Data Protection

Last updated: 29th June 2023

Data protection notice

Preliminary section: Main amendments

As a trusted companion, the protection of your personal data is important to the BNP Paribas Group.

We have enhanced our Privacy Notice by being more transparent on certain processing operations we implement.

Introduction

The protection of your personal data is at the heart of our concerns.

BNP Paribas SA (Communication Groupe) ("We"), as a controller, through our various brands, including for example BNP Paribas, We Are Tennis, We Love Cinéma, Echonet, are responsible for the collection and processing of your personal data that we use in the context of our activities.

The purpose of this Privacy Notice is to explain how we process your personal data and how you can control and manage them.


1. Are you subject to this notice?

This Privacy Notice applies to you if you are ("You"):

  • A person interested in our products, services or content (newsletters...), who subscribes to email alerts of our news and press releases, who interacts directly or indirectly with us (through the contact form on our websites or our social networks), or who consults our websites or participates in an event organized by BNP Paribas.
  • A candidate interested in job offers published by the BNP Paribas Group, subscribing to our alerts via email.
  • A journalist in contact with our press teams.
  • A user of social networks, who may post a publication related to the activity of the BNP Paribas group.

When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Privacy Notice. We will ensure that we will do the same whenever possible (e.g., when we have the person's contact details).

2. How can you control the processing activities we do on your personal data?

You have rights which allow you to exercise real control over your personal data and how we process them.

Depending on the case that concerns you and given the diversity of situations, businesses and services related to the activities of the BNP Paribas group, several channels are provided to address your request as directly as possible. They are described below.

Please follow the instructions appropriate to your situation:

A) If you wish to exercise your rights, in a context related with BNP Paribas Group’s activities described below because:

B) If your request relates to your data processed by Group Communication and you are in one of the situations specified below:

  • Your personal data have been collected on the https://group.bnpparibas/ website (subscription to a newsletter, email alert to be informed of the new job offers, question asked through the contact form),
  • Your data have been collected by Group Communication as part of an event organized by BNP Paribas or of which BNP Paribas is a partner
  • Your data have been collected by us through one of BNP Paribas Group Communication's websites (specifically We Are Tennis, We Love Cinema, Cercle des actionnaires, Histoire)
  • You are a journalist, and your request concerns your data held by BNP Paribas
  • You wish to exercise your rights related to the use of your personal data on social networks
  • Your data have been collected by BNP Paribas Group Communication in another context: please fill out and return the attached form below to us according to the conditions specified in it. 

2.1. You can request access to your personal data

If you wish to have access to your personal data, we will provide you with a copy of the personal data you requested as well as information relating to their processing.

2.2. You can ask for the correction of your personal data

If you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified or completed accordingly. In some cases, supporting documentation may be required.

2.3. You can request the deletion of your personal data

If you wish, you may request the deletion of your personal data, to the extent permitted by law.

2.4. You can object to the processing of your personal data based on legitimate interests

If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your personal situation, by informing us precisely of the processing activity involved and the reasons for the objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise, or defence of legal claims.

2.5. You can object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for commercial prospecting purposes, including profiling, insofar as it is linked to such prospecting.

2.6. You can suspend the use of your personal data

If you question the accuracy of the personal data we use or object to the processing of your personal data, we will verify or review your request. You may request that we suspend the use of your personal data while we review your request.

2.7. You have rights against an automated decision

As a matter of principle, you have the right not to be subject to a decision based solely on automated processing based on profiling or otherwise that has a legal effect or significantly affects you. However, we may automate such a decision if it is necessary for the entering into or performance of a contract with us, authorised by regulation or if you have given your consent.

In any event, you have the right to challenge the decision, express your views and request the intervention of a competent person to review the decision.

2.8. You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

2.9. You can request the portability of part of your personal data

You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.

2.10. You can arrange the management of your personal data after death

You can give us instructions on the retention, erasure and communication of your data after death.

2.11. How to file a complaint with the data protection supervisory authority

In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority, which is usually the one in your place of residence (e.g., the CNIL (Commission Nationale de l'Informatique et des Libertés) in France).

If you have any questions regarding the use of your personal data under this Notice, please contact us at: Request Information

3. Why and on which legal basis do we use your personal data?

In this section we explain why we process your personal data and the legal basis for doing so.

3.1. Your personal data are processed to comply with our various regulatory obligations

Your personal data are processed when this is necessary to enable us to comply with the regulations to which we are subject, such as banking and financial regulations, and in particular in the following context:

  • replying to an official request from a duly authorised public or judicial authority.

3.2. Your personal data are processed to perform a contract to which you are a party or pre-contractual measures taken at your request

Your personal data are processed when it is necessary to enter into or perform a contract to:

  • Provide you with information related to our products and services.
  • Access our digital services.
  • Respond to your requests and assist you.

3.3. Your personal data are processed to fulfil our legitimate interest or that of a third party

Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 2 above.

We use your personal data in order to deploy and develop our products or services, to improve our risk management and to defend our legal rights, and also for:

  • IT management, including infrastructure management (e.g.: shared platforms) & business continuity and IT security,
  • Taking the necessary measures in the event of suspicion and/or breach of IT security rules,
  • Managing security of our IT systems and preventing fraud,
  • Establishing aggregated statistics and/or tests (e.g., A/B testing), to improve existing products and services or create new ones or to improve your experience on our websites,
  • Communicating and interacting with you via our various communication channels (emails or messages, visits to our websites, etc.),
  • Managing our activities and our presence on social networks (see more details in section 5.3),
  • Analysing your habits and preferences in our various communication channels (emails or messages, visits to our website, social networks, etc.),
  • Sharing your data with another BNP Paribas entity, notably if you are – or are to become – a client of that other entity,
  • Administering a contest, sweepstakes, giveaway, competition, or other similar marketing campaign or offering promotional games and managing events,
  • Managing and sending prizes won by participating in one of our contests,
  • Communicating about our news, and what we generally do at BNP Paribas or in other brands managed by Group Communications,
  • Responding to your inquiries,
  • Improving and personalising your experience on our websites and applications,
  • Administering any consumer loyalty or rewards programs that are associated with your user account.

Your data may be aggregated into anonymized statistics that may be shared with our partners and service providers. In this case those receiving your personal data will be unable to ascertain your identity.

3.4. Your personal data are processed if you have given your consent

For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.

In particular, we ask for your consent for:

  • Sending email notifications and newsletters if you have subscribed to them (e.g., BNP Paribas Group news)
  • Administering contests or other similar marketing campaigns.

You may be asked for further consent to process your personal data where necessary.

4. What types of personal data do we collect?

We collect and use your personal data, meaning any information that identifies or allows one to identify you.

Depending among others on the types of products or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

  • Identification information: (e.g., full name, identity card or passport number, place and date of birth, nationality, gender, photograph)
  • Contact information: (private or professional) postal address, e-mail address, phone number.
  • Information relating to your family situation: e.g., marital status, number of children.
  • Education and employment information: e.g., level of education, employment, employer's name.
  • Status as customer or prospect
  • Information related to your devices and digital activities (e.g., PC, mobile phone, tablet, IP address, browsing activity, geolocation)
  • Data relating to your habits and preferences in connection with the use of our products and services:
    • Data collected from our interactions with you: e.g., your comments, suggestions, needs collected during our exchanges with you online or during phone communications (conversation), your voice and your image during videoconferences, discussion by e-mail, chat, chatbot, exchanges on our websites, applications, social media pages and your latest complaints.
    • Connection and tracking data such as cookies and trackers on our websites, our online services, our apps, and our social network pages
  • Data concerning your hobbies and your interests.

We may collect sensitive data published as part of social media monitoring activities (see section 5.3 below), carried out in compliance with the strict conditions defined by data protection regulations.

5. Who do we collect personal data from?

We collect personal data directly from you; however, we may also collect personal data from other sources.

5.1. We sometimes collect data from the following public sources: 

  • Publications/databases made available by official authorities or third parties (e.g., the Official Journal of the French Republic, the Trade and Companies Register, databases managed by the supervisory authorities of the financial sector)
  • Websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page)
  • Databases made publicly accessible by third parties. For journalists, we benefit from the data recorded in the "Hors Antenne" database of the company CISION (first name, last name, email address(es), social network accounts, phone number(s), media contributions, function(s), favourite subjects).

5.2. We also collect personal data from third parties.

This may be the case, for example, when your employer provides us with information about you, or when your contact details are provided to us by one of our customers or service providers because you are, for example:

  • A family member.
  • Legal representative (mandates/delegations of authority).
  • Shareholder(s) of companies.
  • A member of staff of our service providers and business partners.
  • Journalist(s).
  • Personal contact(s).

5.3. Collection of personal data via social networks

Today, the use of social networks by companies is essential.

In order for us to effectively carry out Our mission, it is essential for us to be present on social networks, and this presence may result in the processing of some of your personal data.

Thus, as part of our legitimate interest for our marketing, communication, advertising and publication needs, as well as for crisis management and customer relationship management, we may collect the following personal data:

  • Your interactions with Us on our social media pages and posts, including your latest claims and complaints.
  • Data from social media pages and posts containing information that you have made public.

More specifically these personal data will be processed for the following purposes:

  • Crisis management (social listening) and customer relationship management, which includes:
    • Crisis prevention: monitoring and analysing social networks and the web using keywords to assess BNP Paribas' reputation as well as to be informed of what is being said about specific topics in order to be able to communicate accordingly.
    • Crisis management: being able to analyse issues related to certain publications and act accordingly, respond to publications or comments from social media users; detect and report fake accounts and publications; or investigate serious allegations or claims
  • Marketing, communication, advertising and publications, including:
    • Data extraction to identify trending topics by collecting publicly available data on social networks
    • Publication of articles.
    • Suggest posts based on your interests.
    • The segmentation of our prospects and customers and social network users according to their influence.
    • Optimize advertising/targeted marketing through segmentation of advertising/marketing recipients.

In this context, we use external services providers.

6. Who do we share your personal data with and why?

A) With BNP Paribas Group's entities

As a member of the BNP Paribas Group, we work closely with the Group's other companies worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:

  • comply with our various legal and regulatory obligations described above.
  • fulfil our legitimate interests as described above.

B) With recipients outside the BNP Paribas Group and processors

In order to fulfil some of the purposes described in this Privacy Notice, we may, where necessary, share your personal data with:

  • processors which perform services on our behalf (e.g., IT services, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing).
  • banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations.
  • local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (e.g., the Banque de France, Caisse des dépôts et des Consignations), to which we, or any member of the BNP Paribas Group, are required to disclose pursuant to:
    • their request.
    • our defence, action or proceeding.
    • complying with a regulation or a recommendation issued from a competent authority applying to us or any member of the BNP Paribas Group.
  • certain regulated professions such as lawyers, notaries, or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the BNP Paribas Group.

7. International transfers of personal data

In case of international transfers originating from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place. Where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to non-EEA countries where the level of protection has not been recognized as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

  • Standard contractual clauses approved by the European Commission.
  • Binding corporate rules.

To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in section 2 above.

8. How long do we keep your personal data?

We will retain your personal data for the period required to comply with applicable laws and regulations or for the period that meets our operational requirements, such as proper account maintenance, facilitating customer relationship management and responding to legal or regulatory requests.

In any case, your personal data is kept for the duration needed to pursue the purposes of the processing.

9. How to follow the evolution of this privacy notice

In a world where technologies are constantly evolving, we regularly review this Privacy Notice and update it as required.

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.