Home Note on personal data

Information note on the rights of data subjects

Note on personal data

1. IDENTITY OF THE OPERATOR AND CONTACT DETAILS OF THE PERSON RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA

1.1. BC “Moldindconbank” S.A., hereinafter referred to as the “Bank,” IDNO ā€“ 1002600028096, licensed by the National Bank of Moldova (NBM), series A MMII No. 004507 dated March 7, 2018, with its registered office at: Chisinau, 38 Armeneasca Street, MD-2012, in its capacity as a personal data operator, has established the purposes and means of processing personal data as indicated in this Information note.

1.2. Personal data subjects may contact the person responsible for data protection regarding issues related to the processing of their data and the exercise of their rights under Law No. 133/2011 at the email address: [email protected].

2. LEGAL FRAMEWORK AND BASIS FOR THE PROCESSING OF PERSONAL DATA

2.1. By processing personal data, the Bank acts in compliance with the legal framework:
a) Law No.202/2017 on the activity of banks
(https://www.legis.md/cautare/getResults?doc_id=121176&lang=ro#);
b) Law No. 133/2011 on personal data protection
(https://www.legis.md/cautare/getResults?doc_id=110544&lang=ro);
c) Law No. 308/2017 on the prevention and combating of money laundering and terrorist financing
(https://www.legis.md/cautare/getResults?doc_id=110418&lang=ro);
d) Other applicable legislative acts.

2.2. Legal basis for processing:

a) performance of the contractĀ concluded between the Bank and the customer ā€“ the data subject;
b)Ā consentĀ of the data subject, where the processing is carried out solely on this basis;
c)Ā legitimate interestĀ pursued by the Bank, insofar as it does not override the fundamental rights and freedoms of the data subject;
d)Ā compliance with a legal obligationĀ to which the Bank is subject under applicable legislation.

2.3. The storage of personal data is carried out on servers owned by the Bank and located within the territory of the Republic of Moldova.

3.PERSONAL DATA SUBJECTS

The Bank processes the personal data of subjects (individuals) as follows:

3.1. Individuals ā€“ customers of the Bank who benefit from the services provided and/or products offered by the Bank;

3.2. Individuals ā€“ potential customers of the Bank who intend or are about to establish contractual relationships with the Bank, as well as former customers whose business relationships with the Bank have ended;

3.3. Representatives (legal or authorized) and beneficial owners of the Bankā€™s customers (current, potential, or former);

3.4. Visitors to the Bankā€™s offices where video surveillance systems are installed, as well as visitors to the Bankā€™s web pages;

3.5. The Bankā€™s shareholders;

3.6. Third parties who do not have a direct relationship with the Bank (for example, participants in various events organized by the Bank; persons whose data have been made available to the Bank by any other person with whom the Bank interacts; persons mentioned in conflict-of-interest declarations; persons whose data are included in payment orders processed by the Bank, etc.);

3.7. Individuals connected to a credit applicant of the Bank;

3.8. Users of the technical solutions (electronic identification means) related to the Bankā€™s digital onboarding services;

3.9. Contractual partners.

*This Note does not apply to:

a) The Bankā€™s employees and potential employees who have applied for employment;

b) Persons carrying out internships, including volunteers and apprentices.

They are informed about the processing of their personal data carried out by the Bank, in its capacity as employer, through a separate document.

4. CATEGORIES OF PERSONAL DATA PROCESSED

4.1. The Bank processes the following categories of personal data:

a) name and surname;

b) date and place of birth;

c) identity document number and series;

d) personal identification number (IDNP);

e) domicile/residence;

f) electronic and handwritten signature;

g) bank details and financial situation;

h) categories of data required for due diligence measures;

i) credit history;

j) landline/mobile phone number and e-mail address;

k) photographic/video image;

l) voice (in the case of telephone calls made to the call center or card support services);

m) IP address, IP-based location;

n) biometric data;

o) confirmation codes related to the requested services;

p) card number, expiration date, CVV/CVC code, and cardholder name;

q) transaction data (amount, date, location, beneficiary, IBAN, etc.);

r) other data necessary for business purposes.

4.2. The refusal of the data subject to provide the categories of personal data specified in paragraphā€Æ4.1 (according to the standard templates), or the provision of false or inaccurate information, shall result in the impossibility of delivering the requested services or processing the submitted applications.

4.3. The period during which the Bank processes the personal data specified in paragraphā€Æ4.1 shall not exceed the time necessary for the fulfillment of the purposes for which such data are processed.

5. RECORD-KEEPING SYSTEMS AND METHOD OF PROCESSING

5.1. The Bank processes the data provided by personal data subjects, the data generated after such provision, as well as the data made public by the subjects:

a) Within recordā€‘keeping systems:

1. Obtained through the completion by personal data subjects of standardized electronic forms (for example, the online submission of a credit application);

2. Obtained through the physical completion by personal data subjects of a contract or questionnaire related to the request for a service (the initiation of a business relationship), including through written correspondence.

b) within video surveillance recordā€‘keeping systems and the access control record system.

c) within the manual recordā€‘keeping systems for temporary visitors of the Bank.

5.2. In all cases of personal data collection, such data are processed by the Bank within its security perimeter, with the necessary organizational and technical measures being implemented to ensure an appropriate level of personal data protection. The mechanism for ensuring the protection of personal data is established in the Bankā€™s Personal Data Processing Security Policy, including in the related regulations and instructions that describe the relevant processes and protection measures.

5.3. The organizational and technical measures ensured by the Bank fall within the applicable legal limits and have been assessed by the National Center for Personal Data Protection regarding their compliance.

6. PURPOSE OF PERSONAL DATA PROCESSING

6.1. The Bank processes personal data for the following purposes:

a) Actions necessary for the conclusion and performance of contractual relationships with customers, suppliers, partners, etc., for the purpose of providing banking services and acquiring goods and services;

b) Actions necessary for the negotiation, conclusion, and performance of employment contracts with employees and/or service agreements with service providers;

c) Identification and verification of customersā€™ identity through electronic means; the remote identification of a person by electronic means is a process of identifying and verifying the identity of an individual based on the identity documents presented, the measurement of biometric facial features, the comparison of images, and the information provided by the individual and/or obtained from external data sources, using digital means (digital onboarding);

d) Provision by the Bank of services/products (advertising purposes);

e) Carrying out customer due diligence (ā€œKnow Your Customerā€ procedures);

f) Support communication with customers, users of the MICB Mobile Banking application, and third parties, including during the digital onboarding process;

g) Prevention of fraud and ensuring information and physical security;

h) Use of the MICB Mobile Banking application;

i) Sharing of data with other licensed banks and other mobile applications within the Open Banking system;

j) Assessment of solvency, reduction of credit risk, and determination of the level of indebtedness of customers interested in personalized offers related to the Bankā€™s lending products or in contracting such products (credit risk analysis);

k) Other purposes related to the Bankā€™s activity, in compliance with the applicable legal framework.

7. DURATION OF PERSONAL DATA PROCESSING

7.1. The Bank processes personal data for the period necessary to identify the personal data subjects and to achieve the purposes for which the data were collected, throughout the duration of the contractual relationships and the provision of services.

7.2. The personal data provided during the digital onboarding process will be processed by the Bank for a period of 5 days, for the purpose of providing support to successfully complete the steps of the remote identification process.

7.3. The personal data are retained by the Bank for a period of 5 years from the termination of the business relationship (cessation of contractual relations or completion of the provision of services).

8. RECIPIENTS OF PERSONAL DATA

8.1. The Bank may disclose, transfer, or grant access to personal data to the following recipients:

a) persons authorized by the Bank;

b) another personal data subject or their representative, based on a legal ground;

c) contractual partners, to the extent necessary for the business relationships established;

d) law enforcement, tax, supervisory, or control authorities, and other entities authorized by law to request and process personal data from the Bank, upon their duly justified request.

9. RIGHTS OF PERSONAL DATA SUBJECTS

9.1. Right to informationā€“ this is the right of the personal data subject to be informed regarding the identity of the controller, the purpose of processing the collected data, the recipients or categories of recipients of the personal data, the existence of the rights of access, rectification, and objection as provided by the Law on personal data protection, as well as the conditions under which these rights may be exercised.

9.2. Right of accessā€“ this is the right of the personal data subject to obtain from the Bank, on the basis of a request, confirmation or denial of whether personal data concerning them are being processed by the Bank, as well as information regarding the purposes and categories of data being processed, the recipients or categories of recipients to whom the data are disclosed, the manner in which automated data processing is carried out, the legal consequences generated by the processing of the data for the data subject, and the means of exercising the right to intervene with respect to personal data.

9.3. Right to interventionā€“ this is the right to obtain from the Bank, on the basis of a request, the rectification, updating, blocking, or erasure of data whose processing contravenes the Law on personal data protection, particularly incomplete or inaccurate data.

9.4. Right to objectā€“ this is the right of the personal data subject to object at any time, on legitimate and justified grounds relating to their particular situation, to the processing of data concerning them, except in cases where legal provisions stipulate otherwise.

9.5. Right not to be subject to an individual decisionā€“ this consists of the possibility to request and obtain the withdrawal, annulment, or reā€‘evaluation of any decision that produces legal effects concerning the data subject and that has been adopted solely on the basis of automated processing intended to evaluate certain aspects of their personality, such as professional competence, credibility, behavior, or other similar characteristics.

9.6. Right of access to justiceā€“ this is the right to bring a case before a court of law in the event of a violation of the rights and legitimate interests related to the field of personal data protection, in order to obtain compensation for the damage suffered.

10. COOKIE

10. Notification regarding cookies. Cookie represents information collected when accessing web pages micb.md, www.transfer.md, direct.micb.md, wb.micb.md, pudracard.micb.md, actionari.micb.md, credit.micb.md, used to identify the user who has accessed certain informational content. This process is generated by the Bankā€™s server and the computer on which the personal data subjectā€™s browser operates. The information contained in a cookie is set by the server and can be used by that server each time the user visits the website. A cookie may be regarded as an Internet userā€™s identity card, indicating to a website when the user has returned. Similar technologies also apply to mobile devices (tablet, smartphone) used to access information on the respective web page.