Data protection

Depending among others things on the type of products or services we provide to you, we may collect various types of personal data about you, including:

• personally identifiable information (e.g. name, identity (e.g. ID card and passport information), nationality, place and date of birth, gender, photograph);
• contact information private or professional (e.g. postal and e-mail address, phone number);
• family situation (e.g. marital status, number and age of children, etc.);
• economic, financial and tax status (e.g. tax ID, tax status, income and others revenues, value of your assets);
• education and employment information (e.g. level of education, employment, employer’s name, remuneration);
• banking and financial information (e.g. bank account details, products and services owned and used, credit card number, money transfers, assets, declared investor profile, credit history, debts and expenses);
• transaction data (including full beneficiary names, address and details of the underlying transaction);
• data relating to your habits and preferences:
  • data which relates to your use of our products and services;
  • data from your interactions with us: our branches (contact reports), our internet websites, our apps, our social media pages (connection and tracking data such as cookies, connection to online services, IP address), meetings, calls, chats, emails, interviews, phone conversations;

• video protection (including CCTV) and geolocation data (e.g. showing locations of withdrawals and payments, for security reasons, or to identify the location of the nearest branch or service suppliers for you); and
• data necessary to evaluate solvency/over indebtedness fraud, money laundering and terrorist financing;
• connection and tracking data (e.g. cookies, connection to online services);
• information about your device (IP address, technical specifications and uniquely identifying data);
• login credentials for phone and online and mobile apps.

We may collect the following sensitive data only upon your express prior consent:

• biometric data: e.g. fingerprint, voice pattern or facial metrics which can be used for identification and security purposes; and
• health data: for instance for the pre-contractual due diligence and the performance of some insurance contracts; this data is processed on a strict need-to-know basis.

We never ask, collect nor store any other sensitive personal data such as data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, data concerning your sexual orientation or data relating to criminal convictions and offences, unless required by law.

To comply with our various legal and regulatory obligations

We monitor and use your personal data to comply with:

• banking and financial regulations:
  • monitor transactions to identify those which deviate from normal routine/patterns (e.g. when you withdraw a large amount of money in a country where you do not live);
  • manage, prevent and detect fraud including the establishment of a fraud list and the inclusion of fraudsters in such list;
  • monitor and report risks (financial, credit, legal, compliance or reputational risks, default risks etc.) that we and/or the BNP Paribas Group could incur;
  • monitor and record phone calls, chats, email, etc. notwithstanding other usages described hereafter;
  • prevent and detect money-laundering and financing of terrorism and comply with legislation relating to sanctions and embargoes, through our Know Your Customer (KYC) process (to identify you, verify your identity, screen your details against sanctions lists and determine your profile);
  • detect and manage suspicious orders and transactions and report them to the authority in charge;
  • carry out an assessment of appropriateness or suitability in our provision of investment services to each client in compliance with markets in financial instruments regulations (FinSA, MiFid where applicable, etc.);
  • contribute to the fight against tax fraud and fulfil tax control and notification obligations.
• general regulations :
  • record transactions for accounting purpose;
  • exchange information for the purposes of tax law;
  • prevent, detect and report risks related to Corporate Social Responsibilities and sustainable development;
  • detect and prevent bribery;
  • exchange information and report on different operations, transactions or orders or reply to official requests from a duly authorised local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.

To perform a contract with you or our corporate clients or to take steps at your request before entering into a contract

We use your personal data to enter into and perform our contracts, as well as to manage our relationship with you, including to:

• define your credit risk score and your reimbursement capacity;
• evaluate (e.g. based on your credit risk score) if we can offer you a product or service and under which conditions (including price);
• assist you in particular by answering your requests;
• provide you or our corporate clients with products or services;
• manage outstanding debts (identification and exclusion of customers with outstanding debts).

To fulfil our legitimate interests

We use your personal data including your transaction data, for:

• Risk management purposes:
  • proof of transactions including electronic evidence;
  • management, prevention and detection of fraud including the establishment of a fraud list and the inclusion of fraudster in such list;
  • monitoring of transactions to identify those which deviate from the normal routine
  • debt collection
  • assertion of legal claims and defense in case of legal disputes;
  • development of individual statistical models,  for instance in order to help define your credit worthiness;
  • consultation and exchange of data with credit agencies to identify credit risks
• personalisation of our offering to you or the entity you represent and that of other BNP Paribas entities to:
  • improve the quality of our products or services;
  • advertise products or services that match with your situation and profile;
  • deduct your preferences and needs and propose personalised commercial offers;

This personalisation can be achieved by:

–      segmenting our prospects and clients;

–      analysing your habits and preferences in our various communications channels (visits to our branches, emails or messages, visits to our website, etc.);

–      sharing your data with another BNP Paribas entity, notably if you, or the entity you represent, are, or are to become, a client of that other entity in particular to speed up the onboarding;

–      matching the products or services that you already hold or use with other data we hold about you (e.g. we may identify that you have children but no family protection insurance yet); and

–     considering common traits or behaviors among current customers, and seeking others individuals who share those same characteristics for targeting purposes.

• Research & Development (R&D) and analytics:
  • optimise and automate our operational processes (e.g. creating FAQ chatbot);
  • offer products and services that will best meet your needs;
  • adapt products and services distribution, content and pricing in accordance with your profile:
  • create new offers;
  • prevent potential security failures, improve customer authentication and access rights management ;
  • enhance security management;
  • enhance risk and compliance management;
  • Enhance the management, prevention and detection of fraud; and
  • Enhance the fight against money laundering and financing of terrorism.
• Security reasons and IT systems performance, including to:
  • manage IT, including infrastructure management (e.g. shared platforms), business continuity and security (e.g. internet user authentication and data leak prevention); and
  • prevent personal injury and damages to people and goods (for instance video protection).
• More generally to:
  • inform you about our products and services ;
  • carrying out financial operations such as debt portfolio sales,  securitisations for financing or refinancing of the BNP Paribas Group;
  • organise contests, games, competitions, lotteries or any other promotional campaigns ;
  • perform client satisfaction and opinion surveys;
  • improve process efficiency (train our staff by recording phone calls in our call centres and improve our calling scenarios); and
  • implement the automation of our processes such as application testing, simulation monitoring, automatic filling of complaints handling, etc.

Where relying on legitimate interest, we ensure the processing remains proportionate and that your interests, fundamental rights and freedoms are preserved.

To respect your choice if we request your consent for a specific processing

For certain types of personal data processing, we will provide you with specific information and invite you to consent to the processing of your personal data. Please note that you may revoke your consent at any time.

Sharing of information within the BNP Paribas Group

We are part of the BNP Paribas Group which is an integrated banking & insurance group, i.e. a group of companies working closely together all over the world to create and distribute various banking, financial, and insurance services and products.

We may share personal data within the BNP Paribas Group for commercial and efficiency needs, such as:

• risk management, including credit and operational risks (risk rating/credit scoring/etc.)
• prevention, detection and fight against fraud;
• sharing of the data collected for AML/FT and sanctions and embargoes purposes and sharing of certain information for KYC purposes;
• R&D activities, particularly for compliance, risk, communication and marketing purposes ;
• Global and consistent overview of our clients:
• Disclosing the full range of products and services of the Group to enable you to benefit from them;
• Personalization of products and services’ (including content and pricing) for our clients.

If you are a client of our Corporate & Institutional Banking business, this would include, for example, personal data being accessed and/or stored in jurisdictions where investments are held; jurisdictions in which and through which transactions are effected; and jurisdictions from which you regularly receive or transmit information about your investments or your business with BNP Paribas.

We may also share personal data to other entities of the BNP Paribas Group that process personal data on our behalf and/or to which we outsource certain activities, in particular for the purposes of responding to certain commercial and efficiency needs as well for further improving the level of services that we provide. These activities may include:

• IT activities;
• administrative and operational activities in connection with payment, credit and clearing operations, as well as securities and foreign exchange transactions;
• certain tasks related to portfolio management and custody of securities and other assets;
• risk management, including credit and operational risks (risk rating/credit scoring/etc.);
• prevention, detection and fight against fraud and activities undertaken to comply with regulations on AML/FT, sanctions and embargoes and for KYC purposes;
• R&D activities;
• activities and customer services that ensure a global and consistent level of services to clients, including the offering of products and services of the Group.

Disclosing information outside the BNP Paribas Group

In order to fulfill some of the purposes described in this notice, we may disclose from time to time your personal data to:

• service providers which perform services on our behalf (e.g. IT services, logistics, printing services, telecommunication, debt collection, advisory and consulting and distribution and marketing).
• banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories, with which we have relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g. banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries);
• credit reference agencies;
• local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies, fraud prevention agencies or public bodies, we or any member of the BNP Paribas Group is required to disclose to pursuant to:
  • their request;
  • defending or responding to a matter, action or proceeding, and/or
  • complying with regulation or guidance from authority applying to us or any member ot the BNP Group;

• service payment provider(s) (information on your payment account(s)) based on the authorisation granted by you to this third party; and
• certain regulated professionals such as lawyers, notaries, rating agencies or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchasers of the companies or businesses of the BNP Paribas Group or our insurers.

Sharing aggregated or anonymized information

We share aggregated or anonymised information within and outside the BNP Paribas Group with partners such as research groups, universities or advertisers. You won’t be able to be identified from this information.

Your data may be aggregated into anonymised statistics that may be offered to professional clients to assist them in developing their business. In this case your personal data will never be disclosed and those receiving these anonymised statistics will be unable to identify you.