The purposes and bases of the processing. Recipients of personal data

Transcription

1 Processing of personal data This document presents the types of personal data collected and processed within GARANTI BANK SA, the purposes and the bases of such processing, the recipients of the data, the storage periods, the rights of the data subjects. GARANTI BANK SA is a company headquartered in Bucharest, Sos. Fabrica de Glucoza nr. 5, Novo Park 3, Business Center, Cladirea F, et.5 si 6, sector 2, with registration number with the Trade Register J40/4429/2009, tax registration code , registered in the credit institutions register with no. RB-PJR /2009, hereinafter referred to as the Bank. This information is intended for individuals, such as: Former customers and current clients of Garanti Bank SA Individuals applying for a product/service of the Bank or they communicate the data to be contacted in connection with their request Any natural person involved in any transaction with Garanti Bank SA, either personally or as a representative of a legal person Payers in the accounts of individuals and legal entities Representatives who are natural persons (associates, shareholders, delegates, authroized persons), of some clients who are legal persons Persons who contact us to obtain various information about our products and services to submit a suggestion, request or claim by filling out an application, an online form or by contacting us on the phone, thus providing us with their personal data. Note: The information presented below differs according to the position of the data subject, the types of products and services chosen or benefited by the data subject, the nature of the purpose of the request addressed to the bank by the data subject, the purpose of the processing, the data recipient. The processed personal data: name, surname, personal identification number (CNP), health status, citizenship, address, fixed and mobile phone number, address, profession, workplace, family, economic and financial situation, habits/preferences/payment/savings/debt behaviour, image, voice, information about fraudulent activity, information regarding the inaccuracies found in the documents/statements submitted to the Bank, obtained on the basis of the forms, statements and documents submitted, drafted or completed, obtained during telephone conversations; The purposes and bases of the processing. Recipients of personal data (i) in order to conclude and execute a contract to which the data subject is a party or take action upon his request prior to the conclusion of a contract, the Bank shall process the personal data as follows: o for the conclusion and execution of the current account contract and, depending on the banking services chosen by the data subject, the savings account contract, the deposit contract, the internet/mobile banking services, the performance of the related payment services and the unfolding of the contractual relation with The Bank, for this purpose, the latter can perform the following activities (as an example): - performing payment operations, receipts, transfers, foreign exchange, direct debit services, scheduled payment orders, etc. (the recipients of payment data may be recipients of the payment transactions, correspondent banks, interbank trade payment clearing services 1

2 providers ex. TRANSFOND SA, the national payment system offered by BNR-ReGIS, etc..); - transmission of data to Turkyie Garanti Bankasi A.S., a Turkish company, an indirect shareholder of the Bank, which manages its IT system, and to any of its legal successors; - transmission of data to the contractual partners of the Bank (from Romania or abroad) in order to provide outsourced services, made for and on behalf of the Bank for the purpose of concluding and executing the current account contract (ex. sending notifications, archiving, customer service, etc.); - transmission to the payers of money rights (payroll, allowances, pensions, etc.) owed to me (the employer/paying Agency/Pension House, etc.) of the name and surname, the CNP and the IBAN codes of the current accounts opened in my name, in order to be able to pay the respective rights in the current account opened with the Bank. o for the conclusion and execution of the credit agreement, the credit card contract, the overdraft and the guarantee contracts, for this purpose the Bank may perform the following actions (as an example): - automatically assessthe eligibility of the data subject for the granting of the credit and issuing an automated exclusive decision; to the extent that the decision is negative, the credit request shall be rejected. To the extent that the decision is a positive one, the Bank shall continue the analysis of the possibility of granting the credit, the final decision not being based solely on automatic processing. The above mentioned automatic assesment is based on a score calculated at the level of each credit applicant indicating the probability of repayment or nonrepayment of the credit, a score developed based on both the socio-demographic characteristics of the applicant and the behavioral characteristics of the applicant, with the aim of separating applicants with high potential to be good payers, compared to those with inappropriate payment behavior; - analyze the credit repayment capacity; - assessment of the assets brought into the warranty (in which case the recipient of the data is the assesor); - analysis of the documents related to the building propsed as warranty (in which case the recipient of the data is the notary office); - transmission of notifications regarding the modification of the contractual clauses, notifications regarding the delays in the payment of the installments, etc. - transmission of data to Turkyie Garanti Bankasi A.Ş. (and any of its legal successors), a Turkish company, an indirect shareholder of the Bank, which manages its IT system; - transmission of data to the contractual partners of the Bank (from Romania or abroad) in order to provide outsourced services for and on behalf of the Bank (ex. transmission of notifications, archiving, customer service, etc.) - if the loan requested by the client is guaranteed by the National Credit Guarantee Fund for Small and Medium Enterprises - FNGCIMM IFN SA or the Rural Credit Guarantee Fund - FGCR IFN SA, the Bank shall transmit to the latter non-bank financial institutions the necessary data in order to approve and execute the guarantee of the said credit facility. o for the conclusion of the insurance agreement, if the conclusion of the insurance is a condition for the granting of the credit or the credit product has an insurance, situation in which the Bank shall transmit the data to the insurance companies; o for the refinancing of the credit, if the data subject requests this service to another financial institution, the Bank wshall send to the latter the data necessary for the refinancing. (ii) for the Bank's performance of legal obligations, such as: 2

3 o establishing the identity of the data subject in order to fulfill the legal obligations of the Bank in the field of customer knowledge, prevention of money laundering and combating terrorism; o the transmission of information to law enforcement authorities to request and receive such information, for example courts of law, prosecutors' offices, bailiffs, the National Office for the Prevention and Control of Money Laundering (O.N.P.C.S.B.), tax authorities, notaries public, supervision and control authorotoes in the banking field, etc.; o the transmission by the Bank of information about the credit granted to the Credit Risk Center, the database functioning at the National Bank of Romania; o the transmission of mandatory notifications based on legal provisions, for example but not limited to notifications regarding the commencement of the forced execution procedure, the notification on the assignment of receivables; o the transmission by the Bank to another credit institution of the information required to provide the account change service, based on the legislation on the comparability of fees related to payment accounts, the change of payment accounts and access to basic payment accounts, should the holder request the provision of such a service; o the transmission by the Bank to the payment service providers and the providers of information service with regards to accounts, the information required for the provision of such services under the payment service legislation where the holder requests the provision of such services. The Bank shall not be able to refuse the transmission of personal data in such situations; consequently, if the data subject does not agree to the transmission of the data to a particular provider/providers, I understand that the Bank will not initiate information operations on accounts or payment transactions through this/those. o video surveillance of the Bank's premises, representing access areas, both from the outside and from the inside, working areas for working with the public, driving routes and access to the values storage. (iii) in order for the Bank to exercise a legitimate interest, as follows: o the transmission of personal data to entities belonging to the Garanti group (all affiliated entities, as well as all direct and indirect shareholders of GARANTI BANK SA), formed on this date by: Garanti Holding B.V. and G Netherlands B.V. (The Netherlands), Garanti Bilişim Teknolojisi v Ticaret TAS., Turkyie Garanti Bankasi AS (Turkey), Banco Bilbao Vizcaya Argentaria SA (Spain), Ralfi IFN SA, Motoractive IFN SA, Motoractive Multiservices SRL (Romania) for internal administrative urposes (for the legitimate purpose of carrying out consolidated supervision at group level, for example, analyzing the the financial situation of the entities in the group, identifying the risks associated with the group's activity, etc.) o the use of data by the Bank for statistical purposes, subject to their pseudonymization; o transmission of information to debt recovery companies, in order to collect outstanding credit amounts; o reporting and periodic consultation of the data (identification data: name, surname, personal identification number, home/residence and mail address, fixed/mobile phone number, date of birth, country code and passport number/series in the case of nonresidents; employer data: employer's name and address, data on the credit type products requested: type and name of the Participant, type of product, status of the product/account, grant date, grant term, amounts granted, amounts owed, currency, payment frequency, paid amount, monthly rate, outstanding amounts, number of outstanding installments, number of days of delay, delay category, closing date of the product; data relating to events occurring during the course of the credit type product such 3

4 as those refering to restructuring/refinancing, datio in solutum, assignment of the credit agreement, assignment of the claim; data relating to relationships with other accounts: information on credit products to which I am the co-debtor and/or guarantor; insolvency data: information on the targeted persons against whom an insolvency procedure has been opened; number of queries: the number of Credit Reports issued by the Credit Bureau, upon the request of one or more Participants) to the Credit Bureau SA, headquartered in Bucharest, str. Sfanta Vineri, nr. 29, etaj 4, sector 3, a private law entity administering the Credit Bureau System, in which personal data are processed in relation to the lending activity of the Participants (credit institutions, non-banking financial institutions, insurance companies and company for receivables recovery, who have signed a Participation Agreement with the Credit Burreau) for conducting a responsible lending activity, while protecting, facilitating access to credit and preventing excessive indebtedness of data subjects, respecting the legal framework for creditworthiness assessment and reducing credit risk, as well as preventing the use of the financial-banking system for carrying out activities which are against the law; the Bank has the obligation, in accordance with the legal regulations in force, to assess the ability of the data subject to repay the credit before concluding a credit agreement and during the course thereof. For this purpose, the Bank processes the above-mentioned information, registered on your behalf, and transmits it to the Credit Bureau for the purpose of processing and consulting it by any Participant for the purpose of initiating or conducting a lending relationship, as wellas to provide a credit type products. The above-mentioned personal data may be processed by the Credit Bureau, including to calculate, at the Participant's request, the FICO Score from the Credit Bureau. The Bank and the other Participants use the FICO Score from the Credit Bureau to reduce the credit risk associated with a debtor/potential borrower. The FICO Score from the Credit Bureau is a number between 300 and 850 obtained from the statistical process that processes the information recorded by the Participants in the Credit Bureau System and indicates the likelihood that the person concerned will pay his/her interest rates in time in the future. The main causes of the FICO Score from the Credit Bureau are displayed as reason-codes. FICO Score from the Credit Bureau takes into consideration the following elements that give predictability: payment history, current debt, duration of the credit account/accounts (the average number of months starting from the granting of credits), the demand for new credits (the number of queries and credits granted over the past 6 months), credit mix (types of credits granted), age of the target person. The influence of these elements on the FICO Score value of the Credit Bureau may vary depending on the information recorded at the Credit Bureau for each person concerned. FICO Score from the Credit Bureau is a highly predictive analytical tool that, along with the Credit Report data and the information obtained from Participants from other sources, competes the correct assessment of the creditworthiness of the person concerned in order to conclude/carry out the credit contract. o The registration with the Electronic Archive for Security Interests in Movable Property (A.E.G.R.M.) of the securities drawn in favour of the Bank in order to guarantee the credit to carry out the formalities for their advertising and to ensure the Bank s priority upon the execution; o the transmission of data to the assignor of the receivables, in case the Bank will assign the claims related to the credit agreement/agreements to which the person concerned is/was a party; o the transmission of the data to the bailiffs in order to execute the guarantees and the recovery of the debts related to the credit agreement; 4

5 o the video surveillance of the bank machines in order to prevent fraud and in order to solve potential complaints. (iv) the processing of personal data based on the consent of the person concerned: o in order to consult the information registered with the Biroul de Credit SA in the name of the data subject, such as the information about credit products, similar or insurance products, or other commitments from which benefits or has benefited, such as credit limit type, credit duration, payment history, current balance, due value and any information related thereto for the purpose of assessing the solvency, for the mitigation of the credit risk and and determine the level of indebtedness o in order to check the information registered in the database of the National Agency for Tax Administration (ANAF) regarding the quality of the person targeted by the taxpayer and the level of his/her income, for the purpose of evaluating the eligibility for granting the requested loan (Interaction and Information Processing Agreement) the Bank may request on behalf of the taxpayer the tax information on th eapplicant for the period of the last 2 completed fiscal years, including the information related to the period between the last fiscal year ended and the date of their request. o for checking purposes, in order to initiate the credit relationship, the bank risc information, depending on the type of the overall risk situation and the situation of the outstanding loans recorded with the Credit Risk Center, the structure operating at the National Bank of Romania, in relation to the person concerned o for advertising, marketing and publicity purposes, for profiling and for addressing personalized offers (according to the options of the concerned person) The processing of personal data required by Garanti Bank SA in order to initiate a business relationship/through other forms/channels is mandatory, except, usually, where the processing of the data is based on the consent of the person concerned (for example: for marketing purposes or in taking automated decisions making that produces significant legal effects or significant similar effects and which produce significant legal effects or similar effects and which are not necessary for the performance of an angreement or the fulfillment of a legal obligation). In other cases, the refusal of the person concerned will cause Garanti Bank SA to be unable to provide services or financialbanking products. Transfer of the personal data abroad In fulfilling the above purposes, Garanti Bank SA will transfer the personal data abroad only if an adequate level of personal data protection recognized by a European Commission decision such as the countries of the European Economic Area (EEA) is ensured in the recipient country). In the absence of such a decision of the European Commission, the Bank may transfer personal data to a third country only if the person processing the data on behalf of the Bank provided adequate safeguards stipulated by the law in order to protect the personal data. The Bank may be contacted to obtain additional information on the guarantees offered for the protection of the personal data in case of any transfer of data to foreigners through a written request to do so. The period of personal data storage The Bank will store personal data for periods of up to 10 years from the termination of the contractual relationship/transaction/data provision (depending on the quality of the person concerned, the products and services he/she benefits from, the relationship with the bank, etc.) taking 5

6 into account: the banking legislation provisions on customer knowledge, the prevention of money laundering and terrorism financing, the provisions of the Accounting Law, the need to defend/preserve the rights of the Bank in an alleged litigation, the provisions of the legislation regarding the guarding of the objectives, goods, values and protection of the persons, the legitimate interest of the Bank to perform video surveillance of bank machines in order to prevent fraud and to settle any possible complaints. For the purpose of archiving the data under the National Archives Act and taking into account the Archival Nomenclature (approved by the National Archives) applicable at Bank level and for data processing by the Bank for statistical purposes, the data may be stored for periods longer than those indicated above. As far as the processing for marketing purposes is concerned, it will cease upon the withdrawal of the consent granted to the Bank in this respect, regardless of whether the above mentioned storage periods have been fulfilled or not. Rights of the person concerned The person concerned has the possibility to exercise, under the conditions and in the cases provided by the law, the following rights regarding the personal data processed by the Bank: the right to access the collected personal data - the right to obtain from the Bank a confirmation as to whether it processes or not the personal data and, if so, to ensure the access to the data; For this purpose, the Bank will provide a copy of the personal data which are subject to processing; the right to oppose - for serious and legitimate reasons related to my particular situation, the right to oppose at any time the processing of my personal data by the Bank; The Bank will no longer process the personal data unless it demonstrates that it has legitimate and compelling reasons that justify such processing and which prevail over the interests, rights and freedom of the concerned person, or that the purpose of the processing is to establish, exercise or defend a right in court. the right to data portability - the right to receive the personal data I have provided to the Bank and to transmit it to another operator; this right may be exercised only when: (i) the processing of personal data is based on the consent granted for the or it is based on the execution of an agreement (ii) the processing is done by automatic means; the right to withdraw consent to data processing - this right may be exercised at any time, without costs, only when the processing of personal data is made based on the consent granted for the processing of the data; the withdrawal of consent does not affect the lawfulness of the processing performed up to that point; the right to rectify the data: the right to request and obtain the rectification of inaccurate personal data and/or to obtain the completion of incomplete personal data, including by providing a supplementary statement; the right to delete data ( the right to be forgotten ) - this right can be exercised in the following cases: (i) personal data are no longer required to meet the purposes for which they were collected or processed; (ii) I withdraw my consent based on which the processing takes place and there is no other legal basis for the processing; (iii) exercise my right to oppose with regards to the processing of personal data and there are no legitimate reasons to prevail regarding the processing; 6

7 (iv) (v) (vi) I exercise my right of opposition with regards to the processing of personal data that is aimed at direct marketing; personal data has been processed illegally; the personal data must be deleted for the compliance with a legal obligation of the Bank. There may be situations where the Bank will not be able to meet the data deletion request, namely: (i) in cases where the Bank has a legal obligation to store the personal data; (ii) in cases where data is stored for purposes of archiving for the public interest or for statistical purposes; (iii) in cases where the data are necessary for the establishment, exercise or defense of a right in court. the right to restrict data processing - this right may be exercised under the following conditions: (i) in the situation where the person concerned challenges the accuracy of the processed data; the restraint will operate for a period that will allow the Bank to verify the accuracy of the data; (ii) if the processing is illegal and the person concerned will object to the deletion of the personal data, requesting instead the restriction of their use; (iii) The Bank no longer requires the personal data for processing purposses, but the person concerned will request such date in order establish, execute and defend a right in court, (iv) in the situation where the person concerned will exercise his/her right of opposition with regard to data processing, except when the processing is done for direct marketing purposes; the restraint will operate/will apply only for the period of time needed to verify that the legitimate rights of the Bank prevail over the rights of the person concerned; the right to obtain human intervention from the Bank, to express his/her views and to challenge the decision made by the Bank exclussively automatically on the eligibility of the person concerned for the granting of the loan The above-mentioned rights may be exercised by sending a request to GARANTI BANK SA, to its headquarters, to any of the branches of the Bank, as well as by electronic means, to e- mail dpo@garantibank.ro, providing sufficient data in order to allow the Bank to identify the applicant. the right to file a complaint with the supervisory authority for the processing of personal data - this right may be exercised if the person concerned considers that the processing of personal data violates the legal provisions in the field of data protection, without prejudice to any other administrative or judicial means of appeal; the complaint may be filed with the supervisory authority of the Member State of the European Union in which the person concerned has his usual residence or where his place of work is or where the alleged infringement has occurred. In Romania, the complaint is filed with the National Supervisory Authority for Personal Data Processing (A.N.S.P.D.C.P.), headquartered in G- ral. Gheorghe Magheru 28-30, Sector 1, postal code , Bucharest, in the form of a written letter, sent to the headquarters of the institution or electronically, on the address anspdcp@dataprotection.ro. The contact details of the Data Protection Officer are: 7

8 address: post address: Bucharest, Sos. Fabrica de Glucoza nr. 5, Novo Park 3, Business Center, Cladirea F, et.5 si 6, sector 2 8