Notification on the protection of personal data - Current Accounts and Relates Products (NON-LENDING)

This document explains when and why we collect personal data, how we use it, the conditions in which we may disclose it, how we store it safely, and what your rights are in relation to such processing under the law. Information related to the processing and protection of personal data by OTP Bank Romania S.A. (the “Bank”, “we” or “OTP”) is also available on the webpage www.otpbank.ro, Privacy section.

1. Controller/contact details of the controller

OTP BANK ROMANIA S.A., managed in a two-tier system, seated in Romania, Bucharest, Sector 1, str. Buzești, nr. 66-68, registered with the Bank Register under no. RB-PJR-40-028/1999, EUID: ROONRCJ40/10296/1995, registered within the Trade Register Office of Bucharest under no. J40/10296/1995, VAT Reg. No. 7926069, personal data controller registered with the National Supervisory Authority for Personal Data Processing under notification no. 2689, tel.: 0800 88 22 88/+ 4021 308 57 10, email: office@otpbank.ro, processes your personal data as controller in accordance with the Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (The Regulation) and Law no. 190/2018 on implementing the Regulation, in good faith and for the purposes specified herein.

2. Data Protection Officer (DPO)/Contact details of the Data Protection Officer

The data protection officer appointed by the controller can be contacted at the controller’s registered office, at the address mentioned above, or via email at dpo@otpbank.ro. If you have any questions or suggestions/complaints or wish to exercise any of your rights related to data protection as data subject, please contact the Data Protection Officer using the contact details above. We may request additional documents or information to properly identify you in order to answer your request. All requests will be resolved in accordance with the applicable law, and free of charge. However, if the requests are manifestly unfounded or excessive, particularly because of their repetitive nature, the Bank may: (a) charge a reasonable fee, taking into account the administrative costs of providing information or communication or taking the required measures; (b) refuse to answer the request.

3. Processed personal data

The processed data, depending on the service/product and/or the contract concluded with the Bank, is, as the case may be, the following:

i. identification data: last name, first name, pseudonym (if applicable), date and place of birth, personal identification number (CNP/NIF) or other similar unique identification element, such as the single registration number for authorised natural persons or the tax registration number for natural persons carrying out liberal professions, citizenship, marital status, country of tax residence, ID document/passport series and number, other data in the identification or civil status documents as well as copies, home/residence address, profession, occupation, name of the employer or nature of activity, information about any important public position held, if applicable, political opinions (exclusively in the context of obtaining information related to the capacity of publicly exposed person - PEP), expressed inclusively in notifications/complaints/conversations about products/services/employees of the Bank, capacity, holdings and, as the case may be, powers of representation held within some legal entities, data on the beneficial owner, as the case may be, image (contained in the identification documents or captured by the video surveillance cameras installed in the Bank units or on the OTP equipment, including transposed in biometric templates), voice (recordings of telephone or audio/video calls initiated by you or us), signature/specimen signature, by hand or digital, as appropriate; ii. contact details: correspondence address (if applicable), telephone number, fax number, email address; iii. identification codes: allocated by OTP or various providers, necessary for the provision of services, such as, but not limited to: client code, internet banking username, series and number of the assigned token, transaction identifiers, including their logs, IBAN codes attached to bank accounts, debit card numbers, card expiration date, contract numbers, traffic data and IP address of the device used to access our services exclusively for ensuring security measures for transactions carried out through these services, in order to prevent fraud; iv. data on the fraudulent/potentially fraudulent activity, consisting of data relating to crimes such as fraud, money laundering and terrorist financing, including data related to inconsistencies found in documents/statements submitted to the Bank, obtained from forms, statements and documents submitted, drafted or completed; v. financial data related to the source of funds, turnover in your accounts opened with our Bank, invoices, recurring payment commitments, including garnishments or enforcements communicated to the Bank as a third-party garnishee; vi. health data, exclusively if the processing of such data is necessary in the context of providing insurance products/services brokered by the Bank or held by clients and the coverages provided by them or for clients to prove the difficult situation in which they or members of their families are, in the context of insurance products held or to be taken out; vii. any other data that may be necessary or useful for the Bank's activity for the purposes described, in accordance with the law.

4. Data source

The personal data processed is data: i. communicated to the Bank either directly, by you, or indirectly (by proxies or other persons representing you in relation with the Bank) made available in order to initiate the contractual relationship/update data/purchase products and services/order transactions/file requests in connection with the contractual relationship, regardless of the communication channel used; ii. obtained by consulting some public sources, such as: public institutions and authorities (for example, ONRC, ANAF, Payment Incidents Register), electronic registers and databases (for example, the courts’ portal), entities involved in payment transactions (for example, international Visa and Mastercard card organizations, Central Depository). 

5. Legal grounds and purposes of personal data processing

The Bank processes your personal data as a potential client, client, beneficial owner, user, proxy, delegated person or legal/contractual representative (hereinafter the “data subject”), as the case may be, based on the following legal grounds:

a. To conclude and carry out the contractual relationship with the Bank according to Article 6 (1) (b) of the Regulation for the following purposes:

• to provide lending products and/or services (current account opening, internet banking, cards, savings products) as well as to be subsequently able to carry out your instructions related to the operation of such products/services (e.g. processing collections/payments/other types of transactions with the specificities of the transactional channel used - counter, internet/mobile banking, telephone, specific ATM equipment, foreign exchange, card transactions, transactions specific to treasury/capital market/mutual funds/custody products/services, etc.);
• to monitor the fulfilment of contractual obligations, to notify you about the concluded contracts (e.g. amendment/supplementation of characteristics/costs/functionalities/benefits products/services, information about charges and fees due/outstanding, etc.), to take the required measures for non-compliance with the contractual obligations (e.g. debt collection/debt recovery, as well as activities prior to them, enforcement of amounts due and administration of garnishments and seizures, reporting to the authorities, etc.);
• to report and submit the necessary information/documents to the guarantee funds (e.g. FGDB).

b. In order to fulfil the legal obligations provided in Article 6 (1) (c) of the Regulation for the following purposes:

• to carry out the KYC analysis, the risk analyses, to report suspicious transactions, to prevent fraud according to applicable KYC laws in order to prevent money laundering and terrorist financing and to establish measures to prevent and combat terrorist financing;
• to prepare reports, submit declarations, perform the activities related to the inspections conducted by authorized authorities/institutions, such as: ANAF, ANPC, NBR, ANSPDCP, ASF/BVB, Competition Council, etc;
• to collect by enforcement the amounts due as well as to manage garnishments and seizures, according to the special laws in the matter;
• to carry out audit missions;
• to report under FATCA (The US Foreign Account Tax Compliance Act), if you are a US citizen/resident;  to handle client complaints;
• to audit the financial statements of the Bank;
• to endorse the documents sent/submitted to the capital market institutions;
• to manage the internal registers;
• to record and manage operational risk events;
• to ensure physical security through video monitoring (including ATM), access cards and visitor register (reception desk);
• to backup information;
• to keep and archive documents, in compliance with the prudential requirements applicable to credit institutions, related to the services contracted by you, as well as other operations necessary for the performance of the concluded contract(s).

c. In order to fulfil the legitimate interests of the Bank, as provided in Article 6 (1) (f) of the Regulation, for the following purposes:

• to conduct internal reviews (including statistical reviews)/market studies, both with regard to products/services and with regard to the client portfolio, to monitor client satisfaction and the quality of services and products purchased, to improve and continuously develop internal products/services/processes;
• to design, develop, test and use existing or new IT systems and IT services, the storage provided by databases in the country/EU, as appropriate;
• for direct marketing, as appropriate;
• to plan a strategic development, to make forecasts on portfolio dynamics, to make business forecasts by performance indicators, to set budgets, to set cost elements for the Bank's products/services;
• to establish payment structures for intermediaries;
• to analyse and minimize the risks to which the Bank is exposed;
• to monitor transactions to prevent fraud and to investigate potentially fraudulent ATM withdrawals;
• to prepare internal reports to the Bank's management bodies and the OTP business group of which the Bank is a part, in order to ensure prudential measures;
• to ensure a high level of security both at the level of information systems and within the physical locations (e.g. territorial units, headquarters);
• to create the archive and manage it;
• to conclude and manage financing contracts or assignments of receivables;
• to collect debts/recover debts;
• to establish, exercise or defend rights of the Bank before court;
• to record interactions through official communication channels, in order to provide proof of the request/consent/option regarding certain financial-banking services, as the case may be. 

d. Based on your consent, according to Article 6 (1) (a) of the Regulation, for the following purposes:

• for direct marketing purposes for commercial communications, as appropriate;
• for the audio/video recording of the conversations with the Bank;
• to process the health data, exclusively if the processing of such data is necessary in the context of providing insurance products/services brokered by the Bank or held by clients and the coverages provided by them or for clients to prove the difficult situation in which they or members of their families are, in the context of insurance products held or to be taken out. If you have not expressed your consent to the carrying out of these operations, they will not be performed by the Bank.

Refusal to provide personal data correctly and completely for the above-mentioned purposes may prevent the Bank from properly meeting its contractual or legal obligations and may prevent you from contracting the services provided or brokered by the Bank and it may lead to the termination or restriction of the provided/brokered banking services, as appropriate.

6. Categories of recipients of personal data

In order to be able to offer you the best services and to keep our competitiveness in the banking sector, we communicate certain data inside and outside OTP. These include:

• OTP entities, for operational, regulatory or reporting purposes, including in centralized storage system or for global processing, such as to verify new clients, comply with certain laws, guarantee the security of information systems or provide certain services (see section “About us. OTP Group” for the full list).
• Government authorities, to comply with our regulatory obligations, for example in order to counter terrorism and prevent money laundering. In some cases, we are required by law to disclose your data to external parties, including:
  • Public, tax, regulatory authorities and supervisory bodies.
  • Judicial/investigative authorities, such as the police, public prosecutors, courts and arbitration/mediation bodies, at their express and legal request.
  • Lawyers, for example, in case of bankruptcy, administrators managing the interests of other parties and the company's auditors.
• Financial institutions, partner banks and correspondent banks. If you withdraw cash, pay by debit card or make a payment to an account opened with another bank, the transaction always involves another bank or financial company specialized in processing interbank payments and transmitting information on interbank transactions (e.g. Transfond S.A., Society for Worldwide Interbank Financial Telecommunication - SWIFT). In order to process payments, we must provide the other bank information about you, such as your name and account number. We sometimes communicate personal information to banks or financial institutions in other countries; for example, if you make or collect an external payment. We also communicate information to the business partners the products of which we sell, such as insurance companies.
• Service providers. If we use other service providers, we only communicate the personal data necessary to perform a certain task. Service providers support us with activities such as: telecommunications, IT/internet banking, marketing and client communication management, archiving in physical and/or electronic format, courier, audit, technical maintenance of CCTV equipment, digital certification related to electronic signatures, payment processing, card issuance and enrolment (e.g. Mastercard, Visa) etc.

7 . Transfer to third countries and safety measures

Depending on the location of the servers of OTP or of its processors, where the data will be stored, or the location of certain data recipients, personal data could be transferred, as appropriate, to other Member States of the Union European and European Economic Area respectively. Except as otherwise expressly required by the law or where strictly necessary for the Bank to fulfil the contract and the obligations assumed towards you, we will not transfer your personal data outside of the European Economic Area. In the event that the Bank must transfer data to third countries, we will only transfer the personal data strictly necessary for the performance of the contract and/or the obligations assumed towards you (e.g. your order to make an international bank transfer or your use of the bank card in states outside of the European Economic Area). The Bank will make every effort to protect your personal data in our possession or under our control by establishing appropriate security measures to prevent unauthorized access, collection, use, disclosure, copying, modification or placement/storage, and other similar risks.

8 . Data storage period/criteria for determining the storage period

We will keep your personal data for the period of time necessary to comply with the contractual obligations assumed towards you, respectively for the period of time necessary to comply with the applicable legal obligations. The Bank will periodically conduct sessions to review of the processed personal data in order to ensure that data or certain categories of processed personal data is/are not retained for longer than necessary. In order to determine the period for which the data will be stored, we take into account the contractual period until the performance/expiry of contractual obligations, as well as the archiving deadlines. Thus, the Bank will store personal data, as appropriate, for a period of:

• 5 years from the date of termination of the business relationship with the client for keeping the identification documents, the monitoring and verifications performed, as provided by Article 21 (1) of Law no. 129/2019 on preventing and combating money laundering and terrorist financing, and amending and supplementing some legal acts;
• 10 years for keeping the supporting documents from the date of carrying out the operations in the accounts, including the logs related to the transactions, as provided by Article 25 of the Accounting Law no. 82/1991;  30 days from the date of recording the data processed by the video surveillance systems, as provided by Article 93 of the Methodological Norms for the application of Law no. 333/2003 on the security of facilities, assets, values and on the security of persons;
• If you have expressed your consent to the processing of your data for direct marketing purposes, including profiling for direct marketing purposes, the data processing for this purpose will take place during the contractual relationship with OTP Bank Romania S.A., as well as 1 year from its termination. Should you withdraw your consent for direct marketing purposes, OTP Bank Romania SA will no longer process your data for this purpose. For details on the processing for marketing purposes, please refer to the marketing consent section.

9. Your rights as a data subject with respect to personal data

In accordance with the Regulation, your rights as a data subject with regard to the processing of personal data are as follows: the right of access, the right to rectification, the right to erasure (“the right to be forgotten”), the right to restriction of  processing, the right to data portability, the right to object (in the case of data processing based on our legitimate interest or on your consent, with the mention that the withdrawal of consent will have effects only for the future, the processing performed previously remaining valid), the right not to be subject to an automated individual decision, including profiling.

If you believe that your rights as a data subject have been breached, you may lodge at any time a complaint or notice to that effect with the National Supervisory Authority for Personal Data Processing, seated in B-dul Gral. Gheorghe Magheru 28-30, Sector 1, Post code 010336, Bucharest, Romania (fax: +40 318 059 602, email: anspdcp@dataprotection.ro). You can also bring an action before the competent courts.