Processing of personal data within Garanti Bank SA
This document presents the types of personal data collected and processed within GARANTI BANK SA, the purposes and the reasons for such processing, the recipients of the data, the storage periods, the rights of the persons subject to the data processing.
GARANTI BANK SA is a company headquartered in Bucharest, no. 5 Sos. Fabrica de Glucoza, Novo Park 3, Business Center, Building F, 5th and 6th floors, sector 2, with order number in the Trade Register J40 / 4429/2009, fiscal registration code 25394008, registered in the credit institutions register no. RB-PJR-40-066 / 2009, Registered in FSA Register with no. PJR01INCR/400019, hereinafter referred to as "the Bank".
This information is intended for individuals, such as:
Note: The information presented below differs according to the quality of the person concerned, to the types of products and services chosen or benefited by the data subject, the nature of the purpose of the request addressed to the bank by the data subject, the purpose of the processing, the data recipient.
Personal data processed: name, surname, personal numeric code (CNP), health status, citizenship, address, fixed and mobile phone number, e-mail address, profession, workplace, family, economic and financial situation, preferences / payment / saving / debt behavior, image, voice, information about fraudulent activity, information regarding the inaccuracies found in the documents / statements submitted to the Bank, obtained on the basis of the forms, statements and documents submitted, drafted or completed, data taken from a telephone conversation;
The purposes and bases of the processing. Recipients of personal data
(i) for the purpose of concluding and performing a contract to which the data subject is a party or to take action upon their request prior to the conclusion of a contract, the Bank will process the personal data as follows:
o for the conclusion and execution of the current account contract and, depending on the banking services chosen by the data subject, of the savings account contract, of the deposit contract, of the internet / mobile banking services, the payment of the related payment services and the carrying out of the contractual relation with the Bank, for this purpose the latter being able to perform the following activities (as an example):
- carrying out payment operations, cashes, transfers, foreign exchange, direct debit services, scheduled payment orders, etc. (the recipients of the payment data may be recipients of payment transactions, the corresponding banks, interbank trade clearing services providers - eg TRANSFOND SA, the national payment system paid in Ron offered by BNR-ReGIS, etc. .);
- Transmitting data to Turkyie Garanti Bankasi A.S., a Turkish company, an indirect shareholder of the Bank, which manages its IT system, and to any of its legal successors;
- Transmitting data to the contractual partners of the Bank (from Romania or abroad) in order to provide outsourced services, made for and on behalf of the Bank for the purpose of concluding and performing the current account contract (eg sending notifications, archiving, clients services, etc.);
- the transfer to the payers of the monetary rights (salaries, allowances, pensions, etc.) for me, of the name and surname, CNP and IBAN codes of the current accounts opened in my name, in order for such institutions (employer / Paying Agency / Pension House, etc.) to be able to pay the relative rights in their current account opened with the Bank
o for the conclusion and performance of the credit agreement, of the credit card contract, of the overdraft and of the guarantee contracts, and for this purpose the Bank may perform the following actions (as an example):
- Automatically assessing the eligibility of the person concerned for granting the credit and the issuing of an automated exclusive decision; to the extent that the decision is negative, the credit request will be rejected. To the extent that the decision is a positive one, the Bank will continue the analysis of the possibility of granting the credit, the final decision not being based solely on automatic processing. The above mentioned automatic rating is based on a score calculated at the level of each credit applicant indicating the probability of repayment or non-repayment of the credit, a score developed based on both the socio-demographic characteristics of the applicant and on the behavioral characteristics of the applicant, with the aim of separating the applicants with high potential to be good payers, from those with inappropriate payment behavior;
- analyzing the credit repayment capacity;
- assessment of the goods registered as guarantee (in which case the recipient of the data is the Assessor);
- analysis of the documents related to the real estate proposed as guarantee (in which case the recipient of the data is the notary office);
- the transmission of notifications regarding the modification of the contractual clauses, notifications regarding the delay in payment of the installments, etc.
- sending data to Turkyie Garanti Bankasi A.Ş. (and any of its legal successors), a Turkish company, an indirect shareholder of the Bank, which manages its IT system;
- Transmitting data to the contractual partners of the Bank (from Romania or abroad) in order to provide outsourced services, made for and on behalf of the Bank (eg transmission of notifications, archiving, customer service, etc.).
- if the loan requested by the client is guaranteed by the National Credit Guarantee Fund for Small and Medium Enterprises - FNGCIMM IFN SA or by the Rural Credit Guarantee Fund - FGCR IFN SA, the Bank shall transmit to the latter non-bank financial institutions the data necessary for the approval and execution of the guarantee related to the respective credit facility
o for the conclusion of the insurance contract, if the conclusion of the insurance is a condition for the granting of the credit or the credit product has an insurance attached, in which case the Bank will transmit the data to the insurance companies;
o for the refinancing of the loan, if the person concerned requests this service to another financial institution, in which case the Bank will send to the latter the data necessary for the refinancing.
(ii) for the Bank's performance of legal obligations, such as:
o establishing the identity of the person concerned in order to fulfill the legal obligations of the Bank in the field of customer knowledge, money laundering prevention and combating terrorism;
o Transmitting information to law enforcement authorities to request and receive such information, for example courts of law, prosecutor's offices, bailiffs, the National Office for the Prevention and Control of Money Laundering (ONPCSB), tax authorities, notaries, authorities with supervisory and control role in banking, etc .;
o the transmission by the Bank of information about the credit granted to the Credit Risk Center, the database functioning at the National Bank of Romania;
o transmitting mandatory notifications based on legal provisions, for example, but not limited to notifications of starting the forced execution procedure, the notification of the debt assignment;
o the transmission by the Bank to another credit institution of the information required for the provision of the account change service, based on the legislation on the comparability of commissions related to the payment accounts, the change of payment accounts and the access to the basic services payment accounts, in case the holder will require the provision of such a service;
o the transmission by the Bank to the payment service providers and to the information service providers of the information required for the provision of such services under the payment services legislation, if the holder requests the provision of such services. The Bank will not be able to refuse the transmission of personal data in such situations; consequently, if the data subject does not agree to the transmission of the data to a particular provider / providers, I assume that the Bank will not initiate information operations on accounts or on payment transactions through them.
o video surveillance of the Bank's premises, representing access areas, both from the outside and from the inside, working areas with the public, driving routes and access to the storage areas of the values.
(iii) in order for the Bank to exercise a legitimate interest, as follows:
o the transmission of personal data to the entities belonging to the Garanti group (all affiliated entities, as well as all the direct and indirect shareholders of GARANTI BANK SA), formed at this time by: Garanti Holding B.V. and G Netherlands B.V. (The Netherlands), Garanti Bilişim Teknolojisi ve Ticaret TAS., Turkyie Garanti Bankasi AS (Turkey), Banco Bilbao Vizcaya Argentaria SA (Spain), Ralfi IFN SA, Motoractive IFN SA, Motoractive Multiservices SRL (for the legitimate purpose of consolidated supervision at group level, for example, analyzing the financial situation of the entities in the group, identifying the risks associated with the group's activity, etc.)
o the use of the data by the Bank for statistical purposes, subject to their pseudonymization;
o transmitting information to debt recovery companies in order to collect outstanding amounts on credit;
o periodical reporting and consulting of data (identification data: name, surname, personal identification number, home address / residence and mailing address, fixed / mobile phone number, date of birth, country code and passport series/ number for non-resident persons; employer's name and address; data concerning the credit-type products required/granted: the type and name of the Participant, the type of product, the status of the product / account, the date of granting, the grant period, the amounts granted, the amounts due, the maturity date, currency, payment frequency, amount paid, monthly installment, outstanding amounts, number of outstanding installments, number of days of delay, delay category, date of closing of the product; data about events occurring during the course of the credit product, such as those relating to restructuring / refinancing, payment, assignment of the credit agreement, assignment of the claim; data concerning the relations with other accounts: information on credit type products to which I am the co-debtor and / or guarantor; insolvency data: information on the data persons against whom an insolvency procedure has been opened; number of queries: the number of Credit Reports issued by the Credit Bureau, at the request of one or more Participants) to the Biroul de Credit SA, headquartered in Bucharest, no. 29 Sfanta Vineri Street, 4th floor, sector 3, a private law entity administering the Credit Bureau System, in which personal data are processed in relation to the lending activity of the Participants (credit institutions, non-banking financial institutions, insurance companies and debt recovery which signed a Participation Contract with Biroul de Credit) for the carrying out of a responsible crediting activity companies under the protection, facilitation of access to credit and prevention of excessive indebtedness of the data subjects, under compliance with the legal framework for the assessment of creditworthiness and of the credit risk diminishing, and of preventing the use of the financial and banking system in order to carry out activities contrary to the law; The Bank has the obligation, in accordance with the legal regulations in force, to assess the ability of the data subject to repay the loan before concluding a credit agreement and during the course of the credit. For this purpose, the Bank processes the above-mentioned information, registered on your name in the Registries, and transmits it to the Credit Bureau for the purpose of processing by this institution and for the purpose of consulting it by any Participant for the purpose of initiating or conducting a credit relation, and for credit-type insurance.
The above-mentioned personal data may be processed by the Credit Bureau, also with the purpose to calculate, at the Participant's request, the FICO® Score from the Credit Bureau.
The Bank and the other Participants use the FICO® Score from the Credit Bureau to reduce the credit risk associated with a debtor / potential borrower. FICO® Score from the Credit Bureau is a number between 300 and 850 obtained from the statistical process that processes the information recorded by the Participants in the Credit Bureau System and indicates the likelihood that the data subject will pay his interest rates in the future. The main causes of the FICO® Score decrease from the Credit Bureau are displayed under the form of reason codes. FICO® Score from the Credit Bureau takes into consideration the following elements that give predictability: payment history, current debt, duration of the account / credit accounts (the average number of months from the granting of credits), the demand for new credits (the number of queries and credits granted over the past 6 months), credit mix (types of credits granted), age of the data subject. The influence of these elements on the FICO® Score from the Credit Bureau may vary depending on the information recorded at the Credit Bureau for each data subject. FICO® Score from the Credit Bureau is a highly predictive analytical tool that, along with the Credit Report data and the information obtained from the Participants from other sources, competed for the correct assessment of the creditworthiness of the data subject for the conclusion/ performance of the contract credit.
o Enrollment of the Real Estate Guarantees Electronic Archive (A.E.G.R.M.) of the real estate guarantees established for the Bank, for the guarantee of the credit, in order to carry out the pratices for advertising thereof and to ensure the Bank's priority in the performance;
o transmitting data to the assignors of the receivables, if the Bank will assign the receivables related to the credit contract / agreements in which the data subject is / was a party;
o transmission of data to the judicial executors in order to execute the guarantees and to recover the debts related to the credit contract;
o video surveillance of bank machines in order to prevent fraud and to solve any complaints
(iv) processing of personal data on the basis of the consent of the data subject:
o for the purpose of consulting the information registered with the Biroul de Credit SA on behalf of the data subject, such as information about the credit products, similar or insurance products, or other commitments that which they benefit from or benefited from, such as the credit limit, the duration of the credit, payment history, current balance, outstanding value and any information related thereto, for the purpose of assessing solvency, of reducing the credit risk, and of determining the indebtedness degree.
o for the purpose of consulting the information registered in the database of the National Agency of Tax Administration (ANAF), regarding the quality of the person targeted by the taxpayer and of the level of the income thereof, for the purpose of evaluating the eligibility for granting the requested loan (Agreement on Interrogation and Processing of Information). The Bank may request on behalf of the taxpayer, tax information about the applicant for the period of the last 2 completed tax years, including the information related to the period between the last fiscal year ended and the date of their request.
o for the purpose of consulting, in order to initiate the credit relationship, the banking risk information, such as the situation of the global risk and the situation of the outstanding loans recorded at the Credit Risk Center, the structure functioning at the National Bank of Romania, in relation to the data subject
o for publicity, marketing and advertising purposes, profile creation and personalized offers (according to the person's options).
The processing of personal data required by Garanti Bank SA to initiate a business relationship / by other forms / channels is mandatory, except as a rule, where the processing of the data is based on the consent of the person concerned (eg. In case of marketing or automated decision making that produces significant legal effects or significant similar effects and which are not necessary for the performance of a contract or the fulfillment of a legal obligation). In other cases, the refusal of the data subject will cause Garanti Bank SA to be unable to provide services or financial-banking products.
The Transfer of Personal Data Abroad
In fulfilling the above purposes, Garanti Bank SA will transfer the personal data abroad only if, in the recipient country, is ensured an adequate level of personal data protection recognized by a European Commission decision such as the countries of the European Economic Area (EEA).
In the absence of such a decision of the European Commission, the Bank may transfer personal data to a third country only if the person processing the data on behalf of the Bank offered adequate safeguards provided by the law to protect personal data.
The Bank may be contacted to obtain additional information on the guarantees offered for the protection of personal data in case of any transfer of data to foreigners through a written request to do so.
The period for personal data storage
The Bank will store personal data for periods of up to 10 years from the termination of the contractual relationship / transaction / data provision (depending on the quality of the data subject, of the products and services they benefit from, of the relationship thereof with the bank, etc.) given the banking legislation provisions on customer knowledge, money laundering prevention and terrorism financing, the provisions of the Accounting Law, the need to defend / preserve the rights of the Bank in a possible litigation, the provisions of the legislation regarding the guarding of objectives, goods, values and protection of persons, the legitimate interest of the Bank to perform video surveillance of the bank machines in order to prevent fraud and to resolve any complaints.
For the purpose of archiving the data under the National Archives Act and taking into account the Archival Nomenclature (approved by the National Archives) applicable at the level of the Bank and for the data processing by the Bank for statistical purposes, the data may be stored for periods longer than those indicated above.
As far as the processing for marketing purposes is concerned, it will cease at the moment of withdrawal of the consent granted to the Bank for this purpose, regardless of whether the above-mentioned storage periods have been fulfilled or not.
Rights of the person concerned
The person concerned has the possibility to exercise, under the conditions and in the cases provided by the law, the following rights regarding the personal data processed by the Bank:
(i) the processing of personal data is based on basis of the consent granted for processing or is based on the performance of a contract; and
(ii) the processing is carried out by automatic means;
(i) the personal data are no longer required for the purposes for which they were collected or processed;
(ii) I withdraw the consent on the basis of which the processing takes place and there is no other legal basis for the processing;
(iii) I exercise my right of opposition with regard to the processing of personal data and there are no legitimate reasons to prevail in the processing;
(iv) I exercise my right of objection with regard to the processing of personal data for the purposes of direct marketing;
(v) the personal data were processed unlawfully;
(vi) the personal data must be deleted to comply with a legal obligation of the Bank.
There may be situations where the Bank will not be able to respond to the data deletion request, namely:
(i) in cases where the Bank has a legal obligation to store personal data;
(ii) in cases where data are stored for purposes of archiving in the public interest or for statistical purposes;
(iii) in cases where the data are necessary for the establishment, exercise or defense of a right in Court.
(i) where the data subject challenges the accuracy of the processed data; the restraint will operate for a period that will allow the Bank to verify the accuracy of the data;
(ii) if the processing is illegal and the data subject will object to the deletion of personal data, requesting instead the restriction of their use;
(iii) The Bank no longer requires personal data for processing, but the data subject will request them for the establishment, exercise or defense of a right in Court,
(iv) if the data subject has exercised his right to oppose data processing, unless the processing is for direct marketing purposes; the restraint will operate / will apply for the period of time to verify that the legitimate rights of the Bank override the rights of the data subject.
The above-mentioned rights may be exercised by sending a request to GARANTI BANK SA, at its headquarters, to any of the branches of the Bank, as well as by electronic means, to e-mail firstname.lastname@example.org, providing sufficient data to allow the applicant to identify the applicant by the Bank.
The contact details of the Data Protection Officer are:
GARANTI BANK SA, with headquarters in Bucharest, Sos. Fabrica de Glucoza nr. 5, Novo Park 3, Business Center, Building F, 5ht and 6th floors, 2nd District, number in the Trade Registry J40/4429/2009, tax registration number 25394008, registered in the Credit Institutions Registry with no. RB-PJR-40-066/2009, hereinafter referred to as the „Bank”, , shall process your personal data provided in relation with this request, as follows:
Personal data processed: surname, name, personal code (CNP), address, phone number, e-mail address and any other data provided to the Bank based on this suggestions and complaints form;
Processing purposes. Personal data recipients.
(i) In order to register your suggestion / complaint and to take steps to resolve it, the Bank will process your personal data as follows:
(ii) for the Bank's performance of legal obligations, such as:
(iii) in order for the Bank to exercise a legitimate interest, as follows:
Transfer of personal data abroad
In fulfilling the above purposes, Garanti Bank SA will transfer the personal data abroad only if an adequate level of personal data protection recognized by a European Commission decision such as the countries of the European Economic Area (EEA) is ensured in the recipient country.
In the absence of such a decision of the European Commission, the Bank may transfer personal data to a third country only if the person processing the data on behalf of the Bank offered adequate guarantees provided by the law to protect personal data.
The Bank may be contacted to obtain additional information on the guarantees offered for the protection of personal data in case of any transfer of data to foreigners through a written request for this purpose.
The period of personal data storage
As long as you are a customer of the Bank, the Bank will store the personal data for the duration of our contractual relations and after the termination of these relationships for a period of maximum 10 years, taking into account: the banking legislation on customer knowledge, the provisions of the Accounting Law on keeping the supporting documents underlying the records in financial accounting, the need to protect / preserve the Bank's rights in a possible litigation;
Unless you are a Bank customer, the Bank will store your personal data for a period of 3 years considering the need to protect / preserve the Bank's rights in a possible litigation.
For the purpose of archiving the data under the National Archives Act and taking into account the National Bank Archival Nomenclature (approved by the National Archives) applicable by the Bank and for the data processing by the Bank for statistical purposes, the data may be stored for periods longer than those indicated above.
You will be able to exercise, in the cases and under the conditions provided by the law, the following rights regarding the personal data processed by the Bank:
There may be situations where the Bank will not be able to respond to the data deletion request, namely:
The above-mentioned rights may be exercised by sending a request to GARANTI BANK SA, at its headquarters, to any of the branches of the Bank, as well as by electronic means, to e-mail email@example.com, providing sufficient data to allow the identification of the applicant by the Bank.