Privacy policy regarding personal data
BCR, GDPR* and the use of your data
*General Data Protection Regulation (EU) 2016/679
Welcome to the data protection information center of BCR, the administrator of this website. Here you will find information about the processing and security of your data.
Depending on your status, we have prepared informational documents dedicated to clients, representatives, candidates (see section 3), as well as contractual partners, collaborators, and other third parties (see section 4 and following). In these information documents, we explain why and how we process your personal data.
If you just want an overview for now, in section 2 you can find a brief description of the main processing activities. However, we note that the processes vary depending on your status in relation to the bank and the product held (if you are a client), so for a complete understanding, you should access the information that suits you from section 3.
Although each processing activity has its own specificities depending on the product and the person's status, you should know that many of the legal bases and purposes for which we use data are common:
- Legal compliance obligations: if you enter into any business relationship with the bank directly or indirectly, through a company/agent/any other form of representation, the law requires us to conduct certain customer due diligence checks (including validating and updating data from ID cards based on the Protocol with DGEP) from the perspective of money laundering risk, terrorism financing, fraud, international sanctions, or reputational checks. Additionally, your data may be subject to auditing and reporting processes to authorities and the Erste Group (of which BCR is a part). Lastly, your data will be subject to archiving and to processes that ensure its security, for example, the creation of backups.
- Legitimate interests for processing: depending on the nature of the data, we will analyze them to improve internal processes and applications. We may use your data to respond to requests (if no other applicable legal basis exists). In certain cases, we will retain data for a sufficient period to justify actions in a dispute or litigation or for statistical purposes.
- If you have a business relationship with BCR: for the execution of any contract, we need to use your data to contact you and collaborate. If BCR provides you with products/services, we need to process your customer data to ensure the respective service (such as data from George, Moneyback, or data related to your credit – value, payment status, guarantees, etc.). For loans, we will conduct additional automated checks to determine your eligibility; we will also analyze your income recorded at ANAF, payment behavior data from the Credit Bureau, and data on provided guarantees. For investment products, we will primarily use data related to your transactions.
- If you provide services to us, we will need to use the data you provide as well as data related to your access to BCR's infrastructure (computers, access cards, CCTV systems, IT systems – which are monitored).
- Marketing: we conduct marketing activities and campaigns, primarily with our clients and only if they have given their consent. For individual clients, we offer the possibility of receiving tailored offers based on their profile, if we receive consent for this. If you choose to provide these consents, you can withdraw them at any time. Additionally, BCR organizes contests and raffles open to various categories of individuals (prospects, clients, partners, etc.) involving data processing. Registration involves adherence to regulations where you can access information on data processing.
Other relevant aspects:
- Like any company with multiple processing activities, we have suppliers and partners that assist us with processing your data, such as data storage, notification transmission, or application maintenance. Therefore, besides recipients to whom we have reporting obligations, your data may be accessed by these suppliers and partners – they assume strict contractual obligations regarding data usage, confidentiality, and security. Additionally, the bank's chosen suppliers and partners undergo screening processes and participate in random audits. Some recipients are located or have servers located outside Romania, so your data may reach other countries in the EU/EEA. In certain specific situations, data may be transferred outside the EU/EEA, for example, to the USA, in the case of transfers via SWIFT.
- Depending on your status and relationship with BCR, we will store data in accordance with data retention standards, with different periods (mostly ranging from 3 to 10 years – from the end of the financial year in which the business relationship ended), depending on data categories and legal requirements. However, please note that in some cases, the deadlines start running based on the closure of the business relationship with the bank, i.e., from your last interaction or use of BCR's services/products.
- Data security is a constant concern for BCR, ensured throughout processing activities (collection, storage, use, transfer) considering the respective processing context. In this regard, we implement technical and organizational measures to protect against unauthorized access, unauthorized or illegal processing, as well as against accidental loss, destruction, or damage to personal data. The measures are intended to ensure the confidentiality, integrity, and availability of your data. Obligations regarding ensuring the confidentiality and security of personal data apply to our employees and authorized personnel who access and use this data on our behalf.
- GDPR provides you with certain rights that you can exercise, which are not absolute: access, erasure, rectification, restriction, and the right to lodge a complaint with the ANSPDCP.
If you are a client or a client representative, we have dedicated information documents regarding data processing for you based on the product:
- If you have loans (including Credit Bureau information) – here; Separate Credit Bureau Information - here
- If you have investment products – here
- If you have current accounts or other products/services – here
- If you make occasional transactions – here
- If you are in a contractual relation with a company, a BCR client – here
- If you are a candidate for one of the open positions at BCR, you can find the dedicated information document here.
Last but not least, within the digital services of George, you will find specific information.
Depending on your role (contractual partner, collaborator, third party), BCR processes your data for different purposes and legal bases as follows:
If you are a contractual partner of BCR (including representatives of the partner, participants in media and CSR initiatives, evaluators, agents, service providers, tenants, owners and/or representatives of leased or purchased properties by BCR, insurance agents, brokers, intermediaries, etc.), we will process your data as follows:
A. To fulfill legal obligations, for the following purposes:
- compliance with applicable legal norms in the banking sector to meet customer due diligence requirements, prevent fraud, combat money laundering activities, and counter terrorism financing, daily reporting of transactions according to applicable laws, conflict of interest management, handling of supervisory controls related to the partnership;
- fulfillment of all BCR obligations related to prudential and banking supervision performed over BCR and the Erste Group and reporting to the Erste Group or supervisory authorities;
- administrative and financial management;
- preparation/prior archiving and archiving in accordance with legal provisions of contractual documentation (including ensuring related operations) and/or documents containing personal data;
- internal audit;
- ensuring security within BCR premises and its branches;
- fulfillment of all BCR obligations related to banking supervision conducted over BCR and reporting to supervisory authorities;
- data quality management;
- management of relationships with public authorities or other entities providing public services (judicial executors, notaries, etc.);
- implementation of technical measures to ensure the security of personal data (including creating backups).
- For purposes related to customer due diligence, anti-money laundering, and counter-terrorism financing, processing is also carried out to fulfill a public interest task, according to Article 22 of Law no. 129/2019.
B. For the purpose of concluding and executing contracts, for the following purposes:
- conducting any legal relationships resulting from contracts concluded with BCR;
- debt collection/recovery of receivables (as well as related activities, including due diligence);
- conclusion and/or execution of insurance and reinsurance contracts;
- proper monitoring of all obligations assumed by BCR's contractual partners (natural persons) towards any entity within the BCR Group;
C. For the purpose of fulfilling BCR's legitimate interests, for the following purposes:
- implementing an internal reporting line for non-compliance reported by any persons regarding the financial-banking services offered;
- improving the banking services provided by enhancing internal flows, policies, and procedures;
- ascertaining, exercising, or defending the rights of BCR and/or its subsidiaries in court, as well as gathering evidence in this regard;
- conducting merger and/or acquisition processes in which BCR is involved;
- designing, developing, testing, and using existing or new IT systems and IT services (including storing databases domestically or abroad);
- managing complaints related to BCR services.
For the processing of data of representatives of companies for the purposes mentioned in section B above, these processing activities are carried out based on BCR's legitimate interest since the contract is concluded with a legal entity.
If you are a third party without a direct contractual relationship with BCR (payment beneficiary, visitor to BCR premises, individuals whose data is requested by certain authorities), in certain situations, BCR processes your data as follows:
A. To fulfill legal obligations, for the following purposes:
- compliance with applicable legal regulations in the banking sector to meet customer due diligence requirements, prevent fraud, money laundering, and counter terrorism financing, manage conflicts of interest, handle controls from authorities;
- ensuring security within BCR premises and its branches;
- managing relationships with public authorities or other entities providing public services (bailiffs, notaries, etc.);
- archiving;
- internal audit;
- fulfilling all BCR obligations related to prudential and banking supervision over BCR and the Erste Group and reporting to the Erste Group, supervisory authorities, or other competent authorities;
- data quality management;
- implementing technical measures to ensure the security of personal data (including creating backups).
- For purposes related to customer due diligence, anti-money laundering, and counter-terrorism financing, processing is also carried out to fulfill a public interest task, according to Article 22 of Law no. 129/2019.
B. To fulfill BCR's legitimate interests in the context of its business activities, for the following purposes:
- implementing an internal reporting line for non-compliances reported by any individuals related to you;
- improving banking services provided by enhancing internal flows, policies, and procedures;
- managing complaints received from you;
- establishing, exercising, or defending BCR's and/or its subsidiaries' rights in court, as well as providing evidence in this regard;
- participating in mergers and/or acquisitions processes involving BCR;
- designing, developing, testing, and using existing or new IT systems and services (including storing databases domestically or abroad).
In addition to the data provided by you directly or indirectly, through representatives, we process several categories of data, as follows:
- Data resulting from the customer due diligence process, anti-money laundering, and counter-terrorism financing (KYC/AML) – including risk profile, identification and contact data, data regarding positions held in certain companies, employer data, data on your or close relatives' public exposure – if you hold certain public exposure functions;
- Data resulting from the lists maintained by the UN, OFAC, and the EU with international sanctions and from consulting public databases such as RECOM and Portaljust;
- Data resulting from alerts or information requests from authorities as well as requests made to certain authorities (Police, Public Prosecutor's Office, National Office for Prevention and Control of Money Laundering – ONPCSB, National Bank of Romania, General Directorate for Persons' Records);
- Data regarding conflict of interest management (interests or kinship relationship with an employee or representative of the BCR Group);
- Data resulting from consulting warning lists with fraudsters and internal databases regarding interactions with BCR/BCR Group;
- Image and voice if you are captured by CCTV cameras installed in territorial units and BCR headquarters or if you communicate with us through recorded calls;
- Data resulting from the specific aspects of the business relationship with BCR, including data from correspondence, data resulting from service provision (e.g., beneficiary's IBAN or other payment beneficiary information), and monitoring the status of the business relationship, etc.
Refusing to provide personal data may result in the impossibility of providing banking services or fulfilling other processing purposes by BCR.
What profiling does BCR carry out?
Depending on the status held, BCR may create profiles based on your data or conduct automated decision-making processes regarding you to fulfill the purposes mentioned in this Policy.
Profiling involves the automated processing of your data to evaluate or analyze aspects related to you, such as preferences (such as those in BCR applications), debt level, or transactional behavior. Another example of profiling is the classification into a risk category from the perspective of money laundering, terrorism financing, and international sanctions. Also, the use of cookies may involve creating profiles regarding website users used for traffic analysis or marketing purposes.
What automated decision-making processes does BCR implement?
Automated decision-making processes are regulated by Article 22 of the GDPR and refer to decisions made by BCR without substantial human intervention that can have legal effects or similarly affect you significantly. For example, BCR uses:
- Determining the eligibility to contract a banking product by applying automated elimination criteria, such as identifying a high debt level relative to income for obtaining a loan;
- Checking individuals in international sanctions lists to see if a business relationship can be initiated with them.
Regarding these automated decision-making processes based on your consent or the necessity of entering into or performing a contract, in addition to the rights mentioned below, you have the following rights: the right to obtain human intervention; the right to express your point of view; the right to challenge the decision. These rights can be exercised by making a request at any BCR branch or writing to dpo@bcr.ro.
BCR may disclose certain categories of personal data to the following categories of recipients: your representatives or BCR's representatives, entities within the BCR and Erste Group, judicial authorities or other public authorities of any kind, international organizations, service providers and goods suppliers, banking institutions, debt collection agents or debt recovery agents (including potential ones), assignees of claims held by BCR, insurance and reinsurance companies, professional organizations, market research organizations, your employer as a result of the legal relationships existing between them and BCR, other contractual partners or authorized representatives of BCR.
BCR may transfer certain categories of personal data outside Romania, to countries within the EEA: Austria, Czech Republic, Hungary, Croatia, Belgium, Germany, as well as outside the EEA to the United States of America and the United Kingdom. For transfers outside the EEA, BCR will base the transfer of personal data on the standard contractual clauses adopted by the European Commission (along with additional protective measures, when applicable) or other safeguards recognized by law (such as adequacy decisions – as in the case of data transfer to the United Kingdom).
During its activities, it is possible that the transfer countries may change, in which case the above list will be updated.
BCR will process personal data for the duration of fulfilling the purposes mentioned above, as well as subsequently for compliance with applicable legal obligations, including but not limited to provisions regarding the obligation to archive and BCR's legitimate interests. Following the completion of legal archiving periods, BCR may anonymize the data, thereby removing their personal character, and continue processing anonymized data for statistical purposes.
BCR conducts marketing activities that involve data processing, primarily with our clients and only if they have given consent. For individual clients, we also offer the possibility of receiving tailored offers based on their profile.
Agreements can be provided when contracting our products/services, updating data, or anytime during the business relationship. It is important to note that these agreements can be withdrawn at any time, with the effect being for future actions, meaning previous processing is not affected.
Through marketing activities, we provide personalized information regarding products/services of the BCR Group and Erste under the agreements mentioned below.
Terms of agreements of BCR Group and Erste Group
(1) Marketing Agreement on BCR Channels and Digital Environment
I agree to receive communications about the most suitable products and services from BCR, the BCR Group, or partners and the Erste Group** (such as loans, insurance products, optional pensions, financial/operational leasing products, investments, and/or savings) and to benefit from a communication experience on the bank's communication channels (email, SMS, George) and in the digital environment (social media platforms like Facebook, Instagram, LinkedIn, and Google) or other electronic means that may not involve a human operator.
Personalized communications from BCR include opportunities, notifications, and commercial messages transmitted via email, SMS, through the George platform, social media platforms (if you have accounts), or other automated electronic means.
If you do not agree with the above options and personalized offers for you, we will only send you contractual communications or those based on legitimate interests or generic advertisements through other means (e.g., advertising banners on Facebook/Google, through cookie technology).
Personalized Communication on Social Media
We will use contact data only in the form of a securely generated anonymous code to identify and transmit personalized communications accessible to your user when using social media (if you have such accounts). Social media platforms will only receive that anonymized and secured code, which they will match internally.
(2) Profiling Agreement
I agree to receive personalized marketing communications based on my profile created by combining client data held by the BCR/ERSTE Group (products, transactions, how you use George, etc.) and preferences inferred from visited websites (if I also consent to cookies on www.bcr.ro), based on unique identification codes (client code, device code, cookie code).
Your agreement will allow us to use your BCR/ERSTE Group client data and data resulting from browsing history (your inferred preferences from this history via cookies) to offer you personalized opportunities or transmit dedicated commercial messages on websites (ad banners) and communication channels used by BCR (including SMS, email, George app). Thus, we will know not to send you commercial messages for products that we have indications you are not interested in or already own, and we will adapt communication by placing advertising banners for a product we believe you do not own and might be interested in.
We use data related to:
Products held, transaction history, interactions with BCR applications/services such as George or Moneyback, data from legally queried databases such as Credit Bureau, ANAF, Credit Risk Bureau, or Trade Registry, employer, income source, data related to interactions with BCR and relationship history or a company in which there was a shareholder/director association with BCR or companies from the BCR/Erste Group, client code, cookie code, device code, accessed websites.
How do we identify you online on websites?
We correlate three identifiers: your client code; the device code you access George from, and the cookie ID used by your browser.
Examples: creating personalized offers based on transaction data and demographics; actively recommending activation of the Moneyback bonus service based on payments made to operators with active offers on the platform; placing an advertising banner on a visited website advertising a product you do not own; placing a dedicated purpose credit ad (e.g., studies) to a customer who accessed relevant internet domains.
**Based on the agreement, you may receive communications from BCR regarding products from the following group/partner companies: BCR Pensii Societate de Administrare a Fondurilor de Pensii Private SA, BCR Leasing IFN SA, BCR Banca pentru Locuințe, BCR Asigurări de Viață Vienna Insurance Group SA, Omniasig Vienna Insurance Group, BCR Fleet Management SRL, BCR Social Finance IFN SA.
Note: These versions of agreements are applicable only to customers who have consented to them. If you became a customer in the past, you may have checked previous versions of these agreements.
This site uses cookies. If you want a personalized experience on BCR websites, you can have one by accepting the use of cookies. More details on cookies and how they are used are available here.
BCR places great importance on your personal data. Data security is ensured throughout processing activities (collection, storage, use, transfer) taking into account the specific processing context. In this regard, we implement technical and organizational measures to protect against unauthorized access, unauthorized or illegal processing, as well as against accidental loss, destruction, or damage to personal data.
These measures are intended to ensure the confidentiality, integrity, and availability of your data. Obligations regarding ensuring the confidentiality and security of personal data apply to our employees and authorized personnel who access and use this data on our behalf.
Your rights
- Right to information: regarding the processing activities carried out by BCR;
- Right of access to data: you can request and receive confirmation from BCR regarding data processing (what data we process and for what purpose, where and how long we store it, who has access to it, etc.). The Bank will grant access to data to the data subjects, except where it is impossible for them to identify the requested information or where the data subject's access request is clearly unfounded or excessive;
- Right to rectification: of inaccurate data, as well as the completion of incomplete data (e.g., if you have changed your phone number or email address, you can contact us to update this information);
- Right to erasure: regarding some or all of the data we have about you;
Important! We may not be able to comply with the request in all cases (e.g., the law requires us to retain data for a certain period; the data is useful for a legitimate interest or for defending a right in court);
- Right to restriction: you can request that we do not use your data but only store it until another request from you is resolved, namely:
- you have requested data rectification;
- you have objected to data erasure in the case of unlawful processing;
- you have requested that we provide certain data to defend a right;
- you have objected to data processing - see the right to object below.
- Right to data portability: you can request that your data be provided to you in a commonly used and machine-readable format (e.g., via email). Additionally, you can request that your data be transmitted to another controller;
- Right to object: you can object to data processing carried out on the basis of BCR's legitimate interest;
Important! We will automatically comply with the request only for processing conducted for direct marketing purposes (e.g., if you receive emails with advertisements from BCR, you can request to unsubscribe). In other cases, we will balance our interests and your particular situation to make a final decision. Therefore, we recommend that you explain why you object to the processing when making the request for a quick resolution.
- Rights regarding automated decision-making: as a rule, you have the right not to be subject to automated decisions that produce legal effects concerning you or similarly affect you to a significant extent (e.g., automatic refusal to enter into a contract with you based on data processing).
Important! In certain situations, the law allows us to make such decisions when we have your consent or if the decision is based on the contract we have concluded or for our legitimate interests. In these situations, you will have the right to contest the decision, express your point of view, and obtain review through human intervention. Additionally, there are situations where the law requires us to implement such automated decision-making processes.
- Right to withdraw consent: when we process data based on your consent.
Important! Withdrawal of consent will only have effect for the future. Processing carried out on another legal basis, such as contract performance, will not be affected by withdrawal.
- Right to lodge a complaint: if you are dissatisfied, you can always address the National Supervisory Authority for Personal Data Processing or competent courts.
If you make a request regarding any of the above rights, please provide the necessary details for BCR to identify the right exercised and meet the exercise conditions required by law. For example, if you submit an objection request regarding certain processing activities conducted by BCR based on the bank's legitimate interest, please provide information related to your particular situation so that BCR can conduct the required legal assessment.
Exercising your rights
For more details on the processing activities carried out by BCR, as well as on exercising your rights in this context, you can contact us anytime using the following communication channels:
1. Request addressed to BCR's Data Protection Officer at dpo@bcr.ro – dedicated channel for personal data protection matters;
2. Request through Info BCR (24/7) at 0800.801.BCR (0800.801.227), toll-free call from any national network, or at contact.center@bcr.ro;
3. Using the data protection request form on the BCR website, in the Privacy Policy section, using your internet banking credentials;
4. By mail, at our headquarters, or at territorial units;
5. Through the Credit Bureau Portal.
If you wish to exercise any of the rights provided under the policy, please be advised that we have an obligation to authenticate you. Authentication is a procedure through which your identity is verified and confirmed by BCR by asking specific questions to ensure that the information is not requested or disclosed by unauthorized persons. Therefore, after you submit your request, depending on the channel you choose to contact us, authentication will need to be done as follows:
- If you are at a territorial unit or contact us by phone, authentication will be done on the spot by a BCR representative;
- If you contact us via email or by mail, you will be called by a BCR representative who will guide you through the authentication process described above;
- For requests submitted through the contact form on the website, in the Privacy Policy section, authentication is only done at and for logging into the internet banking application, using a password, fingerprint, PIN code, etc., according to the settings you have chosen;
- For requests submitted through the Credit Bureau portal, authentication is done at the time of creating the user account in the portal, according to the instructions that can be accessed at the following link: https://www.birouldecredit.ro/wps/portal/bcro/Home/user-enrollment
It is possible that we may update the information and sections of the policy. By frequently consulting this website, you ensure that you are aware of the processing activities undertaken by BCR.
The BCR website may include links to other websites managed by other entities. The data processing on these websites is not controlled by BCR and is governed by the privacy policies applicable to each website individually.