Notice regarding the processing and protection of personal data for the provision of the Internet and Mobile Banking service by Banca Transilvania (“NeoBT Privacy Policy”)
Version applicable from January 21, 2025
General Provisions
Banca Transilvania SA – (hereinafter referred to as “BT”) provides its customers with the NeoBT Internet and Mobile Banking service (hereinafter referred to as “NeoBT”).
Through this specific privacy notice, Neo BT users (hereinafter also referred to as "data subjects") are informed about the personal data that will be processed by BT for various purposes related to accessing/using NeoBT, about the legal grounds on which such data are processed, about the recipients of the data (whom we disclose the data to), the data retention period (how long we keep the data) and about the rights of the data subjects.
This policy is supplemented by the provisions of the General Privacy Notice on the Processing and Protection of Personal Data Belonging to BT Customers, which is an integral part of BT’s Privacy Policy, available on BT’s website www.bancatransilvania.ro, including in the Privacy Hub section.
BT may revise the NeoBT Privacy Policy from time to time. Data subjects shall be notified of such changes via NeoBT secure messaging.
1. What Data Do We Collect for the Identification/Authentication of NeoBT Users?
In order for you to use Neo BT, according to the provisions applicable in the field of payment services and because we have the legitimate interest to prevent fraud, we need to verify your identity and identify you as an authorized user of this service. This identification is made based on the NeoBT login ID (hereinafter referred to as the “user ID”) and a password. The password required for the first login is the one sent via SMS to the phone number you declared to the bank. We shall send unique codes (SMS-OTP, one-time password) to this phone number for each login, as well as for some transactions, along with messages about the transaction.
If you use the mobile version of NeoBT and log into the app with biometric data (e.g. fingerprint, face-ID), please note that BT does not have access to this information, which is stored in the device you are using. BT is only informed whether or not the authentication method has been validated by the device you are using.
2. What Data Do We Collect for the Security of NeoBT?
In order to protect your login data and other information available in NeoBT, it is necessary for us to also process information about your geographical location and the devices with which you access NeoBT (where applicable, the model, operating system and its version, RAM, total bandwidth, type of connection used - Wi-Fi or mobile data, including the operator from which you use mobile data, device identifier, such as device ID or IMEI, depending on the device's operating system and its version, including the history of devices used, i.e. the date of addition/deletion in NeoBT). We process this data both because the legislation in the field of payment services obliges us to establish monitoring mechanisms that allow us to identify unauthorized or fraudulent payment operations, and because we have a legitimate interest in preventing fraud.
To prevent fraud, in accordance with the legal obligation and our legitimate interest, we check whether there is malware on the device with which you connect, including applications such as those that allow remote connection. If you perform operations while using the application, we also check whether the device is being used or has recently been used for calls, without finding out details about the numbers/people involved in those calls.
If such applications are identified, an alert is sent to the bank and, depending on the situation, the transaction will be processed or you will be contacted to establish the conditions for its processing.
If you refuse the processing of the above data, you will not be able to use NeoBT.
Optionally, you will also be able to upload a profile picture to NeoBT. If you choose to upload it, we will process the image for additional protection of your data in NeoBT.
3. What Data Do We Process in the Use of NeoBT?
To provide you with the NeoBT service that you contracted from BT, and given our legitimate interest or, as the case may be, the consent of the users to send them messages related to this service, we use:
3.1 Data Related to Accounts, Cards and Transactions
When you use different functionalities of NeoBT, we shall process data related to: name, banking accounts (of the customer who contracted NeoBT and of the payment beneficiaries), the cards attached to the accounts opened with BT, transactions ordered via the accounts (payments/collections), as well as information classified as personal data of the customer who has contracted NeoBT, of the NeoBT user who uses this service and/or of other persons (such as payment beneficiaries, persons whose data you enter in the NeoBT fields for specific payments, e.g. prepay card charging, payments of road tax vignettes and utilities), data entered in the fields dedicated to transaction descriptions, in the ones used to add predefined beneficiaries, in the messages sent via the secured messaging of NeoBT.
To provide the Beneficiary Name Display Service (BNDS) for the purpose of fraud prevention in the case of interbank payments initiated from payment/internet banking applications, your personal data are processed as detailed in the Privacy Notice on the Processing of Personal Data within the Beneficiary Name Display Service (BNDS) which you can find at the following address: https://en.bancatransilvania.ro/nota-de-informare-sanb.
For the prevention of fraud in the case of intrabank payments initiated from its own payment/internet banking applications, BT processes - as an independent controller - the same categories of personal data that are also used within the BNDS, but without the involvement of other participating banks and without the involvement of Transfond. The grounds for the processing of your data are BT's legitimate interest to prevent fraud in the case of intra-bank (BT-BT) payments. Your full first name (one or more, as appropriate) and the initial of your surname registered with BT shall be displayed to other BT customers who initiate a payment to your BT account from one of the bank’s applications, whether or not the payment is completed.
If you use the open banking functionality, BT shall also have access to the following information which is, where applicable, personal data belonging to you or to other persons to/from whom you have transferred/received amounts through the accounts with the financial institutions where the accounts you are integrating into Neo BT are opened: balance of the selected non-BT accounts, IBANs of these accounts, transaction history of the selected payment accounts, including the following details: transaction date, transaction amount, transaction details (transaction details and transaction authorization code, person from whom amounts have been collected on that account or person to whom amounts have been transferred from that account, respectively).
3.2 Contact details
If you use the SMS-OTP login method, we shall use your phone number to send you messages about the transactions initiated via NeoBT, including codes based on which you will approve the transactions (if applicable).
We may use your phone number or email address to inform you/request additional information about the transactions you initiate from NeoBT or to prevent fraud attempts (e.g. phishing).
We shall also use the inbox of the secured messaging service to send you different informative messages regarding BT and/or the bank’s products and services (e.g. messages about the amendment of the general terms and conditions, of privacy policies, working hours of the bank’s units or possible malfunctions of the bank’s systems, non-banking working days, etc.) or advertising messages, if you have consented to this via the dedicated form (e.g. via NEO Radar).
If you submit different requests via NeoBT, such as requests for the issue of a card or debt instrument, or if you contract certain BT services available via NeoBT (e.g. SMS Alert, deposits, Mobile Banking, card-free cash withdrawals, etc.) we shall use your phone number in order to inform you when the services are activated, or, as applicable, when the products arrive in the BT unit you have selected to pick them up from.
For the transmission of documents such as bank statements, proofs of payment, CIP queries or vignettes, we shall process the e-mail address entered in the dedicated field. The e-mail address may be your own or that of a third party. BT shall not be held liable if you provide incorrect addresses, which may lead to the disclosure of the data contained in such documents to unauthorized persons, nor for the case where the persons to whom you have chosen to send these documents are disturbed by the receipt of the message (they consider they should not have received it).
3.3 Photo Camera or Geolocation
If you wish to use functionalities of the mobile NeoBT version, which require access to the device camera (e.g. barcode scan for invoice payments) or to the geolocation (e.g. to display the nearest BT ATMs or BT units), you shall be asked whether you want to allow such access or not. If you decline the access you shall not be able to use that functionality.
3.4 Use of Cookies in NeoBT
NeoBT uses cookies as detailed in the NeoBT Cookie Policy. Cookies strictly necessary for the operation of NeoBT can be placed on the user’s device without their consent. Other types of cookies shall only be placed if/when the user has given his/her consent.
3.5 Recording and Viewing Choices about the Processing of Personal Data for Marketing Purposes
In Neo BT you can express your choices about the processing of your personal data for marketing purposes (consent or refusal, as appropriate), and view the marketing choices you have previously made with BT regarding the processing of your data for this purpose. Details about such processing are available in section C(12) of BT’s Privacy Policy.
4. To Whom May We Disclose the Data Resulting from the Use of NeoBT?
- other Customers who have the right and the need to know them
a. Neo BT users (all NeoBT users are BT customers)
If you have granted NeoBT user rights to other people for all or some of the BT accounts, we shall disclose to them - within Neo BT - the banking data (accounts, transactions, account and transaction identifiers, etc.) related to the accounts for which you have granted them NeoBT user rights.
b. BT customers to whom you order payments from NeoBT
When you order transactions via NeoBT to the accounts of other BT customers, the related data (usually the first and last name, the amount, IBAN of the BT account, payment description) shall be accessible to the beneficiaries of the payment that you have ordered.
- contractual partners (service providers) used in BT's business
NeoBT allows for the purchase of certain goods and services from the bank’s contractual partners. If you use these functionalities, the data required for the purchase/activation of these services are disclosed to these partners who are also BT customers.
Likewise, your data processed in NeoBT can be accessed, on a need-to-know basis and only subject to adequate personal data protection safeguards, by the Bank’s contractual partners that assist us in the provision of the Internet/Mobile Banking service.
The list of recipients above is supplemented by the one in the General Privacy Notice On the Processing and Protection of Personal Data Belonging to BT Customers, section VIII.
5. How Long Do We Keep the Data Processed in the Accessing/Use of the NeoBT Service?
Your data, in your capacity of BT client, as well as the data regarding the operations carried out on the accounts (including via NeoBT) are subject to the retention periods laid down in the applicable regulations, imposing a retention period of at least 5 years as of the termination of the business relationship with the Bank/your capacity of BT customer, unless longer legal retention periods are set, which can extend up to 10 years as of the termination of the business relationship/capacity of BT customer.
6. How Do We Protect Personal Data in NeoBT?
Banca Transilvania takes all the appropriate technical and organizational measures to protect the personal data in NeoBT. Despite these precautions, the Bank cannot guarantee that unauthorized persons shall not gain access to your personal data via the devices you use to access NeoBT, if such devices are not protected or are improperly protected, or if you knowingly or negligently provide your login or other banking data to unauthorized persons. You are solely responsible for the confidentiality and safety of the device that you use to access NeoBT (phone, PC, etc.) and particularly of the login ID and/or login passwords (password, fingerprint or other security method provided by the device).
7. What are the Rights of the Data Subjects?
In accordance with the provisions of the General Data Protection Regulation (“GDPR”), in your capacity of data subject accessing/using NeoBT, you are guaranteed the following rights: the right to be informed (we fulfill our obligation to inform you through this privacy notice), the right of access to data, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, the right to withdraw your consent, and the right to address the National Supervisory Authority for the Processing of Personal Data (ANSPDCP) and the court authorities. Details about these rights and the ways in which you can exercise them are provided in the General Privacy Notice On the Processing and Protection of Personal Data Belonging to BT Customers.