Privacy Statement

Privacy Statement

The privacy of your personal data is of paramount importance to us. We protect the security of your information which is why we have adopted policies and implemented processes that guarantee it. Please read the contents of this Notice to understand how and why we process your personal data and what your rights are. We want you to know that your personal data is in safe hands with us.

The privacy statement for processing personal data in relation to the products and services under the brand “PB Personal Finance by Postbank” as offered by the acquired by Postbank “BNP Paribas Personal Finance S.A., Bulgaria Branch ” can be found on

We are Postbank, legally named Eurobank Bulgaria AD (hereinafter referred to as “We” and “The Bank”), registered with the Trade Register of the Registry Agency with UIN 000694749. You can contact us at 1766 Sofia, 260 Okolovrasten pat Str., Tel: 0700 18 555; e-mail:

Our major priority is to work ethically and responsibly, in order to comply with the legislation, including in the field of personal data protection, and to meet your expectations with regard to processing your personal data. We are constantly improving our internal procedures and workflows. Our employees are trained and obliged to protect the privacy of customers’ personal data

The Bank has appointed a special employee who is responsible for complying with the legal requirements for personal data processing and for the application of best international practices. This is our data protection officer and you can contact him by e-mail to or by mail to address 1766 Sofia, 260 Okolovrasten pat Str., Data Protection Department.

The law allows us to process personal data if one or more of the following conditions are present:

  • If we perform a contract to which you are a party or if you have taken action to conclude a contract with us;
  • When we have an obligation stipulated by law;
  • When there is a legitimate interest;
  • When we have your consent.

A legitimate interest is deemed to be the processing of personal data carried out due to economic, commercial or other interest of the Bank or of a third party that is superior to the interest of the person and the processing does not violate their rights including in the event of legal merger, acquisition, etc. Even if there is such interest, our actions in relation to you will always be fair and transparent and in any case they will be subject to a preliminary assessment of the Bank's or the third-party’s interest and the rights of the individuals.

When we process your personal data based on a particular consent you gave to any entity within the group we belong to or the entity which Postbank has become legal successor of, you can always withdraw your consent which would not affect the legally processed data prior to an eventual withdrawal.

We use your personal information to process and assess any customer application for a product of the Bank, to maintain your accounts, to develop and improve our services, and to ensure that we comply with the laws that regulate our business.

We have compiled this detailed list to inform you of the purposes for which we use personal data and what our reasons are. Here you will find out which our legitimate interests are.

Why do we process personal data Reason

To know who you are

Law obliges us to identify our customers. This means that we should collect your personal data, including requiring a copy of your ID card and storing it and, if necessary, updating it. Moreover, this allows us to protect our customers from malicious acts of identity theft and fraudulent use of fraudulent documents.

Legal obligation

To assess risks

We have a legitimate interest in assessing the risks when deciding whether the client is suitable for a credit product. We also have legal obligations on how to make responsible crediting. This means that whenever you apply for a credit product, we will use the information you provide or the information we have with us to check it out and assess the risks.

In connection with your risk assessment and your creditworthiness, we take information about you from the registers kept by state authorities, institutions and establishments (National Social Security Institute, National Revenue Agency, Central Credit Register, the National Population Database with the MRDPW, Ministry of Interior, etc.) in the checks we make on the data you provide. In view of the requirements of some these institutions and only if applicable, we do these checks after receiving your consent to them.

Legitimate interest

Legal obligation

Your consent

To conclude a contract and execute it

We process your personal data in order to enter and maintain contractual relations with you, and our legal obligation is to store these data even after their completion.

Processing your information is a must for us to grant a loan and to ensure its repayment, to detect and secure the servicing of your accounts, including the execution of your payments, to keep a history of your transactions and to provide you with statements, to notify you of changes that concern you and help you when problems arise or when you have filed any complaints.

Legal obligation

A contract with you

To prevent money laundering, terrorist financing and fraud

Our legal obligation is to assist in the fight against threats of terrorism and money laundering.

We also have a legitimate interest in preventing damage to the Bank and its clients from malicious actions (for example, Internet frauds, attempts to use forged and / or fake documents, etc.). Personal data may also be processed to protect the legitimate interest of third parties.

Legitimate interest

Legal obligation

To collect receivables

We have a legitimate interest in collecting the Bank’s receivables due under non-performing loans. This means we can initiate legal procedures to do so.

In addition, our recovery action is also an action to ensure the performance of your contract.

Legitimate interest

A contract with you

To improve our services

We want to be confident that we provide our clients with the best possible and highest quality services. That is why we are developing new products, improving our systems, carrying out tests and analysing information which helps us discover new business opportunities. Also, we constantly update the security level of our information systems and processes.

Legitimate interest

To learn first about products and services  offered by the group we belong to (so called direct marketing)

We are constantly expanding our portfolio of products and services, organising promotional campaigns and setting better conditions for customer satisfaction. When we assume you might be interested in our particular offer, we have the legitimate interest in sharing it with you. We do not want to provide you with unnecessary or annoying advertising content which is why we use your personal information to decide what, how and when to offer to you. This is done by profiling.

We can also send you messages with marketing purpose in case you gave us your explicit consent for this.If you choose not to receive information about our current products and services or you want to withdraw a consent you granted, we will always provide you with the opportunity to inform us about that. When you inform us that you do not want to receive such information, we will endeavour to comply with your request immediately.

Legitimate interest

Your consent

To manage our activity and observe the law

We have a legitimate interest in organising and managing our activity as a financial institution in the best possible way as well as complying with the legal requirements of the Bulgarian financial system. This means that we process personal data to ensure the maintenance of the filing system, to report and communicate with the competent government bodies, auditors or other recipients of information to which personal data may be legally disclosed.

In addition, the Bank assigns processing of personal data to third parties called processors. These are companies and individuals who provide us with services. We will always require the necessary safeguards to protect the privacy of your personal data and control the processors.

Legitimate interest

Legal obligation

ЗTo fulfill a purpose for which you have given your consent

In certain cases, when another condition is not applicable and for the fulfilment of a specific purpose, the Bank will need your consent to process your personal data.

If we need your consent, we will require it from you in a clear and open way. You will be able to withdraw your consent and the Bank will cease processing your information for that purpose.


We believe your personal data is confidential and we value its privacy. Therefore, we pay close attention to processing which is related to disclosing or providing your personal data to third parties. Whenever we disclose your personal data, this is imperative to meet the above goals.

Depending on our relations, we may disclose your personal information to the following categories of recipients:

  • Companies from the financial group the Bank belongs to;
  • Companies and individuals who provide us with services for the implementation and maintenance of information systems, technical services, legal advice, archival, administrative or other similar services which are required directly in the course of your service or for the overall functioning of the Bank;
  • State authorities, institutions and establishments (National Social Security Institute, National Revenue Agency, Central Credit Register, the National Population Database with the MRDPW, Ministry of Interior, etc.) should we need to perform checks in their registers at the time we commence our business relationship, to assess your creditworthiness or for other information needed for signing of contract or its execution
  • Companies that we may assign to collect on our behalf Bank’s receivables on your credit products;
  • Companies that assist us in improving our products and services and that may contact you on our behalf to make you an offer or invite you to participate in a survey;
  • If you use a debit or credit card, we will share information with our partner companies and organisations in order to offer this product;
  • Individuals that we assign to produce, print, collate, deliver (including by SMS or electronically) written correspondence and / or information materials of the Bank;
  • System operators servicing payments;
  • Payment service providers in relation to the Bank’s obligations under Regulation (EU) 2015/847;
  • In case we decide to transfer rights and obligations under a contract we have concluded with you, your personal information will also be provided to the recipient;
  • In case of legal merger or other legal transformation of the Bank or part of its business operations, your personal data will be shared with the respective successor of legal rights or newly incorporated entities;
  • If our relations stipulate the provision of collateral, personal data will be disclosed to notaries, the Registry Agency and/or other registrar authorities that legally require the entry of the collateral;
  • The National Revenue Agency, concerning the automatic exchange of financial information under Art. 142b, para 1 of the Tax and Social Insurance Procedure Code, which requires the provision of information about clients of the Bank, including actual company owners. The information provided includes name, address, tax number, date and place of birth, account number, account balance, and income earned on the account;
  • Other recipients who have legal powers to demand your personal data of the Bank. Such are the Bulgarian National Bank, ministries, commissions, agencies, judicial authorities, law enforcement authorities and others. In some cases, it is the Bank's legal obligation to initiate the provision of your personal data (for example, in the performance of obligations under the Law on Measures against Money Laundering) or due to a legitimate interest, including the legitimate interest of a third party.


The period for storing your personal data depends on the relations you have with the Bank. When you apply for any of our products or services but you are not approved or you decide to withdraw your application, your personal data will be stored for a limited period of time (1 year).

If you are our client and use the Bank’s products and services, we are legally obliged to store your personal data not only for the period of completion of our contractual relations but for a period of 5 years after their completion. In some cases this period may be extended to 7 years if this is required by a competent state authority. If storing your personal data is necessary for pending procedures in which the Bank is a party (for example, court proceedings, administrative proceedings, handling your complaint against the Bank, etc.), then we will keep them until these proceedings are closed.

Moreover, if you have been granted a loan that was not duly repaid, either fully or partially, or we transfer rights and obligations under the contract we have concluded with you (e.g. contract for cession) we will keep your data for a period of 10 years after the completion of our contractual relations.

If you take advantage of your right to limit data processing, the Bank will store your personal data until you specify otherwise.

You can always ask us whether we process your personal data and if so, to be informed about what information we store, why we store it and how we process it. You are also entitled to a copy of this information.

We would like your personal data to be accurate and up-to-date. If any piece of your personal data is inaccurate or out-of-date, please inform us and we will correct it.

You may ask the Bank to delete your personal data, but the relevant legal grounds should apply in order to fulfil the request. We will not delete any information about you that we are legally required to keep as well as if we have grounds not to delete this information. We will have one month to answer your request. If we refuse to delete the information, we will provide the basis for our decision and the legal grounds for it.

In certain cases you may request the Bank not to process your personal data, including deleting them, in order to protect your legal claims.

As we have already stated in this Notice, in certain cases we process your personal data due to the Bank’s legitimate interest. You have the right to object to this processing, including when it is profiling. We will discontinue processing your personal data only if we are convinced that the Bank’s interest has no advantage in the specific situation.

We remind you that at any time you can easily express your will not to receive advertising content. In such case, we will immediately discontinue processing your personal data for the purposes for sending advertising content.

You may request the Bank to put your data in an electronic file and give it to you or to a third party. The data you can request may only be data we have received in connection with a contractual relation or with your consent and is automatically (electronically) processed.

You can exercise any of the abovementioned rights in person or via an explicitly authorised person in any of the Bank’s offices as well as electronically in accordance with the Electronic Document and Electronic Certification Services Act. We have created a special form to make it easier for you to exercise your rights.

Under certain conditions, we may charge you a fee for responding to a request. The fee is specified in our Tariff.

You have the right to withdraw your consent at any time if such was necessary to process your personal data. This withdrawal does not affect the legality of the processing until the withdrawal of the consent. In case you withdraw your consent, this does not affect the processing of your personal data, which is carried out on another basis and for which your consent was not required.

As part of your approval in the credit application process, your personal data may be subject to automated processing and automated decision-making. This means that the Bank’s specialised software will automatically process (without human intervention) the data you have provided and analyse them in terms of the criteria specified in the algorithm of the software. As a result, your application will be evaluated with a certain number of points according to which you may receive an automatic approval or automatic denial. When applying automated decision-making, you have the right to express your opinion, to challenge the decision, and to ask for human intervention.

If for any reason you are not satisfied with the Bank's actions in relation to your personal data, we would like you to tell us first in order to understand what the problem is and try to resolve it.

Our Data Protection Officer will look carefully at your complaint and will answer all of your questions. Nevertheless, if you believe that you have not received adequate assistance from the Bank or that there is a violation of your rights, you have the right to complain to a supervisory authority. In the Republic of Bulgaria this authority is the Commission for Personal Data Protection.

As explained above in this Notice, we collect personal data primarily due to legal obligations or for the needs of concluding and executing contracts as well as for servicing you. If you do not provide us with the necessary personal data when this is compulsory for the intended purpose, it would not be possible for you be a client of the Bank, including you may be denied continuing to use the Bank’s products and services if we have already established relations.

We shall regularly update this Notice so that you can be duly informed about how we process your personal data. If we make any amendments which are essential to the purposes and grounds for processing, we will publish a notification on our website

This Notice on the processing of personal data was last updated on 01.06.2023