Privacy Policy


I. Information about the Company


Investbank JSC (Investbank/the Bank) has its seat and registered office in the city of Sofia, 85, Bulgaria Blvd., and UIC 831663282. For further questions related to the processing of personal data, please contact our Data Protection Officer by e-mail at dpo@ibank.bg or by telephone at 0700 12 555 (for Vivacom subscribers, at the price of one city call from anywhere in the country) or 17 555 (for subscribers of mobile operators, at the price according to their tariff plan).

Investbank is registered as a personal data controller with identification No. 33115/19.07.2017 in a register maintained by the Commission for Personal Data Protection. Investbank, as a personal data controller, carries out its activities in strict compliance with the requirements of the Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, in order to ensure the confidentiality and lawful processing of its customers' data.

In addition to banking and investment activities, Investbank, together with Bulgaria Insurance Company, distributes insurance products to individuals and legal entities in the country.


II. General definitions


1. “Personal data” means any information relating to an identified or identifiable individual (‘data subject’); an identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;


2. “Processing” means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


3. “Controller” means an individual or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means for the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law.


4. “Data protection officer” means an individual or legal person having the necessary competence who is authorised or appointed by the controller by an appropriate written act setting out his/her rights and obligations in relation to ensuring the minimum necessary technical and organisational measures for the protection of personal data when they are processed.


III. Data Subjects Rights


Individuals whose personal data is processed by Investbank have the following rights, which they can exercise by submitting an application on paper or by e-mail (dpo@ibank.bg), addressed to the personal data protection officer at Investbank, indicating their names and contact details in order to receive a written communication.


1. Right of access of individuals (data subjects). The data subject shall have the right to obtain from the Bank confirmation as to whether personal data relating to him or her are being processed and, if so, to obtain access to the data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed; where possible, the intended period for which the personal data will be kept and, if this is not possible, the criteria used to determine that period; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information about their source; the existence of automated decision-making, including profiling, or, at least in those cases, substantial information about the logic used, and the significance and intended consequences of that processing for the data subject.

2. Right to rectification of personal data of individuals (data subjects). Each data subject shall have the right to request the Bank to correct, without undue delay, inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by adding a declaration.


3. The right to erasure of personal data (“right to be forgotten”) is a legal possibility of the data subject to request the Bank to erase the personal data related to him/her, and the Bank has the obligation to erase the personal data without undue delay where any of the following applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

d) the personal data have been unlawfully processed.


4. Right to restriction of processing of personal data.


The data subject shall have the right to require the Bank to limit the amount of his or her data processed in the following cases:

a) the accuracy of the personal data is contested by the data subject. In this case, the restriction of processing is for a period that allows the Bank to verify the accuracy of the personal data;

b) the processing is unlawful but the data subject does not wish his or her personal data to be erased but requests instead that their use be restricted;

c) the Bank no longer needs the personal data for processing purposes but the data subject requires them for the establishment, exercise or defence of legal claims;

d) the data subject has objected to the processing pending verification (balancing test) whether the legitimate grounds of the Bank override his or her interests.


5. Right to object and automated individual decision-making

The data subject shall have the right, at any time and on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her, including profiling. The Bank shall terminate the processing of personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or continues the processing for the establishment, exercise or defence of legal claims. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.


6. The right to withdraw consent that has been provided for the processing of personal data for the purposes described in the Declaration of Consent. The withdrawal can be executed by written application at the Bank offices.


7. Right to lodge a complaint with the Commission for Personal Data Protection - the data subject may lodge a complaint with the competent regulatory authority against actions of Investbank in relation to the processing of his or her personal data.

The applications referred to in items 1-7 shall be submitted in person or by a person expressly authorized by the client, by notarized power of attorney. An application may also be made electronically, in accordance with the Law for The Electronic Document and Electronic Signature. Investbank shall act on a customer's request within 30 days of its submission. Where a longer period is objectively necessary - in order to collect all requested data and this seriously hinders the Bank's activity, this period may be extended to 60 days. In its decision, Investbank shall grant or refuse access and/or the information requested by the applicant, and shall always state the reasons for its response.


IV. Types of personal data processed at the Bank


Investbank may process personal data of data subjects concerning physical identity, social identity or economic/financial identity. The data may be collected from the data subject, third parties or may be created in the process of banking services. Where the Bank processes personal data for the purposes of providing products and services, for their repayment, for the fulfilment of your requests for services, and in order to comply with regulatory obligations, this processing is mandatory for the fulfilment of these purposes. Without the provision of this data, the Bank would not be able to provide information about the relevant services and to enter into a product or service contract with a customer.

1. Investbank may process various data for your identification - names; gender; date of birth; nationality (citizenship); permanent residence; current address; other data from an identity document; customer number; Personal Identification Number; tax number; qualifications, profession, previous professional experience.

2. The Bank may process your personal data (including when using the blink P2P service after obtaining your consent):

- identification data;

- contact data (including a list with names and telephone numbers) from your contacts list (Contacts) in your mobile device;

- other information constituting personal data within the meaning of the GDPR.

This data is processed and shared due to the requirement for establishing a unique correspondence between the registered mobile number of the originator/recipient and the number of his payment account with the payment service provider.

3. Data processing in the provision of proper advice and services:

- the financial services you use (accounts, credit products, insurance, deposits and holdings; investments in financial instruments); account movements and balances; potential interest in the Bank's products; history of financial information and advice given in previous periods. The Bank can use this data to analyse more effectively which payment, credit or insurance product is most suitable for you;

- marital status; household composition;

- general financial situation in order to provide appropriate advice if needed to improve your status (general assets, property, etc.);

- health status in connection with offering credit-related insurance products;

- feedback, comments and suggestions, past complaints. The information is needed to improve the Bank's services.

4. Investbank may process data from public official registers and data collected from third parties. The information is used in order to verify the accuracy of the information held by the Bank and to support the credit assessment process and direct marketing campaigns for banking products and services.

5. Investbank may record telephone conversations with you in order to improve services, provide process security and as evidence of compliance with instructions by service staff. The Bank retains records of telephone calls as evidence for the period necessary to resolve service disputes. Telephone records shall include communication with the service call centre as well as with central management for ongoing customer service.

6. Investbank uses a security surveillance system in and around its financial centres and premises where it conducts its core business. The installed system and its operation comply with the requirements of the current legislation on the use of security equipment. The security cameras are marked with a clearly visible sticker. Recorded images may be used as evidence to settle specific relationships relating to the detection of crime and the identification of an offender, witness or victim.


V. Recipients of personal data to whom your personal data have been or may be disclosed

Personal data is mainly processed by employees of Investbank. In connection with the performance of its core business, the Bank may receive and transfer personal data to other controllers for the purpose of fulfilling a contractual obligation or complying with an obligation under a special law. The Bank shall not disclose customer personal data to third parties before it has verified that all technical and organisational measures have been taken to protect such data and shall endeavour to exercise strict control to this end. In this case, Investbank remains responsible for the confidentiality and security of customer data.

1. List of personal data administrators to whom the Bank transfers/receives data: Bulgarian National Bank; National Revenue Agency; National Social Insurance Institute; Commission for Personal Data Protection; Financial Supervision Commission; Commission for Consumer Protection; National Statistical Institute; Financial Intelligence Agency, the State Agency for National Security; Court; Prosecutor's Office; Investigation; Ministry of Interior; Central Depository; Bulgarian Stock Exchange; External Auditors.

2. List of other administrators with which Investbank has contractual relations in connection with the performance of its activities:

- Advertising agencies for the preparation of promotional terms for banking products and related games and sweepstakes

- Collection agencies to support the Bank's loan collection activities

- Insurers when offering banking products or offering other insurance products

- Providers of information and communication technologies for the development and maintenance of banking systems.

- Lawyers and law firms

- Notaries Public

- Central Credit Register - for creditworthiness assessment

- Card payment operators - Borica AD and international card organizations - VISA, Mastercard when executing card payments.

- Payment system operators and correspondent banks - when executing bank transfers

- Providers of electronic certification services where a document related to the provision of a product or service is signed with an electronic signature

- Security companies licensed to carry out private security activities in connection with the processing of video recordings from Investbank's premises and/or ensuring the access regime at the premises

- Cash transfer companies and other providers of operational services and services closely related to the payment services provided by the Bank.


VI. The purposes for which the personal data are processed and the legal basis for the processing

(1) Purposes for which personal data are processed on the basis of the Bank's legal obligations

1. In order to comply with anti-money laundering and terrorist financing requirements, in accordance with the AML Act, the Measures Against the Financing of Terrorism Act and the Implementing Regulations:

- customer identification and verification of customer personal data;

- preparation of a customer profile based on a risk assessment;

- implementing controls to prevent money laundering and terrorist financing through actions to detect, investigate and report suspicious transactions.

2. In order to comply with the requirements of Markets in Financial Instruments Act, Measures Against Market Abuse with Financial Instruments Act and Regulation No. 38 of the FSC:

- preparation of a client profile for the delivery of services related to financial instruments through a risk profile questionnaire.

- controlling the prevention, detection, investigation of cases and taking future measures to comply with regulatory requirements and current legislation.

- exercising controls to prevent and detect market abuse of financial instruments.

3. Reports to government regulators - to comply with the automatic exchange of financial information under the FATCA Agreement and the Common Reporting Standard (CRS), the Bank prepares monthly reports to the NRA containing personal data of its individual customers. The processing of data is carried out in accordance with the Tax and Social Insurance Procedure Code.

4. Obligations stipulated in the Accountancy Act and the Tax and Social Insurance Procedure Code and other related normative acts in connection with keeping proper and lawful accounting;

5. Provision of information to the Commission for Consumer Protection or third parties provided for in the Law of Consumer Protection;

6. Provision of information to the Commission for Personal Data Protection in relation to obligations under the legal framework for personal data protection - Personal Data Protection Act, Regulation (EU) 2016/679 of 27 April 2016, etc.

(2) Purposes relating to the processing of personal data in the performance of contractual obligations

1. Regarding the preparation of contracts at the request of customers whose data is processed - to sign a contract for a banking service, the Bank needs customer data (for identification and contact with the data subject). Depending on the nature of the different services and banking products, the Bank may also require additional data.

2. Testing of banking products/services - in order to sign an appropriate contract and offer a banking service that meets the needs of its customers, the Bank uses personal data provided by the customer. The Bank organises a simulation sale of banking products/services in order to offer the most advantageous price and terms of sale, on the basis of which the customer can compare the offer and choose the most suitable product.

3. Use of banking products/services - Investbank processes personal data of its customers in order to provide improved conditions during the life cycle of existing banking products/services and execution of transfers and payments.

4. Verification and validation of customer data in the Central Credit Register, credit bureaus, NHIF, NSSI, National Population Database at the Ministry of Regional Development and Public Works. The Bank obtains personal data from the above registers in order to perform mandatory verification for the offering of its products and services, using automated algorithms to determine credit rating by performing initial and/or ongoing credit assessment of customer solvency, when purchasing and using banking or insurance products and services. For the purpose of determining credit rating, Investbank uses your payment history data. The algorithm aims to assess how likely it is that you will regularly pay amounts due on time for the products and services you use and how likely it is that a customer will be or become insolvent. In case of a low credit rating or lack of assessment, the Bank may postpone the signing of the contract or request additional payment guarantees.

(3) Purposes for which the processing of personal data is based on customer consent

1. Direct marketing of products and services organized by the Bank - organizing and conducting promotional campaigns for offering bank products and services through any official channel including bank offices, call center, email, SMS, phone and online channels.

2. Individual/personal approach to direct marketing and profiling for commercial purposes - creating a customer profile to deliver a new service or product that is designed for specific needs and customers. The Bank may use partially automated algorithms and methods to process customer personal data in order to continuously improve its products and services, to give customers a more personal touch, to tailor our products and services to customers' needs in the best possible way or to calculate. This process is called profiling. Consent to the processing of personal data is the subject of a separate Declaration of Consent for customers.


(4) Purposes for which the Bank processes personal data based on the protection of the Bank's legitimate interests


1. Statistical purposes - Investbank has a legitimate interest to process customer personal data in order to describe statistical summaries and reports required for submission to the BNB regarding the Register of Bank Accounts and Safe Deposit Boxes pursuant to Regulation No. 12. For these purposes, data obtained from customer personal data is stored and may be used.

2. Establishing, exercising or defending the Bank's rights - Investbank processes personal data in order to defend its rights before competent courts and complaint handling bodies and with the assistance of external lawyers and law firms. The purpose is relevant when data is used in connection with complaints, applications and judgments in court cases.

3. Testing of software programs and platforms, internal portal and training - The Bank may use personal data when creating or updating software applications of the Bank's information systems, while applying data minimisation and pseudonymisation principles.

4. Internal reporting, analysis and development of offered products and services - Investbank uses customer data to improve its market position by offering new, improved and innovative products, as well as to improve internal processes.

5. Risk assessment for fraud prevention and detection - Investbank processes customer data to protect against fraud or criminal acts. The Bank is entitled to refuse to serve high-risk customers who may damage its reputation. Based on specific facts and internal procedures, the Bank assesses the potential risk of fraud.

6. Customer service and relationship management - Investbank uses customer personal data to offer an individual approach based on the information collected and the customer profile created. Customer personal data can be grouped by certain criteria through different distribution channels in the Bank in order to improve information access to the channels and their capabilities.

7. Credit and insurance risk profiling - personal customer data is used to assess the risk of credit and insurance offers in order to reduce risk.

The processing of personal data for the above purposes is necessary for the protection of the legitimate interests of Investbank, as a personal data controller, where the interests are related to the normal course of its core business. Where necessary, Investbank may prepare tests to assess the balance between the legitimate interests of the Bank and the interests, rights and freedoms of data subjects for each of the purposes set out in items 1 to 7.


VII. Period of storage of personal data

In accordance with the applicable legislation, the Bank shall cease processing personal data for the purposes related to the contractual relationship after termination of the contract, but shall not delete them before the expiration of 5 years from the termination of the contract or until the final settlement of all financial obligations and the expiration of statutory data retention obligations, such as obligations under the Law on Payment Services and Payment Systems. Information stored and provided for the purposes of detecting and investigating crime and preventing money laundering and terrorist financing is kept for a period of 5 years. Other retention periods apply to obligations under the Accountancy Act to store and process accounting data (10 years), the expiry of the limitation periods for making claims set out in the Obligations and Contracts Act (5 years), and obligations to provide information to the court, competent state authorities and other grounds provided for in the legislation in force (5 years). Customers should note that Investbank will not delete or anonymise their personal data if it is necessary for pending judicial, administrative or complaint proceedings before the Bank.


VIII. Personal data protection


To ensure adequate protection of the data of the credit institution and its customers, the Bank applies all necessary organizational and technical measures provided for in the Personal Data Protection Act, as well as best practices from international standards (ISO 27001, TOGAF®, OWASP, ITIL, etc.), banking practices, etc. Investbank has established structures to prevent misuse and security breaches, has appointed a Data Protection Officer as well as a Data Protection Committee to support the processes of safeguarding and securing customer data. In order to maximize security in the processing, transmission and storage of customer data, the Bank uses additional protection mechanisms such as encryption, pseudonymization, etc.


IX. Updates and Changes to the Privacy Policy (personal data protection policy)


In order to ensure that the most up-to-date protection measures are applied and to comply with applicable law, the Bank will update this Privacy Policy regularly. If any changes it makes are material, it may post notice of the changes on its official website, mobile applications and call centre. Investbank invites its customers to regularly inform themselves about the care taken by the Bank to protect the data it collects and processes.


This Privacy Policy was last updated in January 2024.