Data Protection Notice

Regulation

Last updated September 5th 2022

If you are an external supplier or partner of a CIB entity based in the EEA / UK / Switzerland, please visit this Data Protection Notice

As a trusted companion, the protection of your personal data is important to the BNP Paribas Group.

We have revised our Data Protection Notice to improve transparency and provide further information on our processing of your personal data, including but not limited to personal data processing in the context of: 

  • business to business and/or direct marketing; and
  • anti-money laundering, countering the financing of terrorism and international sanctions (freezing of assets).
Introduction

We take the protection of your personal data very seriously.

BNP Paribas (including its subsidiaries) in relation to its Corporate and Institutional Banking (CIB) business (“we”, “our”), as a controller, is responsible for collecting and processing your personal data in relation to our banking activities which include capital markets services, securities services, financing, treasury and advisory services.

The business of the BNP Paribas Group is to help all of their clients: individuals; entrepreneurs; small and medium-sized enterprises; large companies; multi-national groups and institutional investors, in all of their activities from their day-to-day banking requirements to their commercial objectives and projects, by providing appropriate financing, investment, multi-asset servicing, savings and insurance solutions.  

As a member of an integrated banking and insurance group, in collaboration with the various entities of the Group, we provide our clients with a complete range of banking, insurance and leasing products and services. 

Whether under the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and/or other applicable data protection legislation, the purpose of this Data Protection Notice is to inform you of: the personal data we collect about you; the reasons why we use and share such data; how long we keep the data; what your rights are (as to the control and management of your data) and how you can exercise your personal data rights.  

Further information may be provided where necessary at the time of collection of your personal data.

1. Are you subject to this notice?

This Data Protection Notice applies to you (“you”) if you are:

  • an employee, consultant, contractor, legal representative, shareholder, investor, or beneficial owner of:
    • a client;
    • a prospective client;
    • a client or counterparty of our clients(s); or
    • a counterparty;
  • a beneficiary of financial transactions (payment or shares) or contracts, policies, or trust;
  • an ultimate beneficial owner in the context of our services;
  • a company shareholder;
  • a social network user.

In certain circumstances, we collect information about you even if we do not have a direct relationship with you. This indirect collection of information about you may happen, for instance, in the course of our relationship with our clients or counterparties.

When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Data Protection Notice, as it provides them useful information about their rights. We will ensure that we will do the same whenever possible (e.g., when we have the person’s contact details).

2. How can you exercise your rights in the context of our personal data processing?

You have rights under, and in accordance with, applicable data protection law which allows you to exercise real control over your personal data and how we process it.

Should you wish to exercise the rights summarised below please refer to section 9 (How to contact us) and section 11 (Country-specific provisions) as appropriate.

2.1. You can request access to your personal data

We will provide you with a copy of your personal data promptly upon request, together with information relating to its processing.

Your right of access to your personal data may, in some cases, be limited by applicable law and/or regulation. For example, regulations relating to anti-money laundering and countering the financing of terrorism prohibits us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with your data protection authority (details of which are listed in Appendix B), which may request the data from us.

2.2. You can ask for the correction of your personal data

Where you consider that your personal data is inaccurate or incomplete, you can request that we modify or complete such personal data. In some cases, you may be required to provide supporting documentation.

2.3. You can request the deletion of your personal data

If you wish, you may request the deletion of your personal data, to the extent permitted by law.

2.4. You can object to the processing of your personal data based on legitimate interests

If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for your objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise or defence of legal claims.

2.5. You can object to the processing of your personal data for direct marketing purposes

You have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling, insofar as it is linked to such direct marketing.

2.6. You can suspend the use of your personal data

If you query the accuracy of the personal data we use, we will review and/or verify the accuracy of such personal data. If you object to the processing of your personal data, we will review the basis of the processing. You may request that we suspend the processing of your personal data while we review your query or objection.

2.7. You have rights against an automated decision

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or otherwise significantly affects you.  However, we may automate such a decision if it is necessary for the entering into or performance of a contract between us, authorised by law or regulation; or if you have given your explicit consent. 

In any event, you have the right to challenge the decision, express your views and/or request the intervention of a competent person to review the decision.

2.8. You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

2.9. You can request the portability of part of your personal data

You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.

2.10. How to file a complaint with your supervisory authority

In addition to the rights mentioned above, you may lodge a complaint with the relevant data protection authority, which is usually the one in your place of residence. A list of data protection authorities is set out at Appendix B.

3. Why and on which legal basis do we use your personal data?

In this section we explain why we process your personal data and the legal basis for doing so.

3.1. Your personal data is processed to comply with our various legal and/or regulatory obligations

Your personal data is processed where necessary to enable us to comply with the laws and/or regulations to which we are subject, including banking and financial regulations.

3.1.1. We use your personal data to:

  • monitor operations and transactions to manage, prevent and detect fraud; 
  • monitor and report risks (financial, credit, legal, compliance or reputational risks, operational risks etc.) that we/and or the BNP Paribas Group could incur; 
  • record, in compliance with the Markets in Financial Instruments Directive II, Alternative Investment Fund Managers Directive, the Market Abuse Regulation and/or the Benchmark Regulation, communications in any form, including voice, emails, chats, relating to, at the very least, transactions performed within proprietary trading and the provision of services relating to orders, in particular their receipt, transmission, execution and recording;
  • communicate, in compliance with the Shareholders Rights Directive your personal data to issuers, including your shareholder identification, proxy voting and register information;  
  • assist the fight against tax fraud and fulfil tax control and notification obligations, including in the context of US Foreign Account Tax Compliance Act and Automatic Exchange of Information obligations; 
  • fulfil our obligations to declare and register transactions with the competent authorities (tax, judicial, criminal, etc);
  • record transactions for accounting purposes; 
  • prevent, detect and report risks related to Corporate Social Responsibility and sustainable development; 
  • detect and prevent bribery and corruption; 
  • detect and manage suspicious orders and transactions;
  • exchange and report different operations, transactions or orders or reply to an official request from duly authorized local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies. 

3.1.2. We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes

As part of a banking group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions which may require the processing of your personal data primarily through our Know Your Customer (KYC) process (to identify you, verify your identity and screen your details against sanctions lists, prior to and in the course of our services).

In the context of this processing we, [as a branch or subsidiary of BNP Paribas SA], are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” in this section also includes BNP Paribas SA).

The processing activities performed to meet these legal obligations are detailed in Appendix A.

3.2. Your personal data is processed to perform a contract with you in the context of our services to our clients and/or counterparties

Your personal data is processed when it is necessary to enter into or perform a contract to provide our corporate clients with the products and services subscribed to under the applicable contract, including access to our digital services.

3.3. Your personal data is processed to fulfil our legitimate interest or that of a third party

Where we base a processing activity on legitimate interest, we balance that interest against your interests and fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 9 (How to contact us) below.

3.3.1. In the course of our business as a bank, we process your personal data to:

  • manage your access to and use of our web communication channels and applications in the context of our contractual and pre-contractual relationships with our clients; counterparts; and/or service providers;
  • communicate with you in the context of services provided to our clients and counterparties;
  • manage our activities and our presence on social networks (see more details in section 5.1);
  • manage the risks to which we are exposed:
    • we keep evidence of, and sometimes record operations, transactions and communications when you interact with our employees (eg. in our chat rooms, via emails, or during video conferences);
    • we monitor transactions to manage, prevent and detect fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters);
    • we manage legal claims and defend our position in the event of litigation.
  • enhance cyber security and data leakage prevention measures, manage our platforms and websites, and ensure business continuity;
  • use video surveillance to monitor access to property and prevent personal injury and damage to people and property;
  • monitor compliance with our internal policies and procedures including but not limited to our code of conduct. This may include monitoring of voice, email and chat communications when you interact with our employees;
  • enhance the automation and efficiency of our operational processes and client services (e.g., automatic filing of complaints, tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you such as phone recordings, e-mails or chats);
  • comply with the provisions applicable to trust service providers issuing electronic signature certificates; 
  • carry out financial operations such as debt portfolio sales, securitizations, financing or refinancing of the Group;
  • perform our asset management services any time you are an indirect beneficiary of these services, including the following purposes:
    • the creation and maintenance of your shareholder or investor register;
    • the receipt, capture and processing of your shareholder’s voting instructions;
    • tax services performed on your behalf (ie relief at source, tax reclaim);
    • the safekeeping of your physical securities;
    • the management of your access and use of our web communication channels and applications;
  • conduct statistical studies and develop predictive and descriptive models for:
    • commercial purposes: to identify the products and services that could best meet your needs, to create new offers based on trends arising from our web communication channels and application use, to develop our commercial policy taking into account our clients’ preferences;
    • safety purposes: to prevent potential incidents and enhance safety management;
    • compliance and risk management purposes (eg., anti-money laundering and countering the financing of terrorism);
    • anti-fraud purposes.

3.3.2. We use your personal data to send you commercial offers by electronic means, post and phone

As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs.

If you are identified as a contact or representative of a client; or counterparty, and unless you object, we may send you offers by any means for our products and services and those of the Group.

We will use reasonable endeavours to ensure that these offers relate to products or services that are relevant to our clients or prospective clients’ activities.

3.4. Your personal data is processed if you have given your consent

For some personal data processing activities, we will give you specific information and ask for your consent. Of course, you can withhold your consent or, if given, withdraw your consent at any time.

In particular, we ask for your consent to:

  • Manage newsletter subscriptions;
  • Manage events;
  • Use your navigation data to enhance our knowledge of your profile in accordance with our Cookies Policy.

You may be asked for further consent to process your personal data where necessary.

4. What types of personal data do we collect?

We collect and use your personal data, meaning any information that identifies or, together with other information, can be used to identify you.

Depending, among others, on the types of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

  • identification information (e.g. full name, identity (e.g. copy passport, driving licence), nationality, place and date of birth, gender, photograph);
  • contact information private or professional (e.g. postal and e-mail address, phone number etc.);
  • family situation (e.g. marital status, number and age of children etc.);
  • lifestyle (hobbies and interests);
  • economic, financial and tax information (e.g. tax ID, tax status, fiscal address, income and others revenues, value of your assets);
  • education and employment information (e.g. level of education, employment, employer’s name, remuneration);
  • banking and financial information (e.g. bank account details, products and services owned and used, credit card number, money transfers, assets, declared investor profile, credit history, any defaults in making payments);
  • banking and financial information (e.g. bank account details, products and services owned and used, credit card number, money transfers, assets, declared investor profile, credit history, any defaults in making payments);
  • transaction data (including full beneficiary names, address and transaction details including communications on bank transfers of the underlying transactions);
  • data relating to your habits and preferences (in relation to the use of our products and services);
  • data from your interactions with us or about us: our branches (contact reports), our internet websites, our apps and social media pages;
  • connection and tracking data such as cookies, connection to online services, IP address, meetings, calls, chats, emails, interviews, phone conversations;
  • interactions with our employees: meetings, calls, chats, emails, interviews, phone conversations;
  • video protection (including CCTV);
  • information about your device (including MAC address, technical specifications and uniquely identifying data); and
  • login credentials used to connect to BNP Paribas’ website and apps.

We may collect sensitive data such as health data, biometric data, or data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations. 

Please note that you are not required to provide any of the personal data that we request. However, your failure to do so may result in us being unable to provide our services.

5. Who do we collect personal data from?

We may collect personal data directly from you as staff of our clients, counterparties and their service providers in the context of our activities and services.

We sometimes collect data from public sources:

  • publications/databases made available by official authorities or third parties (e.g., the Official Journal of the French Republic, the Trade and Companies Register, databases managed by the supervisory authorities of the financial sector);
  • websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page);
  • public information such as that published in the press.

We also collect personal data:

  • from other Group entities;
  • from our business partners or our clients’ business partners;
  • from service providers (e.g. payment initiation providers, service providers of account information such as account aggregators);
  • from credit reference agencies and fraud prevention agencies.

5.1. Personal data collection via social network

In today’s context, use of social network is essential to companies.

In order to fulfill efficiently our mission, it is essential for us to be present on social networks, and this presence is susceptible to involve the processing of some of your personal data.

Therefore, in our legitimate interest of needs in marketing, communication, advertising, and publications, as well as for crisis management and interaction with social media users, we are susceptible to collect the following personal data:

  • The exchange that you had with us on our pages and publications on social networks, including your early claims and complaints;
  • Data coming from pages and publications on social networks that contain information that you publicly made available.

More specifically, these personal data will be treated for the following purposes:

  • Crisis management (social listening) and customer relationship management, this includes:
    • Crisis prevention: Monitoring and analysis of social networks and the web by using keywords to assess BNP Paribas reputation and be aware of what is said about a trending/crisis topic in order to communicate accordingly.
    • Crisis management handling: Analyze the problematics raised by some publications and act accordingly; answer to publications, posts or comments of social network users; identify and tackle fake accounts and fake publications; or investigate in case of strong allegations and claims.
  • Marketing and communication/ advertisement and publications which includes:
    • Data extraction to identify trending topics by collecting data publicly available on social networks;
    • Publication of articles; 
    • Suggestion of publications according to your interests;
    • Customer and social network users’ segmentation according to their influence;
    • Advertisement optimization/targeted marketing by segmenting the recipients of the marketing/advertisement.

In order to achieve this, we use external service providers.

6. Who do we share your personal data and why?

a. With BNP Paribas Groups entities

As a member of the BNP Paribas Group, we work closely with the Group’s other companies worldwide. Your personal data may therefore be shared between Group entities, where necessary, to:

  • comply with our various legal and regulatory obligations described above;
  • fulfil our contractual obligations or legitimate interests described above; and
  • conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;

Sharing with Group companies may extend to intragroup processors which perform services on our behalf (such as our hubs in India, Poland and Portugal).

b. With recipients outside the BNP Paribas Group

In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with data processors which perform services on our behalf (e.g., IT service providers, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing).

We may also, where we consider it necessary, share your personal data with other data controllers, as follows:

  • banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual or legal obligations or process transactions (e.g., banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries, mutual guarantee companies or financial guarantee institutions);
  • regulators and/or independent agencies, local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (e.g., the Banque de France and other Central Banks), to which we, or any member of the BNP Paribas Group, are required to disclose pursuant to:
    • their request;
    • our defence, action or proceeding;
    • complying with a regulation or a recommendation issued from a competent authority addressed to us or any member of the BNP Paribas Group;
  • service providers or third-party payment providers (information on your bank accounts), for the purposes of providing a payment initiation or account information service at your request;
  • certain regulated professions such as lawyers, notaries, or auditors particularly when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the Group.
7. International transfers of personal data

In certain circumstances (e.g. to provide international services or to ensure operational efficiency), we may transfer your data to another country. This includes transfers of personal data to our branches and subsidiaries in APAC and the Americas.

In case of international transfers originating from:

  • the European Economic Area (“EEA”) to a non-EEA country, the transfer of your personal data may take place where the European Commission has recognised a non-EEA country as providing an adequate level of data protection. In such cases your personal data may be transferred on this basis;
  • the United Kingdom (“UK”) to a third country, the transfer of your personal data may take place where the UK Government has recognised the third country, as providing an adequate level of data protection.  In such cases your personal data may be transferred on this basis;
  • other countries where international transfer restrictions exist, we will implement appropriate safeguards to ensure the protection of your personal data.

For other transfers, we will implement an appropriate safeguard to ensure the protection of your personal data, being: 

  • Standard contractual clauses approved by the European Commission or the UK Government (as applicable); or
  • Binding corporate rules.  

In the absence of an adequacy decision or an appropriate safeguard we may rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary for the exercise or defence of legal claims).

You can obtain more details about the basis of our international transfers by sending written request to gdpr.desk.cib@bnpparibas.com.

8. How long do we keep your personal data?

We will retain your personal data for the longer of:

  • the period required by applicable law;
  • such other period necessary for us to meet our operational obligations, such as: proper account maintenance, facilitating client relationship management, and/or responding to legal claims or regulatory requests.

Most personal data collected in relation to a specified client is kept for the duration of the contractual relationship plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law.

If you would like further information on the period for which your personal data will be stored or the criteria used to determine that period please contact us at the address given under section 9 (How to contact us) below.

9. How to contact us?

If you wish to exercise the rights summarised in Section 2 (How you can exercise your rights in the context of our personal data processing), if you have any questions relating to our use of your personal data under this Data Protection Notice, or if you would like a copy of this Data Protection Notice in your native language, please contact gdpr.desk.cib@bnpparibas.com or the email specified for your country under Section 11. In some cases, you may be required to provide evidence of your identity.

10. How to follow the evolution of this data protection notice?

We regularly review this Data Protection Notice and update it as required.

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.

11. Country-specific provisions

Austria
We, BNP Paribas entities registered in Austria, will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Austrian banking secrecy law and/or other local statutory requirements.

Bahrain
This section applies solely to data owners in the Kingdom of Bahrain as defined under the Bahrain Personal Data Protection Law No. 30 of 2018 (“PDPL”) and  our policies have been developed in line with the provisions of the PDPL which came into effect on 1 August 2019.

In addition to the above disclosures, the following applies to Bahrain data owners protected by the PDPL:

  • In case of transfers of personal data outside the Kingdom of Bahrain, we make sure to transfer your personal data to countries and regions that provide sufficient level of protection for your personal data. Such transfers, to the extent practicable, shall be in accordance with any applicable lists recognized by the relevant authorities and laws.
  • Furthermore, in case of transfers of personal data outside the Kingdom of Bahrain, we will only disclose your personal data to such third party or parties (“Data Processor(s)”) where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.
  • In some instances, we may be required to transfer your personal data to other countries whose level of protection has not been recognized by the relevant authorities in terms of the PDPL. In such cases, we may rely on (i) the exceptions provided by the PDPL (e.g. if the transfer is necessary to perform our contract with you); as well on (ii) sufficient guarantees regarding the measures to protect the confidentiality and security of the personal data.
  • A controller is described under the PDPL as a data manager and is defined as the person who decides, solely or in association with others, the purposes and means of processing of certain personal data. In the events where such purposes and means are prescribed by Bahrain law, the Data Manager shall be the person who is responsible for the processing of the data. All references in this Notice to “controller” are references to “data manager” as defined under the PDPL.
  • Processing is defined under the PDPL as any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.
  • Processing of sensitive personal data is also prohibited without the consent of the data owner, except in some instance as outlined under the PDPL, including, without limitation, when the processing is related to the race or ethnicity, if they are necessary to ascertain equal opportunities or treatment of the society’s individuals.
  • Data owners may at any time withdraw a previous approval they had granted to process their personal data.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal data. If you wish to exercise the rights listed above, please send an email to the following address: mea.communications.data.rights@bnpparibas.com; or send a letter to the following address:

Data Protection Office c/o Risk ORC
Bahrain Financial Harbour
West Tower
King Faisal Highway
Manama, Kingdom of Bahrain
P.O Box 5241

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

Belgium
We, BNP Paribas SA, Belgium branch, ask that for any question you may have, as well as to exercise your rights, please send your request to the following email address gdpr.desk.cib@bnpparibas.com.

Brazil
The data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities in Brazil:

BNP Paribas Brasil S.A
Juscelino Kubitschek, 1909, 9º to 11º Floor.
South Tower of São Paulo Corporate Towers
São Paulo, Brazil

For requests about personal data, please contact your sales department:

For requests about employee data:

If you have any questions about the processing of personal data, please contact the Data Protection Officer at dpo.cib.brazil@br.bnpparibas.com.

Bulgaria
We, BNP Paribas entities registered in Bulgaria, will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Bulgarian banking secrecy law and/or other local statutory requirements.

BNP Paribas S.A., registration number 662042449 RCS Paris, with its registered office at 5009 Paris, 16 Boulevard des Italiens, France, acting in Bulgaria through its branch office BNP Paribas S.A., Sofia branch, UIC: 175185891, may require you to include a scan/copy of your identity card for identification purposes pursuant to the Bulgarian Measures Against Money Laundering Act.

Canada
This section supplements the Data Protection Notice (herein “DPN”) and applies to the collection, use, disclosure and retention of personal data by BNP Paribas Canada Branch and its Canadian affiliates, obtained in the context of their commercial activities which comprise both services provided to third parties or affiliates and the management and use of providers or partners (including personal data of actual or prospect clients or providers as well as any person who applied for a position with BNP Paribas). Except as noted below, nothing in this Canada-specific section changes or modifies the DPN, in case of conflict between the DPN and this Canada-specific section, the terms of this Canada-section section shall prevail.

Rights
Notwithstanding section 2 of the DPN, as provided by and in accordance with Canadian data protection laws you have the following rights with respect to your personal data:

  • You can request access to your personal data.
  • You can ask for the correction of your personal data if it is inaccurate, incomplete or no longer up to date in accordance with applicable laws.
  • You can withdraw your consent to our collection, use and disclosure of your personal data, except in limited circumstances, including legal or regulatory requirements or as a result of a contractual obligation (for instance, if you are a representative of our client and we need to process your personal data in order to provide services to our client).

Should you wish to exercise these rights, please refer to the “Contact Us” subsection of this Canada-specific section. You can also unsubscribe from receiving commercial electronic messages from us by following the unsubscribe procedure included in these messages.

Collection, use and sharing of personal data
Our collect, use and share your personal data is done on the basis of your consent (which may be implied or obtained by our client or provider rather than by us directly), unless we are otherwise permitted to process your personal data without consent under Canadian data protection laws (for instance, when a consent exception applies). Note that we may use or share personal data in order to comply with Canadian laws and regulations that are equivalent to those mentioned in sections 3 and 6 of the DPN (which relate to jurisdictions other than Canada).

The categories of data processors and service providers which perform services on our behalf and with whom we may share your personal data are: providers offering IT services, accounting services, logistics and procurement services; printing services; telecommunication services; debt collection services; compliance and due diligence services, advisory and distribution services, marketing and communications services as well as financial institutions or brokerage firms providing trade execution, cash management and clearing services, and providers of similar services required to support our activities in Canada.

International transfers of personal data
We may transfer your personal data outside Canada, including when we share personal data with other entities within the BNP Paribas Group or transfer personal data to service providers located in other jurisdictions. As a result of such transfers, your personal data may be available to government authorities under lawful orders and laws applicable in foreign jurisdictions.

Data retention
We may anonymize personal data at the expiration of the retention period described in section 8 of the DPN, so that it can no longer directly or indirectly identify you.

Contact Us
If you wish to exercise the rights set out in the “Rights” subsection of this Canada-specific section, or if you have any questions or complaints relating to this Canada-specific section or our personal data processing practices, please contact our Data Protection Officer at privacy.officer@ca.bnpparibas.com.

Cayman Islands
To the extent a BNP Paribas entity (“we”) (i) is established in the Cayman Islands and (ii) is a controller of your personal data in the context of that establishment, then as and when the Data Protection Act (As Revised) of the Cayman Islands (the “DPL”) comes into force, the DPL will apply to us and you will have rights under the DPL.

The framework and application of the DPL is similar to that of the European General Data Protection Regulation, and accordingly the provisions of the Data Protection Notice broadly apply. In particular, your rights under the DPL are analogous to those listed in section 2 (How can you exercise your rights in the context of our personal data processing?). International data transfers will be subject to the same safeguards as those summarised in section 7 (International transfers of personal data).

The competent supervisory authority for purposes of the DPL is the Ombudsman of the Cayman Islands.

Should you have any questions in respect of the application of the DPL please write to dl.hfsky_legal@us.bnpparibas.com.

Channels Islands
We will use the information you provide in a manner that conforms with the Data Protection (Jersey) Law 2018 and Data Protection (Bailiwick of Guernsey) Law, 2017. For any questions you may have, as well as to exercise your rights, please send your request to the following email address: dataprotectionci@je.bnpparibas.com

Czech Republic
Data Subject Rights

We, BNP Paribas entities registered in Czech Republic, including BNP Paribas S.A., registration number 662042449 RCS Paris, with its registered office at 5009 Paris, 16 Boulevard des Italiens, France, acting in the Czech Republic through its branch office BNP Paribas S.A.pobočka Česká republika, will not require you to include a scan/copy of your identity card for identification purposes, if you wish to exercise the rights listed in section 2 above. Instead, for identification purposes, you can,

  • Visit BNP Paribas entities registered in Czech Republic in person. 
  • Send an original letter with your hand signature which has been verified by a notary public.
  • Send as an email with your qualified electronic signature.

Complaints

In accordance with applicable regulation, you are also entitled to lodge a complaint with the competent supervisory authority. The contact details of the supervisory authority in the Czech Republic is:

ADDRESS: Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
TELEPHONE NUMBER: +420 234 665 111
EMAIL: posta@uoou.cz
DATA BOX: qkbaa2n

Changes to this Data Protection Notice

We may need to update this Data Protection Notice from time to time. We will inform you of any material changes through our website: https://www.bnpparibas.cz/en/

Denmark
Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, as well as certain services of BNP Paribas Securities Services, in Denmark is:

BNP Paribas S.A., Denmark
Filial af BNP Paribas S.A., Frankrig
CVR no. 38 45 16 34
Adelgade 12, 3rd floor
Email: gdpr.desk.cib@bnpparibas.com
Telephone no: + 45 32 71 19 40

Marketing

We, BNP Paribas S.A., Denmark, filial af BNP Paribas S.A., Frankrig will only send you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with Danish law.

Recording of telephone conversations

The Bank may record telephone conversations with clients for the purposes of documenting the content of agreements and to ensure the level of client services. All recordings of telephone conversations will be done in accordance with Danish law. Any recordings will be for the Banks own internal purposes and will not be disclosed to any third party, except within the BNP Paribas S.A. group.

Retention periods

In general and unless there are special reasons for a longer retention period, personal data will be stored for up to 5 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Danish Act on Measures to Prevent Money Laundering and Financing of Terrorism (as amended from time to time).

Questions

We, BNP Paribas S.A., Denmark filial af BNP Paribas S.A., Frankrig, ask that for any complaints you may have, please send your complaint to the following address:

BNP Paribas S.A., Denmark
Filial af BNP Paribas S.A., Frankrig
CVR no. 38 45 16 34
Adelgade 12, 3rd floor
DK-1304 Copenhagen K
Attention DPO

Finland
Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities in Finland is:

BNP Paribas SA, sivuliike Suomessa
Business ID: 2842938-6
Address:
Mikonkatu 3
00100 HELSINKI
Email: reception.finland@bnpparibas.com

We, BNP Paribas SA, sivuliike Suomessa, will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of Finnish banking secrecy law and/or Finnish anti-money laundering obligations and/or other local statutory requirements.

Marketing

We will only send you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with Finnish law.

Recording of telephone conversations

BNP Paribas entities registered in Finland will not record any phone communications with you unless we have received your authorisation to such phone recording.

Retention periods

As regards conservation of inherent documentation to the individual In general, and unless there are special reasons for a longer retention period, personal data will be stored for up to 5 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Finnish Money Laundering and Terrorist Financing Prevention Act (as amended from time to time).

Questions

We ask that for any questions that you may have, please direct such questions to the following address:

BNP Paribas SA, sivuliike Suomessa
Mikonkatu 3
00100 HELSINKI
Attention: DPO
Email: GDPR DESK CIB (gdpr.desk.cib@bnpparibas.com)

Germany
We, BNP Paribas entities registered in Germany, including BNP Paribas Niederlassung Deutschland, will only record phone communications you have with us if we are obliged by statutory law to do so or we have received your prior consent to such phone recording.

We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of German banking secrecy law and/or other local statutory requirements.

Greece
Marketing

We, BNP Paribas, Greek Branch, will only send to you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with the Greek law.

Recording of telephone conversations

The BNP Paribas registered in Greece may record telephone conversations with clients for the purpose of documenting the content of agreements and to ensure the level of client services. All recordings of telephone conversations will be performed in accordance with the Greek law. Any recordings will be for the Bank’s own internal purposes and will not be disclosed to any third party, except within the BNP Paribas S.A. group.

Retention periods

Concerning the processing of personal data to combat money laundering and the financing of terrorism, We, BNP Paribas registered in Greece, will store your personal data for up to 5 years after the business relationship with us has terminated or the date of an occasional transaction conducted pursuant to requirements in the Greek law. Records of phone and electronic communications relating to certain transactions are stored for up to 5 years and, if requested by the Hellenic Capital Markets Commission (HCMC), may be stored for a period of maximum 7 years after the business relationship with us has terminated or after the single transaction conducted pursuant to requirements in the Greek law.

Questions

For any questions you may have, as well as to exercise your rights, please send your request to the following address:

BNP Paribas, Greek Branch
2, Lampsakou str.
115 28 Athens
Attention: DPO
Telephone no.: +30 210 746 8000

Hungary
We, as BNP Paribas entities registered in Hungary, will only record phone communications you have with us if we are obliged by statutory law to do so (e.g. mandatory recording of complaints) or we can prove a legitimate interest  to such phone recording.

Notwithstanding the terms of this Data Protection Notice, we will only disclose your personal data, as set out in this Data Protection Notice, to the extent this does not violate provisions of the Hungarian banking secrecy law and/or other local statutory requirements.

In accordance with applicable regulation, you are also entitled to lodge a complaint with the competent supervisory authority. The contact details of the supervisory authority you can find in Appendix B of this Data Protection Notice.

We may need to update this Data Protection Notice from time to time. We will inform you of any material changes through our website: Data protection – BNP Paribas Hungary For any question you may have, please send your request to the following email address: hu.cib.gdpr@bnpparibas.com

Ireland
BNP Paribas entities registered in Ireland, will not record any phone communications with you unless we have received your authorisation to such phone recording. 

We, BNP Paribas Dublin Branch and BNP Paribas Fund Administration Services (Ireland) Limited ask that for any question you may have, as well as to exercise your rights, please send your request to the following email address: dataprotection.bpss.ireland@bnpparibas.com

We, BNP Paribas, Dublin branch, ask that for any question you may have, please send your request to the following email address dataprotectionofficer-roi@bnpparibas.com 

Italy
The data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities in Italy is:

BNP Paribas Italian Branch
Piazza Lina Bo Bardi, 3
20124 Milan, Italy

For any issues and/or questions relating to our use of your personal data, please contact the Italian Data Protection Officer at italydataprotectionofficer@bnpparibas.com

Marketing

BNP Paribas S.A., Italian Branch, in its quality as Data Controller of data collected through the Italian websites and/or virtual and physical events, will send marketing materials via electronic communications only, in accordance with Italian law.

Recording of telephone conversations

All recordings of telephone conversations will be done in accordance with Italian law.

Retention periods

As regards conservation of inherent documentation to the individual clients operations, burden of conservation of accounting records deriving from fiscal, civil and criminal legislation, fulfilment of due diligence obligations of clients for anti-money laundering purposes, the retention period is 10 years from the date of termination of the relationship, in accordance with Italian Law. Furthermore, personal data will be stored for up to 2 years for the purpose of tracking obligations of banking operations and inquiry operations banking, in accordance with Italian Law.

Kuwait
This section applies solely to data subjects in the State of Kuwait. Although the State of Kuwait does not have a specific personal data protection law, BNPP Group applies international best practice, as noted in our data protection notice above, when collecting, storing, transferring and processing personal and confidential information. Furthermore BNPP Group observes all local laws and regulations as they pertain to private and confidential data relating to personal status, health status, financial information and other personal information.

In case of a complaint/inquiry in regards to the protection of your personal information, please send an email to the following address: mea.communications.data.rights@bnpparibas.com; or send a letter to the following address:

Chief Operating Officer
Dar Al Awadi Complex, 24th floor, Ahmed Al Jaber Street, Sharq
P.O. Box 21188, Safat 13072, State of Kuwait

Luxembourg 
We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Luxembourg banking secrecy law and/or other local statutory requirements.

We, BNP Paribas, Luxembourg branch, ask that for any question you may have, as well as to exercise your rights, please send your request to the following email addresses: dpo@bgl.lu and gdpr.desk.securities.lu@bnpparibas.com.

Morocco
This section applies solely to data subjects in the Kingdom of Morocco as defined under Law No 09-08, dated February 18, 2009 relating to the protection of individuals with regard to the processing of personal data and its implementation Decree n° 2-09-165 of May 21, 2009 (together the “DP Law”) and the BNPP Group policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of the DP law.

To the extent BNP Paribas Regional Investment Company, with registered address Lot 57, Tour CFC, 15th floor, Casa Anfa Hassani Street, Casablanca, commercial number 293279, Casablanca, Morocco (“we”) is a controller of your personal data, please be informed of the specific provisions below. The below specific provisions are in addition to the above disclosures noted on this Data Protection Notice:

  • In case of transfers of personal data to a foreign state, we make sure to transfer your personal data to countries and regions with legal frameworks that provide an adequate level of protection for the privacy and fundamental rights and freedoms in respect of the processing of your personal data. Such transfers are done pursuant to the requisite authorizations by the relevant authorities and laws.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties (“Data Processor(s)”) where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send an email to the following address: mea.communications.data.rights@bnpparibas.com; or send a letter to the following address:

Data Protection Officer
Lot 57, Tour CFC,
15th floor,
Casa Anfa Hassani Street,
Casablanca,
Morocco

The competent supervisory authority for purposes of the DP Law is the Data Protection National Commission (Commission Nationale de Protection des Données Personnelles).

Netherlands
The relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, as well as certain services of BNP Paribas Securities Services, in the Netherlands is:

Herengracht 595
1017 CE Amsterdam
Email: gdpr.desk.cib@bnpparibas.com
Telephone no: + 31 20 5501212

Questions

For any complaints and/or data protection related questions data subjects can contact our Data Protection Officer:

BNP Paribas S.A., Netherlands
Herengracht 595
1017 CE Amsterdam
Attention DPO
Email: bnpp.nl.dpo@bnpparibas.com

Norway
Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, as well as certain services of BNP Paribas Securities Services, in Norway is:

BNP Paribas S.A. Norway Branch (NUF)
Filial of BNP Paribas S.A., France
Org. no. 918 654 496
Visiting address: Støperigata 2, 0250 Oslo, Norway
Postal address: Postbox 106 Sentrum, 0102 Oslo
Email: gdpr.desk.cib@bnpparibas.com
Telephone no.: +47 22 82 95 65

Marketing

We, BNP Paribas S.A., Norway Branch, will only send you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with Norwegian law.

Recording of telephone conversations

The Bank may record telephone conversations with clients for the purposes of documenting the content of agreements and to ensure the level of client services. All recordings of telephone conversations will be done in accordance with Norwegian law. Any recordings will be for the Banks own internal purposes and will not be disclosed to any third party, except within the BNP Paribas S.A. group.

Retention periods

In general and unless there are special reasons for a longer retention period, personal data will be stored for up to 5 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Norwegian Act on Measures to Prevent Money Laundering and Financing of Terrorism (as amended from time to time).

Questions

We, BNP Paribas S.A., Norway Branch ask that for any queries you may have about the Bank’s processing of Personal Data, please send your queries to the following address:

 BNP Paribas S.A. Norway Branch
Org. no. 918 654 496
PO Box 106 Sentrum, NO- 0102 OSLO, Norway
Attention DPO

Poland
This notice is issued by BNP Paribas S.A. Branch in Poland.

We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of the Polish banking and professional secrecy law and/or other local statutory requirements.
 
For any question you may have, as well as to exercise your rights, please send your request to the following email address: pl.cib.iodo@bnpparibas.com and/or to the following address:

BNP Paribas S.A. Oddział w Polsce
ul. Wronia 31
00-846 Warszawa

Portugal
Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, in Portugal is:

BNP Paribas, Portugal Branch
Address: Torre Ocidente, Rua Galileu Galilei, nº 2, 13º piso,
1500-392 Lisboa, Portugal
NIPC: 980 000 416

Marketing

We, BNP Paribas, Portugal Branch, will only send you marketing material via electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) in accordance with Portuguese law.

Recording of telephone conversations

The Bank may record telephone conversations with clients for the purposes of documenting the content of agreements and to ensure the level of client services. All recordings of telephone conversations will be done in accordance with Portuguese law. Any recordings will be for the Banks own internal purposes and will not be disclosed to any third party, except within the BNP Paribas S.A. group.

Retention periods

In general and unless there are special reasons for a longer retention period, personal data will be stored for up to 10 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Portuguese law.

Questions

If you have any questions relating to our use of your personal data under this Data Protection Notice (including for clients of BNP Paribas SA in the context of Securities Services activities), or if you would like a copy of this Data Protection Notice in your native language, please contact our Data Protection Office dpo.portugal@bnpparibas.com.

We, BNP Paribas, Portugal Branch ask that for any queries you may have about the Bank’s processing of Personal Data, please send your queries to the following address:

BNP Paribas, Portugal Branch
Email: dpo.portugal@bnpparibas.com

Qatar
This section applies solely to data subjects in the State of Qatar as defined under Law No. (13) of 2016 Concerning Personal Data Protection (the “QDPL”) and BNPP Group policies that have been adjusted in line with the provisions of the QDPL which took effect in 2017. The QDPL applies to personal data when this data is any of the following: (1) Processed electronically; (2) Obtained, collected or extracted in any other way in preparation for electronic processing; and (3) Processed by combining electronic processing and traditional processing.

Personal data is defined under the QDPL as data relating to a natural person whose identity is identified or is reasonably identifiable, whether through this data or by means of combining this data with any other data or details. In addition to the above disclosures, the following applies to Qatar data subjects protected by the QDPL

  • We will only collect, process and transfer personal data with your consent, unless it deemed necessary for realizing a “lawful purpose”.
  • We make sure to transfer your personal data to countries and regions with legal frameworks that provide an adequate level of protection for the privacy and fundamental rights and freedoms in respect of the processing of your personal data. Such transfers are done pursuant to the provision of the QDPL.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.
  • Unsolicited direct marketing is prohibited under the QDPL, we will always obtain your prior consent to send electronic marketing communications (including by wired or wireless communication).
  • Data subjects may at any time withdraw a previous approval they had granted to process their personal data.
  • Processing of sensitive personal data (related to racial origin, children, health or physical or psychological status, religious beliefs, marital relationship and criminal offence) is prohibited without the consent of the data owner, or the approval of the relevant authority in line with the QDPL.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send an email to the following address: mea.communications.data.rights@bnpparibas.com; or send a letter to the following address:

BNP Paribas SA – Qatar Branch
Al Fardan Office Tower, 6th Floor,
61 Al Funduq Street
Diplomatic District, West Bay, Qatar
Attention: Data Protection Officer

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

Saudi Arabia
This section applies solely to data subjects in the Kingdom of Saudi Arabia (“KSA”) as defined under the Personal Data Protection Law (“PDPL”) promulgated by Royal Decree No. M/19, dated 09/02/1443H (corresponding to 16 September 2021). BNPP’s Group policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of said PDPL. In addition to the above disclosures, the following applies to data subjects protected by the PDPL:

  • In some instances, we may be required to transfer your personal data outside the KSA, in case of cross-border transfers, we will only disclose your personal data to the extent necessary and to such third party or parties where we can ensure sufficient guarantees regarding the measures to protect the confidentiality, integrity and security of the personal data.
  • We shall notify you on becoming aware of any personal data breach that would have a serious harm to your data or yourself. 

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send an email to the following address: mea.communications.data.rights@bnpparibas.com;or send a letter to the following address:

Information Officer
4th floor of the Al-Faisaliah Tower, King Fahad Road in the Olaya District,
P.O. Box 18771, Riyadh 11425, Kingdom of Saudi Arabia.

Please include a scan/copy of your identity card for identification purpose. In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

South Africa
To the extent BNP Paribas SA South Africa Branch, with registered office at 11 Crescent Drive, Melrose Arch, Johannesburg, (“we”) is a controller of your personal data, please be informed of the specific provisions below. The below specific provisions are in addition to the above disclosures noted on this Data Protection Notice:

(a) We will use the information you provide in a manner that conforms with the (i) Promotion of Access to Information Act 2 of 2000 as well as (ii) the Protection of Personal Information Act, 4 of 2013, which regulates and controls the processing of natural and juristic persons’ personal data.

(b) If you are a juristic person:

  • we may collect and use personal data relating to the juristic person’s directors, officers, employees, beneficial owners, partners, shareholders, members, authorised signatories, representatives, agents, payers, payees, customers, guarantors, spouses of guarantors, sureties, spouses of sureties, other security providers and other persons related to the juristic person (hereafter referred to as “Related persons”);
  • you may provide the personal data of a Related Person to us, on condition that you warrant that the Related Person is aware that you are sharing their personal data with us, and that the related person has consented thereto. We will process the personal Data of related persons as stated in this Data Protection Notice, thus references to “you” or “your” in this Data Protection Notice will include related persons with the necessary amendments.

(c) Information we may share with other banks or request from other banks (Banker’s Code)

  • Another bank may ask us, at the request of that bank’s customer or for the bank itself, to provide information about your financial position. This is done by issuing what is known as a “Banker’s Code”. A Banker’s Code will only be provided with your express, implied, or tacit consent.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send an email to the following address: mea.communications.data.rights@bnpparibas.com; or send a letter to the following address:

BNP Paribas SA – South Africa Branch
4th Floor
11 Crescent Drive
Melrose Arch
2196
Johannesburg
South Africa
Attention: Information Officer

Please include a scan/copy of your identity card for identification purpose. In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

Spain
Provided that a contractual relationship exists, please note the legal obligation of Spanish Credit Institutions to inform the legal representatives and authorised persons of the transfer of data to the filing System “Fichero de Titularidades Financieras” whose controller is the Secretaría de Estado de Economía, acting SEPLAC as its data processor.

For any question you may have, as well as to exercise your rights, please send your request to the following email address: DPOdeskSpain@bnpparibas.com.

Sweden
Provided that a contractual relationship exists, the relevant data controller for the processing of your personal data in relation to the BNP Paribas Group’s Corporate & Institutional Banking Business services and activities, as well as certain services of BNP Paribas Securities Services, in Sweden is:

BNP Paribas SA, Bankfilial Sverige
Corporate registration number: 516406-1029
Postal address:
P.O. Box 7763
103 96 Stockholm
Visitors:
Hovslagargatan 3
111 48 Stockholm
Email: gdpr.desk.cib@bnpparibas.com 
Telephone no:  +46 8 562 347 00

We will only disclose your personal data as set out in this Data Protection Notice to the extent this does not violate provisions of Swedish banking secrecy law and/or Swedish anti-money laundering obligations and/or other local statutory requirements.

Recording of telephone conversations

The Bank may record telephone conversations with clients for the purposes of documenting the content of agreements and to ensure the level of client services. Any and all recordings of telephone conversations will be done for the Bank’s internal purpose and in accordance with Swedish law and shall not be disclosed to any third party, except within the BNP Paribas SA Group.

Retention periods

In general, and unless there are special reasons for a longer retention period, personal data will be stored for up to 5 years after the business relationship with us has terminated or the single transaction conducted pursuant to requirements in the Swedish Money Laundering and Terrorist Financing (Prevention) Act (as amended from time to time).

Questions

We, BNP Paribas SA, Bankfilial Sverige ask that for any questions that you may have, please direct such questions to the following address:

BNP Paribas SA, Bankfilial Sverige
P.O. Box 7763
103 96 Stockholm
Attention: DPO

Switzerland
This Data Protection Notice applies to each BNP Paribas entities registered in Switzerland, including BNP Paribas local branch(es) and can be found at http://www.bnpparibas.ch/en/privacy-policy.

Please note that the BNP Paribas entities in Switzerland will only disclose your data as set out in this Data Protection Notice to the extent this does not violate provisions of the Swiss banking secrecy laws and/or other local requirements.

Sharing with Group companies may extend to intragroup processors which perform services on our behalf (such as our hubs in India, Luxembourg, Poland, Portugal and Spain). 

In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with data processors which perform services on our behalf and this include also external clouds solutions including data storage.

TRANSFERS OF PERSONAL DATA OUTSIDE SWITZERLAND

 In case of international transfers originating from Switzerland to a third country the transfer of your personal data may take place where the Swiss competent Authority has recognised the third country, as providing an adequate level of data protection. In such cases your personal data may be transferred on this basis.

For other transfers, we will implement an appropriate safeguard to ensure the protection of your personal data, being Standard contractual clauses approved by the European Commission and recognized by the Federal Data Protection and Information Commissioner (FDPIC) with appropriate Swiss adaptations.

To obtain a copy of these safeguards or details on where they are available, as well as for any other question you may have, including questions related to the exercise of your rights, please contact BNP Paribas Data Protection Officer in Switzerland at the following email address: dataprotection.switzerland@bnpparibas.com.

If you wish to learn more about Cookies and Security, please refer to the concerned policies on our website www.bnpparibas.ch/en/cookies.

UAE – Abu Dhabi Global Market Free Zone
This section applies solely to data subjects in Abu Dhabi Global Market (“ADGM”) as defined under ADGM Data Protection Regulations (“DPR”) enacted on the 11 February 2021. BNPP’s Group policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of the DPR. In addition to the above disclosures, the following applies to data subjects protected by the DPR:

  • In case of transfers of personal data outside the ADGM, we make sure to transfer your personal data to countries and regions that provide sufficient level of protection for your personal data. Such transfers, to the extent practicable, shall be in accordance with any applicable lists recognized by the ADGM commissioner.
  • Furthermore, in case of transfers of personal data outside the ADGM, we will only disclose your personal data to such third party or parties (“data processor(s)”) where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with the DPR and any applicable laws and regulations.
  • In some instances, we may be required to transfer your personal data to other countries whose level of protection has not been recognized by the ADGM commissioner. In such cases, we may rely on (i) your written consent. (ii) the exceptions provided by the DPR (e.g. transfers subject to appropriate safeguards, binding corporate rules…etc); as well on (iii) sufficient guarantees regarding the measures to protect the confidentiality and security of the personal data.
  • We shall notify you without undue delay and where feasible in case of a data breach that would likely result in a high risk to your data rights.
  • In some instances we may be exempted from complying with your request to rectify or erase data, where such rectification or erasure of personal data is not technically feasible, we must provide explicit, clear and prominent information explaining that rectification or erasure of the personal data would not be feasible.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above or to raise any queries, you may send an email to the following address: mea.communications.data.rights@bnpparibas.com; or send us a letter to the following address:

BNP Paribas SA – ADGM Branch
Part of 28th floor, 28, Al Khatem Tower,
Adgm Square, Al Maryah Island
P.O. Box 26114, Abu Dhabi
United Arab Emirates
Attention: Data Protection Officer

Or you may directly contact our Data Protection Officer:

Dmitri Hubbard
MEA & APAC Data Protection Officer
BNPP Paribas c/o 18/F Lincoln House
Quarry Bay, Hong Kong
Tel: +852 2909 8888
Email: mea.communications.data.rights@bnpparibas.com

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

UAE – Dubai International Financial Centre
This section applies solely to data subjects in Dubai International Financial Centre (“DIFC“) as defined under DPL No. 5 of 2020 (together the “DIFC DPL”) and  BNPP Group policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of the DIFC DPL. In addition to the above disclosures, the following applies to data subjects protected by the DIFC DPL:

  • We make sure to transfer your personal data to countries and regions that (i) provide sufficient levels of protection for your personal data; and (ii) provide adequate legal remedies. Such transfers, to the extent practicable, shall be in accordance with any applicable lists recognized by the relevant authorities and laws.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.
  • In some instances, we may be required to transfer your personal data to other countries whose level of protection has not been recognized by the relevant authorities in terms of the DIFC DPL. In such cases, we may rely on (i) the exceptions provided by the DIFC DPL (e.g. appropriate safeguards have been provided by the controller or processor of data and that enforceable data subject rights and effective legal remedies for data subjects are available
  • Data subjects may at any time withdraw a previous approval they had granted to process their personal data
  • Processing of special categories of personal data (related to Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person) is prohibited without the consent of the data owner, or one of the exception outlined under the DIFC DPL.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send an email to the following address: mea.communications.data.rights@bnpparibas.com; or send a letter to the following address:

BNP Paribas Wealth Management (DIFC) Ltd
DIFC, The Gate Building East, Level 12
P.O. Box 506573, Dubai
P.O. Box 506573, Dubai
United Arab Emirates
Attention: Chief Operating Officer

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

United Arab Emirates
This section applies solely to data subjects in the United Arab Emirates (the “UAE”) as defined under the Personal Data Protection Law (“PDPL”) No. 45 of 2022. BNPP’s Group policies have been adjusted to ensure all applicable personal data will be treated in accordance with the provisions of said PDPL. In addition to the above disclosures, the following applies to data subjects protected by the PDPL:

  • We make sure to transfer your personal data to countries and regions that (i) provide sufficient levels of protection for your personal data; and (ii) provide adequate legal remedies. Such transfers, to the extent practicable, shall be in accordance with any applicable lists recognized by the UAE data protection office and the relevant authorities and laws.
  • Furthermore, in case of international transfers, we will only disclose your personal data to such third party or parties where they have undertaken, in advance and in writing, to maintain the confidentiality, integrity and security of the personal data concerned, in accordance with applicable laws.
  • In some instances, we may be required to transfer your personal data to other countries whose level of protection has not been recognized by the relevant authorities in terms of the UAE PDPL. In such cases, we may rely on the exceptions provided by the UAE PDPL (e.g. transferring personal data under a contract that applies the requirements of the PDPL…etc) ); as well on (ii) sufficient guarantees regarding the measures to protect the confidentiality and security of the personal data.
  • We shall notify you on becoming aware of any personal data breach that would prejudice the privacy, confidentiality and security of your personal data.

You have a right to file a complaint with us or any regulator with jurisdiction about an alleged contravention of the protection of your personal information. If you wish to exercise the rights listed above, please send an email to the following address: mea.communications.data.rights@bnpparibas.com or send a letter to the following address:

Data Protection Officer
Abu Dhabi Branch, Etihad Tower-3, Level 12, Unit 1201 & 1206, UAE, Abu Dhabi.
P.O. Box 2742, Abu Dhabi
United Arab Emirates

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

United Kingdom
For other questions relating to our use of your personal data, please contact the BNP Paribas UK Data Protection Officer at the following email address: data.protection@uk.bnpparibas.com.

United States of America
Items in this provision supersede sections above where noted in relation to data processed by BNP Paribas US Wholesale Holdings Corp and US Corporate and Institutional Banking affiliates.

In addition to the categories of persons identified in Section 1 (Are you subject to this notice?), this notice also applies to  suppliers, vendors, and other third parties that provides products or services to or otherwise interacts with us.

In respect to Section 2 above, US residents may retain certain rights to the extent provided by applicable state and federal laws. Imported data may apply foreign standards as applicable.

In addition to the purposes listed in Section 3.1 (Your personal data is processed to comply with our various legal and/or regulatory obligations), we may process the contents of physical mail delivered to us to comply with our various legal and/or regulatory obligations.

California Notice at Collection
BNP Paribas (including applicable subsidiaries) (“we”, “our”), is responsible for collecting and processing your personal information in relation to our banking activities which include capital markets services, securities services, financing, treasury and advisory services.

We may collect personal information and sensitive personal information as described section 4 of our Data Protection Notice for the purposes described in section 3 of our Data Protection Notice.

We do not, and have never, sold the personal information of California residents.  As of July 1, 2023, we do not share personal information to facilitate cross-context behavioral advertising.  In the prior twelve months, we may have shared “online identifiers” and “Internet or other electronic network activity information” with content providers and marketers for the business purpose of delivering content and facilitating cross-context behavioral advertising. To the extent you have questions about this practice, please email us at dataprivacy@us.bnpparibas.com.

We will retain your personal information for the longer of:

  • the period required by applicable law;
  • such other period consistent with our policies and procedures.

Most personal information collected in relation to a specified client is kept for the duration of the contractual relationship plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law.

If you would like further information on the period for which your personal information will be stored or the criteria used to determine that period please contact us by referring to section 9 of our Data Protection Notice.

If you have any questions about this Notice or need to access it in an alternative format due to having a disability, please contact us by referring to section 9 of our Data Protection Notice.

Click here to view our full Data Protection Notice

Last revised on July 1, 2023.

Additional Information for California Residents
In addition to the above disclosures, the following applies to the personal information of California residents covered by the California Consumer Privacy Act, as amended (“CCPA”):

  • Personal information is defined under the CCPA to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular California consumer or household. Examples include, but are not limited to, social security numbers, bank and credit account information, transaction histories, credit information, and biometric data.
  • In the preceding 12 months, we have disclosed each category of personal information identified in section 4 of this Data Protection Notice (“What types of personal data do we collect?”) with one or more of the categories of recipients identified in section 6 of this Data Protection Notice (“Who do we share your personal data and why?”) for the business purposes described therein.
  • While we do collect sensitive personal information, we do not use sensitive personal information for purposes that the CCPA permits you to limit.
  • A consumer may request that we disclose to you (a) the categories of personal information the we have collected about you, (b) the categories of sources from which the personal information is collected, (c) the purpose for collecting the personal information, (d) the categories of third parties with whom we share personal information, and (e) the specific pieces of personal information that we have collected about you.
  • This notice provides: the purpose for collecting and/or sharing your personal data (section 3); the types of personal data we collect and/or share about you (section 4); the categories of sources from which your personal data is collected (section 5); and the categories of personal data we share with third parties (section 6).
  • A consumer may request to have their personal information deleted, to the extent required by law.
  • A consumer may request that we correct inaccurate personal information that we maintain about that consumer.
  • A consumer has a right to receive non-discriminatory treatment by a covered business for the exercise of privacy rights conferred by CCPA.
  • If you would like to exercise your rights under CCPA, or if you are a parent, guardian or legal representative making a request on behalf of a California resident, you may do so by email at: dataprivacy@us.bnpparibas.com; or by phone at: 212-841-3000.
  • Please note that identities of individuals requesting deletion or disclosure of their personal information must first be verified.  Your request must provide sufficient information to allow us to properly respond to your request. The identifying information provided in your request may be verified against third party databases for identification purposes. We are unable to respond to your request if we are unable to verify your identity.  Some personal information we process may not be subject to the rights described above.  For example, other laws may apply to certain personal information we process.  In that circumstance, we will follow the law that applies to the personal information at issue.