Notification on personal data processing
UniCredit Bank S.A. (the "Bank"), a company administered in a two-tier system, having its legal seat in Romania, no. 1F Expozitiei Boulevard, Bucharest, Sector 1, registered with the Trade Register under no. J40/7706/1991 and in the Banking Register under no. RB-PJR-40-011/18.02.1999, sole registration code 361536, fiscal attribute RO, subscribed and paid-in registered capital of RON 455,219,478.30, as Personal Data Controller, processes your personal data ("Personal Data") in good faith and for the purposes specified in the present Notification, in accordance with the provisions of Regulation (EU) no. 679 from 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (the "Regulation").
These Personal Data belonging to you, as a client and a Data Subject, were provided to the Bank by you on the date of execution of the contract with UniCredit Bank and/or of an insurance policy and/or on the date of submitting an application that requires the provision of services by the Bank and/or throughout the performance of the contractual relationship and/or by a payment services provider that you contracted.
1. Depending on the products and banking services you purchased from the Bank, PROCESSED PERSONAL DATA are the following:
a) Name and surname, alias, client code, personal identification code or tax registration number, as applicable, birth date and place, gender, citizenship, marital status, series and number of the identity card/passport, other data in the marital status documents, address (domicile/residence/mailing address), fiscal residence jurisdiction, phone/fax, e-mail, username for Online Banking/Mobile Banking, data regarding the token device – DIGIPASS (series) or Mobile Token (phone number, for activating Mobile Token/Mobile Banking applications), other data necessary for accessing and using these electronic payment instruments (identification /registration /authentication /connecting /authorization codes), voice, image, signature;
b) education, professional and fiscal circumstances, occupation, position, workplace, domicile type (e.g., owned property, rental, etc.), as well as their history, political exposure, if applicable, and the public office held, data on penalties, if any, data on the beneficial owner;
c) source of funds, economic and financial circumstances, data on the assets held, banking data, inclusively with regard to the banking products purchased, banking transactions and insurance products, data on liquidity, payment obligations (e.g. monthly expenses, insurances, taxes, duties, etc.), the number of family members and dependants, data on health status, required for the taking out of specific insurance products;
d) in case of credit products, data of the spouse/partner (co-debtors), as mentioned above, as well as the type of commitment, monthly payment amount, data of guarantors and assignees in the relationship with the Bank, contact person, litigations of the applicant and co-debtor, affiliation to a group of clients, other data that will be communicated to and processed through the Credit Bureau System, as the case may be, negative (e.g., product type, period, amounts and outstanding payments, due date of the outstanding payment, number of delay days, etc.) and/or positive (e.g., product type, period, amounts granted and owed, credit currency, frequency of payments, amount paid, monthly payment, employer's name and address, etc.), information on the position of guarantor, co-debtor or beneficiary of the insurance policy; in case of existence of a group of clients, the Bank shall also process personal data of persons in the group (spouse, relatives and kin up to the second degree), with risk exposure towards the Bank.
e) data regarding the suspension of the payment obligations towards the Controller, according to the relevant legislation (e.g., GEO no. 37/2020 on granting facilities for loans granted by credit institutions and non-banking financial institutions to certain categories of borrowers and the methodological norms issued in applying GEO no. 37/2020, approved by GD no. 270/2020), information that will be communicated and processed in the Credit Bureau System;
f) relevant information that generates the requests for suspension of the payment obligations of the Data Subject to the Controller, according to the law, such as: affecting the Data Subject’s personal income and / or the Data Subject’s family income, directly or indirectly, by the serious situation generated by the COVID-19 pandemic versus the level registered prior to the declaration of the emergency state; the impossibility to honor the payment obligations related to the credit as a result of the intervention of one or more of the following causes, but not limited to: the entry of the data subject / his family members into technical unemployment as a result of the closing / restriction of the activity of the employer, the dismissal of the data subject / members of his family, reduction of the salary of the data subject / members of his family, placement of the data subject in institutionalized quarantine or isolation at home, becoming ill with COVID-19 and the like.
g) only to the extent that you provided an agreement to this effect, the Bank will be able to provide the following data to group companies for the purpose of analyzing your eligibility for a financial product offered by these companies: data on the credit relationship that the data subject has with UniCredit Bank SA such as: the maximum daily balance related to the last 3 months regarding all transactions on accounts (current and deposit / savings), total credit transactions related to the total amount of transactions related to the last month on current accounts; the number of months since the data subject is the client of UniCredit Bank SA (he was first registered as a client of UniCredit Bank SA); current account balance at the end of the month; the number of months since the current account was closed; the number of months since the last current account was opened; credit card limit; credit card use for the last semester; credit card usage for the last quarter; data regarding the collection of receivables (collection stage / situation of each loan / exposure within UniCredit Bank SA); region code; information if the data subject transfers his / her salary income to the accounts opened with UniCredit Bank SA; the period in which the data subject had the salary income transferred to his accounts opened with UniCredit Bank SA, respectively the number of consecutive months, for the last 12 months; the total balance of all active loans without guarantees; the total balance of all active loans (guaranteed and unsecured); the total amount representing the following payment rates related to all active loans;
h) data in the area of risk management / data modeling such as general data (bank / customer account identifier), socio-demographic data (e.g., studies, profession), limits and durations of loans granted, existing balances of loans granted, outstanding amounts, information on restructuring / blocking of accounts (e.g., seizure), risk class;
i) Additional information on how the Mobile Banking application processes personal data can be found HERE
2. Personal data are processed by the bank for the following PURPOSES:
a) conclusion of the contractual relationship with the Bank, based on your application to provide the services and bank products (e.g., bank accounts, Online B@nking, Mobile B@nking, debit/credit card, DigiPass, Info SMS, safe deposit box rental, credit etc.), according to your request and the execution of the respective contractual relationship, including carrying out the necessary formalities for the analysis, approval and implementation of the suspension of your payment obligations resulting from the mortgage credit agreements, according to the law, when appropriate;
b) prevention and control of fraud, funding of terrorism and money laundering, performance of know-your-customer analysis, risk analyses, respectively the reporting of suspicious transactions;
c) reporting to and checking of all databases managed by the Central Credit Register, Biroul de Credit S.R.L. and National Tax Administration Authority;
d) reporting to the state institutions, including for FATCA purposes (The US Foreign Account Tax Compliance Act)/CRS (Common Reporting Standard) and for the performance of activities related to inspections by authorities, such as ANAF, ANPC, BNR, ANSPDCP, etc;
NOTE: taking into account the provisions of GEO no. 37/2020 according to which starting with 09.04.2020, the registration of the information regarding the credits granted to the natural persons to whom the request to suspend the obligations to pay the installments, for all the credits registered with the Credit Bureau is suspended and suspended on payment by the creditors, the Controller will record the comment "Suspended on payment". Subsequently, in the payment suspension period, the Controller will transmit at each maturity date the information regarding the fact that the installment and the amount paid are zero. The credit score will not be affected by the comment "Suspension on payment", as it does not influence the calculation algorithm. The payment suspension is information that belongs to the category "Data regarding events that occur during the period of the credit product development", which can be processed in the Credit Bureau System based on the legitimate interest and for which the data subjects were previously informed according to art. 13 and 14 of the EU Regulation. Details on www.birouldecredit.ro;
e) collection of debts, recovery of receivables, foreclosure of amounts owed to the Bank, management of garnishments and distraints;
f) reporting within UniCredit Group*1 for prudential purposes and for the accounting consolidation in the Group, inclusively for the performance of an effective risk management process within the Group and for the management and monitoring of Group clients;
g) conducting a complex, accurate and integrated assessment of your eligibility in the context in which one of the group companies will analyze the possibility of offering you a financial product, in order to optimize the credit analysis process and estimate as accurately as possible the probability of default, in compliance with the relevant legislation, only if you have provided an agreement to this effect;
h) carrying out statistical modeling activities in the area of risk management, based on the legitimate interest of the Controller to take all necessary actions to ensure a more efficient risk management at Group level, including by facilitating the prudential control of UniCredit Bank SA over its subsidiaries with risk-weighted exposure values;
i) release of contractual insurance documents and establishment of the quantum of payment obligations in case of occurrence of insured risks, in case the contracted banking product involves taking out an insurance (life/assets);
j) monitoring, security and protection of persons, spaces, assets, via the video cameras located in the Bank offices;
k) registration of communications via the fax machine, digital channels (e.g., Online Banking, Mobile Banking, e-mail) and phone calls made by the Contact Centre of the Bank, in order to streamline and improve the services provided to the client, execution and performance of contracts with clients in optimal conditions, respectively the performance of telephone and on-line transactions;
l) performance of reviews that may lead to your profiling for direct marketing purposes (e.g., evaluation of held banking products, history of bank transactions made, calculation of indicators in the evaluation of creditworthiness/credit risk, etc.) and direct marketing, by the use of means of communication, inclusively of the automated calling systems that do not require the intervention of human operators, respectively physical mail, phone call, email, SMS, fax, Online / Mobile B@nking, such as for the receipt of newsletters/other commercial communications, for the promotion of products/services of UniCredit Group (funding/lending/other types), in case you expressed your agreement to such marketing;
m) review of the client satisfaction and quality of services and products purchased, on the ground of the legitimate interest of the permanent improvement of Bank services and products;
n) for statistical purposes;
o) in order to provide account information in case you request it through account information service providers;
p) in order to execute payment orders that you initiate through payment initiation service providers;
q) in order to confirm the availability of funds (if an amount necessary for the execution of a card based payment operation is available in the payment account accessible online), at the request of a payment service provider issuing the card based payment instrument;
r) in order to safeguard the prevention, investigation and detection of payment fraud (including as regards the actions that concern you or carried out for you by third party payment service providers, respectively account information service providers, payment service providers that issue card based payment instruments, payment initiation service providers).
3. Personal data are processed by the Bank on the following legal GROUNDS:
a) based on your consent (e.g., for direct marketing, for the assessment by one of the group companies of your eligibility for a financial product), on the grounds of art. 6 (1) letter a) of the Regulation;
b) for the performance of a contract where the Data Subject is a party or to take efforts to execute a contract (e.g., provision of the banking product, communication with the Data Subject for the performance of the contract, providing account information, confirming the availability of funds, executing payment orders initiated by the data subject through a third party payment service provider, suspension of payment obligations under GEO 37/2020, etc.), on the grounds of art. 6 (1) (b) of the Regulation;
c) for the observance of a legal obligation of the Bank (e.g., preparation of reports to competent authorities, know-your-customer for the prevention of money laundering and funding of terrorism, honoring a request received from a third party payment service provider, contracted by the data subject, applying the provisions of GEO 37/2020 regarding the granting of facilities for loans granted by credit institutions and non-financial institutions to certain categories of borrowers, etc.), on the ground of art. 6 (1) (c) of the Regulation;
d) for the legitimate interests of the Bank (e.g., recovery of receivables related to the concluded contractual relationship, provision of security for persons and goods, carrying out statistical modeling activities in the risk management area, communicating information regarding the functionalities, the standard contractual and operational benefits and the operation mechanisms of the products and services owned by the data subject, by means such as payment programs in installments, loyalty programs, programs regarding the use of products and services, so that the data subject has access to and/or maintains the services and products adapted to their needs and interests, etc.), but also in consideration of the protection of interests, rights and fundamental liberties of the Data Subject, on the ground of art. 6 (1) (f) of the Regulation;
e) for reasons of substantial public interest, namely taking measures to combat the negative effects of COVID 19 virus, which influence the economic situation of certain categories of debtors, based on GEO 37/2020 (e.g., regarding the health data provided for motivating the request for suspension of the payment obligations of the data subject) under art. 9, para. 2, lett. g of the Regulation.
4. Personal data are processed for the following periods:
a) during the validity of the contracts executed with the Bank, plus 10 years following the expiry of the contractual relationship, unless an applicable legal provision requires preservation for a longer period;
b) for a period of 5 years, in case there is no contractual relationship with you, according to the legislation for the prevention and sanctioning of money laundering (Law no. 129/2019);
c) if the processing is performed for direct marketing purposes - throughout the duration of the contractual relationship with the Bank, plus 1 year following the termination thereof. In case you withdraw your consent for direct marketing, your data shall no longer be processed for this purpose, following the withdrawal of your consent.
5. Data Controllers, Data Processors and Recipients of Personal Data:
Personal Data can be sent to the following categories of recipients:
a) Data Subject, representatives of the Data Subject;
b) entities within the UniCredit Group;
c) insurance companies (who may be Associate Data Controllers of the Bank);
d) debt collection/receivable recovery agencies;
e) public notaries, officers of the court;
f) counsellors, authorised evaluators, accountants, censors, auditors and other types of consultants;
g) miscellaneous service providers (e.g., IT, archiving, printing, couriers, etc.);
h) international organisations (e.g., cards – Visa, MasterCard, etc.);
i) providers of technical services for the processing/facilitation of payments (e.g., Romcard, Transfond, Society for Worldwide Interbank Financial Telecommunication etc.);
j) Central Credit Register, Biroul de Credit S.A., National Credit Guarantee for SMEs (FNGCIMM) (who may be associate Data Controller of the Bank);
k) public authorities in Romania (e.g., National Bank of Romania, ANAF, National Office for Prevention and Control of Money Laundering, etc.) and abroad (e.g., European Commission, fiscal authorities, etc.);
l) third-party payment service providers (if the data subject has contracted specific services provided by these third parties), respectively the payment initiation service providers, the account information service providers and the payment service providers who issue card-based payment instruments.
In the case of transfers of Personal Data to a third party or organization abroad, the information in the International Transfer section is applicable.
Personal data sent to third parties shall be appropriate, pertinent and non-excessive relative to the purpose for which they were collected and which allows their transmission to a particular third party.
6. International Transfer:
Personal data shall be transferred to SWIFT (Society for Worldwide Interbank Financial Telecommunication), as Data Controller, in case the performance of payment operations requested by you includes processing via the SWIFT system. To that end, there is a possibility that data transferred to SWIFT, as Data Controller, are accessible to the US Treasury Department. We specify that with regard to the international transfer to the US, there is a Decision of the European Committee of 12 July 2016, issued on the ground of Directive 95/46/EC of the European Parliament and Council, on the adequacy of protection provided by the EU-USA Privacy Shield.
In case you are a citizen of the United States of America (USA) or resident on the US territory, please be notified that according to FATCA (The US Foreign Account Tax Compliance Act), you fall under the direct application of legal provisions on the fiscal regulations of the USA, and your data are sent to fiscal authorities of the USA.
In all situations where international data transfer is required, it will be carried out only if an adequate level of personal data protection, recognized by a decision of the European Commission, is ensured in the recipient country, such as in the member states of the European Economic Area (EEA).
In the absence of such a decision of the European Commission, the Bank may transfer personal data to a third country only if the person processing the data has provided adequate guarantees provided by law in order to protect personal data.
The bank can be contacted for obtaining additional information regarding the guarantees offered for the protection of personal data in the case of each transfer of data abroad, through a written request for this purpose.
7. Necessity to process Personal Data:
Should you refuse to have your Personal Data processed for the purposes specified under paras. a) - i) above, the Bank will be unable to commence legal relationships with you or to continue them, as it will be unable to meet the legal requirements in the financial-banking field (e.g., on the know-your-customer requirements, prudential requirements, etc.), inclusively to analyze the request on the provision of services by the Bank, to execute/perform the contract requested by you.
Should you oppose the processing of your Personal Data for statistical purposes, please be informed that this option will be analyzed and, depending on the particular circumstances of the Data Subject, you will receive an answer according to art. 21 of the Regulation, your objection against such operation having no effects on the continued relationship with the Bank.
Should you disagree with the processing of Personal Data for direct marketing purposes or to contact you in order to obtain your opinion on the services and products offered or purchased, the contractual relationship between you and the Bank will not be affected in any way.
8. As Data Subject, you have the following RIGHTS related exclusively to your Data:
a) the right to access your data according to art. 15 of the Regulation;
b) the right to rectification of your data according to art. 16 of the Regulation;
c) the right to erasure of your data according to art. 17 of the Regulation;
d) the right to restrict your data according to art. 18 of the Regulation;
e) the right to portability of your data according to art. 20 of the Regulation;
f) the right to object, according to art. 21 of the Regulation;
g) the right to not be subject to automated individual decision-making, including profiling, according to article 22 of the Regulation;
h) the right to contact the National Supervisory Authority for Personal Data processing and the Justice system.
We specify that in accordance with article 7 (3) of the Regulation, you are entitled to withdraw at any time your consent for direct marketing and profiling for marketing purposes.
For the exercise of such rights, you can file a written application, dated and signed, submitted to UniCredit Bank SA, at the following address: no.1F Expoziției Boulevard, sector 1, Bucharest, postal code 012101, or via e-mail at email@example.com, respectively by calling +40 21 200 2020 (regular rate number for Telekom Romania fixed network) or *2020 (regular rate number in Telekom Romania, Orange, RCS&RDS, Vodafone networks).
Should you submit a request for the exercise of your rights on data protection, the Bank shall answer such request within one month, a term that may be extended by two months, according to the provisions of the Regulation.
Should you intend to file an application to exercise the rights mentioned above, with regard to the Associated Data Controller - the insurance company that issued the insurance Policy, you can contact the Associated Controller according to the data in the insurance policy.
In UniCredit Bank S.A, the data protection officer has the following contact details: no.1F Expozitiei Boulevard, sector 1, Bucharest, postal code 012101, e-mail firstname.lastname@example.org.
We specify that this Notification is prepared in accordance with article 13 of the Regulation, respectively for your notification, as it is not submitted for the collection of your consent with regard to the processing activities mentioned above. Should your consent be required for the processing operations, it has already been expressed or it will be collected during future interactions with the Bank.
*1 Group/UniCredit Group - UniCredit SpA (Italy) and companies controlled directly/indirectly, including companies in Romania (UniCredit Bank S.A., UniCredit Leasing Corporation IFN S.A., Debo Leasing IFN S.A., UniCredit Leasing Fleet Management S.R.L., UniCredit Insurance Broker S.A., UniCredit Consumer Financing IFN S.A., UCTAM RO S.R.L. etc.) and the legal successors of these entities.