Personal data we process

In the course of its activity, Raiffeisenbank (Bulgaria) EAD processes various kinds of personal data that are grouped into the categories listed below.

Depending on the specific products and/or services you use, Raiffeisenbank (Bulgaria) EAD processes some or all of the listed data.

• Personal information (names, PIN / date of birth and place of birth, personal identification number of a foreign national, nationality, address(s), including country, details according to identity document, signature specimen, telephone, e-mail address, customer number, IBAN of client accounts, details for legal representatives and representative by proxy, owners / actual owners of the capital, participating jurisdiction of which the person is considered a resident for tax purposes, details of persons through whom contact is established with a particular natural or legal person, etc.) 
• Economic information (property status and property rights, monthly income, relationship between persons, financial position, including credit history, ability to incur losses on investments in financial instruments and insurance-based investment products, etc.) 
• Social information (education, professional activity, knowledge and previous experience with investments in financial instruments and insurance-based investment products)
• Family identity (marital status, kinship, etc.)
• Information collected when using information and communication technologies
  
  • IP addresses, online identifiers, username, password, log data
  • Location (e.g. from your mobile phone, IP address, or from a merchant where you use your card)
  • Device specific information (such as hardware model, operating system version, unique device identification numbers, and mobile network data, including phone number)
  • Cookies that can uniquely identify your browser
  • Unique mobile banking application number for e-banking
  • Information for contacts in the telephone contact list
• Information about products and / or services used (what products / services you have used and / or are using, your specific requirements)
• Communication information (the information we learn about you from the correspondence between us)
• Special categories of personal data – biometric data (e.g: identity card photo) for the sole purpose of identifying an individual, health condition data only for the purpose of granting and exercising the rights for life insurance or as an evidence for the grounds of a payment order, e.g. when managing funds on a Donor Account, data related to convictions and violations for the purpose of deciding whether to enter into a relationship with you on a particular service.

In a number of cases, we collect and process your data when you are not our client.

For example:

• When you or the person you represent are a guarantor, an avalist, a co-debtor, a mortgagee and / or a pledged debtor under a loan agreement signed with us, you are a payer under a contract for factoring or other kind of financing provided by the bank.
• When a third party request is submitted to us for the provision of a loan or factoring service or other type of financing whereby you or a person you represent will be a guarantor, a co-debtor, a mortgagee and / or a pledged debtor, a payee under a factoring contract.
• When acting as a representative (legal or by virtue of authorization) of our client or because you are in the process of applying for our product or service.
• When you or a person you represent is a payment service recipient executed on the order of our client or a client of a bank in respect of which we are a correspondent bank.
• When you or a person you represent are the ordering party on a payment service performed for the benefit of our client or a client of a bank in respect of which we are a correspondent bank.
• When you are a cardholder on our client's account.
• When you or a person you represent is a beneficiary under a bank guarantee or a documentary letter of credit or person on whose order the bank issues a check or in favor of whom a check payment is made.
• When you participate directly or indirectly in the ownership of a legal entity that is or wishes to become our client, we are obliged to identify its actual owner in fulfillment of our obligations under the MMLA.
• When you or a person represented by you are a member of the bodies of a legal entity that is or wishes to become our client and the decisions of the respective body concern our relations with this legal entity.
• When there is a connection (including economic) between you and a person who uses or wishes to use a credit service from us, or there are relationships that are the source of repayment of funding we provide (including when you or the person you represent is a debtor under receivables received or acquired by us) or the receivables in these relations serve or will serve as collateral for financing we provide as well as in cases where you have a contractual or pre-contractual relationship with our client on the occasion of the conclusion of a transaction subject to our funding.
• When you are referred to as a contact person by our client or by a person with whom we have a contractual relationship.
• When you are an employee of our client and they have or wish to conclude with us a contract for servicing the payments of your due labor and other remunerations.
• When the bank is a party to a contract where you are a third party - beneficiary.
• When your data is provided to us on the occasion os a request or instruction concerning you or a person represented by you by a public authority / institution or a person performing public functions (e.g. a private enforcement agent).
• When you are a relative or a major business partner of a bank’s administrator, or of persons having directly or indirectly a qualifying holding in the bank’s capital or shares entitling them to more than 10 per cent of all votes in the shareholders’ general meeting, or of a shareholder whose representative is a member of a managing or supervisory body of the bank.
• When your data is part of a contac list in our customer’s mobile phone and our customer has granted explicit concent to access the contact list in his/her mobile phone in order the Bank to provide him/her a service in a mobile application of the Bank.

In all cases where we have access to and process your data, we undertake to abide by the principles described in this document and the requirements of the applicable data protection legislation.

Data Sources

We collect the above listed data in the following ways:

• The information you provide to us.
• Information provided by third parties (e.g. state bodies / institutions, financial institutions, our partners, administrators or shareholders of the bank, persons related to you and your business, persons performing public functions, counterparty to payment service, etc.).
• Information we receive when you or a person you represent uses our services and products or a customer of the Bank has granted to us access to your data being stored by him/her in order to use a specific service in our mobile application.
• Information available in public registers.
• Cookies and similar technologies.
• Internet.
• Video and audio surveillance and recording in and around the bank's premises.
• Other sources.

Before you provide us with data belonging to a third party, you must make sure that you have informed them about this and you have their consent or other legitimate grounds to do so. You also need to familiarize them with the current information applicable to the processing and protection of their data within our organization.

In the event that it is established, with or without the assistance of the competent authorities, that third party data is provided without the legitimate ground or without the consent and / or the knowledge of their subject or in any other unlawful manner, Raiffeisenbank (Bulgaria) EAD will delete the personal data by making the necessary efforts to promptly notify the data subject as soon as possible.

For What purposes "Raiffeisenbank (Bulgaria)" EAD process you data

Raiffeisenbank (Bulgaria) EAD processes your personal data for the following purposes:

• Identification of clients and persons with whom the bank may potentially enter into relationship (e.g. as a guarantor, co-debtor, mortgagee and / or pledged debtor, debtors under receivables acquired by the bank, etc.), verification of the identification and provision of the offered by bank banking, insurance, investment products and / or services requested by you / the persons represented by your or third parties, or in view to consider the possibility of providing such service and / or product. The provision of personal data is voluntary or performed in compliance with a statutory requirement. In case of refusal to provide personal data, Raiffeisenbank (Bulgaria) EAD will not be able to provide the requested banking product or service.
• Execution of agreements entered into between the bank and you / a person represented by you.
• Identification of payment service providers and recipients of payment services and the precise execution of payment services (including inquiries / requests from other financial institutions for payment services).
• Identification of third persons benefiting from the services provided by the bank (e.g. a beneficiary under a bank guarantee or a documentary letter of credit, a person in favor of whom a check payment is made, a third person in favor of whom a bank deposit has been opened, etc.).
• Identification of persons using specific services in our mobile application.
• Realization of marketing researches (obtaining information about the brand perception, the behavior, needs and expectations of current and potential clients with a view to developing / improving products and / or services and improving the level of service of the bank's clients).
• Statistical objectives and analyzes (e.g. data processing with a view to maintaining, improving the products / services offered by the bank and developing new ones and in order to meet regulatory requirements).
• Performing legal analysis and assistance with regard to the provision, maintenance and termination of bank products and services offered by us (including in relation to collateral provided to the bank).
• For the purposes of determining the segment (individual clients, micro-enterprises, small businesses and corporate clients) in which you, your business or the business of the person represented by you belong to.
• Preservation and archiving of documents.
• Protecting your vital interests or those of another individual.
• For the purpose of protecting the legitimate interests of the bank (in cases of suspicion of abuse and / or fraud, money laundering, terrorist financing, related to the legal relations between you / the person you represent and the bank; in case of legal disputes related to legal relationships between you / the person you represent and the bank, etc.).
• For the identification, prevention and management of the essential types of risk accompanying the banking activity (credit, operational, market), incl. within the Raiffeisen Group.
• For strategic planning of our business and business process management.
• Investigating and responding to a request, recommendation, complaint or appeal made by you / the person you represent.
• Sending you / the person you represent information on paper and electronic media about banking services and / or products used by you.
• Data quality management in order to correct information in the systems maintained by the bank and to maintain accurate and up-to-date data.
• The organization and control over ensuring the security of the bank and its clients and the control over the implementation, incl. through the establishment of physical protection systems in accordance with the BNB Ordinance on the Organization and Control of Security of banks and Financial Institutions.
• Achieving regulatory compliance of the bank's activities in accordance with the requirements of the applicable legal provisions and the general regulatory framework, including to prevent the use of the financial system for the purpose of money laundering; on measures against terrorist financing, etc.
• Conducting an internal audit within the bank in accordance with the legal and specific minimum national standards that are in line with the International Standards on Internal Audit.
• Auditing the bank's activities, exercising control and reporting by the bank, including on a group level.
• Fulfillment of obligations of the bank originating from instructions, announcements and orders of state bodies / institutions or persons performing public functions (e.g.: BNB, FSC, NRA, private enforcement agents, etc.).
• For the purpose of concluding commercial risk insurance in cases where you as a person performing a certain commercial activity or the person represented by you is a debtor under a commercial claim acquired or to be acquired by us.
• Realization of the process of collection of overdue and court exposures on credit products of individuals, micro enterprises and corporate clients.
• For the purpose of establishing, exercising or defending legal claims of the bank.
• For identifying, monitoring and reporting of internal exposure, as well as for indetifying the persons, who are major business partners of the bank’s administrators, or of persons having directly or indirectly a qualifying holding in the bank’s capital or shares entitling them to more than 10 per cent of all votes in the shareholders’ general meeting, or of a shareholder whose representative is a member of a managing or supervisory body of the bank.

Direct marketing

For the purpose of conducting direct marketing, we use and process your data to inform you about our latest products and services and to offer you:

• Better conditions for products and services already being in use.
• Products you do not use, but we think they would be of any interest to you or your business.
• Special offers prepared by our specialists for you or your business in particular.
• Products and services of our partners, which Raiffeisenbank (Bulgaria) EAD is distributing in its capacity of intermediary (e.g. insurance, supplementary pension insurance, investment in mutual funds).

The information we have about you consists of the data you have provided to us while using our products and services, the data that we collect when you are using information and communication technologies (e.g: you visit the bank's website) to access our products, services, and communications channels as well as the contact details you provide on publicly accessible sites (e.g., the websites that you or the persons you represent support, the contact information that is published in the Commercial Register and the register of non-profit organizations, etc.).

We process this information so that we can form an idea about your needs and interests with regard to the products and services offered by the bank. The assumption made on the basis of the available data is compared to the terms of our products / services or those of our partners in order to determine which of them potentially would be of any interest and use to you as our existing or potential client, with whom we want to build a beneficial partnership.

In case you do not wish to receive marketing communications, you have the right to object to the processing of your personal data for the purposes of direct marketing in one of the following ways:

• By a written statement filed at an office of the bank or sent to e-mail address call.center@raiffeisen.bg, as well as by an electronic statement available in Raiffeisen Online electronic banking - the statement can be received in an office or downloaded from the website of the bank.
• By phone at 0700 1000 ( for Vivacom customers ) / 17 21 (for A1 and Telenor customers).

Upon receiving an objection from you, the bank will cease processing your data for these purposes.

On what grounds Raiffeisenbank (Bulgaria) EAD processes your personal data

Raiffeisenbank (Bulgaria) EAD processes your personal data lawfully on the basis of the legal grounds provided under Article 6 of the General Date Protection Regulation.

Contractual grounds

We process your personal data when it is necessary to take steps to conclude a contract with you / the person you represent or for the performance of a contract already concluded with the bank.
For example, on a contractual grounds, we process personal data for the purposes of identifying the persons requesting the use of the products / services offered by the bank, upon entering into relations with them and in the course of performing our obligations under the contracts concluded between us; also, during the performance of a contract, we process the data of the persons who have submitted a payment order to us so that we can execute the transfers requested by them.

Legal obligation

In the case where a number of statutory obligations are imposed to Raiffeisenbank (Bulgaria) EAD by different legislative acts, both at national level and under EU law, the bank processes your personal data for the purpose of compliance with the relevant obligation.
For example, we process personal data for the purpose of fulfilling our obligations to prevent money laundering and terrorist financing as well as for the purpose of submitting information and statements to the BNB, NRA and other state bodies in accordance with the Law on Credit Institutions, Tax and Social Security Procedure Code, etc.

Legitimate interest

In many cases, the bank processes your data on the basis of its legitimate interests. For example, for the purpose of preventing fraud, establishing, preventing and managing operational risk, strategic planning of our business, direct marketing, but limited only to offers for products and services similar to the ones already used by them. Prior to processing your data for these purposes and in the course of processing, the bank checks whether there is a balance between its legitimate interest and your fundamental rights and freedoms or interests, and in the event that the latter have an advantage, the bank does not undertake or discontinue the processing of your data, unless you expressly consent to the processing. 

Consent

In other cases, e.g. to offer our new products and services that you have not previously used, and the products and services of our partners, the bank processes your personal data only on the basis of and upon receipt of your explicit consent.

The Bank processes only on the basis of and upon receipt of your explicit consent the contacts in the contact list of your mobile phone if you use a service in our mobile application for the provision of which the access to the contact list is necessary.

Third parties to which "Raiffeisenbank (Bulgaria)" EAD provides personal data

Raiffeisenbank (Bulgaria) EAD will not provide your personal data to third parties other than the following recipients / categories of recipients and if one of the following circumstances is present:

Data processing by third party assignes by the bank

We provide data to related or other trusted third parties under a contract between us and they process it for us based on our instructions and in accordance with the applicable data protection legislation.

Here are included the following third parties who process your data on assignment by the bank:

• Bulgarian Posts EAD and / or other persons providing postal services (couriers) for the purpose of the communication between us.
• Partners of the bank under contracts for legal services or document translation services.
• Providers of systems / services for management and maintenance of our activity and the quality of our services, including such related to the information technologies with which the bank has a contract (e.g. marketing and marketing research companies, IT and telecommunication service providers, software vendors, persons supporting the electronic platforms used by the bank in connection with the provision of payment services, debit / credit card manufacturers, computer support providers, printing houses, document storage and destruction companies, administrative service providers, archive service providers, etc.).
• The mobile operator with whom you or the holder of your telephone number has a contract for subscription to provide mobile communication services, Terra Communications AD and / or any other person providing telecommunication, SMS, MMS, JAWA or other related services with which the bank has concluded a contract for carrying out activities for informing its clients about the circumstances regarding the banking services they use.
• Consultants, auditors, related persons of the Raiffeisen Group.
• Subcontractors for different services, e.g. insurance brokerage, debt collection, financial analysis.

Raiffeisenbank (Bulgaria) EAD shall take the necessary measures to ensure that the persons involved in the processing of personal data strictly observe the data protection legislation and the instructions of the bank and that they have taken appropriate technical and organizational measures to protect data.

For the performance of a legal obligation

We share your data with state bodies / institutions, persons with public functions, regulators and supervisors or persons performing public functions (including the ECB, BNB, FSC, NRA, NSSI, SANS, court, prosecutors and investigators authorities, Commission for Consumer protection, Competition Protection Commission, Commission for Personal Data Protection, state and private enforcement agents, etc.), auditors, companies, organizations or external persons, if we have reasonable grounds to believe that the personal data access, use, retention or disclosure is necessary for:

• Implementation of applicable law or other statutory instrument of mandatory nature.
• A response to a request from a supervisory body, regulator or other state institution or a person exercising public functions in relation to or in connection with the performance of its statutory functions or initiated investigation, complaint, audit, etc.
• Detection, prevention or other action in connection with fraud, money laundering, terrorist financing, technical or security issues.
• To serve third parties in favor of which the bank has transferred its claims that may arise against you.
• In the exercise of representative functions – to your representatives by law or by proxy.
• Undertaking measures to protect the rights and property of Raiffeisenbank (Bulgaria) EAD, ensuring the safety of our clients or the public as required and permitted by law.

For the performance of a contract

In order to provide the products and / or services you require or the person represented by you or with a view to fulfilling a contract to which you or a person represented by you is a party, we provide your personal data to third parties without the participation of which the performance of the obligations under the contract would be impossible, e.g. (including correspondent banks), payment system operators and other persons specializing in the processing of transactions in payment instruments, including RPC (Regional Processing Center, Bratislava), and those specialized in the support of payment platforms (including Center for data processing and payment of Raiffeisen (CRISP), Romania), Borika AD, international card organizations Visa and MasterCard, international financing institutions (e.g. European Investment Fund, European Investment Bank, etc.), Ministry of Education and Science (with regard to loans granted to students and doctoral students), notaries, the bodies of the Notary Chamber of Bulgaria, Registry Agency, Central Registry of Special Pledges, Register of bank accounts and safes, Central Depository, insurers, independent appraisers and others.

With your explicit consent

Beyond the above listed cases, we will share your personal data with companies, organizations, or other third parties when we have your consent to do so.

Your rights as a subject of data processed by Raiffeisenbank (Bulgaria) EAD

You have the right to:

• Access your personal data processed by the bank and the right to require the bank to correct and update your personal data; You can do this by submitting an application in the following form (https://www.rbb.bg/media/filer_public/2018/05/25/zaiavlenie-dostap-informatsia-za-lichni-danni-fk011101.pdf ), at the following address dpo@raiffeisen.bg or in any bank office of Raiffeisenbank (Bulgaria) EAD.
• Withdraw at any time the consent you have provided for the processing of your personal data in cases where it is processed only on the basis of consent (e.g. in the case of direct marketing of our products / services you have not previously used or products / services of our partners or for the purpose of marketing research). Withdrawal of your consent does not affect the lawfulness of the data processing so far.
• Submit a request for deletion of your personal data, which is stored and processed by the bank, in cases where there is no longer any reason to process it.
• Request that you limit the storage and processing of your personal data by the bank and file an objection against processing.
• Receive your personal data that you have provided to the bank in a structured, widely used and machine readable format, and transfer this data to another controller when the data is processed on the grounds of your consent or under a contract between you and Raiffeisenbank (Bulgaria) EAD as well as when the processing is carried out in an automated manner.
• Submit a complaint to the Commission for Personal Data Protection at the following address: 1592 Sofia, 2 Prof. Tsvetan Lazarov, tel.: 02/91-53-518, e-mail: kzld@cpdp.bg / or other supervisory/ regulatory body, if you believe there is a violation related to the processing of your personal data by the bank.

We will respond to all your requests without undue delay within 30 days of receipt of your request.

If we are unable to process your request within one calendar month (due to its complexity, need for third party assistance or the number of requests), we may extend this period and explain the reasons for doing so.

Automated analysis

We use systems and mechanisms that allow us to conduct automated analyzes based on the information we have about our clients. In this way, we make informed business decisions, determine the segment in which you or your business fall, improve the quality of our products and services, check the stability and proper functioning of our systems, perform long-term statistical modeling, identify suspicious transactions to prevent fraud, money laundering, terrorist financing, e.g. to find out unusual for you or your business behavior. In addition, an automated approach helps us to ensure that we are able to provide to you and your business fast and efficient service accordingly to your expectations. These automated analyzes can lead to a change in the offers we can address to you about products, services, or their terms now or in the future.

Automated individual decision

When applying for certain credit products, the bank carries out automated data processing (the so-called credit scoring) which is necessary for the purpose of making responsible, fair and informed credit decisions for granting loans, providing unified evaluation standards for our clients, accelerating the credit approval process while minimizing the possibilities of mistakes and eliminating the subjective factor in the decision making process. These solutions are individual to each client and relate to the approval of the loan based solely on the automated processing of your data. As a result of our processing and analysis, we may approve or refuse to provide you with the credit product you have requested.

The evaluation uses data from three sources:

1. The application form submitted by you and the additional information provided when applying.
2. Data available in public registers (e.g. Central Credit Register with BNB, NSSI, Commercial Register, Property Register).
3. Data we already have (e.g. if you are already our client).

Credit scoring is a mathematical method for assessment based on a thorough statistical analysis of a set of data such as your personal, economic, social information and family identity, including the information available in public records, and it evaluates the probability of compliance or noncompliance by the client. The basis for the assessment is the comparison between the available customer information and the parameters of the credit policy, the credit limits for the respective product / service and the possible exceptions. This allows us to determine whether we can provide the respective client with the relevant credit service we offer, to offer a product / service that meets his needs, and define pricing conditions that match his risk profile.
Credit risk assessment methods are periodically reviewed in order to ensure that they are fair and adequate.

Your rights in relation to an automated individual decision:

• You can ask not to be the subject of a decision based solely on automated processing that produces legal consequences for you or in a similar way affects you considerably.
• You can challenge a decision taken solely on the basis of automated processing of your data and ask for human intervention in its review.

Retention period for data collected

We will keep your personal data for a period of time not exceeding 10 years from the year following the year of termination of the relationship in respect of which your personal data has been collected and as long as there is no other reason to process the data.

We will keep your data for the following reasons:

• In order to be able to meet your requests for information.
• In order to be able to answer your questions and complaints.
• In order to be able to prove the fulfillment of our commitments to you.
• In order to fulfill the statutory obligations to the bank regarding retention of client data and the documents relating to the transactions and operations carried out, as well as the documents relating to the establishment and maintenance of business or professional relations.
• In order to be able to fulfill our legal obligations in relation to reporting and capital adequacy.
• In order to exercise our legitimate interests, e.g. for establishing, filing and defending legal claims; a process of managing (not)credit frauds and using accounts with the bank to engage in illegal activities.

The storage and processing of your data after the expiration of the aforementioned period is permissible, if its deletion is prevented due to legal, regulatory or technical reasons, or for reasons related to the implementation of measures to prevent unlawful behavior, minimize the risk of credit frauds and to assist state bodies / institutions in this connection. This includes cases of court proceedings or other disputes arising out of legal relationships between you and the bank, changes in the legal requirements regarding the retention of a specific type of information, and other objective reasons that delay data erasure.

Data protection officer

In order to protect your data in the course of its processing by Raiffeisenbank (Bulgaria) EAD, the bank appoints a Data Protection Officer, e-mail: dpo@raiffeisen.bg.

You can contact the Data Protection Officer on all matters relating to the processing of your personal data and the exercise of your rights under the applicable personal data legislation.

Changes to this information

We will periodically update the text of this document in order to provide up-to-date and accurate information regarding the processing of your data in accordance with our policy and in compliance with the applicable data protection legislation. Any change will be announced on the website of Raiffeisenbank (Bulgaria) EAD and in each office of the bank, and in case of change of essential information, you will be notified via SMS, post or e-mail, when you enter your Raiffeisen Online e-banking or visit a bank office of Raiffeisenbank (Bulgaria) EAD.