Considering the regulations regarding personal data protection, provided by EU Regulation 2016/679, which represent the basis of the personal data processing legislation and the protection of this data for EU member states, we wish to reconfirm our commitment to process your personal data in a transparent manner and by complying with all the rights from which you benefit according to the law. For this purpose, below we present the main elements we think you should know in this regard, as a “data subject”.
1. What data processing means
According to the EU Regulation 2016/679, “data processing” is understood as any operation or set of operations performed on personal data or on personal data sets with or without the use of automated means, such as the collection, organization, structuring, storage, adjustment or amendment, extraction, consultation, use, disclosure by transmission, dissemination or other supply, alignment or combination, restriction, deletion or destruction. As a personal data controller, Alpha Bank Romania shall always ensure that the processing of data is characterized by legality, fairness and transparency, and that the requested data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
2. What personal data do we process?
On a case by case basis, the Bank processes personal data such as, without limitation:
- Data used for directly or indirectly identify a natural person (for example, data from identity documents, identification codes, voice from audio recordings and recording telephone conversations conducted with the personnel of the Bank from the customer service and support centers, images from video recordings captured by video surveillance cameras, images from identity document photos);
- Date and place of birth, gender, citizenship, marital status, hand-written or electronic signature;
- Contact data (telephone number, domicile and residence address, correspondence address, e-mail address, fax number, etc.);
- Economic and financial data about assets owned in various forms of possession (data on revenues, balances, collections, payments, owned/leased assets, financially supported persons, pension file number, etc.);
- Data on education and professional training (education, education form, education unit, professions, jobs, etc.);
- Data on jobs (profession, occupation, professional training, filled positions, employers, etc.);
- Data on the current status and history of crediting relationships with financial, banking and non-banking institutions and information that derived therefrom following the processing carried out by financial institutions (e.g. data recorded in systems such as Credit Office, Central Credit Register, information from public databases, etc.);
- Data on fraudulent activities, data regarding suspicions and convictions related to crimes such as fraud, money laundering and terrorism financing (e.g., data from authorities, data from other financial institutions or from public databases such as Down Jones, World Check, court of law portal, etc.);
- Data on a held public position and political exposure;
- Data on the beneficial owner and the membership in a customer group;
- Data on the used banking services and products, their accessories and data on the manner of accessing them or accessing the website of the credit institution (purchased banking products and banking transactions, bank statements, transaction history data, guarantees provided to the credit institution, banking data such as liquidity; system used for operating the device used for accessing online services);
- IP address of the device/equipment (e.g., mobile phone, computer, tablet, etc.) used for accessing Internet Banking services and Bank apps, access files (logs); data on the geographical location, visited websites and traffic in Bank apps, personal preferences and cookies);
- Health data, in case of persons who have an insurance product or request the restructuring of a credit product;
- Biometric data (e.g., facial recognition);
- Data regarding the data subject’s interactions with the Bank on social media networks;
- Data regarding interests and needs communicated by the data subject (e.g., within a call to the Call Center, in case of filling in an online survey or identified following the interactions with the Bank).
The list of this data may vary depending on the characteristics of the services and products contracted by you or in which you show interest, the legal provisions applicable for the activities carried out by Alpha Bank Romania and by the prudential policy of the Bank.
Personal data may be obtained directly from you or from third parties, by information brokerage (for example, credit brokers / lead providers or by querying databases / platforms or public information websites, according to the law (for example, by querying the database of the Division for Persons’ Records and Database Administration, the ANAF database or by querying public information from websites/platforms such as portal.just.ro or RECOM).
3. What are the categories of data subjects whose personal data is / may be processed by the Bank?
Depending on the business relationship and its implementation progress, the Bank processes personal data of the following categories of data subjects, without limitation:
- potential customers / natural-person customers;
- potential customers / freelance customers;
- potential customers / entrepreneurs - natural persons who own individual companies;
- potential customers / natural-person customers who independently carry out, according to the law, a regulated profession;
- former customers, from any of the aforementioned categories;
- legal representatives, including custodians or curators or conventional representatives of customers from the aforementioned categories;
- legal or conventional representatives of legal-entity guarantors, of legal-entity fidejussors, of legal-entity co-debtors;
- guarantors of natural persons, natural-person fidejussors, natural-person co-debtors, natural-person beneficial owners;
- shareholders and/or other categories of natural persons who are relevant in the context of the contractual relationship between a customer and the Bank, whose personal data is disclosed to the Bank directly by them or by customers, for them;
- natural-person contractual partners of the Bank or representatives or employees of legal-entity contractual partners of the Bank, etc.;
- third parties - natural-persons and/or legal entities / authorities, including the legal or conventional representatives thereof, insofar as they are litigation parties in lawsuits in which the Bank is a party.
4. What are the legal grounds based on which we process personal data, and for what purposes?
Personal data is processed by the Bank, as follows:
a) In order to comply with the legal obligations of the Bank, personal data shall be processed for the following purposes, without limitation: applying know-your-customer measures; applying measures for preventing and fighting money laundering and financing terrorism, including by monitoring the business relationship, regarding identity verification, including by querying DEPABD databases (Division for Persons’ Records and Database Administration), carrying out transactions, and also reporting suspicious transactions; consulting relevant databases, such as those managed by the National Agency for Fiscal Administration and the Central Credit Register, RECOM, World Check, Dow Jones or other providers of similar services (Keysfin, ICAP, etc.), the court of law portal, notifications and information from public authorities and institutions, etc.; making endeavors for preventing and fighting fraud; carrying out audit actions or obligations to report to state institutions/bodies, such as NBR, Ministry of Finance, ANAF, ASF, CRC, etc.; processing data from service contracts or in other situations, which are not directly related to banking services and products, in which data subjects are legal representatives of Bank partners; processing data of third parties, from substantiating documents (such as lease contracts, utility contracts) that is necessary for complying with know-your-customer requirements; verifying and confirming the identity of visitors of financial-banking units and processing video images, according to Law no. 333/2003 and Government Resolution 301/2012; resolving applications from competent state authorities/institutions (such as information requests from courts of law, prosecutor’s offices, the Ministry of Internal Affairs and other structures with attributions in this regard, such as DNA, DIICOT, etc.); managing complaints and notifications regarding the banking products and/or services contracted by the data subject and exercising by data subjects the rights regulated by GDPR; sending notifications and notices regarding held products and services and the business relationship or other notices expressly regulated by the law (such as this Notice); assessing the solvability, creditworthiness and eligibility of a customer/guarantor/co-debtor in order to grant a credit.
b) In order to implement a contract signed by the data subject or for actions prior to concluding a contract, the Bank processes personal data as follows, without limitation: collecting data of potential customers in order to initiate the business relationship; processing customer data, which is necessary for endeavors for concluding and implementing the contract, and for providing certain banking services or carrying out transactions after initiating the business relationship; carrying trading operations, depositing/withdrawing amounts, inter-bank and intrabank transfers; collecting instalments via/for partner banks; calculating scores in order to grant a credit; processing data for risk analysis in order to decide the initiation and, as the case may be, manage the relationship with the customer; consulting ANAF databases in order to analyze customer solvability for purchasing creditgranting products; operations and transactions regarding the assets and liabilities of the bank (such as, without limitation, receivable assignments or issuances of guaranteed bonds); collecting debits/recovering receivables and all related activities, including actions of contacting, notifying, foreclosure; processing data representing log-in credentials in the apps used by data subjects in relation to the Bank; processing in order to provide insurance products associated to specific credit-granting products; processing data in order to implement insurance contracts concluded by the Bank or contracted by the customer in order to cover various risks; sending notifications and notices regarding the implementation of the contract for providing banking services; operations of registering security mortgages and publicity for related legal operations.
c) In order to fulfill legitimate interests of the Bank, personal data shall be processed for the following purposes, without limitation: processing data by market surveys or Second-Day Calls carried out in order to improve the products and services of the Bank and optimize flows, policies and internal procedures; processing in IT security tools (such as DLP, firewall); data processing in testing environments (“parallel run”) in the process of designing, developing and using IT systems, in cases where the testing objectives are the quality and/or accuracy of data; data processing carried out in order to optimize flows and dedicated apps, by providing technical support and maintenance activities; consulting public sources, including databases with risk information, in order to ensure an optimal know your-customer level in order to prevent money laundering and fighting terrorism; processing related to managing complaints and notifications, and also for exercising and defending the rights of the Bank in court; operations of reducing fraud risk by monitoring transactions, including communications with involved data subjects; data processing for statistical purposes or conducting analyses based on aggregated information; processing in systems such as the Credit Bureau (in relation to which the Bank is a Joint Controller); activities carried out in order to recover debts, including by using the services of a third-party entity; consulting the records of the Trade Register in order to manage insolvency files for natural persons; audio recording of telephone calls made by the personnel from the Contact Center in order to resolve certain requests, carrying out investigations, proving a litigation, and forimproving the quality ofservices; sending educational and informative notices in order to ensure the correct use of owned products, reminding facilities associated to owned products or increasing the understanding of safety measures for fraud prevention (e.g., awareness messages regarding card skimming, email phishing, etc); automatic processing, without excluding human intervention, in activities of marketing segmenting and profiling in order to offer customized products or configurations of dedicated offers (offers for students, employees, pensioners, etc); sending reports within Alpha Bank Group.
d) Based on data subjects’ expressed consent, data shall be processed for the following purposes: direct marketing, such as, without limitation: participation in campaigns and granting prizes, loyalty programs and special offers launched for customer, including for promoting any products and services of the Bank and its partners, promotion/advertising; processing data within telephone calls made by the Contact Center service; processing candidates’ data within recruitment processes, for determinate periods of time, in order to contact them in the future if there are compatible positions.
5. What happens if you do not want for personal data to be processed by the Bank?
The initiation and implementation of the business relationship and the compliance with the obligations provided in the regulations in force may only be carried out based on the processing of personal data. If you do not wish to provide us with the necessary information or you oppose its subsequent processing, we cannot initiate or continue the business relationship.
Data processing for marketing purposes makesit possible for usto inform you about Alpha Bank Romania news and offers. You may ask us at any time to stop the processing for this purpose, and the relationship with the customer will not be affected.
6. To whom may personal data be transmitted?
The categories of potential data transfer recipients may be:
- partners (e.g., insurance companies contracted by the Bank as a subordinated insurance agent, technology and payment companies such as VISA or MASTERCARD, companies specialized in investment management, brokerage companies, national and international banks and financial institutions (e.g., according to the Agreement on the inter-bank settlement of debit instruments or other inter-bank Agreements));
- third-party subcontractors (e.g., postal service providers, media / marketing research agencies);
- database organization offices (such as the Credit Bureau and the Central Credit Register - if you have contracted credit-granting products) or various service-providing agencies (SWIFT/ Transfond / NBR - for payments in RON / foreign currency, Central Depository / Bucharest Stock Exchange;
- ANAF, in order to comply with FATCA (“Foreign Account Tax Compliance Act”) and CRS (Common Reporting Standard) legislation, if personal data or operations carried out by you fall into the reporting criteria established by FATCA and/or CRS;
- members of Alpha Bank Group;
- other competent authorities (for fulfilling legal obligations, such as ASF, Central Depository, NBR);
- empowered/proxies, in order to fulfil the legitimate interests of the Bank (law firms, receivable collection companies, etc);
- third parties in case of assigning/transferring Bank rights;
- National Public Pension Administration, Ministry of National Defense, Ministry of Internal Affairs, County Agencies for Payments and Social Inspection (for delivering pensions, allowances and/or other indemnifications).
7. May data be transmitted outside the country?
The processing of personal data may involve its transfer abroad, for the aforementioned purposes. Data may be transferred to countries from/outside of the European Union, including the United States of America. In all cases, any transfer shall be carried out by establishing the necessary safeguards that would ensure the protection of personal data against accidental or illegal destruction, loss, modification, disclosure or unauthorized access, as well as against any other type of illegal processing.
8. What are your rights related to personal data protection?
As of May 25, 2018, Regulation (EU) 2016/679 has reviewed and extended the scope of the rights of natural persons with regard to their personal data.
Please find below a detailed description of these rights, for a better understanding of the legal content thereof:
a) Right to be informed: the right to be informed about the data and the characteristics of its processing in your relationship with Alpha Bank Romania;
b) Right to rectification: the right to obtain from the Bank, without undue delay, the rectification/completion of inaccurate personal data concerning you;
c) Right to erasure: you may express the right for your data to be erased from the records of Alpha Bank Romania, in compliance with the applicable legal provisions in the area of personal data protection;
d) Right to restriction of processing: may be exercised when one of the following cases applies: the data subject challenges the accuracy of the data or the lawfulness of the processing, the data subject objects to the deletion of the data when the Bank no longer requires the personal data for processing but the data subject requires them to establish, exercise or defend a right in court or where the data subject objects to the processing for the period of time during which it is checked that the legitimate interests of the Bank override those of the data subject;
e) Right to data portability: consists in the possibility to request the Bank to transmit the personal data you provided in a structured format that is currently used and can be readable automatically; the transmission of data may be done directly to another controller only where this operation is feasible in terms of the technical capabilities used by Alpha Bank Romania;
f) Right to object: the right to object, at any time, based on legitimate and valid grounds relating to your particular situation, to the processing of personal data, except when there are legal provisions stating otherwise. This right may be exercised under the following conditions: a written request is submitted to Alpha Bank Romania, which will include the data that the objection isrequested for and the grounded and legitimate reason relating to your particular situation;
g) Right not to be subject of an automated individual decision-making process: represents your possibility of requesting the Bank not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affecting him or her. With regard to the adoption of a decision based solely on automatic processing, you have the possibility to express your point of view, to request the intervention of a human operator as well as the possibility of challenging such a decision, in the ways described in this information;
h) Right to lodge a complaint with the National Authority of Surveillance of the Personal Data Processing (ANSPDCP);
i) Right to file lawsuits.
9. How long is personal data processed by Alpha Bank Romania?
Data subjects’ personal data indicated in Section 3 shall be processed during the period that is necessary for fulfilling the goals indicated in Section 4, and after this period, according to the legal provisions which regulate terms for processing such data (for example, legal provisions that regulate the archiving of documents).
For any application, information request or notification on exercising your rights, including if you wish to withdraw your consent regarding the processing of data for marketing purposes or regarding the querying the database of the Division for Persons’ Records and Database Administration, you may contact us by using the following communication methods:
- on the website www.alphabank.ro, “Contact” section;
- via e-mail, at the address: DPO@alphabank.ro;
- at the counters of Alpha Bank Romania units by filling in the dedicated form or a written application;
- in writing, at the headquarters of the Bank, located in Platinum Business & Convention Center Building, No 172-176, Sos. Bucuresti-Ploiesti, District 1, Bucharest.
Please note that the information presented above shall be permanently available to you in an updated format, at www.alphabank.ro.