Information note on the rights of data subjects

1.1. BC ,,Moldindconbank” S.A., hereinafter referred to as “the Bank”, IDNO – 1002600028096, NBM license series A MMII no.004507 of 07.03.2018, with legal address in Chisinau, 38 Armeneasca st., MD-2012, as a personal data operator has established the purposes and, where appropriate, the means of processing the personal data, indicated in this Information note.

1.2. Data subjects may contact the Data Protection Officer on matters relating to the processing of their data and the exercise of their rights under Law no. 133/2011 at the following email address: protectiadatelor@micb.md or telephone number 022 576750.

2. LEGAL FRAMEWORK AND PROCESSING PERSONAL DATA BASIS

2.1. When processing personal data, the Bank acts in compliance with the legal framework:

1. a) Law no.202/2017 on the activity of banks (https://www.legis.md/cautare/getResults?doc_id=121176&lang=ro#);
   b) Law no. 133/2011 on personal data protection
   (https://www.legis.md/cautare/getResults?doc_id=110544&lang=ro);
   c) Law no.308/2017 on preventing and combating money laundering and terrorist financing (https://www.legis.md/cautare/getResults?doc_id=110418&lang=ro);
   d) Other applicable legislation.

2.2. Processing basis:

1. a) performance of the contract concluded between the Bank and the customer – data subject;
2. b) consent of the data subject;
3. c) fulfilment by the Bank of a legitimate interest.

2.3. The storage of personal data is carried out on the Bank’s servers located in the Republic of Moldova.

3. DATA SUBJECTS

The Bank processes the data of data subjects (individuals) as follows:

3.1 Individuals – customers of the Bank, who benefit from the services/products offered by the Bank;

3.2. Individuals – potential customers of the Bank, who intend or are about to establish contractual relations with the Bank and former customers, who have terminated business relations with the Bank;

3.3. Bank employees and potential employees, who have applied for employment, persons who are doing an internship;

3.4. Representatives (legal or conventional) and beneficial owners of customers (existing, potential or former);

3.5. Visitors to the Bank subdivisions where video recording cameras are installed.

4. CATEGORIES OF PERSONAL DATA PROCESSED

4.1. The Bank processes the following categories of personal data:

(a) Name, surname,

(b) Date and place of birth,

(c) Number and serial number of identity card,

1. d) IDNP (personal identification number),
2. e) Domicile/residence,

(f) Electronic and holographic signature,

1. g) Bank details and financial situation,
2. h) Categories of data required for precautionary measures;
3. i) Credit history,
4. j) Landline/mobile telephone number and e-mail address,
5. k) Photo/video image,
6. l) Voice (in the case of telephone calls via call center or card support),
7. m) IP address,
8. n) Confirmation codes for the services requested,
9. o) Other data necessary for business purposes.

4.2. Refusal by the data subject to provide the categories of data set out in point 4.1 (according to the standard forms) or the provision of inaccurate or erroneous information shall make it impossible to provide the requested services or to process the requests submitted.

4.3. The personal data specified in point 4.1 shall be processed by the Bank for the entire duration of the contractual relationship, except in the event of their updating or deletion in accordance with the law.

5. RECORD-KEEPING SYSTEMS AND PROCESSING METHODS

5.1. The bank processes data provided by the data subjects, data generated after the provision, data made public by the data subjects:

(a) within the record-keeping systems:

1. Obtained through the completion by the data subjects of the standardized forms in electronic format (online submission of a credit application);
2. Obtained by the manual completion by the data subjects of the contract or inquiry, concerning the request for a service (initiation of a business relationship), by means of written correspondence.
3. b) within the video surveillance and access control record systems.

5.2. In all cases of collection of personal data, they are processed by the Bank within its security perimeter, with organizational and technical measures being taken to ensure an adequate level of protection of personal data. The mechanism for ensuring the protection of personal data is set out in the Bank’s Personal Data Processing Security Policy including the accompanying regulations and instructions, which describe the processes and protection measures.

5.3. The organizational and technical measures provided by the Bank are within the applicable legal limits and have been assessed by the National Centre for Personal Data Protection as to their adequacy.

6. PURPOSE OF PERSONAL DATA PROCESSING

6.1. The Bank processes personal data for the following purposes:

1. a) Actions necessary for the conclusion and performance of contractual relations with customers, suppliers, partners, etc., for the purpose of providing banking services, purchases of goods and services;
2. b) Actions necessary for the conclusion and performance of contractual relations with employees;
3. c) Offering of (advertising) services/products by the Bank;
4. d) Conducting know-your-customer procedures;
5. e) Other purposes related to the Bank’s activity in compliance with the applicable legal framework.

7. TERM OF PERSONAL DATA PROCESSING

7.1. The Bank processes the personal data for the period necessary to identify the data subjects, to achieve the purposes for which they were collected, throughout the period of contractual relations and provision of services.

7.2. Personal data are kept by the Bank for 5 years after the termination of the business relationship (termination of the contractual relationship, completion of the provision of services).

8. RECIPIENTS OF PERSONAL DATA

8.1. The Bank may disclose personal data to the following recipients:

a) Persons authorized by the Bank;

b) Data subject or his/her representative;

c) Contractual partners, within the limits of the needs generated by the business relations initiated;

d) Law enforcement, tax, supervisory, control and other bodies empowered by law with the right to request from the Bank and to process personal data, at their reasoned request.

9. RIGHTS OF THE DATA SUBJECTS

9.1. Right to information – a right of the data subject to be informed about the identity of the operator, the purpose of the processing of the collected data, the recipients or categories of recipients of the personal data, the existence of the rights of access, intervention and objection provided for in the Personal Data Protection Act and the conditions under which they may be exercised.

9.2. Right to access – a right of the data subject to obtain from the Bank, on the basis of a request, confirmation or denial that personal data concerning him/her are processed by the Bank, information on the purposes and categories of data processed, the recipients or categories of recipients to whom the data are disclosed, the manner in which the automated processing is carried out, the legal consequences of the processing for the data subject and how to exercise the right of intervention on the personal data.

9.3. Right to intervention – a right to obtain from the Bank, upon request, the rectification, updating, blocking, deletion of data who’s processing contravenes the Personal Data Protection Act, in particular incomplete or inaccurate data.

9.4. Right to objection – a right of the data subject to object at any time, on compelling legitimate grounds relating to his or her particular situation, to the processing of data relating to him or her, unless otherwise provided for by law.

9.5. Right not to be subject to an individual decision – consists of the possibility to request and obtain the withdrawal, annulment or review of any decision which produces legal effects concerning the data subject and which has been taken solely on the basis of automated processing intended to evaluate certain personal aspects relating to the data subject, such as his or her professional competence, credibility, conduct or other such aspects.

9.6. Access to justice – a right to go to court in case of violation of legal rights and interests related to personal data in order to seek redress.

10.1 Cookie notification.

Cookie – information that is collected when accessing the web pages www.micb.md, www.transfer.md, direct.micb.md, wb.micb.md, pudracard.micb.md, actionari.micb.md, credit.micb.md, to identify the user who has accessed certain information content. The Bank’s server and the computer on which the data subject’s browser operates generate this. The information contained in the cookie is set by the server and can be used by that server whenever the user visits the website. A cookie can be considered as an Internet user’s identity card, which indicates to a website when the user has returned. Similar technologies are also applicable to mobile devices (tablet, smartphone) from which the information on the respective website is accessed.