Data Protection Notice

Last updated 20 March 2024

The protection of your personal data is important to us at BNP Paribas Group. We’ve improved our Data Protection Notice to be more transparent about how we:

• process data relating to commercial prospecting
• process data that relates to anti-money laundering and countering the financing of terrorism, and international sanctions (freezing of assets)

Introduction

We take the protection of your personal data very seriously; the BNP Paribas Group which includes Creation Financial Services Limited and Creation Consumer Finance Limited have adopted strong principles to its Personal Data Protection Charter. To access the BNP Paribas Personal Data Privacy Charter please click here.

In this notice you’ll find information on how your personal data is protected by Chadwick House, Blenheim Court, Solihull, West Midlands B91 2AA, and Creation Consumer Finance Limited, 6^th Floor, Wellington Buildings, 2-4 Wellington Street, Belfast, BT1 6HT (‘we’ or ‘us’ or ‘our’ or ‘Creation’).

We're responsible, as a controller, for collecting and processing your personal data in relation to our activities.

Our aim is to help all of our customers – individuals, entrepreneurs, small and medium-sized enterprises, large companies and institutional investors – in their day-to-day banking activities and in achieving their projects thanks to our financing, investment, savings and insurance solutions.

As a member of an integrated banking-insurance Group in collaboration with various businesses within the Group, we provide a complete range of banking, insurance and leasing products and services. 

The purpose of this Data Protection Notice is to explain how we process your personal data and how you can control and manage it. Further information may be provided where necessary at the time of collection of your personal data.

1. DOES THIS NOTICE APPLY TO YOU?

This Data Protection Notice applies to you if you are ("You"):

• one of our customers or in a contractual relationship with us
• applying for one of our products or services and have either been declined or not taken up the offer
• a family member of our customer. Our customers may occasionally share with us information about their family when it is necessary to provide them with a product or service or to get to know them better
• a person interested in our products or services when you provide us with your personal data (in an agency, on our websites and applications, during events or sponsorship operations) so that we can contact you.

When you provide us with personal data related to other people, please make sure you inform them about their personal data that you have shared and invite them to read this Data Protection Notice. We’ll ensure we will do the same whenever possible (e.g. when we have the person's contact details).

2. HOW CAN YOU CONTROL THE PROCESSING ACTIVITIES WE DO ON YOUR PERSONAL DATA?

You have rights which allow you to exercise real control over your personal data and how we process it.

If you wish to exercise the rights listed below, or you have questions relating to how we use your personal data under this Notice, you can request this by:

• emailing us at customerenquiries@creation.co.uk
• telephone by calling 0371 402 8910
• writing to us at Creation, PO Box 14458, Solihull, West Midlands.

You can request access to your personal data

If you’d like access to your personal data, we’ll provide you with a copy of the personal data you requested as well as information relating to their processing.  Contact us:

• by telephone by calling 0371 402 8905
• by writing to us at Creation, PO Box 14458, Solihull West Midlands.
• by emailing us at DSARRequests@Creation.co.uk.

Note: You can directly access some data from your customer account through the My Account online service

Please include your telephone number and if applicable your Account/Agreement number (on your statement) on any correspondence and we’ll contact you by phone to verify your identify and go through the details of your request. For further information on accessing your personal data, please go to www.creation.co.uk/data-subject-rights-request.

Your right of access may be limited in some cases by laws and regulations. This is the case with regulation relating to anti-money laundering and countering the financing of terrorism, which prohibits us from giving you direct access to your personal data processed for this purpose.

You can ask for the correction of your personal data

Where you consider that your personal data is inaccurate or incomplete, you can request that personal data be modified or completed accordingly. In some cases, we may need supporting documentation.

2.1 You can request the deletion of your personal data

If you wish, you can request the deletion of your personal data, to the extent permitted by law.

2.2 You can object to the processing of your personal data based on legitimate interests

If you don’t agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for your objection. We’ll stop processing your personal data unless there are compelling legitimate grounds for doing so, or it is necessary for the establishment, exercise or defence of legal claims.

2.3 You can object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for the purpose of commercial prospecting, including profiling, insofar as it is linked to that prospecting.

2.4 You can suspend the use of your personal data

If you question the accuracy of the personal data we use or object to the processing of your personal data, we’ll verify or review your request. You may request that we suspend the use of your personal data while we review that request.

2.5 You have rights against an automated decision

As a matter of principle, you have the right not to be subject to a decision based solely on automated processing based on profiling or otherwise that has a legal effect or significantly affects you. However, we may automate such a decision if it is necessary for the entering into or performance of a contract with us, authorised by regulation or if you have given your consent.

In any event, you have the right to challenge the decision, express your views and request the intervention of a competent person to review the decision.

2.6 You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

2.7 You can request the portability of part of your personal data

You can request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.

 2.8 How to file a complaint with us or the relevant supervisory authority

Our customers really matter to us and we’re committed to providing you with a great customer experience. If issues do arise, our aim is to resolve them as quickly as possible and make sure you're satisfied with the outcome. To make a complaint please contact: Customer Enquiries by calling 0371 402 8910.

If for some reason we’ve not been able to resolve your complaint within eight weeks of receipt, or if you're not satisfied with our final response, UK customers can contact the Information Commissioner UK:

Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Telephone: 01625 545745
Fax: 01625 524510

If for some reason we’ve not been able to resolve your complaint within eight weeks of receipt, or if you're not satisfied with our final response, ROI customers can contact our representative at:

For the Attention of: 

Chief Risk Officer, GREENVAL INSURANCE DAC, 10 -11 Trinity Point, Leinster Street South, Dublin 2, D02 EF85 or email privacy@greenval-insurance.ie

or, alternatively you can contact the Data Protection Commission: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland or by webform: https://forms.dataprotection.ie/contact

3. WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?

In this section we explain why we process your personal data and the legal basis for doing so.

3.1 Your personal data is processed to comply with our various legal and regulatory obligations

Your personal data is processed where necessary to enable us to comply with the regulations to which we're subject, including banking and financial regulations.

3.1.1. We use your personal data to:

• monitor operations and transactions to identify those that deviate from the normal routine/patterns
• monitor your transactions to manage, prevent and detect fraud and abuse
• manage and report risks (financial, credit, legal, compliance or reputational risks etc.) that the BNP Paribas Group could incur in the context of its activities
• assist the fight against tax fraud and fulfil tax control and notification obligations;
• record transactions for accounting purposes
• exchange and report different operations, transactions or orders or reply to an official request from a duly authorised local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.
• define your credit risk score and your reimbursement capacity.

3.1.2 We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes

As part of a banking Group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions.

In this context, we're joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term "We" in this section also includes BNP Paribas SA).

The processing activities performed to meet these legal obligations are:

• prevention of money laundering and financing of terrorism and complying with regulation relating to sanctions and embargoes through our Know Your Customer (KYC) process (to identify you and verify your identity)
• compliance with legislation relating to sanctions and embargoes.

The processing activities performed to meet these legal obligations are detailed in the Appendix.

3.2 Your personal data is processed to perform a contract to which you're a party or pre-contractual measures taken at your request

Your personal data is processed when it is necessary to enter into or perform a contract to:

• evaluate (e.g. on the basis of your credit risk score) if we can offer you a product or service and under which conditions (e.g. price)
• provide you with the products and services subscribed to under the applicable contract
• manage existing debts (identification of customers with unpaid debts)
• respond to your requests and assist you.

3.3 Your personal data is processed to fulfil our legitimate interest or that of a third party

Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you’d like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 2 above.

3.3.1 In the course of our business as a finance company we use your personal data to:

• manage the risks to which we're exposed:
  • we search applications for credit at credit reference agencies
  • we keep proof of operations or transactions, including in electronic evidence
  • we monitor your transactions to manage, prevent and detect fraud
  • we carry out the collection of debts
  • we handle legal claims and defences in the event of litigation
  • we develop individual statistical models in order to help define your creditworthiness.
  • We manage IT requirements, including infrastructure management (e.g. shared platforms), business continuity and IT security.

• enhance cyber security, manage our platforms and websites.

• enhance the automation and efficiency of our operational processes and customer services (e.g., automatic filing of complaints, tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you such as phone recordings, e-mails or chats).

• help you in managing your budget by automatic categorisation of your transaction data

• carry out financial operations such as debt portfolio sales, securitisations, financing or refinancing of the BNP Paribas Group.

• conduct statistical studies and develop predictive and descriptive models for:

• commercial purposes: to identify the products and services that could best meet your needs, to create new offers or identify new trends among our customers, to develop our commercial policy taking into account our customers' preferences

• compliance purpose (e.g., anti-money laundering and countering the financing of terrorism) and risk management;

• anti-fraud purposes.

• organise contests, lotteries, promotional operations, conduct opinion and customer satisfaction surveys.

3.3.2 We use your personal data to send you commercial offers by electronic means, post and phone

We may use your personal information to tell you about relevant products and offers (Marketing). We’ll only use your personal information for marketing if we have either your consent (see section 3.4 below) or a ‘legitimate interest’. Legitimate interest is where we’ve identified from a balancing test that there is a benefit in the information we provide to you as a customer. The balancing test undertaken for our marketing data processes is to ensure our marketing activities have fair and appropriate balance and that the processing does not override your interests and your rights.

As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs.

Once you're a customer and unless you object, we may send you these offers electronically for our products and services and those of the Group if they are similar to those you have already subscribed to.

We’ll make sure these commercial offers relate to products or services that are relevant to your needs and complementary to those you already have to ensure that our respective interests are balanced.

We may also send you, by phone and post, unless you object, offers on our products and services as well as those of the Group and our trusted partners.

3.3.3 We analyse your personal data to perform standard profiling to personalise our products and offers

To enhance your experience and satisfaction, we need to determine to which customer group you belong. For this purpose, we build a standard profile from relevant data that we select from the following information:

- what you have directly communicated to us during our interactions with you, or when you subscribe to a product or service

- resulting from your use of our products or services such as those related to your accounts including the balance of the accounts, regular or atypical movements, the use of your card abroad as well as the automatic categorisation of your transaction data (e.g., the distribution of your expenses and your receipts by category as is visible in your customer area)

- from your use of our various channels: websites and applications (e.g., if you're digitally savvy, if you prefer a customer journey to subscribe to a product, or service with more autonomy (selfcare)

3.4 Your personal data is processed if you have given your consent

For some types of processing of your personal data, we’ll give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.

In particular, we ask for your consent for:

• Providing offers electronically for products and services not similar to those you have subscribed to or for products and services from our trusted partners
• personalisation of our offers, products and services based on your account data at other banks
• use of your navigation data (e.g. cookies) for commercial purposes or to enhance the knowledge of your profile. To find out how we use and manage cookies please go to www.creation.co.uk/about-us/cookie-policy.

We may ask you to confirm or update your marketing preferences if you take out any new products or services with us in future.

You may be asked for further consent to process your personal data where necessary.

4. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?

We collect and use your personal data: personal data being any information that can be used to identify you.

We collect various types of personal data about you, depending on the types of products and services we provide to you or from our interactions with you, including:

• Identification information: e.g., full name, gender, place and date of birth, nationality, passport number, driving licence number, vehicle registration number, photograph, signature)
• Contact information: (private or professional) postal address, e-mail address, phone number
• Information relating to your financial and family situation: e.g., marital status, matrimonial regime, number of children and age, study or employment of children, composition of the household, property you own (apartment or house)
• Economic, financial and tax information: e.g. country of residence, salary and other income, value of your assets
• employment information: e.g. employment, employer's name and remuneration
• Banking and financial information related to the products and services you hold: e.g. bank account details, products and services owned and used (credit, insurance, credit card number, assets, credit history, payment incidents)
• Transaction data: account movements and balances, transactions, amount, date, time and type of transaction (e.g. credit card, transfer, direct debit)
• Data necessary to contest against over indebtedness
• Data relating to your habits and preferences in relation to the use of our products and services
• Data collected from our interactions with you: e.g. your comments, suggestions, needs collected during our exchanges with you in person with our agents (reports) and online during phone communications (conversation), discussion by e-mail, chat, exchanges on our social media pages and your latest complaints. Personal data you give when you participate in surveys, promotions or competitions.
• Your connection and tracking data such as cookies and tracers for non-advertising or analytical purposes on our websites, online services, applications, social media pages; Note: customer call recordings will be collated for a short period of time
• Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and uniquely identifying data;
• Personalised login credentials or security features used to connect you to the Creation / BNP Paribas website and apps.
• We may collect sensitive data such as your health or your personal circumstances that you share with us to help manage your account, biometric data, or data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations.

5. WHO DO WE COLLECT PERSONAL DATA FROM?

We collect personal data directly from you through our financial relationship with you, for example through the application process for our products and services. Note: this may include data provided by a Retailer/Partner with whom we provide products and services for example where we're providing a card and/or loan to you in association with a retailer/partner 

We may also collect personal data from other sources.

We sometimes collect data from public sources:

• websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page)
• public information such as that published in the press.

We also collect personal data from third parties:

• from other BNP Paribas Group entities
• from our service providers e.g. our print partner or email distribution agency
• from data brokers who are responsible for ensuring that they collect relevant information in a lawful manner.
• from service providers of payment initiation and account aggregators (service providers of account information)
• from third parties such as credit reference agencies, credit brokers, fraud prevention agencies, employers, family members (in the case of additional cardholders) and people appointed to act on your behalf.

In certain circumstances, we may collect and use personal data of individuals with whom we have, could have, or used to have a direct relationship with such as prospective customers.

6. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?

a) With BNP Paribas Group's businesses

As a member of the BNP Paribas Group, we work closely with the Group's other companies worldwide. Your personal data may therefore be shared between BNP Paribas Group entities, where necessary, to:

• comply with our various legal and regulatory obligations described above;
• fulfil our legitimate interests which are:

• conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes
• enhance the reliability of certain data about you held by other Group entities
• offer you access to all the Group's products and services that best meet your needs and wishes
• customise the content and prices of products and services

Our financing and refinancing also constitute a legitimate interest implying your personal data may be shared with entities of the BNP Paribas Group which are providing our refinancing.

b) With recipients outside the BNP Paribas Group and processors

In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with:

• processors that perform services on our behalf (e.g., IT services, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing).
• banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g., banks, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries);
• local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (e.g., the Financial Conduct Authority, Financial Ombudsman Service, etc), to which we, or any member of the BNP Paribas Group, are required to disclose pursuant to:
  • their request;
  • our defence, action or proceeding;
  • complying with a regulation or a recommendation issued from a competent authority applying to us or any member of the BNP Paribas Group;
• service providers of third-party payment (information on your  accounts), for the purposes of providing a payment initiation or account information service if you have consented to the transfer of your personal data to that third party;
• certain regulated professions such as lawyers, notaries, or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the BNP Paribas Group.
• Fraud prevention agencies and credit reference agencies for the purposes outlined in section ‘Sharing your data with Fraud Prevention and Credit Reference Agencies’ and 'Consequences of Processing' within this document;
• Central Credit Register for applications undertaken in the Republic of Ireland;
• With any retailer/partner together with whom we provide products and services to fulfil their legitimate interests in relation to the product/services linked to the credit we provide and/or to comply with their legal and regulatory obligations. For example, where we are providing credit via a card and/or loan to you in association with a retailer/partner. Where this is the case, we may share your information with the retailer/partner so that we and they can assess the suitability and success of the products and services that we provide, to enable them to carry out their own internal analysis and research and to assist them with creating appropriate marketing communications for you (where you have consented to receiving such communications from them, or where they have identified a ‘legitimate interest’ to do so). When we share your personal data with such parties, they will also be a controller for the personal data they process. You may therefore wish to access and read their privacy notices carefully to understand how they may process your information;
• Any party connected with any proposed debt sale or securitisation (such parties may process your personal data with the aim of evaluating certain characteristics of yours on an automated basis (known as profiling) or sale of our business or its assets or merger or re-organisation

Sharing your data with Fraud Prevention and Credit Reference Agencies

Before we provide services, goods or financing to you and during the course of your relationship with us, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Examples of the personal information that will be processed are:

• name,
• address,
• date of birth,
• contact details,
• financial information,
• employment details,
• device identifiers including IP address and vehicle details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.

Fraud prevention agencies can hold your personal data for different periods of time, and if you're considered to pose a fraud or money laundering risk, your data can be held for up to six years.

7. AUTOMATED DECISIONS / PROFILING

As part of the processing of your personal data, we use various profiling techniques to assist us with running our business. By “profiling” we mean the automated analysis of personal data about an individual to evaluate certain things about that individual – basically drawing conclusions about an individual based on a statistical model. We may use these techniques in the course of evaluating applications for cards and/or loans for affordability and suitability, undertaking credit limit increase eligibility checks, to manage your account, and for marketing and targeted advertising purposes. We may also automatically decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. You have rights in relation to profiling / automated decision making: if you want to know more please see the following section on ‘How to update your information’.

Consequences of Processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us by email at customerenquiries@creation.co.uk or write to us at Creation, PO Box 14458, Solihull, West Midlands.

In order to process your application we supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial situation and financial history. We do this to assess affordability, creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent fraud and criminal activity. We may also search the files of the Land Registry.

We will continue to exchange information about you with CRAs while you have a relationship with us, including about your settled accounts and any debts not fully repaid on time. Where you have a running account credit with us we may also make further periodic checks with CRAs to manage your account. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. The CRAs will have to place a search footprint on your credit file when we make a search and this may be seen by other lenders.

Where an application for credit has been unsuccessful, we may retain the personal information that we need in order to aid our individual statistical models and credit scoring models.  This may include further processing of your data with the CRAs solely for this purpose.  We rely on the legal basis that it is our legitimate interest to do this.  This potential processing should not affect your ability to obtain credit in future nor should it leave any further footprint with the CRAs. Should you wish to object to this particular processing of your data please forward your objection to www.creation.co.uk/data-subject-rights-request.

The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail within the links detailed below:

Trans Union (formally Call Credit): www.transunion.co.uk/crain

Equifax: www.equifax.co.uk/crain

Experian: www.experian.co.uk/crain

In the circumstance where you're based in the Republic of Ireland (ROI) and you have applied for credit through your application process, your data will be shared with the Central Credit Register. Further information on the CCR is available by accessing the link below:  

Central Credit Register: https://www.centralcreditregister.ie/borrower-area/data-protection-statement/

Note: Until 26 September 2021 data on ROI applications was shared with the Irish Credit Bureau (ICB) which ceased to exist on 1 October 2021 and has deleted all its records shortly thereafter that date.

8. INTERNATIONAL TRANSFERS OF PERSONAL DATA

Countries within the European Economic Area (EEA) including the ROI, have similar standards of legal protection for your personal information. We may run your accounts and provide services from centres outside of the UK (such as France) or through Group entities and partners outside the EEA (such as USA or India). For countries outside of the UK and/or EEA who have adequate levels of data protection, your personal data will be transferred on this basis.

For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the UK or the European Commission, we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

• Standard contractual clauses approved by the European Commission;
• Binding corporate rules.

Whenever fraud prevention agencies transfer your personal data outside of the UK, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the UK. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

9. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will only keep your information for as long as we need to and where we have a legitimate reason to do so for example account maintenance or responding to customer queries. On account closure or after an unsuccessful credit application your data may be held for up to six years. There may be instances where we're asked to retain information for longer due to legal or regulatory reporting requirements.

10. SECURITY

Your personal data is held in secure databases to protect it from theft or being altered. All access to these databases are controlled and monitored to ensure only authorised personnel have access to your data. When your data is sent to a third party that you have agreed to, the data is also sent in an encrypted format and the third party will use the same levels of encryption and security that we use. Our data processing estate is continually monitored and updated to ensure the level of security meets best industry practice and is in accordance with all the laws, regulations and standards required to protect your personal data.

11. HOW TO FOLLOW THE EVOLUTION OF THIS DATA PROTECTION NOTICE

In a world where technologies are constantly evolving, we regularly review this Data Protection Notice and update it as required.

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.

 

Appendix

Processing of personal data to combat money laundering and the financing of terrorism

We're part of a banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all its entities managed at central level, an anti-corruption program, as well as a mechanism to ensure compliance with international Sanctions (i.e., any economic or trade sanctions, including associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed, or enforced by the French Republic, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in territories where BNP Paribas Group is established).

In this context, we act as joint controllers together with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” used in this appendix therefore also covers BNP Paribas SA).

To comply with AML/CFT obligations and with international Sanctions, we carry out the processing operations listed hereinafter to comply with our legal obligations:

• A Know Your Customer (KYC) program reasonably designed to identify, verify and update the identity of our customers, including where applicable, their respective beneficial owners and proxy holders;
• Enhanced due diligence for high-risk clients, Politically Exposed Persons or “PEPs” (PEPs are persons defined by the regulations who, due to their function or position (political, jurisdictional or administrative), are more exposed to these risks), and for situations of increased risk;
• Written policies, procedures and controls reasonably designed to ensure that the Bank does not establish or maintain relationships with shell banks;
• A policy, based on the internal assessment of risks and of the economic situation, to generally not process or otherwise engage, regardless of the currency, in activity or business:
  • for, on behalf of, or for the benefit of any individual, entity or organisation subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in territories where the Group operates;
  • involving directly or indirectly sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea, or Syria;
  • involving financial institutions or territories which could be connected to or controlled by terrorist organisations, recognised as such by the relevant authorities in France, the European Union, the U.S. or the United Nations.
• Customer database screening and transaction filtering reasonably designed to ensure compliance with applicable laws;
• Systems and processes designed to detect and report suspicious activity to the relevant regulatory authorities;
• A compliance program reasonably designed to prevent and detect bribery, corruption and unlawful influence pursuant to the French “Sapin II” Law, the U.S FCPA, and the UK Bribery Act.

In this context, we make use of:

• services provided by external providers that maintain updated lists of PEPs such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges);
• public information available in the press on facts related to money laundering, the financing of terrorism or corruption;
• knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at the BNP Paribas Group level.

We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you, both on yourself and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be stored in order to identify you and to adapt our controls if you enter into a new relationship with a BNP Paribas Group entity, or in the context of a transaction to which you're a party. 

In order to comply with our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international Sanctions purposes between BNP Paribas Group entities. When your data are exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When additional data are collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local penalties.