Personal Data Notice

Home

Back

DATA PROTECTION NOTICE

The privacy of your personal data is of paramount importance to us. We protect the security of your information which is why we have adopted policies and implemented processes that guarantee it. We want you to know that your personal data is in safe hands with us.

Please read the contents of this Notice to understand how and why we process your personal data and what your rights are.

WHO ARE WE?

We are Postbank, legally named Eurobank Bulgaria AD (hereinafter referred to as “We” and “The Bank”), registered with the Trade Register of the Registry Agency with UIN 000694749. You can contact us at 1766 Sofia, 260 Okolovrasten pat Str., Tel: 0700 18 555; e-mail: klienti@postbank.bg; www.postbank.bg .

Our major priority is to work ethically and responsibly, in order to comply with the legislation, including in the field of personal data protection, and to meet your expectations with regard to processing your personal data. We are constantly improving our internal procedures and workflows. Our employees are trained and obliged to protect the privacy of customers’ personal data

The Bank has appointed a special employee who is responsible for complying with the legal requirements for personal data processing and for the application of best international practices. This is our data protection officer and you can contact him by e-mail to dpo@postbank.bg or by mail to address 1766 Sofia, 260 Okolovrasten pat Str., Data Protection Department.

ARE YOU SUBJECT TO THIS NOTICE?

This Privacy Notice applies to you if we process your personal data for any of the purposes listed below, when you are ("You"):

in a contractual relationship with us (i.e., you are our client);
a family member of our client, as our clients sometimes need to share information about their family with us, or a representative/proxy, when it is necessary for us to provide them with a product or service or to get to know them better;
a person who has shown interest in one of our products and/or services, when you have provided us with your personal data (e.g., at our office, through our websites and applications, during events or sponsorships, etc.) so that we can contact you.

When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Privacy Notice. We will ensure that we will do the same whenever possible.

WHEN CAN WE PROCESS YOUR PERSONAL DATA?

Eurobank Bulgaria AD may process your personal data if one or more of the following conditions are met:

Legal Obligation – Based on Article 6(c) of Regulation (EU) 2016/679 (GDPR), Eurobank Bulgaria AD processes personal data in order to comply with its legal obligations as a data controller. This includes, but is not limited to, compliance with the following laws: Measures Against Money Laundering Act, Credit Institutions Act, Consumer Credit Act, Payment Services and Payment Systems Act, Real Estate Consumer Credit Act, Obligations and Contracts Act, Civil Procedure Code and any other applicable statutory or regulatory framework governing the Bank’s activities.
Contract – In accordance with Article 6(b) of Regulation (EU) 2016/679 (GDPR), Eurobank Bulgaria AD may process your personal data when the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract.
Consent – In accordance with Article 6(a) of Regulation (EU) 2016/679 (GDPR), in certain cases Eurobank Bulgaria AD may require your freely given, informed, and explicit consent to process your personal data for a specific purpose.
When the processing of your personal data for a specific purpose is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of the processing carried out before its withdrawal.
Legitimate Interest – In accordance with Article 6(f) of Regulation (EU) 2016/679 (GDPR), Eurobank Bulgaria AD may process your personal data for the purposes of pursuing a legitimate interest—economic, commercial, or other—of the Bank or a third party, which takes precedence over the interests of the data subjects and does not infringe their rights. This includes, for example, cases of corporate restructuring, business transactions, or similar activities.

Despite the presence of a legitimate interest, our actions toward you will always be fair and transparent, and in every case, a prior assessment will be conducted to evaluate the balance between the Bank’s or third party’s interest and the rights of the data subjects.

FOR WHAT PURPOSE DO WE PROCESS YOUR PERSONAL DATA?

In order to provide quality banking services and carry out our banking activities, as well as to maintain our relationships with clients and partners, it is necessary for us to process personal data for specific purposes. We use your personal information to process and assess any customer application for a product of the Bank, to maintain your accounts, to develop and improve our services, and to ensure that we comply with the laws that regulate our business.

We have compiled this detailed list to inform you of the purposes for which we use personal data and what our reasons are.

Why do we process personal data	Reason
To know who you are We use your personal data to fulfill our regulatory obligations related to the conduct of our business and the services we provide, including: To enter into and maintain contractual relationships, the law requires us to identify our clients. This means we must collect your personal data, including requesting a copy of your identity document, storing it, and updating it when necessary. This also helps us protect our clients from malicious actions such as identity theft and fraud attempts using fake documents; We also have legal obligations regarding responsible lending. This means that whenever you apply for a credit product, we will use the information you provide or that we already have. In connection with risk assessment and your creditworthiness, we may obtain information about you from registers maintained by government bodies, institutions, and agencies, such as the National Social Security Institute (NSSI), the National Revenue Agency (NRA), the Central Credit Register (CCR), the National Population Database at the Ministry of Regional Development and Public Works (GRAO), the Ministry of Interior (MoI), and others; Your personal data is processed to enter into and maintain contractual relationships, and we are legally obligated to retain this data even after those relationships end. Processing your information is a mandatory condition for granting credit and ensuring its repayment, opening and servicing your accounts, executing your payments, maintaining a history of your transactions, providing you with statements, notifying you of relevant changes, and assisting you in case of problems or complaints; The law requires us to implement security measures and assist in combating threats such as terrorism and money laundering, and to take actions in accordance with the criminal law of the Republic of Bulgaria. This includes monitoring, detecting, verifying authenticity/accurate execution, and reporting transactions, including those that deviate from normal patterns; Your personal data is processed for the collection of receivables under granted contracts, including through legal proceedings, enforcement of court decisions and/or orders. It also covers the transfer of receivables and obligations under the Obligations and Contracts Act (OCA), and the processing of your personal data by any new creditor of the receivable; Your personal data is processed to review and respond to your complaint, report, and/or other request, or such complaint, report, and/or other request submitted by an authorized state/public/judicial authority. Your personal data is processed in accordance with the requirements of the legislation to which we are subject, including through sharing your data with companies within the group to which we belong.	Legal and regulatory obligations
To conclude a contract and execute it We use your personal data to take steps at your request for a banking product or for the conclusion and performance of our contracts, and for this purpose: You have taken pre-contractual steps to enter into a contract; To conclude a contract with you, as a client using a banking product or service, or as a counterparty under a service agreement, the Bank must have specific personal data about you, as well as contact details; We may obtain additional personal information about you, which serves to confirm the accuracy of the information you have provided, including, but not limited to, from your employer; We confirm, verify, obtain, analyze, use, and store information and documents from/about you regarding social security income and payments, employment and income, financed projects, including but not limited to data from/to NSSI, NRA, lists (registers) under the AML/CFT laws, GRAO, employer, Commercial Register, and others; The creditor (current or future) has the right, at its discretion and as needed, at any time until full repayment of the credit, to verify the accuracy, truthfulness, and completeness of the information received, including through independent sources and registers such as, but not limited to, NSSI, NRA, GRAO, Commercial Register, etc., and to store it; Transfer of the creditor’s rights (current or future) to a third party of their choice under a contract concluded with the borrower.	A contract with you
To assess risks In the course of our activity as a bank, we use your personal data to: Assess risks when making decisions about whether a client is suitable for a particular product; Prevent harm to the Bank and its clients from malicious actions (e.g., online fraud, attempts to use forged and/or fake documents, etc.). Personal data may also be processed to protect the legitimate interests of third parties; Conduct statistical research and develop predictive and descriptive models for commercial purposes: to identify products and services that best meet your needs as our client, to create new offers or identify new trends among our clients, and to develop our commercial strategy based on client preferences; Improve our services – we want to ensure that we provide our clients with the best possible service and high-quality offerings. Therefore, we develop new products, improve our systems, conduct tests, and analyze information that helps us discover new business opportunities. We also continuously update the security level of our information systems and processes; Inform you about products and services offered by the group to which we belong (so-called “direct marketing”) – we constantly expand our portfolio of products and services, organize promotional campaigns, and create better conditions for customer satisfaction. When we believe you may be interested in a specific offer, we have a legitimate interest in sharing it with you. We do not want to present you with unnecessary or annoying advertising content, so we use the information we have about you to decide how, when, and what to introduce to you. This is done through profiling; Maintain a record-keeping system, report to and communicate with competent state authorities, auditors, or other lawful recipients of information to whom personal data may be disclosed. Additionally, the Bank assigns personal data processing to third parties known as processors. These are companies and individuals who provide services to us. We always require appropriate guarantees for the protection of your personal data and monitor the processors.	Legitimate interest
To fulfill a purpose for which you have given your consent In certain cases, when another condition is not applicable and for the fulfilment of a specific purpose, including for "direct marketing", the Bank will need your consent to process your personal data. If we need your consent, we will require it from you in a clear and open way. We may send you marketing-related messages in cases where you have provided your consent. If you choose not to receive information about our current products and services or decide to withdraw your previously given consent, we will always provide you with the opportunity to inform us of this. Once you notify us that you do not wish to receive such information, we will promptly honor your request, and the Bank will cease processing your data for that specific purpose.	Your consent

WHICH PERSONAL DATA DO WE PROCESS?

We collect and use your personal data to the extent necessary and within the scope of our activities, as well as to achieve a high standard of personalized products and services.

We may collect various types of personal data from you, including: Identification information (e.g., full name, personal identification number, ID document number including a copy, nationality, place and date of birth, gender, photo, IP address);
Contact information (e.g., phone numbers to reach you, including those of third parties/related persons, postal address, and email address);
Marital status and related persons (e.g., marital status, data about related persons, number of children);
Education and employment information (e.g., level of education, employment, employer's name, salary);
Banking, financial, and transactional data (e.g., bank account details, credit card number, money transfers, assets, declared investor profile, credit history, debts, and expenses);
Tax status (e.g., tax identification number, tax residency status);
Data collected through the use of cookies;
Data related to your habits and preferences: usage data of our products and services in connection with banking, financial, and transactional data; data from your interactions with us: our offices (contact reports), our websites, our apps, our social media pages, meetings, calls, chats, emails, interviews, phone conversations;
Video images (e.g., showing locations of withdrawals and payments for security reasons) or geolocation data to determine the location of the nearest branch or service provider, if you have consented;
Data from national institutions related to clients’ credit indebtedness and bank accounts (e.g., Central Credit Register, Register of Bank Accounts and Safe Deposit Boxes).

We may collect the following sensitive data only after obtaining your explicit prior consent:

Health data: for example, for the preparation of certain insurance contracts; such data is processed based on the necessity to know.

The data we use about you may be provided directly by you or obtained from the following sources to verify or enrich our databases: Registers/databases/publications provided by national or public institutions/authorities (e.g., Central Credit Register, National Social Security Institute, Ministry of Interior, GRAO, etc.); our corporate clients or service providers; third parties, such as fraud prevention agencies or data brokers, in accordance with data protection legislation;

websites/social media pages containing information you have published (e.g., your own website or social media), only for verification purposes unless we have your consent to enrich our data;

publicly accessible databases from third parties.

SPECIFIC CASES OF PERSONAL DATA COLLECTION, INCLUDING INDIRECTLY

Under certain circumstances, we may collect and use personal data of individuals with whom we have, may have, or have had a direct relationship—for example, loan applicants.

For various reasons, we may also process information about you without having a direct relationship with you. This may occur, for example, when your employer provides us with information about you, or when your contact details are provided by one of our clients, if you are, for instance: a family member, an attorney/legal representative, a beneficiary or originator of payment transactions made for/by our clients, an ultimate beneficial owner, a beneficiary of insurance policies, a landlord, a shareholder/partner/person in the ownership, control, or management structure of a company, a seller of real estate, a representative of a legal entity (which may be our partner), staff of a service provider or business partner.

We process personal data about children if they hold a product with the Bank or if you provide us with personal data about your children in connection with a product you receive from us. We will request your consent when required by local legislation.

WHO DO WE SHARE YOUR PERSONAL DATA WITH?

We believe your personal data is confidential and we value its privacy. Therefore, we pay close attention to processing which is related to disclosing or providing your personal data to third parties. Whenever we disclose your personal data, this is imperative to meet the above goals.

Depending on our relations, we may disclose your personal information to the following categories of recipients:

Companies from the financial group the Bank belongs to;
Companies and individuals who provide us with services for the implementation and maintenance of information systems, technical services, legal advice, archival, administrative or other similar services which are required directly in the course of your service or for the overall functioning of the Bank;
State authorities, institutions and establishments (National Social Security Institute, National Revenue Agency, Central Credit Register, the National Population Database with the MRDPW, Ministry of Interior, etc.) should we need to perform checks in their registers at the time we commence our business relationship, to assess your creditworthiness or for other information needed for signing of contract or its execution;
Companies that we may assign to collect on our behalf Bank’s receivables on your credit products;
Companies that assist us in improving our products and services and that may contact you on our behalf to make you an offer or invite you to participate in a survey;
If you use a debit or credit card, we will share information with our partner companies and organisations in order to offer this product;
Individuals that we assign to produce, print, collate, deliver (including by SMS or electronically) written correspondence and / or information materials of the Bank;
System operators servicing payments;
Payment service providers in relation to the Bank’s obligations under Regulation (EU) 2015/847;
In case we decide to transfer rights and obligations under a contract we have concluded with you, your personal information will also be provided to the recipient;
In case of legal merger or other legal transformation of the Bank or part of its business operations, your personal data will be shared with the respective successor of legal rights or newly incorporated entities;
If our relations stipulate the provision of collateral, personal data will be disclosed to notaries, the Registry Agency and/or other registrar authorities that legally require the entry of the collateral;
The National Revenue Agency, concerning the automatic exchange of financial information under Art. 142b, para 1 of the Tax and Social Insurance Procedure Code, which requires the provision of information about clients of the Bank, including actual company owners. The information provided includes name, address, tax number, date and place of birth, account number, account balance, and income earned on the account;
Other recipients who have legal powers to demand your personal data of the Bank. Such are the Bulgarian National Bank, ministries, commissions, agencies, judicial authorities, law enforcement authorities and others. In some cases, it is the Bank's legal obligation to initiate the provision of your personal data (for example, in the performance of obligations under the Law on Measures against Money Laundering) or due to a legitimate interest, including the legitimate interest of a third party.

Other credit and financial institutions or comparable entities, to whom we transfer your personal data for the purpose of executing transactions related to our business relationships (depending on the agreement, for example, correspondent banks, depositary banks, stock exchanges).

FOR HOW LONG WE WILL KEEP YOUR PERSONAL DATA?

The period for storing your personal data depends on the relations you have with the Bank. Personal data of potential clients who apply for a product or service but you are not approved or you decide to withdraw your application, your personal data will be stored for a limited period of time (1 year).

The Bank processes your personal data for the periods established by applicable national legislation and regulatory supervisory authorities, while preserving the Bank’s legitimate interests. The retention periods depend on the type of service used and the related documents.

These periods may be extended, for example, in cases of legal proceedings, extension of the limitation period due to interruption, or in compliance with legal provisions and requirements from supervisory authorities.

After the expiration of the legally or regulatorily established retention periods, the Bank will delete your personal data.

Personal data for which there is no explicit legal or regulatory obligation to retain will be deleted once the purposes for which the data was collected and processed have been fulfilled.

If you take advantage of your right to limit data processing, the Bank will store your personal data until you specify otherwise.

YOUR RIGHTS

RIGHT TO ACCESS

You can always ask us whether we process your personal data and if so, to be informed about what information we store, why we store it and how we process it. You are also entitled to a copy of this information.

RIGHT TO CORRECT

We would like your personal data to be accurate and up-to-date. If any piece of your personal data is inaccurate or out-of-date, please inform us and we will correct it.

RIGHT TO DELETION

You may ask the Bank to delete your personal data, but the relevant legal grounds should apply in order to fulfil the request. We will not delete any information about you that we are legally required to keep as well as if we have grounds not to delete this information. We will have one month to answer your request. If we refuse to delete the information, we will provide the basis for our decision and the legal grounds for it.

RIGHT TO RESTRICT DATA PROCESSING

In certain cases you may request the Bank not to process your personal data, including deleting them, in order to protect your legal claims.

RIGHT TO OBJECTION

As we have already stated in this Notice, in certain cases we process your personal data due to the Bank’s legitimate interest. You have the right to object to this processing, including when it is profiling. We will discontinue processing your personal data only if we are convinced that the Bank’s interest has no advantage in the specific situation.

We remind you that at any time you can easily express your will not to receive advertising content. In such case, we will immediately discontinue processing your personal data for the purposes for sending advertising content.

RIGHT TO DATA PORTABILITY

You may request the Bank to put your data in an electronic file and give it to you or to a third party. The data you can request may only be data we have received in connection with a contractual relation or with your consent and is automatically (electronically) processed.

HOW TO EXERCISE YOUR RIGHTS?

You can exercise any of the abovementioned rights in person or via an explicitly authorised person in any of the Bank’s offices as well as electronically in accordance with the Electronic Document and Electronic Certification Services Act. We have created a special form to make it easier for you to exercise your rights.

Under certain conditions, if your request is clearly unfounded or excessive—particularly due to its repetitive nature—we may charge you a fee for responding to the request. The fee is specified in our Tariff.

WITHDRAWAL OF CONSENT

You have the right to withdraw your consent at any time if such was necessary to process your personal data. This withdrawal does not affect the legality of the processing until the withdrawal of the consent. In case you withdraw your consent, this does not affect the processing of your personal data, which is carried out on another basis and for which your consent was not required.

AUTOMATED DECISION-MAKING

As part of your approval in the credit application process, your personal data may be subject to automated processing and automated decision-making. This means that the Bank’s specialised software will automatically process (without human intervention) the data you have provided and analyse them in terms of the criteria specified in the algorithm of the software. As a result, your application will be evaluated with a certain number of points according to which you may receive an automatic approval or automatic denial. When applying automated decision-making, you have the right to express your opinion, to challenge the decision, and to ask for human intervention.

COMPLAINT TO A SUPERVISORY AUTHORITY

If for any reason you are not satisfied with the Bank's actions in relation to your personal data, we would like you to tell us first in order to understand what the problem is and try to resolve it.

Our Data Protection Officer will look carefully at your complaint and will answer all of your questions. Nevertheless, if you believe that you have not received adequate assistance from the Bank or that there is a violation of your rights, you have the right to complain to a supervisory authority. In the Republic of Bulgaria this authority is the Commission for Personal Data Protection.

WHAT WILL HAPPEN IF YOU REFUSE TO PROVIDE YOUR PERSONAL DATA

As explained above in this Notice, we collect personal data primarily due to legal obligations or for the needs of concluding and executing contracts as well as for servicing you. If you do not provide us with the necessary personal data when this is compulsory for the intended purpose, it would not be possible for you be a client of the Bank, including you may be denied continuing to use the Bank’s products and services if we have already established relations.

UPDATING AND AMENDING THE NOTICE

We shall regularly update this Notice so that you can be duly informed about how we process your personal data. If we make any amendments which are essential to the purposes and grounds for processing, we will publish a notification on our website www.postbank.bg.

This Notice on the processing of personal data was last updated on 01.12.2025