Asia Pacific Data Protection Notice

Last updated November 2021

The protection of your personal data is important to the BNP Paribas Group, which has adopted strong principles in that respect for the entire Group. The BNP Paribas Group is made up of many different legal entities. If you would like to know which entities within the BNP Paribas Group process your personal data, please contact us at the address given under section 9 below.

This Data Protection Notice provides you with information relating to the protection of your personal data by BNP Paribas and its subsidiaries.

The purpose of this Data Protection Notice is to let you know which personal data we collect about you, the reasons why we use and share such data, how long we keep it, what your rights are and how you can exercise them.

There may be other notices detailing how BNP Paribas Group entities process your personal data applicable in certain territories we operate in. Further information may be provided where necessary when you apply for a product or service. In the event that the provisions of such notices conflict with those within this Data Protection Notice, the territory, product and service notices shall take precedence over this notice.  

If applicable, for ease of reference click on the below territories to note the specific provisions applicable to your personal data.

If you would like to enquire about the data protection notice for BNP Paribas in a territory not listed above, you can contact us at the address detailed in section 9 below. For information about non-Asia Pacific territories, please visit the following link Data Protection Notice – BNP Paribas CIB.

1.   WHICH PERSONAL DATA DO WE USE ABOUT YOU?

We collect and use your personal data, meaning any information that identifies or allows us to identify you, to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services.

Depending on the type of products or services we provide to you, we collect various types of personal data about you, including:

  • identification information (e.g. full name, identity (e.g. ID card, passport information etc.), nationality, place and date of birth, gender, photograph);
  • contact information private or professional (e.g. postal and e-mail address, phone number etc.);
  • family situation (e.g. marital status, number and age of children etc.);
  • economic, financial and tax information (e.g. tax ID, tax status, income and others revenues, value of your assets);
  • education and employment information (e.g. level of education, employment, employer’s name, remuneration);
  • banking and financial information (e.g. bank account details, product and services owned and used, credit card number, money transfers, assets, declared investor profile, credit history, any defaults in making payments);
  • transaction data (including full beneficiary names, address and transaction details including communications on bank transfers of the underlying transaction);
  • data relating to your habits and preferences (data which relates to your use of our products and services);
  • data from your interactions with us: our branches, our websites, our apps, our social media pages (connection and tracking data such as cookies, connection to online services, IP address), meetings, calls, chats, emails, interviews, phone conversations;
  • video protection (including CCTV) and geolocation data (e.g. showing locations of withdrawals or payments, for security reasons, or to identify the location of the nearest branch or service suppliers for you etc.);
  • information about your device (including MAC address, technical specifications and uniquely identifying data); and
  • login credentials used to connect to BNP Paribas’ website and apps.

We may need to collect the following sensitive personal data:

  • biometric data: e.g. fingerprint, voice pattern or facial recognition which can be used for identification and security purposes; and
  • health data for instance for the pre-contractual due diligence and the performance of some insurance contracts; this data is processed on a strict need-to-know basis.

Unless it is required through a legal or regulatory obligation, we will not ask for any other sensitive personal data such as data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning your sex life or sexual orientation or data relating to criminal convictions and offences.

Please note that you are not required to provide any of the personal data that we request. However, your failure to do so may result in us being unable to open or maintain your account or to provide you with services.

2.   WHO IS CONCERNED BY THIS NOTICE AND FROM WHOM DO WE COLLECT PERSONAL DATA?

We collect data directly from you as a client or prospective client (when you contact us, visit our website, our apps or us, use our products and services, participate in a survey or an event with us) but also regarding other individuals indirectly. In certain circumstances, we may collect information from you about individuals who do not have a direct relationship with us. This may happen, for instance, when you provide us information about your:

  • Staff (e.g. employees, contractors, consultants);
  • Family members;
  • Successors and right holders;
  • Co-borrowers;
  • Guarantors;
  • Legal representatives (e.g. power of attorney);
  • Beneficiaries of your payment transactions;
  • Beneficiaries of your insurance contracts or policies and trusts;
  • Landlords;
  • Ultimate beneficial owners;
  • Debtors (e.g. in case of bankruptcy); and
  • Company shareholders, directors and other officers.

When you provide us with third party personal data (included but not limited to those listed above), you confirm that such third party receives this Data Protection Notice and understands the information in this Data Protection Notice about how we will use their personal data.  

We may also obtain personal data from:

  • other BNP Paribas Group entities;
  • our clients (corporate or individuals);
  • our business partners;
  • payment initiation service providers and aggregators (account information service providers);
  • third parties such as credit reference agencies and fraud prevention agencies or data brokers which are responsible for making sure that they gather the relevant information lawfully;
  • publications/databases made available by official authorities or third parties (e.g. databases operated by governmental agencies or financial supervisory authorities);
  • websites/social media pages of legal entities or professional clients containing information made public by you (e.g. your own website or social media); and
  • public information such as information from the press.

3.    WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?

a. To comply with our various legal and regulatory obligations

We use your personal data to comply with various legal and regulatory obligations, including:

  • banking and financial regulations:
    • monitor transactions to identify those which deviate from normal routine/patterns;  
    • manage, prevent and detect fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters); 
    • monitor and report risks (financial, credit, legal, compliance or reputational risks, default risks etc.)  that we/and or the BNP Paribas Group could incur;
    • monitor and record phone calls, chats, email, etc. (we will only record or monitor communications to the extent permitted, and subject to any conditions applied, by applicable law);
    • prevent and detect money-laundering and financing of terrorism and comply with regulation relating to sanctions and embargoes through our Know Your Customer (KYC) process (to identify you, verify your identity, screen your details against sanctions lists and determine your profile);
    • detect and manage suspicious orders and transactions;
    • carry out an assessment of appropriateness or suitability in our provision of investment services to each client in compliance with Markets in Financial Instruments regulations (MiFiD); 
    • contribute to the fight against tax fraud and fulfil tax control and notification obligations (including compliance with FATCA and AEOI requirements);
    • record transactions for accounting purposes;
    • prevent, detect and report risks related to corporate social responsibilities and sustainable development;
    • detect and prevent bribery;
    • exchange information and report on different operations, transactions or orders or reply to official requests from duly authorised local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or meditators, law enforcement, state agencies or public bodies.

b. To perform a contract with you or our corporate clients or to take steps at your request before entering into a contract

We use your personal data to enter into and perform our contracts as well as to manage our relationship with you, including to:

  • define your credit risk score and your reimbursement capacity;
  • evaluate (e.g. based on your credit risk score) if we can offer you a product or service and under which conditions (including price);
  • assist you in particular by answering your requests;
  • provide you or our corporate clients with products or services; and
  • manage outstanding debts (identification and exclusion of customers with outstanding debts).

c. For operational purposes or to improve our service to you

We use your personal data, including your transaction data, for:

  • risk management purposes;
    • proof of transactions including electronic evidence;
    • management, prevention and detection of fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters);
    • monitoring transactions to identify those, which deviate from the normal routine/patterns.
    • assessing the creditworthiness or you, guarantors, security providers and/or your ultimate beneficiary owners;
    • debt collection;
    • assertion of legal claims and defence in case of legal disputes;
    • development of individual statistical models in order to help define your creditworthiness of you, guarantors, security providers and/or your ultimate beneficiary owners;
    • consultation and exchange of data with credit agencies to identify credit risks.
  • Personalisation of our offering to you and that of other BNP Paribas entities to:
    • improve the quality of our products or services;
    • advertise products or services that match with your situation and profile;
    • deduce your preference and needs and propose personalised commercial offers;
    • This personalisation can be achieved by:
      • segmenting our prospects and clients;
      • analysing your habits and preferences in our various communications channels (visits to our branches, emails or messages, visits to our website, etc.);
      • sharing your data with another BNP Paribas entity, notably if you, or the entity you represent, are, or are to become, a client of that other entity;
      • matching the products or services that you already hold or use with other data we hold about you (e.g. we may identify that you have children but no family protection insurance yet); and
      • considering common traits or behaviours among current clients, and seeking other individuals who share those same characteristics for targeting purposes.
  • Research and development and analytics consisting of establishing individual statistical/predictive models to:
    • optimise and automate our operational processes (e.g. creating FAQ chatbots);
    • offer products and services that will best meet your needs;
    • adapt products and services distribution, content and pricing in accordance with your profile;
    • create new offers;
    • prevent potential security failures, improve client authentication and access rights management;
    • enhance security management;
    • enhance risk and compliance management;
    • enhance the management, prevention and detection of fraud; and
    • enhance the fight against money laundering and financing of terrorism.
  • Security reasons and IT systems performance, including to:
    • manage IT, including infrastructure management (e.g. shared platforms), business continuity and security (e.g. internet user authentication and data leak prevention); and
    • prevent personal injury and damages to people and goods (for instance video protection).
  • More generally to:
    • inform you about our products and services;
    • carry out financial operations such as debt portfolio sales, securitisations for financing or refinancing of the BNP Paribas Group;
    • organise contests, games, competitions, lotteries or any other promotional campaigns;
    • perform client satisfaction and opinion surveys; 
    • improve process efficiency (train our staff by recording phone calls in our call centres and improve our calling scenario); and
    • automate our processes such as application testing, automatic filling of complaints handling, etc.

d. To respect your choice if we request your consent for specific processing

For certain types of personal data processing, we will provide you with specific information and invite you to consent to the processing of your personal data. Please note that you may revoke your consent at any time.

4.   WHO DO WE SHARE YOUR PERSONAL DATA WITH?

a. Sharing of information within the BNP Paribas Group

We are part of the BNP Paribas Group, which is an integrated bank and insurance group, i.e. a group of companies working closely together all over the world to create and distribute various banking, financial, insurance services and products.

We may share personal data within the BNP Paribas Group for purposes such as:

  • sharing of the data collected for anti-money laundering, counter-financing of terrorism, sanctions, embargoes and for know-your-customer purposes;
  • risk management including credit and operational risks (risk rating /credit scoring etc.;
  • prevention, detection and fight against fraud;
  • research and design activities, particularly for compliance, risk, communication and marketing purposes;
  • global and consistent overview of our clients’;
  • offering the full range of products and services of the Group to enable you to benefit from them.
  • Personalisation of products and services’ (including content and pricing) for our clients’.

If you are a client of our Corporate & Institutional Banking business, this would include, for example, personal data being accessed and/or stored in: jurisdictions where investments are held; jurisdictions in which and through which transactions are effected; and jurisdictions from which you regularly receive or transmit information about your investments or your business with BNP Paribas.

b. Disclosing information outside the BNP Paribas Group

In order to fulfil some of the purposes described in this notice, we may disclose your personal data from time to time to:

  • service providers who perform services on our behalf (e.g. IT services, logistics, printing services, telecommunication, debt collection, advisory and consulting, distribution and marketing).
  • banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories or exchanges with which we have relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g. banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries);
  • credit reference agencies;
  • local or foreign financial, tax, administrative, criminal or judicial authorities, regulators, arbitrators or mediators, law enforcement, state agencies, fraud prevention agencies or public bodies, we or any member of the BNP Paribas Group is required to disclose to pursuant to:
    • their request;
    • defending or responding to a matter, action or proceeding; and/or
    • complying with law, regulation or guidance from authorities applying to us or any member of the BNP Group;
  • payment service provider(s) (information on your payment account(s)) based on the authorisation granted by you to this third party; and
  • certain regulated professionals such as lawyers, notaries, rating agencies or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to actual or proposed purchasers of the companies or businesses of the BNP Paribas Group or our insurers.

c. Sharing aggregated or anonymized information

We share aggregated or anonymised information within and outside the BNP Paribas Group with partners such as research groups, universities or advertisers. You will not be able to be identified from this information.

Your data may be aggregated into anonymised statistics that may be offered to professional clients to assist them in developing their business. In this case, your personal data will never be disclosed and those receiving these anonymised statistics will be unable to identity you.

5.   INTERNATIONAL TRANSFERS OF PERSONAL DATA

In certain circumstances, we may transfer your data to another country. It is not reasonably practicable to list all of the countries to which your personal information may be transferred from time to time but it is likely that such countries will include India, Hong Kong SAR, Singapore, the United Kingdom, the United States of America, France, Portugal and other countries in the European Union

If we transfer your data to another country, where there are international transfer restrictions we will implement appropriate safeguards to ensure the protection of your personal data or rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment, or if the destination territory has been recognised by the originating territory’s relevant authority as providing an adequate level of data protection).

When personal data is transferred to such countries or territories not recognised under applicable law as offering an adequate level of data protection, we put in place appropriate data transfer mechanisms as required under applicable law (such as the EEA Standard Contractual Clauses) or rely on a lawful derogation applicable to the specific situation.

6.   HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

We will retain your personal data for the longer of: (i) the period required by applicable law or regulation; or (ii) such other period necessary for us to meet our operational obligations, such as: proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests. Most personal data collected in relation to a specified client is kept for the duration of the contractual relationship with such client plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law.

7.   WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

Depending on the data protection laws which apply to your situation, you may have the following rights in respect of your personal data:

  • To access: you may have the right to obtain information relating to the processing of your personal data, and a copy of such personal data.
  • To rectify: where you consider that your personal data is inaccurate or incomplete, you can require that such personal data be modified accordingly.
  • To erase: in some circumstances, you can require the deletion of your personal data, to the extent permitted by law.
  • To restrict: in some circumstances, you can request the restriction of the processing of your personal data.
  • To object: in some circumstances, you can object to the processing of your personal data, on grounds relating to your particular situation. You have the right to object to the processing of your personal data for direct marketing purposes.
  • To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
  • To data portability: where legally applicable, you may have the right to have the personal data you have provided to us, returned to you or, where technically feasible, transferred to a third party.

If you require further information, or if you wish to exercise the rights listed above, please send a letter or e-mail to the address set out in section 9 below, or if related to a particular territory, to the address in section 10 if specified.
Subject to territory laws and regulations, we may charge a reasonable fee for the processing of any data access request. If there is an access fee, we will give you an estimate of the fee and confirm with you whether you would like us to proceed.

In accordance with applicable regulation, in addition to your rights above you are also entitled to lodge a complaint with the competent supervisory authority.

8.   HOW CAN YOU KEEP UP WITH CHANGES TO THIS DATA PROTECTION NOTICE?

In a world of technological change, we may need to update this Data Protection Notice from time to time.

We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.

9.   HOW TO CONTACT US?

If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our data protection correspondent using the email address: risk.orc.apac.dpo@asia.bnpparibas.com, or if your relationship with BNP Paribas is specific to a territory, please refer to the contact details in Section 10 below, if different.

You can also contact us by mail using the following address: Data Protection Office C/O Risk ORM, 63/F, Two IFC, 8 Finance Street, Central, Hong Kong

10. TERRITORY-SPECIFIC PROVISIONS

The table below details provisions or practices applicable to some of the Asia Pacific territories we operate in, which are in addition to this Data Protection Notice. These are due to specific laws, regulations or practices, necessitating additional details.

Australia
The privacy policy of BNP Paribas, Australia Branch, BNP Paribas Securities Services, Australia Branch and BNP Paribas Fund Services Australasia Pty Ltd (BNP Paribas Australia) can be found at the link indicated at the start of this notice. Such privacy policy is intended for customers, suppliers, contractors, employees, prospective candidates for employment and any other person who has dealings with BNP Paribas Australia.  

The contact details of the Privacy Officer for BNP Paribas Australia is: Attn: Privacy Officer (Head of Country Compliance), BNP Paribas, Australia Branch Level 6, 60 Castlereagh Street Sydney, NSW 2000 Australia. Email: AU.Compliance@au.bnpparibas.com  
Malaysia
The Personal Data and Information Notice of BNP Paribas Malaysia Entities can be found at the link indicated at the start of this notice.

“BNP Paribas Malaysia Entities” means: Malaysia Berhad, BNP Paribas Labuan Branch, BNP Paribas Capital (Malaysia) Sdn Bhd, BNP Paribas Asset Management Malaysia Sdn Bhd and BNP Paribas Asset Management Najmah Malaysia Sdn Bhd (formerly known as BNP Paribas Investment Partners Najmah Malaysia Sdn Bhd).

The address to which written requests for access to personal data or correction and/or deletion of personal data or for information regarding policies and procedures and types of personal data handled by a BNP Paribas Malaysian entity is: Attn: Admin Manager, BNP Paribas Malaysia Berhad Vista Tower, Level 48A, The Intermark, 348 Jalan Tun Razak, 50400 Kuala Lumpur, Malaysia.  
New Zealand
The privacy policy of BNP Paribas Fund Services Australasia Pty Ltd New Zealand Branch (BNP Paribas New Zealand) can be found at this link indicated at the start of this notice. The privacy policy is intended for clients, suppliers, contractors, employees, prospective candidates for employment and any other person who has dealings with BNP Paribas New Zealand.

The contact details of the Privacy Officer for BNP Paribas New Zealand is: Attn: Privacy Officer (Compliance Manager NZ), BNP Paribas Fund Services Australasia Pty Ltd, New Zealand Branch Level 18 , Aon Centre, 1 Willis St Wellington New Zealand.  
Singapore
The data protection policy of BNP Paribas in Singapore can be found at the link indicated at the start of this notice.

The address for a BNP Paribas entity in Singapore for to which written requests to exercise rights in respect of your personal data is: Data Protection Officer, 20 Collyer Quay #01-01, Singapore 049319, cc: BNP Paribas Singapore Branch COO.  
Thailand
The Data Protection Notice of BNP Paribas, Bangkok Branch can be found at the link indicated at the start of this notice.

The address for a BNP Paribas entity in Thailand to which written requests to exercise rights in respect of your personal data is: Attn: Data Protection Officer, BNP Paribas, Bangkok Branch, 990 Abdulrahim Place, 29th Floor, Rama 4 Road, Silom, Bangrak, Bangkok 10500, Thailand or email: thailand.pdpa@asia.bnpparibas.com  
Vietnam
The address for a BNP Paribas entity in Vietnam to which written requests to exercise rights in respect of your personal data is: Attn: Chief Operating Officer, BNP Paribas Ho Chi Minh City Branch, Saigon Tower, 5th Floor, Suite 504, 29 Le Duan blvd, District 1, Ho Chi Minh City, Vietnam.