Data protection

Introduction

The protection of your personal data is at the heart of our concerns, and the BNP Paribas Group has adopted strong principles in its Personal Data Privacy Charter, which is available at the following address: https://group.bnpparibas/uploads/file/bnpparibas_charte_confidentialite_des_donnees_personnelles.pdf

Karapass Courtage (“we”, “us”), as the data controller, is responsible for the collection and processing of your personal data in the course of its activities.

Our broker’s job is to put our partners’ clients – individuals, entrepreneurs, VSEs (Very Small Enterprises), SMEs (Small and Medium-sized Enterprises), large companies – in touch with BNP Paribas Cardif in order to provide affinity insurance solutions.

As a member of an integrated banking and insurance group in collaboration with the various entities of the Group, we provide our clients with a complete range of affinity insurance products.

The purpose of this notice is to explain how we process your personal data and how you can control and manage it.

If necessary, additional information may be provided to you directly at the time of collection of your personal data.

1. ARE YOU CONCERNED BY THIS NOTICE?

You are concerned by this notice if you are (“you”):

  • our customer or in a contractual relationship with us (insured/beneficiary);
  • a family member of a client. Indeed, our customers may sometimes be required to share information about their family with us when it is necessary to provide them with a product or service or to get to know them better;
  • a beneficial owner (within the meaning of L.561-2-2 of the Financial Monetary Code) of a client who is a legal person;
  • an officer or legal representative of a legal person client;

When you provide us with personal data relating to other people, please remember to inform them of the provision of their data and invite them to read this Notice. We will take care to do the same whenever we can (i.e. when we have the contact details of the people and we are authorised to do so).

2. HOW CAN YOU CONTROL THE PROCESSING WE CARRY OUT ON YOUR PERSONAL DATA?

You have rights that allow you to exercise meaningful control over your personal data and how we process it.

If you wish to exercise the rights described below, please send us a request to:

  • Karapass – DPO, 93 Rue Nationale, 92100 Boulogne-Billancourt; or
  • data.protection@karapass.eu; or
  • on our websites, where possible, with a scan/copy of your ID when required.

If you have any questions about the use of your personal data under this Notice, please contact our Data Protection Officer at:

  • Karapass – DPO, 93 Rue Nationale, 92100 Boulogne-Billancourt; or
  • data.protection@karapass.eu;

2.1. You can request access to your personal data

If you wish to have access to your personal data, we will provide you with a copy of the personal data to which your request relates as well as information relating to its processing.

Your right of access may be limited when the regulations provide for it. This is the case for the regulations relating to the fight against money laundering and the financing of terrorism, which prohibit us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access through the CNIL, which will question us.

2.2. You can request the rectification of your personal data

If you consider that your personal data is inaccurate or incomplete, you can request that it be amended or supplemented. In some cases, you may be asked to provide supporting documentation.

2.3. You can request the erasure of your personal data

If you wish, you can request the deletion of your personal data to the extent permitted by law.

2.4. You may object to the processing of your personal data based on legitimate interest

If you do not agree to processing based on legitimate interest, you may object to it, on grounds relating to your particular situation, by telling us precisely what processing is relevant and why. We will no longer process your personal data unless there are compelling legitimate grounds for processing it or it is necessary for the establishment, exercise or defence of legal claims.

2.5. You may object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for the purpose of commercial prospecting, including profiling insofar as it is related to such direct marketing.

2.6. You may suspend the use of your personal data

If you dispute the accuracy of the data we use or object to your data being processed, we will verify or review your request. During the period of consideration of your request, you have the option of asking us to suspend the use of your data.

2.7. You have rights in relation to an automated decision

As a matter of principle, you have the right not to be subject to a fully automated decision, whether based on profiling or not, which has a legal effect or significantly affects you. We may, however, automate this type of decision if it is necessary for the conclusion/performance of a contract with us, permitted by regulation or if you have given your consent.

In any case, you have the opportunity to contest the decision, express your point of view and request the intervention of a human being who can reconsider the decision.

2.8. You may withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

2.9. You can request the portability of part of your personal data

You may request to retrieve a copy of the personal data you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you can request that we pass this copy on to a third party.

2.10. How do I file a complaint with the CNIL?

In addition to the rights mentioned above, you can lodge a complaint with the competent supervisory authority, which is most often the one in your place of residence, such as the CNIL (Commission Nationale de l’Informatique et des Libertés) in France.

3. WHY AND ON WHAT LEGAL BASIS DO WE USE YOUR PERSONAL DATA?

The purpose of this section is to explain why we process your personal data and what legal basis we rely on to justify it.

3.1. Your personal data is processed to comply with our various legal obligations

Your personal data is processed where necessary to enable us to comply with regulations to which we are subject, including regulations specific to insurance and financial activities.

3.1.1. We use your personal data to:

  • monitor operations and transactions and thus identify those that are abnormal or unusual;
  • monitor your transactions and operations to manage, prevent and detect fraud;
  • manage, prevent and report risks (financial, credit, legal, compliance or reputational, etc.) that the BNP Paribas Group may face in the course of its activities;
  • meet our obligations to combat escheat;
  • carry out an assessment of the suitability of the products we offer for each customer’s profile, in accordance with the Insurance Distribution Directive (IDD) of 2016;
  • contribute to the fight against tax fraud and meet our tax notification and audit obligations;
  • record transactions for accounting purposes;
  • prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
  • detect and prevent corruption;
  • comply with the provisions applicable to trust service providers issuing electronic signature certificates;
  • exchange and report various transactions or requests, or respond to an official request from a duly authorized local or foreign judicial, criminal, administrative, tax or financial authority, arbitrator or mediator, law enforcement authorities, government bodies or public bodies;
  • meet our obligation to provide accessible services for people with disabilities, for example with tools that allow speech-to-text.

3.1.2. We also process your personal data to combat money laundering and terrorist financing

We belong to a banking and insurance group that must have a robust anti-money laundering and countering the financing of terrorism (AML/CFT) system at the level of our entities, and managed at the central level, as well as a system for applying local, European and international sanctions decisions.

In this context, we are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” or “us” in this section also includes BNP Paribas SA).

The processing operations implemented to meet these legal obligations are detailed in Appendix 1.

3.2. Your personal data is processed for our legitimate interest or that of a third party

Where we base processing on legitimate interest, we balance that interest against your interests or fundamental rights or freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by processing, please contact us using the contact details provided in section 2 above.

3.2.1. In the course of our business as an insurer, we use your personal data to:

  • conduct statistical studies and develop predictive and descriptive models for:
    • compliance (such as anti-money laundering and countering the financing of terrorism) and risk management;

4. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?

We collect and use your personal data, which is any information that identifies or allows you to be identified.

Depending on the category of person you belong to, the type of product or service we provide to you and the interactions we have with you, we collect different types of personal data about you, including:

  • Identification data: e.g., full name, gender, place and date of birth, nationality, ID card number, passport number, photo, signature;
  • Private or business contact information: e.g., postal address, email address, telephone number;

5. FROM WHOM DO WE COLLECT PERSONAL DATA?

We collect personal data directly from you; however, we may also collect personal data from other sources.

We sometimes collect data from public sources:

  • publications/databases made available by authorities or official third parties (e.g. the Official Journal of the French Republic, the Trade and Companies Register, databases managed by financial sector supervisory authorities);
  • websites/social media pages of legal entities or business clients containing information that you have made public (e.g., your own website or social media page);
  • public information such as that which appeared in the press.

We also collect personal data from third parties:

  • other entities of the BNP Paribas Group;
  • our customers (companies or individuals);
  • our business partners, in particular the distributors or managers of our products;
  • the co-insurers of the BNP Paribas Cardif Group;
  • payment service providers;
  • third parties such as fraud prevention agencies;

6. WITH WHOM DO WE SHARE YOUR PERSONAL DATA AND WHY?

a. With the entities of the BNP Paribas Group

As a member of the BNP Paribas Group, we work closely with the other companies in the group around the world. Your personal data may thus be shared between entities of the BNP Paribas Group, when necessary, to:

  • comply with our various legal and regulatory obligations described above;
  • meet our legitimate interests, which are to carry out statistical studies and develop predictive and descriptive models for security and compliance purposes.

b. With recipients, third parties to the BNP Paribas Group and subcontractors

In order to achieve the purpose described in this Notice, we may share your personal data with:

  • subcontractors who perform services on our behalf;
  • local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, authorities or public institutions, to whom we or any member of the BNP Paribas Group are required to disclose data:
    • at their request;
    • in connection with our defense, action or proceeding;
    • in order to comply with a regulation or recommendation issued by a competent authority in respect of us or any member of the BNP Paribas Group.
  • certain regulated professions such as lawyers, notaries, or statutory auditors when specific circumstances require it (litigation, audit, etc.) as well as to our insurers or any current or potential buyer of the companies or activities of the BNP Paribas Group;
  • parties interested in the contract such as the policyholder, the insured parties and their representatives.

7. INTERNATIONAL TRANSFERS OF PERSONAL DATA

In the case of international transfers from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place on the basis of a decision issued by the European Commission, where the latter has recognised that the country to which your data will be transferred provides an adequate level of protection.

In the event of a transfer of your data to a country where the level of protection of your data has not been recognised as adequate by the European Commission, we will either rely on a derogation applicable to your specific situation (for example, if the transfer is necessary to perform a contract with you, such as when making an international payment) or we will take one of the following measures to ensure the protection of your personal data:

  • standard contractual clauses approved by the European Commission.

To obtain a copy of these measures to ensure the protection of your data or to receive details of where it is accessible, you may send us a written request to:

  • Karapass – DPO, 93 Rue Nationale, 92100 Boulogne-Billancourt; or
  • data.protection@karapass.eu;

8. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We retain your personal data for as long as necessary to comply with applicable laws and regulations, or for a period defined in light of our operational constraints, such as bookkeeping, effective customer relationship management, as well as to enforce our legal rights or respond to requests from regulatory bodies.

In the context of the processing of your personal data for the fight against money laundering and the financing of terrorism (AML-CFT), the retention period of your personal data is five (5) years under Article L. 561-12 of the Monetary and Financial Code. “The persons mentioned in the said article shall keep for five (5) years from the closure of their accounts or the termination of their relations with them the documents and information, whatever the medium, relating to their business relationships or occasional customers, as well as to the vigilance measures implemented”.

Other storage periods:

The information relating to your identity that is provided when you make a request to exercise your rights is kept for the period necessary to respond to your request.

9. HOW CAN I FOLLOW THE CHANGES TO THIS PERSONAL DATA PROTECTION NOTICE?

In a world where technologies are constantly evolving, we regularly review this Notice and update it as needed.

We invite you to read the latest version of this document online, and we will inform you of any material changes through our website or through our usual communication channels.

Appendix 1

Processing of personal data to combat money laundering and terrorist financing

We belong to a banking group that must have a robust anti-money laundering and countering the financing of terrorism (AML/CFT) system at the entity level, centrally managed, an anti-corruption system, as well as a system allowing compliance with international sanctions (these are all economic or trade sanctions, including all laws, regulations, restrictive measures, embargoes or asset freezes, decreed, governed, imposed or implemented by the French Republic, the European Union, the US Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in the territory in which we are established).

In this context, we are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term “we” or “us” used in this section therefore also includes BNP Paribas SA).

For AML/CFT purposes and compliance with International Sanctions, we implement the processing operations listed below to meet our legal obligations:

  • A Know Your Customer (KYC) system reasonably designed to identify, update and confirm the identity of our customers, including their beneficial owners and agents where applicable;
  • Enhanced identification and verification measures for high-risk clients, Politically Exposed Persons (PEPs are persons designated by regulation who, due to their functions or positions (political, judicial or administrative), are more exposed to these risks) as well as high-risk situations;
  • Written policies and procedures, as well as controls reasonably designed to ensure that the Bank does not enter into – or maintain – a relationship with Shell Banks;
  • A policy, based on its assessment of risks and economic conditions, generally not to execute or engage in any business activity or relationship, regardless of currency:
    • for, on behalf of, or for the benefit of any person, entity or organization subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in the territories in which the Group operates;
    • involving, directly or indirectly, territories under sanctions including Crimea/Sevastopol, Cuba, Iran, North Korea or Syria;
    • involving financial institutions or territories that could be linked to, or controlled by, terrorist organizations, recognized as such by the competent authorities in France, the European Union, the United States or the UN.
  • Filtering of our customer bases, reasonably designed to ensure compliance with applicable laws;
  • Systems and processes to detect suspicious transactions, and to report suspicious transactions to the relevant authorities;
  • A compliance program reasonably designed to prevent and detect bribery and influence peddling in accordance with the Sapin II Act, the U.S. FCPA, and the UK Bribery Act.

In this context, we are required to call on:

  • services provided by external service providers such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by service providers REFINITIV, REFINITIV US LLC and London Bank of Exchanges) that maintain lists of PEPs;
  • public information available in the press on facts related to money laundering, terrorist financing or corruption;
  • knowledge of a risky behaviour or situation (existence of a report of suspicions or equivalent) that can be identified at the level of the BNP Paribas Group.

We carry out these checks when you enter into a relationship with us and throughout that relationship, both on you and on the transactions you carry out. At the end of the relationship, and if you have been the subject of an alert, this information will be kept in order to identify you and adapt our control if you re-enter into a relationship with an entity of the BNP Paribas Group, or in the context of a transaction to which you are a party.

To meet our legal obligations, we exchange information collected between entities of the BNP Paribas Group for AML/CFT purposes, anti-corruption or the application of international sanctions. When your data is exchanged with countries outside the European Economic Area that do not have an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When, in order to comply with regulations of non-EU countries, additional data is collected and exchanged, this processing is necessary to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid sanctions locally, which is our legitimate interest.