Privacy Policy and Data Protection

The information we provide below reflects our approach to the processing of your personal data and your rights under the provisions of data protection legislation - Regulation (EU) 2016/679 ("Regulation" or "GDPR"), regarding the use of our financial services.

TBI Bank EAD, legal entity established and functioning according to Bulgarian laws, with headquarters in Bulgaria, Sofia, str. Dimitar Hadzhikotsev no. 52-54, unique registration code 131134023, 

TBI Bank EAD Sofia - Bucharest Branch, with registered office 8-12 Puţul lui Zamfir St, 4th floor, District 1, Bucharest, registered with the Register of Companies under no J40/11691/2012 VAT-Identification Number RO 30771201, registered in the Register of Credit Institutions under no. RB-PJS-40-068 / 30.08.2012, operator of personal data registered with National Authority for the Supervision of Personal Data Processing under no. 26838, dully represented by Mrs. Florentina-Virginia Mircea in her capacity as Executive Director,

TBI Leasing IFN S.A., a non-banking financial institution, Romanian legal person, with registered office in 12 Puţul lui Zamfir St, 4th floor, District 1, Bucharest, registered with the Register of Companies under no. J40 / 1526/2002, VAT-Identification Number RO14482325, subscribed and paid capital of 1.002.738 lei, non-banking financial institution registered with the National Bank of Romania under no. RG-PJR-41-110032 dated December 08, 2011, operator of personal data registered with National Authority for the Supervision of Personal Data Processing under no. 2448, legally represented by Florentina-Virginia Mircea in her capacity as General Manager,

TBI Credit IFN S.A., a non-banking financial institution, a legal entity of Romanian law, having its registered office in Romania, Bucharest, 1st District, No 8-12, Putul lui Zamfir Street, ground floor and 1st Floor, registered with the Bucharest Trade Registry under No. J40/15329/2003, having Fiscal Registration Code RO15901855, subscribed and paid share capital 7.300.000 lei, registered as a non-banking financial institution with the General Register RG-PJR-41-110014/03.03.2017 and Special Register kept by the National Bank of Romania under No. RS-PJR-41-010001 / 25.09.2006 and registered as payment institution with Payment Institutions Register held by National Bank of Romania under no. IP-RO-0005/28.04.2011, operator of personal data registered with National Authority for the Supervision of Personal Data Processing under no. 1711, legally represented by Mrs. Gergana Staykova in her capacity as General Manager and Mr. Viorel Marculescu in his capacity as Payments Instruments & Self Service Director,

and 4finance Group S.A., registration No. B195643, address: 8-10 Avenue De La Gare 16-10 Luxembourg, Grand Duchy of Luxembourg, and its direct and indirect subsidiaries. 
hereinafter referred to generically as "Companies"

The Companies provide:

a. Financial and credit intermediation services that aim to make available to the client the most suitable financial products according to the information provided and based on the assessment made regarding your payment capacity;

b. A wide range of leasing services, such as leasing for new and used cars, fleet management, equipment purchase financing, mortgage leasing and lease-back services;
The personal data processed by the Companies belong to the clients / potential clients natural persons, clients' agents, natural persons who hold a position in some legal persons that are clients of the bank (founders, associates, shareholders, directors, managers, members of the supervisory / directors’ board, other legal / conventional representatives) persons whose data are provided by the client in order to conclude a contract for obtaining a financial product (e.g. husband, wife, children, parents, the beneficiary of a payment / insurance operation, the guarantee of a credit, natural persons whose data are provided in the documents made available by the clients, etc.).

a. identification data: name, first name, home / residence address, postal code, inland / mobile phone number, e-mail address, personal numeric code, serial number and identity document / passport / driving license (as well as other elements contained therein: date / place of birth, nationality, gender, period of validity, issuer);

b. additional identification data: age, signature, family situation, medical data, quality of publicly exposed person, number of dependents, name and surname of family members, type of resident, data on health status, marital status, military obligations, economic and financial situation, data on the assets held (servitude, cadastral documentation, other data resulting from the ownership documents), CIF, number of the tax residence Land Register (fiscal residence number and certificate series);

c. data regarding the workplace: profession, position, date of employment, vocational training, degrees-studies, name of the employer, salary data, type of employment contract, work program;

d. data resulting from audio / video / electronic recording: voice, image, video / audio recording, computer IP, emails, device ID;

e. transaction data: the unique identifier generated for each client, account number, date / time / amount of the transaction, purpose of the transaction, merchant name, products, geolocation, loyalty card number, as well as other financial data.

f. data and information related to credit, leasing or insurance products: they contain positive data (product type, term of grant, date of grant, due date, amounts granted, amounts due, account status, account closing date, credit currency, frequency of payments, amount paid, monthly rate, name and address of the employer), negative data (type of product, term of grant, date of grant, due date, credits granted, amounts due, outstanding amounts, number of outstanding instalments, due date arrears, number of days late in credit repayment, account status, and information regarding the quality of the guarantor or co-debtor), the history of the loan repayment, the contract number, data regarding possible litigation, data resulting from the investigation of your situation at ANAF / Credit Bureau;

g. data on fraud: the commission of crimes or contraventions in the financial-banking field, established by definitive court decisions, or by uncontested administrative acts, the name of the issuer, data resulting from administrative / criminal investigations, data from the criminal record;

h. data regarding inadvertent findings: inconsistent data and information resulting from the documents presented at the date of the credit application, due to the credit applicant.

i. other data derived from them following the processing: information of social and psychosocial nature, preferences, subscriptions (opt in, opt out), marketing contracts, cookies, customer segmentation according to different criteria, profile, payment conduct, loyalty points;

j. Companies will not process personal data that discloses racial or ethnic origin, political opinions, religious confession or philosophical beliefs, membership in unions, data on sex life or sexual orientation of a natural person, except as provided by applicable law.

a. in order to identify you and to evaluate your payment capacity and your financial-economic behaviour, in case you request the contracting of a loan or other type of financial product offered by the Companies (this may also include the use of face, voice, fingerprint or other biometric technologies, as well as online identification systems);

b. for the conclusion, administration and fulfilment of the credit agreement with the Companies, as well as for the eventual conclusion and fulfilment of other contracts with the Companies in connection with the eventual provision of other financial services (including through the conclusion of the financial services provision contracts at distance);

c. for managing your accounts - if you have opened accounts, for Companies’ internal reports and for purposes and forecasting needs, in order to develop the risk management system and for self-learning software purposes for specialized risk assessment (it also applies if a Contract for granting a loan is not concluded);

d. for direct marketing within the meaning of the legislation on the protection of personal data including for transmitting to you notices and letters containing advertising and information content, promotional SMS and emails, including and related to the offering of other financial or combined products offered by or with the participation of the Companies, the collected data being relevant and not exceeding the purposes for which they are processed and will not be subject to further processing in ways incompatible with these purposes.

e. to identify, prevent and avoid fraud, money laundering, terrorist financing and other criminal activities and to fulfil the legal obligations arising, for example, from the  GEO 99/2006, on credit institutions and capital aptness, the Law 209/2019 Law on payment services and for amending some normative acts, the GEO 50/2010 on credit agreements for consumers, laws regulating accounting activities, etc.;

f. to repay all the funds owed, as well as to inform you of any changes that are relevant to you regarding us, our services or the contractual relationship;

g. to manage the various services we provide, ensure and improve the quality of services, develop and offer new services, manage and improve websites, maintain security and ensure that the entire content is displayed on the screen as efficiently as possible

h. to be able to obtain and use the issued card, as well as for its administration and your information regarding the operations carried out.

i. in order to provide support services for your requests (e.g.: additional information about products, conducting investigations on malfunctions of the products and services offered, solving requests, complaints and petitions formulated), both in the physical locations of the Companies, as well as through the means of communication (e.g. telephone, e-mail, post);

j. for audio recording of telephone calls in order to improve the quality of services, but also to provide proof of the request / agreement / option regarding certain requested / offered services;

k. for the preparation of the evaluation reports and the development of other stages within the enforcement / insolvency procedures, as well as for the physical / electronic archiving of the documents, and for courier activities;

l. in order to resolve investigations, disputes or any other petitions / complaints / requests;

m. for conducting audits or investigations of the Companies and for carrying out risk controls on their procedures and processes or carrying out economic, financial and / or administrative management activities;

n. reporting to the competent institutions according to the applicable legal regulations (e.g.: reporting the payment incidents at the Payments Incident Centre within the NBR, declaring transactions that exceed the amount established by law to the National Office for Preventing and Combating Money Laundering), as well as for monitoring the activity of clients in order to detect unusual and suspicious transactions;

o. for the video recording of the activity from the physical locations of the Companies, in order to maintain a high level of security.

p. for any other legitimate use that is relevant to our relationship with you.

Your personal data will not be made available to third parties, natural or legal persons unless this is required by law or in view of the initiation and conduct of the contractual relationship. Your personal data will only be processed by Companies’ authorized employees and by natural and / or legal persons having the status of “associated operator” or “authorized person” within the meaning and conditions of art. 26 or art. 28 of EU Regulation 679/2016. The authorized persons / operators to whom your data may be disclosed and entrusted are: companies to which the Companies may entrust the collection of receivables in accordance with loans for personal needs or other loans, companies that may carry out activities related to the assessment of your payment capacity, with the administration and management of your contract with Companies or other affiliated services; Credit Bureau, National Bank of Romania, central or local public authorities, contractual partners / providers of services and goods (e.g. IT services, archiving, courier; utilities; audit; support services; payment processing, payment facilitation services, debt recovery services and / or debt collection, appraisers, real estate agents, insurance and reinsurance companies, consultants, auditors, accountants, lawyers).
Companies will not transfer personal data outside Romania or to EU / EEA states unless you request payments outside the EU Member States (based on the execution of a payment agreement concluded between you and one or several companies).

a. your consent, if necessary and / or requested according to the applicable legislation in force (e.g. for direct marketing), pursuant to art. 6 paragraph 1 (a) of GDPR. You may withdraw your consent at any time by submitting a request in accordance with the instructions in section 10.

b. the conclusion and fulfillment of the credit agreement or any other type of contract for the provision of certain services of the Companies, pursuant to art. 6 paragraph 1 (b) GDPR;

c. fulfilling the obligations of the Companies according to the law (e.g. identifying and preventing frauds, reporting the parameters of the financial-banking activity), according to art. 6 paragraph 1 (c) GDPR.

d. the legitimate interest of the Companies to provide current information on available or new products and services (e.g. the development and improvement of products and services, ensuring a high level of security both at the level of the information systems and within the physical locations, etc.) under art. 6 paragraph 1 (f) GDPR;

Personal data can be obtained: (i) directly from you and / or from your authorized person, (ii) by consulting public sources (e.g. Credit Bureau, National Bank of Romania, public institutions and authorities, registries public, databases, information available on the Internet, National Trade Register Office, court portal, etc.)

Under the conditions provided by applicable law (GDPR), you have the following rights:
Right of access: You have the right to be notified, upon request, if your Personal Data are processed, and if so, you have the right to request their access. The information includes, inter alia, the purposes of the Processing, the categories of personal data affected and the recipients or categories of recipients to whom your Personal Data have been disclosed or will be disclosed. You have the right to obtain a copy of the Personal Data processed. For additional copies, we can charge you a reasonable fee, based on administrative costs.
Right to rectification: You have the right to obtain from us the rectification of your incorrect Personal Data. Depending on the purpose of the processing, you have the right to complete incomplete Personal Data, including by means of an additional declaration.
The right to delete ("the right to be forgotten"): You have the right to ask us to delete your Personal Data.
Right to restriction: You have the right to request the restriction of the processing of your personal data. In this case, the data will be marked and can be processed by us only for certain purposes.
The right to data portability: You have the right to receive your personal data that you have provided to us, in a structured, common and machine-readable format, and you have the right to transmit this data to another entity without objections from us=
The right to object: You have the right to object, for reasons related to your situation, at any time, to the processing of your personal data by us, and we may be required to stop processing your personal data. . If you have the right to object and exercise it, we will no longer process your personal data for that purpose. The exercise of this right does not imply any cost. This right may be invalidated in particular if the processing of your personal data is necessary for the formalities related to the conclusion of a contract or for the performance of a contract already concluded.
The right not to be the subject of an automatic decision-making process: You have the right not to be the subject of a decision based solely on automatic processing, including profiling, which produces legal effects or will affect you to a significant extent.
The right of consent withdrawal - if processing is based on consent, it can be withdrawn at any time. Withdrawal of the consent will have effects only for the future; the previous processing based on the consent will remain valid.
Please note that the above rights may be limited based on applicable national data protection law.
You also have the right to file a complaint with the National Supervisory Authority for Personal Data Processing.

Companies will process your personal data during the term of the contract, as well as after its completion in order to comply with the applicable legal obligations.

As part of your approval process in the credit request procedure, your personal data may be subject to an automated decision-making process. This means that a specialized software (scoring software) of the Companies will automatically process (without human intervention) the data made available by you and analyze them from the point of view of criteria set in the software algorithm. As a result, your request will earn a certain number of points depending on which automated approval or automated refusal can be obtained. If your request gets the lowest and the enough number of points for approval, the request will be analyzed by an employee. If a fully automated decision is made regarding your application (without the intervention of an employee), you have the right to request an employee's review and to express your point of view.

For the exercise of the aforementioned rights, as well as for sending any questions or complaints regarding the processing of your personal data, please send your request to the following addresses:
TBI Credit IFN S.A. - Bucharest, str. Puțul lui Zamfir no. 8-12, ground floor + 1st floor, sector 1, Romania or by e-mail DPO@tbicredit.ro.
TBI Bank EAD Sofia – Bucharest Branch - Bucharest, str. Puțul lui Zamfir no. 8-12, 4th floor, sector 1, Romania or by e-mail DPO@tbibank.ro.
TBI Leasing IFN S.A. – Bucharest, str. Puțul lui Zamfir no. 8-12, 2nd floor, sector 1, Romania or by e-mail DPO@tbibank.ro.