The protection of your personal data is important to the BNP Paribas Group, which has adopted strong principles in that respect for the entire Group.
This Data Protection Notice provides you with detailed information relating to the protection of your personal data by the BNP Paribas Asset Management entities listed in the Appendix, which are all subject to this Data Protection Notice (hereunder referred to as “we”).
We are responsible, as a controller, for collecting and processing your personal data in relation to our activities. The specific entity responsible for the processing of your personal data is identified in the paper or electronic communication which refers to this Data Protection Notice or to which this Data Protection Notice is attached (e.g. in our agreement with your organisation or in any ad hoc letter or email communicated to you). The purpose of this Data Protection Notice is to let you know which personal data we use about you, the reasons why we use and share such data, how long we keep it, what your rights are and how you can exercise them.
Further information may be provided where necessary when you apply for a specific product or service.
WHICH PERSONAL DATA DO WE COLLECT AND USE ABOUT YOU?
We collect and use your personal data to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services.
We may collect various types of personal data about you, including:
- identification information (e.g. name, ID card and passport numbers, nationality, place and date of birth, gender, photograph, IP address);
- contact information (e.g. postal address and e-mail address, phone number);
- family situation (e.g. marital status, number of children);
- tax status (e.g. tax ID, tax status);
- education, professional activity and employment information (e.g. level of education, employment, function (including existence of political function), employer’s name, remuneration);
- banking, financial and transactional data (e.g. bank account details, money transfers, assets, declared investor profile, credit history, origin of funds, debts and expenses);
- data relating to your habits and preferences :
- data which relate to your interest in and use of our products and services in relation with banking, financial and transactional data;
- data from your interactions with us: our branches (contact reports), our internet websites, our apps, our social media pages, meetings, calls, chats, emails, interviews, phone conversations;
- video surveillance (including CCTV) and geolocation data.
We may collect the following sensitive data only upon obtaining your explicit prior consent:
- biometric data : g. fingerprint, voice pattern or face pattern which can be used for identification and security purposes; and
- health data : for instance for the drawing up of some insurance contracts; this data is processed on a need-to-know basis.
We never ask for personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your sex orientation, unless it is required through a legal obligation.
The data we use about you may either be directly provided by you or be obtained from the following sources in order to verify or enrich our databases:
- other BNP Paribas Group entities, including BNP Paribas Asset Management companies;
- publications/databases made available by official authorities (e.g. the official journal);
- our corporate clients or service providers;
- third parties such as credit reference agencies and fraud prevention agencies or data brokers in conformity with the data protection legislation;
- websites/social media pages containing information made public by you (e.g. your own website or social media); and
- databases made publicly available by third parties.
SPECIFIC CASES OF PERSONAL DATA COLLECTION, INCLUDING INDIRECT COLLECTION
In certain circumstances, we collect and use personal data of individuals with whom we have, could have, or used to have a direct relationship such as:
- Visitors to our websites;
- Attendees of our events; or
- Service providers
In some cases, we also collect information about you whereas you have no direct relationship with us.
This may happen for instance when your employer provides us with information about you or your contact details are provided by one of our clients if you are, for example:
- Co-borrowers / guarantors;
- Legal representatives (power of attorney);
- Beneficiaries of payment transactions made by our clients;
- Beneficiaries of insurance policies and trusts;
- Ultimate beneficial owners;
- Clients‘ debtors (e.g. in case of bankruptcy);
- Company shareholders, board members and other contact persons for our ‘Know Your Customer’ (KYC) check;
- Representatives of a legal entity (which may be a client or a vendor);
- Advisory persons (e.g. consultants, custodians and lawyers); and
- Staff of service provider and commercial partners.
WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?
a. To comply with our legal and regulatory obligations
We use your personal data to comply with various legal and regulatory obligations, including:
- banking and financial regulations in compliance with which we:
- set up security measures in order to prevent abuse and fraud;
- detect transactions which deviate from normal patterns;
- determine the correct investor’s profile;
- carry out the ‘know-your-customer’ (KYC) check;
- define your credit risk score and your reimbursement capacity;
- monitor and report risks that institutions could incur; and
- record, when necessary, phone calls, chats, emails, etc.
- reply to an official request from a duly authorised public or judicial authority;
- prevention of money-laundering and financing of terrorism;
- compliance with legislation relating to sanctions and embargoes; and
- fight against tax fraud and fulfilment of tax control and notification obligations.
b. To perform a contract with you or to take steps at your request before entering into a contract
We use your personal data to enter into and perform our contracts, including to:
- provide you with information regarding our products and services;
- assist you and answer your requests;
- evaluate if we can offer you a product or service and under which conditions;
- managing the accounts and business relationship with our investors of whom you are a representative (for instance, when acting as a contact person in the context of a prospectus); and
- provide products or services to our corporate clients of whom you are an employee or a client (for instance, in the context of cash management).
c. To fulfil our legitimate interest
We use your personal data in order to deploy and develop our products or services, to improve our risk management and to defend our legal rights, including for:
- proof of transactions;
- fraud prevention;
- IT management, including infrastructure management (e.g. shared platforms) & business continuity and IT security;
- establishing individual statistical models, based on the analysis of transactions, for instance in order to help define your credit risk score;
- establishing aggregated statistics, tests and models, for research and development, in order to improve the risk management of our group of companies or in order to improve existing products and services or create new ones;
- centralising your personal data in a database enabling representatives of other BNP Paribas Asset Management entities to have access to it on a strict need to know basis so as to allow us to involve the right level of expertise to deal with your requests and avoid unnecessary administrative duplications;
- training of our personnel by recording phone calls to our call centres;
- personalising our offering to you and that of other BNP Paribas entities through:
- improving the quality of our financial products or services;
- advertising products or services that match with your situation and profile which can be achieved by :
- segmenting our prospects and clients;
- analysing your habits and preferences in the various channels (emails or messages, visits to our website, etc.);
- sharing your data with another BNP Paribas entity, notably if you (or the entity you represent) are – or are to become – a client of that other entity (including via a centralised database as regards other BNP Paribas Asset Management entities);
- matching the products or services that you already hold or use with other data we hold about you; and
- monitoring transactions to identify those which deviate from the normal routine.
Your data may be aggregated into anonymised statistics that may be offered to professional clients to assist them in developing their business. In this case, your personal data will not be disclosed to those receiving these anonymised statistics.
d. To respect your choice if we requested your consent for a specific type of processing
In some cases, we must require your consent to process your data, for example:
- where the above purposes lead to automated decision-making, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the logic involved, as well as the significance and the envisaged consequences of such processing; and
- if we need to carry out further processing for purposes other than those above in section 3, we will inform you and, where necessary, obtain your consent.
WHO DO WE SHARE YOUR PERSONAL DATA WITH?
In order to fulfill the aforementioned purposes, but subject to applicable law relating to information sharing, we only disclose your personal data to:
- BNP Paribas Group entities (e.g. so that you could benefit from our full range of group products and services);
- Service providers which perform services on our behalf;
- Independent agents, intermediaries or brokers, banking and commercial partners, with which we have regular relationship;
- Financial, tax, regulatory or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law; and
- Certain regulated professionals such as lawyers, notaries or auditors.
TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA
In case of international transfers originating from the European Economic Area (EEA), where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data will be transferred on this basis.
For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement the following safeguard to ensure the protection of your personal data:
- Standard contractual clauses approved by the European Commission;
To obtain a copy of these standard contractual clauses or details on where they are available, you can send a written request as set out in Section 9.
HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
We will retain your personal data for the longer of the period required in order to comply with applicable laws and regulations or another period with regard to our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. For instance, most client information is kept for the duration of the contractual relationship and 3 years after the end of the contractual relationship, subject to local laws and regulations; personal data collected in the ‘Know Your Customer’ process are retained 6 years after the end of the contractual relationship, subject to local laws and regulations; for prospects, information is kept for a maximum of 3 years after the last contact, subject to local laws and regulations. If you want more information about our retention policy, you can send a written request as set out in Section 9.
WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?
In accordance with applicable regulations, you have the following rights:
- To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can require that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data, to the extent permitted by law.
- To restrict: you can request the restriction of the processing of your personal data.
- To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
If you wish to exercise the rights listed above, please send a letter to the following address Data Protection Officer BNP Paribas Asset Management, RISK Function, 14 rue Bergère 75009 PARIS, FRANCE or an email using email@example.com. To reach your usual counterparty in Luxembourg, you may also address your requests to AMLU.GDPR@bnpparibas.com. Please include a scan/copy of your identity card for identification purpose.
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.
HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?
In a world of constant technological changes, we may need to regularly update this Data Protection Notice.
We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.
HOW TO CONTACT US?
If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our data protection officer at Data Protection Officer BNP Paribas Asset Management, RISK Function, 14 rue Bergère 75009 PARIS, FRANCE or via email using firstname.lastname@example.org, who will investigate your query.
If you wish to learn more about cookies, please read our cookies policy.
APPENDIX: List of entities subject to this Data Protection Notice:
BNP PARIBAS ASSET MANAGEMENT Holding
Société anonyme (S.A.)
1 boulevard Haussmann 75009 Paris
BNP PARIBAS ASSET MANAGEMENT France
Société par actions simplifiée (SAS)
1 Boulevard Haussmann 75009 Paris – France
BNP PARIBAS ASSET MANAGEMENT Belgium S.A/N.V.
Société anonyme (S.A.) / Naamloze Vennootschap (N.V.)
55 Rue du Progrès / Vooruitgangstraat 1210 Brussels Belgique
BNP PARIBAS ASSET MANAGEMENT Luxembourg S.A.
Société anonyme (S.A.)
10, rue Edward Steichen L-2540 Luxembourg Luxembourg
BNP PARIBAS ASSET MANAGEMENT Nederland N.V.
Naamloze Vennootschap (N.V.)
Herengracht 595 Postbus 71770 1008 DG Amsterdam Netherlands
BNP PARIBAS ASSET MANAGEMENT UK Limited
5, Aldermanbury Square London EC2V 7BP United Kingdom
BNP PARIBAS Capital Partners
Société par actions simplifiée (SAS)
1 Boulevard Haussmann 75009 Paris – France