Protection of Personal Data

We use and collect your personal data, namely any information that identifies you or allows you to be identified, necessary in the context of our activities, and to offer you personalized and quality products and services.

Depending on the type of product or service we provide to you, we may collect different types of personal data about you, including:

• Identifying information (e.g. full name, identity card, passport number, nationality, place and date of birth, gender, photo);
• Private or professional contact information (e.g. postal address, e-mail address, telephone number);
• Information regarding your family situation (e.g. marital status, number of children);
• Economic and tax information (e.g. tax identifier, tax status, salary and other income, amount of assets);
• Information relating to employment (e.g. professional situation, position held within the company);
• Financial information (e.g. factoring products and services owned and used, assets, capital holdings in other legal entities);
• Transactional data (e.g. transfer data, data relating to beneficiaries such as their full name, address and contact details);
• Data relating to your habits and preferences (e.g. factoring products and services that you have subscribed with us);
• Information about your computer (e.g. IP address, technical characteristics, unique identification data);
• Connection identifiers or personalized security devices used to connect to the BNP Paribas Factor website and applications.

We will never ask you to provide us with sensitive data such as: health data, data relating to your racial or ethnic origin, your political opinions, your religious or philosophical beliefs or relating to your trade union membership, genetic data, sexual orientation, unless a legal obligation requires us to do so.

We collect data directly from you whether you are a client or a prospect (i.e. when you contact us, visit one of our branches, visit our website or one of our applications, use our products and services of factoring, participate in a survey or an event that we organize), but also data concerning other people in an indirect way. We collect data from people even if they do not have a direct link to us because they have a link to you, whether you are a customer or a prospect, a few examples are:

• Members of your family;
• Heirs and beneficiaries;
• Co-borrowers/Guarantors;
• Legal representatives (delegation of powers);
• Originators or beneficiaries of payment transactions;
• Beneficiaries of an insurance contract, policy or trust;
• Owners;
• Beneficial owners;
• Creditors (e.g. in the event of bankruptcy);
• Shareholders of companies.

When you send us the personal data of third parties such as the ones mentioned above, remember to inform the person to whom these data belong to that we are processing their personal data and and refer them to this Notice. When possible, we will provide this information directly to them (e.g. in the cases where we have their contact information).

In order to verify and enrich our databases, we may also collect personal data from:

• Other BNP Paribas entities;
• Our customers (companies and individuals);
• Our business partners;
• Payment initiation service providers and accounts aggregators;
• Third parties such as credit bureaus, anti-fraud agencies, and data brokers, who must ensure that they collect the relevant information in a legal manner;
• Publications/databases made available by authorities or official third parties;
• Websites/social media platforms of legal entities or corporate clients containing information that you have made public (e.g. your own website or social media profile);
• Public information published by the press.

In this section, we explain how and for what purposes we use your personal data. We also draw your attention to certain processing activities that we consider likely to have more significant consequences for you and, in some cases, require your consent.

a. To comply with our legal and regulatory obligations

We use your personal data to comply with applicable regulations, including banking and financial regulations, in order to:

• Monitor transactions and identify those that are abnormal/unusual (e.g. when you withdraw a large amount of money in a country where you do not live);
• Manage, prevent and detect fraud;
• Monitor and report risks (financial, credit, legal, compliance or reputational, default, etc.) to which the BNP Paribas Group is likely to be confronted about;
• Record, if necessary, telephone conversations, instant messaging chats, e-mails, etc. notwithstanding any other use described below;
• Prevent and detect money laundering and terrorism financing, and comply with any regulations on international sanctions and embargoes as part of our Know Your Customer (KYC) procedure, in order to identify you, verify your identity, check your information against the sanctions lists and determine your profile;
• Detect and manage suspicious requests and transactions;
• Carry out an assessment of the suitability of each client and the appropriateness of the provision of investment services in accordance with the market regulations on financial instruments;
• Contribute to the fight against tax fraud and meet our notification and tax audit obligations;
• Record transactions for accounting purposes;
• Prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
• Detect and prevent corruption;
• Exchange and report various operations, transactions or requests from a duly authorized local or foreign judicial, criminal, administrative, fiscal or financial authority, an arbitrator or mediator, the authorities responsible for the application of law, government bodies or public bodies.

b. To perform any contract to which you are a party of or to perform pre-contractual measures taken at your request

We use your personal data to enter into and perform our contracts as well as to manage our relationship with you, in particular in order to:

• Define your credit risk score and your borrowing capacity;
• Assess (e.g. based on your credit score) whether we can offer you a product or service and on what terms (including price);
• Assist you, in particular by responding to your requests;
• Provide you with information about our products and services;
• Manage and process payment incidents and unpaid debts (identification of unpaid customers and, if applicable, excluding them from benefiting from new products and services;
• Allow the subscription of BNP Paribas Factor’s products and services.

c. To serve our legitimate interests

We use your personal data to set up and develop our factoring products and services, to optimize our risk management and to defend our interests in court, for the purposes of:

• Risk Management
  • Keep proof of operations or transactions, including in electronic format;
  • Manage, prevent and detect fraud;
  • Carry out debt collection;
  • Assert legal rights and defend ourselves in litigation.
• Establish anonymized statistical models, tests, for research and development, with the aim of optimizing BNP Paribas Factor’s risk management or improving our offer
• Customization of BNP Paribas Factor’s commercial offers:
  • Improve the quality of our factoring products and services;
  • Promote factoring products or services corresponding to your situation and profile;
  • Deduce your preferences and needs in order to present you with a personalized commercial offer.
  
  This customization can be achieved through:
  • The segmentation of our prospects and customers;
  • Analysis of your habits and preferences through our communication channels (e.g. e-mails, messages, visits to our website, etc.);
  • Sharing your data with another BNP Paribas entity, particularly if you are a client of this entity or are likely to become one, in order to speed up the onboarding process;
  • Analyzing character traits or behaviors of current customers and finding people who share the same characteristics for prospecting purposes;
  • Adapting the offer of factoring products and services taking into account the products or services that you already own or use.
   
• Research and Development (R&D) activities consisting in developing statistics and models to:
  • Optimize and automate our operational processes (e.g. the creation of a chatbot for FAQs);
  • Offer factoring products and services that allow us to best meet your needs;
  • Adapt the distribution, content, and prices of our factoring products and services based on your profile;
  • Create new offers;
  • Prevent potential security incidents, improve customer authentication and manage access;
  • Improve safety management;
  • Improve risk and compliance management;
  • Improve the management, prevention, and detection of fraud;
  • Improve the fight against money laundering and terrorism financing.
• IT systems security and performance management objectives, which include:
  • Managing information technology, including infrastructure (e.g. shared platforms), business continuity, and security (e.g. user authentication);
• In a more general manner:
  • Inform you about our products and services;
  • Organiza contests, lotteries, and other promotional events;
  • Carry out customer opinion and satisfaction surveys;
  • Improve process efficiency (e.g. train our staff by recording phone conversations in our call centers);
  • Improve the automation of our processes, in particular by testing our applications, processing complaints automatically, etc.

In any case, our legitimate interest remains proportionate and we ensure, through a balancing test, that your interests and fundamental rights are preserved. If you would like more information about the balancing test, please contact our services using the contact information given in section 9 “How to contact us” below.

d. To respect your choice when we ask for your consent to a specific processing activity

In the context of certain personal data processing activities, we will send you specific information and invite you to consent to this process. Note that you can withdraw your consent at any time (see section 7 below to find out how to exercise your rights).

a. Sharing data within the BNP Paribas Group

As a subsidiary of the BNP Paribas Group in the field of banking and insurance, we work closely with companies all over the world to offer financial, banking, and insurance products and services.

We share personal data within the BNP Paribas Group to improve our efficiency and for commercial purposes, particularly on the basis of:

• Compliance with our legal and regulatory obligations:
  • Sharing data collected for the fight against money laundering and terrorism financing, for compliance and international sanctions, embargoes and Know Your Customer (KYC) procedures;
  • Manage risks, including credit risk and operational risk (e.g. risk category, risk score, etc.).
• Our legitimate interests:
  • Prevent, detect and fight against fraud;
  • R&D activities, in particular for compliance, risk management, communication and marketing purposes;
  • Obtain a global and coherent vision of our customers;
  • Offer a full range of factoring products and services for the client’s benefit;
  • Customize the content and prices of our products and services.

b. Sharing data outside the BNP Paribas Group

In order to achieve some of the purposes mentioned in this Notice, we may, from time to time, share your personal data with:

• Service providers working on our behalf (e.g. I.T., printing, etc.);
• Banking and business partners, independent agents, intermediaries, financial institutions, counterparties trade repositories with whom we have links if such a transfer is necessary to provide you with services or products, to meet our contractual obligations, or to carry out transactions (e.g. banks, correspondent banks, depositories, securities issuers, paying agents, exchange platforms, insurance companies, payment system operators, issuers of intermediaries of payment cards);
• Business intelligence agencies;
• Local or foreign financial, fiscal, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement authorities, government agencies or public bodies, to whom we or any member of the BNP Paribas Group are required to disclose data:
  • At their request;
  • As part of the defense or response to a question, action or proceeding;
  • In order to comply with any regulations or recommendations issued by a competent authority with regards to us or any member of the BNP Paribas Group;
• Third-party payment service providers (information about bank accounts), for the purposes of providing a payment initiation or account information service if you have consented to the transfer of your data to this third-party part;
• Certain regulated professionals such as lawyers, notaries, rating agencies or auditors when specific circumstances require it (litigation, audit, etc.), as well as any current or potential buyer of companies or activities of the BNP Paribas Group or our insurers.

c. Sharing of anonymized or aggregated data

We share aggregated or anonymized data within the BNP Paribas Group and outside the Group with partners such as research groups, Universities, or advertisers. However, it is not possible to identify you from that data.

Your personal data may be aggregated in the form of anonymized statistics to be offered to corporate clients in order to help them develop their activities. In this case, our corporate clients will not be able to identify you and your personal data will never be disclosed to them.

a. Transfers outside the EU/EEA

In the event of international transfers from the European Economic Area (EEA) or the European Union (EU) to a country outside the EU/EEA, the transfer of your personal data may take place on the basis of a decision made by the European Commission, when it has recognized that the country to which your data will be transferred provides an adequate level of protection.

If, however, your personal data is transferred to a country whose level of protection of your data has not been recognized to be adequate by the European Commission, either we will rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform a contract struck with you, such as when executing an international payment), or we will take one of the following measures to ensure the protection of your personal data:

• Standard contractual clauses approved by the European Commission;
• Binding corporate rules.

To obtain a copy of these measures or to receive details of where they are accessible, you can send us a written request as indicated in section 9 below.

We keep your personal data for the time necessary to comply with applicable laws and regulations, or for a period of time defined with regard to our operational constraints, such as keeping our accounts, efficient management of the customer relationship, as well as to assert legal claims or respond to requests from regulatory bodies. For example, most customer data is kept for the duration of the contractual relationship and for 10 years after it ends. When it comes to prospects, the data is kept for 3 years.

According to the legislation applicable to your situation, you can exercise the following rights, if applicable:

• Right of access: you can obtain information regarding the processing of your personal data as well as a copy of it;
• Right to rectification: if you believe that your personal data is inaccurate or incomplete, you can request that it be amended accordingly;
• Right to erasure: you can request the deletion of your personal data, to the extent permitted by law;
• Right to restriction of processing: you can request restriction of processing of your personal data;
• Right to object: you can object to the processing of your personal data for reasons relating to your particular situation. You have the absolute right to object at any time to your data being used for commercial prospecting purposes, or for profiling purposes if this profiling is linked to commercial prospecting;
• Right to withdraw your consent: if you have given consent to the processing of your personal data, you can withdraw it at any time;
• Right to portability of your data: when authorized by law, you can request the return of personal data you have provided to us, or, when technically possible, the transfer of these to a third party.

If you wish to exercise the rights mentioned above, please send us a non-electronically written request to the following address:

Please include a scan/copy of your identity document, where necessary, so that we can identify you.

In accordance with the applicable law, in addition to the rights mentioned above, you can lodge a complaint with a competent supervisory authority.

In a world where technologies are constantly evolving, we may need to regularly update this Notice.

We invite you to read the latest version of this document online, and we will inform you of any significant changes through our website or through our usual communication channels.

If you have any questions regarding our use of your personal data under this Privacy Notice, you can contact our Data Protection Officer, who will process your request, at the following address:

Information regarding our cookie policy and I.T. security is available on our websites.