Confidentiality Policy

JSC "Pasha Bank Georgia" (I/N 404433671, commercial bank licensed in accordance with the legislation of Georgia (hereinafter referred to as “we” or the “Bank”), as a data controller, is intended to inform you about how we process your personal data (hereinafter referred to as the “Data”), the purposes, grounds, your rights, and mechanisms for their protection.

We would like to inform you that we take great responsibility for the proper processing of your data. The Bank fully adheres to the principles provided by the Law of Georgia on Personal Data Protection and your data is processed lawfully, fairly, transparently and without prejudice to your dignity.

 

1. Basis for personal data processing;

We only process your data in the following cases: when reviewing your application /delivering a service to you, when we have your consent, when the data processing is necessary to conclude an agreement with you and to fulfill the obligation assumed by the agreement or when the data processing is provided for by law, including but not limited to in accordance with the Law on Personal Data Protection and Banking Regulations.

 

2. Purposes for the processing of personal data

We process your data for the following purposes: to carry out banking services (including for the purpose of providing remote services), to improve and develop our services and products, to identify products and services of interest to you and to provide relevant information to you, it is possible to process them for the purpose of offering new and/or additional banking products (direct marketing), as well as for the purpose of changing the terms within the existing banking product, to analyze your solvency and/or to monitor your ongoing obligations; to effectively perform our lawful duties and/or contractual obligations to ensure compliance with the law, including the disclosure and/or prevention of fraud, money laundering or other crimes, to ensure the security of you and banking services and products, as well as to perform other legitimate duties established by law, including and but not limited to proceedings, etc.

 

3. What data processing means and what category of data is processed at the bank

Data processing means any action taken with respect to data using automatic, semi-automatic or non-automatic means, including collecting, obtaining, accessing, photographing, video and/or audio monitoring , organizing, grouping, interconnecting, storing, modifying, recovering, requesting, using, blocking, deleting or destroying data, as well as disclosing data by transmitting, publicizing, distributing or otherwise making it available;

In accordance with the basis and goals mentioned in the same policy, the following types of data about you are processed in the Bank:

data required for identification/verification:

  • first name, last name, personal number and/or unique parameters of the electronic ID card, photo, place of birth, date of birth, tax residency, etc.;

contact and communication Data:

  • your postal address, phone number, email address or mobile number and residential address, etc.;

financial/transaction data:

  • economic data, including credit history, immovable and movable items in your ownership and/or possession, information about your income and their origin, information about your employer and employer's terms, creditworthiness, delays, information about your completed transactions, payments/transfers made from your accounts; when and where these transactions were made, etc.;

Related to demographics and social relations:

  • about your family, status, education, profession, contacts, and more

documentary and contractual information:

  • information presented in various documents and agreements about you, e.g., passport, ID, birth certificate, driver's license, information provided in contracts for the use of the Bank's products and services, etc

Related to technology, behavior, location:

  • information about your devices that you use when using our products in the Bank's electronic channels (including web browser, bank website, internet bank, mobile bank, bank mobile applications, payment machines, data transmission and other technical methods)
  • data obtained from observing your activity in these channels about how and how often you use our services.
  • data about your location that we can obtain while using the Bank's electronic channels.

Public information:

  • information about you placed legally in public sources.

special category data (biometric data):

  • The Bank processes your biometric data (facial features, photo-video images) during your identification/verification of remote services and only for this purpose. However, only with your written consent.

 

4. Information obtained through the Bank's website and using mobile banking

During your visit to the Bank's website, the system automatically records details related to your visit, which include your IP address, information about the website from which you directly visited the Bank's website, the type of device and Internet browser used during your visit, as well as information about the duration of your visit, etc. In addition, the Bank collects all your personal data (first name, last name, personal number, contact information, etc.), which you submit to us for the purpose of receiving the service and/or subscribing to the news - by filling in the registration forms on the website.

Your information is collected through the website using technologies such as ready-made records (cookies) or tags. The technology of Cookies or tags helps the Bank to manage and improve the efficiency of the website. Before using the website, make sure that the Cookies policy on your device is set so that you have not selected a type of Cookies that you do not allow the bank to use. You may also refuse to use these technologies at any time, but in this case, you may not be able to use the website in its entirety.

When using mobile and internet banking, your device ID, model, brand, name, OS version, bank application version will be available for applications like Google Analytics and Firebase.

If you agree, when using Mobile Banking to improve service and facilitate transfers, the Bank will have the right to process information about the phone numbers in your mobile device.

 

5. Personal Data Security

To protect data security, the bank has implemented all major technical or software tools required by local laws and regulations, and is constantly re-evaluating and improving them.

The Bank's information/technical resource shall, in accordance with applicable law, ensure the protection of information against accidental or unlawful destruction, alteration, disclosure, acquisition, unlawful use in any other form and accidental or unlawful loss.

 

6. Information about your rights

You have the right to request confirmation of whether the data about you is being processed, whether the data processing is justified, and to receive the following information free of charge within the time limits prescribed by law in accordance with the request:

  • to receive information - to receive information about the data that is being processed, as well as about the basis and purpose of data processing, as well as about the source of data collection /obtaining;
  • the right to receive copies - you have the right to see the personal data about you and receive copies of this data free of charge;
  • correction/update/complete - a request to correct, update and/or complete erroneous, inaccurate and/or incomplete data about you.
  • termination/deletion/destruction - require the termination, deletion, or destruction of data processing (including profiling) about you.
  • blocking - You have the right to request blocking of data if any of the following circumstances exist:
    • you dispute the authenticity or accuracy of the data;
    • data processing is illegal;
    • the data is no longer necessary to achieve the purpose of their processing, however, the Bank needs them to submit a complaint /claim;
    • you have requested that the data processing be terminated, deleted or destroyed and this request is pending;
    • there is a need to store the data for use as evidence.
  • data transfer You have the right to transfer data, which means to receive or request the transfer of data in a structured, commonly used and machine-readable format to someone else responsible for data processing.
  •  
  • opt-out of an automated decision You have the right not to be subjected to an automated decision, including a profiling-based decision, except for the cases when the profiling-based decision is:
    • based on the explicit consent of the data subject;
    • necessary to conclude a contract between the data subject and the person responsible for the processing or to execute the contract;
    • provided for by a by-law issued within the scope of the authority delegated by law or by-law.
  • Refusal of consent - You have the right to withdraw your consent at any time, without any explanation or justification, if there is no other basis for data processing in the Bank (for example, and not limited to, if data storage is necessary to fulfill the obligations assumed by the transaction with the Bank or to conclude a transaction or data processing is required for the Bank to fulfill its obligations under the legislation of Georgia).
  • Appeal - in case of violation of your rights, you have the right to apply to the Personal Data Protection Service, the court and/or the superior administrative body as prescribed by law.

In the case of the Bank's legitimate and statutory grounds, your request for certain actions may be legally denied, e.g., if your data needs to be stored to fulfill obligations imposed on the Bank, it is not possible to terminate/delete/destroy the data. Also, for example, you may be denied a data block if, in the event of a data block, the Bank is unable to fulfill its obligations under the law and/or bylaws. Also, as an example, in case of withdrawal of consent, the request to delete/destroy your data cannot be satisfied as data storage may be necessary to fulfill the obligations assumed by the transaction with the Bank or to conclude the transaction, or data processing may be necessary for the Bank to fulfill the obligations imposed by the legislation of Georgia. However, in all cases within the statutory timeframe, you must receive a written justified refusal to comply with the request.

 

7. Remote Identification (Distance on-Boarding) and Special Category (Biometrics) Data Processing

In order to receive the banking product remotely, in accordance with the rules established by applicable law and only with your consent, you must undergo an identification and verification procedure within which, using technical support, the Bank will obtain and process your personal data, including special categories of data - your biometrics (photo-video images). During your remote identification/verification, the Bank uses Identomat Ltd (ID 85-1497497) and the technical application developed by it, which reads personal information from your identification document in order to compare it with the information stored in the LEPL Service Development Agency, and compares your data with the photo attached to the submitted identification document. If you successfully go through the identification/verification process and the bank is sure that it's you who really wants to use the banking services, you will be able to get any remote services. It should also be borne in mind that Identomat Ltd's system does not create a template for your image or biometric data, nor does it store it. In the process of remote identification/verification, Identomat Ltd uses web services, the servers of which are located in the territory of the European Union and in countries which have adequate guarantees of personal data protection.

 

8. Exporting data outside the country/sharing information with the Bank's founding companies

In order to perform and process the card transactions, the Bank will process your personal data (in particular, first name, last name, personal number, date of birth, telephone number) and relevant information about the transactions you have performed (including bank accounts, account balances, etc.). Transfers them to the processing center in a foreign country to the OJSC "Kapital Bank" (I/C 9900003611), in addition, the relevant authorization about this transfer is obtained from the Personal Data Protection Service in accordance with the procedure established by law.

Since the founding companies of our bank are the companies registered in Azerbaijan, in particular: 1) OJSC Pasha Bank (I/C 1700767721) and 2) Pasha Holding Ltd (I/C 1401007871) , in cases allowed by the law, where the law of personal data protection will be fully respected, the personal data, in relevant size and volume (including but not limited to the general analysis/statistics/assessments obtained as a result of the processing of depersonalized/ pseudonymized/personal data processing and, only if necessary, information containing personal data) can be shared with the above-mentioned (founding) companies in order to provide appropriate supervision, monitoring and inspection.

In addition, we would like to inform you that Azerbaijan is not included in the Personal Data Protection Service's list of countries where adequate data protection guarantees are provided. Consequently, we ask you to take this fact into account in those processes where your consent is the basis for the transfer of your personal data to Azerbaijan.

 

9. Automated decisions

Based on your data, it is possible for the Bank to implement a process where automated decisions can be made, which will help the Bank to provide fast, fair, tailored, insured against human errors, efficient and quality banking services. If there are no grounds (legislative, contractual, consent) you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal, financial, or other significant effect on you.

Example of automated decision we make (ground- the requirements established by law):

  • Your personal data helps us identify risks related to money laundering, terrorist financing and economic sanctions evasion. In case of identifying a risk, we reserve the right to act within the limits provided by the law, including temporarily suspending transactions or refusing to provide the relevant services.

 

10. Video surveillance and audio recording

In order to protect your safety, as well as your property and confidential information, and to monitor compliance with the requirements imposed by our laws, we videotape the progress of work both at the outer perimeter and in the interior of the Bank, including the work process and the provision of services to you. Video recording in the Bank is carried out in full compliance with the requirements established by the Law of Georgia on Personal Data Protection, including, but not limited to, the relevant warning signs are placed on the perimeter to protect your request for information, the video recording is processed only for the purpose of achieving a specific goal, with strict restriction of access to video recordings and with control of retention periods.

Audio recording is carried out during the telephone communication with the Bank in order to monitor the fulfillment of the obligations established by the legislation for the Bank and to protect your rights. You will be informed about the audio recording in the appropriate form before the commencement of each telephone communication. In addition, audio recording fully complies with the requirements set forth by the Law of Georgia on Personal Data Protection, including, but not limited to, processing audio recordings only for a specific purpose, with strict limitation of access to audio recordings and control of retention periods.

 

11. Processing data for direct marketing purposes

Only in case of your consent, the data provided by you at the bank or received during the use of our product at the bank can be processed for the purpose of sending offers tailored to you.

In addition, we inform you that if you consent to receive offers for direct marketing purposes, you will be able to contact us at any time to stop processing your data for the purposes of receiving marketing offers through the channels referred to in Article 15.

Your request will be fulfilled no later than 7 business days after receipt of such notice.

 

12. From whom we obtain and with whom we share personal data

In order for you to receive the Service in a complete, proper and uninterrupted manner, we obtain personal data about you from you, from personal data lawfully posted in public sources, we exchange and receive relevant data to the extent based on your stated consent:

  • with Electronic database of LEPL Public Service Development Agency for your identification/verification purposes
  • with "Credit Information Bureau" - for the purpose of providing and getting credit information.
  • with the Revenue Service to check your solvency.

Your personal data, without your additional consent, may be shared in cases established by law, including but not limited to for the purposes of conducting audits with relevant agencies, legal companies, notaries, interpreters, external auditors, for the purpose of supervising by the National Bank of Georgia, LEPL Finance Monitoring Service, tax authorities, LEPL Service Agency of the Ministry of Internal Affairs of Georgia, LEPL National Agency of Public Registry and other similar agencies.

In addition, we would like to inform you that in each case the transmission will respect the amount of data to be transmitted and its relevance/proportionality to the purpose of the processing.

In addition to the cases already mentioned in the Policy for the purpose of offering you high quality services, uninterrupted and flexible use of our products, your personal data (including the possible transfer in a depersonalized and/or pseudonymized way) may be shared with the following third parties (including, but not limited to) only in relevant scope and volume. We would like to inform you that the confidentiality of the transferred information will be protected by the Agreement or the data transfer will be carried out in accordance with other data processing grounds provided for by the Law of Georgia on Personal Data Protection:

  • with companies providing postal/courier services;
  • with companies providing archiving services;
  • payment service providers for the purpose of receiving services in payment machines;
  • If you receive insurance services with our help with the insurance companies for the purpose of insurance;
  • by transferring relevant volumes of information to the research organizations - for the purposes of the study, in appropriate size and volume.
  • international and local payment service operators, such as, inter alia: International Payment System Operator Visa Inc; International Payment System Operator Mastercard Incorporated and other banking services;
  • with companies interested in acquiring/syndicating the Bank's claims arising from the Agreement and/or other related agreements and/or assignment of the Borrower's liabilities.
  • for the purpose of making utility payments during our services, including but not limited to:- JSC "Telasi";- Georgian Water and Power Ltd, etc.
  • IT service providers in the Bank who can provide application or infrastructure services in the bank;
  • if the Bank decides to sell, dispose of or transfer assets to companies for management in order to exercise this right.

 

13. How long your personal data is stored in the bank

We store your personal data for the entire period of use of our services, as well as for a period of 5 to 15 years after the end of the service, including but not limited to, in accordance with the Law of Georgia on facilitating the prevention of money laundering and the financing of terrorism and the Law of Georgia on the Activities of Commercial Banks. Your data can be stored for more than 15 years if there is a legitimate and/or legal basis.

The basis for keeping your personal data in the bank is:

  • for the fulfilment of the obligations imposed by the legislation on the Bank;
  • to fulfill the obligation assumed by the transaction concluded with us;
  • to prove compliance of the Bank's actions with the legislation;
  • to protect your rights, to effectively review your complaints/claims;
  • for the purposes of possible litigation/trial and the need to retain evidence.

 

14. personal data protection recommendations

When disclosing your personal data, it is necessary to follow all the proper rules in order not to disclose your personal information, therefore, the Bank recommends:

to enter your personal data only on the official website of the Bank - https://rebank.ge/ and www.pashabank.ge and/or on the page of the Internet Bank www.rebanking.ge / www.pashaonline.ge - , in addition, make sure that you are accessing the website through a secure network (you do not use a public network) and that the address of the Bank's website is preceded by the entry - “https://”; do not disclose your personal data/confidential information to third parties; do not store your personal information in devices that are not protected by an appropriate password and that can easily be accessed by third parties; for banking services, use only your personal devices, in addition, do not make the system remember your username and password; use only your personal information as your contact information (use only your personal phone number, e-mail, etc., through which your additional verification will be possible); when conducting remote/online banking operations, make sure that you are using a secure search engine (browser) and that your device is equipped with all the necessary security software (antivirus, etc.);

 

15. Protection of your rights and contacting us

Please contact us immediately if you think your rights are being violated or if you have any questions and/or require advice about the processing of your personal data.

To achieve this, you can visit the Bank's head office as well as a branch of the Bank, contact us via the Internet and/or mobile banking, contact us by telephone hotline or write to the e-mail address below:

JSC "Pasha Bank Georgia" (Identification number - 404433671)

Legal/actual address of the Head Office: Tbilisi, Ilia Chavchavadze Ave. N37m, e-mail: [email protected] / [email protected] Website: https://www.pashabank.ge/en / https://rebank.ge/en Phone number: Tel: (+995 322) 265 000 / (+995 32) 222 25 25 | *2525

 

Bank Branch: Saarbruecken SquareTbilisi, 0102, Georgia

Phone number: Tel: (+995 322) 265 000 Customer Service Hours: Monday – Friday: 10:00 - 18:00

In addition, in connection with the processing of personal data, you can directly contact the Personal Data Protection Officer at the following e-mail address: Personal Data Protection Officer - [email protected]