1.    Purpose of the Data Protection Policy

This Data Protection Policy explains how we may process your Personal Data, what steps we’ll take to make sure your Data remains secure, and what your privacy rights are.

More specific conditions on the Data processing might be also outlined in separate contract(s), other service related documents and/or on our website(s). Please contact our privacy team using the following email - DPO@lb.ge if you have questions related to this Data Protection Policy.

 

2.    Who are we

JSC Liberty Bank (collectively referred to as “BANK”, “we”, “us” or “our” in this Policy) is a commercial Bank licensed under the Georgian legislation and is the Controller and responsible for processing your Personal Data.

Identification number: 203828304;
Legal address: Chavchavadze ave. №74, Tbilisi, Georgia, 0162
Contact information: +995 32 2 55 55 00; info@lb.ge

 

3.    Scope and amendment of the Data Protection Policy

This Data Protection Policy applies to all our prospective, present and past customers, natural persons and legal entities, non-juridical entities, state or self-government entities, legal entities of public law, job applicants, merchants, agents, payment system providers or anyone (hereinafter: you, Data Subject) in any other way related to any of Bank’s products and services, including those interacting with Bank through one of our channels, such as Email, website, mobile application, or account we operate on social media sites (e.g. Facebook, LinkedIn, Instagram).

This Policy may be updated from time to time. We therefore ask you to consult it on a regular basis. The latest version of the Policy is available at: www.libertybank.ge


4.    Scope of Data Processing

Throughout the period of a relationship with the Bank and after its termination, the Bank shall be entitled to process information about you, including your Personal Data in accordance with the purposes set out in this Policy.

Data processing by the Bank, without any limitation, includes every action executed towards the Data using automated, semi-automated or non-automated means. More precisely, Data Processing means obtaining, collecting Data from you and/or third parties set forth in Annex #1 of the Policy, accessing, recording, photographing, videorecording, audiorecording, organizing, interconnecting, storing, altering, restoring, revoking, using or disclosing (including disclosing information to third parties set forth in Annex #1 of the Policy) for the purpose of transferring, disseminating or making available through different means, grouping or combining, blocking, erasing or destroying.


5.    What Data do we process

Bank uses different types of personal information that we can group into the following categories, which include but may not be limited to the Data indicated below.
Note: Depending on the nature of your relationship with the Bank and the context and purpose of Data Processing, we may process all or only some of the Data specified in the relevant category(ies).

  • Identification – your name, surname, ID number, Date of birth, signature specimen.
  • Contact – your address of registration and/or factual residency, email address, mobile and landline phone number(s), contact person(s) information.
  • Financial – for example, your credit history, credit capacity, liabilities, payment schedule, arrears, payment arrears, penalties, administrative fines, your income, Data regarding your family members or other third parties who are financially dependent on you, property value and other assets, information related to insured products, financial products and services you have or had with us.
  • Transactional - such as payment (Bank, e-wallet) account number, payment account statement, balance, deposits, withdrawals, transfers, other information related to your accounts and transactions.
  • Technical - information on the device you use in our services and other technical details e.g. IP address, operating system, log records, etc.
  • Locational - refers to the Data we get about where you are. For example, the information collected from your mobile device's location-aware features when you request certain services that are dependent on your physical location.
  • Audio-visual - such as recordings of phone calls to/from our remote service centers and/or Bank’s internal phone numbers, Video and Audio monitoring footage, visual images.
  • Usage related - information on how you use our website(s), mobile app(s), products and services, including your feedback and survey responses.
  • Marketing - includes your preferences in receiving marketing from us and third parties and your communication preferences including information related to whether you have exercised Direct Marketing opt in/ opt out mechanisms.
  • Socio-Demographic - details regarding your citizenship, education, profession, work, family, etc., as well as language, gender, age, social status.
  • Interaction - any information you communicate with us whether face-to-face, by filling in physical forms, by phone, mail, and through other channels (including social media accounts Facebook, Instagram, LinkedIn, etc.).
  • Registries and Open Data - refers to the information registered in different databases, as well as Data about you that is in public records (such as the National Agency of Public Registry LEPL), and information about you that is openly available on the internet or otherwise.
  • Special categories of Personal Data – for instance, it may include information regarding your criminal record, health, biometric Data, such as facial image, etc. We will seek your explicit consent to collect such Personal Data unless the law permits us to process this type of Data without your consent.
  • "Know Your Customer" (KYC) - information processed as part of customer due diligence for the purpose of preventing fraudulent behavior, assessing risks with a risk-based approach, as well as combating money laundering, terrorist financing and tax fraud.
  • Contractual - details about the products or services we provide to you.
  • Documentary Data - details about you that are stored in documents in different formats, or copies of them, for example, your passport, driving licence, birth certificate, vehicle license, extracts, etc.


In addition, we may process any other type of Data related to the Data Subject which enables us to identify and/or characterize and/or group the Data Subject by his/her physical, economic, cultural or social qualities or by using transactional and other types of Data in accordance with this Policy.


6.    What we need from you

You’re responsible for making sure the information you give us is accurate and up to date. You must promptly inform us if you believe that the information stored at the Bank is not accurate or complete. Please note that if you provide us with information regarding third parties (beneficiary, additional Cardholder, guarantor, family member, employer, contact person, employee, coworker, etc.), including, without limitation, their Personal Data, solvency information, information about the assets, etc., you are responsible for obtaining prior consents from respective persons to the processing of their Data by the Bank in accordance with the purposes and conditions set in the present Data Protection Policy. Therefore, the submission of such information to the Bank implies that you have obtained prior consent from these person(s), have ensured that the person is familiar and agrees with the present policy, and the Bank will not be liable to additionally acquire any such consent.

 

7.    If You don’t provide Personal Data

Where we need to collect Personal Data by law, or under the terms of a contract we have with you or in order to enter the contract, and you fail to provide that Data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with products or services).

 

8.    How do We collect Your Personal Data

In this section, we explain the main sources from which we obtain your Personal Data.

Data collected directly from you, for example when you:

  • Apply for or inquire about our products or services;
  • Fill in relevant forms, including those on our web site(s) and digital apps;
  • Interact with our staff via face-to-face meetings, through telephone calls (which may be recorded), our website(s), post, email, online chat, social media or through other channels;
  • Use our products and services, register with our online services;
  • Perform financial transactions, use Open Banking;
  • Sign a contract;
  • Express your preferences regarding Direct Marketing offers;
  • Participate in a competition or survey, etc;
  • Submit your or third party’s Personal Data to us for any other reason.


Data collected from third party(ies) - On the basis defined by the Legislation, including where necessary based on your consent, the Bank may obtain information about you from external sources, including but not limited to the following:

  • Credit information bureau - for example, we check your credit Data at the Credit Information Bureau Creditinfo Georgia JSC (ID 204470740) for the purpose of analyzing your solvency as future borrower, co-borrower/guarantor/owner of security collateral when you apply for a credit. We also use the credit information bureau databases to facilitate the approval process for the credit during the validity term of your credit obligation and/or to ensure monitoring of your existing obligations. For more information about the bureau please visit https://ge.creditinfo.com/en/homepage/
  • Supervisory, controlling and/or state and local authorities and legal entities – For instance, we obtain information about you from the State Services Development Agency LEPL (for the purpose of your identification and verification, as well as to ensure Data update); from the Revenue Service LEPL (for the purpose of analyzing your solvency, for example when you apply for a loan product or service and/or request to receive information about products of interest from the Bank); from the Social Service Agency LEPL (for example, if you are a recipient of social benefits, your Personal Data as a beneficiary is provided by the Agency for the purpose of opening a personal bank account and depositing the funds transferred from the Agency). Data about you may also be provided to the Bank within the framework of various government projects, for example, when providing financial assistance (subsidy), etc.

Data collected from other Data registries and publicly available sources - We may obtain your Data from public, business, debtors’ registry and other relevant registers and public sources.

Note: The categories of third parties providing and/or receiving Data are defined in Annex #1 of this Policy.

 

9.    What are the Purposes of processing Your Personal Data

Depending on the nature of the relationship with you and other specific circumstances, your Personal Data may be processed for different purposes and legal bases, including:

Purpose: your identification/verification, provision of banking products and services (opening an account, transferring funds, carrying out cash and cashless settlement operations, etc.) both at physical service points and remotely. For this, we may need your identification, contact, transactional, socio-demographic, location-related, registries and open data, biometric data, “Know Your Customer” (KYC), documentary data, audio-visual, interaction, contractual and/or other Data that will help us achieve the said purpose.

Legal Basis: (a) your consent, for example, to the biometric identification to use the services remotely; to obtain your Data from relevant registries, etc.; (b) entering into or performing a contract; (c) reviewing your application (providing services to you); (d) our legal obligation; (e) our legitimate interest, including: being efficient about how we fulfil our legal and contractual obligations; to prevent, detect, prosecute fraud and potential fraud, money laundering, terrorist financing, unauthorized access and/or misuse of our services and other crimes; to ensure that the records kept about you are true and accurate; to effectively manage our operational risks.

Purpose: To prevent and detect crime, including fraud, terrorist financing and money laundering - To do this, we may need your identification, contact, transactional, socio-demographic, technical, interactive, registries and open data, “Know Your Customer” (KYC), documentary data and any other information obtained through the AML preventive measures.

Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to prevent, detect, prosecute fraud and potential fraud, money laundering, terrorist financing, unauthorized access and/or misuse of our services and other crimes; to protect our customers, employees, and Bank assets; to ensure network security and proper functioning of electronic channels; to effectively manage our operational risks.

Purpose: credit risk management - For example, we process your Data in the framework of your loan application and business relationship, which may include financial, operational, compliance, insurance risk assessment. To do this, we may need your identification, contact, financial, transactional, socio-demographic, interactive, registries and open data, contractual, documentary and/or other data to help us achieve the said purpose.

Legal Basis: (a) your consent, where necessary; (b) entering into or performing a contract; (c) reviewing your application (providing services to you); (d) our legal obligation; (e) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to provide you with the products and services you have requested; to protect our business interests; to effectively manage our operational and other risks.

Purpose: Product and service improvement - We analyze the information to identify ways to improve our services and products. To do this, we typically might need usage, marketing, and interaction Data.

Legal Basis: (a) our legitimate interest, including: to develop products/services and grow our business; to eliminate defects and improve the services.

Purpose: To inform our marketing strategy - For example, we may use your Personal Data to provide you with the information we feel may interest you, use your feedback about our products and services to improve our offering, as well as to take into account your preferences regarding marketing communications. To do this, we typically might need usage, marketing, and interaction data.

Legal Basis: (a) your consent, where necessary; (b) our legitimate interest, including: to develop products/services and grow our business, to identify categories of users of our products and services and to carry out marketing activities accordingly; to ensure that you are informed about relevant Banking products.

Purpose: To protect our legitimate rights - we may need to use your information to protect our and/or a third party's legal rights, for example, to investigate local or international disputes related to transactions, to recover money owed to us, to commence legal proceedings, to respond to complaints, claims and requests, to relinquish a claim, to sell a portfolio, to protect intellectual property. Your Data may be processed in case of restructuring, sale of share or acquisition, etc. For that, we may need your identification, contact, financial, transactional, socio-demographic, technical, audio-visual, interaction, registries and open data, "Know Your Customer" (KYC), contractual, documentary and/or other Data to help us fulfill the said purpose.

Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to develop products/services; to grow our business; to ensure the investigation of complaints; to collect and recover money owed to us; to obtain proof of transactions and other relevant evidence; to protect our business interests.

Purpose: analytics and reporting - We process your Data that help us make informed decisions about products and services, in addition, Data Processing is necessary to fulfill other duties imposed on the Bank as an accountable person and to provide external reporting. For this we may need your identification, contact, transaction, socio-demographic, technical, interaction, "Know Your Customer" (KYC), documentary and/or other data that helps us achieve the said purpose.

Legal Basis: (a) our legal obligation; (b) our legitimate interest, including: to effectively fulfill our legal and contractual obligations; to develop products/services; to grow our business; to protect our customers, employees, and Bank assets; to effectively manage our operational risks; to obtain proof of transactions and other relevant evidence.

Purpose: property and security protection, for which we may need audio-visual, technical and any other information that will help us prevent crime, detect it, protect public and personal safety and property.

Legal Basis: (a) important public and our legitimate interest, including: to prevent, detect, prosecute crime, protect our customers, employees, and Bank assets, ensure network security and proper functioning of electronic channels; to effectively manage our operational risks.

Note: The Bank is entitled to process your Data for any other purpose defined by legislation, also when the further purpose of processing is compatible with the initial one.

 

10.    Who We share Your Personal Data with

In order for the Bank to perform statutory duties, protect its legal interests and to fully and properly provide service to you, based on Data Processing contexts and purposes, the Bank may transfer information about you including but not limited to the following categories of third parties:

  • Credit information bureau – For example, in the cases stipulated by law, Bank is entitled to transfer your credit/non-credit and other relevant information to the credit information bureau Creditinfo Georgia JSC (ID 204470740), which will be available to cooperating users involved in the credit information bureau in the manner established by law (credit organizations and recipients / suppliers of information). The Information transferred to the Bureau shall be determined by the Legislation and may include without any limitations: your identification, financial, contractual data, information on your current fulfilled/outstanding obligations and terms, information on collateral, surety information, other information, etc.
  • Supervisory, controlling and/or state or local authorities and legal entities - The Bank as an accountable entity is required to share Data with government authority(ies) (for example, the Financial Monitoring Service) for fraud and money laundering prevention purposes. If the data subject is a US citizen and/or a US tax resident or under other circumstances in order to comply with the terms of the Foreign Account Tax Compliance Act (FATCA) and the Intergovernmental Agreement (IGA) between the US and Georgia, the Bank is obliged to transfer the Data to the relevant state payment authority(ies). Sharing your Personal Data may also be necessary in response to your claims or complaints, for example to the National Bank of Georgia or the Personal Data Protection Service, etc.
  • International payment system operators (VISA Inc. and MASTERCARD Inc.), international and domestic remittance operators, payment service provider(s) and/or their contractors, with whom information is shared in order to provide banking/payment services to you.

The categories of third parties providing and/or receiving Data are defined in Annex #1 of this policy.

 

11.    International transfer of the Personal Data

In the cases envisaged by the Legislation, including for the purposes of fraud and money laundering prevention, as well as for the purpose of providing Banking services to you/performing the contract, and/or to protect the legitimate interests of the Bank, your Data may be transferred and stored outside of Georgia, including in an organization operating in a country with no adequate safeguards for Personal Data protection as defined by the relevant normative act of the head of the personal data protection service of Georgia/its successor.

The possible risks of Data sharing in countries without adequate safeguards for Personal Data protection may be related, but not limited, to the absence of a local supervisory authority, and no (or only limited) individual Data protection and privacy rights. In some of these countries the privacy and Data protection laws and rules on when Data may be accessed may differ from those in Georgia. In such a case, the Bank ensures the agreement on the Personal Data transfer is in place, which defines the obligations of the receiving party to ensure the protection of your Personal Data in accordance with the requirements stipulated by the Legislation.

 

12.    Cookies

We may use cookies and similar technologies which help us enhance your user experience while visiting our website. For more information about the cookies we use, please see the Cookies Policy here https://libertybank.ge/en/samartlebrivi-inpormatsia/cookies-policy

You can block or restrict cookies set by any website – including our Bank website(s) – through the browser settings on each browser (Internet Explorer, Mozilla Firefox, Google Chrome, etc.) and device you use to access the Internet. In the same way, you can delete cookies already stored on your device. Find out more information on how to manage cookies in common browsers by visiting: www.allaboutcookies.org

 

13.    Direct Marketing

It is our intention to provide you with choices regarding the use of your Personal Data for Direct Marketing and advertising purposes.

The Bank is authorized, independently as well as through a Data Processor and/or other authorized/related party(ies), to process your identification, contact, financial and other Personal Data for the purpose of directly offering and providing you with information about Banking, including credit, products, services, promotions, etc. through telephone, mail, email, digital bank, mobile apps, and/or without limitation, through any other electronic means (Direct Marketing).

Consent to the processing of Data for Direct Marketing purposes is not mandatory, however, in the absence of consent to Direct Marketing, Bank will be unable to offer you customized services / products under the above conditions.

Please note, that if you are also an official, representative, an authorized spokesperson of the Bank’s existing or prospective client legal entity or are in any other way related to that legal entity, the Bank is authorized to process your Personal Data as information related to the abovementioned legal entity and use this information for the purposes of providing services to the aforementioned legal entity, including to carry out Direct Marketing.

 

Opting out from Direct Marketing

You may at any time withdraw your consent and request that we stop sending you Direct Marketing messages by email, mobile phone number and/or other electronic means. For this, you can use the available opt-out mechanism provided in each electronic means (so-called SMS off, unsubscribe, etc.), contact our service center, call us on 0 322 55 55 00 and/or use any other form agreed between us and/or prescribed under the Legislation.

For the avoidance of any doubt, receiving product, service, etc. related information (e.g. advertising banner, flyer, oral offer, etc.) shall not be deemed Direct Marketing and, correspondingly, you shall not be entitled to demand cessation thereof, if such information is presented directly by the Bank and/or its representative at the points of banking service provision or in remote channels which belong to (are associated with) the Bank (including ATM, digital bank, etc.).

Please note, that upon a request to stop offers as a part of Direct Marketing, only communications of an advertising nature shall be terminated. Bank will further contact you using the contact Data kept in the Bank, regarding the issues/obligations arising in the framework of the relationship between you and the Bank, including, taking into account the requirements of the Legislation, in order to inform you about credit overdue and any other type of debt, to provide information about changes in service/product conditions, deposit insurance, as well as to provide a response to your statements or requests and to deliver other relevant information.

 

14.     Automated individual decision-making

The Bank is entitled to process your Personal Data to make decisions solely by automated means, including on the basis of Profiling. We may use automated decision-making, for example, in the following cases:

  • Credit approval - when you apply for a credit product/loan, we process your financial, transactional and other relevant information in order to analyze your solvency, assess risks and, based on this, make an appropriate decision regarding the granting of a loan. This can be done on the basis of automatic scoring.
  • Product Offerings - We may process your financial, transactional, socio-demographic and other relevant data in order to identify and offer tailored products to you.

 

15.    Video and audio monitoring

Based on the objectives of preventing, detecting/investigating crime, protecting public and personal safety and property, protecting secret (confidential) information and to perform other important tasks based on the Bank’s legitimate interest (such as incident management and protection of customer rights, monitoring of processes, risk management, etc.), in compliance with the annex #2 of this Policy and law of Georgia on Personal Data Protection, video and audio monitoring of the external and internal perimeter of the building(s), including meeting rooms, service spaces and workplace(s) is being carried out by the Bank. In addition, monitoring and/or taking photo images is also carried out in the Bank, its service center and/or facility(s) belonging to the Bank's partner organization(s) through an ATM and/or other relevant electronic means. During phone communication with the Bank/Bank’s representative, the incoming and outgoing calls are being recorded/processed through the call recording system (audio monitoring) in order to enhance service performance, to review and respond to statements, complaints, to monitor compliance with the code of ethics and professional conduct standards, as well as to protect other legal interests of the Bank (including creating legal evidence) in compliance with the annex #3 of this Policy and law of Georgia on Personal Data Protection.

 

16.    Data Processing of the job applicants

The Bank is entitled to process a Data Subject’s Personal Data which was disclosed for the purpose of considering an initiation of employment and/or internship of such a person (hereinafter – Applicant). If the applicant is rejected, fails to proceed through the selection process, or unsuccessfully ends the trial period, his/her Data shall be deleted, unless the applicant has agreed to remain on file for a future selection process by the Bank and/or if there is another legal basis for keeping the data.

 

17.    Processing the Personal Data of minors

Minors under the age of 18 who wish to use our services must provide consent from their legal representatives (parents/legal guardians) regarding the processing of their Personal Data, apart from the exceptions provided by law.

 

18.    Copyright

The Data related to you (print, audio and/or visual) published on the Bank’s website, internet banking, mobile banking, mobile applications and other electronic means, shall be deemed as the Bank’s property and the Bank shall own a copyright over such data immediately after its publishing unless it is not classified as your Personal Data.

 

19.     Data Security and Retention period

We have put in place appropriate technical and organizational measures to safeguard your Personal Data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. In case the Bank transfers (discloses) the Data to third parties, including the resident(s) of other countries, the Bank ensures the agreement on the Personal Data transfer is in place, which defines the obligations of the receiving party to ensure the protection of your Personal Data in accordance with the requirements stipulated by the Legislation.

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We’ll normally keep your Data for up to 15 years after you cease your relationship with us. This enables us to comply with legal and regulatory requirements or use it where we need to for our legitimate purposes such as managing your account and dealing with any concerns that may arise. We may need to store your Data for a longer period where we need the information to comply with regulatory or legal requirements or where we may need it for our legitimate purposes, for example, to help us respond to complaints, fighting fraud and financial crime, etc.

 

20.    Your Rights

As a Data subject, you are granted the following rights by law, that may be restricted only in the cases envisaged by the Legislation.

Right to receive information on the processing of Data and to obtain a copy - You have the right to be informed about the collection and usage of your Personal Data. This means, that, upon your request, we must provide details regarding the processing of your Personal Data, including: information on what Personal Data and from which sources is being collected, the purposes and legal grounds for Data processing; Data retention period, the recipients to whom the Personal Data have been or may be provided etc. The present Data Protection Policy document is an example of this. You also have a right to obtain a copy of your Personal Data which is processed in accordance with the Legislation.

Right to the rectification, update and completion of Data - If the Data processed by Bank is incorrect, incomplete, or inaccurate, you can request the Bank to rectify and/or complete Data and provide us with the necessary information for this purpose.

Right to the termination of the processing, erasure or destruction of Data - You have the right to request the termination of Data Processing (including profiling), erasure or destruction of your Data. Please note, that the Bank may not be able to satisfy your request immediately due to the requirements of Laws on Facilitating the Prevention of Money Laundering; on Commercial Bank Activities; Consumer Rights Protection, Tax legislation, as well as other relevant Legislative acts.

Right to the blocking of Data – You have the right to request blocking of Data (restriction of Data Processing) when the accuracy of your Personal Data is contested by you or you request the cessation, deletion, or suspension of processing, for a period that allows us to verify the accuracy of Personal Data and review your request; when the Data Processing is unlawful but you oppose the deletion of Personal Data and request restriction of its use instead; when Bank no longer needs to process the Data for the processing purposes, but it is required by you to file a complaint/claim; when there is a need to retain the Data for use as evidence.

Right to the transmission of Data - You have the right, upon your request, to receive from us Data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, or to require that the Data be transmitted to another Data Controller. Bank is entitled to decline your request if it’s technically impossible to transmit your Data in a requested manner.

Automated individual decision-making and related rights – You have the legal right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other similarly significant effects concerning you, except where a decision based on profiling is: (a) based on your explicit consent; (b) necessary for entering into, or performing, a contract between you and the Bank; (c) provided for by law or by a subordinate normative act issued within the powers delegated on the basis of the law.

Right to withdraw consent - You can withdraw your consent at any time, if it doesn't conflict with the requirements of the legislation. Please note that the withdrawal of consent shall not lead to the cancellation of legal consequences arising before the withdrawal of consent and within the scope of the consent.

Right to appeal - You can address the Personal Data Protection Service with a claim regarding the processing of your Personal Data by the Bank, if you believe that your Personal Data is being processed unlawfully. For more information you can visit the Personal Data Protection Service’s website: https://personaldata.ge/en

 

20.1.    How to contact Us

In order to exercise your rights, you can directly contact our Data Protection Team at the email address: DPO@lb.ge.
Please clearly state your identity and, if possible, send the request using your email address registered in the Bank.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

 

20.2.     No fee is usually required

You will not be required to pay any fee for accessing your Personal Data or exercising any other legal rights, except in cases established by law (for example, if the fee is required under the Legislation and/or established by the Bank because of the resources spent on issuing the Data in a form other than that in which they are stored, and/or because of frequent requests). In case the Data subject makes an unreasonable number of requests, the Bank is also entitled to refuse to comply with the requests.

 

20.3.     Time Limit to Respond

We will respond to all legitimate requests within the time period set by the Legislation.

 

21.    Obligations of Data Controllers, Data Processors and Joint Controllers

Pursuant to the terms of this Policy, taking into account the context and purpose of the Data Processing, while processing certain types of Data, the Bank and/or third parties specified in Annex #1 of the Policy may represent the Data Processor(s) and act on behalf of Data Controller(s), and/or the parties may act as Joint Controllers.

While processing Personal Data, taking into account the nature of processing, if one party is the Data Controller, while the other party acts as the Data Processor, the Data Processor shall:

(a)    Carry out Data Processing only in accordance with the written instructions or guidelines of the Controller, only for the purposes specified under applicable agreement;
(b)    Ensure that all natural persons who directly participate in Data Processing have an obligation to maintain confidentiality;
(c)    Ensure Data security in accordance with the Data Protection Law; including among other things, to take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse of Personal Data;
(d)    Ensure that all operations performed in relation to electronic Data (including information on incidents, Data collection, Data alteration, Data access, Data disclosure (transfer), Data links and Data deletion) are fully registered (including the Log files). In addition, Data Processor shall ensure the ability to identify the responsible person for each operation performed in relation to electronic Data. When processing non-electronic Data, the Processor is obliged to ensure that all operations related to Data disclosure and/or alteration (including information on incidents) are registered;
(e)    Without prior consent from the Controller, the Processor shall not transfer Personal Data to another country or international organization that does not belong to the European Economic Area and is not included in the list of countries with adequate guarantees for Personal Data protection as defined by Personal Data Protection Service/its successor’s normative act;
(f)    Provide appropriate information to the Controller in order to ensure compliance with the obligations established by the Law of Georgia on Personal Data Protection and the monitoring of Data Processing by the Controller;
(g)    Take appropriate technical and organisational measures to assist the Controller to promptly respond to the requests from Supervisory and/or other authorized entities regarding Personal Data Processing and to assist the Controller in fulfilling his/her obligations related to the exercise of the rights of Data subjects (Data blocking, deleting, rectifying, updating, etc.) within the timeframes determined by Law of Georgia on Personal Data Protection;
(h)    Processor shall not transfer the right to Data Processing to another party/parties unless there is Data Controller’s permission. In case of the Controller's consent, the Processor is obliged to transfer the right to Data Processing to another party/parties based on written agreement only, which shall determine obligations of each Data recipient (sub)contractor to take all necessary technical and organizational measures to protect Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse of Personal Data, and therefore all obligations and/or responsibilities of Data Processor determined by applicable agreement and Law of Georgia on Personal Data Protection shall apply to the abovementioned (sub)contractors;
(i)    Notify the Controller in written/electronic form in case of unauthorized access to or any other kind of Data breach (incident), immediately or no later than 24 (twenty four) hours of its discovery;
(j)    In the event of a dispute between the Controller and the Processor, Processor is obliged to immediately terminate Data Processing and transfer all the Data in its possession to the Data Controller upon a request;
(k)    Upon Data Controller’s request, as well as in the event of the termination of applicable agreement for any reason, the Processor is obliged to terminate Data Processing and immediately and/or within 10 (ten) calendar days (if the said information is of a significant amount or needs to be searched/collected) transfer Personal Data and securely delete/destroy all Data shared with the Processor with no possibility of recovery of such Data, including any electronic or physical copies, unless Data retention is required by the legislation;
(l)    For the avoidance of any doubts the parties agree that the provisions specified in clauses "j-k" do not apply to Personal Data processed by one of the parties in the role of the Data Controller;
(m)    The Data Processor is obliged to compensate the Controller the damage, including any kind of financial fine imposed (if any), which occurred as a result of Data Processor's violation of the Personal Data Processing requirements established by this Policy and legislation;
(n)    The provisions related to Personal Data Processing by the Data Processor that are not covered by this Policy, are regulated by the Law of Georgia on Personal Data Protection.

 

While processing Personal Data, taking into account the nature of processing, if parties act as Joint Controllers, each of them shall:

(a)    Take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse of Personal Data;
(b)    Restrict access to Personal Data only to its authorized employees, who need the access to Personal Data for the purposes of the relevant agreement and are under the duty of confidentiality both during their employment and after the termination thereof;
(c)    Collaborate closely with Joint Controller to ensure Data Processing compliance with the law;
(d)    Process Personal Data in the scope of mutual collaboration, ensuring compliance with the relevant agreement and law;
(e)    Within the scope of its competence, assist and provide support to the Joint Controller in conducting Data protection impact assessment where it is required by law and/or relevant normative act;
(f)    Notify the Joint Controller in written/electronic form in case of unauthorized access to or any other kind of Data breach (incident), immediately or no later than 24 (twenty four) hours of its discovery. Such notification shall contain information on the circumstances, type and time of the incident; the possible categories and volume of Data that have been disclosed, damaged, deleted, destroyed, obtained, lost, or altered in a non-authorized manner as a result of the incident, as well as the possible categories and number of Data subjects that have been exposed to a threat as a result of the incident; the measures taken or planned by the Joint Controller for mitigating or eliminating any possible damage caused by the incident; and whether or not, and within what timeframe the Joint Controller intends to notify Data subject(s) about the incident;
(g)    Immediately inform the Joint Controller in writing/electronically about requests for disclosure of Personal Data processed within the framework of the relevant agreement, regarding appeals received from judicial, law enforcement, regulatory/Supervisory authorities and other agencies;
(h)    Where Data is collected directly from the Data subject, provide the Data subject with all relevant information regarding the purposes, legal basis, period of Data Processing; (Joint) Controller(s), Data Processor(s), Data Protection Officer (if any); as well as, Data subject’s rights (Data blocking, deleting, rectifying, updating, etc.) established by law;
(i)    Ensure the accessibility of information on the distribution of obligations and responsibilities between the Joint Controllers for the Data subjects. Data subject’s rights to apply to Joint Controllers individually shall not be restricted;
(j)    If Data subject contacts any of the Joint Controllers about the rights granted by Law (Data blocking, erasing, rectifying, updating, etc.), the contacted Joint Controller shall identify the responsible Joint Controller and forward the request internally to this Controller within a reasonable period of time to avoid breaking timeframes for responding as established by law. The Joint Controller who was contacted initially shall carry out all necessary communication with the Data subject;
j.a) The responsible Joint Controller shall be determined as follows: If the Data of the Data subject is part of a set of Data which can be attributed to a Joint Controller, this Joint Controller shall be responsible. In all other cases the Controller contacted by the Data subject shall be the responsible Joint Controller.
(k)    Joint Controllers shall assist one another with the execution of Data subjects’ rights granted by Law of Georgia on Personal Data Protection (Data blocking, deleting, rectifying, updating, etc.), in accordance with the provisions and timeframes determined by law;
(l)    Perform other activities as established by law.
(m)    The provisions related to the processing of Personal Data by the Joint Controllers that are not covered by this policy, are regulated by the Law of Georgia on Personal Data Protection.


Annex #1
The categories of third parties providing and/or receiving Data

In order for the Bank to perform statutory duties, protect its legal interests and to fully and properly provide service to you, based on Data Processing contexts and purposes, the Bank may obtain and/or transfer (make available) information about you to third party(ies) which may include but not be limited to the following:

  • International payment system operators (such as VISA Inc. and MASTERCARD. Inc. and/or their contractors) that help us manage your accounts and provide services;
  • Payment service provider(s) and correspondents and/or other third parties related to local and international payment systems for the purpose of providing payment service, as well as identification and verification of a person;
  • Anti-money laundering organizations/services (both in Georgia and abroad) to protect Bank’s legitimate interests and perform statutory duties;
  • International and local remittance operators to enable you to receive or send remittances;
  • Professional organizations providing services to the Bank, such as external financial and legal advisors, solicitors, technical support providers, real estate appraisers, auditing, research, advertising companies, etc. in order to deliver consulting, research, marketing and other services;
  • Credit information bureau - to analyze your solvency while reviewing your application or within a framework of service provision and to perform statutory duties;
  • Public and private organizations, such as supervisory, independent, judicial, arbitration, investigative and other institutions, state or local self-government bodies and legal entities established by them, including but not limited to: National Bank of Georgia, personal data protection service of Georgia, LEPL Social Service Agency, LEPL Public Services Development Agency, LEPL National Agency of Public Registry of Ministry of Justice of Georgia, LEPL Deposit Insurance Agency, LEPL Revenue Service, the Ministry of Internal Affairs of Georgia, judicial and Tax authorities, Enforcement Bureaus – for the purposes of reviewing application, delivering services, to protect Bank’s legitimate interests, to perform Bank’s statutory duties and reporting;
  • The Bank's contractors and/or corporate clients who use the Bank's payment services to receive payments from their customers (subscribers) (so-called billing);
  • Problem asset management and/or collector organizations which provide collection services and/or purchase the right to claim (cession).
  • Insurance companies, for the purpose of obtaining relevant insurance services for you;
  • Postal companies in order to deliver relevant correspondence to you;
  • Bank's partner merchants – trade and/or service facilities who use Bank’s POS Terminal services under the relevant agreement with the Bank and where card payments settlements are available;
  • Mobile communication network operators - for the purpose of providing services to you, as well as fulfilling legal obligations (including to exchange information regarding opting out from Direct Marketing, etc.);
  • International and/or local financial institutions for the purpose of receiving (co)financing; to provide Open Banking and other services;
  • Partner companies of the Bank, with whom Bank cooperates commercially, including, development companies, trade facilities, organizations involved in the Payroll Program for the purposes of reviewing your application/providing services and/or fulfilling contractual obligations;
  • Any other third parties with whom Data sharing is necessary to fulfill Bank's duties related to reporting, ensuring compliance with Legislation and/or the requirements of the agreement signed with the relevant organization, as well as performing audit/monitoring and protecting Bank’s legitimate interests.


The client knows and agrees that the list presented in the current annex and/or web pages administered by the Bank is not complete or exhaustive, and the number of such third parties may increase or decrease over time. However, the Bank will ensure its actions related to Data Processing remain in compliance with the requirements of Law of Georgia on Personal Data Protection.
 
Protection of the confidentiality of Personal Data is ensured by the third party recipient, therefore the Bank is not responsible for the violation of the duty of confidentiality by the receiving party, unless otherwise prescribed by the legislation.

 

Annex #2
Video Monitoring

Based on the objectives of preventing, detecting/investigating crime, protecting public and personal safety and property, protecting secret (confidential) information and to perform other important tasks based on the Bank’s legitimate interest (including incident management and protection of customer rights, monitoring of processes, risk management, etc.), in compliance with the law of Georgia on Personal Data Protection, video and audio monitoring (hereinafter referred to as “Monitoring”) of the external and internal perimeter of the building(s), including meeting rooms, service areas and workplace(s) is being carried out by the Bank.

Monitoring is being carried out 24/7 and the recordings are stored up to 1 year and/or for as long as necessary for achieving specific legitimate purposes, after which they are automatically destroyed if there is no need and relevant lawful grounds to keep the Data for a longer period of time.

To ensure that you are properly informed, the Bank has placed the relevant warning signs which include information about video and audio recording being carried out.

In addition, Bank takes all the appropriate technical and organisational measures to protect recorded Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse, including:

  • Physical security of the Monitoring system is established; the monitoring system and related technical equipment are located in a restricted area that is accessible for authorized personnel only;
  • Access to the records is only granted to authorized personnel, whose access rights and scope are determined based on their roles and responsibilities at the Bank;
  • The necessary measures to secure information systems are ensured to prevent unauthorized access from the internet and computer networks;
  • All operations performed with regard to the recorded Data in the monitoring systems are fully registered;
  • All the cases regarding disclosure of the records are registered.


In certain cases, it might be necessary to grant the access to and/or to transfer video recordings to the third parties for various reasons. For example, when there is a reasonable doubt that video recording might contain any evidence of the illegal acts (including administrative offense), an interest arises from relevant authorities for the criminal or administrative investigation purposes. Besides cases mentioned above, access to recordings may also be requested from the Supervisory authority of the Bank - the National Bank of Georgia, as well as Personal Data Protection Service for the purposes of reviewing your complaint and/or in other cases prescribed by law.

Bank will present and disclose the recordings to the third parties (including law enforcement bodies) only if there is a relevant legitimate lawful basis, stipulated by the legislation.

The rights of Data Subject are stipulated in Article 20 of this Policy.

 

Annex #3
Audio Monitoring

During phone communication with the Bank/Bank’s representative through the hotline, the incoming and outgoing calls, as well as calls to/from the relevant internal numbers (if any) are being recorded and processed through the call recording system (audio monitoring) in order to enhance service performance, to review and respond to statements, complaints, to monitor compliance with the code of ethics and professional conduct standards, as well as to protect other legal interests of the Bank (including creating legal evidence) or in other cases expressly provided by the legislation as well as based on your consent where necessary in accordance with the requirements of the Law of Georgia on Personal Data Protection.

Prior to or upon starting audio monitoring Bank informs you about carrying out of audio monitoring, and explains to you the right to object (if any). Recordings are stored for at least 15 years, after which they are automatically destroyed, if the specific legitimate purposes are achieved and there is no need and relevant lawful basis to keep the Data for a longer period of time.

In addition, Bank takes all the appropriate technical and organisational measures to protect recorded Personal Data against accidental or unlawful destruction, alteration, disclosure, or access, and against any other unlawful form of processing or misuse, including:

  • Access to records is only granted to authorized personnel, whose access rights and scope are determined based on their roles and responsibilities at the Bank;
  • The necessary measures to secure information systems are ensured to prevent unauthorized access;
  • All operations performed with regard to the recorded Data in the monitoring systems are fully registered.
  • All the cases regarding disclosure of the records are registered.

In certain cases, it might be necessary to grant the access to and/or to transfer audio recordings to the third parties for various reasons. For example, it may be directly requested by the Supervisory authority of the Bank - the National Bank of Georgia, as well as Personal Data Protection Service for the purposes of reviewing your complaint and/or in other cases prescribed by law.

The rights of Data Subject are stipulated in Article 20 of this Policy.

 

Annex #4
Processing of Biometric Data

In order to receive and use Banking services remotely, outside Bank service points, in accordance with the rules established by the current Legislation, the Client should undergo the electronic identification and verification procedure, where based on the relevant technical solution, Bank will obtain and process Personal Data, including Biometric Data. The Biometric Data refers to the Data processed using technical means and related to the physical, physiological or behavioral characteristics of a Data subject (such as facial images, voice characteristics or dactyloscopic data), which allow the unique identification or confirmation of the identity of that Data subject.

Facial recognition system of Amazon Web Services, Inc and the technical solution developed by Identomat Inc (SR 20204194256; n7977895; address: USA, 60 Hazelwood Dr, Champaign, IL 61820) are being deployed during the electronic identification and verification processes.

Remote identification process encompasses capturing a photo of the identity document and taking a dynamic selfie, comparing those and checking the information provided in the presented document. As a result, Bank is able to verify the authenticity of the client and the validity of the document provided.
Biometric Data processing is necessary for the purposes of carrying out Bank activities, security, protection of property and prevention of the disclosure of secret information, as well as for fulfilling the Bank’s obligations as an accountable entity determined by the legislation, including, for the purpose of checking whether the Data is correct which is necessary to verify client’s identity as well as to combat fraud, money laundering or other illegal acts and to provide requested services to the clients.

In order to process Biometric Data Bank shall obtain client's consent in accordance with the requirements established by the Legislation.

Data processing is being carried out in Georgia, as well as, in the jurisdiction(s) included in the list of countries with adequate guarantees for Personal Data protection as defined by Personal Data Protection Service/its successor’s normative act and where General Data Protection Regulation (GDPR) is enforced.

The Service Provider implements all appropriate technical and organizational measures to protect Personal Data, including ensuring strong encryption in order to prevent third parties, including the server resource provider, from accessing the Data abroad. Furthermore, the processing of Biometric Data during the electronic identification session is being carried out for no longer than 10 (ten) seconds, access to Biometric Data throughout the process is impossible and it shall be deleted immediately upon delivering the identification result, with no chance of recovery. Other categories of Personal Data will be processed by the Bank for the period necessary to achieve the purposes of Data Processing, to protect Bank’s legitimate interests, and/or for a period of time that is requested by the regulator and/or is envisaged by the Legislation.

The rights of Data Subject are stipulated in Article 20 of this Policy.