Personal data protection

UniCredit Bank S.A. (''Bank'' or 'Controller'), company managed in a dual system, with headquarters in Romania, Bd. Exhibition no. 1F, Bucharest, Sector 1, registered in the Trade Register under no. J40/7706/1991 and in the Bank Register under no. RB-PJR-40-011/18.02.1999, unique registration code 361536, tax attribute RO, subscribed and paid-up capital 455,219,478.30 lei, as Personal Data Controller, processes your personal data ("Personal data") in good faith and in order to achieve the purposes specified in this Information Notice, hereinafter referred to as "the Information Notice"), in accordance with the provisions of Regulation (EU) no. 679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC ("the Regulation").

These Personal Data, belonging to you as a customer, respectively the Data Subject, were provided to the Bank by you on the date of conclusion of the contract with UniCredit Bank and/or of an insurance policy and/or on the date of formulating a request requesting the provision of services by the Bank and/or during the performance of the contractual relationship and/or by a third party payment service provider contracted by you.

1. The Personal Data processed by the Bank are:

· name and surname, pseudonym, mother's name before marriage, client code, CNP (or parts of it in the case of authentication procedures) or NIF (fiscal identification number), as the case may be;

· date and place of birth, sex, citizenship, marital status, CI/BI/Passport number and number, other data from ID documents, tax jurisdiction;

· registered office/address, telephone/fax number, e-mail address;

· professional situation, occupation, position, workplace;

· source of funds, data on the real beneficiary, authorized representatives, economic and financial situation, data on the assets owned;

· bank data, including on purchased bank products and bank transactions, data on liquidity;

· data about other financial obligations, which can be positive data (e.g. product type, grant term, grant date, maturity date, amounts granted, amounts owed, account status, account closure date, credit currency, payment frequency, amount paid, monthly installment) and/or negative (e.g. product type, grant term, grant date, due date, loans granted, amounts owed, outstanding amounts, number of outstanding installments, due date of the outstanding balance, number of days of delay in loan repayment, account status) information related to the capacity of guarantor, co-debtor or insurance policy beneficiary in connection with the granted product;

· data regarding the area of risk management/data modeling such as general data (bank account/client identifier), socio-demographic data (eg: studies, profession), limits and durations of loans granted, existing balances of loans granted, outstanding amounts, information on restructuring / blocking of accounts (e.g. seizure), risk class;

· belonging to a Group pf Clients; in this case, the Bank processes the following Personal Data provided by you: the name, first name and CNP of natural persons who are part of the Group of related clients and who have an exposure to the Bank or a current account opened with the Bank;

· health data, necessary for the provision of specific insurance services, if applicable;

· political exposure, if applicable, and the public position held, information regarding the accusations, investigations and committed acts such as the name of the act committed, the sanction applied (e.g. convictions, related measures), the duration of the sanction, the authority that applied the sanction, the status of the file and other similar data (for reasons regarding compliance with the legislation on preventing and combating money laundering and the financing of terrorism, as well as compliance with the legislation on combating fraud and fraudulent conduct), the quality of a publicly exposed person, according to the definition contained in Law no. 129/2019 for the prevention and combating money laundering and terrorist financing, as well as for the modification and completion of some normative acts, as this legal definition may be modified from time to time;

· data on international sanctions such as the type and content of the sanction, the competent authority, the duration of the sanction, the description of the object of the sanction (e.g.: good category, value, location, data from the land register, the authority responsible for the implementation/monitoring of the sanction, the measures ordered on this asset) and, to the extent that international sanctions involve the processing of data about acts committed by the person concerned, data such as the name of the act committed, the sanction applied and its duration, the competent authority, any other similar information may be processed, according legislation on the implementation of international sanctions;

· signature, voice (eg: in the case of calls recorded with the Bank), image (eg: photo from identity documents, image captured by video surveillance cameras, located in the Bank's locations);

· if you opt for the video identification made by the Bank for your electronic signature service provider, the following will be processed: the frame (background) / environment in which the video call takes place, your image and voice, the content of the recorded video call, the content of any documents presented by you on this occasion, the date of the video call, its duration and the like;

· if you opt for a remote interaction with the Bank's representatives for purposes such as the presentation of the Bank's services and products and those intermediated/promoted by the Bank, a process followed by their possible purchase, through audio and/or audio-video means, they will process: your image, your voice, the discussion held, the setting/environment in which the discussion takes place (which may or may not be recorded), the duration and date of the discussion and the like;

· if you have contracted or will contract a loan from the Bank, relevant information that generates requests for the suspension of payment obligations of the data subject towards the Bank, according to the law, such as: affecting the personal income and/or the income related to the family of the data subject, directly or indirectly, by the serious situation generated by the COVID-19 pandemic compared to the level recorded before the declaration of the state of emergency; the impossibility of honoring the payment obligations related to the credit as a result of the intervention of one/more of the following causes, without being limited to them: the entry of the data subject/members of his family into technical unemployment as a result of the closure/restriction of the employer's activity, the dismissal of the data subject / members of his family, reduction of the salary of the data subject / members of his family, placement of the data subject in institutionalized quarantine or isolation at home, illness with COVID-19 and the like

· the date, hour, minute, second of sending the various communications through any channel to the data subject, the content of these communications; the same data regarding the data subject's responses to the communications sent by the Bank;

· If you apply for a loan from Unicredit Consumer Financing IFN SA ("UCFin"), the Bank will be able to provide UCFin with the following data, with the aim of (i) analyzing your eligibility for granting a financial product by UCFin and (ii) carrying out the statistical modeling activity, as these purposes are detailed in art. 2, lit. z of this Information Notice: data regarding the credit relationship that the Data Subject has with UniCredit Bank SA such as: the maximum daily balance for the last 3 months regarding all transactions on the accounts (current and deposit/savings), total credit transactions relative to the total amount of transactions related to the last month on current accounts; the number of months since the Data Subject has been a UniCredit Bank SA client (he was registered for the first time as a UniCredit Bank SA client); current account balance at the end of the month; the number of months since the current account was closed; the number of months since the last current account was opened; credit card limit; the use of the credit card during the last semester; credit card usage in the last quarter; data regarding the collection of receivables (collection stage/situation of each credit/exposure within UniCredit Bank SA); region code; information on whether the Data Subject transfers his income of a salary nature to the accounts opened at UniCredit Bank SA; the period in which the Data Subject had the salary income transferred to his accounts opened at UniCredit Bank SA, respectively the number of consecutive months, for the last 12 months; the total balance of all unsecured active loans; the total balance of all active loans (secured and unsecured); the total amount representing the next payment installments related to all active loans; the existence of seizures/other similar measures instituted on bank accounts; other similar data;

· the calendar date (day, month, year) and time (hour, minute, second) related to the actions regarding the (strict) authentication of the data subject and, respectively, related to other operations, in order to execute payment services, according to the applicable legislation;

· Online B@nking[i] / Mobile B@nking[ii] username, token device data – DIGIPASS[iii] (series) or Mobile Token (phone number, in order to activate the Mobile Token/ Mobile B@nking applications), other data necessary to access and use these electronic payment instruments (identification codes/ registration/ authentication/ connection/ authorization)[iv];

· data on the authorized person/s of the data subject, the content and limits of the authorization and any other related data highlighted in the document certifying the authorization (eg: power of attorney);

· information used in the Bank's applications available to the Data Subject, necessary for their proper functioning (eg: Mobile B@nking);

· data regarding the electronic signature, the issuance of the digital certificate (qualified) in this regard;

· data regarding the contact person (surname, first name, landline/mobile phone and relationship with him), if you have provided such data to the Operator;

· other similar categories of personal data of the data subject from the Bank's records, related to the contractual relationship with the Bank derived, mainly, from the signed contractual documentation and from the information collected by the Bank, from the execution of the law

2. Purposes of Personal Data processing. The legal basis

a. concluding the contractual relationship with the Bank, based on your request for the provision of banking products, among which we mention the opening of the bank account, the provision of Online Banking and Mobile Banking services, the issuance of the debit card, the DigiPass, the provision of the Info SMS service, the provision safe deposit box rental service, distribution of investment funds, bonds, structured deposits, according to your request, pursuant to art. 6 letter b) of the Regulation. This purpose implies the realization, within the concrete relationship with each client, of all activities related to the conclusion and/or modification and/or execution of the financing/guarantee contract according to art. 6 letter b) of the Regulation, among which we mention: (i) the evaluation of the client/guarantor's possibilities to obtain the requested product or another product or service, (ii) the evaluation of the client/guarantor's possibilities to pay, not to give rise to debts towards the Bank, towards the entities in the Group and possibly towards other partners - joint controllers, the analysis that is also carried out during the execution of the contract concluded with the data subject, which may suppose the existence of an automated decision-making process. In order to conclude or execute the contract related to the financial product or service, as well as in order to reduce the credit risk, the Bank may take decisions based partially or exclusively on automatic processing. The Bank's eligibility criteria are implemented in the automated decision-making process, established in accordance with the internal and legal lending regulations in force. The operator processes the personal data provided by the data subject, as well as the data resulting from the contracts concluded with him or with an entity of the Group and data from public sources, as the case may be, by means of computer techniques and/or algorithms that produce legal effects on the person concerned, such as granting or rejecting credit. Depending on the processed data, the decision-making process can be exclusively or only partially based on automatic processing, in this last situation the intervention of the human factor is necessary to make a decision on the credit request in question. The Bank has appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention from the Bank, to express his point of view and to challenge the decision.

b. carrying out know-your-customer (KYC) analysis, risk analysis, respectively reporting of suspicious transactions, pursuant to art. 6 paragraph 1), letter c) of the Regulation, respectively for the fulfillment of a legal obligation, in conjunction with the KYC legislation in order to prevent money laundering and the financing of terrorism - NBR Regulation no. 2/2019 regarding the prevention and combating of money laundering and financing of terrorism and Law no. 129/2019 for the prevention and sanctioning of money laundering and the financing of terrorism, as well as for the modification and completion of some normative acts. Included in this category are the personal data of customers obtained by the Controller from other entities within the Group, in order to prevent and combat money laundering and the financing of terrorism according to Law no. 129/2019 such as: contact data (email address, telephone number and home address), data from identity documents and copies of these documents, the information and documents related to the risk analysis according to Law no. 129/2019 and the normative acts issued in its execution, etc. Thus, the obtaining by the Controller of updated information of the Data Subject in this way may also lead to the updating of similar data existing in the Controllers's records, if the latter are different;

c. for reporting to state institutions, pursuant to art. 6 paragraph 1), letter c) of the Regulation and of the applicable special legislation, respectively for the performance of activities related to the controls of the authorities, such as ANAF, ANPC, BNR, ANSPDCP, etc.;

d. for the collection of debts/recovery of claims owed to the Bank, according to the concluded contracts and the legitimate interest of the Bank to recover the claims related to the existing contractual relationship with you, pursuant to art. 6 paragraph 1), letter b) and f) of the Regulation;

e. for the enforcement of the amounts owed, as well as the administration of garnishments and seizures, pursuant to art. 6 paragraph 1), letter c) of the Regulation and of the Codes of Civil and Criminal Procedure;

f. for reporting within the UniCredit Group[v], which may include data regarding the person, the property, the activity, the business or the business relations or with the persons within the same group of clients who constitute or may constitute a single risk, respectively for the transactions of the account/accounts opened at the Bank, based on the legitimate interest of the Controller (to ensure prudential measures at Group level), based on art. 6 paragraph 1), letter f) of the Regulation;

g. for checks and reports in/at the Credit Risk Center and checks in the ANAF database pursuant to art. 6 paragraph 1) letter a) and c) of the Regulation and of the BNR Regulation no. 2/2012 regarding the organization and functioning of the Credit Risk Center at the National Bank of Romania, amended and supplemented;

h. issuing and submitting declarations to ANAF, pursuant to art. 6 paragraph 1), letter c) of the Regulation and of the Fiscal Procedure Code;

i. issuing FATCA reports if you are a US citizen or resident on US territory, as well as CRS (Common Reporting Standard) reports to combat tax evasion, pursuant to art. 6 paragraph 1) letter c) of the Regulation;

j. for the issuance of the insurance policy if you requested the issuance of a Visa Gold/MasterCardPlatinum debit card, pursuant to art. 6 letter b) of the Regulation;

k. for the conclusion of the insurance contractual documentation and in order to establish the amount of the obligation to pay the insurance indemnity in the event of the occurence of the insured risks, in the situation where you have requested a group life insurance attached to the loan and/or an insurance of the property brought as a guarantee , based on art. 6 letter b) of the Regulation;

l. for the monitoring, security and guarding of people, spaces, goods, through the video cameras located in the Bank's premises, pursuant to art. 6 letter f) of the Regulation and Law no. 333/2003 regarding the protection of objectives, assets, values and the protection of persons;

m. for recording communications by fax, digital channels (e.g. Online Banking, Mobile Banking, email) and calls and telephone conversations made through the Bank's Contact Center, in order to streamline and improve the services provided to the client, pursuant to art. 6 letter a) of the Regulation, as well as the conclusion and execution in optimal conditions of contracts with customers, respectively of the realization of telephone and online transactions, pursuant to art. 6 letter b) of the Regulation;

n. carrying out analyzes that can lead to your profiling for marketing purposes (such as assessing eligibility in order to grant standard or customized products and services from the Group's portfolio, including by calculating some indicators in the assessment of solvency, credit risk and determining of the degree of indebtedness) and direct marketing, by using the selected means of communication, for receiving communications regarding the products and services of the Controller, entities within the Group (financing/crediting/other types) and their contractual partners (outside the Group), based on your consent according to art. 6 paragraph 1) letter a) of the Regulation), according to your options expressed in the direct marketing agreement provided to the Bank at the opening of the business relationship or during its execution;

o. for monitoring the customer's satisfaction and the quality of the services and products purchased, based on the legitimate interest to permanent improvement of the Bank's services/products, based on art. 6 paragraph 1) letter f) of the Regulation;

p. for statistical purposes, pursuant to art. 6 paragraph 1), letter f) and art. 89 of the Regulation;

q. with the purpose of providing information about the accounts in the case of your requests submitted to the Bank through an account information service provider, processing carried out by the Bank in order to execute a contract which you are part of, pursuant to art. 6 paragraph 1) letter b) of the Regulation, but also in order to fulfill the Bank's legal obligations under the legislation on payment services, pursuant to art. 6, paragraph 1) letter c) of the Regulation;

r. for the purpose of executing payment orders initiated by you through a payment initiation service provider, processing carried out by the Bank in order to execute a contract which you are a part of, pursuant to art. 6 paragraph 1) letter b) of the Regulation, but also in order to fulfill the Bank's legal obligations under the legislation on payment services, pursuant to art. 6, paragraph 1) letter c) of the Regulation;

s. for the purpose of confirming the availability of funds (if an amount required to execute a card-based payment operation is available in the online accessible payment account), at the request of a third-party payment service provider that issues card-based payment instruments, processing carried out by the Bank in order to execute a contract which you are a part of, pursuant to art. 6 paragraph 1) letter b) of the Regulation, but also in order to fulfill the Bank's legal obligations under the legislation on payment services, pursuant to art. 6, paragraph 1) letter c) of the Regulation;

t. for the purpose of guaranteeing the prevention, investigation and detection of fraud in the payments aria (including with regard to the actions carried out regarding you by or through third-party payment service providers, respectively information service providers regarding accounts and providers of payment initiation services), as is allowed according to the legislation on payment services, based on art. 6, paragraph 1) letter c) of the Regulation.

u. the communication of information regarding the functionalities, standard contractual-operational advantages/benefits, the operating mechanisms of the products and services owned by the data subject, of the complementary products and services (provided by the Bank) that optimize the use of the products and services already owned, through ways such as payment programs in (equal) installments, loyalty programs, programs regarding the use of products and services, through means of communication, such as automatic calling systems that do not require the intervention of a human operator, respectively e-mail, SMS, fax, physical mail, telephone conversation (e.g.: Call Center), Online/Mobile B@nking [e.g.: notifications, messages including "push notification" type (notifications/instant messages)], based on the Bank's legitimate interest in providing information adequate, correct and complete of the data subjects regarding the products and services owned or complementary to them, the implementation of a or campaigns to educate the data subjects, so that the data subjects have access to and/or maintain the services and products appropriate to their needs and interests, according to art. 6, para. 1, lit. f of the Regulation;

v. preventing and combating fraud [including by sending information messages that do not contain personal data to the old phone number and/or the old e-mail address and, respectively, on a communication channel (such as e-mail address/SMS) existing in the Bank's records, simultaneously with updating the telephone number and/or email address], based on the Bank's legitimate interest in taking the necessary and appropriate measures to prevent and combat (potentially) fraudulent conduct, including through mechanisms that ensure a high degree of maintaining the security and confidentiality of the processing, according to art. 6, paragraph 1, letter f) of the Regulation and of the legal obligation to take appropriate measures against internal or external fraudulent behavior and violation of discipline, such as violation of internal procedures, violation of limits, as provided by art. 521 of the NBR Regulation no. 5/2013 regarding prudential requirements for credit institutions, as well as other legal provisions with a similar content and art. 6, paragraph 1, letter c) of the Regulation;

w. for the purpose of the proper functioning of the Bank's internal systems/applications (whatever their name may be), through activities (which may also be preliminary) such as testing (e.g.: use of personal data in test environments), design, development, so that the Bank can optimally carry out its current activity, including in areas such as preventing and combating money laundering (eg: Law no. 129/2019 for the prevention and combating of money laundering and the financing of terrorism, as well as for the modification and completion of some normative acts), application of international sanctions (e.g.: GEO no. 202/2008 on the implementation of international sanctions), combating tax evasion (e.g.: for FATCA purposes, according to Law no. 233/2015 on the ratification of the Agreement between Romania and the United States of of America for the improvement of international tax compliance and for the implementation of FATCA, signed in Bucharest on May 28, 2015 and the MFP Order no. 1939/2016), bearing in mind that the previously mentioned activities may be essential in the future functioning of the Bank's internal systems/applications, based on the legitimate interest of the Bank to ensure the proper functioning of the Bank's application systems by taking the necessary measures (such as prior use of personal data in test environments , design, development), so that the Bank's current activity can be carried out optimally, according to the relevant legislation, according to art. 6, paragraph 1, letter f of the Regulation;

x. carrying out analyzes and studies at the Bank level regarding aspects such as the use of products and services, payment or credit standards for the development of analytical models and their periodic review in order to optimize the Bank's business strategy and products and services, based on the legitimate interest of the Bank to take appropriate measures such as studies, analyzes to anticipate the needs and interests of customers, improve the Bank's services and products in line with the needs and expectations of the clientele and the trends in the specific market, according to art. 6, para. 1, letter f of the Regulation;

y. creating a robust internal regulatory framework, carrying out analyzes in the area of anti-fraud and taking appropriate measures (e.g.: consulting public sources) on a current basis, in order to avoid entering into relationships with persons who engage in fraudulent behavior according to art. 6, para. 1 letter c of the EU Regulation, of art. 521 of the NBR Regulation no. 5/2013 and based on the legitimate interest in prudential management of reputational risk, according to art. 6, para. 1, letter f of the Regulation;

z. carrying out analyses, reports, other related operations in the area of application of international sanctions, according to GEO no. 202/2008 on the implementation of international sanctions and art. 6, paragraph 1, letter c of the Regulation, for the performance of a task that serves a public interest, according to art. 6, paragraph 1, letter e of the Regulation and based on the legitimate interest of prudential management of reputational risk, according to art. 6, para. 1, lit. f of the Regulation;

z¹) the undertaking by the Controller of the necessary measures to carry out, in a prudent manner, the consolidated supervision of the entities within the Group (e.g.: UniCredit Consumer Finacing IFN SA hereinafter referred to as "UCFin"), by submitting to the UCFin (on request) of the data regarding common customers, provided for in the corresponding subsection of art. 1 of this Information Notice, so that the Controller (operational leader of the Group): (i) maintains within the optimal parameters of efficiency and effectiveness the credit, financing, model and strategic risks, at the Group level, according to the relevant legislation; (ii) to create for UCFin the necessary conditions for the integrated credit analysis and statistical modeling, by capitalizing on the data held by the Controller, in order to estimate the probability of non-payment; (iii) to avoid the risk of insolvency for joint customers; (iv) to ensure compliance with the relevant legislation and thus reduce the possibility of risks occurrence for the Controller and entities in the Group (which may indirectly affect the Controller), according to art. 6, paragraph 1, lit. f of the Regulation;

z²) franchising of electronic signature services (e.g.: issuance of electronic signatures/qualified digital certificates, display and electronic signing of related documents, management of the application of signatures/marks/qualified electronic seals on electronic documents, management process of transmission of electronic documents to the concerned persons, the transmission of electronically signed documents to the provider of the electronic archiving solution, the monitoring and reporting process and any other similar processes/services and/or accessories, attached to the products and services provided by the Controller and requested by the persons concerned, through the channels provided by the Controller ( art. 6, paragraph 1, letter b of the Regulation);

z³) for the purpose of updating your documents, data and information held by the Controller, it will process the data subject's data, only if you have provided the Controller with such data (art. 6 paragraph 1, letter b) of the Regulation). The data subject has the obligation to inform the contact person about the data processing carried out by the Controller, either by sending the Notice (by email, physical delivery) or by indicating its consultation on www.unicredit.ro, Personal data protection section;

z⁴) for the purpose of defending, enforcing, ascertaining, without limitation, a right/claim/request, etc. in court, before another authority/institution/natural or legal person, auditors without limitation, based on the legitimate interest of the Controller to take all the necessary and appropriate measures (such as documentation, defense, exercise, ascertainment) to protect his rights and interests and ensuring compliance with the applicable legislation (including when there is a legal obligation or public interest in this regard), according to art. 6, para. 1, lit. f of the Regulation and/or, as the case may be, art. 6 para. 1 lit. c or e of the Regulation.

3. Duration of Personal Data processing

a) during the validity period of the contracts concluded with the Bank, to which is added 10 years from the termination of the contractual relationship, except in cases where, by an applicable legal provision, retention is provided for a longer period or when the Bank justifies a legitimate interest, in which case the duration of processing may be extended until that legitimate interest is achieved;

b) for a period of 5 years, to which a period of max. 5 years, at the request of the competent authority, in the event that a contractual relationship has not been concluded in order to provide/provide some banking services/products to you, according to the legislation for the prevention and sanctioning of money laundering (Law no. 129/2019 and BNR Regulation no. 2/2019).

The storage periods mentioned here concern all data processed by the Controller, including those in the area of direct marketing.

4. Controllers/ Authorized Persons and Recipients of Personal Data

Personal data can be transmitted to the following categories of recipients: a) the data subject, the representatives of the data subject, b) entities from the UniCredit Group, c) insurance companies (which may have the status of a joint controller of the Bank), d) collection agencies debts/debt recovery, e) public notaries, bailiffs, f) lawyers, authorized appraisers, accountants, censors, auditors and other types of consultants, g) various service providers (e.g. IT, (e.g. IT services/maintenance and IT infrastructure, providers of electronic signatures/digital certificates (qualified), archiving, printing, couriers, etc.), h) international organizations (e.g. of cards - Visa, Mastercard, etc.), i) providers of technical processing services facilitation of payments (eg Romcard, Transfond, Society for Worldwide Interbank Financial Telecommunication, etc.), j) public authorities in Romania (eg National Bank of Romania, ANAF, National Office for Prevention and Combating Money Laundering, etc.) and from abroad (ex. the European Commission, tax authorities, etc.), k) other public or private law institutions (e.g. the National Credit Guarantee Fund for SMEs), l) third-party payment service providers (if you have contracted specific services provided by them), respectively payment initiation service providers, account information service providers and payment service providers that issue card-based payment instruments.

In the case of transmission of Personal Data to a third party or organization from abroad, the information in the International Transfer section is applicable.

The personal data transmitted to third parties will be adequate, relevant and not excessive in relation to the purpose for which they were collected and which allows the transmission to a certain third party.

5. International Transfer

Personal data will be transferred to SWIFT (Society for Worldwide Interbank Financial Telecommunication), having the capacity of Controller, in case the execution of payment operations requested by you includes processing through the SWIFT system. In this sense, there is a possibility that the data transferred to SWIFT, as the controller, will be accessible to the US Treasury Department. In the situation where you are a citizen of the United States of America (USA) or resident on the territory of the USA, we inform you that, according to FATCA (The US Foreign Account Tax Compliance Act), the legal provisions regarding the tax regime of the US state are directly applicable to you, the data being sent by the Bank to the fiscal authorities in Romania who can then send them to the fiscal authorities in the USA.

In all situations where the international transfer of data will be necessary, this will only be done if in the recipient country an adequate level of personal data protection recognized by decision of the European Commission is ensured, such as the member countries of the European Economic Union ( EEA).

In the absence of such a decision of the European Commission, the Bank will be able to transfer personal data to a third country only if the person who will process the data has offered adequate guarantees provided by law in order to protect personal data.

The bank can be contacted to obtain additional information regarding the guarantees offered for the protection of personal data in case of each transfer of data abroad, through a written request in this regard.

6. The need to process Personal Data

In the event that you refuse the processing of Personal Data for the purposes stipulated in letters a) - k), q) - t), v - z3) above - the Bank will be unable to initiate legal relations with you or to continue those, as it is impossible to comply with the requirements of the special regulations in the financial-banking field regarding KYC, the prudential requirements and other legal regulations, including analyzing the request regarding the provision of some services by the Bank, concluding/ developing/executing the contract requested by you.

In the situation where you object to the processing of Personal Data for statistical purposes, we inform you that this option will be analyzed, and depending on the particular situation of the data subject, you will receive an answer according to art. 21 of the Regulation, your objection to such an operation not having an effect on the continuation of the contractual relationship with the Bank.

In the event that you do not agree with the processing of your Personal Data for direct marketing purposes, or for contacting you in order to obtain your opinion on the services and products offered or purchased, the contractual relationship between you and the Bank will not be affected in any way.

In the situation when you were or are an exclusive customer of UniCredit Consumer Financing IFN SA and you only had/have the right to view in Mobile Banking and considering that the Controller has control over the Mobile Banking application, we inform you that it is possible that the new direct marketing agreement will be made available in Mobile Banking by the Controller based on the Controller's legitimate interest in consolidating the business relationship with Mobile Banking users according to art. 6, paragraph 1, lit. f of the Regulation.

7. As a data subject, you have the following RIGHTS exclusively with respect to your Personal Data:

a) the right to access data according to art. 15 of the Regulation;

b) the right to rectify data, according to art. 16 of the Regulation;

c) the right to delete data, according to art. 17 of the Regulation;

d) the right to data restriction, according to art. 18 of the Regulation;

e) the right to data portability, according to art. 20 of the Regulation;

f) the right to object, according to art. 21 of the Regulation;

g) the right not to be subject to an automated individual decision, including profiling, according to art. 22 of the Regulation;

h) the right to address the National Authority for the Supervision of the Processing of Personal Data (ANSPDCP) and justice.

We mentioned that, according to art. 7 paragraph 3 of the Regulation, you have the right to withdraw your consent at any time for the processing based on consent while maintaining the validity of the processing carried out until the date of withdrawal. With the exception of the right mentioned in letter h) which is exercised through requests addressed to ANSPDCP or the competent court, in order to exercise the other rights, you can apply with a written, dated and signed request, sent to UniCredit Bank SA, at the address: Bulevardul Expozizionei, no. 1 F, sector 1, Bucharest, postal code 012101, or by email at infocenter@unicredit .ro, respectively by calling the number +40 21 200 2020 (normal rate call in the Telekom Romania fixed network) or *2020 (normal rate call in the Telekom Romania, Orange, RCS&RDS, Vodafone mobile networks).

If you make a request regarding the exercise of your data protection rights, the Bank will respond to this request within one month, term which can be extended by two months, under the conditions provided by the Regulation.

In the event that you wish to address a request regarding the exercise of the above rights, in relation to the joint controller - the insurance company - that issued the Insurance Policy, you can address it according to what is mentioned in the Insurance Policy.

Within UniCredit Bank S.A., the data protection officer has the following contact details: Bulevardul Expozitiei no. 1 F, sector 1, Bucharest, postal code 012101, e-mail dpo@unicredit.ro.

You can permanently consult the Bank's website at www. unicredit.ro, SME section, Personal data protection section.

[i] Online B@nking - Payment tool with remote access that is based on an Internet banking IT solution

[ii] Mobile B@nking - Payment tool with remote access that is based on a Mobile banking IT solution

[iii] Token device - DIGIPASS - It is a secure token device that allows access to Online B@nking

[iv] If you choose to use your fingerprint or facial image as the authentication method in Mobile B@nking/Mobile Token, the Bank does not process the biometric data from the biometric system installed on your mobile device. This data is subject to the processing rules established and communicated through the respective device.

[v] UniCredit Group/Group - UniCredit SpA (Italy) and directly/indirectly controlled companies, including Romanian companies (UniCredit Bank SA, UniCredit Leasing Corporation IFN SA, Debo Leasing IFN SA, UniCredit Leasing Fleet Management SRL, UniCredit Insurance Broker SA, UniCredit Consumer Financing IFN SA, UCTAM RO SRL, etc.) and the legal successors of these entities

The app you are looking for Business Mobile

The app you are looking for
Business Mobile