B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, România, e-mail: anspdcp@dataprotection.ro

    To exercise any of the rights mentioned in points a) - h) above at BT, the data subjects should use the contact details of the data protection officer designated by BT (BT DPO), by sending the request in any of the below mentioned methods

    • at the e-mail address dpo@btrl.ro
    • by mail, at the following address: Cluj-Napoca, str. Calea Dorobanților, no. 30-36, Cluj County, with the mention "in the attention of the data protection officer"

    Before sending us your request, we recommend that you read the instructions in the "How to exercise your GDPR rights at BT" section available in the Privacy Hub.

    BT has developed an internal framework of policies, procedures and standards to keep personal data secure. They are reviewed periodically to comply with the regulations applicable to the Bank and the highest standards in the field of data security.

    Specifically, the Bank adopts and applies appropriate technical and organizational measures (policies and procedures, IT security rules, etc.) to ensure the confidentiality, integrity and availability of personal data and that their processing takes place only in accordance with the applicable legal provisions in the field of personal data.

    BT employees have a under duty of confidentiality and cannot unlawfully disclose personal data to which they have access in the course of their professional activity.

    All employees are regularly trained in the field of personal data processing and protection.

    If your data is involved in incidents that are personal data breaches and if following the asessment we carry out we reach the conclusion that the personal data breach is likely to result in a high risk to your rights and freedoms, as a data subject, we comit to inform you of the occurrence of the data breach and to make available to you all the information provided by law for these cases.

    At BT we ensure - both before entering into contractual relations with partners/suppliers who need to have access to personal data (as our processors), as well as during the entire period in which they have access to the data - that they:

    • process the data only in the name and under the instructions of the bank (unless they have a legal obligation to process them);
    • have implemented adequate technical and organizational measures to ensure adequate data security;
    • assume contractual obligations in accordance with the provisions of the GDPR and that these obligations are respected;
    • do not disclose personal data to other processors except with BT’s prior authorization;
    • if they cannot ensure data processing only in the E.U./E.E.A, they transfer data to third countries or international organizations only on the basis of adequacy decisions or adequate safeguards provided by the GDPR, including by taking supplementary measures if necessary for adequate data protection.

    We guarantee that BT will not sell the personal data of any data subject and that it will only disclose this data to those who have the right to know it, in compliance with the established legal principles and obligations.

    This policy is reviewed regularly to guarantee the rights of data subjects and to improve the ways of processing and protecting personal data.