Processing of personal data

B.R.D. - Groupe Société Générale S.A., headquartered in Bucharest, Blvd. Ion Mihalache, No. 1-7, Sector 1, registered with the Trade Register under number J/40/608/19.02.1991, Tax Identification Number 361579, registered with the Banks Register under number RB-PJR-40-007/1999 (hereinafter called “The Bank” or “Us/ We”), in its capacity as personal data operator, would like to inform you about the way We process personal data in the context of the activity carried out by BRD, as well as about the rights that you have as a data subject, starting with 25th of May 2018 (GDPR effective date).

We process the personal data that you provide Us, directly or indirectly (e.g. through empowered or other persons representing you in your relationship with the Bank, such as persons who are entrusted with the exercise of parental/ tutorial authority), or the data that We generate or deduce as a result of the interaction with you through any of the channels of communication with the Bank.

We can also obtain and process your personal data including from external sources, such as:

- public institutions and authorities (e.g. ANAF, FNGCIMM, NBR - Credit Risk Center or Payment Incidents Center (CIP)). For example, We can interrogate the databases of authorities/ public institutions to obtain certain information, such as: your tax situation; the status of your forced execution file; your employee status; information on the status of the claim file by the FNGCIMM; your identification data in the Credit Risk Center, including information on the type of loan contracted, the degree of indebtedness and the affiliation to a group of debtors.

- registries and electronic databases (e.g. portals of Courts, the Credit Bureau, entities empowered to manage databases with designated persons, subject to international money-laundering sanctions and politically exposed persons, etc.). For example, but not limited to, when entering into relationship with the Bank, We interrogate (i) the Court’s portals to verify if you are involved in criminal litigations likely to reveal a certain fraudulent conduct, (ii) the Credit Bureau, to check the Bank’s exposure by reference to your payment behaviour or other incidents in relation with other banks, (iii) if you are included in databases with designated individuals, subject to international sanctions that block the funds.

- entities involved in payment operations (e.g. international cards organizations, such as Visa and Mastercard, economic operators accepting cards payments, banks and other payment institutions involved in payment schemes, the Central Depository). For example, when you make transactions with the card, We can receive some data necessary to make the payments (e.g. the card’s data, transaction amounts) from merchants who accepted the payment with the card.

Also, in other types of operations (e.g. credit card payment, direct debit, debit instruments such as cheque, promissory note), We can receive your data from a bank/ third-party institution where the transaction was initiated, through schemes/ payment systems and interbank communications (such as SEPA, Regis, SENT or SWIFT).

- commercial partners, in particular service providers for the Bank. For example, We may find out your new contact information (e.g. address, phone number) from agencies providing debt recovery services for Us, data that they obtain from their own sources.

- publicly available online platforms (social media and internet).

- entities in BRD Group (such as data on customers who had contracts with BRD Finance IFN S.A).

- your employers, for example if We enter into a payroll agreement with your employer.

- other companies for which the Bank provides payment services (securities issuers, insurance companies, etc.).

- Central Depository, as a registry company for the Bank’s shares.

 

For example, in certain situations, We may obtain your personal data from the Bank’s customers/ the Bank’s customers’ representatives (e.g. if you are a member of the customer’s family) or from board members of the Bank (if you are an affiliated person), if such data are necessary in the context of legal relations with the Bank’s customer.

 

The refusal to provide the Bank with your personal data may, in some cases, result in the impossibility of entering into relationship with the Bank or of contracting the desired product, service.

A. ENTERING INTO RELATIONSHIP WITH THE BANK

We process personal data for:

  1.  Checking your eligibility for entering into relationship with Us and contracting the banking product/ service, as well as for
  2.  Preparing the required documentation for contracting the product/ service.

We check your situation to ensure that you meet the prudential requirements, under the applicable law and internal policies of the Bank (including the risk policies). For example: We apply know your customer procedures; We verify if you meet the requirements concerning the fraud prevention and combating money laundering and terrorist financing; We evaluate your situation as well as, if applicable, of other persons (e.g. co-debtors, guarantors) to analyze the Bank’s exposure to the risk involved by contracting the required  banking product/ service.   

For certain products (such as loan products), We also use automated processing (including scoring) to assess your eligibility for contracting the product (for details, please see Section III below).

Processing basis:

The contract conclusion and execution, including the processing at your request for concluding and executing the contract.

BRD’s legitimate interest to check its customers’ eligibility in terms of internal policies and standards imposed at BRD Group level.

Compliance with legal obligations.

 

B. PROVIDING BANKING PRODUCTS AND SERVICES. PRODUCTS AND SERVICES MANAGEMENT 

We process personal data to conclude and execute the contract with you. To prevent and combat fraud and/ or guarantee the banking secrecy: We verify the authenticity of identity documents as well as, if the case, of other documents that you submit; We monitor the way the contract is performed and the associated risks; We apply procedures for managing conflicts of interest. 

We may contact you or, as the case may be, other persons (e.g. co-debtors, guarantors) through various channels (e.g. phone, e-mail, SMS, at home), to communicate to you/ them various aspects concerning the contract or the contracted banking product/ service.

For example, if difficulties arise in executing the contract, We may contact you to identify together the optimal solutions to continue the contractual relationship with you in the best possible conditions.

We may also send you notifications regarding payment maturities or concerning changes in the features of the contracted banking product/ service. 

Processing basis:

The contract conclusion and execution.

Compliance with legal obligations.

BRD’s legitimate interest to ensure the contracts’ performance in an optimal and efficient manner.

  

C. ECONOMIC, FINANCIAL AND ADMINISTRATIVE MANAGEMENT. ANALYSES AND INVESTIGATIONS FOR INTERNAL USE

We use personal data to optimally organize and streamline the Bank’s activity. In this regard, We may use personal data, among others:

  • to organize some internal databases, to support the activity carried out by structures and departments within the Bank.   
  • to improve and optimize BRD’s network activity, as well as our processes, products and services.
  • to efficiently organize, perform and/ or manage debt collection and debt recovery.
  • to prevent and investigate possible fraud/ fraud suspicions in banking operations.
  • to perform various financial analyses, in an aggregated format, regarding the performance of BRD’s network and its staff (including the Bank’s sales force).
  • to prepare various reports, in an aggregated format, on (a) BRD’s activity and performance in financial and banking markets, and (b) its exposure to other financial institutions.
  • to support Our position in various investigations, administrative and judicial procedures, litigations, etc. in which the Bank is involved.
  • in the context of various analyses, internal audit procedures and/ or investigations carried out by the Bank, on its own initiative or following the receipt of a complaint from a third party (including public authorities).  
  • managing controls/ investigations triggered by public authorities.

Processing basis:

BRD’s legitimate interest to streamline and optimize its activity.

 

D. SUPPORT-SERVICES AND COMPLAINTS MANAGEMENT

We process your personal data to solve your requests or those of other persons, as well as to provide you/ them with additional information about our products and services.

For example, We may contact you by phone to respond to your requests or We may process certain data from the documents you provide Us with to solve your requests or complaints (such as a request to update your data or to block the card).

If you agree, We audio record the conversations with you in order to improve the quality of our services as well as to test (a) your requests/ claims concerning a particular banking product/ service as well as, eventually, our response, respectively (b) your agreement/ option/ preferences for a particular product or service of ours. If you do not want the above-mentioned conversations to be recorded, you can contact Us on other available channels, such as by e-mail or by writing to Us at our dedicated contact address. In this latter case, the effective settlement of your request/ complaint will not be affected in any way, but the settlement may take longer.

Processing basis:

Contract conclusion and execution, including for processing at your request for concluding the contract.

Compliance with specific legal obligations.

BRD’s legitimate interests (i) to comply with a legal obligation and to avoid any negative consequences, and (ii) to carry out its activity in accordance with internal standards and with the standards established at the Group level. 

The data subject’s consent - you can withdraw your consent at any time - for details, please see Section VII d) below.

 

E. DIRECT MARKETING AND COMMERCIAL COMMUNICATIONS

We want to keep you updated with the latest news about the products and services of the Bank and/ or of other companies within BRD Group or of our partners, to invite you to participate in contests or advertising lotteries that We organize on our own or with our partners (co-organizers). Before contacting you, We may also consider our internal analyses and studies (for details, please see Section G below). 

We can also send you commercial communications regarding our partners’ products/ services (such as market research agencies, insurance companies, pension funds, leasing companies, investment funds).

We are interested in your opinion about our products and services, about Us or other companies within the Group in general or about a particular subject relevant to our activity. We can periodically contact you to receive your feedback and suggestions on how to improve our products and services or how we can better meet your needs and expectations. You are not obliged to respond and if you do not respond, it will not affect in any way your relationship with Us. 

We also carry out market studies; for this purpose, We can work with market research agencies, which will either conduct market studies for Us, or provide us with market research results and other information related to the subject of such studies. Usually, we receive information regarding the market studies from our partners in anonymised format (aggregated data).

If the processed information (also) contains personal data, We will inform you accordingly.

We will only send you these communications if we have obtained your agreement.

Also, if you do not exercise your right to object, We may use your physical address to send you, by courier or by post, commercial communications (leaflets, catalogs, etc.) with news about our products and services, and invitations to participate in contests or advertising lotteries that We organize on our own or with our partners.

Processing basis:

BRD’s legitimate interest.

Your consent - you can withdraw your consent at any time - for details, please see Section VII d) below.

 

F. PERSONALISED OFFERS  

We want to offer you the most relevant products and services according to your profile and area of interest. Therefore, based on your agreement, We may analyze your data and information from the following sources:

  • Our internal database, such as information from loan records/ other similar documents that We hold as a result of your previous loan requests/ other products and/ or banking services. For example, We are interested in knowing relevant information in order to evaluate your particular situation, such as age, occupation, income, previous transactions or your previous loan application score; and/ or
  • External sources, such as the Trade Registry, Credit Bureau, ANAF. We can also analyze the information you’ve made public on various webpages, including on social networks and forums.  

We analyse and combine this information to provide you with the products and services that best fit your needs and particularities. We may also use the information to avoid sending you offers for products and services that, for various reasons (including our risk policy), are not of interest to you or you would not be able to access by reference to your particular situation. 

Processing basis:

Your consent - you can withdraw your consent at any time - for details, please see Section VII d) below.

 

G. ANALYSES AND INTERNAL STUDIES FOR COMMERCIAL COMMUNICATIONS

We are preoccupied with the constant improvement of our products and services. Based on our legitimate interest, We use the data that we collect from you or other data that we generate/ deduce from the data received from you (such as: age, based on your CNP) for various statistics, analyses and internal studies.

Most internal analyses and internal studies are in anonymous format (aggregated data), providing Us with useful information for improving our products and services. Sometimes, We analyze your data to determine your specific customer profile, to better meet your needs and expectations. For example, We can include you in a campaign that offers a new product that We are addressing only to customers who have made card transactions with a certain frequency.

At the same time, We have a legitimate interest in analyzing your data so as not to disturb you with information that does not fit your profile. For example, We can exclude you from a particular campaign if you exceed the age that We target for a specific product (such as cards dedicated to students).

Processing basis:

BRD’s legitimate interest.

Your consent - you can withdraw your consent at any time - for details, please see Section VII d) below.

 

H. COMPLIANCE WITH LEGAL REQUIREMENTS AND INTERNAL NORMS

We process personal data also for complying with the legal obligations applicable to credit institutions. For example, based on our legal obligations, We submit various reports to relevant institutions and public authorities, such as: (i) FATCA reporting to ANAF, (ii) reporting suspicious transactions to the National Office for the Prevention and Control of Money Laundering (ONPCSB), (iii) reporting payment incidents to the Payment Incidents Center (CIP) within the National Bank of Romania, (iv) notifying ANAF within the Ministry of Economy and Finance, or as the case may be, notifying other competent authorities when identifying persons or designated entities. We also monitor our Customers’ transactions to identify unusual/ suspicious money laundering or terrorist financing transactions, and to prevent fraud.

You can request additional information concerning the reporting made under our legal obligations.

In order to comply with the legal provisions in force, We process personal data through security systems (closed circuit television and visitor’s management/ access control) or access record registers, the data being kept for intervals regulated by the law. The data collected under the legislation on the protection of persons, goods and values may be made available exclusively to the authorities, at their request, respecting the conditions provided by the law.

In addition to the legal obligations, We are also committed to complying with a number of internal requirements/ established at the Société Générale Group’s level on reporting and internal/ external audit that may, in some cases, involve/ have as a source the processing of personal data.

Processing basis:

Compliance with specific legal obligations.

BRD’s legitimate interest and of Société Générale Group to carry out its activity according to internal standards and those established at the Group level.

 

I. DIVIDENDS PAYMENT TO BRD SHAREHOLDERS

Processing basis: Compliance with specific legal obligations.

Sometimes, in our processes We use automated individual decisions, including as a result of creating profiles, which under certain circumstances may have legal effects or, as the case may be, may significantly affect you. In this case, the automated decisions will always be based on one of the legal bases provided by Article 22 GDPR, namely (i) the need to conclude the contract; (ii) the legal authorization; or (iii) the explicit consent of the data subject. 

Thus, We adopt automated individual decisions by virtue of a legal authorization. For example, the law requires Us to implement appropriate know your customer measures for the purpose of preventing and combating money laundering and terrorist financing.

To this end, We check whether you are included in the databases of persons accused of terrorist financing or, as the case may be, in the databases of people with high risk of fraud and, if We find you in these databases, We will refuse to enter into a business relationship with you.

For certain banking products, We use automated individual decisions based on scoring to conclude the contract for the product you requested. For example, We use the loan scoring to assess your eligibility for contracting the requested loan. The algorithms that We use for the loan scoring consider different criteria, in line with our risk policy, such as your financial condition, your creditworthiness, exposure, payment behaviour, employer status, debt history, etc.

The criteria and the algorithms that We consider relevant may vary over time.

We use automated individual decisions also for ensuring the security of the Bank’s products and services, as well as to protect you as much as possible against the risk of fraud, thereby ensuring the proper execution of the contract concluded with you.

For example, We monitor the payments you make online or with your card, and if We identify suspicious transactions (such as repetitive payments that are unusual in frequency, value, etc., or other transactions with illogical sequences - such as payments in different locations (cities) at short intervals, which would not have allowed the holder to travel between those locations by the means currently available), We adopt measures on an automated basis (such as blocking the suspicious transaction, blocking the card, blocking the account, etc.).

Also, if We have obtained your express consent in this regard, We may use automated individual decisions to send you (We or companies within BRD Group, depending on your option) personalized commercial communications (for details, please see Section II F, above).

You will have appropriate guarantees for the automated decisions We take. In particular, you will have the right: (i) to express your point of view on that particular automated decision; (ii) to request a reassessment of the decision, based on human intervention; respectively (iii) to challenge the automated decision.

We may disclose personal data to:

  1. Our main service providers, such as:
     • interbank payment processing and payment information transmission services through schemes/ payment systems and interbank communications (e.g. SWIFT - Society for Worldwide Interbank Financial Telecommunication, STFD Transfond S.A. and NBR for ReGIS and SENT national payment systems);
     • services provided by international cards organizations (e.g. MasterCard, Visa etc.);
     • services provided by payment service providers;
     • services provided by transaction reporting providers to competent authorities or other regulated entities (e.g. Deutsche Boerse, DTCC);
     • cards issuance and personalization services;
     • debt recovery and/ or debt collection services;
     • goods and other assets valuation services;
     • services of capital investment agents/ brokers.
  2. Marketing services providers, such as:
     • Marketing agencies;
     • Market research and surveys agencies;
     • Marketing communication agencies (e.g. e-mailing commercial offers);
     • Partners specialised in organizing lotteries and contests.
  3. Our support-services and/ or auxiliaries providers, such as:
     • electronic communication services (e.g. e-mailing, SMS etc.);
     • real estate agencies;
     • detectives;
     • bailiffs;
     • IT services (e.g. maintenance, support, development);
     • audit services;
     • physical and/ or electronic archiving services;
     • courier services;
     • legal, notarial or other consulting services;
     • staff training services.
  4. Public institutions and authorities in Romania and abroad, such as:
     • National Bank of Romania (NBR);
     • Financial Supervisory Authority (ASF);
     • The National Supervisory Authority for Personal Data Processing (ANSPDCP);
     • National Office for Preventing and Combating Money Laundering (ONPCSB);
     • National Agency for Fiscal Administration (ANAF);
     • Competition Council;
     • National Archives;
     • Courts and other judicial bodies (such as police offices, prosecutor’s offices, The National Anticorruption Directorate - DNA etc.);
     • The Bank Deposit Guarantee Fund, The National Credit Guarantee Fund for Small and Medium Enterprises (FNGCIMM);
     • Deutsche Boerse Approved Reporting Mechanism (ARM).
  5. Certain customers of the Bank with whom you have contractual or legal relationships related to the banking products We provide, such as:
     • Utility services providers (water, electricity, telephony, internet, etc.), for direct debit conventions;
     • Companies with whom you have working relationships and have concluded a payroll convention with Us.
  6. Other partners of the Bank, such as Credit Bureau (including the transmission of negative data), other financial-banking institutions (for example, correspondent banks and other financial-banking entities participating in schemes/ payment systems and interbank communications such as SEPA, ReGIS, SENT, SWIFT), The National Pension House (in the case of pension rights payments through a bank account opened with Us), The Central Depository, pensions and/ or insurance companies, insurance brokers/ damage assessors, investment fund management companies providing for Us or, as the case may be, for which We provide various services.
  7. Entities from the Société Générale Group and BRD Group, under the terms of the law. To check out the complete Group structure, please access https://www.brd.ro/despre-brd/noutati-si-presa/ultimele-noutati

As a rule, We transfer personal data only to states belonging to the European Economic Area (EEA) or states that have been recognized as having an appropriate level of protection by a decision of the European Commission.

We may, however, transfer personal data to other countries than those listed above if:

  1. The transfer is made on the basis of appropriate guarantees (such as, through the use of Standard Contractual Clauses adopted by the competent authority, by using other clauses - subject to their approval by the competent authority or the applicable Corporate Rules at BRD level);
  2. The transfer is necessary to execute the contract with you, for example if you want to transfer an amount of money from your account to a bank account located in a third country, We have to disclose your personal data in order to execute the requested bank transaction. 

Note: In order to be able to make a funds transfer abroad, banks (including the Bank) use the settlement services offered by SWIFT.

SWIFT temporarily stores SWIFT transaction data on servers located in the E.U., but also in the USA. Under the legislation applicable to SWIFT, it may be required to disclose to the US authorities data stored on US servers for the purposes of money laundering prevention and the fight against terrorist financing.

  3. Other cases allowed by the law.

We keep your personal data as long as necessary to meet the purposes for which it was collected, in compliance with the applicable legal provisions, as well as with the internal procedures on data retention (including the applicable archiving rules at BRD level).

 

For example, if you are our customer, We will keep your personal data, as a rule, throughout your contractual relationship with Us, with an additional period of at least 10 years.

Upon request, you can obtain additional information regarding the retention periods applicable to your personal data.

According to the Law, you benefit from the following rights concerning the personal data processing that We perform:

  a) Right of access to personal data: you may obtain from Us the confirmation that We process your personal data, as well as information regarding the specific nature of the processing, such as: the scope/ the purpose, the categories of personal data processed, the recipients of the data, the period for which the data are kept, the existence of the right to rectification, erasure or restriction of the processing. This right allows you to obtain a copy of the processed personal data, as well as any extra copies for a fee.
  b) Right to rectification: you may ask Us to modify your incorrect personal data or, if the case, to fill in the data that is incomplete.
  c) Right to erasure: you may request the erasure of your personal data when: (i) the data are no longer necessary for the purposes for which We have collected and processed them; (ii) you have withdrawn your consent for processing your personal data and We cannot process it on any other legal ground; (iii) the personal data are unlawfully processed, respectively (iv) the personal data have to be erased for compliance with the relevant legislation.
  d) Consent withdrawal: you may, at any time, withdraw your consent regarding the processing of your personal data, data processed on a consent basis.
  e) Right to object: you may object, at any time, to the processing of personal data for marketing purposes, including profiling for the same purpose and you may also object to processing based on Bank’s legitimate interest, for reasons related to your specific situation.
  f) Right to restriction of processing: you may request to restrict the processing of your personal data if: (i) you dispute the accuracy of the personal data, for a period enabling Us to verify the accuracy of the personal data; (ii) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (iii) the data is no longer needed for the purposes of processing, but you require them for exercise or defence of legal claims; respectively (iv) if you have objected to processing, for the period of time during which it is verified whether the legitimate rights of the Bank as an operator prevail over your rights as a data subject.
  g) Right to data portability: to the extent that We process personal data by automated means, you may request, under the Law, to provide you with your personal data that you have provided in a structured, commonly used and machine-readable format (e.g. CSV format). If you request this, We can send your personal data to another entity, if possible from a technical point of view.
  h) Rights related to automated decisions that We adopt in our business: for details, please see Section III above.
  i) Right to file a complaint with the Supervisory Authority: you have the right to file a complaint with the Supervisory Authority if you consider that your rights have been violated:

National Supervisory Authority for Personal Data Processing

Bld. G-ral. Gheorghe Magheru

28-30 Sector 1, postal code 010336 Bucharest, Romania

anspdcp@dataprotection.ro

FOR EXERCISING THE ABOVE-MENTIONED RIGHTS, ITEMS a) - g), YOU MAY CONTACT US USING THE CONTACT DATA REFERRED TO IN SECTION CONTACT.

Contact

If you have any questions about this information note or if you want to exercise your rights as a data subject, you may contact Us using the following contact details:

 

In the attention of: BRD Data Protection Officer (DPO)

Correspondence address: Blvd. Ion Mihalache, No. 1-7, Sector 1, BRD Tower,

postal code 011171, Bucharest, Romania

E-mail: dataprotection@brd.ro

Telephone: 021.301.43.81

 

You can access the document here: Information note on the processing of personal data