Protection of Personal Data

This Privacy Notice applies to you if you (‘You’) are:

• One of our customers or have a contractual relationship with us (for example, as a guarantor, underwriter, etc.).
• A member of our customer’s family. Our customers may occasionally share information about their family with us when it is necessary to provide them with a product or service or to get to know them better.
• A person interested in our products or services when you provide us with your personal data (at a branch/office, our websites and applications, at events or sponsorships) so that we can contact you.
• An heir or beneficial owner.
• An authorised representative of one of our customers, as an authorised officer or attorney-in-fact.
• A beneficiary of a payment transaction.
• A beneficiary of an insurance contract or policy and trustee.
• A lessor (rent or lease agreement).
• A customer debtor (for example, in the case of bankruptcy).
• A shareholder of a company/companies.
• Employed by one of our service providers or business partners.

When you provide personal data relating to a third party, please make sure that you inform them that you have disclosed their personal data and that we will process this information, and invite them to read this Privacy Notice. We will also provide these people with information when we have their contact details.

You have rights that allow you to control your personal data and how they are processed.

If you wish to exercise the rights listed below, please send a request to the following address:

BNP Paribas Factor S.A., Sucursal en España, C/ Emilio Vargas 4, 28043 Madrid, Spain, or to our Data Protection Officer in Spain:

Alternatively, you may contact us at DPOdeskSpain@bnpparibas.com

Please attach a scan or copy of your national identity card.

If you have any questions in relation to our use of your personal data under this Privacy Notice, please contact our Data Protection Officer at the following address:

Alternatively, you may email us at DPOdeskSpain@bnpparibas.com

2.1 You may request access to your personal data

If you wish to access your personal data, we will provide you with a copy of the data you requested and information on how they are processed.

Your right of access may be limited in the cases provided for by law. This is the case, for instance, with the anti-money laundering and combating the financing of terrorism regulations, which prohibit us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with the Spanish Data Protection Agency, which will subsequently ask us for your data.

2.2 You may request the rectification of your personal data

If you consider that your personal data are inaccurate or incomplete, you may request the rectification of that data and to have the incomplete data completed. In some cases, supporting documentation may be required.

2.3 You may request the erasure of your personal data

To the extent legally possible, you may request the erasure of your personal data if you so wish. However, if you request the erasure of the data before the statutory retention periods have expired, the data will be blocked but they will not be erased until the retention periods have elapsed.

2.4 You may object to the processing of your personal data based on legitimate interests

If you do not agree with a processing operation based on a legitimate interest, you may object to the processing on grounds relating to your particular situation by letting us know which processing activity you object to and the reasons why. We will stop processing your data, except on legitimate compelling grounds or for the establishment, exercise or defence of possible complaints.

2.5 You may object to the processing of your personal data for the purpose of commercial prospecting

You are entitled to object at any time to the processing of your data for commercial prospecting, including profiling, when this is in connection with commercial prospecting.

2.6 You may request that the processing of your personal data be restricted

If you contest the accuracy of the personal data we use or object to the processing of your data, we will review your request. You may also request that we restrict the processing of your data while we review your request.

2.7 You have rights in relation to automated decision-making

In principle, you have the right not to be subject to a decision based solely on automated processing or profiling, which produces legal effects concerning you or similarly significantly affects you. However, the above shall not apply if the decision is necessary for entering into, or performance of, a contract, is authorised by law or is based on your explicit consent.

Where a decision has been based on automated processing for the purpose of entering into, or performance of, a contract or based on your explicit consent, you are entitled to contest the decision, express your point of view and obtain human intervention to review the decision.

2.8 You may withdraw your consent

You have the right to withdraw your consent at any time after giving their consent to the processing of your personal data. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

2.9 You may request the portability of your personal data

Only where the processing is based on consent or a contract may you request a copy of the personal data you provided to us in a structured, commonly used and machine-readable format. In addition, you have the right to have that copy transmitted directly to a third party where technically feasible.

2.10 How to lodge a complaint with the Spanish Data Protection Agency

In addition to the rights indicated above, you may lodge a complaint with the competent supervisory authority, which is the Spanish Data Protection Agency.

In this section, we describe how and why we use your personal data and the legal basis for the processing.

3.1 Your personal data are processed to comply with our various regulatory obligations

We process your data to comply with the regulations to which we are subject, including banking, insurance and financial regulations.

3.1.1 We use your personal data to:

• Monitor operations and transactions to identify any deviations from normal patterns of behaviour (for example, when a large sum of money is withdrawn in a country other than the customer's country of residence, and the payment of claims).
• Manage and report risks (financial, credit, legal, compliance and reputational risks, etc.) to which the BNP Paribas Group may be exposed in the context of its business activities.
• In accordance with securities market, insurance and consumer regulations, record all types of communications relating, at least, to transactions carried out within the framework of dealing on own account and the provision of services in response to customers’ orders, in particular, the receipt, transmission and execution of orders.
• Assess the adequacy and suitability of the products and services provided to each customer in accordance with securities market, insurance and consumer regulations.
• Contribute to the fight against tax fraud and comply with tax control and reporting obligations.
• Record transactions for accounting purposes.
• Prevent, identify and report risks relating to corporate social responsibility and sustainable development.
• Detect and prevent bribery.
• Comply with the provisions applying to trust service providers that issue certificates for electronic signatures.
• Exchange and report different operations, transactions and orders, and respond to official requests from competent local or foreign financial, tax, administrative, criminal and judicial authorities, arbitrators and mediators, law enforcement agencies, and state and public bodies.

3.1.2 We also process your personal data for the purpose of combating money laundering and the financing of terrorism

As a member of a banking and insurance group, we are required to have a robust anti-money laundering and combating the financing of terrorism (AML/CFT) system in place in each of our centrally managed entities, as well as a local, European and international sanctions enforcement system.

In this context, we are joint controllers together with BNP Paribas S.A., the parent company of the BNP Paribas Group (the term ‘Us’ in this section also includes BNP Paribas S.A.).

The processing operations carried out to comply with these legal obligations are set out in Appendix 2.

3.2 Your personal data will be processed for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract

We will process your data when it is necessary for entering into, or performance of, a contract for the following purposes:

• To determine your credit rating and repayment capacity or the insured risk and the applicable premium.
• To assess (based, for example, on your credit or insurance rating) whether we can offer you a product or service and on what terms (for example, the price).
• To furnish you, at your request, with information about our products and services.
• To provide you with the products and services procured under the relevant contract.
• To manage outstanding debts (identification of customers with unpaid debts).
• To respond to your requests and provide assistance.
• To ensure the liquidation of your estate.
• To help you to manage your budget by automatically categorising transaction data.
• To manage and oversee payment irregularities and outstanding debts (identify customers with outstanding debts and, where applicable, prevent them from procuring new products and services).

3.3 Your personal data will be processed based on a legitimate interest

When a processing operation is based on a legitimate interest, we balance our legitimate interest against your interests or fundamental rights and freedoms to ensure that the balance is fair. You may request more information on the legitimate interest pursued in a particular processing operation by writing to our Data Protection Officer at the following address:

Alternatively, you may email us at DPOdeskSpain@bnpparibas.com

3.3.1 In the course of our business as a banking/financial/insurance institution, we use your personal data to:

• Manage the risks we are exposed to:
  • we keep records of operations and transactions, including evidence in electronic format;
  • we monitor your transactions to manage, prevent and detect fraud; in particular, we monitor transactions that deviate from normal patterns of behaviour:
  • we collect debts;
  • we handle legal claims and defences in the event of litigation;
  • we develop individual statistical models to help determine your creditworthiness.
• Improve cybersecurity, manage our platforms and websites and ensure business continuity.
• Use video surveillance to prevent personal injury and damage to property.
• Improve the automation and efficiency of our operational processes and customer services (for example, automatic filing of complaints, follow-up of requests and improvement of your satisfaction based on personal data collected during our interactions, such as telephone recordings, emails and chats).
• Carry out financial operations such as debt portfolio sales, insurance portfolio transfers, securitisations, financing or refinancing of the BNP Paribas Group.
• Conduct statistical studies and develop predictive and descriptive models for:
  • commercial purposes: identify the products and services that best meet your needs, create new proposals or identify new customer trends, take our customers’ preferences into account when developing our commercial policy;
  • security purposes: to prevent potential incidents and improve security management;
  • compliance purposes (for example, to combat money laundering and the financing of terrorism) and risk management;
  • business efficiency (for example, to optimise and automate functional processes);
  • anti-fraud purposes.
• Organise competitions, lotteries, promotions, including invitations to events, and conduct opinion and customer satisfaction surveys.

3.3.2 We use your personal data to send you commercial offers by email, post and phone

As a member of the BNP Paribas Group, we would like to give you access to a whole range of products and services tailored to your needs.

Once you are a customer, and unless you object, we may send you offers electronically in connection with products and services of the company and Group if they are similar to products and services you have already procured.

We will make sure that the commercial offers are for products and services that are relevant to your needs and complement products and services you already have to ensure that our respective interests are balanced.

We may also send you, by phone and post, unless you object, offers concerning our products and services as well as those of the Group and our trusted partners.

3.3.3 We analyse your personal data to create standard profiles to personalise our products and offers

To enhance your experience and satisfaction, we need to determine to which customer group you belong. To do this, we build a standard profile from relevant data that we select from the following information:

• what you tell us during our interactions or when you purchase a product or service;
• information gleaned from your use of our products and services, such as information relating to your accounts, account balances, typical and unusual transactions, use of your card abroad, automatic categorisation of your transaction data (for example, distribution of your expenses and bills by category, just as you see it in your customer area);
• your use of our various channels: websites and applications (for example, if you are digitally literate, if you prefer a customer journey to procure a product, or service with more autonomy (self-care);

Unless you object, we will use standard profiling to personalise your experience. With your consent, we can go a step further to better meet your needs with bespoke customisation as described below.

3.4 Your personal data will be processed if you have given your consent

For some data processing operations, we will provide you with specific information and ask for your consent. Of course, you may withdraw your consent at any time.

In particular, we will ask for your consent to:

• tailor our offers, products and services using more sophisticated profiling to anticipate your needs and behaviours;
• offer products and services electronically that are different from the ones you have procured and offer the products and services of our trusted partners;
• tailor our offers, products and services based on your account data with our partners that are not members of the BNP Paribas Group, but which distribute our products;
• use your browser data (cookies) for commercial purposes or to improve our knowledge of your profile;
• process special categories of data (‘sensitive data’), including biometric data, health data and information about your religious and philosophical beliefs.

We may also ask for your consent to process your personal data for other purposes, where necessary.

We collect and use your personal data, i.e. any information that identifies you or that can be used to identify you.

Depending, among other things, on the types of products or services we provide you with and our interactions, we collect various types of personal data concerning you, including:

• identity information: for example, your full name, gender, date and place of birth, nationality, identity card number, passport number, driving licence number, vehicle registration number, photograph and signature;
• contact information: (private or business), for example, postal address, email address and telephone number;
• information about your financial and family situation: for example, marital status, matrimonial property regime, household composition (number of members, number of children, their ages, education and employment), the real estate property you own (apartment or house), capacity and protection measures (minor, under the supervision of a guardian);
• significant life events: for example, if you are married, divorced, in a relationship or have recently had a baby;
• lifestyle: hobbies and interests, travel, your environment (nomadic or sedentary lifestyle);
• economic, financial and tax information: for example, your tax identification number, tax status, country of residence, salary and other income, value of your assets, debts, financial assets, tax data, mortgages, equity capital subscribed or repaid, over-indebtedness, entitlement to insurance benefits;
• education and employment information: for example, level of studies, sector of activity and, depending on the type of contract: the employer, categories of insured staff, the subsidiary, collective bargaining agreement that applies, the employer’s tax identification number or VAT number, turnover or revenue, approximate retirement age, tax system, professional duties and skills or proof that you are seeking employment;
• banking and financial information in relation to the products and services you have procured: for example, bank account details, products and services you have taken out and use (insurance, savings and investment), customer identification number, insured party, contract, claims file, outstanding claims, provider’s reference, co-insurer or reinsurance undertaking, duration, amounts, direct debit authorisation, data on payment methods or banking transactions, such as the number of transactions, details of the transaction concerning the product or service procured and outstanding amounts;
• transaction data: account transactions and balances, operations, including the beneficiaries’ details such as their full name, address and contact details, details of bank transactions, amount, date, time and type of transaction (credit card, transfer, cheque, direct debit);
• data on your habits and preferences when using our products and services;
• data we collect during our interactions with you: for example, your comments, suggestions, needs collected during our exchanges with you in person in our branches (contact reports) and online, during phone communications (conversations), correspondence by email, chats, chatbots, exchanges on our social media pages and your most recent complaints. Your connection and tracking data, such as cookies and trackers for non-advertising or analytical purposes on our websites, online services, applications and social media pages;
• data collected by our video surveillance system (including CCTV) and geolocation: for example, to show locations of cash withdrawals or payments for security purposes or to identify the location of the branch or service providers nearest to you;
• data on your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and unique identifiers;
• unique login credentials or security elements used to log in to our website and BNP Paribas applications.

We may collect sensitive data, such as health data, biometric data and criminal record data, subject to compliance with the strict conditions set out in data protection regulations.

We collect personal data directly from you; however, we may also collect personal data from other sources.

Sometimes, we collect data from public sources:

• publications/databases made available by official authorities or third parties (for example, the Official State Gazette, the Companies Registry and databases managed by the financial supervisory authorities);
• the websites/social media pages of legal persons or commercial customers that contain information disclosed by you (for example, your own website or social media pages);
• public information such as information published in the press.

We also collect personal data from third parties:

• from other entities in the BNP Paribas Group;
• from our customers (businesses and private individuals);
• from our business partners:
• from payment initiation and account aggregation service providers (service providers of account information);
• from third parties such as credit reference agencies and fraud prevention agencies;
• from data brokers, which are responsible for ensuring that the relevant information is collected lawfully.

a. With other entities in the BNP Paribas Group

As a member of the BNP Paribas Group, we work closely with the Group’s other companies worldwide. Your personal data may therefore be shared with entities in the BNP Paribas Group, where necessary, to:

• comply with our various legal and regulatory obligations described above;
• fulfil our legitimate interests, which are:
  • to manage, prevent and detect fraud in cases where there are suspicions of fraud and only with the entities in the BNP Paribas Group that may be involved or affected;
  • conduct statistical studies and develop predictive and descriptive models for commercial, security, compliance, risk management and anti-fraud purposes;
  • enhance the reliability of certain data concerning you held by other entities in the Group;
  • offer you access to the products and services of the Group that best meet your needs and preferences;
  • tailor content and the prices of the products and services.

b. With recipients outside the BNP Paribas Group and data processors

In order to fulfil some of the purposes described in this Privacy Notice, we may, where necessary, share your personal data with:

• data processors that provide services on our behalf (for example IT, logistics, printing, telecommunications, debt collection, consulting, distribution and marketing services);
• banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, business registers with which we have a relationship when the data disclosure is required to be able to provide you with the products and services or to perform our contractual obligations or transactions (for example, banking institutions, correspondent banks, paying agents, exchange platforms, insurance companies, payment system operators, payment card issuers or intermediaries, mutual guarantee companies and financial guarantee institutions);
• local and foreign financial, tax, administrative, criminal and judicial authorities, arbitrators and mediators, public authorities and institutions, when we or any other member of the BNP Paribas Group are required to disclose the information pursuant to:
  • their request;
  • our defence, action or proceedings;
  • compliance with a regulation or recommendation issued by a competent authority that applies to us or one of the members of the BNP Paribas Group;
• third-party payment service providers (information on your bank accounts) for the provision of a payment initiation or account information service, if you consented to the transfer of your personal data to that third party;
• certain regulated professions such as lawyers, notaries and auditors when this is necessary in specific circumstances (litigation, audits, etc.) and to our insurers or to an actual or proposed purchaser of the companies or businesses of the BNP Paribas Group.

Your personal data may be transferred to countries outside the European Economic Area (EEA). The transfer of your personal data to a third country may take place where the European Commission has decided that the third country ensures an adequate level of protection.

In the case of data transfers to non-EEA countries whose level of protection is not deemed adequate by the European Commission, the transfer will take place on the basis of an exception in a specific situation (for example, if the transfer is necessary to perform our contract with you or to make an international payment) or we will apply one of the following safeguards to ensure the protection of your personal data:

• standard data protection clauses adopted by the European Commission;
• binding corporate rules.

To obtain a copy of these safeguards or details on where they are available, please send a written request to:

Alternatively, you may email us at DPOdeskSpain@bnpparibas.com

We will retain your personal data for the time required to comply with applicable laws and regulations, or for the time required to perform our operational obligations, such as bookkeeping and effective customer relationship management, for the defence of legal claims and to respond to requests by regulatory bodies. For example, in most cases, customer data is retained for the term of the contractual relationship and for 10 years after the contract has expired. In the case of prospective customers, the data is retained for three years.

For more information about retention periods, please see “Retention Annex V20220629”

In a world where technology is constantly evolving, we review this Privacy Notice from time to time and update it as required.

We encourage you to review the latest version of this Notice online, and we will inform you of any significant amendments to it through our website or our standard communication channels.

We are part of a banking group that is required to implement and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all centrally managed entities, as well as an anti-corruption programme and a mechanism to ensure the enforcement of international sanctions (i.e. economic and trade sanctions including the associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed or enforced by the French Republic, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any other competent authority in territories where the BNP Paribas Group is established).

In this context, we act as joint controllers together with BNP Paribas S.A., the parent company of the BNP Paribas Group (the term ‘Us’ in this section also includes the company BNP Paribas S.A.).

In accordance with AML/CFT obligations and international sanctions, we carry out the following processing operations to comply with our legal obligations:

• A Know Your Customer (KYC) programme reasonably designed to identify, verify and update our customers’ identity, including, where applicable, their respective beneficial owners and attorneys-in-fact.
• Improve the due diligence procedures for high-risk customers, politically exposed persons (‘PEPs’ are defined by law as persons who, by virtue of their duties or (political, judicial or government) position present a higher risk), and higher risk situations.
• Written policies, procedures and controls reasonably designed to ensure that the Bank does not establish or maintain relationships with shell banks.
• A policy, based on an internal assessment of the risks and economic situation, to generally not handle or otherwise engage, regardless of the currency, in activity or business:
  • for, on behalf of, or for the benefit of any individual, entity or organisation subject to sanctions imposed by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in territories where the Group operates;
  • directly or indirectly involving sanctioned territories such as Crimea/Sevastopol, Cuba, Iran, North Korea and Syria;
  • involving financial institutions or territories that may be related to or controlled by terrorist organisations and recognised as such by the relevant authorities in France, the European Union, the U.S. or the United Nations.
• Customer database screening and transaction filtering reasonably designed to ensure compliance with the applicable laws.
• Systems and processes designed to detect and report suspicious activity to the relevant regulatory authorities.
• In particular, to comply with the obligation to report monthly the procurement, cancellation and modification of the products and holders of the products determined by the regulations in force at any given time to the Centralised Banking Account Register (FTF, by its Spanish acronym), which is managed by SEPBLAC.
• A regulatory compliance programme reasonably designed to prevent and detect bribery, corruption and improper influence in accordance with the French Sapin II Law, the U.S FCPA, and the UK Bribery Act.

For this purpose, we engage:

• the services of external providers that keep updated lists of PEPs, such as DJAAMS and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges);
• public information available in the press on issues relating to money laundering, the financing of terrorism and corruption;
• knowledge of risky behaviours and situations (existence of a suspicious transaction report or equivalent) that can be identified at BNP Paribas Group level.

We may need to process special categories of data and data concerning criminal convictions and offences given that the objective is to combat money laundering and the financing of terrorism.

We perform these checks both on you and the transactions you carry out when you enter into a relationship with us and for the duration of the relationship. If you have been the subject of an alert during our relationship, this information will be stored after the relationship has ended in order to identify you and adapt our controls should you enter into a new relationship with any company in the BNP Paribas Group or are a party to a transaction.

To comply with our legal obligations, we exchange the information collected for AML/CFT, anti-corruption and international sanctions purposes with other companies in the BNP Paribas Group. When your personal data are shared with countries outside the European Economic Area that do not offer an adequate level of protection similar to that afforded by the EEA, the data transfers will be governed by the standard contractual clauses (SCCs) adopted by the European Commission. When additional data are collected and exchanged to comply with the regulations of countries outside the European Union, the processing will be necessary to pursue our legitimate interest, which is to enable the BNP Paribas Group and the companies in the Group to comply with their legal obligations and avoid local penalties.