UNITED BULGARIAN BANK AD (hereinafter referred to as UBB AD/UBB/the Bank), Company ID 000694959, 89B, Vitosha Blvd., Sofia. For questions, related to the processing of personal data, please contact the Data Protection Officer at dpo@ubb.bg.

UBB AD is Personal Data Controller and in its capacity of such, conducts its activities in strict compliance with the requirements of the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, in order to ensure confidentiality and lawful collection and processing of clients’ personal data.

UBB AD is part of the KBC Group. The KBC group is a bank-insurance group of companies that through co-operation creates and distributes banking, investment, insurance and pension products and provides related financial services.  The following companies in Bulgaria also belong to the KBC Group: DZI – General Insurance EAD, DZI – Life Insurance EAD, KBC Asset Management – KLON, UBB Interlease AD, KBC Leasing Bulgaria EOOD, UBB Insurance Broker Bulgaria EOOD, UBB Insurance Broker EAD, , UBB – Center Management EOOD, UBB Pension Insurance Company EAD, as well as KBC Group – Branch Bulgaria. KBC group’s main target groups are individuals, SME’s and corporate clients. KBC Group operates mainly in Belgium, the Czech Republic, Slovakia, Hungary, Bulgaria and Ireland.

In general UBB AD is a controller with respect to the personal data of its clients.

There may be cases when UBB acts in its capacity as a personal data processor for other data controllers, for example:

• As an insurance agent on behalf of other legal entities within the KBC Group – DZI – General Insurance EAD, DZI – Life Insurance EAD;
• As a distributor in the sale of products of KBC Asset Management – KLON (legal successor of UBB Asset Management);
•  Upon sale of the products of UBB Pension Insurance company EAD;
• When serving customers - users of household and utility services;
•  When providing other services permitted by law to legal entities – partners within KBC Group.

In these cases, upon performing the respective activity, UBB AD processes data of natural persons by following the personal data controllers’ instructions.

In exceptional cases UBB AD and the KBC Group entities in Bulgaria may act as joint personal data controllers, since they have a common purpose and common means for its achievement.

a. "Personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a personal identification number, location data, gender, address, telephone number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b. "Processing of personal data" any operation or set of operations which is performed on personal data whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

If you are a person whose personal data is processed by UBB under the General Data Protection Regulation, effective since 25.05.2018, you have the following rights that you can exercise:

a. Right to access - Upon your request, as a Data Subject, the Bank shall provide information about the categories of personal data relating to you, which are being collected and processed by the Bank, and information about the purposes of the processing, the recipients or categories of recipients to whom your data is disclosed and the sources of this data, except the cases when the data was collected directly from you.

b. Right to rectification – upon your request, as the Data Subject, the Bank is obliged to rectify incorrect and/or to fill incomplete personal data related to you. In such cases the Bank shall notify any third party to whom your personal data has been disclosed, of all rectifications and supplements to your personal data.

c. Right to restriction of personal data processing – upon your request the Bank may restrict the processing of data related to you, upon presence of any of the following conditions:

• in case you dispute the accuracy of the data processed by the Bank for you – for a period necessary to verify their accuracy;
• upon establishment that the data processing is unlawful, but you wish your data not to be erased, but instead its usage to be restricted;
• upon your request, in case the Bank no longer needs the personal data for processing purposes, but you require it for the establishment, exercise or defense of legal claims;
• you have objected to the processing as per Art. 21, Para. 1 of the General Data Protection Regulation and are awaiting the results of the verification whether the Bank’s legitimate interest prevails over your interests as a Data Subject.

d. Right to erasure ("the right to be forgotten") – upon your request the Bank may erase your personal data, generally, when there is lack of or no longer compliance with the ground for its processing, or there are legal grounds for its erasure. Your request for erasure of your data may be refused in case essential circumstances require the processing to be continued. The judgment is made on a case-by-case basis, taking into account the specific circumstances. In this case, the Bank notifies any third party to whom your personal data has been disclosed, of all erasures it carried out, as well as of the events of discontinuation of processing of your personal data.

e. Right to data portability – In your capacity as Data Subject, you have the right to request to receive the personal data concerning you, which you have provided to UBB, in a structured and commonly used and machine-readable format and you have the right to transmit/transfer that data to another Controller without hindrance from UBB as personal data controller, to whom the data was provided, where the processing is based on consent or on a contract or the processing of your personal data is carried out by automated means.

f. Right to object – In your capacity as Data Subject, you have the right to object to the processing of your personal data when the processing of personal data is based on the Bank's legitimate interest. UBB shall review your objection and shall provide its opinion in writing within 30 days unless this term needs to be extended, for which the Bank will notify you in due time. After reviewing the objection, the Bank will generally discontinue the processing of your personal data and will notify all interested parties to whom the personal data have been submitted of the objection received and of the measures taken in this regard. In some cases, however, the Bank has an indisputable legal basis to continue the processing of your personal data even after receiving your objection (for example, in cases of lawsuits, fraud surveillance, etc.). In such cases UBB will contact you to clarify the reasons why it will continue to process your personal data. If your objection concerns the processing of personal data for direct marketing, including also the elaboration of models, based on which various products/services may be offered, the Bank will suspend unconditionally the processing of your data for that purpose.

g. Right not to be the subject of a fully automated decision involving profiling - as a Data Subject you have the right not to be the subject of a decision based solely on automated means, unless you have given your explicit consent to this or in cases where the automated processing is necessary for the conclusion and execution of a contract to which you would be a party. In addition, when there is an automated decision-making, you have the right to express your opinion, to challenge the decision, as well as to request the participation of our employee to perform a reassessment (i.e. human intervention).UBB will inform you in advance if it uses fully automated personal data processing, and will provide clear information about the concepts that the respective software would take into account when making the decision.

h. Right to withdraw the consent given for personal data processing for the purposes outlined in the Declaration of Consent. The withdrawal can be done via a consent withdrawal declaration form that is available at the Bank’s offices or by turning off the consent button (opt-out) in UBB mobile banking. The withdrawal of your consent does not affect the lawfulness of the processing of your data carried out up to that point.

i. Right to lodge a complaint with the Commission for Personal Data Protection (CPDP) – In your capacity as Data Subject, you have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP) against the actions of UBB in connection with the processing of your personal data. In the cases when you exercise your rights in a data subject’s capacity you need to prepare a detailed description of your request submitted to the Bank, as per a sample form, available at any UBB branch throughout its branch network. Upon exercising your rights UBB shall have to verify your identity, to eliminate cases when somebody else pretends to be you. For the purpose the Bank may ask you for an ID card or for another identification document, when providing you with the information, requested by you. The said rights can also be exercised through a third person, who has been explicitly authorized to submit and sign documents on your behalf as a Data Subject.

You can exercise your rights electronically by sending an email to dpo@ubb.bg with a free text application with mandatory indication of full name, identification number (PIN/PNF) and contact details along with a description of your request. You can sign the request in question with a QES, in case you have such. If you do not have a QES, please, note thatprior to sending a reply to your request in the manner, indicated by you, the Bank is obliged to make an additional check and establish contact with you, in order for you to confirm your identity and make sure that it is not another person, pretending to be you.

We will provide a reply to every request of yours without unnecessary delay within a 30-day period of its receipt. If we are unable to fully handle your request within one calendar month (given its complexity, need of assistance by a third person or the number of requests), we may extend the above period and will explain to you the reasons for that. In case you have asked the Bank to send a reply to your query by email, please, bear in mind that the file, containing your personal data will be protected with a password, which password will be send via an alternative channel by a UBB AD employee.

Apart from that, you may ask in writing various questions about the processing of your personal data by the Bank, both in your service office and electronically at dpo@ubb.bg.

If you do not agree with the UBB's opinion regarding your inquiry or if you wish to receive more information, please visit the website of the Commission for Personal Data Protection at www.cpdp.bg where you could file a complaint.

When UBB has received your personal data from third parties, e.g. the National Social Security Institute, the Central Credit Register maintained by the Bulgarian National Bank (www.bnb.bg) or from ESGRAON, maintained by the Ministry of Regional Development and Public Works, you may file a complaint against the actions of these third parties directly to them.

In the cases when the Bank and companies from the Group act as joint personal data controllers, the Data Subjects could exercise their rights with the company, which customers they are, by submitting an inquiry to the following email addresses:

• For UNITED BULGARIAN BANK AD (UBB), Company ID 000694959 – dpo@ubb.bg
• For DZI – LIFE INSURANCE JSC, Company ID 121518328 and for DZI – GENERAL INSURANCE JSC (DZI JSC), Company ID 121718407 - dpo@dzi.bg
• For UBB PENSION INSURANCE COMPANY EAD (UBB PIC), Company ID 121708719 –DPO@ubb-pensions.bg
• For UBB INTERLEASE EAD, Company ID 831257890 – interlease@interlease.bg
• For UBB INSURANCE BROKER EAD, Company ID 175280478 – ubbib@ubb.bg

The KBC Group companies will cooperate in the gathering of information and the elaboration of replies, pertaining to personal data, which data are being processed for the purpose, regarding which the parties act as joint personal data controllers.

The exercise of your rights can not be opposed to the provision of your personal data to the competent authorities for the prevention, investigation and detection of criminal offenses.

In the course of its activity, UBB AD processes various types of personal data, which are grouped into the categories specified below. Depending on the specific products and/or services you use, UBB AD processes some or all of the listed data. Such data may be obtained from you as the data subject, from third parties, or may be generated by the Bank in connection with your customer service. 

4.1. UBB may process different types of data, depending on the purpose of the processing, such as:

A) Basic data 

In order for us to be able to offer standard products and services similar or related to the ones used by you (so-called basic marketing – for more information refer to section 6.4.k of this document):

• full name
• phone number – mobile/fixed/home/business
• email address
• permanent address (street, number, zip code, city, country)
• current address (street, number, zip code, city, country)
• information about the products you use with UBB AD and other banks in relation to application for credit products, 

The specified data is the basic data that UBB processes in order to identify you in its capacity as your service bank. The Bank will mainly use your contact information to make an offer to buy standard banking products that match your expectations as it has an interest in making you offers as a Bank.

B) Extended data:

The Bank may process some or all of the "Extended Data" categories listed below in order to achieve the purposes described below, only if it has a legal basis to do so.

a) to identify you: 

• full name
• place/country of birth
• date of birth
• nationality (citizenship)
• sex
• permanent address (street, number, zip code, city, country)
• current address (street, number, zip code, city, country)
• a previous (old) address
• data from an ID card/another identity document (passport/driving license/document for long-term/permanent residence)
• specimen signature
• client number
• national registration number/Personal ID number/personal number of a foreigner
• VAT number/VAT address
• IP address of a computer/other device used to access bank accounts
• Employer
• Online identifiers, username, password, log data
• your qualification, occupation and professional experience as well as income source
• risk profile
• your marital status/kinship ties
• Details of legal and authorized representatives, owners/beneficial owners of the capital, participating jurisdiction in which the person is resident for tax purposes
• Device-specific information (for example, hardware model, operating system version, unique device identifiers, and mobile network data, including phone number).

b) to contact you: 

• phone number – mobile/fixed
• email address
• permanent address (street, number, zip code, city, country)
• current address (street, number, zip code, city, country)
• similar details of contact persons related to you. 

c) to provide you with the right advice and services:

• your products, account numbers, your financial products (payments, loans, insurance, savings, investments)
• operations and balance on your accounts - this type of data will be processed according to the requirements and restrictions imposed by the applicable laws.
• Your potential interest in UBB products
• History of your financial information and advice we have given you in the past
• Your client profile, created on the basis of information on payment transactions, transactions on your accounts, your investment portfolio, your card, balances and account balances, etc.), UBB can analyze your behavior and identify your needs. The bank may use this profile to analyze more effectively which banking and/or insurance/investment products are best suited to you; ability to bear losses in investments in financial instruments and insurance-based investment products.
• Your marital status, the members of your household collected as data including from external sources such as the ESGRAON register.
• Your financial status – UBB can offer you more appropriate advice if it is aware of your overall financial standing (your total assets, property, income, relatedness between parties, etc.).
• Car registration number data - in connection with the use of bank insurance products and services.
• Data on your indebtedness collected from the Central Credit Register (CCR) databases, as well as data on the amount of your insurance income, the insurer, and other information about your insurance status received from the National Social Security Institute (NSSI). The data is necessary for the Bank to assess your creditworthiness in order to offer you appropriate banking products and services.
• Your education, qualifications, knowledge and professional experience, position held.
• Your health – as a data processor on behalf of DZI General Insurance or DZI Life Insurance UBB may process information in relation to insurances (for example, in order to execute life insurance). Strict procedures are in place for the processing of such information in the amount needed to fulfill the processing purpose and upon presence of legal grounds for this. As a party to Group insurance policies, concluded with DZI, UBB AD acts in its capacity as a policyholder for the purposes of effecting the specific insurance contract and as a personal data controller of the insured persons – clients of the Bank, which provides to the insurer.
• It is possible, on the occasion of restructuring and deferral of your loan obligations for the period of emergency, announced by a decision of the National Assembly of the Republic of Bulgaria in connection with the pandemic of COVID-19 UBB to process personal data about your health, but only after express written consent provided by you to process your data for the specific purpose.
• In other cases, when for the purposes of a specific product (e.g. donation account, etc.) the collection of such information is necessary, the Bank may process data on your health, insofar as there is an explicit legal basis for this.
• Data about your account, names, telephone number and list of contacts from your telephone will be processed by the Bank only upon your explicit consent in line with the registration and use of the Transfer to Mobile Number (Blink P2P) service in the mobile banking app of UBB (UBB Mobile/KBC Mobile). The data will be processed for the particular purpose, respectively after deactivation of the service the Bank shall immediately terminate the access to and the processing of your personal data for the particular service purposes
• Feedback, comments and suggestions, as well as previous complaints. They can definitely help UBB offer you better service in the future.
• Recordings of telephone conversations in the Contact Centre – upon your explicit consent
• Data in line with suspended fund transfers - for security reasons in may be possible that fund transfers, ordered by you through the digital channels of the Bank may be suspended, as a result of which within a conversation, held with a Contact Centre employee of the Bank, which conversation is being recorded, it is possible to have you duly identified by the last 4 digits of your Personal ID Number and the ID Card’s date of issuance, after which a confirmation will be requested of the fund transfer key requisites (beneficiary's names and account, amount and currency, fund transfer date, payer’s names and account

d) in connection with your participation in games and raffles organized by UBB and/or its partners, and for declaring a received cash prize under the Personal Income Tax Act:

• Identification data – three names and Personal ID number (if necessary). Your personal data will be processed by the Bank in connection with the fulfillment of the obligations under the Personal Income Tax Act.
• Contact details
• Transaction details /card number details (depending on the conditions of the specific game/raffle)
• Photo material - with your explicit consent.

4.2. Sources of personal data

UBB AD collects the above data in the following ways:

4.2.1. Information that you provide to us, i.e. directly from you;

4.2.2. Information that third parties provide to us (e.g. our customers, government bodies/institutions, financial institutions, our partners, administrators or shareholders of the Bank, persons related to you and your business, persons performing public functions, payment service counterparty and etc.);

• from members of your family, e.g. when declaring the circumstances, which could be a conflict of interest upon collection of arrears;
• from credit intermediaries in order to prepare a loan proposal, or
• from persons related to you, pursuant to § 1, sections 4 and 5 of the Additional Provisions of the Credit Institutions Act, as well as in connection with item 93 of the EBA Guidelines on loan origination and monitoring;
• from credit applicants when mortgagors do not conclude a loan agreement and their data is necessary for the preparation of mortgage agreements , as well as if you are a guarantor, a co-debtor under a loan agreement concluded with the Bank, a payer under an agreement for factoring or another type of financing provided from the bank;
• from administrators of the Bank in connection with the declaration of a conflict of interest under Art. 51 of the Credit Institutions Act;
• from clients legal entities – in cases of payroll of the legal entity’s employees, payment of dividends to shareholders in the legal entity, etc.
• from clients of an insurance product, which have joined a Group Policy, concluded between UBB and the insurance company – in cases of insurance of a third natural person by a client;
• from our customers - when you are acting in your capacity as a representative (legal or authorized) of our customer or because you yourself are in the process of submitting an application for our product or service;
• when you or a person you represent are the recipient of a payment service performed on the order of our client or a client of a bank for which we are a correspondent bank;
• when you or a person you represent are the orderer of a payment service performed for the benefit of our client or a client of a bank for which we are a correspondent bank;
• when you are a cardholder on the account of our client;
• when you or a person you represent are a beneficiary under a bank guarantee or a documentary letter of credit or a person on whose order the Bank issues a check or in whose favour a check payment is made;
• where you are directly or indirectly involved in the ownership of a legal entity that is or wishes to become our customer, we are required to identify its beneficial owner in fulfillment of our obligations under the DPA;
• when you or a person represented by you are a member of the bodies of a legal entity that is or wishes to become our client and the decisions of the relevant body concern our relations with this legal entity;
• when there is a relatedness (including economic) between you and a person who uses or wishes to use a credit service from us or there are relationships that are a source of repayment of financing provided by us (including in cases where you or the person you represent is a debtor on a receivable that has been or is being acquired by us) or the receivables in connection with these relationships serve or will serve as collateral for financing provided by us, as well as in cases where you are in contractual or pre-contractual relationships with our client on the occasion of entering into a transaction subject to financing by us;
• when you have been named as a contact person by our client or by a person with whom we have a contractual relationship;
• when the bank is a party to a contract under which you are a third-party beneficiary;
• when your data has been provided to us in an inquiry or instruction concerning you or a person represented by you, sent by a state body/institution or a person performing public functions (e.g. a private enforcement agent); ▪

Before you provide us with data belonging to a third party, you must ensure that you have informed them and have their consent or other lawful basis for doing so. It is also necessary to familiarize him/her with the present information applicable to the processing and protection of his/her data within our organization. In the event that it is established, with or without the assistance of the competent authorities, that data about a third party has been provided without the existence of a legal basis or without the consent and/or knowledge of their subject or in another illegal way, UBB AD will delete the personal data, making the necessary efforts to immediately notify the subject of this data, as far as possible.

4.2.3. Information that we receive when our services are being used by you, by a person you represent, or by a client of ours who has provided us with access to your data stored by him/her for the purpose of using a service through our mobile application;

4.2.4. Information available in public records: 

• from official public registers (e.g. Trade Register, Lacorda, Apis), which are responsible for storing this information in a legal manner. Public data may be processed for the purposes listed by UBB in this document to verify the accuracy of the information in the Bank's database;
• through the medium for inter-register exchange (RegiX) – the Bank is provided with the possibility of automatically extracting data from main registers, among which are the National Database "Population", the BULSTAT register, the Property Register, the Commercial Register, the Register of Obligations to the Customs Administration, the Register of Bulgarian identity documents, etc.
• Via Evrotrust in their capacity as a national electronic authentication scheme.

4.2.5. "Cookies" and similar technologies; 

4.2.6. Internet; 

4.2.7. Video and audio monitoring and recording in and around the Bank's premises; 

4.2.8. Other sources

4.3. Location

In case you want to visit an office of UBB or you want to schedule a meeting with a UBB’s employee, your location data will be used to find the closest office of UBB or to arrange a meeting with a representative of the Bank. This data is only processed if you allow access to your location on your device (computer, mobile phone, tablet, etc.). In case you do not wish UBB to process data related to your location, please change the settings of your personal device. 

4.4. Telephone calls 

During the performance of its activity, UBB may record and listen to the conversations with you. Such actions are necessary to ensure security of the processes and also as evidence of the instructions given by you, in relation to training of staff, as well as to improve the quality of products and services. Recordings of phone conversations are stored as evidence of the customer instructions. Records include phone calls with the Contact Center or the Dealer's Office of the Markets and Investment Banking Directorate.

4.5. Video images from security cameras 

UBB can use security and CCTV cameras inside and around the premises of the Bank. UBB fully complies with the legal requirements for installation and use of CCTV cameras. If there are CCTV cameras installed in an office of the Bank, you will be notified via a sticker located in a prominent place. Recordings of CCTV cameras inside and outside UBB offices (indicated with a sticker) are kept for one month. They may be stored for a longer period of time in the following cases:

• the records will be used as proof of a specific relationship, a crime or a misdemeanor;
• records will be used as evidence of damage or to identify a criminal, a public order offender, a witness, or a victim.

4.6. Transaction details 

UBB processes data for your transactions, including amount and reason for the payment, destination, data about the payer / beneficiary, etc. It is possible that the Bank transmits them to other Bulgarian and foreign financial institutions that execute payment or settlement instructions in order to effect the transaction.

The Bank may also process your data, including to provide it to other Bulgarian or foreign financial institutions (correspondent banks), to prevent or detect money laundering, financing of terrorism, frauds or other unlawful practices.

4.7. Data on minors/under-age persons or persons subject to full / partial guardianship

In case the Bank processes data on minors/under-age persons and persons subject to full / partial guardianship, such processing is made upon explicit written consent pursuant to the requirements of the Law of Persons and the Family, as follows:

• for persons under 14 years (minors) – with a written consent of the adult exercising parental care (parent, adopter);
• for persons between 14 and 18 years (under-age)  – with a written consent of the under-age person and confirmation of the person exercising parental care (parent, adopter).
• for persons subject to full guardianship – with a written consent of the legal representative (guardian) of the person subject to full guardianship.
• for persons subject to partial guardianship – with a written consent of the person subject to partial guardianship, and confirmation of his/her legal representative (custodian).

4.8. Data collected via the Bank’s corporate website

UBB processes data of its clients and visitors of the corporate website of the Bank www.ubb.bg and related pages, submitted through digital portals/feedback forms, as well as through forms related to alerts and inquiries, calculators and meeting requests.

According to the case, such data may include:

• full name, personal ID number (depending on the needs of the feedback form, the field could be mandatory, alternative with an option to specify a client number instead, or optional);
• video images – for the purposes of conducted video calls, as a recording of the video conversations is not stored;
• telephone / address / e-mail address/ other contact details;
• information about your capacity as a Client / person, which is not a client of UBB;
• additional information provided at the discretion of the Data Subject (in the form of attached files / free fields / during a video conversation). 

UBB hereby informs you that as a Data Subject you are responsible for the content and the admissibility of provision of additional information at your discretion. We advise you prior to providing information, which contains personal data of third parties, to inform them of your intention. Pursuant to the requirements of the Personal Data Protection Act, when the Data Subject provides the Bank with personal data without legal grounds or data in contradiction to the Regulation, within a one-month period from the moment of becoming aware of it, UBB returns it to the Data Subject, unless this proves impossible or involves a disproportionate effort, it erases or destroys them.

UBB processes the personal data received via the corporate website for the time required for the service and only for the purposes of the specific inquiry /alert/ request, and the video images – for the time of having a video meeting at the initiative of the client or the Bank, without storing a recording of the meeting. The data is submitted voluntarily by the Data Subject once it has been acquainted with the present Information and upon presence of the respective legal grounds it is processed by the Bank (e.g. video images are processed only upon the client’s consent) 

4.9. Social media and third party websites

If you decide to access the official UBB social media page (e.g. Facebook, Instagram, LinkedIn), your profile there can also be shared with us. The scope of the personal information provided depends entirely on the privacy settings you set in your account in the relevant media. In these cases, we advise you to read the privacy statement of the social network provider in advance.

4.10. Data related to the use of the mobile application UBB Mobile (UBB Mobile App)

UBB Mobile and ‘Push’ notifications 

The 'Push' notification is a message from the UBB Mobile application that appears ("pops up") on your mobile device. You could receive a ‘Push’ notification from us for our services, as a reminder to complete a product request through UBB Mobile, as information, etc. When you download or update the UBB Mobile application, you will be asked to give consent to the inclusion of location and notification services. You can choose to turn off these services for your mobile device at any time.

KATE

As a UBB customer, you could, if you wish, take advantage of the personal digital assistant KATE service, available in the UBB Mobile mobile application. At the moment, two versions of Kate are already available - standard (basic) and proactive (advanced) Kate. Each customer can choose a version of the service according to their needs and preferences

• When choosing the standard version of Kate (basic Kate), you can ask her your questions related to the banking and/or insurance products/services you use. The questions that you can ask KATE are predetermined and described in detail in the General Terms and Conditions (GTC) for the use of the service - digital personal assistant (KATE). They can be set on your initiative through voice messages or through written messages in chat. In the event that KATE cannot assist you on a given matter, you will be directed to the Bank's Contact Center. KATE uses a limited amount of your personal data when responding to your inquiries or assisting you to improve your customer experience. They are processed entirely on the basis of the performance of a contract, after acceptance of the Bank's Terms and Conditions for the use of the digital assistant and for the purposes of the specific service. If you do not ask questions to the digital assistant KATE, she will not process your personal data.
• When choosing the proactive Kate version (advanced Kate), the customer will be able to benefit from the personalized assistance of a more advanced digital assistant. In addition to answering the questions posed by the client, Kate will send messages/notices or proposals for the purchase of products and services offered by the Bank or other KBC companies in Bulgaria entirely on her own initiative. In order to be able to provide individualized assistance in accordance with your needs and requirements, Kate will carry out a detailed analysis and process a significant volume of personal data, for example transaction data, UBB products and services used, as well as information about your customer profile. Personal data will be processed in full accordance with the requirements of current legislation in the presence of relevant legal grounds and depending on the type of functionality for which the Digital Personal Assistant service is used, namely - contractual basis or explicit and unequivocal consent. A full description of the functionalities is available both in the Special Terms and Conditions created for the service and in the UBB Mobile mobile application. The proactive version of Kate can be deactivated at any time, thus the customer will be able to continue using the standard version of the digital assistant. Disabling the service will not affect the use of the mobile application.

Conversations with Kate, including the texts of the voice messages are processed by the Bank in connection with the performance of the service and the improvement of customer service. After the specific purpose ceases to exist, in accordance with the requirements of the applicable legislation for the protection of personal data, the information exchanged in the conversations is deleted immediately

4.11. Data collected through the use of cookies 

When using the website information about your stay, behaviour, searches, etc. might be collected through the so-called “cookies”. The amount of such information depends on the cookie settings you have chosen, and the data will be processed for the respective purposes for which you will be notified in the respective electronic channel. More information on the topic can be found in Information on the use of cookies on the UBB website, available at www.ubb.bg. When using electronic channels for UBB services and products like mobile banking, your personal data may be processed in order to improve your customer experience. 

4.12. Automated Individual solution: 

When you apply for certain credit products, including pre-approval of a mortgage loan, the Bank performs automated processing of your data (so-called credit scoring), which is necessary for the purpose of making responsible, fair and informed decisions on granting loans, providing unified standards for the assessment of customers, speeding up the credit approval process with minimized opportunities for mistakes and the elimination of the subjective factor in decision-making. These decisions are individual for each customer and refer to the approval for granting the credit, being based solely on automated processing of your data. As a result of the processing and analysis, we could approve or refuse to provide you with the credit product you have requested.

The assessment uses data from three sources: 

1. Request for a loan, submitted by you and the additional information provided when applying; 

2. data contained in public registers (e.g. Central Credit Register at the BNB, NSSI, Trade Register, Property Register); 

3. data we already hold (e.g. if you are already our customer) – if you have applied for a loan and it has been refused, if you have been included in the lists, prepared in line with the application of the requirements of the Measures Against Money Laundering Act (MAMLA) and the Measures Against Financing of Terrorism Act (MAFTA)..

Credit scoring is a mathematical evaluation method that is based on a thorough statistical analysis of a set of data, including your personal, economic, social information and family identity, including the information available in public registers, and gives an assessment of the probability of performance, respectively non-performance by the client. The basis of the assessment is the comparison between the available customer information with the parameters of the credit policy, the credit limits for the relevant product/service and the possibilities for exceptions. This allows us to determine whether we can provide the respective customer with the credit service we offer, to offer a product/service that meets his/her needs, as well as pricing conditions that match his/her risk profile. Credit risk assessment methods are reviewed periodically to ensure they are fair and adequate.

Personal data is generally processed by the employees of UBB. The processing of personal data may also be carried out by personal data processors with whom the Bank has signed a contract for this purpose and who perform activities forming part of the Bank’s services. Where there is a legitimate reason, personal data may be provided to other Controllers to use them for their legitimate purposes. 

a. Personal Data Controllers to whom UBB may provide personal data:

• Bulgarian National Bank (BNB)
• European Central Bank (ECB)
• Commission for Personal Data Protection (CPDP)
• Commission for Consumer Protection (CCP)
• Commission for the Protection of Competition (CPC)
• Commission for Protection against Discrimination (CPD)
• Central Credit Register (CCR)
• National Revenue Agency (NRA)
• National Social Security Institute (NSSI)
• National Health Insurance Fund (NHIF)
• Card and payment service and system operators like Borica AD, the international card organizations VISA and MasterCard, Bisera, Rings and other persons specialized in processing transactions with payment instruments, including RPC (Regional Processing Center, Bratislava)
• external auditors, which have concluded agreements with UBB
• Specialized Administrative Directorate "Financial Intelligence”, the State Agency for National Security, General Directorate Combating Organized Crime
• Judicial bodies (courts, the Prosecutor's Office, National Investigation Service)
• Supreme Judicial Council
• Central Depository
• Bulgarian Stock Exchange (BSE)
• Financial Supervision Commission (FSC)
• Ministry of Interior
• Commission for Combating Corruption and Confiscation of Illegally Acquired Property (KPCONPI)
• guarantee funds and financial institutions, such as the European Investment Fund, Fund Manager of Financial Instruments in Bulgaria, the National Guarantee Fund, the European Bank for Reconstruction and Development, the European Investment Bank, the Bulgarian Development Bank, with which UBB has concluded guarantee or other financial agreements, the European Commission, the European Court of Auditors, the European Anti-Fraud Office (OLAF), the European Public Prosecutor's Office and any other body or institution of the EU, including such on national level, entitled with functions to monitor, audit and control, as well as their authorized representatives. The above institutions and bodies may access your data in your capacity as customer or a third person, linked to the credit relations in view of the fulfillment on the part of UBB of the obligations under the Agreements and exercising by the institutions and bodies of their functions on monitoring, audit and control on the Agreements, as well as their public disclosure
• Register of bank accounts and safe deposit boxes /RBASDB/
• Assignees with whom the Bank concludes contracts
• Couriers and postal operators
• Mobile operators
• External lawyers and law firms, which have concluded agreements with UBB, public/private enforcement officers
• Notaries, the bodies of the Chamber of Notaries of the Republic of Bulgaria, the Registry Agency, the Central Register of Special Pledges
• KBC Group and the Group entities in line with the fulfillment of the requirements of the legislation on the measures against money laundering – upon the elaboration and use of money laundering ascertainment models
• Other companies within KBC Group, in their capacity as personal data controllers - UBB AD could share your personal data in your capacity as a customer or a supplier with KBC Group companies when the sharing of data is necessary for the purposes of the legitimate interests of UBB AD or another KBC Group company. Without limitation as to the above stated, the Bank may share your personal data with KBC Bank AD for the purposes of preparing and carrying out the integration process, in which both banks are involved.
• Commercial companies with which the Bank has concluded contracts for opening of an account of employees/agents for payment of labour and other remuneration (payroll) - in these cases the Bank provides data for the full name and number of the bank account opened in the name of the employee/Bulgarian and foreign banks and other financial institutions
• Bulgarian and foreign banks and other financial institutions
• Eurotrust Technologies AD as a provider of electronic certification services
• Insurers, including the Bulgarian Export Insurance Agency (BAEZ) EAD, including the sole owner of the capital of BAEZ EAD in the person of the Minister of Economy
• persons to whom the Controller has assigned credit collateral evaluation (external appraisers)
• companies managing databases in which UBB carries out legally regulated checks in connection with compliance with restrictions on accepting clients related to money laundering and/or included in sanction lists - WorldCheck, HIS Markit
• Other recipients of data whose activity is legally regulated.

In the event of changes to the list of personal data controllers to whom personal data is provided, UBB will update this document.

b. Personal data processors are:

Individuals or legal entities, public authorities, agencies or any other body which processes personal data on behalf of the controller.

As part of the KBC Group, UBB may assign certain data processing operations to other processors in the Group. Some of these data processing activities, commissioned by UBB, are related to controlling and support functions such as: 

• financial reporting
• compliance
• risk
• marketing
• ICT management
• internal audit
• a research team that develops models for improvement of services and products. 

UBB may directly or indirectly use other data processors with whom it has signed a contract, such as: 

• persons, who are assigned to draw up, put together and deliver information forms to the Bank;
• persons assisting the bank in relation to servicing and debt collection; 
• persons to whom the Controller has assigned the processing of personal data for organizational reasons;
• suppliers of products and services for the Bank;
• companies, providing information and communication technologies in order to facilitate the work of the operation systems and services;
• companies, providing maintenance of the Bank’s operating systems and/or providing access to registries maintained by primary data controllers through the Regix inter-registry exchange medium, SMS providers, other than the mobile operators;
• agencies for market research / for organizing games and raffles;
• companies, which, assigned by the Bank, on its behalf and at its expense make commercial offers via technical means of communication -  as long as there are legal grounds for such offering;
• companies specializing in archiving digital information and access;
• companies from the KBC Group, in or outside the European Economic Area (EEA) for outsourcing activities by the Bank (in cases of outsourcing (a part) of the activity) in compliance with the requirements of the applicable legislation.
• Companies, offering cloud services - Platform as a Service (PaaS) and Software as a Service (SaaS) in the cloud – Microsoft, Amazon, Google.
• Companies, assisting UBB AD upon the identification and analyzing the behaviour of customers in the applications and on our webpage (Google Analytics) 

UBB AD takes the necessary measures to ensure that the persons involved in the processing of personal data strictly comply with the legislation on the protection of personal data and the Bank's instructions, as well as that they have taken appropriate technical and organizational measures to protect personal data.

c. Recipients outside the European Economic Area (EEA)

• UBB insists that the processing of personal data should be made within the European Union. Given the nature of certain processes (for example, when 24/7 maintenance is required), it is possible that personal data could be transferred to personal data processors outside the European Economic Area. The Bank may transfer personal data to recipients from countries, which are not part of the European Economic Area (third countries), on condition that they have ensured an adequate level of personal data protection as per the local and the European legislation
• Even if the data centre is located within the European Economic Area, it may in certain cases be accessed from countries outside the European Economic Area (for example, in case of technical problems or when 24/7 maintenance is needed). This shall be also deemed transfer of data outside the European Economic Area.
• For certain processes the data centres of the Personal Data Processors may be located outside the European Economic Area or access to those may be effected from territories outside the EEA, as is the case with the United States of America. Even if the transfer of data is subject of an adequacy mechanism (such as the data protection framework between the EU and the USA in the United States of America), UBB shall employ efforts to ensure that the third parties in question provide an adequate level of protection
• Your personal data may be provided to third parties outside the EEA, which are not treated as countries having adequate level of personal data protection, on condition that a detailed assessment has been made of the impact of the transfer of data on the rights of the personal data subjects, and respectively based on the assessment made the agreements for personal data processing and transfer, concluded between the parties shall have to envisage and stipulate Standard Contractual Clauses (SCC) approved by the European Commission, or any other data transfer instrument. UBB shall initiate all necessary measures for the protection of your personal data, if their processing necessitates to have them provided to a third party in or outside the European Economic Area.

Personal Data Processor/ Personal Data Categories:

- Microsoft / Basic data for identification and contact, data linked to owning and using the product, etc.

- Amazon / Basic data for identification and contact, data linked to owning and using the product, financial data, etc.

- Google (Analytics) / Basic data for identification and contact, data linked to owning and using the product, financial data. Data and others.

- Bloomreach (Exponea) / Basic data for identification and contact, data linked to owning and using the product, financial data, etc.

• In a similar manner, in cases when the data is being transferred to another personal data controller in a country outside the European Economic Area, such data transfer shall be checked by UBB and the necessary measures shall be applied.
• Certain examples of personal data controllers outside the European Economic Area, which may receive personal data from KBC, are:

- Personal Data Controler: Google

- Country: USA

- Personal Data Categories: Basic data for identification and contact, data linked to owning and using the product, etc.

Some of the recipients mentioned above may be established outside the European Economic Area. The Bank may transfer personal data to recipients from countries that are not part of the European Economic Area (third countries), provided that an adequate level of personal data protection is ensured in accordance with the local and European laws. Your personal data may be provided to third countries outside the EEA, which are not treated as countries with adequate level of personal data protection, provided that the agreements concluded between the countries for processing and transfer of personal data, include standard contractual clauses (SCC), approved by the European Commission and after a detailed assessment of the impact of the transfer on the rights of the personal data subject is carried out. UBB will take all the necessary measures to protect your personal data if its processing requires their transfer to third parties in or outside the European Economic Area. 

Personal Data, collected by the Bank in its capacity of Personal Data Controller, are processed for different purposes on different lawful basis, as follows:

6.1. Purposes, where personal data processing is based on legal obligations: In cases where a number of statutory obligations provided for in various legislative acts apply to UBB AD, both at the national level and in accordance with EU legislation, with a view to their implementation, the Bank processes your personal data to comply with the relevant obligation that applies towards it. 

a. Your identification as client of the Bank and authentication of your personal data, including identification of persons whose data have been provided in connection with banking products and services offered by the Bank (e.g. guarantor, co-debtor, mortgagee and/or pledged debtor, debtors on receivables acquired by the bank, legal representatives of legal entities, proxies), to identify originators and recipients of payment services and the accurate execution of payment services, to identify third parties using the services provided by the bank (e.g. beneficiary under a bank guarantee or documentary letter of credit, a person in whose favour a payment is made under a check, a third party, in whose favour a bank deposit has been opened), to identify persons using a service through our online and mobile application - the basis for processing the data for this purpose is the Measures Against Money Laundering Act and the Regulations for its Implementation. The Provision of personal data is voluntary or carried out in compliance with a legal requirement. In case of refusal to provide them, UBB AD will not be able to provide the requested banking product or service.

b. Client profiling by the Bank based on risk assessment – Client profiling is made by the Bank pursuant to the Law on the Measures against Money Laundering and the Rules on the Implementation thereof (based on the said legal acts, the Bank performs client and transaction approval and monitoring according to the risk profile). 

c. Controlling data in order to prevent money laundering, embargo and anti-terrorism actions – The processing of your data is related to measures and actions taken by the Bank to prevent, detect, investigate and report suspicious transactions to the Financial Intelligence Agency under the Measures Against Money Laundering Act and the Regulation on its implementation; The entities of KBC Group in Bulgaria are obliged to apply the requirements of the currently effective legislation (Art.80, Para.3 of MAMLA) and the internal rules of the Group, based on which and on condition that they belong to one and the same group they are entitled to exchange certain type of information, collected or pertaining to the prevention of money laundering or to the prevention of the financing of terrorism. To this end the KBC Group companies in Bulgaria shall exchange information about common customers, regarding whom suspicious transaction or suspicious activity reports have been filed, as well as the information about termination of relations with such customers.  

d. Client profiling with the purpose to provide services, connected with financial instruments (stocks, bonds, derivatives, shareholdings, etc.) – The Bank performs client profiling, based on a questionnaire for creating a risk profile with the purpose of providing investment services in compliance with the requirements of the Financial Instrument Markets Act and Ordinance No. 38 of the Financial Supervision Commission on the requirements to the investment intermediries' activity.  

e. Exercising control with the purpose of preventing the cases of non-compliance with the Financial Instrument Markets Act and Ordinance No. 38 of Financial Supervision Commission on the requirements to the investment mediators' activity – the control includes all actions for preventing, detecting, investigating and further implementing the necessary measures to deal with non-compliance cases, connected with the Financial Instrument Markets Act and Ordinance No. 38 of Financial Supervision Commission on the requirements to the investment mediators' activity. These activities could be based on clients’ profiles, created during the provision of investment services pursuant to the Financial Instrument Markets Act and Ordinance No. 38 on the requirements to the investment mediators' activity.

f. Exercising control with the purpose of preventing and disclosing market abuse. The Bank processes your data in order to take action to prevent, detect, investigate and further implement the necessary measures while investigating cases of suspected market abuse under the Market Abuse of Financial Instruments Act.

g. Reporting to government and control bodies – taxes, requirements of the Foreign Account Tax Compliance Act (FATCA) and amendments to the Tax and Social Insurance Procedural Code (TSIPC) relating to the automatic exchange of financial information in the field of taxation (CRS = Common Reporting Standard). In relation to these requirements, your collected personal data will be processed for accounting and tax purposes in compliance with the reporting requirements to the competent authorities on the grounds of legal obligations. It is possible the preparation of the mandatory reports to the BNB regulator to be assigned to a third party- processor, with which the Bank concludes a written agreement in line with the requirements of the Regulation. In the agreement with such a third party, it is mandatorily provisioned that upon hiring of a subcontractor, which is located outside the EEA, the Bank shall be notified in advance and such reassignment shall be carried out only upon the explicit written consent of the Bank on a case-by-case basis, as well as after ensuring that the respective technical and organizational measures related to security and protection of the personal data processed for the specific purpose.

h. Exercising control in order to mitigate security incidents and operational risks in relation to the payment services provided by the Bank pursuant to the Payment Services and Payment Systems Act (PSPSA) – the Bank processes your personal data, including IP address, in order to undertake measures for prevention, disclosure and further application of the necessary measures and mechanisms to monitor and control cases of suspected incidents, suspected unauthorized payment transactions and/or fraudulent operations as per the Payment Services and Payment Systems Act (PSPSA).

i. Assessment/monitoring of your creditworthiness/solvency – in case you apply for a loan in your capacity as an individual borrower or are a representative/owner of/partner in a legal entity borrower, co-debtor/owner of loan collateral, the Bank is obliged to assess your creditworthiness and provide you with a loan that is consistent with your ability to fulfill your obligations under the loan agreement. In order for your creditworthiness assessment to be correct, the Bank will consult the NSSI, CCR, ESGRAON, NRA databases, including through the RegiX inter-registry exchange environment. In the course of fulfilling your credit obligation, the Bank should monitor regularly your ability to repay the debt /your solvency /. 

j. Facilitating the administrative service and facilitating the process of applying for a loan at the Bank by issuing reports on the presence or absence of obligations electronically - on the basis of Art. 87, para. 11 of the Tax-Insurance Procedure Code and in connection with reducing the administrative burden on customers, the Bank has the right to request and receive electronically from the National Revenue Agency (NRA), the Customs Agency and the municipalities information on the presence or absence of obligations of its borrowers/co-debtors , including representing owners of/partners in borrowers legal entities, co-debtors/owners of collateral for a loan, with the exception of obligations under acts that have not entered into force, as well as rescheduled, postponed or secured obligations. A report on the presence or absence of obligations from the National Revenue Agency can be obtained electronically and through the medium for inter-register exchange (RegiX). Competent authorities and other persons defined in the relevant law who have joined the medium for inter-register exchange request and receive the information through it.

6.2. Purposes for which the processing of your personal data is carried out on the basis of performance of a contract.

We process your personal data when this is necessary for taking steps to conclude a contract with you/the person you represent or for the execution of a contract already concluded with the Bank.

a. Drawing up contracts at your request - to enter into a contract with you, as a customer using any bank product (account, deposit, credit, bank card) or as a co-contractor under a service contract, the Bank must have your specific personal data (e.g. name, date of birth, PIN, ID card number) as well as your contact details. It is possible that the Bank would require additional information, depending on the type of the services that are subject of the contract.  

b. Drawing up mortgage contracts (legal or contractual mortgage) – to draw up a notary deed for a contractual mortgage securing your loan or a legal mortgage application, the bank must have both your personal data and the data of your mortgagees (such as names, PIN, ID card number, address). It is possible that the Bank would require additional information, depending on the necessity to draw up the document. 

c. Bank product/service simulation sale – in order to sign a contract suitable for the client and to provide services pertinent to the client's needs, the bank needs to have some specific personal information about the client. For this purpose, based on the specific personal data provided by you, the Bank simulates the sales of a certain product/service, in order to offer particular price and conditions for its purchase, after which the client/borrower would be able to make comparison and to select the most suitable offer (non-binding offer, serving to assess your personal ability to purchase certain products). 

d. Product/service usage – UBB processes the personal data of clients through its various channels with the purpose of ensuring the usage of the Bank products and services purchased by the clients (e.g. processes data for a payment transaction in order to carry out a money transfer ordered by you as a client). 

e. Enforcing the rights of the Bank under a loan agreement – UBB processes your personal data on the basis of the loan agreement signed with you in order to exercise its rights as a creditor and to collect its loan receivables. UBB processes the personal data of the co-debtors in order to make contact with them in exercising its rights as a creditor in the event that it cannot exercise such rights against the borrower. 

f. Sale of DZI insurance products and pension funds of UBB Pension Insurance company – for the cases in which the Bank acts in its capacity as a policy holder under a group policy, concluded between the Bank and DZI. In those cases the Bank, by reaching an individual agreement with a client (insured person), includes the latter to the Group policy. Together with the client, third insured persons, which the client wishes to insure, may be included to the policy. As a result the personal data needed to join the group policy, may be provided personally by the Data Subject or by third persons, which conclude the insurance for them. Upon indirect provision of third persons’ data, the Bank performs the respective impact assessment and risk assessment for the security of the processed personal data. By selling Universal, Professional and Supplementary voluntary Pension fund of UBB Pension insurance company UBB will process identification data and contact details of the pensioners. The activity for selling pension funds is legally regulated and personal data, which is processed by the Bank, is provided directly by the data subjects, who buy the products. 

6.3. Purpose for which the processing of personal data is carried out on the basis of consent received from you as a customer: 

a. The Bank, together with the other KBC Group companies in Bulgaria in their capacity as joint personal data controllers, shall process your personal data, including also receipt by the Bank of your personal data from the information databases of the Central Credit Register with the BNB (CCR) and of the National Social Security Institute (NSSI), in order to create an accurate customer profile of yours and offer you personalized banking, insurance, investment, pension products and services, tailored to your needs and requirements. 

Pursuant to Article 4, item 4 (Definitions) of the General Data Protection Regulation, “PROFILING" means any form of automated processing of personal data consisting of the use of personal data to evaluate and/or analyze certain personal aspects relating to a natural person, in particular aspects concerning that the data subject's health, personal preferences, reliability, behaviour, location, performance at work, economic situation. Profiling and processing of personal data for this purpose gives information about the needs and capabilities of the particular client. It may result in your inclusion in the promotion sales list of a specific product. In order for this specific analytical approach to be applied to you, your consent is necessary. 

In case you have given us your consent at a bank office or through UBB Mobile, UBB will process all your extended data for the above-mentioned purpose.  Detailed information on the extended personal data can be found on pages 4-5 of this document.

The consent, granted by you shall be valid till the date of its withdrawal, respectively by the date of changing your statement in relation to the processing of your personal data for direct marketing purposes. You may withdraw your consent at any time by submitting your refusal to have your personal data processed for the particular purpose at any UBB Branch or via UBB Mobile. 

b. The bank provides your personal data to the Bulgarian Export Insurance Agency (BAEZ) EAD, including to the sole owner of the capital of BAEZ EAD in the person of the Minister of Economy in your capacity as a legal representative/proxy/co-debtor/beneficial owner of the capital of a legal person - credit applicant - based on your express consent for the purpose of concluding a bank credit insurance contract and approval for the insurance coverage.

6.4. Purposes for which the processing of personal data is carried out on the basis of protection of legitimate/legal interests of the controller:

a. Building analytical models – UBB will build analytical models to support the development of its client services and to evaluate the services offered. The collected data of all clients or of a large group of clients are grouped under a specific attribute in order to build models/to find dependencies/ratios/algorithms without affecting the interests of the individual client and without taking action with respect to him (e.g. creating the credit rating of the client). For the creation of such models, UBB uses "pseudonymized" personal data, i.e. data that is masked in such a way that it cannot lead to the identification of a particular client without additional information being required.

b. Historical, statistical or scientific purposes - UBB has a legitimate interest in processing your personal data for the purposes of compiling statistical surveys and reports, conducting research and development, conducting historical reviews and forecasts for the development of economic, financial industry, etc. For these purposes, aggregated data derived from the records of specific personal data of the clients are used.

c. Sending messages for the products and services used – The Bank processes your personal data in order to send messages for the products and services used by you through calls, emails, sms, letters, etc. The messages pertain only to the products and services already used by you; they do not pursue marketing goals, nor do they contain new service offers.

d. Litigations – Establishment, exercise and defense of UBB's rights – UBB will process the data of its clients/ their heirs/ persons related to clients in order to protect its rights in court/litigation/arbitration procedures, when settling claims with the help of hired solicitors/lawyers, consultants etc. This pertains to situations where your personal data is processed in connection with the administration of information related to litigations, judicial warrants, petitions and court decisions.

e. Testing of new and changes in existing software applications, demo platforms and internal gateways for delivery of trainings – The Bank shall use your personal data in the process of work on the creation, testing or updating of software applications for work with operating systems/applications of the Bank with the aim to:

• testing the software code changes of applications in different testing/acceptance environments (e.g. perfecting the distribution channels or ensuring safer protection of the collected personal data).
• testing software applications in a protected environment. In this case it is possible the testing to be assigned to an external provider, with whom the Bank has concluded an agreement. The agreement explicitly governs the rights and obligations of the parties, including the respective technical and organizational measures for security and protection of the personal data processed for the specific purpose.
• incident resolving – replaying incidents
• demo platforms
• employee training.

f. Internal reporting, analysis and development of the offered products and services – UBB uses personal data of its clients in order to improve its market position by offering new or better services and innovative products and optimizing the internal banking processes. It is possible the preparation of reports, used for analysis of the Bank’s market positions, to be assigned to a third party – processor, with whom the Bank concludes a written agreement in line with the requirements of the Regulation. The agreement with such a party explicitly stipulates that upon hiring of a subcontractor, which is located outside the EEA, the Bank shall be notified in advance and such reassignment shall be carried out only upon the explicit consent of the Bank on a case-by-case basis, as well as after envisaging the respective technical and organizational measures related to security and protection of the personal data processed for the specific purpose.

g. Fraud prevention – UBB will process its clients’ personal data in order to protect itself against fraud or criminal actions on their part. UBB has the right not to service clients with a high risk profile, who expose its image to a risk.  Based on certain facts (e.g. a false ID card, certain client behavior) the Bank may assess the potential fraud risk. Certain indicators of the respective client profile, as well as any other information (like a stolen ID card, the choice of a country for e-banking) could serve as a basis for this assessment to indicate potential fraud. The measures for preventing and uncovering fraud are taken in the context of compliance with the internal security procedure rules, control, ensuring reliable protection of information, stored both physically and digitally, as well as in online banking (incl. computer “cyber” crime). For the purposes of prevention and investigation of fraud carried out during cash operations with means of payment at its own automatic teller machines (ATMs), UBB processes information on images from cameras on ATM devices.

h. Customer relationship management – UBB shall process your personal data with the aim to offer you an individualized approach, based on the provided information and the created customer profile. The personal data of customers, stored in different databases, could be grouped, based on a certain criterion and processed through the different channels (direct channels, contact centres, bank offices and branches) at the Bank, with the purpose of such grouping being to facilitate and improve those channels for access to information, as well as to deliver replies to complaints and grievances, submitted by customers.

i. Credit and insurance risk profiling – UBB will use your personal data for building credit and insurance risk profiles in order to mitigate the risk when offering credit/insurance products and services to clients.

j. Direct marketing and surveys on the satisfaction from the used products and services of the Bank - Offering products and services provided by the Bank, as well as participation in surveys on products and services offered, through any of the channels, including bank offices, the contact center, email, SMS, phone, online channels. The Bank will offer you products and services and will only include you in surveys if you are a customer and, therefore, you can reasonably expect that it will process your personal data in order to offer you new and better products and services, similar or related to the ones you use. For these cases, the Bank will only use your Basic Data under 4.1. A herein above.

k. Data transfer with companies within KBC Group in relation to activities, outsourced by UBB to another entity within the Group (outsourcing activity) – for the purposes of preparation of mandatory financial reports as per the Accountancy Act and the applicable national and European legislation.

l. Storage of data in the Bank’s archival systems – there is justified legitimate interest for UBB to store archival data in the Bank’s systems, which is decommissioned and used for reference purposes in the context of non-terminated relations with clients.

m. Assistance in establishing and preventing fraud in the credit process for SMEs and the Corporate and Retail segment – in order to prevent financial losses and retain its financial, operational and reputation image, UBB needs to ensure a secure and transparent credit process. Therefore, it is essential for the Bank to prevent any fraudulent activity whatsoever by establishing effective fraud risk management in the credit process. To ensure the above-mentioned interests, UBB processes a certain set of information, including personal data of clients (natural persons) and natural persons – partners / representatives in clients – legal entities, which data is collected and processes with the ultimate purpose to support the successful prevention and avoidance of abuse and fraud.

n. Risk assessment upon problem loans’ collection – UBB has legitimate interest to process personal data of clients / employees in the process of exercising control, management and collection of risk (problematic) exposures and related problem loans. The purpose of the activities pursuant to the requirements of the Bulgarian legislation is maximum collection of the Bank’s receivables within shortest terms possible, with the least possible expenses.

o. Calculation and preparation of a report on the stable bank-insurance customers of UBB AD and DZI AD, as well as of the stable customers, using banking products and pension funds of UBB AD and UBB PIC AD  – as part of the Group’s strategy for providing a unique customer experience, the companies, acting as joint personal data controllers join hands, while consolidating their efforts and information resources in order to analyze as to what part of their joint customers prefer to use a combination set of products of the Bank, the Insurer and/or the Pension Insurance Company. The purpose of this information is to focus efforts on offering comprehensive services and several products to cover different customer needs. To achieve this goal, a minimum set of data on the used products is used, and the final result of the analysis does not imply marketing messages and does not affect customer relationships. Companies shall provide and guarantee to data subjects whose information falls within the scope of processing for this purpose an unimpeded opportunity to exercise their rights as data subjects through any of them.

p. Participation in promotional campaigns, games and raffles organized by the Bank independently or in partnership with third parties (e.g. Visa, MasterCard, etc.) - UBB may process data about its customers on the occasion of their inclusion in a list of participants in games with awards. As a general rule, customers are included in similar initiatives upon fulfillment of the criteria laid down in the general terms and conditions (GTC) for the relevant promotional campaign, and the relevant GTC specify the order for submitting an objection against inclusion in the campaign and/or participation in the raffle for the selection of winners.

q. Integration between UBB AD and KBC Bank Bulgaria EAD - the merger of UBB AD with KBC Bank Bulgaria EAD is a lengthy process requiring serious preparation before the legal merger of the two banks and continuing after it. For the purposes of integration, the two companies can exchange information about their customers, counterparties, etc. with the aim of smooth, seamless, fast and quality service of the relations with the customers/partners of the two banks, including unification of the approach, products and services that the merged bank will offer. After the finalization of the legal merger and the expiration of the statutory term for separate management, UBB AD and KBC Bank Bulgaria EAD will merge into one bank. This will practically lead to the disappearance of KBC Bank Bulgaria EAD as an independent company and the transfer of all data of its clients/partners to UBB AD. UBB AD in its capacity as a universal legal successor of KBC Bank Bulgaria EAD will bear full responsibility and care for this information as an independent personal data controller. The processing of customer/counterparty data in connection with the integration activities aims to prevent duplicate service and conflicting processes and products offered in the two banks. The performance of this process in a way that is comfortable for customers and counterparties requires the exchange of data for the above-stated purpose, while taking due care and complying with all general requirements for the protection of personal data.

r. Creation, testing, maintenance and improvement of robotic solutions - to optimize and improve our service, product range and offered services, UBB may process data for the purposes of creating innovative robotic solutions.

***

The processing for these purposes is necessary for the protection of the legitimate interest of UBB as personal data controller, given that these interests are related to the bank's main operations as a bank. UBB has conducted tests to determine the balance between its legitimate interests in processing your personal data for each of the purposes described in Section 6.4., and your interests and fundamental rights and freedoms as data subjects, and it has concluded that its legitimate interests as data controller do not violate your interests, fundamental rights and freedoms.

The retention period of your data depends on the legal basis and purpose for its processing. 

Most often, this period is 10 (ten years) as of the end of the respective legal relationship with the Bank. 

The retention period may be longer when it is necessary for us to exercise our rights in accordance with the requirements of the law. Where there is no statutory time limit, this period may be shorter.

UBB uses your personal data as long as there is a clear purpose for processing of your data.

UBB AD most often stores your data for the following reasons:

• To be able to satisfy your requests for information;
• To be able to answer your questions and complaints; 
• In order to be able to prove the fulfillment of our commitments to you;
• In order to fulfill the legal obligations stipulated for the Bank regarding the storage of customer data and documents for the transactions and operations carried out, as well as the documents, related to establishing and maintaining commercial or professional relationships;
• To enable us to fulfill our legal obligations in relation to reporting and capital adequacy;
• To fulfill our legitimate interests, e.g. to establish, present and defend legal claims; process for managing (non)credit fraud and using accounts in the Bank to carry out illegal activities.

After the expiration of the retention period, UBB does not process personal data, but aggregated information, without a direct connection with a specific data subject. When the purpose no longer exists, the Bank does not store personal data (i.e. it deletes or anonymizes your data).

The storage and processing of your data after the expiration of the above-mentioned period is permissible only when their deletion is prevented for legal, regulatory or technical reasons or for reasons related to the implementation of measures to prevent illegal behavior, to minimize the risk of credit fraud and to provide assistance to government bodies/institutions in this regard. This includes cases of court or other disputes arising related to the legal relationship between you and the Bank, a change in the legal requirements regarding the storage of a specific type of information and other objective reasons that require a delay in the deletion of the data.

Personal data of potential customers are processed by UBB for a period of two years, unless in the meantime they have become customers. Potential customers can always request that their data be deleted in case the Bank has no purpose and legal ground for this processing. 

It is possible for UBB to update this information on personal data processing, the latest version of which can be found at www.ubb.bg.

UBB will notify you of any significant changes to this information on its website or through another communication channel.