Introduction

The protection of your personal data is at the heart of our concerns, the BNP Paribas group has adopted strong principles in its Personal Data Privacy Charter available at the following address https://www.icare-service.com/data-protection-notice

ICARE ("We"), as Data Controller, is responsible for collecting and processing your personal data in relation to its activities.

Our business is to help all our customers – individuals, entrepreneurs, small and medium-sized enterprises, large companies and institutional investors thanks to our investment, savings and insurance solutions.

As a member of an integrated banking-insurance group in collaboration with the various entities of the group, we provide our customers with a complete range of banking, insurance and leasing products and services.

The purpose of this Data protection Privacy Notice is to explain how we process your personal data and how you can control and manage them.

Where appropriate, further information may be provided when you subscribe to a particular product or service.

 

1. ARE YOU SUBJECT TO THIS NOTICE?

This Privacy Notice applies to you if you are ("You"):

• One of our customers or prospects or in a contractual relationship with us (e.g., subscriber, co-subscriber, insured person).
• Someone connected to our customer.  Indeed, our customers may sometimes share information with us about individuals who are related to them when it is necessary to provide them with a product or service or to get to know them better. Example:
  • Members of you family.
  • Successors or right holder.
  • Co-borrowers / guarantors.
  • Legal representatives of our client within the framework of a mandate/delegation of authority.
  • Beneficiaries of a payment transaction.
  • Beneficiary of an insurance contract or policy and a trust/fiducia.
  • Owners/Donors.
  • Beneficial owners.
  • Creditors (e.g., in bankruptcy).
  • Shareholders of company.
• a person interested in our products or services when you provide us with your personal data (on our websites and applications, during events or sponsorship operations) so that we can contact you

 

When you provide us personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Personal Data Privacy Notice. We will ensure that we will do the same whenever possible (e.g., when we have the person's contact details).

 

2. HOW CAN YOU CONTROL THE PROCESSING ACTIVITIES WE DO ON YOUR PERSONAL DATA?

You have rights which allow you to exercise real control over your personal data and how we process them.

 

2.1. You can request access to your personal data

If you wish to have access to your personal data, we will provide you with a copy of the personal data you requested as well as information relating to their processing.

Your right of access may be limited in the cases foreseen by laws and regulations. This is the case with the regulation relating to anti-money laundering and countering the financing of terrorism, which prohibits us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with French Data Protection Authority (DPA): Commission Nationale de l'Informatique et des Libertés (CNIL), which will request the data from us.

 

2.2. You can ask for the correction of your personal data

Where you consider that your personal data are inaccurate or incomplete, you can request that such personal data be modified or completed accordingly. In some cases, supporting documentation may be required.

 

2.3. You can request the deletion of your personal data

If you wish, you may request the deletion of your personal data, to the extent permitted by law.

 

2.4 You can object to the processing of your personal data based on legitimate interests

If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your situation, by informing us precisely of the processing activity involved and the reasons for the objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise or defence of legal claims.

 

2.5. You can object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for commercial prospecting purposes, including profiling, insofar as it is linked to such prospecting.

 

2.6. You can suspend the use of your personal data

If you question the accuracy of the personal data we use or object to the processing of your personal data, we will verify or review your request. You may request that we suspend the use of your personal data while we review your request.

 

2.7. You have rights against an automated decision

As a matter of principle, you have the right not to be subject to a decision based solely on automated processing based on profiling or otherwise that has a legal effect or significantly affects you. However, we may automate such a decision if it is necessary for the entering into or performance of a contract with us, authorised by regulation or if you have given your consent.

In any case, you have the right to challenge the decision, express your point of view and request the intervention of a competent person to review the decision.

 

2.8. You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

 

2.9. You can request the portability of part of your personal data

You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.

 

2.10. How to file a complaint with the French DPA: CNIL

In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority, which is usually the one in your place of residence, la CNIL (Commission Nationale de l’Informatique et de Libertés) in France.

 

If you wish to exercise the rights described above, please send us a request:

• Priority, to Data Protection Correspondent by:
  • • Electronic mail: dpc.icare@icare-service.com
    • Or mailing letter: DPC ICARE - 93 rue national 92100 Boulogne-Billancourt - France 

 

• • To Data Protection Officer by:
    • Electronic mail: data.protection@icare-service.com
    • Or mailing letter: DPO ICARE – 8 rue du port 92728 Nanterre - France 

If you have any questions relating to our use of your personal data under this Privacy Notice, please contact us using the contact details provided in section 10 « how to contact us? ».
 

3. WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?

In this section we explain why we process your personal data and the legal basis for doing so.

 

3.1. Your personal data are processed to comply with our various regulatory obligations

We use your personal data to comply with applicable regulations in order to:

• Monitor operations and identify abnormal/unusual ones.
• monitor your transactions to manage, prevent and detect fraud.
• Manage, prevent and report risks (financial, credit, legal, compliance or reputational risks etc.) that we and/or the BNP Paribas group could incur in the context of its activities.
• Record and detect money laundering and terrorist financing risks/incidents and comply with any international sanctions and embargo regulations as part of our Know Your Customer (KYC) procedure (to identify you, verify your identity, information about you against sanctions lists and determine your profile).
• Detect and manage suspicious requests and transactions.
• Assess the suitability and appropriateness of the insurance products we offer in accordance with insurance product distribution regulations.
• Contribute to the fight against tax fraud and meet our tax notification and audit obligations.
• Record transactions for accounting purposes.
• Prevent, detect and report risks related to Corporate Social Responsibility and sustainable development.
• Detect and prevent corruption.
• exchange and report different operations, transactions or orders or reply to an official request from a duly authorized local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.

 

3.2. To exercise any contract to which you are a party or to carry out pre-contractual measures taken at your request

We use your personal data to conclude and perform our contracts and to manage our relationship with you, including to:

• Define your insurance risk score and determine an associated pricing.

• Assess whether we can offer you a product or service and under what conditions (including price).

• Assist you, by answering to your requests.

• Provide products and services to you or our business customers.

• Manage and process payment incidents and non-payments (identification of customers in a situation of non-payment and, if applicable, exclusion of them from the benefit of new products or services).

 

3.3. Your personal data are processed to fulfil our legitimate interest or that of a third party

We use your personal data, including data relating to your transactions, for the following purposes:

• Risk management:

• • Keep proof of payment of the insurance premium or premium, including in electronic format.

• • Manage, prevent and detect fraud.

• • Monitor operations and identify abnormal/unusual ones.

• • Carry out recoveries.

• • Handle legal claims and defences in the event of litigation.

• • Enhance individual statistical models to improve our risk management or for the purpose of improving existing products and services or creating new ones.

• Personalization of our offers and those of other BNP Paribas group entities:

• • Improve the quality of our products and services.

• • Promote products and services that are relevant to your situation and profile.

• • Deduct your preferences and needs to present a personalised commercial offer.

This customization can be achieved through:

• • • Segmentation of our prospects and customers.

• • • Analysis of your habits and preferences through our various communication channels (emails or messages, our websites and applications, etc.);

• • • Sharing your data with another entity of the BNP Paribas group, if you are a customer or likely to become one, mainly to speed up the contact process.

• • • Correspondence between the products or services you already receive with the data we hold about you (for example, we may identify your need to take out a family protection insurance product because you have indicated that you have children).

• • • Analysing character traits or behaviours in current customers and finding others who share the same characteristics for prospecting purposes.

• Research and development activities for statistics and models to:

• • Improve automation and efficiency of our business processes and customer services (e.g., automatically filling out complaints, tracking your requests, and improving your satisfaction based on data collected from our interactions with you such as phone records, emails, or chats).

• • Offer products and services that enable us to meet your needs.

• • Deploy new services for car dealers and improve our models, by using vehicle data (Registration number and VIN), the content of repairs and maintenance carried out.

• • Adapt the distribution, content and pricing of our products and services based on your profile.

• • Create new offers and services.

• • Prevent potential security incidents, improve authentication, and manage user access.

• • Improve Information security.

• • Improve risk and compliance management.

• • Improve fraud prevention, detection and processing.

• • Improve the anti-money laundering and countering the financing of terrorism process.

• Information security and information system performance objectives, including:

• • Manage information technology, IT infrastructure (e.g., shared platforms), business continuity, and information security (e.g., user authentication).

• More generally:

• • Inform you about our products and services.

• • Conduct financial transactions such as the sales of loan portfolios, securitizations, financing or refinancing of the BNP Paribas group.

• • Organize contests, lotteries and other promotional operations.

• • Achieve customer opinion and satisfaction surveys.

• • Improve process efficiency (train our staff by recording phone conversations in our call centers and improve our call scenarios).

• • Improve the automation of our processes, by testing our applications and handling complaints in an automatic way, etc.

In any case, our legitimate interest remains proportionate, and we assure you, through a balancing test, that your interests or fundamental rights are safeguarded.

 

3.4. Your personal data are processed if you have given your consent

For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withdraw your consent at any time.

We ask for your consent for:

• tailor-made customization of our offers and products or services based on more sophisticated profiling, an example being to anticipate your needs and behaviours.

• any electronic offer for products and services not like those you have subscribed to or for products and services from our trusted partners.

• personalization of our offers, products and services based on your account held by partners outside of the BNP Paribas group, which handle the distribution of our products.

• use of your navigation data (cookies) for commercial purposes or to enhance the knowledge of your profile.

• certain interactions on social networks, for the purpose of administering competitions or other similar marketing operations

• the processing of special categories of data (or “sensitive data”), including biometric data, health data, religious and philosophical opinion data.

• the processing for other purposes than those described in Section 3, incompatible with another legal basis.

• taking decisions solely based on automated processing, which produces legal effects concerning you or similarly significantly affects you. Where applicable, we will provide you specific information on the logic involved in this decision, the significance and the consequences of such processing

 

You may be asked for further consent to process your personal data where necessary.

 

4. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?

We collect and use your personal data, meaning any information that identifies or allows one to identify you.

 

Depending among others on the category of person you belong to, the types of products or services we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

• Identification information: e.g., full name, gender, place and date of birth, nationality, ID card number, passport number, driver's license number, vehicle registration number, photo, signature.

• Contact information (private or professional): e.g., postal and email address, telephone number.

• Information relating to your insurance or service contract: e.g., customer number, contract number, payment method, warranty, term, amount and discount.

• necessary information for risk assessment: e.g., geographical location, driving licence.

• Claims information: e.g., claims history, claims paid, and adjuster's reports.

• Data relating to your habits and preferences in relation to the use of our products and services: e.g., information about your lifestyle habits and the use of your insured property in connection with our insurance contracts.

• Data collected in the context of our interactions with you on our websites, applications and social media pages: e.g., login and tracking data such as cookies, connection to online services, IP address, during meetings, calls, chat via instant messaging, emails, interviews, telephone conversations.

• Data from the video surveillance system (including video surveillance cameras) geolocation: e.g., payment locations for security purposes or in order to determine the location of the branch or service provider closest to you.

• Information about your device: e.g., IP address, technical characteristics and identification data.

• Login credentials or personalized security features used to logon to ICARE websites and applications.

• Data collected in the context of our interactions with you: e.g., your comments, suggestions, needs collected during our exchanges with you in person in our Branches (reports) and online during telephone communications (conversation), discussion by email, chat, chatbot, exchanges on our social media pages and your latest claims/complaints. Your connection and tracking data such as cookies and trackers for non-advertising or analytical purposes on our websites, online services, applications, social media pages.

• Transaction data: e.g., account transactions and balances, transactions including beneficiary data including full names, addresses and contact details as well as details of bank transactions, amount, date, time and type of transaction (credit card, bank transfer, cheque, direct debit).

 

We may collect sensitive data such as health data, religious and philosophical opinion, or data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations.

 

5. WHO DO WE COLLECT PERSONAL DATA FROM?

We collect personal data directly from you; however, we may also collect personal data from other sources.

 

We sometimes collect data from public sources:

• publications/databases made available by official authorities or third parties (e.g., the Official Journal of the French Republic, the Trade and Companies Register, databases managed by the supervisory authorities of the financial sector).

• websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page).

• public information such as that published in the press.

We also collect personal data from third parties, from:

• other BNP Paribas group entities.

• our customers (companies or individuals).

• our business partners.

• service providers of payment initiation and account aggregators (service providers of account information).

• third parties such as fraud prevention agencies.

• data brokers who are responsible for ensuring that they collect relevant information in a lawful manner.

 

6. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?

6.1. Data sharing within the BNP Paribas group

As a member of the BNP Paribas group, we work closely with the group's other companies worldwide. Your personal data may therefore be shared between BNP Paribas group entities, where necessary.

 

We share personal data within the BNP Paribas group for business purposes and to improve our efficiency, in particular based on:

• Compliance with our legal and regulatory obligations:

• • Share data collected to combat money laundering and terrorist financing, for compliance with international sanctions, embargoes and Know Your Customer (KYC) procedures.

• • Manage risks, insurance risks and operational risks.

• Fulfil our Legitimate Interests:

• • manage, prevent, detect fraud.

• • conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes.

• • enhance the reliability of certain data about you held by other group entities.

• • offer you access to all the group's products and services that best meet your needs and wishes.

• • customize the content and prices of products and services.

 

6.2. Data sharing outside the BNP Paribas group

To carry out some of the purposes set out in this notice, we may share your personal data to:

• processors which perform services on our behalf (e.g., IT services, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing);

• banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g., banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries, mutual guarantee companies or financial guarantee institutions);

• local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions, to which we, or any member of the BNP Paribas group, are required to disclose pursuant to:

• • their request.

• • our defence, action or proceeding.

• • complying with a regulation or a recommendation issued from a competent authority applying to us or any member of the BNP Paribas group.

• certain regulated professions such as lawyers, notaries, or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the BNP Paribas group.

• Social security institutions when they intervene in the context of claims for compensation or when we offer benefits in addition to social benefits.

• Interested parties to the contract such as:  

• • Policyholder, subscriber, insured parties and their representatives.

• • Assignees and subrogations of contracts.

• • Responsible for the incident, the victims, their representatives and witnesses.

• • Information relating to subscriptions (contract number, VIN, Registration) may be communicated to their distributor and possibly to the vehicle manufacturer for reporting and monitoring purposes only.

 

6.3. Sharing Aggregatef or Anonymized Data

We share aggregated or anonymized data within and outside the BNP Paribas group with partners such as research groups, universities or advertisers. However, you will not be able to be identified from this data.

 

Your personal data may be aggregated in the form of anonymized statistics to be offered to business customers to help them grow their businesses. In this case, our business customers will not be able to identify you, and your personal data will never be disclosed to them.

 

7. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA?

In case of international transfers originating from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place. Where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to non-EEA countries where the level of protection has not been recognized as adequate by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

• Standard contractual clauses approved by the European Commission.

• Binding corporate rules.

 

To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in Section 10 below

 

8. HOW LONG DO WE KEEP YOUR PERSONAL?

We retain your personal data for the period required to comply with applicable laws and regulations, or another period about our operational requirements, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests.

 

8.1. If you are Client:

Clients’ data is in majority retained throughout the duration of the contractual relation, to which is added the statutory limitation period for claims pursuant to the contract (ranging from 10 years to 30 years for some contracts), unless overriding legal or regulatory provisions require a shorter or longer retention period

 

8.2. If you are Prospect:

Your data are retained for 3 years starting from the time of collection or the last contact with you.

If data relating to your health is collected, it can be retained for a maximum period of five years if no contract has been concluded (the aim is to be able to respond to your requests or provide evidence in the event of a dispute, over the decision not to conclude an insurance contract.).

 

8.3. Regardless of your status:

your banking information is retained for a period of 13 months from the debit date (except for the CVC code which is not kept in our system).

Telephone records aiming to improve the quality of services and training of our staff are retained for 6 months.

Analysis documents resulting from these records are retained for 1 year.

Information related to your identity and issued in a request for the exercise of rights shall be retained for a period of 1 to 3 years depending on the type of right, starting from the date of exercise of the concerned right.

 

9. HOW TO FOLLOW THE EVOLUTION OF THIS PRIVACY NOTICE

In a world where technologies are constantly evolving, we regularly review this Privacy Notice and update it as required.

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.

 

10.HOW TO CONTACT US?

for any questions about the use of your personal data under this Data Protection Privacy Notice, you may contact our Data Protection Officer using the following contact details:

• Priority, the Data Protection Correspondent by:

• • • Electronic mail: dpc.icare@icare-service.com

• • • Or mailing letter: DPC ICARE - 93 rue national 92100 Boulogne-Billancourt - France 

• • The Data Protection Officer by:

• • • Electronic mail: data.protection@icare-service.com

• • • Or mailing letter: DPO ICARE – 8 rue du port 92728 Nanterre - France