Data Protection Notice

INTRODUCTION

We take the protection of your personal data very seriously; accordingly, the BNP Paribas Group has adopted strong principles in its Personal Data Protection Charter available at https://group.bnpparibas/uploads/file/bnpparibas_personal_data_privacy_charter.pdf

BNP Paribas ("We"), as a controller, through our brands such as HelloBank! or BNP Paribas Banque privée, is responsible for collecting and processing your personal data in relation to its activities.

Our business is to help all our customers – individuals, entrepreneurs, small and medium-sized enterprises, large companies and institutional investors – in their day-to-day banking activities and in achieving their projects thanks to our financing, investment, savings and insurance solutions.

As a member of an integrated banking-insurance Group in collaboration with the various entities of the Group, we provide our customers with a complete range of banking, insurance and leasing products and services.

The purpose of this Privacy Notice is to explain how we process your personal data and how you can control and manage them.

Further information may be provided where necessary at the time of collection of your personal data.

 

1. ARE YOU SUBJECT TO THIS NOTICE?

This Privacy Notice applies to you if you are ("You"):

  • one of our customers or in a contractual relationship with us (e.g., as a guarantor);
  • a member of our customer family. Indeed, our customers may occasionally share with us information about their family when it is necessary to provide them with a product or service or to get to know them better;
  • a person interested in our products or services when you provide us with your personal data (in an agency, on our websites and applications, during events or sponsorship operations) so that we can contact you;
  • a person subject to this Privacy Notice for other reasons, e.g.:

    - heirs and assigns of a customer, declarants of a succession;

    - originators or beneficiaries of payment transactions;

    - customers of a legal entity customer;

    - beneficiaries of a contract or an insurance policy and a trust;

    - owners;

    - creditors (e.g., in the event of bankruptcy).

This Privacy Notice also applies to you, as a professional, if you are:

  • legal representative or authorised person (mandates/delegations of power) of a BNP Paribas legal entity customer, a partner, a supplier or a service provider of BNP Paribas;
  • employee of a BNP Paribas customer company (e.g., appointed contact person);
  • holder of a corporate card subscribed by a BNP Paribas customer company;
  • beneficial owner;
  • shareholder;
  • individual entrepreneur customer or auto-entrepreneur customer (you have chosen to carry out your activity without creating a legal entity).

When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Privacy Notice. We will ensure that we do the same whenever possible (e.g., when we have the person's contact details).

 

2. HOW CAN YOU CONTROL THE PROCESSING ACTIVITIES WE DO ON YOUR PERSONAL DATA?

You have rights which allow you to exercise real control over your personal data and how we process them.

If you wish to exercise the rights listed below, please submit a request by mailing a letter to the following address: BNP Paribas, APAC TDC Val de Marne, TSA 30233, 94729 FONTENAY-SOUS-BOIS Cedex, or on our websites, with a scan/copy of your identity card where required.

If you have any questions relating to our use of your personal data under this Privacy Notice, please contact our Data Protection Officer at the following address: BNP Paribas - Délégué à la Protection des Données RISK FRB DPO - 163 boulevard MacDonald - 75019 Paris.

2.1. You can request access to your personal data

You can directly access some data from your client account on our website or via the mobile application.

If you wish to have access to your personal data, we will provide you with a copy of the personal data you requested as well as information relating to their processing.

Your right of access may be limited in the cases foreseen by laws and regulations. This is the case with the regulation relating to anti-money laundering and countering the financing of terrorism, which prohibits us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with the Commission Nationale de l'Informatique et des Libertés (CNIL), which will request the data from us.

2.2. You can ask for the correction of your personal data

Where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified or completed accordingly. In some cases, supporting documentation may be required.

2.3. You can request the deletion of your personal data

If you wish, you may request the deletion of your personal data, to the extent permitted by law.

2.4. You can object to the processing of your personal data based on legitimate interests

If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for the objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise or defence of legal claims.

2.5. You can object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for commercial prospecting purposes, including profiling, insofar as it is linked to such prospecting.

2.6. You can suspend the use of your personal data

If you question the accuracy of the personal data we use or object to the processing of your personal data, we will verify or review your request. You may request that we suspend the use of your personal data while we review your request.

2.7. You have rights against an automated decision

As a matter of principle, you have the right not to be subject to a decision based solely on automated processing based on profiling or otherwise that has a legal effect or significantly affects you. However, we may automate such a decision if it is necessary for the entering into or performance of a contract with us, authorised by regulation or if you have given your consent.

In any event, you have the right to challenge the decision, express your views and request the intervention of a competent person to review the decision.

2.8. You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

2.9. You can request the portability of part of your personal data

You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.

2.10. You have the right to set guidelines with regards to the use of your personal data after your death

You can give us guidelines with regards to the retention, deletion and disclosure of your personal data after your death.

2.11. How to file a complaint with the CNIL

In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority, which is usually the one in your place of residence, such as the Commission Nationale de l'Informatique et des Libertés (CNIL) in France.

 

3. WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?

In this section we explain why we process your personal data and the legal basis for doing so.

3.1. Your personal data are processed to comply with our various regulatory obligations

Your personal data are processed where necessary to enable us to comply with the regulations to which we are subject, including banking and financial regulations.

3.1.1. We use your personal data to:

  • monitor operations and transactions to identify those which deviate from the normal routine/patterns (e.g., when you withdraw a large sum of money in a country other than your place of residence);
  • manage and report risks (financial, credit, legal, compliance or reputational risks etc.) that the BNP Paribas Group could incur in the context of its activities;
  • record, in compliance with the Markets in Financial Instruments Directive (MiFID 2 & MAD/MAR), communications in any form relating to, at the very least, transactions performed within proprietary trading and the provision of services relating to clients’ orders, in particular their receipt, transmission and execution;
  • assess the appropriateness and suitability of the investment services provided to each client in compliance with the Markets in Financial Instruments regulations (MiFID 2);
  • assist the fight against tax fraud and fulfil tax control and notification obligations;
  • record transactions for accounting purposes;
  • satisfy our obligations with regard to non-financial reporting and sustainable finance;
  • detect and prevent bribery;
  • comply with the provisions of eIDAS regulations on electronic signatures;
  • exchange and report different operations, transactions or orders or reply to an official request from a duly authorised local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies;
  • ensure the secure execution of payment services, including the detection and prevention of fraud by authenticating the payer in the framework of the Payment Services Directive (PSD2);
  • provide payment service providers who act at your request with information about your accounts, transactions and their respective beneficiaries or issuers. This includes, e.g., payment initiation service providers and providers of an account information service, also known as account aggregators;
  • fulfil our reporting and consultation obligations with the Bank of France: consultation, placement on and removal from the National File of Credit Repayment Incidents for Individuals (FICP), Central Cheques File (FCC chèques) and National File of Irregular Cheques (FNCI);
  • identify and ensure the management of inactive accounts and safes for questioning purposes of the National Register of Identification of Natural Persons (“Répertoire national d’identification des personnes physiques”);
  • declare the opening, closing or modification of an account or safe to the Directorate General of Public Finance for maintenance of the FICOBA file. In this context, we send certain information about the holder and any agents, legal representatives or beneficial owners;
  • assess your financial solvency when granting credit;
  • prevent non-payments;
  • comply with our duty to advise under the Insurance Distribution Directive (IDD) (in particular Article L. 521-4 of the French Insurance Code);
  • propose a specific offer to customers in a situation of financial fragility in application of the provisions of the French Monetary and Financial Code relating to the right to an account and relations with the customer (in particular Articles L312-1, L312-1-3, L312-1-1 B, R312-4-3, D312-5-1, R312-13);
  • offer a regulated banking mobility service;
  • meet our obligation to make services accessible to people with disabilities, for example with speech-to-text tools.

3.1.2. We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes

As part of a banking Group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/CTF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions.

In this context, we are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group.

The processing activities performed to meet these legal obligations are detailed in Appendix “Processing of personal data to combat money laundering and the financing of terrorism”.

3.2. Your personal data are processed to perform a contract to which you are a party or pre-contractual measures taken at your request

Your personal data are processed when it is necessary to enter into or perform a contract to:

  • define your credit risk score and your reimbursement capacity;
  • evaluate (e.g., on the basis of your credit risk score) if we can offer you a product or service and under which conditions (e.g., price);
  • provide you with the products and services subscribed to under the applicable contract (e.g., asset management for the customers of the Private Banking France (“Banque Privée France”));
  • manage existing debts (identification of customers with unpaid debts);
  • respond to your requests and assist you;
  • apply (including agreeing by phone or electronic signature) to products and services of BNP Paribas or distributed by BNP Paribas; among others, insurance products, telemonitoring, long-term rental, it being understood that the insurer or the service provider, as the case may be, remains responsible for the processing necessary for the implementation of the insurance operation and the provision of the service.

3.3. Your personal data are processed to fulfil our legitimate interest or that of a third party

Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us at the following address: BNP Paribas – Délégué à la Protection des Données RISK FRB DPO - 163 boulevard MacDonald - 75019 Paris.

3.3.1. In the course of our business as a bank-insurer, we use your personal data to:

  • manage the risks to which we are exposed:

    - we keep proof of operations or transactions, including in electronic evidence such as telephone conversations;

    - we work to manage, prevent and detect fraud, in particular by monitoring your transactions or by drawing up fraud lists containing the authors of proven frauds;

    - we carry out the collection of debts;

    - we handle legal claims and defences in the event of litigation;

    - we develop individual statistical models in order to help define your creditworthiness;

    - we consult, when authorised, the National File of Credit Repayment Incidents for Individuals (FICP) and the Central Cheques File (FCC chèques) maintained by the Bank of France;

    - we ensure the management of our environmental, corporate and governance risks;
  • enhance cyber security, manage our platforms and websites, and ensure business continuity;
  • use video surveillance to prevent personal injury and damage to people and property;
  • improve the automation and efficiency of our business processes and customer services;
  • enhance the automation and efficiency of our operational processes and customer services (e.g., test of our apps, creation of a chatbot for FAQs, automatic filling of complaints, tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you such as phone recordings, e-mails or chats);
  • assist you in managing your budget by automatic categorisation of your transaction data (it being understood that you can deactivate this feature at any time or categorise your transactions manually from your secure personal space). To categorise your transaction data, we carry out profiling taking into account the type of transaction (bank card, wire transfer, cheque, direct debit), the amount of the debit or credit transaction, the date, the description of the transaction, the name and category of the merchant, and the type of customer (individual/professional);
  • help you manage your accounts by sending you notifications on your devices;
  • carry out financial operations such as debt portfolio sales, securitisations, financing or refinancing of the BNP Paribas Group;
  • perform statistical studies and develop predictive and descriptive models (which may rely on artificial intelligence in compliance with regulations and guidelines of the competent authorities in this area) for the purposes of:

    - commercial purposes: to identify the products and services that could best meet your needs, to create new offers or identify new trends among our customers, to develop our commercial policy taking into account our customers' preferences (in particular to adapt the distribution, content and prices of our products and services on the basis of the profile of our customers);

    - optimisation and automation of our operational processes (e.g., the creation of a chatbot for FAQs);

    - safety purposes: to prevent potential incidents and enhance safety management;

    - compliance purposes (e.g., anti-money laundering and countering the financing of terrorism) and risk management;

    - anti-fraud purposes.
  • organise contests, lotteries, promotional operations, conduct opinion and customer satisfaction surveys;
  • carry out sponsorship operations (in particular to allow a customer to invite his/her contacts to benefit from our offers and services, or to join our websites and applications);
  • allow the issuance of tax receipts by associations that receive your donations;
  • ensure the continuous training of your BNP Paribas advisors with tools and practical cases based on real data;
  • allow you to receive transfers without entering an IBAN (Paylib solution with friends or Wero) in the absence of enrolment in these services;
  • provide products or services to our corporate clients of which you are an employee or customer (e.g., cash management products);
  • meet our sustainability commitments;
  • handle the settlement of your estate (including the remittance of funds held by BNP Paribas as part of the estate of the deceased);
  • manage our activities and social media presence (see section 5.3 for more details).

3.3.2. We use your personal data to send you commercial offers by electronic means, post and phone

As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs.

Once you are a customer and unless you object, we may send you these offers electronically for our products and services and those of the Group if they are similar to those you have already subscribed to.

We will ensure that these commercial offers relate to products or services that are relevant to your needs and complementary to those you already have to ensure that our respective interests are balanced.

We may also send you, by phone and post, unless you object, offers concerning our products and services as well as those of the Group and our trusted partners.

If you are a business client, we may send you, by electronic means, by phone and by post, unless you object, offers concerning our products and services as well as those of the Group and our trusted partners.

3.3.3. We analyse your personal data to perform standard profiling to personalise our products and offers

To enhance your experience and satisfaction, we need to determine to which customer group you belong. For this purpose, we build a standard profile from relevant data that we select from the following information:

- what you have directly communicated to us during our interactions with you or when you subscribe to a product or service;

- resulting from your use of our products or services such as those related to your accounts including the balance of the accounts, regular or atypical movements, the use of your card abroad as well as the automatic categorisation of your transaction data (e.g., the distribution of your expenses and your receipts by category as is visible in your customer area);

- from your use of our various channels: websites and applications (e.g., if you are digitally savvy, if you prefer a customer journey to subscribe to a product, or service with more autonomy (selfcare));

Unless you object, we will perform this customisation based on standard profiling. We may go further to better meet your needs, if you consent, by performing a tailor-made customisation as described below.

3.3.4. We record our interactions with you on the basis of our legitimate interest

In the course of the activities of our telephone platforms and branches network, we record all interactions (such as telephone conversations, e-mails and chats) between Group employees and their interlocutors.

In addition to the regulatory obligations referred to in 3.1, these records are also made on the basis of our legitimate interests in order to fulfil the following purposes:

  • provide evidence in the event of a customer dispute over an operation or transaction;
  • improve the automation and efficiency of our business processes and customer services. For example, by testing our applications, creating a chatbot for FAQs, automatic filling of complaints or online forms, tracking your requests and improving your satisfaction, speech-to-text (your voice commands when you call a call centre), interview report;
  • support the ongoing training of your BNP Paribas advisors;
  • enable technical analyses as part of the continuous improvement of voice quality and acoustic protection of advisers (e.g., presence of crackling).

You can exercise your rights as set out in this notice under Section 2 “How can you control the processing activities we do on your personal data?”.

3.4. Your personal data are processed if you have given your consent

For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.

In particular, we ask for your consent for:

  • tailor-made customisation of our offers and products or services based on more sophisticated profiling to anticipate your needs and behaviours;
  • any electronic offer for products and services not similar to those you have subscribed to or for products and services from our trusted partners, or any offer by electronic means as an individual who is not a customer;
  • personalisation of our offers, products and services based on your account data at other banks;
  • use of your navigation data (cookies) for commercial purposes or to enhance the knowledge of your profile.

You may be asked for further consent to process your personal data where necessary.

 

4. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?

We collect and use your personal data, meaning any information that identifies or allows one to identify you.

Depending among others on the types of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

- Identification information: e.g., full name, gender, place and date of birth, nationality, identity card number, passport number, driving licence number, vehicle registration number, photograph, signature;

- Contact information: (private or professional) postal address, e-mail address, phone number;

- Information relating to your financial and family situation: e.g., marital status, matrimonial regime, number of children and age, study or employment of children, composition of the household, property you own: apartment or house, index and detail of the EPD (Energy Performance Diagnosis);

- Milestones of your life: e.g., you recently got married, divorced, partnered, gave birth or lost a close relative;

- Lifestyle: hobbies and interests, travel, your environment (nomadic, sedentary);

- Economic, financial and tax information: e.g., tax ID, tax status, country of residence, salary and other income, amount of income tax reference, value of your assets;

- Education and employment information: e.g., level of education, employment, position held, employer's name and remuneration;

- Banking and financial information related to the products and services you hold: e.g., bank account details, products and services owned and used (credit, insurance, savings and investments, leasing, home protection), credit card number, money transfers, assets, profile of declared investor, credit history, payment incidents;

- Transaction data: account movements and balances, transactions including beneficiary's data such as full names, addresses and contact details as well as details of bank transactions (such as description of transaction, merchant name and category), amount, date, time and type of transaction (credit card, transfer, cheque, direct debit);

- Data relating to your habits and preferences in relation to the use of our products and services;

- Data collected from our interactions with you: e.g., your comments, suggestions, needs collected during our exchanges with you in person in our Agencies (reports) and online during phone communications (conversation), your voice and image during our videocalls, discussion by e-mail, chat, chatbot, exchanges on our social media pages and your latest complaints. Your connection and tracking data such as cookies, pixels and tracers for non-advertising or analytical purposes on our websites, online services, applications, social media pages, electronic communications;

- Data collected from the video protection/surveillance system (including CCTV) and geolocation: e.g., showing locations of withdrawals or payments for security reasons, or to identify the location of the nearest branch or service suppliers for you;

- Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and uniquely identifying data;

- Personalised login credentials or security features used to connect you to the BNP Paribas website and apps, or carry out a payment service.

We may collect sensitive data such as health data, biometric data, or data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations.

 

5. WHO DO WE COLLECT PERSONAL DATA FROM?

 

5.1. We sometimes collect data from public sources

 

5.2. We also collect personal data from third parties:

 

  • from other BNP Paribas Group entities;
  • from our customers (companies or individuals);
  • from our business partners;
  • from other credit institutions (e.g., for the performance of a payment or a bank transfer);
  • from service providers of payment initiation and account aggregators (service providers of account information);
  • from third parties such as credit reference agencies and fraud prevention agencies;
  • from data brokers who are responsible for ensuring that they collect relevant information in a lawful manner;
  • beneficiaries and declarants in the context of an estate;
  • certain regulated professions such as lawyers, notaries, when specific circumstances so require (litigation, estate, etc.);
  • finally, we may also collect data from authorities or institutions such as: the Banque de France, when consulting files (in particular the National Register of Household Credit Repayment Incidents (“Fichier national des incidents de remboursement des crédits aux particuliers”) or the Central Checks Register (“Fichier Central des Chèques”), the National Register of Identification of Natural Persons (“Répertoire national d’identification des personnes physiques”) as part of our obligations in terms of inactive accounts and safes, and the DGFIP (French Public Finances General Directorate), (“Direction Générale des Finances Publiques”) to verify the absence of multiple holdings of Livret A.

 

5.3. We collect personal data via social media

Today, it is essential that companies use social networks.

In order for us to effectively fulfil our mission, it is paramount for us to be present on social networks, and this presence is likely to result in the processing of some of your personal data.

Thus, in the context of our legitimate interests for our needs with regard to marketing, communication, advertising and our publications, as well as for crisis management and customer relationship management, we may collect the following personal data:

  • The exchanges you have had with Us on our pages and publications on social networks, including your latest complaints or grievances;
  • Data from social media pages and posts containing information that you have made public.

 

More specifically, this personal data will be processed for the following purposes:

  • Crisis management (“listening” to social networks) and customer relationship management, which includes:
    • crisis prevention: monitoring and analysing social networks and the web using keywords to assess the reputation of BNP Paribas and to be informed of what is being said about specific topics to be able to communicate accordingly;
    • crisis management: to be able to analyse issues related to certain publications and act accordingly; to respond to publications, posts or comments from users of social networks; to detect and report fake accounts and publications; or to investigate serious allegations or complaints;
  • Marketing, communication, advertising and publications, including:
    • data extraction to identify trending topics by collecting publicly available data on social networks;
    • publication of articles;
    • to suggest publications based on your interests;
    • segmentation of our prospects and customers and social media users according to their influence;
    • optimize targeted advertising/marketing through segmentation of advertising/marketing recipients.

 

In this context, we use services provided by external service providers.

 

6. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?

 

6.1. With BNP Paribas Group's entities

As a member of the BNP Paribas Group, we work closely with the Group's other companies worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:

  • comply with our various legal and regulatory obligations (see further details in section 3.1);
  • fulfil our legitimate interests which are:

    - to manage, prevent, detect fraud;

    - conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;

    - enhance the reliability of certain data about you held by other Group entities;

    - offer you access to all the Group's products and services that best meet your needs and wishes;

    - customise the content and prices of products and services;

    - facilitate the conclusion and performance of a contract entered with an entity of the BNP Paribas Group by transferring the data we already hold in order to limit your efforts. For example, in the framework of the distribution of insurance products by CARDIF or long-term rental products by ARVAL, it being understood that the insurer or the service provider, as the case may be, remains responsible for the processing necessary for the performance of the insurance operation and the provision of the service;

    - our financing and refinancing also constitute a legitimate interest implying your personal data may be shared with entities of the BNP Paribas Group and the Caisse de Refinancement de l’Habitat which are providing our refinancing.

6.2. With recipients outside the BNP Paribas Group and processors

In order to fulfil some of the purposes described in this Privacy Notice, we may, where necessary, share your personal data with:

  • processors which perform services on our behalf (e.g., IT services, printing services, telecommunication, debt collection, advisory and distribution and marketing);
  • banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g., banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries, mutual guarantee companies or financial guarantee institutions);
  • local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (e.g., the Banque de France, the Caisse des dépôts et des Consignations, the Direction générale des finances publiques), to which we, or any member of the BNP Paribas Group, are required to disclose pursuant to:

    - their request;

    - our defence, action or proceeding;

    - complying with a regulation or a recommendation issued from a competent authority applying to us or any member of the BNP Paribas Group;
  • service providers of third-party payment (information on your bank accounts), for the purposes of providing a payment initiation or account information service if you have consented to the transfer of your personal data to that third party;
  • certain regulated professions such as lawyers, notaries, or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the BNP Paribas Group.

     

7. INTERNATIONAL TRANSFERS OF PERSONAL DATA

In case of international transfers originating from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place on the basis of a decision of the European Commission recognising such non-EEA country as providing an adequate level of data protection.

For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

  • Standard contractual clauses approved by the European Commission;
  • Binding corporate rules.

To obtain a copy of these safeguards or details on where they are available, you can send a written request to BNP Paribas – Délégué à la Protection des Données RISK FRB DPO - 163 boulevard MacDonald - 75019 Paris.

 

8. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

For more information on retention periods, please refer to the Appendix “Retention periods”.

 

9. HOW TO FOLLOW THE EVOLUTION OF THIS PRIVACY NOTICE

In a world where technologies are constantly evolving, we regularly review this Privacy Notice and update it as required.

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.

 

APPENDIX

Processing of personal data to combat money laundering and the financing of terrorism

We are part of a banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all its entities managed at central level, an anti-corruption program, as well as a mechanism to ensure compliance with international Sanctions (i.e., any economic or trade sanctions, including associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed, or enforced by the French Republic, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in territories where BNP Paribas Group is established).

In this context, we act as joint controllers together with the entities of the BNP Paribas Group (the term “we” used in this appendix therefore also includes the entities of the BNP Paribas Group).

To comply with AML/CFT obligations and with international Sanctions, we carry out the processing operations listed hereinafter to comply with our legal obligations:

  • A Know Your Customer (KYC) program reasonably designed to identify, verify and update the identity of our customers, including where applicable, their respective beneficial owners and proxy holders;
  • Enhanced due diligence for high-risk clients, Politically Exposed Persons or “PEPs” (PEPs are persons defined by the regulations who, due to their function or position (political, jurisdictional or administrative), are more exposed to these risks), and for situations of increased risk;
  • Written policies, procedures and controls reasonably designed to ensure that the Bank does not establish or maintain relationships with shell banks;
  • A policy, based on the internal assessment of risks and of the economic situation, to generally not process or otherwise engage, regardless of the currency, in activity or business:

    - for, on behalf of, or for the benefit of any individual, entity or organisation subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in territories where the Group operates;

    - involving directly or indirectly sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea, or Syria;

    - involving financial institutions or territories which could be connected to or controlled by terrorist organisations, recognised as such by the relevant authorities in France, the European Union, the U.S. or the United Nations;
  • Customer database screening and transaction filtering reasonably designed to ensure compliance with applicable laws;
  • Systems and processes designed to detect and report suspicious activity to the relevant regulatory authorities;
  • A compliance program reasonably designed to prevent and detect bribery, corruption and unlawful influence pursuant to the French “Sapin II” Law, the U.S. FCPA, and the UK Bribery Act.

 

In this context, we make use of:

- services provided by external providers that maintain updated lists of PEPs such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges);

- public information available in the press on facts related to money laundering, the financing of terrorism or corruption;

- knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at the BNP Paribas Group level.

We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you, both on yourself and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be stored in order to identify you and to adapt our controls if you enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which you are a party.

In order to comply with our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international Sanctions purposes between BNP Paribas Group entities. When your data are exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When additional data are collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local penalties.

Retention periods

The retention periods for your personal data according to the purpose for processing are presented below.

Legal basis: compliance with our legal obligations.

| Macro-Purpose | Purposes | Retention Periods |
| Managing and reporting risks | Monitoring operations and transactions and thus identifying those that are abnormal/unusual (e.g., when you withdraw a large amount of money in a country other than your country of residence) | Maximum 5 years from the execution of the operation/transaction |
|  | Manage and report the risks (financial, legal, credit, compliance, reputational, etc.) that the BNP Paribas Group is likely to face in the context of its activities | 3 years to 20 years from the collection of the information and depending on the nature of the risk to be covered |
|  | Evaluate your financial solvency when granting credit | Until credit is granted |
|  | Prevent missed payments | For the duration of the business relationship |
| Comply with regulations concerning markets in financial instruments | Record, in accordance with regulations concerning the financial instruments markets (MiFID 2 & MAD/MAR), communications in any form relating, at minimum, to transactions done in the context of proprietary trading and the provision of services relating to customer orders that concern receiving, sending and executing customer orders | 7 years maximum from recording of the communication, depending on its nature |
|  | Conduct an assessment of the appropriateness and suitability to each client's profile of the provision of investment services in accordance with the Markets in Financial Instruments Regulations (MiFID II) | 10 years from the end of any contractual relationship |
|  | Respect our duty to advise under the Insurance Distribution Directive (IDD) (notably article L. 521-4 of the Insurance Code) | 2 years maximum from evaluation |
| Comply with legal obligations regarding financial security and professional ethics | Contribute to the fight against tax evasion and meet our tax reporting and auditing obligations | 6 years from the end of any contractual relationship |
|  | Detecting and preventing corruption | 2 months after the close of the file |
|  | Comply with the provisions of eIDAS regulations on electronic signatures | 5 years after the close of the contract |
|  | Exchanging and reporting different operations, transactions or requests or responding to an official request from a duly authorized local or foreign judicial, criminal, administrative, fiscal or financial authority, arbitrator or mediator, law enforcement authorities, government bodies or public organizations | 5 years maximum from the report or request |
|  | Ensure the security of the execution of payment services, including detecting and preventing fraud through authentication of the payer under the Payment Services Directive (PSD2) | From 2 years to 5 years from the date of detection of the fraud, depending on the operation |
|  | Provide payment service providers acting at your request with information about your accounts, transactions and their respective payees or issuers. These include, for example, originators of payment services and providers of an account information service also called "account aggregators" | No retention at the end of the communication |
|  | Implement Know Your Customer (KYC) procedures reasonably designed to identify, update and confirm the identity of our customers, including their beneficial owners and agents, if applicable | 5 years after the end of any contractual relationship |
|  | Combating money laundering and terrorist financing | 5 years from the transaction or the end of any contractual relationship |
| Comply with accounting, tax and banking standards or Corporate Social Responsibility | Record transactions for accounting purposes | 10 years from the end of the financial year |
|  | Satisfy our obligations with regard to non-financial reporting and sustainable finance | 10 years after the end of the relationship for customers. 3 years from last contact for prospects. |
|  | Fulfil our reporting and consultation obligations with the Bank of France: consultation, placement on and removal from the National File of Credit Repayment Incidents for Individuals (FICP), Central Cheques File (FCC Chèques) and National File of Irregular Cheques (FNCI) | 5 years after reporting |
|  | Declare the opening, closing or modification of an account or safe to the Directorate General of Public Finance for maintenance of the FICOBA file. In this context, we send certain information about the holder and any agents, legal representatives or beneficial owners | 5 years after reporting |
| Manage inactive accounts and safes | Identify and ensure the management of inactive accounts and safes for the purposes of querying the National Directory of Identification of Natural Persons | 20 to 30 years from triggering of the inactivity of the account or safe |
| Manage clients in situations of financial fragility | Propose a specific offer to customers in situations of financial fragility in application of the provisions of the Monetary and Financial Code relating to the right to hold an account and relations with the customer | 5 years maximum once the customer is no longer in a fragile situation |
| Manage banking mobility | Offer a regulated banking mobility offer | 2 years from acceptance of the offer |
| Manage accessibility | Meet our obligation of accessibility to services for people with disabilities, for example with speech to text tools | No retention |

Legal Grounds: performance of a contract or pre-contractual measures

| Macro-Purpose | Purposes | Retention Periods |
| Providing services or products and managing customer relationships | Defining the credit risk score and repayment capacity of customers | For the duration of the contract. No data related to prospects is retained |
|  | Assessing (e.g., on the basis of your credit risk score) whether we can offer you a product or service and on what terms (e.g., price) | 3 months maximum from the date of the proposal. |
|  | Provide you with the products and services accepted in accordance with the applicable contract | For the whole duration of the contractual relationship |
|  | Manage existing debts (identification of customers in situation of arrears) | 13 months to 5 years from the date the information letter is sent |
|  | Responding to your requests and assisting you with your processes | 5 years from the date your application is closed |
|  | Subscribe (notably agreement by telephone or electronic signature) to BNP Paribas products and services or distributed by BNP Paribas among others, insurance products, remote monitoring, long-term rental | 5 to 10 years after the end of the contract, depending on the purpose of the contract |

Legal Ground: to achieve our or a third party's legitimate interest

| Macro-Purpose | Purposes | Retention Periods |
| Managing the risks to which we are exposed | Keep evidence of operations or transactions, including in electronic format, notably telephone conversations | Maximum of 10 years after the operation |
|  | Manage, prevent and detect fraud, in particular by monitoring your transactions or by drawing up lists of frauds involving the perpetrators of proven fraud | 5 years for the fraud file from detection of the fraud |
|  | Collect debts | Maximum of 10 years from the close of the recovery file |
|  | Processing legal complaints and elements of defence in case of litigation | Maximum of 10 years from the operation or the close of the recovery file |
|  | Develop individual statistical models to facilitate the definition of your borrowing capacity | 6 months to 5 years maximum (depending on the subject of the study), after the study |
|  | Consult, when authorised, the National File of Credit Repayment Incidents for Individuals (FICP) and the Central Cheques File (FCC Chèques) maintained by the Bank of France | No retention of the result of the consultation |
|  | Manage our environmental, corporate and governance risks | 3 to 20 years from collection of the information and depending on the nature of the risk to be covered |
| Ensuring the safety of our customers, employees and operations | Improving cyber security, managing our platforms and websites, and ensuring business continuity | 5 years from detection |
|  | Preventing personal injury and damage to people and property through video surveillance | 30 days from recording |
| Optimize our business processes and customer services | Improve the automation and efficiency of our business processes and customer services | Up to 2 years after collection of the data depending on the nature of the processes |
| Offer services to manage your accounts or perform transactions | Assist you in managing your budget by automatically categorizing your transaction data | 13 months after categorizing the transaction data |
|  | Help you manage your accounts by sending you notifications on your devices | 13 months after sending the notification |
|  | Allow you to receive transfers without entering an IBAN (Paylib solution with friends or Wero) in the absence of enrolment in these services | 10 years after the end of the relationship |
| Managing the assets of BNP Paribas | Carrying out financial transactions such as sales of debt portfolios, securitisations, financing or refinancing of the Group | 10 years from the end of the financial transactions |
| Conducting statistical studies and developing predictive and descriptive models | For marketing purposes: identifying products and services that we can offer you to best meet your needs, creating new offers or identifying new trends among our customers and developing our marketing policy taking into account our customers' preferences | 6 months to 5 years maximum (depending on the subject of the study), from the study |
|  | For optimization and automation of our business processes |  |
|  | For safety purposes: preventing potential incidents and improving safety management |  |
|  | For compliance (such as anti-money laundering and countering the financing of terrorism) and risk management purposes |  |
|  | For anti-fraud purposes |  |
| Carry out commercial prospecting campaigns | Organising competitions, lotteries, promotional operations, carrying out opinion and customer satisfaction surveys | Depending on the nature of the operations: 3 months to 5 years from the end of the operation and depending on the nature of the operation |
|  | Carry out sponsorship operations (notably to allow a customer to invite his/her contacts to benefit from our offers and services, or to join our sites and applications) |  |
|  | Send you commercial offers electronically, by postal mail and telephone | For the entire contractual relationship for customers; and 3 years maximum for individual prospects or 5 years for professional prospects from the last contact at the prospect's initiative |
|  | Offer, by phone or postal mail, our products, those of other entities of the Group or of external partners | 2 years after approaching |
|  | Analyse your personal data to perform standard profiling to personalize our products and offers | 7 years from profiling |
| Allow tax receipts to be issued | Allow the issuance of tax receipts by associations that receive your gifts | 6 years after the gift |
| Train our employees | Ensure the ongoing training of your BNP Paribas representatives with tools and practical cases based on real data | 8 months after coaching |
| Provide services to legal entities | Provide products or services to our corporate clients of which you are an employee or customer | Throughout the duration of the contractual relationship |
| Deliver on our CSR commitment | Meet our sustainability commitments | If you have obtained credit, the term will be 10 years after the close of the credit agreement |
| Manage the settlement of an estate | Handle the settlement of your estate (including the remittance of funds held by BNP Paribas as part of the estate of the deceased) | Between 10 and 30 years from the closure of the estate settlement file |
| Manage our social networks | Manage our activities and our presence on social networks | 13 months after posting of a message by BNP Paribas |
| Record interactions with our customers | Provide evidence in the event of a customer's dispute over an operation or transaction | 6 months to 7 years depending on the nature of the exchanges and the nature of the interactions |
|  | Improve automation of our business processes and customer services. For example: testing our applications, creating a chatbot for FAQs, automatically filling out complaints or online forms, monitoring your requests and improving your satisfaction, speech to text (your voice commands when you contact a call centre), interview record | 1 year to 7 years depending on the nature of the process from the time of data collection |
|  | To support the ongoing training of your BNP Paribas representatives | 8 months from the interaction |
|  | Permit technical analyses in the framework of continuous improvement of the voice quality and acoustic protection of representatives | 6 months from the interaction |

(1) List of our websites: mabanque.bnpparibas, mabanquepro.bnpparibas, mabanqueprivee.bnpparibas, banqueentreprise.bnpparibas, hellobank.fr, hellobankpro.fr

(2) MesComptes and Hello Bank!

(3) List of insurance companies available in the document “Tarifs et Conditions” on our websites: mabanque.bnpparibas, mabanquepro.bnpparibas, mabanqueprivee.bnpparibas, banqueentreprise.bnpparibas, hellobank.fr, hellobankpro.fr