1. AIM OF THE DATA PROTECTION POLICY

As part of its social responsibility, Idea Group Romania is committed to compliance with data protection laws in force. As a result of this commitment, Idea Bank has adopted this policy and ensure its publication on official website www.idea-bank.ro, so that it can be consulted by any interested party. This data protection policy applies throughout the Idea Group Romania and is based on basic principles accepted at European level on data protection. Ensuring Data Protection is the foundation of Idea Group's trustworthy business relationship and of the reputation of Idea Group as an attractive employer. 

The data protection policy provides one of the conditions necessary to ensure an adequate level of protection of personal data in accordance with the provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of personal data (hereinafter referred to as GDPR), which is directly applicable in all Member States of the European Union as of 25 May 2018, as well as of the national legislation adopted in the field of data protection.

2. SCOPE AND AMENDMENT OF THE DATA PROTECTION POLICY

Această politică de protecție a datelor se aplică tuturor companiilor din Grupul Idea Romania, adică Idea Bank, tuturor companiilor sale dependente de grup, companiilor afiliate și angajaților acestora. 'Dependente', în acest caz, înseamnă societatile in care Idea Group poate impune adoptarea directă sau indirectă a acestei Politici de Protecție a Datelor, pe baza majorității voturilor in adunarea generala a actionarilor, reprezentării conducerii majoritare sau prin acord. 

The data protection policy is applicable to all processing of personal data.

Individual companies in the Idea Group may adopt own internal regulations to ensure the compliance with this data protection policy. This data protection policy can only be modified under the direct coordination of the Idea Bank Data Protection Office. Changes will be immediately reported to the Idea Group Romania companies using the policy change process.

The latest version of the data protection policy can be accessed on the Idea Bank website: www.idea-bank.ro

3. NATIONAL LAW APPLICATION

This data protection policy is based on the confidentiality principles regulated at European level, without replacing existing national laws. If specific regulations are adopted at national level to implement the General Data Protection Regulation, Idea Group Romania will apply the most restrictive legislation.

Every company of Idea Group Romania is responsible for complying with this data protection policy and with the legal obligations imposed by the regulations in force.

4. PRINCIPLES FOR PERSONAL DATA PROCESSING

a. Fairness and lawfulness

Idea Bank protects individual rights of data subject to process personal data, and personal data are collected and processed legally and correctly.

b. Restriction to a specific purpose

Personal data is processed only for the purpose defined before the data collection is started. Subsequent changes to the purpose are possible only exceptionally, to a limited extent and require a foundation for these changes

c. Transparency

The data subject is informed about the way his or her data is processed. Generally, personal data is collected directly from the person concerned. When data is collected, the data subject must be aware of or be informed about:

• »Identity of the Data Controller,
• »The purpose of data processing,
• »Third parties or categories of third parties to whom data may be transmitted.

d. Data reduction and data economy

Before processing personal data, it must be determined whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is carried out. Where the purpose permits and where the costs involved are proportionate to the pursued purpose, anonymous or statistical data are used. Personal data are not collected in advance and stored for future potential purposes, unless this is required or allowed by applicable law.

e. Deletion

Personal data that is no longer required after the expiration of legal or business processes are deleted. If indications are identified as to the existence of interests that require protection or the historical importance of such data in individual cases, the Bank may retain the data until the interests deserving protection have been legally clarified or the corporate data archive has assessed the data to determine whether it should be kept for historical / archival purposes. When data deletion can impact the bank's computer systems, the data will be irreversibly anonymized, so that there are no longer any information that can lead to the identification of the data subject.

f. Factual accuracy; data updating

Personal data must be accurate, complete and, if necessary, updated. The Bank shall take appropriate measures to ensure that erroneous or incomplete data is deleted, corrected, completed or updated.

g. Data confidentiality and security

Personal data are subject to legal obligations of data privacy. These must be treated as confidential by each employee of the Bank, and appropriate organizational and technical measures are in place to prevent unauthorized access to, processing, or illegal distribution, as well as accidental loss, alteration or destruction.

5. RELIABILITY OF DATA PROCESSING

Personal data processing is allowed only on the legal grounds listed below:  

a.    Customer and partner data

a.1. Data processing for a contractual relationship

Personal data of counterparties, clients and partners can be processed to establish, execute, and terminate a contract. Consultancy services for the partner may also be included in the contract if this is related to the contractual purpose. Prior to the conclusion of the contract - during the contract initiation phase - personal data can be processed to prepare bids or purchase orders or to meet other requirements from the point of view of the conclusion of the contract. Counterparties can be contacted during the contract preparation process using the information they have provided. Any restrictions requested by counterparties must be respected. For additional advertising requirements, the requirements of point 5.a.2 must be met.

a.2. Data processing for advertising purposes

If the data subject contacts an Idea Group company to request information (for example, a request to receive product information), it is allowed to process the data to respond to this request.

Clients' loyalty or advertising activities are subject to additional legal requirements. Personal data may be processed for advertising purposes or for market and opinion research, provided this is compatible with the purpose for which the data was originally collected. The data subject must be informed of the use of his data for advertising purposes. If data is collected for advertising purposes only, disclosure by the data subject is voluntary. The data subject is informed that the provision of data for this purpose is voluntary. When communicating with the data subject, consent is obtained to process the data for advertising purposes. When giving consent, the data subject should be able to choose between the available contact forms, such as regular mail, e-mail and telephone (Consent, see 5.a.3).

If the data subject refuses the usage of its data for advertising purposes, its data may no longer be used for such purposes and must be blocked for use for those purposes.

a.3. Consent to data processing 

Data can be processed after receiving the data subject's consent. Prior to giving consent, the data subject must be informed in accordance with 4.c. of this data protection policy. Consent must be obtained in writing or electronically for documentation purposes. Under certain circumstances, such as phone conversations, consent can be given verbally. It is mandatory to document the granting of consent.

a.4. Data processing according to legal authorization

The processing of personal data is also permitted if the applicable law requires, imposes or allows it. The type and magnitude of the data processing must be necessary for the legal processing of data and must comply with the relevant legal provisions.

a.5. Data processing pursuant to legitimate interest

Personal data may also be processed if this is necessary for a legitimate interest of the Idea Group. Legitimate interests are generally of a legal nature (for example, collecting overdue claims) or commercial (for example, avoiding breaches of contract). Personal data can not be processed for purposes of legitimate interest if, in individual cases, there is evidence that the interests of the data subject has priority. Before processing data, it is necessary to determine whether there are interests that are worth protecting.

a.6. Processing of sensitive data

Sensitive personal data may be processed only if the law so requires or the data subject has given his express consent. These data may also be processed if it is mandatory for the affirmation, exercise or defense of legal claims relating to the data subject. If there are plans to process sensitive data, the Data Protection Officer should be informed in advance.

a.7.  Automated individual decisions

The automated processing of personal data that is used to assess certain aspects can not be the sole basis for decisions that have negative legal consequences or which could significantly affect the data subject. The data subject must be informed of the facts and results of the automated individual decisions and the possibility of responding. To avoid mistaken decisions, an employee must perform the test and check the plausibility of the result.

a.8. User data and internet

If personal data is collected, processed and used on websites or in applications, the data subjects must be informed about this in a privacy statement and, if necessary, cookie information. The privacy statement and any cookie information must be integrated so that it is easily identifiable, directly accessible and consistently available to the data subjects.

If user profiles (tracking) are created to evaluate the use of web sites and applications, the data subjects must always be properly informed according to the privacy statement. Personal tracking may only be carried out if permitted under applicable law or it is subject to the consent of the data subject.. If tracking uses a pseudonym, the data subject should be able to withdraw his / her consent according to the confidentiality statement.

If sites or applications can access personal data in a restricted area to registered users, the identification and authentication of the data subject must provide sufficient protection during access.

b. Employee data

b.1. Data processing for the employment relationship

In employment relationships, personal data can be processed, if necessary, for initiating, executing, and terminating the employment contract. When initiating an employment relationship, the applicant's personal data can be processed. If the candidate is rejected, his or her data must be deleted according to the required retention period, unless the applicant has agreed to remain in the file for a future selection process. Consent is also required for the use of data for additional application processes or before sharing the application with other companies in the group.

In the existing employment relationship, data processing must always refer to the purpose of the employment contract if none of the following circumstances apply to the processing of authorized data.

If the request procedure requires that information about an applicant is necessary to be collected from a third-party, the requirements of the relevant national laws must be fulfilled. In case of doubt, a consent must be obtained from the data subject.

There must be a legal authorization for the processing of personal data related to the employment relationship, but which was not originally part of the performance of the employment contract. These may include legal requirements, collective regulations with employees' representatives, employee consent, or the legitimate interest of the company.

b.2. Data processing according to authorization

The processing of employees personal data is also allowed if national law requires, imposes or authorizes it. The type and magnitude of the data processing must be necessary for the legal processing of data and must comply with the relevant legal provisions. If there is some legal flexibility, consideration should be given to the employee's interests that are worth protecting.

b.3. Collective agreements on data processing

If a data processing activity exceeds the purpose of fulfilling a contract, it may be permitted if it is authorized by a collective agreement. Collective agreements are wage agreements or agreements between employers and employees' representatives, in the limits allowed by labor law.
Agreements must cover the specific purpose of the intended data processing activity and must be drawn up within the parameters of national data protection legislation.

b.4. Consent to data processing

Employee data may be processed after the consent of the data subject. Declarations of consent must be presented on a voluntary basis. The involuntary agreement is null. The approval statement must be obtained in writing or electronically for documentation purposes. Under certain circumstances, consent can be given verbally, in which case it must be properly documented. In the case of the informed and voluntary submission of data by the relevant party, it can be assumed that the agreement does not require express consent. Prior to giving consent, the data subject must be informed in accordance with paragraph 4.c. of this data protection policy.

b.5. Prelucrarea datelor în baza unui interes legitim

Personal data can also be processed if it is necessary to impose a legitimate interest of Idea Group Romania. Legitimate interests are generally of a legal nature (eg filing, enforcing or defending against legal claims) or financial (eg business evaluation).

Personal data can not be processed on legitimate grounds if, in individual cases, there is evidence that the employee's interests deserve protection. Before processing data, you need to determine if there are interests that are worth protecting.

Control measures that require the processing of employee data can be taken only if there is a legal obligation to do so or if there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure should also be examined. The justified interests of the company (for example, compliance with the legal provisions and internal regulations of the company) must be weighed against the employee's interests to be protected and which may be affected by the control measure to be adopted. The legitimate interest of the company and any employee interests that deserve protection must be identified and documented before taking any action. In addition, any additional requirements in national law (eg co-decision rights for employees' representatives and information rights of data subjects) should be considered.

b.6. Processing of sensitive data

Sensitive personal data can only be processed under certain conditions. Sensitive personal data are data related to racial and ethnic origin, political beliefs, religious or philosophical beliefs, membership of a union / formation, and the health and sexual life of the person concerned. In accordance with national law, other categories of data may be considered sensitive or the content of the data categories may be filled in differently. Moreover, data relating to an offense can only be processed in accordance with the specific requirements of national law.

Processing must be expressly permitted or prescribed by national law. In addition, processing may be allowed if the responsible authority is required to fulfill its rights and obligations in the field of labor law. The employee may also expressly consent to the processing.

If there are plans to process sensitive personal data, the Data Protection Officer should be informed in advance.

b.7. Automated decisions

If personal data is automatically processed as part of the employment relationship and personal data is being evaluated (eg in the selection of staff or the assessment of competence profiles), this automatic processing can not be the only basis for decisions that would have negative consequences or significant problems for the affected employee. In order to avoid mistaken decisions, the automated process must ensure that a person evaluates the outcome and that this assessment is the basis for the decision. The person concerned must also be informed of the facts and results of automated individual decisions and the possibility of responding.

b.8. Telecommunications and internet

Phone equipment, e-mail addresses, intranet, and the Internet along with domestic social networks are primarily provided by the company for job-related tasks. They are a tool and a resource for the company. They can be used within the applicable legal regulations and the company's internal policies. In the case of authorized use for personal purposes, telecommunications secret laws and national telecommunication laws must be respected, if applicable.

In order to ensure the confidentiality, integrity and availability of data, the Bank may implement automated safeguards, including traffic analysis, to detect and prevent attack vectors or patterns, as well as responding to computer security incidents. In order to ensure a high degree of IT security and to address computer security incidents, the use of telephone equipment, e-mail addresses, intranet / internet networks and internal social networks can be registered for a temporary period. Evaluations of such data and the identification / profiling of a particular person may be made only in a concrete and justified case of suspected violation of applicable laws or policies of the Idea Group. Evaluations may only be carried out by the investigation departments, while ensuring respect for the principle of proportionality. Relevant national legislation must be respected in the same way as the Group's internal regulations.

The Bank will not process personal data in the absence of any of the above purposes. The same rule also applies if the purpose of the collection, processing and use of personal data is to be altered from the original purpose.

6. TRANSMISSION OF PERSONAL DATA

The personal data transmission to recipients outside or within the Idea Group is subject to the authorization requirements for the processing of personal data in accordance with Section 5. The data beneficiary shall be obliged to use the data only for the defined purposes.

If data is transmitted to a recipient outside of Idea Group Romania to a third country, this country must accept to maintain a level of data protection equivalent to this data protection policy. This does not apply where transmission is based on a legal obligation. A legal obligation of this kind may be based on the laws of the country of residence of the reporting company. In the alternative, the laws of the country of residence of the group company may recognize the purpose of transmitting data under the legal obligation of a third country.

If data is passed on by a third party to an Idea Group company, it must ensure that the data can be used for the intended purpose.

If the personal data are transferred from a company of the Group having its registered office in the European Union / European Economic Area to a company of the Group with its registered office outside the European Economic Area (third country), the company importing the data is obliged to cooperate with any investigation carried out by the competent supervisory authority in the country where the data exporter is established and complying with the supervisory authority's observations on the processing of the data transmitted. The same is applicable for data transmission by companies in groups in other countries. If they are part of an international certification system for complying with mandatory corporate data protection rules, they must ensure cooperation with relevant audit offices and agencies. Participation in such certification systems must be agreed with the Data Protection Officer.

If a data subject claims that this data protection policy has been infringed by the data importing Group company in a third country, the Group of the European Economic Area Exporting Data Company is committed to supporting the party concerned, whose data were collected in the European Economic Area, to establish the facts and to assert his rights under this policy against the group company importing the data. 

7. CONTRACT DATA PROCESSING

Processing data on its behalf means that a supplier is committed to process personal data without assuming responsibility for the affiliate business process. In these cases, a data processing agreement on its behalf must be concluded with external suppliers and among the companies within the Idea Group. The customer retains full responsibility for the correct performance of the data processing. The provider may process personal data only according to the customer's instructions. When issuing an order, the department placing the order must ensure that the following requirements are met:

a. The supplier must be chosen on the basis of his ability to cover the required technical and organizational measures.

b. The order must be sent in writing. Data processing instructions and customer and supplier responsibilities must be documented.

c. Data protection standards provided by the Data Protection Officer should be taken into account.

d. Before the data processing begins, the customer must be confident that the supplier will comply with his obligations. A supplier may document compliance with data security requirements, in particular by providing appropriate certification.

Depending on the risk of data processing, revisions need to be repeated regularly over the duration of the contract.

e. For cross-border contract data processing, the relevant national requirements for the disclosure of personal data abroad must be met. In particular, personal data in the European Economic Area may be processed in a third country only if the provider can prove that he has a data protection standard equivalent to this data protection policy. Appropriate tools can be:

i. Agreement on standard EU contract terms for contract data processing in third countries with the supplier and with any subcontractors.

ii. Supplier's participation in an EU accredited certification system to ensure a sufficient level of data protection.

iii. Recognize the mandatory corporate rules of the supplier to create an adequate level of data protection by the supervisors responsible for data protection.

8. RIGHTS OF THE DATA SUBJECT

Each data subject has the following rights. Their claim must be treated immediately by the responsible unit and can not be a disadvantage for the data subject.

a. The data subject may request information about the personal data that has been stored, how the data was collected, and for what purpose. If there are other rights to view the employer's documents (for example, the staff file) for the employment relationship under the relevant employment laws, they will not be affected.

b. If personal data is passed on to third parties, information about the identity of the recipient or categories of recipients should be provided.

c. If personal data is inaccurate or incomplete, the data subject may request correction or completion.

d. The data subject may contest the processing of his data for advertising or market research / public opinion purposes. Data must be blocked for these types of use.

e. The data subject may request that his data be deleted if the processing of such data has no legal basis or the legal basis is no longer valid. The same applies if the purpose underlying the processing of data has expired or has ceased to be applicable for other reasons. Existing retention periods and conflicting interests to be protected must be respected.

f. The data subject generally has the right to oppose the processing of his data and this must be taken into account if protection of his interests takes precedence over the interest of the data controller following a specific personal situation. This does not apply if a legal provision requires data to be processed.
In addition, each person concerned may claim the rights in points 3.b, 4, 5, 6, 9, 10 and 14.c. as a third party beneficiary if a company that has accepted to comply with the Data Protection Policy does not meet the requirements and violates the rights of the party.

9. CONFIDENTIALITY OF PROCESSING

Personal data is subject to data privacy. Any unauthorized collection, processing or use of these data by employees is forbidden. Any data processing performed by an employee who has not been authorized to perform as part of his / her legitimate duties is considered unauthorized. The 'need to know' principle is applicable. Employees may have access to personal information based on the suitability of this access to the types of data and the intended purpose. This is based on a careful breakdown and segregation of the bank's employees' duties and involves the implementation of roles and responsibilities for each employee.

Employees are prohibited from using personal data for private or commercial purposes, disclosing them to unauthorized persons, or making them available in any other way. Hierarchical superiors inform their employees at the beginning of their work relationship about the obligation to protect data privacy.

In the case of unauthorized use of personal data, employees may be punished in accordance with the laws and regulations in force within the Idea Bank Group.

The obligation to maintain the confidentiality of personal data remains valid after the end of the employment period, the sanctions applicable in case of breach of the confidentiality obligation are those provided by the legal framework in force.

10. PROCESSING SECURITY

Personal data is protected against unauthorized access and against unauthorized processing or disclosure, as well as accidental loss, alteration or destruction. This applies regardless of whether the data are processed electronically, on paper or by other means. Prior to introducing new data processing methods, especially new IT systems, technical and organizational measures for the protection of personal data are defined and implemented. These measures must be based on the technical status, the processing risks and the need to protect the data (determined by the data classification process).

In particular, the responsible organizational structure can consult with the Information Security Officer (OSI) and the Data Protection Officer. The technical and organizational measures for the protection of personal data are part of corporate information security management and are continuously adapted to technical developments and organizational changes.

11. DATA PROTECTION CONTROL

Compliance with data protection policy and applicable data protection laws is regularly verified through data protection audits as well as other controls. Performing these controls is the responsibility of the Data Protection Officer, Data Protection Coordinators and other audit units of the Group or the external auditors. The results of the data protection controls are reported to the Data Protection Officer. Idea Bank's Board of Directors is informed of primary outcomes as part of the reporting tasks of the Data Protection Officer. Upon request, the results of the data protection controls will be made available to the data protection authority. The Data Protection Authority may carry out its own compliance checks with the regulations in this policy, in accordance with national law.

12. DATA PROTECTION INCIDENTS

All employees are required to immediately inform the supervisor or the Data Protection Officer of breaches of this data protection policy or other privacy protection regulations (data protection incidents), whether there is regarding to violation of privacy, data integrity, or their availability. The manager of the organizational structure is required to immediately inform the Data Protection Officer of the data protection incidents.

In cases of:

• »Inappropriate transmission of personal data to third parties,
• »Inappropriate access to personal or private data
• »Loss, destruction or alteration of personal data, 

the manager of the organizational structure in question shall, as a matter of urgency, draw up the referral reports in accordance with established rules for Managing Information Security Incidents so that urgent action can be taken to limit the harm to data holders and to comply with obligations of incidents reporting and notification to the supervisory authority.

13. RESPONSABILITIES AND SANCTIONS

The management of each company in the Idea Group, as well as their employees and their representatives, are responsible for the data processing in their area of responsibility. Therefore, they are required to ensure that the legal requirements for data protection and those contained in the data protection policy (eg national reporting obligations) are met. Management bodies have a responsibility to ensure that there are organizational, human and technical measures in place to ensure that any data processing is conducted in accordance with data protection. Compliance with these requirements is the responsibility of organizational managers.

Data Protection Officer of Idea Bank is immediately informed of the data protection supervisory authorities' controls.

The managing bodies of the Idea Group  companies inform Idea Bank Data Protection Officer of the name of the Data Protection Officer of their company without excluding the possibility that several companies in the group may appoint the same person in the role of the Officer Data Protection.

Data Protection officers are the contact persons listed on the Group companies' websites in the data protection section. They can perform checks and familiarize employees with the content of data protection policies. The departments responsible for business processes and projects inform the Data Protection Officer in good time about new personal data processing. For data processing plans that may pose special risks to the individual rights of the data subjects, the Data Protection Officer is informed before the processing begins. This applies necessarily to sensitive personal data. Managers ensure that their employees are adequately trained in data protection. Inappropriate processing of personal data or other breaches of data protection laws may lead to claims for damages. Violations for which individual employees are responsible may lead to sanctions provided for in labor law.

14. DATA PROTECTION OFFICER (DPO)

The Data Protection Officer, being independent from the point of view of professional orders, carries out his work to comply with the legislation on data protection in force. He is responsible for, and overseeing, data protection policy. The Data Protection Officer has a direct reporting line to the Board of Directors of the company in which he operates.

Idea Group companies in Romania that are legally obliged to appoint a Data Protection Officer will designate a Data Protection Officer.

Data Protection Officers in the Bank's subsidiaries shall promptly inform Idea Bank's Data Protection Officer of any data protection risk.

Any data subject may approach the Data Protection Officer at any time to raise concerns, ask questions, request information, or file complaints about data protection or data security issues. If requested, concerns and complaints will be treated confidentially.

If the Data Coordinator can not resolve a complaint or remedy a breach of the data protection policy, the Data Protection Officer is immediately consulted. Decisions taken by the Data Protection Officer to address data protection violations must be supported by the management of the company concerned. Surveillance authorities' inquiries are always reported to the Data Protection Officer.

The contact details of the Data Protection Officer are as follows:
Idea Group Romania, Data Protection Officer (DPO),
E-mail: dpo@idea-bank.ro

15. DEFINITIONS

• Data is anonymized if personal identity can never be traced by anyone, or if the personal identity could be recreated only with an unreasonable amount of time, expense and labor.
• Consent is the voluntary, legally binding agreement to data processing.
• Data protection incidents are all events where there is justified suspicion that personal data is being illegally captured, collected, modified, copied, transmitted or used. This can pertain to actions by third parties or employees.
• Data subject under this Data Protection Policy is any natural person whose data can be processed. In some countries, legal entities can be data subjects as well.
• The European Economic Area (EEA) is an economic region associated with the EU, and includes Norway, Iceland and Liechtenstein.
• Sensitive data is data about racial and ethnic origin, political opinions, religious or philosophical beliefs, union membership or the health and sexual life of the data subject. Under national law, further data categories can be considered highly sensitive or the content of the data categories can be structured differently. Moreover, data that relates to a crime can often be processed only under special requirements under national law.
• Personal data is all information about certain or definable natural persons. A person is definable for instance if the personal relationship can be determined using a combination of information with even incidental additional knowledge.
• Processing personal data means any process, with or without the use of automated systems, to collect, store, organize, retain, modify, query, use, forward, transmit, disseminate or combine and compare data. This also includes disposing of, deleting and blocking data and data storage media. Processing personal data is required if the permitted purpose or justified interest could not be achieved without the personal data, or only with exceptionally high expense.
• Data Controller is the legally independent company of the Idea Group, whose business activity initiates the relevant processing measure.
• A sufficient level of data protection in third countries is acknowledged by the EU Commission if the core of personal privacy, as unanimously defined in the member countries of the EU is adequately ensured. When making its decision, the EU Commission accounts for all circumstances that play a role in data transmission or a category of data transmission. This includes the opinions under national law and relevant applicable professional standards and security measures.
• Third countries under the Data Protection Policy are all nations outside the European Union/ EEA. This does not include countries with a data protection level that is considered sufficient by the EU Commission.
• Third parties are anyone apart from the data subject and the Data Controller. In a case of Data Processing in Behalf data processors in the EU are not third parties under the data protection laws, because they are assigned by law to the responsible entity.
• Transmission represents all disclosure of protected data by the responsible entity to third parties.

Details regarding the conditions for the processing of personal data may be found here.