UBB AD (hereinafter referred to as UBB/the Bank), Company ID 000694959, 89B, Vitosha Blvd., Sofia. For questions, related to the processing of personal data, please contact the Data Protection Officer at dpo@ubb.bg.

 

UBB AD is Personal Data Controller and in its capacity of such, conducts its activities in strict compliance with the requirements of the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, in order to ensure confidentiality and lawful collection and processing of clients’ personal data.

 

UBB AD is part of the KBC Group. The KBC group is a bank-insurance group of companies that through co-operation creates and distributes banking, investment and insurance products and provides related financial services.  The following companies in Bulgaria also belong to the KBC Group: DZI – General Insurance, DZI – Life Insurance, KBC Asset Management – Branch Bulgaria, UBB Interlease AD, UBB Insurance Broker EAD, UBB Factoring EOOD,  UBB – Center Management EOOD and UBB Pension insurance company, KBC Bank Bulgaria EAD as well as KBC Group – Branch Bulgaria. KBC group’s main target groups are individuals, SME’s and corporate clients. KBC Group operates mainly in Belgium, the Czech Republic, Slovakia, Hungary, Bulgaria and Ireland.

 

In general UBB AD is a controller with respect to the personal data of its clients.

 

There may be cases when UBB acts in its capacity as a personal data processor for other data controllers, for example:

-          As an insurance agent on behalf of other legal entities within the KBC Group – DZI – General Insurance, DZI – Life Insurance,

-          Upon sale of the products of KBC Asset Management – Branch Bulgaria (legal successor of UBB Asset Management);

-          Upon sale of the products of UBB Pension Insurance company;

-          When serving customers - users of household and utility services;

-          When providing other services permitted by law to legal entities within KBC Group.

 

In these cases, upon performing the respective activity, UBB AD processes data of natural persons by following the personal data controllers’ instructions.

a. "Personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data, gender, address, telephone number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

b. "Processing of personal data" any operation or set of operations which is performed on personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

If you are a person whose personal data is processed by UBB under the General Data Protection Regulation, effective since 25.05.2018, you have the following rights that you can exercise by visiting an office of the Bank.

 

a. Right to access - Upon your request, as a Data Subject, the Bank shall provide information about the categories of personal data relating to you, which are being collected and processed by the Bank, and information about the purposes of the processing, the recipients or categories of recipients to whom your data is disclosed and the sources of this data, except the cases when the data was collected directly from you.

 

b. Right to rectification – upon your request, as the Data Subject, the Bank is obliged to rectify incorrect and/or to fill incomplete personal data related to you. In such cases the Bank shall notify any third party to whom your personal data has been disclosed, of all rectifications and supplements to your personal data.

 

c. Right to restriction of personal data processing – upon your request the Bank may restrict the processing of data related to you, upon presence of any of the following conditions:

-          in case you dispute the accuracy of the data processed by the Bank for you – for a period necessary to verify their accuracy;

-          upon establishment that the data processing is unlawful, but you wish your data not to be erased, but instead its usage to be restricted;

-          upon your request, in case the Bank no longer needs the personal data for processing purposes, but you require it for the establishment, exercise or defense of legal claims;

-          you have objected to the processing as per Art. 21, Para. 1 of the General Data Protection Regulation and are awaiting the results of the verification whether the Bank’s legitimate interest prevails over your interests as a Data Subject.

 

d. Right to erasure ("the right to be forgotten") – upon your request the Bank may erase your personal data, generally, when there is lack of or no longer compliance with the ground for its processing, or there are legal grounds for its erasure. Your request for erasure of your data may be refused in case essential circumstances require the processing to be continued. The judgment is made on a case-by-case basis, taking into account the specific circumstances. In this case, the Bank notifies any third party to whom your personal data has been disclosed, of all erasures it carried out, as well as of the events of discontinuation of processing of your personal data.

 

e. Right to data portability – In your capacity as Data Subject, you have the right to request to receive the personal data concerning you, which you have provided to UBB, in a structured and commonly used and machine-readable format and you have the right to transmit/transfer that data to another Controller without hindrance from UBB as personal data controller, to whom the data was provided, where the processing is based on consent or on a contract or the processing of your personal data is carried out by automated means.

 

f. Right to object – In your capacity as Data Subject, you have the right to object to the processing of your personal data when the processing of personal data is based on the Bank's legitimate interest. UBB shall review your objection and shall provide its opinion in writing within 30 days unless this term needs to be extended, for which the Bank will notify you in due time. After reviewing the objection, the Bank will generally discontinue the processing of your personal data and will notify all interested parties to whom the personal data have been submitted of the objection received and of the measures taken in this regard. In some cases, however, the Bank has an indisputable legal basis to continue the processing of your personal data even after receiving your objection (for example, in cases of lawsuits, fraud surveillance, etc.). In such cases UBB will contact you to clarify the reasons why it will continue to process your personal data. If your objection concerns the processing of personal data for direct marketing, the Bank will suspend unconditionally the processing of your data for that purpose.

 

g. Right not to be the subject of a fully automated decision involving profiling - as a Data Subject you have the right not to be the subject of a decision based solely on automated means, unless you have given your explicit consent to this or in cases where the automated processing is necessary for the conclusion and execution of a contract to which you would be a party. In addition, when there is an automated decision-making, you have the right to express your opinion, to challenge the decision, as well as to request the participation of our employee to perform a reassessment (i.e. human intervention). UBB will inform you in advance if it uses fully automated personal data processing, and will provide clear information about the concepts that the respective software would take into account when making the decision.

 

 

h. Right to withdraw the consent given for personal data processing for the purposes outlined in the Declaration of Consent. The withdrawal can be done via a consent withdrawal declaration form that is available at the Bank’s offices or by disabling the opt-out button in the UBB mobile banking app.

 

i. Right to lodge a complaint with the Commission for Personal Data Protection (CPDP) – In your capacity as Data Subject, you have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) against the actions of UBB in connection with the processing of your personal data.

 

In the cases when you are exercising your rights as a data subject, it would be necessary for you to make a detailed description of your request in the application submitted to the Bank as per a standard application form, available in each branch of UBB’s branch network. When exercising your rights, UBB will need to verify your identity so as to avoid anyone else trying to impersonate you. For this purpose, the Bank may require an ID card or other identification document when providing you with the information you request. The rights may be exercised through a third party, which is explicitly authorized to submit and sign documents on your behalf as a Data Subject. In case you have a qualified electronic signature (QES), you can exercise your rights electronically at dpo@ubb.bg with a free text application with mandatory indication of full name, identification number (PIN/PNF) and contact details.

 

Apart from that, you may ask in writing various questions about the processing of your personal data by the Bank, both in your service office and electronically at dpo@ubb.bg.

 

If you do not agree with the UBB's opinion regarding your inquiry or if you wish to receive more information, please visit the website of the Commission for Personal Data Protection at www.cpdp.bg where you could file a complaint.

 

When UBB has received your personal data from third parties, e.g. the National Social Security Institute, the Central Credit Register maintained by the Bulgarian National Bank (www.bnb.bg) or from ESGRAON, maintained by the Ministry of Regional Development and Public Works, you may file a complaint against the actions of these third parties directly to them.

 

The exercise of your rights can not be opposed to the provision of your personal data to the competent authorities for the prevention, investigation and detection of criminal offenses.

UBB may process different types of personal data related to your physical, social or economic identity. Such data may be obtained from you as the data subject, from third parties, or may be generated by the Bank in connection with your customer service.

 

4.1 UBB may process different types of data, depending on the purpose of the processing, such as:

 

A) Basic data

In order for us to be able to offer standard products and services similar or related to the ones used by you (so-called basic marketing – for more information refer to section 6.4.k of this document):

-          full name

-          phone number – mobile/fixed/home/business

-          email address

-          permanent address (street, number, zip code, city, country)

-          current address (street, number, zip code, city, country)

-          information about the products you use with UBB AD and other banks in relation to application for credit products, as well as using "Access to my accounts with other banks" service

 

The specified data is the basic data that UBB processes in order to identify you in its capacity as your service bank. The Bank will only use your contact information to make an offer to buy standard banking products that match your expectations as it has an interest in making you offers as a Bank.

 

B) Extended data:

 

The Bank may process some or all of the "Extended Data" categories listed below in order to achieve the purposes described below, only if it has a legal basis to do so.

 

a) to identify you:

-          full name

-          place/country of birth

-          date of birth

-          nationality (citizenship)

-          sex

-          permanent address (street, number, zip code, city, country)

-          current address (street, number, zip code, city, country)

-          a previous (old) address

-          copy of an ID card/another identity document (passport/driving license/document for residence)

-          client number

-          national registration number/Personal ID number

-          VAT number/VAT address

-          IP address of a computer/other device used to access bank accounts

-          employer

-          your qualification, occupation and professional experience as well as income source

-          risk profile

-          your marital status

 

b) to contact you:

-          phone number – mobile/fixed

-          email address

-          permanent address (street, number, zip code, city, country)

-          current address (street, number, zip code, city, country)

-          similar details of contact persons related to you.

 

 

c) to provide you with the right advice and services:

-          your products, account numbers, your financial products (payments, loans, insurance, savings, investments)

-          operations and balance on your accounts - this type of data will be processed according to the requirements and restrictions imposed by the applicable laws.

-          Your potential interest in UBB products

-          History of your financial information and advice we have given you in the past

-          Your client profile, created on the basis of information on payment transactions, transactions on your accounts, your investment portfolio, your card, balances and account balances, etc.), UBB can analyze your behavior and identify your needs. The bank may use this profile to analyze more effectively which banking and/or insurance products are best suited to you.

-          Your marital status, the members of your household collected as data including from external sources such as the ESGRAON register.

-          Your financial status – UBB can offer you more appropriate advice if it is aware of your overall financial standing (your total assets, property, income, etc.).

-          Data on your indebtedness collected from the Central Credit Register (CCR) databases, as well as data on the amount of your insurance income, the insurer, and other information about your insurance status received from the National Social Security Institute (NSSI). The data is necessary for the Bank to assess your creditworthiness in order to offer you appropriate banking products and services.

-          Your education, qualifications, knowledge and professional experience, position held.

-          Your health – as a data processor on behalf of DZI General Insurance or DZI Life Insurance UBB may process information in relation to insurances (for example, in order to execute life insurance). Strict procedures are in place for the processing of such information in the amount needed to fulfill the processing purpose and upon presence of legal grounds for this. As a party to Group insurance policies, concluded with DZI, UBB AD acts in its capacity as a policyholder for the purposes of effecting the specific insurance contract and as a personal data controller of the insured persons – clients of the Bank, which provides to the insurer.

It is possible, on the occasion of restructuring and deferral of your loan obligations for the period of emergency, announced by a decision of the National Assembly of the Republic of Bulgaria in connection with the pandemic of COVID-19 UBB to process personal data about your health, but only after express written consent provided by you to process your data for the specific purpose.

In other cases, when for the purposes of a specific product (e.g. donation account, etc.) the collection of such information is necessary, the Bank may process data on your health, insofar as there is an explicit legal basis for this.

-          Feedback, comments and suggestions, as well as previous complaints. They can definitely help UBB offer you better service in the future.

 

 

d) in connection with your participation in games and raffles organized by UBB and/or its partners, and for declaring a received cash prize under the Personal Income Tax Act:

 

- Identification data - three names and PIN (if necessary). Your personal data will be processed by the Bank in connection with the fulfillment of the obligations under the Personal Income Tax Act.

- Contact details

- Transaction details (depending on the conditions of the specific game/raffle)

- Photo material - with your explicit consent

 

4.2 Public data and data acquired through third parties

 

UBB sometimes processes public information such as:

-         from official public registers (e.g. Commercial Register, Lacorda, Apis), which are responsible for the lawful storage of this information. Public data may be processed for the purposes, listed by UBB herein, to verify the accuracy of the information in the Bank’s database.

-         through the environment for inter-registry exchange (RegiX) – the Bank has been provided with the opportunity to automatically extract data from the main registers, including  National Population Database, BULSTAT Register, Property Register, Commercial Register, Register of Liabilities to the Customs Administration, Register of Bulgarian identity documents, etc.

-         UBB may also receive your personal data from third parties – clients, counterparties, partners or Bank employees:

·        from members of your family, e.g. when declaring the circumstances, which could be a conflict of interest upon collection of arrears;

·        from credit intermediaries in order to prepare a loan proposal, or

• from persons related to you, pursuant to § 1, sections 4 and 5 of the Additional Provisions of the Credit Institutions Act, as well as in connection with item 93 of the EBA Guidelines on loan origination and monitoring;
• from borrowers when mortgage debtors do not conclude a loan agreement and their data is necessary for the preparation of mortgage agreements;
• from administrators of the Bank in connection with the declaration of a conflict of interest under Art. 51 of the Credit Institutions Act;
• from clients legal entities – in cases of payroll of the legal entity’s employees, payment of dividends to shareholders in the legal entity, etc.
• from clients of an insurance product, which have joined a Group policy, concluded between UBB and the insurance company – in cases of insurance of a third natural person by a client;
• from official public registers, which are responsible for keeping this information legally. 

 

The public data may be processed for the purposes listed by UBB in this document in order to verify the accuracy of the information in the Bank's database.

 

4.3 Location

 

In case you want to visit an office of UBB or you want to schedule a meeting with a UBB’s employee, your location data will be used to find the closest office of UBB or to arrange a meeting with a representative of the Bank. This data is only processed if you allow access to your location on your device (computer, mobile phone, tablet, etc.). In case you do not wish UBB to process data related to your location, please change the settings of your personal device.

 

4.4  Telephone calls

 

During the performance of its activity, UBB may record and listen to the conversations with you. Such actions are necessary to ensure security of the processes and also as evidence of the instructions given by you, in relation to training of staff, as well as to improve the quality of products and services. Recordings of phone conversations are stored as evidence of the customer instructions. Records include phone calls with the Contact Center or the Dealer's Office of the Markets and Investment Banking Directorate.

 

4.5  Video images from security cameras

 

UBB can use patrol reaction service and CCTV cameras inside and around the premises of the Bank, including cameras on its own cash machines (ATM devices). UBB fully complies with the legal requirements for installation and use of CCTV cameras. If there are CCTV cameras installed in an office of the Bank, you will be notified via a sticker located in a prominent place. Recordings of CCTV cameras inside and outside UBB offices (indicated with a sticker) are kept for one month or for a longer period when the case requires so or for a longer period when the case requires so. They may be stored for a longer period of time in the following cases:

-          the records will be used as proof of a specific relationship, a crime or a misdemeanor;

-          records will be used as evidence of damage or to identify a criminal, a public order offender, a witness, or a victim.

 

The recordings captured with cameras installed on ATM devices are stored for a period necessary for achieving security, prevention and fraud detection purposes.

 

4.6 Transaction details

 

UBB processes data for your transactions, including amount and reason for the payment, destination, data about the payer / beneficiary, etc. It is possible that the Bank transmits them to other Bulgarian and foreign financial institutions that execute payment or settlement instructions in order to effect the transaction.

The Bank may also process your data, including to provide it to other Bulgarian or foreign financial institutions (correspondent banks), to prevent or detect money laundering, financing of terrorism, frauds or other unlawful practices.

 

4.7 Data on minors/under-age persons or persons subject to full / partial guardianship

 

In case the Bank processes data on minors/under-age persons and persons subject to full / partial guardianship, such processing is made upon explicit written consent pursuant to the requirements of the Law of Persons and the Family, as follows:

-          for persons under 14 years (minors) – with a written consent of the adult exercising parental care (parent, adopter);

-          for persons between 14 and 18 years (under-age)  – with a written consent of the under-age person and confirmation of the person exercising parental care (parent, adopter).

-          for persons subject to full guardianship – with a written consent of the legal representative (guardian) of the person subject to full guardianship.

-          for persons subject to partial guardianship – with a written consent of the person subject to partial guardianship, and confirmation of his/her legal representative (custodian).

 

4.8 Data collected via the Bank’s corporate website

 

UBB processes data of its clients and visitors of the corporate website of the Bank www.ubb.bg and related pages, submitted through digital portals/feedback forms, as well as through forms related to alerts and inquiries, calculators and meeting requests.

 

According to the case, such data may include:

-          full name, personal ID number (depending on the needs of the feedback form, the field could be mandatory, alternative with an option to specify a client number instead, or optional);

-          video images – for the purposes of conducted video calls, as a recording of the video conversations is not stored;

-          telephone / address / e-mail address/ other contact details;

-          information about your capacity as a Client / person, which is not a client of UBB;

-          additional information provided at the discretion of the Data Subject (in the form of attached files / free fields / during a video conversation).

 

UBB hereby informs you that as a Data Subject you are responsible for the content and the admissibility of provision of additional information at your discretion. We advise you prior to providing information, which contains personal data of third parties, to inform them of your intention. Pursuant to the requirements of the Personal Data Protection Act, when the Data Subject provides the Bank with personal data without legal grounds or data in contradiction to the Regulation, within a one-month period from the moment of becoming aware of it, UBB returns it to the Data Subject, unless this proves impossible or involves a disproportionate effort, it erases or destroys them.

 

UBB processes the personal data received via the corporate website for the time required for the service and only for the purposes of the specific inquiry /alert/ request, and the video images – for the time of having a video meeting at the initiative of the client or the Bank, without storing a recording of the meeting. The data is submitted voluntarily by the Data Subject once it has been acquainted with the present Information and upon presence of the respective legal grounds it is processed by the Bank (e.g. video images are processed only upon the client’s consent)

 

4.9 Social media and third party websites

 

If you decide to access the official UBB social media page (e.g. Facebook, Instagram, LinkedIn), your profile there can also be shared with us. The scope of the personal information provided depends entirely on the privacy settings you set in your account in the relevant media. In these cases, we advise you to read the privacy statement of the social network provider in advance.

 

 

4.10 Data related to the use of the mobile application UBB Mobile (UBB Mobile App)

 

UBB Mobile and ‘Push’ notifications

“Push” notification is a message from the UBB Mobile application, which appears (“pops up”) on the screen of your mobile device, including when you have not signed in to the application. You could receive a ‘Push’ notification from us for our services, as a reminder to complete a product request through UBB Mobile, as information, etc. When you download or update the UBB Mobile application, you will be asked to give consent to the inclusion of location and notification services. You can choose to turn off these services for your mobile device at any time.

 KATE 

As an UBB client you can use the service "Personal Digital Assistant KATE", acessable in the UBB Mobile app. Currently, two versions of Kate are already available - standard (basic) and proactive (advanced) Kate. Each client can choose a version of the service according to his/her needs and preferences.

• By selecting the standard version of Kate (basic Kate), you can ask her questions related to your banking and/or insurance products/services. The questions you can ask Kate are predefined and described in detail in the General Terms and Conditions (GTC) for the usage of the service - Digital Personal Assistant (Kate).They can be set entirely on your own initiative via voice messages or via written chat messages. In the event that KATE is unable to assist you in any matter, you will be redirected to the Bank's Client Contact Center. KATE uses a limited amount of your personal data when responding to your inquiries or assisting you to improve your customer experience. They are processed entirely on the basis of a contract, after you have accepted the Bank's GTC for the use of the digital assistant and for the purposes of the specific service. If you do not ask questions to KATE, she will not process your personal data.
• By selecting the proactive version of Kate (advanced Kate), the customer will be able to benefit from the personalized assistance of a more advanced digital assistant. In addition to answering questions raised by the customer, entirely on her own initiative, Kate will send messages/notifications or offers to purchase products and services offered by the Bank or other KBC Group entities in Bulgaria. In order to be able to provide individualized assistance in accordance with your needs and requirements, Kate will carry out a detailed analysis and process a substantial amount of personal data, such as transaction data, information about UBB products and services used, as well as information about your customer profile. The personal data will be processed in full compliance with the requirements of the applicable legislation, when relevant legal grounds exist and depending on the type of functionalities for which the Digital Personal Assistant service is used, namely contract execution or explicit and unambiguous consent. A full description of the functionalities is available both in the General Terms and Conditions (GTC) for the usage of the service - Digital Personal Assistant (Kate) and in UBB Mobile application .The proactive version of Kate can be deactivated at any time, thus the client will be able to continue using the standard version of the Digital Personal Assistant. Disabling the service will not affect the use of the mobile app UBB Mobile.

Conversations with Kate, including voice message texts, are processed by the Bank in connection with service performance and customer service improvement. Once the specific purpose has been removed, in accordance with the requirements of applicable data protection legislation, the information exchanged in the conversations is deleted immediately.

 

4.11 Data collected through the use of cookies

 

When using the website information about your stay, behavior, searches, etc. might be collected through the so-called “cookies”. The amount of such information depends on the cookie settings you have chosen, and the data will be processed for the respective purposes for which you will be notified in the respective electronic channel. More information on the topic can be found in Information on the use of cookies on the UBB website, available at www.ubb.bg. When using electronic channels for UBB services and products like mobile banking, your personal data may be processed in order to improve your customer experience.

Personal data is generally processed by the employees of UBB. The processing of personal data may also be carried out by personal data processors with whom the Bank has signed a contract for this purpose and who perform activities forming part of the Bank’s services. Where there is a legitimate reason, personal data may be provided to other Controllers to use them for their legitimate purposes.

 

a. Personal Data Controllers to whom UBB may provide personal data:

-          BNB (Bulgarian National Bank)

-          CPDP (Commission for Personal Data Protection)

-          CCP (Commission for Consumer Protection)

-          CCR (Central Credit Register)

-          National Revenue Agency

-          National Social Security Institute

-          National Health Insurance Fund

-          Card and payment service and system operators like Borica AD, VISA, Mastercard, Bisera, Rings

-          external auditors, which have concluded agreements with UBB

-          Specialized Administrative Directorate "Financial Intelligence”, the State Agency for National Security, General Directorate Combating Organized Crime

-          Judicial bodies (courts, the Prosecutor's Office, National Investigation Service)

-          Supreme Judicial Council

-          Central Depository

-          Bulgarian Stock Exchange

-          Financial Supervision Commission

-          Ministry of Interior

-          Commission for Illegal Assets Forfeiture (CIAF)

-          Guarantee funds and financial institutions such as the European Investment Fund, the National Guarantee Fund, the European Bank for Reconstruction and Development, the European Investment Bank, the European Court of Auditors, the European Commission and other bodies of the European Union with audit and control functions, Fund Manager of Financial Instruments in Bulgaria (FMFIB).

-          Assignees with whom the Bank concludes contracts

-          Couriers and postal operators

-          Mobile operators

-          External lawyers and law firms, which have concluded agreements with UBB, public/private enforcement officers;

-          Other companies within KBC Group, in their capacity as personal data controllers.

-          Commercial companies with which the Bank has concluded contracts for opening of an account of employees/agents for payment of labour and other remuneration (payroll) - in these cases the Bank provides data for the full name and number of the bank account opened in the name of the employee/agent.

-Bulgarian and foreign banks and other financial institutions

-          Eurotrust Technologies AD as a provider of electronic certification services

-          Bulgarian Export Insurance Agency (BAEZ) EAD, including the sole owner of the capital of BAEZ EAD, who is the Minister of Economy

-          Other recipients of data whose activity is legally regulated.

 

In the event of changes to the list of personal data controllers to whom personal data is provided, UBB will update this document.

 

b. Personal data processors are:

 

Individuals or legal entities, public authorities, agencies or any other body which processes personal data on behalf of the controller.

 

As part of the KBC Group, UBB may assign certain data processing operations to other processors in the Group. Some of these data processing activities, commissioned by UBB, are related to controlling and support functions such as:

-          financial reporting

-          compliance

-          risk

-          marketing

-          ICT management

-          internal audit

-          a research team that develops models for improvement of services and products.

 

UBB may directly or indirectly use other data processors with whom it has signed a contract, such as:

 

-          persons, who are assigned to draw up, put together and deliver information forms to the Bank;

-          persons assisting the bank in relation to servicing and debt collection; 

-          persons to whom the Controller has assigned the processing of personal data for organizational reasons;

-          suppliers of products and services for the Bank;

-          companies, providing information and communication technologies for facilitating the work of the operational systems and services;

-          companies, providing maintenance of the Bank’s operational systems and/or providing access to registers, maintained by primary controllers via the environment for inter-registry exchange Regix, SMS providers other than the mobile operators;

-          companies, providing information and communication technologies in order to facilitate the work of the operation systems and services;

-          companies, providing maintenance of the Bank’s operating systems;

-          SMS providers, other than the mobile operators;

-          Agencies for market research / for organizing games and raffles;

-          companies, which, assigned by the Bank, on its behalf and at its expense make commercial offers via technical means of communication -  as long as there are legal grounds for such offering;

-          companies specializing in archiving digital information and access;

-          companies from the KBC Group, in or outside the European Economic Area (EEA) for outsourcing activities by the Bank (in cases of outsourcing (a part) of the activity) in compliance with the requirements of the applicable legislation.

 

c. Recipients outside the European Economic Area (EEA)

 

It is possible that some of the above listed recipients may be established outside the European Economic Area. The Bank may transfer personal data to recipients from countries that are not part of the European Economic Area (third countries), provided that an adequate level of personal data protection is ensured in accordance with the local and European laws. Your personal data may be provided to third countries outside the EEA, which are not treated as countries with an adequate level of personal data protection, provided that the agreements concluded between the countries for processing and transfer of personal data include standard contractual clauses approved by the European Commission, and after a detailed assessment of the impact of the transfer on the rights of the personal data subject is carried out. UBB will take all the necessary measures to protect your personal data if its processing requires their transfer to third parties in or outside the European Economic Area.

Personal Data, collected by the Bank in its capacity of Personal Data Controller, may be processed for different purposes on different lawful basis, as follows:

 

1.1.      Purposes, where personal data processing is based on legal obligations:

 

a. Client identification and authentication of personal data pursuant to the Law on the Measures against Money Laundering and the Rules on the Implementation thereof.

 

b. Client profiling by the Bank based on risk assessment – Client profiling is made by the Bank pursuant to the Law on the Measures against Money Laundering and the Rules on the Implementation thereof (based on the said legal acts, the Bank performs client and transaction approval and monitoring according to the risk profile).

 

c. Controlling data in order to prevent money laundering, embargo and anti-terrorism actions – The processing of your data is related to measures and actions taken by the Bank to prevent, detect, investigate and report suspicious transactions to the Financial Intelligence Agency under The Law on Measures Against Financing of Terrorism, the Money Laundering Measures Act and its Implementing Regulations. 

 

d. Client profiling with the purpose to provide services, connected with financial instruments (stocks, bonds, derivatives, shareholdings, etc.) – The Bank performs client profiling, based on a questionnaire for creating a risk profile with the purpose of providing investment services in compliance with the requirements of the Financial Instrument Markets Act and Ordinance No. 38 of Financial Supervision Commission on the requirements to the investment mediators' activity. 

 

e. Exercising control with the purpose of preventing the cases of non-compliance with the Financial Instrument Markets Act and Ordinance No. 38 of Financial Supervision Commission on the requirements to the investment mediators' activity – the control includes all actions for preventing, detecting, investigating and further implementing the necessary measures to deal with non-compliance cases, connected with the Financial Instrument Markets Act and Ordinance No. 38 of Financial Supervision Commission on the requirements to the investment mediators' activity. These activities could be based on clients’ profiles, created during the provision of investment services pursuant to the Financial Instrument Markets Act and Ordinance No. 38 on the requirements to the investment mediators' activity.

 

f. Exercising control with the purpose of preventing and disclosing market abuse. The Bank processes your data in order to take action to prevent, detect, investigate and further implement the necessary measures while investigating cases of suspected market abuse under the Market Abuse of Financial Instruments Act.

 

g. Reporting to government and control bodies – taxes, requirements of the Foreign Account Tax Compliance Act (FATCA) and amendments to the Tax and Social Insurance Procedural Code (TSIPC) relating to the automatic exchange of financial information in the field of taxation (CRS = Common Reporting Standard). In relation to these requirements, your collected personal data will be processed for accounting and tax purposes in compliance with the reporting requirements to the competent authorities on the grounds of legal obligations. It is possible the preparation of the mandatory reports to the BNB regulator to be assigned to a third party- processor, with which the Bank concludes a written agreement in line with the requirements of the Regulation. In the agreement with such a third party, it is mandatorily provisioned that upon hiring of a subcontractor, which is located outside the EEA, the Bank shall be notified in advance and such reassignment shall be carried out only upon the explicit written consent of the Bank on a case-by-case basis, as well as after ensuring that the respective technical and organizational measures related to security and protection of the personal data processed for the specific purpose.

 

h. Exercising control in order to mitigate security incidents and operational risks in relation to the payment services provided by the Bank pursuant to the Payment Services and Payment Systems Act (PSPSA) – the Bank processes your personal data, including IP address, in order to undertake measures for prevention, disclosure and further application of the necessary measures and mechanisms to monitor and control cases of suspected incidents, suspected unauthorized payment transactions and/or fraudulent operations as per the Payment Services and Payment Systems Act (PSPSA).

 

i. Assessment/monitoring of your creditworthiness/solvency – Assessment/monitoring of your creditworthiness/solvency – in case you apply for a loan in your capacity as a Borrower - an individual, or if you are a representative/owner of/partner in a Borrower - a legal entity or a co-debtor/owner of a collateral under a loan, the Bank is obliged to assess your creditworthiness and provide you with a loan that is consistent with your ability to fulfill your obligations under the loan agreement. In order for your creditworthiness assessment to be correct, the Bank will consult the databases of the National Social Security Institute, the Central Credit Register, the Unified System for Civil Registration and Administrative Service of Population, the National Revenue Agency, including a check via the environment for inter-registry exchange RegiX. In the course of fulfilling your credit obligation, the Bank should monitor regularly your ability to repay the debt /your solvency/.

j. Facilitating the administrative servicing and the process of applying for a loan with the Bank by electronically issuing references on availability or lack of liabilities – by virtue of Art. 87, Para 11 of the Tax Insurance Procedure Code and in relation to minimizing the administrative burden on the clients, the Bank shall have the right to require and receive ex officio as an electronic file from the National Revenue Agency (NRA), the Customs Agency and the municipalities, information about availability or lack of liabilities of its Borrowers/co-debtors, including representatives of owners of/partners in Borrowers - legal entities, co-debtors/owners of a collateral under a loan, except for liabilities under regulations which have not entered into force, as well as re-scheduled, deferred or secured liabilities. Reference about the existence or lack of liabilities from the NRA can be received as an electronic file also via the environment for inter-registry exchange (RegiX).

 

The competent authorities and other persons indicated in the relevant law which have joined the environment for inter-registry exchange require and receive such information through it.

 

1.2.      Purposes for which the processing of your personal data is performed on the basis of performance of a contract

 

a. Drawing up contracts at your request - to enter into a contract with you, as a customer using any bank product (account, deposit, credit, bank card) or as a co-contractor under a service contract, the Bank must have your specific personal data (e.g. name, date of birth, PIN, ID card number) as well as your contact details. It is possible that the Bank would require additional information, depending on the type of the services that are subject of the contract. 

 

b. Drawing up mortgage contracts (legal or contractual mortgage) – to draw up a notary deed for a contractual mortgage securing your loan or a legal mortgage application, the bank must have both your personal data and the data of your mortgagees (such as names, PIN, ID card number, address). It is possible that the Bank would require additional information, depending on the necessity to draw up the document.

 

c. Bank product/service simulation sale – in order to sign a contract suitable for the client and to provide services pertinent to the client's needs, the bank needs to have some specific personal information about the client. For this purpose, based on the specific personal data provided by you, the Bank simulates the sales of a certain product/service, in order to offer particular price and conditions for its purchase, after which the client/borrower would be able to make comparison and to select the most suitable offer (non-binding offer, serving to assess your personal ability to purchase certain products).

 

d. Product/service usage – UBB processes the personal data of clients through its various channels with the purpose of ensuring the usage of the Bank products and services purchased by the clients (e.g. processes data for a payment transaction in order to carry out a money transfer ordered by you as a client).

 

e. Enforcing the rights of the Bank under a loan agreement – UBB processes your personal data on the basis of the loan agreement signed with you in order to exercise its rights as a creditor and to collect its loan receivables. UBB processes the personal data of the co-debtors in order to make contact with them in exercising its rights as a creditor in the event that it cannot exercise such rights against the borrower.

 

f. Sale of DZI insurance products/pension funds of UBB Pension Insurance company – for the cases in which the Bank acts in its capacity as a policy holder under a group policy, concluded between the Bank and DZI. In those cases the Bank, by reaching an individual agreement with a client (insured person), includes the latter to the Group policy. Together with the client, third insured persons, which the client wishes to insure, may be included to the policy. As a result the personal data needed to join the group policy, may be provided personally by the Data Subject or by third persons, which conclude the insurance for them. Upon indirect provision of third persons’ data, the Bank performs the respective impact assessment and risk assessment for the security of the processed personal data. By selling Universal, Professional and Supplementary voluntary Pension fund of UBB Pension insurance company UBB will process identification data and contact details of the pensioners. The activity for selling pension funds is legally regulated and personal data, which is processed by the Bank is provided directly by the data subjects, who buy the products.

 

1.3.      Purpose for which the processing of personal data is made on the basis of a customer's consent:

 

a. The Bank to exchange your personal data with other KBC companies in Bulgaria and to receive your personal data from the database of the Central Credit Register (CCR) at the National Bank of Bulgaria and the National Social Security Institute (NSSI) in order to create a precise client profile and to offer you personalized banking, insurance and investment products and services

 

Pursuant to Article 4, item 4 (Definitions) of the General Data Protection Regulation, “PROFILING" means any form of automated processing of personal data consisting of the use of personal data to evaluate and/or analyze certain personal aspects relating to a natural person, in particular aspects concerning that the data subject's health, personal preferences, reliability, behavior, location, performance at work, economic situation. Profiling and processing of personal data for this purpose gives information about the needs and capabilities of the particular client. It may result in your inclusion in the promotion sales list of a specific product. In order for this specific analytical approach to be applied to you, your consent is necessary.

               

In case you have given us your consent at an office of the Bank or via UBB Mobile, UBB will process all your extended data for the above-mentioned purpose.  Detailed information on the extended personal data can be found on pages 4-5 of this document.

 

b. The Bank to provide access to your bank accounts in other bank institutions on the territory of the Republic of Bulgaria, with which UBB has an agreement about this ("Access to my accounts with other banks" service) – based on your explicit written consent UBB will provide you with possibility to access your accounts with other Bulgarian banks via a single online-based platform, accessed through a personalized username and password of your choice.  

 

c. UBB provides your personal data as legal representative/proxy/co-debtor/beneficial owner of the capital of the legal entity – borrower to Bulgarian Agency for export insurance (BAEZ), including to the Ministry of economy in its capacity of sole owner of the capital of BAEZ  - based on your explicit consent for the purpose of conclusion of contract for insurance of a loan and approval of insurance coverage.

 

1.4.      Purposes for which the processing of personal data is based on safeguarding the legitimate interests of the controller:

 

a. Building analytical models – UBB will build analytical models to support the development of its client services and to evaluate the services offered. The collected data of all clients or of a large group of clients are grouped under a specific attribute in order to build models/to find dependencies/ratios/algorithms without affecting the interests of the individual client and without taking action with respect to him (e.g. creating the credit rating of the client). For the creation of such models, UBB uses "pseudonymized" personal data, i.e. data that is masked in such a way that it cannot lead to the identification of a particular client without additional information being required.

 

b. Historical, statistical or scientific purposes - UBB has a legitimate interest in processing your personal data for the purposes of compiling statistical surveys and reports, conducting research and development, conducting historical reviews and forecasts for the development of economic, financial industry, etc. For these purposes aggregated data derived from the records of specific personal data of the clients are used.

 

c. Sending product and service messages – The Bank processes your personal data in order to send messages for the products and services used by you through calls, emails, sms, letters, etc. The messages pertain only to the products and services already used by you; they do not pursue marketing goals, nor do they contain new service offers.

 

d. Litigations – Establishment, exercise and defense of UBB's rights – UBB will process the data of its clients/ their heirs/ persons related to clients in order to protect its rights in court/litigation/arbitration procedures, when settling claims with the help of hired solicitors/lawyers, consultants etc. This pertains to situations where your personal data is processed in connection with the administration of information related to litigations, judicial warrants, petitions and court decisions.

 

e. Testing software application changes, demo platforms and internal portals for training – the Bank will use your personal data to test, create or update software applications to be used with the Bank’s operation systems, for:

-          testing the software code changes of applications in different testing/acceptance environments (e.g. perfecting the distribution channels or ensuring safer protection of the collected personal data).

-          testing software applications in a protected environment. In this case it is possible the testing to be assigned to an external provider, with whom the Bank has concluded an agreement. The agreement explicitly governs the rights and obligations of the parties, including the respective technical and organizational measures for security and protection of the personal data processed for the specific purpose.

-          incident resolving – replaying incidents

-          demo platforms

-          employee training

 

f. Internal reporting, analysis and development of the offered products and services – UBB uses personal data of its clients in order to improve its market position by offering new or better services and innovative products and optimizing the internal banking processes. It is possible the preparation of reports, used for analysis of the Bank’s market positions, to be assigned to a third party – processor, with whom the Bank concludes a written agreement in line with the requirements of the Regulation. The agreement with such a party explicitly stipulates that upon hiring of a subcontractor, which is located outside the EEA, the Bank shall be notified in advance and such reassignment shall be carried out only upon the explicit consent of the Bank on a case-by-case basis, as well as after envisaging the respective technical and organizational measures related to security and protection of the personal data processed for the specific purpose.

 

g. Fraud prevention – UBB will process its clients’ personal data in order to protect itself against fraud or criminal actions on their part. UBB has the right not to service clients with a high risk profile, who expose its image to a risk.  Based on certain facts (e.g. a false ID card, certain client behavior) the Bank may assess the potential fraud risk. Certain indicators of the respective client profile, as well as any other information (like a stolen ID card, the choice of a country for e-banking) could serve as a basis for this assessment to indicate potential fraud. The measures for preventing and uncovering fraud are taken in the context of compliance to the internal security procedure rules, control, ensuring reliable information security, stored both physically and digitally, as well as in online banking (incl. computer “cyber” crime). For the purposes of prevention and investigation of frauds, committed upon cash operations with means of payment at own cash machines (ATMs), UBB processes information, posing images from cameras on ATM devices.

 

h. Client relationship management – UBB will process your personal data in order to offer an individual approach based on the submitted information and the client profile created. Customer personal data stored in different databases could be grouped under a specific attribute and processed through the various channels (direct channels, contact centers, bank offices and branches) at the Bank, with the aim of the grouping being to facilitate and refine these channels for accessing information.

 

i. Credit and insurance Risk profiling – UBB will use your personal data for building credit and insurance risk profiles in order to mitigate the risk when offering credit/insurance products and services to clients.

 

j. Direct marketing of standard UBB products and services - Offering products and services provided by the Bank, as well as participation in surveys on products and services offered, through any of the channels, including bank offices, the contact center, email, SMS, phone, online channels. The Bank will offer you products and services and will only include you in surveys if you are a customer and, therefore, you can reasonably expect that it will process your personal data in order to offer you new and better products and services, similar or related to the ones you use. For these cases, the Bank will only use your Basic Data under 4.1. A herein above.

 

k. Data transfer with companies within KBC Group in relation to activities, outsourced by UBB to another entity within the Group (outsourcing activity) – for the purposes of preparation of mandatory financial reports as per the Accountancy Act and the applicable national and European legislation.

 

l. Storage of data in the Bank’s archival systems – there is justified legitimate interest for UBB to store archival data in the Bank’s systems, which is decommissioned and used for reference purposes in the context of non-terminated relations with clients.

 

m. Assistance in establishing and preventing fraud in the credit process for SMEs and the Corporate and Retail segment – in order to prevent financial losses and retain its financial, operational and reputation image, UBB needs to ensure a secure and transparent credit process. Therefore, it is essential for the Bank to prevent any fraudulent activity whatsoever by establishing effective fraud risk management in the credit process. To ensure the above-mentioned interests, UBB processes a certain set of information, including personal data of clients (natural persons) and natural persons – partners / representatives in clients – legal entities, which data is collected and processes with the ultimate purpose to support the successful prevention and avoidance of abuse and fraud.

 

n. Risk assessment upon problem loans’ collection – UBB has legitimate interest to process personal data of clients / employees in the process of exercising control, management and collection of risk (problematic) exposures and related problem loans. The purpose of the activities pursuant to the requirements of the Bulgarian legislation, is maximum collection of the Bank’s receivables within shortest terms possible, with the least possible expenses.

 

o. Calculation and preparation of a report for the stable bank-insurance clients of UBB AD and DZI AD - as part of the group strategy for providing an unique customer experience, the two companies, acting as joint data controllers, join hands, combining efforts and information resources, to analyze what part of their common customers prefer to use a set of products of the bank and the insurer. The purpose of this information is to focus efforts on offering comprehensive services and several products to cover different customer needs. To achieve this goal, a minimum set of data on the used products is used, and the final result of the analysis does not imply marketing messages and does not affect customer relationships. Companies shall provide and guarantee to data subjects whose information falls within the scope of processing for this purpose an unimpeded opportunity to exercise their rights as data subjects through any of them.

 

p. Participation in promotional campaigns, games and raffles, organized by the Bank independently or in partnership with third parties (e.g. Visa, Mastercard, etc.) - UBB may process data of its clients for the purposes of including the latter in lists participants in games with non-cash awards.  As a general rule, clients are included in such initiatives upon fulfillment of the criteria set forth in the General Terms (GT) for the respective promotional campaign, where the respective GT specify the procedure for submitting an objection against inclusion in the campaign and/or for participation in the raffle for selection of winners.

 

q. Integration between UBB AD and KBC Bank Bulgaria EAD - the integration of UBB AD and KBC Bank Bulgaria EAD is a long-term process requiring a serious preparation prior to the legal merger of the two banks and will continue after it as well. For the purposes of the integration, the two companies can exchange information about their clients, counterparties, etc. in order to ensure the smooth, problem-free, fast and high-quality servicing of the relations with the two banks’ clients/partners, including the alignment of the approach and of the products and services which the united bank will offer. After the legal merger has been finalized and the legally stipulated period for separate management has expired, UBB AD and KBC Bank Bulgaria EAD will unite into one bank. . As a result, KBC Bank Bulgaria EAD will cease to exist as a separate company and all data of its clients/partners will be transferred to UBB AD. UBB AD, in its capacity as a universal successor of KBC Bank Bulgaria EAD, shall bear full responsibility and shall act with the due care about that information as a standalone personal data controller. Processing the personal data of clients/counterparties in relation to the integration activities aims to prevent double servicing as well as to avoid the offering of any contradictory processes and products by the two banks. Performing this process in a way which is convenient for the clients and counterparties requires that data is exchanged for the specified purpose, while acting with the due care and complying with all general data privacy requirements.

 

***

The processing for these purposes is necessary for the protection of the legitimate interest of UBB as personal data controller, given that these interests are related to the bank's main operations as a bank. UBB has conducted tests to determine the balance between its legitimate interests in processing your personal data for each of the purposes described in Section 6.4., and your interests and fundamental rights and freedoms as data subjects, and it has concluded that its legitimate interests as data controller do not violate your interests, fundamental rights and freedoms. 

The retention period of your data depends on the legal basis and purpose for its processing.

 

Most often, this period is ten years as of the end of the respective legal relationship.

 

The retention period may be longer when it is necessary for us to exercise our rights in accordance with the requirements of the law. When there is no legally specified period, this period may be shorter.

 

UBB uses your personal data as long as there is a clear purpose for processing of your data.

 

After the expiration of the retention period, UBB does not process personal data, but aggregated information, without a direct connection with a specific data subject.

 

When the purpose no longer exists, the Bank does not store personal data (i.e. it deletes or anonymizes your data).

 

Personal data of potential customers are processed by UBB for a period of two years, unless in the meantime they have become customers. Potential customers can always request that their data be deleted in case the Bank has no purpose and legal ground for this processing.