Privacy Policy
This information note concerns the funding/investment process carried out by BCR Seed Starter SRL, hereinafter referred to as “SEEDSTARTER” (in its capacity of data controller) and applies to data subjects applying for funding or representing companies applying for funding/investment (directors, shareholders, representatives). Please see below the details regarding processing activities performed in the context of our investment analysis.
Although most of the information used in the analysis process refers to your company and is not subject to GDPR, we will process personal data of the company's representatives for the following purposes:
- Legal obligations and compliance purposes: in order to initiate a business relationship, we are required by law to conduct certain know-your-customer checks for money laundering, terrorist financing, fraud, international sanctions and reputational risks. Your data may also be subject to auditing and reporting processes with the authorities and Erste Group (of which SEEDSTARTER is part). Most checks are done in the final stages of the investment process. In addition, your data will be subject to archiving and security processes, e.g. by making backups.
Important: certain legal obligations are also observed by reference to the prudential obligations of BCR in its capacity of shareholder of SEEDSTARTER.
- Legitimate interests: depending on the nature of the information, we will use personal data in order to determine if the investment is suitable as well as to improve internal processes and applications. We may also process data to respond to your requests (unless we have another applicable ground). We will also in some cases retain data for a sufficient period of time to be able to justify action in a dispute or litigation or for statistical purposes.
Other issues of interest:
- Like any company with many processing activities, we have suppliers and partners who help us with the processing of your data, such as storing data, sending notifications or maintaining applications. Therefore, in addition to the recipients to whom we have reporting obligations, your data may also reach or be accessed by these suppliers and partners - they assume strict contractual obligations regarding data use, privacy and security. In addition, the suppliers and partners chosen by the bank go through a screening process and take part, on a random basis, in audit processes. Some recipients are located or have servers located outside of Romania, so your data may end up in other EU/EEA countries. By way of exception, in certain situations personal data may also be stored or accessed in/from the USA if we use a cloud service located in this territory.
- Depending on your business relationship with SEEDSTARTER, we will store data according to data retention standards. As SEEDSTARTER is a reporting entity for the purposes of Law 129/2019, we will store personal data for a period of 5 years after the termination of the business relationship.
- Security of your data is a constant concern of SEEDSTARTER. Data security is ensured throughout all processing phases (collection, storage, use, transfer) taking into account the context of such processing. In this regard, we implement technical and organisational measures to protect against unauthorised access, unauthorised or unlawful processing, as well as against accidental loss, destruction or damage of personal data. The measures are designed to ensure the confidentiality, integrity and availability of your data. Obligations to ensure the confidentiality and security of personal data apply to our employees and agents who access and use this data on our behalf.
- GDPR provides you with certain rights that you can exercise, but they are not absolute: access, deletion, rectification, restriction, right to lodge a complaint with ANSPDC.
In addition to the data provided by you directly or indirectly through representatives, we process several categories of data, as follows:
- KYC/AML data - including risk profile, identification and contact data, information regarding your role in certain companies, employer, data on public exposure of you or your close relatives - if you hold certain positions with public exposure;
- Data resulting from lists maintained by the UN, OFAC and EU with international sanctions and from consulting public databases such as RECOM and Portaljust;
- Data resulting from warning or information request notices from the authorities and received by BCR (ONPCSB, NBR);
- Data on the management of conflicts of interest (interests or relationship with an employee or representative of BCR Group). In this respect, information on the status of BCR employee (at the time of the assessment or in the last 2 years) is also relevant;
- Data resulting from consultation of fraud alert lists maintained by BCR.
- Data resulting from the particularities of the business relationship with BCR/SeedStarter.
Refusal to provide personal data may make it impossible for SEEDSTARTER to provide banking services or fulfil other processing purposes.
Know-your-customer checks are carried out by BCR, as the shareholder of SEEDSTARTER and as an entity bound to comply with prudential obligations applicable to credit institutions. In this respect, the checks also involve the use of personal data held by BCR, as described above. For these processing operations BCR and SEEDSTARTER act as joint controllers.
For the final funding/investment decision, we will perform profiling in order to determine your risk from KYC/AML/CFT perspective (including fraud).
Profiling is the automatic processing of your data to evaluate or analyse aspects about you (e.g. risk rating for money laundering, terrorist financing and international sanctions).
SEEDSTARTER may disclose certain categories of personal data to the following types of recipients: representatives of the company or SEEDSTARTER, BCR and Erste Group entities, judicial or other public authorities, IT service providers, consultants, other contractual partners or agents of SEEDSTARTER.
SEEDSTARTER will process personal data during the fulfilment of the purposes specified above and thereafter in order to comply with applicable legal obligations, including, but not limited to, the provisions relating to archiving obligations and the legitimate interests of SEEDSTARTER. SEEDSTARTER may, upon expiration of the retention term, anonymise the data, thus depriving them of their personal nature, and continue processing the anonymised data for statistical purposes. As a rule, we will retain the data for a period of 5 years. The 5-year period runs from the termination of the business relationship or receipt of the investment request.
This site uses cookies. If you want a personalized experience on SEEDSTARTER websites, you can do so by accepting the use of cookies.
Data security is ensured throughout the processing activities (collection, storage, use, transfer) taking into account the context of the processing. In this regard, we implement technical and organisational measures to protect against unauthorised access, unauthorised or unlawful processing, as well as against accidental loss, destruction or damage of personal data. The measures are designed to ensure the confidentiality, integrity and availability of your data. Obligations to ensure the confidentiality and security of personal data apply to our employees and agents who access and use this data on our behalf.
- Right to information: about the processing activities carried out by SEEDSTARTER;
- Right of access to data: you can request and receive a confirmation from SEEDSTARTER about data processing (what data we process and for what purpose, where and for how long we store it, who has access to it, etc.);
- The right to rectification: of inaccurate data, as well as the completion of incomplete data (e.g. if you have changed your phone number or e-mail address you can contact us to update these data);
- The right to erasure: of some or all of the data we hold about you;
Important! We will not be able to comply with your request in all cases (e.g.: we are obliged by law to keep data for a certain period of time; the data is useful for the defence of a right in court);
- Right to restriction: you can request that we do not use your data but only store it until another request from you has been resolved, namely:
- you asked for the data to be corrected;
- you objected to the deletion of data in the event of unlawful processing;
- you have asked us to provide you with certain data to defend a right;
- you have objected to the processing of your data - see right to object below.
- The right to data portability: you can request that your data be provided to you on a commonly used medium, in a readable format (e.g. by email). You can also ask for your data to be sent to another controller;
- Right to object: you can object to data processing carried out on the basis of SEEDSTARTER's legitimate interest;
- Automated decision-making rights: as a rule, you have the right to opt out of an automated decision if it produces legal effects on you or similarly affects you in a significant manner.
Important! In certain situations, the law allows us to make such decisions when we have your consent or if the decision is made on the basis of the performance of the contract we have entered into or for the fulfilment of our legitimate interest. In these situations, you will have the right to challenge the decision, to express your views and to obtain a human review. There are also situations where the law requires us to implement such automated decision-making processes.
- Right to withdraw consent: when we process data based on your consent.
Important! Withdrawal of consent will only take effect for the future. Processing carried out on other grounds, such as contract performance, will not be affected by the withdrawal.
- The right to complain: if you see fit, you can always address the National Supervisory Authority for Personal Data Processing or the competent courts.
To the extent that you make a request for any of the above rights, please provide us with the necessary details so that SEEDSTARTER can identify the right exercised and the fulfilment of the conditions of exercise required by law. By way of example, to the extent that you are objecting to certain processing carried out by SEEDSTARTER on the basis of the bank's legitimate interest, please also provide us with information relating to your particular situation so that SEEDSTARTER can carry out the assessment required by law.
Requests relating to data processing carried out on the basis of this information notice shall be forwarded to SEEDSTARTER.
For more details on the processing activities carried out by SEEDSTARTER, as well as on the exercise of your rights in this context, you can contact us at any time using the following communication channels:
1. request to the SEEDSTARTER Data Protection Officer at office@seedstarter.ro.
2. by post, to our office.
[...]ts according to the policy, please note that we have an obligation to authenticate you. Authentication is a procedure in which your identity is verified and confirmed by BCR through specific questions to ensure that information is not requested or disclosed by unauthorized persons. Therefore, after you submit your request, depending on the channel you choose to contact us, authentication must be performed as follows:
- If you are in a territorial unit or contact us by phone, authentication will be done on the spot by a BCR representative.
- If you contact us by email or by mail, you will be called by a BCR representative who will guide you through the authentication process described above.
- For requests made through the contact form on the website, in the Privacy Policy section, authentication is done only for connecting to the internet banking application, using a password, fingerprint, PIN code, etc., according to the settings chosen by you.
- For requests made through the Credit Bureau portal, authentication is performed when creating the user account in the portal, according to the instructions that can be accessed at the following link: https://www.birouldecredit.ro/wps/portal/bcro/Home/user-enrollment
The information and policy sections may be updated. By consulting this website frequently, you ensure that you are aware of the processing activities undertaken by SEEDSTARTER.
The SEEDSTARTER website may include links to other websites that are operated by other entities. The processing of data on these websites is not controlled by SEEDSTARTER and is governed by the privacy policies applicable to each individual website.
***
To the extent that you have any suggestions regarding this privacy policy, we encourage you to write to us at office@seedstarter.ro.
Updated: 20 November 2023