Byblos Bank Armenia CJSC considers data protection to be a matter of utmost importance and processes personal data only in compliance with the relevant data protection regulations, in particular the Law and General Data Protection Regulation. The Bank shall not process or transfer personal data without data subject’s consent, unless provided by law.

Definitions and abbreviation

Bank - Byblos Bank Armenia CJSC

GDPR - General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)

Law - Law of the Republic of Armenia on Protection of Personal Data

Personal Data - Any information concerning an individual that allows or may allow the direct or indirect identification of that person, particularly by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Data Subject - Any living individual who is the subject of personal data held/processed by the Bank.

Processing - Any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Types and Sources of Data Processed by the Bank

The Bank, its affiliates and service providers may collect and process personal data which mainly includes, but is not limited to:

• Personal information, such as full name, address, phone numbers, email address, marital and family status, employment status and position.
• IP address
• Identification data, such as ID/ passport number, specimen of signature, date and place of birth, gender.
• Tax information: such as country of residence, tax identity number.
• Financial/ transactional data, such as payment orders, transfer orders, credit data, credit/debit cards

Children’s data: the Bank understands and respects the privacy of children, namely individuals under the age of 18. Bank may collect and process the personal data of children only upon parents’ or legal guardian’s consent or unless otherwise permitted under legislation.

Personal Data is collected mainly through:

• Establishing business relations with the data subject per internal legal acts of the Bank
• Bank’s mobile application, internet banking, website
• Whenever the data subject reaches out to the Bank for a service through its branch, call center or sends an email
• Authorized organizations or publicly available resources.

Purposes and Legal Basis for Processing Personal Data

• To abide by any regulatory requirements (e.g. Anti-Money Laundering legislation)
• To safeguard the legitimate interests pursued by the Bank or by a third party (e.g. initiating or responding to a legal claim)
• To proceed with contractual agreements by offering primary banking products and services such as account openings, letter of credit/ letter of guarantee, and credit applications.
• To be able to take the necessary steps so as to enter into a contract with prospective customers
• For internal statistics and reporting purposes
• To safeguard the legitimate interests pursued by the Bank or by a third party (e.g. initiating or responding to a legal claim; setting up CCTV systems) and to protect Bank’s rights, privacy, safety or property, and/or that of its affiliates.
• On the basis of the data subjects consent to processing their personal data for one or more specific purposes.

Duration of Personal Data Retention

• Personal data is processed and retained in the Bank’s databases as long as the data subject is benefitting from Bank’s contractual services. It may be retained even longer, after the business relationship is terminated, for regulatory or legal purposes, for up to ten (10) years.
• The Bank may keep personal data for longer than 10 years if it cannot be deleted for legal, regulatory or technical reasons.
• For prospective customer personal data, the Bank shall keep personal data for 12 months from the date of notification of the rejection of your application for banking services and/or facilities or from the date of withdrawal of such application.

Recipients of Data Subject’s Personal Data

• Data subject’s personal data is shared within Byblos Bank Group and may be transferred to any of Bank’s affiliates (list of affiliates is available on request) in order to process customer’s transactions and fulfill Bank’s contractual obligations, where it is treated with high confidentiality and security. The Bank shall limit access to personal data to those who have a legitimate business reason to have access.
• Other data recipients may include third party service providers following data subject’s contractual consent including, any payment system under which the Bank issues its customer’s card, credit card companies (such as MasterCard, Visa), Bank’s insurance partners.
• Supervisory and other regulatory and public authorities, courts, institutions (such as the Central Bank of Armenia, criminal prosecution authorities, etc.) in as much as a statutory obligation exists.
• Professional service providers, external advisors and consultants. In order to properly safeguard data subject’s personal data, protections such as data protection clauses in the agreement with the third party must be put in place to maintain the confidentiality and security of the personal data
• The Bank shall have the right to disclose, or transfer personal data to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of its business, assets or stocks (including in connection with any bankruptcy or similar proceedings), provided that such processing is permitted under the relevant applicable laws.

Data Subject's Rights Over Their Personal Data

The data subject shall have the right to

• withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• make subject access requests regarding the nature of information held and to whom it has been disclosed;
• prevent processing likely to cause damage or distress;
• prevent processing for purposes of direct marketing;
• be informed about the mechanics of automated decision-making process that will significantly affect them;
• not to have significant decisions, that will affect them, taken solely by automated process;
• act to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data;
• have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller;
• object to any automated profiling that is occurring without consent.
• apply to the authorized body for the protection of personal data in case of doubts with regard to the rectification, blocking or destruction of personal data by the Bank,
• appeal actions or inaction of the Bank before an authorized state body for the protection of personal data or through judicial procedure where the data subject considers that the processing of their personal data is carried out in violation of legislation

Failure to provide Personal Data

Where the provision of personal data is a statutory or contractual requirement and the data subject fails to provide such data when requested, the Bank may not be able to enter into a contract with them or continue the business/contractual relationship with or execute an order.

Personal Data transfers to third countries

Personal data will only be transferred to third countries:

• where it is necessary to do so in order to execute data subject’s orders (e.g. for credit transfers to correspondent banks),
• where the Bank is legally obliged to do so (e.g. reporting obligations under Tax Law, such as the FATCA )
• where data subject has given their consent to do so.

Third country processors are under the obligation to comply with the same personal data protection standards and safeguards as the Bank does, on the basis of either an adequacy decision issued by the European Commission pursuant to Article 45 of the GDPR, or contractual clauses between the Bank and them or other appropriate safeguards pursuant to Article 46 of the GDPR.

Automated decision making

The Bank shall have the right to make a decision based on an automated processing, including profiling if the decision is necessary for entering into, or performance of a, contract between the data subject and the Bank or is based on the data subject’s explicit consent. The data subject shall have the right to contest the aforementioned decision and request human intervention.

Changes to Privacy Policy

The Bank shall have the right to modify the present policy from time to time in accordance with any changes in the applicable legal framework. Any amendment to this policy shall enter into effect upon publication on the Bank’s website.