Information on personal data processing of data of natural persons by DSK Bank AD
1.1. DSK Bank AD is a commercial company, registered in the Commercial Register and the Register of Non-Profit Legal Entities with the Registry Agency with UIC number 121830616 with headquarters and address of management: 1000 Sofia, 19 Moskovska Str., tel. *2375 / 0700 10 375; fax: (+359 2)
9076 499; e-mail: call_center@dskbank.bg; website www.dskbank.bg. As a Data Controller it operates in strict compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the Personal Data Protection Act. DSK Bank is part of OTP Group which provides financial services in Central and Eastern Europe.
DSK Rodina, DSK Leasing, OTP Leasing, DSK Asset Management, DSK Dom and DSK Ventures are part of DSK Group in Bulgaria.
Contact details of the Data Protection Officer: e-mail: DPO@dskbank.bg.
1.2. This information applies to the processing of personal data of:
(a) persons who conclude a bank financing agreement and /or a contract for securing such an agreement (guarantee, pledge, mortgage), or who apply for such a contract, incl. request for personalized and non-personalized offers;
(b) persons submitting a request for conclusion of an agreement other than the one under letter (a) or who apply for such a contract, incl. request for personalized and non-personalized offers;
(c) persons who conclude single performance contracts with the Bank, for example, contracts under which single payment services are provided;
(d) persons who submit a complaint/ request/ offer without being customers of the Bank;
(e) seller of real property - where the buyer of the property which will be used as collateral under the loan agreement receives financing;
(f) persons whose debts to another creditor are refinanced with a loan from the Bank;
(g) persons who submit a request for verification of liabilities for local taxes and charges;
(h) heirs of the persons under the above points;
(i) representatives of the persons (natural and legal) under the above points;
(j) persons-non-clients of the Bank, whose data are processed in connection with the use of payment systems and payment schemes, including the use of P2P service by mobile number.
2.1.1. DSK Bank processes the following personal data and categories of personal data of individuals referred to under p. 1.2. letters (c) to (i):
(a) names, identification number, date and place of birth, nationality, type, number and copy of identity document;
(b) contact details, for example: addresses, landline/mobile phone, e-mail;
(c) demographic data, for example: gender, age, place of residence;
(d) physical identity data - facial images, voice, handwriting.
(e) data on the economic situation, for example, existence of credit obligations;
(f) tax and social security information, such as public payment obligations and place of employment.
2.1.2. In addition to the data under p. 2.1.1., in respect of clients of the Bank under p. 1.2. letters "a" and "b", the Bank also process the following data:
(a) location;
(b) data about place of employment, position/occupation;
(c) student information, for example: educational institution, faculty number, professional field, specialty, course, full-time/ part-time education;
(d) data about used and rejected products/services of the Bank and of third parties - contractors of the Bank;
(e) for persons who have expressed a wish or use payment services for providing information on account and for initiating payments - financial information on accounts, account movements and stocks with other payment service providers;
(f) biometric data.
2.2. For the purposes of bank financing, as well as for direct marketing of products and services of the Bank, besides the data under p. 2.1.1. and 2.1.2., DSK Bank also processes the following personal data of individuals under p. 1.2. letters "a" and "b":
(a) data on the economic situation which DSK Bank possesses in connection with previously used products and services of the Bank as well as data obtained from the NSSI information databases /only with the consent of the client for this purpose/, CCR, NRA and the Commercial Register and the Register of Non- Profit Legal Entities, for example: income, owned property, indebtedness; existence of public payment obligations, related legal entities;;
(b) civil status data available to DSK Bank in connection with used products and services of the Bank, for example: marital status, including those obtained from the information databases of DG GRAO (only with the client's consent to this)..
2.3. In respect of the representatives of natural persons and corporate customers, the Bank processes the following data:
(a) name and identification number;
(b) date and place of birth, citizenship;
(c) identity document;
(d) contact details, for example: addresses, landline/mobile phone, e-mail;
e) location;
(f) data relating to place of employment, position/occupation;
(g) physical identity data - facial images, voice, handwriting.
2.4. DSK Bank processes the following personal data of the actual owners of a corporate customer: name, identification number, date and place of birth, citizenship, identity document, permanent address.
2.5. For the persons under p. 1.2. letter (j) the Bank processes the following personal data: names and phone numbers included in the list of contacts on a DSK Bank customer's mobile device under p. 1.2., letter (b).
3.1. The personal data of natural persons under p. 1.2., letter (a), (b) and (h) is processed for the purposes of:
(a) conclusion and execution of a contract with the Bank to which the individual is a party/representative of another person; execution of a contract under which the Bank or the natural person subrogates to the rights/succeeds in the rights and/or obligations another person, as well as for actions preceding and warranting the conclusion of a contract;
(b) exercise of legal rights and obligations of the Bank in connection with the conclusion and performance of the contracts under letter (a);
(c) realization of the rights and interests of the Bank which has justified advantage over the interests of natural persons, including performing of direct marketing trough research on proposed and/or used products and services, as well as offering by telephone, mail or other direct means products and services of the Bank for which it is assumed that the client could have expected offers, considering the Bank's products and services already used.
(d) direct marketing of products and services of the Bank, except for the cases of letter "c" as well as third party products and services, incl. subsidiaries of the Bank offered by it under a contract with these persons - only with the consent of the individual;
(e) automatic exchange of financial information under Chapter XVI, Section IIIa of the Tax and Social Insurance Code, comprising of automated processing of personal data by applying the due diligence procedures under the Tax and Social Insurance Code.
3.2. In connection with the conclusion of a bank financing agreement and /or a contract for securing such an agreement (guarantee, pledge, mortgage), except for the purposes under p. 3.1., the personal data of natural persons upon point 1.2. letter (a), (b) and (h) is processed also for the purposes of:
(a) consideration of a request for financing, valuation of collateral, performance of a creditworthiness analysis which includes, among other checks, requesting and receiving data from official national registers, such as registers maintained by the NSSI, the CCR, the NRA, from databases of the Bank, etc., and other preparatory steps for the conclusion of a financing agreement and agreements for the establishment of collateral;
(b) establishment and renewal of the collateral under the contract;
(c) taking out and maintaining property insurance as required under the contract or if the Bank, at its own discretion, takes out insurance against the risk assumed.
3.3. The representative’s data under p. 1.2., letter (i) is processed for the purposes of p. 3.1., letters (a), (b) and (e) for the for the realization of rights and interests of the Bank that have a justified advantage over the interests of natural persons, and in the cases of concluding a contract for bank financing and / or a contract for its collateral (guarantee, pledge, mortgage) on behalf of the represented person - and for the purposes of:
(a) consideration of a request for the use of funding and other preparatory actions for the conclusion of a financing contract and contracts for the establishment of collateral;
(b) the establishment and renewal of the collateral under the contract;
(c) the conclusion and maintenance of property insurance where required under the contract or when the Bank, at its own discretion, undertakes insurance of the risk assumed.
3.4.1. The Bank processes personal data to individuals under p. 1.2. letter "c" to "g" for the following purposes:
a) conclusion and performance of single performance contracts under which the natural person to whom the data relate is a party to or has concluded such a contract as a representative of another person, including for actions that preceded and warranted the conclusion of such a contract;
(b) taking preparatory steps for the conclusion of a bank financing agreement for refinancing of credit obligations of the natural person whose personal data are being processed;
(c) requesting and obtaining data from official national registers (e.g., the NRA register for public liabilities) relating to the owner of the real estate, for example, in the event of financing received by the buyer of the property where the property will also be a used as collateral under the loan agreement;
d) analysing issues raised in a complaint/ request/ proposal and preparing an answer;
e) execution of legal rights and obligations of the Bank.
3.4.2. The Bank processes personal data and categories of personal data under p. 2.1.2, letter (f) only for the following purposes:
a) for the purposes of remote identification upon initial registration for access to electronic channels and use of the Bank's products and services through a mobile application, only after receiving explicit consent from the data subject.
b) for the purpose of signing documents in front of an employee of the Bank with an electronic pen, with the consent of the data subject.
3.4.3. The Bank processes personal data under p. 2.5. for the purposes of using payment systems and payment schemes, including using a P2P service by mobile number.
3.5. The personal data of the actual owners of a corporate customer is processed for identification purposes and for the purposes of enforcement of anti-money laundering and terrorist financing measures in fulfillment of the Bank's legal obligations.
3.6. For security purposes and in compliance with the normative requirements, video surveillance is carried out in Banks offices.
4. The processing of personal data shall be based on:
(a) a contract with the Bank or a third party through the Bank, to which the natural person is a party/representative of another person, including for actions that preceded and warranted the conclusion of such a contract and undertaken at the request of the person; or (b) the consent of the natural person, or (c) realization of rights and interests of the Bank which have justified advantage over the interests of natural persons, or (e) execution of legal rights and obligations of the Bank.
5.1. The personal data of the individuals under p.1.2., letters (a), (b) and (h) as well as data of representatives of natural and legal persons, collected and processed by the Bank, may be provided to the following categories of recipients of personal data:
(a) persons entrusted with the preparation, printing, assembling, delivery (including via SMS/Viber communications or electronically) of written correspondence and/or information materials of the Bank;
(b) persons entrusted with bank card issuance;
(c) persons with whom the Bank has concluded a contract for joint development and servicing of products and/or provision of services;
(d) persons whose services the Bank uses in providing investment and additional services to clients;
(e) persons and institutions with which the Bank has concluded loan portfolio guarantee contracts and/or individual loan guarantee contracts;
(f) persons entrusted by virtue of a contract to assist the Bank in the management and collection of its receivables;
(g) persons to whom the Bank proposes to sell its receivables;
(h) persons to whom the Bank has given notice of early repayment under loan agreements or other form of financing (e.g., notaries, private enforcement agents);
(i) external contact centers;
(k) traders who are intermediaries in the provision of loans or other banking products and services by virtue of a contract concluded with the Bank;
(l) other companies from the group of DSK Bank (OTP Group) where it is required for the purposes of decision-making, administration and control in connection with the provision and execution of the services provided by the Bank, or these companies;
(m) persons to whom in connection with the processing for the purposes specified under p. 3 the Bank has entrusted the processing of personal data for organizational reasons other than those mentioned above, for example: development and maintenance of the Bank's systems; storage of data; control of access to the premises of the Bank, etc;
(n) bodies, institutions, regulated markets of which the Bank is a member – with regard to the realization and protection of the rights and interests of the Bank or as well as other persons to whom the Bank is required to provide personal data in accordance with a statutory requirement;
(o) payment organizations and systems serving cashless payments and transfers, including with payment instruments, as well as external providers, through applications of which bank cards issued by DSK Bank are digitized, when the data subject has requested the digitization service;
(p) payment service providers for providing information on an account, payment service providers for initiating payments and providers granting a payment service upon confirmation of the availability of funds when using a payment instrument, which are integrated into the Bank's systems in accordance with the law this;
(r) insurers with whom the Bank has a contract and their partners for the purpose of concluding, maintaining and realizing property insurance, as well as persons to whom the Bank assigns a valuation of collateral.
5.2.1. The personal data of individuals under p. 1.2., letters (c) to (g) and letter (j) collected and processed by the Bank may be provided to the following categories of recipients of personal data:
(a) bodies, institutions, regulated markets of which the Bank is a member – with regard to the realization and protection of the rights and interests of the Bank (e.g., conciliation commissions, courts) or as well as other persons to whom the Bank is required to provide personal data in accordance with a statutory requirement;
(b) persons entrusted with the preparation, printing, assembling, delivery (including via SMS/Viber communication or electronically) of written correspondence;
(c) external contact centers;
(d) other companies from the group of DSK Bank (OTP Group) where it is required for the purposes of decision-making, administration and control in connection with the provision and execution of the services provided by the Bank, or these companies;
(e) payment organizations and systems serving cashless payments and transfers, including with payment instruments.
(f) persons to whom the Bank assigns the performance of real estate appraisals.
5.2.2. Depending on the respective legal assumption, the personal data of natural persons under p. 1.2., letters (c) to (h) and letter (j) may be provided to DSK Bank by the data subjects themselves or through the following groups of third parties:
(a) the personal data of individuals whose liabilities will be refinanced shall be obtained from the creditor through the borrower.
(b) the personal data of natural persons receiving funds in the Bank (e.g., from dividend payments, rent, indemnities, etc.) shall be obtained from the originator of the transfer with whom the Bank has contractual relations for the provision of services related to remittance of amounts payable to the recipient;
(c) the personal data of the heirs of the Bank's clients may be obtained by other heirs, notaries, executors of wills, bodies engaged in the collection of receivables of the bank within their legal powers;
(d) the personal data of the natural persons under item 1.2., letter (i) may be obtained from institutions or legal entities offering access to publicly available registers such as the Commercial Register and the Register of Non-Profit Legal Entities and similar.
(e) the personal data of individuals under p. 1.2., letter (j) are received by a customer of DSK Bank under p. 1.2., letter (b).
6. For the purposes of assessment by the Bank of the possibilities for use of products and services of the Bank, which are the most suitable products and services for the client, as well as the specific conditions for using these products and services, the personal data of the persons may be subject to automated processing, as a result of which an automated decision is made. Automated processing is also a way to assess the creditworthiness of individuals. It includes performing various checks, including in official registers for the country, as well as databases of the Bank, which, based on pre-set criteria, lead to a positive or negative decision to use a banking product or service. This type of data processing is necessary for the conclusion of the contract for the respective product, and in some cases, it can also be applied for the purposes of preparing marketing offers with credit limit.
Personal data of individuals may also be subject to automated processing in connection with the application of measures against money laundering and terrorist financing. In the latter case this type of processing is necessary to comply with the requirements of applicable legislation in this area that leads to to the entry or termination of business relationships and the prevention of fraud.
In case of applied automated decision-making, the persons under point 1.2., letter (a) and (b) have the right to express their point of view on the decision, to challenge it, as well as to request human intervention in the decision-making process.
7.1. The provision of personal data is voluntary where such data are necessary for the conclusion of a contract with the Bank. If the data is not provided, the Bank will not be able to provide a product or a service. In the case of already established commercial or professional relations with the Bank, the provision of personal data may constitute a contractual or statutory requirement. In such cases, failure to provide the required data may result in termination of the contract or the established commercial relationship.
The consequences of non-consent are specified in the document in which consent is given or are expressly mentioned by the Bank prior to the consent being given.
7.2 The Bank does not consider anonymous complaints/ requests/ proposals.
8.1. Data subjects have the right of access, the right to request correction, deletion or limitation of the processing of their personal data processed by the Bank, as well as to object to the processing of their data when it is processed on the basis of the realization of rights and interests of The Bank, which have a justified advantage over the interests of natural persons.
8.2. Data subjects have the right to receive the data from the Bank in the form and manner specified in the law and transfer them to another controller. Data subjects have the right to request the Bank to transfer directly their data to another controller where technically feasible.
8.3. Data subjects may at any time object to the processing of their data for the purposes of direct marketing, and to withdraw the consents given by them in one of the following ways:
1. By making a call to: 0700 10 375
2. By sending an e-mail to: call_center@dskbank.bg 3. At each office of the Bank.
4. Through the Feedback section of DSK Bank's electronic channels in case they have a contract for access to them.
Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to withdrawal. Despite withdrawal of consent, personal data may be processed by the Bank for other purposes if there is legal basis to process the data under p. 4 other than consent.
8.4. Natural persons may exercise their rights under item 8.1. and 8.2. on the addresses for correspondence as referred to under p. 1.1. (Personal Data Protection Officer) and p. 8.3. after proper identification, as well as through DSK Bank's electronic channels. When exercising rights by e-mail, requests should be signed with a qualified electronic signature (QES)..
9. Natural persons may exercise their right of appeal to the Commission for Personal Data Protection, which is a data protection supervisory authority.
Personal Data Protection Commission:
Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.,
e-mail: kzld@cpdp.bg website: www.cpdp.bg
10. DSK Bank stores collected personal data within the following time frames:
(a) where the data is processed on the basis of a request for use of a product/ service, for a maximum period of 5 years as of the date of submission of the request for conclusion of a contract, if the request is not approved;
(b) where the data is processed on the basis of a contract - for a period of 5 years as of the beginning of the calendar year following the year of termination of the relationship; transfer of receivable - 5 years after repayment of the claim to the transferee, but not earlier than 5 years after the final settlement of all legal proceedings related to it; 5 years from the beginning of the calendar year following the year of the termination of the relations between the Bank and the buyer of real estate - in the event of processing the data of a seller of a real estate;
(c) where the data is processed on the basis of consent, until withdrawal of the consent;
(d) where the data are processed in connection with realization of rights and interests of the Bank which have a justified advantage over the interests of the natural persons - until the right is extinguished and/or the interest disappears;
(e) a period of 5 after the provision of the respective single service;
(f) a period of 3 years after the preparation of a reply to a complaint/ request/ proposal;
(g) a period of 5 years from the beginning of the calendar year following the year of termination of the relationship between the Bank and the person who has refinanced another party's credit obligation, in the case of processing the data of individuals whose credit obligations have been refinanced.(h) a period of 3 years for the recordings of the calls in the Contact Center.
(i) a period of 2 months for the recordings from the performed video surveillance.
(j) a period of 5 years from the beginning of the calendar year in which the transfer was made.
Once the deadlines have expired, if there is no other legal basis for processing of the data, it shall be deleted. In order to obtain and analyze information related to the products and services used and to improve the service, the Bank may delete only part of the data. In such a case, it shall continue to store a portion of the data that prevents natural persons from being subsequently identified.
Updated on 01 October 2023.