Personal Data Protection Policy

Introduction

Drawing on its values of close client relations, trust and modernity serving all interests, La Banque Postale Group has made personal data protection a top priority. This focus on the security of your personal data contributes, much like the focus on corporate social responsibility and on information system security, to the Group’s good citizenship practices in the banking and insurance sector.

La Banque Postale Asset Management (LBPAM), a subsidiary of La Banque Postale Group, also prioritises personal data protection in its corporate purpose and the services it offers.

The purpose of this Personal Data Protection Policy (hereafter the “Policy”) is to provide you (clients, prospects, website users, intermediaries, counterparties or natural persons mandated by professional clients such as executive managers, guarantors, beneficial owners, authorised representatives and authorised signatories) with information on the processing operations carried out by LBPAM.

In accordance with our commitment to personal data protection, we hereby inform you of:

• How and why LBPAM collects, uses and stores your personal data;
• The legal grounds on which your personal data are processed;
• Your rights and our obligations in the implementation of these processing operations.

This policy applies to all personal data collected and processed under the responsibility of LBPAM in its capacity as Data Controller. Furthermore, disclaimers on the protection of personal data specific to the different products and/or services offered by LBPAM are provided to clarify and supplement this Policy, on the various media used. You are thus informed of the implementation of a processing operation, the identity of the data controller, the purposes of the processing operation, the recipients of the information, your rights as a data subject, and any data transfers.
 

1. What type of personal data do we collect?

The regulations in force on data protection (European Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016, i.e. the GDPR, and Act No. 78-17 of 6 January 1978, i.e. the French Data Protection Act, as amended) define personal data as any information pertaining to a natural person who can be identified or is identifiable directly or indirectly (as opposed to a legal person such as a company).

LBPAM follows the principle of data minimisation, which means that it only processes adequate, relevant personal data limited to what is strictly necessary to achieve the purpose for which the data are collected. To that end, LBP AM also undertakes to keep your personal data accurate and up to date.

1.1 Direct collection of Personal Data

Depending on the product or service requested or provided, LBPAM collects and processes your personal data, including:

• Identification data such as your name, date of birth and KYC (Know Your Customer) documents, including a copy of your national ID card or your passport;
• Contact data such as your telephone number, postal address and e-mail address;
• Professional data such as your job title and professional experience, your investment knowledge and experience, or the details of your appointment if you hold a corporate office;
• Economic and financial data such as transaction history, financial situation and assets;
• Tax data such as your tax domicile and other tax documents or information;
• Data on your interactions with LBPAM when you use our products or services;
• Connection data transmitted by your browser and automatically saved by our server when you access our Website. 


Specific categories of personal data: specific personal data categories are data that reveal a data subject’s race or ethnicity, political opinions, religious or philosophical beliefs or union membership, genetic data, biometric data for the purposes of uniquely identifying a natural person, personal data on health or personal data on the sexuality or sexual orientation of a natural person.

As a matter of principle, we do not collect or process these specific categories of personal data. In any event, if we were to process these specific categories of personal data, you would be notified and your consent would be obtained beforehand.
 

1.2 Indirect collection of Personal Data

In addition to directly collecting personal data from you, we may collect your personal data indirectly in order to meet a legal or regulatory obligation, or to verify or expand our databases. We collect personal data indirectly from the following sources: 

  • Publications and databases made accessible by the official authorities (e.g. the Journal Officiel);
  • Files that LBP AM is required to consult, under specific regulatory conditions, to provide certain services (e.g. register of beneficial owners);
  • LBP AM corporate clients or service providers; 
  • Websites or social media pages containing information that you have made public (e.g. your own website or social media accounts).

In some circumstances, we may also need to collect information from persons that are not our clients, with which we have no direct relationship, for example when your employer provides information about you or when your contact information is provided by one of our clients, because you are (for example):

  • A member of the client’s family; 
  • A legal representative (mandates/delegations of power) or agent(s);
  • A company shareholder(s);
  • A representative(s) of a legal entity (which may be a client or provider); 
  • An employee of our service providers and business partners.

2. For what purposes and on what legal grounds are your personal data processed?

LBP AM needs to process your personal data, whether using automated means or not, for the purposes for which they have been collected. Accordingly, each data processing operation is carried out for a specific, legitimate and explicit purpose on the following legal grounds: 


2.1 To perform the contract relating to the products and services that you have acquired or wish to acquire:

First and foremost, we process your personal data in order to provide the products and services that you have acquired or wish to acquire. The processing operation is implemented because it is necessary to perform the contract, or to perform precontractual measures taken at your request as a client, within the framework of an already established relationship, or as a prospect if no business relationship has yet been established (precontractual measures such as the provision of advice, a proposal or a simulation). The processing operation implemented for the purpose of managing our relationship serves in particular to:

  • Provide you with information about our products and services; 
  • Assist you and answer your requests;
  • Determine if we can offer you a product or service and, where applicable, under what conditions;
  • Provide products or services to our corporate clients having you as an employee or client. 

Without such processing operations, we would be unable to conclude or perform the contract.

2.2 To meet our legal and regulatory obligations:

As an asset management company, our business is strictly governed by a complex and demanding regulatory environment. We use your personal data to meet our various legal and regulatory obligations, such as: 

  • Banking and financial regulations, in accordance with which we detect atypical transactions, supervise and report the risks we are liable to incur;
  • Responses to official requests by the duly authorised supervisory or judicial authorities;
  • Prevention of money laundering and terrorist financing, prevention of FATCA-CRS tax evasion, management of alerts and supervision of market abuse;
  • Management and handling of complaints or requests for information from our clients or prospects.

2.3 To satisfy our legitimate interests

We may have a "legitimate interest" in processing your data, in particular where we are faced with situations that may present risks to our business such as preventing fraud and managing potential legal claims, ensuring the safety of property and persons, combating financial crime both in relation to the financial sector and in relation to our customers and employees, ensuring the security of our networks and information or defending our rights.

Our legitimate interests may also be associated with the management of our business as a company (general accounting, invoicing, asset-liability management, reporting, statistical research and satisfaction surveys, management of persons at our offices), management of our client relationship or for our audit and inspection activities.

These processing operations are implemented with respect for your interests and basic rights. To that end, they are accompanied by measures and guarantees to ensure a balance between the protection of your interests and rights and the pursuit of our legitimate interests.

2.4 To respect your choices when we have asked for your consent to perform a specific processing operation:

We may carry out processing operations when you have given your consent for one or more specific purposes. In such cases, you will be contacted beforehand to specifically give your consent to the collection and processing of your data for one or more identified purposes.

Accordingly, if we plan to conduct a direct marketing campaign via e-mail, we obtain your consent prior to sending our commercial offers.

3. Who receives your data?

In the interest of achieving the purposes referred to in Point 2, we may need to transmit your personal data to:

  • Entities belonging to La Poste Group and La Banque Postale Group (e.g. to give you the opportunity to take advantage of our full range of products and services, to present you with products or services managed by these entities – in cases where technical resources are pooled, such as IT resources for LBPAM);
  • Providers, agents, brokers or other intermediaries, partners, regulated professionals (lawyers, statutory auditors, etc.) or service providers that perform services for LBP AM and La Poste Group;
  • Authorised administrative or judicial authorities or, in general, any authorised third party in order to meet the regulatory obligations imposed on LBP AM.

4. Can your personal data be transferred outside the European Union?

LBPAM conducts all personal data processing operations in the European Union (EU). However, for some specific services, LBPAM may call on service providers established outside the EU. In such cases, your personal data are transmitted to them strictly for the purposes of completing their tasks. In the event your personal data are transferred to a non-EU country, LBPAM undertakes to implement all appropriate guarantees available, in accordance with applicable regulations, to ensure the supervision and security of such transfers.

For more information about the guarantees aimed at ensuring the protection of your data, or to find out how to learn about these guarantees, you may submit a written request as described in Point 9 below.

5. How long do we store your data?

The length of time your personal data are stored is determined on the basis of the products and services acquired. LBPAM undertakes not to store your personal data for any longer than the time necessary to provide the products and services acquired in accordance with your contract.

Some of your personal data may be stored for longer periods, in accordance with specific legal or regulatory provisions, or in response to requests from the authorities or authorised third parties.

The legal time frames applicable to LBP AM include:

  • As regards the prevention of money laundering and terrorist financing, the storage periods for your documents and information on your identity are five (5) years from the date on which your accounts are closed or our banking relations are terminated. For the same reason, documents and information on your bank transactions are stored for a period of five (5) years from their date of execution.
  • The storage periods for accounting documents and supporting documents are ten (10) years from the date of your transactions.
  • In accordance with the statute of limitations under common law governing civil and commercial matters, the storage periods are five (5) years from the date on which your accounts are closed.

These periods are subject to change if required by legal and regulatory obligations.
Personal data which, due to their usage, for various processing operations, are subject to multiple storage periods, are subject to the longest of such storage periods. Except for the aforementioned cases, the storage of any personal data is limited by the sole purpose or purposes for which the data are subject to a processing operation, unless you are notified otherwise.

At the end of these periods, LBP AM destroys the data in accordance with its internal policy or anonymises the data in order to use them for statistical purposes.

6. Implementation of specific processing operations based on specific technology

6.1 Cookies and other trackers:

By cookies and other trackers, we mean the trackers stored and read, for example, when a website is consulted, an e-mail read or a software program or mobile app installed or used, irrespective of the type of terminal used.

You are hereby informed that, when you visit our website, cookies and trackers may be installed on your terminal. You may consult the cookie policy implemented by LBPAM. When necessary, we obtain your consent prior to installing such trackers on your terminal, but also when we access data stored on your terminal.

To learn more, read our Cookies information memorandum, available here.
 

6.2 Telephone recording for evidentiary purposes:

LBP AM records the telephone conversations of some of its employees and their professional contacts. In the interest of securing the transactions and investment services provided, and to ensure compliance with market integrity rules (both in the event of a dispute and in the event of an audit of the compliance of said transactions and investment services performed internally or by the supervisory authorities), telephone conversations by employees doing business with issuers or performing issues, taking orders, taking instructions, confirming orders or working with existing or prospective clients for the purpose of an investment service, must be recorded.

Telephone conversations are recorded for evidentiary purposes or for orders by LBPAM in its capacity as Data Controller. The legal ground for this type of processing operation is a legal obligation imposed on the data controller (Article 6.1 c of the GDPR).

Prior to making such recordings, we notify you by playing a recorded message.

The data collected from telephone recordings (identification data, professional data, technical and financial data) are stored in accordance with the legal and regulatory provisions applicable to LBPAM; accordingly, the data are stored for a maximum period of 5 years (this period may be extended at the request of a supervisory authority) from the date of recording.
 

6.3 Video surveillance

LBPAM has placed its premises at 36, Quai Henri IV in Paris (75004) under video surveillance in order to ensure the safety of its staff and property. The legal basis for the processing is the legitimate interest of the company (see Article 6.1 f of the GDPR). Notice boards in the filmed locations inform the persons concerned of the existence of the system.

The personal data collected and processed are the images from the video surveillance system. The recordings made are viewed only when the situation requires it (such as an intrusion, a theft, etc.) by LBPAM's authorised personnel and, in the event of an incident, by the authorised public authorities. In addition, the staff of external service providers mandated by LBPAM, for example those in charge of security or remote surveillance, have access to the images within the limits of their authorisations. On an ad hoc basis, the staff of the service provider in charge of the maintenance of the video surveillance system may also access the images for the sole purpose of carrying out their mission.

The images are kept for one month. In the event of an incident linked to the security of persons and property, the video surveillance images may nevertheless be extracted from the system. They are then kept on another medium for the time needed to settle the procedures linked to this incident and are accessible only to persons authorised in this context.

7. How are your personal data protected?

Pursuant to regulations in force, LBPAM undertakes to implement all appropriate technical and organisational measures in order to guarantee an appropriate and risk-proportionate level of security for your personal data. These measures (e.g. partitioning, anonymisation, encryption, access restriction, etc.) are aimed at guaranteeing the confidentiality, integrity, availability and resilience of your personal data.

LBP AM undertakes to implement all necessary measures to restore availability and enable you to access your personal data in a timely manner, in the event of a physical or technical incident. To that end, LBP AM regularly conducts assessments of its security levels. These assessments factor in the risks of the destruction, loss, alteration, access and unauthorised disclosure of your personal data.

LBP AM requires all recipients of your personal data to observe the appropriate security and confidentiality guarantees.

As Data Controller, LBP AM reports personal data breaches to the competent supervisory authorities, i.e. the Commission Nationale de l’Informatique et des Libertés (CNIL - French Data Protection Agency), in a timely manner and, where possible, within seventy-two (72) hours of learning of said personal data breaches liable to generate a risk for your rights and freedoms. You will be notified of any breach of your personal data liable to generate a major risk for your rights and freedoms in a timely manner, in accordance with applicable regulations.
 

8. Data Protection Officer

The designation of a Data Protection Officer testifies to the importance that LBPAM and La Banque Postale Group place on protecting the Personal Data of their clients.
For more information on the provisions of this policy, contact the Data Protection Officer at the following address:

La Banque Postale - Délégué à la Protection des Données 115 rue de Sèvres 75275 Paris cedex 06

9. What are your rights and how do you exercise them?

When we collect your personal data, you receive (through disclaimers) clear and transparent information on the processing operations carried out and on how you can exercise your rights.

In compliance with the GDPR, you are entitled to exercise your rights by contacting LBPAM, which processes your data in its capacity as Data Controller. These rights are:

  • Right of access: you may ask LBPAM if it holds personal data on you, in which case LBPAM will provide you with these data in an easy-to-understand format, or in a format at your request within the limits of available technical resources, where applicable.
  • Right of rectification: you have the right to rectify, supplement, update or erase incomplete, inaccurate or obsolete data.
  • Right of objection: you may object at any time to LBPAM using certain personal data by indicating the reasons pertaining to your individual situation, except in cases of direct marketing, where you may object without giving a reason.
  • Right of erasure: you may request the erasure of your personal data, subject to compliance with a legal obligation for the entity that processes your data.
  • Right of restriction: you may request the suspension of processing of your personal data, particularly if you dispute the accuracy of the data used or if you object to your data being processed.
  • Right of portability: you may ask LBPAM to recover the personal data you have provided, if they were necessary for a contract or for the processing to which you gave your consent, in order to have said data at your disposal or to transmit them to a third party.
  • Right of withdrawal of consent: you may withdraw your consent at any time, in cases where it was given beforehand.

To exercise your rights with LBPAM, please write to the following postal address:
La Banque Postale Asset Management
36, Quai Henri IV
75004 Paris

To exercise your rights with LBPAM, please write to the following e-mail address: privacy@labanquepostale-am.fr 
Any such request should indicate your last name, first name and the address at which you would like to receive the answer to your request, and should include a double-sided copy of your ID card.
We undertake to answer your requests to exercise your rights in a timely manner, and in any event in accordance with legal deadlines.

Please submit any complaints to the Commission Nationale de l’Informatique et des Libertés (CNIL) at the following address:
CNIL
3 Place de Fontenoy
75007 PARIS

Your rights of access, rectification, objection, erasure, restriction of processing or portability of your personal data are exercised free of charge. Nevertheless, in the event of clearly unfounded or excessive requests, particularly due to their repetitive nature, we may call for payment of reasonable expenses in light of the administrative costs incurred to provide this information, issue the communications or take the measures requested, or reject your request.
 

10. How can you be notified of changes to the Data Protection Policy?

In a world of constantly evolving technologies, we regularly update this Policy. Please read the most recent version of this document on our website. We will notify you of any significant changes to the policy on our website or via our usual communication channels. 


Last updated: May 2023