Privacy notice (BCP Luxembourg)

1. What types of personal data do we collect?

We, as data controller (namely an entity that determines the purposes and the means of processing of personal data), may collect and process, to the extent necessary in the framework of our activities and to provide you with a high standard of personalized products and services, personal data about you, including:

• personal identification data, such as your name, identification number, date of birth, KYC documents (including a copy of your national identity card or passport), phone number, physical and electronic address and family details;
• financial information, including payment and transaction records and information relating to your assets, financial statements, liabilities, taxes, revenues, earnings and investments (including your investment objectives);
• tax domicile and other tax-related documents and information;
• where applicable, professional information about you, such as your job title and work experience;
• your knowledge of, and experience in, investment matters;
• details of our interactions with you and the products and services you use;
• subject to the requirements of applicable law, any records of phone calls between you and us;
• subject to the requirements of applicable law, video surveillance;
• where applicable, details of your nomination of a mandate;
• identifiers we assign to you, such as your client or account number, including for accounting purposes;
• when you access our website, data transmitted by your browser and automatically recorded by our server. When you visit our website, that website will contain additional information about how we use your information while you are visiting that website; and
• data necessary to fight against over indebtedness.

In certain circumstances, we may collect and use personal data of individuals with whom we could have or previously had a direct relationship, such as prospects.

We may also collect information about you where you do not have a direct relationship with us. This may happen, for instance, when your personal data are provided to us by one of our clients or third parties if you are, for example:

• family members;
• co-borrowers / guarantors;
• legal representatives (power of attorney);
• beneficiaries of payment transactions made by our clients;
• beneficiaries of insurance policies and trusts;
• landlords;
• ultimate beneficial owners;
• clients' debtors (e.g. in case of bankruptcy);
• company shareholders;
• representatives of a legal entity (which may be a client or a vendor); and
• staff of service provider and commercial partners.

Before providing BCP with this information, our clients or third parties should provide a copy of this Notice to you.

We never ask for personal data related to your racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning your sexual orientation or data relating to criminal convictions and offences, unless it is required through a legal obligation.

The data we use about you may be:

• directly provided by you; or otherwise
• obtained from:
  • public registers;
  • public administration or other third-party sources, such as credit reference agencies, fraud prevention agencies, intermediaries that facilitate data portability;
  • websites/social media pages containing information made public by you (e.g. your own website or social media); and
  • databases made publicly available by third parties.

 

2. On which legal basis and for which purposes do we process your personal data?

 

a. To comply with our legal and regulatory obligations (art. 6, 1c GDPR)

We use your personal data to comply with various legal and regulatory obligations, including:

• banking and financial regulations in compliance with which we:
  • set up security measures in order to prevent abuse and fraud;
  • detect transactions which deviate from normal patterns;
  • define your investment profile, credit risk score, etc.;
  • ensure a good risk management of BCP;
  • reporting obligations vis-à-vis the relevant local and foreign authorities,
  • record, subject to the requirements of applicable law, phone calls, email, etc.; and 
  • reply to an official request from a duly authorized public or judicial authority.
• prevention of money-laundering and financing of terrorism;
• compliance with legislation relating to sanctions and embargoes; and
• fight against tax fraud and fulfillment of tax control and notification obligations.

 

b. To perform a contract with you or to take steps at your request before entering into a contract (art. 6, 1b GDPR)

We use your personal data to enter into and perform our contracts, including to:

• provide you with information regarding our products and services;
• assist you and answer your requests;
• evaluate if we can offer you a product or service and under which conditions; and
• provide products or services to our corporate clients of whom you are a member of staff, a shareholder, a beneficial owner or a client.

 

c. To fulfill our legitimate interest (art. 6, 1f GDPR)

We use your personal data in order to deploy and develop our products or services, to improve our risk management and to defend our legal rights, including:

• for the fulfillment of the internal requirements of BCP, including credit- and risk management, audit and management purposes to assure the sound and responsible management of BCP and of BCP Group;
• for the prevention and investigation of crime, as well as fraud prevention;
• for the establishment, exercise and defense of legal claims;
• to assure the safety and continuity of our services;
• to assure a proper IT management including business continuity and IT security;
• for general management and development of our services, systems and products;
• for client advisory services, sales, including profiling; and
• for undertaking transactional and statistical research and market research.

 

d. To respect your choice if we request your consent for specific processing (art. 6, 1a GDPR)

In limited cases, we might require your consent to process your personal data, in particular:

• if we need to carry out further processing for purposes other than those as defined in section 2 hereof, and
• when your consent needs to be obtained where required by applicable laws other than GDPR.

 

3. Who has access to personal data and with whom are they shared?

In order to fulfill the aforementioned purposes, but subject to applicable law relating to information sharing, we only disclose your personal data to the following parties:

 

a. Within BCP Group

Some of your non-identifying personal data may be disclosed to BCP Headquarters for reasons linked to IT support and processing, and risk control.

 

b. Outside BCP Group

The following third parties may receive your personal data:

• other financial institutions, including in particular credit institutions, insurance companies and payment and credit card issuers (as may be consented by you, from time to time);
• external service providers whose participation is necessary for the provision of services to clients, in particular in the information technologies, payments and communication sector.
• independent agents, intermediaries or brokers and specialized partners, with which we have a regular relationship;
• financial, taxation, regulatory or judicial authorities, state agencies or public bodies, upon request and to the extent permitted by law;
• certain regulated professionals, such as lawyers, notaries or auditors;
• any counterparty, custodian, depositary, broker or nominee appointed or instructed by us on your behalf, or on behalf of the entity you represent, or through whom we may deal or transact in relation to your account or for purposes otherwise ancillary to the provision of services provided by us to you or the administration of your account; and
• fraud prevention agencies in order to check the identity of the client or individuals or to investigate or prevent money laundering, fraud or other illegal activity.

In accordance with legal and regulatory obligations concerning the automatic exchange of information with participating countries, BCP may have to disclose some personal data relating to the client's tax residence status to our local tax authorities. Such local tax authorities may disclose the data communicated by BCP to each competent foreign tax authority in accordance with applicable legal and regulatory requirements.

 

4. Transfers of personal data outside Switzerland or the EEA

In principle, we do not transfer your personal data outside Switzerland for the Headquarter and  the European Economic Area (“EEA”) for our Luxembourg Branch, as mentioned in section 3 a) hereof, and ii) as otherwise consented by you from time to time. Subject to the foregoing, BCP will only do so if required pursuant to a legal or regulatory obligation or by a duly empowered public authority or, more generally, within applicable legal limits.

In such cases, BCP will satisfy itself that an adequacy decision has been adopted by the European Commission or, where applicable, that suitable guarantees are in place (for example: the adoption of standard data protection clauses, adherence to a code of conduct or certification).

 

5. How long do we store your data?

We will retain your personal data for the longer of:

(i) the period required by applicable law; or

(ii) such other period necessary for us to meet our operational obligations, such as: proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests.

We will retain your personal data for the longer of:

Most personal data collected in relation to a specified client is kept for the duration of the contractual relationship with such client plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law. If you would like further information on the period for which your personal data will be stored or the criteria used to determine that period, please contact us by e-mail at the following address: luxinfo@bcp-bank.com.

 

6. What are your rights and how can you exercise them?

You, as data subject, have the following rights:

• to access: you can obtain information relating to the processing of your personal data and a copy of such personal data.
• to rectify: where you consider that your personal data is inaccurate or incomplete, you can require that such personal data be modified accordingly.
• to erase: you can require the deletion of your personal data, to the extent permitted by law.
• to restrict: you can request the restriction of the processing of your personal data.
• to object: you can object to the processing of your personal data, on grounds relating to your particular situation.
• to withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
• to data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically feasible, transferred to a third party.

If you are a customer of our Luxembourg Branch and you wish to exercise the abovementioned rights, you may submit by post a written and signed request or an e-mail, in both cases with proof of your identity (please include a scan/copy of your identity card for identification purpose) to us, addressed to the Data Protection Officer (“DPO”) of BCP as follows:

- by post, to Banque de Commerce et de Placements S.A., Luxembourg Branch, 140 Boulevard de la Pétrusse, L-2330 Luxembourg; or

- by e-mail, at: luxinfo@bcp-bank.com.

If you are not satisfied with the way in which BCP processes your personal data, you may refer the matter to the DPO (using the aforementioned contact details), which will examine the complaint. If you are not satisfied with BCP's reply, you may lodge a complaint with the Luxembourg National Commission for Data Protection (https://cnpd.public.lu/en.html).

 

7. Security note

We have in place appropriate technical and organizational measures to prevent unauthorized or unlawful access to the personal data you have provided to us. As complete data security cannot be guaranteed for communication via e-mails and similar means of communication. In that respect, we would recommend sending any particularly confidential information by an alternative secure means.

 

8. Changes to personal data

We are committed to keeping your personal data accurate and up to date. Therefore, if your personal data change, please inform us of the change as soon as possible. 

 

9. How to contact us

If you are a customer of our Luxembourg Branch and you have any questions relating to our use of your personal data under this Notice, please contact our DPO

• by post, to Banque de Commerce et de Placements S.A., Luxembourg Branch, 140 Boulevard de la Pétrusse, L-2330 Luxembourg; or
• by e-mail, at: luxinfo@bcp-bank.com.

 

10. Status of this Notice

This Notice is a notice explaining what BCP does, rather than a document that binds BCP or any other party contractually. We reserve the right to amend it from time to time.

We invite you to review the latest version of this Notice online and we will inform you of any material changes through our website or through our other usual communication channels.