1. Purpose of the Data Protection Policy
This Data Protection Policy aims to explain how we may process your Personal Data, what steps we’ll take to make sure your Data remains secure, and what your privacy rights are.
More specific conditions on the Data processing might be also outlined in separate contract(s), other service related documents and/or on our website(s). Please contact our privacy team using the following email - DPO@lb.ge if you have questions related to this Data Protection Policy.
2. Who are we
JSC Liberty Bank (collectively referred to as “BANK”, “we”, “us” or “our” in this Policy) is a commercial Bank licensed under the Georgian legislation and is the Controller and responsible for processing your Personal Data.
Identification number: 203828304;
Legal address: Chavchavadze ave. №74, Tbilisi, Georgia, 0162
Contact information: +995 32 2 55 55 00; info@lb.ge
3. Scope and amendment of the Data Protection Policy
This Data Protection Policy applies to all our prospective, present and past customers, natural persons and legal entities, non-juridical entities, state or self-government entities, legal entities of public law, job applicants, merchants, agents, payment system providers or anyone (hereinafter: you, Data Subject) in any other way related to any of Bank’s products and services, including those interacting with Bank through one of our channels, such as Email, website, mobile application, or account we operate on social media sites (e.g. Facebook, LinkedIn, Instagram).
This Policy may be updated from time to time. We therefore ask you to consult it on a regular basis. The latest version of the Policy is available at: www.libertybank.ge
4. Scope of Data Processing
Throughout the period of a relationship with the Bank and after its termination, the Bank shall be entitled to process information about you, including your Personal Data in accordance with the purposes set out in this Policy.
Data processing by the Bank, without any limitation, includes every action executed towards the Data using automated, semi-automated or non-automated means. More precisely, Data Processing means obtaining, collecting Data from you and/or third parties set forth in Annex #1 of the Policy, accessing, recording, photographing, videorecording, audiorecording, organizing, interconnecting, storing, altering, restoring, revoking, using or disclosing (including disclosing information to third parties set forth in Annex #1 of the Policy) for the purpose of transferring, disseminating or making available through different means, grouping or combining, blocking, erasing or destroying.
5. What Data do we process
Bank uses different types of personal information that we can group into the following categories, which include but may not be limited to the Data indicated below.
Note: Depending on the nature of your relationship with the Bank and the context and purpose of Data Processing, we may process all or only some of the Data specified in the relevant category(ies).
In addition, we may process any other type of Data related to the Data Subject which makes it possible to identify and/or characterize and/or group the Data subject by his/her physical, economic, cultural or social qualities or by using transactional and other type of Data in accordance with this Policy.
6. What we need from you
You’re responsible for making sure the information you give us is accurate and up to date. You must promptly inform us if you believe that the information stored at the Bank is not accurate or complete. Please note, that if you provide us with information regarding third parties (beneficiary, additional Cardholder, guarantor, family member, employer, contact person, employee, coworker, etc.), including, without limitation, their Personal Data, solvency information, information about the assets, etc, you are responsible for obtaining prior consents from respective persons to the processing of their Data by the Bank in accordance with the purposes and conditions set in the present Data Protection Policy. Therefore, the submission of such information to the Bank implies that you have obtained prior consent from these person(s), have ensured that the person is familiar and agrees with the present policy, and the Bank will not be liable to additionally acquire any such consent.
7. If You don’t provide Personal Data
Where we need to collect Personal Data by law, or under the terms of a contract we have with you or in order to enter the contract, and you fail to provide that Data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with products or services).
8. How do We collect Your Personal Data
In this section, we explain the main sources from which we obtain your Personal Data.
Data collected directly from you, for example when you:
Data collected from third party (ies) - On the basis defined by the Legislation, including where necessary based on your consent, the Bank may obtain information about you from external sources, including but not limited to the following:
Data collected from other Data registries and publicly available sources - We may obtain your Data from public, business, debtors’ registry and other relevant registers and public sources
Note: The categories of third parties providing and/or receiving Data are defined in Annex #1 of this Policy.
9. What are the Purposes of processing Your Personal Data
Depending on the nature of the relationship with you and other specific circumstances, your Personal Data may be processed for different purposes and legal bases, including:
Purpose: your identification/verification, provision of banking products and services (opening an account, transferring funds, carrying out cash and cashless settlement operations, etc.) both at physical service points and remotely. For this, we may need your identification, contact, transactional, socio-demographic, location-related, registries and open data, biometric data, “Know Your Customer” (KYC), documentary data, audio-visual, interaction, contractual or/ and other Data that will help us achieve the said purpose.
Legal Basis: (a) Your consent, for example, to the biometric identification to use the services remotely; to obtain your Data from relevant registries etc (b) entering into or performing a contract; (c) reviewing your application (providing services to you); (d) our legal obligation; (e) our legitimate interest, including: being efficient about how we fulfil our legal and contractual obligations; to prevent, detect, prosecute fraud and potential fraud, money laundering, terrorist financing, unauthorized access and/or misuse of our services and other crimes; to ensure that the records kept about you are true and accurate; to effectively manage our operational risks.
Purpose: To prevent and detect crime, including fraud, terrorist financing and money laundering - To do this, we may need your identification, contact, transactional, socio-demographic, technical, interactive, registries and open data, “Know Your Customer” (KYC), documentary data and any other information obtained through the AML preventive measures.
Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to prevent, detect, prosecute fraud and potential fraud, money laundering, terrorist financing, unauthorized access and/or misuse of our services and other crimes; to protect our customers, employees, and Bank assets; to ensure network security and proper functioning of electronic channels; to effectively manage our operational risks.
Purpose: credit risk management - For example, we process your Data in the framework of your loan application and business relationship, which may include financial, operational, compliance, insurance risk assessment. To do this, we may need your identification, contact, financial, transactional, socio-demographic, interactive, registries and open data, contractual, documentary and/or other data to help us achieve the said purpose.
Legal Basis: (a) your consent, where necessary; (b) entering into or performing a contract; (c) reviewing your application (providing services to you); (d) our legal obligation; (e) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to provide you with the products and services you have requested; to protect our business interests; to effectively manage our operational and other risks.
Purpose: Product and service improvement - We analyze the information to identify ways to improve our services and products. To do this, we typically might need usage, marketing, and interaction Data.
Legal Basis: (a) our legitimate interest, including: to develop products/services and grow our business; to eliminate defects and improve the services.
Purpose: To inform our marketing strategy - For example, we may use your Personal Data to provide you with the information we feel may interest you, use your feedback about our products and services to improve our offering, as well as to take into account your preferences regarding marketing communications. To do this, we typically might need usage, marketing, and interaction data.
Legal Basis: (a) your consent, where necessary; (b) our legitimate interest, including: to develop products/services and grow our business, to identify categories of users of our products and services and to carry out marketing activities accordingly; to ensure that you are informed about relevant Banking products.
Purpose: To protect our legitimate rights - we may need to use your information to protect our and/or a third party's legal rights, for example, to investigate local or international disputes related to transactions, to recover money owed to us, to commence legal proceedings, to respond to complaints, claims and requests, to relinquish a claim, to sell a portfolio, to protect intellectual property. Your Data may be processed in case of restructuring, sale of share or acquisition, etc. For that, we may need your identification, contact, financial, transactional, socio-demographic, technical, audio-visual, interaction, registries and open data, "Know Your Customer" (KYC), contractual, documentary and/or other Data to help us fulfill the said purpose.
Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to develop products/services; to grow our business; to ensure the investigation of complaints; to collect and recover money owed to us; to obtain proof of transactions and other relevant evidence; to protect our business interests.
Purpose: analytics and reporting - We process your Data that help us make informed decisions about products and services, in addition, Data Processing is necessary to fulfill other duties imposed on the Bank as an accountable person and to provide external reporting. For this we may need your identification, contact, transaction, socio-demographic, technical, interaction, "Know Your Customer" (KYC), documentary and/or other data that helps us achieve the said purpose.
Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to develop products/services; to grow our business; to protect our customers, employees, and Bank assets; to effectively manage our operational risks; to obtain proof of transactions and other relevant evidence.
Purpose: property and security protection, for which we may need audio-visual, technical and any other information that will help us prevent crime, detect it, protect public and personal safety and property.
Legal Basis: (a) important public and our legitimate interest, including: to prevent, detect, prosecute crime, protect our customers, employees, and Bank assets, ensure network security and proper functioning of electronic channels; to effectively manage our operational risks.
Note: The Bank is entitled to process your Data for any other purpose defined by legislation, also when the further purpose of processing is compatible with the initial one.
10. Who We share Your Personal Data with
In order for the Bank to perform statutory duties, protect its legal interests and to fully and properly provide service to you, based on Data Processing contexts and purposes, the Bank may transfer information about you including but not limited to the following categories of third parties:
The categories of third parties providing and/or receiving Data are defined in Annex #1 of this policy.
11. International transfer of the Personal Data
In the cases envisaged by the Legislation, including for the purposes of fraud and money laundering prevention, as well as for the purpose of providing Banking services to you/performing the contract, and/or to protect the legitimate interests of the Bank, your Data may be transferred and stored outside of Georgia, including in an organization operating in a country with no adequate safeguards for Personal Data protection as defined by the relevant normative act of the head of the personal data protection service of Georgia/its successor.
The possible risks of Data sharing in countries without adequate safeguards for Personal Data protection may be related, but not limited, to the absence of a local supervisory authority, and no (or only limited) individual Data protection and privacy rights. In some of these countries the privacy and Data protection laws and rules on when Data may be accessed may differ from those in Georgia. In such a case, the Bank ensures that an agreement on the Personal Data transfer is in place, which defines the obligations of the receiving party to ensure the protection of your Personal Data in accordance with the requirements stipulated by the Legislation.
12. COOKIES
We may use cookies and similar technologies which help us enhance your user experience while visiting our website. For more information about the cookies we use, please see the Cookies Policy here https://libertybank.ge/en/samartlebrivi-inpormatsia/cookies-policy
You can block or restrict cookies set by any website – including our Bank website(s) – through the browser settings on each browser (Internet Explorer, Mozilla Firefox, Google Chrome, etc.) and device you use to access the Internet. In the same way, you can delete cookies already stored on your device. Find out more information on how to manage cookies in common browsers by visiting: www.allaboutcookies.org
13. Direct Marketing
It is our intention to provide you with choices regarding the use of your Personal Data for Direct Marketing and advertising purposes.
The Bank is authorized to independently as well as through Data Processor and/or other authorized/related party(ies), process your identification, contact, financial and other Personal Data for the purpose of directly offering and providing you with information about Banking, including credit, products, services, promotions, etc. through telephone, mail, email, digital bank, mobile apps, and/or without limitation, through any other electronic means (Direct Marketing).
Consent to the processing of Data for Direct Marketing purposes is not mandatory, however, in the absence of consent to Direct Marketing, Bank will be unable to offer you customized services / products under the above conditions.
Please note, that if you are also an official, representative, an authorized spokesperson of the Bank’s existing or prospective client legal entity or are in any other way related to that legal entity, the Bank is authorized to process your Personal Data as information related to the abovementioned legal entity and use this information for the purposes of providing services to the aforementioned legal entity, including to carry out Direct Marketing.
Opting out from Direct Marketing
You may at any time withdraw your consent and request that we stop sending you Direct Marketing messages by email, mobile phone number and/or other electronic means. For this, you can use the available opt-out mechanism provided in each electronic means (so-called SMS off, unsubscribe, etc.), contact our service center, call us on 0 322 55 55 00 and/or use any other form agreed between us and/or prescribed under the Legislation.
For the avoidance of any doubts, Direct Marketing shall not be deemed as and, correspondingly, you shall not be entitled to demand cessation thereof, receiving product, service, etc related information (e.g. advertising banner, flyer, oral offer, etc.) if such information is presented directly by the Bank and/or its representative at the points of banking service provision or in remote channels which belongs to (is associated with) the Bank (including ATM, digital bank, etc.).
Please note, that upon a request to stop offers as a part of Direct Marketing, only communications of an advertising nature shall be terminated. Bank will further contact you using the contact Data kept in the Bank, regarding the issues/obligations arising in the framework of the relationship between you and the Bank, including, taking into account the requirements of the Legislation, in order to inform you about credit overdue and any other type of debt, to provide information about changes in service/product conditions, deposit insurance, as well as to provide a response to your statements or requests and to deliver other relevant information.
14. Automated individual decision-making
The Bank is entitled to process your Personal Data to make a decision only automatically, including on the basis of Profiling. We may use automated decision-making for example in the following cases:
15. Video and audio monitoring
Based on the objectives of preventing, detecting/investigating crime, protecting public and personal safety and property, protecting secret (confidential) information and to perform other important tasks based on the Bank’s legitimate interest (such as incident management and protection of customer rights, monitoring of processes, risk management, etc.), in compliance with the annex #2 of this Policy and law of Georgia on Personal Data Protection, video and audio monitoring of the external and internal perimeter of the building(s), including meeting rooms, service spaces and workplace(s) is being carried out by the Bank. In addition, monitoring and/or taking photo images is also carried out in the Bank, its service center and/or facility(s) belonging to the Bank's partner organization(s) through an ATM and/or other relevant electronic means. During phone communication with the Bank/Bank’s representative, the incoming and outgoing calls are being recorded/processed through the call recording system (audio monitoring) in order to enhance service performance, to review and respond to statements, complaints, to monitor compliance with the code of ethics and professional conduct standards, as well as to protect other legal interests of the Bank (including creating legal evidence) in compliance with the annex #3 of this Policy and law of Georgia on Personal Data Protection.
16. Data Processing of the job applicants
The Bank is entitled to process a Data subject’s Personal Data which was disclosed for the purpose of considering an initiation of employment and/or internship of such a person (hereinafter – Applicant). If the applicant is rejected, fails to proceed through the selection process, or unsuccessfully ends the trial period, his/her Data shall be deleted, unless the applicant has agreed to remain on file for a future selection process by the Bank and/or if there is another legal basis for keeping the data.
17. Processing the Personal Data of minors
Minors under the age of 18 who wish to use our services must provide consent from their legal representatives (parents/legal guardians) regarding the processing of their Personal Data, apart from the exceptions provided by law.
18. Copyright
The Data related to you (print, audio and/or visual) published on the Bank’s website, internet banking, mobile banking, mobile applications and other electronic means, shall be deemed as the Bank’s property and the Bank shall own a copyright over such data immediately after its publishing unless it is not classified as your Personal Data.
19. Data Security and Retention period
We have put in place appropriate technical and organizational measures to safeguard your Personal Data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. In case the Bank transfers (discloses) the Data to third parties, including the resident(s) of other countries, the Bank ensures that an agreement on the Personal Data transfer is in place, which defines the obligations of the receiving party to ensure the protection of your Personal Data in accordance with the requirements stipulated by the Legislation.
We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We’ll normally keep your Data for up to 15 years after you cease your relationship with us. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes such as managing your account and dealing with any concerns that may arise. We may need to store your Data for a longer period where we need the information to comply with regulatory or legal requirements or where we may need it for our legitimate purposes, for example, to help us respond to complaints, fighting fraud and financial crime, etc.
20. Your Rights
As a Data subject, you are granted the following rights by law, that may be restricted only in the cases envisaged by the Legislation.
Right to receive information on the processing of Data and to obtain a copy - You have the right to be informed about the collection and usage of your Personal Data. This means, that, upon your request, we must provide details regarding the processing of your Personal Data, including: information on what Personal Data and from which sources is being collected, the purposes and legal grounds for Data processing; Data retention period, the recipients to whom the Personal Data have been or may be provided etc. The present Data Protection Policy document is an example of this. You also have a right to obtain a copy of your Personal Data which is processed in accordance with the Legislation.
Right to the rectification, update and completion of Data - If the Data processed by Bank is incorrect, incomplete, or inaccurate, you can request the Bank to rectify and/or complete Data and provide us with the necessary information for this purpose.
Right to the termination of the processing, erasure or destruction of Data - You have the right to request the termination of Data Processing (including profiling), erasure or destruction of your Data. Please note, that the Bank may not be able to satisfy your request immediately due to the requirements of Laws on Facilitating the Prevention of Money Laundering; on Commercial Bank Activities; Consumer Rights Protection, Tax legislation, as well as other relevant Legislative acts.
Right to the blocking of Data – You have the right to request blocking of Data (restriction of Data Processing), when the accuracy of your Personal Data is contested by you or you request the cessation, deletion, or suspension of processing, for a period that allows us to verify the accuracy of Personal Data and review your request; When the Data Processing is unlawful but you oppose the deletion of Personal Data and request restriction of its use instead; When Bank no longer needs to process the Data for the processing purposes, but it is required by you to file a complaint/claim; When there is a need to retain the Data for use as evidence.
Right to the transmission of Data - You have the right, upon your request, to receive from us Data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, or to require that the Data be transmitted to another Data Controller. Bank is entitled to decline your request if it’s technically impossible to transmit your Data in a requested manner.
Automated individual decision-making and related rights – You have the legal right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other similarly significant effects concerning you, except where a decision based on profiling is: (a) based on your explicit consent; (b) necessary for entering into, or performing, a contract between you and the Bank; (c) provided for by law or by a subordinate normative act issued within the powers delegated on the basis of the law.
Right to withdraw consent - You can withdraw your consent at any time, if it doesn't conflict with the requirements of the legislation. Please, note, that the withdrawal of consent shall not lead to the cancellation of legal consequences arising before the withdrawal of consent and within the scope of the consent.
Right to appeal - You can address the Personal Data Protection Service with a claim regarding the processing of your Personal Data by Bank, if you believe, that your Personal Data is being processed unlawfully. For more information you can visit Personal Data Protection Service’s website https://personaldata.ge/en
20.1. How to contact Us
In order to exercise your rights, you can directly contact our Data Protection Team at the email address: DPO@lb.ge.
Please clearly state your identity and, if possible, send the request using your email address registered in the Bank.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
20.2. No fee is usually required
You will not be required to pay any fee for accessing your Personal Data or exercising any other legal rights, except for exceptions established by law (for example, if the fee is required under the Legislation and/or established by the Bank because of the resources spent on issuing them in a form other than the Data are stored, and/or frequent requests). In case the Data subject makes an unreasonable number of requests, the Bank is also entitled to refuse to comply with the requests.
20.3. Time Limit to Respond
We will respond to all legitimate requests within the time period set by the Legislation.
21. Obligations of Data Controllers, Data Processors and Joint Controllers
Pursuant to the terms of this Policy, taking into account the context and purpose of the Data Processing, while processing certain type of Data, the Bank and/or third parties specified in Annex #1 of the Policy may represent the Data Processor(s) and act on behalf of Data Controller(s), and/or the parties may act as Joint Controllers.
While processing Personal Data, taking into account the nature of processing, if one party is the Data Controller, while the other party acts as the Data Processor, the Data Processor shall:
(a) Carry out Data Processing only in accordance with the written instructions or guidelines of the Controller, only for the purposes specified under applicable agreement;
(b) Ensure that all natural persons who directly participate in Data Processing have an obligation to maintain confidentiality;
(c) Ensure Data security in accordance with the Data Protection Law; including among other things, to take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse of Personal Data;
(d) Ensure that all operations performed in relation to electronic Data (including information on incidents, Data collection, Data alteration, Data access, Data disclosure (transfer), Data links and Data deletion) are fully registered (including the Log files). In addition, Data Processor shall ensure the ability to identify the responsible person for each operation performed in relation to electronic Data. When processing non-electronic Data, the Processor is obliged to ensure that all operations related to Data disclosure and/or alteration (including information on incidents) are registered;
(e) Without prior consent from the Controller, the Processor shall not transfer Personal Data to another country or international organization that does not belong to the European Economic Area and is not included in the list of countries with adequate guarantees for Personal Data protection as defined by Personal Data Protection Service/its successor’s normative act;
(f) Provide appropriate information to the Controller in order to ensure compliance with the obligations established by the Law of Georgia on Personal Data Protection and the monitoring of Data Processing by the Controller;
(g) Take appropriate technical and organisational measures to assist the Controller to promptly respond to the requests from Supervisory and/or other authorized entities regarding Personal Data Processing and to assist the Controller in fulfilling his/her obligations related to the exercise of the rights of Data subjects (Data blocking, deleting, rectifying, updating, etc.) within the timeframes determined by Law of Georgia on Personal Data Protection;
(h) Processor shall not transfer the right to Data Processing to another party/parties unless there is Data Controller’s permission. In case of the Controller's consent, the Processor is obliged to transfer the right to Data Processing to another party/parties based on written agreement only, which shall determine obligations of each Data recipient (sub)contractor to take all necessary technical and organizational measures to protect Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse of Personal Data, and therefore all obligations and/or responsibilities of Data Processor determined by applicable agreement and Law of Georgia on Personal Data Protection shall apply to the abovementioned (sub)contractors;
(i) Notify the Controller in written/electronic form in case of unauthorized access to or any other kind of Data breach (incident), immediately or no later than 24 (twenty four) hours of its discovery;
(j) In the event of a dispute between the Controller and the Processor, Processor is obliged to immediately terminate Data Processing and transfer all the Data in its possession to the Data Controller upon a request;
(k) Upon Data Controller’s request, as well as, in the event of the termination of applicable agreement for any reason, the Processor is obliged to terminate Data Processing and immediately and/or within 10 (ten) calendar days (if the said information is of a significant amount or needs to be searched /collected) transfer Personal Data and securely delete/destroy all Data shared with the Processor with no possibility of recovery of such Data, including any electronic or physical copies, unless Data retention is required by the legislation;
(l) For the avoidance of any doubts the parties agree that the provisions specified in clauses "j-k" do not apply to Personal Data processed by one of the parties in the role of the Data Controller;
(m) The Data Processor is obliged to compensate the Controller the damage, including any kind of financial fine imposed (if any), which occurred as a result of Data Processor's violation of the Personal Data Processing requirements established by this Policy and legislation;
(n) The provisions related to Personal Data Processing by the Data Processor that are not covered by this Policy, are regulated by the Law of Georgia on Personal Data Protection.
While processing Personal Data, taking into account the nature of processing, if parties act as Joint Controllers, each of them shall:
(a) Take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse of Personal Data;
(b) Restrict access to Personal Data only to its authorized employees, who need the access to Personal Data for the purposes of the relevant agreement and are under the duty of confidentiality both during their employment and after the termination thereof;
(c) Collaborate closely with Joint Controller to ensure Data Processing compliance with the law;
(d) Process Personal Data in the scope of mutual collaboration, ensuring compliance with the relevant agreement and law;
(e) Within the scope of its competence, assist and provide support to the Joint Controller in conducting Data protection impact assessment where it is required by law and/or relevant normative act;
(f) Notify the Joint Controller in writing/electronic form in case of unauthorized access to or any other kind of Data breach (incident), immediately or no later than 24 (twenty four) hours of its discovery. Such notification shall contain information on the circumstances, type and time of the incident; the possible categories and volume of Data that have been disclosed, damaged, deleted, destroyed, obtained, lost, or altered in a non-authorized manner as a result of the incident, as well as the possible categories and number of Data subjects that have been exposed to a threat as a result of the incident; the measures taken or planned by the Joint Controller for mitigating or eliminating any possible damage caused by the incident; and whether or not, and within what timeframe the Joint Controller intends to notify Data subject(s) about the incident;
(g) Immediately inform the Joint Controller in writing/electronically about requests for disclosure of Personal Data processed within the framework of the relevant agreement, regarding appeals received from judicial, law enforcement, regulatory/Supervisory authorities and other agencies;
(h) Where Data is collected directly from the Data subject, provide the Data subject with all relevant information regarding the purposes, legal basis, period of Data Processing; (Joint) Controller(s), Data Processor(s), Data Protection Officer (if any); as well as, Data subject’s rights (Data blocking, deleting, rectifying, updating, etc.) established by law;
(i) Ensure the accessibility of information on the distribution of obligations and responsibilities between the Joint Controllers for the Data subjects. Data subject’s rights to apply to Joint Controllers individually shall not be restricted;
(j) If Data subject contacts any of the Joint Controllers about the rights granted by Law (Data blocking, erasing, rectifying, updating, etc.), the contacted Joint Controller shall identify the responsible Joint Controller and forward the request internally to this Controller within a reasonable period of time to avoid breaking timeframes for responding as established by law. The Joint Controller who was contacted initially shall carry out all necessary communication with the Data subject;
j.a) The responsible Joint Controller shall be determined as follows: If the Data of the Data subject is part of a set of Data which can be attributed to a Joint Controller, this Joint Controller shall be responsible. In all other cases the Controller contacted by the Data subject shall be the responsible Joint Controller.
(k) Joint Controllers shall assist one another with the execution of Data subjects’ rights granted by Law of Georgia on Personal Data Protection (Data blocking, deleting, rectifying, updating, etc.), in accordance with the provisions and timeframes determined by law;
(l) Perform other activities as established by law.
(m) The provisions related to the processing of Personal Data by the Joint Controllers that are not covered by this policy, are regulated by the Law of Georgia on Personal Data Protection.
Annex #1
The categories of third parties providing and/or receiving Data
In order for the Bank to perform statutory duties, protect its legal interests and to fully and properly provide service to you, based on Data Processing contexts and purposes, the Bank may obtain and/or transfer (make available) information about you to third party(ies) which may include but not be limited to the following
The client knows and agrees that the list presented in the current annex and/or web pages administered by the Bank is not complete, exhaustive, and from time to time the number of such third parties may increase or decrease over time. However, the Bank will ensure its actions related to Data Processing remain in compliance with the requirements of Law of Georgia on Personal Data Protection.
Protection of the confidentiality of Personal Data is ensured by the third party recipient, therefore the Bank is not responsible for the violation of the duty of confidentiality by the receiving party, unless otherwise prescribed by the legislation.
Annex #2
Video Monitoring
Based on the objectives of preventing, detecting/investigating crime, protecting public and personal safety and property, protecting secret (confidential) information and to perform other important tasks based on the Bank’s legitimate interest (including incident management and protection of customer rights, monitoring of processes, risk management, etc.), in compliance with the law of Georgia on Personal Data Protection, video and audio monitoring (hereinafter referred to as “Monitoring”) of the external and internal perimeter of the building(s), including meeting rooms, service areas and workplace(s) is being carried out by the Bank.
Monitoring is being carried out 24/7 and the recordings are stored up to 1 year and/or for as long as necessary for achieving specific legitimate purposes, after which they are automatically destroyed if there is no need and relevant lawful grounds to keep the Data for a longer period of time.
To ensure that you are properly informed, the Bank has placed the relevant warning signs which include information about video and audio recording being carried out.
In addition, Bank takes all the appropriate technical and organisational measures to protect recorded Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse, including:
In certain cases, it might be necessary to grant the access to and/or to transfer video recordings to the third parties for various reasons. For example, when there is a reasonable doubt that video recording might contain any evidence of the illegal acts (including administrative offense), an interest arises from relevant authorities for the criminal or administrative investigation purposes. Besides cases mentioned above, access to recordings may also be requested from the Supervisory authority of the Bank - the National Bank of Georgia, as well as Personal Data Protection Service for the purposes of reviewing your complaint and/or in other cases prescribed by law.
Bank will present and disclose the recordings to the third parties (including law enforcement bodies) only if there is a relevant legitimate lawful basis, stipulated by the legislation.
The rights of Data Subject are stipulated in Article 20 of this Policy.
Annex #3
Audio Monitoring
During phone communication with the Bank/Bank’s representative through the hotline, the incoming and outgoing calls, as well as calls to/from the relevant internal numbers (if any) are recorded and processed through the call recording system (audio monitoring) in order to enhance service performance, to review and respond to statements, complaints, to monitor compliance with the code of ethics and professional conduct standards, as well as to protect other legal interests of the Bank (including creating legal evidence) or in other cases expressly provided by the legislation as well as based on your consent where necessary in accordance with the requirements of the Law of Georgia on Personal Data Protection.
Prior to or upon starting audio monitoring Bank informs you about carrying out of audio monitoring, and explains to you the right to object (if any). Recordings are stored for at least 15 years, after which they are automatically destroyed, if the specific legitimate purposes are achieved and there is no need and relevant lawful basis to keep the Data for a longer period of time.
In addition, Bank takes all the appropriate technical and organisational measures to protect recorded Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse, including:
In certain cases, it might be necessary to grant the access to and/or to transfer audio recordings to the third parties for various reasons. For example, it may be directly requested by the Supervisory authority of the Bank - the National Bank of Georgia, as well as Personal Data Protection Service for the purposes of reviewing your complaint and/or in other cases prescribed by law.
The rights of Data Subject are stipulated in Article 20 of this Policy.
Annex #4
Processing of Biometric Data
In order to receive and use Banking services remotely, outside Bank service points, in accordance with the rules established by the current Legislation, the Client should undergo the electronic identification and verification procedure, where based on the relevant technical solution, Bank will obtain and process Personal Data, including Biometric Data. The Biometric Data refers to the Data processed using technical means and related to the physical, physiological or behavioral characteristics of a Data subject (such as facial images, voice characteristics or dactyloscopic data), which allow the unique identification or confirmation of the identity of that Data subject.
Facial recognition system of Amazon Web Services, Inc and the technical solution developed by Identomat Inc (SR 20204194256; n7977895; address: USA, 60 Hazelwood Dr, Champaign, IL 61820) are being deployed during the electronic identification and verification processes.
Remote identification process encompasses capturing a photo of the identity document and taking a dynamic selfie, comparing those and checking the information provided in the presented document. As a result, Bank is able to verify the authenticity of the client and the validity of the document provided.
Biometric Data processing is necessary for the purposes of carrying out Bank activities, security, protection of property and prevention of the disclosure of secret information, as well as for fulfilling the Bank’s obligations as an accountable entity determined by the legislation, including for the purpose of checking whether the Data is correct, which is necessary to verify the client’s identity, as well as to combat fraud, money laundering or other illegal acts and to provide requested services to the clients.
In order to process Biometric Data Bank shall obtain client's consent in accordance with the requirements established by the Legislation.
Data processing is being carried out in Georgia, as well as, in the jurisdiction(s) included in the list of countries with adequate guarantees for Personal Data protection as defined by Personal Data Protection Service/its successor’s normative act and where General Data Protection Regulation (GDPR) is enforced.
The Service Provider implements all appropriate technical and organizational measures to protect Personal Data, including ensuring strong encryption in order to prevent third parties’ access to the Data abroad, including the server resource provider. Furthermore, the processing of Biometric Data during the electronic identification session is being carried out for no longer than 10 (ten) seconds, access to Biometric Data throughout the process is impossible and it shall be deleted immediately upon delivering the identification result, with no chance of recovery. Other categories of Personal Data will be processed by the Bank for the period necessary to achieve the purposes of Data Processing, to protect Bank’s legitimate interests, and/or for a period of time that is requested by the regulator and/or is envisaged by the Legislation.
The rights of Data Subject are stipulated in Article 20 of this Policy.