Data protection notice

This notice applies to you if you are (“You”):

• one of our clients or in a contractual relationship with us (e.g. as guarantor and/or co-borrower);
• a member of our client's family. Indeed, our clients may sometimes share information about their family with us to the extent necessary to provide them with a product or service or to get to know them better;
• an heir and/or successor of our client;
• a legal representative of our client (e.g. by virtue of a power of attorney or a delegation of authority);
• a beneficial owner;
• a creditor (e.g. in case of bankruptcy);
• a person interested in our products or services whenever you provide us with your personal data (in a bank agency, on our websites and applications, during sponsorship events or operations) so that we may contact you;
• a beneficiary or beneficiaries of an insurance contract or policy or a trust.

If you provide us with personal data pertaining to other individuals, please inform them of the disclosure of their data and invite them to read this Notice. We will endeavour to do the same whenever possible (i.e., if we have the persons' details).

You have rights that allow you to exercise reasonable control over your personal data and the way we process it.

If you wish to exercise the rights described below, please send a request by post to the following address: BNP Paribas Factor - Marketing & Corporate Management - ACI : FFAC007 - Immeuble Allegro, 160-162 Boulevard MacDonald - ZAC Claude Bernard - CS 70011 - 75146 Paris Cedex 19 - France or to the following e-mail address: factor-donneespersonnelles@bnpparibas.com

If you have any questions regarding the use of your personal data under this Notice, please contact our Data Protection Officer at the following address : Data Protection Officer BNP Paribas Factor - Risk Management France - DPO - FFAC016- Immeuble Allegro, 160-162 Boulevard MacDonald - ZAC Claude Bernard - CS 70011 - 75146 Paris Cedex 19.

2.1 You may request access to your personal data

If you wish to get access to your personal data, we will provide you with a copy of the personal data to which you are requesting access and information about the processing of that data.

Your right of access may be limited where required by law. This is the case with the regulations on combating money laundering and terrorist financing, which prevent us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with the French CNIL (Commission Nationale de l'Informatique et de Libertés) which will refer to us.

2.2 You may request the rectification of your personal data

If you find that your personal data is either inaccurate or incomplete, you may request that it be amended or completed. In some cases, you may be asked to provide supporting documentation.

2.3 You may request the deletion of your personal data

If you wish, you may request the deletion of your personal data to the extent permitted by law.

2.4 You may object to the processing of your personal data based on legitimate interests

If you do not agree with a data processing based on legitimate interest, you may object to it, on grounds relating to your particular situation, by telling us exactly what processing is involved and why. We will no longer process your personal data unless there are compelling legitimate grounds for doing so or unless it is necessary for the asserting, exercising or defending any right in Court.

2.5 You may object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for commercial prospecting purposes, including profiling to the extent that it is related to such prospecting.

2.6 You may suspend the use of your personal data

If you question the accuracy of the data we use or object to your data being processed, we will verify or investigate your request. During the period in which your request is being considered, you may ask us to suspend the use of your data.

2.7 You have certain rights in relation to an automated decision

As a matter of principle, you have the right not to be subject to a fully automated decision based on profiling or otherwise which has a legal effect or significantly affects you. However, we may make such an automated decision if it is necessary for the conclusion/performance of an agreement with us, to the extent permitted by law, or if you have given your consent to it.

In any case, you have the right to challenge the decision, express your views, and request the intervention of a human being who may review the decision.

2.8 You may withdraw your consent

If you have given your consent to the processing of your personal data you may withdraw that consent at any time.

2.9 You may request the portability of some of your personal data

You may request a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format. Where technically feasible, you may request that we transfer this copy to a third party.

2.10 You may organise the handling of your personal data after your death

You may give us instructions on the retention, deletion and disclosure of your data after your death.

2.11 How to file a complaint with the CNIL

In addition to the rights mentioned above, you can lodge a complaint with the competent supervisory authority, which is usually that of your place of residence, the CNIL.

The purpose of this section is to explain why we process your personal data and the legal basis for doing so.

3.1 Your personal data is processed to comply with our various legal obligations

Your personal data is processed to the extent that such processing if necessary for us to comply with our regulatory obligations, including banking and financial regulations.

3.1.1 We use your personal data to:

• monitor transactions and operations to identify unusual activities (e.g. withdrawing a large sum of money in a country other than your country of residence);
• manage and report the risks (financial, credit, legal, compliance, reputational, etc.) that the BNP Paribas Group may encounter in the course of its business;
• record, in accordance with the Markets in Financial Instruments Directive (MIFID 2), communications in any form relating, at least, to transactions concluded in the context of proprietary trading and the supply of services relating to client orders that concern the receipt, transmission and execution of client orders;
• assess the suitability and adequacy of each client's profile for the provision of investment services in accordance with the Markets in Financial Instruments Regulation (MiFID 2);
• contribute to combating tax evasion and to fulfill our reporting and tax audit obligations;
• record transactions for accounting purposes;
• prevent, detect, and report risks related to Corporate Social Responsibility and sustainable development;
• detect and prevent corruption;
• comply with the provisions applicable to trust service providers issuing electronic signature certificates;
• exchange and report various operations, transactions or requests or respond to an official request from a duly authorised local or foreign judicial, criminal, administrative, tax or financial authority, arbitrator or mediator, law enforcement authorities, government bodies or public agencies.

3.1.2 We also process your personal data to combat money laundering and terrorist financing

We belong to a banking group that must maintain a robust anti-money laundering and anti-terrorist financing (AML/CFT) system at entity level, managed centrally, as well as a comprehensive framework for the implementation of local, European and international sanctions decisions.
In this context, we are joint data controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” in this section also includes BNP Paribas SA).

The processing operations implemented to meet these legal requirements are detailed in Appendix 1.

3.2 Your personal data is processed for the purpose of performing an agreement to which you are a party or pre-contractual measures taken at your request

Your personal data is processed whenever necessary for the conclusion or performance of an agreement and to:

• define your credit risk score and repayment capacity;
• assess (e.g. on the basis of your credit risk score) whether we can offer you a product or service and on what terms (e.g. price);
• supply you with the products and services purchased in accordance with the applicable agreement;
• manage existing debts (identification of clients in arrears);
• respond to your requests and assist you with your procedures;
• ensure the settlement of your estate.

3.3 We process your personal data for our legitimate interests or those of a third party

Where we rely on legitimate interests for processing, we balance this interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you want more information on the legitimate interest pursued by a processing operation, please contact us at the following address: BNP Paribas Factor Data Protection Officer –Risk Management France – DPO FFAC016-Immeuble Allegro, 160-162 Boulevard MacDonald – ZAC Claude Bernard – CS 70011 – 75146 Paris Cedex 19.

3.3.1 In connection with our factoring, banking and insurance activities, we use your personal data to:

• Manage the risks we encounter:
  • we keep records of transactions, including in electronic format;
  • we monitor your transactions to manage, prevent and detect fraud;
  • we collect debts;
  • we handle legal claims and defences in the event of litigation;
• Improve cyber security, manage our platforms and websites, and ensure business continuity.
• Prevent personal injury and damage to people and property through video surveillance.
• Improve the automation and efficiency of our operational processes and customer services (e.g. automatic filling of complaints, follow-up of your requests and satisfaction improvement based on data collected during our interactions with you such as telephone recordings, e-mails or chats).
• Help you manage your budget by automatically sorting your transaction data.
• Conduct statistical studies and develop predictive and descriptive models for:
  • marketing purposes: to identify the products and services we could offer you to better respond to your needs, create new offers or identify new trends among our clients, and to develop our marketing policy based on our clients' preferences;
  • safety purposes: to prevent potential incidents and improve safety management;
  • for compliance (such as anti-money laundering and combating the financing of terrorism) and risk management purposes;
  • for combatting fraud.
• Organise competitions, lotteries, promotional events, conduct opinion and client satisfaction surveys;

3.3.2 We use your personal data to send you commercial offers by e-mail, paper mail and telephone

As part of the BNP Paribas Group, we want to offer you access to our full range of products and services to better respond to your needs.

Once you are a client and unless you object to it, we may send you these offers electronically for our products and services and for those of the Group if they are similar to those you have already subscribed to.

We ensure that these commercial offers are for products or services that are relevant to your needs and complementary to those you already have, to match our respective interests.

We may also send you by telephone and post, unless you object to it, offers concerning our products and services and those of the Group and our trusted partners.

3.3.3 We analyse your personal data for standard profiling and to customise our products and offers

To improve your experience and satisfaction, we need to know which type of client you belong to. To this end, we build a standard profile from relevant data that we select from:

• data that you have directly communicated to us during our interactions with you or when you subscribe to a product or service;
• data resulting from the use of our products or services such as, for example, the data associated with your visits and interactions on your client's personal space;
• data from your use of our various online and offline channels (e.g. whether you are digitally inclined, whether you prefer a more autonomous client experience to subscribe to a product or service;

Unless you object, we will carry out this customization based on standard profiling. We may go further to better respond to your needs, if you agree, by making a customized proposal as indicated below.

3.4 Your personal data is processed if you have given your consent

For certain processing of personal data, we will provide you with specific information and ask for your consent. We remind you that you may withdraw your consent at any time.

In particular, we ask for your consent to use your browsing data (cookies) for commercial purposes or to enrich the knowledge of your profile.

You may be asked for further consent to process your personal data where necessary.

We collect and use your personal data, which is any information that identifies you or allows you to be identified.

Depending mainly on the type of product or service we provide to you and the interactions we have with you, we collect different types of personal data about you, including:

• Identification data: e.g. full name, gender, place and date of birth, nationality, identity card number, passport number, driving licence number, vehicle registration number, photo, signature;
• Contact information: (private or business) postal address, e-mail address, telephone number;
• Information about your financial situation and family life: for example, marital status, matrimonial regime, number of children, property you own: flat or house;
• Important moments in your life: e.g. recently married, divorced, in a relationship, having children;
• Lifestyle: hobbies and interests, travel, your environment (nomadic, sedentary);
• Economic, financial and tax information: e.g. tax ID, tax status, country of residence, salary and other income, amount of assets;
• Education and employment information: e.g. level of education, job, name of employer and salary;
• Banking and financial information relating to the factoring products and services provided to you: e.g. bank details, products and services purchased and used, card number, money transfers, assets, declared investor profile, credit history, payment incidents;
• Transaction data: account transfers and balances, transactions including beneficiary data including full names, addresses and contact details as well as details of bank transactions, amount, date, time and type of transaction (credit card, transfer, cheque, direct debit);
• Data about your habits and preferences in relation to the use of our products and services;
• Data collected in the course of our interactions with you: your comments, suggestions, needs from our exchanges with you in person and online during telephone communications (conversation), email discussions, chat, chatbot, exchanges on our social network pages and your latest complaints/requests. Your login and tracking data such as cookies and trackers for non-advertising or analytical purposes on our websites, online services, applications, social networking pages;
• Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical characteristics and unique identification data;
• Personalized login credentials or security features used to connect you to the BNP Paribas Factor website and applications.

We will never ask you to provide us with sensitive data such as health data, biometric data, or data relating to criminal offences, unless we are legally required to do so and in accordance with the strict requirements of data protection regulations.

We collect personal data directly from you, however we may also collect personal data from other sources.

We sometimes collect data from public sources:

• publications/databases made available by official authorities or third parties (e.g. the Journal Officiel de la République Française, the Registre du Commerce et des Sociétés, databases managed by financial sector supervisory authorities);
• websites/social network pages of legal entities or business clients containing information that you have made public (for example, your own website or social network page);
• public information such as that published in the press.

We also collect personal data from third parties:

• other BNP Paribas Group entities;
• our clients (companies or individuals);
• our business partners;
• payment initiation service providers and account aggregators (account information service providers);
• third parties such as credit reference agencies and fraud prevention agencies;
• data brokers who are responsible for ensuring that they collect relevant information in a lawful manner.

a. With BNP Paribas Group entities

As a member of the BNP Paribas Group, we work closely with other companies in the group worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:

• comply with the various legal and regulatory requirements described above.
• meet our legitimate interests which are:
  • manage, prevent and detect fraud;
  • conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;
  • improve the reliability of certain data about you held by other Group entities;
  • offer you access to all the Group's products and services that best match your expectations and needs;
  • customise the content and prices of factoring products and services for the client;

b. With recipients outside the BNP Paribas Group and subcontractors

In order to fulfil some of the purposes described in this Notice, we may, where necessary, share your personal data with:

• subcontractors who perform services on our behalf, e.g. IT services, printing services, telecommunication services, debt collection, consulting, distribution and marketing services;
• banking and business partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with whom we have a relationship if such transfer is necessary to provide services or products to you or to fulfil our contractual obligations or complete transactions (e.g. banks, correspondent banks, custodians, securities issuers, paying agents, trading platforms, insurance companies, payment system operators, payment card issuers or intermediaries, mutual guarantee companies or financial guarantee organisations);
• local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (such as the Banque de France, Caisse des dépôts et des Consignations), to whom we or any member of the BNP Paribas Group are required to disclose data:
  • at their request;
  • as part of our defence, any legal action or proceeding;
  • to comply with any regulation or recommendation issued by a competent authority to us or any member of the BNP Paribas Group;
• third party payment service providers (information about your bank accounts), for the purposes of providing a payment initiation or account information service if you have consented to the transfer of your data to that third party;
• certain regulated professions such as lawyers, notaries, or statutory auditors when specific circumstances so require (litigation, audit, etc.) as well as our insurers or any current or potential purchaser of BNP Paribas Group companies or activities.

In case of international transfers from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place on the basis of a decision by the European Commission, where the Commission has recognized that the country to which your data will be transferred provides an adequate level of protection. If we transfer your data to a country where the level of protection of your data has not been recognised as adequate by the European Commission, we will either rely on an exemption applicable to the specific situation (for example, if the transfer is necessary to perform an agreement with you, such as the execution of an international payment) or we will take one of the following measures to ensure the protection of your personal data:

• standard contractual clauses approved by the European Commission;
• binding corporate rules.

To obtain a copy of these data protection measures or to receive details of where they are available, you can send a written request to:
BNP Paribas Factor Data Protection Officer –Risk Management France DPO FFAC016 -Immeuble Allegro, 160-162 Boulevard MacDonald – ZAC Claude Bernard – CS 70011 – 75146 Paris Cedex 19.

For more information, see Appendix 2 “Retention Period”.

In a constantly evolving technological world, we regularly review this Notice and update it as necessary.

Please check the latest version of this document online, and we will keep you informed of any significant changes via our website or through our usual communication channels.

We belong to a banking group that must have a robust anti-money laundering and anti-terrorist financing (AML/CFT) system at entity level, managed centrally, an anti-corruption policy, as well as a comprehensive framework for compliance with International Sanctions (this refers to all economic or trade sanctions, including all laws, regulations, restrictive measures, embargoes or asset freezes enacted, governed, imposed or enforced by the French Republic, the European Union, the US Department of the Treasury's Office of Foreign Asset Control, and any competent authority in the territory in which we are established).
In this context, we are joint data controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” in this section therefore also includes BNP Paribas SA).

For AML/CFT purposes and to comply with international Sanctions, we carry out the following processing operations to meet our legal obligations:

• A reasonable Know Your Customer (KYC) framework designed to identify, update and confirm the identity of our clients, including their beneficial owners and agents where applicable;
• Enhanced identification and verification measures for high-risk clients, Politically Exposed Persons (PEPs) (PEPs are persons who are meant by the regulations to be more exposed to these risks, because of their functions or position (political, jurisdictional or administrative)) as well as for high-risk situations;
• Written policies and procedures and controls reasonably designed to ensure that the Bank does not enter into or maintain relationships with shell banks;
• A policy, based on its assessment of the risks and the economic situation, not to engage in any activity or business relationship in any currency:
  • for, on behalf of, or for the benefit of any person, entity or organisation subject to Sanctions by the French Republic, the European Union, the United States, the United Nations or, in some cases, other local sanctions in the territories in which the Group operates;
  • directly or indirectly involving territories under sanctions including Crimea/Sevastopol, Cuba, Iran, North Korea or Syria;
  • involving financial institutions or territories that may be related to, or controlled by, terrorist organisations, recognised as such by the competent authorities in France, the European Union, the United States or the UN.
• Screening of our client base and transactions, reasonably designed to ensure compliance with applicable laws ;
• Systems and processes to detect suspicious transactions, and to report suspicious transactions to the relevant authorities;
• A compliance programme reasonably designed to prevent and detect bribery and influence peddling in accordance with the Sapin II Law, the U.S FCPA, and the UK Bribery Act.

In this context, we rely upon:

• services provided by external providers such as Dow Jones services (Dow Jones & Company, inc, and its subsidiaries) which maintain lists of PEPs, sanction and adverse media;
• public information available in the press on facts related to money laundering, terrorist financing or corruption;
• knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at BNP Paribas Group level.

We carry out these checks when entering into a relationship, but also throughout the relationship we have with you, both on yourself and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be kept in order to identify you and to adapt our control if you enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which you are a party.

To meet our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international sanctions purposes between BNP Paribas Group entities. When your data is exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission's standard contractual clauses. When additional data is collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local sanctions, which constitutes our legitimate interest.