Skip to main content
You've reached the end of the results
No results found
Popular searches
  • CREDITS
    CARDS
    ACCOUNTS AND TRANSACTIONS
    SAVING AND INVESTING
    INSURANCES
    PREMIUM BANKING
    Reclama
  • Financing
    ACCOUNTS AND TRANSACTIONS
    CARDS
    Payment solutions
    SAVING AND INVESTING
    Specialised sectors
    Reclama - opens in a new tab
  • Careers
    Newsroom
    Blog
    Podcast
    BT Community
    Reclama
  • We have made a firm commitment to Romanians and local entrepreneurs in supporting their dreams, BT being the partner with whom they can start their journey.
    OMER Tetik
    CEO Banca Transilvania
    • Open online account
    Call Center
    • Call Center status meter dynamic emoji
    High waiting time!

    We are currently experiencing a very high number of calls in our Call Center. If you have an urgent problem, call now, otherwise we'll wait for you later. For quick answers try Ask BT - opens in a new tab or BT Visual Help - opens in a new tab.

    • 0264 308 308 028 or *8028The number is available from any national network. Standard rate.
    0264 303 003Hotline for all Romanians who are out of the country, including assistance in English. Standard tariff.
    Fraud assistance
    If you suspect fraud on your account, quickly call 0264 308 055. Standard rate.
    BT AI Chat acronym - opens in a new tab
    Search with AI Search - opens in a new tab

    AI Search on Ask BT answers all your banking questions.

    - opens in a new tab
    BT Visual Help - opens in a new tab

    Quickly view your account details, call 0264 308 000 and receive an SMS with the access link.

    Privacy Policy

    Policy of Banca Transilvania S.A. regarding the processing and protection of personal data within the banking activity ("Policy" or "Privacy Policy")

    Version valid between 25.05.2018 – 10.07. 2018 Download

    At Banca Transilvania S.A. (hereinafter referred to as "BT" or "the Bank") we are constantly concerned that the personal data of all individuals with whom we interact are processed in full compliance with applicable legal provisions and with the highest standards of security and confidentiality.  

    In order to guide and support us in our work in the field of processing and protection of personal data, we have appointed a data protection officer (DPO), who can be contacted by any person in relation to any issues related to the way BT processes personal data, by sending a complaint to the bank's head office in

    • mun. Cluj-Napoca, str. G. Barițiu, nr. 8, jud. Cluj, with the mention "for the attention of the personal data protection officer" or a message to
    • e-mail dpo@btrl.ro.

    In the following we present our policy in this very important area for any individual, which we undertake to review at certain intervals, with a view to its continuous improvement.

    This Policy is not addressed to Banca Transilvania S.A.'s employees, who shall be informed about their personal data that BT processes as an employer through a separate document, namely through Banca Transilvania S.A.'s Policy on the processing and protection of employee data.

    We will explain in this policy what personal data we process in the course of our business from the people with whom we interact, in what ways, for what purposes we use it, to whom we disclose or transfer it, how we ensure its security, as well as what rights data subjects have in relation to the processing of this data and how they can exercise them.

    • A. Who is Banca Transilvania?

    BANCA TRANSILVANIA S.A. is a credit institution, a Romanian legal person, with its registered office in Cluj-Napoca, str. G. Baritiu, nr 8, Cluj, registered with the Trade Register under no. J12/4155/1993, unique code RO 5022670, having the processing of personal data notified and entered in the Register of personal data controllers under number 8728.

    BT has over 500 units - branches, agencies, work points, which operate in Romania, as well as a branch and two agencies that carry out banking activity in Italy.

    Our official website is www.bancatransilvania.ro (the "BT website").

    The bank also manages other websites, an updated list of which can be found here.

    Banca Transilvania SA is the parent company of the Banca Transilvania Financial Group (hereinafter referred to as "BT Group"), which comprises the Bank's subsidiary entities about which you can find information on the BT website in the BT FINANCIAL GROUP section.

    B. What is personal data and what such data does BT process?

    Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, on the basis of such information.

    Within the framework of its banking activity, Banca Transilvania processes the following categories of personal data:

    • identification data: name, surname, pseudonym (if applicable), date and place of birth, personal numerical code or other similar unique identifier, national or international identity card/passport number and serial number and copy thereof, domicile and residence (if applicable), telephone number, fax number, e-mail address, nationality,
    • the profession, occupation, name of the employer or nature of his own activity (if applicable),
    • information about the important public office held - if applicable - and political opinions (exclusively in the context of obtaining information related to the person's politically exposed status),
    • information about the family situation (including marital status, number of children, dependent children),
    • information about your economic and financial situation - including income data, data on bank transactions and their history, data on assets owned, as well as data on behavior,
    • the image (contained in the identity documents or captured by video surveillance cameras installed in the bank's premises and ATMs),
    • voice, including in the recordings of telephone conversations. BT audio records telephone conversations in order to improve the quality of services and calls, but also to provide proof of request/agreement/option regarding certain;
    • signature and, in specific cases, a fingerprint (in the case of people who do not know how to read a book or visually impaired people),
    • identification codes, assigned by Banca Transilvania or other banking or non-banking financial institutions, necessary for the provision of services, such as, but not limited to, IBAN codes attached to bank accounts, debit/credit card numbers, card expiration date, 
    • data on health status, processed exclusively in the event that the processing of such data is necessary to prove the difficult situation of the customers or their family members, in order to grant facilities, or in the context of providing insurance products intermediated by the Bank,
    • information relating to fraudulent/potentially fraudulent activity, consisting of data relating to charges and convictions related to offenses such as fraud, money laundering and terrorist financing, 
    • information about the location of certain transactions (in case of transactions at ATMs or POS belonging to Banca Transilvania),
    • data and information related to the products and services offered by the Bank or its collaborators, which data subjects use (such as, but not limited to, credit, deposit, insurance products)

    C. Who are the persons whose personal data is processed by BT?

    In the course of its activity, BT processes primarily the personal data of its regularcustomers, those with whom it has established a long-term contractual relationship, carried out in accordance with Banca Transilvania's General Terms and Conditions of Business applicable - as the case may be - to individuals or legal entities (referred to as business relationship). These regular customers are, in general: individuals - adults or minors - who have at least one current account opened with BT as an individual customer, the authorized persons/legal representatives operating on accounts opened with BT on behalf of individuals or legal entities and their beneficial owners.

    However, BT also offers its services and products to occasional customers. These are people who do not have an account with BT and do not have operating rights on them, but sometimes use BT units or equipment (such as ATMs, BT Express, BT Express Plus etc) for various types of banking transactions (cash deposits into BT accounts, bill payments), money transfers (for example Western Union transfers) or foreign exchange operations, provide us with their personal data when visiting BT websites or units or when using the support services offered by the Bank's Call Center.

    Banca Transilvania is a company listed on the Bucharest Stock Exchange, so it also processes in this capacity personal data of its Shareholders , in accordance with the provisions of the capital market law.

    These Customers or Shareholders sometimes need to provide us - in order to respond to their requests, to obtain a product, to carry out an operation / provide a service - personal data belonging to other persons, such as: husband, wife, life partner, family members, beneficiary of a payment transaction, guarantor of a credit, beneficiary of an insurance, individuals whose data are inserted in the documents provided by the customer.

    If the Customer or the Shareholder is the one who provides BT with information about other persons, it has the obligation to inform those data subjects about the content of this policy in relation to the processing of their personal data.

    In the contracts that BT concludes with any supplier/provider of goods/services (contractual partner) , personal data of the signatories of these contracts (usually name, surname, position held and signature of the legal or contractual representatives of the contractual partners), of the contact persons designated by the contractual partner (usually name, surname, telephone number and e-mail address), of other categories of individuals whose data are disclosed to the Bank by the contractual partner are inserted. This personal data will be processed by BT in connection with the conclusion and performance of these contracts, for the internal administrative and financial management, the storage and archiving of contractual documentation, the testing and use of IT systems and IT services, the handling of complaints, the performance of audit missions. The basis for the processing of personal data belonging to these categories of persons is the Bank's legal obligation, the conclusion/performance of the contract and the legitimate interest of the Bank. The personal data that we become aware of in the context of our relationship with a contractual partner is disclosed, as appropriate: to the contractual partner who provided it to us, to BT Group entities, BT's partners who have a need to know, public authorities and institutions entitled to request it. The data will be processed at BT for the duration of the contract and thereafter until the end of the period for archiving the contractual documentation. In order to fulfill the purposes mentioned above, the Bank may transfer certain categories of personal data that the contractual partner has made available to us outside the EEA European Economic Area. Data subjects concerned by this processing benefit from the rights provided for in this policy for data subjects.

    All these categories of natural persons that we have listed above will hereinafter be referred to as "data subjects" for the processing of personal data.

    D. What does the processing of personal data mean and how does BT get to process this data?

    'Processing' of personal data means any operation or set of operations which is performed upon personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

    The personal data that we use in the course of our activities are usually obtained directly from the data subjects, on various occasions and in various ways:

    • at the time of establishment and during the business relationship with BT
    • when concluding and executing contracts for products/services offered by the bank, in its own name or for third parties
    • by filling in forms available on the BT website, other websites owned by the bank or other Group entities
    • by registering/participating in various contests/campaigns organized by BT in its units, on the BT website or on the bank's social media pages
    • when we are asked for information/receive complaints/complaints on the bank's telephone numbers, e-mail addresses, through messages on the bank's social network pages or received by letter in BT units
    • when to apply for vacancies in the bank (online, by sending/mailing CVs to BT branches or various e-mail addresses, at career fairs or other events)

    Indirectly, we may obtain personal data of data subjects from/through:

    • public authorities and institutions or institutions of public interest, correspondent banks, lawyers, notaries, bailiffs or other persons who send us requests/enquiries
    • proxies of the data subjects in order to open /carry out the business relationship with BT
    • consulting external databases, public or private, directly or through third party providers, such as the National Office of the Trade Register, the Credit Bureau S.A., the portal of the Romanian courts of justice administered by the Ministry of Justice, third party owners of databases of persons accused of terrorism or politically exposed
    • the employers of the data subjects, if we enter into agreements with them for the transfer of salaries or other amounts
    • other BT Group entities with which data subjects enter into contractual relationships and the Bank needs to know their data on the basis of its membership of the BT Group and for the proper conduct of the common economic activity that it carries out with the other BT Group entities
    • employees of the bank, who collect on behalf of the bank data of people who wish to be contacted by BT to present products/services they are interested in
    • Central Depository S.A., in the case of the Bank's Shareholders' data
    • the use by data subjects of the BT website, other websites owned by the bank (via cookies, Google Analytics etc) or other Group entities. For details about these issues and how you can set or block cookies, please consult the website's cookie policy.

    E. What are the grounds on which BT processes personal data?

    The activity carried out by Banca Transilvania, in its capacity as a credit institution, is strictly regulated by various normative acts. Thus, many of the personal data processing operations that BT carries out are imposed by its legal obligations. At the same time, however, BT processes personal data necessary for the conclusion and/or performance of contracts entered into with data subjects, on the basis of its legitimate interest or, where applicable, on the basis of the consent of the data subjects.

    Except in cases where personal data are processed on the basis of the consent of the data subjects, the refusal of data subjects to have their data processed by BT will make it impossible to provide the requested services or to deal with their requests.

    F. What are the purposes for which BT processes personal data?

    I. In order to identify Customers, as well as to establish and conduct the business relationship with BT

    In order to carry out any transaction requested by regular or occasional customers at the counters of BT units, the Bank must go through the identification stage. To this end, BT employees will ask people to show their valid identity card. In some cases required by law, it will also be necessary for BT to make and retain a copy of the identity document for the period required by law.

    The cases in which BT is obliged to apply standard know-your-customer measures, including making and retaining a copy of the identity document, are as follows:

    • when establishing a business relationship;
    • when carrying out occasional transactions with a value of at least EUR 15,000 or equivalent, regardless of whether the transaction is carried out in a single operation or in several operations which appear to be linked;
    • when there are suspicions that the purpose of the operation in question is money laundering or terrorist financing, regardless of the incidence of the provisions derogating from the obligation to apply the standard KYC measures established in this law and the amount of the operation;
    • if there are doubts about the veracity or relevance of the identifying information already held about the client;

    By virtue of the legal obligation to apply the standard know-your-customer measures that any Romanian credit institution has according to the provisions of the NBR Regulation no. 9/2008 on knowing the customer for the purpose of preventing and combating money laundering, Law 656/2002 on preventing and combating money laundering and terrorist financing and HGR 594/2008 implementing Law 656/2002 on combating money laundering and terrorist financing, at the time of establishing a business relationship, it is necessary to collect and keep in BT records at least the following categories of personal data: full name, surname, date and place of birth, personal numerical code or other similar unique identifier, domicile, telephone number, fax number, e-mail address, nationality and, if applicable, pseudonym, residential address, occupation, name of employer or nature of own business, important public office held, name of beneficial owner.

    The same information is also collected if a customer is represented in dealings with the bank by another person acting as attorney, trustee, guardian or in any other capacity and, in addition, data on the nature and limits of the power of attorney.

    In the case of establishing and carrying out the business relationship with a legal entity customer, the data mentioned in the above paragraphs shall be collected in order to identify the persons who, according to the articles of incorporation and/or the decision of the statutory bodies, are vested with the power to manage and represent the entity and on their powers of engagement of the entity, as well as to identify the person acting on behalf of the customer and information to establish that he/she is authorized/empowered to do so. The bank is obliged to verify these data, including in public registers.

    Under the same legal obligations, the identity data of the beneficial owner is collected, if applicable.

    The collected data will be verified on the basis of identity documents, but also by checking other sources.

    Making and retaining a copy of the identity documents of all these persons is also mandatory for the bank.

    As part of the know-your-customer process, the bank has the legal obligation to collect information related to the politically exposed person status of the customers with whom it enters into a business relationship. Exclusively for this purpose, BT will process information that falls into the category of political opinions - personal data of a special nature.

    Also, also in accordance with its legal obligations in this matter, BT will classify customers at the enrollment and account opening stage by risk, based on criteria such as nationality, residence, affiliation, functions or important positions held.

    As part of the know-your-customer process, based on the legal obligations under GEO no. 202/2008 on the implementation of international sanctions and Regulation no. 28/2009 on the supervision of the implementation of international sanctions, as well as on the basis of its legitimate interest not to enter into business relations with persons accused or suspected of breaches of the law, the bank processes information on fraudulent/potentially fraudulent activity (data related to charges and convictions related to offenses such as fraud, money laundering and financing of terrorist acts) 

    BT has the obligation to ensure that all these data are updated in its records throughout the course of the business relationship with customers, meaning that it will ask them to update the data provided at the initiation of the business relationship, whenever necessary, and may even update them on its own initiative, from reliable external sources, public or private, accessed directly or through third party providers.

    All this data is kept in the bank's records in accordance with the legally established time limit, which is at least 5 years after the customer's business relationship with BT has ended.

    If the application for initiating the business relationship is filled in online, in the sections available on the BT website, the applicants will have to provide the same data required by the legal provisions mentioned above, and the enrollment process (establishment of the business relationship) will be finalized only after the signing of the documentation in a bank unit. If, within 60 days from the completion of the online application for opening the business relationship, the applicant does not appear in a BT unit for the signing and finalization of the enrollment process, his/her data will be deleted from the bank's records.

    II. For the purposes of pre-offer of a credit product, analyzing a credit application, concluding and executing contracts for credit products (card or non-card)

    Lending is one of the main activities carried out by a credit institution. The conclusion and execution of a credit agreement with a natural or legal person involves several stages during which personal data are processed on the basis of the Bank's legal obligations, on the basis of the conclusion and execution of the credit/guarantee/assessment agreement, on the basis of the legitimate interest that the Bank justifies, and, in some specific situations, on the basis of the consent of the data subjects concerned by the processing.

    1. 1. Processing of personal data during the pre-offer or analysis of a credit application submitted to Banca Transilvania 

    1.1. Processing of personal data in the Credit Bureau System

    1.1.a.Legal basis and purpose of data processing in the Credit Bureau system

    The Bank has the obligation, according to the legal regulations in force, to assess the applicants' ability to repay the loan before entering into a credit agreement and during the course of the loan. To this end, it processes the information indicated in point 1.1.c below, both in its own records and by transmitting them to the Credit Bureau for processing by this institution and for consultation by any Participant in this system, for the purpose of initiating or carrying out a credit relationship, as well as for the provision of credit products.

    For credit applicants and certain categories of persons in relations with them, the Bank consults the Credit Bureau System during the stage of analyzing a credit application, justifying a legitimate interest in this regard for the conduct of a responsible lending activity.

    Credit Bureau SA is the private law entity that manages the Credit Bureau System, in which personal data are processed in connection with the credit activity carried out by the Participants.

    Participants in the Credit Bureau System are credit institutions, non-bank financial institutions, insurance companies and debt collection companies, which have signed a Participation Agreement with the Credit Bureau.

    1.1.b. The obligation to provide data and the consequences of non-compliance

    The provision of personal data is necessary for the purpose mentioned in paragraph 1.1.a. The refusal of the persons concerned by this processing to provide their personal data, necessary for the realization of the above mentioned purpose, will lead to the impossibility for the Bank to fulfill its legal obligations in relation to the granting of the credit.

    1.1.c. Categories of personal data processed in the Credit Bureau System

    The data processed in the Credit Bureau System are:

    • identification data of the data subject: name, surname, personal numerical code, home/residence and correspondence address, fixed/mobile telephone number, date of birth, country code and passport number/serial in the case of non-residents;
    • data relating to the employer:name and address of the employer;
    • data related to the credit type products requested/granted: type and name of the Participant, type of product, status of the product/account, date of granting, term of granting, amounts granted, amounts due, due date, currency, frequency of payments, amount paid, monthly installment, outstanding amounts, number of outstanding installments, number of days overdue, overdue category, product closing date;
    • data relating to events occurring during the life of the credit product, such as restructuring/refinancing, repayment, assignment of the credit agreement, assignment of the claim;
    • data relating to relations with other accounts: information relating to credit products for which the data subject is a co-borrower and/or guarantor;
    • Insolvency data: information on data subjects in respect of whom insolvency proceedings have been opened;
    • number of queries: indicates the number of Credit Reports issued by the Credit Bureau at the request of one or more Participants;

    1.1.d Recipients of data

    Personal data recorded in the Credit Bureau System are disclosed to the Participants in this system, upon request, for the purposes mentioned in point 1.1.a.

    The personal data processed in the Credit Bureau System will not be disclosed to third parties, except to public authorities and institutions, according to their competences and applicable legislation, such as the National Supervisory Authority for Personal Data Processing, the National Bank of Romania, the National Integrity Authority, courts of law, notaries public, bailiffs, criminal investigation bodies.

    1.2. Processing of personal data in the records of Banca Transilvania S.A.

    1.2.a. Legal basis and purpose of processing personal data 

    In order to pre-offer and, where appropriate, to analyze a credit application formulated, in accordance with the need to carry out a responsible lending activity, in addition to the processing of personal data in the Credit Bureau S.A. system, the Bank processes in its own records such data on the basis of the legal obligations it must comply with, the conclusion of the credit/guarantee/valuation/insurance contract, on the basis of its legitimate interest and, where appropriate, with the consent of the data subjects.

    1.2.b. The obligation to provide data and the consequences of non-compliance

    The provision of personal data is necessary in order to pre-offer/analyze a credit application. Refusal to provide the necessary data for this purpose will make it impossible for Ban Transilvania S.A. to fulfill its legal obligations in relation to the granting of the credit, and the credit application cannot be analyzed.

    1.2.c. Categories of personal data processed within Banca Transilvania S.A.

    The personal data mentioned above as being processed in the Credit Bureau's system are processed by Banca Transilvania S.A. and in its own records. To this data is added information that the Bank learns as a result of the verification of the data subjects in its own records, as well as in public databases such as websites - the portal of the courts of law, ONRC, etc.

    1.2.d.Existence of an automated decision making process, including profiling through the BT scoring application

    For the purpose of objectively verifying the fulfillment of the eligibility conditions for pre-offer and, where appropriate, for analyzing the credit application - BT processes in some cases, based on its legitimate interest, the personal data of the credit applicants (individuals and legal representatives of legal entities) as well as other individuals participating in the credit application analysis stage in its own automated system ("BT scoring application").

    In the BT scoring application are entered and analyzed personal data - identification data, other data filled in the credit application, information resulting from checks carried out in the Bank's own records or in those of the Credit Bureau SA, such as - whether the persons concerned by this processing receive income in an account opened with the Bank or are a regular customer of the Bank, the level of monthly payment obligations, payment history in case of other loans taken out from the Bank, etc. After analyzing this data/information, the BT scoring application issues a score based on a profile of the borrower/potential borrower good or bad payer. The returned score determines the credit risk and the likelihood of paying future installments on time.

    On the basis of the score issued by the BT scoring application, together with the result of the verification of the relevant personal situation in public databases such as websites - the portal of the courts, ONRC, etc - the Bank determines whether the eligibility conditions set by its internal regulations are met and will make the decision to admit or reject the credit application, which is based on the analysis performed by the Bank's employees (human intervention).

    1.2.e At this stage of the credit process, the applicants will be sent a form by signing which they can express their consent for the bank to consult the ANAF database for a limited period of time - maximum 5 working days - regarding the income realized by them, considering that the level of income realized is an essential element for determining the bank's credit conditions.

    Also at this stage, for some types of credit products, the Bank wishes to consult the records of the Central Credit Risk Register, in which case it will send the credit applicant a dedicated agreement form to fill in and sign.

    2. Processing of personal data when concluding and during the course of a credit agreement concluded with the Bank

    2.1. Legal basis and purpose of processing

    For the conclusion and performance of credit agreements and, where applicable, the related guarantee/valuation/insurance contracts, the Bank processes the categories of personal data mentioned in this section at point 2.3, pursuant to its legal obligations, the conclusion and performance of the agreements and its legitimate interest

    2.2. The obligation to provide data and the consequences of non-compliance

    The provision of personal data is necessary for the purpose of concluding and executing credit agreements and, where applicable, ancillary agreements (e.g. guarantee agreements). Refusal to process personal data necessary for the fulfillment of the above-mentioned purpose will make it impossible for the Bank to provide the requested credit.

    2.3. Categories of personal data processed

    The personal data processed by the Bank for the purposes mentioned in point 2.1 of this section are those used during the pre-offer/analysis stage of the credit application, in addition to other such data that have been filled in and/or received on the occasion of/for the conclusion or during the course of the credit and guarantee agreement.

    III. In order to provide other BT products/services, including online

    BT assigns to each of its customers a customer code (Customer ID) on the basis of which the customer is identified in the bank's records, as well as an IBAN code for each account (current, card, savings, etc.) opened in the customer's name with the bank.

    In addition, for each of the cards issued by BT to its customers, a unique number (PAN) is assigned to each card , which BT writes on the card together with its expiry date, the cardholder's name and CVV basket (back). Based on the cardholders' agreement, there is the possibility to write on the card the IBAN code.

    Banca Transilvania constantly strives to offer its customers with whom it has a business relationship online services and products, such as the internet banking service - with the BT24, mobile BT24 or BT24 Invoices variants - the digital wallet payment application - BT Pay, the chat both "Livia de la BT" accessible via Facebook, the Self Serv service that can be called by phone. In order to use these services it is necessary for the bank to process certain categories of personal data in order to identify individuals as BT customers and, subsequently, as users of the services. These data are, as a rule - name, surname, date of birth, customer code, telephone number.

    Some BT applications, which are accessible via mobile devices (e.g. BT24 mobile, BT Pay), may require their users, either at the time of installation or during their use, to access certain additional personal data such as, but not limited to: Camera (e.g. for the option to scan invoice barcodes), location (within certain sections of the applications, to display nearby BT branches and ATMs or to indicate the shops of merchants enrolled in the Star BT loyalty program), contact persons (only when accessing the Email/SMS/P2P payments option to automatically fill in the details of beneficiaries), SMS (to automatically fill in the SMS-OPT codes required in the various sections of the applications), phone status and identity (e.g. The IMEI of the phone is required to activate the MBT24 mobile internet banking application), information related to the existence or non-existence of a method of securing the phone used within the applications.

    Also, when using online services, the IP address of the device you are using will be processed in some situations in order to ensure the security of the transactions made. This data is requested and used strictly for the purpose of ensuring the security of transactions and processed only for the period strictly necessary.

    In order to provide certain banking services, such as, but not limited to, internet and mobile banking - with BT24, BT24 mobile or BT24 Invoices- SMS Alert, BT Alert, the bank will process the telephone number communicated by customers in order to provide those services.

    Also, the telephone number, e-mail address or home/residence/correspondence address provided by the Customers for the conduct of the business relationship, will be processed by the bank in order to inform the Customers about issues of interest related to the functioning of the services/products contracted from BT, such as, but not limited to, interruptions in the functioning of some services, the establishment of garnishments on bank accounts, warnings on the expiration of bank cards issued by BT or identity documents, but also for contacting them in the framework of the debt collection activity.

    In the case of "apply online" services for various BT products/services/contests/events, available as forms on the BT website and other websites controlled by the bank, we usually require the following personal data: name, surname, telephone number and e-mail address, in order to contact the applicants in order to provide them with answers/information regarding these requests.

    Depending on the specifics of the product/service being applied for online, there are, however, situations where it is necessary to provide additional data, either those required by law or those processed by BT in its legitimate interest to identify individuals in order to provide them with the products/services/information requested.

    The data filled in these forms are processed by the bank in order to provide the products/services/information requested, for the period necessary to fulfill these purposes, according to the bank's retention policies developed in accordance with the principles and obligations established by the applicable laws in the field of processing and protection of personal data.

    BT will not collect or store the personal data of those who have completed their online registration unless they have completed their registration.

    IV. For the purpose of depositing cash amounts in accounts opened with BT by occasional Customers

    Any person has the right to deposit cash into accounts held with BT, if the account holders have allowed such deposits to be made by third parties.

    In order to make such a deposit, the bank has the legal obligation to identify the payers on the basis of their identity documents, and to process a series of their personal data - name, surname, identity card number, personal identification number, address, details of the amount deposited and explanations regarding the nature of the payment (what the payment represents).

    In the cases provided for by law, mentioned in pct. I of this section, for cash deposits the Bank shall have to make and keep in its records a copy of the identity document belonging to the occasional depositing Clinet

    In the event that certain occasional customers repeatedly come to the bank's units in order to make cash deposits in the accounts opened with BT, in order to streamline the bank's activity, respectively to reduce the waiting time in the units, the bank has the legitimate interest to use their data collected during previous deposits, and to pre-fill them in the cash deposit receipt form. External depositors' data will not be processed for any other purposes, will be accessed only by staff with a need to know and kept only for the periods provided for in the internal retention policies and in the regulatory acts containing provisions on this issue.

    V. In order to provide information/answer/take action on requests/questions/complaints of any nature addressed to the bank by different persons through any channel

    Any person has the possibility to address requests to the bank, to request the provision of information/to take measures or to submit complaints/complaints, through various channels such as - by sending/mailing complaints to the bank's head office or its territorial units, by calling the BT call center telephone number or any other telephone number allocated to BT units, by sending messages to the e-mail addresses provided to the customers or to the e-mail addresses of the bank's employees, by sending electronic messages within the secure internet banking platform BT24, by filling in dedicated forms on the BT website or on other websites controlled by the bank - for a list of all BT websites, please click here.

    In order to identify the requesting persons, to analyze the situation and to respond to these requests for information / inquiries / complaints, the bank processes a series of personal data - name, surname, telephone number, e-mail or correspondence address from which the request was received, other personal data provided in the messages or which is necessary to be processed in order to formulate the answers / provide the requested information.

    For the purpose of proving the receipt of these complaints/inquiries/information requests/masks, as well as for the quality control of the replies/information/actions transmitted/taken by the bank, and for the purposes of quality control of the supporting services, the messages received will be kept in BT's records both in the format in which they were received and in electronic format, and the telephone calls will be recorded and kept for the period of the business relationship for BT's customers, i.e. for a period necessary to fulfill the purpose for which they were processed (formulating the answer/providing the information), plus a period of 3 years - the legal limitation period in case the data do not belong to persons with whom the bank has established a business relationship.

    VI. For the purpose of monitoring, including video, the security of persons, premises and/or property BT

    According to the provisions of Law no. 333/2003 on the guarding of objectives, goods, valuables and protection of persons, with subsequent amendments and additions and Decision no. 301 of April 11, 2012 for the approval of the Methodological Norms of Law no. 333/2003 on the guarding of objectives, goods, valuables and protection of persons, BT has the legal obligation to monitor the video surveillance of the ATM area, as well as the areas of access roads, hallways and other high-risk areas.

    Based on its legitimate interest, the bank understands to monitor video and other publicly accessible areas that present a potential security risk to persons/spaces or property.

    The activity of video surveillance involves processing the image of persons, and the places where the cameras are located are marked accordingly, by a specific and visible notice accompanied by the icon.

    The video surveillance system is not used for any other purpose other than those mentioned, it is not used to monitor the activity of the public, employees or for time clocking. The system is also not a means of investigating or obtaining information for internal investigations or disciplinary proceedings, except in situations where a physical security incident occurs or criminal behavior is observed (in exceptional circumstances the footage may be transferred to investigative bodies as part of a disciplinary or criminal investigation).

    The system can record any movement detected by the cameras installed in the monitored area, along with the date, time and location. All cameras are operational 24 hours a day, 7 days a week. When necessary, the quality of the images allows the recognition of persons passing through the area covered by the cameras. Video recordings are stored in the bank's internal records.

    In addition to the image processing within the video surveillance activity, in order to allow visitors access to some premises where the bank carries out its activity, the staff with security duties will identify the visitors on the basis of their identity documents, and the name, surname, serial number and ID card number of these persons will be entered in special registers and kept in letric format for the legally established period.

    VII. For the purpose of sending advertising messages about products/services/events offered/organized by the bank, BT Financial Group entities or their partners

    BT wants to inform the interested persons about the products /services/events offered/organized by the bank, by the entities of the BT Financial Group or by their partners, meaning that it processes the personal data of these persons, if they have expressed their consent to receive such advertising messages by filling in the dedicated form, accessible in any unit of the bank and on the website.

    The data processed by BT for the purpose of transmitting advertising messages are the name, surname, telephone number and/or e-mail address or correspondence provided by persons interested in receiving advertising messages.

    The advertising messages will be sent on one or more of the SMS channels, phone call, e-mail address, postal mailing address or internet / mobile banking – BT24 (for customers who have contracted this service).

    In some cases, for the transmission of advertising messages on these channels, BT will contract service providers, who will process the personal data of individuals on behalf of and for BT, only for the transmission of advertising messages established in compliance with BT's instructions and being under the close supervision of the Bank.

    You can choose to receive advertising messages in several categories, including: products and services of BT, products and services of BT's subsidiaries, events organized by BT, products/services of partners, which are related to products/services of BT or BT's subsidiaries and events organized by BT's partners.

    The BT subsidiaries whose products/services and events are to be promoted in the advertising messages sent to the persons who have opted in are the following entities within the Banca Transilvania Financial Group 

    Persons who wish to receive advertising messages about products/services/events of the bank's partners or subsidiaries related to BT's services/products can opt-in on the dedicated form for expressing their marketing agreement.
    The list of BT's and/or BT subsidiaries' current partner categories is available at the link https://www.bancatransilvania.ro//Parteneri_BT_Politica_Confidentialitate_25.05.2018-30.07.2019_Versiunea_1.pdf or at any BT or BT Subsidiaries establishment.

    If it was chosen to receive advertising messages about products / services events offered / organized by BT subsidiaries or by partners, these entities will process personal data for the purpose of transmitting these messages, under the close supervision and coordination of the Bank. For any possible processing of personal data carried out by BT's partners / BT subsidiaries outside or adjacent to the transmission of advertising messages, such as, for example, for the purpose of concluding contracts related to their products / services that have been promoted, these partners are to act as controllers of the processed personal data.

    If BT or its subsidiaries already hold certain personal data of persons who wish to receive advertising messages, with the express consent of the persons concerned, this data may be processed automatically for profiling purposes (taking into account criteria such as age, location, income range, products of BT or BT subsidiaries used) in order to send personalized proposals. If the persons concerned do not expressly consent to receiving personalized advertising messages, they will only be sent information about general offers addressed to the general public. The expression of a refusal to receive personalized messages does not lead to the impossibility of obtaining a personalized offer, at the request of the persons concerned, according to their needs, which may be brought to the attention of one of the bank's employees in BT units or BT subsidiaries.

    Personal data collected for the creation of profiles for the transmission of personalized advertising messages will be processed by BT, as the case may be, until the fulfillment of the purpose detailed in the previous paragraphs or until the withdrawal of the consent granted in this regard.

    The agreement to receive advertising messages may be withdrawn or modified in the following ways:

    • sending a request to that effect to the BT headquarters in mun. Cluj-Napoca, str. G. Barițiu, nr. 8, jud. Cluj, with the mention "to the attention of the Data Protection Officer";
    • by message sent to the e-mail address dpo@btrl.ro;
    • by accessing the dedicated section of the BT - www.bancatransilvania.ro - "unsubscribe / modify advertising message", which you can also find at the following link www.bancatransilvania.ro/acord-prelucrare-date;

    In some concrete cases, with strict respect for the rights and freedoms of individuals, Banca Transilvania will process personal data for the purpose of transmitting advertising messages based on its legitimate interest in promoting the products and services it offers.

    VIII.For the purpose of recruiting persons interested in vacancies available at BT

    BT is one of the companies with one of the largest number of employees in Romania, and advertisements about various vacancies in the bank are posted on recruitment websites. People who access these sites and apply for specific positions available in BT or the "careers" section of the website www.bancatransilvania.ro, will be directed to the secure recruitment platform used by Banca Transilvania.

    Within this platform, whether they want to apply only for a specific position, or if they prefer that the bank can contact them for different positions available within the company, candidates will be asked to create an account, entering their first name, last name, a phone number and an e-mail address where they can be contacted for recruitment purposes and upload at least their CV.

    In the case of applying only for a specific position, the candidate's personal data will be processed by the bank only within the recruitment process for that position, and will be deleted and the account created in the platform when the recruitment process for that position is finalized.

    If, instead, the candidate chooses to be contacted in general for vacancies in BT, he/she will be required to select a set of predefined criteria in the platform, based on which we will notify him/her about the availability of matching positions. In this case, the candidate's data will be kept for recruitment purposes for a period of 1 year from the moment of registering this option.

    The same retention period also applies if the CVs have been delivered/transmitted to the Bank by the candidates through any other channels.

    After the mentioned deadline, BT will anonymize the personal data collected for recruitment purposes, and they will be used only for the generation of statistical reports for the internal use of the bank. Once these records are anonymized, they can no longer identify the person to whom they belong.

    References from candidates' previous employers may become relevant in the recruitment process. If the bank needs these references, it will contact the candidate to request consent to obtain them on his/her behalf. If the candidate does not consent to this, it will be necessary to obtain these references themselves if they wish to continue the recruitment process.

    The candidate has the option to delete at any time the account created within the BT recruitment platform, which will be equivalent to the withdrawal of consent or for the bank to process his personal data for recruitment purposes or. From the moment of deleting the account in the platform, only the candidate will be able to access his/her registered data, not BT.

    In case the bank will receive CVs or job applications through channels other than the recruitment platform indicated above, it will keep these data for the same periods of time mentioned above, namely until the end of the recruitment process for the chosen position, or, as the case may be, for a period of 6 months, which can be extended upon the candidate's request, if he/she wishes to apply for various positions available within the company.

    IX Other purposes for which BT processes personal data

    Besides the purposes detailed in the previous sections, Banca Transilvania processes personal data for other purposes, such as:

    • analyzing and keeping economic, financial and/or administrative management records in the Bank;
    • internal departmental administration of the services and products offered by the bank;
    • assessing and monitoring the financial-commercial behavior of Clients during the course of the business relationship with the Bank; 
    • creating or analyzing profiles to improve BT products/services or BT Group entities;
    • analyzing the behavior of website users through the use of cookies, both BT and third parties, in order to provide general or tailored content, offers tailored to the interests of users (details in the Cookie Policy);
    • conducting internal analysis (including statistical), both on products/services and on the client portfolio, for the improvement and development of products/services, as well as conducting market research and analysis on the Bank's products/services;
    • the calculation of commissions payable to employees working in BT's sales force;
    • archiving of documents in both physical and electronic format, performing registry services for correspondence addressed to and sent by BT, as well as courier activities; 
    • resolving disputes, investigations or any other petitions/complaints/requests in which BT is involved; 
    • carrying out risk controls on BT's procedures and processes, as well as audit or investigation activities;
    • realization and transmission of reports to the institutions competent to receive them in accordance with the legal provisions applicable to BT (e.g.: reports on payment incidents to the Payment Incident Center of the NBR, declaration of transactions exceeding the amount established by law to the National Office for the Prevention and Combating of Money Laundering);
    • for monitoring customer activity to detect unusual transactions and suspicious transactions;

    G. To whom does Banca Transilvania disclose the personal data it processes?

    The personal data of the Bank's Customers shall be disclosed or, as the case may be, transferred, in accordance with the applicable legal grounds, on a case-by-case basis and only under conditions that ensure full confidentiality and data security, to categories of recipients, such as, but not limited to:

    • branches, agencies, work points, representative offices of the Bank,
    • entities within the BT Financial Group mentioned in this policy or on the BT website and others that may join the BT Group in the future
    • Service providers used by the Bank for: IT services (maintenance, software development), archiving in physical and/or electronic format; courier; audit; services related to card issuance and card enrolment in platforms; market research/studies, transmission of advertising messages, monitoring of traffic and behavior of users of online tools, marketing services through social media resources, etc;
    • processing inter-bank payments and transmitting information on inter-bank transactions (e.g. Transfond, Society for Worldwide Interbank Financial Telecommunication - SWIFT);
    • public authorities and institutions (such as, but not limited to, NBR, ANAF*, police, National Office for the Prevention and Combating of Money Laundering**),
    • companies (funds) guaranteeing various types of credit/deposit products (e.g. FNGCIMM, FGDB etc),
    • ONRC, OCPI, AEGRM, notaries public, lawyers, bailiffs;
    • Central Credit Register***;
    • Credit Bureau and Participants in the Credit Bureau system****;
    • insurance companies;
    • valuation companies;
    • companies collecting overdue debts or receivables;
    • entities to which the Bank has outsourced the provision of financial and banking services;
    • partners of the Bank;
    •  international payment organizations (e.g. Visa, Mastercard);
    • banking institutions or state authorities, including from outside the European Economic Area - in the case of SWIFT international transfers or as a result of processing carried out for the purposes of FATCA and CRS legislation, social networking providers, debt recovery and/or debt collection services, valuators, real estate agents.

    *In accordance with the provisions of the Code of Fiscal Procedure (Law 207/2015), in its capacity as a credit institution, BT has the legal obligation to communicate daily to the central tax body - A.N.A.F. - the list of holders of natural persons, legal entities or any other entities without legal personality opening or closing accounts, as well as the identification data of the persons holding the signature right for the accounts opened with them, the list of persons renting safe deposit boxes, as well as the termination of the rental contract. A.N.A.F. may communicate these data to local tax authorities or to other central and local public authorities, in accordance with the law.

    **If the conditions for the transmission by BT of personal data to the National Office for the Prevention and Combating of Money Laundering are fulfilled, according to Law no. 656/2002 for the prevention and sanctioning of money laundering, as well as for the establishment of measures to prevent and combat terrorist financing, republished, with subsequent amendments, they are transmitted simultaneously and in the same format and to the N.A.A.F.

    ***The Bank has the legal obligation to report to the Credit Risk Center (CRC) the credit risk information for each borrower that fulfills the condition to be reported (includes the identification data of a borrower, natural person or non-bank legal entity, and the operations in lei and in foreign currency through which the Bank is exposed to risk with respect to that borrower), i.e. to have registered an individual risk with respect to that borrower, as well as information on card frauds detected.

    ****The Bank has the legitimate interest to report in the Credit Bureau System, to which other Participants (mainly credit institutions and non-banking financial institutions) have access, your personal data in case you will be at least 30 days late in the payment of your credit, after prior notification of the persons concerned in this respect at least 15 days before the reporting date.

    In order to provide the banking services covered by the contracts concluded between the Customer and the Bank, the Bank shall transfer personal data abroad, as the case may be, including to countries that do not ensure an adequate level of protection of personal data. The initiation by the Customer of transactions such as payment orders shall constitute his consent to the transfer of his personal Bank personal data to the states concerned. States which do not ensure an adequate level of protection are states outside the European Union/European Economic Area, with the exception of the states to which the European Commission has recognized an adequate level of protection, namely : Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay (to the extent that no contrary decision will be issued in respect of any of these States).

    H. How long does BT process personal data?

    In order to fulfill the purposes outlined in this Policy, personal data will be processed by BT throughout the contractual relationship with the data subjects and after its termination in order to comply with applicable legal obligations, including archiving.

    The personal data filled in the credit application and the data processed for the purpose of knowing the clientele in order to prevent and sanction money laundering and combating terrorism are stored in BT's records for a period of 3 years from the date of signing the credit application, in case the credit application is rejected, and for a period of 5 years from the date of termination of the credit relationship, in case a credit agreement is concluded following the approval of the credit application.

    As regards the data processed within the framework of BT's activity in the Credit Bureau system, they are stored at the level of this institution and disclosed to Participants for 4 years from the date of update, except for the data of credit applicants who have withdrawn their credit application or who have not been granted credit, which are stored and disclosed to Participants for a period of 6 months.

    Personal data for which BT has a legal obligation to report to the Credit Risk Center (CRC) will be kept in the CRC's records for a period of 7 years from the date of credit registration.

    ANAF database consultation agreements will be kept in the Bank's records for a period of 10 years from the date of their signature -if the credit application has been rejected- and for 5 years from the end of the credit relationship, but not less than 10 years from the date of signing the agreement -if the credit application has been accepted and a credit agreement has been concluded. Upon request, these agreements are to be made available to ANAF.

    For data processed on the basis of the data subject's consent for the purpose of sending advertising messages, the data will be processed until the termination of the business relationship with the Bank or, where appropriate, until the withdrawal of that consent.

    For the purpose of proving that complaints/complaints/inquiries/requests for information/masks have been received and responded to, including for quality control of BT's responses, such messages received through any channel will be kept in BT's records in both paper and electronic format, for the duration of the business relationship for BT's customers, i.e. for a period necessary to fulfill the purpose for which they were processed (formulating the response/providing the information), plus a period of 3 years - the legal limitation period if the data does not belong to persons with whom BT has an established business relationship.

    The personal data processed for recruitment purposes will be kept by BT until the end of the recruitment process for the available position. If the data subjects wish to be contacted for more than one vacancy that would suit them, the data from their CVs and other documents that they have made available to BT for this purpose will be kept for a period of up to 1 year, unless they request their deletion from the Bank's records within this period.

    The duration of storage of data obtained through the video-surveillance system shall be proportionate to the purpose for which the data are processed, i.e. shall not exceed 30 days, after which the recordings shall be deleted by automatic procedure in the order in which they were recorded. In the event of a security incident, the retention period of the relevant footage may exceed the normal limits depending on the time necessary to further investigate the security incident.

    Any other personal data processed by BT for other specified purposes will be kept for the period necessary to fulfill the purposes for which they were collected, to which may be added non-excessive periods, established in accordance with applicable legal obligations in the field, including but not limited to, the provisions on archiving.

    I. What rights can data subjects exercise with regard to personal data processed by Banca Transilvania?

    Any data subject has the following rights regarding the processing of his/her personal data by BT.

    a. Right to be informed:

    It means the right of data subjects to receive from BT clear, transparent information, written in easily understandable language, about how BT uses personal data and about the rights they have. BT intends to fulfill this duty to inform by the details it provides in this document and other information notices inserted in forms and contracts used in its business

    b. Right of access:

    Data subjects have the right of access to their personal data, i.e. to obtain a confirmation as to whether or not BT is processing their personal data, as well as a copy of their personal data, so that they have the possibility to verify whether they are processed by BT in accordance with the provisions of the relevant legislation.

    c. Right to rectification:

    The data subjects have the right to have their personal data corrected if it is contained in BT's records in an incorrect format, inaccurate or incomplete

    d. Right to delete data

    This right is also called the "right to be forgotten". Under it, data subjects can request the erasure of their personal data that BT is processing, if there is no longer a basis for processing them

    is. The right to restrict the processing:

    Data subjects may, in some cases, be able to stop BT from using their data for a certain period of time. Where the processing of such data is restricted, the personal data will continue to be held on BT's records, but will no longer be used during this period and will be marked as restricted from processing.

    f. Right to data portability:

    Data subjects have the right to obtain from BT, in machine-readable format, the data they have provided to us, or they may ask us to transmit the data to another controller of their choice

    g. Right to opposition:

    Data subjects may object to certain processing of personal data concerning them, such as processing for the purpose of receiving advertising messages.

    h. The right of data subjects to apply to the National Authority for the Supervision of Personal Data Processing (ANSPDCP) and to justice.

    On the basis of this right, data subjects may make requests/petitions to the ANSPDCP or to the courts in relation to the processing of their personal data by BT

    The ways in which data subjects can exercise their rights mentioned in points 2-7 above are:

    • by sending a written request by post to BT's headquarters in Mun. Cluj-Napoca, str. G. Baritiu, nr. 8, jud. Cluj, with the mention - "for the attention of the Data Protection Officer (DPO)" or
    • electronically to the e-mail address dpo@btrl.ro.

    Also, for the data processed by BT in the Credit Bureau System, as set out in this policy, the data subjects may also exercise their access and restriction rights as set out above, and at the Credit Bureau S.A., as follows:

    • by a written, signed request sent by post to the Credit Bureau, or
    • by accessing the Credit Bureau (www.birouldecredit.ro) website securely.

    The persons concerned by the processing of their personal data on the Credit Bureau's Website also have the right to obtain, upon request, at the time of the communication of the credit decision, a copy of the Credit Report issued by the Credit Bureau, which was used by BT in analyzing the credit application.

    J. How does BT protect the personal data it processes?

    BT develops an internal framework of standards and policies to keep personal data secure.  They are regularly updated to comply with the regulations that are applicable to the Bank and the highest standards in the field.

    Specifically and in accordance with the law, we take appropriate technical and organizational measures (policies and procedures, IT security, etc.) to ensure the confidentiality and integrity of personal data and the way they are processed.

    BT employees have the obligation to maintain confidentiality and cannot disclose the personal data they process in the course of their activity.

    We ensure that our contractual partners who have access to the personal data we process impose contractual obligations in accordance with the legal provisions and that we verify their compliance with the obligations they have assumed. They will process personal data on behalf of and for BTD, only in accordance with the instructions received from it and only in compliance with security and confidentiality requirements within the limits imposed.

    We warrant that BT does not sell the personal data it collects from the data subjects and does not transmit such data to entities, other than the ones that are entitled to know them, in line with the legally established principles and obligations.

    We draw the attention of the visitors of the BT websites that they may contain links to websites whose privacy/personal data processing policy is different from that of BT. If you send personal data to any of these sites, your information falls under their privacy/personal data processing statement. BT's policy on the processing and protection of personal data does not apply to the information provided on those websites. In this regard, we recommend that you carefully read the privacy policy of any website you visit.

    This policy is regularly reviewed to guarantee the rights of data subjects and to improve the ways of processing and protection of personal data processed.