DATA PROTECTION NOTICE
 

Preliminary section: Main amendments
 

As a trusted companion, the protection of your personal data is important to the BNP Paribas Group. 
We have enhanced our Privacy Notice by being more transparent about the following:
-    processing activities relating to commercial prospection
-    processing activities relating to anti-money laundering and countering the financing of terrorism, and international sanctions (freezing of assets)
 

Introduction


We take the protection of your personal data very seriously; accordingly, the BNP Paribas Group has adopted strong principles in its Personal Data Protection Charter available at: https://group.bnpparibas/uploads/file/bnpparibas_personal_data_privacy_charter.pdf.

BNP Paribas Cardif (GIE BNP Paribas Cardif, Cardif Assurances Risques Divers and Cardif Assurance Vie) ("BNP Paribas Cardif" or "we"), as a controller, is responsible for collecting and processing your personal data in relation to its activities.

Our business is to help all our customers – individuals, entrepreneurs, small and medium-sized enterprises, large companies and institutional investors – thanks to our investment, savings and insurance solutions.
As a member of an integrated banking-insurance Group in collaboration with the various entities of the Group, we provide our customers with a complete range of banking, insurance and leasing products and services.

The purpose of this Privacy Notice is to explain how we process your personal data and how you can control and manage them.

Further information may be provided where necessary directly at the time of collection of your personal data.
 

1.    ARE YOU SUBJECT TO THIS NOTICE?


This Privacy Notice applies to you if you are ("You"):
•    our customer or in a contractual relationship with us (subscriber, co-subscriber, insured person);
•    our client or in a contractual relationship with us (subscriber, co-subscriber, insured person);
•    a member of a customer family. Indeed, our customers may occasionally share with us information about their family when it is necessary to provide them with a product or service or to get to know them better;
•    a person interested in our products or services when you provide us with your personal data (on our websites and applications, during events or sponsorship operations) so that we can contact you;
•    an heir or successor;
•    a co-borrower / guarantor;
•    a legal representative of our client under a mandate/delegation of authority;
•    a beneficiary of a payment transaction;
•    a beneficiary of an insurance contract or policy and a trust;
•    a beneficial owner of the Contract;
•    a beneficial owner (within the meaning of L.561-2-2 of the French Monetary and Financial Code) of a legal entity customer;
•    an officer or legal representative of a corporate client;
•    a donor;
•    a creditor (e.g. in case of bankruptcy);
•    a corporate shareholder.

When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Privacy Notice. We will ensure that we will do the same whenever possible (e.g., when we have the person's contact details).
 

2.    HOW CAN YOU CONTROL THE PROCESSING ACTIVITIES WE DO ON YOUR PERSONAL DATA?


You have rights that allow you to exercise meaningful control over your personal data and how we process it. 
If you wish to exercise the rights listed below, please submit a request, with a scan/copy of your identity card where required:
-    to BNP Paribas Cardif - DPO, 8 rue du Port, 92728 Nanterre Cedex-France; or
-    to Data.protection@Cardif.com; or
-    on our websites, whenever possible.

If you have any questions relating to our use of your personal data under this Privacy Notice, please contact our Data Protection Officer at the following address:
-    BNP Paribas Cardif – DPO, 8 rue du Port, 92728 Nanterre Cedex-France, or
-    Data.protection@Cardif.com.

2.1.    You can request access to your personal data

If you wish to have access to your personal data, we will provide you with a copy of the personal data you requested as well as information relating to their processing.
Your right of access may be limited in the cases foreseen by laws and regulations. This is the case with the regulation relating to anti-money laundering and countering the financing of terrorism, which prohibits us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with the CNIL, which will request the data from us.

2.2.    You can ask for the correction of your personal data

Where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified or completed accordingly. In some cases, supporting documentation may be required.

2.3.    You can request the deletion of your personal data

If you wish, you may request the deletion of your personal data, to the extent permitted by law.

2.4.    You can object to the processing of your personal data based on legitimate interests

If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for the objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise or defence of legal claims.

2.5.    You can object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for commercial prospecting purposes, including profiling, insofar as it is linked to such prospecting.

2.6.    You can suspend the use of your personal data

If you question the accuracy of the personal data we use or object to the processing of your personal data, we will verify or review your request. You may request that we suspend the use of your personal data while we review your request.

2.7.    You have rights against an automated decision

As a matter of principle, you have the right not to be subject to a decision based solely on automated processing based on profiling or otherwise that has a legal effect or significantly affects you. However, we may automate such a decision if it is necessary for the entering into or performance of a contract with us, authorised by regulation or if you have given your consent.
In any event, you have the right to challenge the decision, express your views and request the intervention of a competent person to review the decision.

2.8.    You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

2.9.    You can request the portability of part of your personal data

You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.

2.10.     How to file a complaint with the CNIL 

In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority, which is usually the one in your place of residence, such as the CNIL (Commission Nationale de l'Informatique et des Libertés) in France.
 

3.     WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?


In this section we explain why we process your personal data and the legal basis for doing so.

3.1.    Your personal data are processed to comply with our various regulatory obligations

Your personal data are processed where necessary to enable us to comply with the regulations to which we are subject, including insurance and financial regulations.

3.1.1.    We use your personal data to:

•    monitor operations and transactions to identify those which deviate from the normal routine/patterns;
•    monitor your transactions and operations to manage, prevent and detect fraud;
•    manage, prevent and report risks (financial, credit, legal, compliance, reputational, etc.) that the BNP Paribas Group may face in the course of its business;
•    meet our obligations to fight against escheatment;
•    conduct an assessment of the appropriateness and suitability for each customer's profile of the products we offer in accordance with the Insurance Distribution Directive (IDD) 2016; 
•    help fight against tax fraud and meet our obligations of notification and tax control;
•    record transactions for accounting purposes;
•    prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
•    detect and prevent corruption;
•    comply with the provisions applicable to trust service providers issuing electronic signature certificates;
•    exchange and report various operations, transactions or requests or respond to an official request from a duly authorised local or foreign judicial, criminal, administrative, fiscal or financial authority, arbitrator or mediator, law enforcement authorities, governmental bodies or public agencies;
•    meet our obligation of accessibility to services for people with disabilities, for example with tools allowing speech-to-text transcription.

3.1.2.    We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes

As part of a banking and insurance Group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions. 
In this context, we are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term "We" in this section also includes BNP Paribas SA). 
The processing activities performed to meet these legal obligations are detailed in Appendix 1. 

3.2.     Your personal data are processed to perform a contract to which you are a party or pre-contractual measures taken at your request

Your personal data are processed when it is necessary to enter into or perform a contract to:
•    define your insurance risk profile and determine an associated rate;
•    assess (e.g. based on your insurance risk profile) whether we can offer you a product or service and under what conditions (e.g. rate);
•    send you information about our products or services at your request; 
•    provide you with the products and services purchased in accordance with the applicable contract;
•    manage your contract (including claims, compensation procedures, settlement follow-up, etc.);
•    answer your requests and assist you in your steps;
•    subscribe (including via a telephone agreement or electronic signature) to our products and services;
•    ensure the settlement of your estate;
•    manage and process payment incidents and non-payments (identification of customers with outstanding balances and, if necessary, exclusion of these customers from new products or services).

3.3.     Your personal data are processed to fulfil our legitimate interest or that of a third party 

Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 9 "HOW TO CONTACT US?" above. 

3.3.1.    In the course of our business as an insurer, we use your personal data to:

•    manage the risks to which we are exposed:
o    we keep proof of operations or transactions, including in electronic evidence;
o    we monitor your transactions to manage, prevent and detect fraud, in particular by monitoring those which deviate from the normal routine/patterns;
o    we carry out recoveries;
o    we handle legal claims and defences in the event of litigation;
o    we develop individual statistical models in order to help define your insurance risk. 

•    enhance cyber security, manage our platforms and websites, and ensure business continuity.

•    use video surveillance to prevent personal injury and damage to people and property.

•    enhance the automation and efficiency of our operational processes and customer services (e.g., automatic filling of complaints, tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you such as phone recordings, e-mails or chats).

•    carry out financial operations such as debt portfolio sales, securitizations, financing or refinancing of the BNP Paribas Group.

•    conduct statistical studies and develop predictive and descriptive models for:

o    commercial purpose: to identify the products and services that could best meet your needs, to create new offers or identify new trends among our customers, to develop our commercial policy taking into account our customers' preferences;

o    safety purpose: to prevent potential incidents and enhance safety management;

o    product risk monitoring and pricing improvement;
o    compliance purpose (e.g., anti-money laundering and countering the financing of terrorism) and risk management;

o    business efficiency: optimise and automate our operational processes;
o    anti-fraud purposes.

•    organize promotional operations, conduct opinion and customer satisfaction surveys.

3.3.2.    We use your personal data to send you commercial offers by electronic means, post and phone

As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs.
Once you are a customer and unless you object, we may send you these offers electronically for our products and services and those of the Group if they are similar to those you have already subscribed to. 
We will ensure that these commercial offers relate to products or services that are relevant to your needs and complementary to those you already have to ensure that our respective interests are balanced.

We may also send you, by phone and post, unless you object, offers concerning our products and services as well as those of the Group and our trusted partners.

3.3.3.    We analyse your personal data to perform standard profiling to personalize our products and offers

To enhance your experience and satisfaction, we need to determine to which customer group you belong. For this purpose, we build a standard profile from relevant data that we select from the following information:
•    that you have directly communicated to us during our interactions with you or when you subscribe to a product or service;
•    gathered from your use of our various channels: websites and applications (e.g. if you are digitally savvy, if you prefer a customer journey to subscribe to a product or service with more autonomy (selfcare)).

Unless you object, we will perform this customization based on standard profiling. We may go further to better meet your needs, if you consent, by performing a tailor-made customization as described below.

3.4.    Your personal data are processed if you have given your consent

For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.
In particular, we ask for your consent for:
•    tailor-made customization of our offers and products or services based on more sophisticated profiling, for example to anticipate your needs and behaviours;
•    any electronic offer for products and services not similar to those you have subscribed to or for products and services from our trusted partners;
•    personalization of our offers, products and services based on your account held by our banking partners, distributors of our products;
•    use of your navigation data (cookies) for commercial purposes or to enhance the knowledge of your profile;
•    processing of data relating to your religious or philosophical beliefs, in particular when you subscribe to a funeral contract in which you give indications on the type of ceremony you wish to have (civil, religious in accordance with a specific religion, etc.);
•    carrying out further processing for new purposes incompatible with those for which your data were initially collected;
•    making a fully automated decision that has legal effect or significantly affects you. We will inform you at the time and separately of the reasons for this decision, as well as the importance and consequences of this processing.

You may be asked for further consent to process your personal data where necessary.
 

4.    WHAT TYPES OF PERSONAL DATA DO WE COLLECT?

 

We collect and use your personal data, meaning any information that identifies or allows one to identify you.

Depending, among other things, on the category of person you belong to, the types of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:
-    Identification information: e.g., full name, gender, place and date of birth, nationality, identity card number, passport number, driving licence number, photograph, signature;
-    Contact information, private or professional: e.g. postal address, e-mail address, phone number;
-    Information relating to your financial and family situation: e.g., marital status (marriage, civil partnership, marital life, etc.), household composition (number of people, age, employment and studies), the property you own (apartment or house), your capacity and the protection regime (minority, guardianship, curatorship, etc.);
-    Milestones of your life: e.g., when you recently got married, divorced, partnered, or gave birth;
-    Lifestyle: your hobbies and interests, travel, your environment (nomadic, sedentary);
-    Economic, financial and tax information: e.g., tax ID, tax status, country of residence, salary and other income, real estate and personal property, outstanding debts, financial assets, tax data, credits, capital subscribed/repaid, over-indebtedness or entitlement to benefits (CMU-ACS beneficiaries, RSA, etc.);
-    Education and employment information: e.g., socio-professional category, field of activity, occupation; and depending on the contract category: employer, categories of insured personnel, branch, collective agreement, SIRET / SIREN number, company name, income or turnover, expected retirement date, tax system, professional skills and qualifications, proof of employment;
-    Information related to the products and services you hold: e.g., bank details, products and services held and used (insurance, savings and investments, etc.), client identification number, policy number, claim file, outstanding claims, references of the provider, co-insurers and reinsurers, duration of the contract, the amounts, the direct debit authorisation, the data relating to the payment method or relating to the transactions such as the transaction number, the details of the operation relating to the product or service subscribed to, unpaid debts, recovery;
-    Information required for the payment of the insurance premium: cheque number, bank card number, expiry date of the bank card, bank account details (RIB/IBAN);
-    Information relating to the determination or evaluation of damages and benefits: e.g. information about the claim (the nature and circumstances of the claim, the description of the damage to property and/or persons, police reports and other investigation reports, expert reports), the victims (the nature and extent of the damage suffered, the degree of disability/incapacity, the pensions, the death benefit, the amounts of the benefits, data allowing to determine the tax obligations of the person concerned, the terms of settlement, reversion, unemployment benefits, amounts reimbursed by the social security for complementary health care costs), as well as data from internet pages open to the public for the search of beneficiaries of unclaimed contracts;
-    The NIR under the conditions provided for by the decree of 19 April 2019: in the context of social protection, the signing, management and execution of the contract, for the fight against escheatment in life insurance, against money laundering and the financing of terrorism, and against fraud;

-    Claims information: e.g. history of claims, including compensation paid and expert reports, information on victims;
-    Data relating to your habits and preferences in relation to the use of our products and services;
-    Data collected from our interactions with you: e.g., your comments, suggestions, needs collected during our exchanges with you online, during phone communications (conversation), discussion by e-mail, chat, chatbot, exchanges on our social media pages and your latest complaints. Your connection and tracking data such as cookies and tracers for non-advertising or analytical purposes on our websites, online services, applications, social media pages;
-    Data collected from the video protection system (including CCTV) and geolocation;
-    Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and uniquely identifying data;
-    Personalized login credentials or security features used to connect you to our website and apps;
-    Data revealing your state of health when necessary for the conclusion or management of your contract: health questionnaires, additional medical formalities, care sheets, etc.;
-    Religious and philosophical beliefs: when you give indications on the type of funeral ceremony you wish to have as part of a funeral contract.


5.    WHO DO WE COLLECT PERSONAL DATA FROM?

 

We collect personal data directly from you; however, we may also collect personal data from other sources.

We sometimes collect data from public sources:
•    publications/databases made available by official authorities or third parties (e.g., the Official Journal of the French Republic, the Trade and Companies Register, databases managed by the supervisory authorities of the financial sector);
•    websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page);
•    public information such as that published in the press.

We also collect personal data from third parties:
•    other BNP Paribas Group entities; 
•    our customers (companies or individuals); 
•    our commercial partners and in particular the distributors or managers of our products; 
•    our co-insurers;
•    payment initiation service providers and account aggregators (account information service providers); 
•    service providers specialised in data reliability and enrichment;
•    third parties such as fraud prevention agencies;
•    data brokers who are responsible for ensuring that they are collecting relevant information in a legal manner.
 

6.    WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?
 

a.    With BNP Paribas Group's entities

As a member of the BNP Paribas Group, we work closely with the Group's other companies worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:
•    comply with our various legal and regulatory obligations described above;
•    fulfil our legitimate interests which are to: 
o    manage, prevent, detect fraud;
o    conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;
o    enhance the reliability of certain data about you held by other Group entities;
o    offer you access to all the Group's products and services that best meet your needs and wishes;
o    customize the content and prices of products and services.

b.    With the BNP Paribas Group entities that distribute our products

Exchanges of personal data between us and our intra-group distributors are more frequent than with other BNP Paribas Group entities that are not involved in the distribution and/or marketing of our products. 
Your personal data may therefore be shared between our intra-group distributors and us when: 
•    You wish to subscribe to a Cardif insurance contract and have taken steps with a BNP Paribas Group entity acting as a distributor of our products;
•    You have taken out a Cardif insurance policy with a BNP Paribas Group entity;
•    You are the beneficiary of a Cardif insurance policy distributed by a BNP Paribas Group entity.
Personal data shared between our intra-group distributors and us may be:
•    data collected by a BNP Paribas Group entity at the time of subscription or during the execution of one of your Cardif insurance contracts; or 
•    data previously collected by a BNP Paribas Group entity when subscribing to or executing a non-insurance contract. 
In addition to the purposes described above (paragraph 6.a.1.), your personal data may be shared between us and our intra-group distributors for the following purposes:
•    to tailor the distribution, content and pricing of our products and services based on your profile;
•    to allow our intra-group distributors to offer additional contracts and/or guarantees in line with your family, assets and professional situation;
•    to check the suitability of your profile based on the criteria of the defined target market;
•    to facilitate the conclusion and execution of our insurance contracts taken out with an entity of the BNP Paribas Group by limiting your steps;
•    to digitalise our relationship with you, especially when you have already opted for a digitalised relationship with a BNP Paribas Group entity.
The processing that is carried out on the basis of your personal data held by us and our intra-group distributors is subject to a balancing of our legitimate interests against your interests or your fundamental rights and freedoms to ensure that there is a fair balance between them.

c.    With recipients outside the BNP Paribas Group and processors

In order to fulfil some of the purposes described in this Privacy Notice, we may, where necessary, share your personal data with:
•    subcontractors who perform services on our behalf, for example, IT services, printing, telecommunications, collection, consulting, distribution and marketing services;
•    commercial partners who distribute our products, or who are involved in the design and marketing of our products;
•    commercial partners who manage our contracts on our behalf;
•    service providers specialised in data reliability and enrichment;
•    independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with whom we have a relationship if such transfer is necessary to provide services or products to you or to fulfil our contractual obligations or to complete transactions (for example: banks, correspondent banks, custodians, securities issuers, paying agents, exchange platforms, insurance companies, payment system operators, payment card issuers or intermediaries, mutual guarantee companies or financial guarantee institutions);
•    financial, tax, administrative, criminal or judicial authorities, local or foreign, arbitrators or mediators, public authorities or institutions (such as the Banque de France, Caisse des Dépôts et Consignations), to whom we or any member of the BNP Paribas Group are required to disclose data:
o    at their request;
o    as part of our defence, an action or proceeding;
o    in order to comply with a regulation or recommendation issued by a competent authority with respect to us or any member of the BNP Paribas Group.
•    third party payment service providers (information about your bank accounts), for the purpose of providing a payment initiation or account information service if you have consented to the transfer of your data to that third party;
•    certain regulated professions such as lawyers, notaries, or statutory auditors when specific circumstances so require (litigation, audit, etc.) as well as to our insurers or any current or potential purchaser of the companies or activities of the BNP Paribas Group;
•    social security agencies when they are involved in claims or when we provide benefits in addition to social security benefits;
•    commercial intelligence agencies;
•    interested parties to the contract such as:
o    the contract holder, the subscriber, the insured parties and their representatives;
o    assignees and sub-assignees of contracts;
o    the persons responsible for the claim, the victims, their representatives and witnesses.
 

7.    INTERNATIONAL TRANSFERS OF PERSONAL DATA
 

In case of international transfers originating from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place. Where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to non-EEA countries where the level of protection has not been recognized as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:
•    Standard contractual clauses approved by the European Commission.

To obtain a copy of these safeguards or details on where they are available, you can send a written request to:
BNP Paribas Cardif - DPO
8 rue du Port, 92728 Nanterre Cedex-France


8.    HOW LONG DO WE KEEP YOUR PERSONAL DATA?


We retain your personal data for the period of time necessary to comply with the applicable laws and regulations, or for a period of time required for operational purposes, such as bookkeeping, effective customer relationship management, and to enforce our legal rights or respond to requests from regulatory bodies.

When a contract is entered into:

Most customer data is retained for the duration of the contractual relationship plus the statutory limitation period for claims under that contract (ranging from 2 years to 30 years for some contracts), unless overriding legal or regulatory provisions require a longer or shorter retention period.

If no contract is entered into:

Your data is kept for 3 years from the date of its collection or the last contact we had with you.

If we have collected data relating to your health, it is kept for a maximum period of 5 years if no contract has been concluded (the objective is to be able to respond to your requests or mainly to provide evidence in the event of a dispute over the decision not to conclude an insurance contract).

Other retention periods:

Your credit card information is kept for a period of 13 months from the date of debit (except for the CVC which is not kept in our system).

Telephone recordings for the purpose of improving the quality of services and training of our staff are kept for 6 months. The analysis documents resulting from these records are kept for 1 year.

The information relating to your identity and delivered at the time of a request to exercise your rights is preserved during the period necessary to respond to your request. 

For more detailed information on the retention periods of your personal data, you can consult Appendix 2.


9.    HOW TO FOLLOW THE EVOLUTION OF THIS PRIVACY NOTICE
 

In a world where technologies are constantly evolving, we regularly review this Privacy Notice and update it as required.

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.

Appendix 1

Processing of personal data for anti-money laundering and countering of the financing of terrorism

We are part of a banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all its entities managed at central level, an anti-corruption program, as well as a mechanism to ensure compliance with international Sanctions (i.e., any economic or trade sanctions, including associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed, or enforced by the French Republic, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in territories where BNP Paribas Group is established). 
In this context, we act as joint controllers together with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” used in this appendix therefore also covers BNP Paribas SA).  
To comply with AML/CFT obligations and with international Sanctions, we carry out the processing operations listed hereinafter to comply with our legal obligations: 
•    A Know Your Customer (KYC) program reasonably designed to identify, verify and update the identity of our customers, including where applicable, their respective beneficial owners and proxy holders; 
•    Enhanced due diligence for high-risk clients, Politically Exposed Persons or “PEPs” (PEPs are persons defined by the regulations who, due to their function or position (political, jurisdictional or administrative), are more exposed to these risks), and for situations of increased risk; 
•    Written policies, procedures and controls reasonably designed to ensure that the Bank does not establish or maintain relationships with shell banks; 
•    A policy, based on the internal assessment of risks and of the economic situation, to generally not process or otherwise engage, regardless of the currency, in activity or business: 
o    for, on behalf of, or for the benefit of any individual, entity or organisation subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in territories where the Group operates;  
o    involving directly or indirectly sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea, or Syria; 
o    involving financial institutions or territories which could be connected to or controlled by terrorist organisations, recognised as such by the relevant authorities in France, the European Union, the U.S. or the United Nations. 
•    Customer database screening and transaction filtering reasonably designed to ensure compliance with applicable laws; 
•    Systems and processes designed to detect and report suspicious activity to the relevant regulatory authorities; 
•    A compliance program reasonably designed to prevent and detect bribery, corruption and unlawful influence pursuant to the French “Sapin II” Law, the U.S. FCPA, and the UK Bribery Act. 
 
In this context, we make use of:  
o    services provided by external providers that maintain updated lists of PEPs such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges); 
o    public information available in the press on facts related to money laundering, the financing of terrorism or corruption;  
o    knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at the BNP Paribas Group level. 
We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you, both on yourself and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be stored in order to identify you and to adapt our controls if you enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which you are a party.   
In order to comply with our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international Sanctions purposes between BNP Paribas Group entities. When your data are exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When additional data are collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local penalties. 


Appendix 2

Retention Periods
 

The retention periods correspond to the time during which we may need to process the data collected.

In the absence of a contract

Prospecting management

If you are a prospect, we keep your data for a period of 3 years from the date of collection or last contact from you. 
At the end of this period, we may contact you again to ask if you still wish to receive commercial solicitations. If we do not receive a positive response, we will delete your data.

Health data

Health data is kept for a maximum of 5 years from the date of its collection or the last contact from you (2 years in the active database and 3 years in intermediate storage).
This period is justified insofar as we must be able to respond to your requests in the event of a dispute following a refusal or questioning of your responsibility, or in the event of requests for mediation.

Audience measurement statistics

Cookies have a maximum life span of 13 months and the information collected through them is kept for a maximum of 25 months.

When a contract is entered into

The retention period takes into account two parameters: 
-    duration of the commitment;
-    the limitation period (i.e. the period during which the beneficiary of the right can act to claim its benefit, the starting point of which varies according to the action). 
Finally, in general, for accounting purposes, we must be able to present, for a period of 10 years, any document necessary to prove the payment and the amount of the payment. 

1/ Legal or regulatory retention periods applicable to insurance companies

We take into account:

• the time limits for the retention of documents on which the tax authorities' rights of communication, investigation and control may be exercised: 6 years (in some cases 10 years) from the date of the last transaction mentioned in the books or registers or from the date on which the documents or vouchers were drawn up (article L.102 B of the Book of Tax Procedures);

• the time limits for keeping documents and information relating to the client and the operations carried out by them in the context of the fight against money laundering and the financing of terrorism: 5 years from the closing of their accounts or the termination of the relationship or from the execution of the transactions (article L. 561-12 of the French Monetary and Financial Code);

• the time limits for the retention of the written document which establishes the contracts concluded by electronic means and concerning an amount higher than €120: 10 years from the conclusion of the contract (L. 213-1 of the French Consumer Code). 

2/ Retention periods and limitation rules specific to insurance contracts

We take into account, for each type of contract, the limitation periods provided for by the French Civil Code and the French Code of Criminal Procedure and the specific limitation periods provided for by the French Insurance Code.

Civil Liability Coverage

a. In the event of a material loss, the data is kept for the time needed to manage the loss and up to 10 years after its closure.

b. In the event of a bodily injury, the data is kept for the duration of the claim management and up to 50 years from its closure.

c. In the absence of a claim:

• For basic "claim" liability coverage: Depending on the length of the subsequent warranty, contract data may be retained for up to 12 years from the termination of the contract.

• For basic "harmful event" liability coverage: The data related to the contract can be kept for 22 years from the termination of the contract (20 years according to the limitation period provided by the French Civil Code for the action of the victim against the responsible party + 2 years according to the limitation period provided by the French Insurance Code for the insured party against his or her insurer).

Damage coverages (excluding special cases)

The data is kept for 10 years from the closing of the claim or the termination of the contract.

Life insurance - in the event the party is alive

The data is kept for 30 years from the date of full redemption or termination.

Life Insurance - in the event of death

The data is kept for 30 years from the date of death.

Borrower's Insurance

The data is kept for 20 years from the end of the contractual commitments.

Complementary insurance - life and disability insurance 

The data is kept for 20 years after the payment of the service or the termination of the contract.

Affinity insurance

The data is kept for 5 years from the termination of the contract.