Data Protection Notice
Last update: February 2023
We take the protection of your personal data very seriously.
BNP Paribas S.A. Norway Branch (NUF) in relation to its Corporate and Institutional Banking (CIB) business (“we”, “our”), as a controller, is responsible for collecting and processing your personal data in relation to our banking activities which include capital markets services, securities services, financing, treasury and advisory services.
The business of the BNP Paribas Group is to help all of their clients: individuals; entrepreneurs; small and medium-sized enterprises; large companies; multi-national groups and institutional investors, in all of their activities from their day-to-day banking requirements to their commercial objectives and projects, by providing appropriate financing, investment, multi-asset servicing, savings and insurance solutions.
As a member of an integrated banking and insurance group, in collaboration with the various entities of the Group, BNP Paribas Group provide our clients with a complete range of banking, insurance and leasing products and services.
Whether under the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and/or other applicable data protection legislation, the purpose of this Data Protection Notice is to inform you of: the personal data we collect about you; the reasons why we use and share such data; how long we keep the data; what your rights are (as to the control and management of your data) and how you can exercise your personal data rights.
Further information may be provided where necessary at the time of collection of your personal data.
The relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, in Norway is:
BNP Paribas S.A. Norway Branch (NUF)
Filial of BNP Paribas S.A., France
Org. no. 918 654 496
Visiting address: Støperigata 2, 0250 Oslo, Norway
Postal address: Postbox 106 Sentrum, 0102 Oslo
Telephone no.: +47 22 82 95 65
1. ARE YOU SUBJECT TO THIS NOTICE?
This Data Protection Notice applies to you (“you”) if you are:
- an employee, consultant, contractor, legal representative, shareholder, investor, or beneficial owner of:
- a client;
- a prospective client;
- a client or counterparty of our clients(s); or
- a counterparty;
- a beneficiary of financial transactions (payment or shares) or contracts, policies, or trust;
- an ultimate beneficial owner in the context of our services;
- a company shareholder;
In certain circumstances, we collect information about you even if we do not have a direct relationship with you. This indirect collection of information about you may happen, for instance, in the course of our relationship with our clients or counterparties.
When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Data Protection Notice, as it provides them useful information about their rights. We will ensure that we will do the same whenever possible (e.g., when we have the person’s contact details).
2. HOW CAN YOU EXERCISE YOUR RIGHTS IN THE CONTEXT OF OUR PERSONAL DATA PROCESSING?
You have rights under, and in accordance with, applicable data protection law which allows you to exercise real control over your personal data and how we process it.
Should you wish to exercise the rights summarised below please refer to section 9 (How to contact us).
- You can request access to your personal data
We will provide you with a copy of your personal data promptly upon request, together with information relating to its processing.
Your right of access to your personal data may, in some cases, be limited by applicable law and/or regulation.. In this case, you must exercise your right of access with your data protection authority (details of which are listed in Appendix B), which may request the data from us.
- You can ask for the correction of your personal data
Where you consider that your personal data is inaccurate or incomplete, you can request that we modify or complete such personal data. In some cases, you may be required to provide supporting documentation.
- You can request the deletion of your personal data
If you wish, you may request the deletion of your personal data, to the extent permitted by law.
- You can object to the processing of your personal data based on legitimate interests
If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for your objection. We will cease processing your personal data unless we can demonstrate compelling legitimate grounds for processing, which override the interest, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- You can object to the processing of your personal data for direct marketing purposes
You have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling, insofar as it is linked to such direct marketing.
- You can suspend the use of your personal data
If you query the accuracy of the personal data we use, we will review and/or verify the accuracy of such personal data. If you object to the processing of your personal data, we will review the basis of the processing. You may request that we suspend the processing of your personal data while we review your query or objection.
- You can withdraw your consent
If you have given your consent to the processing of your personal data, you can withdraw this consent at any time. Should you wish to withdraw your consent, please refer to section 9 (How to contact us).
- You can request the portability of part of your personal data
You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.
- How to file a complaint with your supervisory authority
In addition to the rights mentioned above, you may lodge a complaint with the Norwegian Data Protection Authority (No: Datatilsynet)
Visiting address: Tollbugata 3, 0152 Oslo
Postal address: Postboks 458 Sentrum, 0105 Oslo
Tel. +47 22 39 69 00
3. WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?
In this section we explain why we process your personal data and the legal basis for doing so.
- Your personal data is processed to comply with our various legal and/or regulatory obligations
Your personal data is processed where necessary to enable us to comply with the laws and/or regulations to which we are subject, including banking and financial regulations.
- We use your personal data to:
- monitor operations and transactions to manage, prevent and detect fraud ;
- monitor and report risks (financial, credit, legal, compliance or reputational risks, operational risks etc.) that we/and or the BNP Paribas Group could incur;
- record, in compliance with the Markets in Financial Instruments Directive II, Alternative Investment Fund Managers Directive, the Market Abuse Regulation and/or the Benchmark Regulation, communications in any form, including voice, emails, chats, relating to, at the very least, transactions performed within proprietary trading and the provision of services relating to orders, in particular their receipt, transmission, execution and recording;
- assist the fight against tax fraud and fulfil tax control and notification obligations, including in the context of US Foreign Account Tax Compliance Act and Automatic Exchange of Information obligations;
- fulfil our obligations to declare and register transactions with the competent authorities (tax, judicial, criminal, etc);
- record transactions for accounting purposes;
- prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
- detect and prevent bribery and corruption;
- detect and manage suspicious orders and transactions;
- exchange and report different operations, transactions or orders or reply to an official request from duly authorized local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.
- We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes
As part of a banking group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions which may require the processing of your personal data primarily through our Know Your Customer (KYC) process (to identify you, verify your identity and screen your details against sanctions lists, prior to and in the course of our services).
In the context of this processing we, as a branch of BNP Paribas SA, are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” in this section also includes BNP Paribas SA).
The processing activities performed to meet these legal obligations are detailed in Appendix A.
- Your personal data is processed to fulfil our legitimate interest or that of a third party
Where we base a processing activity on legitimate interest, we balance that interest against your interests and fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 9 (How to contact us) below.
- In the course of our business as a bank, we process your personal data to:
- Manage your access to and use of our web communication channels and applications in the context of our contractual and pre-contractual relationships with our clients; counterparts; and/or service providers.
- communicate with you in the context of services provided to our clients and counterparties;
- manage the risks to which we are exposed:
- we keep evidence of, and sometimes record operations, transactions and communications when you interact with our employees (eg. in our chat rooms, via emails, or during video conferences);
- we monitor transactions to manage, prevent and detect fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters);
- we manage legal claims and defend our position in the event of litigation.
- enhance cyber security and data leakage prevention measures, manage our platforms and websites, and ensure business continuity.
- use video surveillance to monitor access to property and prevent personal injury and damage to people and property.
- monitor compliance with our internal policies and procedures including but not limited to our code of conduct. This may include monitoring of voice, email and chat communications when you interact with our employees (please refer to section 3.3.3 below).
- enhance the automation and efficiency of our operational processes and client services (e.g., automatic filing of complaints, tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you such as e-mails or chats).
- comply with the provisions applicable to trust service providers issuing electronic signature certificates.
- carry out financial operations such as debt portfolio sales, securitizations, financing or refinancing of the Group.
- conduct statistical studies and develop predictive and descriptive models for:
- commercial purposes: to identify the products and services that could best meet our clients’ needs, to create new offers based on trends arising from our web communication channels and application use, to develop our commercial policy taking into account our clients’ preferences
- safety purposes: to prevent potential incidents and enhance safety management;
- compliance and risk management purposes (eg., anti-money laundering and countering the financing of terrorism);
- anti-fraud purposes.
- We use your personal data to send you commercial offers by electronic means, post and phone
As part of the BNP Paribas Group, we want to be able to offer our clients’ access to the full range of products and services that best meet their needs.
If you are identified as a contact or representative of a client; or counterparty, and unless you object, we may send you offers by any means for our products and services and those of the Group.
We will use reasonable endeavours to ensure that these offers relate to products or services that are relevant to our clients or prospective clients’ activities.
We, will only send you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with Norwegian law.
- We may record telephone conversations and other electronic communication
We are required to detect and report any suspicious behaviour which is in scope of the EU Market Abuse Regulation (MAR) and the Markets in Financial Instruments Directive II (MiFID II).
Consequently, we record and surveil telephone conversation and electronic communications that you have with our employees in our Global Markets, ALMT, ECM and DCM teams. This recording and surveillance is necessary to satisfy our regulatory requirements to various regulators.
All recordings of telephone conversations will be done in accordance with applicable law.
- Your personal data is processed if you have given your consent
For some personal data processing activities, we will give you specific information and ask for your consent. Of course, you can withhold your consent or, if given, withdraw your consent at any time.
In particular, we ask for your consent to:
- Manage newsletter subscriptions;
- Manage events;
- Use your navigation data to enhance our knowledge of your profile in accordance with our Cookies Policy.
You may be asked for further consent to process your personal data where necessary.
4. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?
We collect and use your personal data, meaning any information that identifies or, together with other information, can be used to identify you.
We collect various types of personal data about you, including:
- identification information (e.g. full name, identity (e.g. copy passport, driving licence), nationality, place and date of birth, gender, photograph);
- contact information private or professional (e.g. postal and e-mail address, phone number etc.);
Employment information (e.gemployer’s name);
- data from your interactions with us or about us: our branches (contact reports), our internet websites and our apps;
- connection and tracking data such as cookies, connection to online services, IP address, meetings, calls, chats, emails, interviews, phone conversations;
- interactions with our employees: meetings, calls, chats, emails, interviews, phone conversations;
- information about your device (including MAC address, technical specifications and uniquely identifying data); and
- login credentials used to connect to BNP Paribas’ website and apps.
We may collect sensitive data such as data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations.
Please note that you are not required to provide any of the personal data that we request. However, your failure to do so may result in us being unable to provide our services.
5. WHO DO WE COLLECT PERSONAL DATA FROM?
We may collect personal data directly from you as staff of our clients, counterparties and their service providers in the context of our activities and services.
We sometimes collect data from public sources:
- publications/databases made available by official authorities or third parties (e.g., the Official Journal of the French Republic, the Trade and Companies Register, databases managed by the supervisory authorities of the financial sector);
- websites of legal entities or business clients containing information that you have disclosed (e.g., your own website);
- public information such as that published in the press.
We also collect personal data:
- from other Group entities;
- from our business partners or our clients’ business partners;
- from service providers (e.g. payment initiation providers, service providers of account information such as account aggregators);
- from credit reference agencies and fraud prevention agencies.
6. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?
- With BNP Paribas Group‘s entities
As a member of the BNP Paribas Group, we work closely with the Group’s other companies worldwide. Your personal data may therefore be shared between Group entities, where necessary, to:
- comply with our various legal and regulatory obligations described above;
- fulfil our contractual obligations or legitimate interests described above; and
- conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;
Sharing with Group companies may extend to intragroup processors which perform services on our behalf (such as our hubs in India, Portugal and Spain). Please find below details on some of our intra group processors.
BNP PARIBAS INDIA SOLUTIONS PRIVATE LIMITED
Address: Unit number 601, 6th Floor,
Infinity Building Number 04, Off Film city Road,
Malad East, Mumbai
Company number: U72200MH2005PTC151511
BNP Paribas, Portugal Branch
Address: Torre Ocidente, Rua Galileu Galilei, nº 2, 13º piso,
1500-392 Lisboa, Portugal
NIPC: 980 000 416
BNP Paribas Sucurssal ESPANA
Address: C/ Emilio Vargas4
Madrid 28043 Spain
Madrid Commercial Registry: Page M-40.598
- With recipients outside the BNP Paribas Group
In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with data processors which perform services on our behalf (e.g., IT service providers, logistics, printing services, telecommunication, advisory and distribution and marketing).
We may also, where we consider it necessary, share your personal data with other data controllers, as follows:
- banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual or legal obligations or process transactions (e.g., banks, correspondent banks, custodians, issuers of securities, paying agents, exchange platforms, payment system operators, intermediaries, mutual guarantee companies or financial guarantee institutions);
- regulators and/or independent agencies, local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (e.g., the Banque de France and other Central Banks), to which we, or any member of the BNP Paribas Group, are required to disclose pursuant to:
- their request;
- our defence, action or proceeding;
- complying with a regulation or a recommendation issued from a competent authority addressed to us or any member of the BNP Paribas Group;
- service providers or third-party payment providers, for the purposes of providing a payment initiation or account information service;
- certain regulated professions such as lawyers, notaries, or auditors particularly when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the Group.
You can obtain more details about sharing with recipients outside the BNP Paribas Group by sending written request to firstname.lastname@example.org.
7. INTERNATIONAL TRANSFERS OF PERSONAL DATA
In certain circumstances (e.g. to provide international services or to ensure operational efficiency), we may transfer your data to another country. This includes transfers of personal data to our branches and subsidiaries in, the United Kingdom, India, APAC and the Americas.
In case of international transfers originating from:
- the European Economic Area (“EEA”) to a non-EEA country, the transfer of your personal data may take place where the European Commission has recognised a non-EEA country as providing an adequate level of data protection. In such cases your personal data may be transferred on this basis;
For other transfers, we will implement an appropriate safeguard to ensure the protection of your personal data, being:
- Standard contractual clauses approved by the European Commission or the UK Government (as applicable); or
- Binding corporate rules.
In the absence of an adequacy decision or an appropriate safeguard we may rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary for the exercise or defence of legal claims).
You can obtain more details about the basis of our international transfers by sending written request to email@example.com.
8. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will retain your personal data for the longer of:
- the period required by applicable law;
- such other period necessary for us to meet our operational obligations, such as: proper account maintenance, facilitating client relationship management, and/or responding to legal claims or regulatory requests.
Most personal data collected is kept for the duration of the contractual relationship with our clients plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law.
In general and unless there are special reasons for a longer retention period, your personal data will be stored for up to 5 years after the contractual relationship with us has terminated or the single transaction conducted pursuant to requirements in the Norwegian Act on Measures to Prevent Money Laundering and Financing of Terrorism (as amended from time to time).
If you would like further information on the period for which your personal data will be stored or the criteria used to determine that period please contact us at the address given under section 9 (How to contact us) below.
9. HOW TO CONTACT US?
If you wish to exercise the rights summarised in Section 2 (How you can exercise your rights in the context of our personal data processing), if you have any questions relating to our use of your personal data under this Data Protection Notice, please contact us at
BNP Paribas S.A. Norway Branch
Org. no. 918 654 496
PO Box 106 Sentrum,
NO- 0102 OSLO, Norway
or for the BNP Paribas Group at firstname.lastname@example.org. In some cases, you may be required to provide evidence of your identity.
10. HOW TO FOLLOW THE EVOLUTION OF THIS DATA PROTECTION NOTICE?
We regularly review this Data Protection Notice and update it as required.
We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.
Processing of personal data to combat money laundering and the financing of terrorism
We are part of a banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all its entities managed at central level, an anti-corruption program, as well as a mechanism to ensure compliance with international Sanctions (i.e., any economic or trade sanctions, including associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed, or enforced by the French Republic, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in territories where BNP Paribas Group is established).
In the context of this processing we, as a branch of BNP Paribas SA, act as joint controller together with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” used in this appendix therefore also covers BNP Paribas SA).
To comply with AML/CFT obligations and with international Sanctions, we carry out the processing operations listed hereinafter to comply with our legal obligations:
- A Know Your Customer (KYC) program reasonably designed to identify, verify and update the identity of our clients, including where applicable, their respective beneficial owners and proxy holders;
- Enhanced due diligence for high-risk clients, Politically Exposed Persons or “PEPs” (PEPs are persons defined by the regulations who, due to their function or position (political, jurisdictional or administrative), are more exposed to these risks), and for situations of increased risk;
- Written policies, procedures and controls reasonably designed to ensure that the Bank does not establish or maintain relationships with shell banks;
- A policy, based on the internal assessment of risks and of the economic situation, to generally not process or otherwise engage, regardless of the currency, in activity or business:
- for, on behalf of, or for the benefit of any individual, entity or organisation subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in territories where the Group operates;
- involving directly or indirectly sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea, or Syria;
- involving financial institutions or territories which could be connected to or controlled by terrorist organisations, recognised as such by the relevant authorities in France, the European Union, the U.S. or the United Nations.
- Client database screening and transaction filtering reasonably designed to ensure compliance with applicable laws;
- Systems and processes designed to detect and report suspicious activity to the relevant regulatory authorities;
- A compliance program reasonably designed to prevent and detect bribery, corruption and unlawful influence pursuant to the French “Sapin II” Law, the U.S FCPA, and the UK Bribery Act.
In this context, we make use of:
- services provided by external providers that maintain updated lists of PEPs such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges);
- public information available in the press on facts related to money laundering, the financing of terrorism or corruption;
- knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at the BNP Paribas Group level.
We carry out these checks when our clients enter into a relationship with us, but also throughout the relationship we have with our clients, both on their representatives and on the transactions our clients carry out. At the end of the relationship and if our client has been the subject of an alert, this information will be stored in order to identify the client and to adapt our controls if our client enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which our client are a party.
In order to comply with our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international Sanctions purposes between BNP Paribas Group entities. When your data are exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When additional data are collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local penalties.
For AML/CFT data sharing purpose, entities of the BNP Paribas Group have organized the sharing of personal data of individuals related to legal entities that are clients from BNP Paribas. When exchanging the data with another entity, we are together with this entity joint controller.