DATA PROTECTION NOTICE

Last updated August 2021

The protection of your personal data is important to the BNP Paribas Group[1], which has adopted strong principles in that respect for the entire Group. The BNP Paribas Group is made up of many different legal entities.  If you would like to know which entity/ies within the BNP Paribas Group process your personal data, please contact us at the address given under section 9 below.

To the extent that the European General Data Protection Regulation and/or any other data protection laws apply, this Data Protection Notice provides you (as further defined in section 2) with transparent and detailed information relating to the protection of your personal data by BNP Paribas and its subsidiaries, primarily in relation to our Corporate & Institutional Banking Business, and services of BNP Paribas Securities Services, but as fully detailed below (“we”).

We are responsible, as a controller, for collecting and processing your personal data in relation to our activities. The purpose of this Data Protection Notice is to let you know which personal data we collect about you, the reasons why we use and share such data, how long we keep it, what your rights are and how you can exercise them. There may be other notices or policies detailing how we process your personal data applicable in certain territories outside of the EEA. In the event that the provisions of such notices or policies conflict with those within this Data Protection Notice, the former notices or policies shall take precedence.

Further information may be provided where necessary when you apply for a specific product or service.

1.   WHICH PERSONAL DATA DO WE USE ABOUT YOU? 

We collect and use your personal data, meaning any information that identifies or allows us to identify you, to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services. 

Depending on the type of products or services we provide to you, we collect various types of personal data about you, including:

  • identification information (e.g. full name, identity (e.g. ID card, passport information etc.), nationality, place and date of birth, gender, photograph);
  • contact information private or professional (e.g. postal and e-mail address, phone number etc.);
  • family situation (e.g. marital status, number and age of children etc.);
  • economic, financial and tax information (e.g. tax ID, tax status, income and others revenues, value of your assets);
  • education and employment information (e.g. level of education, employment, employer’s name, remuneration);
  • banking and financial information (e.g. bank account details, product and services owned and used, credit card number, money transfers, assets, declared investor profile, credit history, any defaults in making payments);
  • transaction data (including full beneficiary names, address and transaction details including communications on bank transfers of the underlying transaction);
  • data relating to your habits and preferences (data which relates to your use of our products and services);
  • data from your interactions with us: our branches (contact reports), our internet websites, our apps, our social media pages (connection and tracking data such as cookies, connection to online services, IP address), meetings, calls, chats, emails, interviews, phone conversations;
  • video protection (including CCTV) and geolocation data (e.g. showing locations of withdrawals or payments, for security reasons, or to identify the location of the nearest branch or service suppliers for you etc.);
  • information about your device (including MAC address, technical specifications and uniquely identifying data); and
  • login credentials used to connect to BNP Paribas’ website and apps.

We may collect the following sensitive data only upon obtaining your explicit prior consent:

  • biometric data: g. fingerprint, voice pattern or facial recognition which can be used for identification and security purposes; and
  • health data for instance for the pre-contractual due diligence and the performance of some insurance contracts; this data is processed on a strict need-to-know basis.

We never ask for any other sensitive personal data such as data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning your sex life or sexual orientation or data relating to criminal convictions and offences (“Criminal Record Data”) unless it is required through a legal obligation.

Please note that you are not required to provide any of the personal data that we request. However, your failure to do so may result in us being unable to open or maintain your account or to provide you with services.

2.   WHO IS CONCERNED BY THIS NOTICE AND FROM WHOM DO WE COLLECT PERSONAL DATA?

We collect data directly from you as a client or prospect (when you contact us, visit our website, our apps or us, use our products and services, participate in a survey or an event with us).

In certain circumstances, we may collect information from you about individuals who do not have a direct relationship with us. This may happen, for instance, when you provide us with information about your:

  • Staff (employees, contractors, consultants);
  • Family members;
  • Successors and right holders;
  • Co-borrowers / guarantors;
  • Legal representatives (power of attorney);
  • Beneficiaries of your payment transactions;
  • Beneficiaries of your insurance contracts or policies and trusts;
  • Landlords;
  • Ultimate beneficial owners;
  • Debtors (e.g. in case of bankruptcy); and
  • Company shareholders.

When you provide us with third party personal data (including but not limited to those listed above), you confirm that such third party receives this Data Protection Notice and understands the information in this Data Protection Notice about how we will use their personal data.

We may also obtain personal data from:

  • other BNP Paribas entities;
  • our clients (corporate or individuals);
  • our business partners;
  • payment initiation service providers and aggregators (account information service providers);
  • third parties such as credit reference agencies and fraud prevention agencies or data brokers which are responsible for making sure that they gather the relevant information lawfully;
  • publications/databases made available by official authorities or third parties (e.g. the French Official Journal, databases operated by financial supervisory authorities);
  • websites/social media pages of legal entities or professional clients containing information made public by you (e.g. your own website or social media); and
  • public information such as information from the press.

3.    WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?

 a. To comply with our various legal and regulatory obligations

 We use your personal data to comply with various legal and regulatory obligations, including:

  • banking and financial regulations:
    • monitor transactions to identify those which deviate from normal routine/patterns[2];
    • manage, prevent and detect fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters)[3];
    • monitor and report risks (financial, credit, legal, compliance or reputational risks, default risks etc.) that we/and or the BNP Paribas Group could incur;
    • monitor and record phone calls, chats, email, [4] notwithstanding other usages described hereafter;
    • prevent and detect money-laundering and financing of terrorism and comply with regulation relating to sanctions and embargoes through our Know Your Customer (KYC) process (to identify you, verify your identity, screen your details against sanctions lists and determine your profile);
    • detect and manage suspicious orders and transactions;
    • carry out an assessment of appropriateness or suitability in our provision of investment services to each client in compliance with Markets in Financial Instruments regulations (MiFiD);
    • contribute to the fight against tax fraud and fulfil tax control and notification obligations (including compliance with FATCA and AEOI requirements);
    • record transactions for accounting purposes;
    • prevent, detect and report risks related to Corporate Social Responsibilities and sustainable development;
    • detect and prevent bribery;
    • exchange information and report on different operations, transactions or orders or reply to official requests from duly authorised local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or meditators, law enforcement, state agencies or public bodies.
     

b. To perform a contract with you or our corporate clients or to take steps at your request before entering into a contract

We use your personal data to enter into and perform our contracts as well as to manage our relationship with you, including to:

  • define your credit risk score and your reimbursement capacity;
  • evaluate (e.g. based on your credit risk score) if we can offer you a product or service and under which conditions (including price);
  • assist you in particular by answering your requests;
  • provide you or our corporate clients with products or services; and
  • manage outstanding debts (identification and exclusion of clients with outstanding debts).

 c. To fulfil our legitimate interest

We use your personal data, including your transaction data, for:

  • risk management purposes;
    • proof of transactions including electronic evidence;
    • management, prevention and detection of fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters)[5];
    • monitoring transactions to identify those, which deviate from the normal routine/patterns [6].
    • debt collection;
    • assertion of legal claims and defence in case of legal disputes;
    • development of individual statistical models in order to help define your creditworthiness;
    • consultation and exchange of data with credit agencies to identify credit risks.Personalisation of our offering to you and that of other BNP Paribas entities to:
      • improve the quality of our products or services;
      • advertise products or services that match with your situation and profile;
      • deduce your preference and needs and propose personalised commercial offers;
      • This personalisation can be achieved by:
  • segmenting our prospects and clients;
  • analysing your habits and preferences in our various communications channels (visits to our branches, emails or messages, visits to our website, etc.);
  • sharing your data with another BNP Paribas entity, notably if you, or the entity you represent, are, or are to become, a client of that other entity;
  • matching the products or services that you already hold or use with other data we hold about you (e.g. we may identify that you have children but no family protection insurance yet); and
  • considering common traits or behaviours among current clients, and seeking other individuals who share those same characteristics for targeting purposes.

 

  • Research & Development (R&D) and analytics consisting of establishing individual statistical/predictive models to:
    • optimise and automate our operational processes (e.g. creating FAQ chatbots);
    • offer products and services that will best meet your needs;
    • adapt products and services distribution, content and pricing in accordance with your profile;
    • create new offers;
    • prevent potential security failures, improve client authentication and access rights management;
    • enhance security management;
    • enhance risk and compliance management;
    • enhance the management, prevention and detection of fraud; and
    • enhance the fight against money laundering and financing of terrorism.
  • Security reasons and IT systems performance, including to:
    • manage IT, including infrastructure management (e.g. shared platforms), business continuity and security (e.g. internet user authentication and data leak prevention); and
    • prevent personal injury and damages to people and goods (for instance video protection).
  • More generally to:
    • inform you about our products and services;
    • carry out financial operations such as debt portfolio sales, securitisations for financing or refinancing of the BNP Paribas Group;
    • organise contests, games, competitions, lotteries or any other promotional campaigns;
    • perform client satisfaction and opinion surveys;
    • improve process efficiency (train our staff by recording phone calls in our call centres and improve our calling scenario)[7]; and
    • automate our processes such as application testing, automatic filling of complaints handling, etc.

 

Where relying on legitimate interest, we ensure the processing remains proportionate and that your interests, fundamental rights and freedoms are preserved. Should you wish to obtain more information about such balancing test, please contact us using the contact details provided in section 9 “How to contact us” below.

d. To respect your choice if we request your consent for specific processing

For certain types of personal data processing, we will provide you with specific information and invite you to consent to the processing of your personal data. Please note that you may revoke your consent at any time.

4.   WHO DO WE SHARE YOUR PERSONAL DATA WITH?

a. Sharing of information within the BNP Paribas Group

 We are part of the BNP Paribas Group, which is an integrated bank and insurance group, i.e. a group of companies working closely together all over the world to create and distribute various banking, financial, insurance services and products.

We share personal data within the BNP Paribas Group for commercial and efficiency needs such as:

  • based on our legal and regulatory obligations:
    • sharing of the data collected for AML/FT, sanctions, embargoes and for KYC;
    • risk management including credit and operational risks (risk rating /credit scoring/etc.);
  • based on our legitimate interest:
    • prevention, detection and fight against fraud;
    • R&D activities, particularly for compliance, risk, communication and marketing purposes;
    • global and consistent overview of our clients’;
    • offering the full range of products and services of the Group to enable you to benefit from them.

If you are a client of our Corporate & Institutional Banking business, this would include, for example, personal data being accessed and/or stored in: jurisdictions where investments are held; jurisdictions in which and through which transactions are effected; and jurisdictions from which you regularly receive or transmit information about your investments or your business with BNP Paribas.

  • Personalisation of products and services’ (including content and pricing) for our clients’.

b. Disclosing information outside the BNP Paribas Group

In order to fulfil some of the purposes described in this notice, we may disclose your personal data from time to time to:

  • service providers who perform services on our behalf (e.g. IT services, logistics, printing services, telecommunication, debt collection, advisory and consulting, distribution and marketing).
  • banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g. banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries);
  • credit reference agencies;
  • local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies, fraud prevention agencies or public bodies, we or any member of the BNP Paribas Group is required to disclose to pursuant to:
    • their request;
    • defending or responding to a matter, action or proceeding; and/or
    • complying with regulation or guidance from authorities applying to us or any member of the BNP Group;
  • payment service provider(s) (information on your payment account(s)) based on the authorisation granted by you to this third party; and
  • certain regulated professionals such as lawyers, notaries, rating agencies or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchasers of the companies or businesses of the BNP Paribas Group or our insurers.

c. Sharing aggregated or anonymized information

We share aggregated or anonymised information within and outside the BNP Paribas Group with partners such as research groups, universities or advertisers. You will not be able to be identified from this information.

Your data may be aggregated into anonymised statistics that may be offered to professional clients to assist them in developing their business. In this case, your personal data will never be disclosed and those receiving these anonymised statistics will be unable to identify you.

5.   INTERNATIONAL TRANSFERS OF PERSONAL DATA

a. Transfers outside the EEA

In certain circumstances, we may transfer your data to another country. This includes transfers of personal data to BNPP Group entities in India (processor), the United States of America etc.

In case of international transfers originating from the European Economic Area (EEA), to a non-EEA country, where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.

 For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

  • Standard contractual clauses approved by the European Commission;
  • Binding corporate rules.

To obtain a copy of these safeguards or details on where they are available, you can send a written request to us as set out in section 9.

b. Others international transfers

 Where there are other international transfer restrictions e.g. transfer from Turkey to another country, we will implement appropriate safeguards to ensure the protection of your personal data.

6.   HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

We will retain your personal data for the longer of: (i) the period required by applicable law; or (ii) such other period necessary for us to meet our operational obligations, such as: proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. Most personal data collected in relation to a specified client is kept for the duration of the contractual relationship with such client plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law. If you would like further information on the period for which your personal data will be stored or the criteria used to determine that period please contact us at the address given under section 9 below.

7.   WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?[8]

Depending on the data protection laws, which apply to your situation, you may have the following rights in respect of your personal data:

  • To access: you may have the right to obtain information relating to the processing of your personal data, and a copy of such personal data.
  • To rectify: where you consider that your personal data is inaccurate or incomplete, you can require that such personal data be modified accordingly.
  • To erase: in some circumstances, you can require the deletion of your personal data, to the extent permitted by law.
  • To restrict: in some circumstances, you can request the restriction of the processing of your personal data.
  • To object: in some circumstances, you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
  • To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
  • To data portability: where legally applicable, you may have the right to have the personal data you have provided to us, returned to you or, where technically feasible, transferred to a third party.

If you require further information, or if you wish to exercise the rights listed above, please send a letter or e-mail to the address set out in section 9 below. Please include a scan/copy of your identity card for identification purposes when required[9].

 In accordance with applicable regulation, in addition to your rights above you are also entitled to lodge a complaint with the competent supervisory authority.

8.   HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?

In a world of technological change, we may need to update this Data Protection Notice from time to time.

We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.

9.   HOW TO CONTACT US?

If you have any questions relating to our use of your personal data under this Data Protection Notice, or if you would like a copy of this Data Protection Notice in your native language, please contact our Data Protection Office gdpr.desk.cib@bnpparibas.com and for clients of BNP Paribas Securities Services, please contact our Data Protection Office gdpr.desk.bp2s@bnpparibas.com[10]

If you wish to learn more about Privacy and Security, please refer to our cookies policy.

10. COUNTRY-SPECIFIC PROVISIONS

Austria

We, BNP Paribas entities registered in Austria, will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Austrian banking secrecy law and/or other local statutory requirements.

Bahrain

This section applies solely to data owners in the Kingdom of Bahrain as defined under the Bahrain Personal Data Protection Law No. 30 of 2018 (“PDPL”) and our policies have been developed in line with the provisions of the PDPL which came into effect on 1 August 2019.

In addition to the above disclosures, the following applies to Bahrain data owners protected by the PDPL:

  • In case of transfers of personal data outside the Kingdom of Bahrain, we make sure to transfer your personal data to countries and regions that provide sufficient level of protection for your personal data. Such transfers, to the extent practicable, shall be in accordance with any applicable lists recognized by the relevant authorities and laws.
  • Furthermore, in case of transfers of personal data outside the Kingdom of Bahrain, we will only disclose your personal data to such third party or parties (“Data Processor(s)”) where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.
  • In some instances, we may be required to transfer your personal data to other countries whose level of protection has not been recognized by the relevant authorities in terms of the PDPL. In such cases, we may rely on (i) the exceptions provided by the PDPL (e.g. if the transfer is necessary to perform our contract with you); as well on (ii) sufficient guarantees regarding the measures to protect the confidentiality and security of the personal data.
  • A controller is described under the PDPL as a data manager and is defined as the person who decides, solely or in association with others, the purposes and means of processing of certain personal data. In the events where such purposes and means are prescribed by Bahrain law, the Data Manager shall be the person who is responsible for the processing of the data. All references in this Notice to “controller” are references to “data manager” as defined under the PDPL.
  • Processing is defined under the PDPL as any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.
  • Processing of sensitive personal data is also prohibited without the consent of the data owner, except in some instance as outlined under the PDPL, including, without limitation, when the processing is related to the race or ethnicity, if they are necessary to ascertain equal opportunities or treatment of the society’s individuals.
  • Data owners may at any time withdraw a previous approval they had granted to process their personal data.
  • You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal data. If you wish to exercise the rights listed above, please send a letter to the following address:

 

Data Protection Office c/o Risk ORC
Bahrain Financial Harbour
West Tower
King Faisal Highway
Manama, Kingdom of Bahrain
P.O Box 5241
mea.communications.data.rights@bnpparibas.com

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

Belgium

To the extent one of BNP entities registered in Belgium (“we”) is a controller of your personal data, please be informed of the specific provisions below:

In addition to any recording of electronic communications that is either permitted or required by applicable law or to which you have consented, we may record electronic communications with you, including the related traffic data, in the course of our lawful business practice for the purposes of:

  • training and supervision of our personnel and improving the quality of our services; and/or
  • providing evidence of commercial transactions, or communications that took place through these electronic communications including the content of these communications (including any advice being given by us).

We may retain such records as long as legally required or permitted including for the period of time during which a dispute may arise further to the electronic communication recorded between you and us.

The above applies to phone conversations as well as all other electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) with our call center, (independent) branches, private banking and business centres, dealing rooms and other bank’s representatives.

We, BNP Paribas Fortis SA/NV ask that, for any questions you may have, as well as to exercise your rights, please contact us through one of the following channels:

We, BNP Paribas Securities Services Brussels ask that for any question you may have, please send your request to the following email address gdpr.desk.bp2s@bnpparibas.com. In a purpose to exercise your rights, please send a message to our Data Protection Office gdpr.desk.bp2s@bnpparibas.com .

 Brazil

We, BNP Paribas entities registered in Brazil, will only process personal data in accordance with the Brazilian Federal Data Protection Law 13.709/2018 (LGPD).

A translated version of this Data Protection Notice can be found at: Aviso de Privacidade e Proteção de Dados – CIB (bnpparibas.com.br)

For any question you may have, as well as to exercise your rights, please send your request to one of the following email addresses:

– Corporate & Institucional Banking (CIB): br-client.service@br.bnpparibas.com

– Security Services (Custodia & Administração de Fundos): atendimentoafs@br.bnpparibas.com

– Cash Management (Cliente do Serviço de Cobrança e Adiantamento a Fornecedores): operations.cashmanagement@br.bnpparibas.com

In case you have any problem, please contact the Data Protection Officer at dpo.cib.brazil@br.bnpparibas.com.

California Residents

(This section applies solely to Consumers who reside in the State of California as defined under the California Consumer Privacy Act of 2018 (“CCPA”))

In addition to the above disclosures, the following applies to California residents protected by the CCPA:

  • Personal information is defined under the CCPA to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular California consumer or household. Examples include, but are not limited to, social security numbers, bank and credit account information, transaction histories, credit information, and biometric data.
  • A consumer may request that we disclose to you (a) the categories of personal information the we have collected about you, (b) the categories of sources from which the personal information is collected, (c) the purpose for collecting the personal information, (d) the categories of third parties with whom we shares personal information, and (e) the specific pieces of personal information that we have collected about you
  • A consumer has a right to receive non-discriminatory treatment by a covered business for the exercise of privacy rights conferred by CCPA. For example, a business must not offer a consumer unfair services or pricing because they have exercised their CCPA rights.
  • Currently we do not sell personal information. If, in the future, we seek to sell the personal information of California residents, we will provide notice and the opportunity to opt out.
  • If you would like to contact us to exercise your rights under CCPA, you may do so by email at: dataprivacy@us.bnpparibas.com; or by phone at: 212-841-3000.
  • If you would like to contact us to exercise your rights under CCPA, or if you are a parent, guardian or legal representative making a request on behalf of a California resident, you may do so by email at: dataprivacy@us.bnpparibas.com; or by phone at: 212-841-3000.
  • Please note that identities of individuals requesting deletion or disclosure of their personal information must first be verified to protect you and the Bank from fraud and identity theft.
  • Please note that not all personal information is eligible to be deleted.

[Canada

We, as BNP Paribas Canada, may collect certain personal information for the purposes of performing appropriate screening if we are obliged by statutory law to do so (e.g. for security and fraud prevention reasons).

We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs local statutory requirements in relation to personal data.

We, BNP Paribas Canada, ask that for any question you may have, as well as to exercise your rights, please send your request to the following email address: privacy.officer@ca.bnpparibas.com

Cayman Islands

To the extent a BNP Paribas entity (“we“) (i) is established in the Cayman Islands and (ii) is a controller of your personal data in the context of that establishment, then as and when the Data Protection Law, 2017 of the Cayman Islands (the “DPL“) comes into force, the DPL will apply to us and you will have rights under the DPL.

The framework and application of the DPL is similar to that of the European General Data Protection Regulation, and accordingly the provisions of the Data Protection Notice broadly apply. In particular, your rights under the DPL are analogous to those listed in section 7 (What are your rights and how can you exercise them?).  International data transfers will be subject to the same safeguards as those summarised in section 5 (Transfers of personal data outside the EEA).

The competent supervisory authority for purposes of the DPL is the Ombudsman of the Cayman Islands (www.ombudsman.ky).

Should you have any questions in respect of the application of the DPL please write to dl.hfsky_legal@us.bnpparibas.com.

Channels Islands 

We will use the information you provide in a manner that conforms with the Data Protection (Jersey) Law 2018 and Data Protection (Bailiwick of Guernsey) Law, 2017.

For any questions you may have, as well as to exercise your rights, please send your request to the following email address: dataprotectionci@je.bnpparibas.com

Czech Republic

Data Subject Rights

We, BNP Paribas entities registered in Czech Republic, including BNP Paribas S.A., registration number 662042449 RCS Paris, with its registered office at 5009 Paris, 16 Boulevard des Italiens, France, acting in the Czech Republic through its branch office BNP Paribas S.A., pobočka Česká republika, will not require you to include a scan/copy of your identity card for identification purposes, if you wish to exercise the rights listed in section 7 above. Instead, for identification purposes, you can,

  • Visit BNP Paribas entities registered in Czech Republic in person.
  • Send an original letter with your hand signature which has been verified by a notary public.
  • Send as an email with your qualified electronic signature.

 Complaints

In accordance with applicable regulation, you are also entitled to lodge a complaint with the competent supervisory authority. The contact details of the supervisory authority in the Czech Republic is:

ADDRESS: Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic

TELEPHONE NUMBER: +420 234 665 111

EMAIL: posta@uoou.cz

DATA BOX: qkbaa2n

Changes to this Data Protection Notice

We may need to update this Data Protection Notice from time to time. We will inform you of any material changes through our website: https://www.bnpparibas.cz/en/ 

Denmark

Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, as well as certain services of BNP Paribas Securities Services, in Denmark is:

BNP Paribas S.A., Denmark

Filial af BNP Paribas S.A., Frankrig

CVR no. 38 45 16 34

Adelgade 12, 3rd floor

DK-1304 Copenhagen K

Email: noortje.cramer@bnpparibas.com

Telephone no: + 45 32 71 19 40

Marketing

We, BNP Paribas S.A., Denmark, filial af BNP Paribas S.A., Frankrig will only send you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with Danish law.

Recording of telephone conversations

The Bank may record telephone conversations with clients for the purposes of documenting the content of agreements and to ensure the level of client services. All recordings of telephone conversations will be done in accordance with Danish law. Any recordings will be for the Banks own internal purposes and will not be disclosed to any third party, except within the BNP Paribas S.A. group.

Retention periods

In general and unless there are special reasons for a longer retention period, personal data will be stored for up to 5 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (as amended from time to time).

Questions

We, BNP Paribas S.A., Denmark filial af BNP Paribas S.A., Frankrig, ask that for any complaints you may have, please send your complaint to the following address:

BNP Paribas S.A., Denmark

Filial af BNP Paribas S.A., Frankrig

CVR no. 38 45 16 34

Adelgade 12, 3rd floor

DK-1304 Copenhagen K

Attention DPO

 Germany

We, BNP Paribas entities registered in Germany, including BNP Paribas Niederlassung Deutschland, will only record phone communications you have with us if we are obliged by statutory law to do so or we have received your prior consent to such phone recording.

We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of German banking secrecy law and/or other local statutory requirements.

 Does Profiling Take Place?

We partly process your data in an automated manner with the objective to evaluate certain personal aspects (profiling). Profiling is used by us, for instance, in the following cases:

  • We are obliged, due to statutory and regulatory requirements, to combat money laundering, terrorist financing and criminal offences endangering financial assets. In doing so, we also perform data evaluation (amongst other things, in payment transactions). At the same time, these measures serve for your protection.
  • To be capable to purposefully informing you about products and providing you with advice, we use evaluation instruments. These allow for a demand-focused communication and advertising, including market research and opinion research.

Hungary

We, as BNP Paribas entities registered in Hungary, will only record phone communications you have with us if we are obliged by statutory law to do so (e.g. mandatory recording of complaints) or we can prove a legitimate interest  to such phone recording.

Notwithstanding the terms of this Data Protection Notice, we will only disclose your personal data, as set out in this Data Protection Notice, to the extent this does not violate provisions of the Hungarian banking secrecy law and/or other local statutory requirements.

For any question you may have, as well as to exercise your rights, please send your request to the following email address: hu.cib.gdpr@bnpparibas.com

 Ireland

BNP Paribas entities registered in Ireland, will not record any phone communications with you unless we have received your authorisation to such phone recording.

We, BNP Paribas Securities Services Dublin Branch and BNP Paribas Fund Administration Services (Ireland) Limited ask that for any question you may have, as well as to exercise your rights, please send your request to the following email address: dataprotection.bpss.ireland@bnpparibas.com.

We, BNP Paribas, Dublin branch, ask that for any question you may have, as well as to exercise your rights, please send your request to the following email address dataprotectionofficer-roi@bnpparibas.com

Italy

For other questions relating to our use of your personal data, please contact the Italian Data Protection Officer at italydataprotectionofficer@bnpparibas.com

 Kuwait

This section applies solely to data subjects in the State of Kuwait. Although the State of Kuwait does not have a specific personal data protection law, BNPP Group applies international best practice, as noted in our data protection notice above, when collecting, storing, transferring and processing personal and confidential information. Furthermore BNPP Group observes all local laws and regulations as they pertain to private and confidential data relating to personal status, health status, financial information and other personal information.

 Luxembourg
We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Luxembourg banking secrecy law and/or other local statutory requirements.

We, BNP Paribas, Luxembourg branch, ask that for any question you may have, as well as to exercise your rights, please send your request to the following email address: dpo@bgl.lu.

We, BNP Paribas Securities Services, Luxembourg branch, ask that for any question you may have, as well as to exercise your rights, please send your request to the following email address: gdpr.desk.securities.lu@bnpparibas.com.

Morocco

This section applies solely to data subjects in the Kingdom of Morocco as defined under Law No 09-08, dated February 18, 2009 relating to the protection of individuals with regard to the processing of personal data and its implementation Decree n° 2-09-165 of May 21, 2009 (together the “DP Law”) and the BNPP Group policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of the DP law.

To the extent BNP Paribas Regional Investment Company, with registered address Lot 57, Tour CFC, 15th floor, Casa Anfa Hassani Street, Casablanca, commercial number 293279, Casablanca, Morocco (“we”) is a controller of your personal data, please be informed of the specific provisions below. The below specific provisions are in addition to the above disclosures noted on this Data Protection Notice:

  • In case of transfers of personal data to a foreign state, we make sure to transfer your personal data to countries and regions with legal frameworks that provide an adequate level of protection for the privacy and fundamental rights and freedoms in respect of the processing of your personal data. Such transfers are done pursuant to the requisite authorizations by the relevant authorities and laws.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties (“Data Processor(s)”) where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send a letter to the following address:

Data Protection Officer
Lot 57, Tour CFC,
15th floor,
Casa Anfa Hassani Street,
Casablanca,
Morocco

The competent supervisory authority for purposes of the DP Law is the Data Protection National Commission (Commission Nationale de Protection des Données Personnelles).

 Norway

Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, as well as certain services of BNP Paribas Securities Services, in Norway is:

BNP Paribas S.A. Norway Branch (NUF)

Filial of BNP Paribas S.A., France

Org. no. 918 654 496

Visiting address: Støperigata 2, 0250 Oslo, Norway

Postal address: Postbox 106 Sentrum, 0102 Oslo

Email: noortje.cramer@bnpparibas.com

Telephone no.: +47 22 82 95 65

Marketing

We, BNP Paribas S.A., Norway Branch, will only send you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with Norwegian law.

Recording of telephone conversations

The Bank may record telephone conversations with clients for the purposes of documenting the content of agreements and to ensure the level of client services. All recordings of telephone conversations will be done in accordance with Norwegian law. Any recordings will be for the Banks own internal purposes and will not be disclosed to any third party, except within the BNP Paribas S.A. group.

Retention periods

In general and unless there are special reasons for a longer retention period, personal data will be stored for up to 5 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Norwegian  Act on Measures to Prevent Money Laundering and Financing of Terrorism (as amended from time to time).

Questions

We, BNP Paribas S.A., Norway Branch ask that for any queries you may have about the Bank’s processing of

Personal Data, please send your queries to the following address:

BNP Paribas S.A. Norway Branch

Org. no. 918 654 496

PO Box 106 Sentrum, NO- 0102 OSLO,

Norway

Attention DPO

 Poland

This notice is issued by BNP Paribas S.A. Branch in Poland and BNP Paribas Securities Services SKA Branch in Poland.

We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Polish banking and professional secrecy law and/or other local statutory requirements.

For any question you may have, as well as to exercise your rights, please send your request to the following email address: pl.cib.iodo@bnpparibas.com.

Qatar

This section applies solely to data subjects in the State of Qatar as defined under Law No. (13) of 2016 Concerning Personal Data Protection (the “QDPL”) and BNPP Group policies that have been adjusted in line with the provisions of the QDPL which took effect in 2017. The QDPL applies to personal data when this data is any of the following: (1) Processed electronically; (2) Obtained, collected or extracted in any other way in preparation for electronic processing; and (3) Processed by combining electronic processing and traditional processing.
Personal data is defined under the QDPL as data relating to a natural person whose identity is identified or is reasonably identifiable, whether through this data or by means of combining this data with any other data or details. In addition to the above disclosures, the following applies to Qatar data subjects protected by the QDPL

  • We will only collect, process and transfer personal data with your consent, unless it deemed necessary for realizing a “lawful purpose”.
  • We make sure to transfer your personal data to countries and regions with legal frameworks that provide an adequate level of protection for the privacy and fundamental rights and freedoms in respect of the processing of your personal data. Such transfers are done pursuant to the provision of the QDPL.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.
  • Unsolicited direct marketing is prohibited under the QDPL, we will always obtain your prior consent to send electronic marketing communications (including by wired or wireless communication).
  • Data subjects may at any time withdraw a previous approval they had granted to process their personal data.
  • Processing of sensitive personal data (related to racial origin, children, health or physical or psychological status, religious beliefs, marital relationship and criminal offence) is prohibited without the consent of the data owner, or the approval of the relevant authority in line with the QDPL.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send a letter to the following address:

BNP Paribas SA – Qatar Branch
Al Fardan Office Tower, 6th Floor,
61 Al Funduq Street
Diplomatic District, West Bay, Qatar
Attention: Data Protection Officer

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

Saudi Arabia

This section applies solely to data subjects in the Kingdom of Saudi Arabia. Although the Kingdom of Saudi Arabia does not have a specific personal data protection law, BNPP Group’s applies international best practice, as noted in our data protection notice above, when collecting, storing, transferring and processing personal and confidential information. Furthermore BNPP Group observes all local laws and regulations as they pertain to private and confidential data relating to personal status, health status, financial information and other personal information.

South Africa

To the extent BNP Paribas SA South Africa Branch, with registered office at 11 Crescent Drive, Melrose Arch, Johannesburg, (“we”) is a controller of your personal data, please be informed of the specific provisions below. The below specific provisions are in addition to the above disclosures noted on this Data Protection Notice:
(a) We will use the information you provide in a manner that conforms with the (i) Promotion of Access to Information Act 2 of 2000 as well as (ii) the Protection of Personal Information Act, 4 of 2013, which regulates and controls the processing of natural and juristic persons’ personal data.
(b) if you are a juristic person:

  • we may collect and use personal data relating to the juristic person’s directors, officers, employees, beneficial owners, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, spouses of guarantors, sureties, spouses of sureties, other security providers and other persons related to the juristic person (hereafter referred to as “Related persons”);
  • you may provide the personal data of a Related Person to us, on condition that you warrant that the Related Person is aware that you are sharing their personal data with us, and that the related person has consented thereto. We will process the personal Data of related persons as stated in this Data Protection Notice, thus references to “you” or “your” in this Data Protection Notice will include related persons with the necessary amendments.

(c) information we may share with other banks or request from other banks (Banker’s Code)

  • Another bank may ask us, at the request of that bank’s customer or for the bank itself, to provide information about your financial position. This is done by issuing what is known as a “Banker’s Code”. A Banker’s Code will only be provided with your express, implied, or tacit consent.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send a letter to the following address:

BNP Paribas SA – South Africa Branch
4th Floor
11 Crescent Drive
Melrose Arch
2196
Johannesburg
South Africa
Attention: Information Officer

Please include a scan/copy of your identity card for identification purpose. In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

Spain

For any question you may have, as well as to exercise your rights, please send your request to the following email address: DPOdeskSpain@bnpparibas.com.

Sweden

Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, as well as certain services of BNP Paribas Securities Services, in Sweden is:

BNP Paribas SA, Bankfilial Sverige

Corporate registration number: 516406-1029Postal address:    P.O. Box 7763

103 96 Stockholm

Visitors: Hovslagargatan 3

111 48 Stockholm

Email:                    noortje.cramer@bnpparibas.com

Telephone no:      +46 8 562 347 00

We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of Swedish banking secrecy law and/or Swedish anti-money laundering obligations and/or other local statutory requirements.

Recording of telephone conversations

The Bank may record telephone conversations with clients for the purposes of documenting the content of agreements and to ensure the level of client services. Any and all recordings of telephone conversations will be done for the Bank’s internal purpose and in accordance with Swedish law and shall not be disclosed to any third party, except within the BNP Paribas SA Group.

Retention periods

In general, and unless there are special reasons for a longer retention period, personal data will be stored for up to 5 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Swedish Money Laundering and Terrorist Financing (Prevention) Act (as amended from time to time).

Questions

We, BNP Paribas SA, Bankfilial Sverige ask that for any questions that you may have, please direct such questions to the following address:

BNP Paribas SA, Bankfilial Sverige

P.O. Box 7763

103 96 Stockholm

Attention: DPO

Switzerland

We, BNP Paribas Suisse, kindly ask you to read the BNP Paribas (Suisse) SA data protection notice (the “BNPPS Notice”) which refers to Swiss data protection legislation and is found at http://www.bnpparibas.ch/en/privacy-policy. The BNPPS Notice is similar to this Data Protection Notice but, where personal data is controlled by BNP Paribas (Suisse) SA, the BNPPS Notice will, in the event of a conflicting term, prevail over the Data Protection Notice.

Please note that BNP Paribas (Suisse) SA will only disclose your data as set out in the BNPPS Notice to the extent this does not violate provisions of the Swiss banking secrecy laws and/or other local requirements.

Clause 5 of the BNPPS Notice reads as follows:

TRANSFERS OF PERSONAL DATA OUTSIDE SWITZERLAND OR THE EEA

In case of international transfers to a country for which the competent Authority has recognised that it provides an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to a country where the level of personal data protection has not been recognised as “adequate” by the competent Authority, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement standard contractual clauses approved by the competent Authority to ensure the protection of your personal data.

To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in this section.

For any question you may have, as well as to exercise your rights, please contact BNP Paribas (Suisse) SA at the following email address: dataprotection.switzerland@bnpparibas.com.

UAE – Abu Dhabi Global Market Free Zone

This section applies solely to data subjects in Abu Dhabi Global Market (“ADGM”) as defined under ADGM Data Protection Regulations 2015 (DPR 2015) as amended by Data Protection (Amendment) Regulation 2018 (together the “DPR”) and the Bank’s policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of the DPR. In addition to the above disclosures, the following applies to data subjects protected by the DPR:

  • We make sure to transfer your personal data to countries and regions that provide sufficient levels of protection for your personal data. Such transfers, to the extent practicable, shall be in accordance with any applicable lists recognized by the relevant authorities and laws.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send a letter to the following address:

BNP Paribas SA – ADGM Branch
Part of 28th floor, 28, Al Khatem Tower,
Adgm Square, Al Maryah Island, Abu Dhabi
United Arab Emirates
Attention: Data Protection Officer

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

UAE – Dubai International Financial Centre

This section applies solely to data subjects in Dubai International Financial Centre (“DIFC”) as defined under DPL No. 5 of 2020 (together the “DIFC DPL”) and BNPP Group policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of the DIFC DPL. In addition to the above disclosures, the following applies to data subjects protected by the DIFC DPL:

  • We make sure to transfer your personal data to countries and regions that (i) provide sufficient levels of protection for your personal data; and (ii) provide adequate legal remedies. Such transfers, to the extent practicable, shall be in accordance with any applicable lists recognized by the relevant authorities and laws.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.
  • In some instances, we may be required to transfer your personal data to other countries whose level of protection has not been recognized by the relevant authorities in terms of the DIFC DPL. In such cases, we may rely on (i) the exceptions provided by the DIFC DPL (e.g. appropriate safeguards have been provided by the controller or processor of data and that enforceable data subject rights and effective legal remedies for data subjects are available
  • Data subjects may at any time withdraw a previous approval they had granted to process their personal data
  • Processing of special categories of personal data (related to Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person) is prohibited without the consent of the data owner, or one of the exception outlined under the DIFC DPL.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send a letter to the following address:

BNP Paribas Wealth Management (DIFC) Ltd
DIFC, The Gate Building East, Level 12
P.O. Box 506573, Dubai
United Arab Emirates
Attention: Chief Operating Officer

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

United Arab Emirates
This section applies solely to data subjects in the United Arab Emirates (the “UAE”). Although the UAE does not have a comprehensive data protection law at its federal level, there are a number of laws in place that govern privacy law and data security. BNPP Group applies international best practice, as noted in our data protection notice above, when collecting, storing, transferring and processing personal and confidential information. Furthermore BNPP Group observes all local laws and regulations as they pertain to private and confidential data relating to personal status, health status, financial information and other personal information.

[1] https://group.bnpparibas/en/group/bnp-paribas-worldwide

[2] Depending on the country, the legal basis may be to comply with legal and regulatory obligation or to fulfil our legitimate interest.

[3] Depending on the country, the legal basis may be to comply with legal and regulatory obligation or to fulfil our legitimate interest.

[4] We will only record or monitor communications to the extent permitted, and subject to any conditions applied, by applicable law (including any requirement to obtain your prior consent to such recording). Please also see country-specific schedules at the end of this Data Protection Notice, particularly relating to data subjects in Germany.

[5] Depending on the country, the legal basis may be to comply with legal and regulatory obligation or to fulfil our legitimate interest

[6] Depending on the country, the legal basis may be to comply with legal and regulatory obligation or to fulfil our legitimate interest

[7] We will only record or monitor communications to the extent permitted, and subject to any conditions applied, by applicable law (including any requirement to obtain your prior consent to such recording). Please see country-specific schedules at the end of this Data Protection Notice, particularly relating to data subjects in Germany.

[8] For the avoidance of doubt, in the event that the European General Data Protection Regulation applies, such as where a BNP Paribas entity within the EEA controls your personal data, in accordance with applicable law you will have the following rights in respect of your personal data. Right to: access; rectification; erasure; restriction, objection, withdraw of consent and data portability.

[9] We will only request a scan/copy of your identity card for identification purposes to the extent permitted, and subject to any conditions applied, by applicable law. Please also see country-specific schedules at the end of this Data Protection Notice, particularly relating to Czech Republic.

[10] For local contact details, where applicable, please see country-specific schedules.

  • BNP Paribas