Privacy policy

TBC Bank Group PLC (hereinafter: TBC Bank Group or Group) and other companies belonging to the Group (hereinafter Group Companies) takes utmost care of personal information and treats it according to personal data protection regulations and applicable laws.


How we use your personal information

Our main purpose is to introduce you to how your personal information is processed and used by Group. The notice explains the principles we follow while processing your personal data and how the law protects you. It covers the data which the group obtains when having you as a customer, which is also used for direct marketing purposes in line with the legislation of Georgia and GDPR/UK GDPR.  


Our privacy promise

We, TBC Bank Group PLC promise:

  • To keep your data safe and private;
  • Not to use your data unlawfully;
  • In case you request, to provide you with complete and exhaustive information with respect to the processing of your personal information.

 

How the law protects you

As well as our Privacy Promise, your privacy is protected by the legislation of Georgia and GDPR/UK GDPR.

Pursuant to the law, you are authorized to request of us the information with regard to the use of your personal data.

The Group shall be obliged to supply this information if requested by you. We are authorized to use the personal data only in case specific contractual and/or relevant legal basis exist.

The Group has a legal basis for using your data, which also implies the existence of business-related and/or commercial purpose. It is important that the information processing by the Group does not aim at harming your interests either in this case.  The processing of personal data of a minor is allowed only in accordance by the legislation of Georgia and GDPR/UK GDPR   taking into account the best interests of the minor.


Sources from which we obtain personal information

We can collect personal information about you from the sources provided by you and listed below:

You provide us with the data in the following cases:

  • When you become a customer/supplier;
  • When you register for our online services;
  • When you apply for our products and services;
  • During a telephone conversation or your visit to us
  • When you use our websites, mobile device apps and web chat;
  • When you send letters by mail or e-mail;
  • When you carry out Banking transactions with our help;
  • When you use the serviced provided by  our Group companies;
  • We collect data from outside organizations such as public registers, payment or transaction processors, credit agencies, other financial institutions or public authorities.

Cookies

We employ Cookies and monitor our visitor behavior on our website to ensure that we provide the best practice to our users while they visit our website and are able to continuously improve the quality of our service.

Cookies are small computer files that get sent down to your PC, tablet or mobile phone by websites when you visit them. They stay on your device and get sent back to the website they came from, when you go there again.

To find out more about how we use cookies, please see our cookies policy which is published on our website.

Your rights

You can receive the following information:

  • Which data are being processed with regard to you;
  • What is the purpose of data processing;
  • Legal basis for the data processing;
  • How the data were processed;
  • Who the data was transferred to;
  • Data issuance ground and purpose.

You can request a copy of the information processed by us.

Under the law, you are authorized to require adjustment, update, addition, blockage, deletion or destruction of your personal data if it appears to be incomplete, incorrect, out-of-date or if the process of information gathering and processing is carried out illegally. We observe the requirements defined by GDPR, UK GDPR Georgian legislation which may prevent us from an immediate deletion of your personal data. Such obligations may be stemming from the laws on anti-money laundering, tax, activities of commercial banks consumer rights protection and other.

Your Personal data is processed in line with the Georgian legislation and GDPR / UK GDPR

Communication security

Electronic messages sent over the Internet cannot be guaranteed to be completely secure as they are subject to possible interception, loss or possible alteration. The users of the Site are reminded that the confidentiality of e-mail messages sent via public network cannot be guaranteed.

The users shall avoid forwarding personal data or other confidential messages to TBC Bank Group and Group Companies via e-mail. TBC Bank Group, Group Companies or other service providers are not liable to carry out orders or instructions submitted via public e-mail. TBC Bank Group and Group Companies are entitled, if requested by the customer, to provide general information via e-mail to the e-mail address defined by the customer. TBC Bank Group PLC, and Group Companies shall not be liable for losses or damages occurred by any disappearance or transformation of such a message.

Information from third parties

We are authorized to request and obtain information from third parties as well, e.g. from TBC Bank Group PLC member companies or Credit Info Bureau, both positive as well as negative information stored in their electronic databases, also from that of LEPL State Service Development Agency. This is carried out pursuant to the GDPR, UK GDPR and Georgian legislation.

Who we share your personal information with

We may have to share your personal data in the cases defined by GDPR, UK GDPR and Georgian legislation with other companies, which are supposed to provide you with the product or service chosen by you, e.g.

When we use other service providers or other third parties to carry out certain activities in the normal course of business, we may have to share personal data required for a particular task. Service providers support us with activities like:

  • Designing, developing and maintaining internet-based tools and applications;
  • IT service providers who may provide application or infrastructure (such as cloud) services;
  • Legal, auditing or other special services provided by lawyers, notaries, trustees, company auditors or other professional advisors;
  • Identifying, investigating or preventing fraud or other misconduct by specialized companies;
  • Carrying out banking/financial arrangements (such as trustees, investors, and the advisers).

We may also share your personal information if the corporate structure of the GROUP changes in the future:

  • We may choose to sell, transfer, or merge parts of our business, or assets.
  • If any of the above discussed processes occur, we may share your data with other parties. However, before sharing such information, the mentioned parties shall mandatorily agree to keep your data safe and confidential.
  • If our group structure changes, other parties may use your data in the manner and within the frames as specified in this notification and regulated by the Law of Georgia GDPR and UK GDPR

Whenever we share your personal data with third parties, we ensure the necessary safeguards are in place to protect it. 

 

International Transfers

In case your Personal Data is transferred outside the EU and the EEA, the Group will take all steps to ensure that the data is treated securely and in accordance with this Privacy Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable to the Personal Data.

This can be done in a number of different ways, for example:

  • The country to which we send the Personal Data, a territory or one or more specified sectors within that third country, or the international organization is approved both by the European Commission as having an adequate level of protection and Georgian legislation;
  • The recipient has signed standard data protection clauses which are approved by the European Commission;
  • special permission has been obtained from a supervisory authority;
  • Data subject should be aware of the means of relevant safeguards;
  • The data subject should be informed in which direction his information was transferred in case of such a request;

- In the absence of a decision by commission under GDPR a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards.

- In the absence of an adequacy decision pursuant of the commission or of appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defense of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

How we use your information to make automated decisions

For making automated decisions, including profiling, we sometimes use the personal data we have, or are allowed to collect from other entities based on the legislation, the contract signed with you, or consent given by you. This helps us ensure that our decisions are quick, fair, and efficient. These automated decisions can affect the quality of products and services offered by us now or to be offered in the future. If there are no grounds (legislative, contractual, consent) you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal, financial or other significant effect on you.

Personal data processing for direct marketing purposes

We may use your personal information to tell you about relevant products and offers.

We gather your personal information from what you share with us and what we collect from the sources available to us when you use our services.

We study your data to form a view on what you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you.

We can only use your personal information to send you marketing messages if we have either your consent or a legitimate interest. We promise that our activities will not be unfair, incorrect, or running counter your interests.

You can ask us to stop sending you marketing messages by contacting us at any time. We respect your wishes and will stop using your data for marketing purposes.

Your security is important to us. Therefore, you will continue to receive statements regarding the changes in the facilities proposed to you and in terms of service.

How long we keep personal data

We keep your personal data throughout the whole term of service provided to you and for 15 years from the completion of the service for the following reasons:

  • To respond to any questions and complaints;
  • To show that we treated you fairly;
  • To maintain records according to the regulations that apply to us.

We may keep your personal information for over 15 years if we cannot delete it for legal or regulatory reasons.

How to withdraw your consent

You can withdraw your consent at any time, in case there are no other legislative requirements. Please contact us if you want to do so.

This will only affect the way we use information when our reason for doing so is that we have your consent.

If you withdraw your consent, we may not be able to provide certain products or services to you.  

 

Changes to this Privacy Statement

We may amend this Privacy Statement to remain compliant with any changes in law and/or to reflect how our business processes personal data. This version was created on 10.10.2022

TBC Bank Group PLC reserves the right, at its sole discretion, to change the terms and conditions for the Site any time and without prior notice.

How to contact us

If you have any questions or comments about following Site, or the Terms and Conditions, or you wish to hear more about TBC Bank Group, Group Companies and its partner services and products, please contact us either by email: ir@tbcbank.com.ge, by mail: 100 Bishopsgate, C/O Law Debenture, London, England, EC2N 4AG, United Kingdom or telephone: +44 (0) 7791 569834.

If you are located in the EEA and have questions about your personal data or would like to request to access, update, or delete it, you may contact our representative at:

Bird & Bird GDPR Representative Services SRL
Avenue Louise 235, 1050 Bruxelles, Belgium
EUrepresentative.TBCBank@twobirds.com
Key Contact: Vincent Rezzouk-Hammachi