One of the main concerns of Bulgarian Development Bank ЕAD is the security of personal data of natural persons – our clients and partners, and for that we have taken the necessary measures to bring the activities of all our offices/branches and employees in line with the best practices and legal requirements for data protection and privacy.
When collecting personal data of our clients, we follow the principle of data minimization, lawfulness, transparency and security. The Bank (hereinafter referred to as the "Company") seeks to process only the personal data that are essential and suitable to achieve the Bank‘s objects.
Categories of personal data being processed and objectives
BDB processes such personal data that are necessary and associated with its business, acting as administrator or co-administrator of personal data.
Regardless of why you share your personal data with us, we recommend that you not disclose any sensitive personal information such as data on racial or ethnic origin, religion, membership of trade unions, sexual orientation, health status, etc. unless is a necessary condition for you to be provided with a service by the Bank.
Personal data processed in connection with the direct or indirect granting and securing of loans and provision of other banking services
Depending on the specific product/service we offer, we process the following types of personal data:
- Personal data for the purposes of identification and contact with the person, such as full name, Personal ID Number, identity card number, nationality, address and telephone, signature specimen, client number, bank account number, information about legal representatives and representatives contained in powers of attorney, marital status and family ties, workplace and job details, online banking certificate details;
- Personal data about individual‘s financial position, such as property status, credit indebtedness, salary, insurances, participation in business companies, information about the products of the BDB Group used by you, etc.;
- Personal data of related persons, such as family status and family ties; names, address and property status of related persons (guarantors, partners, family members); company legal relations in respect of participation in legal entities;
- Personal data related to special legal requirements. When we are legally obliged we collect data on conflicts of interest, origin of funds, copy of identity document, connectivity data, etc.
- Personal data when concluding transactions by phone - in addition to identification data, we also collect and record the voice and the content of the conversation with a representative of the Bank;
- Other personal data that you disclose to us, such as personal data contained in the on-lending resource portfolio of sub-deals contained in the individualization of property pledged in favor of the Bank and contained in your letters or communications to us, in complaints or signals;
The processing of personal data by the Company is always related to a product/service provided by it or directly/indirectly requested by the data subject at present or earlier, with such data processing being necessary for the achievement of any of the following purposes:
- identification of the person and their representative power;
- preparation and performance of a contractual agreement concluded by and between the Company and the data subject (for example, in connection with an application for granting or securing a loan, maintaining a payment account, executing payment transactions, participating, reporting the results and providing security in connection with the implementation of funding programs using a BDB resource); legal and financial analysis, and assistance with a view to the provision, maintenance and termination of any bank products and services offered by us (including in respect of any security provided to the bank);
- Mandatory data processing under a legal obligation (to prevent money laundering and terrorist financing, to fulfill certain tax obligations, to transmit data to the Central Credit Register, Central Register of Registered Pledges, Registry Agency, or to implement any international conventions and treaties);
- to fulfill our obligation to provide information to public authorities and institutions, such as the Bulgarian National Bank, the National Social Security Institute, the National Revenue Agency, the State Agency for National Security, judiciary and prosecution authorities, etc.;
- to protect our rights and legitimate interest in collecting receivables (including enforcement collection and with the assistance of judicial authorities, advisers and enforcement agents) under contractual agreements made by and between the Company and the data subject, in person or as a legal representative, or, as the case may be, by and between BSB’s on-lending partner and the data subject;
- Risk management based on legitimate interest (data for analysis, assessment, compliance with regulatory and legal requirements for capital adequacy, fraud prevention, strategic planning and management of the Bank’s portfolio);
- client classification based on MiFID and MiFID II;
- credit assessment and rating, client profiling; assessing whether they are eligible for a loan under the relevant funding program;
- statistical analyzes and evaluations;
- handling complaints;
- making contact with data subjects and their representatives about a bank account opened with the Company in connection with any important announcements and notifications that need to be made and given;
- other purposes set out in the client agreement or in the relevant General Terms and Conditions for the Bank Services offered by the Company (where such are available);
Personal data processed for the purpose of improving customer service and advertising
Based on your prior consent and if requested, we may disseminate information about a project of yours funded with the help of BDB Group, details about your name, location and photo (for example, by publishing such on the BDB Group websites). We use such personal data to encourage more citizens, small and medium-sized enterprises to develop their business with the help of BDB Group.
Personal data processed when visiting the website and offices of the Company
When you visit our offices and to protect your and our security, we use physical security measures such as surveillance with CCTV cameras and access control by registering visitors at a reception desk.
The personal data we process are visitor names, date and time of access to the building as well as video image. We store these data in a safe place, allowing only a limited circle of people to access them, and only when needed.
Personal data of individuals who are not clients of the Bank
In certain cases, BDB will process personal data of individuals who are not clients of the Bank, such as:
- When the person provides any security in favor of the bank. In such cases we collect personal data about that person, such as name, Personal ID Number, identity card details, current residence information, property data, bank accounts and financial indebtedness;
- When the person visits an office of our Bank (for example, as an accompanying person), we will record that person and/or register him/her at the reception desk by requesting two names, who he/she wishes to meet, and the date and time of the visit;
- When the person performs bank transfers in favor of clients of the Bank to their accounts opened with the Bank, we will obtain information about the account number, transfer amount, reason for the transfer, date and time;
- When the person is designated as an attorney-in-fact/contact person by a client or employee of the Bank;
- When the bank is a party to a contract to which you are/represent a third party beneficiary;
- When information about the person is shared to us by a government/municipal body, by a client of the Bank (and/or an employee of such client), or by an employee of the BDB Group.
Personal data processed when applying for a job
The personal data we collect in the selection process is used only to identify candidates with the closest profile to the requirements for the particular position. Upon completion of the selection process, the information provided shall be kept for 3 months and then destroyed.
The personal data we process for the purposes of the selection are name, prior professional experience, education and acquired qualifications, as well as any other information relevant to the job application.
How long do we store your personal data?
BDB stores your personal data only for the minimum period necessary to achieve the objectives set out in this Policy and when, by virtue of a law or international agreement, it is obliged or has the right to keep it for a longer period.
We determine the data storage period by taking into account several factors, including the duration of the provision of services (for example, in case of loan rescheduling and restructuring) if necessary in order to establish, exercise or defend our legal claims (for example, for the collection of overdue debts), or whether we have a legal obligation to store the data (for example, accounting documents for a period of 5 years or 10 years).
We a required to store personal data related to programs implemented by international funding for up to ten years after the completion of the contract we sign with the partner International Bank.
Video surveillance and access control data in the BDB Group offices are stored for a short period of time, usually 30 days, unless longer processing time is required to protect our legal claims - for example, for the purposes of additional investigation of incidents.
Who do we share your personal data with?
Regarding the applicable legal requirements, we are obliged to pass on your personal data to registers such as the Central Credit Register, Central Register of Registered Pledges, the Companies Register and the Register of Non-profit Organizations, as well as public authorities and institutions, such as the Bulgarian National Bank, the National Social Security Institute, the National Revenue Agency, the State Agency for National Security, judiciary and prosecution authorities, etc.;
Your personal data are subject to automatic exchange to comply with the data exchange requirements under the Tax and Social Security Procedure Code (TSSPC) and the Agreement between the Government of the Republic of Bulgaria and the Government of the United States of America to improve international tax compliance, with regard to an initiative also known as FATCA.
With respect to the programs and products of the BDB Group, which are provided jointly and in cooperation with local and international partners of the Group (list of international partners is available here), personal data of clients is exchanged to the extent necessary for the relevant service, for the execution of a loan agreement or a security agreement, for the monitoring of the fulfillment of contractual obligations, for accountability purposes to the Bank's partners and for the protection of their interests.
You can find a list of commercial banks and non-bank credit institutions that are partners of BDB on the territory of the Republic of Bulgaria here.
For the phone deals, we use PBX services provided by the mobile operator MTel/A1.
When we protect our rights and legitimate interests, and if we use any services of external advisers, lawyers, translators, auditors, etc., we reveal to them the amount of personal data that is needed for them to cooperate with us.
BDB will not share or disseminate your personal data for marketing or other purposes to any third parties.
In other cases and to the extent necessary, personal data is provided only to our trusted partners, such as technical providers of marketing and web design services, IT support, courier service providers, for which we have made sure that they comply with the highest standards for data security and privacy.
Providing data to our partners is necessary to enable us to provide you with the services you have requested and to improve the functioning of our website.
How do we protect your rights?
BDB processes your personal data only in accordance with the aforementioned purposes and deadlines.
When collecting personal data, we do so in a minimum volume and only for predetermined and clearly defined purposes and storage times. Data access is only available to a limited number of individuals who are pre-trained and instructed how to work with the data.
In connection with the entry into force of new European Data Protection Policies, the Company has undertaken a detailed analysis and audit of all our processes related to the processing of personal data. As part of this analysis, we check our partners, revise our procedures and rules, train our employees, use experienced information security consultants to ensure compliance with the highest standards of privacy and security of your information.
What are your rights?
As the data subject you are entitled to receive confirmation and/or detailed information, incl. a copy of the personal data processed for you (access right).
In addition, you can object to the collection and further processing of your personal data, and you can request that your personal is corrected (updated) or deleted (when there is no valid legal basis for us to continue processing them).
It is important to know that you can withdraw your consent to personal data processing at any time: [specify method; for example: see the contact details below/by clicking on this link].
If you believe that your data protection rights have been infringed, you have the right to file a complaint with the Personal Data Protection Commission, at Prof. Tsvetan Lazarov Blvd., 1592 Sofia, phone: 02/91-53-518, e-mail: firstname.lastname@example.org, and/or other supervisor/regulator when you believe there is a violation in connection with the processing of your personal data by the Bank.
To ask questions about your rights, or if you want to exercise one of them, please contact us at: [insert] [possibly, we can upload fill-in forms in the future or create a fill-in platform].
We will consider any of your requests without undue delay within 30 days of receipt of such request. If we are unable to do so for reasons beyond our control, we will notify you in good time, specifying the reasons for the delay.
Changes to this policy
Any change to this policy will be announced on the Bank's website and in any of our offices. In the event of a substantial change of the information, we will further inform you by sending an email or a text message. Users of our online banking services will also be notified when logging in.
Contact details of a personal data administrator
Company under company number (UI: Bulgarian Development Bank ЕAD, UIC 121 856 059)