Personal data processing and protection policy

Policy of Banca Transilvania S.A. on the processing and protection of personal data personal data within the framework of banking activities ("Policy" or "Privacy Policy")

Version valid between 25.05.2018 – 10.07. 2018

At Banca Transilvania S.A . (hereinafter referred to as "BT" or "Bank") we are constantly concerned that the personal data of all individuals individuals with whom we interact are processed in full compliance with the applicable legal provisions and with the highest standards of security and confidentiality.

To guide and support us in our work in the field of data processing and data protection with personal data we have appointed a data protection officer (data protection officer or DPO), who can be contacted by any person in relation to any issues relating to the way in which how BT processes such data, by sending a complaint to the bank's head office in

mun. Cluj-Napoca, G. Barițiu street, no. 8, jud. Cluj, marked "for the attention of the person responsible for personal data protection officer" or a message to
e-mail address dpo@btrl.ro.

In the following we present our policy in this very important area for any person which we undertake to review at intervals with a view to its continuous improvement.

This Policy is not addressed to Banca Transilvania's employees, who shall be informed in writing. about their personal data that BT processes as an employer through a separate document, i.e. the Policy of Banca Transilvania S.A. on data processing and data protection. of employees.

We will explain in this policy what personal data we process in the framework of our activity of the people with whom we interact, in what ways, for what purposes we use it, to whom we disclose it or transfer it, how we ensure its security, and what rights individuals have to access it. data subjects have in relation to the processing of this data and how they can exercise them.

A. Who is Banca Transilvania?

B. What is personal data and what such data does BT process?

C. Who are the persons whose personal data is processed by BT?

D. What is the processing of personal data and how does BT come to process this data?

E. What are the grounds on which BT processes personal data?

F. What are the purposes for which BT processes personal data?

G. To whom does Banca Transilvania disclose the personal data it collects? processes?

H. How long does BT process personal data?

I. What rights can data subjects exercise with personal data processed by Banca Transilvania?

J. How does BT protect the personal data it processes?

BANCA TRANSILVANIA S.A. is a credit institution, a Romanian legal person, with its registered office in Cluj-Napoca, str. G. Baritiu, nr 8, Cluj, registered with the Trade Register under no. J12/4155/1993, unique code RO 5022670, having the processing of personal data notified and entered in the Register of personal data controllers under number 8728.

BT has over 500 units - branches, agencies, work points, which operate in Romania, as well as a branch and two agencies that carry out banking activity in Italy.

Our official website is www.bancatransilvania.ro (hereinafter referred to as the "BT website").

The bank manages other websites, whose updated list you can consult here.

Banca Transilvania SA is the parent company of Banca Transilvania Financial Group (referred to in hereinafter "BT Group"), which comprises the Bank's subsidiary entities about which you can find information on the BT website in the section BT FINANCIAL GROUP.

Personal data means any information relating to an identified natural person or identifiable individual. An identifiable natural person is one who can be identified, directly or indirectly on the basis of such information.

Within the framework of its banking activity, Banca Transilvania processes the following categories of personal data:

identification data: name, surname, pseudonym (if applicable), date and place of birth, code personal identification number or other similar unique identifier, the series and number of the national or international identity card/passport and a copy thereof, address and residence (if applicable), telephone number, fax number, e-mail address, nationality,
the profession, occupation, name of the employer or nature of his own activity (if applicable),
information about the important public office held - if any - and political opinions (exclusively in the context of obtaining information related to political exposure),
information about the family situation (including marital status, number of children, dependent children),
information on the economic and financial situation - including income data, data on transactions and their history, data on assets held, as well as data on the relating to behaviour,
the image (contained in identity documents or captured by video surveillance cameras installed in the bank's premises and ATMs),
voice, including in the recordings of telephone conversations. BT audio records telephone conversations in order to improve the quality of services and calls, but also to provide proof of request/agreement/option regarding certain;
signature and, in specific cases, fingerprint (in the case of people who do not know the card or visually impaired persons),
identification codes, assigned by Banca Transilvania or other financial banking institutions or non-banking financial institutions, necessary for the provision of certain services, such as, but not limited to IBAN attached to bank accounts, debit/credit card numbers, expiry date cards,
health data, processed only if the processing of such data is carried out in accordance data is necessary to prove the client's distressed situation their family members, in order to grant them facilities, or in the context of the the provision of insurance products intermediated by the Bank,
information relating to fraudulent/potentially fraudulent activity, consisting of data related to allegations and convictions for offences such as fraud, money laundering and terrorist financing,
information on the location of certain transactions (in the case of operations at ATMs or POS belonging to Banca Transilvania),
data and information related to the products and services offered by the Bank or its collaborators its employees, which the data subjects use (such as, but not limited to credit, deposit, insurance products)

As part of its activities, BT primarily processes the personal data of regular customers, those with whom it has established a relationship contractual relationship, carried out in accordance with the General Business Conditions of Banca Transilvania applicable - as the case may be - to natural or legal persons (referred to as the business relationship). These regular customers are, in general: natural persons - major or minors - who have at least one current account opened with BT as an individual customer natural persons, authorised representatives/legal representatives operating on accounts opened with BT on the name of natural or legal persons and their beneficial owners.

However, BT also offers its services and products for use by customers customers. These are persons who do not have an account with BT and who do not have the rights of rights on them, but sometimes use BT units or equipment (such as ATMs, BT Express, BT Express Plus, etc.) to carry out various types of banking transactions (cash deposits into BT accounts, bill payments), money transfers (e.g. Western Union) or currency exchange operations, provide us with their personal data on the occasion of visit BT websites or units or when they use the support services offered by BT. the Bank's Call Center.

Banca Transilvania is a company listed on the Bucharest Stock Exchange, so it processes in personal data of its Shareholders , in accordance with the law. with the provisions of the capital market law.

These Customers or Shareholders sometimes need to provide us with - in order to be able to answer some of their requests, to obtain a product, to carry out an operation/provide a service - data with personal data belonging to other persons, such as: husband, wife, life partner, members family members, beneficiary of a payment transaction, guarantor of a credit, beneficiary of an insurance, natural persons whose data are included in documents provided by the client.

If the Customer or Shareholder is the one who provides BT with information about other persons, it has inform those data subjects of the contents of this policy in in relation to the processing of their personal data.

In the contracts that BT enters into with any supplier/provider of goods/services (partner contract) personal data of the signatories of these contracts are inserted in the contracts (usually name, surname, position held and signature belonging to the legal representatives or contractual partners), of the contact persons designated by the contracting the contracting partner (usually name, surname, telephone number and e-mail address), of other categories of natural persons whose data are disclosed to the Bank by the contracting partner contractual partner. This personal data will be processed by BT in connection with the conclusion and the execution of these contracts, for the internal administrative-financial management, storage and archiving of contractual documentation, testing and use of IT systems and the IT services, managing complaints, carrying out audit missions. Basis of processing personal data belonging to these categories of persons is the legal obligation to Bank, the conclusion/execution of the contract and the legitimate interest of the Bank. Personal data personal data that we become aware of in the context of the performance of the relationship with a contractual partner are disclosed, as the case may be: to the contractual partner who provided it to us, to entities of the BT Group, BT partners who have a need to know, public authorities and institutions entitled to request them. The data will be processed at BT within the contract period and subsequently, until the expiry of the archiving period of the contractual documentation. In order to purposes it is possible that the Bank will transfer certain categories of data to the BT for the purpose of personal data that the contractual partner has made available to us outside the European Space. The data subjects concerned by this processing benefit from the rights provided for in under this policy for data subjects.

All these categories of natural persons we have listed above will be referred to below as "datasubjects" of the processing of personal data.

"Processing" of personal data means any operation or set of operations performed on data, such as collecting, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction

The personal data that we use in our activities we usually obtain, directly from the data subjects in various occasions and ways:

at the time of establishment and during the business relationship with BT
on the occasion of the conclusion and execution of contracts for products/services offered by the bank, on its own behalf or on behalf of third parties
by filling in forms available on the BT website, on other websites owned by the bank or other Group entities
by entering/participating in various competitions/campaigns organised by BT in its units, on the BT website or on the bank's social media pages
when we are asked for information/receive complaints/requests at the telephone numbers of e-mail addresses, through messages sent on the bank's pages in the networks, through social networks or received in BT units
when applying for available positions in the bank (online, by sending/submitting CVs to BT units or on various e-mail addresses, at career fairs or other events)

Indirectly, we can find out personal data of the data subjects from / through:

public authorities and institutions or of public interest, correspondent banks, lawyers, notaries, bailiffs or other persons who send us requests
proxies of the data subjects in order to open /carry out the business relationship with BT
consultation of external databases, public or private, directly or through third party providers, such as the National Trade Register Office, Credit Bureau S.A., the portal of the Romanian courts administered by the Ministry of Justice, third parties holders of databases of persons accused of terrorism or politically exposed persons
the employers of the persons concerned, if we enter into agreements with them for the transfer of salaries or other amounts
other BT Group entities with which the data subjects enter into contractual relations and is the Bank needs to know their data on the basis of its membership of the BT Group and for the proper the common economic activity which it carries out with the other entities of the BT Group
bank employees who collect data on behalf of the bank on individuals who wish to to be contacted by BT to present products/services in which they are interested
Central Depository S.A., in the case of the Bank's Shareholders' data
the use by the data subjects of the BT website, of other websites owned by the bank (through cookies, Google Analytics, etc.) or by other entities in the Group. For details about these aspects and the ways in which you can launch or block cookies, please refer to the website's cookie policy.

The activity carried out by Banca Transilvania, in its capacity as a credit institution, is strictly regulated by various normative acts. Thus, many of the processing of personal data BT carries out are imposed by the legal obligations it has. At the same time, however, BT processes personal data necessary for the conclusion and/or performance of contracts concluded with the data subjects, on the basis of its legitimate interest or, where applicable, in on the basis of the data subject's consent.

Except where personal data are processed on the basis of consent of the data subjects, the refusal of individuals to have their data processed by BT will make it impossible to the provision of the requested services or the resolution of their requests.

Carrying out any operation requested at BT's counters by customers. or occasional customers, requires the Bank to go through the stage of identifying the customer's these persons. In this respect, BT employees will ask people to present their valid identity card. In some cases required by law, it will be necessary to include BT to make and retain a copy of the identity document for the period provided by law.

The cases in which BT is obliged to apply the standard measures of knowledge of customers, including making and retaining a copy of the identity card, are the following:

when establishing a business relationship;
when carrying out occasional transactions of at least EUR 15,000 or more equivalent, irrespective of whether the transaction is carried out in a single operation or several transactions which appear to be linked;
where there is a suspicion that the operation in question is for the purpose of money laundering or financing of terrorism, irrespective of the scope of the provisions derogating from the obligation to apply the standard customer due diligence measures laid down in the this law and the amount of the operation;
if there are any doubts as to the veracity or relevance of the information already held about the customer;

Pursuant to the legal obligation to apply standard know-your-customer measures, that any Romanian credit institution has according to the provisions of the Regulation Regulation no. 9/2008 on customer due diligence for the purpose of preventing and combating money laundering, Law 656/2002 on the prevention and combating money laundering and the financing of terrorism and HGR 594/2008 implementing Law 656/2002 on and the fight against money laundering and terrorist financing, at the time of establishing a business relationship, it is necessary to collect and keep in BT's records at least the following categories of personal data: name, surname, date and place of birth, personal numerical code or similar unique identifier, address, telephone number, fax number, e-mail address, nationality and, if if applicable, pseudonym, residence address, occupation, employer's name or nature own activity, important public office held, name of the beneficial owner.

The same information is also collected if a client is represented in relationship with the bank by another person, acting as a proxy, trustee, guardian or in any other capacity and, in addition, data relating to the nature and limits of the of the power of attorney.

In the case of establishing and carrying out a business relationship with a legal entity client, the data mentioned in the above paragraphs will be collected for the identification of the persons who, according to the articles of association and/or the decision of the statutory bodies, are entrusted with with the power to manage and represent the entity and on their powers to the entity, and to identify the person acting on behalf of the entity. client and information to establish that he/she is authorised/empowered in this purpose. The bank is obliged to check this data, including in the records public registers.

Under the same legal obligations, if applicable, the data of of the beneficial owner.

The verification of the collected data will be done on the basis of identity documents, but also through verification of other sources.

Making and retaining a copy of the of all these persons is also mandatory for the bank.

As part of the know-your-customer process, the bank has a legal obligation to collect including information related to the politically exposed person status of the clients with whom enters into a business relationship. Exclusively for this purpose, BT will process information that category of political opinions - special personal data.

Also, in accordance with its legal obligations in this matter, in the enrolment and account opening stage, BT will classify customers by risk level, in based on criteria such as nationality, residence, affiliation, functions or positions positions held.

As part of the customer knowledge process, based on the legal obligations of GEO no. 202/2008 on the implementation of international sanctions and the Regulation No 28/2009 on the supervision of the implementation of sanctions international sanctions, as well as on the basis of its legitimate interest not to enter into business relations with persons accused or suspected of breaches of the law, the bank processes information relating to fraudulent/potentially fraudulent activity (data related to charges and convictions for offences such as fraud, money laundering, fraudulent money laundering and terrorist financing)

BT has an obligation to ensure that all such data is updated in its records throughout the course of the business relationship with the customers, in which sense it will require customers to update the data provided at the initiation of the business relationship, whenever whenever necessary, and may even update them on its own initiative, from sources external reliable, public or private, accessed directly or through third parties suppliers.

All these data are kept in the bank's records according to the legal term established, which is at least 5 years from the termination of the customer's business relationship with BT.

If the application to initiate the business relationship is completed online, in sections available on BT's website, applicants will have to provide the same information data required by the legal provisions mentioned above, and the process of enrolment will (establishment of the business relationship) will be completed only after signing the documentation in a bank unit. If, within 60 days of completing the application application for the establishment of the business relationship, the applicant does not appear in a BT for the signature and completion of the enrolment process, his data will be deleted from the bank's records.

Lending is one of the main activities carried out by a credit institution. The conclusion and execution of a credit agreement with a natural or legal person, involves going through several stages during which data of a personal nature is processed. the Bank's legal obligations, by virtue of the conclusion and execution of a credit agreement credit/guarantee/valuation contract, on the basis of the legitimate interest that the Bank justified by the Bank and, in some specific situations, on the basis of the consent of the of the persons concerned by the processing.

1.1. Processing of personal data in the Credit Bureau System

1.1.a.Legal basis and purpose of data processing in the Bureau of Credit

The bank is obliged, according to the legal regulations in force, to assess applicants' ability to repay the loan before concluding a loan agreement. credit agreement and during its execution. To this end, processes the information indicated in point 1.1.c below, both in records and by transmitting them to the Credit Bureau in order to processing by this institution and their consultation by the Credit Bureau. any Participant in this system, for the purpose of initiating or carrying out a credit relationship, as well as for the provision of credit products.

For credit applicants and certain categories of persons in a relationship with them, the Bank shall, during the analysis stage of a credit application, consult Credit Bureau System, justifying a legitimate interest in this respect for to carry out responsible lending activities.

Credit Bureau SA is the private law entity that manages the Credit Bureau System, in which personal data are processed in in connection with the credit activity of the Participants.

Participants in the Credit Bureau System are credit institutions, non-bank financial institutions, insurance companies and credit which have signed a Participation Agreement with the Credit Bureau and which have signed a Credit Bureau.

1.1.b. Obligation to provide data and consequences of non-compliance acesteia

The provision of personal data is necessary for the purpose mentioned in 1.1.a. Refusal of the data subjects to provide the data personal data necessary to achieve the purpose mentioned above will lead to the the impossibility for the Bank to fulfil its legal obligations in relation to granting of credit.

1.1.c. Categories of personal data processed in the System Credit Bureau System

The data processed in the Credit Bureau System are:

identification data of the data subject: surname, first name, code personal number, home/residence and correspondence address, telephone telephone/mobile number, date of birth, country code and passport series/number in in the case of non-residents;
data relating to the employer:name and address of the employer;
data relating to the credit products applied for/granted: type and name of Participant, type of product, status product/account, date granted, term granted, amounts granted, amounts due, due date, currency, frequency of payments, amount paid, monthly instalment, amounts outstanding, number of instalments outstanding, number of days of arrears, category of arrears, closing date of the product;
data relating to events occurring during the period of the credit product, such as those relating to restructuring/refinancing, repayment, assignment of the credit agreement credit agreement, assignment of the claim;
data relating to relationships with other accounts: information relating to credit-type products for which the data subject is the co-creditor and/or guarantor;
insolvency data: information on data subjects against whom insolvency proceedings have been opened;
number of queries: indicates the number of Credit Reports issued by the Credit Bureau, at the request of one or more Participants;

1.1.d Recipients of data

The personal data recorded in the Credit Bureau System are disclosed to Participants in this system, upon request, for the purpose mentioned in point 1.1.a.

Personal data processed in the Credit Bureau System will not be disclosed to third parties, with the exception of public authorities and institutions, in accordance with their competences and applicable legislation, such as the Authority National Supervisory Authority for the Processing of Personal Data, the Bank National Bank of Romania, the National Integrity Authority, the courts courts, notaries public, bailiffs, investigation bodies criminal prosecution authorities.

1.2. Processing of personal data in the records of Banca Transilvania S.A.

1.2.a. The legal basis and purpose of the processing of personal data

For the purpose of pre-offer and, where appropriate, credit application analysis made, in accordance with the need to carry out a credit responsible lending, in addition to the processing of personal data in system of the Credit Bureau S.A., the Bank processes in its own records such data on the basis of the legal obligations it must comply with, of conclusion of the credit/guarantee/assessment/insurance contract, on the basis of legitimate interest and, where appropriate, with the consent of the data subjects.

1.2.b. Obligation to provide data and consequences of non-compliance acesteia

The provision of personal data is necessary for the purpose of pre-offer/analysis of a credit application. Refusal to provide data necessary to achieve this purpose will make it impossible for the Bank to Transilvania S.A. from fulfilling its legal obligations in connection with the granting of credit, and the credit application will not be considered.

1.2.c. Categories of personal data processed within the Bank Transilvania S.A.

The personal data mentioned above as being processed in the system of the Credit Bureau are processed by Banca Transilvania S.A. and in its own records. To this data is added information that the Bank learns as a result of verification of the data subjects in its own records and in databases public databases such as websites - court portals, ONRC, etc.

1.2.d.Existence of an automated decision-making process, including the creation of profiling via the BT scoring application

For the purpose of objective verification of compliance with the eligibility conditions for the pre-offer and, where applicable, the analysis of the credit application - BT processes in some cases, on the basis of its legitimate interest, personal data of loan applicants (natural persons and legal representatives of legal entities) as well as other natural persons participating in the analysis of the credit application in its own automated system ("credit application"). scoring BT").

In the BT scoring application, data of the following nature are entered and analysed personal identification data, other data filled in the credit application, information resulting from checks carried out in the Bank's own records or in those of the Credit Bureau SA, such as - if the persons concerned by the this processing receives income in an account opened with the Bank or are regular customer of the Bank, the level of monthly payment obligations, the history payment history in the case of other loans contracted with the Bank, etc. Following analysis of this data/information, the BT scoring application issues a score which is based on a profile of the borrower/potential borrower good or bad debtor. The returned score thus determines the credit risk and probability of future payment of instalments on time.

Based on the score issued by the BT scoring application, to which the result is added the verification of the relevant personal situation in public databases such as websites - court portals, ONRC, etc. - the Bank establishes whether the eligibility conditions set by the Bank are met. internal regulations and will take the decision of admission or rejection of the credit application, which is based on the analysis carried out by the Bank's employees. Bank employees (human intervention).

1.2.e At this stage of the lending process, applicants shall will be given a form by which they can express their agreement that the bank to consult the ANAF database, for a limited period - maximum 5 days working days- regarding the income they have earned, taking into account that the level of income is an essential element for the determination of the bank's credit conditions.

Also at this stage, for some types of loan products the Bank wishes to to consult the records of the Credit Risk Centre, in which case it will send the credit applicant to complete and sign an agreement form dedicated.

2.1. Legal basis and purpose of processing

For the conclusion and execution of credit agreements and, where appropriate, of guarantee/assessment/insurance contracts, the Bank shall process the categories of personal data referred to in this section under point 2.3, in its legal obligations, the conclusion and performance of the contracts and in its legitimate interest

2.2. Obligation to provide data and consequences of non-compliance acesteia

The provision of personal data is necessary for the purpose of the conclusion and the conclusion of credit agreements and, where applicable, ancillary agreements Refusal of persons to process personal data is prohibited. necessary to achieve the mentioned purpose, will lead to the impossibility of the Bank to to provide the requested credit.

2.3. Categories of personal data processed

Personal data processed by the Bank for the purposes mentioned in paragraph 2.1 of the section 2.1 of this section are those used within the framework of the pre-offer/analysis phase of the credit application, to which are added other such data that have been completed and/or received on the occasion of/for the conclusion or during the contract credit and guarantee agreement.

BT allocates to each of its customers a customer code (Customer ID) on the basis of which they identified in the bank's records, as well as an IBAN code for each customer. account (current, card, savings, etc.) opened in the customer's name at bank.

In addition, for each of the cards issued by BT to its customers, it is a unique number (PAN), which BT writes on the card together with the expiry date the cardholder's first and last name and the CVV basket (reverse side). agreement of the cardholders, there is the possibility to write on the card also the IBAN code.

Banca Transilvania is constantly striving to offer its clients with whom it has concluded a business relationship online services and products, such as internet banking service - with the BT24, mobile BT24 or BT24 Invoices- the digital wallet payment application - BT Pay, chat both-ul "Livia from BT" accessible via Facebook, the Self Serv service callable by phone. For use of these services requires the bank to process certain categories of personal data in order to identify persons as BT customers and, subsequently as users of the services. These data are, as a rule - name, surname, date of birth, customer code, telephone number.

Some of the BT applications, which are accessible via mobile devices (e.g. mobile BT24, BT Pay), may require their users to either installation or during their use, access to certain data with additional personal data such as, but not limited to, the following: camera (for example for example for the option to scan bar codes on invoices), location (within certain sections of the applications, for displaying certain establishments and ATMs nearby or for showing shops of retailers registered in the Star BT loyalty programme), contact persons (only when accessing the Email/SMS/P2P payment option for automatic filling in of beneficiary details), SMS (for automatically filling in the SMS-OPT codes required for the various application sections), phone status and identity (e.g. Phone IMEI is required to activate the mobile internet banking application MBT24), information related to whether or not there is a method of securing the phone being used within the applications.

Also, when using online services, to ensure security transactions will be processed in some cases the IP address of the device on which the you use. This data is requested and used strictly for the purpose of ensuring security of transactions and processed only for the period strictly necessary.

In order to provide certain banking services, such as, but not limited to internet and mobile banking - with BT24, mobile BT24 or BT24 Invoices- SMS Alert, BT Alert, the bank will process the telephone number communicated by the customers in order to provide those services.

Also, the telephone number, e-mail address or address/residence/correspondence provided by the customer for the purpose of the business relationship, will be processed by the bank for the purpose of informing the Clients about aspects of interest related to the functioning of the services/products contracted by BT, such as, but not limited to, interruptions in the functioning of some of the services, establishment of bank account seizures, warnings on the expiry of services, etc. bank cards issued by BT or identity documents, but also for contacting them as part of debt collection activities.

In the case of services such as "apply online" for various BT products/services/contests/events, available in the form of forms on BT website and on other websites controlled by the bank, we usually request to fill in the following personal data: name, surname, telephone number and address e-mail address, in order to contact the applicants to provide them with answers/information in relation to these requests.

Depending on the specific product/service for which you apply online, there are however situations where it is necessary to provide additional data, either among those required by legal provisions or those processed by BT on the basis of the legitimate interest to identify persons in order to provide/supply the products/services/information to them requested.

The data filled in these forms are processed by the bank for the purpose of providing products/services/information requested, for the period necessary for the fulfilment of purposes, in accordance with the bank's retention policies drawn up in accordance with the principles and obligations established by the applicable laws in the field of processing and protection of personal data.

BT will not collect or store the personal data of those who have completed online if they have not completed their registration.

Any person has the right to deposit cash in accounts opened with BT if the holders of such accounts have allowed such deposits to be made by third parties.

In order to make such a deposit, the bank is legally obliged to identify on the basis of their identity documents, and to process a series of information on their their personal data - name, surname, series and number of their identity card, and identity card, personal number code, address, details of the amount deposited and explanations the nature of the payment (what the payment represents).

In the cases provided for by law, mentioned in point. I of this section, for cash deposits, the Bank shall carry out and keep in safe custody its records a copy of the identity card belonging to the occasional Clerk who making the deposit

In the event that certain occasional customers repeatedly come to the units bank's units to make cash deposits into the accounts opened with BT, for to make the bank's activity more efficient, i.e. to reduce the waiting time in the bank has a legitimate interest in using their data collected in the course of the previous deposits, and that these data will be pre-filled in the receipt form deposit slip. External depositors' data will not be processed for other purposes, will only be accessed and stored by staff who have a need to know. only for the periods specified in the internal retention policies and in the regulations containing provisions on this matter.

Any person has the possibility to address requests to the bank, to ask for the provision of information/measures or to send it complaints/complaints on various subjects. channels such as - by sending/submitting complaints by letter to the bank's head office or its territorial units, by calling the call centre telephone number BT's call centre or any other telephone number assigned to BT units, by sending messages to the e-mail addresses made available to customers or to the e-mail addresses of the e-mail addresses of the bank's employees, by sending electronic messages in within the secure Internet banking platform BT24, by filling in forms on the BT website or on other websites controlled by the bank-for the list of all BT websites go here.

In order to identify the applicants, to analyse the situation reported and to to respond to these requests for information/submissions/complaints, the bank processes a personal data - name, surname, telephone number, address, telephone number address from which the request was received, other personal data, name, surname personal data provided in the messages or which is required to be processed for the purpose of formulating replies/providing the requested information.

For the purpose of proving the receipt of these complaints/requests/requests for information/messages, as well as for quality control purposes responses/information/inquiries transmitted/taken by the bank, as well as for the purposes of control of the quality of the support services, the messages received will be kept in the records of the BT both in the format in which they were received and in electronic format, and telephone calls will be recorded and retained for the duration of the business relationship for BT customers, i.e. for a period necessary to fulfil the purpose for which processed (the formulation of the answer/provision of information), plus a period of 3 years - the legal limitation period if the data do not belong to persons with bank has established a business relationship.

According to the provisions of Law 333/2003 on the security of objectives, goods, values and the protection of persons, as amended and supplemented, and the Decision no. 301 of 11 April 2012 for the approval of the Methodological Rules of Law no. 333/2003 on the security of objectives, goods, values and protection of persons, BT has legal obligation to video monitor the ATM area, as well as the areas of the access areas, lobbies and other high-risk areas.

Under its legitimate interest, the bank intends to monitor video and other areas accessible to the public that present a potential security risk to the persons/spaces or property.

Video surveillance work involves processing images of people, and the places where the cameras are located are marked accordingly, by a specific and visible announcement accompanied by the icon.

The video surveillance system is not used for any other purpose than that mentioned, not used to monitor the activity of the public, employees or time clocking. From system is also not a means of investigating or obtaining information for internal investigations or disciplinary proceedings, except where a physical security incident occurs or criminal behaviour is observed (in exceptional circumstances images may be transferred to investigative bodies in disciplinary or criminal investigation).

The system can record any movement detected by cameras installed in the area area under surveillance, together with the date, time and location. All cameras are operational 24 hours a day. hours, 7 days a week. When necessary, the quality of the images allows recognition of people passing through the cameras' area of action. Recordings video recordings are stored in the bank's internal records.

In addition to image processing in the video surveillance activity, in order to allow visitors access to some of the premises where the bank operates, security personnel will identify visitors based on the documents their identity, and the name, surname, series and number of the identity card of the visitor. persons shall be recorded in special registers and kept in a format that is for the legally established period.

BT wants to inform the interested persons about the products /services/events offered/organized by the bank, by the entities of the BT Financial Group or by their partners, meaning that it processes the personal data of these persons, if they have expressed their consent to receive such advertising messages by filling in the dedicated form, accessible in any unit of the bank and on the website.

The data processed by BT for the purpose of transmitting advertising messages are the name, surname, telephone number and/or e-mail address or correspondence provided by persons interested in receiving advertising messages.

The advertising messages will be sent on one or more of the SMS channels, phone call, e-mail address, postal mailing address or internet / mobile banking – BT24 (for customers who have contracted this service).

In some cases, for the transmission of advertising messages on these channels, BT will contract service providers, who will process the personal data of individuals on behalf of and for BT, only for the transmission of advertising messages established in compliance with BT's instructions and being under the close supervision of the Bank.

Willing persons can choose to receive advertising messages from several categories, including: products and services of BT, products and services of BT subsidiaries, events organized by BT, products / services of partners, related to products / services of BT or BT subsidiaries and events organized by BT partners.

The subsidiaries of BT whose products/services and events are intended to be promoted within the advertising messages sent to the persons who have opted for this purpose are the following entities within the Banca Transilvania Financial Group

BT Microfinance IFN SA ("BT Mic")
BT Asset Management S.A.I. S.A. ( "BTAM")
BT Leasing Transilvania IFN S.A. ("BTL")
BT Direct IFN S.A. ("BTD")
BT Capital Partners S.S.I.F. S.A.("BTCP")
other companiesthat can jointhis group inthe future

Persons who wish to receive advertising messages about products / services / events of the bank's partners or subsidiaries related to BT's services / products can also choose in this regard on the dedicated form for expressing the marketing agreement.
The list of current categories of partners of BT and/or BT subsidiaries is accessible at the https://www.bancatransilvania.ro//Parteneri_BT_Politica_Confidentialitate_25.05.2018-30.07.2019_Versiunea_1.pdf link or in any BT or BT subsidiaries.

If it was chosen to receive advertising messages about products / services events offered / organized by BT subsidiaries or by partners, these entities will process personal data for the purpose of transmitting these messages, under the close supervision and coordination of the Bank. For any possible processing of personal data carried out by BT's partners / BT subsidiaries outside or adjacent to the transmission of advertising messages, such as, for example, for the purpose of concluding contracts related to their products / services that have been promoted, these partners are to act as controllers of the processed personal data.

If BT or its subsidiaries already hold certain personal data of the persons who wish to receive advertising messages, based on the express consent of the persons concerned, these data can be processed automatically to make profiles (taking into account criteria such as age, location, income range, products of BT or of the BT subsidiaries used) in order to submit personalized proposals. If the persons concerned do not expressly consent to receiving personalized advertising messages, they will be sent only information about general offers, addressed to the general public. Expressing a disagreement to receive personalised messages does not lead to the impossibility of obtaining a personalized offer, at the request of the interested persons, depending on their needs, which can be brought to the attention of one of the bank's employees within the BT units or of BT's subsidiaries.

Personal data collected for the creation of profiles for the transmission of personalized advertising messages will be processed by BT, as the case may be, until the fulfillment of the purpose detailed in the previous paragraphs or until the withdrawal of the consent granted in this regard.

The agreement to receive advertising messages may be withdrawn or modified in the following ways:

sending a request to that effect to the BT headquarters in mun. Cluj-Napoca, str. G. Barițiu, nr. 8, jud. Cluj, with the mention "to the attention of the Data Protection Officer";
by message sent to the e-mail address dpo@btrl.ro;
by accessing the dedicated section of the BT - www.bancatransilvania.ro - "unsubscribe / modify advertising message", which you can also find at the following link www.bancatransilvania.ro/acord-prelucrare-date;

In some concrete cases, with strict respect for the rights and freedoms of individuals, Banca Transilvania will process personal data for the purpose of transmitting advertising messages based on its legitimate interest in promoting the products and services it offers.

BT is one of the companies with the largest number of employees in Romania, and the ads about various vacancies in the bank are posted on recruitment websites. People who access these sites and apply for specific positions available in BT or the "careers" section of the www.bancatransilvania.ro website, will be directed to the secure recruitment platform used by Banca Transilvania.

Within this platform, whether they only want to apply for a particular job or prefer that the bank can contact them for the various positions available within the company, candidates will be asked to create an account by entering their name, first name, a phone number and an e-mail address where they can be contacted. contact for recruitment purposes and to upload at least their CV.

In case of applying only for a specific job accessed, the personal data of the candidate will be processed by the bank only in the recruitment process for the respective position, and the data and the account created in the platform will be deleted when the end of the recruitment process for that position.

If, instead, the candidate chooses to be contacted in general for vacancies in BT, it will be necessary to select a series of predefined criteria in the platform, based on which we will notify him about the availability of the matching positions. In this case, the candidate's data will be kept for recruitment purposes for a period of 1 year from the moment of registration of this option.

The same retention period applies if the CVs have been handed over/transmitted to the Bank by the candidate through any other channels.

After the expiry of the aforementioned period, BT will anonymise the personal data collected for recruitment purposes and will only be used for the generation of statistical reports for the bank's internal use. Once these records become anonymised, they can no longer identify the person to whom they belong.

In the recruitment process, references from employers may become relevant previous employers. If the bank needs this, it will contact the candidate to ask for their agreement to obtain them on their behalf. consent, it will be necessary for the candidate to obtain these records himself. references if he/she wishes to continue the recruitment process.

The candidate has the option to delete at any time the account created within the BT recruitment platform, which will be equivalent to the withdrawal of consent or for the bank to process his personal data for recruitment purposes or. From the moment of deleting the account in the platform, only the candidate will be able to access his/her registered data, not BT.

If the bank receives CVs or job applications through channels other than recruitment platform indicated above, it will keep these data for the same period of time as the time mentioned above, i.e. until the end of the recruitment process. for the chosen position, or, if applicable, for a period of 6 months, which may be extended at the candidate's request, if he/she wishes to apply for various positions available within the company.

In addition to the purposes detailed in the previous sections, the Bank Transilvania also processes personal data for other purposes, such as:

carrying out analyses and keeping economic and financial management records and/or administrative management in the Bank;
administration within internal departments of the services and products offered by the bank;
evaluation and monitoring of the financial-commercial behaviour of Clients on during the course of the business relationship with the Bank;
creating or analysing profiles to improve BT products/services or BT Group entities;
analysing the behaviour of website users using cookies, both of BT and third parties, in order to provide general content or tailored offers tailored to users' interests (details in Cookie Policy);
conducting internal analyses (including statistical), both on products/services as well as on the customer portfolio, for the improvement of and development of products/services, as well as carrying out studies and analyses of market studies on the Bank's products/services;
the calculation of commissions to which employees acting within the framework of the BT's sales force;
archiving both in physical and electronic format of documents, the realization of registration services for correspondence addressed to and sent by BT, as well as carrying out courier activities;
the resolution of disputes, investigations or any other petitions/complaints/requests in which BT is involved;
performing risk controls on BT's procedures and processes, and performing audit or investigation activities;
making and sending reports to the competent institutions to in accordance with the legal provisions applicable to BT (e.g.: reports about payment incidents to the Payment Incident Centre of the NBR, declaring transactions exceeding the amount established by law to the National National Office for the Prevention and Combating of Money Laundering);
for monitoring client activity to detect transactions and suspicious transactions;

The personal data of the Bank's Customers are disclosed or, where appropriate, transferred in in accordance with the applicable legal grounds, depending on the situation and only under conditions that ensure full confidentiality and data security, to categories of recipients such as, but not limited to:

branches, agencies, work points, representative offices of the Bank,
entities within the BT Financial Group referred to in this policy or on BT website and others that may join the BT Group in the future
Service providers used by the Bank for: IT services (maintenance, software development), archiving in physical and/or electronic format; courier services; auditing; card issuing related services and enrolment in platforms; market research/studies, transmission of information to the advertising messages, monitoring of user traffic and behaviour online tools; marketing services via social media resources, etc;
inter-bank payment processing and transmission of information on inter-bank transactions (e.g. Transfond, Society for Worldwide Interbank Financial Telecommunication- SWIFT);
authorities and public institutions (such as, but not limited to, the NBR, ANAF*, the police, the National Office for Preventing and Combating Money Laundering**),
guarantee companies (funds) for various types of loan/deposit products (e.g. FNGCIMM, FGDB etc),
ONRC, OCPI, AEGRM, notaries public, lawyers, bailiffs;
Central Credit Register***;
Credit Bureau and Participants in the Credit Bureau system****;
insurance companies;
valuation companies;
companies collecting overdue debts or receivables;
entities to which the Bank has outsourced the provision of financial and banking services;
partners of the Bank;
international payment organizations (e.g. Visa, Mastercard);
banking institutions or state authorities, including from outside the European Economic Area - in international SWIFT transfers or as a result of processing in the purpose of the application of FATCA and CRS legislation, social network providers, the debt recovery and/or debt collection services, valuers, real estate agents.

*According to the provisions of the Tax Procedure Code (Law 207/2015), in its capacity as credit institution, BT has the legal obligation to communicate daily to the central tax authority - A.N.A.F. - the list of holders - natural persons, legal entities or any other entities without personality opening or closing accounts, as well as the identification data of the persons holding the right of signature for the accounts opened with them, the list of persons who rent cassettes safe deposit boxes, as well as the termination of the rental contract. A.N.A.F. may communicate these data to local tax bodies or to other central and local public authorities, in accordance with the law.

**If the conditions for the transmission by the BT of data with personal data to the National Office for Preventing and Combating Money Laundering, according to Law no. 656/2002 for the prevention and sanctioning of money laundering, as well as for measures to prevent and combat the financing of terrorism, republished, with subsequent amendments, they shall also be sent to the A.N.A.F. at the same time and in the same format.

***The bank has a legal obligation to report to the Credit Risk Centre (CRC) the information of credit risk information for each borrower that qualifies for reporting (includes data identification of a borrower, whether an individual or a non-bank legal entity, and the transactions in RON and foreign currency whereby the Bank is exposed to risk vis-à-vis that borrower), i.e. to be registered an individual risk against it, as well as information on card fraud detected.

****The Bank has a legitimate interest in reporting in the Credit Bureau System, to which the following have access other Participants (mainly credit institutions and non-bank financial institutions) the data personal data in the event that you are in arrears with the payment of credit of at least 30 days, after giving at least 15 days' prior notice to the persons concerned before the reporting date.

For the purpose of providing banking services covered by the contracts concluded between the Client and the Bank, the Bank shall transfer personal data abroad, where appropriate, including to countries which do not ensure an adequate level of data protection. Initiation by the Client of operations of payment orders represents the Client's consent to the transfer of his personal data. personal banking data to those countries. States that do not ensure an adequate level of protection States outside the European Union/European Economic Area, with the exception of States outside the which the European Commission has recognised as providing an adequate level of protection, namely : Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay (to the extent that a contrary decision is not issued in respect of any of these countries). States).

For the purposes set out in this Policy, personal data will be processed by BT throughout the contractual relationship with the data subjects and after the end of the relationship in order to comply with applicable legal obligations, including those in archiving.

Personal data filled in the credit application and those processed for the purpose of knowing customers for the purposes of preventing and sanctioning money laundering and combating terrorism, are stored in BT's records for a period of 3 years from the date of signature of the credit application. application, if the application is rejected, and for a period of 5 years from the date of the date of termination of the credit relationship, if a credit agreement is to be concluded following the approval of the credit application.

Regarding the data processed in the BT activity in the Credit Bureau system, they are stored at the level of this institution and disclosed to Participants for 4 years from the date of updating, except for data of credit applicants who have withdrawn their application for credit application or who have not been granted credit, which are stored and disclosed to Participants for a period of 6 months.

Personal data for which BT is legally obliged to report to the Credit Risk Centre (CRC) will be kept in the CRC records for a period of 7 years from the date of credit registration.

The ANAF database consultation agreements will be kept in the Bank's records for a period of 10 years from their signature -if the credit application has been rejected- and for 5 years from the date of the the termination of the credit relationship, but not less than 10 years from the date of signing the agreement - for if the credit application has been accepted and a credit agreement has been concluded. On request, these agreements are to be made available to ANAF on request.

For data processed with the consent of the data subject for the purpose of transmission advertising messages, they will be processed until the termination of the business relationship with Bank or, where applicable, until the withdrawal of such consent.

For the purpose of proving that complaints/complaints/requests for information/measures have been received and that replies to them have been formulated, including for quality control of the replies provided by BT, messages of this type received through any channel will be kept in BT's records both in paper and electronic for the duration of the business relationship for BT's customers, i.e. for one year. period necessary to fulfil the purpose for which they were processed (formulation of answering/providing information), plus a period of 3 years - the legal limitation period in if the data do not belong to persons with whom BT has an established business relationship.

Personal data processed for recruitment purposes will be kept by BT until the end of the the recruitment process for the available position. If data subjects wish to be contacted for more than one suitable position, the data in the CVs and other documents that they have submitted to the made available to BT for this purpose will be kept for a maximum period of 1 year, if during this period time, they are not requested to be deleted from the Bank's records.

The storage duration of the data obtained through the video surveillance system is proportionate to the purpose for which the data is processed, i.e. not exceeding 30 days, after which the recordings are deleted by automatic procedure in the order in which they were recorded. In the event of a security incident, the retention period of the material relevant footage may exceed normal limits depending on the time required for further investigation of the security incident.

Any other personal data processed by BT for other purposes will be kept for the period necessary to fulfil the purposes for which it was collected and to which it may be subject. non-excessive time limits set in accordance with applicable legal obligations, including but not limited to without limitation, to archiving provisions.

Any data subject has the following rights with regard to the processing of his/her personal data personal data by BT.

a. Right to be informed:

It means the right of data subjects to receive clear, transparent, written information from BT in language that is easy to understand, about how BT uses data personal data and about their rights. BT understands that it will this information obligation by the details it provides in this document, such as and by other information notes inserted in the forms and contracts used in its business

b. Right of access:

Data subjects have the right of access to personal data, i.e. to obtain a confirmation of whether or not BT is processing their personal data, as well as a copy thereof, so that they can check whether they are processed by BT in accordance with the provisions of the relevant legislation.

c. Right to rectification:

Data subjects have the right to have their personal data corrected if they are are recorded in BT's records in an erroneous format, if they are inaccurate or incomplete

d. Right to delete data

This right is also called "the right to be forgotten". Under this right, data subjects may request their personal data processed by BT to be deleted if they no longer there is a basis for their processing

is. The right to restrict the processing:

Data subjects may, in some cases, be able to stop BT's use of data relating to them. data concerning them for a certain period of time. When the processing of such data is restricted, personal data will continue to be kept in BT's records, but will not be processed by BT. used during this period and will be marked as restricted from processing.

f. Right to data portability:

Data subjects have the right to obtain from BT, in a machine-readable format, the following data data they have provided to us or they may request us to transmit these data to another controller of their choice. them

g. Right to opposition:

Data subjects may object to certain processing of personal data relating to them processing for the purpose of receiving advertising messages.

h. The right of data subjects to address the National Supervisory Authority Processing of Personal Data (ANSPDCP) and to the courts.

On the basis of this right, data subjects may apply to the ANSPDCP or to the courts for requests/petitions regarding the processing of their personal data by BT

The ways in which data subjects may exercise the rights referred to in points 2 to 7 above above are:

by sending a written request by post to the BT office in Mun. Cluj-Napoca, str. G. Baritiu, nr. 8, jud. Cluj, with the mention - "for the attention of the person responsible for the protection Data Protection Officer (DPO)" or
electronically to the e-mail address dpo@btrl.ro.

Also, for the data processed by BT in the Credit Bureau System, as they were provided for in this policy, data subjects may exercise their rights under the data processing access and restriction rights as provided above, and to the Credit Bureau S.A., as follows:

by a written, signed request, sent by post to the Credit Bureau, or
by accessing the Credit Bureau (www.birouldecredit.ro) website securely.

The data subjects of the processing of their personal data in the Credit Bureau Website have also have the right to obtain, upon request, at the time of communication of the credit decision, a copy of the Credit Report issued by the Credit Bureau, which has been used by BT in the analysis of the credit application.

BT develops an internal framework of standards and policies to keep personal data secure. They are regularly updated to comply with the regulations that are applicable to the Bank and the highest standards in the field.

Specifically and according to the law, we take appropriate technical and organizational measures (policies and procedures, IT security, etc.) to ensure the confidentiality and integrity of personal data and the way they are processed.

BT employees have the obligation to maintain confidentiality and cannot disclose the personal data they process in the course of their activity.

We ensure that our contractual partners who have access to the personal data we process impose contractual obligations in accordance with the legal provisions and that we verify their compliance with the obligations they have assumed. They will process personal data on behalf of and for BTD, only in accordance with the instructions received from it and only in compliance with security and confidentiality requirements within the limits imposed.

We warrant that BT does not sell the personal data it collects from the data subjects and does not transmit such data to entities, other than the ones that are entitled to know them, in line with the legally established principles and obligations.

We draw the attention of the visitors of the BT websites that they may contain links to websites whose privacy/personal data processing policy is different from that of BT. If you send personal data to any of these sites, your information falls under their privacy/personal data processing statement. BT's policy on the processing and protection of personal data does not apply to the information provided on those websites. In this regard, we recommend that you carefully read the privacy policy of any website you visit.

This policy is regularly reviewed to guarantee the rights of data subjects and to improve the ways of processing and protection of personal data processed.

High waiting time!

Search with AI Search

BT Visual Help

Privacy Policy