Adopted by a decision of the Management Board dated 09.06.2016, amended by a decision of the Management Board dated 17.05.2018 and by a decision of the MB of 29.09.2022

I. General Provisions and Definitions

Art. 1. This Data protection policy of "Bulgarian-American Credit Bank" AD /the Bank/ applies to the Bank and its subsidiaries and is based on the data protection requirements and principles set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Regulation (EU) 2016/679 or the General Data Protection Regulation).
"Bulgarian-American Credit Bank" AD (BACB AD or the Bank) entered in the Trade Registry with the Registry Agency, UIC 121246419, having its seat and registered address at: Sofia 1000, Sredets region, 2 Slavyanska St. is data controller within the meaning of Regulation (EU) 2016/679 and the Personal Data Protection Act.
The Bank has appointed a Data Protection Officer operating at the following address: Sofia 1000, Sredets region, 16 Krakra Street; e-mail: dpo@bacb.bg. The data protection officer meets the requirements of the General Data Protection Regulation and reports directly to the Management Board of BACB AD.
Art. 2. Within the meaning of Regulation (EU) 2016/679 (General Data Protection Regulation) and this Policy, the terms used in this document shall have the following meaning:
(a) Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(b) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(c) Personal data registry means any structured set of personal data that is accessed pursuant to certain criteria, whether centralized, decentralized or allocated based on a functional or geographical principle.
(d) Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Union law or the law of the Republic of Bulgaria, the controller or the specific criteria for its nomination may be provided for by the Union law or the law of the Republic of Bulgaria;
(e) Data subject means a natural person who is directly or indirectly identified or identifiable based on certain information representing personal data;
(f) Legitimate interest of BACB AD or of a third party, where the latter has priority over the interests or fundamental rights and freedoms of the data subject /client/, for example for the purpose of preventing crimes including fraud, preventing money laundering and terrorist financing, other lawful purposes.
Art. 3. "Bulgarian-American Credit Bank" AD recognizes the privacy of natural persons and makes efforts to ensure protection against any unlawful processing of personal data of natural persons. In compliance with the provisions of the applicable legislation, the Bank implements the relevant technical and organizational measures to protect the personal data of natural persons.
Art. 4. This Data protection policy of "Bulgarian-American Credit Bank" AD is aimed at informing the natural persons about the purposes and grounds for processing personal data, the rights of data subjects, the categories of recipients to whom the data may be disclosed, the mandatory or voluntary nature of providing such data, the right of access and the right to rectify the collected data pursuant to the requirements of the Personal Data Protection Act.

II. Data Processing

Art. 5. "Bulgarian-American Credit Bank" AD, as a data controller, processes personal data in a way that guarantees an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical and/or organizational measures in compliance with the following principles:
(a) processing lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
(b) the data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("appropriateness of personal data processing and purpose limitation");
(c) proportionality and limitation of personal data processing in relation to the purposes for which they are processed ("data minimization");
(d) accuracy and timeliness of data processing;
(e) limitation of the storage for a period not longer than necessary for the purposes for which the personal data are processed ("storage limitation");
(f) processing in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").
Art. 6. "Bulgarian-American Credit Bank" AD processes personal data only if and to the extent that at least one of the following conditions applies:
(a) the processing is necessary for the performance of a contract with the Bank to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
(b) processing is necessary for compliance with a legal obligation to which the Bank in its capacity as a data controller, is subject.
(c) The data subject has consented to the processing of their personal data for one or more specific purposes. In cases where personal data is processed solely on the basis of consent, the data subject has the right to withdraw their consent at any time. The withdrawal of consent by the data subject is not applicable in cases where data processing is also based on items "a" and "b" above.
"Bulgarian-American Credit Bank" AD processes personal data independently or by assigning such processing to data processors. Processors acting on behalf of the Bank also include the Bank's employees, whose rights and obligations are duly set out in the Bank's internal regulations.
Art. 7. The Bank, as a controller, does not process personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership, nor does it process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, unless the data subject has given his explicit consent to the processing of such personal data for one or more specific purposes.

III. Purpose of personal data processing

Art. 8. "Bulgarian-American Credit Bank" AD as a licensed credit institution processes personal data for the purpose of providing banking products and services and/or carrying out banking and other commercial transactions pursuant to the Credit Institutions Act, including investment services and activities under the Markets in Financial Instruments Act, with the persons whose data are processed /data subjects/ or for the purpose of considering the possibility of providing such services to the data subjects. The provision of personal data by individuals is voluntary. If the natural person refuses to provide his or her personal data, "Bulgarian-American Credit Bank" AD will not provide the requested banking or investment product or service or carry out the relevant banking or trade transaction, insofar as the processing of personal data to the largest extent is required for compliance with the legal and regulatory obligations of the Bank.
Art. 9. The personal data that individuals provide to "Bulgarian-American Credit Bank" AD upon the submission of a request for a banking product or service and/or for carrying out banking and other commercial transactions, are processed for the purpose of analyzing whether such individuals meet the conditions for providing the relevant product or service, as well as for the purpose of proper identification of the parties to the banking and commercial transactions carried out in pursuance of the legal and regulatory obligations of the Bank.
Art. 10. Data processing is most often required for the fulfillment of statutory obligations of the Bank, resulting from the legal requirements regulating the banking and other accompanying commercial activities, financial and accounting activities, activities for the prevention of money laundering and terrorist financing, for the purposes of the automatic exchange of financial information within the meaning of the Tax and Social Security Procedure Code, pension, health and social security activity, human resource management, etc.
Art. 11. In addition to the cases where it is required for the fulfillment of a legally established obligation of the data controller, data processing is also allowed when it is necessary for the fulfillment of obligations under a contract with the Bank, to which the natural person to whom the data relate is a party, as well as for actions preceding the conclusion of a contract with the Bank, taken at the request of the person or when the natural person to whom the data refer has explicitly given his or her consent for the processing. Apart from the above cases, processing of personal data of data subjects is allowed in the presence of a legitimate interest of BACB AD or of a third party, where such interest overrides the interests or fundamental rights and freedoms of the data subject /client/, for example for the purpose of preventing crimes, including fraud, preventing money laundering and terrorist financing, other legitimate purposes.
Art. 12. The personal data of data subjects are stored for the statutory periods in compliance with the requirements of the applicable special laws.
Art. 13. Persons under 18 (eighteen) years of age are data subjects with the right to a higher level of protection of their personal data. In connection with the direct offering of information society services to children, the processing of a child's data is lawful if the child is at least 16 years old. If the child is under 16 years of age, this processing is lawful only if and to the extent that such consent is given or authorized by the holder of parental responsibility over the child.

IV. Data subjects’ rights (clients – natural persons to whom the data refers)

Art. 14. Right to information (in relation to the processing of the subject’s personal data by the Bank) - the natural person who is a data subject has the right to receive information* about the Bank as a data controller, as well as about the processing of his or her personal data. This information includes:
➢ Data identifying the Bank as well as its contact details, including the contact details of the data protection officer;
➢ The purposes and legal basis for the processing;
➢ The recipients or categories of recipients of the personal data, if any;
➢ The intention of the controller to transfer the personal data to a third party/third country (if applicable);
➢ The period for which the personal data will be stored;
➢ The existence of automated decision-making, including profiling (if any);
➢ Information about any rights that the data subject has;
➢ The right to lodge a complaint with a supervisory authority.
*The above information is not provided if the data subject already has it.
Art. 15. Right to access to his or her personal data – the data subject has the right to receive from the Bank confirmation as to whether personal data relating to him or her are being processed and, if so, to obtain access to the data and the following information:
➢ Purpose of processing;
➢ The relevant categories of personal data;
➢ The recipients or categories of recipients of the personal data, if any;
➢ The controller's intention to transfer the personal data to a third party (where applicable);
➢ The period of storage of personal data;
➢ Existence of the right to rectification of personal data, as well as the right to object to the processing of personal data;
➢ The existence of automated decision-making, including profiling (if any);
➢ Information about any rights that the data subject has;
➢ The right to lodge a complaint with a supervisory authority.
Art. 16. Right of rectification of personal data (if the data is inaccurate) – the data subject has the right to request the Bank to rectify any inaccurate personal data relating to him or her without undue delay.
Art. 17. Right to erasure of personal data (right "to be forgotten") - The data subject may request erasure by the Bank if any of the following conditions are met:
➢ The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
➢ The data subject withdraws his or her consent, which constitutes the sole basis of data processing and there is no other legal basis for the processing /processing pursuant to a legal obligation of the Bank, a contract concluded with the Bank/;
➢ The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
➢ The personal data have been unlawfully processed;
➢ The personal data have to be erased in compliance with a legal obligation under the Union law or the law of the Republic of Bulgaria, to which the Bank in its capacity as a controller, is subject;
➢ Personal data was collected in relation to the offer of information society services to children and consent was given by the holder of parental responsibility over the child.
Art. 18. Right to restriction of processing by the Bank or the data processor – the exercise of this right requires the existence of specific conditions, such as:
➢ The accuracy/validity of the personal data is contested by the data subject. In this case, the processing shall be restricted for a period that allows the Bank to verify the accuracy of the personal data;
➢ The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
➢ The Bank no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
➢ The data subject has objected to the processing pending the verification of whether the Bank's legitimate grounds override those of the data subject.
Art. 19. Right to portability of personal data between individual controllers - the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Bank, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the Bank to which the personal data have been provided, where the processing is based on consent or a contractual obligation and the processing is carried out by automated means. In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from the Bank to another controller, where technically feasible.
Art. 20. Right to object to the processing of their personal data - data subjects shall have the right to object to the Bank against the processing of their personal data, and the Bank will terminate the processing, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. In case of an objection to the processing of personal data for the purposes of direct marketing, the Bank will terminate such processing immediately.
Art. 21. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Art. 22. Right to judicial or administrative protection, in the event that the data subject's rights have been violated - if the data subject considers that his or her right to data protection and privacy has been violated, he or she can lodge a complaint with the relevant supervisory body - Commission for Personal Data Protection - or seek protection of his or her rights in court.

V. Disclosure of Personal Data

Art. 23. "Bulgarian-American Credit Bank" AD may disclose personal data to the following categories of persons:
(a) The persons to whom the data refer, namely: persons using banking services or products or who have submitted a request for the use of banking services, as well as persons who are parties to banking and/or other commercial transactions and contractual relations with the Bank;
(b) Persons who have the right to access personal data by virtue of a law or other regulatory act;
(c) Persons for whom the right arises by virtue of a contract concluded with the Bank.

VI. Procedure for Exercising Rights

Art. 24. (1) Upon exercising their right of access, natural persons have the right at any time to request from "Bulgarian-American Credit Bank" AD:
1. confirmation of whether data relating to them are processed by the Bank, information on the purposes of processing of such data, the categories of data and the recipients of such data or the categories of recipients to whom the data are disclosed;
2. that the Bank send them a message in an understandable form, containing the personal data being processed and any available information about the source of such data;
3. information on the logic of any automated processing of personal data relating to natural persons, at least in the case of automated decision-making under the General Data Protection Regulation and the Personal Data Protection Act;
(2) Upon request, "Bulgarian-American Credit Bank" AD provides the information under para. 1 for free.
(3) Natural persons have the right at any time to request "Bulgarian-American Credit Bank" AD to:
1. erase, rectify or block their personal data, the processing of which does not meet the requirements of the applicable legislation;
2. notify the third parties to whom the personal data of the natural persons were disclosed, about any erasure, rectification or blocking carried out in accordance with item 1, except for cases where this is impossible or requires disproportionate effort by the Bank.
Art. 25. (1) Natural persons exercise their rights by submitting a written request to the Bank containing at least the following information:
1. name, PIN, address and other identification data of the relevant natural person;
2. description of the request;
3. preferred form of providing the information /oral or written - on paper or electronically/;
4. signature, date, mailing address and telephone number.
(2) The submission of the request is free of charge.
(3) Where the request is submitted by an authorized person, an explicit notarized power of attorney shall be attached to the request.
(4) In case of death of the natural person, his or her rights may be exercised by his or her heirs, and a certificate of heirs shall be attached to the request.
Art. 26. The request shall be considered and the Bank shall take a decision within 14 days. Where a longer period is needed in order to collect data and information, the request shall be considered and the Bank shall take a decision within 1 month of receiving the request. If necessary, this period can be extended by another two months. The Bank shall inform the data subject of any such extension within 1 month of receiving the request, indicating the reasons for the delay. Where the data subject submits a request by electronic means, the information shall be provided by electronic means whenever possible, unless the data subject has requested otherwise.
Art. 27. The Bank shall provide a response to the applicant, taking into account the applicant's preferred form of receiving information /orally or in writing - on paper or electronically/.
Art. 28. Where the data do not exist or their provision is prohibited by law, the applicant will be denied access to them.
Art. 29. In the event that the applicant is not satisfied with the response received and/or considers that his or her rights related to data protection have been violated, the applicant has the right to exercise his or her right of protection.

VII. Information about the data subject:

Controller: Bulgarian-American Credit Bank AD
UIC: 121246419
Seat and registered address: Sofia 1000, Sredets Region, 2 "Slavyanska" St.
Telephone: 070014488
E-mail: bacb@bacb.bg
Official website: www.bacb.bg
Data protection officer at BACB AD: Lilia Mileva
E-mail: dpo@bacb.bg

Supervisory body: Commission for Personal Data Protection
Address: Sofia 1592, 2 "Prof. Tsvetan Lazarov" Blvd.
Telephone: +359 2 915 3519
E-mail: kzld@cpdp.bg
Official website: www.cpdp.bg

Final provision

This policy was adopted by a Decision of the Management Board of "Bulgarian-American Credit Bank" AD dated 09.06.2016 and was amended by a decision of the Management Board dated 17.05.2018 and a decision of the Management Board dated 29.09.2022.
This Policy applies to the activities of BACB AD and its subsidiaries.