for the exercise of rights related to personal data

This Procedure of First Investment Bank AD (Fibank, the Bank) aims to assist the Bank's current and prospective clients (data subjects) in exercising their personal data protection rights. The procedure shall govern the process of accepting, processing and responding to requests related to protection of personal data.

The Procedure complies with the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR).

Exercising of rights related to protection of personal data

To exercise their rights related to protection of personal data under this Procedure, personal data subjects shall submit to the Bank a signed Request for exercising personal data protection rights.

Submission of a Request for exercising personal data protection rights

Requests for exercising personal data protection rights may be submitted in one of the following ways:

  • Electronically to the following email address:, under the Electronic Document and Electronic Certification Services Act;
  • In person, at an office of Fibank.

Timeframe for responding to the Request

Within one month of receipt of a Request for exercising personal data protection rights, Fibank shall provide information on the actions taken. If the number and complexity of requests submitted by a data subject require a more detailed investigation, the period may be extended by a further two months. The Bank shall inform the data subject of any extension within one month of receipt of the Request, also indicating the reasons for such extension.

Documents required

Identity documents shall be required and, in case of authorization, also the authorization document. Fibank shall only provide personal data if the person has been properly identified, including verification of the authorization documents, if any. The Bank shall not be obliged to respond to Requests if it is unable to identify the data subject or their credentials.

The Bank may require additional information necessary to verify the identity and credentials of the data subject when there are reasonable concerns about the identity of the requestor.

Rights that the data subject may exercise

  • Right of access to personal data (Art. 15 GDPR) - the Bank shall confirm whether or not personal data concerning the data subject are being processed, and provide the necessary information.

    Fibank may refuse to act on a request where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.

  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing of personal data (Art. 21 GDPR), when processing of personal data is carried out for direct marketing purposes or for pursuing a legitimate interest.

Processing of personal data for direct marketing purposes

Where personal data are processed for direct marketing purposes, data subjects shall have the right to object at any time (via the Contact Center phone: 0700 12 777, or at an office of the Bank) to processing their personal data for such marketing, which includes profiling to the extent that it is related to direct marketing. In this case, the personal data shall no longer be processed by the Bank for such purposes.

Data subjects shall have the right to withdraw their consent for processing of personal data at any time and free of any charges.

You may also contact the Personal Data Protection Commission at the following address: 1592 Sofia, 2 Prof. Tsvetan Lazarov Blvd., e-mail:, website: