Personal Data Protection Policy of JSC “Isbank Georgia”
Preamble
JSC Isbank Georgia, while processing personal data, respects fundamental human rights and freedoms, including the rights to privacy of personal and family life, personal space and communication. For the Bank, as a financial institution, protection of personal data in accordance with the applicable legislation and international standards is one of the main priorities.
The purpose of the Personal Data Protection Policy of JSC “Isbank Georgia” is to provide information to the interested parties on the general rules and principles of personal data processing by the Bank in the course of its activity, including providing the data subjects with information on their rights and mechanisms of realization of these rights.
Who are we?
JSC "Isbank Georgia" (hereinafter - the Bank/We) is a commercial bank licensed in accordance with the legislation of Georgia. The Bank offers a wide range of banking products and services to corporate as well as small and medium business customers.
Identification code: 404496611
Address: 72a Ilia Chavchavadze Av., 10th Floor, Vake Plaza Business Center, 0179 Tbilisi, Georgia
Contact information: +995 322 44 22 44
Website: www.isbank.ge
Scope and purpose
This Personal Data Protection Policy applies to the Bank's processing of personal data (hereinafter - data) about individuals, including the processing of data through persons responsible for co-processing and persons authorized to process. The mentioned processes may apply to the Bank's clients (as well as potential and former clients) and persons using the Bank's various services, their representatives, persons related to them, persons interested in the Bank's services, job seekers, service providers and any other natural person who is in any way connected with the Bank or whose data processing is necessary in the course of the Bank's activities, as well as those who communicate with the Bank through various channels, including when visiting the central office or a branch, or remotely - through a hotline, website, social networks, etc.
Definition of terms
The terms used in this Document have the following meanings:
Personal data - any information related to an identified or identifiable natural person. A natural person is identifiable when he/she may be identified directly or indirectly, including by name, surname, identification number, geolocation data, identifiable electronic communication data, physical, physiological, mental, psychological, genetic, economic, cultural or social features.
Data processing - any action performed in relation to data, including their collection, retrieval, access to them, their photographing, video monitoring and/or audio monitoring, organization, grouping, interconnection, storage, modification, restoration, retrieval, use, blocking, deletion or destruction, as well as disclosure of data by transmission, disclosure, distribution or otherwise making available.
Data blocking - temporary suspension of data processing (except storage).
Data subject - any natural person whose data is being processed.
Person responsible for co-processing - a natural person, legal entity or public institution, which together with the Bank determines the purposes and means of data processing.
Person authorized to process - a natural person, legal entity or public institution that processes data for the Bank or on its behalf (except for the Bank's employee).
Video monitoring - visual image data processing using installed/placed technical means, in particular, video monitoring and/or video recording.
Other terms used in this Document have the meaning defined by the Law of Georgia on "Personal Data Protection" and the legislation of Georgia.
Principles of data processing
The Bank processes personal data:
- Legally, fairly and transparently;
- Only for specific, clearly defined and legitimate purposes;
- Only to the extent necessary to achieve the relevant legitimate purpose, proportionate and adequate to the purposes for which it is processed;
- Following the principle of accuracy;
- During the period necessary for the purposes of data processing;
- Following the principles of privacy and security protection.
What data do we process?
The Bank processes various types of data within the scope of its activities, mainly:
Identification and contact information of a person (for example, first name, last name, personal number, signature, date of birth, identity/citizenship document data, contact details, including email address and phone number, address/place of residence, information about contact persons, gender, photograph);
Socio-demographic information (for example, employment/profession, employer information, citizenship information, salary/income information, marital status and family member information);
Special categories of data (for example, information about state of health, information on criminal records, administrative detention, putting a person under restraint, plea bargains, abatement, recognition as a victim of crime or as a person affected);
Financial information (for example, Bank account information, credit/debit card information, financial activity history, income(s) information and related history, property information, as well as credit history, solvency, loans and other banking products information and arrears);
Information related to the transaction (for example, Bank account number; income/expenditure to/from the accounts; payments/transfers to/from the accounts; when and where the mentioned transactions, deposits, withdrawals were made);
Visual data (video recordings);
Know Your Customer (KYC) information (information processed as part of customer due diligence for the purposes of fraud prevention, risk-based risk assessment, and the fight against money laundering, terrorist financing, and tax fraud);
Contractual information (for example, information about the Bank's products and services you use);
Documentary information (information stored about you in various documents or their copies, for example, your passport, driving license, birth certificate, vehicle license, extracts, etc.);
Data created by the Bank (for example, data created as a result of the analysis of client data; data about the client's behavior, preferences, risk rating, etc.).
Where do we collect data from?
The Bank collects data mainly from the following sources:
- From the data subject himself/herself - when applying/inquiring about the Bank's service/product; when visiting a Bank branch; when communicating remotely with the Bank (by telephone, e-mail, social network, website); when concluding/filling out relevant agreements/application forms; when using banking services; when carrying out banking transactions; when submitting a complaint/application to the Bank and in other cases when the data subject provides information to the Bank in various forms;
- From public sources and third parties (in case of appropriate need and legal basis), including public, entrepreneurial, debtor and other state registers, credit information bureau, state bodies (LEPL - National Agency of Public Registry, LEPL - State Services Development Agency, LEPL - National Bureau of Enforcement, judicial bodies), business information directories, legal entities and natural persons (for example, from a Bank client about his/her family members, guarantors, contact persons), etc.
- From international payment system operators, payment service providers and correspondents, anti-money laundering organizations/services, international money transfer operators, and various service providers (including real estate/movable property appraisers, auditing, legal, tax and insurance service providers).
As a rule, the processing of data by the Bank within the framework of banking activities is necessary to comply with the requirements of the legislation or to comply with the terms of the contract between the Bank and the client or to conclude a contract. In the event that the person refuses to provide the data, the Bank may be deprived of the opportunity to conclude or perform the contract that the data subject has applied for.
For what purpose do we process data?
The Bank may process data for various purposes:
- For the purpose of identification and verification of a person;
- For the purpose of providing banking services/products;
- For the purpose of managing credit risks and analyzing the solvency of a person;
- For the purpose of compliance with regulations and legal obligations, including the fulfillment of the duties imposed on the Bank as an accountable person;
- For the purpose of preventing and detecting crime, including fraud, terrorist financing and money laundering;
- For the purpose of monitoring the full and proper fulfillment of the Bank's obligations under the agreement and/or the client's fulfillment of the obligations under the agreement;
- For the purpose of protecting the Bank's legal rights and legitimate interests, including the recovery of the loan amount, litigation;
- For the purpose of sending and delivering relevant correspondence/notices to the client;
- For marketing purposes, which means the periodic offering of various products and services by the Bank, development of marketing activities;
- For analytics and reporting, including, in cases established by law, for the purpose of making data available to the regulator/supervisory authority and the audit company;
- To protect the property and safety of the Bank and other persons;
- To ensure data security;
- To improve digital products and services;
- For other legitimate purposes that are compatible with the original purpose of data processing.
Legal basis for data processing
The Bank processes data on the following legal grounds provided for by the Law of Georgia on Personal Data Protection:
- With the consent of the data subject;
- If data processing is necessary to fulfill an obligation assumed by a transaction concluded between the Bank and the data subject, or to conclude a transaction at the request of the data subject;
- If data processing is provided for by law;
- If data processing is necessary to fulfill obligations imposed on the Bank by legislation/regulations;
- If, according to the law, the data is publicly available, or if the data subject has made the data publicly available;
- If data processing is necessary to protect the important interests of the Bank or a third party and there is no overriding interest in protecting the rights of the data subject;
- If data processing is necessary to protect a significant public interest;
- If data processing is necessary to consider the application/provide services to the data subject.
Special categories of data are processed on the following grounds:
- With the written consent of the data subject;
- If the processing of special categories of data is directly and specifically regulated by law;
- If the processing of special categories of data is necessary due to the nature of employment obligations and relationships, including for making employment decisions or assessing the employee's work skills.
In individual cases, special categories of data may be processed in other cases expressly provided for by law.
In cases where the data is processed by the Bank to protect the important legitimate interests of the Bank or a third party, such interest may be to:
- Effectively fulfill legal and contractual obligations;
- Prevent, detect, and prosecute fraud and potential fraud, money laundering, terrorist financing, unauthorized access and/or misuse of Bank services and other crimes;
- Ensure the authenticity and accuracy of records maintained by the Bank;
- Effectively manage banking operations, operational and other types of risks;
- Protect the Bank's clients, employees and assets;
- Maintain proof of transactions and other relevant evidence;
- Protect business interests;
- Ensure network security and proper functioning of electronic channels;
- Develop banking products and services, grow business, define customer categories and implement relevant marketing activities and improve service.
Withdrawal of consent
The data subject may, at any time and without giving any explanation or justification, submit a request to the Bank to withdraw his/her consent to the processing of his/her data. In the event of withdrawal of consent, the processing of the data will be stopped and/or the processed data will be deleted/destroyed only if such consent is the sole basis for the processing of the data. Withdrawal of consent may result in restrictions on the use of some of the Bank's services.
Third parties receiving data
In the course of its activities, the Bank transfers data to third parties if there is the consent of the data subject, if this is provided for by law, if it is necessary to provide the relevant service and/or to protect the legitimate interests of the Bank. Such third parties may be:
- JSC Credit Information Bureau Creditinfo Georgia (I.C.: 204470740);
- Bodies specified by law, including supervisory, controlling and/or state and local self-government bodies, for example, the National Bank of Georgia and the Financial Monitoring Service. If the data subject is a US citizen and/or a US taxpayer resident, or there are other circumstances, the Bank is obliged to transfer data to the relevant state payment authority(ies) in order to comply with the Foreign Account Tax Compliance Act (FATCA) and the Intergovernmental Agreement (IGA) between the US and Georgia;
- The Bank's founding company - JSC "Isbank Turkey" (I.C.: 4810058590, registry number: 431112), its external audit and regulatory authorities;
- Parties to the transaction;
- Insurance companies;
- Service providers, including the Bank's external auditors, legal, audit, tax consultants, advisors, courier and/or research organizations, IT service and electronic systems/program providers (for example, cloud infrastructure services), and/or other service providers;
- Financial organizations (for example, correspondent banks, intermediary banks, international payment system operators Visa, Mastercard, money transfer operators);
- Specialized companies that detect, investigate and prevent fraud and other types of crime and misconduct.
Personal data may also be shared if the Bank's structure changes in the future, for example, if the Bank decides to sell or dispose of its assets, or to carry out a merger or reorganization in another manner provided for by law.
Data is shared by the Bank with third parties only to the extent necessary to fulfill the relevant legal obligation/transaction.
Procedure for implementing video monitoring
In order to prevent and detect crime, ensure public safety; ensure the safety (including health and property safety) of the Bank's clients, visitors, third parties and employees and protect property; protect confidential information; perform tasks related to the Bank's other legitimate interests (including incident management, protection of consumer rights, process monitoring, risk management), the Bank conducts video monitoring using technical means located/installed in the buildings and structures of the head office and branch(es). In this regard, appropriate warning signs are displayed in the spaces subject to monitoring.
Processing of data about the job seeker (applicant)
The CV and/or other application documentation sent by the job seeker to the Bank may contain personal data, including special categories of data, which may be processed by the Bank for the purpose of making a decision on employment. The basis for the processing of data by the Bank is the candidate's consent (expressed through a response to a vacancy), as well as the consideration of the application for the purpose of establishing an employment relationship and the establishment of a contractual relationship. This is a necessary condition for considering a candidate for a vacant position at the Bank.
The information submitted by the candidate may be stored for a period of up to 2 years (including for consideration for another relevant position), except where there may be a legal obligation to store the information for a longer period.
Data retention periods
The Bank stores data only for the period necessary to achieve the purposes for which it was collected/processed, including for the purposes of satisfying legal, regulatory, tax, accounting or reporting requirements.
Each information asset has a data retention period, which is determined both by legal obligations and by the relevant needs of the Bank. Based on legal and regulatory requirements, data is generally stored for the entire period of service and, in addition, for 15 (fifteen) years from the moment the person terminates the business relationship with the Bank. In individual cases, data may be stored for a longer or shorter period if this is established by law, is necessary to satisfy the Bank's legal requirements, or the Bank has determined an appropriate period for the relevant information asset (for example, a video recording).
International data transfer
The Bank may transfer data to a country and/or international organization that, according to the legislation of Georgia, has adopted appropriate guarantees for data protection and protection of the rights of the data subject. In addition, the Bank may carry out international data transfer in cases and in accordance with the procedure provided for by the legislation, for example:
- If the transfer of data is provided for by an international treaty and agreement of Georgia;
- If the transfer of data is provided for by a normative act adopted on the basis of the Organic Law of Georgia “On the National Bank of Georgia” or the Law of Georgia on “Facilitating the Suppression of Money Laundering and Terrorism Financing”;
- If the data subject consents to the transfer of data after being informed about the absence of appropriate guarantees for data in the relevant country/international organization and possible threats;
- If the transfer of data is necessary for reasons of important public interest (including the prevention, investigation, detection and prosecution of crimes, the execution of sentences and the implementation of operational-search measures).
In addition, the Bank may transfer and store data outside Georgia, provided that appropriate guarantees of data protection are provided by an agreement concluded between the Bank and the data recipient. In accordance with the procedure established by law, the Bank has obtained the relevant permits from the Personal Data Protection Service: for the purpose of carrying out banking transactions, to JSC “Fineksus Bilisim Cozumleri Ticaret A.S.” (I.C.: 479661) in the Republic of Turkey, and for the purpose of providing infrastructure services related to information technologies when providing banking services - to JSC “Isbank Turkey” (I.C.: 4810058590, registry number 431112).
In the event of data transfer, the Bank takes the necessary organizational and technical measures for the secure transfer of data.
Data subject rights
The data subject may exercise the rights guaranteed by the legislation of Georgia regarding the protection of personal data processed by the Bank.
In accordance with the request of the data subject, the Bank shall ensure:
- Familiarization with the processing of data concerning him/her: which data are being processed; the purpose of data processing; the legal basis for data processing; the source(s) of data collection; the period of data storage/criteria for determining the period; the rights of the data subject; the transfer of data to another state or international organization and the relevant grounds; the category of data recipient(s) and the grounds and purpose of data transfer; automated data processing and its expected results (if any).
- Familiarization with the data stored in the Bank about him/her and reception of this data free of charge, except for data for which a fee is provided for by the legislation of Georgia.
- To have data corrected, updated, supplemented, blocked, deleted, destroyed or to have processing terminated if they are incorrect, inaccurate, incomplete, not up-to-date or if their collection and processing were carried out in violation of the law.
- The right to data portability – to have the data transmitted to the data subject or to another controller in a structured, commonly used and machine-readable format, where technically feasible.
- The right to have the processing of the data stopped and/or the data destroyed, if they are processed solely on the basis of the data subject’s consent and there is no other legitimate basis for the processing.
Before responding to such a request, the Bank may require the data subject to be identified by various means.
In accordance with the legislation, the rights of the data subject may be restricted to the appropriate extent if their implementation poses a threat to any of the following, among others:
- State security, information security and cybersecurity and/or defense interests;
- Public safety interests;
- Crime prevention, crime investigation, criminal prosecution, administration of justice, operational-searching activities;
- Important financial or economic (including monetary, budgetary and tax), public health and social security interests of the country;
- Detection of a violation of professional, including regulated profession, ethical norms by the data subject and imposition of liability on him/her;
- Rights and freedoms of the data subject or others;
- Protection of state, commercial, professional and other secrets provided for by law;
- Substantiation of a legal request or response.
On issues related to personal data, the Bank has provided access to the Personal Data Protection Officer at e-mail: dpo@isBank.ge.
The Bank's Personal Data Protection Officer is: LTD Privacy Logic Group
I.C.: 405222619
https://www.privacy.ge
The legality of the Bank's data processing may also be challenged before the Personal Data Protection Service and/or in court.
Policy Updates
This Document is subject to update as necessary.