IMPORTANT ANNOUNCEMENT! Please note that, as of 1 May 2025, the Romanian Association of Banks has moved its headquarters; the new address is Strada Tudor Arghezi nr. 21, Clădirea H (Building H), etaj 4 (4th floor), sector 2, București.
  1. Overview

THE ROMANIAN ASSOCIATION OF BANKS (hereinafter „ARB”) has established a Privacy and Personal Data Protection Program (the „Program”), supported by an Information Security Policy that defines policies, standards, procedures, controls and guidelines to protect the critical information, information technologies and data collected, processed and stored by ARB. These policies describe the expectations and outcomes for a successful privacy and personal data protection program.

  1.1 Scope
    • ARB recognises and respects the privacy and data protection rights of individuals. „Personal data” means any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly.
    • This Privacy and Data Protection Policy sets out the minimum requirements to ensure ARB’s compliance with domestic and European legislation on privacy and data protection („Data Protection Requirements”).
  1.2 Scope of application

The Privacy and Data Protection Policy („Policy”) is part of the Privacy and Data Protection Programme, which provides policies, processes, procedures and guidance for data protection in accordance with the European Union’s General Data Protection Regulation (GDPR) and relevant national legislation.

  • ARB is committed to complying with data protection requirements, and this Policy sets out the policies and procedures for meeting them.
  • This Policy applies to personal data processed electronically by automated means or held manually by ARB in connection with its business operations.
  • The definition of processing is very broad and includes any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • This Policy therefore applies to all processing of personal data obtained from employees, agents, consultants, contractors, suppliers, service providers, investor clients and other third parties in the European Union.
  • This Policy must be implemented and followed by all ARB employees. Moreover, this Policy must be followed by ARB temporary staff, agents, consultants, contractors, suppliers and service providers when processing personal data on behalf of ARB.
  • This Policy is complemented by other ARB policies and guidance that address specific aspects of data protection requirements.
  • If an employee becomes aware of any laws or regulations that prevent them from complying with this Policy or any breach of this Policy, including any data security breach, they must inform the Data Protection Officer immediately upon becoming aware of such laws, regulations or breaches.
  1.3 Recipients

Unless otherwise stated, all ARB employees (including temporary employees, contract staff and consultants) must comply with the Policy described in this document.

The policy is designed to provide a minimum acceptable level of protection to the organisation, indicating procedures to ensure that these levels are maintained at all times.

The policy must be fully consistent with the needs of ARB’s activities at this time and in the foreseeable future.

  1.4 Exceptions

Exceptions to this Policy must be fully documented and justified by reference to the legitimate interests justifying them and sent to the Data Protection Officer for consideration.

The person requesting the exception must submit the request with supporting documents to the ARB management for review, approval or final rejection. All exceptions must be approved in advance.

All exception requests will be recorded and analysed for potential risks to the business and to security, and a decision will be made on whether or not they can be accepted. This process requires a risk acceptance memo signed by a department manager and approved by the Data Protection Officer, the IT department and the internal audit department.

  1.5 Consequences of non-compliance

All employees, contractors, consultants, service providers, partners and/or entities acting on behalf of ARB or those who have access to personal or confidential data controlled by ARB are bound by this Policy.

Prior to being issued a User ID, employees wishing to use ARB’s computer systems must sign an appropriate User Policy acknowledging that the user has read and understands the obligation to abide by this Policy.

Failure to comply with these and other information security policies may result in disciplinary action, up to and including dismissal. ARB employees found to be in violation of this policy may be subject to the following disciplinary actions:

  1. Verbal warning
  2. Written warning
  3. Placement in a business improvement programme
  4. Suspension
  5. Granting
  6. Termination of individual employment contract
  7. Investigations by competent authorities
  1.6 Compliance

This policy complies with relevant national and European legislation and regulations, specific industry standards, certification and contractual obligations and all ARB security policies.

  1.7 Monitoring

ARB reserves the right to verify compliance or non-compliance with this Policy, with or without consent and/or prior notice.

  1.8 Support

For any questions, comments or concerns, please contact ARB at the contact details in Annex 1.

  1.9 Update

ARB’s Executive Management is responsible for updating and reviewing this Policy and all policies, procedures, standards and guidelines.

  2. General information

The following information is provided for easier browsing and understanding of this policy.

  2.1 Related references

The policies, procedures, standards and regulations below may be referenced in the policy sections, subsections and statements in this document.

  • ARB policies, procedures, standards and guidelines
  1. Statute of the Romanian Association of Banks (ARB)
  2. ARB’s Organisational and Operational Rules V3.0 approved by the ARB Board of Directors on 25 June 2018 (updated in accordance with the provisions of the GDPR)
  3. Policy of the Romanian Association of Banks (ARB) on Information Security
  4. Computer Use Policy and Electronic Communications Policy of the Romanian Association of Banks
  5. Privacy and personal data protection policy
  • Regulatory requirements:
  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)
  2. Guidelines, opinions and other documents issued by European Data Protection Board (EDPB)
  3. Law No 129/2018 on amending and supplementing Law No 102/2005 on the establishment, organisation and functioning of the National Supervisory Authority for Personal Data Processing and repealing Law No 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data
  4. Decisions, guidelines and other documents issued by the National Supervisory Authority for Personal Data Processing
  3. Policy

All ARB information must be properly managed and controlled to protect its confidentiality, integrity and availability. To meet these requirements, ARB will implement privacy principles and security controls. The principles will also protect the personal data that ARB stores and processes in the course of its ongoing business activities.

  3.1 Principles of personal data protection

ARB has adopted the following principles which will be respected in the processing of personal data:

  1. Personal data will be processed fairly and lawfully in accordance with the requirements of data protection legislation.
  2. The processing of special categories of personal data (defined in section 3.3 – Special categories of personal data, also referred to as sensitive personal data) is subject to additional data protection requirements, and special attention must be paid to their processing (e.g. health data).
  3. Personal data will only be processed for specified, explicit, lawful and legitimate purposes and will not be processed in any way incompatible with those purposes, unless: (i) the person to whom the personal data relate („Data Subject”) has given valid consent; or (ii) the processing is necessary for the legitimate interests pursued by ARB or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data.
  4. Personal data must be adequate, relevant and not excessive in relation to the purposes for which personal data are processed.
  5. Personal data must be accurate, complete and kept up to date for the purposes for which personal data are processed.
  6. Personal data must not be kept in a form which permits identification of the data subject for longer than is necessary for authorised purposes.
  7. Personal data are collected and processed in accordance with the rights of Data Subjects. Please refer to section 3.7 – Data Subject Rights of this Policy.
  8. Appropriate technical and organisational measures will be taken with regard to personal data. See section 3.9 – Data Security of this Policy.
  9. Personal data should not be transferred from the European Economic Area („EEA”) to a country outside the EEA unless that country is deemed to offer an adequate level of data protection or unless one of the cases described in section 3.6.3 (Transfers of personal data from the EEA) of this Policy applies.
  3.2 Consent of the data subject and the right to withdraw consent
    • Where the data subject's consent is given in the context of a written statement which also covers other matters, the request for consent must be presented in a form which clearly distinguishes it from the other matters, in an intelligible and easily accessible form, using clear and plain language. The data subject must indicate whether or not he or she consents to the processing of his or her personal data. Consent must be expressed in writing or by other lawful means. The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent prior to its withdrawal. The data subject must be informed of this right before giving consent. Withdrawing consent must be as easy as giving it.
      • ARB, when developing a system for obtaining consent, shall ensure that:

(a) separate consents are obtained for separate processing activities;

(b) consent is clearly distinguished from any other issues in a written document;

(c) the request for consent is in an understandable and accessible form in plain language;

(d) it is equally easy for the Data Subject to give and withdraw his or her consent;

(e) consent is not conditional on the performance of a contract, and data subjects must have a genuinely free choice to give their consent;

(f) the required information and disclosures described in Section 3.4 – Data Protection Notices are provided in the form of consent;

(g) it can be proved that consent, including the form of consent, has been obtained and that no request to withdraw consent has been received; and

(h) consent is given for all purposes when there are multiple purposes and the processing of personal data is limited to those specific purposes and therefore in accordance with the consent obtained.

  • Consents regarding sensitive personal data must also comply with the requirements of Section 3.3 – Sensitive Personal Data of this Policy.
  • Personal data may be held and/or stored if required by legislation, legal investigations or at the request of a legal authority having jurisdiction over the data.
  3.3 Special categories of personal data
    • Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
    • ARB will generally only be able to process special categories of personal data when:

(a) the data subject has given his or her express consent; or

(b) the processing is necessary in order for ARB to comply with employment law and the processing is specifically authorised or required by law.

  • The processing of special categories of personal data must be kept to a minimum and in any case only to the extent strictly necessary. Thus, where it is possible to process sensitive personal data anonymously or as aggregated data, this should be taken into account.
  • Personal data included in special categories:

(a) must be processed in accordance with the highest security standards, as specified in section 3.9 – Data security of this Policy; and

(b) access to such personal data must be limited to those persons who need it in order to perform their work-related tasks.

  3.4 Data protection notices
    • A data protection notice containing the information listed in section 3.4.2 below must be provided to Data Subjects before their personal data are processed or, if the data are received from a third party, as soon as possible after receipt, unless the Data Subject already has that information.
    • The data protection notice must be clear and must include the following minimum information:

(a) the identity and contact details of the controller (i.e. the person who determines the purposes and means of the processing of personal data) and, if applicable, of the Data Protection Officer;

(b) the purposes and legal basis of the processing, including the legitimate interest(s) pursued by ARB or a third party, if this is the legal basis of the processing;

(c) the recipients or categories of recipients of personal data;

(d) details of international transfers outside the EEA and how to obtain a copy of the relevant safeguards;

(e) the period of retention of personal data or, if this is not possible, the criteria used to determine this period;

(f) the existence of Data Subjects' rights (set out in section 3.7 below) and the right to withdraw consent;

(g) the right to lodge a complaint with the Data Protection Authority („DPA”);

(h) whether the provision of personal data is a legal or contractual requirement, or a requirement necessary to conclude a contract, whether the Data Subject is obliged to provide the personal data, and the possible consequences of not providing them; and

(i) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject.

  3.5 Disclosure of personal data to data processors and third parties
    • A data processor processes personal data on behalf of and in accordance with the instructions of a data controller, e.g. a supplier that holds personal data for ARB. Personal data may not be provided by ARB to any data processor unless a data processing agreement has been concluded in writing containing at least the following:

(a) the processor will process personal data only in accordance with the documented instructions of ARB;

(b) the processor will obtain ARB's prior authorisation before engaging a sub-processor;

(c) the processor will implement appropriate technical and organisational security measures as specified in the data processing agreement;

(d) the processor will assist ARB in meeting its obligations to respond to requests from Data Subjects, report security breaches, conduct data protection impact assessments and consult with the DPA;

(e) the processor will delete or return all personal data processed on behalf of ARB once the processing services have ended;

(f) ARB has the right to review the technical and organisational security measures implemented, and the processor will make its data processing facilities available to support audits carried out by or on behalf of ARB;

(g) the processor must comply with this Policy (to the extent relevant), all other relevant ARB policies and procedures, and applicable laws.

  • Standard data processing provisions containing the minimum security requirements that all data processors must agree to comply with can be obtained from the Data Protection Officer.
  • The Data Protection Officer will carry out regular checks on the processing of personal data by data processors.
  • To the extent that ARB discloses personal data to third parties that are not processors acting on ARB's behalf (e.g. disclosures in response to a request made by the police or a regulator), ARB will take reasonable and appropriate steps to maintain the required level of confidentiality in accordance with this Policy, and the Data Protection Officer should be consulted prior to making such disclosures to confirm that all legal conditions have been met.
  3.6 Transfers of personal data from the EEA
    • EU data protection requirements prohibit the transfer of personal data from the EEA to non-EEA countries which do not ensure an adequate level of protection unless certain exemptions apply.
    • A small number of countries are considered by the European Commission (by way of an adequacy decision) to provide an adequate level of protection, including Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The list of adequacy decisions changes over time and the European Commission's current list must be checked before relying on it.
    • Personal data should not be transferred from the EEA to a country that is not considered to offer an adequate level of protection unless one of the following exceptions applies:

(a)            the data subject has consented to the transfer;

(b)            the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in response to the data subject’s request;

(c)            the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;

(d)            the transfer is necessary or required by law on important public interest grounds or for the establishment, exercise or defence of legal claims;

(e) the transfer is necessary to protect the vital interests of the Data Subject;

(f) the EEA data exporter and the non-EEA data importer have entered into the European Union Standard Contractual Clauses („Model Contracts”); or

(g) the US data importer is certified under the EU-U.S. Data Privacy Framework, the successor to the US Privacy Shield („Privacy Shield”). The Privacy Shield itself was invalidated by the Court of Justice of the European Union in July 2020 (Schrems II) and can no longer be relied upon as a transfer mechanism.

  3.7 Rights of data subjects
    • Data subjects have certain rights under the Data Protection Requirements which may be subject to limitations and/or restrictions. These rights include the right to:

(a) request access to, rectification of or erasure of their personal data;

(b) obtain restriction of processing or object to the processing of their personal data;

(c) data portability;

(d) not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or similarly significantly affects the Data Subject.

  3.8 Marketing activities
    • Subject to applicable laws and ARB’s policies and guidance on promotional activities, Personal Data may only be processed to send marketing information to a Data Subject (including any employee) if the requirements of this Policy, including in particular sections 3.2 – Data Subject’s Consent and Right to Withdraw Consent and 3.4 – Data Protection Notices are complied with.
    • Recipients of marketing communications sent by e-mail must be able to object, free of charge, to the use of their electronic contact data at the time of collection of the contact data and when each message is sent.
    • The processing of personal data for direct marketing purposes must stop if requested by the Data Subject.
  3.9 Data security
    • Appropriate physical, technical and organisational measures must be taken to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, taking into account the costs of implementation, the nature of the data and the risks to which they are exposed.
    • These security measures must comply with the requirements of the ARB Information Security Policy.
    • Employees who are required, by virtue of their job description, to process personal data will receive training and guidance on data security. ARB will apply the basic security principles set out in this Policy and the ARB Information Security Policy.
    • It is the responsibility of all employees to report, as soon as possible, all security breaches or potential security breaches related to loss or unauthorised access to data or disclosure of personal data to the Data Protection Officer.
    • ARB will notify the ANSPDCP (the National Supervisory Authority for Personal Data Processing) without undue delay and, where feasible, no later than 72 hours after becoming aware of a personal data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
    • ARB will notify Data Subjects affected by a data breach without undue delay when the breach is likely to result in a high risk to their rights and freedoms, unless:

(a) appropriate technical and organisational safeguards (such as encryption that renders the data unintelligible to unauthorised persons) had been applied to the personal data affected by the breach; or

(b) ARB has taken subsequent measures which ensure that the high risk to the data subjects is no longer likely to materialise; or

(c) notification would involve disproportionate effort, in which case data subjects will be informed by a public communication or similar measure that is equally effective.

  • The content of all data, communications and information transmitted, used, received through or stored on ARB’s phones, computers, emails, instant messaging, voicemail, Internet or intranet connections, cell phones/smart phones, tablets, smart devices, pagers or other systems are records and property of ARB.
  • For the sole purpose of protecting ARB’s employees and cybersecurity interests, ARB reserves the absolute right to monitor, intercept, review, block, filter and disclose to others any data, communications, transactions sent, received or stored on these systems at any time. System monitoring, whether conducted periodically, randomly or otherwise for any maintenance, security, investigative or other purpose, shall be determined by ARB in its sole discretion.
  3.10 Openness, transparency and notification

ARB will make available information related to processing, data controllers and the contact point within ARB for any questions related to data privacy.

  3.11 Responsibility

ARB will ensure that all employees entrusted with the Data Subject’s data comply with ARB’s legal requirements and policies on privacy and data protection

The Data Protection Officer will monitor the data privacy policy and procedures (in line with the ANSPDCP guidelines on the application of the General Data Protection Regulation for controllers) and ensure that controls and processes are in place to maintain a high level of protection and the confidentiality, integrity and availability of personal data.

  3.12 Incident reporting and response

There will be a formal, communicated process for responding to cybersecurity and personal data breaches, including a reporting process that covers any Data Subject whose personal data has been affected by the breach. The supervisory authority will be notified within 72 hours of ARB becoming aware of a breach, and affected Data Subjects without undue delay where the breach is likely to result in a high risk to them, as set out in section 3.9 – Data security. The Data Protection Officer is responsible for notifying individuals and management.

  3.13 Implementation
    • This Policy will be made available to employees through the Human Resources Department, and to non-employees by such other means of notification as the Data Protection Officer may deem appropriate.
    • This Policy may be revised at any time. Notification of significant revisions is provided to employees through the Human Resources Department and to third parties through appropriate mechanisms.
  3.14 Questions and complaints

This Policy is administered and enforced by the Data Protection Officer, the Human Resources Department and the IT Department.

 Any questions or complaints about this Policy, the application of the requirements for the protection or processing of personal data may be addressed to the management of the organisation or, in the event of the appointment of a person in the role of Data Protection Officer, using the ARB contact details.

The EEA comprises the following countries: Austria, Belgium, Bulgaria, Croatia, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. The United Kingdom is no longer part of the EEA; transfers to the United Kingdom rely on the European Commission's adequacy decision.