1.    Purpose of the Data Protection Policy

This policy explains how we process your Personal Data, the measures we take to ensure its security, and your privacy rights.

Additional details regarding data processing may be specified in separate contracts, service-related documents, or on our website(s). If you have any questions about this policy, please contact our privacy team at DPO@lb.ge.

 

2.    Who are we

JSC Liberty Bank (referred to as “BANK,” “we,” “us,” or “our” in this Policy) is a commercial bank licensed under Georgian legislation and acts as the Data Controller, responsible for processing your Personal Data.

Identification number: 203828304;
Legal address: Ilia Chavchavadze ave. №74, Tbilisi, Georgia, 0162
Contact information: +995 32 2 55 55 00; info@lb.ge

 

 

3.    Scope and amendment of the Data Protection Policy

This Data Protection Policy applies to all individuals and entities associated with the Bank, including prospective, current, and past customers, natural persons, legal entities, non-juridical entities, state or self-government bodies, public law entities, job applicants, merchants, agents, payment system providers, service providers, or anyone else (collectively referred to as "you" or "Data Subject") connected to any of the Bank’s products or services. This includes interactions through various Bank channels, such as email, website, mobile application, or social media accounts (e.g., Facebook, LinkedIn, Instagram).

Please note, this Policy may be updated periodically. We recommend reviewing it regularly. The most recent version of the Policy is available at: www.libertybank.ge.

 

 

4.    Scope of Data Processing

During the course of your relationship with the Bank and even after its termination, the Bank is entitled to process information about you, including your Personal Data, in accordance with the purposes outlined in this Policy.

Data processing by the Bank encompasses all actions performed on your data, whether using automated, semi-automated, or manual methods. Specifically, Data Processing includes the collection of data from you and/or third parties as outlined in Annex #1 of this Policy, as well as accessing, recording, photographing, video recording, audio recording, organizing, linking, storing, altering, restoring, revoking, using, or disclosing data (including sharing information with third parties listed in Annex #1). This also includes actions such as transferring, disseminating, grouping, combining, blocking, erasing, or destroying the data.

 

5.    What Data do we process

The Bank uses different types of personal information, which we can group into the following categories. These include, but may not be limited to, the Data indicated below.
Note: Depending on the nature of your relationship with the Bank and the context and purpose of Data Processing, we may process all or only some of the Data specified in the relevant category(ies).

  • Identification – your name, surname, ID number, Date of birth, signature specimen.
  • Contact – your address of registration and/or factual residency, email address, mobile and landline phone number(s), contact person(s) information.
  • Financial – for example, your credit history, credit capacity, liabilities, payment schedule, arrears, payment arrears, penalties, administrative fines, your income, Data regarding your family members or other third parties who are financially dependent on you, property value and other assets, information related to insured products, financial products and services you have or had with us.
  • Transactional - such as payment (Bank, e-wallet) account number, payment account statement, balance, deposits, withdrawals, transfers, other information related to your accounts and transactions.
  • Technical - information on the device you use in our services and other technical details e.g. IP address, operating system, log records, etc.
  • Locational - refers to the Data we get about where you are. For example, the information collected from your mobile device's location-aware features when you request certain services that are dependent on your physical location.
  • Audio-visual - such as recordings of phone calls to/from our remote service centers and/or Bank’s internal phone numbers, Video and Audio monitoring footage, visual images.
  • Usage related - information on how you use our website(s), mobile app(s), products and services, including your feedback and survey responses.
  • Marketing - includes your preferences in receiving marketing from us and third parties and your communication preferences including information related to whether you have exercised Direct Marketing opt in/ opt out mechanisms.
  • Socio-Demographic - details regarding your citizenship, education, profession, work, family, etc., as well as language, gender, age, social status.
  • Interaction - any information you communicate with us whether face-to-face, by filling in physical forms, by phone, mail, and through other channels (including social media accounts Facebook, Instagram, LinkedIn, etc.).
  • Registries and Open Data - refers to the information registered in different databases, as well as Data about you that is in public records (such as the National Agency of Public Registry LEPL), and information about you that is openly available on the internet or otherwise.
  • Special categories of Personal Data – for instance, it may include information regarding your criminal record, health, biometric Data, such as facial image, etc. We will seek your explicit consent to collect such Personal Data unless the law permits us to process this type of Data without your consent.
  • "Know Your Customer" (KYC) - information processed as part of customer due diligence for the purpose of preventing fraudulent behavior, assessing risks with a risk-based approach, as well as combating money laundering, terrorist financing and tax fraud.
  • Contractual - details about the products or services we provide to you.
  • Documentary Data - details about you that are stored in documents in different formats, or copies of them, for example, your passport, driving licence, birth certificate, vehicle license, extracts, etc.

In addition, we may process any other type of Data related to the Data Subject which enables us to identify and/or characterize and/or group the Data Subject by his/her physical, economic, cultural or social qualities or by using transactional and other types of Data in accordance with this Policy.

 

6.    What we need from you

You are responsible for ensuring that the information you provide to us is accurate and up to date. If you believe that the information stored at the Bank is incomplete or inaccurate, you must promptly inform us.

Please note that when you provide information about third parties (such as beneficiaries, additional cardholders, co-borrowers, family members, contact persons, etc.), including but not limited to their personal data, financial solvency, and assets, you are responsible for obtaining their prior consent and/or permission to share and process their Data with the Bank in accordance with purposes and conditions outlined in our Data Protection Policy.

By submitting such third-party information to the Bank, you confirm that you have fully informed the relevant individuals and obtained their consent. Furthermore, these individuals are aware of the contents of the Data Protection Policy. The Bank will not be responsible for separately informing them or obtaining their consent.

 

7.    If You don’t provide Personal Data

Where we need to collect Personal Data by law, or under the terms of a contract we have with you or in order to enter into a contract with you, and you fail to provide that requested Data, we may be unable to perform the contract we have or are trying to enter into (for example, to provide you with products or services).

 

8.    How do We collect Your Personal Data

In this section, we outline the main sources from which we collect your Personal Data.

Data collected directly from you includes, but is not limited to, when you:

  • Apply for or inquire about products or services;
  • Complete relevant forms, including those on our website(s) and digital apps;
  • Interact with our staff through face-to-face meetings, telephone calls (which may be recorded), our website(s), post, email, online chat, social media or other communication channels;
  • Use our products and services or register for our online services;
  • Perform financial transactions or use Open Banking services;
  • Sign a contract;
  • Express preferences regarding Direct Marketing offers;
  • Participate in competitions, surveys, or similar activities;
  • Submit your Personal Data or that of third parties for any other reason.

Data collected from third party(ies) - As permitted by applicable legislation and, where necessary, with your consent, the Bank may obtain information about you from external sources, including but not limited to the following:

  • Credit information bureau - For example, when you apply for credit, we may check your credit data with the Credit Information Bureau, Creditinfo Georgia JSC (ID 204470740), to assess your solvency as a potential borrower, co-borrower, guarantor, or owner of security collateral. We also use the bureau's databases to facilitate the credit approval process during the term of your credit obligation and/or to monitor your existing obligations. For more information about the bureau, please visit https://ge.creditinfo.com/en/homepage/
  • Supervisory, controlling, and state or local authorities and legal entities – For example, we obtain information about you from the State Services Development Agency LEPL (for the purpose of your identification and verification, as well as to ensure Data update); from the Revenue Service LEPL (for the purpose of analyzing your solvency, for example when you apply for a loan product or service and/or request to receive information about products of interest from the Bank); from the Social Service Agency LEPL (for example, if you are a recipient of social benefits, your Personal Data as a beneficiary is provided by the Agency for the purpose of opening a personal bank account and depositing the funds transferred from the Agency), etc. Your Data may also be provided to the Bank within the framework of various government projects, for example, when providing financial assistance (subsidy), etc.
  • Third-Party Data Sharing - We may receive certain categories of your Personal Data from other third parties, depending on the nature and scope of your relationship with the Bank. These third parties may include your employer, principal, supervisor, colleagues, family members, or authorized representatives.
    • For example:
      • Employer: Your employer may provide your Personal Data for the purpose of including you in the payroll program.
      • Principal, Employee, Supervisor, Colleague, or Family Member: These individuals may share your information when designating you as their contact person, related individual, or authorized representative in relation to a credit application or other banking services.
      • Know Your Customer (KYC): In compliance with regulatory obligations, certain third parties may share your Personal Data with us for KYC (Know Your Customer) purposes, which include verifying your identity and assessing relevant risk.

In such instances, the third party is responsible for ensuring that you are informed about the submission of your Personal Data to the Bank and its subsequent processing. The third party must provide you with all the necessary information about the purpose and scope of the data sharing, in compliance with this Data Protection Policy and applicable data protection laws.

Data collected from other Data registries and publicly available sources - We may obtain your Data from public, business, debtors’ registry and other relevant registers and public sources.

Note: The categories of third parties providing and/or receiving Data are defined in Annex #1 of this Policy.

 

 

9.    What are the Purposes of processing Your Personal Data

Depending on the nature of the relationship with you and other specific circumstances, your Personal Data may be processed for different purposes and legal bases, including:

Purpose: Identification/Verification and Provision of Banking Services – This includes services such as opening accounts, transferring funds, and conducting cash and cashless transactions, both in-person and remotely. To achieve this, we may require your identification, contact, transactional, socio-demographic, location-related, registries and open data, biometric data, “Know Your Customer” (KYC), documentary, audio-visual, interaction, contractual, and/or other relevant Data.

Legal Basis: (a) your consent, for example, to the biometric identification to use the services remotely; to obtain your Data from relevant registries, etc.; (b) entering into or performing a contract; (c) reviewing your application (providing services to you); (d) our legal obligation; (e) our legitimate interest, including: being efficient about how we fulfil our legal and contractual obligations; to prevent, detect, prosecute fraud and potential fraud, money laundering, terrorist financing, unauthorized access and/or misuse of our services and other crimes; to ensure that the records kept about you are true and accurate; to effectively manage our operational risks.

Purpose: To prevent and detect crime – including fraud, terrorist financing, and money laundering. To achieve this, we may process your identification, contact, transactional, socio-demographic, technical, interactive, registries and open data, “Know Your Customer” (KYC), documentary, and any other information collected through AML preventive measures.

Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to prevent, detect, prosecute fraud and potential fraud, money laundering, terrorist financing, unauthorized access and/or misuse of our services and other crimes; to protect our customers, employees, and Bank assets; to ensure network security and proper functioning of electronic channels; to effectively manage our operational risks.

Purpose: Credit risk management - We process your Personal Data as part of your loan application and ongoing business relationship, which may involve financial, operational, compliance, and insurance risk assessments. To do this, we may require your identification, contact, financial, transactional, socio-demographic, interactive, registry, open data, contractual, documentary, and other relevant Data.

Legal Basis: (a) your consent, where necessary; (b) entering into or performing a contract; (c) reviewing your application (providing services to you); (d) our legal obligation; (e) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to provide you with the products and services you have requested; to protect our business interests; to effectively manage our operational and other risks.

Purpose: Product and service improvement - We analyze the information to identify ways to improve our services and products. To do this, we typically might need usage, marketing, and interaction Data.

Legal Basis: (a) our legitimate interest, including: to develop products/services and grow our business; to eliminate defects and improve the services.

Purpose: To inform our marketing strategy - We may use your Personal Data to offer information we believe may interest you, gather feedback on our products and services to improve our offerings, and consider your preferences for marketing communications. To achieve this, we typically need identification, contact, financial, usage, marketing, socio-demographic, and/or other interaction data, as necessary for these purposes.

Legal Basis: (a) your consent, where necessary; (b) our legitimate interest, including: to develop products/services and grow our business, to identify categories of users of our products and services and to carry out marketing activities accordingly; to ensure that you are informed about relevant Banking products.

Purpose: To protect our legitimate rights - We may process your Personal Data to protect our or third parties' legal rights, such as for investigating disputes (local or international), recovering debts, initiating legal actions, addressing complaints, claims, and requests, relinquishing a claim, selling a portfolio, or protecting intellectual property. Your data may also be processed in the event of restructuring, share sales, or acquisitions. To fulfill these purposes, we may require your identification, contact, financial, transactional, socio-demographic, technical, audio-visual, interaction, registries and open data, "Know Your Customer" (KYC), contractual, documentary, and other relevant Data.

Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to develop products/services; to grow our business; to ensure the investigation of complaints; to collect and recover money owed to us; to obtain evidence of transactions and other relevant evidence; to protect our business interests.

Purpose: Analytics and reporting - We process your Personal Data to make informed decisions about products and services and to fulfill our obligations as an accountable entity, including external reporting. To achieve this, we may need your identification, contact, transaction, socio-demographic, technical, interaction, "Know Your Customer" (KYC), documentary, and/or other relevant Data.

Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to develop products/services; to grow our business; to protect our customers, employees, and Bank assets; to effectively manage our operational risks; to obtain evidence of transactions and other relevant evidence.

Purpose: Property and Security Protection – We may process audio-visual, technical, and other relevant Data to prevent and detect crime, and to protect public and personal safety and property.

Legal Basis: (a) important public and our legitimate interest, including: to prevent, detect, prosecute crime, protect our customers, employees, and Bank assets, ensure network security and proper functioning of electronic channels; to effectively manage our operational risks.

Note: The Bank may process your Data for any other legitimate purpose as defined by legislation, provided the further purpose is compatible with the original one.

 

10.    Who We share Your Personal Data with

To fulfill its statutory duties, protect its legal interests, and provide you with proper service, the Bank may transfer your information to various third parties, including but not limited to the following categories:

  • Credit information bureau – As required by the legislation, the Bank may transfer your credit/non-credit and other relevant information to the Credit Information Bureau, Creditinfo Georgia JSC (ID 204470740). This information will be accessible to authorized users within the bureau, such as credit organizations and information recipients/suppliers, in accordance with the Legislation. The Data transferred may include, but is not limited to, your identification, financial and contractual information, details of your outstanding or fulfilled obligations, collateral and surety information, and other relevant Data.
  • Supervisory, Controlling, and State or Local Authorities and legal entities – As an accountable entity, the Bank is required to share your Personal Data with government authorities (e.g., the Financial Monitoring Service) for fraud and money laundering prevention. If you are a U.S. citizen or tax resident, or in other circumstances, the Bank may also need to share your Data with relevant authorities to comply with the Foreign Account Tax Compliance Act (FATCA) and the Intergovernmental Agreement (IGA) between the U.S. and Georgia. Additionally, sharing your Data may be necessary to address claims or complaints, such as with the National Bank of Georgia, the Personal Data Protection Service, or other authorized organizations.
  • International Payment System Operators – The Bank may share your Personal Data with international payment system operators (e.g., VISA Inc., MASTERCARD Inc.), domestic and international remittance operators, payment service providers, and their contractors, as necessary to provide banking and payment services to you.

The categories of third parties providing and/or receiving Data are defined in Annex #1 of this policy.

 

 

11.    International transfer of the Personal Data

In accordance with applicable legislation, including for fraud and money laundering prevention, the provision of banking services, or to protect the Bank's legitimate interests, your Personal Data may be transferred and stored outside of Georgia, including in the organizations operating in a country with no adequate safeguards for Personal Data protection as defined by the relevant normative act of the head of the personal data protection service of Georgia/its successor.

The potential risks of Data sharing in countries without adequate safeguards for Personal Data protection may be related, but not limited, to the absence of a local supervisory authority, and no (or only limited) individual Data protection and privacy rights. In some of these countries the privacy and Data protection laws and rules on when Data may be accessed may differ from those in Georgia. In such a case, the Bank ensures that an agreement on the Personal Data transfer is in place, which defines the obligations of the Data receiving party to ensure the protection of your Personal Data in accordance with the requirements stipulated by the Legislation.

 

12.    Cookies

We may use cookies and similar technologies which help us enhance your user experience while visiting our website. For more information about the cookies we use, please see the Cookies Policy here: https://libertybank.ge/en/samartlebrivi-inpormatsia/cookies-policy

You can block or restrict cookies set by any website – including our Bank website(s) – through the browser settings on each browser (Internet Explorer, Mozilla Firefox, Google Chrome, etc.) and device you use to access the Internet. In the same way, you can delete cookies already stored on your device. Find out more information on how to manage cookies in common browsers by visiting: www.allaboutcookies.org

 

13.    Direct Marketing

It is our intention to provide you with choices regarding the use of your Personal Data for Direct Marketing purposes.

Direct Marketing refers to the direct and immediate offering of banking products, credit services, promotions, and related information aimed at generating and maintaining interest in, selling, or supporting the Bank’s products or services. This communication occurs via phone (e.g., SMS, calls, voice messages), mail, email, and other electronic means as defined by legislation. It also includes communication through remote banking services (such as ATMs, digital banking, and app notifications) during the period specified by the Bank.

If you consent to Direct Marketing, the Bank may process information stored about you to offer customized products and communicate effectively. Typically, this includes your identification (e.g., first name, surname, date of birth), contact details (e.g., address, phone number, email), and financial Data (e.g., details of products and services you have or had with us).

Depending on the nature and character of our relationship with you, other categories of Personal Data stored about you may be processed to the extent and within the scope necessary for the purposes of Direct Marketing, in accordance with the present Data Protection Policy*.

The Bank is authorized to process your Personal Data for Direct Marketing both independently and through authorized Data Processors (e.g., mobile communication operators and other service providers), who are bound by confidentiality obligations.

Consent for Direct Marketing is voluntary and not required to use banking products. However, without your consent, the Bank will not be able to offer direct, tailored marketing, including offers for banking and credit products, services, promotions, and limits.

Please note that if you are an official representative, authorized spokesperson, or otherwise associated with a current or potential Bank client legal entity, the Bank may process your Personal Data in connection with that entity. This Data may be used to provide services to the entity, including for Direct Marketing purposes.

 

Opting out from Direct Marketing

Consent to Direct Marketing is valid indefinitely until you revoke it.

You can withdraw your consent at any time and stop receiving Direct Marketing notifications via email, mobile phone, or other electronic means. To do so, you can use the opt-out mechanism provided in the relevant communication (e.g., replying with “NOSMS” to the number in an SMS or unsubscribing from email messages), contact our service center via hotline at 0 322 55 55 00, or use our remote service channels such as Digital Bank (mobile or internet bank settings) and ATM (main menu).

Where technically possible, you can grant or withdraw consent through electronic channels separately*.

For clarity, Direct Marketing does not include receiving product, service, or related information (e.g., advertising banners, flyers, oral offers, etc.) when such information is provided directly by the Bank or its representatives at banking service points or through remote channels associated with the Bank (including ATMs, digital banking, etc.). In these cases, you are not entitled to request cessation of such communications.

Please note that if you request to stop receiving Direct Marketing offers, only advertising-related communications will be discontinued. The Bank will continue to contact you using the contact information we have on file for matters related to your relationship with the Bank. This includes, in accordance with legal requirements, notifying you about overdue credit, other debts, changes to service/product terms, deposit insurance, responding to your inquiries, and providing other relevant information.

 

 

14.     Automated individual decision-making

The Bank is entitled to process your Personal Data to make decisions solely by automated means, including on the basis of Profiling. We may use automated decision-making, for example, in the following cases:

  • Credit approval - when you apply for a credit product/loan, we process your financial, transactional and other relevant information in order to analyze your solvency, assess risks and, based on this, make an appropriate decision regarding the granting of a loan. This can be done on the basis of automatic scoring.
  • Product Offerings - We may process your financial, transactional, socio-demographic and other relevant data in order to identify and offer tailored products to you.
  • Fraud Detection – “Know Your Customer” (KYC) Data, along with your transactional and other relevant personal information, helps us identify signs of suspicious activity and detect potential fraud, allowing us to take appropriate actions, such as blocking the transaction.

If a decision related to you is made solely by automated means, resulting in legal or other significant consequences, you have the right to request human involvement in the decision-making process, unless the automated processing is based on your consent, necessary for the performance of a contract, or required by law.

 

 

15.    Video and audio monitoring

To prevent and detect crime, protect public and personal safety and property, safeguard confidential information, and carry out other tasks based on the Bank’s legitimate interests (such as incident management, customer rights protection, process monitoring, and risk management), the Bank conducts video and audio monitoring of its service areas, internal and external perimeters, including meeting rooms and workspaces, in compliance with Annex #2 of this Policy and the Law of Georgia on Personal Data Protection.

Additionally, monitoring and photo capture may occur at the Bank, its service centers, or facilities owned by partner organizations via ATMs or other relevant electronic means. Phone calls with the Bank or its representatives are recorded to improve service, address complaints, ensure compliance with the code of ethics, and protect the Bank’s legal interests, including creating legal evidence. This is done in accordance with Annex #3 of this Policy and the Law of Georgia on Personal Data Protection.

 

 

16.    Data Processing of the job applicants

Any Personal Data provided during your job application process, including but not limited to the information in your resume and attached documents (hereinafter "Applicant's Personal Data"), will be collected and processed for the purpose of reviewing your application and considering your admission into the selection process, in accordance with this Policy and Georgian legislation. Applicant's Personal Data will be retained for 3 (three) years, unless there is a legal basis for retaining it for a longer period. This period allows us to meet legal and regulatory obligations and support our legitimate interests, such as responding to complaints and defending our rights.

In addition to processing your data for the position you applied for, the Bank may also consider your candidacy for other positions. If you do not wish for your candidacy to be considered for other roles, please contact us using the details provided in this Data Protection Policy or on the Bank's website at www.libertybank.ge.

 

17.    Processing the Personal Data of minors

Minors under the age of 18 who wish to use our services must obtain consent from their legal representatives (parents or legal guardians) for the processing of their Personal Data, unless exceptions are provided by the legislation.

 

18.    Copyright

Any data related to you (including print, audio, and/or visual) published on the Bank’s website, digital banking platforms, mobile applications, or other electronic means shall be considered the Bank’s property. The Bank will hold the copyright over such data immediately upon publication, unless it is classified as your Personal Data.

 

19.     Data Security and Retention period

We have implemented appropriate technical and organizational measures to protect your Personal Data from unauthorized access, unlawful processing, disclosure, accidental loss, alteration, or destruction. Access to your Personal Data is restricted to employees, agents, contractors, and third parties with a legitimate business need to know. They will only process your Personal Data according to our instructions and are bound by confidentiality obligations.

If the Bank transfers your Personal Data to third parties, including entities in other countries, we ensure that an agreement is in place outlining the receiving party's obligations to protect your Personal Data in compliance with applicable legislation.

Your Personal Data will only be retained for as long as necessary to fulfill the purposes for which it was collected, including meeting legal, regulatory, tax, accounting, or reporting obligations. Typically, we retain your Data for up to 15 years after the termination of your relationship with us. This retention period allows us to comply with legal and regulatory requirements and to address any concerns that may arise. In certain cases, we may need to retain your Data for longer periods to meet legal or regulatory obligations or for legitimate purposes, such as responding to complaints, preventing fraud, or combating financial crime.

 

20.    Your Rights

As a data subject, you are entitled to the following rights under the Law of Georgia on "Personal Data Protection," which may only be restricted in cases provided for by applicable legislation:

  • Right to Receive Information on the Processing of Data and to Obtain a Copy – You have the right to be informed about the collection and processing of your Personal Data. Upon your request, we are required to provide details regarding the processing of your Personal Data, including: the types of Personal Data being collected and their sources, the purposes and legal grounds for processing, the retention period, and the recipients to whom your data has been or may be disclosed. This Data Protection Policy serves as an example of such information. Additionally, you have the right to obtain a copy of the Personal Data we process, in accordance with the applicable legislation.
  • Right to Rectification, Update, and Completion of Data – If the Personal Data processed by the Bank is incorrect, incomplete, or inaccurate, you have the right to request that the Bank rectify, update, or complete your Data. To do so, you may provide the necessary information to help us correct the inaccuracies or fill in any gaps.
  • Right to Termination of Processing, Erasure, or Destruction of Data – You have the right to request the termination of Data processing (including profiling), as well as the erasure or destruction of your Personal Data. However, please note that the Bank may not be able to fulfill your request immediately due to legal obligations under laws related to preventing money laundering, commercial banking activities, consumer rights protection, tax legislation, and other applicable Legislative acts.
  • Right to the Blocking of Data – You have the right to request the blocking (restriction) of your Personal Data processing under certain circumstances: when you dispute the accuracy of your Data and need time for us to verify it; when you request cessation, deletion, or suspension of processing but prefer the data to be restricted instead; when the Bank no longer requires your Data for processing purposes but you need it for filing a complaint or claim; or when the Data needs to be retained for use as evidence.
  • Right to the Transmission of Data – You have the right to request that we provide your Personal Data, which you have provided to us, in a structured, commonly used, and machine-readable format. You may also request that we transmit this Data to another Data Controller. However, the Bank may decline your request if it is technically impossible to transmit your Data in the requested manner.
  • Automated Individual Decision-Making and Related Rights – You have the legal right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects concerning you. However, this right does not apply if the decision is: (a) based on your explicit consent; (b) necessary for entering into or performing a contract between you and the Bank; or (c) provided for by law or a subordinate normative act issued within the powers delegated by law.
  • Right to Withdraw Consent – You have the right to withdraw your consent at any time, provided it does not conflict with the requirements of the legislation. Please note that the withdrawal of consent will not affect the legality of any processing carried out before the withdrawal, nor will it affect any legal consequences arising from the consent within its scope prior to its withdrawal.
  • Right to Appeal – You have the right to file a claim with the court or the Personal Data Protection Service if you believe that your Personal Data is being processed unlawfully by the Bank. For more information, you can visit the Personal Data Protection Service’s website at www.pdps.ge.

 

20.1.    How to Contact Us

For any issues related to Data Protection or to exercise your rights, you can directly contact our Data Protection Team at the email address: DPO@lb.ge. Please clearly state your identity, and if possible, send the request using your email address registered with the Bank. To confirm your identity and ensure your right to access your Personal Data (or exercise any of your other rights), we may need to request specific information from you. This is a security measure to ensure that Personal Data is only disclosed to the rightful individual. We may also contact you for further information to expedite our response.

 

20.2.    No Fee Is Usually Required

You will not be required to pay any fee for accessing your Personal Data or exercising any other legal rights, except in cases established by law (for example, if the fee is required under the legislation and/or established by the Bank due to the resources spent on issuing the data in a form other than the way it is stored, and/or for frequent requests). If a Data subject makes an unreasonable number of requests, the Bank is also entitled to refuse to comply with those requests.

 

20.3.    Time Limit to Respond

We will respond to all legitimate requests within the time period set by the Legislation.

 

21.    Obligations of Data Controllers, Data Processors and Joint Controllers

Pursuant to the terms of this Policy, and taking into account the context and purpose of Data Processing, while processing certain types of Data, the Bank and/or third parties specified in Annex #1 of the Policy may act as Data Processor(s) on behalf of the Data Controller(s), and/or the parties may act as Joint Controllers.

While processing Personal Data, depending on the nature of the processing, where one party acts as the Data Controller and the other as the Data Processor, the Data Processor shall:

  1. Process Data solely in accordance with the written instructions or guidelines of the Controller and only for the purposes specified in the applicable agreement;
  2. Ensure that all individuals involved in Data Processing are bound by confidentiality obligations;
  3. Ensure the security of Data in accordance with Data Protection Law, including, but not limited to, implementing appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, alteration, disclosure, or access, as well as from any other unlawful processing or misuse;
  4. Ensure that all operations related to electronic Data (including incident information, Data collection, alteration, access, disclosure (transfer), linking, and deletion) are fully logged, including log files. Additionally, the Data Processor must ensure the ability to identify the responsible person for each operation performed on electronic Data. For non-electronic Data, the Processor is required to ensure that all operations related to Data disclosure and/or alteration (including incident information) are also properly documented;
  5. Within the scope of its responsibilities, assist and support the Controller in conducting a Data Protection Impact Assessment (DPIA) when required by law and/or relevant regulatory acts;
  6. Not transfer Personal Data to any country or international organization outside the European Economic Area, or to any country not listed as having adequate safeguards for Personal Data protection by the Personal Data Protection Service (or its successor), without prior consent from the Controller;
  7. Provide the Controller with appropriate information to ensure compliance with the obligations set forth in the Law of Georgia on Personal Data Protection and to facilitate the monitoring of Data Processing activities by the Controller;
  8. Take appropriate technical and organizational measures to assist the Controller in promptly responding to requests from Supervisory and/or other authorized entities regarding Personal Data Processing, and to support the Controller in fulfilling obligations related to the exercise of Data subjects' rights (such as Data blocking, deletion, rectification, updating, etc.) within the timeframes specified by the Law of Georgia on Personal Data Protection;
  9. Not transfer the right to Data Processing to any other party/parties without the written permission of the Data Controller. In the event of the Controller’s written consent, the Processor is required to transfer the right to Data Processing to another party/parties only through a written agreement, which shall specify the obligations of each Data recipient (sub)contractor to implement all necessary technical and organizational measures to protect Personal Data from accidental or unlawful destruction, alteration, disclosure, access, or any other unlawful form of processing or misuse. As such, all obligations and responsibilities of the Data Processor, as outlined in the applicable agreement and in compliance with the Law of Georgia on Personal Data Protection, shall apply to these (sub)contractors;
  10. Notify the Controller in writing or electronic form of any unauthorized access to or other form of Data breach (incident) immediately, and no later than 24 (twenty-four) hours from its discovery;
  11. In the event of a dispute between the Controller and the Processor, the Processor is obliged to immediately cease Data Processing and, upon request, transfer all Data in its possession to the Data Controller;
  12. Upon the Data Controller’s request, or in the event of the termination of the applicable agreement for any reason, the Processor is obliged to cease Data Processing and, within 10 (ten) calendar days (or sooner, unless the data is of significant volume or requires additional time for collection/search), transfer the Personal Data to the Data Controller and securely delete or destroy all Data shared with the Processor, ensuring that no copies, whether electronic or physical, can be recovered, unless Data retention is required by the Legislation;
  13. For the avoidance of any doubt, the parties agree that the provisions specified in clauses "k" and "l" (items 11 and 12 of this list) do not apply to Personal Data processed by the Data Processor in its role as the Data Controller, in accordance with the applicable legal basis for Data Processing;
  14. The Data Processor is obligated to compensate the Controller for any damages, including any financial fines imposed (if any), resulting from the Data Processor's violation of the Personal Data Processing requirements established by this Policy and applicable legislation;
  15. Any provisions related to Personal Data Processing by the Data Processor that are not explicitly covered by this Policy shall be governed by the Law of Georgia on Personal Data Protection.

While processing Personal Data, and taking into account the nature of the processing, if the parties act as Joint Controllers, each of them shall:

  1. Take appropriate technical and organizational measures to safeguard Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, as well as any other unlawful form of processing or misuse of Personal Data;
  2. Restrict access to Personal Data solely to authorized employees who require access for the purposes of the relevant agreement and are bound by a duty of confidentiality, both during their employment and after its termination;
  3. Collaborate closely with the Joint Controller to ensure Data Processing complies with the law;
  4. Process Personal Data within the scope of mutual collaboration, ensuring compliance with the relevant agreement and law;
  5. Within the scope of its competence, assist and support the Joint Controller in conducting a Data Protection Impact Assessment (DPIA) where required by law and/or relevant regulations;
  6. Notify the Joint Controller in writing/electronically in case of unauthorized access or any other type of Data breach (incident), immediately or no later than 24 (twenty-four) hours after its discovery. Such notification shall include information on the circumstances, type, and time of the incident; the possible categories and volume of Data that have been disclosed, damaged, deleted, destroyed, obtained, lost, or altered in an unauthorized manner as a result of the incident; the potential categories and number of Data subjects exposed to a threat as a result of the incident; the measures taken or planned by the Joint Controller to mitigate or eliminate any possible damage caused by the incident; and whether, and within what timeframe, the Joint Controller intends to notify the Data subject(s) about the incident;
  7. Immediately inform the Joint Controller in writing/electronically about any requests for the disclosure of Personal Data processed under the relevant agreement, including appeals received from judicial, law enforcement, regulatory/supervisory authorities, and other agencies;
  8. Where Data is collected directly from the Data subject, provide the Data subject with all relevant information regarding the purposes, legal basis, and duration of Data Processing; the (Joint) Controller(s), Data Processor(s), and Data Protection Officer (if any); as well as the Data subject’s rights (such as Data blocking, deletion, rectification, updating, etc.) established by law;
  9. Ensure the accessibility of information regarding the distribution of obligations and responsibilities between the Joint Controllers for the Data subjects. The Data subject’s rights to apply to each Joint Controller individually shall not be restricted;
  10. If a Data subject contacts any of the Joint Controllers regarding the rights granted by law (such as Data blocking, erasing, rectifying, updating, etc.), the contacted Joint Controller shall identify the responsible Joint Controller and promptly forward the request internally to ensure compliance with the timeframes for response as established by law. The initially contacted Joint Controller shall remain responsible for all necessary communication with the Data subject;
  11. The responsible Joint Controller shall be determined as follows: If the Data subject's Data is part of a dataset that can be attributed to a specific Joint Controller, that Joint Controller shall be responsible. In all other cases, the Controller initially contacted by the Data subject shall be deemed the responsible Joint Controller;
  12. Joint Controllers shall assist one another in the execution of Data subjects’ rights granted under the Law of Georgia on Personal Data Protection (such as Data blocking, deleting, rectifying, updating, etc.), in accordance with the provisions and timeframes set by law;
  13. Perform any other activities as required by law;
  14. Any provisions related to the processing of Personal Data by the Joint Controllers that are not covered by this policy shall be governed by the Law of Georgia on Personal Data Protection.

 

 

Annex #1

The categories of third parties providing and/or receiving Data

To perform its statutory duties, protect its legal interests, and provide services to you, the Bank may obtain and/or transfer information about you to third parties, which may include, but are not limited to, the following:

  • International payment system operators (such as VISA Inc., MASTERCARD Inc., and/or their contractors) that assist us in managing your accounts and providing services;
  • Payment service providers, correspondents, and/or other third parties involved in local and international payment systems for the purpose of providing payment services, as well as for identification and verification of individuals;
  • Anti-money laundering organizations/services (both in Georgia and abroad) to protect the Bank’s legitimate interests and fulfill statutory duties;
  • International and local remittance operators to facilitate the sending and receiving of remittances;
  • Professional organizations providing services to the Bank, such as external financial and legal advisors, solicitors, technical support providers, real estate appraisers, auditing firms, research and advertising companies, etc., for the purpose of delivering consulting, research, marketing, and other related services;
  • Credit information bureaus, to assess your creditworthiness during the application review process or while providing services, and to fulfill statutory obligations;
  • Public and private organizations, including supervisory, judicial, arbitration, investigative, and other entities, as well as state or local self-government bodies and their affiliated legal entities, such as the National Bank of Georgia, the Personal Data Protection Service of Georgia, the LEPL Social Service Agency, the LEPL Public Services Development Agency, the LEPL National Agency of Public Registry of the Ministry of Justice of Georgia, the LEPL Deposit Insurance Agency, the LEPL Revenue Service, the Ministry of Internal Affairs of Georgia, judicial and tax authorities, and Enforcement Bureaus, for the purposes of reviewing applications, providing services, protecting the Bank’s legitimate interests, fulfilling statutory duties, and ensuring compliance with reporting obligations;
  • The Bank's contractors and/or corporate clients who utilize the Bank's payment services to receive payments from their customers (subscribers) for billing purposes;
  • Problem asset management and/or collection organizations that provide debt collection services and/or purchase the rights to claim (cession);
  • Insurance companies, to provide you or the beneficiary with the appropriate insurance services;
  • Postal companies, to deliver relevant correspondence to you;
  • Bank's partner merchants – trade and/or service establishments that use the Bank’s POS terminal services under the relevant agreement, where card payment settlements are available;
  • Mobile communication network operators – for the purpose of providing services to you and fulfilling legal obligations, including exchanging information related to opting out of direct marketing, etc.;
  • International and/or local financial institutions for the purpose of receiving (co)financing and providing Open Banking and other related services;
  • Commercial partners of the Bank, including development companies, retail establishments, and organizations participating in the Payroll Program, for the purpose of processing your application, delivering services, and/or fulfilling contractual obligations;
  • Brokerage firms - to provide you with investment services;
  • Any other third parties with whom data sharing is necessary to fulfill the Bank's reporting obligations, ensure compliance with legislation, or meet the requirements of agreements with relevant organizations, as well as for audit, monitoring, and protecting the Bank’s legitimate interests.

The Client acknowledges and agrees that the list provided in this Appendix and/or on the Bank's administered websites is not complete or exhaustive, and that the number of third parties and/or categories may change over time. However, the Bank's data processing activities will always comply with the requirements set forth in the Law of Georgia on Personal Data Protection, regardless of any changes to the list.

 The protection of the confidentiality of Personal Data is the responsibility of the third-party recipient. Therefore, the Bank is not liable for any breach of confidentiality by the receiving party, unless otherwise required by law.

 

Annex #2
Video Monitoring

To prevent and detect crime, ensure public and personal safety, protect confidential information, and fulfill other legitimate interests of the Bank (including incident management, customer rights protection, process monitoring, and risk management), the Bank conducts video and audio monitoring (hereinafter referred to as "Monitoring") in service areas, as well as the internal and external perimeters of its buildings, including meeting rooms and workspaces, in accordance with the Law of Georgia on Personal Data Protection.

Monitoring is carried out 24/7, and recordings are retained for up to one year, or for as long as necessary to achieve specific legitimate purposes. After this period, the recordings are automatically deleted, unless there are legal grounds to retain them for a longer duration.

To ensure transparency, the Bank has placed appropriate signage in relevant areas, informing individuals that video and audio recording is taking place.

Additionally, the Bank implements appropriate technical and organizational measures to safeguard recorded Personal Data from accidental or unlawful destruction, alteration, disclosure, access, or any other unlawful form of processing or misuse. These measures include:

  • Physical security of the monitoring system, with related technical equipment stored in a restricted area accessible only to authorized personnel;
  • Access to recorded data is strictly controlled and granted only to authorized personnel, with access rights determined according to their roles and responsibilities within the Bank;
  • Adequate security measures are in place to protect information systems, preventing unauthorized access from external networks and the internet;
  • All actions performed on the recorded data within the monitoring systems are fully logged and registered;
  • Any instances of record disclosure are meticulously documented.


In certain situations, it may be necessary for the Bank to grant access to or transfer video recordings to third parties for various reasons. For example, when there is reasonable suspicion that a recording may contain evidence of illegal activities (including administrative offenses), relevant authorities may request access for criminal or administrative investigation purposes.

In addition to the scenarios mentioned above, access to recordings may also be requested by the Bank’s supervisory authority, the National Bank of Georgia, or the Personal Data Protection Service for the purpose of reviewing complaints or for other reasons prescribed by the Legislation.

The Bank will only present or disclose recordings to third parties (including law enforcement agencies) when there is a legitimate legal basis for doing so, as stipulated by applicable legislation.

The rights of Data Subjects are outlined in Article 20 of this Policy.

 

Annex #3
Audio Monitoring

During telephone communication, the call recording system (audio monitoring) automatically records and processes incoming and outgoing calls to or from the Bank's hotline or other relevant telephone numbers for the purposes of improving and properly performing the service, reviewing and responding to applications and claims, monitoring compliance with the Code of Ethics and professional conduct standards, as well as protecting other legitimate interests of the Bank (including creating legally binding evidence). This may also occur in cases directly provided for by law, or, where necessary, based on your consent, in compliance with the requirements of the Law of Georgia on Personal Data Protection.

Prior to or upon the commencement of audio monitoring, the Bank will inform you that audio monitoring is taking place and will explain your right to object, if applicable. The recordings will be stored for a minimum of 15 years, after which they will be automatically destroyed, provided the specific legitimate purposes for which the recordings were made have been fulfilled, and there is no need or lawful basis to retain the data for a longer period.

In addition, the Bank implements all appropriate technical and organizational measures to safeguard recorded Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, as well as against any other unlawful form of processing or misuse. These measures include, but are not limited to:

  • Access to the records is restricted to authorized personnel only, with access rights and scope determined according to their roles and responsibilities within the Bank;
  • Appropriate measures are in place to secure information systems and prevent unauthorized access;
  • All actions performed in relation to the recorded Data within the monitoring systems are fully logged and tracked;
  • Any instances of disclosure of the records are meticulously documented.


In certain cases, it may be necessary to grant access to and/or transfer audio recordings to third parties for various reasons. For example, access may be directly requested by the Bank's Supervisory authority, the National Bank of Georgia, or the Personal Data Protection Service for the purposes of reviewing your complaint, or in other cases as prescribed by law.

The rights of the Data Subject are outlined in Article 20 of this Policy.

 

Annex #4
Processing of Biometric Data

Biometric Data refers to data processed using technical means that relate to the physical, physiological, or behavioral characteristics of a Data Subject (such as facial images, voice features, or dactyloscopic data) which allow for the unique identification or authentication of that Data Subject.

The processing of Biometric Data is necessary for the Bank’s operations, including security purposes, the protection of property, and safeguarding confidential information. It is also required to fulfill the Bank’s obligations as an accountable entity under applicable legislation. This includes verifying the accuracy of data needed to confirm the client's identity and document authenticity, creating legal evidence, combating fraud and money laundering, and ensuring the proper delivery of services to clients.

In order to process Biometric Data, the Bank shall obtain the Data Subject’s consent, where required, in accordance with the provisions established by applicable legislation.

Biometric Data processing takes place in Georgia, as well as in jurisdictions listed by the Personal Data Protection Service (or its successor) as providing adequate guarantees for Personal Data protection, including countries where the General Data Protection Regulation (GDPR) is enforced.

The Data Subject’s rights are outlined in Article 20 of this Policy.

 

4.1.    Electronic Identification

To access and use Banking services remotely, outside of Bank service points, the Client must undergo an electronic identification and verification procedure in accordance with current legislation. As part of this process, the Bank will collect and process Personal Data, including Biometric Data, based on the relevant technical solution.

The facial recognition system of Amazon Web Services, Inc. and the technical solution developed by Identomat Inc. (SR 20204194256; n7977895; info@identomat.com; +1 (304) 804 40 50; for Data Protection matters: legal@identomat.com), located at 60 Hazelwood Dr, Champaign, IL 61820, USA, are employed during the electronic identification and verification processes.

Note: The contact details of the service provider may change over time. For the most up-to-date information, please refer to their official websites.

The remote identification process involves capturing a photo of the identity document and taking a dynamic selfie. These images are compared to verify the authenticity of the client and the validity of the provided document.

The Service Provider implements strong technical and organizational measures to protect Personal Data, including encryption that prevents third parties, the server resource provider among them, from accessing the Data. Additionally, Biometric Data is processed only for a maximum of 10 seconds during the identification session. Access to Biometric Data is not permitted during this process, and it is deleted immediately upon completion of the identification, with no possibility of recovery.

Other categories of Personal Data will be retained by the Bank for as long as necessary to achieve the purposes of Data Processing, to protect the Bank’s legitimate interests, or for the duration required by the regulator and/or legislation.

 

4.2.    Electronic Signature

To sign documents electronically within the scope of banking services, in accordance with the applicable legislation, the Bank has implemented an electronic signature system using a special device (Signify Pad). This electronic signature serves as an alternative to a physical signature and holds the same legal validity.

The service of "NGT RockIT Solutions" LLC (ID 405432580; address: Georgia, Tbilisi, Saburtalo District, Zh. Shartvava Str, N40; contact: contact@signify.ge; for data protection matters: privacy@signify.ge) (hereinafter referred to as Signify) is used in the electronic signature process.

Note: The contact details of the service provider may change over time. For the most up-to-date information, please refer to their official websites.

During the signing, the signature characteristics (such as pressure, acceleration patterns, hand movement, etc.) of the signatory are recorded and stored on the signature pad and are then linked to the content displayed on the signature board at the time of signing.

The aforementioned data is encrypted during the signing process using a unique encryption key issued by the LEPL Public Service Development Agency (hereinafter referred to as the Agency). Each document is encrypted upon being uploaded to the Signify platform. The biometric data related to the signature, including behavioral characteristics, is not accessible to Signify or any third party.

The processing of behavioral (signature) characteristics is a necessary component of the electronic signature process, as it ensures the authenticity of the signature. It also enables the possibility of a forensic examination of the document and signature, should the need arise, by the LEPL Levan Samkharauli National Forensic Bureau (hereinafter referred to as the Bureau).

In the event that a forensic examination is required, Signify, the Agency, and the Bureau (or its successor) will have access to the signatory’s personal data and the content of the signed document.

Note: The signature-related biometric data is shared with the Agency and the Bureau only in the event of a forensic examination related to a biometric signature.

Personal Data will be stored for the duration of the application review or service provision, and/or for the validity period of the relevant contract, and/or for the time necessary to protect the Bank’s legitimate interests, and/or for the period required by regulatory authorities and/or as stipulated by applicable legislation.

 Signify holds ISO/IEC 27001 certification and implements comprehensive organizational and technical measures to ensure data security, including robust encryption protocols.