Credit Agricole Bank Romania SA: information on a data leak that occurred last year

The incident which occurred last year involved the publication of the names, surnames and addresses of 14 people on a printed document informing applicants that their request for credit was approved.

No other information was revealed.

The proactive measures allowed us to discover the incident

Under the national regulations, CA Romania, through the Data Protection Officer, notified the National Supervisory Authority for Personal Data Processing and took measures accordingly.

In addition, our teams have been retrained on how to handle this kind of information, and the settings on our printers have been changed to one-sided printing.

The Authority asked CA Romania to post the information regarding the incident and the measures that were taken on its official website.

Privacy Policy

Your data shall be processed by Credit Agricole Bank Romania SA, part of the Credit Agricole Group. You can find more information on the Group at

How we use your personal data

Credit Agricole Bank Romania SA is part of the Credit Agricole Group. This privacy notice informs you of the manner in which Group companies are committed to protecting your personal data. This includes what you tell us about you, what we learn from our relationship with you as a customer and your choices with respect to the advertising materials you want us to send. This notification explains how we handle your personal data and informs you of your privacy rights and how you are protected under the law.

Our privacy commitment

We commit to:

  • Keeping your data confidential and secure
  • Not selling your data
  • Providing, at any time, ways in which to manage and review your choices with respect to the advertising materials you want to receive.

The General Data Protection Regulation enters into force on the 25th of May 2018

This notification provides for most of your rights under the new law.

Who we are

Crédit Agricole Romania is part of one of the most powerful financial institutions in the world, the Group with the same name, which at international level offers a wide range of services: current banking services, loans, savings, insurance, asset management, real estate, leasing, factoring, financial services for large companies, services for investors, etc.

At Crédit Agricole Romania we address individual consumers, small and medium sized enterprises, large corporations and professional farmers through specialized subsidiaries or digital channels.

You can learn more about us at

If you have questions or want to learn more about how we use your personal data, you can ask us using the secure online contact form.

Or you can contact us at 021 30 40 300.


How the law protects you.

Why we use your personal data:
  • To manage our relationship with you or with your business
  • To develop new ways to meet our clients’ needs and to grow our business.
  • To develop and organise marketing activities
  • To study how our customers use our products and services and those of other organizations.
  • To provide advice or guidance on our services and products.
What we rely on:
  • Your consent
  • Executing contracts.
  • Our legitimate interests.
  • Legal obligation.
Our purpose:
  • Maintaining up-to-date records, identifying which of our products and services may be of interest to you and providing information about them.
  • Developing products and services and setting prices.
  • Defining customer types for new products or services.
  • Asking for your consent when we have to contact you.
  • Ensuring efficiency on how we meet our legal obligations.

Why we use your personal data:
  • To develop and manage our brands, products and services.
  • To test new products
  • To manage how we work with other companies that provide services to us and our customers
What we rely on:
  • Executing contracts.
  • Our legitimate interests.
  • Legal obligation.
Our purpose:
  • Developing products and services and setting prices.
  • Defining customer types for new products or services.
  • Ensuring efficiency on how we meet our legal and contractual obligations.

Why we use your personal data:
  • To deliver the products and services that we offer.
  • To make and manage customers’ payments.
  • To manage commissions, taxes, and interest rates on customer accounts.
  • To collect and recover the amounts due.
  • To manage and deliver treasury and investment products and services.
What we rely on:
  • Executing contracts.
  • Our legitimate interests.
  • Legal obligation.
Our purpose:
  • Ensuring efficiency on how we meet our legal and contractual obligations.
  • Complying with the regulations to which we are subject.

Why we use your personal data:
  • To detect, investigate, report and prevent financial crimes.
  • To manage risks for us and for our clients.
  • To comply with the laws and regulations to which we are subject.
  • To respond to complaints and try to solve them.
What we rely on:
  • Executing contracts.
  • Our legitimate interests.
  • Legal obligation.
Our purpose:
  • Developing and improving the manner in which we handle financial crimes and how we fulfil our legal obligations in this respect.
  • Complying with the regulations to which we are subject.
  • Ensuring efficiency on how we fulfil our legal and contractual obligations.

Why we use your personal data:
  • To conduct our business in an efficient and proper manner. This includes managing our financial position, business capacity, planning, communication, corporate governance and audit activities.
What we rely on:
  • Our legitimate interests.
  • Legal obligation.
Our purpose:
  • Complying with the regulations to which we are subject.
  • Ensuring efficiency on how we fulfil our legal and contractual obligations.

Why we use your personal data:
  • To exercise our rights under agreements or contracts.
What we rely on:
  • Executing contracts.

In addition to our Privacy Policy, your privacy is protected under the law. This section explains how this protection works.

According to the Data Protection Act, we may use your personal data only if we have good reason to do so. This includes the distribution of data outside the Credit Agricole Group. According to the law, we must have one or more of the following reasons:

  • To meet the provisions of the contract concluded with you, or
  • When it is our legal obligation, or
  • When it is in our legitimate interest, or
  • When you give your consent.

We can argue legitimate interest when we have a commercial or business reason to use your data but even in this case the use of your data should not be in conflict with what is right and good for you. If our reasons are of legitimate interest, we will inform you.

We have provided a list of all the ways in which we can use your personal data and the reasons why we can proceed as such. In this document we shall also inform you on our legitimate interests.

Groups of personal data

We use many types of personal data and we group them as follows:

Type of personal data: Description
Identification: Data that allows us to identify you as a person, including: Name, Surname, data from identification documents, signature, place and date of birth.
Financial: Your financial situation, your financial status and your financial history, assets owned, personal assets.
Contact information: Your address and contact [email, phone number, other addresses, etc.].
Sociodemographic: These include, without limitation, details of your workplace, profession, nationality, education and the position you have in general demographic social groups or income-based demographic groups.
Transactional: Details on payments made to and from your accounts and your insurance claims.
Contractual: Details on the products or services that we offer you.
Pertaining to locations: Data obtained with regard to your location, which may come from your mobile phone, the address where you connect a computer to the internet or a store from which you pay for something with your card.
Behavioural: Details of how you use our products and services.
Technical: Details on the devices and technology you use.
From communication: What we find out about you from your letters, emails or from the conversations we have with you.
Social relations: Your family, friends and other relations.
Data accessible to the public: Data about you included in public records such as the Trade Registry, the Electronic Archive for Security Interests in Movable Property, other such databases and data available on the Internet about you.
Usage data: Other data about how you use our products and services.
Data from documents: Details about you stored in documents of various formats or in copies thereof. These could include documents such as your ID card, your passport, or your birth certificate.
Special types of data: Legal provisions treat certain types of personal data as special. We will collect and use these data types only if the law allows us to do so:
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Genetic and biometric data
  • Health data
  • Sex
  • History of convictions and criminal offenses
Approvals/Preferences: Any permissions, approvals or preferences you provide us with. These include the manner in which you prefer that we contact you, if you receive lettered documents or large letters format.
National identifier: A number or code allotted to you by a government to identify you, such as the national identification number.


Where do we collect personal data from?

We may collect personal data about you (or your business) from other companies within the Credit Agricole Group and from the following sources:

The data you provide us with:

  • When applying for our products and services
  • When you talk to us on the phone or at our headquarters
  • When using our web sites, our mobile apps or online channels
  • In emails and letters
  • In insurance claims or other documents
  • In financial assessments and interviews
  • In customer surveys
  • If you participate in our competitions or promotions.

The data we collect when you use our services. These include the amount, frequency, type, location, origin and recipients:

  • Payment and transaction data.
  • Profile and usage data. These include the profile you create to identify yourself when you connect to our mobile, internet, and telephone services. Other data on how you use these services are also included.

We collect this data from the devices you use to connect to these services, such as computers and mobile phones, the use of cookies and other Internet traffic monitoring programs.

Data from third parties we work with:

  • Third parties who recommend you
  • Card associations
  • Entities managing payment behaviour data
  • Insurers
  • Traders
  • Social networks
  • Authorities with attributions in preventing and combating fraud
  • Tax authorities
  • Payroll service providers
  • Cadastre and land register, as well as evaluators
  • Public information sources such as the Trade Registry, the Electronic Archive for Security Interests in Movable Property, the Land Registry, the Insolvency Proceedings Office, the Court Portal, etc.
  • Operators of loyalty programmes
  • Agents working on our behalf
  • Market researchers
  • Revenue agents, Officers of the court
  • Participants in payment systems or other financial institutions
  • Government agencies and law enforcement agencies.


Who we share your personal data with

We can share your personal data with Credit Agricole Group companies and the following organizations:

  • Agents and advisors we call upon to help us manage your accounts and services, collect the amounts due, and explore new ways to do business
  • NAFA (National Agency for Fiscal Administration), regulatory authorities as well as other authorities that by law have the possibility to request such data;
  • FGDB – Deposit Guarantee Fund in the banking system – FNGCIMM (National Guarantee Fund for Small and Medium sized Enterprises), other guarantee funds
  • Credit Bureau (BC), Credit Risk Center (CRC)
  • BNR (National Bank of Romania), TRANSFOND, SWIFT
  • Any third party related to you or the products or services provided by your company
  • Companies with which we have concluded a joint venture or a co-operation agreement
  • Organizations that will recommend you
  • Companies we recommend
  • Market researchers
  • Price comparison websites and similar companies that offer ways to research and request our financial products and services
  • Companies that ask us to share your data with them.
  • Other entities such as lawyers and debt recovery companies

On the other hand, it may be necessary to share your personal data with other organizations in order to be able to offer you the product or service that you have chosen:

  • If you have a credit, debit, or deferred payment card from us, we will share the transaction details with the companies that help us deliver this service (such as Visa and Mastercard).
  • If you use direct debit, we will share your data with partners with the help of whom we provide you this direct debit service
  • If you require us to provide insurance services then it is necessary that we share your personal or commercial data with the insurer or other reinsurers.
  • If you have a mortgage or mortgage guaranteed credit from us, we will share the data with other creditors who also own a mortgage on your property.
  • If you take a loan from us we shall share both your positive and negative data with entities that manage data on payment behaviour. The data shall be processed by these entities and made available to other credit institutions.

We can also share your personal data if the administration of Credit Agricole Bank Romania SA or Credit Agricole Group changes in the future:

  • We may choose to sell, transfer or merge parts of our business or our assets, or we might try to buy other businesses or merge with them.
  • During such a process, we may share your data with third parties. We will do so only if the third parties agree to keep your data confidential and safe.
  • If changes occur at Group level, other entities may use your data in the same way we use them as per this notice.

How we use your data to make automated decisions

Sometimes we use systems to make automated decisions based on the personal data we hold – or we can collect from other parties – about you and your business. This helps us make sure that our decisions are fast, objective, efficient and accurate, based on the data we have. These automated decisions can affect the products, services, or features that we may be able to offer you today or in the future, or the price we can charge you for them.

Here are the types of automated decisions we make:

We can decide the price charged for some products and services based on the data we have.

Personalising products and services
We can place you in similar customer groups. These are called customer segments. We use them to study and find out about our clients’ needs and make decisions based on what we find out. This helps us design products and services for different customer segments and manage our relationship with them.

Detecting fraud
We use your personal data to help us decide whether there are indications of fraudulent use or money laundering in your personal or business accounts. We may detect that an account is being used in ways specific to fraudsters. Or, we can see if an account is used in an unusual manner for you or for your business. If we believe there is a risk of fraud, we can block accounts or refuse access to them.

Opening accounts
When you open an account with us, we check whether the product or service is relevant to you based on the data we have. We also check whether you or your business meet the conditions required to open such account. This may include checking your age, residence, nationality or financial situation.

Approving credits
We use a system to decide whether or not to grant credit to you or your business when you apply for credit in the form of a loan or credit card. It uses previous data to assess the estimated payment behaviour until the amounts credited are repaid. These include data on similar products that you have previously owned.

The credit assessment system uses data from three sources:

  • The application form and documents provided by you
  • Institutions / Agencies / Authorities that hold data on credits, payment behaviour and earnings
  • The data we already have.

It provides a global assessment based on that data. Banks and other creditors use this system to help us make responsible, accurate and informed credit decisions.

Credit assessment methods are periodically tested to ensure their fairness and objectivity.

Your rights

As a natural person, you have rights over automatic decisions.

  • You can ask that we do not base our decision solely on the automatic score.
  • You can challenge an automatic decision and request that it be reviewed by a natural person.

If you choose not to allow us to use automatic processing, this shall prevent us from fulfilling the obligations we have towards the oversight authority and our clients. This can also mean that we cannot perform the services required in order to offer the product or service that you have requested.

If you wish to learn more about these rights, please contact us.

Entities managing payment behaviour data

We perform credit and identity checks when you request a product or services for you or your business. We can use the Institutions that hold credit data to help us in this respect.

If you use our services, we may periodically request other data that these institutions hold to help us manage such accounts.

We will share your personal data with the Institutions and they will provide us with data about you. Data exchange may include:

  • Identification data
  • Contacts
  • Financial data
  • Transactional data
  • Data calculated by the institution
  • Public data, from sources such as, but not limited to, the Trade Registry, the Insolvency Proceedings Bulletin

We shall use this data to:

  • Assess whether you or your business can afford to reimburse the amounts
  • Ensure that the data you have provided us is accurate and correct
  • Help us detect and prevent financial crimes
  • Manage the accounts you hold with us
  • Track and recover debts
  • Ensure that we inform you of the relevant offers.

We will continue to share your personal data with these Institutions throughout the entire period in which you are our client. These will include details on open accounts and any debts that have not been fully repaid in time. They will also include details of funds entering your account and the account balance. If you borrow amounts, they will also include details of your refunds and whether you have repaid the amounts in full and on time. These institutions could provide these data to other organizations wishing to check the credit situation. We shall also inform these institutions when you open your accounts with us.

When we request data about you or your business from these Institutions, they will record such request in your file. This is called a credit inquiry. Other creditors can see this, just as we can see the number of inquiries.

If you request a product together with other individuals or legal entities, we will link the data we have about you to those of such persons. We will do so, including but without limitation to the case in which you inform us that you have a husband, wife, partner or civil partner – or business partners.

In this sense, you should inform the above mentioned persons of this before requesting a product or service. It is important for these people to know that your data will be linked to theirs and that inquiries can be made about their activities.

Institutions that hold credit data can link the data on you to your partners. These connections may remain in your files unless you or one of the above mentioned persons ask us or the Institution in question to disconnect them. Normally, for such a disconnection, you must provide evidence that there is no relevant relationship between you.

You can learn more about the Institutions that hold credit data on their websites. These include details on:

  • Who they are
  • The part they play in credit risk assessment
  • The data they own and the way they use it
  • How they share personal data
  • How long they keep data
  • Your rights with respect to personal data.


Authorities with attributions in Fraud Prevention and Control

We may be required to check your identity before providing products or services to you or your business. Once you have become our customer, we will share your personal data as needed to help detect fraud and money laundering risks. To help us with this mission, we appeal to the Authorities with jurisdiction in Fraud Prevention and Control. Both we and these Authorities can only use your personal data if we have a good reason to do so. It must be necessary either to abide by the law or for the purpose of a “legitimate interest”.

We can talk about a legitimate interest when we have a business interest to use your information but even in this case, the use of your data must not be in conflict with what is right and good for you.

We shall use your data to:

  • Check identities
  • Help prevent fraud and money laundering
  • Execute contracts concluded with you or in connection with your business.

We or a competent Authority in this respect can allow law enforcement agencies to access your personal data. We can do so to support their attributions to detect, investigate, prevent and punish such offenses.

Authorities may keep personal data for various lengths of time. They can keep your data if they identify any risk of fraud or money laundering.

The data we use

Below, we list some of the types of personal data we use:

  • Identification data
  • Contact data
  • Financial data
  • Transactional data
  • Technical data
  • Usage data.

Automated decisions for fraud prevention

The data we have about you or your business consists of the data that you provide to us and the data that we collect when you use our services or provide data to third parties with whom we work.

We and the Fraud Prevention and Control Authorities can process your personal data in systems that detect fraud by studying data patterns. We can discover that an account is being used in a manner specific to fraudsters or we can notice that an account is being used in an unusual manner for you or your business. Any of these cases is indicative of a potential risk of fraud or money laundering.

How this affects you

If we or such Authority decide that there is a fraud risk, we can cease any account activity or we can block access to the accounts. The Authorities shall also keep a record of the risk that you or your business can represent.

This can lead other organisations to refuse to supply products or services or to contact your services.

Sharing data outside of the EEA

We shall share your data outside of the European Economic Area (‘EEA’) to:

  • Follow your instructions
  • Comply with a legal provision
  • Work with our partners and advisors to manage your accounts and the services that you use.

If we share data with our partners and advisors outside of the EEA, we shall make sure that the data is protected in a manner identical with the level of security ensured within the EEA. We shall use one of the following security measures:

  • We shall share the data to a non-EEA state with privacy laws that provide the same protection as the EEA. We shall conclude a contract with the recipient, meaning that it shall have the obligation to protect the data received to the same standards as the EEA.
  • We shall share the data with organisations that are part of the Privacy Shield. This is a framework that determines privacy standards for data shared between the U.S. and the E.U. countries. It ensures that standards are similar to the ones used at EEA level.

If you choose not to provide personal data

We may be required to collect personal data, either by the law or by a contract concluded with you.

If you choose not to provide us with personal data this may delay or impede the fulfilment of our obligations. This may also mean that we cannot execute the necessary services to administer accounts or products. It can also mean that we will cancel a product or service that we had to provide you with.


We can use your personal data to keep you informed on relevant products and offers. This is what we mean when we use the term ‘marketing’.

The data we have about you consists of the data that you provide to us and the data that we collect when you use our services or the services of third parties with whom we work.

We study this data to make a general picture of the services and products that we think you want or you might need or that can be of interest for you. This is how we decide what products, services and offers might be relevant for you.

We can use your personal data to send you marketing messages only if we have your consent or on the grounds of “legitimate interest”, or when we have a business interest to use your data without being in conflict with what is right and good for you.

You can ask us not to send you marketing messages by contacting us anytime.

Regardless of your choice, you shall still receive your bank statements and important data such as changes to existing products and services.

We can ask you to confirm or update your choices if you acquire new products or services from us in the future. We can also ask you to do so if there are any changes in the law, regulations or the structure of our business.

If you change your mind, you can update your choices anytime by contacting us.

How long we keep your personal data

We shall keep your personal data as long as you are a CREDIT AGRICOLE BANK ROMANIA SA client.

After you stop being a client, we can keep your data for another 10 years for one of the following reasons:

  • To answer any questions or complaints
  • To prove that we have treated you with fairness.
  • To keep records on the grounds of the regulations we are subject to.


The 10-year period can be exceeded if we cannot delete the data for legal, regulatory or technical reasons. We can also keep your data for research or statistical purposes. If we do so, we will ensure that your privacy is protected and that we can only use the data for the above mentioned purposes.

How you can obtain a copy of your personal data

You can access your personal data by filling in this form or by sending us a request at:

Credit Agricole Bank Romania S.A., Bucharest, District 2, 40-40bis Vasile Lascar street
Conect Customer Service: tel. 021 30 40 300, email

How you can inform us that your personal data are incorrect

You have the right to question any data we have about you if you consider it to be wrong or incomplete. Please contact us if you want to do so.

If you do so, we will take reasonable steps to verify the accuracy of the data and correct it.

What to do if you do not want us to use your personal data

You have the right to object to our use of your data, or you can request that we delete, erase or stop using your personal data. This right is known as the “veto right” or “the right to erasure” or “the right to be forgotten”.

There may be legal grounds or other reasons for which we are required to keep or use your data but please let us know if you think we should no longer use it.

Sometimes we can restrict your data usage. This means the data can only be used for certain purposes, such as legal claims or the exercise of legal rights. In this case, we will not share or use your data in other ways during the restriction period.

You may request that we restrict the use of your personal data if:

  • They are inaccurate
  • They were used illegally but you do not want us to delete them.
  • They are no longer relevant but you want us to keep them so they can be used in legal claims.
  • You have already requested that we stop using your data but you are waiting for us to confirm if we are allowed to continue using them.

If you want to object to the manner in which we use the data or request that we delete them or restrict their use, please contact us.

How to withdraw your consent

You can withdraw your consent anytime. Please contact us if you wish to do so.
If you wish to withdraw your consent, it is possible that we might not be able to supply certain products or services to you. If this happens, we shall let you know.

How to file a complaint

Please let us know if you are dissatisfied with the way we use your personal data. You can contact us using the secure online contact form, or the Conect Customer Service: tel. 021 30 40 300, email
You also have the right to file complaints with the National Supervisory Authority for Personal Data Processing. Learn from its website how to report a problem.

Future data portability formats

Data privacy laws shall change starting the 25th of May, 2018. Starting with this date, you will have the right to receive your personal data from us in an easy-to-use format.
You may also ask us to share your personal data in this format to other organizations.