Privacy Policy

PRIVACY POLICY

 National Commercial Bank is committed to respect and protect the privacy and personal data of every individual, including its employees, suppliers, customers, business partners, customers. Click here for more information about our Data Privacy Policy.


“Personal data” means any information relating to a data subject.

“Sensitive data” is any information about the physical person, related to his origin, racial or ethnic, political opinions, trade union membership, faith, religious or philosophical, criminal conviction, as well as data about health and sex life.

“Controller” is any physical or legal person, public authority, agency or any other body that, alone or together with others, determines the purposes and methods of personal data processing, in accordance with the laws and by-laws of the field, and responsible for the fulfillment of the obligations defined in this law.

“Processor” refers to any natural or legal person, as well as any public authority, that processes personal data on behalf of the Controller.

“Commissioner” refers to the Commissioner for the Right to Information and Protection of Personal Data, the independent authority responsible for monitoring and supervising the right to personal data protection, in accordance with the applicable legislation.

“Data subject” is any physical person whose personal data is processed.

“Processing” refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Personal Data Breach” means any breach of security that may result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

“Profiling” refers to any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Pseudonymization” means the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Recipient” refers to any natural or legal person, or public authority, to whom personal data are disclosed or made available, whether or not they are a third party.

“Processing of personal data” is any action or group of actions performed on personal data, by automatic or non-automatic means, such as collection, recording, organization, storage, adaptation or modification, retrieval, consultation, use, transmitting, distributing or otherwise making available, extending or combining, photographing, mirroring, discarding, completing, selecting, blocking, annihilating or destroying, even if they are not registered in a database.

“International transfer” is the provision of personal data to recipients in foreign countries.

“Third Party” refers to any natural or legal person, or public authority, other than the data subject, the controller, the processor, or persons who, under the direct authority of the controller or processor, are authorized to process personal data.

“Standard Data Protection Clauses” are model contractual clauses approved and published by the Commissioner, intended to ensure adequate protection of personal data during international transfers, through agreements between the data exporter in the Republic of Albania and the data recipient in a foreign country or international organization.

“Restriction of Processing” means the marking of stored personal data with the aim of limiting their processing in the future.

“Consent” refers to any freely given, informed, and unambiguous indication of the data subject’s wishes, by which they, through a statement or other clear affirmative action, signify agreement to the processing of personal data relating to them for one or more specific purposes.

 

This Policy outlines the methods of collection, use, and dissemination of information by the Data Bank when you use our official website www.bkt.com.al and services (hereinafter, “Services”) that we provide and/or store on our servers, in accordance with Law 124/2024 “On the protection of personal data”.

The Bank understands the importance of informing its customers, employees, and partners about the handling of their personal data. Therefore, this policy aims to explain how the Bank collects, uses, shares, and protects your personal data, and to clarify your rights regarding the processing of your personal information. Please note that this Privacy Policy applies only to personal information received by us and does not include personal information collected from your communications with third parties.

 

"National Commercial Bank" sh.a. (hereinafter referred to as "BKT", "Bank"). BKT is an Albanian legal entity, registered with the National Business Center (with NIPT J62001011Q).

BKT is a Financial Banking Institution that, in application of modern technology, always tries to offer services and innovations in the financial field, using also digital ones, in order to fulfill the current and future needs of its customers.

The Bank will act as the Data Controller for those data that you have agreed to make available to us and is also registered as a controlling entity with the Office of the Commissioner for the Right to Information and Protection of Personal Data (IDP) in accordance with the requirements of Law No. 124/2024, "On the Protection of Personal Data".

 

BKT considers the protection of the privacy of your personal data as a matter of special importance, so it is committed every day to rigorously implement the entire legal framework in its protection and respect.

The Bank will act as the Data Controller for those data that you have agreed to make available to us and is also registered as a controlling entity with the Office of the Commissioner for the Right to Information and Protection of Personal Data (IDP) in accordance with the requirements of Law No. 124/2024, "On the Protection of Personal Data", as amended.

Personal data is processed only for that period of time that is consistent with the specific purposes for which these data were collected by the Bank.

Personal data protection is based on:

  1. processing in a fair, lawful and transparent manner with respect to the data subject;
  2. collecting data for specific, clearly defined and legitimate purposes, as well as processing in accordance with these purposes;
  3. in the sufficiency of the data, which must be related to the purpose of the processing and not exceed this purpose;
  4. in the accuracy that the data must have and when necessary the data must be updated; every reasonable step must be taken to delete or correct inaccurate or incomplete data in relation to the purpose for which it was collected or for which it is further processed;
  5. in keeping it in a form that allows the identification of data subjects but not more than is necessary for the purpose for which they were collected or further processed;
  6. processing in such a way as to guarantee the necessary security of personal data, including protection from unauthorized or illegal processing and accidental loss or damage.

 

 

Purpose of processing

As the controller of personal data collected for the purposes of exercising its activity and providing financial services, the Bank processes the categories of personal data as follows:

I. Customers

For the purpose of customer relationship management, which may cover any type of processing and includes the development of new business relationships, sales, marketing, contract negotiation, market research, management of existing business relationships, invoicing, customer services, handling claims and fulfilling legal requirements and regulatory obligations.

Such processing covers the customer's personal data, including but not limited to:

  • generalities (eg full name);
  • contact address (e-mail, phone number, address)
  • photo-video information (eg CCTV images);
  • financial information that may include details related to bank accounts, credit or debit cards, or other payment instruments;
  • account credentials (eg username);
  • Others depending on the service/product requested by the client.
II. Candidates and Trainees

For the purpose of Human Resources Management as well as within the internship program, the Bank may process data to meet the needs of recruitment and management of interns.

Such processing covers the personal data of Human Resources, including but not limited to:

  • generalities (eg full name, age and date of birth);
  • contact address (e-mail, phone number, address)
  • education, professional experience and qualifications (eg education and training history, languages);
  • basic details of human resources (eg job position, role, location, etc.);
  • photo-video information (eg CCTV images);
  • Others depending on the fulfillment of this purpose;
III. Third parties/others

The bank collects only those personal data of individuals (not clients) and/or third parties with whom it enters into contractual relations due to its financial activity and which are necessary for the realization of activities or for meeting the needs of as a commercial legal entity.

Such processing covers the personal data of third parties, including but not limited to:

  • generality (eg full name);
  • business activities (eg goods or services provided);
  • financial details (eg bank account information);
  • photo-video information (eg CCTV images);
  • Others depending on the fulfillment of this purpose;

Methods of data collection by the Bank

Personal data controlled by the Bank is collected through the following channels:

I.Directly from the data subject
  • By completing any form/application related to any banking service or product at the Bank's branches in the territory of Albania;
  • By contacting a Personal Banker via phone or e-mail;
  • During phone calls with the Bank Staff and/or when you contact the Call Center;
  • Through participation in contests, draws, events or surveys;
  • Employment applications near the Bank's structures.  
II.Through electronic channels
  • During the promotion of banking services and products through electronic channels such as: SMS, e-mail or Social Media (Instagram, Facebook, Linkedin, Twitter, etc.);
  • By directly contacting the data subject through electronic channels: email, Social Media (Instagram, Facebook, LinkedIn, Twitter, etc.)
  • When they use other electronic tools or platforms such as websites or Bank applications (BKT SMART, Dega Internet);
  • Employment applications via Linkedin or via e-mail, etc.;
  • Subscriptions to newsletters, notices or other online services we offer.
III.Through third parties
  • When you enter into a relationship with the bank through third parties regarding the provision of banking services or products;
  • When you have given consent to a third party to share your information;
  • Your information is publicly accessible;
  • Or for any other purpose related to one of the options mentioned above.
IV.Through video surveillance of the Bank's premises
The Bank may collect information about you through CCTV cameras when you visit our premises, or through other security cameras as part of our security and crime prevention measures.
 

Principles of Personal Data Processing

The principles that the Bank follows for the processing of personal data are in full compliance with the laws in force, the standards required by the Commissioner for the protection of personal data, guaranteeing at the same time high security standards.
The bank has implemented security policies, rules, techniques that protect personal information from inappropriate use or unauthorized access, etc. All our employees and data processors, who have access to or are connected with the processing of your information, are obliged to respect the confidentiality of personal data. They are obliged to maintain confidentiality and reliability even after the end of their function.


The processing of personal data occurs when the Bank:
  • It has a legitimate interest, for example, preventing fraud, maintaining the security of our network and services, direct marketing and improving our services. Whenever we rely on this legitimate basis to process your data, we carry out an assessment of our business interest to ensure that this latter does not overlap with your rights. Furthermore, in some cases you have the right to object to this processing. For more information, visit the "Your Rights" section of this Policy.
  • Complies with a legal obligation, including for example accounting and tax requirements and regulations relating to electronic communications and financial services, subject to internal policies, procedures and your right to restrict the use of your data.
  • Carry out the fulfillment of legal obligations in the public interest, for example, to assist in the detection and prevention of fraud, tax evasion and financial crime, or to protect the economic well-being of certain individuals.
  • Obtain your consent for one or more specified purposes*;
  • Transparently explained the reason for the processing, together with the controller's contacts at the time of data collection;
  • It is ensured that your personal data is sufficient and not excessive in relation to the purposes for which it is processed. It is your responsibility to inform the Bank of any inaccuracies or updates to your personal data. However, the Bank will make reasonable efforts to ensure that its databases are as accurate and up-to-date as possible, including deleting your inaccurate personal data;
  • It is ensured that your personal data will not be kept for longer than necessary.
When processing sensitive personal data, the Bank is committed to ensuring their security by regularly informing and instructing employees involved in such processing, safeguarding the data within secure physical and electronic environments, and applying appropriate encryption or pseudonymization measures during transmission.

   *Where the data subject is under the age of 16, personal data shall not be processed without obtaining consent for such processing from a parent or legal guardian.
 

Sharing of personal data with third parties

Dissemination of personal data to third parties will only take place if these parties are legitimate (law and/or contract) and act in accordance with our instructions. The Bank does not disclose your personal data to third parties who are not authorized or who do not act as service providers to the Bank, unless such disclosure is lawful or you have explicitly provided your consent for it. In all cases, the Bank ensures that these third parties comply with confidentiality obligations and implement appropriate technical and organizational measures to maintain a level of security appropriate to the risk, particularly in relation to data processing, in accordance with applicable legislation.
When necessary, the Bank shares your information primarily with:
  • Supervisory authorities;
  • Partners, suppliers or agents involved in providing the products and services you use;
  • Companies engaged to provide services for and on behalf of BKT;
  • Legitimate entities to execute the obligations you have towards third parties or other organizations for debt recovery;
  • Law enforcement agencies, government bodies, regulatory organizations, courts or other public authorities if necessary, or if we are authorized by law;
  • A third party where such dissemination is necessary to comply with any applicable law or other legal or regulatory requirements;
  • Its shareholder, part of the "Çalik Holding" group.

International Data Transfer

For the purpose of providing services, the Bank may carry out international transfers of personal data to countries that ensure an adequate level of security and data protection, based on an adequacy decision.
In cases of International Transfer of personal data to a country that does not have a sufficient level of protection of personal data and in the absence of an adequacy decision, the Bank may carry it out if:
  • International instruments ratified by the Republic of Albania and directly applicable.
  • Binding Corporate Rules (BCRs) approved by the Commissioner, applicable within corporate groups.
  • Standard Data Protection Clauses published by the Commissioner, ensuring adequate safeguards.
  • An approved Code of Conduct issued by the Commissioner, accompanied by binding commitments from the data recipient in a country lacking adequate protection.
  • An approved Certification Mechanism issued by the Commissioner, together with binding commitments from the data recipient in a country without adequate protection.
In the absence of an adequacy decision or the appropriate safeguards mentioned above, international data transfers shall only be carried out if one of the following conditions is met:
  • The data subject has provided explicit and informed consent, acknowledging the risks associated with international transfer.
  • The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject’s request; or it is necessary for the conclusion or performance of a contract between the controller and a third party in the interest of the data subject.
  • Transfer is necessary to protect the vital interests of the data subject.
  • The transfer is required by law or is necessary for reasons of important public interest, or for the establishment, exercise, or defense of legal claims.
  • The transfer is made from a register that is lawfully open to consultation and provides information to the public.
In all cases, the Bank ensures the following when conducting international data transfers a contract/agreement is in place that clearly defines the obligations of all parties involved in the transfer of personal data. International transfers may be carried out to entities with which the Bank collaborates to enable the provision of various services, in compliance with international standards.
 

Data Storage and Archiving Terms

Personal data will be stored for as long as is necessary according to the main purpose of their collection. Data retention periods will be in full compliance with the applicable legal framework and relevant regulations. The Bank will not retain your personal information longer than necessary for the purpose of processing, and in accordance with the applicable Albanian legislation, including but not limited to:
  • The Civil Code of the Republic of Albania;
  • Law No. 9662/2006 “On Banks in the Republic of Albania,” as amended;
  • Law No. 9917/2008 “On the Prevention of Money Laundering and Terrorist Financing,” as amended;
  • The Labour Code of the Republic of Albania;
  • Law No. 9154/2003 “On Archives,” and other applicable laws;
Data collected through the Bank’s video surveillance systems is retained for 60** (sixty) days. Upon expiration of this period, all recordings are automatically deleted and cannot be recovered.

   **Bazuar në udhëzimin nr. 20 datë 03.08.2012 pika 14 - Afati i ruajtjes për të dhënat audio-vizive të mbledhura nga sistemi i video survejimit të bankës nuk do të tejkalojë një afat maksimal prej 2 muaj.  

Cookies

A Cookie is a small file that can be placed on your device in order to get to know you better and to remember you the next time you visit our site. It is sent to your browser and stored on the hard drive of your computer, tablet, or other mobile devices and can be removed at any time.
The main purpose of using Cookies is the most effective functionality of our website. When you visit bkt.com.al, we may automatically collect information from you through cookies. This information does not directly identify you, but it provides a more personalized online experience based on your navigation data on the site, which is used to remember your preferences or searches when you return to our site. Cookies help us better understand our visitors and the type of users so that we can improve our website by giving you a better browsing experience.
When you enter the BKT website, a dialogue window will appear where you can choose whether or not to accept the activation of Cookies.
At any moment, you can deactivate cookies through your browser settings, taking into account the fact that this action will delete your preferences from memory.
 

The Bank is aware of the importance and sensitivity of personal data, strictly respects the security measures provided for in Law No. 124/2024 "On the Protection of Personal Data" as well as the highest IT Security standards.  
The Bank will implement appropriate technical and organizational security measures to protect your personal data from accidental loss, alteration, disclosure or unauthorized access, especially when the Processing involves the transmission of data over a network and against all other forms of illegal processing.
The Bank has taken measures to guarantee an adequate level of security, such as may include, as the case may be:
  • Pseudonymization and encryption of your personal data;
  • The ability to ensure the confidentiality, integrity, availability and continued stability of processing systems and services;
  • The ability to restore availability and access to your personal data in a timely manner in the event of a physical or technical incident; OR
  • Processes for regular testing and evaluation of the effectiveness of technical and organizational measures to guarantee the security of Processing.
The Bank's security standards are in compliance with applicable privacy and data protection laws and regulations, as well as with any contractual requirements of interested parties.
 

Links to other sites

The Bank's website may have a link to another website (such as: www.idp.al). : www.idp.al). Maintaining privacy to achieve personal data protection does not include links between this site and other sites. The Bank is not responsible for the content of these sites and encourages you to read the relevant privacy statements for these other websites that you visit, as the conditions of these sites (websites) may differ from those of BKT.
 

Pursuant to Law No. 124/2024 "On the Protection of Personal Data", in relation to the personal data that the Bank processes, the data subject enjoys several rights, as follows:

The right to be informed regarding the purpose and legal basis for processing, the contact details of the data controller, information on the existence and logic of automated decision-making and profiling, as well as the rights available to the data subject.

The right to access: you have the right to request at any time a confirmation as to whether personal data relating to you is being processed by BKT.

Right to Rectification and Erasure: If you become aware that your personal data is inaccurate, incomplete, or outdated, you have the right to request its correction or deletion.

Right to Be Forgotten: You may request the deletion of any link, copy, or reproduction of your personal data. Additionally, you may request that internet search engine operators remove results that appear in searches based on your name, where the information is no longer relevant over time and has a significantly negative impact on your reputation.

Right to Restrict Processing: You may request the restriction of processing in cases where: you contest the accuracy of the data; The processing is unlawful and you prefer restriction over deletion; The controller no longer needs the data but you require it for legal claims; A legitimate interest assessment is pending; A preliminary restriction order has been issued by the Commissioner.

Right Not to Be Subject to Automated Decisions: You have the right to request not to be subject to decisions that produce legal effects or significantly affect you, where such decisions are based solely on automated processing of personal data.

Right to Data Portability: You have the right to request the transfer of your personal data to another controller, where technically feasible, or to request its deletion if it was collected or processed unlawfully.

Right to Object: You have the right, under certain circumstances, to object to the processing of your personal data for specific purposes, such as direct marketing.

To exercise the rights outlined above, data subjects may contact the Bank through the following channels and contact details:
 
 

To exercise the rights outlined above, data subjects may contact the Bank through the following channels and contact details:

Contact Method Details
Postal Address Banka Kombëtare Tregtare sh.a. 
Rruga e Vilave, Lundër 1, Tiranë, Shqipëri
e-mail info@bkt.com.al and/or dpo@bkt.com.al  
Dedicated Website Section: https://www.bkt.com.al/sugjerime-ankesa
Data Protection Officer: Blerina Tushe

*Note: Please include your name, address and mobile number with the request. Also, for security reasons, please use only the email address that you declared to BKT at the time of registration as its client for sending the request. BKT will take all necessary measures to identify your identity before releasing a copy of the information.
Within 30 days of receiving the request/complaint, we will send you the requested information or the reason for not granting or not executing your request. 
In case of dissatisfaction with the handling of requests by BKT, you always have the right to contact the Office of the Commissioner for Personal Data Protection, at the address Rr. "Abdi Toptani", n.d. 5, Tirana. For more information, visit the Commissioner's website www.idp.al .

 

 

This Privacy Policy is under continuous review to reflect changes in relation to the growth and expansion of the Bank's activity. Any updates to this Policy shall be made in compliance with the applicable legal framework and will be published on the Bank’s official website, ensuring transparency and alignment with regulatory requirements.

This Policy must be understood in compliance with the General Conditions of this Website and the General Conditions applied by BKT sh.a. for its customers.

The bank reserves the right to change or modify this regulation at any time, in accordance with any possible change in legislation in the field of personal data protection and privacy.