INFORMATION NOTICE CONCERNING THE PROTECTION OF PERSONAL DATA
Last updated: 30 June 2022.
FOREWORD: MAIN CHANGES
As a trusted partner, we place great importance on protecting your personal data. We have made this Notice more transparent by improving information on:
- Processing linked to commercial prospecting
- Processing to combat money laundering and the financing of terrorism, and international sanctions (asset freezing)
The protection of your personal data is at the heart of what we do. The BNPParibas Group has adopted strong principles in its Personal Data Privacy Charter available at https://group.bnpparibas/uploads/file/bnpparibas_personal_data_privacy_charter.pdf.
BNP Paribas SA (“We”), as data controller, are responsible for collecting and processing your personal data in the context of our activities.
Our job is to help all our clients – private individuals, entrepreneurs, VSEs (Very Small Enterprises), SMEs (Small and Medium-sized Enterprises), large companies and institutional investors – in their daily banking activities, as well as to realise their projects with our financing, investment, savings and insurance solutions.
As a member of an integrated banking and insurance group in collaboration with the various Group entities, we provide our clients with a comprehensive range of products and services in banking, insurance and leasing (leases with/without an option to purchase).
The purpose of this notice is to explain how we process your personal data and how you can control and manage them.
Where applicable, additional information may be provided to you when we collect your personal data.
1. IS THIS NOTICE RELEVANT TO YOU?
This notice is relevant to you (“You”) if you are:
- one of our clients or are in a contractual relationship with us (e.g. as guarantor);
- a family member of our client. Our customers may sometimes be required to share information about their family with us when this is necessary to provide them with a product or service or to get to know them better;
- someone who is interested in our products or services when you provide us with your personal data (in branch, on our websites and apps, during events or sponsorship activities) so that we can contact you.
When you provide us with personal data relating to other persons, do not forget to inform them that their data has been shared and invite them to read this Notice. We will take care to do the same when we can (i.e. when we have the contact details of the relevant people).
2. HOW CAN YOU CONTROL THE PROCESSING THAT WE CARRY OUT ON YOUR PERSONAL DATA?
You have rights that allow you to exercise significant control over your personal data and how we process it. We draw your attention to the fact that these rights may be limited when the regulations so provide. This is the case with the regulations relating to the fight against money laundering and the financing of terrorism, which prohibit us from letting you exercise your various rights with regard to your personal data processed for this purpose.
If you wish to exercise the rights described below, please send us a request by post to
Permanent Control – Right Management
Code ACI : CVA06A3
35 rue de la Gare – 75019 Paris
or on our website https://group.bnpparibas/en/data-protection with a scan/copy of your identity document when necessary.
If you have any questions regarding the use of your personal data under this Notice, please contact our Data Protection Officer at the following address:
Permanent Control – Right Management
Code ACI : CVA06A3
35 rue de la Gare – 75019 Paris
2.1. You can request access to your personal data
If you wish to have access to your personal data, we will provide you with a copy of the personal data to which your request relates and the information relating to their processing.
2.2. You can request the rectification of your personal data
Should you consider that your personal data is inaccurate or incomplete, you can request that it be changed or completed. In certain cases, you may be asked for supporting documentation.
2.3. You can ask for your personal data to be deleted
If you wish, you can request the deletion of your personal data, to the extent permitted by law.
2.4. You can object to the processing of your personal data based on legitimate interest
If you do not agree with a form of processing based on a legitimate interest, you can object to it for reasons relating to your particular situation by informing us precisely about the processing and the reasons. We will no longer process your personal data unless there are compelling legitimate grounds for the processing or if the data are necessary for establishing, exercising or defending legal claims.
2.5. You can object to the processing of your personal data for marketing purposes
You have the right to object at any time to the processing of your personal data for marketing purposes, including profiling to the extent it is related to such marketing.
2.6. You may suspend the use of your personal data
If you dispute the accuracy of the data we use or object to the processing of your data, we will verify or review your request. During the period that your request is under review, you have the option of asking us to suspend the use of your data.
2.7. You have rights with regard to automated decisions
In principle, you have the right not to be subject to a fully automated decision, based on profiling or not, which has a legal effect or significantly affects you. However, we can automate this type of decision if it is necessary for the conclusion/performance of a contract with us, authorised by regulations or if you have given your consent.
In any event, you have the option of disputing the decision, expressing your point of view and requesting the intervention of a human being who can review the decision.
2.8. You can withdraw your consent
If you have consented to your personal data being processed, you have the right to withdraw this consent at any time.
2.9. You can request portability of some of your personal data
You can ask to be provided with a copy of the personal data you have provided to us in a structured, commonly used and machine-readable format. Where technically possible, you can ask us to forward this copy to a third party.
2.10. You can decide what happens to your personal data after your death
You can give us instructions on how to store, erase and share your data after your death.
2.11. How can you lodge a complaint with the Data Protection Authority?
In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority. In France, this is the CNIL (Commission Nationale de l’Informatique et de Libertés).
3. WHY AND ON WHAT LEGAL BASIS DO WE USE YOUR PERSONAL DATA?
The purpose of this section is to explain to you why we process your personal data and on what legal basis we justify doing so.
3.1. Your personal data are processed so that we comply with our various legal obligations
Your personal data are processed when necessary to enable us to comply with the regulations to which we are subject, including banking and financial regulations.
3.1.1. We use your personal data to:
- monitor activity and transactions and to identify those which are unusual (for example, when you withdraw a large sum of money in a country other than that of your place of residence);
- manage and report risks (financial, credit, legal, compliance or reputational, etc.) that the BNP Paribas Group may encounter in its activities;
- record, in accordance with the Markets in Financial Instruments Directive (MiFID II), communications in any form whatsoever in relation to, as a minimum, transactions entered into for proprietary trading and the provision of services relating to client orders in terms of the receipt, transmission and execution of client orders;
- assess the suitability and adequacy with each client profile of the provision of investment services in accordance with the Markets in Financial Instruments regulations (MiFID II);
- contribute to the fight against tax fraud and meet our tax reporting and monitoring obligations;
- record transactions for accounting purposes;
- prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
- detect and prevent corruption;
- respect the provisions applicable to trusted service providers issuing electronic signature certificates;
- exchange and report various activities, transactions or requests or respond to an official request from a duly authorised local or foreign judicial, criminal, administrative, tax or financial authority, an arbitrator or mediator, law enforcement authorities or government or public bodies.
3.1.2. We also process your personal data to combat money laundering and terrorist financing
We belong to a banking Group which must have a robust anti-money laundering and counter-terrorist financing (AML/CFT) system at the entity level while directed centrally, as well as a system that allows local, European and international sanction decisions to be applied.
The processing undertaken to meet these legal obligations is detailed in Appendix (see end of the page).
3.2. Your personal data are processed for the performance of a contract to which you are a party or for precontractual measures taken at your request
Your personal data are processed when they are needed for the conclusion or performance of a contract in order to:
- define your credit risk score and your ability to repay;
- assess (for example, based on your credit risk score) whether we can offer you a product or service and under which conditions (for example, price);
- provide you with the products and services subscribed to in accordance with the applicable contract;
- manage existing debts (identifying clients in default);
- respond to your requests and assist you with your activities;
- ensure the settlement of your estate.
3.3. Your personal data are processed in order to fulfil our legitimate interests or those of a third party
When we base processing on legitimate interest, we weight up that interest against your interests or fundamental rights and freedoms so that we are comfortable that there is a fair balance between them. If you would like more information about the legitimate interest pursued by any processing, please contact us at the following address:
Permanent Control – Right Management
Code ACI : CVA06A3
35 rue de la Gare – 75019 Paris
3.3.1. As part of our activity as a bank-insurer, we use your personal data to:
- Manage the risks to which we are exposed:
- we keep proof of activities or transactions, including in electronic format;
- we monitor your transactions to manage, prevent and detect fraud;
- we carry out debt collection;
- we process legal claims and aspects of defence in the event of litigation;
- we develop individual statistical models to help establish your borrowing capacity.
- Improve cybersecurity, manage our platforms and websites, and ensure business continuity.
- Prevent physical injury and harm to persons and property through CCTV (videosurveillance).
- Improve the automation and efficiency of our operational processes and customer services (e.g. automatic completion of complaints, follow-up of your requests and improvement of your satisfaction based on the data collected during our interactions with you such as telephone recordings, e-mails or chats).
- Support you in managing your budget by automatically categorising your transaction data
- Carry out financial transactions such as the sale of debt portfolios, securitisations, financing or refinancing of the BNP Paribas Group.
- Make statistical studies and develop predictive and descriptive models for the purposes of:
- marketing: to identify products and services that we could offer you to best meet your needs, to create new offers or to identify new trends among our clients, to develop our marketing policy taking into account our clients’ preferences;
- security: to prevent potential incidents and improve security management;
- compliance (such as combating money-laundering and financing of terrorism) and risk management;
- combating fraud.
- Organise competitions, lotteries, promotional activities, conduct customer opinion and satisfaction surveys;
3.3.2. We use your personal data to send you commercial offers electronically, by post and by telephone
As a BNP Paribas Group entity, we want to be able to offer you access to our full range of products and services that best meet your needs.
As soon as you are a client and unless you object, we may send you these offers for our products and services and those of the Group electronically when they are similar to those that you have already subscribed to.
We make sure that these marketing offers concern products or services that are related to your needs and that they complement those you already have, to ensure the right balance between our respective interests.
Unless you object, we may also send you offers relating to our products and services as well as those of the Group and of our trusted partners by telephone and post.
3.3.3. We analyse your personal data to perform standard profiling in order to customise our products and offerings
In order to improve your experience and satisfaction levels, we need to determine to which group of customers you belong. To do this, we create a standard profile based on the relevant data that we select from the information:
- that you have shared directly with us during our interactions with you or when subscribing to a product or service;
- that results from your use of our products or services, such as those linked to your accounts, such as account balances, regular or atypical movements, use of your card abroad and the automatic categorisation of your transaction data, i.e. the breakdown of your expenses and receipts by category as it appears in your client area;
- that results from your use of our various channels: sites and applications (for example, if you are digitally minded, or if you prefer a customer journey to subscribe to a product or service with more autonomy (selfcare));
Unless you object, we will carry out this personalisation based on standard profiling. We will be able to go further to better meet your needs, if you consent, by performing made-to-measure personalisation as set out below.
3.4. Your personal data will be processed if you have given your consent
For certain processing of personal data, we will give you specific information and ask for your consent. We remind you that you can withdraw your consent at any time.
In particular, we shall request your consent for:
- Made-to-measure personalisation of our offers and products or services based on more sophisticated profiling that helps anticipate your needs and behaviour;
- Any offer by electronic means for products and services that are not similar to those to which you have subscribed or for products and services of our trusted partners;
- Personalisation of our offers, products and services based on data for your accounts with other banks;
- Using your browsing data (cookies) for commercial purposes or to enrich our understanding of your profile.
Further consent to the processing of your personal data may be requested from you when necessary.
4. WHICH TYPES OF PERSONAL DATA DO WE COLLECT?
We collect and use your personal data, namely any information that identifies you or allows you to be identified.
Depending on the type of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:
- Identification data: for example, full name, gender, place and date of birth, nationality, ID card number, passport number, driving licence number, vehicle registration number, photo, and signature;
- Contact information: (private or professional) postal address, e-mail address, telephone number;
- Information relating to your assets and family life: for example, marital status, matrimonial regime, number of children and their age, study or employment, household composition, and assets you own: apartment or house;
- Important moments in your life: for example, you have just got married, divorced, started living as a couple, or had children;
- Lifestyle: hobbies and interests, travel, your environment (nomad, sedentary);
- Economic, financial and tax information: for example, tax identification number, tax status, country of residence, salary and other income, and value of your assets;
- Education and employment information: for example, level of education, employment, employer’s name and remuneration;
- Banking and financial information relating to the products and services you have: for example, bank details, products and services held and used (credit, insurance, savings and investments, leasing, home protection), card number, transfers of funds, assets, declared investor profile, credit history, and payment incidents;
- Transaction data: accountmovements and balances, transactions and the data relating to beneficiaries, including full names, addresses and contact details as well as details of bank transactions, amount, date, time and type of transaction (bank card, transfer, cheque, direct debit);
- Data about your habits and preferences relating to the use of our products and services;
- Data collected in the context of our interactions with you: your comments, suggestions, and needs gathered during our face-to-face interactions with you in our Branches (reports) and online during telephone calls (conversation), discussion by e-mail, chat, chatbot, exchanges on our social media pages and your recent claims/complaints. Your login and tracking data such as cookies and trackers for non-advertising or analytical purposes on our websites, online services, our applications, our social media pages;
- Data from the video protection system (including CCTV cameras) and geolocation: for example, locations of withdrawals or payments for security purposes, or to determine the location of the branch or service provider closest to you;
- Data about your devices (mobile phone, computer, tablet, etc.): IPaddress, technical specifications and unique identification data;
- Personalised login details or security devices used to log in to the BNP Paribas website and applications.
We may collect sensitive data such as health data, biometric data, or data relating to criminal offences, subject to the strict conditions defined by data protection regulations.
5. FROM WHOM DO WE COLLECT PERSONAL DATA?
We collect personal data directly from you, however we may also collect personal data from other sources.
We sometimes collect data from public sources:
- publications/databases made available by official authorities or third parties (for example, the Official Gazette of the French Republic, the Trade and Companies Register, and databases managed by the financial sector supervisory authorities);
- websites/social media pages of legal entities or professional clients containing information made public by you (for example, your own website or your page on a social media network);
- public information such as that published in the press.
We also collect personal data from third parties:
- other BNP Paribas Group entities;
- our clients (corporate or individual);
- our business partners;
- payment initiation service providers and account aggregators (account information service providers);
- third parties such as credit reference agencies and fraud prevention agencies;
- data brokers who are responsible for ensuring that they gather relevant information in a lawful manner.
6. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?
a. With BNP Paribas Group entities
As a member company of the BNP Paribas Group, we work closely with other group companies worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, when necessary, in order to:
- comply with our various legal and regulatory obligations described above.
- respond to our legitimate interests which are:
- to manage, prevent and detect fraud;
- to conduct statistical studies and develop predictive and descriptive models for marketing, security, compliance, risk management and anti-fraud purposes;
- to improve the reliability of certain data about you held by other Group entities;
- to offer you access to all the Group’s products and services that best meet your wishes and needs;
- to personalise the content and prices of products and services.
b. With recipients, third parties to the BNP Paribas group and subprocessors
In order to fulfil some of the purposes described in this Notice, we may, when necessary, share your personal data with:
- subprocessors who perform services on our behalf, for example IT, printing, telecommunication, recovery, advisory, distribution and marketing services;
- banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have links if such a transfer is necessary to provide you with services or products or to meet our contractual obligations or to perform transactions (for example, banks, correspondent banks, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, payment card issuers or intermediaries, and mutual guarantee or financial guarantee institutions);
- local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, and public authorities or institutions (such as the Banque de France, the Caisse des Dépôts et des Consignations), to which we or any member of the BNP Paribas Group are required to disclose data:
- at their request;
- in the context of our defence, an action or proceeding;
- to comply with any regulation or recommendation issued by a competent authority to us or to any member of the BNP Paribas Group;
- third-party payment service providers (information about your bank accounts), for the purposes of providing a payment initiation or account information service if you have consented to the transfer of your data to this third party;
- certain regulated professions such as lawyers, notaries or auditors when required by specific circumstances (litigation, audit, etc.) as well as our insurers or any buyer, whether actual or potential, of companies or activities of the BNP Paribas Group.
7. INTERNATIONAL TRANSFERS OF PERSONAL DATA
In the event of international transfers from the European Economic Area (EEA) to a country outside the EEA, the transfer of your personal data may take place on the basis of a decision issued by the European Commission, when the Commission has recognised that the country to which your data will be transferred ensures an adequate level of protection. If your data is transferred to a country whose level of data protection has not been recognised as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (for example, if the transfer is necessary to perform a contract with you, such as when making an international payment) or we will take one of the following measures to ensure the protection of your personal data:
- standard contractual clauses approved by the European Commission;
- binding corporate rules.
To obtain a copy of these measures designed to ensure the protection of your data or to receive details of where they are accessible, you can send us a written request to
Permanent Control – Right Management
Code ACI : CVA06A3
35 rue de la Gare – 75019 Paris
8. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
We will retain your personal data for the period required in order to comply with applicable laws and regulations or for a period defined with regard to our operational requirements, such as proper account management, efficient client relationship management, and responding to legal claims or regulatory requests.
Otherwise, your personal data will usually be kept for 2 years.
9. HOW CAN YOU KEEP UP WITH THE CHANGES TO THIS PERSONAL DATA PROTECTION NOTICE?
In a world where technology is constantly evolving, we regularly review this Notice and update it if necessary.
We invite you to review the latest version of this document online and we will inform you of any significant changes through our website or through our usual communication channels.
PROCESSING PERSONAL DATA TO COMBAT MONEY LAUNDERING AND TERRORIST FINANCING
We belong to a Banking Group that must have a robust anti-money laundering and counter-terrorist financing (AML/CFT) system at the entity level while directed centrally, a system to combat corruption, as well as a system to comply with international Sanctions (this means all economic or trade sanctions, including all laws, regulations, restrictions, embargoes or asset freezes, decreed, governed, imposed or enforced by the French Republic, the European Union, the US department of the Treasury’s Office of Foreign Asset Control, and any competent authority in the territory in which we are established).
For the purposes of AML/CFT and compliance with international Sanctions, we carry out the processing listed below to meet our legal obligations:
- A Know Your Customer (KYC) system reasonably designed to identify, update and confirm the identity of our clients, including that of their ultimate beneficial owners and their representatives, where applicable;
- Enhanced identification and verification measures for high-risk clients, and Politically Exposed Persons (PEPs are persons designated by the regulations who, due to their function or position (political, judicial or administrative) are more exposed to these risks) as well as high-risk situations;
- Written policies and procedures, and controls reasonably designed to ensure that the Bank does not enter into – nor maintain – relationships with shell banks;
- A policy, based on assessment of the risks and the economic situation, consisting generally of not performing or engaging in a business activity or relationship, regardless of the currency:
- for, on behalf of, or for the benefit of any person, entity or organisation subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in the territories in which the Group operates;
- involving, directly or indirectly, territories under sanctions including Crimea/Sevastopol, Cuba, Iran, North Korea and Syria;
- involving financial institutions or territories that could be linked to, or controlled by, terrorist organisations, recognised as such by the competent authorities in France, the European Union, the United States or the United Nations.
- Screening of our client bases and transactions, reasonably designed to ensure compliance with applicable laws;
- Systems and processes for detecting suspicious activity and for reporting suspicions to the relevant authorities;
- A compliance programme reasonably designed to prevent and detect corruption and trading of influence in accordance with the “Sapin II” Act, the U.S. FCPA, and the UK Bribery Act.
In this context, we are required to call on:
- services provided by external providers such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges) which maintain PEP lists;
- publicly available information in the press on facts relating to money laundering, terrorist financing and corruption;
- knowledge of a risky behaviour or situation (existence of a suspicious activity report or equivalent) that can be identified at BNP Paribas Group level.
We carry out these checks when entering into a relationship, but also throughout the relationship we have with you, on you and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be kept in order to identify you and adapt our monitoring if you re-enter into a relationship with a BNP Paribas Group entity, or in the context of a transaction to which you are a party.
In order to comply with our legal obligations, we share with BNP Paribas Group entities information collected for the purposes of AML/CFT, anti-corruption or the application of international Sanctions. When your data is shared with countries outside the European Economic Area that do not have an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. Where, in order to comply with regulations of non-EU countries, additional data is collected and shared, such processing is necessary to enable the BNP Paribas Group and its entities both to comply with their legal obligations and to avoid sanctions locally, which is our legitimate interest.