Privacy policy on the collection and processing of personal data.

Protecting your personal data is one of the priorities of the B.C. Victoriabank S.A. The Bank informs you that it is registered with the National Centre for Personal Data Protection as a personal data controller under number 0000092.

B.C. Victoriabank S.A. informs you that, when providing financial-banking services, your personal data are collected, processed, stored and kept in accordance with Law no. 133 of 08.07.2011 on the protection of personal data.

Collection and use of information.

The Bank shall process its Customers’ personal data in good faith, in accordance with the Law on Personal Data Protection, other legislation and any guidelines, policies or codes of practice or conduct applicable to it or to which it is a party, under conditions that ensure their technical security and confidentiality, for the following purposes:

  • the provision of financial-banking products and services through all channels available for this purpose (e.g. Bank offices, internet, telephone, etc.);
  • identification of Customers;
  • carrying out preliminary checks (e.g. analysis of the risk exposure involved in the provision of a product/service of the Bank), aimed at assessing the Customer/other person concerned, in order to decide on the conclusion of certain banking operations or the contracting of certain products or services;
  • to get to know the Customers in order to prevent and combat money laundering and terrorist financing, both at the time of establishing the business relationship with the Bank and during the entire period of the relationship;
  • conclusion and execution of contracts concluded between the Bank and Customers;
  • fulfilment of legal reporting/evidence obligations imposed on the Bank by applicable legislation;
  • assessing creditworthiness, reducing credit risk, determining the level of indebtedness of Customers interested in the Bank's credit products;
  • collection and recovery of unperformed or improperly performed Monetary Obligations by Customers;
  • taking action/providing information, support services or responses to requests/complaints/claims of any nature addressed to the Bank by Customers through any channel, including electronic communication and internet services. The processing of Customer data for this purpose includes recording and storing any messages or telephone calls, whether initiated by the Customer or the Bank;
  • contacting and informing Customers in relation to products/services held by them with the Bank, for the purpose of proper performance of contracts (such as, but not limited to, account or card statements, information on opening hours of the Bank's branches, information on the insertion of seizures/restrictions on the accounts, notifications of unauthorized debits or overdue instalments, etc.);
  • audio recording of telephone conversations with the Bank in order to improve the quality of services, but also to provide proof of request/agreement/option regarding certain financial-banking services;
  • video recording of the presence of persons on the Bank's premises in order to maintain a high level of security of the Bank's customers, employees and property and to monitor the security of persons, premises and/or property of the Bank or visitors to its territorial units;
  • monitoring of the Customer’s activity and transactions;
  • centralizing operations, maintaining and updating an internal database in which information on Customers and other data subjects is stored for use by the Bank's employees in their work and in the Bank's internal applications, producing statistical reports and carrying out economic, financial and/or administrative management activities within the Bank;
  • the legal defense of the Bank's rights and interests;
  • creating or analyzing profiles for the improvement of the Bank's products/services, for personalized/general promotion by the Bank of its products/services or for carrying out marketing activities through any means of communications (e.g. communication by mail, telephone, e-mail, SMS of advertisements directly and specifically addressed to a specific person), including through/by entities within BT Financial Group;
  • carrying out general marketing or advertising activities, customer loyalty activities and surveys, including through/by entities within the BT Financial Group;
  • identify situations where social media users are also Customers of the Bank, in order to carry out personalized marketing, according to the Customer's choice;
  • analyzing the behavior of the Customer/any person accessing the Bank's website, through the use of cookies, both of the Bank and of third parties, in order to provide general or personalized content, offers tailored to users' interests;
  • for secondary purposes (e.g. archiving, internal or external audit, etc.), which are always compatible with the main purposes for which the data were originally collected by the Bank.

The Bank processes personal data (including biometric data) relating to the Customer obtained directly from the Customer, as well as data that is generated on the basis of such data or consulted from other official sources.

The categories of Customer personal data processed by the Bank for the above purposes are as follows:

  • identification data: surname, first name, patronymic, pseudonym (if applicable), date and place of birth, personal identification number or similar unique identifier, series and number of identity card/passport and copy thereof, domicile and residence (if applicable), telephone number, e-mail address, nationality, profession, occupation, name of employer or nature of own activity (if applicable), important public function held (exclusively in the context of obtaining information related to the status of politically exposed person), family situation (including marital status, number of children, dependent children), economic and financial situation, data on assets owned, financial data (including copies of income tax returns, confirmed by tax authorities, where their submission is mandatory under tax law), image, voice, specimen signature, Card number, Card expiry date, IBAN code. Some provisions of this paragraph (within the limits of the identification data required to be obtained according to NBM regulations) also apply with reference to the categories of persons affiliated to the Bank's Customers, according to legal and regulatory provisions;
  • data and information related to credit-type or credit-like products: type of product, term of grant, date of grant, due date, amounts granted, amounts due, status of account, date of account closure, currency of credit, frequency of payments, amount paid, monthly rate, name and address of employer, amounts outstanding, number of instalments outstanding, due date of arrears, number of days in arrears in repayment of credit, information relating to the individual's status as guarantor, co-obligor or beneficiary of an insurance policy in relation to the product granted.
  • data  (related to fraudsters) on fraudulent activities: information relating to the commission of offences or contraventions in the financial-banking field, in direct relation with B.C. "VICTORIABANK" S.A., established by irrevocable court decisions or by uncontested administrative acts.

The grounds on which the Bank processes the Customer's personal data are, as appropriate:

  • the Customer's consent, if it has been granted (e.g. in the case of direct marketing or automated decision making which produces significant legal or similar effects and which is not necessary for the performance of a contract or the fulfilment of a legal obligation). Customer consent to the processing of personal data is not required in cases where the basis for their processing by the Bank is a legal obligation, the conclusion/performance of the contract, the legitimate interest of the Bank or overriding public interest, as well as in other cases provided for by law.
  • to perform a contract to which the Customer is a party (e.g. to provide financial-banking services, to provide support services for the Customer's requests, to send notifications about the products held, etc.) or to take pre-contractual steps at the Customer's request to conclude a contract (to carry out preliminary assessment and acceptance checks on the Customer) or to provide the Customer with information about the products held or support for their use;
  • the legal obligation incumbent on the Bank (e.g. identification and knowledge of the Customer, identification and prevention of fraud, reporting of financial-banking activity parameters, FATCA provisions);
  • the legitimate interest of the Bank (e.g. centralizing operations and maintaining an internal database, exploring ideas for streamlining the way the Bank's entire network and all banking processes operate, carrying out statistical analysis of the Bank's customer portfolio, performing day-to-day operations for the Bank's financial-banking business by carrying out relationship management with the Bank, analyzing and minimizing the financial and reputational risks to which the Bank is exposed in connection with the provision of financial-banking services and products, accumulating a high level of knowledge of the financial-banking market, planning the strategic development of the Bank, developing and improving the Bank's products and services, ensuring a high level of security both at the level of the IT systems (e.g.: applications, network, infrastructure, website) as well as in the physical locations (e.g. back office, front office, head office), maintaining the stability of the financial system, in particular in terms of detecting and minimizing fraud risks that may affect the Bank);
  • substantial public interest (e.g.: mitigating the risk related to the business relationship with a politically exposed person, as mentioned in Law 308/2017 on preventing and combating money laundering and terrorist financing).

For the fulfilment of the legal obligations to know the Customer, if the Customer omits or refuses to update his/her personal data in its records, the Bank may update his/her data on its own initiative, based on information obtained from other reliable sources, or directly from the Customer if he/she has provided it to the Bank for other purposes (e.g., if a Customer has not declared an e-mail address to the Bank when establishing or during the business relationship, but provides such an address for use by the Bank for the purpose of sending advertising messages, the Bank will process the Customer's e-mail address also for the purpose of conducting the business relationship with that Customer).

The processing of the Customer's personal data is mandatory, so that the Customer's refusal to provide it will make it impossible for the Bank to provide the banking services or products, unless the data processing is based on the Customer's consent (e.g. in case of direct marketing), in which case the Customer will be informed that the provision of the data or consent is optional.

If the Customer is the one who provides the Bank with information about other persons, the Customer is obliged to inform those data subjects of the purpose of the processing, the recipients of the processing and the data processed.

Recipients of the Customer's personal data processed by the Bank. 

Personal data of the Bank's Customers are disclosed or, where appropriate, transferred, including across borders, in accordance with the applicable legal grounds depending on the situation, and only under conditions that ensure full confidentiality and data security, to categories of recipients such as, but not limited to: Customers, branches, agencies, workplaces, representative offices of the Bank, entities within the BT Financial Group, assignees, authorized representatives and partners of the Bank, public authorities and institutions, bailiffs, notaries, lawyers, courts, entities to which the Bank has outsourced some banking services/products, shareholders, affiliates of the Bank, record-keeping systems such as the Credit Histories Bureau, entities set up for the purpose of monitoring banking risks, IT service providers, archiving, courier, interbank payment processing, bank card providers, social networking providers, social media marketing service providers, insurance companies, international payment organizations, non-bank banking or financial institutions, including from outside the European Economic Area - in the case of international SWIFT transfers or as a result of processing for FATCA purposes.

The Customer's initiation of transactions such as payment orders constitutes his/her consent to the transfer of his/her personal data to the respective countries.

Customer Rights.


Any Customer benefits from the rights offered by the legislation in the field of processing and protection of personal data, namely:

  • Right to information - the right to receive information on the purpose of the processing carried out by the Bank, the recipients of the personal data, the existence of special rights of the data subject with regard to his/her personal data;
  • Right of access – The customer may request and obtain confirmation as to whether or not his/her personal data are processed by the Bank, and if so, may request access to them and certain information. Upon request, the Bank will also issue a copy of the personal data processed, and additional copies may be charged at the Bank's actual cost;
  • Right to intervention – in cases strictly provided for by law, the right to obtain the rectification, updating, blocking or erasure of personal data processed unlawfully;
  • Right to objection – The customer may at any time, for reasons relating to his or her particular situation, object to processing based on the legitimate interest of the Bank (including profiling) or carried out in the exercise of a public interest or an authorization vested in the Bank, or object to the processing of his or her data for commercial purposes, unless otherwise provided by law;
  • Right to lodge a complaint – The customer may lodge a complaint with the National Centre for Personal Data Protection about the way personal data are processed by the Bank;
  • Right to withdraw consent – where processing is based on  consent, consent may be withdrawn at any time. Withdrawal of consent will only be effective for the future, the processing carried out prior to the withdrawal will remain valid;
  • The right not to be subject to an individual decision – the right to request the annulment, in whole or in part, of any individual decision which produces legal effects on the Customer's rights and freedoms, based solely on the automated processing of personal data intended to evaluate certain aspects of his or her personality, such as professional competence, credibility, conduct and the like.
  • Right of access to justice – the right to bring an action before the courts for compensation for material and non-material damage in the event of damage directly related to the processing of Customer’s personal data.

Data protection and security. 

Data security is a priority concern for us and we take the appropriate measures to protect Customers' personal information from unauthorized access, use or disclosure. The security measures we have implemented and which shall be applied are:

  • The Bank ensures a comprehensive system of personal data security measures and continuously develops technical and organisational measures for the protection of personal data, including a Data Loss Prevention System).
  • IT/Security controls are applied within the Bank on a permanent basis in accordance with the legislation in force.
  • The Bank uses security solutions and technologies (antivirus solutions, firewall, data encryption, etc.), strict policies and procedures applied to Bank employees and working procedures.
  • All personal data collection and processing systems run on secure environments so that information is protected against unauthorized access. Access to the Bank's information/systems is granted only to authorized persons in strict accordance with internal security policies.
  • Bank employees are trained on the confidentiality of personal data, on the control of data processing and informed that unauthorized processing/disclosure of data is sanctioned in accordance with the applicable legislation.
  • The authentication of users accessing personal data in the Bank's information system and the logging of personal data access events is applied in the Bank.
  • The rooms in which personal data are processed are equipped with access control systems ensuring that only authorised persons have access. Access is restricted, being allowed only to employees/persons who have the necessary authorization. The bank uses access control system, video monitoring to identify attempts of unauthorized access/entry.
  • The Bank uses technologies that allow monitoring of events and detection of attacks, including on personal data collection/processing systems.
  • The Bank ensures a secure process for creating backup copies of personal data related to the systems in which personal data are collected/processed. Backups are created to ensure that they are protected against data loss and/or corruption. In the event of a security incident or system failure, customer data can be restored quickly and efficiently.
  • The Bank ensures continuous monitoring of internal systems to detect and prevent possible security incidents. We also conduct regular audits to ensure compliance with security standards and to identify any vulnerabilities.
  • The Bank ensures that personal data collection/processing systems are maintained with the latest security patches and updates to address known vulnerabilities and protect customer data from cyber-attacks.

Data retention period.

According to the legislation, the Bank must retain all documents and information necessary to comply with the customer and beneficial owner safeguards. This includes information obtained by electronic means of identification or any other secure remote or electronic identification process regulated, recognized or accepted by national authorities empowered by the law.

Copies of identification documents, all data relating to national and international transactions, business correspondence and other data required by the law must be retained for 5 years from the termination of the business relationship or the date of a one-off transaction respectively. In accordance with the provisions of the legislation on the Prevention and Combating of Money Laundering and Financing of Terrorism, for certain types of documents and information, the 5-year period may be extended for an additional 5 years period at the request of the Money Laundering Prevention and Combating Service or other bodies.

When the storage period expires, the data is deleted and/or destroyed.

If you visit bank branches or use the VB equipment  as ATMs, etc., your image is captured by the video surveillance system. The data collected by the video surveillance cameras which is placed inside the ATM is kept for 6 months, in the Bank's branches the panoramic video recordings are kept for 30 days, and for restricted access areas (operational counters) the storage period of the collected data is 6 months, after which the stored images are deleted by automatic procedure.

Victoriabank may revise this Privacy Policy from time to time, but will not create less favorable conditions for the users of the application in terms of processing and protection of personal data. Any changes to this Privacy Policy shall be posted on our website

If you have any questions or concerns about this Privacy Policy or how Victoriabank collects and processes your personal data, please contact us at one of the Bank's territorial units or by email at