The protection of your personal data is important to the BNP Paribas Group.
This Privacy Notice provides you with detailed information relating to the protection of your personal data by BNP Paribas Fortis SA/NV, with its head office at Montagne du Parc/Warandeberg 3, 1000 Brussels ("we").
We are responsible, as a controller, through our various brands (BNP Paribas Fortis, Hello bank! and Fintro), for the processing of your personal data in relation to our activities. The purpose of this Privacy Notice is to inform you which of your personal data we use, the reasons why we use and share such data, how long we keep it and how you can exercise your rights.
Further information may be provided where necessary when you apply for a specific product or service.
1. Which personal data do we use about you?
We collect and use your personal data to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services.
We collect various types of personal data about you, including:
- identification information (e.g. name, ID card and passport numbers, nationality, place and date of birth, gender, picture, IP address);
- contact information (e.g. postal address and e-mail address, phone number);
- family situation (e.g. marital status, number of children);
- tax status (e.g. tax ID, tax residence);
- education and employment information (e.g. level of education, employment, employer's name, remuneration);
- banking, financial and transactional data (e.g. bank account details, credit card number, money transfers including communications on bank transfers, assets, declared investor profile, credit history, debts and expenses);
- data relating to your habits and preferences:
  - data which relate to your use of our products and services;
  - data from your interactions with us: through our branches (contact reports), our internet websites, our apps, our social media pages, meetings, calls, chats, emails, interviews;
- video surveillance (including CCTV) and geolocation data (e.g. showing locations of withdrawals and payments, for security reasons, or to identify the location of the nearest branch or service suppliers for you);
- data that are provided by official authorities (i.e. to fight against over-indebtedness, we may also access public or semi-public data about your global level of debt).
We collect the following sensitive data only on a need-to-know basis and upon obtaining your explicit prior consent:
- biometric data: e.g. fingerprint, voice pattern or face pattern which can for instance be used for identification and security purposes;
- health data: for instance for the drawing up of some insurance contracts.
Unless it is a legal obligation or it results from products and services we provide (e.g. if you have put this information in a payment instruction), we never process personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your sex life or orientation.
The data we use about you may either be directly provided by you or be obtained from the following sources in order to verify or enrich our databases:
- publications/databases made available by official authorities (e.g. the official journal);
- our corporate clients or service providers;
- third parties such as credit reference agencies and fraud prevention agencies or data brokers;
- websites/social media pages containing information made public by you (e.g. your own website or social media); and
- databases made publicly available by third parties.
2. Specific cases of personal data collection
In certain circumstances, we may collect and use personal data of individuals with whom we could have (such as prospects) or used to have a direct relationship.
We may also collect information about you even though you do not have a direct relationship with us, for instance when a client (e.g. your employer), a service provider or a commercial partner provides us with information about you. This may happen if you are for example:
- a family member;
- a co-borrower / guarantor;
- a (legal) representative;
- a beneficiary of payment transactions made by our clients;
- a beneficiary of an insurance policy;
- an ultimate beneficial owner;
- a debtor (e.g. in case of bankruptcy);
- a shareholder;
- a staff member.
3. Why and on which basis do we use your personal data?
a. To comply with our legal and regulatory obligations
We use your personal data to comply with various legal and regulatory obligations, including:
- prevention of money-laundering and the financing of terrorism;
- compliance with legislation relating to sanctions and embargoes;
- fight against tax fraud and fulfilment of tax control and notification obligations;
- replying to an official request from a duly authorised public or judicial authority;
- banking and financial regulations under which we notably:
  - establish security measures in order to prevent abuse and fraud;
  - detect transactions which deviate from the normal patterns;
  - define your credit risk score and your reimbursement capacity; and
  - monitor and report risks that we could incur.
b. To perform a contract with you or to take steps at your request before entering into a contract
We use your personal data to enter into and perform our contracts, including to:
- provide you with information regarding our products and services;
- assist you and answer your requests;
- evaluate if we can offer you a product or service and under which conditions; and
- provide products or services to our corporate clients of whom you are an employee.
c. To fulfil our legitimate interest
We use your personal data in order to deploy and develop our products or services, to improve our risk management and to defend our legal rights, including:
- proof of transactions;
- fraud prevention;
- IT management, including infrastructure management (e.g. shared platforms), business continuity and IT security;
- establishing statistical models, based on the analysis of transactions, for instance in order to help define your credit risk score; we also carefully aggregate your personal data to the stage where they can no longer be linked to you, in order to create insights (e.g. aggregated spending habits) which we may offer in the market;
- establishing aggregated statistics, tests and models, for research and development;
- training of our personnel for instance by recording phone calls to our call centres;
- personalising our offering, and that of other BNP Paribas entities, to you, through:
  - improving the quality of our banking, financial or insurance products or services;
  - advertising products or services that match your situation and profile.
This can be achieved by:
- segmenting our prospects and clients;
- analysing your habits and preferences (in your use of our products and services or in your interaction with us through the various channels (visits to our branches, emails or messages, visits to our website, etc.));
- sharing your data with another BNP Paribas entity, notably if you are - or are to become - a client of that other entity;
- matching the products or services that you already hold or use with other data we hold about you (e.g. we may offer family protection insurance for families with children who do not have an insurance yet); and
- monitoring transactions to identify those which deviate from the normal routine (e.g. when you receive a large amount deposited into your bank account).
d. To respect your choice if we requested your consent for a specific processing
In some cases, we must require your consent to process your data, for example:
- where an abovementioned processing leads to automated individual decision-making, which produces legal effects or which significantly affects you. At that moment, we will inform you about the logic involved, as well as the significance and the envisaged consequences of such processing;
- if we carry out further processing for purposes other than those above in this Section 3, we will inform you and obtain your consent where necessary.
e. To process data from electronic communications
In addition to any recording of electronic communications that is either legally authorised or imposed or to which you have consented, we may record electronic communications with you, including the related traffic data, if we do so in the course of lawful business practice for the purpose of:
- ensuring the training and supervision of employees and improving the quality of the service; and/or
- providing evidence of commercial transactions, or communications that took place through these electronic communications including the content of these communications (including any advice being given by us).
We may retain such records as long as legally required or permitted including for the period of time during which a dispute may arise further to the electronic communication recorded between you and us.
The above applies to phone conversations as well as all other electronic communications (such as e-mails, SMS, instant messaging services or other equivalent technologies) with our call centre, (independent) branches, private banking and business centres, dealing rooms and other representatives of the Bank.
4. Who do we share your personal data with?
In order to fulfill the aforementioned purposes, we only disclose your personal data to:
- BNP Paribas Group entities (e.g. you can benefit from our full range of group products and services);
- Service providers which perform services on our behalf;
- Independent agents, intermediaries or brokers;
- Banking, insurance and other commercial partners (e.g. AG Insurance, Swift, Visa, Master Card);
- Financial or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;
- Certain regulated professionals such as lawyers, notaries or auditors.
5. Transfers of personal data outside the European Economic Area ("EEA")
In case of international transfers originating from the EEA to a non-EEA country which the European Commission has recognised as providing an adequate level of data protection, your personal data will be transferred on this basis.
For transfers to non-EEA countries whose level of protection has not been recognised by the European Commission as adequate, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:
- Standard contractual clauses approved by the European Commission;
- Binding Corporate Rules.
To obtain a copy of these safeguards or details on where they are available, you can send us a written request as set out in Section 9.
6. How long do we keep your personal data for?
We will retain your personal data for the longer of the period required in order to comply with applicable laws and regulations or another period with regard to our operational requirements, such as account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. For instance, most client information is kept for the duration of the contractual relationship and 10 years after the end of the contractual relationship. For prospects, information is kept for a maximum of 1 year.
7. What are your rights and how can you exercise them?
In accordance with applicable regulations, you have the following rights:
- To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can require that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data.
- To restrict: you can request the restriction of the processing of your personal data.
- To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
You can exercise the rights listed above:
- via our electronic form (you are required to provide your identity card details);
- by logging into Hello bank! web or the Hello bank! app (for the rights to access, to rectify, to withdraw your consent and to data portability);
- by calling the Hello team.
You can also submit your application by:
- letter to BNP Paribas Fortis SA – Data Protection and Privacy Office, 1MA4B, Montagne du Parc 3, 1000 Brussels;
- email to firstname.lastname@example.org.
Please also include a copy or a scan of your identity card.
In accordance with the applicable regulations, you are entitled to lodge a claim with the competent supervisory authority.
8. How can you keep up with changes to this privacy notice?
In a world of constant technological changes, we may need to regularly update this Privacy Notice.
We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.
9. How to contact us?
Should you have any questions relating to our use of your personal data or this Privacy Notice, please contact our data protection officer by email to email@example.com or by letter to BNP Paribas Fortis SA/NV Data Protection and Privacy Office - 1MA4B, Montagne du Parc/Warandeberg 3, 1000 Brussels, who will investigate your query.
Last update: 25 May 2018