Data Protection Notice

The protection of your personal data is important to the BNP Paribas Group.

This Data Protection Notice is directed to the clients, direct relationships and service providers/vendors of BGL BNP Paribas as well as the persons set out in section 2 ("you").

This Data Protection Notice provides you with detailed information relating to the protection of your personal data by BGL BNP Paribas S.A., 50, avenue J.F. Kennedy, L-2951 Luxembourg ("we").

We are responsible, as a controller, for collecting and processing your personal data in relation to our activities. The purpose of this Data Protection Notice is to let you know which personal data we collect about you, the reasons why we use and share such data, how long we keep it, what your rights are and how you can exercise them.

Further information may be provided where necessary when you apply for a specific product or service.

1. WHICH PERSONAL DATA DO WE USE ABOUT YOU?

We collect and use your personal data to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services.

We may collect various types of personal data about you, including:

  • personal identification data (e.g. name, postal address (private and professional), phone number (private and professional));
  • official identification data (e.g. ID card and passport numbers, tax ID);
  • personal details (e.g. place and date of birth, gender, marital status, nationality);
  • data concerning household composition (e.g. family situation, number of children);
  • electronic identification data (e.g. e-mail address, IP address, electronic signature, remote connection data);
  • banking and financial data (e.g. bank account details, credit or debit card number, financial situation data (income, assets, credit history, debts and expenses), transactional data, insurance data, declared investor profile, professional activity);
  • data relating to housing characteristics (e.g. housing type, rent, rental expenses);
  • education, training and qualification data (e.g. level of education, professional qualification);
  • career and employment data (e.g. employment, employer’s name, remuneration);
  • data relating to your habits and preferences:
  • data which relates to your use of our products and services (banking, financial and transactional data);
  • data from your interactions with us: our branches (contact reports), our websites, our apps, our social media pages, meetings, calls, chats, e-mails, interviews, phone conversations;
  • data relating to your lifestyle and consumption habits;
  • image recording data (e.g. video surveillance (including CCTV), photograph, digital photos);
  • phone recording data;
  • geolocation data (e.g. showing locations of withdrawals and payments, or the location of the branch nearest to you; for the security of ATMs and branches).

As a general rule, we do not collect personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your sex life or sexual orientation.

Only upon obtaining your explicit prior consent, we may collect and use biometric data (e.g. fingerprint, voice pattern or facial recognition which can be used for identification and security purposes).

As part of our activities as insurance intermediary, we may process health data on behalf and under the responsibility of the insurance undertaking with which you have concluded an insurance contract.

We only process data relating to criminal convictions and offences if required through a legal obligation. The data we use about you may be directly provided by you or obtained from other sources in order to verify or enrich our databases, such as:

  • publications/databases made available by official authorities (e.g. the "registre de commerce et des sociétés");
  • our corporate clients or service providers/vendors;
  • third parties such as credit reference agencies and fraud prevention agencies or data brokers in conformity with the data protection legislation;
  • websites/social media pages containing information made public by you (e.g. your own website or social media);
  • databases made publicly available by third parties.

2. SPECIFIC CASES OF PERSONAL DATA COLLECTION, INCLUDING INDIRECT COLLECTION

In certain circumstances, we may collect and use personal data of individuals with whom we could have (prospects) or used to have a direct relationship (former clients and former service providers/vendors).

We may also collect information about you even if you do not have a direct relationship with us. This may happen for instance when your employer provides us with information about you, or when your contact details are provided by one of our clients if you are for example:

  • a family member;
  • a successor or a right holder;
  • a policy holder;
  • a co-borrower/guarantor;
  • a legal representative (power of attorney);
  • a beneficiary of payment transactions made by our clients;
  • a beneficiary of insurance policies and trusts;
  • a landlord;
  • an ultimate beneficial owner;
  • a client’s debtor (e.g. in case of bankruptcy);
  • a company shareholder;
  • a representative of a legal entity (which may be a client or a service provider/vendor);
  • a staff member of one of our service providers/vendors or commercial partners.

3. WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?

a. To comply with our legal and regulatory obligations

We use your personal data to comply with various legal and regulatory obligations, including:

  • banking and financial regulations in compliance with which we: set up security measures in order to prevent abuse and fraud; detect transactions which deviate from normal patterns;
  • define your credit risk score and your reimbursement capacity; monitor and report risks that institutions could incur;
  • record, when necessary, phone calls, chats, e-mails, etc.;
  • reply to an official request from a duly authorised public or judicial authority;
  • prevention of money-laundering and financing of terrorism;
  • compliance with legislation relating to sanctions and embargoes;
  • fight against tax fraud and fulfilment of tax control and notification obligations.

b. To perform a contract with you or to take steps at your request before entering into a contract

We use your personal data to enter into and perform our contracts with you, including to:

  • manage our products (e.g. deposits, credits, payment instruments, insurance) and our services (e.g. transaction execution of any type, advice, wealth management, insurance intermediary);
  • manage our relationship with you;
  • provide you with information regarding our products and services;
  • assist you and answer your requests;
  • evaluate if we can offer you a product or service and under which conditions;
  • provide products or services to our corporate clients of whom you are an employee or a client (for instance, in the context of cash management).

c. To pursue our legitimate interests

We use your personal data in order to deploy and develop our products and services, to improve our risk management and to defend our legal rights, as well as to:

  • keep proof of transactions;
  • perform behavioural and transactional analysis in order to detect fraud;
  • prevent personal injury and damage to goods;
  • ensure the security of persons and property;
  • perform IT management, including infrastructure management (e.g. shared platforms) & business continuity and IT security;
  • establish aggregated statistics, tests and models, for research and development, in order to improve the risk management of our Group or in order to improve existing products and services or create new ones;
  • perform client satisfaction and opinion surveys;
  • personalise our product and service offering by:
  • improving the quality of our banking, financial and insurance products and services;
  • advertising products or services that match your situation and profile as defined by us.

d. To respect your choice if we request your consent for specific processing

In some cases, we require your consent to process your data, for example:

  • where the above purposes lead to automated decision-making, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the logic involved, as well as the significance and the envisaged consequences of such processing;
  • if we need to carry out further processing for purposes other than those outlined in section 3, we will inform you and, where necessary, obtain your consent.

4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

In order to fulfil the aforementioned purposes, we communicate your personal data to:

  • service providers/vendors that perform services on our behalf;
  • independent agents, intermediaries or brokers, financial institutions, banking and commercial partners with which we have a regular relationship (e.g. banks, insurance companies, debit and credit card issuers);
  • supervisory, financial, taxation, administrative or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;
  • certain regulated professionals such as lawyers, notaries or auditors;
  • certain BNP Paribas Group entities (e.g. in case of consolidated risk management).

5. DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA?

In case of international transfers originating from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place where the European Commission has decided that the non-EEA country ensures an adequate level of data protection.

For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement standard contractual clauses approved by the European Commission to ensure the protection of your personal data.

To obtain a copy of these standard contractual clauses or details on where they are available, you can send a written request to us as set out in section 9.

6. FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will retain your personal data for the period required in order to comply with applicable laws and regulations, or for the period defined by our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. For instance, most client information is kept for the entire duration of the contractual relationship and for 10 years after the end of the contractual relationship.

7. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

In accordance with applicable regulations, you have the following rights to:

  • access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
  • rectify: where you consider that your personal data is inaccurate or incomplete, you can require that such personal data be modified accordingly.
  • erase: you can require the deletion of your personal data, to the extent permitted by law.
  • restrict: you can request the restriction of the processing of your personal data.
  • object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
  • withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
  • data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.

If you wish to exercise the rights listed above, please send a letter or an e-mail to the address set out in section 9. Please include a scan/copy of your identity card for identification purposes.

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority: the "Commission nationale pour la protection des données" (cnpd.lu).

8. HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?

In a world of constant technological changes, we will update this Data Protection Notice regularly.

We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.

9. HOW TO CONTACT US?

If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our data protection officer by letter to BGL BNP Paribas - Délégué à la Protection des données - 50, avenue J.-F. Kennedy, L-2951 Luxembourg or by e-mail to dpo@bgl.lu.

If you wish to learn more about cookies, please read our "Cookies Policy" available on our website http://www.bgl.lu.