This website (the “website”) is operated by BANCA COMERCIALĂ ROMÂNĂ S.A. (“BCR” or the “Controller”). In this Policy, BCR may be referred to as “we”, “us” or “our”.
1. The Object of this Privacy Policy:
This Privacy Policy is intended to inform you of:
(i) the processing activities of your personal data carried out by BCR, as Controller and it applies in the performance of its activities and the fulfillment of its scope of business;
(ii) data security and confidentiality of the processing of personal data
BCR processes the personal data in accordance with the provisions of the General Data Protection Regulation no. 679/2016 (“GDPR”) as well as with the applicable legislation in the personal data protection field.
Our Privacy Policy may be modified and BCR will publish on this page an updated version of the Policy. By regularly consulting this website, you may ensure that you are permanently aware of the processing activities undertaken by BCR.
The BCR website may include links to other websites which are managed by other legal entities / legal persons who are not related to BCR’s activity and with respect to which BCR has no responsibility. Moreover, we may offer links to other websites operated by companies affiliated to BCR, which apply separate privacy policies. If you access these websites through our website, you should consult the privacy policies of these websites in order to understand how they collect, use and disclose your information.
Below, you will find details about the purposes and grounds for the processing of your personal data depending on your capacity (in this respect, please see section 2 below). Moreover, you may also find information about the categories of data processed, the processing for which we need your consent, the decision making processes and profiling we carry out, the categories of recipients and the states to which your data is transferred, the duration of the processing, the use of cookies, the applicable data security norms, as well as the rights you benefit from. These latter sections are common for all data processing, irrespective of your capacity.
Depending on the products offered, the modalities in which these are contracted, as well as on the types of contractual or extracontractual relations you may have with us, BCR may provide the data subjects with notices presenting the particularities of the processing activities carried out.
2. How we process the data depending on your capacity and for which purposes
Depending on your capacity, BCR will process your personal data for different purposes and grounds as follows:
Please read the section regarding the use of cookies available here.
- daily repot of the transactions in accordance with the applicable laws; to manage conflicts of interest; to manage the controls carried out by authorities with regard to the relationship with the employees;
- administrative-financial management purposes;
- to store/deposit (prior to archiving) and to archive pursuant to the legal provisions the contractual documentation (including ensuring the operations connected to these activities) and/or of documents that contain personal data;
- internal audit;
- to ensure security on the premises of BCR and its branches;
- video monitoring of premises and assets by placing surveillance systems to ensure the protection of goods and values according to the law;
- to fulfill all of BCR's obligations regarding the banking supervision obligation over BCR and the reporting obligation towards the supervisory authorities; to comply with the national and European prudential requirements applicable to credit institutions;
- to manage data quality;
- to manage the relations with the public authorities or with other persons who provide a public service (bailiffs, notaries, etc.);
- to implement technical measures for ensuring the security of personal data (including by making back-up copies).
- to conclude and execute labor agreements
- to implement an internal line of reporting non-conformities raised by any person with respect to the offered financial-banking services;
- to find, exercise and defend certain rights of BCR and/or its branches in courts of law, as well as to gather supporting evidence in this respect;
- for recruiting and human resources purposes with respect to candidates and BCR employees; for granting benefits to the relevant persons;
- to carry out mergers and/or acquisitions that involve BCR;
- fraud prevention, know-your-client, money laundering prevention and combating terrorism financing ;
- video monitoring for the security of BCR premises and assets in order to prevent circumstances that may harmfully affect BCR; audio recording of telephone calls to / from BCR contact centers in order to carry out certain requests or investigations requested by or in connection with clients or any other category of data subject (for example whistleblowing), of their probation towards the data subject or in court in the case of a dispute, as well as to improve the quality of services and calls.
A. To fulfill our legal obligations, for the following purposes:
B. In order to conclude and enforce contracts, for the following purposes:
C. In order to fulfill BCR's legitimate interests in the context of performing its scope of business, for the following purposes:
- prevention of frauds, know-your-client, prevention of money laundering and combating terrorism financing and securing the bank secrecy by analyzing / verifying the authenticity of the identity document presented by you and the identity of the Clients according with rules established by the provisions of the Framework Agreement for Banking Services, and the allocation of the risk rating,
- daily report of the transactions according to the applicable legislation, manage the conflicts of interests, manage the inspections carried out by the authorities;
- performance of all BCR’s obligations related to the bank supervision activity carried out with respect to BCR and the Erste group and the obligations of reporting to the Erste group or to the supervision authorities (including by transmitting the data to the Central Credit Register managed by NBR);
- management of the credit risk, the strategic risk, by creating your profile;
- assessment of the eligibility for the purpose of granting certain standard or customized banking products and services (including the granting / approval stage), by creating a profile taking into consideration indicators in the assessment of creditworthiness, of the credit risk and determining the indebtness (in accordance with the obligations provided by NBR Regulation 5/2013 on prudential requirements for credit institutions and NBR Regulation 17/2012 on certain lending conditions);
- administrative – financial management;
- keeping / storing (before archiving) and archiving, according to the legal provisions, of the contractual documentation (including to ensure the operations related to these activities) and / or other documents containing personal data;
- internal audit;
- ensuring the security within the premises of BCR and its branches;
- meeting the national and European prudential requirements applicable to credit institutions (including the effective management of the risk of fraud by keeping a warning list documenting the fraud attempts or suspicions);
- data quality management;
- management of the relations with the public authorities or with other persons who provide a public service (judicial executors, notaries, etc.);
- implementation of technical measures to ensure the security of personal data (including by making backup copies);
- prevention of frauds;
- management of liquidities, optimization of the balance sheet and determination of the transfer pricing; portfolio management.
- video monitoring of premises and assets by placing surveillance systems in order to ensure the protection of the assets and goods according to the law.
- carrying out any legal relations arising from the contracts concluded between you and BCR;
- performance of online banking services; proper performance of the banking transactions, in order to develop / optimize the banking services offered by BCR;
- debt collection / recovery (as well as the activities preliminary thereto, including due diligence activities);
- conclusion and / or performance of insurance and reinsurance contracts;
- proper monitoring of all obligations undertaken by BCR’s contractual partners (natural persons) and / or clients towards any of the entities in the BCR Group;
- data quality management including the transmission and / or transfer of information necessary to determine the payment capacity and the payment behavior;
- carrying out or processing the payment operations through the SWIFT system, if the clients request the use of this system;
- management of the relationship with the Client, transmission of the data to the Credit Bureau for the management of the credit relationship.
- verification and assessment by automatic means of the conditions of eligibility for the online opening of an internet banking account, depending on the information provided by the data subject;
- audio recording of telephone calls and calls to / from the contact centers in order to carry out certain requests, operations, instructions; agreements regarding banking services or investigations requested by clients and their evidences towards the clients;
- granting the salary benefits for the clients who are employees of the companies in Erste Grup.
- implementation of an internal line for reporting the inconsistencies found by any persons in connection with the financial – banking services offered;
- prevention of frauds, know-your-client, to prevent money laundering and the combating of terrorism by analyzing / verifying the authenticity of the identity document presented by you for operations whose value does not reach the limits provided by the applicable legislation;
- taking measures to granting of salary benefits and / or ensuring the payment of the salary entitlements as a result of the legal relations existing between BCR and your employer;
- optimization of the banking services provided by improving the internal flows, policies and procedures;
- marketing, PR and communication activities, surveys with respect to the banking services, the activity of BCR, of the members of the BCR Group and of third contractual partners;
- management of the complaints received from you with respect to the banking services;
- profiling for the purpose of offering the most adequate products / services and for analysis purposes;
- data processing in the Credit Bureau system by transmitting the data to the Credit Bureau and to the Central Credit Register for the management of the credit relation falling under the scope of application of the rules regarding the Credit Bureau; consulting the information registered in your name in the database of the Credit Bureau by any Participant to the Credit Bureau System, for the purpose of providing credit financial-banking services, at your request, and offering you such products;
- ascertainment, exercise or defense of certain rights of BCR and / or of its branches in court, as well as the production of evidence in this respect;
- carrying out mergers and / or acquisitions processes and / or similar transactions in which BCR also participates;
- design, development, testing and use of the existing or new information systems and of the IT services (including the storage of databases in Romania or abroad)
- video monitoring for the security of BCR premises and assets in order to prevent circumstances that may harmfully affect BCR;
- audio recording of telephone calls to / from BCR’s call centers in order to carry out certain requests or investigations requested by or in connection with Clients or any other category of data subject (for example whistleblowing), of their probation towards the data subject or in court in the case of a dispute, as well as to improve the quality of services and calls;
- activities of contacting and managing the requests for banking services through the BCR’s web site;
- profiling and segmentation activities, including assessment of the eligibility for analysis and/or bidding in order to provide certain standard or customized banking products and services (including by consulting the data from the enquiries made at the Credit Office and / or the Central Credit Register or by profiling or analyses based on your transaction data or on the history of your relation or of the relation of a company in which you had the capacity of associate / shareholder or director with BCR or companies in the BCR / Erste group) – we will perform this activity based on our legitimate interest when permitted by the law, respectively when the processing generates legal effects on you or similarly affects you.
- transaction monitoring and contacting the client to prevent fraud.
A: To perform its legal obligations, for the following purposes:
To achieve the purposes in this section, BCR will rely on the controller’s legitimate interest, to streamline the process where certain processing activities exceed what is strictly necessary to comply with the relevant legal provisions.
B. To conclude and perform the contracts, for the following purposes:
If you have or intend to intiate contractual relations with certain companies in the BCR / ERSTE group, it is possible for BCR to process your data according to the instructions given by these companies, as processor. We recommend that you read the privacy notices of the companies in the BCR / ERSTE group for details regarding the manner in which these companies will process your personal data.
C. To fulfill BCR’s legitimate interests in the context of the performance of its activity, for the following purposes:
- to prevent fraud, know-your-client, to prevent money laundering and the combating of terrorism and to guarantee banking secrecy by analyzing/verifying the authenticity of the identity card provided by you and your identity according with rules established by the provisions of the Framework Agreement for Banking Services, and the allocation of the rating risk;
- daily reporting of transactions in accordance with the applicable legislation; to manage conflicts of interests; to manage the controls of the authorities with respect to client relationship;
- to meet all of BCR's obligations regarding banking supervision to which BCR and Erste group are subject and with BCR's reporting obligations towards the Erste group or the supervisory authorities;
- to manage the credit risk and the strategic risk by creating a profile for you;
- to evaluate eligibility for the purpose of offering certain standard or personalized banking products and services (including at the time of the initial offer/approval), by creating a profile that takes into account indicators for evaluating solvability, the credit risk, determining the degree of indebtedness;
- administrative-financial management purposes;
- to store/deposit (prior to archiving) and to archive pursuant to the legal provisions governing contractual documentation (including ensuring the related operations to these activities) and/or documents that contain personal data;
- internal audit;
- to ensure security on the premises of BCR and its branches;
- video monitoring of premises and assets by placing surveillance systems in order to ensure the protection of the assets and goods according to the law;
- to fulfill all of BCR's obligations regarding the banking supervision obligation over BCR and the reporting obligation towards the supervisory authorities; to comply with the national and European prudential requirements applicable to credit institutions;
- to manage data quality;
- to manage the relations with the public authorities or with other persons who provide a public service (bailiffs, notaries, etc.);
- to implement technical measures for ensuring the security of personal data (including by making back-up copies).
- to manage liquidities; to optimize the balance sheet and to establish transfer prices; to manage the portfolio;
- to carry out any legal relations resulting from the contracts concluded between BCR and you or the company that you represent;
- to provide online banking services; to perform the banking transactions in good conditions in order to develop/optimize the banking services offered by BCR;
- to collect/recover debts (as well as preliminary activities, including due diligence activities);
- to conclude and/or enforce insurance and reinsurance contracts;
- to adequately monitor all the obligations undertaken by BCR's contractual partners (natural persons) and/or by the clients towards any of the entities in the BCR Group;
- to manage data quality, including the transmission and/or transfer of information necessary to assess payment capacity and behavior;
- to make or process payments through the SWIFT system, insofar as the clients request the use of this system;
- audio recording of telephone calls and calls to / from the contact centers in order to carry out certain requests, operations, instructions; agreements regarding banking services or investigations requested by clients and their evidences towards the clients;
- granting the salary benefits for the clients who are employees of the companies in Erste Grup.
- to implement an internal line of reporting non-conformities raised by any person with respect to the financial-banking services offered;
- prevention of frauds, know-your-client, to prevent money laundering and the combating of terrorism by analyzing / verifying the authenticity of the identity document presented by you for operations whose value does not reach the limits provided by the applicable legislation;
- to improve the banking services provided by improving the internal flows, policies and procedures;
- PR and communication purposes; general marketing activities (for example, marketing campaigns, raffles, awarding, etc.); taking polls regarding the banking services, the activity of BCR, the members of the BCR group and contractual third parties;
- to handle the complaints received from you regarding the banking services; to create a profile for the purpose of presenting the most appropriate products/services;
- to transmit the data to the Credit Bureau and to the Central Credit Register throughout the management of the credit relation that falls under the purview of the Credit Bureau rules; to consult the information registered in your name in the Credit Bureau's database by any participant in the Credit Bureau system for the purposes of providing crediting financial-banking services at your request, respectively in order to offer you such products;
- to find, exercise and defend certain rights of BCR and/or its branches in court, as well as gather supporting evidence in this respect;
- to carry out mergers and/or acquisitions in which that involve BCR;
- to design, develop, test and use existing or new information systems and IT services (including storing the databases in the country or abroad)
- video monitoring for the security of BCR premises and assets in order to prevent circumstances that may harmfully affect BCR; audio recording of telephone calls to / from BCR contact centers in order to carry out certain requests or investigations requested by or in connection with clients or any other category of data subject (for example whistleblowing), of their probation towards the data subject or in court in the case of a dispute, as well as to improve the quality of services and calls; activities of contacting and managing the requests for banking services through the BCR’s web site;
A: In order to fulfill our legal obligations, for the following purposes:
B. In order to conclude and enforce contracts, for the following purposes:
C. In order to fulfill BCR's legitimate interests in the context of performing its scope of business, for the following purposes:
- In order to fulfill our legal obligations, for the following purposes:
- prevention of frauds, know-your-client, prevention of money laundering and combating terrorism financing; to report daily the transactions in accordance with the applicable laws; to manage conflicts of interest; to manage the controls carried out by authorities with regard to the relationship with the partners;
- to meet all of BCR's obligations regarding banking supervision to which BCR and Erste group are subject and with BCR's reporting obligations towards the Erste group or the supervisory authorities;
- administrative-financial management purposes;
- to store/deposit (prior to archiving) and to archive pursuant to the legal provisions governing contractual documentation (including ensuring the related operations to these activities) and/or documents that contain personal data;
- internal audit;
- to ensure health and security on the premises of BCR and its branches;
- video monitoring of premises and assets by placing surveillance systems to ensure the protection of goods and values according to the law;
- to fulfill all of BCR's obligations regarding the banking supervision obligation over BCR and the reporting obligation towards the supervisory authorities; to comply with the national and European prudential requirements applicable to credit institutions;
- to manage data quality;
- to manage the relations with the public authorities including by providing relevant information in accordance with the legal provisions or with other persons who provide a public service (bailiffs, notaries, etc.);
- to implement technical measures for ensuring the security of personal data (including by making back-up copies).
- to carry out any legal relations resulting from the contracts concluded between BCR and you or the company that you represent;
- to collect/recover debts (as well as preliminary activities, including due diligence activities);
- to conclude and/or enforce insurance and reinsurance contracts;
- to adequately monitor all the obligations undertaken by BCR's contractual partners (natural persons) and/or by the clients towards any of the entities in the BCR Group;
- audio recording of telephone calls and calls to / from the contact centers in order to carry out certain requests, operations, instructions; agreements regarding banking services or investigations requested by clients and their evidences towards the clients;
- to implement an internal line of reporting non-conformities raised by any person with respect to the financial-banking services offered;
- to improve the banking services provided by improving the internal flows, policies and procedures;
- to find, exercise and defend certain rights of BCR and/or its branches in court, as well as gather supporting evidence in this respect;
- to carry out mergers and/or acquisitions in which that involve BCR;
- to design, develop, test and use existing or new information systems and IT services (including storing the databases in the country or abroad)
- video monitoring for the security of BCR premises and assets in order to prevent circumstances that may harmfully affect BCR;
- video monitoring for the security of BCR premises and assets in order to prevent circumstances that may harmfully affect BCR; audio recording of telephone calls to / from BCR contact centers in order to carry out certain requests or investigations requested by or in connection with clients or any other category of data subject (for example whistleblowing), of their probation towards the data subject or in court in the case of a dispute, as well as to improve the quality of services and calls ; activities of contacting and managing the requests for banking services through the BCR’s web site;
- to find, exercise and defend certain rights of BCR and/or its branches in court, as well as gather supporting evidence in this respect;
- health and security assurance on the premises of BCR and its branches;
- to handle the complaints received regarding BCR's services.
A: In order to fulfill our legal obligations, for the following purposes:
B. In order to conclude and enforce contracts, for the following purposes:
C. In order to achieve BCR's legitimate interests in the context of the carrying out its scope of business, for the following purposes:
- to comply with the legal norms applicable in the banking sector in order to comply with the know-your-client requirements; to prevent money laundering activities and to combat terrorism financing; to manage conflicts of interests; to manage the controls of the authorities;
- to meet all of BCR's obligations regarding banking supervision to which BCR and Erste group are subject and with BCR's reporting obligations towards the Erste group or the supervisory authorities;
- administrative-financial management purposes;
- to store/deposit (prior to archiving) and to archive pursuant to the legal provisions governing contractual documentation (including ensuring the related operations to these activities) and/or documents that contain personal data;
- internal audit;
- to ensure security on the premises of BCR and its branches;
- to fulfill all of BCR's obligations regarding the banking supervision obligation over BCR and the reporting obligation towards the supervisory authorities; to comply with the national and European prudential requirements applicable to credit institutions;
- to manage data quality;
- to implement technical measures for ensuring the security of personal data (including by making back-up copies).
- to carry out any legal relations resulting from the contracts concluded between BCR and you or the company that you represent;
- to adequately monitor all the obligations undertaken by BCR's contractual partners (natural persons)
- to implement an internal line of reporting non-conformities raised by any person with respect to the financial-banking services offered;
- to find, exercise and defend certain rights of BCR and/or its branches in court, as well as gather supporting evidence in this respect;
- to carry out mergers and/or acquisitions in which BCR participates
- to design, develop, test and use existing or new information systems and IT services (including storing the databases in the country or abroad)
- to handle the complaints received regarding BCR's projects
- video monitoring for the security of BCR premises and assets in order to prevent circumstances that may harmfully affect BCR; audio recording of telephone calls to / from BCR contact centers in order to carry out certain requests or investigations requested by or in connection with clients or any other category of data subject (for example whistleblowing), of their probation towards the data subject or in court in the case of a dispute, as well as to improve the quality of services and calls; activities of contacting and managing the requests for banking services through the BCR’s web site.
A: In order to fulfill our legal obligations, for the following purposes:
B. In order to conclude and enforce contracts, for the following purposes:
C. In order to fulfill BCR's legitimate interests in the context of performing its scope of business, for the following purposes:
- prevention of frauds, know-your-client requirements; to prevent money laundering activities and to combat terrorism financing; to manage conflicts of interests; to manage the controls of the authorities in case that are stated by the law or requested by the authorities;
- to ensure security on the premises of BCR and its branches;
- video monitoring of premises and assets by placing surveillance systems to ensure the protection of goods and values according to the law;
- to manage the relations with the public authorities or with other persons who provide a public service (bailiffs, notaries, etc.);
- archiving purposes;
- internal audit;
- to fulfill all of BCR's obligations regarding the banking supervision obligation over BCR and the reporting obligation towards the supervisory authorities; to comply with the national and European prudential requirements applicable to credit institutions;
- to manage data quality;
- to implement technical measures for ensuring the security of personal data (including by making back-up copies);
- to meet all of BCR's obligations regarding banking supervision to which BCR and Erste group are subject and with BCR's reporting obligations towards the Erste group or the supervisory authorities.
- to implement an internal line of reporting non-conformities raised by any person regarding you;
- to improve the banking services provided by improving the internal flows, policies and procedures;
- for simple marketing purposes, PR and communication, taking polls regarding the banking services, the activity of BCR, the members of the BCR group and contractual third parties;
- to handle the complaints received from you;
- to find, exercise and defend certain rights of BCR and/or its branches in court, as well as gather supporting evidence in this respect;
- to carry out mergers and/or acquisitions in which BCR participates
- to design, develop, test and use existing or new information systems and IT services (including storing the databases in the country or abroad)
- video monitoring for the security of BCR premises and assets in order to prevent circumstances that may harmfully affect BCR; audio recording of telephone calls to / from BCR telephone exchanges in order to carry out certain requests or investigations requested by or in connection with clients or any other category of data subject (for example whistleblowing), of their probation towards the data subject or in court in the case of a dispute, as well as to improve the quality of services and calls; activities for contacting and managing the request for banking services through the BCR’ web page.
A: In order to fulfill our legal obligations, for the following purposes:
B. In order to achieve BCR's legitimate interests in the context of carrying out its scope of business, for the following purposes:
- direct marketing, advertising through the intermediation / promotion of the most suitable products and services of BCR, of the BCR grop, of the partners and of the Erste group, including the transmission by BCR of commercial communications to this end by e-mail, SMS or other electronic what may not involve means that do not involve a human operator.
- accessing the data held by the Central Credit Register (CCR), ANAF in order to be able to assess your eligibility for offering you certain standard or customized products and services (consent obtained through specific documents according to legal requirements or requesting the authority, if applicable).
- thorough analyses to customize the product and service offers, including through the use and combination of the transaction data and / or consulting the internal, external databases and / or online platforms (such as the data from the Credit Bureau, ANAF and / or the Central Credit Register, the service and transaction data, the data related to your interactions with BCR and the history of your relation or the relation of a company in which you had the capacity of associate / shareholder or director with BCR or with companies in the BCR / Erste group, etc.), if the consent is requested according to the law with respect to the possible legal effects or the similar significant impact (Profiling Consent), to enable us to send you messages regarding the BCR products and services and to offer you customized products and services according to your profile (e.g., the creation of customized offers based on the transaction data, demographic data and products held) ( referred to as the Profiling Agreement).
There are certain processing purposes for which it is necessary, according to the law, that BCR obtains your consent. BCR will obtain this consent by various means, e.g., you sign a privacy notice made available by BCR when you visit a BCR branch, through the BCR website, or BCR’s online applications (such as George or the BCRPlusinCont platform). The consent so granted may be withdrawn anytime and BCR will take into consideration your options expressed with respect to the processing carried out based on your consent. The purposes for which it is most likely that BCR obtains your consent are the following:
The consent expressed with respect to the processing activities listed in the paragraph above can be withdrawn anytime, without affecting the lawfulness of the processing activities carried out before the withdrawal.
BCR processes the personal data that the Data Subject provides directly or found in the interaction with BCR employees (for example, the similarity between the photograph in the identity document and the person present in front of the BCR employee), as well as data generated based on such data, such as the client identification code, transaction data (type, amount, account and / or card data, location of trading orders), voice and behavior captured through video or audio recordings, information resulting from the non-conformities signaled by any person, data related to profiles generated by BCR, and the allocation of the risk rating from KYC/AML perspective or fraud, as well as data resulting from the analyses carried out by our experts concerning compliance with the requirements related to the prevention of fraud in the context of initiating or monitoring a business relation.
We may collect personal data with respect to you when you use our website as well as during the performance of our contractual relations established with you and the period of provision of the services by BCR in which you are involved. Furthermore, depending on the relation you have with BCR, we may collect data from other sources as well (information from public databases, such as Portaljust or Recom, or databases communicated by private providers, contractual partners or companies from the BCR / ERSTE Group, information provided by the BCR clients – for example, providing data related to the relatives or beneficiaries of the payments initiated by such).
Furthermore, in certain cases, we process personal data received from our clients or the representatives thereof (for example, name, first name and data concerning the accounts of the persons having transactions with our clients).
The refusal to provide the personal data may determine the impossibility for BCR to provide the bank services and / or achieve other processing purposes.
The refusal to provide the personal data may determine the impossibility for BCR to provide the bank services, performing banking transactions performing banking transactions and / or achieve other processing purposes.
The data collected for the purposes indicated above may be processed for other subsequent purposes as well, if the subsequent purposes are compatible with the initial ones.
- determining the eligibility for contracting a banking product by applying certain automated eliminatory criteria for example, reaching a level of indebtness that is too high when compared to that of your revenues held in view of contracting a loan or checking risk fraud, situations in which the granting the bank services can be refused;
- processing performed based on Profiling Consent (for example, offering a product based on a profile created based on more sources);
- sending commercial communications to the users of the BCR PlusInCont service with respect to the products promoted through this platform, starting from the profile created based on the transaction data generated by the users’ cards.
What kind of profiling does BCR make?
In certain cases, BCR may create profiles with respect to you and / or use automated decision-making with respect to you in order to achieve the purposes indicated in this Policy.
Creating profiles represents the automated processing of your data in order to asses or analyze aspects related to you such as preferences, level of indebtness, conduct, or identification on public or internal lists regarding terrorist financing, money laundering, criminal or fraud acts . An example of profiling is represented by the level of indebtness of a client resulting from the interrogations made in the database of the Credit Risk Register or risk rating allocated from fraud perspective or know your clients, money laundering and combating the terrorism, which in certain situations, may lead to denial or restriction of access to BCR’s services. Furthermore, use of cookies implies, among others, the creation of profiles with respect to the users of the website used for traffic and / or marketing analysis purposes.
Last but not least, BCR may divide its clients depending on several criteria (age, geographical area, contracted product, card usage frequency, revenues, type of expenses, etc.) in order to classify them in different categories for marketing purposes and / or for analysis purposes. For example, BCR may take into consideration the transaction data (the number and value of the transactions, the industry code of the beneficiaries of payments effected by card, value of the amounts transferred to the accounts) and demographic data (the urban / rural area, age) in order to determine the probability of acquiring a BCR product or service (such as a credit card or a savings product).
What are the automated decision – making processes implemented by BCR?
The automated decision –making processes are regulated in Art. 22 of GDPR and refer to decisions made by BCR without a significant intervention of a human factor and which may produce legal effects and / or similarly may affect you significantly. For example:
With respect to these automated decision-making processes based on your consent or the necessity to conclude and / or perform a contract, you will benefit, in addition to the rights set forth in section 11 below, from the following rights: the right to obtain a human intervention; the right to express your opinion; the right to object to the decision. These rights may be exercised by filing a request in this respect with any BCR branch or by writing an e-mail to dpo@bcr.ro.
In order to achieve the processing purposes, BCR may disclose certain categories of personal data to certain categories of recipients: the data subjects and / or its representatives, the BCR representatives, the entities in the BCR Group, the judicial authorities or other public authorities of any kind, international organizations, services and goods providers, banking companies, credit registers, debt collection or recovery agencies (including (potential) assignees of the debt titles held by BCR), insurance and reinsurance companies, professional organizations, market research organizations, your employer as a result of the legal relations existing between this and BCR, other contractual and / or authorized partners of BCR.
Currently, in order to achieve the purposes indicated above it is possible for BCR to transfer certain personal data outside the territory of Romania, to EU / EEA states: Austria, the Czech Republic, Croatia, Belgium, Germany, the United Kingdom of Great Britain, as well as outside the EU / EEA, to the United States of America. For transfers outside the EU / EEA, BCR will use for the transfer of personal data the standard contractual clauses adopted at the level of the European Commission or other guarantees recognized by the law.
It is possible that when carrying out its activities, the transfer states indicated above to be modified. In this case, the transfer states list indicated above will be updated.
- 5 years from terminations of business relations ship in case of data storage, in order to comply with the legal provisions on know you customer, prevention of money laundering and combating terrorism financing;
- 10 years from the beginning of next year in which were performed/issued/recorded suporting documents in case of data storage, in order to fulfill the provisions regarding the financial - accounting for archive financial book and supporting documents;
- 15 years from the beginning of next year in which the product was terminated in case of data storage in order to prevent crimes, such as Law no.241/2005 for the prevention and combating of tax evasion, and the good administration and enforcement of justice.
In order to achieve the indicated processing purposes, BCR will process the personal data throughout the period of provision of the banking services, and subsequently, in order to ensure conformity with the applicable legal obligations, including, but without being limited to, the provisions related to fulfilling the archiving obligation and the legitimate interests of BCR. It is possible that, in order to comply with the archiving requirements set forth by the law, BCR orders the anonymization of the data, thus depriving it from their personal nature and continuing to process the anonymized data for statistical purposes.
As a general rule, we keep your data for different period of time, after termination the bussines relationship with you in order to be able to respond to your requests or to competent authorities, to exercises a right in the court or to comply with legal provisions. Depending on the purposes above, we exemplify the established durations:
The term of your consent for receiving direct marketing communications and subsequently for the period required to prove the compliance with legal requirements, in case of data base managed for direct marketing purposes.
This website uses cookies. For more details, concerning these modules and the manner in which these are used please click here.
BCR gives an increased importance to your personal data and intends to ensure an adequate security throughout the duration of the processing activities. In this respect, BCR implements technical and organizational measures to ensure protection against the unauthorized or illegal processing thereof, or its accidental destruction or deterioration.
- The right to be informed: with respect to the processing activities carried out by BCR in connection with your data;
- The right of access to the data: you may request and receive a confirmation from BCR with respect to the data processing (which data we process and what is the purpose of processing, where and how long we store them, who has access to the data, etc.);
- The right to rectification: of inaccurate data, and supplement the incomplete data; (example: if you change your telephone number or e-mail address, you may contact us for updating this data;
- The right to erasure: you may request erasure of a part or all of the data we have from you;
- The right to restriction of processing: you may request that we not use your data, except to store it until another request from you is resolved, namely:
- you asked us to rectify the data;
- you objected to the deletion of the data in case of an illegal processing;
- you asked us to provide certain data in order to ensure the defence of a right;
- you objected to the processing of the data – please see the right to object below.
- The right to data portability: you may request that your data be provided in a structured, commonly used and machine-readable format (example: by e-mail). Furthermore, you may ask for your data to be sent to another controller;
- The right to object: you may object to the processing of data carried out pursuant to BCR’s legitimate interest;
- The rights concerning automated decision-making: as a rule, you have the right not to be subjected to an automated decision, if this produces legal effects over you or affects you in a similar way, to a significant extent (example: automated refusal to conclude a contract with you, based on a data processing);
- The right to withdraw consent: in cases where we process your data based on your consent;
- The right to file a complaint: if you are dissatisfied, you may address the National Supervisory Authority for Personal Data Protection or the courts of law at any time.
- If you are in a BCR branch or if you contact us by phone, the authentication shall be performed on the spot by the BCR representative;
- If you contact us by e-mail or post mail, a BCR representative shall contact you by e-mail in order to apply the authentication procedure mentioned above;
- For the requests sent using the contact form from our website, section Privacy Policy, the authentication shall be performed only for logging into the internet banking app, using your preferred settings: password, fingerprint, PIN code etc.;
- For the requests sent thru the Credit Bureau’s portal, the authentication is performed when creating the user account on the portal, according to the instructions which can be accessed under this link: https://www.birouldecredit.ro/wps/portal/bcro/Home/user-enrollment.
Important! We will not process your request in all cases (examples: the law imposes on BCR the obligation to keep the data for a certain period; the data is useful for a legitimate interest such as defending a right in court);
Important! We shall always approve the request only in cases where processing is made for direct marketing purposes (example: if you receive e-mails with commercial information from BCR, you may request to unsubscribe). In all the other cases, we will assess our own interests and your particular situation to make a final decision. Therefore, we recommend that you provide an explanation and reason why you object to the processing when you file the request.
Important! In certain cases, the law allows us to make such decisions in cases where we have your consent or if the decision is made based on the performance of the contract that we have concluded or based on our legitimate interest. In such cases, you will have the right to challenge the decision, to express your opinion and to obtain a verification from a human factor. Furthermore, there are cases where the law sets forth an obligation for us to implement such automated decision – making processes.
Important! The withdrawal of your consent will only produce effects for the future. The processing carried out for a different purpose, such as performance of the contract, will not be affected by withdrawal;
To the extent you exercise any of the rights indicated above, please provide us with the necessary details so that BCR can identify the exercised right and the requirements for its exercise, as set forth by the law. For example, if a request for objection is filed with respect to certain processing carried out by BCR pursuant to the legitimate interest of the bank, we kindly ask you to also provide information concerning your particular situation so that BCR may carry out the assessment required by the law.
Exercising your rights
For further details regarding the processing activities carried out by BCR, as well as with respect to your rights, you may contact us at any time using the following:
1. Request sent to BCR’s data protection officer at dpo@bcr.ro – communication channel especially for data protection matters;
2. Request sent by calling * 2227, number with normal tariff from the national fixed and mobile networks or at contact.center@bcr.ro;
3. Using our request data protection request form from BCR’s website, section Privacy Policy, using internet banking log in credentials;
4. By post mail, to our headquarters, or in any BCR branch;
5. The Credit Bureau’s portal.
In case you wish to exercise any of your rights according to this policy, please be informed that we are under the obligation to perform your authentication. The authentication procedure serves to verify your identity by BCR by asking you specific questions, in order for us to make sure that information is not requested by or disclosed to unauthorized persons. This is why, after you sent your request, depending on the channel you choose to contact us, the authentication procedure shall be performed as follows:
***
If you have any suggestions concerning this Privacy Policy, we encourage you to send these suggestions to: dpo@bcr.ro