Personal data processing and protection policy - previous versions

Policy of Banca Transilvania S.A. on the processing and protection of personal data within the banking activity ("Policy" or "BT Privacy Policy")

Version valid between 15.08.2019 - 30.09.2019

At Banca Transilvania S.A. (hereinafter referred to as "BT", "the Bank" or "we") we are constantly concerned that the personal data of all individuals with whom we interact are processed in full compliance with applicable legal provisions and with the highest standards of security and confidentiality.

For a better guidance and support of our personal data processing and protection activity we have appointed a data protection officer (DPO), who may be contacted by any data subject regarding to any aspects concerning the way in which BT processes such data, via a notice sent to:

BT headquarters in mun. Cluj-Napoca, str. G. Barițiu, nr. 8, jud. Cluj, with the mention "to the attention of the Data Protection Officer" or of a message to
the e-mail address dpo@btrl.ro

The following is our policy in this very important area, which we are committed to reviewing from time to time with a view to continuous improvement.

With this Policy we intend to fulfill our information obligation to all categories of natural persons whose personal data we process in the framework of our banking activity ("data subjects") in accordance with the provisions of Articles 13-14 of EU Regulation 679/2016 or the General Data Protection Regulation (hereinafter "GDPR").

Whenever we have the objective possibility to directly inform certain categories of data subjects about the processing of their data, we undertake to do so.

In some cases, however, it is either not objectively possible or would involve a disproportionate effort for the bank to fulfill this obligation directly. For all these situations, we fulfill our disclosure obligation through this Privacy Policy.

If you are a regular customer of the bank - BT Client - and you want to consult only the section on the processing of data of this category of data subjects, you can access: General information note on the processing and protection of personal data belonging to BT Customers, which is an integral part of this Policy.

This Policy does not address to the employees of Banca Transilvania, as they shall be informed regarding to their personal data processed by BT as an employer through a distinct document.

We hereby present which categories of personal data we process in our banking activity, who the data subjects are, what are the purposes for which we process personal data, to whom we may disclose or transfer personal data, how long we keep them, in what way we ensure their security, and what rights the data subjects are entitled to exercise in connection with this processing.

Ifyou are not familiar with the meaning of the different specialized terms used in the GDPR or the applicable banking law, we recommend you first to study the following section regarding:

A. Specialized terms used in this Policy

B. Who is Banca Transilvania?

C. What are the categories of personal data that BT processes, who belong to and what are the purposes they are used for?

D. What are the sources from which BT processes the personal data?

E. Which are the bases on which BT processes personal data and the consequences of the refusal to process them?

F. Whom are the personal data processed by Banca Transilvania disclosed/transferred to?

G. Transfers of personal data made by BT to third party countries and/or international organisations

H. Automated decision-making, including profiling

I. How long does BT process personal data?

J. Which are the rights that the data subjects may exercise with regard to the personal data processed by Banca Transilvania?

K. How does BT protect the personal data it processes?

The terms defined in this section will have the following meaning when they are used in this Policy:

'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity
'processing of personal data' or 'data processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
"BT Financial Group"- the Bank together with its controlled entities such as, BT Microfinanțare IFN SA ("BT Mic") , BT Asset Management S.A.I. S.A., ("BTAM") , BT Leasing Transilvania IFN S.A. ("BTL") , BT Direct IFN S.A. ("BTD") , BT Capital Partners S.S.I.F. S.A. ("BTCP") , Fundația Clubul Întreprinzătorului Român, Fundația Clujul are Suflet and other entities that may join this group in the future;
"Controller" means a legal person who alone or jointly with others determines the purposes and means of the processing of personal data;
"Data subject" means the natural person whose personal data are processed;
"Recipient" means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party;
"Third Party" means a natural or legal person, public authority, agency or other body, other than the Data Subject, the Controller, the Processor, the Processor's Representative and which, under the direct authority of the Controller or the Processor's Representative are authorized to process Personal Data;
"Supervisory Authority" means an independent public authority established by a Member State, responsible for monitoring the application of the GDPR. In Romania the supervisory authority is the National Supervisory Authority for Personal Data Processing - "ANSPDCP";
"Biometric data" means personal data resulting from specific processing techniques relating to the physical, physiological or behavioral characteristics of a natural person which uniquely identify or confirm the identity of that person, such as facial images or dactyloscopic data;
"Health data" means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about the state of health of that person;
"Specimen Signature" means the Client's handwritten signature on documents used in his relationship with the Bank and/or the Client's signature captured by an electronic device (SignaturePad), made available to the Bank as a specimen signature;
"Beneficial owner" according to Art. 4 para. 1 of Law no. 129/2019 for the prevention and combating of money laundering and terrorist financing, as well as for amending and supplementing certain normative acts, is any natural person who ultimately owns or controls the customer and/or the natural person on whose behalf a transaction, operation or activity is carried out and includes at least the categories of natural persons referred to in Art. 4 para. 2 of this normative act;
"Publicly exposed person" according to Art. 3 para. 1 of Law no. 129/2019 on preventing and combating money laundering and terrorist financing, as well as amending and supplementing certain normative acts, are natural persons who exercise or have exercised important public functions and includes at least the categories of natural persons referred to in Art. 3 para. 2 of this normative act.

BANCA TRANSILVANIA S.A. is a credit institution, legal person Romanian, registered at the Cluj Trade Register Office under the number J12/4155/1993, having the unique registration code no. RO5022670 and the following contact details: registered office address George Barițiu Street Nr. 8, postal code 400027, Cluj-Napoca, Cluj County, Romania Tel: 0801 01 01 0128 (BT) - callable from Romtelecom network, 0264 30 8028 (BT) - callable from any network, including international, *8028 (BT) - callable from Vodafone and Orange networks, e-mail address: contact@bancatransilvania.ro, website www.bancatransilvania.ro.

The Bank has over 500 units - branches, agencies, work points in Romania, as well as banking units operating in Italy.

Our official website is www.bancatransilvania.ro (hereinafter referred to as the "BT's website").

The Bank also manages other internet pages, the updated list of which you can consult here: https://www.bancatransilvania.ro//site-uri-bt.pdf

Banca Transilvania SA is the parent company of the BT Financial Group (hereinafter referred to as the “BT Group”), which also comprises the following subsidiaries of the Bank: BT Microfinanțare IFN SA (" BT Mic"), BT Asset Management S.A.I. S.A., ( "BTAM"), BT Leasing Transilvania IFN S.A. ("BTL"), BT Direct IFN S.A. ("BTD"), BT Capital Partners S.S.I.F. S.A.("BTCP")

C. What are the categories of personal data that BT processes, who belong to and what are the purposes they are used for?

Within its banking activity, Banca Transilvania processes different categories of personal data, depending on the data subjects’ relationship to BT. The purposes for which we process these data are also directly dependent to the way that different categories of data subjects relate with BT.

Based on the bank- client relationship, we present distinctly below how BT processes personal data:

a. Who is a BT customer?

“BT customer” or “Customer” means any of the below mentioned categories of data subjects:

residents or non-residents, holders of at least one account with the Bank (also referred to as "account-holding individual customer") or who complete the dedicated forms to acquire this status;
the legal or contractual representatives of Customers who are individuals or legal entities account holders, including Customers such as authorized individuals;
individuals authorized to perform operations on the accounts of BT individual/legal entities account holders;
the real beneficiaries of the Clients, natural or legal persons, BT individual account holders;
persons entitled to deposit bank documents, to withdraw account statements and/or to deposit cash on behalf and for the account-holding natural or legal person Customers (also known as "delegates");
any other individuals who are users of a product/service of the bank, who are neither account holders, nor legal representatives, authorized representatives, delegates or beneficial owners, such as, but not limited to: users of additional cards, users of internet services/mobile banking, users of mobile payment applications offered by the bank, individuals with account manager’s securities records opened with the bank, BT meal tickets users);
guarantors of any kind of the payment obligations assumed by the individuals/ legal entities account holders;
persons who request the bank to open a contractual relationship and/or contracting a specific product/service of the bank, even if this request is rejected;
the legal or conventional successors of the aforementioned.

We remind you that complete details, in printable format, about the processing by BT of the data of its regular customers – BT Customers – can also be found in the General Information Note on the processing and protection of personal data belonging to BT Customers

b. Purposes for which we process personal data of BT customers

Upon case, if you are a BT customer, we shall process your personal data as follows:

verifying the identity of individuals, in order to prevent money laundering and terrorism financing, as well as to confirm their quality as BT customers;

The identity verification is performed when establishing and during the performance period of a business relationship, when ordering any transaction or when they request certain information or when carrying out operations such as, but not being limited to: information about bank accounts, submission/transmission of any requests/notifications, handing out debit/credit cards, tokens, expressing options, contracting products/services of the bank, accessing some services of the bank already contracted, but also during the telephone calls initiated by the Customers or by the bank.

In the units of the bank, the identity is verified based on the valid identity documents, which must be presented in original, whereas for the online and the telephone calls initiated by the client or by the bank, the verification is performed by requesting to supply and by validation of the information already registered in the records of the bank in relation to that customer.

applying the know your customer (KYC) rules in order to prevent money laundering and financing of terrorism, including risk-based verification. Applying the KYC rules involves both verification of identity and processing of personal data required by law, both at the moment of becoming a customer (data collection), for the entire time this quality is held (updating the data), as well as thereafter, for the period of time legally established after the moment of ending the quality of customer (data storage and processing for the purposes permitted by law);
- For details on the processing of personal data for the purpose of KYC please visit the following link: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-in-scop-KYC.pdf
assessing the solvency, reducing the credit risk, determining the degree of indebtedness of the Customers interested in personalized offers in relation to the bank's credit products or in contracting these types of products (credit risk analysis);
- For details on the processing of personal data for the purpose of analyzing a loan request submitted to Banca Transilvania S.A., please visit the following link: https://www.bancatransilvania.ro/Nota-de-informare-privind-prelucrareadatelor-cu-caracter-personal-in-scop-analiza-cerere-credit-BT.pdf
the conclusion and performance of contracts between the bank and the Customers, related to products and services offered by BT in its own behalf (such as, but not limited to: debit/credit cards, deposits, credits, internet and mobile banking, SMS Alert);
- For details regarding the processing of personal data upon the execution and during the performance of a loan agreement (card or non-card) concluded with the Banca Transilvania S.A. please visit the following link: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-in-contextul-incheierii-executarii-unui-contract-de-credit-BT.pdf
- For details regarding the processing of personal data within the BT Paymobile application, visit the following link: https://www.bancatransilvania.ro/wallet-bt-pay/politica-de-confidentialitate-ro/
For details regarding the processing of personal data within the Self Service Livia from BTservice, please access the following link: https://www.bancatransilvania.ro/files/self-service-livia-de-la-bt/nota_informare_prelucrare_date_caracter_personal_serviciu_livia_de_la_bt.pdf
>For details on the processing of personal data within the BT Visual Help service, please access the following link: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-in-cadrul-BT-VISUAL-HELP.pdf
the conclusion and performance of contracts related to occasional transactions, as well as, but not being limited to: deposits of cash amounts made by Customers at the counters or by using the devices from the bank units, if the amounts are deposited in the bank accounts on which the respective Customers do not have operating rights (they do not have the quality of account holder, authorized, delegated person on those accounts), money transfer services, foreign currency exchanges;
- For details on the processing of personal data for the purpose of depositing cash please visit the following link: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-depunere-sume-in-numerar-clienti-ocazionali-BT.pdf
settlement of transactions;
establishing the garnishments, recording the amounts garnished to the creditors and providing answers to the enforcement bodies and/or the competent authorities, according to the legal obligations of the bank;
monitoring of persons security, spaces and/or bank’s assets or the units’ visitor;
- Details about the video surveillance data processing can be found here: https://www.bancatransilvania.ro/supraveghere-video/
- Details about the processing of visitors data for access in some BT units can be found here: www.bancatransilvania.ro/monitorizare.pdf
the preparation and submission of reports to the competent authorities, authorized to receive them in accordance with the legal provisions governing BT’s activity (e.g. payment incident reports to the Office of Payment Incidents within the National Bank of Romania-NBR, declaring the transactions that exceed the amount established by the National Office for Prevention and Control of Money Laundering);
conducting analyzes and the keeping of records for the Bank’s economic, financial and/or administrative management;
management within the internal departments of the services and products provided by the bank;
assessing and monitoring the financial-commercial behavior during the performance of the business relationship with the bank, in order to detect the unusual and suspicious transactions, according to the KYC legal obligations the bank is subject to, in order to prevent money laundering and financing of terrorism;
debit collection and recovery of receivables registered by the customers;
preventing the gaining or regaining of the “Customer” quality, by persons having an inappropriate behavior, which is likely to prevent the performance of a prudent banking activity, according to the legal obligations that the bank has;
defending the bank's rights and interests, the resolution of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests.
proving the requests/agreements/options regarding certain issues requested/discussed/agreed upon during telephone calls initiated by the Customers or by the Bank, by recording the issues discussed and, where appropriate, audio recording of the telephone calls or, where appropriate, audio-video recording;
informing the Customers about the products/services held by them with the bank, for the purpose of proper execution of the contracts (such as, but not limited to, account or card statements, information on the opening hours of the bank's units, information about the insertion of garnishments on accounts, notifications about the existence of unauthorized debits or arrears, information about the approaching termination date of a certain product/service held, information about improvements or new facilities offered in connection with the product/service held);
sending marketing messages, if the Customers have consented to receive such messages on the documents available in the bank’s units, on its web page or within certain online services;
collecting the opinions of the Customers regarding the quality of the services / products / employees of BT (assessment of the services’ quality);
the Customers’ financial education;
conducting internal analyses (statistics included) both with regard to products/services and the client profile and portfolio, for an ongoing improvement of the products/services, as well as market researches, market analysis, customer satisfaction analysis for the Bank’s products/services/employees;
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
fraud prevention;
calculation of the fees to which certain categories of bank employees are entitled to.

c. Categories of personal data belonging to BT Customers, processed upon case

identity details: name, surname, alias (if applicable), date and place of birth, national identification number (romanian “cod numeric personal”-CNP) or another unique similar identification element (another unique identification element is allocated by the bank to the Customers who are nonresidents and this is represented by a code consisting of a sequence of figures referring to the year, month, day of birth and the number of the identity document), serial number of the national or international document/passport (ID document), as well as a copy the ID document, domicile and residence address;
contact details - correspondence address (if applicable), telephone number, fax number, e-mail address;
citizenship;
information about the purpose and the nature of the business relationship;
financial data (such as, without being limited to: transactions, including about the amount of expected transactions);
fiscal data (country of fiscal residence);
profession, job, name of employer or nature of the individual activity (if applicable),
information about the important public position held - if applicable - and the political opinions (exclusively in the context of obtaining information related to the quality of the politically exposed persons- PEP);
the quality, the social parts/shares and, as the case may be, the powers of attorney held within legal entities;
information on the family status (including marital status, number of children, number of dependents),
information on the economic and financial status (including data on income, data on banking transactions and their history, data on owned assets, as well as data on the payment behavior);
the image (contained in the identity documents or caught by the video surveillance cameras installed in the bank's units, on the BT equipment, as well as in certain audio video recordings, as the case may be);
the voice, within the calls and recordings of the audio or video calls (initiated by the customers or the bank);
age, to verify the eligibility to contract certain products/services/offers of the bank (e.g. credit products, products dedicated to under-age individuals, etc.);
opinions, expressed through notices/complaints or during conversations, including phone, regarding products/services/employees of the bank;
signature (including within signature samples);
biometric data (such as, but not limited to the situation of illiterate or visually impaired persons, to whom the fingerprint can be processed);
identifiers, including identifiers allocated by Banca Transilvania or other financial-banking or non-banking institutions, necessary for the provision of services, such as, but not limited to: the BT Customer Code (BT CIF), transaction identifiers, IBAN codes attached to bank accounts, debit/credit card numbers, card expiration date, contract numbers, codes and operating system type of mobile phones or other devices used to access mobile banking services/mobile payment applications, as well as the IP address of the device used to access these services. Mobile phone codes, operating system type and IP addresses shall be processed exclusively for the purpose of providing security measures for transactions carried out through these services in order to prevent fraud;
data regarding the health status, only if the processing of such data is necessary for the customers to prove the difficult situation in which they or the members of their families are, in order to provide facilities or in the context of providing/ performing the insurance products/services brokered by the bank.
for credit products: type of product, term of credit, date of credit, due date, amounts and credits granted, amounts owed, account status, date of account closure, currency of credit, frequency of payments, amount paid, monthly installment, name and address of employer, amounts owed, amounts overdue, number of installments overdue, due date of overdue installments, number of days overdue in repayment of credit. These data shall be processed both in the bank's own records and - where applicable - in the Credit Bureau system and/or other such records/systems;
information regarding fraudulent / potentially fraudulent activity, consisting of data regarding accusations and convictions related to crimes such as fraud, money laundering and financing of terrorist acts;
information related to crimes and offences committed in the financial-banking sector, in the direct relation with Banca Transilvania S.A., backed by final and irrevocable court decisions, as applicable, or by uncontested administrative deeds;
information regarding the location of certain transactions (implicitly, in case of operations at the ATMs or POS belonging to the Banca Transilvania);
data and information related to the products and services offered by the bank or its collaborators, which the data subjects use (such as, but not limited to, credit, deposit, insurance products);
any other personal data belonging to the Customers, which are made known to the bank in various contexts by other Customers or by any other persons.

a. Who is/in what situations we process your data as an BT walk-in client?

"BT Occasional Customer" is an individual who orders the following types of transactions at BT counters or through BT equipment:

cash deposits ordered by walk-in clients to third party accounts opened with BT, when the depositor is neither the account holder, nor has any operating rights on that specific BT account (you act as a BT walk-in client whenever you order such cash deposits even if you are a BT customer as well);
FX exchange;
Western Union (WU) money transfers;
payment of utility bills;
payment of different instalments of insurance premiums;
cashing dividends or other types of cash amounts;
cash withdrawals from BT equipment with cards issued by other banking institutions or payment.

The specific Privacy notice on the processing of personal data for the purpose of cash deposits can be found here https://www.bancatransilvania.ro//Politica-privind-prelucrarea-si-protectia-datelor-cu-caracter-personal-versiune-valabila-in-perioada-15-08-2019-30-09-2019.pdf

We process your personal data as a BT walk-in client whenever you make transactions of the type listed above, even if you are also a regular BT Customer of the bank.

b. Purposes for which we process personal data of BT walk-in clients

When you act as BT walk-in client, your data is processed, upon case, for the following purposes:

to verify your identity in order to prevent money laundering and terrorism financing; For the occasional transactions initiated over the counter in BT units, for your identity to be verified you will have to present your original, valid ID document, and, in the case of banking operations you initiate throughBT equipment your identity shall be verified via other information existing in the bank’s evidence.
applying the know your customer (KYC) rules in order to prevent money laundering and financing of terrorism, including risk-based verification;
evaluating and monitoring the financial-commercial behaviour to detect unusual and suspicious transactions, according to the legal KYC obligations in order to prevent money laundering and terrorism financing;
concluding and signing the agreements related to occasional transactions;
settlement of transactions;
the preparation and submission of reports to the competent authorities, authorized to receive them in accordance with the legal provisions governing BT’s activity (such as, but not limited to payment incident reports to the Office of Payment Incidents within the National Bank of Romania - NBR, declaring the transactions that exceed the amount established by the National Office for Prevention and Control of Money Laundering);
conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
management within the internal departments of the services and products provided by the bank;
defending the bank’s rights and interests in court, the resolution of disputes, investigations or any other petitions/ complaints/requests in which the bank is involved;
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
monitoring/security of persons, premises and/or property of the bank or visitors to its premises;
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
prevention of fraud.

c. Categories of personal data belonging to BT walk-in clients, processed upon case

The following categories of personal data belonging to BT walk-in clients may be processed, upon case:

identification data - name, surname, national or international identity card/passport number and serial number, personal identification number (CNP) or other similar unique identifier, such as CUI for authorized individuals or CIF for self-employed individuals (e.g. another unique identification element is assigned by the bank to customers falling into the "non-resident" category and is represented by a code consisting of a sequence of digits consisting of the year, month, day of birth and the number of the identity document, whole or truncated), home address and - in some cases provided for by law - including a copy of the identity document (usually for cash deposits, foreign exchange, money transfer services above a certain amount or which show indications of suspicion);
details regarding the amount of the transaction and explanations on the nature of payment (what does the payment stand for);
the transaction identifier;
signature;
contact details - phone number and/or e-mail address for cash depositors who are not BT customers and who wish to provide these contact data to be notified in case the transaction is cancelled);
the image (from the identity document, if it is necessary to keep the copy of the ID document, or, as the case may be, caught by the video surveillance cameras);
information regarding the location of certain transactions (by default, in case of banking operations initiated through BT equipment).

a. Who is an individual connected to a BT loan applicant?

They are natural persons related to and forming the same group as the applicant for a credit* (also referred to as the 'applicant' or 'borrower'), any of the persons indicated in the table below:

*A credit applicant is a natural or legal person who applies to BT for credit.
A credit applicant includes the spouse/life partner/life partner/co-borrower/guarantor of the main credit applicant.

The husband/wife/life partner of the loan applicant together with the companies that he/she controls or manages
Other close members of the applicant's family together with the companies over which they control or manage, in so far as a relationship of: direct or indirect control/dominant influence/economic dependence exists between them and the applicant for credit or between the companies they control/manage
The legal entities where the loan applicant exercises direct or indirect control through any of the following:
- Holding at least 50% of the shares/ shares;
  and/or
- Ability to get a majority of votes in the AGA
  and/or
- Has the power to appoint/revoke the majority of the supervisory and/or management body
The legal entities where the loan applicant is a director
The legal entities where the loan applicant is the General Manager, respectively a director of foundations /associations/ public bodies
Parent companies/subsidiaries of companies under 3 and 4;
Companies controlled by companies under 3 and 4.
Directors and persons exercising directly or indirectly the control in legal entities mentioned at points 3, 4 and 6, except for the ones previously mentioned
The natural and/or legal person who guarantees with his/her goods (including with the income of the co-debtor/guarantor) the loan requested by the loan applicant, if the execution of these guarantees would impair it in such a way as to jeopardize its payment capacity. *The loan applicant is an individual or legal entity applying for a BT loan. Is also considered to be an loan applicant his/her, wife/husband/life partner/co-debtor/guarantor.

b. Purposes for processing personal data belonging to individuals who are connected to a BT loan applicant/debtor

If you are such a person, BT processes your data, upon case, for the following main purpose:

solvency assessment, credit risk diminishment, determining the indebtedness degree of loan applicants interested in personalized offers related to BT loan products or the commitment of this type of products (credit risk analysis);

In the context of analyzing the credit application of a natural or legal person applicant, Banca Transilvania S.A. also processes your personal data, if you include yourself in any of the categories of natural persons indicated in the table above (who are part of the borrower group), as the bank is subject to legal obligations to determine and analyze its exposure to groups of connected customers as part of the credit risk analysis.
Also, as a reporting person, the bank will report these exposures and the composition of the debtor groups of connected customers to the NBR, Credit Risk Center (only where applicable).
This data of yours is necessary for the bank to be able to proceed with the analysis of the credit application/request, and refusal by the credit applicant (or you) to provide it or to have it processed may result in the bank being unable to analyze and/or approve the credit.

Your personal data are transmitted/disclosed, upon case, to the Credit Risk Register within the NBR, and, as the case may be, in compliance with the need-to-know principle, to entities from the BT Financial Group and/or to the service providers used by the bank for the process of analyzing the loan applications.

The data retentionwithin the bank's records is equal to that of the existence of a group/groups of connected debtors.

Other related purposes to the main one indicated above, in which we process your data are, as the case may be, the following:

identity verification, including for validate/invalidate your quality of BT customer;
the preparation and submission of reports to the competent authorities, authorized to receive them in accordance with the legal provisions governing BT’s activity (such as, but not limited to: The Credit Risk Register within the NBR);
conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
management within the internal departments of the services and products provided by the bank;
defending the bank's rights and interests, the resolution of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
prevention of fraud.

c. Categories of personal data belonging to an individual connected to a BT loan applicant/debtor, processed upon case

identity detail - name, surname, personal identification number (romanian cod numeric personal CNP/NIN);
the quality, the social parts/shares and, as the case may be, the powers of attorney held within legal entities part of the loan applicant’s/debtor’s group;
as the case may be, other data in the bank's records or publicly available, that need to be processed by the bank for the fulfilment of the main purpose regarding the credit risk analysis.

a. Who is the signatory/contact person acting on behalf of a BT contractual partner?

The signatories are usually, the legal representatives or other representives of BT’s contractual partner, designated to sign the agreements concluded between the bank and that certain contractual partner (regardless of whether the contractual partner is a BT legal entity account holder or just a service provider, collaborator, supplier of goods contracted by the bank);
The contact persons are individuals appointed by the contractual partner to communicate with the bank for the proper contractual performance, even if their data are mentioned or not in the contract.

b. Purposes for processing personal data belonging to signatories/contact persons acting on behalf of BT contractual partners

If you are a signatory/contact person of any contractual partner of the bank, we process your personal data, as the case may be, for:

the conclusion and proper contractual performance of the agreement concluded between BT and that certain contractual partner (usually this is your employer), as well as for other purposes, in close connection with the conclusion and proper performance of the agreement, respectively:
the preparation and submission of reports to the competent authorities, authorized to receive them in accordance with the legal provisions governing BT’s activity;
conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
defending the bank's rights and interests, the resolution of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
fraud prevention;

c. Categories of personal data belonging to signatories/contact persons acting on behalf of BT contractual partners, processed upon case

We usually process the following categories of personal belonging to you, as the case may be:

For signatories:

identity details - name and surname;
position held within the BT contractual partner;
signature.

For the contact persons:

identity details - name and surname;
contact details - telephone number (work number) and/or e-mail address (work e-mail address);
position held within the BT contractual partner.

The privacy notice dedicated to signatories and contact persons acting on behalf of BT's contractual partners can be found here: https://www.bancatransilvania.ro//Nota-de-informare-privind-prelucrarea-datelor-cu-caracter-personal-semnatari-persoane-de-contact-pentru-partener-contractual-BT.pdf

a. Who is a BT shareholder and/or a BT obligor or a person whose data we process in relationship with our shareholder/obligor?

BT shareholder - you are a BT shareholder if you own shares issued by Banca Transilvania S.A., as a natural person or as a legal entity;
BT Bondholder - you are a BT Bondholder if you are an individual or a legal entity holding bonds issued by Banca Transilvania S.A.;
Individuals whose data we process, as a rule, in relation to those of BT shareholders/obligors- legal or conventional representatives of BT shareholders/obligors, persons holding jointly shares/bonds, successors of BT shareholders/obligors.

b. Purposes for processing personal data belonging to BT shareholders/BT obligors or to other persons in relation with the BT shareholders/obligors

If you are a BT shareholder and/or a BT obligor or a person whose data we process in relationship to the BT shareholders/obligors, we shall use your data, upon case, as follows:

to verify your identity in order to confirm or not your quality of shareholder/obligor of the bank, another quality in relationship with the BT shareholders/obligors;
fulfilling the specific legal obligations and activities that derive from the BT’s issuer quality (e.g. organization of GMS, shareholder services, specific communications for investors);
establishing the garnishments, recording the amounts garnished to the creditors and providing answers to the enforcement bodies and/or the competent authorities, according to the legal obligations of the bank;
the preparation and submission of reports to the competent authorities, authorized to receive them in accordance with the legal provisions governing BT’s activity;
conducting analyses and the keeping of records for the bank’s economic, financial and/or administrative management;
management within the internal departments of the services and products provided by the bank;

defending the bank's rights and interests, the resolution of disputes, investigations or any other petitions/complaints/requests in which the bank is involved;
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
proving evidence for the requests/agreements/options regarding certain aspects requested/discussed/agreed, including the telephone calls initiated by you or by the bank, by recording the discussed issues and, as the case may be, the audio recording of the telephone calls, or, audio video recording;
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
prevention of fraud.

c. Categories of personal data belonging to BT shareholders/obligors/other persons in connection with the latter, processed upon case

If you act as a BT shareholder and/or obligor, or another related person, we usually process, the following personal data categories:

identity details – name and surname, personal identification number (romanian cod numeric personal- CNP/ NIN), the series and number of the national or international identity document/passport (ID document), the postal address and, as the case may be, the copy of the ID document (for the identification of the shareholders in order to issue shareholder certificates or records for the shares they hold with BT);
citizenship;
fiscal data (country of fiscal residence);
information about the economic and financial situation, regarding the assets held - number of BT shares and/or bonds, including the history of the ownership of these assets;
the quality, the social parts/shares and, as the case may be, the powers of attorney held within legal entities;
signature (on the bank’s applications);
telephone number, e-mail address, correspondence address, depending on the communication channel selected in the requests addressed to the bank.

a. Who is a visitor of the BT units and/or user/visitor of BT equipment?

Is an Visitor of BT unit - any individual visiting the bank's units (including its administrative buildings) is a visitor of the BT units, regardless if they perform banking operations or not.
Is an User/visitor of BT equipment - any individual using or standing in front of a BT equipment (ATMs, BT Express, BT Express Plus, etc.), regardless if these equipments are placed inside the BT units or in other locations, regardless if the user/visitor is a BT customer, BT walkin client or any other third party, regardless any banking operations are initiated or if the banking operations initiated through the BT equipment are finalized or not.

b. Purposes for processing personal data belonging to visitors of BT units and/or users/ visitors of BT equipment

The bank processes your personal data, as appropriate, for:

monitoring of persons security, spaces and/or bank’s assets or the units’ visitor;
- Details about the video surveillance data processing can be found here: https://www.bancatransilvania.ro/supraveghere-video/.
- Details regarding visitors’ data processing for the granted access in BT units, can be found here: www.bancatransilvania.ro/monitorizare.pdf
- transactions initiated through the BT equipment;

as well as for other related purposes related to the main purposes indicated above, respectively:

verification of identity, as appropriate, if necessary for your identification at the request of the competent authorities or where the bank has a legitimate interest;
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
prevention of fraud.

Regarding the video surveillance, as well as the processing of the data for granting access into certain BT units, the data subjects are informed, including by specific icons and/or specific privacy notices displayed at the entrance into the bank units and respectively on BT equipment.

c. Categories of personal data belonging to visitors of BT units and/or to users/visitors of BT equipments, processed upon case

If you visit the bank's units (including its administrative buildings) and/or use/visit the BT equipment, the bank will process, as appropriate:

your image, as it is captured by the video surveillance cameras installed;
any data required to perform the banking operations initiated through BT equipment or other related purposes (e.g. time spent in units/at BT equipment).

Also, in order to give you access into certain BT units, the security personnel will need to identify you with your original, valid ID document and will insert in special hardcopy registers, the following data concerning you:

identity details - name, surname, the series and number of the national or international identity document/passport (ID document).

a. Who is a visitor of the BT websites/social media pages?

It is a visitor of the BT websites/social media pages any individual who accesses any of the BT's portfolio websites/social media pages has this quality;

b. Purposes for processing personal data belonging to visitors of BT websites/social media pages

Through cookies or other similar technologies, the bank processes your data whenever you visit a BT websites for the purposes described in the cookie policies of each of our websites, as well as within the banners and cookies setting centers.

For the website www.bancatransilvania.ro the Cookies policy found at the following link: https://www.bancatransilvania.ro/politica-de-utilizare-a-cookie-urilor/

If, within the BT websites, you enter your data in the form of notifications/requests/complaints, applications for products/services/campaigns of the bank, subscription to newsletters in various fields, we process the data filled in such forms, as the case may be, for:

taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
proving evidence for the requests/agreements/options regarding certain aspects requested/discussed/agreed, including the telephone calls initiated by you or by the bank, by recording the discussed issues and, as the case may be, the audio recording of the telephone calls, or, audio video recording;
collecting your opinion in regard to the quality of the services/ products/employees of BT (assessment of the services’ quality);
performance of internal analysis (including statistics);
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT and of the premises in which the bank operates its activity;
prevention of fraud.

Please take into consideration that subscription or unsubscription of any e-mail address entered by you in forms/fields of type/with the name “newsletter”, available on the BT websites to receive informations from various areas of interest is managed by the online forms (subscribing) and from unsuscribing links from the content of the messages received following the subscription (unsubscribe).

We also inform you that subscribing/unsubscribing to/unsubscribing from/to the "newsletters" you opt for on the BT websites does not influence the options regarding the processing of your data for advertising purposes filled in the forms available in the bank's branches or on the BT website (the online form found at the following link: https://www.bancatransilvania.ro/gdpr/ is available only to BT Customers for expressing marketing options in the context of their contractual relationship with the bank).

c. Categories of processed personal data for the visitors of BT websites/social media pages

If you are a visitor of BT website the bank will collect the following categories of personal data:data processed through cookies;

data processed through cookies;
IP Address:
data about the equipment used to access the website.

Also, in the documents available on websites the bank collects, as appropriate:

identity details - name, surname, and, in some cases, only with the consent of the data subjects, the national identification number (CNP);
contact details-e-mail address and/or telephone number.

Please note that BT's websites may contain links to websites whose privacy/personal data processing policy is different from that of BT. Persons who send personal data to any of these websites must be aware that they fall under the privacy/processing policy of those websites, that we recommend to be read. BT's policy on the processing and protection of personal data does not apply to the information provided on those websites, BT has no control over the processing of personal data that the providers of these websites carry out for their own purposes and assumes no liability for these processing.

If you visit any of BT’s social media pages and insert comments, images, opinions and/or value statements to our posts, we will usually process:

your user name on the respective ocial media platform;
the opinions you insert;
images you insert.

In some cases we might ask you to provide – usually when you participate in different contests/campaigns or when you insert comments through which you complain about BT’s banking activity or you ask about any aspects in regard to our activity - other information to help us identify you and/or the situation you bring to our attention and that permit us to send to you an answer to your request. Generally, we might ask you to provide further information regarding:

details on the situation that you bring to our attention;
identity details – usually name, surname;
identifiers: upon case, BT client ID (CIF BT), IBAN;
contact details: upon case, e-mail address and/or telephone number.

When you provide such personal data through the social media platform, we will process them for the above mentioned purposes in this section. For the security of your personal data, please do not insert such data in public posts on our social media platforms.

Please bear in mind that whenever you insert images of yourself or belonging to other individuals or when you “tag” other individuals in the bank’s social media pages, you give your consent to the processing of your data by BT and, respectively you guarantee to us that you have obtained the similar consent of the individuals they belong to.

Last but not least, we inform you that any personal data that you insert in BT’s social media pages will also be processed by the providers of the social media platform and thus they will also fall under the provisions of the privacy policy of that respective platform. BT has no control over the way the providers of these platforms process your personal data for their own purposes and we hold no liability for such processing.

a. Who is a BT prospect?

You may be a “BT prospect” if you have requested, in the bank units, through the BT websites or through some contractual partners of BT, information on BT products/services, you have started contracting them without completing this action or you have been registered in various campaigns organized by the bank.

b. Purposes for processing personal data belonging to BT prospects

If you are a BT prospect, we process your data, upon case, for the following purposes:

verifying your identity, in order to confirm/infirm your quality of BT customer;
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
proving evidence for the requests/agreements/options regarding certain aspects requested/discussed/agreed, including the telephone calls initiated by you or by the bank, by recording the discussed issues and, as the case may be, the audio recording of the telephone calls, or, audio video recording;
collecting your opinion in regard to the quality of the services/ products/employees of BT (assessment of the services’ quality);
performance of internal analysis (including statistics);
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT;
fraud prevention;
calculation of the fees to which certain categories of bank employees are entitled.

c. Categories of personal data belonging to BT prospects, processed upon case

If you are a BT prospect, as the case may be, the bank usually processes the following personal data concerning you:

identity details- name, surname, and, in some cases, only with the consent of the data subjects or if the bank justifies with a legitimate interest, the personal identification number (romanian cod numeric personal – CNP);
contact details-e-mail address and/or telephone number.

a. Who is a BT candidate?

You are a candidate for positions available at BT or for internships organized by BT if you have sent to the bank or if the bank has received your CV to be used for recruiting purposes - directly from you or through/from other natural or legal persons - or if you have have brought to our knowledge, in any other way, that you are interested in obtaining certain positions in BT/ participating in BT internships.

b. Purposes for which we process personal data of BT candidates

The bank processes your personal data, as appropriate, for:

recruitment for the position/positions or, as the case may be, for the internship you wish to obtain/participate in within the bank, as well as for purposes closely related to this activity, such as:
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
proving evidence for the requests/agreements/options regarding certain aspects requested/discussed/agreed, including the telephone calls initiated by you or by the bank, by recording the discussed issues and, as the case may be, the audio recording of the telephone calls, or, audio video recording;
performance of internal analysis (including statistics);
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT;
prevention of fraud.

If you apply for only one of the vacant positions/internships in BT, your personal data shall be processed by the bank only within the recruitment process for the respective position, and shall be erased upon the completion of that respective recruitment process.

If, instead, you choose to be contacted generally for vacancies/internships in BT, the bank will keep your data and use it for recruitment purposes for a period of 1 year, which may be extended with your consent.

References from previous employers or from professors may become relevant during the recruitment process. If the bank needs this kind of personal data, it will contact you to ask for your consent to obtain these references on your behalf. If you do not give your consent in this regard, you will need to obtain these references yourself if you want to continue the recruitment process.

c. Categories of personal data belonging to BT candidates

To those individuals interested in applying for positions available at BT or in attending the internships programs of the bank, the bank usually processes the following categories of personal data, as indicated in the CV submitted to/transmitted to the bank:

identity details- name, surname;
the age, to verify your eligibility to become an employee or, where applicable, to participate in certain interships of BT;
contact data: e-mail address, phone number;
data on studies and professional experience;
any other relevant data from the CV.

a. Who is/when do we process your personal data as a BT petitioner?

You are such of person if you address to BT any request, on any channel, whether you are a BT customer, an BT walk-in client or you belong to any other category of individuals.

b. Purposes for which we process personal of BT petitioners

Depending on the situation and the relationship you have with the bank, when submitting a request, the bank processes your personal data for the following purposes:

verifying your identity, including in order to confirm/infirm your quality of BT customer;
taking measures/providing information or answers to the requests/claims/complaints of any nature addressed to the bank by any person or by legal authorities or institutions, including electronic communication and internet requests;
proving the requests/agreements/options regarding certain aspects requested/discussed/agreed upon via the telephone calls initiated by you or by the bank, by taking notes of the discussed issues and, as the case may be, the audio recordings of the telephone calls;
collecting your opinion in regard to the quality of the services/ products/employees of BT (assessment of the services’ quality);
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT;
fraud prevention;
calculation of the fees to which certain categories of bank employees are entitled.

c. Categories of personal data belonging to BT petitioners, processed upon case

In order to register, confirm the receipt, analyze, formulate and send answers to any requests/notifications/complaints you send to the bank, we process the following categories of personal data:

identity details - name, surname and any other data from this category that BT petitioners make available to the bank or data that BT needs to process to verify the identify of the BT petitioner in order to prevent disclosure of confidential information (including personal data) to persons who are not allowed to receive them;
contact details – correspondence address, e-mail address, phone number;
voice, from the phone calls as well as from phone call recordings (initiated bypetitioners or by the bank in connection with the petitions);
depending on each case, any other information that the bank is aware of and which are necessary for analyzing the requests.

a. Who is/when do we process your personal data as a BT third party?

Usually, you belong to this category of data subjects if different categories of personal data concerning you are brought to the bank’s knowledge by the BT customers or by the walk-in BT clients in the context of their relationship with BT or by any other person. We process your data in this context as a third party, even if you have your own direct relationships with BT (e.g. a BT loan applicant provides us with the contract of purchase and sale of the building in which you are listed as seller. In this case, the data concerning you in this contract will be processed by the bank given your quality of thirdparty individual, even if you are in fact a BT customer and the bank processes your data for other purposes, specific to the contractual relationship you have established with the bank).

Thus, as an example, we will process your data as BT third party, if you belong any of the following categories of individuals:

family members of a BT customer or BT employee - it is possible that, in certain circumstances, Customers may provide us with data relating to members of their family, especially in the context of formulating and analyzing a credit application or credit agreement.
Also, BT employees may provide us with data relating to family members in various contexts related to their employment relationship with us (e.g. minor children of employees, other family members of BT employees);
non-customer payers: individuals who are clients of other institutions that provide payment services and who order transfers to the customers' accounts opened with BT (interbank transfers ordered by clients of other payment institutions to BT account holders) - it is necessary to process the data of these data subjects to provide the payment services and to fulfill our legal obligations;
beneficiaries of non-customer payments: individuals who are customers of other payment service institutions, to the accounts of which BT customers order transfers (interbank transfers ordered by BT customers towards customers of other payment service institutions) - it is necessary to process the data of this category of idividuals to provide the payment services and to fulfill our legal obligations;
individuals mentioned in the payment details/explanations in apayment order submitted/transmitted/receivedto BT -the completion of the fields related to the explanations/details of a payment is mandatory according to the legal provisions in the field of prevention of money laundering and terrorist financing. In accordance with the principle of data minimization, personal data should be inserted in these fields only when absolutely necessary and only data that is strictly necessary;
authorized persons (other than the ones who are usually authorized to initiate transactions on the accounts of the BT individual/legal entities account holders) to initiate on behalf of a BT customer specific operations – banking or non-banking ones-through the channels offered by BT (e.g. telephone payment instructions);
natural persons whose data are mentioned on various documents made available to the bank - if a BT customer, BT occasional customer or any person with whom the bank interacts submits to the bank various documents, in different situations (e.g. certificates or documents of any type containing personal data of the signatories or, where appropriate, of other persons mentioned in the documents) the bank will process these data taking into account the need to keep these documents, even if it may not need to process the data in any other form than their storage;
persons in relation to whom BT receives information requests from various institutions and/or public authorities, from notaries, lawyers, bailiffs (judicial executors) etc.;
persons participating in various events or actions of social responsibility organized by the bank, whose data is necessary to be processed in order to ensure the logistics of the events;
any other category of individuals whose personal data are made available to us by any person with whom the bank interacts or whose data otherwise enter into the bank’s possession.

b. Purposes for which we process personal data of BT third parties

The bank processes your data as a third parties according to the purpose it needs in our relationship with the person who provided it to the bank, as well as for the following related purposes:

performance of the employment relationship with BT employees, where applicable;
performance or risk controls regarding the bank’s processes and procedures, as well as the performance of audit activities or investigations;
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT;
prevention of fraud.

c. Categories of personal data belonging to BT third parties, processed upon case

The most common categories of personal data that we process if you are a BT third party, by way of example:

identity details: - name, surname, personal identification number (romanian cod numeric personal- CNP);
relationship between you and a BT customer or employee, upon case;
position held within a legal entity;
signature;
any other data that is made available to us by any person we interact with in our activity.

a. Who can be an individual who has expressed his/her options regarding the processing of personal data for marketing purposes (as the case may be, consent or refusal)

Currently, any of the following categories of data subjects are individuals who have expressed their consent at BT for the processing of their personal data for marketing purposes:

BT customers, BT walk-in clients or any third party who have given this consent on the dedicated BT form used in the BT units as of 12.03.2018 and on the BT website www.bancatransilvania.ro (online form is only available to BT customers, to the following link: https://www.bancatransilvania.ro/gdpr/ starting with May 2018;
BT customers, BT walk-in clients or any third party who have given this consent on the forms used in the bank's activity prior to 12.03.2018 and have not modified/withdrawn this consent meanwhile, neither following the notification sent by the bank in May 2018 on this possibility, nor on their own initiative.

Currently there are individuals who have refused to have their personal data processed for marketing purposes BT Customers, BT walk-in clients or any third party who have refused to have their data processed for this purpose from the start, as well as individuals who have withdrawn such consent that they had previously given.

b. Purposes for processing personal data belonging to individuals who have expressed their marketing options (as the case may be, consent or refusal)

If you have given us your consent to have your personal data processed for marketing purposes, we will process your data as follows:

transmission of advertising messages, in accordance with the given consent (advertising purpose);
verifying the identity of the persons, in order to confirm their quality as BT customers;
proving the requests/agreements/options regarding the advertising options, by recording the discussed issues and, as the case may be, the audio recording of the phone calls (initiated by you or by the bank);
performance of internal analysis (including statistics);
archiving of documents both in physical and electronic format and security back-up;
the performance of registration and secretary services regarding the correspondence addressed to the bank and/or sent by it, as well as for carrying out courier activities;
ensuring the security of the IT systems used by BT;
prevention of fraud.

If you have expressed your consent to the processing of your personal data for advertising purposes, we will process your personal data for all the above purposes, except for the purpose of sending advertising messages.
*BT wishes to inform interested persons about products/services/events offered/organized by the bank, BT Financial Group entities or their partners, in which sense it processes personal data of such persons, if they have expressed their consent to receive advertising messages.
The form dedicated to the expression/collection of marketing options currently used by BT, is accessible in any branch of the bank and on the website www.bancatransilvania.ro, or directly at the following link: https://www.bancatransilvania.ro/gdpr/
The online form is available only for BT Customers and can be used by them not only for the initial expression of marketing options, but also for the modification of previously expressed options, as well as, where applicable, for the withdrawal of consent to receive advertising messages.

c. The categories of personal data processed from the persons who have expressed to BT their consent on the processing of their data for advertising purposes, their recipients and the period of their processing

The data processed by BT for sending marketing messages are usually:

identity data: name, surname;
contact details: the telephone number and/or the e-mail address or correspondence address provided by the persons interested in receiving advertising messages or, as the case may be, those stated in the bank's records for the KYC purpose (the development of the contractua l relationship) in case of BT Customers;
for BT Customers: other informations that the Bank finds about customers, in the context in which they use the BT services/BT products (e.g. data about the transactions, age, location, income range, etc.), which the Bank will automatically analyze (profiling) to create an opinion about the products/services/events that would suit BT’s customers (personalized advertising).

The personal data will be processed by the Bank for the transmission of advertising messages until the termination of the contractual relationship with the BT Clients or, as the case may be, until the withdrawal of the agreement to receive such messages (the last version for any other categories of non-BT clients)

In certain cases, in order to send ads via such channels, BT shall contract service providers that will process the personal data of the data subjects on behalf of and for BT, exclusively for the purpose of sending the established ads, strictly observing the instructions from BT and under the Bank’s close supervision.

People willing to receive ads, may opt for ads from several categories, including without limitation: BT products and services, products and services of the BT subsidiaries, events organized by BT, products/services of BT’s partners related to the products/services of BT or of BT’s subsidiaries and events organized by BT’s partners

The BT subsidiaries whose products/services and events are to be promoted in the advertising messages sent to opted-in persons are the following entities within the BT Financial Group:BT Microfinanțare IFN SA ("BT Mic"), BT Asset Management S.A.I. S.A., ("BTAM"), BT Leasing Transilvania IFN S.A. ("BTL"), BT Direct IFN S.A. ("BTD"), BT Capital Partners S.S.I.F. S.A. ("BTCP"), other entities that may join the BT Group in the future.

The list with the categories of current BT/BT’s subsidiaries current partners, whose products/services and events are intended to be promoted within the advertising messages sent to those who have opted for this feature, is accessible at: https://www.bancatransilvania.ro/parteneri.

In case you have opted in to receive advertising messages about products/services events offered/organized by BT subsidiaries or partners, these entities will process personal data for the purpose of sending these messages, under the careful supervision and coordination of the Bank and, where appropriate, jointly with the Bank. For any processing of personal data carried out by BT's partners/BT's subsidiaries outside or adjacent to the transmission of advertising messages, such as, for example, for the purpose of concluding contracts related to their products/services that have been promoted, these partners are to act as controllers of the personal data processed.

Consent to be contacted for advertising purposes may be withdrawn or modified at any time by several means, indicated separately on the form dedicated to the expression of consent to the processing of personal data for advertising purposes.
Withdrawal of consent operates only for the future and does not affect the lawfulness of the data processing carried out before the time of such withdrawal.

Please be aware that subscribing or unsubscribing to any e-mail addresses you enter in forms/fields of the type/name "newsletter", available on BT websites to receive information in various areas of interest, is managed through the respective online forms (subscription) and unsubscribe links in the messages received following subscription (unsubscription).
We also inform you that subscribing/unsubscribing to/unsubscribing from/to the "newsletters" you opt for on BT's websites does not influence your choices regarding the processing of your data for advertising purposes filled in on the forms available in the bank's branches or on BT's website.

As a rule, the personal data belonging to data subjects whose data the Bank processes are collected by the us directly from them, on various occasions and modalities, such as:

upon the establishment and during the performance of the business relationship with BT;
upon the execution and performance of certain agreements for the products/services provided by the Bank, on own behalf or for third-parties;
by the filling-in of certain forms available on BT’s website, on other websites held by the Bank or other Group entities;
by registering for/participating in different contests/campaigns organized by BT in its units, on BT’s website or the Bank’s social network pages;
when inquiries/complaints are received at the Bank’s phone numbers, e-mail addresses, messages on the Banks social network pages or by letter in BT’s units;
when apply to posts available in the Bank (online, by sending/submitting CVs in BT’s units or different e-mail addresses, career fairs or other events);
when accessing websites/social media platforms of BT.

However, there are situations when the data are collected from other sources, such as:

from other Customers, individuals or legal entities, account holders, in situations such as, but not limited to: authorizing other Customers on their accounts opened with the bank, contracting some products/services of the bank by one Customer on behalf of another Customer who authorized him/her on this regard, contracting by the employers who are legal entities Customers of BT of some products / services of the bank for/on behalf of their employees (e.g. meal vouchers, benefits for collecting the salary income in the accounts opened with BT, guarantee accounts management etc);
from the payers - individuals or legal entities, whether or not they are BT Customers - if they transfer/deposit amounts in the accounts opened with BT of the Customers- account holders;
from public authorities or institutions (e.g. courts, prosecutors, judicial executors, NBR, ANPC, ANSPDCP, etc.), notaries, lawyers in the context in which they send to the Bank notices or requests regarding the Clients;
from/through Transfond, SWIFT, international payment organizations, etc.;
from credit institutions with which Banca Transilvania S.A. merged (Volksbank Romania S.A. and Bancpost S.A.);
from partner and correspondent banks, from banks or financial institutions participating in syndicated loans;
from international payment organisations;
from other entities of Banca Transilvania Financial Group etc.;
from public sources, such as but not limited to: the Trade Office Register, the National Registry of Real Estate Publicity, the Cadastre and Real Estate Publicity Office, the courts' portal, the Official Gazette, social media, internet, etc.;
from records such as the Credit Bureau, the Credit Risk Register, if there is a legal basis and a determined and legitimate purpose for consulting them;
from private database providers- e.g. entities empowered to administer databases with persons which is accused for financing terrorist acts and the publicly exposed ones;
from entities in the BT Financial Group, for their use for certain and legitimate purposes, in general for the smooth conduct of the joint economic activity carried out with other entities of the BT Group and for the fulfillment of the legal requirements related to the supervision on the consolidated basis of the BT Financial Group;
from the contractual partners of the bank in various fields;
from debt collection/debt recovery companies (e.g. the Bank can find out the new contact details of the Customers from companies that support the bank in the activity of recovering receivables, data that, the latter obtain based on their own interactions with the Customers or with close persons of them);
from assessment companies;
from insurance companies;
management companies of pension and investment funds
from Depozitarul Central S.A., for the data of the bank’s shareholders;
from any other individuals or legal entities who send us notices/requests containing Customers’ data (e.g. persons notifying us that you no longer have the same contact details as those stated in the bank's records).

The bases on which BT processes personal data are, as appropriate:

the need to process data for the performance of a requirement that is of public interest;
the bank’s legal obligation;
conclusion/performance of the agreements concluded with the data subject;
the legitimate interest of the bank and/or third parties;
the data subject’s consent.

Except for the cases in which the personal data are processed based on the data subjects’ consent, and in some cases in which the basis of the processing is the legitimate interest, the refusal of the persons on processing their personal data by BT shall render the provision of the requested services or the resolution of the submitted requests impossible.

The personal data of the Bank’s Customers and, as applicable, of other data subjects previously mentioned in this Policy, are disclosed by BT or, as applicable, transferred, in accordance with the applicable legal provisions of GDPR, based on the applicable legal bases, depending on the situation, and only under strict confidentiality and security conditions, to the recipient categories, including without limitation:

other Customers who have the right and need to know them;
entities within the BT Financial Group;
assignees;
contractual partners (service providers) used by the bank for the performance of its banking activity, as well as, but not limited to: service providers used by the Bank for: IT services (maintenance, software development), hard-dopy or electronic archiving, courier services, audit,services related to card issuing and enrollment; market research, advertising, monitoring of traffic and behavior of the users of online tools, marketing services via social media, etc.;
companies processing inter-bank payments and transmitting information on inter-bank transactions (eg: Transfond S.A., Society for Worldwide Interbank Financial TelecommunicationSWIFT);
partners of the bank from various fields, whose products/services/events can be promoted to BT Customers based on their consent. The updated list with the bank’s partners can be found at the following web address: https://www.bancatransilvania.ro/parteneri;
international payment organisations (e.g. Visa, Mastercard);
payments processors;
financial-banking entities participating in the payment schemes/systems and interbanking communications channels such as SWIFT, SEPA, ReGIS, financial-banking institutions to which we confirm or request confirmation of signatures and/or certain information that can be found in the bank refference letters, bank guarantee letters, other addresses issued by the Bank's Customers in favor of their business partners, other entities (such as banks or financial institutions) for assignment operations or restructuring of debt portfolios and/or other rights of the Bank born on the basis of the legal relationships with the Customers;
partner banks and correspondent banks, banks or financial institutions participating in syndicated loans;
public authorities and institutions, such as, but not limited to: the National Bank of Romania (BNR), the National Agency for Fiscal Administration (ANAF) *, the Ministry of Justice, the Ministry of Internal Affairs, the National Office for the Prevention and Combating of Money Laundering (ONPCSB ) **, the National Agency for Cadastre and Real Estate Advertising (ANCPI), the National Register of Mobile Advertising (RNPM), the Financial Supervisory Authority (ASF), including, as the case may be, their territorial units;
guarantee companies (funds) for different lending/deposit products (e.g. FNGCIMM, FGDB, etc.);
public notaries, lawyers, bailiffs;
Central Credit Register***;
The Credit Bureau and the Participants in the Credit Bureau system****;
insurance companies;
assessment companies;
companies collecting outstanding debts or receivables;
entities to which the Bank has outsourced the provision of financial-banking services;
banking institutions or government authorities, including authorities outside the European Economic Area - for SWIFT international transfers or as a result of the processing activities for the purpose of observing the FATCA and CRS legislation;
providers of social media.

*In accordance with the provisions laid down in the Fiscal Code (Law No. 207/2015), in its capacity of credit institution, BT in legally bound to report to the central fiscal body - A.N.A.F. - the list of account holders - individuals, legal entities or any other entities without legal personality - that open or close accounts, as well as the identification details of the persons that are authorized to sign for the accounts held by them, the list of persons that rent safe deposit boxes, as well as the termination of the rental agreement. A.N.A.F can trasmit these data to the local fiscal bodies and to other central/local public authorities, under the provisions of the legislation.

**If the conditions for the transmission by BT of personal data to the National Office for Prevention and Control of Money Laundering are met, pursuant to Law No. 129/2019 on the prevention and sanctioning of money laundering and on setting up of certain measures for the prevention and combating terrorism financing, as republished and subsequently amended, such personal data are simultaneously sent, in the same format, to A.N.A.F., as well.

***The Bank is legally obliged to report to the Credit Risk Center (CRC) the credit risk information for each borrower who meets the condition to be reported (it includes the identification data of a borrower, whether a natural person or a non-bank legal entity, and the operations in lei and in foreign currency through which the Bank is exposed to risk with respect to that borrower), i.e. to have registered an individual risk with respect to that borrower, as well as information on card frauds detected.
**** The Bank has a legitimate interest in reporting in the Credit Bureau System, to which other Participants (mainly credit institutions and non-bank financial institutions) have access, the personal data of borrowers who are at least 30 days overdue on their credit payment, after having notified the persons concerned at least 15 days before the date of the report.

Only if it’s necessary for the fulfillment of the purposes of the agreements concluded with the BT Customers or occasional BT Customers, and only in specific situations or on the basis of adequate guarantees, the Bank shall transfer personal data abroad, as applicable, including to countries that do not provide an adequate level of protection of such data. The countries that do not ensure an adequate level of protection are countries outside the European Union/European Economic Area, except for the countries for which the European Commission has recognized an adequate level of protection, such as: Andorra, Argentina, Canada (only companies), Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zeeland, Uruguay, Japan, USA - only within the protection granted by the Privacy Shield US-EU (unless a contrary decision of issued for any of these countries).

If BT Customers or BT Occasional Customers order through the bank transactions where the payment recipients are located in countries which do not ensure an adequate level of protection of personal data, the transfer of data to those countries shall be based on the provisions of the General Data Protection Regulation relating to: the transfer which is necessary for the performance of a contract between the bank and the Customer or for the application of pre-contractual measures taken at the request of the Customer, as the case may be, the transfer which is necessary for the conclusion of a contract or the performance of a contract concluded in the interest of the data subject.
Where it is necessary to transfer personal data to third countries/international organizations and in other circumstances, the Bank shall do so only with the safeguards provided by law for such transfers.

In some circumstances, only with the fulfillment of the provisions of the GDPR, in the banking activity carried out by BT, the automated decision-making processes are used, including as a result of the creation of profiles. These are decisions taken by the bank, as the case may be, with or without the intervention of a human factor, which can produce legal effects and/or affect the Customers in a similar way, to a significant extent.

Such situations, presented by way of example, are the following:

for the application of the KYC measures in order to prevent and combat the money laundering and terrorist financing, verifications will be carried out in the databases, for the persons suspected of financing the acts of terrorism or, as the case may be, for the persons with a high risk of fraud; if the Customers are included in these records, the bank reserves the right to refuse to enter into a business relationship with them or to terminate the contractual relationship;
in order to protect BT Customers and Occasional Customers against fraud, as well as for the bank to adequately fulfill its know-your-customer obligations, it monitors their transactions and, if it identifies suspicious transactions (such as payments that are unusual in frequency, amount, including in relation also to the source of funds declared by the Customers account holders or to the purpose and nature of the business relationship, transactions initiated from different locations at short intervals of time, which did not allow traveling between those locations), adopts accordingly measures to block transactions, cards accounts, taking these decisions on an exclusively automatic basis;
according to the legal provisions, the granting of the credit products is conditioned by the existence of a certain degree of indebtedness of the applicants. In order to determine the eligibility to contract a credit product related to the degree of indebtedness, this will be determined on the basis of automatic criteria, starting from the level of the income and expenses that the applicant Customer records;
for the purpose of objectively verifying the fulfillment of the eligibility conditions for pre-offer and, where appropriate, analyzing a credit application made to BT by an applicant, in most cases a scoring application of the bank will be used, which will analyze data filled in the credit application, information resulting from checks carried out in the bank's own records and/or in those of the Credit Bureau S.A. and will issue a score that determines the credit risk and the probability of future repayment of the installments on time. To the issued score will be added the results of other checks on the applicant's situation, which will be analyzed by the bank's employees in order to determine whether the eligibility conditions set by internal regulations are met. The final decision to approve or reject the loan application is, however, based on the analysis carried out by the Bank's employees (human intervention);
in case BT Customers have given their consent on the dedicated form for their personal data to be processed for advertising purposes in order to send personalized messages, these are based on a profile based on various criteria, such as, but not limited to, transaction data, age, location, income range, which the bank will automatically study in order to make a judgment about the products/services/events that would suit the Customers. In some cases, this realized profile will only result in the promotion of a particular product/service to persons determined to meet the profile conditions, and in other cases it will result in only those persons who meet the profile criteria being able to contract/benefit from certain promotional offers.

Personal data processed by the Bank for KYC purpose in order to prevent the money laundering and combat the terrorist financing, including the data regarding the transactions made thru accounts opened at BT, will be kept by the bank, at least 5 years since the termination of the business relationship with the Customer- individuals or legal entities - account holder, according to the legal time period requested by the law and established on behalf of the bank.

Also, if the business relationship is not open, the data contained in the application will be stored at BT level for at least 5 years from the date of the bank's refusal to establish that respective contractual relationship.

Personal data completed in a credit application is kept in BT's records for a period of 3 years from the date of signing the credit application, in case the credit application is rejected, and for a period of 5 years from the date of termination of the business relationship of the borrowing customer with the bank, in case a credit agreement is concluded following approval of the credit application.
With regard to the data processed in the framework of BT's activity in the Credit Bureau system, they are stored at the level of the Credit Bureau and disclosed to Participants for 4 years from the date of the last update, except for the data of credit applicants who have withdrawn their credit application or who have not been granted credit, which are stored and disclosed to Participants for a period of 6 months.

Personal data for which BT has a legal obligation to report to the Credit Risk Center (CRC) will be kept in the CRC's records for a period of 7 years from the date of their registration.
For data processed on the basis of the consent of the data subjects for the purpose of sending advertising messages, they will be processed until the termination of the business/contractual relationship with the bank or, where applicable, until the withdrawal of that consent.

As evidence of the fact that notices/complaints/inquiries/measures have been received and replied to, the received messages shall be kept within BT’s records (both in hard-copy and electronically, during the period of the business relationship for BT clients, and for the period necessary for the fulfillment of the purpose for which they have been processed (preparing the reply/providing the information), plus an additional period of 3 years - the legal prescription period - if the data do not belong to persons with whom the Bank has an established business relationship.

The personal data processed from the BT candidates will be kept until the end of the recruitment process for that available position or, if the candidates have shown interest to be contacted for more suitable positions, the CV data and other documents that have been made available to BT for this purpose, will be kept for a period of up to 1 year, unless during this time period their deletion from the Bank's records is required. This term can be extended with the consent of the candidate.

The retention period for the data obtained via the video surveillance system is commensurate with the purpose for which the data are processed, i.e. it does not exceed 30 days, the period after which the recordings are automatically erased, in the order of their recording. In case of a security incident (including a personal data breach), the retention period for the relevant recorded material can exceed the normal limits depending on the time necessary for the additional investigation of the security incident.

Any other personal data processed by BT for other indicated purposes shall be stored for the period necessary for the achievement of the purposes for which they have been collected, to which non-excessive terms may add up, as established in the applicable legal requirements, including without limitation, the legal provisions in the field of archiving.

Any data subject whose data are processed by the bank, is guaranteed and can benefit from the rights provided by the GDPR, respectively:

the right of access: data subjects can obtain from BT confirmation that their personal data are being processed, as well as information on the specifics of the processing such as: the purpose, the categories of personal data processed, the recipients of the data, the period for which the data are retained, the existence of the right to rectification, erasure or restriction of processing. This right allows data subjects to obtain a copy of the personal data processed free of charge, as well as any additional copies for a fee;
the right to rectification of data: data subjects may request BT to amend incorrect data concerning them or, where appropriate, to complete data which is incomplete;
the right to delete the data: data subjects may request the erasure of their personal data when:
- these are no longer necessary for the purposes for which the bank collected and processed them;
- the consent for the processing of the personal data has been withdrawn and BT can no longer process it on the basis of other grounds;
- the personal data are processed against the law;
- the personal data must be deleted in accordance with the relevant legislation;
Right to withdraw consent: data subjects may withdraw their consent to the processing of personal data processed on the basis of consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before that time.
the right to object: data subjects may object at any time to processing for marketing purposes, as well as to processing based on BT's legitimate interest, on grounds relating to their specific situation;
the right to restriction of processing:: data subjects may request the restriction of the processing of their personal data if:
- disputes the accuracy of the personal data, for a period that allows the bank to verify the accuracy of the data in question;
- the processing is illegal and the Data Subject opposes the deletion of the personal data, requesting instead the restriction of their use;
- the data are no longer necessary for the Bank to be processed, but the data subject ask the Bank to an action in court;
- if the data subject has opposed to the processing, for the period of time in which it is verified whether the legitimate rights of BT as controller prevail over the data subject's rights.
the right to data portability: data subjects may request, in accordance with the law, that the bank provide them with certain personal data in a structured, frequently used and machine-readable form. If the data subjects so request, BT may transmit such data to another entity if technically possible.
the right to file a complaint with the National Supervisory Authority for the Processing of Personal Data: the data subjects have the right to file a complaint with the National Supervisory Authority for Personal Data Processing if they consider that their rights have been violated: National Authority for the Supervision of Personal Data Processing, B-dul G-ral. Gheorghe Magheru 28-30 Sector 1, postal code 010336 Bucharest, Romania anspdcp@dataprotection.ro
For the performance of the rights mentioned in points a) to g) above, or for any questions about the processing of personal data carried out by BT, the data subjects may use the contact details of the Data Protection Officer designated by BT, sending the request:
- by post, at the address in mun. Cluj-Napoca, str. G. Bariţiu, nr. 8, jud. Cluj, with the mention "to the attention of the data protection officer"
- at the following email addressdpo@btrl.ro.

BT prepares an internal framework of standards and policies to ensure the security of the personal data. They are regularly updated in line with the legal regulations applicable to BT and the highest standards in the field.

Specifically and in accordance with the law, the Bank adopts and applies appropriate technical and organizational measures (policies and procedures, IT security, etc.) to ensure the confidentiality and integrity of personal data and the way they are processed.
BT employees are required to maintain confidentiality and may not unlawfully disclose personal data they process in the course of their work.
The Bank shall ensure that its contractual partners who have access to personal data and who act as BT's processor impose contractual obligations on them in accordance with the law and that it verifies their compliance with the obligations they have undertaken.
Contractual partners acting as processors of the bank will process personal data on behalf of and for the bank, only in accordance with the instructions received from the bank and only in compliance with security and confidentiality requirements within the limits imposed.
We guarantee that BT will not sell the personal data it has collected from the individuals visited and will only disclose such data to those entitled to know it, in compliance with the principles and obligations laid down by law.

This policy is regularly reviewed in order to make sure that the rights of the data subjects are guaranted and to improve the ways in which personal data are processed and protected.