BNPP Personal Data Management Policy

The purpose of the Personal Data Management Policy is to inform all stakeholders about their commitments in relation to the protection of individual privacy and the collection, storage and use of personal data.

BNPP is committed to implementing necessary security measures for the confidentiality, availability and integrity of the data.

What is the scope of this policy?

This policy applies to any processing involving personal data sponsored by any BNPP Group entity.

What data do we collect about you?

As a data controller, BNPP collects and stores personal data that directly or indirectly identifies a natural person (last name, first name, IP address, pages viewed, cookies, documents downloaded, etc.). They can be analyzed and transmitted to the various departments concerned in the context for the purpose of their activities.

BNPP will within the management of the business relation and in compliance with applicable laws and regulations, collect personal data (identity and other elements of civil status, identity documents, contact details, professional and financial situation) concerning its clients, their legal representatives, managers and other agents.

In order to ensure compliance with its money laundering obligations, BNPP collects additional data relating to transactions and the operations associated to its clients, their associates, beneficiaries and intermediaries.

How do we collect your personal data?

Data collected come from the information directly communicated by the customer when (i) entering the relationship, (ii) subscribing and/or using of products and services, (iii) entering into management mandates, (iv) sending orders (v) or by third parties authorized to disclose information (commercial information files, other public accessible sources to banking and financial institutions).

What use do we make of it?

The collected personal data are processed only for well-defined purposes, including:

- the accounts management, products, subscribed services under the stipulated contractual documentation conditions, as well as the orders management and transactions

- the management of the business relationship, the conduct of animation and commercial development activities, the suggestion of new services, and the conduct of market studies, statistical analysis (including behavioral analysis)

- compliance with regulatory obligations including control, identity check, operations and monitoring of risks , conflicts of interest prevention, prevention of fraud and other prejudicial actions, anti-money laundering and terrorist financing compliance.

BNPP also proceed, in connection with financial services provision, and in accordance with the applicable regulation, to electronic communications records (telephones, instant messages, e-mails and any other means of electronic communication) with its business relations to fulfill its obligations in terms of ethical control, and to ensure transactions control and security

What legal tools do we use to transfer your data outside the European Economic Area?

Due in particular to the international dimension of the Group and in order to optimize the quality of its services, BNPP is required to transfer personal data to countries that are not members of the European Economic Area (notably the United States, Switzerland, Singapore) whose legislation on personal data protection differs from the European Union. Where appropriate, a precise and demanding contractual framework determines the scope of intervention and security conditions applicable to service providers.

BNPP may be required to provide certain personal data to official institutions as well as to competent administrative or judicial authorities, which may be located within or outside the European Economic Area, particularly in the context of anti-money laundering and terrorism financing compliance.

How do we secure your data?

BNPP implements appropriate physical, computer and organizational procedures to ensure personal data security and confidentiality, in particular to protect data against any loss, destruction, accidental or unauthorized alteration, or against unauthorized access to such data.

What are your rights regarding your personal data?

Your personal data processing may be subject to the e right of access, rectification, deletion, limitation, portability and opposition to usage under the conditions provided by the applicable regulation, in particular by the General Data Protection Regulation 2016/679 (GDPR).

The concerned persons have a right to access their personal data as well as the right to request that inaccurate, incomplete or outdated data be rectified, updated or deleted. They may also request that the use of their personal data be limited and oppose the processing of their personal data subject to the continuation of the services and/or the business relationship continuity.

The concerned persons may also, without having to justify their request, object to their data being used for commercial prospecting purpose and communication to third parties.

To exercise these rights, you must submit your request to the address indicated in the section below, "Contact".

How to exercise your rights?

This policy is reviewed from time to time and can be amended at any time. BNPP reserves the right to review its terms and conditions. For any question, you can contact us at the following email address:gdpr.desk.cib@bnpparibas.com