Information note for candidates and employees

1. IDENTITY OF THE OPERATOR
BC “Moldindconbank” S.A., hereinafter referred to as the “Bank,” IDNO – 1002600028096, licensed by the National Bank of Moldova (NBM), series A MMII No. 004507 dated March 7, 2018, with its registered office at: Chisinau, 38 Armeneasca Street, MD-2012.

2. APLICABLE LEGAL FRAMEWORK

2.1. By processing personal data, the Bank acts in compliance with the legal framework:
a) Law No. 133/2011 on personal data protection;
b) Law No.202/2017 on the activity of banks;
c) Law No. 308/2017 on the prevention and combating of money laundering and terrorist financing;
d) Regulation of the NBM No. 322 of 20.12.2018 on banking activity management framework;
e) Labor Code approved by the Law No. 154/2003;
f) Law No. 1069/2000 on informatics;
g) Law No. 71/2007 on registers;
h) Law No. 186/2008 on occupational safety and health;
i) Government Decision No. 1079/2023 on mandatory preventive medical examinations of workers;
j) Other applicable legislative acts.
2.2. Additionally, in the processing of personal data, the Bank shall be guided by its internal regulatory documents.

3. PURPOSE AND LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
3.1. The Bank may process the personal data of the subjects referred to in this Information note on the basis of the following grounds:
A) Purpose:
1) recruitment of candidates;
2) conclusion and performance of the individual employment or service agreement at the request of the personal data subject;
3) assessment of the person’s skills and experience in order to determine compatibility with a particular position;
4) verification of job candidates to assess specific risks and compatibility with the status of the Bank’s employee, for the purpose of meeting the Bank’s security requirements and contributing to the creation of a qualified and trustworthy team;
5) compliance with legal obligations provided for by the applicable legislation (tax, labor, occupational safety and health, social security, health insurance, etc.) and for the purpose of calculating and granting annual or additional leave days, calculating and granting personal allowances, carrying out salary payments and other payments related to employment relationships, etc..;
6) protection of assets, ensuring data security, ensuring the safety of employees at the workplace; granting access permits to the workplace, equipment, and IT systems (logging of access);
7) creating summaries regarding employee management issues, building corporate culture, providing opportunities for skills development and continuous training, and promoting the positive growth of the organization’s internal work culture;
8) resolution of disputes;
9 prevention and investigation of fraud and abuse in the context of internal service investigations (disciplinary inquiries), fulfillment of contractual obligations and/or protection of legitimate interests of the Bank or third parties;
10) application of anti-fraud measures;
11) prevention, elimination, documentation, administration, and monitoring/control of conflicts of interest or potential conflicts of interest, including within the processes of managing risks related to conflicts of interest;
12) promotion of the Bank’s image and services during events organized by the Bank or its contractual partners, as well as those illustrating the process of customer service and service provision by the Bank;
13) organization of employee motivation campaigns and award programs, including the subsequent media coverage of award events;
14) internal communication.

B) Legal basis:
1) consent of the personal data subject (art. 5 para. (1) of the Law No. 133/20111).
2) conclusion or execution of an employment/service agreement (art. 5 para. (5) letter a) of the Law No. 133/2011).
This legal basis will apply primarily to the recruitment process, and in the event that an employment agreement is concluded with the individual, it will also be used for fulfilling the obligations undertaken as well as those arising from labor legislation.
3) fulfillment of legal obligations (art. 5 para. (5) letter b) of the Law No. 133/2011). The Bank will process personal data in order to fulfill its legal obligations, including those provided by the Law No. 308/2017 on the prevention and combating of money laundering and terrorist financing, by the regulations of the National Bank of Moldova, as well as by other national regulations, such as (but not limited to):
– submitting reports and information to the State Tax Service, the National Health Insurance Company, the National Social Insurance House, and the National Bureau of Statistics of the Republic of Moldova;
– providing data to control authorities or investigative bodies;
– carrying out processes for identifying and preventing conflicts of interest, eliminating them, or, if this is not possible, documenting, managing, and monitoring them after detection, as well as within the processes of managing risks related to conflicts of interest.
4) fulfillment of a legitimate interest of the Bank (art. 5 para. (5) letter e) of the Law No. 133/2011). This legal basis will apply when personal data is necessary to ensure the fulfillment of other rights and responsibilities arising from relationships established during the recruitment process or from employment relationships, for example, potential disputes.

4. PERSONAL DATA SUBJECTS
4.1. The Bank processes the personal data of subjects as follows:
a) The Bank’s employees and potential employees who have applied for employment;
b) Persons carrying out internships, including volunteers and apprentices.

5. PROCESSED PERSONAL DATA
5.1. The Bank collects personal data from you as part of the recruitment process. Personal data may be provided directly by a candidate or through a third party, for example, a recruitment agency or another employee of the Bank, depending on the specifics of the recruitment processes.
5.2. The information processed by the Bank includes standard details about your education, your professional background, other information regarding your professional activity, and any other information provided through your CV, recommendation letter, or any other recruitment forms that you are asked to complete as part of this process.
5.3. Please do not send information that is irrelevant to the recruitment process, or any information that falls under the special categories of personal data, such as data revealing a person’s racial or ethnic origin, political, religious or philosophical beliefs, social background, data concerning relatives, data concerning sexual life, as well as data related to criminal convictions, procedural coercive measures, or administrative sanctions (with the exception of information specifying special needs of the job applicant).
5.4. If, contrary to the Bank’s request, you include information belonging to the special categories of personal data in the documents of your application file, please note that such data will not be used in any way. They will be stored in the application file until the purpose has been achieved (filling the vacant position or, as applicable, the completion of the selection process). After the purpose for which they were collected has been fulfilled, these data, together with the entire file, will be destroyed, except in the case where an employment contract is concluded.
This rule also applies if you provide other personal data that are irrelevant to the stated purpose.
5.5. An exception to the situation mentioned above is made only for the information included in medical certificates that are mandatory for certain types of employment activities, in accordance with the legislation, or for information that specifies the special needs of the job applicant.
5.6. During the period of the employment relationship, the following personal data will be processed:
a. Data regarding the person’s identity (name, surname, date, day, and year of birth, home/residence address, personal identification number (IDNP), signature, phone/email contact details, and other personal data indicated in the CV);
b. Data regarding education, spoken languages, diplomas, qualification certificates, skills, experience, and other public information available on professional websites (e.g., LinkedIn);
c. Previous workplace and position held;
d. Photograph;
e. Banking data – all information related to financial activity (exclusively for the purposes indicated in point 3.1. letter A), subpoints 5), 9), 10), 11);
f. Data from the driving license (if applicable);
g. Detailed evaluation of professional reputation in the case of holding certain positions (e.g., director, compliance specialist, security officer, etc.), as well as practical tasks provided;
h. Photographs provided at the time of employment or requested and submitted during the term of employment;
i.  Data from the access card used to enter the Bank’s premises;
j. Data from the criminal record and/or medical certificate (if applicable);
k. Data regarding marital status;
l. Data from certificates of death of relatives, marriage certificates, or children’s birth certificates;
m. Data from documents attesting to the incorporation of a family member into the National Army, in cases provided by the Labor Code, for the purpose of granting an additional day of leave;
n. Data obtained from video surveillance, from the global positioning system (GPS), and/or from monitoring employees’ activities (use of applications and devices through software tracking);
o. Voice recordings for the customer support, debt collection, or sales teams, and communications with the Bank’s customers;
p. Information regarding participation in seminars, courses, trainings, conferences, etc.;
q. Information shared during the use of the Bank’s internal communication tools;
r. Call recordings for employees within the support or telesales teams;
s. Special categories of personal data – in the case of medical leave and/or in cases where the candidate/employee is a person with a disability;
t. Other data required in accordance with applicable legislation.

6. PERSONAL DATA COLLECTION
6.1. Personal data may be provided through several channels, namely:
a) Data provided during the recruitment process, upon conclusion of the individual employment agreement, and throughout the entire term of agreement;
b) Data obtained through the use of special means for fulfilling legal obligations, ensuring security, etc. (video surveillance, salary payment processing, performance assessments, etc.);
c) Data received from recruitment service providers (e.g., rabota.md, delucru.md, etc.), from recruitment agencies contracted by the Bank, as well as from the Bank’s employees under the Referral Program;
d) Data collected from public professional websites (e.g., LinkedIn).

7. MONITORING AND VIDEO SURVEILLANCE AT THE WORKPLACE
7.1. In order to ensure security at the workplace, the security of the Bank’s assets, and the protection of data, employees, and customers, the Bank carries out video surveillance.
7.2. Video surveillance cameras are installed in visible locations. Video surveillance is carried out only within the Bank’s headquarters and secondary offices, covering access routes and/or areas intended for public access within the Bank, without capturing other public spaces. Additionally, video surveillance may record areas where money is counted, as well as areas where cash is stored or deposited (vault).
7.3. Video surveillance cameras are positioned in such a way as to avoid capturing photo/video/audio images in areas where an individual may reasonably expect privacy, such as—but not limited to—restrooms, break rooms, cafeterias, locker rooms, etc. You will be informed about any surveillance activities through special informational signs and explanatory notices regarding the processing of personal data.
7.4. Access to the Bank’s premises is granted through the use of an access card. The card is issued individually to each employee; therefore, the Bank processes data related to the use of the access card.
7.5. Because we value the confidentiality of your data and want you to feel comfortable in the workplace, we conduct periodic checks to ensure that only a limited number of persons have access to video recordings, and only when reasonably necessary. We also carry out additional assessments regarding the necessity and appropriateness of continuing video surveillance (see point 7 of the “Procedure for the installation and operation of video surveillance systems in the subdivisions of BC Moldindconbank S.A.”).

8. WHO CAN RECEIVE YOUR PERSONAL DATA?
1.1. To manage various internal processes, we use different service providers — for example, for human resources management, employee recruitment, record keeping, and data storage (such as auditors, occupational health and safety professionals, accounting and legal service providers, out-of-court dispute resolution bodies, IT companies, etc.).
1.2. Certain personal data (such as your name, phone number, work email address, leave period, and photograph) may be visible to all Bank employees when using internal employee management tools, project management systems, and other management or communication platforms (e.g., JIRA, the Bank’s information system, etc.).
1.3. To provide you with opportunities to develop your professional skills, improve and maintain your health, and receive other benefits, we may share your personal data with various service providers, such as health insurance companies, seminar and training organizers, etc.
1.4. In certain situations, we may have a legal obligation to disclose your data to third parties when required by law or when such data is requested by public authorities or institutions.
1.5. For the purpose of carrying out your daily work duties, the Bank’s partners or customers may receive personal data relating to you as a representative of the Bank (such as name, surname, position, and contact information – work phone number and email address). In performing your daily work tasks, this information is considered to be available to individuals or legal entities (public authorities, customers, business partners, etc.) and relates to you in your capacity as a representative of the Bank.
1.6. Additionally, if your work involves business travel, we will need to disclose the necessary information (for example, your name, surname, and other relevant details) to the relevant service providers to arrange transport and accommodation during the trips.
1.7. The recipients referred to in this section will receive your personal data only to the extent reasonably necessary. Furthermore, we inform you that all data recipients are required to comply with confidentiality obligations and applicable data protection laws.

9. RETENTION PERIOD OF PERSONAL DATA
9.1. The Bank processes personal data for the period necessary to identify the data subjects and to achieve the purposes for which the data were collected, throughout the duration of the contractual relationship.
9.2. If you have indicated that you are interested in other job openings or have submitted an unsolicited application (without specifying a particular position), we will retain your data for up to 12 months. After this period, the personal data will be deleted or anonymized and used for statistical purposes.
9.3. The Bank may retain copies of your personal data when it is reasonably necessary for us to fulfill our legal obligations, resolve disputes, or protect our legitimate interests.
9.4. The retention of personal files and personal data is carried out in accordance with the period established by law.
9.5. The data retention periods ensured by the Bank correspond to those provided by the Law No. 308/2017 and Order No. 57/2016 regarding the approval of the Standard Document List and their retention periods for public administration bodies, institutions, organizations, and enterprises of the Republic of Moldova, as well as the Instruction on applying the indicator.

10. RIGHTS OF PERSONAL DATA SUBJECTS
10.1. Right to information – this is the right of the personal data subject to be informed regarding the identity of the controller, the purpose of processing the collected data, the recipients or categories of recipients of the personal data, the existence of the rights of access, rectification, and objection as provided by the Law on personal data protection, as well as the conditions under which these rights may be exercised.
10.2. Right of access – this is the right of the personal data subject to obtain from the Bank, on the basis of a request, confirmation or denial of whether personal data concerning them are being processed by the Bank, as well as information regarding the purposes and categories of data being processed, the recipients or categories of recipients to whom the data are disclosed, the manner in which automated data processing is carried out, the legal consequences generated by the processing of the data for the data subject, and the means of exercising the right to intervene with respect to personal data.
10.3. Right to intervention – this is the right to obtain from the Bank, on the basis of a request, the rectification, updating, blocking, or erasure of data whose processing contravenes the Law on personal data protection, particularly incomplete or inaccurate data. This right may be exercised by sending the respective request to the e-mail address [email protected] or to the Bank’s registered office address.
10.4. Right to object – this is the right of the personal data subject to object at any time, on legitimate and justified grounds relating to their particular situation, to the processing of data concerning them, except in cases where legal provisions stipulate otherwise.
10.5. Right not to be subject to an individual decision – this consists of the possibility to request and obtain the withdrawal, annulment, or re‑evaluation of any decision that produces legal effects concerning the data subject and that has been adopted solely on the basis of automated processing intended to evaluate certain aspects of their personality, such as professional competence, credibility, behavior, or other similar characteristics.
10.6. Right of access to justice – this is the right to bring a case before a court of law in the event of a violation of the rights and legitimate interests related to the field of personal data protection, in order to obtain compensation for the damage suffered.

You may exercise the above-mentioned rights by submitting a written request to the e-mail address [email protected] or to the Bank’s registered office address. The request will be reviewed in accordance with the applicable legislation, and a response will be provided within 10 days from the date of receipt, with the possibility to extend this period by 7 days in more complex cases. Before disclosing any type of information, the Bank verifies the identity of the applicant; therefore, it may be necessary to provide additional data.

If you believe that your personal data have been processed unlawfully, you have the right to file a complaint with the supervisory authority — the National Center for Personal Data Protection, e-mail: [email protected], phone number 022820801.

11. AMMENDMENTS TO THE INFORMATION NOTE ON PERSONAL DATA PROCESSING
The Information note may be amended periodically, depending on changes in the applicable legislation or other influencing factors.