Information regarding the processing of personal data

General Data

CEC BANK SA, with its headquarters at 13 Calea Victoriei, district 3, Bucharest, registered with the Trade Register under no. J40/155/13-01-1997, tax ID number RO 361897, hereinafter referred to as the "Bank" or the "Controller", hereby informs you that as of 25 May 2018, the Regulation 2016/679/EU on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "Regulation") shall be enforceable.

In this regard, you should know that when you choose to purchase a banking product or service offered by CEC BANK SA, the Bank will process the personal data that you provide to us either based on a contractual or legal basis, on a legitimate interest of the Bank, or on the basis of your consent to such processing. The data are processed directly by CEC BANK SA, or by empowered entities (hereinafter referred to as the "Processors"), who process the data for and on behalf of the Controller.

Definitions

Personal Data: means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject: may be an applicant for a product or service offered by the Controller or its Processors, as well as any other natural person whose Personal Data may be transmitted or collected by the Controller for the purpose of carrying out Processing activities, both in its own interest and for and on behalf of its contractual partners, according to the determined purposes.

Contract: means the legal act concluded with the Controller, based on which the Controller shall provide banking products and services. For the purposes of this Information, any reference to the "Contract" shall be understood to indicate all the contracts to be concluded with the Controller.

Profiling: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Processed Data

We inform you that the Bank may process the following categories of Personal Data:

i. Personal Data that you (the Data Subject) provide us with, such as:


a. Identification data of the natural person/certified natural person: first name and surname, father/mother's initial, mother's name before marriage, home/residence address, personal identification code/unique tax reference code, marital status data, fixed/mobile phone number, ID document series and number, driving license number, passport series/number for non-resident persons or other details, as collected by making copies of documents containing them or as transmitted by the Data Subject on electronic support;


b. Profession/workplace;


c. Financial and tax information (including income, taxes, fees, contributions and other charges owed to the State budget from any kind of activities: salaried, authorized / independent / liberal, pensions, social security, rent, etc.);


d. Photo and video images, including closed-circuit video surveillance systems (CCTV) images, when you attend the bank locations, including the related ATMs;


e. Information on movable / immovable property (including enrollment with the Land Register, AEGRM etc.);


f. Signature specimen;


g. Data concerning health.

Those data are required for activities such as preparation of the offer of financial and banking products and services, determination of creditworthiness and solvency, conclusion, execution, amendment or termination of the Contract, collection of money and their payment into bank accounts, authentication in the Bank systems, solving complaints. Regarding the Processing of SSN and other identification data, such Processing is based on the legal obligation of the Controller, as a banking unit, to identify and know its customers in order to prevent money laundering and to fight against terrorism. Also, SSN is required in case of loan product applications, for consulting the Credit Bureau and determining the FICO score.

Photographic and video image Processing is based on the legal obligation of the Controller as a banking unit to identify / recognize people and to keep the evidence of their access to the Bank's locations in order to ensure the security of the objects, assets, values, as well as the protection of individuals.

Your refusal to provide us with such Data will make it impossible for us to provide you with the desired banking products or services or to respond to your applications addressed to the Bank.

ii. Personal Data that the Bank processes in connection with the provision of banking services, such as:


a. Transaction data (information on how banking products and services are used, on credit or debit cards, personal loans or any services subject to the Contract);


b. Location data (such as, particularly, the location of used ATMs);


c. Data on creditworthiness, FICO score (for credit products);


d. Commercial data (such as the number and type of purchased banking products / services, payment methods, payment term and payment history, preferences regarding payment methods for credit installments).

Processing Grounds

Processing of your Personal Data may have as grounds the following:


a. Conclusion and execution of the Contract (e.g. determining your solvency, determining the value of the movable / immovable property over which a guarantee in favor of the Bank is lodged);


b. The legal obligation of the Controller (reporting to public authorities, Personal Data Processing for complying with the legal obligations imposed by the regulations applicable in the banking sector and to customer relationships, normative acts in the field of prevention and combating money laundering and terrorist financing etc.);


c. The legitimate interest of the Controller (e.g., preventing and combating fraud in the banking sector, recovery of claims);


d. The consent of the Data Subject (e.g. for the transmission of marketing communications such as promotional offers, launches of new products and services, information about related accounts and services, advantageous savings and credit products, cards, improvements in product and service portfolio, etc., as well as for transmission of messages on special occasions (e.g. Bank Day, client's birthday, anniversary of the relationship with the Bank) or messages on partners’ offers, etc.).

Purpose of Processing

Your Personal Data will be processed for the following purposes:


1. Preparation of financial service offers and carrying out of pre-provision activities related to specific banking products, including those provided either for granting loans, or during the lending periods, as well as for their restructuring;


2. Conclusion, execution, amendment or termination of the Contract, opening the account, provision of banking products and services, account administration, deposits, receipts and payments, replies to applications / complaints;


3. Provision of customer service (including Phone Banking), transmission of information and notifications, provision of technical assistance / advisory services for Internet Banking, Mobile Banking, Phone Banking Apps;


4. Checking the account balance and banking transaction history in order to respond to the requests addressed to the Bank;


5. Verification and recovery of debts, including for receivable assignments;


6. Establishing and changing the credit limit;


7. Detection and prevention of fraud in the banking sector;


8. Internal and external audit and control activities;


9. Marketing, either by sending commercial communications (on promotional offers, new or existing products and services, information about accounts and related services, advantageous savings and credit products, cards etc.), or by sending messages on special occasions (e.g. Bank Day, client's birthday, anniversary of the relationship with the Bank), or on partners’ offers (such as those of life or travel insurance providers etc.);


10. Conducting internal studies and statistics, market studies, application of satisfaction questionnaires etc.

Automatic Decisions

If you are applying for a Loan Product from the Controller, we will assess your creditworthiness and potential credit and fraud risks. The process of assessing creditworthiness and credit and fraud risk levels may involve making Automated Decisions based on the risk profile of the Data Subject. Automated decision making is necessary for the conclusion, execution and amendment of the Contract with the Controller.

In assessing credit and fraud risks, the Controller queries the Credit Bureau - a joint-stock company, having 25 banks as shareholders, which provide information about debtors with outstanding debts for more than 30 days, fraudsters or persons having inconsistencies in statements, as well as information about FICO score, based on an International Statistical Model applied to the Credit Bureau database. The Credit Bureau score is a figure between 300 and 850, indicating the likelihood that an individual will pay his/her installments on time in the future. In the case of non-payment of due sums / guarantees / advance payments requested on due date or in case of fraud, Personal Data of such debtor may be transferred to the Credit Bureau and the information may be accessed by third parties with right of access to it (banks, non-financial institutions).

Based on such score, the Controller will decide whether or not you qualify for receiving a credit product.

Transmission of Personal Data to Third Parties

In order to always provide you with the best products and services we have constant partnerships with various related service providers to which we may transmit your Personal Data based on one of the above mentioned grounds and which may Process them either as Processors or as Independent Controllers, in the latter case being directly responsible for compliance with the Personal Data protection laws.

The categories of Recipients of Personal Data collected and processed by the Controller may be:


(a) Other banking product/service providers – subcontractors of the Controller in order to execute the Contract;


(b) Insurance and cadastral service providers, external assessors and auditors (selected by the Bank's customers to perform the valuation of the assets admitted as guarantee by the Bank);


(c) Communication printing and enveloping service providers;


(d) Receivable recovery companies / third party natural and legal persons for the purpose of assigning non-performing debts (or for the acquisition of assets mortgaged in favor of the controller subjected to proceedings);


(e) Postal / courier service providers;


(f) Card and payment related service providers;


(g) Call Center and Customer Support service providers;


(h) Market / customer satisfaction research service providers;


(i) Controller’s contractual partners, in order to promote the products and services marketed by them;


(j) Public authorities (NBR, National Agency for Tax Administration, Ministry of Public Finance, National Office for Preventing and Combating Money Laundering, Court of Auditors, National Authority for Consumer Protection etc.);


(k) Credit Bureau, Credit Risk Center, Electronic Archive for Security Interests;


(l) Contractual partners, in order to fulfill your instructions, respectively the obligations assumed by CEC BANK towards you (Guarantee funds, utilities/ services suppliers, insurance companies etc.);


(m) Courts or arbitral tribunals, as well as authorities and bodies having the legal competence to carry out criminal investigation and to investigate criminal offenses at the request of the former, bailiffs and insolvency practitioners;


(n) Service providers being contractual partners of the Controller that provide assistance in the provision, activation, installation, operation, maintenance of the services provided by the Controller;


(o) Other agents / subcontractors of the Controller (such as notaries, law firms, companies organizing promotional events with lottery etc.).

Transfer of Personal Data outside the EU / EEA: Personal Data of customers benefiting from banking services performed via SWIFT are transferred abroad to SWIFT Operational Centers (such as those in the USA or Belgium) where they can be accessed to combat terrorism. CEC BANK requires those Recipients, through specific contractual clauses, to protect the Personal Data received in accordance with the requirements of the Regulation.

Duration of Personal Data Storage

In order to determine the period for which Personal Data will be processed, we take into account the contractual duration until the expiry of the contractual obligations and the archiving deadlines, both legal and domestic.

Personal Data collected by the Controller will be processed: (i) throughout the Contract execution term, (ii) after the termination of the Contract, for a period established in accordance with the applicable domestic or legal regulations, (iii) after the expiry of the storage period, if storage of the Personal Data collected is required in accordance with applicable banking legislation, but without exceeding its maximum duration, or storage deadlines, as provided for by the banking legislation and the Personal Data Storage Policy established by the Controller.

As a general rule, Personal Data collected for the purpose of transmitting commercial communications will be processed for that purpose until the date of withdrawal of the consent expressed by the Data Subject or, as the case may be, according to the Personal Data Storage Policy established by the Controller.

We keep your Personal Data on our servers. We use appropriate technical and organizational measures to protect your Personal Data and prevent unauthorized access. Once we receive your Personal Data, we use strict procedures and security policies to prevent unauthorized access.

Data subject rights

a. The right to be informed about Personal Data processed by the Controller;


b. The right to obtain from the Controller the confirmation that it is processing the Personal Data of the Data Subject and, if so, the access to the relevant Personal Data and information such as the purposes of the Processing, the categories of Personal Data concerned, the Recipients or the categories of Recipients, if possible, the expected storage period and, in addition, if Personal Data is not collected directly from the Data Subject, the source of such data and, where appropriate, the existence of an automated decision-making process, including the Profiling;


c. The right to rectify inaccurate Personal Data or to supplement it;


d. The right to delete Personal Data in accordance with the legal provisions applicable in the field of Personal Data protection;


e. The right to restrict Processing when one of the following cases occurs: the Data Subject challenges the accuracy of the Data, the Processing is illegal, the Data Subject opposes the deletion of the Data when the Controller no longer needs the Personal Data for Processing, but the Data Subject requests them for the establishment, exercise or defense of a right in court or, when the Data Subject opposes Processing, for the period of time necessary to verify that the legitimate interests of the Controller prevail over those of the Data Subject;


f. The right to Data portability, which consists in requesting from the Controller the transmission of Personal Data provided by the Data Subject in a structured, commonly used, readable format, and the transmission by the Data Subject of such Data to another controller;


g. The right to object to the Processing of Personal Data at any time, free of charge and without justification, for situations such as: (i) receiving commercial communications; (ii) adopting an Automated Decision, including Profiling; (iii) carrying out the necessary Processing activities in order to achieve a legitimate interest of the Controller. In case of unjustified opposition, the Controller is entitled to further process Personal Data. In the event that, during the Contract Term, the Data Subject exercises his/her right of opposition on a repeated and unjustified basis, the Controller reserves the right to no longer respond to such requests. The right of opposition shall not be exercised with respect to the Processing of the Personal Data necessary for the execution of the Contract;


h. The optional right of the Data Subject to require of the Controller that he/she not be the subject of a decision based solely on automatic Processing, including Profiling, and producing legal effects that significantly affect the Data Subject. With regard to the adoption of a decision based solely on automatic Processing, the Data Subject has the opportunity to express his / her point of view, to request the intervention of a human controller and to challenge such a decision in the ways described in this information;


i. The right to lodge a complaint with the National Authority for the Supervision of Personal Data Processing (ANSPDCP);


j. The right to appeal to justice.

In order to exercise the rights provided in letters a) - h) above, you may submit to the Controller a written, dated and signed application in any territorial unit of CEC BANK SA, or you may submit such a request by email to the Personal Data Protection Officer, at dpo@cec.ro, signed under the Electronic Signature Law, or through the website with the address www.cec.ro/contact/ GDPR page.

 

The above information will be permanently at your disposal, in an up-to-date format, on the website with the address www.cec.ro, or on request, in hardcopy format, in any territorial unit of CEC BANK SA.