General data protection policy

According to Regulation (EU) no. 679 of April 27th, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "GDPR"), applicable as of May 25th, 2018, LIBRA INTERNET BANK SA, as the "Controller", processes your personal data in good-faith and for the achievement of the purposes provided by this policy.

You made available to LIBRA INTERNET BANK SA your personal data, in the capacity of data subject, on the date of the conclusion of the General Framework Agreement on Banking Services or on the date of filing the application whereby the provision of services by the Bank is requested.

1. The personal data that LIBRA INTERNET BANK SA can process are the following:
surname and name, nickname, sex, date and place of birth, citizenship, signature, civil status data, phone/fax, address (domicile/residence), e-mail address, profession, workplace, professional training (graduation diplomas, studies), income, income sources, economic and financial status, data on assets held, banking data, public office, political exposure, photo or video recording of facial image, personal numeric code, series and number of the identity card, data on criminal offences. The data are different, depending on products and services provided, as well as on the processing purposes.

2. The purposes of personal data processing can include the following:

  • a) the performance of the know-your-client operation, respectively the operation of reporting suspicious transactions, under art. 6 paragraph 1), letter c) of the GDPR, respectively for the fulfillment of a legal obligation, in cooperation with the legislation on the know-your-client for the prevention of money laundering and terrorism financing (Regulation no. 9/2008 of NBR on the know-your-client for the prevention of money laundering and terrorism financing and law no. 656/2002 on preventing and sanctioning money laundering and establishing measures for preventing and fighting against terrorism financing);
  • b) the assessment of crediting risk, according to art. 6 paragraph 1), letter c) of the GDPR, respectively Regulation no. 5/2013 on prudential requirements for credit institutions and Government Emergency Ordinance no. 99/2006 on credit institutions and capital adequacy;
  • c) the conclusion and execution of financial-banking services agreements concluded with you, according to art. 6 paragraph1, letter b) of the GDPR;
  • d) the performance of credit reporting or the provision of other pieces of information to state institutions according to art. 6 paragraph 1), letter c) of the GDPR and of the applicable special legislation;
  • e) the collection of debts/recovery of debts that you owe to LIBRA INTERNET BANK SA, according to the concluded agreements and to legitimate interest of LIBRA INTERNET BANK SA to recover the debts in connection with the existent contractual relationship, according to art. 6 paragraph 1), letter b) and f) of the GDPR;
  • f) for the purpose of financial-banking assessment and liquidity risk assessment, assessment of lodged securities etc., according to art. 6 paragraph 1), letter c) and letter f) of the GDPR;
  • g) for statistical purposes, according to art. 6 paragraph 1), letter f) and art. 89 of the GDPR;
  • h) for granting certain benefits such as travel insurances, preferential interest rates for certain categories of clients, etc;

3. The term of personal data processing
The data processing (including storage) shall be performed throughout the validity term of the agreements concluded with LIBRA INTERNET BANK SA, and subsequently, according to the provisions of Law no. 656/2002 on preventing and sanctioning money laundering and establishing measures for preventing and fighting against terrorism financing, as well as Regulation no. 9/2008 of NBR on the know-your-client for the prevention of money laundering and terrorism financing.
The data processing (including storage) in case no contractual relationships was concluded with you, shall be performed throughout the term provided by Law no. 656/2002 on preventing and sanctioning money laundering and establishing measures for preventing and fighting against terrorism financing.

4. The need for personal data processing
If you refuse to communicate the aforementioned data for the purposes referred to in letters a) - f) above, you will not be able to have legal relationships with LIBRA INTERNET BANK SA, as it will find itself in the impossibility to comply with the requirements of the special regulations in the financial-banking field on the know-your-client, the prudential requests and other legal provisions, including to assess the request on the provisions of services by LIBRA INTERNET BANK SA, to conclude, perform and execute the agreement requested by you.

5. Data Processors and Recipients
Personal data can be delivered to: data subjects, representatives of data subject, Credit Risk Center, Credit Office, debit collection agencies / debt recovery agency, the Electronic Archive for Secured Transactions, contractual partners (lawyers, notaries, advisors, accountants, censors and auditors and other partners who the obligation of confidentiality on the delivered data is incumbent on), contractual partners involved in the execution of the agreement or who ensure the supply/provision of services in connection with the banking activity (i.e. courier, security, protection and monitoring, insurances, payment processing, card printing, etc), insurance companies, related banking institutions, courts of law and criminal prosecution bodies, Internal Guarantee Funds (i.e. FGDB, FNGCIMM etc) and International Guarantee Funds (i.e. European Investment Fund).
Furthermore, personal data shall be disclosed only to state authorities according to their competences and applicable legislation, such as the National Bank of Romania, ANAF, National Office for Prevention and Control of Money Laundering, etc.
The data delivered to third parties shall be appropriate, relevant and non-excessive in relation to the purpose for which they were collected and which allows the delivery to a third party.

6. International transfer
The data provided can be transferred to entities in the European Union / European Economic Area, in case of external payment operations and European fund financing.
The data shall be transferred to SWIFT (Society for Worldwide Interbank Financial Telecommunication), in the capacity of controller, if you request operations on external payments which include processing by SWIFT system.
There is the possibility that the data transferred to SWIFT, in the capacity of controller, are accessible to the US Treasury Department. We hereby note that for the international transfer in the USA, there is available Decision of the European Commission of July 12th, 2016, pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by UE-US Privacy Shield.
If you are a citizen of the United States of America (USA) or resident on the USA territory, we hereby inform you that, according to the FATCA (the US Foreign Account Tax Compliance Act), you shall be directly bound by the legal provisions on the US tax regime and your data will be delivered to the US tax authorities

7. Data subject rights
In the capacity of data subject, in what concerns your personal data, you shall have the following rights provided by GDPR: right of information and access, data restriction and rectification right, data portability right, data erasure right, the right not to be subject to a decision based exclusively on the automatic processing, including the creation of profiles, which could cause legal effects on you, the right to resort to the National Supervisory Authority for Personal Data Processing and to justice, the right to oppose at any time to the processing of the data, in the situations provided by the law.
In order to exercise these rights, you can submit a written request to LIBRA INTERNET BANK SA by means of Internet Banking/Mobile Banking service, in any of the branches of the bank, at e-mail address protectiadatelor...librabank.ro or at the following address: 4-6 Semilunei St., district 2, Bucharest.
The personal data controller warrants that it processes your data under legitimate terms, by implementing at the same time technical and organizational measures for ensuring data integrity and confidentiality according to art. 25 and 32 of the GDPR.
If the data processing operation is based on art. 6 para 1), letter a) of the GDPR, respectively your consent, the Bank shall inform you under a separate document, according art. 13 of the GDPR, and you will express your option by means of the respective document.