Privacy Policy for the Whistleblowing Channel

This privacy policy explains what personal data is processed, how, and for what purposes, in connection with the observation reporting platform (“Whistleblowing Channel”), which has been developed pursuant to European Union Directive 2019/1937, on the protection of persons who report breaches of Union Law (“Whistleblowing Directive”) and relevant national laws. 4finance Group, a closed limited liability company registered in Luxembourg, including all its directly or indirectly controlled legal entities, acts as personal data controller or co-controller, depending on relevant national laws. The process includes the Whistleblowing Channel and any reports submitted therein and the actions and investigations resulting therefrom, all in accordance with the General Data Protection Regulation (“GDPR”).


1. Co-controllers
Where an observation relates to employees or other related persons of a TBI Bank Group subsidiaries or its branches abroad, processing of personal data in the context of that process will be jointly controlled by TBI Bank EAD and VIVUS.BG EOOD, TBI Bank EAD Sofia – Bucharest Branch Bucharest, TBI Bank EAD – Branch Greece, TBI Money IFN S.A. TBI Asset Management and Servicing IFN S.A. and tbi Insurance Intermediaries Insurance Agency SINGLE MEMBER S.A.



2. Purpose
The purpose of processing personal data is to set up and maintain the Whistleblowing Channel and to receive, investigate and resolve any breaches, misconduct or other matters reported through the Whistleblowing Channel in accordance with Co-controller internal policies and the requirements of the Whistleblowing Directive and national laws. Although in the report 4finance Group may receive any kind of information, including incorrect or excessive, the aim is to establish evidence which then is reviewed.



3. Legal basis
All processing is based on the Whistleblowing Directive transposed in the Whistleblowing law of Bulgaria, Romania and Greece. Further, the processing of personal data pertaining to the observation subjects, Whistleblowers and the observation investigators is based on the Controller’s legitimate interest of preventing, detecting, investigating and addressing wrongdoing. Without intention, the Co-controllers might be exposed to special categories of personal data contained in the Whistleblowing report according to exceptions permitted by Article 9 of the GDPR, such as in the field of employment and social security and social protection law (Art.9.2(b)) and for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity (Art.9.2(f)). Any irrelevant or excess personal data is deleted, according to Art. 17 of the Whistleblowing Directive.



4. Categories of data subjects and data
4.1. Whistleblowers
As a rule, the Whistleblower reports their observation anonymously. The Whistleblower may also include personal information (such as their name, location, department, age, gender, financial information etc.) if it assists the investigation. Information provided by the Whistleblower may also contain special categories of personal data (such as information about a person’s health, biometrics, beliefs, sexuality, criminal convictions). The circumstances of the case may allow identifying the Whistleblower indirectly. The whistleblowers may include employees of TBI Bank Group and external stakeholders, such as persons other than workers, who encounter the entity through their work-related activities, such as service-providers, distributors, suppliers, and business partners.


4.2.Subjects of observations
Observations of misconduct may contain information about other relevant persons (e.g., name, surname, position, location, financial information, pictures, or video footage), their behavior and circumstances, and other personal information. Exceptionally, observations may contain special categories of personal data.


4.3. Case managers
The person responsible for the investigation receives the information contained in the observation. These persons are employees specifically assigned by the Co-controllers to process the observation. Their name, title, username, and log data are processed.



5. Access to and disclosure of personal data
Only Case managers have direct access to personal data in observations, except for the cases when the report is filed against them. Personal data may be disclosed to third parties, such as the authorities or external auditors, in case of a legal obligation or legitimate interest. When reporting from a computer on a public or work network, the visited webpages are logged in the browser’s history and/or the system log, allowing deanonymization in exceptional circumstances, therefore, the Whistleblower is encouraged to use a private network and the browser in incognito mode.



6. Processing of personal data in EU/EEA countries
The administrator of the Whistleblowing Channel is an external service provider: Falcony Ltd., Finnish Trade Register business ID: 2900763-6, Annankatu 27 A, 00100 Helsinki, Finland, +358 20 131 0611,, (Processor). The Co-controllers have the necessary agreements in force to ensure that the Processor only uses personal data collected by means of the Whistleblowing Channel as permitted by the applicable data protection laws. The Processor has a sub-contractor which provides technical data storage – Amazon AWS, Ireland (Sub-processor). The data is processed and stored only in the EU/EEA.



7. Data storage periods
The observation data is stored for a period of five (5) years after the end of each investigation. It is possible for the data to be stored for longer periods due to legal obligations arising from, for example, initiated criminal, civil, labor, or administrative proceedings, related to the submitted signal, with the storage period in these cases being 5 (five) years after the completion of the proceedings.



8. Rights of the Whistleblower

The Whistleblower has the right to:

– obtain from the Controller confirmation as to whether personal data concerning him or her is being processed, and, where that is the case, access to the personal data;
– request from the Controller rectification of their personal data;
– request from the Controller restriction of processing of their personal data in the circumstances referred to in Article 18 of the GDPR;
– request from the Controller erasure of their personal data; or
– object to the processing of their personal data in the circumstances referred to in Article 21 of the GDPR.


These rights may be limited in specific circumstances, according to the GDPR.



9. Information security
All data is transmitted and stored encrypted. No unencrypted information is sent over the open Internet. The risk of breach and indirect identification is negligible.


10. Inquiries on personal data and the legal basis of the Whistleblowing Channel
Should you have any inquiries about the processing of personal data, please contact the TBI Bank Group Data Protection Officer at For questions regarding the legal framework of the Whistleblowing Channel and observation investigation, please contact TBI Bank Group Compliance Officer: