The purpose of this personal data protection notice (the "Notice") is to explain how Crédit Agricole CIB ("we") complies with this regulation in the management of its commercial activity with its corporate and institutional customers (or prospects) ("you"), as well as within the framework of the related legal and regulatory obligations. In particular, this Notice explains the nature of the data collected, the categories of data subjects, the legal purposes and bases of processing operations, the recipients of the data, the mechanisms for supervising the transfer of data outside the European Economic Area (EEA), the storage periods and the procedures governing how data subjects may exercise their rights.
Crédit Agricole CIB, data controller
Acting within the framework of a regulated activity, we offer you and provide products and services requiring the collection and use, as data controller, of the personal data of individuals related to you (for example: employees, shareholders, agents, legal representatives, beneficial owners, family members, third-party representatives, etc.) (the "Data Subjects").
It is your responsibility to inform these Data Subjects about the way in which we process their personal data.
Before sending us the personal data of a Data Subject, you undertake to inform that Data Subject beforehand of the contents of this Notice and you assure us that we may collect, use and transmit such data in accordance with the conditions set out in the Notice.
In order to offer you our services, we collect, use and may even transmit personal data of several kinds:
- Civil status and identification data (name, date and place of birth, nationality, address/country of residence, passport and/or identity card number, photo, etc.)
- Private life (family situation, ...)
- Professional life (occupation/function, employer, contact data, certifications/authorisations, telephone conversations/emails/chats/..., etc.)
- Economic and financial information (income, assets, tax situation, ...)
- Technical information relating to the use of our services (IP address, connection logs, cookies, ...)
Only information relevant to the purposes pursued is collected.
Categories of data subject
In the course of our activities, and in connection with the products and services we offer, we may collect, use and transmit the personal data of the following categories of persons related to you (this list is not exhaustive): employees, shareholders, agents, legal representatives, beneficial owners, family members, third-party representatives, etc.
Purposes of the processing
The processing we are required to perform requires the collection and use of personal data in order to ensure:
- The management of the business relationship (customer knowledge, designation of correspondents, information on our products, etc.);
- The management of risk, the fight against money laundering and the financing of terrorism, the determination of tax status, the prevention of fraud;
- Commercial prospecting, targeted event campaigns and commercial events;
- The performance of services or contracts (structured finance, flows, investment, corporate finance, international activity, etc.);
- Transaction management (identification of counterparty contacts for payments and confirmation correspondence, sample signatures of authorised signatories, etc.).
Legal bases for processing
In accordance with the applicable regulations, we may only use your personal data for at least one of the following reasons:
- for the performance of a contract that we intend to enter into or have entered into with you, or
- if a legal obligation compels us to use your personal data for a particular reason, such as in connection with customer knowledge management, the prevention of money laundering and the financing of terrorism, to comply with embargoes or asset freezing measures, or
- where such use corresponds to our legitimate interests, for example, the processing of personal data for fraud prevention purposes, or
- when you consent thereto, for example, the consent of the data subject in respect of a newsletter for communication purposes.
Recipients of your data
Your personal data may be communicated to:
- our entities in and outside the EEA;
- any entity of the Crédit Agricole Group for the purpose of pooling resources or grouping companies;
- our subcontractors for the sole requirements of operational or technical subcontracting;
- independent agents, intermediaries or brokers;
- French and foreign supervisory authorities, French and foreign administrative and judicial authorities, public bodies on request and within the limits of what is permitted by the regulations;
- certain regulated professions such as statutory auditors, lawyers and notaries.
When we use subcontractors, we ensure that they have sufficient safeguards to guarantee that the processing complies with the principles of GDPR and to ensure the confidentiality and security of personal data.
How is the security of personal data ensured?
Ensuring the security of the data you entrust to us is one of our most important responsibilities. To ensure the security and confidentiality of the personal data we collect and use, we have been implementing technical and organisational measures for a long time, including:
- Control of access and authorisations for IT equipment relative to the processing of personal data;
- Measures to secure technical infrastructure (workstation, network, server) and data (backup, business continuity plan);
- Taking data security and processing into account in the design of a product or solution;
- Restricting the persons authorised to process personal data according to purpose and the processing means provided for in each case;
- Strict confidentiality obligations imposed on our subcontractors;
- Raising the awareness of all our employees worldwide and training those employees most concerned by the collection or management of personal data;
- The establishment of procedures making it possible to react promptly in the event of a personal data security incident.
Data transfer outside the European Economic Area (EEA)
In order to perform our services or meet our legal and regulatory obligations, we may have to transfer Data Subjects' personal data to a country outside the EEA.
Appropriate measures are implemented to ensure a sufficient level of protection as required by the GDPR: countries whose legislation provides adequate protection; for companies established in the United States, observance of the Privacy Shield (self-certification mechanism recognised by the European Commission); guarantees to ensure this level of protection.
These guarantees may be the Standard Contractual Clauses for the protection of personal data adopted by the European Commission (i.e. a contract of transfer between the data controller and a recipient specifying the obligations of the data controller and of the recipient in the case of a transfer of personal data outside the European Union).
How long we keep your data
We keep Data Subjects' personal data for the duration necessary to achieve the intended purpose.
We only keep this information for the time during which we need it. This length of time depends on why we use it, such as to provide our services, to pursue our legitimate interests, to comply with our legal and regulatory obligations, or to exercise or defend our rights in court. It may also be kept or archived for statutory limitation periods.
How you can exercise your rights
You have the following rights in relation to your personal data that we collect and process as a data controller:
- right of access, rectification and erasure (inaccurate, incomplete, unclear or obsolete data);
- right to object to the processing of your data at any time in connection with commercial prospecting;
- right to restrict the processing of your data as provided by the regulations;
- right to data portability;
- right to withdraw your consent at any time;
- right to lodge a complaint with the supervisory authority.
You may exercise these rights:
- by contacting your relationship manager or your usual commercial contact;
- by writing to the following address: Crédit Agricole CIB – Direction de la Conformité / Data Protection – 12, place des Etats-Unis – 92127 Montrouge Cedex
- or by contacting the Data Protection Office: firstname.lastname@example.org
When you send us a request in order to exercise a right, in order to facilitate its examination and allow us to reply quickly to you, please specify where possible (i) the scope of the request, (ii) the nature of the request/type of right exercised, (iii) the processing of personal data concerned, and provide any other relevant information on the context.
You will first be asked to provide proof of your identity.
This Notice is regularly updated to take into account regulatory evolutions and the processing we operate.
Last update: May 23, 2018