Protection of Personal Data

We take the protection of your personal data very seriously; to this end, the BNP Paribas Group has adopted sound principles in its Charter for the Protection of Personal Data, which can be found in https://group.bnpparibas/uploads/file/bnpparibas_personal_data_privacy_charter.pdf.

BNP Paribas Factor, as the controller, is responsible for the collection and processing of your personal data with respect to our activities.

Our activity is to help our clients – individuals, entrepreneurs, small and medium-sized companies, large companies and institutional investors – in their day-to-day banking activities and in the implementation of their projects, thanks to our financing, investment, savings and insurance solutions. As a member of an integrated banking and insurance group, in collaboration with the various entities of the Group, we offer our clients a full range of banking, insurance and leasing products and services (rental with purchase option, ALD).

This Privacy Policy is intended to explain how we treat your personal data and how you can control and manage it.

This Privacy Policy applies if you are:

• one of our customers or is in a contractual relationship with us (e.g. as guarantor);
• family member of a client of ours. Our customers may occasionally share information about their family with us when necessary to provide them with a product or provide a service or to get to know them better;
• a person interested in our products or services, who provides us with your personal data (in an agency, on our websites and applications, in events or sponsorship operations) so that we can contact you.
• Legal representatives (delegation of competences);
• Payers or beneficiaries of payment transactions;
• Beneficiaries of an insurance, policy or trust contract;
• Owners;
• Beneficiary owners;
• Creditors (e.g. in the event of bankruptcy);
• Shareholders of companies.

When you provide us with personal data relating to others, please make sure that you inform them of the disclosure of your personal data and invite them to read this Privacy Policy. We guarantee that we will do the same whenever possible (e.g. when we have the person's contact information).

You have rights that allow you to exercise real control over your personal data and how we treat it.

If you wish to exercise the rights listed below, you can submit an application by sending a letter to the following address:

Or by email: bnpfactor.pt@bnpparibas.com with the subject: “Personal Data Protection”.

or on our websites⁽¹⁾ with a scan/copy of your ID card, if requested.

If you have any questions regarding the use of your personal data under this Privacy Policy, you can contact our Data Protection Officer at the following address: ricardo.torrespacheco@bnpparibas.com.

2.1. You can request access to your personal data

If you wish to have access to your personal data, we may provide you with a copy of the personal data you have requested, as well as the information relating to its processing.

Your right of access may be limited in cases provided for by laws and regulations, such as the Anti-Money Laundering and Terrorist Financing Regulation, which prohibits us from providing you with direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with the CNPD (National Data Protection Commission), which will ask us for the personal data in question.

2.2. You can request the rectification of your personal data

Where you believe that your personal data is inaccurate or incomplete, you may request that such personal data be changed or supplemented accordingly. In some cases, additional documentation may be required.

2.3. You can request the deletion of your personal data

If desired, you can request the deletion of your personal data to the extent permitted by law.

2.4. You may owe the processing of your personal data that is processed on the basis of our legitimate interests

If you do not agree to a treatment activity that is carried out on the basis of our legitimate interest, you may opposed it for reasons relating to your particular situation, specifically by indicating to us the processing activity in question and informing us of the reasons for the opposition. We will no longer process your personal data for this purpose unless there are compelling and legitimate reasons to do so or that is necessary for the filing, exercise or defense of a legal action.

2.5. You may owe the processing of your personal data for commercial prospection purposes

You have the right to objects at any time to the processing of your personal data for commercial prospecting purposes, including profiling, provided that they are related to such prospectus.

2.6. You may limit the use of your personal data

If you question the accuracy of the personal data we use, or object to the processing of your personal data, we will verify or review your request. You may request to limit the processing of your personal data while we review your request.

2.7. You have the right to owe an automated decision

As a matter of principle, you have the right not to be subject to a decision taken so only on the basis of automated processing, profiling or otherwise, which has an effect on its legal sphere or affects it significantly. However, we may automate this decision if it is necessary for the conclusion or performance of a contract authorized by law or if you have given us consent.

In any event, you have the right to challenge the decision, express your point of view and request the intervention of a person competent to examine the decision.

2.8. You can withdraw your consente

If you have consented to the processing of your personal data, you can withdraw that consent at any time.

2.9. You may request the portability of part of your personal data

You can request a copy of the personal data that you have provided to us, in a structured format, of current use and automatic reading. Where technically feasible, you can request us to transmit that copy to a third party.

2.10. How to lodge a complaint with the CNPD (National Data Protection Commission) in Portugal

In addition to the above rights, you can lodge a complaint with the competent supervisory authority, which is generally that of your place of residence, CNPD (National Data Protection Commission) in Portugal.

In this section, we explain why we process your personal data and the legal basis for doing so.

3.1. Your personal data is processed to comply with our various regulatory obligations

Your personal data is processed where necessary to enable us to comply with the legal and regulatory requirements to which we are subject, including banking and financial regulations.

3.1.1. We use your personal data to:

• monitor transactions and transactions in order to identify those that stray from the normal routine/standard (e.g. when raising a large amount of money in a country other than your place of residence);
• monitor transactions in order to manage, prevent and detect fraud;
• manage and report risks (financial, credit, legal, reputational, compliance with applicable rules or regulations, etc.) in which the BNP Paribas Group may incur in the course of its activities;
• assist in the fight against tax fraud and comply with tax control and notification obligations;
• record transactions for accounting purposes;
• prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
• detect and prevent bribes;
• comply with the provisions applicable to trust service providers issuing electronic signature certificates;
• exchange and communicate different transactions, transactions or orders or respond to an official request from a financial, tax, administrative, criminal or judicial authority, arbitrators or mediators, other law enforcement entities, state agencies or public bodies, local or foreign, duly authorized.

3.1.2. We also process your personal data for the purpose of combating money laundering and terrorist financing

As part of a banking group, we should have a robust anti-money laundering and terrorist financing (AML/TF) system in each of our centrally managed entities, as well as a system for implementing local, European and international sanctions.

In this context, we are responsible for the treatment together with BNP Paribas SA, the parent company of the BNP Paribas Group.

The processing activities carried out to comply with these legal obligations are detailed in Annex 1.

3.2. Your personal data is processed to perform a contract of which you are a party or pre-contractual measures at your request

Your personal data is processed when it is necessary to enter into or execute a contract in order to:

• define your credit risk level and repayment capacity;
• assess (e.g. based on your credit risk level) whether we can offer you a product or service and under what conditions (e.g. price);
• provide you with the products and services subscribed to under the applicable contract;
• manage existing debts (identification of customers with unpaid debts);
• respond to your requests and assist you;
• assist in budget management by automatically categorizing transaction data;
• ensure the liquidation of your succession.

3.3. Your personal data is processed on the basis of our legitimate interest or that of third parties

Where a treatment activity is based on a legitimate interest of third party, or ours we consider that interest in the face of their fundamental interests or rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued in the context of a particular processing activity, please contact us at the following address:

Or by email: bnpfactor.pt@bnpparibas.com with the subject: “Personal Data Protection”.

In the course of our activity as a Factor, we use your personal data to:

• manage the risks to which we are exposed:
  • we keep evidence of transactions or transactions, including electronic evidence;
  • monitor transactions to manage, prevent and detect fraud;
  • we collect debts;
  • we deal with lawsuits and defense in case of legal disputes;
  • we develop individual statistical models to help define your credit worthiness.
• increase cybersecurity, manage our platforms and websites, and ensure continuity of activity.
• use video surveillance to prevent personal injury and damage to people and property.
• increase the automation and efficiency of our operational processes and customer services (e.g., automatic complaint completion, tracking your requests and improving your satisfaction based on personal data collected during our interactions with you, such as phone call recordings, emails or chats).
• help manage budgets by automatically categorizing transaction data;
• carry out financial operations, such as debt portfolio sales, securitisations, financing or refinancing of the BNP Paribas Group.
• conduct statistical studies and develop predictive and descriptive models for:
  • commercial purposes: identify the products and services that best meet your needs, create new offers or identify new trends among our customers, develop our commercial policy taking into account the preferences of our customers;
  • security purposes: to prevent potential incidents and improve safety management;
  • appropriateness with applicable rules or regulations (e.g. combating money laundering and terrorist financing) and risk management;
  • anti-fraud purposes;
• organize contests, sweepstakes, promotional operations, conduct opinion and customer satisfaction studies.

3.3.1. We use your personal data to send you business proposals by email, paper mail and telephone

As part of the BNP Paribas Group, we want to be able to provide you with access to the full range of products and services that best suit your needs.

When you become a customer, and unless you object, we may send you these proposals for our products and services and those of the Group electronically if they are similar to those you have already subscribed to.
We will ensure that these commercial proposals relate to products or services that are relevant to your needs and complementary to those you already have, in order to ensure that our respective interests are balanced.

We may also send you, by telephone and mail, unless you object, proposals regarding our products and services, as well as those of the Group and our trusted partners.

3.3.2. We analyze your personal data to create standard profiles that personalize our products and proposals

In order to improve your experience and satisfaction, we need to determine which group of customers you belong to. For this purpose, we have created a standard profile that results from the relevant data we select from the following information:

• data you communicated to us directly in our interactions with you or when you subscribe to a product or service;
• data resulting from the use of our products or services, such as those relating to your accounts, including account balance, regular or atypical movements, the use of your card abroad, as well as the automatic categorization of your transaction data (e.g. the distribution of your expenses and receipts by category, as you can see in your customer area);
• data collected from the use of our various channels: websites and applications (e.g., if you are familiar with digital technologies, if you prefer a customer journey to subscribe to a product or service with more autonomy (self-service);

Unless you object, we will perform this customization based on the creation of standard profiles. To better meet your needs we can go further, consent, performing a customization, as described below.

3.4. Your personal data are processed if you have given your consent to

In relation to some personal data processing activities, we will provide specific information and ask for your consent. Of course you can withdraw your consent at any time.

In particular, we ask your consent to:

• customization of our proposals and products or services, based on more sophisticated profiles to anticipate your needs and behaviors;
• any electronic proposal for products and services that is not similar to those you have subscribed to or products and services from our trusted partners;
• customization of our proposals, products and services based on your account data at other banks;
• use of your browsing data (cookies) for commercial purposes or to improve the knowledge of your profile.

You may be asked for consent to process your personal data when necessary.

We collect and use your personal data, i.e. any information that identifies you or allows someone to identify you.

Depending in particular on the type of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

• Identification details: e.g. full name, gender, place and date of birth, nationality, citizen card number, passport number, driver's license number, vehicle registration, photograph, signature;
• Contact details: postal address, email address, telephone number (private or professional);
• Information relating to your financial and family situation: e.g. marital status, property regime, number of children and age, study or employment of children, composition of the household, date of death of children, parents or spouse, property you own: apartment or house;
• Milestones of his life: for example, if he married, divorced, joined or had children recently;
• Lifestyle: hobbies and interests, travel, your environment (nomadic, sedentary);
• Economic, financial and tax information: e.g. taxpayer number, tax status, country of residence, salary and other income, value of your assets;
• Information on education and employment: e.g. level of education, employment, employer's name and remuneration;
• Banking and financial information relating to the products and services you own: e.g. bank account details, products and services held and used (credit, insurance, savings and investments, leasing, home protection), credit card number, money transfers, assets, declared investor profile, credit history, payment incidents;
• Transaction data: account movements and balances, transactions including beneficiary data such as full names, addresses and contact details, as well as bank transaction data, amount, date, time and type of transaction (credit card, transfer, cheque, direct debit);
• Data regarding your habits and preferences related to the use of our products and services;
• Data collected in our interactions with you: e.g. your comments, suggestions, needs collected during our interactions with you personally in our Agencies (reports) and online, in telephone communications (conversations), by email, chat, chatbot, exchanges on our social media pages and your most recent complaints. Your link and tracking data, such as cookies and trackers for non-advertising or analytical purposes on our websites, online services, applications, social networking pages;
• Data collected in the video protection system (including CCTV) and geolocation: e.g. show locations of withdrawals or payments for security reasons, or to identify the location of the agency or service provider closest to it;
• Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and unique identification data;
• Personalized login credentials or security badges used to link you to the BNP Paribas website and applications.

We may collect sensitive data, such as health data, biometric data subject to compliance with the strict conditions set forth in data protection regulations.

We collect personal data directly from you as our Customer; however, we may also collect personal data from other sources.

Sometimes we collect data from public sources:

• publications/databases made available by official authorities or third parties (e.g. Diário da República, Commercial Register, databases managed by financial sector supervisory authorities);
• websites/social media pages of legal persons or commercial customers that contain the information about you that you have disclosed (e.g. your own website or social networking page);
• public information, such as those published in the media.

We also collect personal data from third parties:

• other entities of the BNP Paribas Group;
• of our customers (legal or private persons);
• our trading partners;
• payment initiation service providers and account aggregators (account information service providers);
• third parties, such as credit reference agencies and fraud prevention agencies;
• data brokers who are responsible for ensuring the legitimate collection of relevant information.

a. With entities of the BNP Paribas Group

As a member of the BNP Paribas Group, we work closely with other Group companies around the world. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:

• comply with our various legal and regulatory obligations described above;
• our legitimate interests, which are:
  • to manage, prevent and detect fraud;
  • conduct statistical studies and develop predictive and descriptive models for commercial, safety, compliance with applicable standards or regulations, risk management and anti-fraud;
  • improve the reliability of certain customer data held by other group companies;
  • provide you with access to all factoring products and services that best meet your needs and desires;
  • customize the content and prices of products and services;

b. With recipients outside the BNP Paribas Group and subcontractors

In order to fulfill some of the purposes described in this Privacy Policy, we may, where necessary, share your personal data with:

• subcontractors who provide services on our behalf (e.g. it services, logistics, printing services, telecommunications, debt collection, consulting, distribution and marketing).
• banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, repositories of transactions with which we are related, if such transmission is necessary to enable us to provide you with the services and products or to perform our contractual obligations or transactions (e.g. banks, correspondent banks, depositors, securities issuers, payment agents, exchange platforms, insurance companies, payment system operators, issuers or intermediaries of payment cards, mutual guarantee companies or financial guarantee institutions);
• financial, tax, administrative, criminal or judicial local or foreign authorities, arbitrators or mediators, public authorities or institutions (e.g. Banco de Portugal, Banque de France, Caisse des dépôts et des Consignations), to which we, or any member of the BNP Paribas Group, are obliged to disclose to:
  • fulfill your request;
  • exercise our defense, action or process;
  • comply with a regulation or recommendation issued by a competent authority that applies to us or any member of the BNP Paribas Group;
• third-party payment service providers (information on your bank accounts) for the purpose of providing a payment initiation or account information service if you have consented to the transfer of your personal data to that third party;
• professionals of certain regulated professions, such as lawyers, notaries or auditors, when necessary in specific circumstances (litigation, audit, etc.), as well as for our insurers or for a buyer, real or potential, of the companies or businesses of the BNP Paribas Group.

Your personal data may also be covered by international transfers from the European Economic Area (EEA) to a non-EEA country. In situations where the European Commission recognises that a non-EEA country provides an adequate level of protection of personal data, your personal data may be transferred on that basis.

For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the European Commission, we will use a derogation applicable to the specific situation (e.g. if the transfer is necessary to fulfill the contract we have with you, such as when making an international payment) or implement one of the following appropriate safeguards to ensure the protection of your personal data:

• Standard data protection clauses approved by the European Commission;
• Binding rules for companies.

To obtain a copy of the appropriate safeguards adopted, or information on where they are available, you can send us a written request as set out in point 2.

For more information on conservation deadlines, 'DPN annex retention - V20210920 - EN'.

In a world where technologies are constantly evolving, we will regularly review this Privacy Policy and update it whenever necessary.

We invite you to review the latest version of this document online, and we will inform you of any relevant changes through our website or our usual communication channels.

We are part of a Banking Group that must adopt and maintain a robust anti-money laundering and terrorist financing (CBC/FT) programme for all core-managed companies, a counter-corruption programme, as well as a mechanism to ensure compliance with international sanctions (i.e., economic or trade sanctions, including laws, regulations, restrictive measures and associated embargoes, and asset freezing measures that are approved, administered, imposed or enforced by the French Republic, the European Union, the Foreign Assets Control Office of the U.S. Treasury Department, and any competent authority in the territories where the BNP Paribas Group operates).

In this context, we act as data controller solely with BNP Paribas SA, the parent company of the BNP Paribas Group (therefore, the term "we" used in this annex also covers BNP Paribas SA).

In order to comply with CBC/FT's obligations and international sanctions, we carry out the following data processing operations in order to comply with our legal obligations:

• A Know Your Customer (KYC) program designed reasonably to identify, verify and update the identity of our customers, including, where appropriate, their respective beneficial owners and attorneys;
• Enhanced due diligence for high-risk clients, Politically Exposed Persons or "PPE" (PPE are persons defined by regulations who, due to their functions or office (political, judicial or administrative), are more exposed to these risks), and to situations of increased risk;
• Policies, procedures and written controls, designed in a reasonable manner, to ensure that the Bank does not establish or maintain relationships with fictitious banks;
• A policy, based on the internal assessment of risks and the economic situation, of generally not dealing with or otherwise engaging, regardless of currency, in activities or business:
  • for, on behalf of, or for the benefit of, any natural person, legal or organization subject to sanctions by the French Republic, the European Union, the United States, the United Nations or, in certain cases, other local sanctions in territories where the Group operates;
  • involving, directly or indirectly, sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea or Syria;
  • involving financial institutions or territories that may be related to, or controlled by terrorist organisations, recognized as such by the competent authorities of France, the European Union, the United States and the United Nations.
• Customer database analysis and transaction filtering, reasonably designed to ensure compliance with applicable law;
• Systems and procedures designed to detect and report suspicious activity to the competent regulatory authorities;
• A compliance program designed to prevent and detect bribes, corruption and unlawful influence under the French "Sapin II" Act, the U.S. FCPA, and the Uk Bribery Act.

In this context, we have to resort to:

• the services of external providers that keep updated lists of PEPs, such as DJAAMS and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges);
• (a) public information available in the press on facts relating to money laundering, terrorist financing or corruption;
• the identification of behaviour or risk situations (existence of a suspicious or equivalent transaction complaint) that may occur at the level of the BNP Paribas Group.

We carry out these checks, both on the Client himself and on the transactions he/she carries out, when the Client initiates a relationship with us, but also throughout our relationship with the Client. At the end of the relationship, and if the Client has been alerted, this information will be stored to identify and adapt our controls if the Client enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which he is a party.

To comply with our legal obligations, we exchange information collected for CBC/FT, anti-corruption or international sanctions purposes between BNP Paribas Group entities. Where customer data is shared with countries outside the European Economic Area that do not provide an adequate level of protection, transfers are governed by the European Commission's standard building clauses. When additional data are collected and shared to comply with the laws of countries outside the EU, this processing is necessary for our legitimate interest, which is to allow the BNP Paribas Group and its companies to comply with their legal obligations and avoid local sanctions.