Notification on personal data processing

UniCredit Bank S.A. (the "Bank"), a company administered in a two-tier system, having its legal seat in Romania, Bd. Expozitiei nr. 1F, Bucharest, Sector 1, registered with the Trade Register under no. J40/7706/1991 and in the Banking Register under no. RB-PJR-40-011/18.02.1999, sole registration code 361536, fiscal attribute RO, subscribed and paid-in registered capital of RON 455,219,478.30, as Personal Data Controller, processes your personal data ("Personal Data") in good faith and for the purposes specified in the present Notification, in accordance with the provisions of Law no. 677/2001 on the protection of persons with regard to the processing of personal data and the free movement of such data ("Law no. 677/2001") and Regulation (EU) no. 679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/CE (the "Regulation").

You provided the Bank with these Personal Data belonging to you, as a client, and a Data Subject, on the date of execution of the contract with UniCredit Bank and/or of an insurance policy and/or on the date of submitting an application that requires the provision of services by the Bank and/or throughout the performance of the contractual relationship.

1. Depending on the products and banking services you purchased from the Bank, PROCESSED PERSONAL DATA are the following:

a) Name and surname, alias, client code, personal identification code or tax registration number, as applicable, birth date and place, gender, citizenship, marital status, series and number of the identity card/passport, other data in the marital status documents, address (domicile/residence/mailing address), fiscal residence jurisdiction, phone/fax, e-mail, username for Online Banking/Mobile Banking, voice, image, signature;

b) education, professional and fiscal circumstances, occupation, position, workplace, domicile type (e.g., owned property, rental, etc.), as well as their history, political exposure, if applicable, and the public office held, data on penalties, if any, data on the beneficial owner;

c) source of funds, economic and financial circumstances, data on the assets held, banking data, inclusively with regard to the banking products purchased, banking transactions and insurance products, data on liquidity, payment obligations (e.g. monthly expenses, insurances, taxes, duties, etc.), the number of family members and dependants, data on health status, required for the taking out of specific insurance products;

d) in case of credit products, data of the spouse/partner (co-debtors), as mentioned above, as well as the type of commitment, monthly payment amount, data of guarantors and assignees in the relationship with the Bank, contact person, litigations of the applicant and co-debtor, affiliation to a group of clients, other data, as the case may be, negative (e.g., product type, period, amounts and outstanding payments, due date of the outstanding payment, number of delay days, etc.) and/or positive (e.g., product type, period, amounts granted and owed, credit currency, frequency of payments, amount paid, monthly payment, employer's name and address, etc.), information on the position of guarantor, co-debtor or beneficiary of the insurance policy; in case of existence of a group of clients, the Bank shall also process personal data of persons in the group (spouse, relatives and kin up to the second degree), with risk exposure towards the Bank.

2. Personal data are processed by the Bank for the following PURPOSES:

a) execution of the contractual relationship with the Bank, based on your application to provide the services and bank products (e.g., bank accounts, Online Banking, Mobile Banking, debit/credit card, DigiPass, Info SMS, safe deposit box rental, credit etc.), according to your request;

b) prevention and control of fraud, funding of terrorism and money laundering, performance of know-your-customer analysis, risk analyses, respectively the reporting of suspicious transactions;

c) reporting to and checking of all databases managed by the Central Credit Register, Biroul de Credit S.R.L. and National Tax Administration Authority;

d) reporting to the state institutions, including for FATCA purposes (The US Foreign Account Tax Compliance Act)/CRS (Common Reporting Standard) and for the performance of activities related to inspections by authorities, such as ANAF, ANPC, BNR, ANSPDCP, etc;

e) collection of debts, recovery of receivables, foreclosure of amounts owed to the Bank, management of garnishments and distraints;

f) reporting within UniCredit Group*1 for prudential purposes and for the accounting consolidation in the Group, inclusively for the performance of an effective risk management process within the Group and for the management and monitoring of Group clients;

g) release of contractual insurance documents and establishment of the quantum of payment obligations in case of occurrence of insured risks, in case the contracted banking product involves taking out an insurance (life/assets);

h) monitoring, security and protection of persons, spaces, assets, via the video cameras located in the Bank offices;

i) registration of communications via the fax machine, digital channels (e.g., Online Banking, Mobile Banking, e-mail) and phone calls made by the Contact Centre of the Bank, in order to streamline and improve the services provided to the client, execution and performance of contracts with clients in optimal conditions, respectively the performance of telephone and on-line transactions;

j) performance of reviews that may lead to your profiling for direct marketing purposes (e.g., evaluation of held banking products, history of bank transactions made, calculation of indicators in the evaluation of creditworthiness/credit risk, etc.) and direct marketing, by the use of means of communication, inclusively of the automated calling systems that do not require the intervention of human operators, respectively e-mail, SMS, fax, such as for the receipt of newsletters/other commercial communications, for the promotion of products/services of UniCredit Group (funding/lending/other types), in case you expressed your agreement to such marketing;

k) review of the client satisfaction and quality of services and products purchased, on the ground of the legitimate interest of the permanent improvement of Bank services and products;

l) for statistical purposes.

3. Personal data are processed by the Bank on the following legal GROUNDS:

a) based on your consent (e.g., for direct marketing), on the grounds of art. 6 (1) (a) of the Regulation;

b) for the performance of a contract where the Data Subject is a party or to take efforts to execute a contract (e.g., provision of the banking product, communication with the Data Subject for the performance of the contract, etc.), on the grounds of art. 6 (1) (b) of the Regulation;

c) for the observance of a legal obligation of the Bank (e.g., preparation of reports to competent authorities, know-your-customer for the prevention of money laundering and funding of terrorism, etc.), on the ground of art. 6 (1) (c) of the Regulation;

d) for the legitimate interests of the Bank (e.g., recovery of receivables related to the concluded contractual relationship, provision of security for persons and goods, etc.), but also in consideration of the protection of interests, rights and fundamental liberties of the Data Subject, on the ground of art. 6 (1) (f) of the Regulation.

4. Personal data are processed for the following periods:

a) during the validity of the contracts executed with the Bank, plus 15 years following the expiry of the contractual relationship, unless an applicable legal provision requires preservation for a longer period;

b) for a period of 5 years, in case there is no contractual relationship with you, according to the legislation for the prevention and penalisation of money laundering (Law no. 656/2002);

c) if the processing is performed for direct marketing purposes - throughout the duration of the contractual relationship with the Bank, plus 1 year following the termination thereof. In case you withdraw your consent for direct marketing, your data shall no longer be processed for this purpose, following the withdrawal of your consent.

5. Data Controllers, Data Processors and Recipients of Personal Data:

Personal Data can be sent to the following categories of recipients:

a) Data Subject, representatives of the Data Subject;

b) entities within the UniCredit Group;

c) insurance companies (who may be Associate Data Controllers of the Bank);

d) debt collection/receivable recovery agencies;

e) public notaries, officers of the court;

f) counsellors, authorised evaluators, accountants, censors, auditors and other types of consultants;

g) miscellaneous service providers (e.g., IT, archiving, printing, couriers, etc.);

h) international organisations (e.g., cards – Visa, MasterCard, etc.);

i) providers of technical services for the processing/facilitation of payments (e.g., Romcard, Transfond, Society for Worldwide Interbank Financial Telecommunication etc.);

j) Central Credit Register, Biroul de Credit S.A., National Credit Guarantee for SMEs (FNGCIMM) (who may be associate Data Controller of the Bank);

k) public authorities in Romania (e.g., National Bank of Romania, ANAF, National Office for Prevention and Control of Money Laundering, etc.) and abroad (e.g., European Commission, fiscal authorities, etc.).

Personal data can be transferred to entities in the European Union/EEA. In case of sending personal data to a third party or an international organisation outside the EU, information in the International Transfer section is applicable.

Personal data sent to third parties shall be appropriate, pertinent and non-excessive in relation to the purpose for which they were collected and which allows their transmission to a particular third party.

6. International Transfer:

Personal data shall be transferred to SWIFT (Society for Worldwide Interbank Financial Telecommunication), as Data Controller, in case the performance of payment operations requested by you includes processing via the SWIFT system. To that end, there is a possibility that data transferred to SWIFT, as Data Controller, are accessible to the US Treasury Department. We specify that, with regard to the international transfer to the US, there is a Decision of the European Committee of 12 July 2016, issued on the ground of Directive 95/46/CE of the European Parliament and Council, on the adequacy of protection provided by the EU-USA Privacy Shield.

In case you are a citizen of the United States of America (USA) or resident on the US territory, please be notified that, according to FATCA (The US Foreign Account Tax Compliance Act), you fall under the direct application of legal dispositions on the fiscal regulations of the USA, and your data are sent to fiscal authorities of the USA.

7. Necessity to process Personal Data:

Should you refuse to have your Personal Data processed for the purposes specified under paras. a) - i) above, the Bank will be unable to commence legal relationships with you or to continue them, as it will be unable to meet the legal requirements in the financial-banking field (e.g., on the know-your-customer requirements, prudential requirements, etc.), inclusively to analyse the request on the provision of services by the Bank, to execute/perform the contract requested by you.

Should you oppose the processing of your Personal Data for statistical purposes, please be informed that this option will be analysed and, depending on the particular circumstances of the Data Subject, you will receive an answer according to art. 21 of the Regulation, your objection against such operation having no effects on the continued relationship with the Bank.

Should you disagree with the processing of Personal Data for direct marketing purposes or to contact you in order to obtain your opinion on the services and products offered or purchased, the contractual relationship between you and the Bank will not be affected in any way.

8. As Data Subject, you have the following RIGHTS related exclusively to your Data:

a) the right to access your data according to art. 15 of the Regulation;

b) the right to rectification of your data according to art. 16 of the Regulation;

c) the right to erasure of your data according to art. 17 of the Regulation;

d) the right to restrict your data according to art. 18 of the Regulation;

e) the right to portability of your data according to art. 20 of the Regulation;

f) the right to object, according to art. 21 of the Regulation;

g) the right to not be subject to automated individual decision-making, including profiling, according to article 22 of the Regulation;

h) the right to contact the National Supervisory Authority for Personal Data processing and the Justice system.

We specify that in accordance with article 7 (3) of the Regulation, you are entitled to withdraw at any time your consent for direct marketing and profiling for marketing purposes.

For the exercise of such rights, you can submit a new written application, dated and signed, sent to UniCredit Bank S.A., at the following address: Bulevardul Expozitiei nr.1 F, sector 1, Bucharest, postal code 01210, or by e-mail at, or by calling +40 21 200 2020 (normal charge call on Telekom Romania network) or *2020 (normal charge call in Telekom Romania, Orange, RCS&RDS, Vodafone mobile networks).

Should you submit a request on the exercise of your rights on the protection of data, the Bank will submit an answer to this request within 15 days, according to Law no. 677/2001, and starting with 25 May 2018, within 30 days, according to the terms of the Regulation.

We specify that this Notification is prepared in accordance with article 13 of the Regulation, respectively for your notification, as it is not submitted for the collection of your consent with regard to the processing activities mentioned above. Should your consent be required for the processing operations, it had already been expressed according to the provisions of Law no. 677/2001 on the protection of persons with regard to personal data processing and the free movement of such data.

Starting with 25 May 2018, you may check the Bank website permanently at this address for information on personal data processing.

Please feel free to contact us for any further information.

Respectfully yours, UniCredit Bank

*1 Group/UniCredit Group - UniCredit SpA (Italia) and companies controlled directly/indirectly, including companies in Romania (UniCredit Bank S.A., UniCredit Leasing Corporation IFN S.A., Debo Leasing IFN S.A., UniCredit Leasing Fleet Management S.R.L., UniCredit Insurance Broker S.A., UniCredit Consumer Financing IFN S.A., UCTAM RO S.R.L. etc.) and the legal successors of these entities.
