INFORMATION NOTE ON PERSONAL DATA PROCESSING
CEC BANK SA, with the registered office in 13 Calea Victoriei St., 3rd district, Bucharest, registered with the Trade Register under no J40/155/13.01.1997, UTRN: RO 361897, hereby informs you that starting with May 25th, 2018, Regulation No 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "Regulation") shall be enforceable.
In this respect, you must know that, when choosing to acquire a bank product or service offered by CEC BANK SA, the Bank shall process the personal data you provided to us either based on a legal or contractual ground, on a legitimate interest of the Bank, or on your acknowledgement concerning such processing. Your personal data are processed either directly by CEC BANK SA (as “data controller”) or by authorized entities (as “data processors”) that process the personal data on behalf of and for the data controller.
For clarity, a few definitions are given below:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Personal data processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Personal data subject” means the applicant for a product or service offered by the data controller, its processors, as well as any other natural persons whose personal data can be transmitted or collected by the data controller, in view of developing the personal data processing activities, both in own purpose and for and on behalf of its contractual partners, according to the goals established by the latter.
“Agreement” means the legal deed concluded with the data controller, based on which the data controller shall provide bank products and services. To the purposes of this Information Note, any references to the Agreement shall be deemed as indicating all agreements to be concluded by the data controller.
We inform you that the Bank may process the following personal data categories:
I. The personal data we are provided by you (as personal data subject), as:
a. Identification data of the natural person/certified natural person: first name, last name, father/mother initial, mother surname before marriage, residence/registered office address, personal numeric code/unique ID code, civil status data, fixed/mobile phone number, ID series and number, driving license number, passport series and number for non-resident natural persons or other identification data, as collected by making copies of the documents containing them or as transmitted by the personal data subject on electronic support;
c. Financial and fiscal information (including revenues gained from any kind of activities: employed activities, authorized/independent/liberal activities, pension, social security and leasing activities, related taxes, duties, contributions and other contributions owed to the State budget);
d. Photo and video images, including closed-circuit television camera (CCTV) monitoring system images, when you come within Bank premises, including at the related bank ATMs;
e. information on movable/immovable properties (including Real Estate Register registrations, AEGRM registrations, etc.);
f. Specimen signature;
g. Health condition information.
Those personal data are necessary for activities such as preparing the financial-banking product and service offers, establishing the creditworthiness and solvency, conclusion, execution, changing or termination of the Agreement, receipts and payments from/into bank accounts, authentication in Bank systems, settlement of the complaints. For the PNC and other identification data processing, such processing is based on the legal obligation of the data controller, in capacity of bank unit, to identify and know customers in order to prevent money laundering and control terrorism. The PNC is also necessary in case of loan product applications to consult the Credit Office and to determine the FICO score.
Processing of photos and video images is based on the legal obligation of the data controller, in capacity of bank unit, to identify and recognize persons who enter the Bank locations and to keep the evidence thereof to provide security guard for objects, goods, valuable assets, as well as protection for persons.
Your refusal to provide us with those data shall render us unable to provide you with the bank products and services you want or to reply to your application addressed to the Bank.
II. Personal data that the Bank processes in connection with the provision of banking services, such as the following:
a. Data concerning the transactions performed (information on the manner of using bank products and services, credit or debit cards, personal need loans or any services subject-matter of the Agreement);
b. Location data (such as the location of the ATM mainly used);
c. Data concerning the creditworthiness, FICO score (for credit products);
d. Commercial data (such as number and type of bank products and services acquired, payment term and history of payments, preferred payment methods for the loan installments).
Your personal data processing can be based on the following grounds:
a. Conclusion and execution of the Agreement (i.e., determination of your solvency);
b. Legal obligation of the controller (reporting to public authorities, processing of your personal data to comply with the legal obligations imposed by the regulations against money laundering and terrorism control etc.);
c. The legitimate interest of the controller (such as prevention and control of bank frauds, recovery of receivables);
d. Acknowledgement of the personal data subject (for instance, for transmission of marketing communications, launch of new products and services, information on services and related accounts, saving products and advantageous loans, cards, improvements brought to products and services in the portfolio etc.), messages on special occasions (for instance, on the occasion of the Bank Day, customer’s birthday, day of anniversary of the relationship with the Bank), offers of partners (such as those of the life insurance providers, travel insurance providers etc.).
Your personal data will be processed for the following purposes:
1. Preparation of the financial service offers, conclusion, execution, amendment to or termination of the Agreement, opening of the account, provision of bank products and services, management of accounts, deposits, receipts and payments, reply to customer’s applications or complaints;
2. Provision of Customer Relation Services (including Phone Banking Service), transmission of information notes and notices, provision of technical support/advice services for internet banking, mobile banking and phone banking solutions;
3. Check of the account balance, banking operation history in order to reply to your requests addressed to the Bank;
4. Check and recovery of the debts, including for receivable assignment;
5. Establishing and change of the loan limits;
6. Identification and prevention of the banking frauds;
7. For internal or external audit and control activities;
8. For marketing purposes, by transmission of commercial communications concerning the promoting offers, new or existing products or services, information on accounts and related services, information on saving products and advantageous loans, on cards etc., messages on special occasions (for instance, on the occasion of the Bank Day, customer’s birthday, day of anniversary of the relationship with the Bank), offers of partners (such as those of the life insurance providers, travel insurance providers etc.);
9. Carrying out internal research and statistical studies, market studies, customer satisfaction surveys etc.
When you apply for a lending product from the controller, we will evaluate your solvency and your credit risk potential and fraud risk potential. The solvency and credit/fraud risk potential evaluation procedure may imply taking a decision automatically, based on the risk profile of the personal data subject. Automatic decision-making is necessary to conclude, execute and amend the Agreement with the data controller.
When evaluating the credit and fraud risk, the controller interrogates the Credit Office – a share company with 25 banks as shareholders, which provides information on the debtors having outstanding debts for more than 30 days past due or fraudulent debtors or persons with inconsistencies in their statements, as well as FICO score-type information, as built based on an international statistic model applied to the database of the Credit Office. The Credit Office scoring is a number between 300 and 850, showing whether the relevant natural person is likely to pay his/her loan installments timely in the future. In case of failure to pay the due amounts/guarantees/pre-payments on due dates or in case of fraud, the personal data can be transferred to the Credit Office and such information can be accessed by third-parties with authorized access right (banks, IFN etc.).
Based on the score above, the controller shall decide whether you comply with the requirements for granting a loan or not.
To always provide you with the best products and services, we have constant partnerships with different related service providers, to whom we can transmit your personal data based on one of the aforementioned grounds. Such providers will process your personal data either as processors or as independent controllers; in the latter situation, they will be directly and fully responsible for complying with the personal data protection laws.
The categories of beneficiaries of your personal data collected by the controller may be:
(a) Other bank product and service providers subcontracted by the controller to execute the Agreement;
(b) Insurance service providers;
(c) Communication editing and enveloping service providers;
(d) Receivable recovery companies/ natural person or legal entity third-parties interested in non-performing receivable assignment (or in purchase of assets mortgaged in favor of the controller, subjected to legal proceedings);
(e) Companies providing mailing/courier services;
(f) Suppliers of cards and payment methods;
(g) Call-center type service and customer support service providers;
(h) Market /customer satisfaction study companies;
(i) Contractual partners of the controller, for promoting their products and services;
(j) Public authorities (NBR, ANAF, Ministry of Public Finances, National Office for Money-laundering Prevention and Control, Court of Auditors, National Authority for Consumer Protection etc.);
(k) Credit Office of the Credit Risk Center, the Electronic Archive for Security Interests in Movable Property;
(l) Contractual partners, in view of performing your instructions, respectively, the obligations to you assumed by CEC Bank (Guarantee Funds, public utility/service providers, insurance companies etc.);
(m) Law courts or arbitral courts, as well as authorities having powers to investigate criminal facts, and, upon their request, receivers and insolvency professionals;
(n) Service providers, contractual partners of the controller, providing support for provision, setup, installation, operation, maintenance of services provided by the controller;
(o) Other controller’s agents/subcontractors (i.e., notary public, legal support companies, promoting event organizing companies etc.).
PERSONAL DATA TRANSFER OUTSIDE EU/EEA: The personal data of the Customers benefiting from banking services performed through SWIFT are transferred abroad (for instance, to USA or Belgium), to the operating centers of SWIFT, where they can be accessed to control terrorism. CEC Bank shall require the relevant beneficiaries, by contractual clauses, to protect the relevant personal data according to the requirements of the Regulation.
To establish your personal data processing term, we take into consideration the contractual term until the fulfillment of the contractual obligations and the legal and internal archiving terms.
The personal data collected by the controller shall be processed: (i) throughout the Agreement term; (ii) subsequent to the Agreement termination, for a period of time established according to the internal regulations; (iii) subsequent to the expiry of the storage term, if keeping further the personal data collected is required according to the laws applicable to the banking industry, but without exceeding the maximum term established by such laws or the storage terms set forth by the banking laws and the data storage policy of the controller.
As a general rule, your personal data collected in order to send you commercial communications shall be processed for this purpose until the date of withdrawal of your acknowledgement or according to the personal data storage policy of the controller, as the case may be.
a. The right to be informed on the personal data to be processed by the controller;
b. The right to obtain from the controller, the confirmation of the processing of your personal data and, if confirmed, the access to the relevant personal data and information concerning the processing purposes, the personal data classes subjected to processing, the personal data beneficiary(ies), the expected storage term and, if your personal data are not directly collected from you, in addition, information on the source of those data and on automatic decision-making process, if any, including generation of profiles;
c. The right to correct your inaccurate personal data or to complete them;
d. The right to delete your personal data according to the applicable legal provisions concerning the personal data protection;
e. The right to restrict the processing when: the personal data subject challenges the data accuracy, the processing is illegal, the personal data subject opposes data deletion, the controller no longer needs the personal data for processing them, but the personal data subject requests them to find, exercise or defend one of his/her rights in court, for the timeframe when it is checked whether the legitimate interests of the controller prevail over the rights of the personal data subject or not;
f. The right to data portability, consisting in the possibility to request the controller to transmit your personal data, under a structured format currently used and automatically readable, as well as in your own possibility to transmit your personal data, to another controller;
g. The right to oppose the processing of your personal data anytime, for free and without the need for a supporting, in case of: (i) receipt of commercial communications; (ii) adoption of an automatic decision, including generation of profiles; (iii) development of processing activities required to satisfy a legitimate interest of the controller. In case of unjustified opposition, the controller shall be entitled to further process your personal data. If, during the Agreement execution, the concerned personal data subject exercises its opposition right repeatedly and unjustifiably, the controller hereby reserves the right not to reply to such requests. The opposition right may not be exercised concerning the personal data processing required to execute the Agreement;
h. The right to request the controller not to adopt automatically a decision concerning the generation of profiles and resulting in legal effects that concern or affect the personal data subject to a significant extent. Concerning the adoption of a decision solely based on automatic decision-making process, the concerned person shall have the right to express his/her point of view, to request the intervention of a human controller, as well as to challenge such a decision through the method described in this information notice;
i. The right to lodge a complaint to the National Supervisory Authority for Personal Data Processing (ANSPDCP);
j. The right to refer to the law courts.
To exercise the rights set forth by letters a)-h) above, you can forward a written request, dated and signed, to the controller, in any CEC BANK SA unit or through electronic messaging within the Internet Banking Service - CECONLINE, or by sending it via email, signed under the Electronic Signature Law, to the Personal Data Officer, at the address email@example.com.
The aforementioned information shall be permanently available for you, under updated format, on the website www.cec.ro, respectively, upon request, under printed format, in any territorial CEC BANK SA unit.