Personal data protection notice
As of 25 May 2018, Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") has replaced Directive 95/46/EC ("the Directive"). The GDPR confirms certain founding principles of the Directive and also introduces new obligations that substantially revise the existing framework for the protection of personal data within and outside the EU.
The purpose of this personal data protection notice (the "Notice") is to explain how UBAF ("we") complies with this regulation in the management of its commercial activity with (i) its corporate and institutional customers (or prospects) ("clients"), (ii) our service providers ("partners") and (iii) job applicants ("applicants"). In particular, this Notice explains the nature of the data collected, the categories of data subjects, the legal purposes and bases of processing operations, the recipients of the data, the mechanisms for supervising the transfer of data outside the European Economic Area (EEA), the storage periods and the procedures governing how data subjects may exercise their rights.
1) UBAF, data controller
Acting within the framework of a regulated activity, we offer you and provide products and services requiring the collection and use, as data controller, of the personal data of individuals related to you (for example: employees, shareholders, agents, legal representatives, beneficial owners, family members, third-party representatives, etc.) (the "Data Subjects"). It is the responsibility of our clients and partners to inform these Data Subjects about the way in which we process their personal data.
Before sending us the personal data of a Data Subject, our clients and partners undertake to inform that Data Subject beforehand of the contents of this Notice, and they assure us that we may collect, use and transmit such data in accordance with the conditions set out in the Notice.
2) Personal data
In order to offer our commercial services or to enter into a service agreement, we collect, use and may even transmit personal data of several kinds:
- Civil status and identification data (name, date and place of birth, nationality, address/country of residence, passport and/or identity card number, photo, etc.),
- Professional life (occupation/function, employer, contact data, certifications/authorizations, etc.),
- Economic, judicial and financial information (income, assets, tax situation, ...).
Only information relevant to the purposes pursued is collected.
With regard to the job applicants, the data concern all the information they communicate to us (CV, cover letter, etc.) and, where appropriate, the screening data in relation to the International Sanctions lists.
3) Categories of data subject
In the course of our activities, and in connection with the products and services we offer to our clients, we may collect, use and transmit the personal data of the following categories of persons related to you (this list is not exhaustive): employees, shareholders, agents, legal representatives, beneficial owners, family members, third-party representatives, etc.
4) Purposes of the processing
The processing we are required to perform requires the collection and use of personal data in order to ensure:
- The management of the business or partner relationship (customer or service provider knowledge, designation of correspondents, information on our products, etc.),
- The management of risk, the fight against money laundering and the financing of terrorism, the determination of tax status of our clients, the prevention of fraud,
- Commercial prospecting, targeted event campaigns and commercial events,
- The performance of services or contracts related to trade finance,
- Transaction management (identification of counterparty contacts for payments and confirmation correspondence, sample signatures of authorized signatories, etc.),
- Management of access to the premises and any video monitoring devices for the premises,
- For job applicants, the management of applications, including the implementation and follow-up of interviews and the selection process, in particular in compliance with the obligations in terms of the fight against financial crime (screening of certain applicants against the lists of International Sanctions), the management of recommendations and references, the pool of applicants and the pre-recruitment and the establishment of hiring promises and contracts.
5) Legal bases of processing
In accordance with the applicable regulations, we may only use your personal data for at least one of the following reasons:
- for the performance of a contract that we intend to enter into or have entered into with you, or
- if a legal obligation compels us to use your personal data for a particular reason, such as in connection with customer knowledge management, the prevention of money laundering and the financing of terrorism, to comply with embargoes or asset freezing measures, or
- where such use corresponds to our legitimate interests, for example, the processing of personal data for fraud prevention purposes, or
- when you consent thereto, for example, the consent of the data subject in respect of a newsletter for communication purposes.
6) Recipients of the data
The personal data of our clients or partners may be communicated to:
- our entities in and outside the EEA;
- our subcontractors for the sole requirements of operational or technical subcontracting;
- independent agents, intermediaries or brokers;
- French and foreign supervisory authorities, French and foreign administrative and judicial authorities, public bodies on request and within the limits of what is permitted by the regulations;
- certain regulated professions such as statutory auditors, lawyers and notaries.
When we use subcontractors, we ensure that they have sufficient safeguards to guarantee that the processing complies with the principles of GDPR and to ensure the confidentiality and security of personal data.
As regards the job applicants, for the purposes of the processing described above, their personal data may in certain cases be communicated to the following recipients:
- The entities of the UBAF,
- IT subcontractors, recruitment test publishers or subcontractors in charge of managing access to the premises and any video surveillance devices,
- Public authorities within the framework of compliance with obligations in the fight against financial crime.
7) How is the security of personal data ensured?
Ensuring the security of the data you entrust to us is one of our most important responsibilities. To ensure the security and confidentiality of the personal data we collect and use, we have been implementing technical and organizational measures for a long time, including:
- Control of access and authorizations for IT equipment relative to the processing of personal data;
- Measures to secure technical infrastructure (workstation, network, server) and data (backup, business continuity plan);
- Taking data security and processing into account in the design of a product or solution;
- Restricting the persons authorized to process personal data according to purpose and the processing means provided for in each case;
- Strict confidentiality obligations imposed on our subcontractors;
- Raising the awareness of all our employees worldwide and training those employees most concerned by the collection or management of personal data;
- The establishment of procedures making it possible to react promptly in the event of a personal data security incident.
8) Data transfer outside the European Economic Area (EEA)
In order to perform our services or meet our legal and regulatory obligations, we may have to transfer Data Subjects' personal data to a country outside the EEA. Appropriate measures are implemented to ensure a sufficient level of protection as required by the GDPR. These guarantees may be the Standard Contractual Clauses for the protection of personal data adopted by the European Commission (i.e. a contract of transfer between the data controller and a recipient specifying the obligations of the data controller and of the recipient in the case of a transfer of personal data outside the European Union).
9) How long we keep the data
Regarding our clients and partners, we keep Data Subjects' personal data for the duration necessary to achieve the intended purpose.
We only keep this information for the time during which we need it. This length of time depends on why we use it, such as to provide our services, to pursue our legitimate interests, to comply with our legal and regulatory obligations, or to exercise or defend our rights in court. It may also be kept or archived for statutory limitation periods.
Regarding job applicants, their personal data is kept under the following conditions:
1. when the applicant is not selected:
- Retention in the active base for eighteen (18) months from the last use of the internal recruitment tool by the applicant,
- At the end of the eighteen (18) months, destruction of the data.
At any time, the applicant can ask to delete his data immediately.
2. when the applicant is selected:
- During the duration of the employment relationship: retention in the active base,
- Upon termination of the employment contract, depending on the treatment considered and subject to special texts:
  - retention in the active base for five (5) years,
  - then intermediate archiving for a maximum period of fifty (50) years (for all data: employment contracts, interviews, payslips, all documents related to retirement, etc.),
  - then destruction of the data.
The personal data collected for the management of access to the premises is kept for a period of three (3) months. The personal data collected for the management of any video surveillance devices is kept for a period of thirty (30) days. Throughout the retention period of this personal data, access to applicants' personal data is limited to only those who need to access it, and who have the authorizations, according to the purposes of the planned processing.
At the end of this period, the applicants' personal data will be permanently erased or irreversibly anonymized.
10) How can the Data Subjects exercise their rights
The Data Subjects have the following rights in relation to their personal data that we collect and process as a data controller:
- right of access, rectification and erasure (inaccurate, incomplete, unclear or obsolete data);
- right to object to the processing of your data at any time in connection with commercial prospecting;
- right to restrict the processing of your data as provided by the regulations;
- right to data portability;
- right to withdraw your consent at any time;
- right to lodge a complaint with the supervisory authority.
They may exercise these rights:
- by contacting our relationship manager or our usual commercial contact;
- by writing to the following address: UBAF – Compliance Department - 2 avenue Gambetta - 92066 Paris La Défense cedex (France)
- or by contacting the Data Protection Officer: firstname.lastname@example.org
When the Data Subjects send us a request in order to exercise a right, in order to facilitate its examination and allow us to reply quickly, they should please specify where possible (1) the scope of the request, (2) the nature of the request/type of right exercised, (3) the processing of personal data concerned, and provide any other relevant information on the context. They will first be asked to provide proof of their identity.
In certain cases, a complaint may also be sent to the French authority for data protection (CNIL), whose registered office is at 3 Place de Fontenoy - 75 007 Paris, France, in the event that it is considered that the processing of personal data does not comply with the regulations on the protection of personal data.
11) Notice update
This Notice is regularly updated to take into account regulatory evolutions and the processing we operate.
Last update: November 2020