Data Protection Notice
Last updated: December 2022
Preliminary section: Main amendments
As a trusted companion, the protection of your personal data is important to the BNP Paribas Group.
We have enhanced our Privacy Notice by being more transparent on the following information on:
- processing activities relating to commercial prospection
- processing activities relating to anti-money laundering and countering the financing of terrorism, and international sanctions (freezing of assets) (dedicated appendix)
Introduction
We take the protection of your personal data very seriously; accordingly, the BNP Paribas Group has adopted strong principles in its Personal Data Protection Charter available at https://group.bnpparibas/protection-donnees
BNP Paribas Wealth Management Monaco ("We"), as a controller, are responsible for collecting and processing your personal data in relation to its activities.
Our business is to help all our customers in their day-to-day banking activities and in achieving their projects thanks to our financing, investment, savings and insurance solutions.
As a member of an integrated banking-insurance Group in collaboration with the various entities of the Group, we provide our customers with a complete range of banking, insurance and leasing products and services.
The purpose of this Privacy Notice is to explain how we process your personal data and how you can control and manage them.
This Notice applies universally to all products and services of BNP Paribas, bearing in mind additional information may be communicated to you if required when you subscribe to a specific product or service.
1. ARE YOU SUBJECT TO THIS NOTICE?
This Privacy Notice applies to you if you are ("You"):
· One of our customers or in a contractual relationship with us (e.g., as a guarantor);
· A member of our customer family. Indeed, our customers may occasionally share with us information about their family when it is necessary to provide them with a product or service or to get to know them better;
· Heirs or beneficiaries,
· Legal representatives and authorised persons of a legal entity or a provider (mandate/power of attorney),
· Initiators or beneficiaries of a transaction carried-out in relation to our customer,
· Employees of a company who is a customer of the Bank, holder(s) of a card issued for said company,
· Beneficiaries of a contract or an insurance policy and of a trust,
· Owners,
· Beneficial owners,
· Creditors,
· Shareholders or associates of companies who are customers of the Bank,
· Members of staff of our service providers and commercial partners,
· A person interested in our products or services when you provide us with your personal data (in an agency, on our websites and applications, during events or sponsorship operations) so that we can contact you.
When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Privacy Notice. We will ensure that we will do the same whenever possible (e.g., when we have the person's contact details).
2. HOW CAN YOU CONTROL THE PROCESSING ACTIVITIES WE CARRY-OUT ON YOUR PERSONAL DATA?
You have rights which allow you to exercise real control over your personal data and how we process them.
If you wish to exercise the rights listed below, please submit a request by mailing a letter to the following address BNP Paribas Wealth Management Monaco, a Monegasque limited company whose address is 15/17 avenue d’Ostende, 98000 Monaco.
If you have any questions relating to our use of your personal data under this Privacy Notice, please contact us at the following address: BNP Paribas Wealth Management Monaco, a Monegasque limited company whose address is 15/17 avenue d’Ostende, 98000 Monaco.
2.1. You can request access to your personal data
If you wish to have access to your personal data, we will provide you with a copy of the personal data you requested as well as information relating to their processing.
Your right of access may be limited in the cases foreseen by laws and regulations. This is the case with the regulation relating to anti-money laundering and countering the financing of terrorism, which prohibits us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with Commission de Contrôle des Informations Nominatives (CCIN) (Monaco authority for the protection of personal data), which will request the data from us.
2.2. You can ask for the correction of your personal data
Where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified or completed accordingly. In some cases, supporting documentation may be required.
2.3. You can request the deletion of your personal data
If you wish, you may request the deletion of your personal data, to the extent permitted by law.
2.4. You can object to the processing of your personal data for commercial prospecting purposes
You have the right to object at any time to the processing of your personal data for commercial prospecting purposes, including profiling, insofar as it is linked to such prospecting.
2.5. You can suspend the use of your personal data
If you question the accuracy of the personal data we use or object to the processing of your personal data, we will verify or review your request. You may request that we suspend the use of your personal data while we review your request.
In any event, you have the right to challenge the decision, express your views and request the intervention of a competent person to review the decision.
2.6. you may lodge a complaint with the CCIN
If you have given your consent to the processing of your personal data, you may lodge a complaint with the CCIN, at the following address: “Le Suffren”,Bloc B, 4 ème étage,7 rue Suffren Raymond.
2.7. You can request the portability of part of your personal data
You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.
2.8. How to file a complaint with CCIN
In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority, which is usually the one in your place of residence: « Le Suffren », Bloc B, 4ème étage, 7 rue Suffren Reymond.
3. WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?
In this section we explain why we process your personal data and the legal basis for doing so.
3.1. Your personal data are processed to comply with our various regulatory obligations
Your personal data are processed where necessary to enable us to comply with the regulations to which we are subject, including banking and financial regulations.
3.1.1. We use your personal data to:
· Monitor operations and transactions to identify those which deviate from the normal routine/patterns (e.g., when you withdraw a large sum of money in a country other than your place of residence);
· Manage and report risks (financial, credit, legal, compliance or reputational risks etc.) that the BNP Paribas Group could incur in the context of its activities;
· Record, in compliance with the Markets in Financial Instruments Directive (MiFID 2), communications in any form (telephone, electronic) relating to all services and transactions carried-out by the Bank for your account with regard to the financial activities for which it is authorised. The recording is kept even when the conversation or communication does not generate a transaction or the provision of a service;
· Assess the appropriateness and adequacy of the profile of each customer to whom the investment service is provided, in accordance with regulations on financial activities;
· Communicate to payment service providers acting upon your request, information on your accounts, transactions and their respective beneficiaries or initiators;
· Record transactions for accounting purposes;
· Prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
· Detect and prevent bribery;
· Comply with the provisions applicable to trust service providers issuing electronic signature certificates;
· Exchange and report different operations, transactions or orders or reply to an official request from a duly authorized local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.
· Ensure the security of the execution of payment services, notably by identifying the initiator;
· Report the opening, closing or changing of an account to the SICCFIN to update the FICOBAM database. In this respect, we send some information pertaining to the account holder, his/her potential agents or legal representatives;
· Assess your financial solvency;
· Comply with our duty to advise,
3.1.2. We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes
As part of a banking Group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions.
In this context, we are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term "We" in this section also includes BNP Paribas SA).
The processing activities performed to meet these legal obligations are detailed in Appendix [1].
3.2. Your personal data are processed to perform a contract to which you are a party or pre-contractual measures taken at your request
Your personal data are processed when it is necessary to enter into or perform a contract to:
· Define your credit risk score and your reimbursement capacity;
· Evaluate (e.g., on the basis of your credit risk score) if we can offer you a product or service and under which conditions (e.g., price);
· Provide you with the products and services subscribed to under the applicable contract;
· Manage existing debts (identification of customers with unpaid debts);
· Respond to your requests and assist you;
· Ensure the settlement of your succession.
· Subscribe (notably by telephone or via electronic signature) to products and services of BNP Paribas or distributed by BNP Paribas;
· Allow, in the context of the management of the customer relationship, notably:
- to manage and execute the products and services such as payment instruments and the granting of loans;
- to measure your requirements and needs, your knowledge and experience notably in terms of financial instruments;
- wealth management;
- to distribute, among others, insurance products, bearing in mind that either the insurer or service provider remains responsible for the processing required for the setting-up of the insurance transaction or the provision of the service;
- the security of the payment services you use.
3.3. Your personal data are processed to fulfil our legitimate interest or that of a third party
Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us at the following address: BNP Paribas Wealth Management Monaco or via the contact form on our internet site BNP Paribas Wealth Management Monaco.
3.3.1. In the course of our business as a bank, we use your personal data to:
· Manage the risks to which we are exposed:
- we keep proof of operations or transactions, including in electronic evidence;
- We endeavour to deal with, prevent and detect frauds, notably by monitoring your transactions or via the production of lists of frauds including the perpetrators of proven fraud;
- we monitor the IP address from which you connect to carry-out transactions remotely in order to block, if required, the transactions which may be carried-out from unauthorised countries or to ensure that they are not fraudulent
- we carry out the collection of debts;
- we handle legal claims and defences in the event of litigation;
- we develop individual statistical models in order to help define your creditworthiness.
· Enhance cyber security, manage our platforms and websites, and ensure business continuity.
· Use video surveillance to prevent personal injury and damage to people and property.
· Enhance the automation and efficiency of our operational processes and customer services (e.g., automatic filling of complaints, tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you such as phone recordings, e-mails or chats).
· Carry out financial operations such as debt portfolio sales, securitizations, financing or refinancing of the BNP Paribas Group.
· Conduct statistical studies and develop predictive and descriptive models for:
- commercial purpose: to identify the products and services that could best meet your needs, to create new offers or identify new trends among our customers, to develop our commercial policy taking into account our customers' preferences
- safety purpose: to prevent potential incidents and enhance safety management;
- compliance purpose (e.g., anti-money laundering and countering the financing of terrorism) and risk management;
- anti-fraud purposes.
· Conduct opinion and customer satisfaction surveys.
3.3.2. We use your personal data to send you commercial offers by electronic means, post and phone
As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs.
Once you are a customer and unless you object, we may send you these offers electronically for our products and services and those of the Group if they are similar to those you have already subscribed to.
We will ensure that these commercial offers relate to products or services that are relevant to your needs and complementary to those you already have to ensure that our respective interests are balanced.
We may also send you, by phone and post, unless you object, offers concerning our products and services as well as those of the Group and our trusted partners.
3.3.3 We record our interactions with you based on our legitimate interest
In the course of our activities, we record all interactions (notably telephone conversations, emails) between the Bank’s employees and their correspondents. In addition to regulatory obligations detailed in article 3.1, such recordings are also made based on our legitimate interest for the following purposes:
· Constitute proof in the event of a dispute by the Customer over a transaction,
· Constitute proof in the event of a legal dispute,
· Improve the effectiveness of our operational processes.
You may exercise your rights in accordance with the terms of the present Notice, point 2 “how you can control the processing activities we carry-out on your personal data”.
3.4. Your personal data are processed if you have given your consent
For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.
In particular, we ask for your consent for:
· tailor-made customization of our offers and products or services based on more sophisticated profiling to anticipate your needs and behaviours;
· any electronic offer for products and services not similar to those you have subscribed to or for products and services from our trusted partners;
4. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?
We collect and use your personal data, meaning any information that identifies or allows one to identify you.
Depending among others on the types of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:
- Identification information: e.g., full name, gender, place and date of birth, nationality, identity card number, passport number, driving licence number, vehicle registration number, photograph, signature);
- Contact information: (private or professional) postal address, e-mail address, phone number;
- Information relating to your financial and family situation: e.g., marital status, matrimonial regime, number of children and age, study or employment of children, composition of the household, property you own: apartment or house;
- Milestones of your life: e.g., you recently got married, divorced, partnered, or gave birth;
- Lifestyle: hobbies and interests, travel, your environment (nomadic, sedentary);
- Economic, financial and tax information: e.g., tax ID, tax status, country of residence, salary and other income, value of your assets;
- Education and employment information: e.g., level of education, employment, employer's name and remuneration;
- Banking and financial information related to the products and services you hold: e.g., bank account details, products and services owned and used (credit, insurance, savings and investments, leasing, home protection), credit card number, money transfers, assets, profile of declared investor, credit history, payment incidents;
- Transaction data: account movements and balances, transactions including beneficiary's data such as full names, addresses and contact details as well as details of bank transactions, amount, date, time and type of transaction (credit card, transfer, cheque, direct debit);
- Data relating to your habits and preferences in relation to the use of our products and services;
- Data collected from our interactions with you: e.g., your comments, suggestions, needs collected during our exchanges with you in person in our Agencies (reports) and online during phone communications (conversation, contemporaneous notes), discussion by e-mail, chat, chatbot, exchanges on our social media pages and your latest complaints. Your connection and tracking data such as cookies and tracers for non-advertising or analytical purposes on our websites, online services, applications, social media pages;
- Data collected from the video protection system (including CCTV) and geolocation: e.g., showing locations of withdrawals or payments for security reasons, or to identify the location of the nearest branch or service suppliers for you;
- Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and uniquely identifying data;
- Personalized login credentials or security features used to connect you to the BNP Paribas website and apps.
We may collect sensitive data such as health data, biometric data, or data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations.
5. WHO DO WE COLLECT PERSONAL DATA FROM?
We collect personal data directly from you; however, we may also collect personal data from other sources.
We sometimes collect data from public sources:
· publications/databases made available by official authorities or third parties (e.g., the Journal de Monaco, the Trade and Companies Register, databases managed by the supervisory authorities of the financial sector);
· websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page);
· public information such as that published in the press.
We also collect personal data from third parties:
· from other BNP Paribas Group entities;
· from our customers (companies or individuals);
· from our business partners;
· from service providers of payment initiation and account aggregators (service providers of account information);
· from third parties such as credit reference agencies and fraud prevention agencies;
· from data brokers who are responsible for ensuring that they collect relevant information in a lawful manner.
6. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?
a. With BNP Paribas Group's entities
As a member of the BNP Paribas Group, we work closely with the Group's other companies worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:
· comply with our various legal and regulatory obligations described above;
· fulfil our legitimate interests which are:
- To deal with, prevent and detect frauds;
- conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes
- enhance the reliability of certain data about you held by other Group entities
- offer you access to all the Group's products and services that best meet your needs and wishes;
- customize the content and prices of products and services;
- Enable us to reach the aims described within the present notice through other entities of the Group providing services for our account;
- Facilitate the conclusion and execution of a contract subscribed with an entity of the BNP Paribas Group by supplying information already held by us in order to limit information requested from you;
b. With recipients outside the BNP Paribas Group and processors
In order to fulfil some of the purposes described in this Privacy Notice, we may, where necessary, share your personal data with:
· Processors which perform services on our behalf (e.g., IT services, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing).
· Authorised organisations and public institutions (e.g. ACPR, SICCFIN, French or Monegasque supervisory authorities, Monegasque legal authorities or financial guarantee organisations) in accordance with a legal obligation;
· Banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g., banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries, mutual guarantee companies or financial guarantee institutions);
· Local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or (such as ACPR, SICCFIN, CCAF), to which we, or any member of the BNP Paribas Group, are required to disclose pursuant to:
- their request;
- our defence, action or proceeding;
- complying with a regulation or a recommendation issued from a competent authority applying to us or any member of the BNP Paribas Group;
· Service providers of third-party payment (information on your bank accounts), for the purposes of providing a payment initiation or account information service if you have consented to the transfer of your personal data to that third party;
· Certain regulated professions such as lawyers, notaries, or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the BNP Paribas Group.
7. TRANSFERS OF PERSONAL DATA OUTSIDE THE PRINCIPALITY OF MONACO
International transfers of personal data outside the Principality of Monaco may only take place if the country or organisation to which the data is transferred provides an adequate level of protection or, if that is not the case, with the special authorisation of the CCIN (Commission de Contrôle des Informations Nominatives), the Monaco authority for the protection of data, on the basis of a substantiated request demonstrating that all technical and organisational measures have been taken in order to ensure the safety and confidentiality of the transferred personal data, strictly within the limits of the Bank’s activities.
The adequateness of the level of protection offered by the third-party country must be assessed with regard to all the circumstances of a personal data transfer, notably the nature of the information, the purpose, the duration of the proposed processing(s), the legal rules in place in the country as well as the professional rules and security measures which are adhered to in said country.
Without prejudice to the above terms, the CCIN maintains at the disposal of any interested party the list of countries with an adequate level of protection in accordance with the previous paragraph.
8. FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We retain your personal data either in accordance with the necessary duration under applicable regulations, or for a period defined according to our operational obligations, such as for accounting purposes, efficient management of the client relationship, as well as to enable you to exercise your legal rights or to answer requests from authorities and regulators.
In a majority of cases, your personal data will be retained for the duration of the contractual relationship followed by a period of ten years, either after the end of the business relationship in the case of customers, or as of the last contact date in the case of prospects.
In certain cases, the retention period is shorter and starts as of the collection date. For example, this is the case for telephone conversations recordings.
In the event that information is no longer necessary for the execution of contractual or legal obligations, the data will be periodically destroyed, unless it remains required for maintaining short-term processing. Such a case may occur for the following reasons:
· In the event of the non-execution of retention obligations regarding taxation,
· In the event of the non-execution of special limitations forcing us to retain the personal data for an indeterminate duration, for example when anticipating legal disputes.
9. HOW TO FOLLOW THE EVOLUTION OF THIS PRIVACY NOTICE
In a world where technologies are constantly evolving, we regularly review this Privacy Notice and update it as required.
We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.
Appendix 1
Processing of personal data to combat money laundering and the financing of terrorism
We are part of a banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all its entities managed at central level, an anti-corruption program, as well as a mechanism to ensure compliance with international Sanctions (i.e., any economic or trade sanctions, including associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed, or enforced by the Principality of Monaco, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in territories where BNP Paribas Group is established).
In this context, we act as joint controllers together with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” used in this appendix therefore also covers BNP Paribas SA).
To comply with AML/CFT obligations and with international Sanctions, we carry out the processing operations listed hereinafter to comply with our legal obligations:
- A Know Your Customer (KYC) program reasonably designed to identify, verify and update the identity of our customers, including where applicable, their respective beneficial owners and proxy holders;
- Enhanced due diligence for high-risk clients, Politically Exposed Persons or “PEPs” (PEPs are persons defined by the regulations who, due to their function or position (political, jurisdictional or administrative), are more exposed to these risks), and for situations of increased risk;
- Written policies, procedures and controls reasonably designed to ensure that the Bank does not establish or maintain relationships with shell banks;
- A policy, based on the internal assessment of risks and of the economic situation, to generally not process or otherwise engage, regardless of the currency, in activity or business:
- for, on behalf of, or for the benefit of any individual, entity or organisation subject to Sanctions by the Principality of Monaco, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in territories where the Group operates;
- involving directly or indirectly sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea, or Syria;
- involving financial institutions or territories which could be connected to or controlled by terrorist organisations, recognised as such by the relevant authorities in Monaco, the European Union, the U.S. or the United Nations.
- Customer database screening and transaction filtering reasonably designed to ensure compliance with applicable laws;
- Systems and processes designed to detect and report suspicious activity to the relevant regulatory authorities;
- A compliance program reasonably designed to prevent and detect bribery, corruption and unlawful influence pursuant to the French “Sapin II” Law, the U.S FCPA, and the UK Bribery Act.
In this context, we make use of:
- services provided by external providers that maintain updated lists of PEPs such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges);
- public information available in the press on facts related to money laundering, the financing of terrorism or corruption;
- knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at the BNP Paribas Group level.
We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you, both on yourself and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be stored in order to identify you and to adapt our controls if you enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which you are a party.
In order to comply with our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international Sanctions purposes between BNP Paribas Group entities. When your data are exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When additional data are collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local penalties.