Personal Data Protection

Information by UBB AD regarding personal data processing

Your privacy is important to us. We have taken all the necessary organizational and technical measures in order to process your personal data in a manner that is lawful, appropriate and transparent. In this privacy statement by UBB, we explain which of your personal details we will process, for what purposes and on what grounds, to whom we could provide them and how long will we store them.

We recommend that you read this information carefully, so that you know more about the manner of processing of your personal data as a client, potential client, related party to a client of ours, counterparty, contact person, representative of a legal entity, or any other interested party. Regardless of what are the purposes and the grounds on which we process your personal data, UBB will treat your data with equal care. This document contains also information about your rights and the manners in which you can exercise them.

UBB may update this privacy statement and its most recent version will be available at www.ubb.bg. UBB will inform you of all material changes to its terms via its website or other communication channels.

You will also find more information about the Bulgarian privacy legislation on the website of the Bulgarian Commission for Personal Data Protection at www.cpdp.bg

1. About the company

2. Definitions

3. Rights of Data Subjects

If you are a person whose personal data is processed by UBB under the General Personal Data Regulation, effective since 25.05.2018, you have the following rights that you can exercise by visiting an office of the Bank.

a. Right to access - Upon your request, as the data subject, the Bank shall provide information about the categories of the personal data relating to you, which are being collected and processed by the Bank, and information about the purposes of the processing, the recipients or categories of recipients to whom your data are disclosed and the sources of this data, except the cases when the data was collected directly from you.

b. Right of rectification, blocking (restriction of processing) and/or erasure (deletion) – Upon your request, the Bank shall correct, erase or cease the processing of your personal data in the cases when its processing would be unlawful. In such cases the Bank shall notify all third parties to whom your personal data has been disclosed regarding all rectifications and erasures that have been made or all cases of restriction of processing of your personal data.

c. Right to data portability – As a data subject, you have the right to request to receive the personal data concerning you, which you have provided to UBB, in a structured and commonly used and machine-readable format and you have the right to transmit/transfer those data to another Controller without hindrance from UBB as personal data controller, to whom the data was provided, where the processing is based on consent or on a contract or the processing of your personal data is carried out by automated means.

d. Right to object – As data subject, you have the right to object to the processing of your personal data when the processing of personal data is based on the Bank's legitimate interest. UBB shall review your objection and shall provide its opinion in writing within 30 days unless this term needs to be extended, for which the Bank will notify you in due time. After reviewing the objection, the Bank will generally discontinue the processing of your personal data and will notify all interested parties to whom the personal data have been submitted of the objection received and of the measures taken in this regard. In some cases, however, the Bank has an indisputable legal basis to continue the processing of your personal data even after receiving your objection (for example, in cases of lawsuits, fraud surveillance, etc.). In such cases UBB will contact you to clarify the reasons why it will continue to process your personal data. If your objection concerns the processing of personal data for direct marketing, the Bank will suspend unconditionally the processing of your for that purpose.

f. Right to withdraw the consent given for personal data processing for the purposes outlined in the Declaration of Consent. The withdrawal can be done via a consent withdrawal declaration form that is available at the Bank’s offices.

g. Right to lodge a complaint with the Commission for Personal Data Protection (CPDP) – as the data subject, you have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) against the actions of UBB in connection with the processing of your personal data.

In the cases when you are exercising your rights as a data subject, it would be necessary for you to make a detailed description of your request in the application submitted to the Bank. When exercising your rights, UBB will need to verify your identity so as to avoid anyone else trying to impersonate you. For this purpose, the Bank may require an ID card or other identification document when providing you with the information you request.

You may ask in writing various questions about the processing of your personal data by the Bank, both in your service office and electronically at dpo@ubb.bg.

If you do not agree with the UBB's opinion regarding your inquiry or if you wish to receive more information, please visit the website of the Commission for Personal Data Protection at www.cpdp.bg where you could file a complaint.

In the cases when UBB has received your personal data from third parties, e.g. the Central Credit Register maintained by the Bulgarian National Bank (www.bnb.bg) or by ESGRAON, maintained by the Ministry of Regional Development and Public Works, and is processing them for its own purposes, you may file a complaint against the actions of these third parties directly to them.

The exercise of your rights can not be opposed to the provision of your personal data to the competent authorities for the prevention, investigation and detection of criminal offenses.

4. Types of processed personal data

UBB may process different types of personal data related to your physical, social or economic identity. Such data may be obtained from you as the data subject, from third parties, or may be generated by the Bank in connection with your customer service.

4.1. UBB may process different types of data, depending on the purpose of the processing, such as:

A) Basic data
In order for us to be able to offer standard products and services similar or related to the ones used by you (so-called basic marketing – for more information refer to section 6.4.k of this document):
-    full name
-    phone number – mobile/fixed
-    email address
-    permanent address (street, number, zip code, city, country)
-    current address (street, number, zip code, city, country)
-    information about the products you use

These data are the basic data that UBB processes in order to identify you as your service bank. The Bank will only use your contact information to make an offer to buy standard banking products that match your expectations as it has an interest in making you offers as a Bank.

B) Extended data:
The Bank may process some or all of the "Extended Data" categories listed below in order to achieve the purposes described below, only if it has a good reason to do so.

a) to identify you:

-    full name
-    place/country of birth
-    date of birth
-    nationality (citizenship)
-    driving category (driving license)
-    permanent address (street, number, zip code, city, country)
-    current address (street, number, zip code, city, country)
-    a previous (old) address
-    copy of an ID card
-    client number
-    national registration number/EGN
-    VAT number
-    employer
-    your qualification, occupation and professional experience as well as income source
-    risk profile
-    your marital status

b) to contact you:

-    phone number – mobile/fixed
-    email address
-    permanent address (street, number, zip code, city, country)
-    current address (street, number, zip code, city, country)
-    similar details of contact persons related to you.

c) to provide you with the right advice and services:

-    your products, account numbers, your financial products (payments, loans, insurance, savings, investments)
-    operations and balance on your accounts - this type of data will be processed according to the requirements and restrictions imposed by the applicable laws.
-    Your potential interest in UBB products
-    History of your financial information and advice we have given you in the past
-    Your client profile, created on the basis of information on payment transactions, transactions on your accounts, your investment portfolio, your card, balances and account balances, etc.), UBB can analyze your behavior and identify your needs. The bank may use this profile to analyze more effectively which banking and/or insurance products are best suited to you.
-    Your marital status, the members of your household
-    Your financial status – UBB can offer you more appropriate advice if it is aware of your overall financial standing (your total assets, property, etc.).
-    Data on your indebtedness collected from the Central Credit Register (CCR) data bases, as well as data on the amount of your insurance income, the insurer, and other information about your insurance status received from the National Social Security Institute (NSSI). The data is necessary for the Bank to assess your creditworthiness in order to offer you appropriate banking products and services.
-    Your qualifications, knowledge and professional experience
-    Your health – as a data processor on behalf of DZI or UBB Life Insurance EAD. UBB may process information in relation to insurances (for example, in order to execute life insurance). Strict procedures are in place for the processing of such information.
-    Feedback, comments and suggestions, previous complaints. They can definitely help UBB offer you better service in the future.

4.2. Public data and data acquired through third parties

UBB sometimes processes public information such as:
-    Information to be disclosed to a public database, such as if you are appointed as a company director or proxy, or if you are a company owner;
-    UBB may also receive your personal data from third parties:
•    from members of your family,
•    from credit intermediaries in order to prepare a loan proposal, or
•    from persons related to you, pursuant to § 1, sections 4 and 5 of the Additional Provisions of the Credit Institutions Act,
•    from borrowers when mortgage debtors do not conclude a credit agreement and their data are necessary for the preparation of mortgage contracts;
•    from administrators of the Bank in connection with the declaration of a conflict of interest under Art. 51 of the Credit Institutions Act
•    as well as from official public registers, which are responsible for keeping this information legally, or to purchase them from companies that are responsible for the lawful collection of personal data.

Such public data may be processed for the purposes listed by UBB in this document in order to verify the accuracy of the information in the Bank's database.

4.3. Location

In case you want to visit an office of UBB or you want to schedule a meeting with a UBB’s employee, your location data will be used to find the closest office of UBB. This data is only processed if you allow access to your location. UBB will request your permission if you visit certain websites or use UBB applications, for example.

4.4. Telephone calls

UBB may record and listen to the conversations with you. Such actions are necessary to ensure the security of the processes and also as evidence of the instructions given by you, in relation to training of staff, or to improve the quality of products and services. Recordings of phone conversations are stored as long as there is a potential for occurrence of problems, as evidence of the customer instructions. Records include phone calls with the Contact Center or the Dealer's Office of the Markets and Investment Banking Directorate.

4.5. Video images from security cameras

UBB can use security and CCTV cameras inside and outside the premises of the Bank. UBB fully complies with the legal requirements for installation and use of CCTV cameras. If there are CCTV cameras installed in an office of the Bank, you will be notified via a sticker located in a prominent place. Recordings of CCTV cameras inside and outside UBB offices (indicated with a sticker) are kept for one month. They may be stored for a longer period of time in the following cases:

-    the records will be used as proof of a specific relationship, a crime or a misdemeanor;
-    records will be used as evidence of damage or to identify a criminal, a public order offender, a witness, or a victim.

4.6. Transaction details

UBB processes data for your transactions. It is possible to transmit them to other financial institutions that execute payment or settlement instructions.
The Bank may also use your data to prevent or detect money laundering, financing of terrorism, or other unlawful practices.

UBB may also use details of individual transactions for marketing and commercial purposes, customer needs analysis, or usage patterns for particular products.

5. Recipients of personal data

Personal data is generally processed by the employees of UBB. The processing of personal data may also be carried out by personal data processors with whom the Bank has signed a contract for this purpose and who perform activities forming part of the Bank’s services. Where there is a legitimate reason, personal data may be provided to other administrators to use them for their legitimate purposes.

a. Personal Data Administrators to whom UBB may provide personal data:
-    BNB (Bulgarian National Bank)
-    CPDP (Commission for Personal Data Protection)
-    CCP (Commission for Consumer Protection)
-    Central Credit Committee / Register
-    National Revenue Agency
-    National Social Security Institute
-    National Health Insurance Fund
-    Card and payment service and system operators like Borica AD, VISA, Mastercard, Bisera, Rings
-    Specialized Administrative Directorate "Financial Intelligence”, the State Agency for National Security, the Criminal Intelligence Service
-    Judicial bodies (courts, etc.), the Prosecutor's Office
-    Central Depository;
-    Bulgarian Stock Exchange
-    Financial Supervision Commission
-    Ministry of Interior
-    Guarantee funds and financial institutions such as the European Investment Fund, the National Guarantee Fund, the European Bank for Reconstruction and Development, the European Investment Bank, the European Court of Auditors, the European Commission and other bodies of the European Union with audit and control functions.
-    Assignees with whom the Bank concludes contracts
-    Other companies of the KBC Group, in their capacity as personal data controllers

In the event of changes to the list of personal data controllers to whom personal data are provided, UBB will update this document.

b. Personal data processors are:

Individuals or legal entities, public authorities, agencies or any other body which processes personal data on behalf of the controller.

As part of the KBC Group, UBB may assign certain data processing operations to other processors in the Group. Some of these data processing activities, commissioned by UBB, are related to controlling and support functions such as:
-    financial reporting
-    compliance
-    risk
-    marketing
-    ICT management
-    internal audit
-    a research team that develops models for improvement of services and products.

UBB may directly or indirectly use other processors with whom it has signed a contract, such as:

-    persons, who are assigned to draw up, put together and deliver information forms to the Bank
-    persons assisting the administrator and assignees in relation to servicing and debt collection
-    insurers, so as to conclude and service personal and/or property insurance
-    persons to whom the administrator has assigned the processing of personal data for organizational reasons
-    traders who, by virtue of a contract with the Bank, provide goods on credit
-    suppliers of products and services for the Bank
-    companies, providing information and communication technologies in order to facilitate the work of the operation systems and services (IBM, Microsoft, etc.);
-    hired lawyers and law firms which have signed contracts with UBB
-    hired auditors who have signed contracts with UBB
-    SMS providers
-    Card and payment service and system operators like Borica AD, VISA, Mastercard, Bisera, Rings
-    market research agencies
-    companies specializing in archiving digital information and access
-    companies from the KBC Group, in or outside the European Economic Area (EEA), for creation of client profiles for commercial purposes. If there are legitimate reasons, such as the legitimate interest of the administrator, your personal data may also be provided for other purposes to other KBC Group companies in Bulgaria or abroad or processed by the Bank if they have been legally collected by other KBC companies in Bulgaria or abroad.

c. Recipients outside the European Economic Area (EEA)

Some of the recipients mentioned above may be established outside the European Economic Area. The Bank shall forward personal data to non-EEA member countries (third countries), provided that an adequate level of personal data protection is ensured in accordance with the local and European laws, and that the personal data provided are sufficiently protected in the third country concerned, and with the approval of the Commission for Personal Data Protection. Your personal data may be transferred to a third country outside the EEA European Economic Area with your explicit and freely given consent. UBB will take all the necessary measures to protect your personal data by limiting their availability to third parties in or outside the European Economic Area.

6. Purposes of personal data processing

Personal Data, collected by the Bank in its capacity of Personal Data Controller, may be processed for different purposes on different lawful basis, as follows:

6.1. Purposes, where personal data processing is based on legal obligations:

a. Client identification and authentication of personal data pursuant to the Law on the Measures against Money Laundering and the Rules on the Implementation thereof.

b. Client profiling by the Bank based on risk assessment – Client profiling is made by the Bank pursuant to the Law on the Measures against Money Laundering and the Rules on the Implementation thereof (based on the said legal acts, the Bank performs client and transaction approval and monitoring according to the risk profile).

c. Controlling data in order to prevent money laundering, embargo and anti-terrorism actions – The processing of your data is related to measures and actions taken by the Bank to prevent, detect, investigate and report suspicious transactions to the Financial Intelligence Agency under The Law on Measures Against Financing of Terrorism, the Money Laundering Measures Act and its Implementing Regulations.

d. Client profiling with the purpose to provide services, connected with financial instruments (stocks, bonds, derivatives, shareholdings, etc.) – The Bank performs client profiling, based on a questionnaire for creating a risk profile with the purpose of providing investment services in compliance with the requirements of the Financial Instrument Markets Act and Regulation No. 38 on the requirements to the investment mediators' activity.

e. Exercising control with the purpose of preventing the cases of non-compliance with the Financial Instrument Markets Act and Regulation No. 38 on the requirements to the investment mediators' activity – the control includes all actions for preventing, detecting, investigating and further implementing the necessary measures to deal with non-compliance cases, connected with the Financial Instrument Markets Act and Regulation No. 38 on the requirements to the investment mediators' activity. These activities could be based on clients’ profiles, created during the provision of investment services pursuant to the Financial Instrument Markets Act and Regulation No. 38 on the requirements to the investment mediators' activity.

f. Exercising control with the purpose of preventing and disclosing market abuse. The Bank processes your data in order to take action to prevent, detect, investigate and further implement the necessary measures while investigating cases of suspected market abuse under the Market Abuse of Financial Instruments Act.

g. Reporting to government and control bodies – taxes, requirements of the Foreign Account Tax Compliance Act (FATCA) and amendments to the Tax and Social Insurance Procedural Code (TSIPC) relating to the automatic exchange of financial information in the field of taxation (CRS = Common Reporting Standard). In relation to these requirements, your collected personal data will be processed for accounting and tax purposes in compliance with the reporting requirements to the competent authorities on the grounds of legal obligations.

h. Assessment of your creditworthiness – in case you apply for a loan, the Bank is obliged under the Consumer Credit Act and the Consumer Loans for Real Estates Act to assess your creditworthiness and provide you with a loan that is consistent with your ability to fulfill your obligations under the loan agreement. In order for your creditworthiness assessment to be correct, the Bank will consult the NSSI, CCR, ESGRAON databases.

6.2. Purposes for which the processing of your personal data is performed on the basis of performance of a contract

a. Drawing up contracts at your request - to enter into a contract with you, as a customer using any bank product (account, deposit, credit, bank card) or as a co-contractor under a service contract, the Bank must have your specific personal data (e.g. name, date of birth, PIN, ID card number) as well as your contact details. It is possible that the Bank would require additional information, depending on the type of the services that are subject of the contract.

b. Drawing up mortgage contracts (legal or contractual mortgage) – to draw up a notary deed for a contractual mortgage securing your loan or a legal mortgage application, the bank must have both your personal data and the data of your mortgagees (such as names, PIN, ID card number, address). It is possible that the Bank would require additional information, depending on the necessity to draw up the document.

c. Bank product/service simulation sale – in order to sign a contract suitable for the client and to provide services pertinent to the client's needs, the bank needs to have some specific personal information about the client. For this purpose, based on the specific personal data provided by you, the Bank simulates the sales of a certain product/service, in order to offer particular price and conditions for its purchase, after which the client/borrower would be able to make comparison and to select the most suitable offer (non-binding offer, serving to assess your personal ability to purchase certain products).

d. Product/service usage – UBB processes the personal data of clients through its various channels with the purpose of ensuring the usage of the Bank products and services purchased by the clients (e.g. processes data for a payment transaction in order to carry out a money transfer ordered by you as a client).

e. Enforcing its rights under a loan agreement – UBB processes your personal data on the basis of the loan agreement signed with you in order to exercise its rights as a creditor rights and to collect its loan receivables. UBB processes the personal data of the co-debtors in order to make contact with them in exercising its rights as a creditor in the event that it cannot exercise such rights against the borrower.

6.3. Purpose for which the processing of personal data is made on the basis of a customer's consent:

a. To exchange your personal data with other KBC companies in Bulgaria and to receive your personal data from the database of the Central Credit Register (CCR) at the National Bank of Bulgaria and the National Social Security Institute (NSSI) in order to create a precise client profile and to offer you personalized banking, insurance and investment products and services

Pursuant to Article 4, item 4 (Definitions) of the General Data Protection Regulation, “PROFILING" means any form of automated processing of personal data consisting of the use of personal data to evaluate and/or analyze certain personal aspects relating to a natural person, in particular aspects concerning that the data subject's health, personal preferences, reliability, behavior, location, performance at work, economic situation. Profiling and processing of personal data for this purpose gives information about the needs and capabilities of the particular client. It may result in your inclusion in the promotion sales list of a specific product. In order for this specific analytical approach to be applied to you, your consent is necessary.

In case you have given us your consent, UBB will process all your extended data for the above-mentioned purpose. Detailed information on the extended personal data can be found on pages 4-5 of this document.

6.4. Purposes for which the processing of personal data is based on safeguarding the legitimate interests of the controller:

a. Building analytical models – UBB will build analytical models to support the development of its client services and to evaluate the services offered. The collected data of all clients or of a large group of clients are grouped under a specific attribute in order to build models/to find dependencies/ratios/algorithms without affecting the interests of the individual client and without taking action with respect to him (e.g. creating the credit rating of the client). For the creation of such models, UBB uses "pseudonymized" personal data, i.e. data that is masked in such a way that it can not lead to the identification of a particular client without additional information being required.

b. Historical, statistical or scientific purposes - UBB has a legitimate interest in processing your personal data for the purposes of compiling statistical surveys and reports, conducting research and development, conducting historical reviews and forecasts for the development of economic, financial industry, etc. For these purposes aggregated data derived from the records of specific personal data of the clients are used.

c. Sending product and service messages – The Bank processes your personal data in order to send messages for the products and services used by you through calls, emails, sms, letters, etc. The messages pertain only to the products and services already used by you; they do not pursue marketing goals, nor do they contain new service offers.

d. Litigations – Establishment, exercise and defense of UBB's rights – UBB will process its clients data in order to protect its rights in court/ litigation procedures, when settling claims with the help of hired solicitors/lawyers, etc. This pertains to situations where your personal data is processed in connection with the administration of information related to litigations, judicial warrants, petitions and court decisions.

e. Testing software application changes, demo platforms and internal portals for training – the Bank will use your personal data to create or update software applications to be used with the Bank’s operation systems, for:

-    testing the software code changes of applications in different testing/acceptance environments (e.g. perfecting the distribution channels or ensuring safer protection of the collected personal data).
-    incident resolving – replaying incidents
-    demo platforms
-    employee training

f. Internal reporting, analysis and development of the offered products and services – UBB uses personal data of its clients in order to improve its market position by offering new or better services and innovative products and optimizing the internal banking processes.

g. Risk evaluation as a measure for preventing and detecting fraud – UBB will process its clients’ personal data in order to protect itself against fraud or criminal actions on their part. UBB has the right not to service clients with a high risk profile, who expose its image to a risk. Based on certain facts (e.g. a false ID card, certain client behavior) the Bank may assess the potential fraud risk. Certain indicators of the respective client profile, as well as any other information (like a stolen ID card, the choice of a country for e-banking) could serve as a basis for this assessment to indicate potential fraud. The measures for preventing and uncovering fraud are taken in the context of compliance to the internal security rules, control, ensuring reliable information security, stored both physically and digitally, as well as in online banking (incl. computer “cyber” crime).

h. Client relationship management – UBB will process your personal data in order to offer an individual approach based on the submitted information and the client profile created. Customer personal data stored in different databases could be grouped under a specific attribute and processed through the various channels (direct channels, contact centers, bank offices and branches) at the Bank, with the aim of the grouping being to facilitate and refine these channels for accessing information.

i. Credit and insurance Risk profiling – UBB will use your personal data for building credit and insurance risk profiles in order to mitigate the risk when offering credit/insurance products and services to clients.

j. Direct marketing of standard UBB products and services: Offering products and services provided by the Bank, as well as participation in surveys on products and services offered, through any of the channels, including bank offices, the contact center, email, SMS, phone, online channels. The Bank will offer you products and services and will only include you in surveys if you are a customer and, therefore, you can reasonably expect that it will process your personal data in order to offer you new and better products and services, similar or related to the ones you use. For these cases, the Bank will only use your Basic Data under 4.1. A herein above.

***
The processing for these purposes is necessary for the protection of the legitimate interest of UBB as personal data controller, given that these interests are related to the bank's main function as a bank. UBB has conducted tests to determine the balance between its legitimate interests in processing your personal data for each of the purposes described in Section 6.4., and your interests and fundamental rights and freedoms as data subjects, and it has concluded that its legitimate interests as data controller do not violate your interests, fundamental rights and freedoms.

7. Term of storage of personal data