Privacy policy - TBC Bank

Who we are?

JSC TBC Bank holds a commercial banking license in compliance with Georgian legislation, serving as a data processor as outlined in this policy.

TBC Bank's identification code is 204854595.

Its legal address is situated at K. Marjanishvili St. No. 7, Chugureti District, Tbilisi, Georgia.

You can find out more about us here.

We, TBC Bank do affirm the following:

We are committed to safeguarding the confidentiality of your information;
Your data will not be processed in an unlawful manner;
Upon your request, we will furnish you with comprehensive and thorough details regarding the processing of your personal data.

Purpose of the Document

Our primary objective is to acquaint you with the procedures involved in the processing and utilization of your personal information by TBC Bank JSC (the Bank). The notification delineates the guiding principles we adhere to during the processing of your personal data and highlights the legal safeguards in place for your protection.

It encompasses the information that the Bank acquires as part of its customer relationship with you, and this data is also utilized for direct marketing purposes, adhering to the regulations of Georgia and GDPR/UK GDPR as applicable.

How is your protection ensured by the law?

Your rights are safeguarded under the laws of Georgia and the General Data Protection Regulation (GDPR/UK GDPR). You are entitled to receive information regarding the processing of your personal data, as stipulated by law, within the determined timeframe therein.

We will only process your personal data if:

You have explicitly given consent for the processing of data for one or more specific purposes;
Processing is essential to fulfill an obligation arising from a transaction concluded between us or to engage in a transaction at your request;
Processing is mandated by law;
Processing is necessary to fulfill obligations imposed on us by law/regulation;
As per legislation your information is accessible to the public or if you have voluntarily made it publicly accessible;
Processing of data is essential for safeguarding significant public interests;
Processing of data is imperative for reviewing your application (to render services), and/or
Processing of data is grounded on other legal basis.

We handle the personal data of minors in compliance with Georgian legislation, considering the best interests of such minors.

The table below outlines the objectives of processing your personal data for each particular scenario, referencing the applicable legal grounds:

TYPE OF PERSONAL INFORMATION	WHAT DO WE USE YOUR PERSONAL INFORMATION FOR	OUR LEGITIMATE INTERESTS:	LEGAL BASIS
Contact information, socio-demographic, transaction-related, behavioral data, technological, communication, location-related data	To manage our relationship with you	Updating information, identifying products and services tailored to your interests, and delivering pertinent information to you; Developing new products and services; Establishing a client focus group to introduce innovative products and services; Efficiently fulfilling our legal obligations.	Your consent; Implementation of contractual obligations; Our lawful Interests; Our legal responsibilities.
	To meet your requests, explore novel ways of collaboration, and advance the development of our business.
	To plan and execute marketing activities.
	To study how customers use our products and services.
	To conduct various surveys for the purpose of product and service improvement/development.
	To receive the advice or recommendations related to our products and services.
	For the developent and management of our brands, products, and services.
Financial data, contact information, transaction-related information, contractual, communication data, location-related data, documentary records, open data and public records; Special categories of data (including biometrics).	To provide products and services.	To adequately fulfill our legal responsibilities and contractual commitments; Ensuring adherence to pertinent regulations on our part.	Your consent; Implementation of contractual obligations; Our lawful Interests; Our legal responsibilities.
	To handle and oversee customer payments.
	To administer fees and additional interest charges on customer accounts.
	For the management and provision of financial and treasury products and services.
Financial data, contact information, socio-demographic details, transaction-related information, contractual, location-related data, open data and public records, social relations-related data, documentary records, communication data; Special categories of data (including biometrics).	To identify, investigate, report, and prevent financial crimes.	Enhancing and refining measures against financial crime, along with meeting other legal requirements.	Our lawful Interests; Our legal responsibilities.
	For the management of risks associated with us and our clients.
	To comply with relevant laws and regulations for us.
	To respond to complaints and to find the ways for their resolution.
Financial data, contact information, socio-demographic details, transaction-related information, contractual, location-related data, open data and public records, social relations-related data, documentary records, communication data; Special categories of data (including biometrics).	To conduct our business effectively and efficiently, including managing our financial position, business opportunities, planning, communications, corporate governance and auditing.	Ensuring adherence to regulations applicable to us; To efficiently fulfill our legal and contractual obligations.	Our lawful Interests; Our legal responsibilities.
Financial data, contact information, socio-demographic details, transaction-related information, contractual, location-related data, open data and public records, social relations-related data, documentary records, communication data; Special categories of data (including biometrics).	Exercising rights and fulfilling obligations under the agreement	Implementation of contractual obligations.	Implementation of contractual obligations; Our lawful Interests; Our legal responsibilities.

Personal Data Groups

We process different types of personal information, which we group as follows:

Personal data types	Description
Financial	Details regarding your financial status, encompassing completed transactions, credit history, creditworthiness, your financial products, payment arrears and information concerning your employment and income.
Contact information	Actual and legal address, telephone number, email and/or other contact information.
Socio-demographic	Details regarding your employment or profession, along with information about your citizenship, education, and social status.
Transaction related	Information related to accounts, bank account number, information about operations carried out on accounts.
Contractual	Information about your products and provided services.
Locational	Data regarding your location collected by the bank when you utilize electronic devices.
Behavioural	Details about how you use our products or services.
Technological	Details about the technology or devices you utilize while using our products or services.
Open Data and Public Records	Infromation about you collected from public sources, which may include data from public voter lists, along with other legally accessible information on the internet.
Communications	Infromation about you acquired by the bank, gathered from both physical documents and through communication channels such as emails and telephone.
Social Relations	Details regarding your family members (marital status) and individuals for emergency contact.
Documentary	Information about you reflected in various documents and their copies. Such documents include passport, identity document, birth certificate, driver's license and other documents that identify you.
Special categories of data (including biometrics)	Genetic and biometric data (including voice biometrics and behavioral characteristics); Health-related data; Details about convictions, administrative detentions, application of preventive measures, entering into plea agreements, diversion, acknowledgment as a crime victim, or recognition as a victim.

Security of your data in digital channels

Within the scope of service provision, the Bank is empowered to observe your actions while utilizing its digital platforms, which encompass mobile and internet banking. The objective of this observation is to study and analyze consumer behavior.

When utilizing the Bank's electronic platforms, including TBC Mobile and Internet Bank, your device ID, model, brand, name, OS version, and TBC application version may be accessible to programs such as Google Analytics, Xtremepush.com, WVO Facebook Pixel, and Firebase.

While using the Mobile Bank, the Bank is authorized to process information about the phone numbers stored in your mobile device and selected by you, aiming to enhance the service. Moreover, these numbers will be used only with your consent and solely for predetermined purposes.

How do we collect your personal data?

We collect your personal information from the following sources:

When you become our customer and engage with our products or services;
Upon registration for our online services;
During telephone conversations or visits to the branch;
Through the use of our digital channels;
When you submit documentation to us or send letters via mail or email;
When utilizing open banking services;
Through transactions with third parties, where we obtain personal data from them;
From publicly available sources.

Cookies

On our website, we track user behavior through "cookies" to facilitate the user's experience and enhance the quality of website functionality.

"Cookies" are small files stored on the user's computer, tablet, or mobile device during site visits. They persist on the device and are sent to the website when the same address is accessed again.

To find out more about how we use "Cookies", please see our cookies policy which is published on our website.

Your rights

You have the right to receive information about the collection and processing of your personal data, obliging us to provide comprehensive details upon your request.

You can request access to your data as well as the transfer of their copies.

In accordance with the law, you also possess the right to request blocking, modification, correction, update, completion, addition, transfer, termination of data processing, erasure, or destruction of your data if they are incomplete, inaccurate, outdated, or if their collection and processing were conducted unlawfully.

It is important to note that we operate in compliance with the legislation of Georgia. Consequently, there may be limitations on the deletion of personal data. These limitations may arise from anti-money laundering, tax, commercial banking, consumer protection laws, and/or other legal acts.

Information Obtained from Third Parties

In accordance with the law and within the legally defined boundaries, we retain the right to request and receive your personal data from third parties. This includes credit information bureaus (comprising both positive and negative information stored in their electronic databases) and electronic data from the State Services Development Agency's database and other administrative bodies.

Who do we share your data with?

Personal information about you may be disclosed as mandated by law or to entities involved in delivering the product or service you have chosen. For instance:

If you possess our company's debit, credit, and/or other card types, we may furnish comprehensive transaction information to entities assisting us in offering these services (such as international and/or local payment systems, correspondent/intermediary banks).
If you apply for insurance through us, we might share your personal or business data with your chosen insurance company and the relevant reinsurer.

Your information may also be shared with member companies of the Bank Group for the purpose of providing services, creating and developing products, and offering.

In the event that we use the services of third parties or other providers as part of our core business, we may need to share your personal data with them to perform specific tasks. Services that we may receive from third parties requiring us to share your data may include, but are not limited to, the following areas:

Designing, developing and maintaining internet-based tools and applications;
IT service providers who may provide application or infrastructure (such as cloud) services;
Legal, auditing or other special services provided by lawyers, notaries, trustees, company auditors or other professional advisors;
Identifying, investigating or preventing fraud or other misconduct by specialised companies;
Carrying out banking/financial arrangements (such as trustees, investors and the advisers).

If you use credit products, throughout the entire credit relationship, we are obligated to share your personal data, including payment information, details of closed and overdue loans, with credit information bureaus to fulfill legal obligations. Subsequently, the credit bureau discloses this information to other entities as per applicable legislation.

Your personal data may also be shared if there are any structural changes within the Bank in the future. For instance, if the Bank decides to fully or partially divest its assets or undergo a reorganization.

Under the outlined circumstances, data will only be transferred to third parties if all legal requirements are met, and these third parties commit to proper data processing and confidentiality.

In the event that you decline to share data with third parties in accordance with the applicable legislation, the provision of services to you may be interrupted.

International Transfer

If your personal data is transferred internationally, it will be executed in adherence to the regulations set forth by the applicable legislation. Nevertheless, during such transfers, we will exert every effort to ensure that data is transferred securely and with complete confidentiality, fully complying with this Privacy Policy.

If you are living in EU/EEA and fall under the definition of a data subject according to the General Data Protection Regulation (GDPR), and if the data is shared outside the European Union and the European Economic Area, the data may be shared under various circumstances, including:

The country receiving the information ensures adequate protection guarantees in line with the legislation of Georgia and/or the decision of the European Commission.
In cases where legislation does not stipulate appropriate safeguards, and/or there is no relevant decision by the European Commission, we may transfer personal data to a third country or international organization only if we implement suitable measures as per the applicable legislation and/or GDPR. Furthermore, information about these measures can be obtained through the communication channels specified in this policy.

If the applicable legislation lacks appropriate provisions, and/or there is no decision by the European Commission or relevant guarantees, or there are no approved and applicable Binding Corporate Rules of European Commission, the transfer of personal data to a third country or international organization is carried out only in the following cases:

With the explicit consent of the data subject after providing detailed information about the risks associated with data transfer;
If the transfer is essential for the performance of an existing contract between the data subject and the data processor or for the implementation of preliminary contractual measures at the request of the data subject;
If the transfer is necessary for the conclusion or performance of a contract in alignment with the interests of the data subject;
If the transfer is necessary due to significant public interest;
If the transfer is necessary to comply with legal requirements or for protective purposes;
If the transfer is necessary to protect the vital interests of the data subject or other individuals, and the data subject is unable to provide consent.

Automated Decision-Making Process (Profiling)

Data collected in accordance with the law may undergo processing in an automated decision-making process (profiling). The processing of your data through automated means may be based on your consent, the fulfillment of obligations imposed on us by law, and/or the agreement between us.

You possess the right not to be subjected to a decision solely made by automated means, including profiling, that leads to legal or other significant consequences for you, except when the profiling decision:

Relies on your explicit consent;
Is necessary for the conclusion of a contract between us or the fulfillment of an existing contract;
Is mandated by the law or a subordinate regulatory act issued based on the law.

Processing of Personal Data for Direct Marketing Purposes

We process your personal data for marketing purposes, deeming it necessary to provide you with information about products and offers tailored to your preferences.

We process your data to comprehend your preferences and interests, aiming to offer content that aligns with your needs.

Your personal data for direct marketing purposes is processed with your explicit consent.

You retain the right to contact us at any time and request the termination of data processing for direct marketing purposes. We commit to fulfilling your request within 7 (seven) business days upon receiving such a request.

However, it is important to note that you will continue to receive mandatory notices concerning products and services already available to you, including notifications of any changes to such products and/or services.

Retention Period of Your Personal Data

We process and retain your data for the duration mandated by law and to fulfill our obligations.

Withdrawal of Consent

You have the option to submit a request to withdraw your consent for the processing of personal data, including direct marketing, to the Bank at any time. Consent can only be revoked if the basis for processing your data is your consent.

In the event of withdrawing consent, there is a possibility of service interruption, and we may be unable to provide you with an optimal service.

If you choose to withdraw your consent for data processing, kindly reach out to us through one of the communication methods specified in this policy.

Privacy Policy Changes

This document undergoes periodic updates by the Bank.

Modifications to the document will be implemented by publishing them on the Bank's website, and it is advisable to regularly review these changes. Personal notification of alterations will only be provided if required by applicable law.

How to Contact Us

If you wish to exercise your rights as granted by legislation and this document, you can visit any branch of the Bank, reach out to us via Internet and/or Mobile Banking, or correspond with us via the email address provided below.

For matters concerning personal data, you may also get in touch with the Personal Data Protection Officer - Ani Getiashvili, using the following channels: privacycommittee@tbcbank.com.ge. When reaching out to the Data Protection Officer, please include your contact information.

You can also engage with our consultant through the online chat.

Feel free to contact us at any time, any day of the week, and any part of the day, using the following phone number: + (995 32) 227 27 27.

You can personally visit any of our branches during regular business hours.

If you are in the EEA and have questions about your personal data or would like to request to access, update, or delete it, you may contact our representative at:

Bird & Bird GDPR Representative Services SRL

Avenue Louise 235, 1050 Bruxelles, Belgium

EUrepresentative.TBCBank@twobirds.com

Main contact person: Vincent Rezuk-Hamachi Bird & Bird GDPR Representative Services UK United Kingdom, London, EC4A 1JP, 12 New Feather Lane UKrepresentative.TBCBank@twobirds.com