Privacy Policy

Credins Bank Sh.a (“Credins Bank”, “the Bank”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data.

1. Introduction

Within the meaning of Law No. 124/2024 “On Personal Data Protection”, Credins Bank sh.a. is the controller of the personal data provided by individual natural persons when they use the services we offer through a business relationship or through online services, when using the Credins Online website or application via internet and mobile.

NUIS: K31608801O; Address: “Vaso Pasha” Street, No. 8, Tirana, Albania.
Bank contact details: Tel: +355 4 535 3000; E-mail: info@bankacredins.com.

The processing of personal data by Credins Bank is carried out in all cases in compliance with the following principles:

Principle of lawfulness, fairness and transparency — meaning that processing is carried out lawfully, fairly and transparently in relation to the data subject.

Principle of purpose limitation — meaning that personal data are collected for a specific and lawful purpose, clearly defined at the time of collection, and are not further processed for another purpose that is incompatible with the original purpose.

Principle of data minimization — meaning that personal data are appropriate and necessary for the purpose of processing and limited to what is necessary for achieving that purpose.

Principle of data accuracy — meaning that personal data are accurate and updated where necessary and that, in accordance with the purpose of processing, all necessary steps are taken for the immediate deletion or correction of inaccurate or incomplete data.

Principle of storage limitation — meaning that personal data are kept in a form that allows identification of data subjects for no longer than is necessary for the purpose for which they are processed. Personal data may be stored for longer periods, provided that they are processed only for archiving purposes in the public interest, research, scientific or historical purposes, or statistical purposes, while applying appropriate technical and organizational measures to protect the rights and freedoms of the data subject.

Principle of integrity and confidentiality — meaning that personal data are processed in a manner that ensures the necessary security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the use of appropriate technical and organizational measures.

Principle of accountability — meaning that the controller is responsible for and must be able to demonstrate compliance with the principles provided for in this law.

2. How we use your personal data

On the website of “CREDINS” Bank, www.bankacredins.com, in several sections such as job applications, the “Careers” section, the “Contact Us” section, the “Credins Online” section, “Your Loan Application”, “Properties for Sale” and “Newsletter”, users are required to complete certain personal data. In this context, Credins Bank collects your personal data.

The Bank processes personal data collected in relation to visitors to our website, clients, job applicants, our current and former employees, as well as other individuals who submit various requests for information, consulting, applications, etc.

The Bank processes your personal data mainly to provide and deliver the services and products it offers and relies on a number of legal bases for the processing of such personal data.

The Bank guarantees a high-security system for the storage and further processing of such data, in full compliance with the provisions of Law No. 124/2024 “On Personal Data Protection”. The Client/User confirms the completion and accuracy of the information provided and also declares that all requested information has been completed correctly and truthfully.

Furthermore, by completing the information online, the user declares that they give their consent for the further processing of the information provided to the controller, Credins Bank, and the persons authorized by it.

This page describes the tools for its administration in relation to the handling of information and personal data of users who visit it. The information in this section is presented to individuals who use the Bank’s services provided via the internet, accessible on the website corresponding to the official address www.bankacredins.com.

The data are provided only for this website and not for other websites that may be visited by the user through other links.

The party responsible for the processing of personal data is “CREDINS Bank” sh.a., with its registered office at “Vaso Pasha” Street, No. 8, Tirana, Albania.

By accessing this website, you confirm that you have read and accepted the terms of use provided therein. This document should be understood in accordance with the Bank’s operating terms and the terms of use of this website and constitutes the “Privacy Policy”, which will be subject to further updates.

3. Processing of Personal Data

The Bank processes your personal data mainly when you directly use the services and products we offer or when you use our online platforms. For example:
1.     When you apply for employment or apply for any of our products or services, such as accounts, deposits, loans, e-banking, bankcards, etc.
2.     When you use or view our website through your internet browser cookies.
3.     When you visit our branches or offices or use the Bank’s 24/7 service areas.
4.     When you contact the Bank by e-mail, telephone calls or other communication channels.

The personal data provided by data subjects, clients/users, are used only for the purpose of providing the service or fulfilling the request and are communicated to “processors”, “sub-processors” and “third parties” only if needed for this purpose, while complying with legal requirements. The Bank processes personal data based on the legal framework in force if:
5.     The data subject has given consent to the processing of his or her personal data for one or more specific purposes. In such a case, the processing of personal data is permitted on the legal basis of your consent, which may be revoked at any time. You may withdraw your consent through the same form by which you gave consent or through our free contact channels. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. “Consent” means any indication of the data subject’s will, freely given, informed and clear, by which the data subject, through a statement or any other unambiguous affirmative expression of will, expresses agreement to the processing of personal data relating to them for one or more specific purposes.
6.     Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. In this case, the processing of personal data is necessary to fulfill contractual and pre-contractual obligations requested by you in order to carry out financial services, banking transactions or other bank services and products.
7.     Processing is necessary for compliance with a legal obligation to which the bank is subject. In this case, the processing of personal data is justified under anti-money laundering legislation, tax laws and other legal obligations and regulatory requirements to which the bank is subject. Such obligations authorize the bank to process your personal data to verify your identity, prevent money laundering and fraud, verify your credit assessment, report obligations due to tax laws and risk assessment, among others.
8.     Processing is necessary to protect the vital interests of the data subject or another natural person.
9.     Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Bank.
10.  Processing is necessary for the purposes of legitimate interests pursued by the bank or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, especially where the data subject is a child. In this case, your personal data are processed beyond contractual obligations to protect the legitimate interests of the bank or the legitimate interests of a third party, such as ensuring IT security, preventing fraud through device data processing, preventing criminal actions, and managing and developing services and products.

4. Purpose and categories of data subjects whose data are processed

The bank processes personal data of categories of personal data subjects (clients, employees, job applicants, suppliers, visitors, etc.) in order to provide services to the data subject, including in cases requested by the latter for other closely related purposes.
Data relating to website searches and software procedures responsible for the operation of this website are collected in the context of normal operation and only for the duration of the connection, the transmission of which occurs during the use of internet communication protocols. This website does not include links between this website and other websites. We encourage you to read the privacy rules on other websites you visit.

Personal data relating to electronic banking services of categories of data subjects are stored in a system with a high security standard. The Bank processes the personal data of the user and authorized persons exclusively for the purpose of using electronic banking services. These data are not obtained to establish links with identified parties, but by their nature, through processing or connection with information and data of third parties, they may enable the identification of users.

Data voluntarily provided by the user, including all optional, explicit e-mails voluntarily sent to the addresses specified on this website, involve the subsequent receipt of the sender’s address, which is needed to respond to requests, as well as any other personal data contained in the e-mail. The Bank guarantees each user that, after the submission of information and data to the Bank website server, a high-security standard system is applied for the storage and further processing of such data, in accordance with the requirements provided in Law No. 124/2024 “On Personal Data Protection” and the overall legal framework on information security.

Specific summaries prepared for particular services that may be requested will be progressively displayed or presented on the Bank’s website. For individuals applying for employment with the Bank, we use their information for the application process and to monitor recruitment statistics. When we wish to disclose data to a third party, for example when we wish to obtain a reference or obtain certain data from other relevant institutions, we do not do so without first informing the data subjects, unless such information is required by law.

Personal data relating to applicants who are not successful in the competition are retained until the end of the period determined by the legislation in force, after which they are destroyed or deleted. After the legal retention period has ended, we keep non-personalized information for statistical purposes regarding applicants, to support our recruitment activities, but no applicant is identified from these data.

For individuals employed by the bank, we keep personal data that are necessary only for employment purposes and no more. These data are kept in secure locations, manually and in computer systems, in accordance with the law and our internal rules. When an employee is no longer in an employment relationship with the Bank, we prepare a file relating to the period during which they were employed. The data included therein are kept secure and used only for purposes directly relevant to the person’s employment until the end of the period determined by law, after which the data are destroyed.

5. Direct Marketing and consent of data subject

The use of personal data to send advertising materials or commercial information for the sale of products or services by the bank requires the prior consent of the data subject. By using the application, you give your consent regarding the further processing of data, while having the possibility, through a dedicated link, to unsubscribe if you do not wish to be informed further, or to appear at the bank counters to complete the relevant form. Withdrawal of consent does not affect the lawfulness of processing based on this consent before its withdrawal.

6. Categories of personal data

1.     First name / father’s name / surname
2.     Citizenship
3.     Identification document or passport (personal identification number, type of document, issuing authority, issue date, expiry date)
4.     Date of birth and place of birth
5.     Postal address (country, region, postal code, city, street address)
6.     Contact information (personal e-mail address, telephone/mobile numbers, work telephone number, work e-mail address)
7.     Marital status and family composition
8.     Gender
9.     Profession, position and workplace
10.  Education
11.  Authentication data (signature sample)
12.  Photograph
13.  FATCA/CRS status and TIN number
14.  PEP status
15.  Data on cookies used by the website
16.  Financial status and income details
17.  Employment status and employment of related persons
18.  Documents for credit assessment and history
19.  Relationship with other banks or financial companies
20.  Business documents for self-employed individuals
21.  Tax data
22.  Property documents (property description, property valuation report, collateral insurance, construction documents)
23.  Data arising from the fulfillment of contractual obligations
24.  Bank account details
25.  Credit/debit card details
26.  Transaction details and history
27.  Data related to power of attorney/authorization agreements
28.  Information on any third-party beneficiary
29.  Other data relating to the use of products and services offered by the bank
30.  User registration and data for registration in Credins Online
31.  Location data from the mobile device and other data
32.  Unique identifier for your device
33.  IP address of the device from which services are obtained and details about the devices and technology you use
34.  Data about merchants you pay with your card

The bank may use automated data processing to verify persons entering the bank’s premises for the security of the bank’s employees and to verify suspicious individuals, companies and transactions in relation to the prevention of money laundering, fraud and terrorist financing.

With regard to automated individual decision-making, including “profiling” of the client/employee, the bank does not rely solely on automated means but includes the involvement of responsible staff in making the relevant decisions.

Health data
The processing of sensitive “health” data is necessary for the fulfillment of a specific obligation or right of the controller (the bank) or of the data subject in the field of employment, social insurance and social protection, in accordance with the legislation in force in these areas.

Biometric data
The Bank does not process biometric data. Biometric authentication is an optional verification method created by the bank for accessing the bank’s mobile application. It is a fingerprint or facial recognition feature designed, issued and branded by Apple Inc. and Android respectively. The bank will not store biometric authentication in its application and will not collect it. You may enable/disable this type of authentication at any time on your device.

CCTV
Images from security cameras in and around the bank’s premises and 24/7 service areas.

Sounds
Audio recordings may be made for interviews in special areas of the bank’s premises with job candidates or employees.

Telephone calls
When you contact us by telephone, the conversation will be recorded for security purposes and as evidence to enable verification of contractual requests and to prevent and detect fraudulent behavior. Telephone recordings will be retained for as long as necessary for security and evidentiary purposes.

7. Methods of processing personal data

The personal data of subjects are processed electronically and manually in full compliance with the security measures defined in the provisions of Law No. 124/2024 “On Personal Data Protection”.

8. Personal data retention

The bank protects data in secure premises and systems until the end of the period specified in Instruction No. 20 dated 03.08.2012 of the Commissioner for the Right to Information and Personal Data Protection, “On Data Processing in the banking Sector”, after which electronic and physical data are destroyed/deleted, except where the legislation in force or a decision of competent authorities provides otherwise or provides for another retention period.

The retention period for personal data in electronic and physical form at Credins Bank is provided to be 10 years after the termination of the financial relationship or occasional transaction, except where special legislation requires another period.

However, this also depends on the category of data and the purposes for which they are processed. In any case, personal data are processed for as long as necessary for the bank to perform its obligations for the purpose for which the personal data were obtained, or as required by the applicable special legal framework and regulatory acts.

9. Information on processors

Credins Bank, as per banking/financial services, in fulfillment of contractual obligations it has with partners and in implementation of the legislation in force, may transfer personal data declared by the client to “processors”, “sub-processors” or “third parties” within and outside the country, while respecting security measures and retaining them until the periods provided by the legislation in force.

Within the meaning of the personal data protection law, “processors” are Bank partners who, for contractual/legal reasons, may process data on behalf of the Bank in its capacity as controller, such as:

Card production companies - Visa/MasterCard/First Data/SIA Slovakia/Nexi Central Europe a.s./Nexi Croatia d.o.o./Infocus Europe sro.

Bad loan collection companies - L&K Debt Collection/Micro Credit/New Collection.

External auditors of the Bank - Grant Thornton/Ernst & Young/RSM Albania sh.p.k.

Life and collateral insurance companies - Sicred/Sigal/Sigma/Albsig/Atlantik/Ansig.

Service contractors - Sicred Assistance/Posta Shqiptare/AK Invest/MoneyGram/CapitalInvest/Rural Credit Guaranty/European Investment Fund - EIF/3DInformatica/NOA/ABI Invest/AZ Distribution/Das-Boren-Oil/Alfa Service sh.p.k./Albanian Smart Business Solutions sh.p.k./3D Informatica/G2 WebServices, Srl/Raz Lee Security (2001) Ltd./Mailchimp/Reply.io.

The bank may also disclose personal data to third parties in relation to and subject to the services offered, where such disclosure includes the transfer of personal data to the branches or subsidiaries of the bank, or other third parties that lawfully process your data.

The bank may transmit your data to supervisory authorities, ministries, municipalities, the Bank of Albania, correspondent banks, the Financial Intelligence Agency, the General Directorate of Taxes, the IRS (Internal Revenue Service), other law enforcement authorities, your authorized representatives, and individuals or authorities that manage accounts, products or services on your behalf, lawyers, intermediaries, joint account holders, co-debtors, mortgagors and guarantors.

10. Access to personal data

Credins bank strives to be as open as possible in providing individuals with access to their personal data. Individuals may find out whether we hold any personal data by sending us a “request for access to personal data”, and pursuant to Law No. 124/2024 “On Personal Data Protection”, within a period of 30 days from the date of receipt of the request, the bank will inform you about the data or explain the reason for not providing the information.

If we hold your personal data, we will:

·       Inform you why we hold them;
·       Tell you to which recipient we may disclose these data;
·       Inform you whether providing personal data is mandatory or voluntary;
·       Provide a description of them and, where possible, a copy of the information in an understandable form.

For any personal data that we may hold, as well as for any right you enjoy in your capacity as a data subject in accordance with Law No. 124/2024 “On Personal Data Protection”, it is necessary to submit a request to the Bank by providing your legal identification documents.

11. Rights of the personal data subject

Individuals whose personal data are processed, pursuant to Law No. 124/2024 “On Personal Data Protection”, have the right at any time to obtain confirmation of the existence or non-existence of personal data and to know their content and source, to verify their accuracy, update or correction, to request information on the purpose of processing, the categories of personal data processed, the blocking of information and data processed in violation of the law, to lodge a complaint and, in any case, to object, on legitimate grounds, to their processing.

The Bank informs you about the lawful processing of data, as well as about every right you enjoy in your capacity as a data subject in accordance with Law No. 124/2024 “On Personal Data Protection”.

1.     “Right to information” - ensuring that the requested information is provided in a concise, transparent, understandable and easily accessible form, especially when the information is addressed to minors.
2.     “Right of access” - guaranteed by offering the opportunity to obtain from the bank a broader category of information if their personal data are being processed.
3.     “Right to rectification and erasure” - the data subject has the right to obtain from the controller the correction of inaccurate personal data relating to them as soon as possible, but no later than 30 (thirty) days from the date of receipt of the request.
4.     “Right to object” - the data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them.
5.     “Right not to be subject to automated decision-making” - the data subject has the right not to be subject to a decision based solely on automated processing of data, including profiling, which produces legal effects or similarly significant effects concerning them.
6.     “Right to restrict data processing” - the data subject has the right to restrict the processing of data by the controller (the bank) where the grounds set out in Articles 17 and 21 of Law No. 124/2024 exist, specifically indicating the possible reasons for “restriction” of processing.
7.     “Right to be forgotten” - at the request of the data subject, internet search engine operators are obliged to delete from the results displayed after a search performed on the basis of the data subject’s name information that is no longer current over time but which, when found, has a significant negative impact on the reputation of the data subject.
8.     “Right to data portability” - aims to provide the data subject with the opportunity to easily transfer, copy or transmit personal data from one controller to another for specific purposes related to the provision/receipt of information technology services.
9.     “Right to complain” - notwithstanding other available legal remedies, administrative or judicial, any data subject who claims that the processing of their personal data is carried out in violation of Law No. 124/2024 has the right to file a complaint with the Commissioner, who reviews it in accordance with the provisions of the Code of Administrative Procedures and Law No. 124/2024.

12. Security of personal data processed

The Bank processes personal data of categories of personal data subjects for the purpose of carrying out its activity and statutory duties in accordance with the legislation in force and internal rules. This may also include confidential information concerning the categories of data subjects whose data are processed. Information is a valuable asset; therefore, steps must be taken to protect information from unauthorized use, alteration, disclosure or destruction, whether accidental or intentional.

The Bank is committed to ensuring the use of information and information technology systems in order to preserve the integrity and confidentiality of information under its control. The bank uses a risk-based approach when assessing and understanding risks and uses all physical, personnel, technical and procedural means to achieve appropriate security measures. The Bank takes into account technological developments and implementation costs to achieve a level of security appropriate to the nature of the information and the harm that could result from a possible security breach involving personal data.

Data security is achieved through the use of advanced technology, encryption, access control and regular security assessments implemented to protect your personal data from unauthorized access, disclosure, alteration or destruction. All parties involved in the provision of services are certified according to ISO 27001 standards.

All bank employees are subject to the obligation to maintain the confidentiality of information provided to them in order to perform their functions based on their job description, and may disclose it only to lawful authorities. The bank assesses their integrity before they are hired. The bank monitors their compliance with their obligations regarding information security. According to the confidentiality statement signed by them, whereby they bear civil and criminal legal liability, Bank employees are obliged to maintain the confidentiality of information even after the end of their function.

13. How to contact us

Requests for information regarding our privacy policy and personal data protection matters may be sent by e-mail to info@bankacredins.com, or by written request to the address of the head office, or you may appear at the counters of “CREDINS” bank sh.a.

The Personal Data Protection Officer may be contacted at dpo@bankacredins.com.

Where the Bank has reasonable doubts regarding the identity of the person submitting a request pursuant to Articles 13-20 of Law No. 124/2024, the Bank shall request additional information in order to verify the identity of the data subject.

The response to a request by a data subject pursuant to Articles 13-20 of Law No. 124/2024 is provided free of charge. However, where requests by a data subject are clearly unfounded or excessive, especially due to their repetitive nature, the bank may: a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication, or of taking the requested action; or b) refuse to act on the request.

Data subjects also have the right to submit their complaint to the Commissioner for the Right to Information and Personal Data Protection at info@idp.al or through the toll-free number 0800 2050, and to file a complaint with the competent court.