Credit Europe Bank Privacy Policy, May 2018 version

Credit Europe Bank Privacy Policy

• Who we are

  Credit Europe Bank (Romania) S.A. is a credit institution part of the Dutch financial group Credit Europe Bank NV, organized as a joint stock company, having a registered capital of 557,609,960.60 lei, registered at the Trade Register attached to the Bucharest Court of law under the number J40 / 18074/1993, identified by the Unique Registration Code 4315966, registered in the Bank Register under no. RB-PJR-40-018 / 1999, headquartered at26Z Timisoara Boulevard, Anchor Plaza building, district 6, postal code 061331, Bucharest, Romania.

• Who do we address through this Policy?

  We aim to inform you about data processing that we carry out when you visit the CEB website, when entering into a dialogue with us to purchase banking products or services, when you are already our customer or have or wish a different kind of collaboration with us.

  If you want to know how we process your Data when you visit our website by using cookies, see the Cookie Usage Policy section.

  If you are a CEB employee or you are in a recruitment process with us, please refer to the Career section.

  If you benefit of a product or service offered by CEB, you are a guarantor of a CEB customer, our contractual partner, or come into contact with us as an employee or representative of a CEB partner, we can process your Data according to the purposes and reasons reflected in the sections below.

  We may process your Data even if you do not have a connection with CEB. For example, surveillance cameras may capture your image when you visit our units. Or some authorities (courts, notaries, tax authorities, criminal investigation bodies, etc.) may send requests and documents to CEB which contain your identification data.

• What DATA we process

  We wish to offer you the right products and services, to communicate quickly and efficiently, to meet your needs. We must also provide you with the convenience of transaction security. For all of these we are bound by law or we need to receive and use your data, such as:

  Identification data and contact details:

  • surname, forename, personal identification code, image and other data contained by identity documents, citizenship, home / correspondence postal addresses, contact details for remote means of communication, IP address (internet protocol) of an electronic device, handwritten signature, electronic signature, unique identification codes (e.g., customer code, user), authentication codes (including in the context of electronic payments);

  Financial data and information:

  • profession, workplace, family situation (to determine the codebtors or the dependents for credit risk assessment purposes), types of income and expenses, criminal or fiscal records (for example, in the context of credit relations, litigation), credit or insurance history information, any other information made available by entities such as the Biroul de Credite SA (Credit Bureau) or the Credit Risk Centre;

  Data and information required for the purpose of providing services by electronic means or by telephone or for the purpose of securing the fraud prevention and security requirements:

  • information regarding the location of transactions through electronic or remote payment instruments, the voice, image and information contained by audio or video recordings of remote communications, as well as by records of video surveillance equipment used in Bank's locations or ATMs (for security and fraud prevention reasons),
  • public office or political exposure, information related to fraudulent / potentialy fraudulent activity of the data subjects (for processing in accordance with the law requirements for fraud prevention, money laundering and terrorism financing through the banking system),
  • information on the inaccuracies found in the documents / statements submitted to the Bank, obtained based on forms, statements and documents of any kind deposited with the Bank or obtained by it from any sources permitted by contract or under the law;

  Other personal data and information:

  • data derived from operations of combining, organizing or extracting the above data,
  • any other data that customers provide to the Bank or which it acquires and processes in accordance with applicable law or customer relationship agreements;

  Special data:

  Commonly, we do not require and do not process sensitive data. However, there may be situations in which we process data on health, for example to provide certain facilities (credit restructuring) or to benefit from an insurance policy through CEB. Or you may include certain details on sensitive data in your payment instructions or communicate with us in the context of other services. We take care to observe our legal or contractual obligations in relation to the processing of such Data.

• Why we process data

  The financial-banking activity is especially regulated by law in most of its aspects, from customer identification, confidentiality of the relationship, prudence and diligence in the provision of services to security measures and even the way we select and work with the contractual partners. We conclude specific contracts with you and we assume obligations regarding the offered products and services. In addition to the law and the contract and always in compliance with them, we also rely on the legitimate interest when we process Data for certain purposes.

  In performing the contracts concluded with you and / or your organization, we process DATA for purposes such as:

  • assessment of eligibility to provide banking products and services;
  • performance of any contractual relationships (with our customers, collaborators, partners or employees);
  • safe and secure performance of banking transactions through any means of instruction: at the counter, internet, card, POS, etc.;
  • monitoring all obligations undertaken towards the Bank or affiliated entities;
  • debit collection / debt recovery (as well as precursor activities);
  • conclusion and / or performance of insurance and reinsurance contracts;
  • establishing, exercising or defending certain rights in court or before other authorities;
  • handling requests / objections / complaints / petitions / investigations in connection with the Bank's activity and its services or products;
  • performing and processing payment transactions through the SWIFT system, WESTERN UNION or online card payment service facilitators, if applicable;
  • the necessary exchange of information for the issuance and use of cards issued by the Visa and MasterCard contractual partners.

  In order to comply with legal obligations, we need to process Data for purposes such as:

  • Identification of and knowledge of clients, prevention of money laundering and counter financing of terrorism, prevention of fraud and guaranteeing banking secrecy;
  • Ensuring the legal rights of the customer in relation to the Bank regarding the information, the services rendered and the data processing carried out by the latter;
  • Compliance with tax obligations, including withholding taxes and duties;
  • Provision of reports and information at the request of the authorities (e.g., courts, investigation bodies, enforcement bodies, notaries, tax authorities);
  • Enforcement of court decisions  and other orders of the authorities (e.g. blocking of accounts by attachment, setting up precautionary measures);
  • Management of audits (including statutory), reporting, as well as controls and investigations by local, European authorities or the parent company;
  • Ensuring security at the premises of the Bank, its territorial units and ATMs;
  • Credit risk management and risk management by creating risk profiles;
  • Client portfolio management and financial administrative management;
  • Keeping / depositing / storing and archiving documents;
  • Implementation of data security measures and managing business continuity in the event of unforseen situations, including by creation of back-up copies;
  • Implementation of means to allow any person to report any inconsistencies in relation to banking services offered by the Bank;
  • Evaluating and managing, at a consolidated financial group level, the risks specific to the activity performed;
  • Fulfilment of information reporting and / or analysis requirements in accordance with international conventions to which Romania is a party, such as the FATCA (Foreign AccountTax Compliance Act,respectively a tax regulation on American tax payers) and CRS(Common Reporting Standard, respectively a tax regulation applicable to residents of the European Union), as well as the fulfilment of the obligations to report and analyse the information recorded in the credit risk centre.

  In pursuing the legitimate interests that CEB has in relation to the good management of its business, we process DATA for purposes such as:

  • Improving the quality of services provided by streamlining workflows, cost optimization, employee training, etc.;
  • Design, development, testing and use of computer systems and services (including database storage / archiving, inland or abroad);
  • Diversifying products and services and adapting them to customer needs, business management, including through mergers, acquisitions, portfolio or business parts transfers, or other similar transactions;
  • Maintaining the reputation, integrity and security of the business;
  • Simple marketing and surveys on the services provided by the Bank and its activity;
  • Identifying the assets and updated contact details of clients and partners for the purpose of exercising the Bank's rights on recovery of debt;
  • Fulfilling the obligations assumed by the Bank by adhering to the system rules of card service providers, clearing-settlement institutions, international practices and customs;
  • Transmitting and receiving, in relationto credit bureau type entities, credit risk information recorded under customers’ names (e.g.: the credit risk situation and outstanding credit status as well as information on credit products or other commitments of the customer) in order to initiate or carry out credit relations with clients;
  • Recruitment and human resources with regard to CEB candidates and employees, awarding benefits.

  Certain Data processing is only performed if you have given us permission to do so. We request your consent to process your Data for purposes such as:

  • direct transmission of advertisement messages (direct marketing) in order to promote the products and services we consider to be most suitable for you or to promote the services of other entities within the CEB Group or contractual partners;
  • analysis of the transaction history, its characteristics, the location of transaction initiation, in order to personalize dedicated offers and exclusive to the client category you are part of;
  • analysis of your behaviour when visiting the CEB website by using cookies (you can consult our cookie policy information on our website www.crediteurope.ro).

  If we have requested and you have expressed your consent either at the beginning of our relationship or later, for certain data processing, you may change your mind at any time and please let us know in any CEB branch or by accessing the contact form. When we request your consent, we also provide details on the purpose of the Data Processing and indicate the simple and practical way in which you can withdraw at any time the given agreement. Withdrawal of consent will not affect the legality of data processing carried out prior to withdrawal.

  Over time, other legal obligations may lie on the Bank, or we may identify the opportunity of pursuing other legitimate interests. We will provide updated information on the categories of Data processed the purposes and the grounds of the processing, the categories of the Data recipients. We are therefore constantly reviewing our privacy policy which you can find published on this page and available at the Bank's premises or which we may otherwise provide on request.

• Do we automatically process the DATA

  We have strict legal obligations in relation to the prevention of money laundering, fraud and terrorism financing. With regard to the tremendous volume of daily transactions, we may perform automated processing to verify suspicious transactions or to identify transactions that may be subject to international sanctions. In order to streamline the process of analysing your requests, we may perform data processing and issue automated decisions in connection with the analysis of a credit request or investment product application. These decisions may also imply the creation of profiles that take into account, inter alia, creditworthiness, credit risk, indebtedness or, in some cases, experience with those products.

• Whom do we share the DATA with?

  In order to be able to provide our products and services at the best standards, in order to be able to conduct our business, in the pursuit of our legitimate interests or because we are bound by law, we need to disclose or transmit Data to certain individuals or entities, legal representatives (e.g.custodian, curator), empowered personsor guarantors of the client or the data subject;

  • corresponding financial institutions, clearing / settlement entities or entities involved in executing or facilitating fund transfer services (such as SWIFT, Western Union, VISA, Mastercard card issuers, banks of merchants which customers paid by card etc.);
  • insurance and reinsurance institutions;
  • entities in the Fiba or Credit Europe group (for purposes of organizing consolidated supervision, abatement of money laundering and terrorist financing, centralizing technical data processing);
  • consultants (legal, tax, etc.), bailiffs, auditors, notaries, experts, translators;
  • contract partners and service providers such as: printing extracts and notifications, courier, IT and telecommunication services, card suppliers, archiving, document disposal, debit collection agencies etc.;
  • professional associations, local surveillance authorities or pertaining to parent banks in the Netherlands, consumer protection authorities, credit bureaus entities such as the Credit Bureau, Credit Risk Centre etc.;
  • law courts and other entities authorized by law to receive bank information (enforcement bodies, tax authorities, payment incident or deposit guarantee fund entities);
  • the National Tax Administration Agency for the purpose of transmitting information under the law to the US or European tax authorities in accordance with the FATCA and CRS rules.

  In some cases the data recipients are legally required to keep professional secrecy (authorities, lawyers, experts, other financial institutions, etc.). In the other cases, we will require contractual confidentiality, including by taking appropriate technical and organizational measures to ensure data security. The Bank will not be able to make disclosure of the Data contingent upon such measures and upon undertaking a confidentiality obligation when the Data are disclosed based on a legal obligation or in defence of a legitimate interest.

• How long do we keep the DATA

  We need to process the Data for as long as it is necessary to provide you with the products and services you benefit of and to achieve the stated goals. Subsequent to such circumstances, we must continue processing the Data to comply with legal obligations, including archiving purposes. The legal deadlines for archiving differ depending on the type of data. In general, transaction data must be kept for 5 years as of the end of the customer relationship. However, the data may be kept for a longer period at the request of the authorities or for the protection of legitimate interests.

  It is possible that after the fulfilment of the legal archiving deadlines, the Bank will dispose anonymization of the Data, thus depriving it of its personal character and continue the processing of anonymous data for statistical purposes.

• Implications of refusal to provide DATA

  You may choose not to provide Data to CEB, however, this option may result in non- compliance with our contractual or legal obligations, it may limit the services that we are able to offer you. It may prevent us from continuing to provide or renew existing products and services.

  In the event that you disagree with the processing of the Data for marketing purposes or for any other purpose for which we have expressly requested your consent, and in case you withdraw the given agreement, your contractual relationship with the Bank will not be altered.

• Data processing outside the European Economic Area (EEA)

  Currently, in order to fulfil the purposes that we have set out in this policy, it is possible the Bank may transfer certain categories of Data outside Romania to EEA countries: the Netherlands, Malta (in the context in which group entities have headquarters in these states), Switzerland (in the case of SWIFT use) or outside the EEA, to the United States of America (in the case of SWIFT and FATCA reporting), Turkey, Dubai (in the context in which group entities have headquarters in these states), as well as for CRS reporting or for settlement of transactions made with MasterCard or Visa. EEA states are all considered by the Regulation to provide an equivalent level of data protection. When transferring Data outside the EEA, we will ensure the safeguards provided by the Regulation (standard contractual clauses adopted by the European Commission or other safeguards recognized by law).

  States to which data is transferred may change over time. Please visit our site periodically to consult our updated Privacy Policy.

• What can you do to help us keep the DATA safe

  We strive constantly to maintain Data Security. However, your vigilance also helps us. We recommend setting strong passwords and please do not disclose them to anyone. Do not leave bank application connectivity devices unattended. Immediately report any suspicious activity on your accounts. For details on data security, please visit the Data Security section of our website.

• Rights of the DATA SUBJECT

  As regards the exclusive processing of your Data, you have certain rights that you may exercise on request and free of charge, within the limits and to the extent that you meet the legal requirements as follows:

  The right to data access - you may check the processing of your Data conducted by the Bank, as well as processing details;

  The right to rectification - you may request correction of inaccurate Data or completion of incomplete Data;

  The right to data deletion ("the right to be forgotten") - which you may exercise to the extent that the conditions provided by the law are met (for example, if the data are no longer necessary for the purpose of processing or have been illegally processed);

  The right to restriction of processing - you may request limiting the processing of the Data, for example in case of challenging the lawfulness of the processing;

  The right to data portability - you may request that Data processed by automated means, on the basis of consent or under a contract, be forwarded to you or to another data controller if this is technically feasible;

  The right to object - you may oppose the processing of your Data at any time, for good and legitimate reasons relating to your particular circumstances, including by creation of profiles; furthermore, you may object at any time, free of charge and without any justification, that the Data be processed for marketing purposes;

  The right not to be subjected to an individual decision - you may request and obtain the withdrawal, cancellation, or reassessment of any decision based solely on automated processing (including profile creation) that produces legal effects with respect to you or will similareffect to a significant extent;

  The right to lodge a complaintwith an authorityor to address the court - you have the right to submita complaint to the National Supervisory Authority for Personal Data Processing,respectively to address the courts for the defence of any rights guaranteed by applicable law in the field of personal data protection that have been violated to the extent you consider it necessary.

• How to contact us. Data protection officer

  You may exercise any legal rights in relation to the processing of the Data by a written, dated and signed handwritten application to any of our territorial units whose addresses you can find on the CEB website here or electronically by e-mail, scanned at office@crediteurope.ro. You can also contact the CEB Data Protection Officer by e-mail at dpo@crediteurope.ro or by letter to: CREDIT EUROPE BANK (ROMANIA) S.A., 26Z Timişoara Blvd., Anchor Plaza Building, district 6, Bucharest.

  Insofar as you have suggestions regarding the present Privacy Policy, we encourage you to forward them to the e-mail address: dpo@crediteurope.ro.

• Changes to this Policy

  We will periodically review and update this Privacy Policy whenever necessary. An updated policy will be made available to you on this web site as well as in our branches and agencies. Update of our policy can also be announced via SMS, ATM, e-mail, or when you connect online to our applications.