I. INFORMATION ABOUT THE PERSONAL DATA CONTROLLER
1.1. T.C. ZİRAAT BANKASI A.Ş., with registered office in the city of Ankara, Turkey performs bank-ing activity within the territory of the Republic of Bulgaria through T.C. ZIRAAT BANKASI – SOFIA BRANCH”, BRANCH OF FOREIGN MERCHANT, with Unified Identification Code (UIC): 121704731, having its registered office and headquarters address in the city of Sofia, Vazrazhdane municipal dis-trict, Postal (ZIP) Code 1301, 87 Tsar Samuil Street, hereinafter referred to as the Bank, while it is the controller of personal data and is responsible for compliance with the provisions of the General Data Protection Regulation 2016/679.
T.C. ZİRAAT BANKASI SOFIA BRANCH, BRANCH OF FOREIGN MERCHANT is a bank holding a banking activity License issued by the Bulgarian National Bank (BNB) and updated by Orders Nos. РД22-2274/16.11.2009 and РД22-2274/14.06.2010 of the Governor and the Deputy Governor of the Bulgar-ian National Bank (BNB) according to Art. 2, Paragraph 2, Item 1 of the Credit Institutions Act.
II. PURPOSES OF THE PERSONAL DATA PROCESSING
2.1. In order to provide quality banking services, the Bank processes personal data for the following purposes:
• for the performance of the banking activity and for the management of customer relations, the Bank processes personal data upon:
- obtaining information necessary for the conclusion of contracts for deposit collection, financ-ing, securing, etc.
- performing banking consulting operations for clients;
- performing operations for specific banking operations or transactions, economic movements or balance sheet changes;
- conducting audits, assessing the results and trends in banking relations and related risks;
- resolving disputes before the competent authorities.
• assessment of the creditworthiness of its customers, including by means of profiling. During the profiling, information about financial indicators, consumer behaviour and habits is analyzed in order to offer certain products or services;
• assessment of the reliability and timeliness of payments when providing loans;
• review of received signals, objections, complaints, performance of inspections, providing feed-back;
• management of anti-fraud activities. The Bank processes personal data when performing preven-tion, detection, investigation and management of anti-fraud activities, fulfilling its legal obliga-tions to implement measures for prevention of money laundering and terrorist financing.
• security of zones and premises, and access control. Personal data are processed through video surveillance systems; during operations at bank counters and offices, as well as during manage-ment and control of the traffic at entrances and exits from zones protected by electronic control systems.
• defence of the rights and interests of the Bank that justifiably prevail over the interests of the da-ta subject, including conducting direct marketing through researches of offered and/or used products and services, as well as by making proposals by phone, mail or other direct means of products and services of the Bank, for which a reasonable conclusion could be made that the cus-tomer could expects such proposals, taking into account the products and services of the Bank used by the customer.
III. GROUNDS FOR PERSONAL DATA PROCESSING
3.1. The Bank processes only the necessary personal data:
• necessary for the conclusion and performance of a contract – the Bank processes personal data in accordance with Art. 6, littera "b" of Regulation (EU) 2016/679, where the processing is necessary for performance of a contract to which the data subject - customer is party or in or-der to take steps to entering into a contract with the Bank. If the data subject - customer refuses to provide their personal data to the Bank, this may lead to inability of the Bank to provide the services requested by the customer;
• for which there is legal obligation to process;
• for which there is legitimate interest;
• for which the data subject has provided consent.
IV. RECIPIENTS AND CATEGORIES OF RECIPIENTS
4.1. In conjunction with the fulfilment of the above legal obligations and purposes, the Bank provides personal data of data subjects to the following recipients:
• public bodies and institutions supervising the activities of the Bank or the compliance with the applicable laws for banking activities;
• for making inquiries and receiving information from state bodies, registries, etc., e.g. the Na-tional Social Insurance Institute, the Central Credit Registry, the Civil Registration and Adminis-trative Services General Directorate, etc.;
• other state and municipal bodies and/or institutions - in conjunction with legal obligations or in conjunction with legal requests for information containing personal data;
• contractors issuing bank cards;
• persons involved in the process of collecting overdue receivables (e.g. couriers, lawyers, nota-ries, Private collectors)
• subcontractors of the Bank who are Personal Data Processors.
V. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
5.1. In certain cases, during the performance of its activities and in connection with the conclusion and performance of contracts, in order to comply with the internal rules of the Bank, personal data may be transferred to the headquarters of T.C. ZIRAAT BANKASı A.Ş. with registered address in Ankara, Turkey. Such transfer of personal data is carried out in compliance with the provisions of the General Data Pro-tection Regulation, for the purposes of making decisions, administration and control in connection with the provision and performance of the services of the Bank.
VI. USE OF COOKIES
6.1. In order to make the customer experience as functional as possible, we use cookies. The cookies are small text files stored on the hard drive of the user.
6.2. Our web page uses the following cookies for better user experience:
• Cookies necessary for the functioning of user search allowing to use the main functionalities of the site and maintain the identification of the user at all times;
• custom cookies allowing personalized user experience according to the previous visits. Allow-ing faster finding of the right service or product for the respective user;
• advertising cookies allowing the user to receive offers from the Bank on the websites of exter-nal partners.
VII. PRINCIPLES OF THE PERSONAL DATA PROCESSING
Compliance with the provisions of the Regulation
7.1. The policy of the Bank aims ensuring compliance with the provisions of the Regulation.
Personal data are collected and processed lawfully and fairly
7.2. The Bank collects and processes personal data lawfully, fairly and in compliance with the princi-ples and rights of data subjects relating to their personal data processing.
Personal data are processed transparently
7.3. The Bank ensures transparency in the communication about the collected and processed personal data, and this information is short, transparent, understandable and in easily accessible form, and clear and unambiguous wording is used
No personal data are collected and processed that are not necessary for the activity
7.4. The Bank does not collect or process personal data in excess of its legal obligations or its needs for performing its activities.
Personal data processed are correct and updated
7.5. The Bank ensures that personal data processing is carried out with maximum correctness and, if possible, always up to date.
Personal data are processed by the minimum required number of persons
7.6. The Bank ensures that the access to and the personal data processing is performed by the mini-mum necessary number of persons (operators) having the required competence for such processing and the necessary commitment to their protection.
Personal data are stored for the minimum required period of time
7.7. The Bank processes your personal data for the periods regulated by the Bulgarian law and the reg-ulatory supervisory bodies. After the expiration of the legally established periods, the Bank will delete the unnecessary personal data. Personal data for which there is no explicit legal obligation for storing will be deleted after achieving the purposes for which they have been collected and processed. Person-al data may be stored for a certain period after achieving the purposes for which they have been col-lected, where such data are part of documents whose storage is important in order to defend the legit-imate interest of the Bank.
7.8. In any case, the Bank ensures at least annual review of the collected and processed personal data, while personal data that fall into any of the above hypotheses are deleted without undue delay.
VIII. RULES FOR PROCESSING PERSONAL DATA
Personal data are processed with the necessary security levels and measures
8.1.The Bank provides the necessary levels of physical, organizational and technological security measures depending on:
1. the nature, scope, context and purpose of the personal data processed;
2. the likelihood, impact levels and severity of the risk to the rights and freedoms of the data sub-ject in case of personal data breach;
3. its financial and organizational capabilities.
The Bank also provides all necessary measures for timely recovery of collected and processed per-sonal data in case of their loss as a result of accidental, malicious or force majeure events.
Personal data are processed with controlled and traceable access
8.2. The Bank provides the necessary and appropriate technical, organizational and technological measures for controlled and traceable access to personal data.
Personal data are processed with the necessary accountability for compliance with the Reg-ulation
8.3. The Bank provides the necessary accountability and registers to demonstrate compliance with the provisions of the Regulation.
Respect of the rights of the data subjects
8.4. The Bank ensures respect of the rights of the data subjects, including:
1. right to be informed about the personal data processing;
2. right of access to personal data - what data is available;
3. right of rectification of incorrect personal data;
4. right to erasure ('right to be forgotten');
5. right to restriction of processing;
6. right to be informed about actions due to request for correction, deletion or restriction of the processing of personal data;
7. right to data portability;
8. right to object to the processing of personal data;
9. right not to be subject to a decision based solely on automated processing, including profiling
IX. DATA PROTECTION OFFICER
If you have any further questions regarding the processing of your personal data or if you wish to exercise any of the above rights, you may contact the Data Protection Officer of the Bank.
Data Protection Officer of T.C. ZIRAAT BANKASI SOFIA BRANCH FTB is lawyer Nina Stoeva, Managing Partner at Counsel partnership Mikinski and Partners, Sofia.
• Address: 1000 Sofia, 30 Bacho Kiro Street , 1st floor
• E-mail: dpo@ziraatbank.bg
X. COMPETENT SUPERVISORY AUTHORITY
The Commission for Personal Data Protection (CPDP) is the independent state body, which pro-vides protection to the individuals in the processing of their personal data and in the access to these da-ta, as well as control of the compliance with the Personal Data Protection Act in the Republic Bulgaria.
If you suspect that your rights relating to the protection of your personal data have been violated, you can report to the CPDP at:
• Address: 1592 Sofia, 2 Professor 2 Tsvetan Lazarov Blvd.
• E-mail: kzld@cpdp.bg
• Website www.cpdp.bg