close

We would like to draw your attention to the increase in fraud attempts, both through phishing and spoofing, where attackers send emails with malicious links or call potential victims from a phone number that appears to be the bank's and pose as employees of financial institutions. We advise you to be vigilant and not to share confidential data such as bank account access credentials (IB) or bank card security data with anyone.

Privacy policy

Dear clients,

Please see hereinafter the information regarding the processing of personal data, namely when and why we collect your personal data, how we use it, the terms pursuant to which we may disclose it to others, how we store it safely and what are your rights in connection with such processing according to the law. 
 

1. Controller of personal data / Contact details of the controller

OTP BANK ROMANIA SA, a two-tier company, based in Romania, Bucharest, sector 1, str. Buzesti nr. 66-68, registered in the Bank Register under no. RB-PJR-40-028/1999, EUID: ROONRCJ40/10296/1995,  registered with the Trade Register Bucharest, under no. J40/10296/1995, tax registration code RO7926069, controller of personal data registered with the National Supervisory Authority for Personal Data Processing based on notification no. 2689,  telephone: 0800 88 22 88 /(+4) 021 308 57 10,  e-mail: office@otpbank.ro, processes your personal data as a controller in accordance with the provisions of the (EU) Regulation No. 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Regulation) and Law no. 190/2018 regarding the measures to implement the Regulation, in good faith and in achieving the purposes specified in this information.

2. Data protection officer / Contact details of the data protection officer

Within the controller, the data protection officer may be contacted at the headquarters of the aforementioned controller or by e-mail at dpo@otpbank.ro. If you have any questions or suggestions/complaints or if you want to exercise any of the rights you have, as a data subject, regarding the data protection, we are at your disposal at the headquarters of the aforementioned controller, at dpo@otpbank.ro or you may use the call centre number 0800 88 22 88 or + 4021 308 57 10. Please note that in order to properly identify you so we could respond to your request, we may ask you for additional documents or information. All requests shall be resolved promptly, in accordance with the applicable legislation and free of charge. However, if the requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, according to the law, the controller may: (a) either charge a reasonable fee, taking into account the administrative costs of providing the information or the notification or for taking the measures requested, (b) or refusing to comply with the request.

3. Personal data

The processed data, depending on the service/product and/or the contract concluded with the controller (hereinafter the Bank), is, as the case may be, the following:

i.    identification data: name, surname, pseudonym (if applicable), date and place of birth, personal identification number (CNP/NIF) or another similar unique identification element such as the CUI (sole registration number) for self-employed individuals or CIF (tax identification number) for individuals who carry out liberal professions, date and place of birth, citizenship, marital status, country of tax residence, series and number  of the ID card/Passport, other data from the identity or civil status documents as well as copies thereof, the address of domicile/ residence, profession, occupation, the name of the employer or the nature of its own activity, information about the important public office held, if applicable, political opinions (exclusively in the context of obtaining information related to the quality of the publicly exposed person - PEP), expressed including in the complaints/grievances/conversations related to products/services/employees of the bank, the quality, the holdings and, as the case may be, the representation powers held within legal entities, data regarding the beneficial owner, as the case may be, the image (contained in the identity documents or captured by the video surveillance cameras installed in the bank's units or at the OTP equipment, including that transposed in the biometric template), the voice (within the conversations and recordings of the telephone or audio/video conversations,  initiated by you or by us), the signature/specimen signature, handwritten or digital, as the case may be; 
ii.    contact details: correspondence address (if applicable), telephone number, fax number, e-mail address; 
iii.   identification codes: allocated by OTP or by various providers, necessary for the provision of services, such as, but not limited to: client code, internet banking username, the series and no. of the allocated token, transaction identifiers, including related logs, IBAN codes attached to the bank accounts, debit/ credit card numbers, card expiration date, contract numbers, traffic data and the IP address of the device used to access our services exclusively in order to ensure the security measures for the transactions carried out through these services, so as to prevent fraud; 
iv.    data regarding the fraudulent/potentially fraudulent activity, consisting of data regarding crimes such as fraud, money laundering and financing of terrorist acts, including data regarding the inaccuracies found in the documents/statements submitted to the Bank, obtained based on the forms, statements and documents submitted, drafted or filled-in; 
v.    financial data related to the source of the funds, your account activity opened with our bank, invoices, recurring payment commitments that may occur including from garnishments or foreclosures communicated to the Bank as a garnished third party; 
vi.    any other data necessary or useful in order for the Bank to perform its activity for the purposes described, according to the law; 

For lending products, the Bank also processes data such as: 

i.    data regarding the requested/granted credit products: the type of product, the status of the product/account, the date of granting, the granting term, the amounts granted, the amounts due, the due date, the currency, the frequency of payments, the amount paid, the monthly instalment, the outstanding amounts, the number of outstanding instalments, the number of days of delay, the category of delay, the date the product is closed; 
ii.    data about the economic and financial status related to the source, type, fluctuation and level of your income, seniority, data on the assets held/owned, the number of dependents, the monthly payment commitments, other loans you own; 
iii.    data regarding your creditworthiness: credit score, payment / saving/indebtedness behaviour; 
iv.    health data, only if the processing of such data is necessary in the context of the provision/development of insurance products/services intermediated by the bank or owned by customers and the coverages provided by them or for the customers to prove the difficult situation in which they or their family members find themselves, in the context of the insurance products held or that are to be purchased; 
v.    any other data that results necessary or useful in order for the Bank to carry out its activity for the purposes described, according to the law.
 

4. Data source

The processed personal data constitute data: i. communicated to the Bank either directly, by you, or indirectly (by the authorised representative or by other persons representing you in your relation with the Bank) made available in order to initiate the contractual relationship/update the data/purchase of products and services/ordering operations/formulating requests in connection with the contractual relationship, regardless of the communication channel used; ii. obtained, depending on the service/product chosen and/or the contract to be concluded with the Bank, by consulting public sources, such as: public institutions and authorities (for example, ANAF, BNR – Central Credit Risks or The Payment Incidents Central Office, FNGCIMM), registers and electronic databases (for example, the portal of the courts, the Credit Bureau), entities involved in payment operations (e.g. international card organizations Visa and Mastercard, the Central Depository).

5. Legal grounds and purposes of personal data processing

The bank processes your personal data as a potential client, client, borrower, debtor, co-debtor, guarantor, beneficial owner, user, authorised person, delegated person or legal/conventional representative (hereinafter "data subject"), as the case may be, based on the following legal grounds: 

a. In order to conclude and carry out the contractual relationship with the Bank according to Art.6 paragraph 1 letter. b) of the Regulation for the following purposes: 

  • providing credit products and/or services and credit access products (current account, internet banking, cards) as well as in order to be able to subsequently execute your instructions regarding the functioning of the respective products/services (e.g. processing receipts/payments/other types of operations with the specificities of the transactional channel used – counter, internet/mobile banking, telephone, specific ATM equipment,  performing currency exchanges, performing card operations, carrying out transactions specific to treasury products/services/ capital market/mutual funds/custody, etc.); 
  • monitoring the fulfilment of the contractual obligations, notifying you with regard to the concluded contracts (e.g. modification/completion of features/costs/functionalities/product benefits/services, information about due/overdue instalments, insurance premiums due, monitoring guarantees, etc.), taking the necessary measures as a result of non-compliance with the respective contractual obligations (e.g. debt collection/debt recovery/ declaring the anticipated maturity, reporting the negative data to monitoring systems such as credit agencies, as well as activities prior to them, foreclosures for the amounts due as well as of the administration of garnishments and seizures, reporting to the authorities, etc.); 
  • reporting and transmitting the necessary information/documents to the guarantee funds (e.g. FNGCIMM, FGCR);
  • intermediation of the conclusion, monitoring and subsequent administration of the insurance contracts. 

b. In order to fulfil the legal obligations according to art.6 para.1 letter c) of the Regulation for the following purposes:  

  • carrying out the analysis regarding the information about the clientele, risk analysis, reporting of suspicious transactions, fraud prevention, according to the applicable legislation on the information about the clientele in order to prevent money laundering and terrorist financing, as well as to establish measures to prevent and combat the financing of terrorist acts; 
  • making reports, submitting statements, carrying out activities related to the audits carried out by the authorized authorities / institutions, such as: ANAF, ANPC, BNR, CRC, ANSPDCP, ASF/BVB, Competition Council, etc.; 
  • to obtain the due amounts using foreclosures as well as the administration of garnishments and liens, according to the provisions of the special laws in the field; 
  • carrying out audit missions; 
  • making reports under FATCA (The US Foreign Account Tax Compliance Act), if you are a U.S. citizen/resident;  
  • managing customer complaints;  
  • reassessment of guarantees, calculation of provisions; 
  • auditing the Financial Statements of the Bank; 
  • approval of the documents transmitted/submitted to the capital market institutions; 
  • administration of internal registers; 
  • record-keeping and management of operational risk events; 
  • ensuring physical security through video monitoring (including ATM), access cards and visitor register (reception); 
  • making backup copies of the information; 
  • keeping and archiving documents, complying with the prudential requirements applicable to credit institutions, related to the services contracted by you, as well as other operations necessary for the execution of the contract(s) concluded. 

c. In order to carry out the legitimate interests of the Bank according to art.6 para.1 letter f) of the Regulation for the following purposes: 

  • performing internal analyses (including statistical analysis)/market surveys, both on products/services and on the customer portfolio, to monitor customer satisfaction and the quality of the purchased services and products in order to continually improve and develop the internal products/services/processes; 
  • design, development, testing and use of the existing or of the new information systems and of the IT services, storage of databases in the country/EU, as the case may be; 
  • direct marketing, as the case may be; 
  • planning a strategic development, making forecasts on the portfolio dynamics, making business forecasts on the performance indicators, establishing budgets, establishing cost elements for the Bank's products/services; 
  • determining the payment structures for intermediaries; 
  • analysing and minimizing the risks to which the Bank is exposed; 
  • monitoring transactions to prevent fraud and to investigate the potentially fraudulent ATM withdrawals; 
  • carrying out internal reports to the bank's management bodies and the OTP business group to which the Bank belongs in order to ensure prudential measures;  
  • ensuring a high level of security both in terms of information systems and within the physical locations (e.g. territorial units, headquarters); 
  • setting up the archive and its management; 
  • the conclusion and management of financing contracts or assignments of receivables; 
  • debt collection/debt recovery;
  • establishing, exercising or defending in court some  of the Bank’s rights; 
  • recording interactions through official communication channels, in order to provide proof of the request /agreement/option regarding certain financial-banking services, as the case may be.  

d. Based on your consent according to art.6 para.1 letter a) of the Regulation for the following purposes: 

  • for the verifications/interrogations underlying the analysis of credit risks within the databases represented by the Credit Bureau, the Credit Risk Central Office and ANAF, if the data subject has requested a credit, which will be obtained through a separate document, as the case may be, in case a separate legal basis is not operated in order to achieve the credit conditions; 
  • for direct marketing purposes in order to achieve commercial communications, as the case may be; 
  • in order to make the audio/video recording of the conversations with the Bank; 
  • in order to process health data only if it is necessary in the context of providing/carrying out the insurance products/ services intermediated by the bank or owned by the clients and the coverages provided by them or for the clients to prove the difficult situation in which they or their family members find themselves, in the context of the insurance products owned or that are to be purchased. If you have not agreed to these operations, these will not be performed by the Bank.

The refusal to correctly and completely provide the personal data for the purposes mentioned above may prevent the Bank from properly fulfilling its contractual or legal obligations and may entail your impossibility to contract the Bank's services or those intermediated by the Bank, the cessation or restriction of the banking/intermediated services, as the case may be.

6. Categories of recipients of personal data

In order to be able to offer you the best services and to maintain our competitiveness in the banking sector, we communicate certain data within and outside OTP, only to the extent that it is necessary in order to carry out a certain legitimate task, observing the principles of legitimacy of data processing operations and, in particular, the principle of minimizing personal data, this being limited to what is strictly necessary in order to achieve the legitimate goals pursued by the controller. The recipients may be:

  • OTP entities for operational, regulatory or reporting purposes, including in a centralized storage system or for global processing such as, for example, to perform the verification of the new clients, to comply with certain laws, to guarantee the security of information systems or to provide certain services (See the section "About us. OTP Group" for the complete list). 
  • Government authorities to comply with our regulatory obligations, for example in order to combat acts of terrorism and to prevent money laundering. In some cases, we are required by law to communicate your personal data to external parties, including: • Public, tax, regulatory authorities and supervisory bodies. • Judicial/investigative authorities, such as the police, public prosecutors, courts and arbitration/mediation bodies, upon their express and legal request. • Lawyers, for example, in case of bankruptcy, notaries public, for example, in the case of granting a mortgage loan, administrators who manage the interests of other parties and auditors of the company. 
  • Financial institutions, partner banks and correspondent banks, banks or financial institutions participating in syndicated loans. If you withdraw cash, pay by debit card or make a payment in an account opened with another bank, the transaction will always involve another bank or a specialized financial company for processing inter-banking payments and transmitting information on inter-banking operations (e.g.: Transfond S.A., Society for Worldwide Interbank Financial Telecommunication - SWIFT). In order to process payments, we must communicate to the other bank information about you, such as your name and your account number. Sometimes, we communicate personal information to banks or financial institutions in other countries; for example, if you make or collect an external payment. We also communicate information to business partners whose products we sell, such as insurance companies. 
  • Service providers. If we use other service providers, we only communicate personal data that is necessary so as to perform a certain task. Service providers support us with activities such as: • telecommunications, IT/internet banking, marketing and managing the communication with the clients, archiving in hard paper and/or electronic format, freight, audit, technical maintenance of CCTV equipment, digital certification related to electronic signatures, payment processing, issuing and enrolling cards (eg. Mastercard, Visa) etc.
    Details about the recipients (name/denomination) can be found on our web page, accessing the www.otpbank.ro. 

7. Transfer to third countries and safety measures

Depending on the locations where the OTP servers or those of its representatives are located, on which the data will be stored or depending on the location of certain recipients of the data, the personal data could be transferred, as the case may be, to other Member States of the European Union, respectively of the European Economic Area.

Unless the law expressly requires otherwise or unless it is strictly necessary for the fulfilment of the contract by the Bank, respectively of the obligations assumed towards you, we will not transfer the personal data outside the European Economic Area. In the event that the Bank has to transfer data to third countries, we will transfer only that personal data that is strictly necessary for the execution of the contract and/or of the obligations assumed (for example, you order us to make an international bank transfer or you use the bank card in states outside the European Economic Area). We recommend that, prior to ordering the execution of some contractual obligations (before ordering transfers, using the card abroad, etc.) you check whether the state complies with certain minimum measures and ensures an adequate level of data protection.

In situations other than those mentioned above, if, exceptionally, in order to execute a contract with a third party and/or the obligations assumed towards third parties, the Bank performs, on its own initiative or at the initiative of a third party, a transfer of personal data concerning you, to a third state, determined protection measures will be implemented in the event of such a transfer, and the data subjects will be notified accordingly.
 

8. Data storage period / Criteria for determining the storage period

We will keep your personal data for the period of time necessary to comply with the contractual obligations assumed towards you, respectively for the period of time necessary to comply with the applicable legal obligations. The Bank will periodically conduct review sessions of the processed personal data in order to ensure that the data or certain categories of processed personal data is not kept for any longer periods than necessary. In order to determine the period for which the data will be stored, we take into account the contractual duration, until the execution /expiration of the contractual obligations, as well as the archiving deadlines. Thus, the Bank will store personal data, as the case may be, for a period of: 

  • 5 years from terminating the business relationship with the client for keeping the identification documents, monitoring and the verifications performed, based on the provisions of Art. 21 para. (1) Law no.129/2019 for the prevention and combating of money laundering and terrorism financing, as well as for the amendment and completion of some normative acts; 
  • 10 years for keeping the supporting documents as of performing the operations on the accounts, including the logs related to the transactions, based on the provisions of Art. 25 of the Accounting Law no. 82/1991; 
  • 30 days after recording the data processed through the video surveillance systems, based on the provisions of Art. 93 Methodological Norms for the application of Law no. 333/2003 on the protection of objectives, goods, values and the protection of persons; 
  • If you have expressed your consent to the processing of your data for direct marketing purposes, including profiling for direct marketing purposes, we inform you that the data processing, for this purpose, will take place during the contractual relationship with OTP Bank Romania SA, as well as 1 year after its termination. If you withdraw your direct marketing consent, OTP Bank Romania SA will no longer process your data for this purpose. 

9. Rights of the data subject with regard to personal data

As a data subject, you have the rights provided by Articles 7 (3) and 15-22 of the (EU) General Regulation on data protection no.2016/679 ("GDPR"), as follows:

Right of access under Article 15 of GDPR

You have the right to obtain from us a confirmation that the personal data concerning you is being processed or not and, if so, access to the respective data and to the following information:

a)    the purposes of the processing;
b)    the categories of data concerned;
c)    the recipients or categories of recipients to whom the data has been or is to be disclosed, in particular recipients from third countries or international organizations;
d)    where possible, the period for which the data is expected to be stored or, if this is not possible, the criteria used to determine this period;
e)    the right to request from the Bank the rectification or deletion of the data or the restriction of the processing of the data regarding the data subject or of the right to oppose the processing;
f)    the right to file a complaint with a supervisory authority; 
g)    if the data is not collected from you, any available information on its source;
h)    the existence (if applicable) of an automated decision-making process including the creation of profiles, as well as, at least in the respective cases, relevant information on the logic used and on the importance and expected consequences of such processing for the data subject
i)    in case of a transfer of your data to a third country or to an international organization, the appropriate safeguards under Article 46 of the GDPR regarding such a transfer.

The Bank shall provide upon request a copy of the personal data subject to processing. For any other copies requested, the Bank may: (a) either charge a reasonable fee, taking into account the administrative costs of providing the information or the notification or taking the measures requested, (b) or refusing to comply with the request if it is manifestly unfounded or excessive, in particular because of its repetitive nature. 

If you enter the request in electronic format and unless you request another format, the information will be provided to you in a commonly used electronic format.

Right to rectification under Article 16 of the GDPR

You have the right to obtain from the Bank, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes for which the data was processed, you have the right to obtain the completion of personal data that is incomplete, including by providing an additional statement.

Right to erasure ("right to be forgotten") under Article 17 of the GDPR

You have the right to obtain from the Bank the deletion of the personal data concerning you, without undue delay, in case of any of the following reasons:
a)    the personal data is no longer necessary for the purposes for which it was collected or processed;
b)    you withdraw your consent according to which the processing takes place and there is no other legal basis for the processing;
c)    you exercise, at any time, the right to opposition, for reasons related to the particular situation in which you find yourself, the processing based on the legitimate interest of the Bank, including the creation of profiles based on the respective processing and there are no legitimate reasons that prevail regarding the processing;
d)    you exercise, at any time, the right to object, with regard to the processing for direct marketing purposes, including the creation of profiles, to the extent that it is related to the respective direct marketing;
e)    the personal data has been unlawfully processed;
f)    personal data must be deleted in order to comply with a legal obligation incumbent on the Bank.

In certain situations, the law provides for certain limitations regarding the exercise of this right, for example, by way of exception, the deletion of data will not be possible immediately, and the Bank may refuse to delete the data, if the processing (storage) is necessary for the observance of a legal obligation (for example, activities related to the Bank's archive of documents), for the establishment, exercise or defence of a right in court by the Bank or for the exercise of the right to free expression and  to the information. Also, we will not delete the data in case the Bank has a legitimate interest to process the data, an interest that prevails according to article 6 paragraph (1) letter (f) of the GDPR over your rights and freedoms.

The right to restrict the processing according to Art. 18 of the GDPR

You have the right to obtain the restriction of processing if one of the following cases applies:
a)    you question the accuracy of the data – its restriction will apply for a period that allows the Bank to verify the accuracy of the data;
b)    the processing is illegal, and you oppose the deletion of personal data, requesting instead the restriction of its use;
c)    The bank no longer needs the personal data for processing purposes but you ask for the data in order to establish, exercise or defence a right in court;
d)    you have opposed the processing, for reasons related to the particular situation in which you find yourself, the processing based on the legitimate interest of the Bank, including the creation of profiles based on the respective processing – the restriction will apply for a period that allows the Bank to verify whether the legitimate rights of the controller prevail over those of the data subject.

If the processing has been restricted according to the above, such personal data may, except for storage, be processed only with your consent or for the establishment, exercise or defence of a right in court or for the protection of the rights of another natural or legal person or for reasons of public interest.

Right to data portability under Article 20 of the GDPR

You have the right to receive your personal data that you have provided to the Bank, in a structured format, currently used and which can be read automatically and you have the right to transmit this data to another controller, without obstacles from the Bank, if the processing is based on your consent or the need to execute a contract, and the processing is carried out by automatic means.
In exercising the right to portability you have the right for personal data to be transmitted directly by the Bank to another controller, where this is technically possible.

The exercise of this right does not prejudice the right to erasure of data and the rights and freedoms of others.

The right to opposition under Article 21 of the GDPR and the right to withdraw your consent under Art. 7 (3) of the GDPR

At any time, you have the right to oppose, for reasons related to the particular situation in which you find yourself, the processing based on the legitimate interest of the Bank, including the creation of profiles based on the respective processing. In such a case, the Bank will no longer process the data, unless it demonstrates that its legitimate reasons justifying the processing prevail over the interests, rights and freedoms of the data subject or that the purpose of processing your data is to establish, exercise or defend a right in court.

When the purpose of the processing is the direct marketing, you have the right to oppose at any time such processing of data concerning you, including the creation of profiles, to the extent that it is related to direct marketing, and the Bank will cease processing personal data for such purposes.

Moreover, in all cases where the processing is based on your consent, you have the right to withdraw your consent at any time, without being prejudiced in any way. According to the law, the withdrawal of the consent will not affect the legality of the processing carried out by the Bank before the withdrawal of such consent.

The right not to be subjected to an automated individual decision, including profiling under Article 22 of the GDPR

As a data subject, you have the right not to be subjected to a decision based solely on automatic processing, including the creation of profiles, which produces legal effects that concern you or similarly affect you to a significant extent. This prohibition does not apply if the decision:
a) is necessary for the conclusion or execution of a contract between you and the Bank;                                                      
b) is authorized by the Union law or the national law that applies to the Bank and which also provides appropriate measures to protect your legitimate rights, freedoms and interests, or          
c) is based on your explicit consent.

If you are subjected to an automated individual decision, including profiling, according to the above, you will also have the right to obtain human intervention from the Bank, to express your point of view and to challenge that decision.

You may exercise at any time, any of these rights, you can access and update your data at any time or obtain additional information using the contact details in the section Data Protection Officer / Contact details of the data protection officer. You will receive information on the actions taken following a request regarding your rights, without undue delay and in any case no later than one month after receiving the request. According to the law, this period can be extended by two months when necessary, taking into account the complexity and number of applications. You will be informed of any such extension within one month after the receipt of the request, including the reasons for the delay. If the data subject submits a request in electronic format, the information shall be provided in electronic format where possible. Also, if we do not take action on the application submitted to us, you will be informed, without delay and within a maximum of one month from the receipt of the request, about the reasons why the Bank does not take action and about the possibility of filing a complaint before the supervisory authority and of introducing a judicial remedy.

The right to file a complaint and to address the court

If you consider that the rights you benefit from as a data subject have been violated, you may address at any time, a complaint or notification in this regard, to the National Supervisory Authority for Personal Data Processing, based in B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania (fax: +40 318 059 602, email: anspdcp@dataprotection.ro).
You may also initiate a legal action before the competent courts of law.
 

10. The security of personal data

The Bank shall make every effort to protect your personal data in our possession or control by establishing the appropriate security measures to prevent unauthorized access, collection, use, disclosure, copying or modification, as well as other similar risks.

11. Specific situations of processing personal data 

By accessing the links below you will find specific information on the processing of personal data, depending on the banking product or service that you have contracted from us or that you want to contract from us, respectively depending on certain specific situations of your relation with us.

a.    If you are or wish to become a client of the Bank for products such as: current accounts and associated products (non-credit), please review the Notice on the protection of personal data - current accounts and associated products (non-credit).
b.    If you are or wish to become a client of the Bank for products such as: loans and credit products (such as: credit cards, personal loan, refinancing, mortgage, overdraft, etc.), please review the Notice on the protection of personal data - loans and credit products.
c.    In case you enter into an occasional relation with the Bank, such as for deposits of amounts in cash made at the bank's counters - to the OTP Bank Romania S.A. accounts for which you do not have the capacity of account holder, authorised representative, delegated with rights to deposit amounts in cash - money transfer services, currency exchanges, etc., please review the Notification on the protection of personal data - non-clients;
d.    Insurance and processing of health data. In order to be able to intermediate a life or life insurance policy and unemployment policy or in the context of submitting an insurance policy to the Bank that, independently, you conclude if you opt for a bank credit product with an insurance policy attached, from the Bank's offer, we draw your attention that,  within the purposes thus mentioned (especially to process your application, to facilitate the start of the contractual relationship, to verify the eligibility criteria related to the issuance and/or management of the insurance policy), we process special personal data regarding your health status. The processing of this data is based on your consent, without which we find ourselves unable to offer you such insurance services. For details, please review the Agreement on the processing of health data.
e.    Direct marketing. If you want to be up to date with the Bank's products and services, with our campaigns and to receive commercial communications from us, we gladly offer you such information through newsletters or similar communications by e-mail, phone or post. OTP Bank Romania S.A. will send marketing communications only on the basis of the explicit marketing agreement expressed by you. For details, please review the Agreement on the processing /profiling for direct marketing purposes.
f.    You are the supplier of the Bank's clients, contractor contracted by the Bank's clients, debtor ceded by the clients to the Bank

Purposes of processing

The Bank collects, uses and discloses your personal data for the following purposes:

i.    performing the administrative and support processes related to the collection of cheques and/or promissory notes endorsed and/or invoices assigned in favour of the Bank, performing the necessary banking operations in this regard and/or performing banking operations in accordance with the clients’ instructions (receiving funds, transferring funds, obtaining information on the situation of accounts and operations performed through accounts, etc.);
ii.    in connection with any claim, action or procedure (including, but not limited to, drafting and reviewing documents, drawing up the documentation necessary to carry out a transaction, obtaining legal advice and facilitating the settlement of disputes) and/or for the protection or exercise of our contractual and legal rights and obligations;
iii.    management and preparation of reports for internal purposes, internal audit;
iv.    economic, financial and administrative management, in order to organize and manage the financial accounting of the Bank and to manage the relationship with the client and the contracted services;
v.    debt collection and recovery of receivables owed to the Bank;
vi.    fulfilment of the legal obligations of auditing the Bank;
vii.    fulfilling the legal obligations of the Bank regarding the archiving of documents and information;
viii.    combating tax evasion, preventing fraud attempts and frauds, knowing the clientele, preventing and combating money laundering, as well as preventing and combating the financing of terrorist acts, as well as fulfilling and complying with other legal obligations applicable to credit institutions;
ix.    cooperation with the relevant authorities in law enforcement and in the investigations carried out (including, but not limited to, disclosure to regulatory bodies, carrying out audit controls, for surveillance and research or for checking the creditworthiness of clients);
x.    compliance with any rules, laws and regulations, codes or practices applicable to the Bank;
xi.    the prevention, detection and investigation of criminal offences, including fraud and money laundering or terrorist financing, as well as the analysis and management of commercial risks;
xii.    conducting research and/or analysis for statistical purposes.

Legal basis of processing

The personal data provided will be processed by the Bank, as the case may be, based on:

a)    the necessity of fulfilling a legal obligation incumbent on the Bank, for the purposes indicated at points vi-xi, above;
b)    legitimate interests, more precisely the interest of the Bank to accurately execute the contracts concluded with its clients, to recover its receivables, to carry out its commercial activity in good faith, in accordance with the standards applicable in the banking industry and in compliance with the laws and regulations of tax and/or financial, the internal or corporate regulations applicable, as well as the regulations related to customer relations, for the purposes indicated at points i-v and xii above.

g.    You have contacted us or wish to contact us online (via our website or via Facebook) by phone or any other means, to ask us for information or assistance, to file a complaint or for other similar purposes 

OTP Bank Romania SA observes the privacy of the personal data and undertakes to protect it, including with regard to the personal data that the bank collects and processes through the contact form available on the bank's website, its Facebook account or whenever you write to us or contact us in order to send us requests, applications, suggestions, complaints, etc. (regardless of the method of communication you choose - e-mail, phone, etc.).

When you use the contact form on our site, you reveal data to us through the social platform Facebook or whenever you write to us or contact us to send us requests, applications, suggestions, complaints, etc., we collect, process and use the personal data provided, entering it into a database managed by our bank and by our authorised representatives. This data will not be disclosed to third parties, except for the authorised representatives and contractual partners of OTP Bank Romania SA, who have access/need access to this information in the context of their services, and when the bank must comply with the obligations imposed by the legislation in force. However, we inform you that Facebook will have access to your data through the applications used by it, such as the Like button of the page, being possible to transfer it outside the EU, to the USA. At this time, in the USA there is no adequate level of protection of personal data confirmed by a decision of the European Commission. More information about how data is processed by Facebook can be found on its website https://www.facebook.com/privacy/explanation/.

The personal data offered by you or of which we are aware as a result of the interaction with you will be processed for the administration of the relationship with the bank's clients/potential clients, respectively in order to formulate answers to the requests, applications, suggestions or individual complaints or for the undertaking of appropriate actions as a result of such requests or other client/consumer/potential client support activities by the bank.

Please note that in order to properly identify you to respond to your request, we may ask you for additional documents or information. If you want to be up to date with the Bank's products and services, with our campaigns and to receive commercial communications from us, we gladly offer you such information through newsletters or similar communications by e-mail, phone or post. OTP Bank Romania S.A. will send marketing communications only based on the explicit marketing Agreement expressed by you at the time of your subscription, by accessing the dedicated sections of the www.otpbank.ro website.

You have the right to withdraw your consent or unsubscribe at any time, without being prejudiced in any way. According to the law, the withdrawal of the consent will not affect the legality of the processing carried out by the Bank before the withdrawal of such consent.

The bank will continue to send you notifications and information regarding the products/services you benefit from at the time you withdraw your consent, for other purposes than those related to direct marketing or profiling for direct marketing purposes. 

Your rights as a data subject are detailed in section 9 and we assure you of our entire collaboration if you have any questions or suggestions/complaints or you want to exercise any of the rights you have regarding the protection of personal data.