Privacy Notice

The protection of your privacy is extremely important to BNP Paribas Fortis. We undertake to protect and process your personal data in strict compliance with the law, and to make sure you have the latest information. The purpose of this privacy notice is to fully inform you about this topic and to explain how we collect, use and store your personal data. The contractual provisions we agreed with you remain unchanged.

We invite you to take the time to read this notice in order to become aware of how we handle this subject. You may object to the processing of your data, as explained in Chapter 6 of this notice.

1. What does this notice cover?

A. What does "processing your data" mean, and who is the controller?

"Processing" means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.

BNP Paribas Fortis SA/NV, with its head office at Montagne du Parc/Warandeberg 3, 1000 Brussels is responsible for processing the personal data it deems necessary to process.

We are therefore the party whom you, as well as the supervisory authorities (for example the Privacy Commission), should contact for any questions you may have relating to the way our bank uses your data.

For some services, we rely on specialised partners which, when necessary, act as processors. They therefore have to follow our instructions and adhere to our policy on personal data protection. In some other cases, these partners may also act as joint controllers for processing data and must comply with their own legal obligations in this area.

We ensure that our partners receive only the data that are strictly necessary to perform their contractual duties.

Examples of usual partners in the financial sector:

• SWIFT (global messaging system);
• VISA, MasterCard and Atos Worldline;
• (sub)-custodians of financial instruments;
• clearing houses.

We also act as a processor for other entities which may or may not belong to the BNP Paribas Group. In this case, those entities act as controllers for processing personal data. We are thus only following their instructions.

B. To whom is it addressed?

Those affected by this notice are:

• all present customers and prospects of BNP Paribas Fortis who are natural persons;
• all other natural persons who are involved in any transaction with our bank as guarantors or representatives of our customers, whether private individuals or legal entities (for example company directors, agents, legal representatives, other contact persons).

This notice does not affect:

• legal entities.

C. What data are covered by this notice?

The data covered by this notice are personal data of natural persons, which means any data that directly or indirectly enable the person to be identified.

Whenever you interact with BNP Paribas Fortis, we may collect various personal data:

• identification data: your name, address, date and place of birth, picture, account number, phone number, e-mail address, IP address , profession, household composition, etc.;
• the data needed to execute a contract: your salary, the value of your real estate, etc.;
• transactional data: data relating to your banking transactions, comprising account names and numbers, communication, and more generally, any data about a deposit, transfer or withdrawal, etc. which took place on your bank accounts;
• data relating to your behaviour and habits when using our channels: our branches, our internet websites, our apps for tablet and smartphone, etc.;
• data relating to your preferences and interests, which you directly or indirectly provide to us, for example by taking part in competitions or events that we organise, your real estate projects, your hobbies etc.;
• data from third parties;
• data from your interactions on our social media pages.

In accordance with the law, we will not process any sensitive data, namely those relating to

• racial or ethnic origins;
• political opinions;
• religion or beliefs;
• trade union membership;
• genetic features;
• health;
• sex life;
• criminal convictions or related security measures;
• biometric data.

If we had to process this type of data, we would always request your prior consent.

D. Which legislation applies in Belgium?

The protection of your personal data is covered by the law of 8 December 1992 (known as "The Privacy Law") and its implementing royal decrees. We undertake to comply with our obligations and respect your rights whenever we process your data. If you wish to learn more about this subject, we advise you to visit the Privacy Commission's website.

2. When are your personal data collected?

Some of your data can, in particular, be collected by BNP Paribas Fortis:

• whenever you become a customer;
• whenever you register to use our online services (each time you log in or each time you use them);
• whenever you fill in forms and contracts that we send to you;
• whenever you use our services and products;
• whenever you subscribe to our newsletters, reply to our invitations (conferences, etc.);
• whenever you contact us via the various channels we offer you;
• when your data are published or transferred by:
  • authorised third parties (Belgian Official Gazette, agents or brokers, companies that belong to our Group);
  • professional data providers;
• whenever you are filmed by our surveillance cameras located in or near our branches/premises. These images are recorded solely for the purpose of protecting property and people’s safety, and for preventing abuse, fraud or other criminal activities from which our customers and ourselves could also become victims (the presence of the cameras are indicated by stickers with our contact details).

3. For which purposes are your data processed?

We process your personal data for different purposes. For each processing, only the data that are relevant to the intended purpose will be processed.

Generally, we will use your personal data either:

• whenever we have obtained your consent;
• as part of performing a contract or taking pre-contractual steps;
• in order to comply with all the legal and regulatory provisions that govern us; or
• for reasons relating to the legitimate interests of the bank. When we carry out this type of processing, we always seek to maintain the balance between this legitimate interest and the protection of your privacy.

You will find below a more detailed explanation of the purposes we are pursuing:

• prevention of money-laundering and the financing of terrorism, compliance with legislation relating to embargoes;
• implementation of MiFID legislation;
• fight against tax fraud (international conventions on assistance and exchange of information including FATCA, AEOI and others);
• reply to an official request from a public or judicial authority with the necessary authorisation;
• provision of banking services;
• proof of transactions (for example an order to buy securities);
• prevention of abuse and fraud:
  - we process and manage contact and security data (card reader, password, etc.) in order to validate, track and ensure the security of transactions and communications made over our remote channels;
  - we use security cookies on our websites;
• supply of services and products using processors (for example Atos Worldline for credit card transactions);
• training of our staff by recording some phone calls to our call centres;
• tracking of our activities (measuring sales, number of appointments, number of calls, visits to our website etc.);
• improvement of our existing products and services (or those under development) by means of customer and non-customer surveys, statistics, tests, comments that you send us directly or that you publish on our YouTube, Twitter and Facebook pages, etc.;
• improvement of the quality of personal service to our customers:
  - we segment our customers in order to provide them with the most appropriate service. This segmentation involves, in particular, customers' professional activities (so a doctor would be advised by a specialist in the liberal professions), banking needs (an investor will always be able to contact one of our investment experts), the value of the assets to be managed (from a certain wealth level, customers are offered our private banking service);
  - we take into account your preferences in terms of means of communication (phone, e-mail, etc.);
  - we review the frequency of our contacts with you in order to keep them at a reasonable level;
• definition of your credit risk score (risks of defaulting on repayment, etc.). For this purpose, we use statistical models that identify the major risk factors based on the bank's lending history;
• direct marketing relating to banking, financial or insurance products, or other products that we promote or that are promoted by companies that form part of the BNP Paribas Group.
  In order to provide you with relevant products and services,
  - we make sure that our offers match your family situation and the products or services that you already hold, by reviewing the products that you use and your sociodemographic data (age, household composition, income, etc.), for example family protection insurance for families with children who do not have insurance yet;
  - we analyse your behaviour in the various channels (visits to our branches, e-mails or messages opened in Easy banking, visits to our website, etc.) in order to draw conclusions about your preferences (which channel you use most, for example) and to incorporate this by personalising information, the website pages you visit and online advertising;
  - we analyse your potential needs in relation to the use of a product or service in order to optimise our product range (for example, the type of current account);
  - we evaluate key moments when specific financial products and services might be relevant and commercially appropriate. For example, you open an account for your two-year-old child, and we suggest you might wish to subscribe to a family protection insurance to cover any third-party liability;
  - we evaluate your interest in a product or service based on certain identified characteristics within our customer base, applied anonymously (age, lifestyle, assets, income, etc.). This is mainly done by developing predictive models that use anonymised data from previous purchasers of the same products and services, which enable us to determine the offers most likely to be of interest to you;
  - we monitor transactions to identify those which deviate from the normal routine (for example, you receive a large amount deposited into your bank account). We can then contact you and offer you appropriate products and services (for example, suggest an appointment to discuss investment opportunities suited to your profile);
  - we enrich our database with the assistance of external specialised companies;
  - we improve the usability of the tools and channels of communication we offer you by automatically filling in some data that we already hold (first name, surname, address, etc.) and by then asking you to confirm them;
  - we listen to the signals you give us indirectly about a particular service or product, for example when you take part in a competition or an event linked to a given service or product (for example, Batibouw trade show and your interest in a mortgage loan);
  - we contact you if you carry out a simulation on our website (for example, for a loan to purchase a vehicle);
  - we will send you personalised information following the processing of data described above.

4. How do we protect your data?

Access to your personal data is only granted to people who need it in order to perform their mission. They are required to apply strict professional discretion and must comply with all the technical instructions foreseen to ensure the confidentiality of personal data.

We have set up technical processes and specialised teams who are dedicated to the protection of your personal data. By so doing, we want to prevent any unauthorised person from gaining access to, processing, altering or deleting said data.

Here is some advice on how to keep your data secure:

• Try to always use the most recent version you can of the operating system on your computer. Change it before the provider stops issuing updates and supporting a given operating system.
• Take care to always apply all the (security) updates for your operating system. You can also automate this procedure.
• Always use the most recent version of your browser (Internet Explorer, Firefox, etc.). Here as well, always make sure you install the security updates.
• Make sure that a firewall is activated on your computer to keep a constant check on incoming and outgoing information flows.
• Install a quality antivirus program on your computer. Viruses can seriously damage your computer. Moreover, they can compromise the security of your PC banking. Make sure you keep your antivirus up to date at all times, preferably each time you log in.
• Do not give viruses any chance of getting onto your computer. When buying on-line, only visit the websites of well-known and reputable vendors. Avoid websites or networks that illegally distribute programs, music, films, etc.
• Remember to regularly carry out a full scan of your computer with a fully up-to-date antivirus program.
• Secure your wireless (Wi-Fi) connection, preferably using a WPA2 key.
• Set up your keyboard to lock automatically if your device remains inactive for more than a few seconds, and set a PIN number to then unlock it. Do not use obvious words or numbers, and create a good mixture of numbers and letters.
• Never leave your device unattended.

Our websites may sometimes contain links to third-party websites (social media, organisers of events that we are sponsoring, etc.) whose conditions of use fall outside the scope of this privacy notice. We therefore recommend that you read their privacy notice carefully, to find out how they protect your privacy.

5. Who has access to your data and to whom are they transferred?

The people who are authorised to access your data are specifically defined depending on their role.

We transfer your data to our staff, associated companies and those that are part of the group to which we belong, for the same purposes as those listed in point 3. We do not transfer your data to third parties outside the BNP Paribas Group for commercial use unless we have received your explicit prior approval.

As far as international transfers are concerned, we also make sure we protect your personal data applying the level of security required by European legislation. If we transfer your data outside the European Union to a country that cannot guarantee this level, we increase the IT security and add contractual clauses which are intended to increase their protection. We also inform the Privacy Commission.

6. What are your rights and how can you exercise them?

A. Right to access, rectify and erase

You have the right to access your data. You can ask us:

• if we are processing your personal data or not;
• for what purpose we are processing them;
• what categories of data are being processed;
• to what categories of recipients they are being transferred;
• where the data being processed came from;
• what the basic logic is for the automated processing of some of your personal data.

If you discover that your data are inaccurate or incomplete, you can ask us to rectify them. In some very specific cases, the law also allows you to have them erased or restricted.

In the interests of keeping your data properly up to date, we ask you to inform of us of any change (moving house, renewing your identity card, for example).

B. Right to object to the processing of your data

You have the right to object to some processing of your personal data that we may want to carry out. In particular, you have the right to object, without giving any reason, to the use of your data for direct marketing purposes.

However, this right can only be exercised under certain conditions:

1. Your request must be dated and signed.
2. For other cases than objecting to direct marketing, you need to have serious and legitimate reasons relating to your specific situation in order to object to processing being carried out. In the case of a valid objection, said processing will no longer be permitted for these data.
3. However, you cannot object to processing that is necessary:

• for the performance of a contract agreed upon with you or the execution of pre-contractual steps taken at your request; or
• for compliance with legal or regulatory provisions that apply to us.

C. Right to object to a channel of communication used for marketing purposes (direct marketing)

Even when we have the right to process your personal data, we will ask for your explicit consent to use electronic messaging (e-mail, SMS, etc.) for marketing purposes.

When sending marketing messages by SMS or e-mail about products that have no connection with those you already hold, we are required to ask for your explicit consent. You can change your mind at any time by replying to the SMS or e-mails we have sent.

The marketing offers sent by post or communicated by telephone are not subject to the same prior consent. But again, you can object to them:

• by contacting us through our usual channels, as mentioned in the section below;
• for advertising sent by post: by registering on the Robinson list;
• for advertising by phone: by registering on the Do not call me list.

If you wish to start receiving our marketing information again, you can inform your branch.

We do however reserve the right to keep contacting you electronically for the performance of your contract or if required by law.

D. Whom should I contact?

In order to exercise your rights, all you need to do is contact your branch.

In relation to your right to access, you can send us your signed and dated request, together with a copy of your identity card. Please be as accurate as possible:

• by post to
  BNP Paribas Fortis SA
  Data Protection and Privacy Office – 1MA4B
  Montagne du Parc/Warandeberg 3
  1000 Brussels
• by e-mail to privacy@bnpparibasfortis.com

In case of disagreement relating to the processing of your personal data, you can submit a request for mediation to the Privacy Commission at the following address:

Privacy Commission
Rue de la Presse 35
B-1000 Brussels
Tel.: +32 2 274 48 00
E-mail: commission@privacycommission.be

7. How long do we store your data?

We may not keep your personal data for longer than what is necessary for the processing for which they were collected. In practice, we differentiate between a retention period and an archiving period.

• The retention period is the maximum period during which we use your data for specific processing. When this period expires, your data are deactivated. The data relating to prospects, for example, are kept for a maximum of one year, depending on the lifecycle of the project for which they were collected (a project to buy a car, for example, would have a shorter retention period than the one to buy real estate). Some personal data have very short retention periods. This is particularly the case for images recorded by surveillance cameras (CCTV) which are generally kept for a month.

• The archiving period is determined by our legal obligation or the legal requirement to keep your data beyond the retention period for evidence purposes. The archived data are only accessible for reasons of proof in justice, control by an authorised body (for example, the tax authorities), internal audit, etc. The archiving period may vary depending on the circumstances, and may sometimes be lengthy (data relating to a mortgage loan, for example, are archived for thirty years).

8. Your use of our websites and of our mobile apps

Regarding our internet website: If you are not a customer and you visit one of our websites, you agree that we use the data generated during your visit. For more information, please consult the general terms of use of our websites.

Besides the data that you voluntarily provide us with whenever you use our websites, we also use the following technological means to collect data:

A. Cookies

A cookie is a small file sent by the server at our bank to the hard disk on your computer, tablet or smartphone, which allows us to identify your device for navigation.
In particular, we use functional and performance cookies. To find out more, please read our cookie policy.

B. Other technological means

Besides cookies, we sometimes use other technological means for statistical purposes. For example, web beacons or action tags count the number of visitors coming to our website or our apps after seeing our advertising on a third-party site. The only purpose of these beacons is to assess how successful our marketing campaigns are, not to access any of your personal data.

We also use technologies such as pictures or QR codes which are read by a picture reader installed by Shazam. When you scan them on our website, we do not collect your personal data, only the information on how you accessed said website.
The app that lets you read these pictures or QR codes does not belong to the bank. We therefore advise you, before any download, to find out about the privacy policy for data collected by the third party.

9. BNP Paribas Fortis and the Group

BNP Paribas Fortis SA/NV is a bank that sells a comprehensive range of financial services on the Belgian market to private individuals, self-employed, those in liberal professions, and SMEs. It has 3 separate brands with different specificities: BNP Paribas Fortis, Hello bank! and Fintro. We also offer specialised solutions to wealthy individuals, large companies and public and financial institutions. Our registered office is at Montagne du Parc/Warandeberg 3, B-1000 Brussels.

Since May 2009, we have been part of the BNP Paribas Group, which is present in many countries, both in Europe and worldwide.

10. How can I keep up with changes to this privacy notice?

In a changing world, where technology never stands still, this privacy notice may be subject to amendments. We invite you to review the latest version of this notice online and we will inform you of any changes through the website or other usual communication channels.

Last update: February 26, 2016