Data Protection Notice
This Data Protection Notice provides you with detailed information relating to the protection of your personal data by BNP Paribas Factor – Sociedade Financeira de Crédito SA (“we”).
We are responsible, as a controller, BNP Paribas Factor, for the processing of your personal data in relation to our activities. The purpose of this Data Protection Notice is to let you know which personal data we use about you, the reasons why we use and share such data, how long we keep it and how you can exercise your rights.
Further information may be provided where necessary when you apply for a specific product or service.
We collect and use your personal data to the extent necessary in the framework of our activities and to achieve a high standard of personalized products and services.
We may collect various types of personal data about you, including:
- Identification information (name, surname, place and date of birth, photograph, ID card and passport numbers, gender and signature);
- Contact information (postal address, e-mail address and phone number);
- Family situation (marital status, matrimonial property scheme, number of children, children’s age);
- Banking, financial and transactional data (bank account details, assets);
- Identification and alert data, related to the online service (creation, computer tracking, security installations, IP address).
Unless it is a legal obligation we never process personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data or data concerning your sex life or orientation.
The data we use about you may either be directly provided by you or be obtained from the following sources in order to verify or enrich our databases:
- Publications / data bases made available by official authorities (e.g. the official journal) ;
- Our clients, prospects or service providers;
- Thirds parties such as credit reference agencies and fraud prevention agencies or data brokers in conformity with the data protection legislation;
- Websites / social media pages containing information made public by you (e.g. your own website or social media); and
- Databases made publicly available by third parties.
In certain circumstances, we may collect and use personal data of individuals with whom we have, could have, or used to have a direct relationship such as:
For some reasons, we may also collected information about you whereas you have not direct relationship with us.
This may happen for instance when your employer provide us with information about you or your contact details are provided by one of our client if you are for example:
- Guarantor / mandatary;
- Legal representatives (power of attorney);
- Beneficiaries of payment transactions made by our clients;
- Beneficiaries of insurance policies;
- Ultimate beneficial owners;
- Clients‘ debtors (e.g. in case of bankruptcy);
- Company shareholders;
- Representatives of a legal entity (which may be a client or a vendor);
- Staff of service provider and commercial partners.
a. To comply with our legal and regulatory obligations
We use your personal data to comply with various legal and regulatory obligations, including:
- Prevention of money-laundering and financing of terrorism;
- Compliance with legislation relating to international sanctions and embargoes;
- Fight against tax fraud and fulfilment of tax control and notification obligations;
- set up security measures in order to prevent abuse and fraud;
- detect transactions which deviate from the normal patterns;
- define your credit risk score and your reimbursement capacity; and
- monitor and report risks that institution could incur;
- Reply to an official request from a duly authorised public or judicial authority.
b. To perform a contract with you or to take steps at your request before entering into a contract
We use your personal data to enter into and perform our contracts, including to:
- Provide you with information regarding our products and services;
- Subscribe (including electronic signature) of factoring products and services provided by BNP Paribas Factor;
- Assist you and answer your requests; and
- Evaluate if we can offer you a product or service and under which conditions.
In the context of customer relationship management, including:
- Management and execution of factoring products and services;
- Assessment of your factoring needs and knowledge; and
- Security of the online services you use.
c. To fulfil our legitimate interest
We use your personal data in order to deploy and develop our products or services, to improve our risk management and to defend our legal rights, including:
- Proof of transactions;
- Fraud and abuse prevention (security measures, control of unusual transactions);
- IT management, including infrastructure management (e.g. : shared platforms) & business continuity and IT security;
- Establishing individual statistical models, based on the analysis of transactions, for instance in order to help define your credit risk score;
- Establishing anonymous aggregated statistics, tests and models, for research and development, in order to improve the risk management of our group of companies or in order to improve existing products and services or create new ones;
- Personalizing our offering to you through:
- Improving the quality of our products and services of factoring;
- Advertising products or services that match with your situation and profile which we achieve.
These commercial propositions can be carried out through the following measures:
- Segmenting our prospects and clients;
- Analysing your habits and preferences in the various channels (visits to our branches, emails or messages, visits to our website, etc.);
- Sharing your data with another BNP Paribas entity, notably if you are – or are to become – a client of that other entity;
- Matching the products or services that you already hold or use with other data we hold about you.
d. To respect your choice if we requested your consent for a specific processing
In some cases, we must require your consent to process your data, for example:
- Where the above purposes lead to automated decision-making, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the logic involved, as well as the significance and the envisaged consequences of such processing;
- If we need to carry out further processing for purposes other than those above in section
In order to fulfill the aforementioned purposes, and only if necessary, we disclose your personal data to:
- BNP Paribas group entities (e.g. so that you may benefit from the group full range of products and services);
- If you are a client of Corporate & Institutional Banking business, this would include, for example, personal data being accessed and/or stored in: jurisdictions where investments are held; jurisdictions in which and through which transactions are effected; and jurisdictions from which you regularly receive or transmit information about your investments or your business with BNP Paribas.
- Service providers which perform services on our behalf;
- Independent agents, intermediaries or brokers, banking and commercial partners, with which we have a regular relationship;
- Financial or judicial authorities, state agencies or public organizations, upon request and to the extent permitted by law;
- Certain regulated professionals such as lawyers, notaries or auditors; and
- In particular, in relation to Corporate & Institutional Banking business, we may disclose your personal data:
- to any counterparty, custodian, depositary, broker or nominee appointed or instructed by us on your behalf, or on behalf of the entity you represent, or through whom we may deal or transact in relation to your account or for purposes otherwise ancillary to the provision of services provided by BNP Paribas to you or the administration of your account;
- to any licensed credit agency in order to perform a credit assessment for any credit or mortgage-based products requested by or applied for by you and to tracing agents to recover debt;
- to any rating agency, insurer or other provider of credit protection to BNP Paribas;
- to fraud prevention agencies ('FPAs') in order to check the identity of the client or individuals or to investigate or prevent money laundering, fraud or other illegal activity; and
- if the disclosure relates to the actual or potential transfer or novation of one or more transactions pursuant to any applicable Terms of Business (or risks relating to such transactions) by us.
In case of international transfers originating from the European Economic Area (EEA), where the European Commission has recognized a non-EEA country as providing an adequate level of data protection, your personal data will be transferred on this basis.
For transfers to non-EEA countries whose level of protection has not been recognized by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:
- Standard contractual clauses approved by the European Commission;
- Binding corporate rules.
To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in Section 9.
We will retain your personal data for the longer of the period required in order to comply with applicable laws and regulations or another period with regard to our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests.
With regard to customers, most of the information is maintained during the contractual relationship period and for 10 years after the conclusion of the contractual relationship. In relation prospects, the information is kept for 3 years from the moment of its collection or from our last contact with the prospect.
In accordance with applicable regulations, you have the following rights:
- To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
- To rectify: where you consider that your personal data are inaccurate or incomplete, you can require that such personal data be modified accordingly.
- To erase: you can require the deletion of your personal data, to the extent permitted by law.
- To restrict: you can request the restriction of the processing of your personal data, to the extent permitted by law.
- To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
- To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
- To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.
- To establish guidelines for the retention, elimination or disclosure of your personal data, applicable after your death.
If you wish to exercise the rights listed above, please send a letter to the following address:
Torre Ocidente, Centro Colombo
Rua Galileu Galilei Nº2, 1500-392 Lisboa
In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority, CNPD (Comissão Nacional de Proteção de Dados) in Portugal.
In a world of constant technological changes, we may need to regularly update this Data Protection Notice.
We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.
If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our data protection officer, who will investigate your query, sending a letter to the following address:
Torre Ocidente, Centro Colombo
Rua Galileu Galilei Nº2, 1500-392 Lisboa
Data Protection Notice - V1 - December 2018