* Current account exchange ratesFind out more
|EURIBOR 12 LUNI
|EURIBOR 6 LUNI
|ROBOR 3 LUNI
|ROBOR 6 LUNI
Information notice regarding the processing of personal data that are performed in the context of SARS-Cov2Find out more
We know that you are concerned about how information about your person is used.
The information herein presents you our approach, that of Credit Europe Bank (Romania) SA (hereinafter "CEB" or "Bank") regarding the privacy and management of personal data ("Data").
Starting with May 25, 2018, the most recent European regulation on the protection of personal data, the General Regulation on Data Protection no. 679/2016 (the "Regulation") entered into force. We reassure you of the importance we give to Data and compliance with their security obligations, and we would like to inform you of your rights under the new Regulation.
Processing and protection of personal data
Who are we?
Credit Europe Bank (Romania) SA is a credit institution, part of the Dutch financial group Credit Europe Bank NV, organized in the form of a joint stock company, with a registered capital of 557,609,960.60 lei, registered at the Trade Register attached to the Bucharest Court of Law under number J40/ 18074/1993, identified by the Unique Registration Code 4315966, registered in the bank register under no. RB-PJR-40-018 / 1999, based in Timișoara Boulevard no. 26Z, Anchor Plaza Building, sector 6, code 061331, Bucharest, Romania. We own the following sites: www.crediteurope.ro, www.cardavantaj.ro, www.optimocard.ro.
To WHOM is this Policy addressed?
Mainly, we process personal data for the provision of services and the supply of financial-banking products, conducting a prudent and healthy banking activity, in a highly professional manner, in this respect observing the regulations, the commitments to which the Bank is a party or which they are applicable, as well as the codes of conduct, users and industry standards, in accordance with the requirements of the General Data Protection Regulation no. 679/2016, as well as the other applicable regulations regarding data processing and protection.
The specific terms of the organization, functioning, activity of a credit institution, as well as of the financial-banking products and services and whose meaning is not defined in the General Business Conditions or does not result from this document will have the meaning assigned to them according to the applicable regulations and / or users banking. In this regard, at the express request of the client, if necessary, the Bank will provide additional details or explanations.
The personal data that are processed by the Bank belong to the data subjects, such as: the client the natural person, the registered sole trader or the natural person who carries out activities individually or independently in any of the forms provided by law, the natural persons related to the client the legal person (such as associates, shareholders, directors, administrators, delegates, employees and any other natural persons who in any way represent the client in relation to the Bank, including the natural persons holding such capacities for the administrator, the legal administrator, the liquidator or the legal person representatives of the client), the legal representatives, conventions or powers of the client, the real beneficiaries, co-debtors, guarantees, additional users, the contact persons, as well as the family members of some data subjects (such as the client as natural person), the natural persons whose data are provided in documents made available by or for any clients, other persons who use or benefit in any way from the services of the Bank, the beneficiary of a payment operation, the beneficiary of an insurance, persons subject to the procedure of garnishment, the visitors of a site belonging to the Bank or the visitors of the physical locations of the Bank. These personal data are included in the documents and / or information obtained / received by the Bank, directly from the client or from any other natural or legal persons in compliance with the law, in order to initiate business relations with the client, whether a transaction / relationship negotiated or discussed with the client or for it is completed or not, and subsequently during the course of business relations with the Bank.
At the same time, the capacity of data subject belongs to natural persons who interact or communicate with the Bank in their capacity as representatives (in the broad sense), employees, delegates, and consultants of the Bank's partners. Their personal data are provided or obtained by the Bank on the occasion of the negotiation, conclusion and subsequent development of business relations with these partners, including, without limitation, service providers, consultants, experts, partners in some business projects, municipalities, beneficiaries of sponsorships, etc.
In certain situations, for the purpose of initiating and carrying out various business relationships with the client, the Bank may process personal data belonging to certain categories of data subjects (for example, real beneficiaries, delegates, spouses, persons whose incomes are analyzed to be taken into consideration when granting products / services by the Bank, the recipients of payments ordered by clients, clients of the Bank`s clients, including assessed debtors or debtors of mortgaged receivables) without benefiting from the practical way of directly ensuring the information of these categories of persons or even without being able to ensure full confidentiality of customer relationship. In this regard, it is the responsibility of the client to ensure that he/ she has properly informed the data subject about the processing of his data according to this document or by consulting the Bank's confidentiality policy, as well as obtaining his/ her express agreement, to the extent which this consent is requested by the Bank as necessary according to the applicable legal provisions
It is also possible to process your Data even if you do not have a connection with CEB. For example, surveillance cameras may catch you on camera when you visit our premises. Details can be found in the sections below. Or some authorities (courts, notaries, tax authorities, criminal investigation bodies, etc.) may send CEB requests and documents containing your identification data (such as unavailability or enforcement measures, requests to provide information, etc.).
We intend to inform you through this document about the processing of Data, which we do if you visit CEB sites or offices, enter into dialogue with us in order to purchase banking products or services, you are already our client either you have a relevant relationship in relation to the products or services offered by the Bank to a client or potential client (co-payer, guarantor, representative, etc.) or you have or want another kind of collaboration with us, directly or for someone else. In the same conditions, we will carry out the processing of personal data, as a person authorized on the basis of mandate relationships or services, and on the data of the data subjects who have a legal relationship with another entity from the Credit Europe group and which processes data as an operator.
If you would like to find out how we process your Data when you visit our sites using cookies, see our section Cookies policy.
If you are in a recruitment process with us, please see the section Careers.
Whenever you visit the Bank's units or use its ATMs, please also consult the additional information made available locally regarding data processing through the video monitoring system.
Also, at the time of data collection, if and to the extent necessary in addition to the provisions of this policy, the Bank will inform the client to what extent the data thus collected are necessary to provide a product or service or to comply with a legal obligation or contractual, as well as regarding the possible consequences of non-compliance with this obligation.
What data do we process?
We process personal data as an operator, directly, but also through authorized persons, such as subcontractors of various services. Also, the Bank may process data together with other personal data operators who have the status of associated operators, for example, in the case of co-branded cards or insurance products or with other contractual partners who hold the status of independent operator, such as other financial institutions involved in the execution / settlement of the operations instructed by the client or in the performance of other services.
- Identification and contact details, necessary for the purpose of identifying and communicating in order to initiate, negotiate and develop the contractual relations until all their effects are extinguished, including for the collection of debts:
- name, first name, nickname, personal number code, serial and identity document number, passport number, driving license, social insurance or health number; the image and the other data contained in the identity documents, citizenship, home address, residence and correspondence, telephone number and other contact data for distance communication means, IP address (internet protocol) of an electronic device, the holographic signature, the electronic signature, unique identification codes in relation with the Bank (for example: client code, user, passwords declared for identification in case of telephone contact), the current account number (IBAN), authentication codes (including in the context of payments by electronic means);
- Financial data and information, necessary mainly for the purpose of evaluating the granting of credit products and the development of the credit relationship:
- profession, job, held position, professional qualifications, family situation (to determine debtors or dependents for the purpose of credit risk assessment), types and levels of income and expenses, criminal record or tax information (for example, in the context of credit relationships, litigation), solvency, information related to credit history, utilities / telephony or insurance, any other information made available by entities such as the Credit Bureau SA or the Credit Risk Center, the National Agency of Fiscal Administration, data made available by public registers such as the National Trade Register Office, the Land Book Office, the National Movables Publicity Register or publicly available data in mass media, the Internet or on professional or social networks ;
- Data and information required for the purpose of providing the services by electronic means, online or by telephone or in order to ensure the security and fraud prevention requirements:
- information related to the location of transactions through electronic payment instruments or with remote access, voice, image and information contained in audio or video recordings of communications by distance means (to improve the quality of services and to provide proof of requests / agreements / the options thus expressed by or for the client) as well as in the recordings related to the video surveillance means used at the Bank's premises or at the ATMs (for security reasons and fraud prevention),
- held public office or public exposure or policy, relationship with entities in the Bank's group, information regarding the fraudulent / potentially fraudulent activity of the data subjects (for processing in accordance with the law requirements for fraud prevention, money laundering and terrorist financing through the banking system),
- information related to the inadvertencies found in the documents / statements presented to the Bank, obtained on the basis of the forms, declarations and documents of any kind submitted to the Bank or obtained by it from any sources allowed contractually or under the law;
- Other personal data and information:
- data obtained through operations of combining, segmenting, organizing or extracting the above data,
- any other categories of data that the client provides to the Bank or that it acquires and processes in compliance with the law or the applicable contracts for the relationship with the client;
- Special data:
The Bank does not process special categories of data in the normal course of its dealings with the Customer or the other data subject. However, the Bank may process, in compliance with the obligations and legal and contractual guarantees of the Bank, data on the health status in the context of the services offered regarding insurance policies related to the services and products contracted by the Bank or offered by the Bank as an affiliated agent - secondary intermediary for insurance products or in the context of providing facilities at the client's request (for example, credit restructuring, payment commitments). The Bank may also process special data insofar as it is included by the Data Subject in the details provided to the Bank upon the provision of services by the Bank (for example, explicit details contained in Customer's Payment Instructions).
In order to fulfill the purposes mentioned in this section, the Bank processes personal data that it obtains directly from the data subject or indirectly from other persons with whom the Bank interacts directly regarding the data subject, depending on the concrete relationship between them, as shown by the above explanations. Also, including on the basis of the processing of the data thus obtained, the Bank may generate (for example, codes or customer identifiers) or deduce (for example, the degree of solvency) itself new personal data or it may obtain / receive it from external sources, such as:
- institutions, public authorities or other entities that manage publicly available or restricted access databases, in particular: the National Agency for Fiscal Administration - ANAF, the National Credit Guarantee Fund for Small and Medium Enterprises - FNGCIMM relevant entity for example in the case of First House type loans, the Credit Risk Center - CRC or the Payment Incident Center - CIP organized by the National Bank of Romania, the trade register, the portal of the courts, the Credit Bureau, the national notarial registers, official databases with persons subject to international sanctions in the matter of preventing and combating money laundering and terrorist financing, etc.;
- entities involved in the execution of payment operations or in the operation of payment instruments, such as: international card organizations (Mastercard, Visa), economic operators that accept payment by cards or other remote payment instruments, banks and other payment institutions involved in payment schemes, Transfond, SENT, Regis, Central Depository, SWIFT etc.;
- business partners, such as collaborators or service providers for the Bank, as well as entities to which the Bank provides payment services, securities issuers, insurance companies, random other legal person from which the Bank may acquire receivable rights in relation to the clients etc;
- online platforms accessible to the public, including social and professional networks, Internet networks;
- other entities from the Credit Europe Group;
- employers of the data subjects, partners or counterparties of the client, who make payments of salaries or other income to customer or request payment from the client's accounts under automatic debit arrangements (direct debit).
WHY do we process data?
The processing carried out by the Bank for the purposes detailed below is primarily required for the Bank's compliance with its statutory obligations or the execution/ preparation of a contract which the Data Subject is/ will be a party to. At the same time, however, the Bank has a legitimate interest in ensuring the best quality standards, prudence and professional diligence, in order to be able to fully carry out the activities that are allowed by law, to develop and carry out business strategies, so as to constantly meet the expectations and needs of its clients and to adapt to the demands, trends and evolution of the market not always preceded by express legal regulations, in order to maintain their competitiveness in the market. The bank needs to process personal data based on its legitimate interest, the related data processing cannot always be limited in texts expressed by law or in contractual clauses.
Therefore, with regard to a certain purpose, depending on its broader or narrower formulation and interpretation, the processing grounds for the various actual activities it implies may be cumulated. Before any processing, however, the Bank analyzes its soundness in accordance with the principles of the General Data Protection Regulation (GDPR), always ensuring the existence of the legal basis and compliance with the conditions imposed by the regulations in force for the legality and security of the processing of personal data.
The Bank processes the data and information of the data subjects, necessary in the execution of contracts concluded with the data subject and for the purpose of providing to the customer the products and services, carrying out in this respect processing mainly for the purpose of:
- assessment of eligibility for the provision of standard or customized banking products and services (including in the approval / granting stage) or for accepting requests for restructuring, rescheduling, etc.;
- the carrying out of any legal relations between the Bank and the data subject which derives from the current account relationship or from another special contract concluded between the Bank and the data subject, in order to provide the financial - banking services;
- managing the relationship with the data subject, including any subsequent changes regarding the characteristics, terms and conditions of the product or service;
- execution in good and safe conditions of banking transactions, by any means of instruction: at the counter, Internet, card, POS, etc.;
- monitoring of all the obligations assumed by the data subject towards the Bank or other entities from its group;
- debt collection / receivable recovery (as well as their pre-payment activities);
- conclusion and / or execution of insurance and reinsurance contracts (including for the situation in which the data subject, as an insured, benefits from insurance in case of producing the insured risk);
- finding, exercising or defending some rights of the Bank in court or in relation to other authorities;
- management of requests / complaints / claims / petitions / investigations regarding the Bank's activity and its services or products;
- performing and processing the payment operations through the SWIFT, WESTERN UNION system or facilitators of online card payment services, if applicable;
- necessary exchange of information in order to issue and use by the client the cards issued through the contractual partners Visa and MasterCard;
- communication with the data subject for the fulfillment of any of the above purposes, by using any contact details.
The Bank processes personal data necessary to comply with legal obligations in its charge, carrying out in this respect processing mainly with the purpose of:
- identification and knowledge of the clients, prevention of money laundering and combating terrorist financing, fraud prevention and guarantee of bank secrecy, including by collecting in the computer system of records the data contained in the client's identity documents;
- guaranteeing the legal rights of the client / data subject in relation with the Bank, regarding the information, the services provided and the data processing performed by it or in connection with the provision of services through third party payment service providers;
- fulfillment of the obligations in fiscal matter, including regarding fees and withholding tax;
- providing reports and information at the request of the authorities (for example, courts, research bodies, enforcement bodies, public notaries, tax authorities);
- implementation of judgments and other orders of the authorities (for example, blocking of accounts through seizure, the imposition of insurance measures);
- managing conflicts of interests;
- management of audits, controls and investigations by the local, European or parent supervisory authorities (for example, the National Bank of Romania, the Central Bank of the Netherlands, the competent tax authorities, the consumer protection authority, the supervisory authority competition, supervising the processing of personal data);
- management of statutory, internal and external audits;
- ensuring the security (in the Bank's premises, its territorial units, ATMs);
- credit risk management and risk management by creating risk profiles;
- client portfolio management and financial administrative management;
- meeting the prudential reporting requirements at the group level and the transaction reporting requirements in relation to the supervisory or fiscal authorities;
- keeping / storing / preserving and archiving documents;
- implementation of security measures of personal data and management of the continuity of the activity in case of occurrence of unforeseen situations, including by making backups;
- implementation of means that allow any person to signal the inconsistencies detected in connection with the banking services offered by the Bank;
- assessment and management at a consolidated level, of a financial group, of the risks specific to the activity carried out, in accordance with the European and international regulations, regarding the minimum capital requirements, the supervision of the capital adequacy and the market discipline of the banking institutions;
- fulfilling the reporting obligations and / or analyzing the information in accordance with the international conventions to which Romania is a party, such as FATCA and CRS, as well as fulfilling the reporting obligations and analyzing the information highlighted in the Credit Risk Central database, upon the initiation and during the management of the contractual relationship;
- communication with the client/ data subject for the fulfillment of any of the above purposes, by using any contact details.
In pursuit of the legitimate interests that the Bank has in relation to the proper management of its activity as detailed above, the Bank performs personal data processing mainly for the purpose of:
- improving the quality of the services provided by increasing the efficiency of flows, optimizing costs, preparing employees, improving response times to the client, including by creating and managing internal databases, processing data regarding customer preferences;
- design, development, testing and use of computer systems and services (including database storage / archiving, in the country or abroad);
- diversification of products and services and adapting them to the needs of clients, business planning;
- maintaining the reputation, integrity and security of the business, resources and equipment;
- liquidity management, balance sheet optimization;
- organization, administration and / or archiving in physical and / or electronic format of the documents for their efficient access and management;
- marketing activities, including the transmission of advertising materials not directly addressed, as well as conducting surveys regarding the services offered by the Bank and its activity;
- business management, including through the alienation / transfer or acquisition of assets, such as through mergers, acquisitions, transfers, sales / purchases of contract portfolios, performing or non-performing receivables or parts of the business, or through other similar transactions, performed both with entities in the Bank's group, as well as with any other third parties, both in the framework of auctions procedures, selection of offers, negotiations, related evaluation procedures (due diligence), as well as in its context in order to conclude such transactions, whether or not they are completed; implementation and execution of such transactions, irrespective of their actual structure, whether or not they involve the subsequent provision of services by the Bank in respect of the relevant portfolio;
- analyzing preferences by reference to the products and services contracted from the Bank, from other entities in the group or from other financial service providers (according to the data obtained from consulting external databases such as the Credit Bureau, etc.), analyzing the solvency, the credit risk and / or other details regarding the history and characteristics of the transactions, insofar as such profiling does not produce any legal effects or a similar impact in a significant way, in order to promote other products and services offered by the Bank, designing dedicated or exclusive services and products, as well as assessing credit risk;
- identification of the goods and the updated contact details of the client / data subject bound to the Bank, in order to exercise the Bank's rights regarding the recovery of debts;
- fulfillment of the obligations assumed by the Bank by adhering to system rules of the card service providers, of the clearing-settlement institutions, to international practices and uses;
- data processing for statistical and research purposes, to understand customer behavior and preferences, to identify and manage operational risks, to optimize flows;
- transmission and reception in relation to entities such as the Credit Bureau, the Credit Risk Center, the Payment Incident Center of the credit or payment risk information registered on the name of the relevant client / data subject (for example, the credit risk situation and the status of the outstanding loans, as well as information about the credit products, or other commitments that the client / relevant data subject benefits from, in order to initiate or carry out credit relations with the client or to issue credit or payment securities (bills of exchange, promissory notes, checks, etc.);
- communication with the data subject for the fulfillment of any of the above purposes, by using any contact details.
To the extent that under the laws the consent of the data subject is required (regardless of the type of client), the Bank will obtain such consent when initiating the business relationship of the client / data subject with the Bank or later, by means such as filling and correspondingly checking the Bank's forms when requesting a product or service, signing information notes or through the Bank's website or online banking applications or related to other services and products offered by the Bank. Most likely, the Bank performs personal data processing based on consent for purposes such as:
- direct transmission of advertising messages by email, SMS or other means that does not involve a human operator, in order to promote the most suitable products and services of the Bank or to promote the services of other entities in the group or of contractual partners outside the group;
- in-depth analysis by automated means, including the use and combination of more data such as those regarding the transaction history, their characteristics, the location of the transaction initiation, other data obtained by consulting internal, external databases and / or online platforms (for example, regarding the lending history, the history of the relationship with the Bank or entities in its group, etc.) and the creation of profiles in order to customize dedicated and exclusive offers, insofar as according to the applicable regulations the consent of the data subject is required by reference to the possible legal effects or have a similar impact in a significant way;
The consent expressed regarding the processing of data based on the agreement of the data subject can be withdrawn at any time, without affecting the legality of the processing carried out before the withdrawal, the information of the data subject regarding the said processing or the legality of the processing based on another legal grounds as it appears from the present section. Also, the withdrawal of the consent will not affect the Bank's supply of the contracted products or services. It is possible however that in the future we cannot keep you updated with the latest offers, respectively, we cannot communicate personalized offers. When collecting the consent, the Bank will provide the Customer with additional information on the purpose of the data processing, the possibility of transferring it to third parties, and a simple way to withdraw it.
Processing for further purposes
The Bank will process personal data also for other purposes in relation to its legal obligations or future legitimate interests. The client has access and can check any additional updated information regarding the categories of data, the purposes and grounds of the processing, the categories of recipients of the data through the confidentiality policy in the version available on this site, at the Bank's offices or provided on request in paper or electronic form.
It is possible that, after the fulfillment of the processing purposes, after the fulfillment of the legal archive deadlines or following the request for deletion of the data, the Bank may order the anonymization of the data (thus removing their personal nature) and continue the processing of anonymous data for statistical purposes.
Direct marketing and commercial communications
As detailed above, it is the legitimate interest of the Bank to further promote its products and services towards the client, being able to do this by sending commercial materials to a data subject (client or natural person representative of a client) through simple courier / postal services or through telephone calls with a human operator. At any time during the relationship with the Bank, the data subject has the right to refuse the processing of his/ her data for direct marketing purposes, by exercising the right of opposition, according to the details offered in the section below - Rights of the data subject.
Also in its legitimate interest, the Bank may use the e-mail address obtained directly from the data subject when selling a product or service to him/ her, in order to make commercial communications regarding similar products or services offered by the Bank. In all these cases, the data subject will have the opportunity to object simply and free of such use, both at the time of providing the e-mail address and at any time thereafter.
IF we process data automatically
In compliance with the appropriate legal basis, the Bank uses automated individual decision processes, including as a result of the creation of profiles and which in certain circumstances may produce legal effects on the data subject or may similarly affect it to a significant extent.
Thus, the Bank has strict legal obligations regarding the prevention of money laundering, fraud and terrorist financing. Compared to the huge volume of transactions carried out daily, the Bank can carry out automatic processing in order to verify suspicious transactions or to identify transactions that may be subject to international sanctions. In this regard, the Bank verifies databases that include persons subject to such sanctions or who are at high risk of fraud, refusing business relations or certain transactions with the client / other data subject as a result of such checks. Also, in order to comply with the legal obligations regarding the security of the payment instruments, but also to ensure the proper execution of the contract, the Bank monitors the payments made with its card or online through other tools with remote access and adopts automatic protection measures, such as: for example, blocking the payment instrument or account, restricting the transaction, in case of identifying operations that do not correspond to the client's transactional profile (such as, repetitive payments unusual in frequency, value, etc. or other transactions with illogical sequences by means of timely reporting. and location).
For the conclusion or execution of a contract with the client, in order to streamline the process of analyzing his/ her requests, by assessing the eligibility related to the incident regulations, as well as to evaluate and monitor the possibility of repaying the contracted debts, the Bank can perform data processing and issue automated decisions regarding the analysis of an applications for granting credit or providing investment products. These decisions may also involve the creation of profiles that take into account, in accordance with the Bank's risk policy, among others, the financial status, the creditworthiness, the credit risk, the degree of indebtedness, the payment behavior, the debt history or, in some cases, experience regarding the respective products. Thus, for example, the client's requests for credit will be rejected if his/ her risk profile does not meet the minimum criteria envisaged by the Bank in accordance with its policies and the applicable prudential regulations. Relevant criteria and algorithms, as well as prudential regulations, may vary over time.
Individual automated decisions can also be used to transmit personalized business communications based on the consent of the data subject expressed in the terms set out above.
Under the Regulation, however, the data subject has the right to obtain a reassessment of the decision on the basis of a human intervention, the right to express his / her point of view regarding the automated decision, as well as the right to challenge that decision.
Recording of telephone calls and video monitoring
The Bank may record and keep any telephone calls made with the data subjects in accordance with its internal rules, in order to prove various operations, instructions or agreements expressed by or for the client or another data subject, including in the case of remotely concluded contracts, in order to prove the content of the requests and / or the complaints made by telephone, as well as the Bank's response, to use them as evidence in demonstrating compliance with the legal or contractual obligations of the Bank or in case of disputes, to investigate various situations or to improve the quality of its services .
The data subject will be informed about the recording of a telephone call by means of pre-recorded messages or, as the case may be, by information to this effect by a human operator, the continuation of the call confirming the agreement of the data subject for recording the call.
The refusal of the data subject to accept the recording of a telephone conversation may determine the Bank's inability to offer certain products or services or to accept and execute certain instructions (such as those concluded even through the telephone as a means of remote communication). In the other cases, the refusal of the data subject to accept the registration will not affect the settlement of the requests or the complaints, but they will have to be sent to the Bank through the other communication channels made available (email, postal address), in which case the response time from the Bank may take longer.
In order to ensure a high level of security, in accordance with the legal requirements regarding the safety and security of the financial-banking activity, the Bank video monitors all the premises of the units in which it operates, as well as the area of its own ATMs. Video monitoring is signaled by appropriate signs, and the records are kept for the period provided by law or for a longer period at the request of the authorities or in case of a legitimate interest derived for example from investigations or disputes in progress.
If you have requested a product or service by distance means, for which there is also the possibility of identifying you by image processing, you will be notified separately.
WHOM do we share data with?
In order to carry out the activity and ensure the provision / supply of banking services to the client to the best standards or in order to fulfill its legal obligations or in pursuit of its legitimate interests as detailed in this policy, the Bank may disclose personal data to certain persons or entities, in particular to:
- the data subjects themselves (for example for data deduced by the Bank or received from third parties), legal representatives (for example: guardian, curator), the attorneys-at-law of the data subject or the client;
- third parties such as the corresponding financial institutions, clearing / settlement entities or entities involved in the execution or facilitation of the funds transfer services (such as: SWIFT, Western Union, STFD Transfond SA, ReGIS, SENT, card issuers - VISA, Mastercard, the merchant banks to which the customer made the card payment, the payment institutions of the beneficiaries of the funds transfers from the Bank clients’ accounts);
- insurance and reinsurance institutions of the Bank's risks;
- insurance-reinsurance institutions of the client's risks, when, for example, the client benefits from an insurance policy, whether or not it is related to a product offered by the Bank or requires the facilitation of its conclusion;
- the persons who guarantee a client obligation assumed by the Bank;
- any of the persons / entities belonging to the group to which the Bank belongs, including any entities from the Fiba group or Credit Europe where, for example, the technical processing or business strategy at group level of the data is located, analyzed, decided and / or centralized;
- the majority shareholder of the Bank and other entities in its group, in particular for the purposes of organizing supervision on a consolidated basis and for combating money laundering and terrorist financing, as well as for ensuring uniformity and implementation of internal strategies and standards at group level and / or of group-level recommendations from authorities, auditors, consultants;
- any of the consultants of the Bank and / or of the entities belonging to the group to which the Bank belongs or even to the data subject (for example, in legal, fiscal / financial, economic, technical matters), as well as judicial administrators, liquidators, judicial executors, auditors, lawyers, mediators, arbitrators, notaries, evaluators, experts, translators;
- any other third person / entity, insofar as the disclosure is necessary for the provision of the services contracted by the client from the Bank or the respective person / entity is directly or indirectly involved in providing services to the Bank, such as in the case of service providers entities or outsourced services or contracted by the Bank from specialized suppliers or in order to optimize the business, such as: extraction and notification printing services, courier services, transmission of messages, collection of debts, hosting and administration of web services, maintenance and software development services, IT services, card providers and services related to the issuance / operation / use of cards or other payment instruments with remote access, data and / or transaction security service providers, archiving, document destruction, data collection agencies debt collection, ATM / POS maintenance service providers, real estate agencies, notary services, legal or other kind of consultancy, assistance or representation);
- professional associations, such as the Romanian Association of Banks and local financial and banking supervisory authorities or of the mother bank in the Netherlands (for example, National Bank of Romania, Central Bank of the Netherlands, Financial Supervisory Authority, etc.), competent authorities at the level local or European tax matters, consumer protection authorities, competition monitoring, personal data processing supervision;
- credit agencies, mainly for assessing the credit risk of the Bank or the parent company;
- any entities within or outside the Bank's group, with which the Bank is in tender procedures, offers selections, related evaluation procedures (due diligence), negotiations in order to transfer to them or to acquire from them some rights and / or obligations that they have in relation with the Client / data subjects individually or as part of a portfolio of clients, including consultants of these entities, regardless whether or not the respective transaction is finalized, and subsequently for the implementation / execution of the respective transaction, regardless of its structure;
- entities such as the Credit Bureau, the Credit Risk Center, the Payment Incident Center, any other entities / institutions (for example: credit, leasing, insurance and utility companies),
- courts, alternative dispute resolution centers, arbitration courts and other authorities or entities authorized according to the law to request and receive information from credit institutions (for example, forced enforcement bodies, structures set up as a central bank, the payment incident center or the deposit guarantee fund);
- The National Agency for Fiscal Administration, for the purpose of transmitting information, in accordance with the law to the tax authorities of the United States of America or Europe, in compliance with the FATCA and CRS rules, and / or other entities with similar role.
HOW LONG DO WE KEEP THE DATA?
The Bank shall process personal data during the course of the Banking Services and the processing of the aforementioned processing purposes and subsequently in order to comply with the applicable legal obligations, including the provisions on archiving. According to the applicable legal provisions, there are different archiving deadlines, depending on the type of data.
For example, according to the regulations, the data regarding the transactions must be kept up to 10 years from the end of the relationship with the client. The databases managed for the purpose of direct marketing will be processed while maintaining the agreement of the data subject for receiving such communications, as well as for a period considered by the Bank necessary to demonstrate compliance with the legal requirements (for example, the limitation period of 3 years since the withdrawal of the agreement). The data may be stored for a longer period of time at the request of the authorities or for the protection of legitimate interests (such as disputes or ongoing investigations).
IMPLICATIONS OF THE REFUSE TO PROVIDE DATA
You may choose not to provide Data to CEB, but this option may in some cases result in a failure to comply with our contractual or legal obligations and, as a result, may prevent us from continuing to provide or renew your existing products and services. In other cases, it may limit the services we are able to offer you or the promptness or flexibility of communication with the Bank.
If you do not agree with the processing of the Data for marketing purposes, as well as in the event that you withdraw the processing agreement for the marketing purpose previously expressed, your contractual relationship with the Bank will not be damaged.
TRANSFER OF PERSONAL DATA ABROAD
At present, in order to achieve the above-mentioned purposes, the Bank may transfer certain categories of personal data outside Romania, in the EU / EEA states: the Netherlands, Malta (in the context in which these entities have group headquarters), Switzerland (in the case of SWIFT use) or outside the EU / EEA, to the United States of America (in the case of SWIFT and maybe FATCA reports), Turkey (in the context in which they have group entities), Dubai (in the context of business relations) as well as for CRS reporting. For transfers outside the EU / EEA, the Bank will establish the transfer of personal data either on the basis of some adequate data protection guarantees, such as the standard contractual clauses adopted at the level of the European Commission or other guarantees acknowledged by the law, or based on the fulfillment of other conditions according to the applicable regulations. For example, the Bank will transfer your personal data abroad when this transfer is necessary in the execution of a contract which it has concluded with the client / data subject, when executing instructions for transferring funds from the client to third countries.
It is possible that during the course of the activity the transferring states mentioned above change. Through this policy, which we will review periodically, we will ensure the updated information of clients and other data subjects regarding the list of states where personal data are transferred.
WHAT YOU CAN DO TO HELP US KEEP YOUR DATA SECURE
We make constant efforts to maintain data security. However, your vigilance also helps. We recommend setting strong passwords and please do not disclose them to anyone. Do not leave the devices connected to the banking applications unattended and keep in mind that any communication to the Bank, via email or other similar channels, is not under the control of the Bank. Report any suspicious activity to your accounts immediately. For details regarding data security, please visit the section Data security.
RIGHTS OF DATA SUBJECTS
In the context of the processing of personal data, the data subjects benefit of certain rights in relation to the Bank that can be exercised upon request and free of charge, and to the extent that the legal conditions are fulfilled, such as:
The right to be informed – the right to be informed about the identity and contact details of the Bank and of the data protection officer, the purposes of the processing, the categories of data processed, the recipients of the data, the existence of the rights provided by the applicable law and the conditions under which they can be exercised;
The right of access to data - the right to obtain confirmation that the personal data are processed or not by the Bank;
The right to rectification – the right to request and obtain the correction of inaccurate data, as well as the completion of incomplete data;
The right to erasure („the right to be forgotten”) – the right to obtain the erasure of personal data;
The right to restrict processing – the right to obtain the marking of stored personal data, in order to limit their further processing;
The right to data portability – the right to receive personal data in a structured way, commonly used and in an easy-to-read format, as well as the right to have such data transmitted by the Bank to another data operator;
The right to opposition - the right to oppose at any time, for reasons related to the particular situation, that personal data should be processed based on the public or legitimate interest, including processing for direct marketing purposes or by creating profiles;
The right not to be subject to an individual decision – the right to request and obtain the withdrawal, annulment or reassessment of any decision based exclusively on processing carried out by automatic means (including the creation of profiles) that produces legal effects or similarly affects, to a significant extent, the data subjects;
The right to lodge a complaint with an authority or to refer to the justice – The client has the right to lodge a complaint to the National Supervisory Authority for the Processing of Personal Data, respectively to refer to the justice for the defense of any rights guaranteed by the applicable legislation in the field of personal data protection, which have been violated, to the extent in which the data subject considers it necessary.
HOW TO CONTACT US. Data protection officer
For more details regarding the personal data processing activities carried out by the Bank or in the situation in which you wish to exercise any of the legal rights in relation to the processing of the Data as the data subject, you can submit a written and dated request signed (by hand) holograph, sent in paper format to any of our territorial units whose addresses you can find on the CEB website (here) or electronically by e-mail, scanned, at email@example.com.
You can also address the CEB responsible for data protection by e-mail at firstname.lastname@example.org or by letter at: CREDIT EUROPE BANK (ROMANIA) SA, Timișoara Boulevard no. 26Z, Anchor Plaza Building, District 6, Bucharest.
CHANGES TO THIS POLICY. Complete information.