DATA PROTECTION NOTICE

The protection of your personal data is important to the BNP Paribas Group, which has adopted strong principles in that respect for the entire Group in its Group Privacy Policy. This Information Notice provides you with detailed information relating to the protection of your personal data set up by BNP PARIBAS CARDIF (“we”).

We are responsible, as a controller, for collecting and processing your personal data in relation to our activities. The purpose of this Data Protection Notice is to let you know which personal data we collect about you, the reasons why we use and share such data, how long we keep it, what your rights are and how you can exercise them.

Further information may be provided where necessary in the data protection clause of the information notice joined to your insurance contract.

1. WHICH PERSONAL DATA DO WE USE ABOUT YOU?

We collect and use your personal data to the extent necessary in the framework of our activities and to achieve a high standard of personalised insurance contracts.

Depending among others on the type of insurance contracts we provide to you, we may collect various types of personal data about you, including:

• identification information (e.g. name, ID card and passport information, driving licence information, residence permit or visa information, nationality, place and date of birth, gender, photograph, IP address) ;
• contact information (e.g. postal address and e-mail address, phone number, fax number) ;
• family situation (e.g. marital status, specific legal regime applicable to your family, identity of ascendants and descendants, number of persons composing the household, number and age of children, number of pets) ;
• economic, financial and tax information (e.g. tax ID, tax status, income and other revenues, value of your assets, bank account details, bank cards numbers and validity) ;
• education and employment information (e.g. level of education, employment, employer’s name, remuneration) ;
• data relating to the insurance contract (e.g. client identification number, contract number, methods of payment, guarantees, duration, amounts and discounts) ;
• data relating to risk assessment (e.g. housing location, information about insured assets, use of insured vehicle for business) ;
• data relating to insurance claims (e.g. insurance claim history, including paid indemnities and expert reports, information about victims) ;
• data relating to your life habits and use of the insured assets :
  • data which relate to your life habits (e.g. hobbies, sport and outdoor activities, number of kilometres travelled) ;
  • data which relate to your use of the insured assets in connection with our products and services (e.g. main and secondary residence) ;data from your interactions with us (e.g. our branches (contact reports), our internet websites, our apps, our social media pages, meeting, call, chat, email, interview, phone conversation, correspondence, requests for information or documents, method of commercialisation) ;
• video surveillance (including CCTV) ;
• location or geolocation data (e.g. showing locations of insured vehicles for security reasons or for identifying the location of the nearest branch or service suppliers for you) ;
• connection and tracking data (e.g. audit trail, timestamping, cookies, connection to online customer service, pseudonyms used in connection with your participation in online surveys) ;
• data relating to your participation in prize competition, lotteries and promotional campaigns (e.g. date of participation, your answers, your picture and the type of prizes) ;
• data necessary for fighting insurance fraud, money laundering and terrorist financing.

We may collect the following sensitive data only upon obtaining your explicit prior consent, where required:

• biometric data (e.g. fingerprint, voice pattern or face pattern) which can be used for identification and security purposes ;
• health data: for instance for the drawing up of some specific insurance contracts; this data is processed on a need-to-know basis ;
• religious and philosophical beliefs: for drawing up funeral coverage insurance contracts; this data is processed on a need-to-know basis.

We never ask for personal data related to your racial or ethnic origins, political opinions, trade union membership, genetic data or data concerning your sexual orientation, unless it is required through a legal obligation.

The data we use about you may either be directly provided by you or be obtained from the following sources in order to verify or enrich our databases:

• publications/databases made available by official authorities (e.g. the official journal) ;
• our corporate clients or service providers ;
• third parties such as fraud prevention agencies or data brokers in conformity with the data protection legislation ;
• websites/social media pages containing information made public by you (e.g. your own website or social media) ;
• databases made publicly available by third parties.

SPECIFIC CASES OF PERSONAL DATA COLLECTION, INCLUDING INDIRECT COLLECTION

For some reasons, we may also collect information about you whereas you have not had direct relationship with us.

This may happen for instance when your employer provides us with information about you or your contact details are provided by one of our client or partner if you are for example:

• beneficiary of an insurance contract ;
• family members (covered by a family insurance concluded by one of our clients) ;
• Co-borrowers ;
• legal representatives (power of attorney) ;
• service provider personnel and commercial partners.

WHY AND ON WHICH BASIS DO WE USE YOUR PERSONAL DATA?

a. To comply with our legal and regulatory obligations

We use your personal data to comply with various legal and regulatory obligations, including:

• prevention of insurance fraud ;
• prevention of money-laundering and financing of terrorism ;
• fighting tax fraud and fulfilment of tax control and notification obligations ;
• monitoring and reporting risks that institution could incur ;
• replying to an official request from a duly authorised public or judicial authority.

b. To perform a contract with you or to take steps at your request before entering into a contract

We use your personal data to enter into and perform our contracts, including to:

• defining your insurance risk profile and the corresponding fees ;
• managing insurance claims and perform contract guarantees ;
• providing you with information regarding our insurance contracts ;
• assistance and answering requests ;
• evaluating if we can offer you a insurance contract and under which conditions.

c. To fulfil our legitimate interest

We use your personal data in order to deploy and develop our insurance contracts, to improve our risk management and to defend our legal rights, including:

• proof of premium or contribution payment ;
• fraud prevention ;
• IT management, including infrastructure management (e.g. : shared platforms) & business continuity and IT security ;
• establishing individual statistical models, based on the analysis of the number and occurrence of losses, for instance in order to help define your insurance risk score ;
• establishing aggregated statistics, tests and models for research and development, in order to improve the risk management of our group of companies or in order to improve existing products and services or create new ones ;
• rolling out of prevention campaigns, for instance creating alerts in connection with natural disasters or traffic or road hazards ;
• training of our personnel by recording phone calls to our call centres ;
• personalising our offering to you and that of other BNP Paribas entities through :
• improving the quality of our insurance contracts ;
• advertisement of our insurance contracts that match with your situation and profile.
  This can be achieved by:
  • segmenting our prospects and clients ;
  • analysing your habits and preferences in the various channels (visits to our branches, emails or messages, visits to our website, etc.) ;
  • sharing your data with another BNP Paribas entity notably if you are – or are to become – a client of that other entity ; and
  • matching the data from your insurance contracts that you have already subscribed for or for which you received a quote with other data we hold about you (e.g. we may identify that you have children but no family protection insurance yet).
• organising prize competitions, lotteries and promotional campaigns.

Your data may be aggregated into anonymised statistics that may be offered to BNP Paribas Group entities to assist them in developing their business. In this case your personal data will never be disclosed and those receiving these anonymised statistics will be unable to ascertain your identity.

d. To respect your choice if we requested your consent for a specific processing

In some cases, we must require your consent to process your data, for example :

• unless we can rely on other legal grounds, where the above purposes lead to automated decision-making, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the logic involved, as well as the significance and the envisaged consequences of such processing ;
• if we need to carry out further processing for purposes other than those above in section 3, we will inform you and, where necessary, obtain your consent.

4. WHO DO WE SHARE YOUR PERSONAL DATA WITH?

In order to fulfill the aforementioned purposes, we only disclose your personal data to the following individuals and entities:

• our staff in charge of managing your contract(s) ;
• intermediaries and partners for managing insurance contracts ;
• co-insurers, re-insurers and guarantee funds ;
• interested parties to the insurance contract such as :
• contract holders, subscribers and insured parties as well as their representatives ;
• contract assignees or beneficiaries of subrogation ;
• persons responsible for incidents, victims, their representatives and witnesses.
• social security agencies when involved in insurance claims or when we provide benefits complementary to social benefits ;
• BNP Paribas Group entities (e.g. you can benefit from our full range of group products and services) ;
• our service providers ;
• banking, commercial and insurance partners ;
• financial or judicial authorities, arbitrators and mediators, state agencies or public bodies, upon request and to the extent permitted by law ;
• certain regulated professionals such as healthcare professionals, lawyers, notaries, trustees and auditors.

5. TRANSFERS OF PERSONAL DATA OUTSIDE THE EEA

In case of international transfers originating from the European Economic Area (EEA), where the European Commission has recognised a non-EEA country as providing an adequate level of data protection, your personal data will be transferred on this basis. In this situation, no specific authorization is needed.

For transfers to non-EEA countries whose level of protection has not been recognised by the European Commission, we will either rely on a derogation applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

• standard contractual clauses approved by the European Commission ;
• if applicable, binding corporate rules (for intra-group transfers).

To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in Section 9.

6. HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

If you are a prospect:

Your information is kept for three years from the date of collection, or from the last contact we had with you in the event no contract has been concluded.
If we have collected data concerning your health, it is kept at most five years from its collection (two years in the current archive and three years in the intermediary archive) in the event no contract has been concluded (so that evidence may be provided in case of dispute regarding our decision not to enter into an insurance contract).

If you are a client :

The retention period is the term of your (or your company’s) insurance contract, plus the period of time until the legal claims under that contract become time-barred, unless overriding legal or regulatory provisions require a longer or shorter retention period. When this period expires, your personal data is removed from our systems.

Bank details are kept for 13 months from date of debit (except the CVC code, which is not stored on our system).

ID information provided in connection with a request to exercise one of the rights set out in Section 7 is kept for one to three years depending on the right.

Cookies and other connection and tracking data stored on your device are kept for a period of 13 months from their collection date.

For purposes of quality services and employee training, audio recordings are kept for 6 months. Any analysis document resulting from those recordings is kept for one year.

7. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM?

In accordance with applicable regulations, you have the following rights:

• To access: you can obtain information relating to the processing of your personal data, and a copy of such personal data.
• To rectify: where you consider that your personal data are inaccurate or incomplete, you can require that such personal data be modified accordingly.
• To erase: you can require the deletion of your personal data, to the extent permitted by law.
• To restrict: you can request the restriction of the processing of your personal data.
• To object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
• To withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
• To data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.

If you wish to exercise the rights listed above, please send a letter or e-mail to the following address:

• BNP Paribas CARDIF - DPO
• 8, rue du Port, 92728 Nanterre Cedex-France, or
• group_assurance_data_protection_office@bnpparibas.com
• Please include a scan/copy of your identity card for identification purpose.

In accordance with applicable regulation, in addition to your rights above, you are also entitled to lodge a complaint with the competent supervisory authority.

8. HOW CAN YOU KEEP UP WITH CHANGES TO THIS INFORMATION NOTICE?

In a world of constant technological changes, we may need to regularly update this Information Notice.

We invite you to review the latest version of this notice online and we will inform you of any material changes through our website or through our other usual communication channels.

9. HOW TO CONTACT US?

If you have any questions relating to our use of your personal data under this Information Notice, please contact our data protection officer who will investigate your query:

• BNP Paribas CARDIF - DPO
• 8 rue du Port, 92728 Nanterre Cedex-France, or
• data.protection@cardif.com