Note on terminology
For the purposes of this document:
- The term “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- The capitalised terms “Data Controller, Processor, Personal Data” used in this article will have the meaning given to them in the GDPR.
- The term “Customer” refers to the customers (exclusively legal entities) of Arkéa Banking Services.
- The term “Prospect” refers to prospects (exclusively legal entities) that are the subject of direct marketing by Arkéa Banking Services.
- The term “End Customer” refers to customers and prospects, whether natural persons or legal entities, of ABS Customers.
- The term “Group” refers to the companies that are members of the Crédit Mutuel Arkéa group.
Introduction
Arkéa Banking Services ensures respect for privacy and the protection of personal data, in accordance with the regulations in force, and in particular with the GDPR and the French Data Protection Act of 6 January 1978, as amended.
This Policy sets out the conditions under which Arkéa Banking Services collects, processes, stores, archives and deletes the personal data of Data Subjects or its Customers.
In its relations with its Customers, Arkéa Banking Services acts only on a Business to Business (hereinafter “BtoB”) basis. Arkéa Banking Services Customers are exclusively legal entities governed by French law or foreign law with legal capacity. In this context:
- It should be noted that the GDPR does not cover the processing of personal data concerning legal entities;
- It should be noted that, for the services provided to its Customers, Arkéa Banking Services acts solely as a Processor of Personal Data concerning End Customers and that the Customer acts as the Data Controller;
- In its relations with its Customers, Arkéa Banking Services may be required to process Personal Data, in particular data relating to its Customers’ employees (natural persons). In this case, Arkéa Banking Services is the Data Controller.
1. What is Personal Data?
It is any information that directly or indirectly identifies a natural person (e.g. name, address, registration number, telephone number, photograph, date of birth, IP address, etc.).
2. What categories of Personal Data are processed by Arkéa Banking Services?
The main categories of Personal Data processed between Arkéa Banking Services and its Customers are as follows:
- in connection with the contractual relationship as processor:
  - declarative personal data: i.e. data that Arkéa Banking Services may collect directly from prospects and customers or data collected indirectly from third parties with which Arkéa Banking Services has a contractual relationship;
  - personal data relating to the operation of products and services, generated in particular when using online services;
  - personal data from public information, in compliance with the regulations in force (for example: the public part of social networks);
  - personal data inferred or calculated by Arkéa Banking Services (e.g. credit risk assessment);
- in connection with the business relationship, complaints, disputes as data controller:
  - professional personal data of Customers’ employees to allow access to the Information System.
3. What are the purposes and basis for collecting Personal Data?
Arkéa Banking Services processes or sub-processes personal data for the purposes and on the basis shown below.
As processor:
| Purposes | Basis |
| Complete payments: cheque, bank card, bank transfer, transactions on financial instruments. | This processing is done on the basis of legal or regulatory requirements with which Arkéa Banking Services must comply. |
As data controller:
| Purposes | Basis |
|
This processing is done on the basis of a legitimate interest pursued by Arkéa Banking Services (for example, to ensure the security of its premises and infrastructure or to improve its services) without adversely affecting fundamental rights and freedoms. |
|
This processing is done on the basis of a legitimate interest pursued by Arkéa Banking Services or on the basis of the customer’s consent, without adversely affecting the fundamental rights and freedoms of account holders (for example, to improve the company’s results). |
Direct marketing
Personal data collected when entering into a relationship with BtoB customers may be used for direct marketing purposes by Arkéa Banking Services or any company in its Group. If you wish to object to such use, you can contact us by email at contact-abs@arkea.com or by post at the following address: Arkéa Banking Services - Personal Data Protection Officer - 27 rue des murs du parc - bâtiment le bristol - 94300 Vincennes.
Personalisation of the banking relationship
Arkéa Banking Services may take measures to optimise the banking relationship by analysing the Personal Data collected, in particular to offer products and services that meet the needs and expectations of its Customers.
4. Who are the recipients of the Personal Data processed by Arkéa Banking Services?
Arkéa Banking Services is bound by professional secrecy with regard to the Personal Data disclosed to it. However, by transmitting personal information, Arkéa Banking Services Customers authorise the sharing of banking secrecy relating to their data, within the limit of the aforementioned purposes, with legally authorised administrative and judicial authorities (of countries that are members of the European Union or not), member companies of the Group, its service providers and subcontractors.
Arkéa Banking Services is not responsible for the processing of Personal Data which the data subject may have authorised with third parties and which is not shared with them (for example, bank account aggregation applications or social networks). It is the responsibility of the data subject to refer to the data protection policies of such third parties to verify the conditions of such processing or to exercise their rights in respect of such processing.
5. What security measures are taken by Arkéa Banking Services?
Banking regulations require a high level of security and confidentiality with regard to the customer’s personal data. In this respect, Arkéa Banking Services considers all Personal Data concerning the data subject to be confidential data subject to the professional secrecy to which the bank is subject. This data may be transmitted, used or stored in accordance with the security framework described below. Given the nature of Personal Data and the risks posed by processing, Arkéa Banking Services takes the necessary measures to preserve the security of this data and prevent it from being altered, damaged, made inaccessible or accessed by unauthorised third parties. These may include:
- technical measures (for example, data encryption)
- physical measures (for example, building access control)
- organisational measures (for example, dedicated teams trained in information security).
To ensure this level of security, additional security measures such as audit trails may be necessary.
In addition, Arkéa Banking Services educates its employees about Personal Data protection and ensures that they comply with the regulations in force and the company’s code of ethics.
Arkéa Banking Services selects subcontractors or service providers that have sufficient safeguards regarding the implementation of appropriate technical and organisational measures to ensure that data processing meets the requirements of the applicable regulations on the protection of Personal Data.
Prospects, Customers and other stakeholders that interact with Arkéa Banking Services can also contribute effectively to maintaining the level of Personal Data protection by complying with the rules recommended by Arkéa Banking.
If Arkéa Banking Services notes an incident that has an impact on personal data, as data processor, it will ensure that its Customers are informed as quickly as possible, in accordance with the framework imposed by the regulations.
6. How long is personal data stored?
Arkéa Banking Services has established rules regarding the storage periods for personal data.
To determine these periods, Arkéa Banking Services has taken into account the various purposes for which this data is collected, the data subjects concerned, and compliance with the legal, regulatory or professional obligations by which Arkéa Banking Services is bound. These periods do not exceed that which is strictly necessary for the proper performance of the processing.
7. What rights does the data subject have?
Data subjects have specific rights to their data, such as the right of access, rectification, objection, restriction, erasure and portability of their Personal Data. Data subjects also have the right to give advance instructions concerning the storage, erasure and disclosure of their Personal Data after their death. Finally, data subjects have the right to file a complaint with the competent authority.
How do I exercise my rights?
| | By post to the following address: Arkéa Banking Personal Data Protection Officer - 27 rue des murs du parc - bâtiment le bristol - 94300 Vincennes (1) | By email to the following address: contactabs@arkea.com (2) |
| Right of access | X | X |
| Right to rectification | X | X |
| Right to object (particularly to direct marketing) | X | X |
| Right to erasure (or right to be forgotten) | X | X |
| Right to portability | X | X |
| Right to restriction (3) | X | X |
(1) For this channel, proof of identity must be attached to your request.
(2) For this channel, enhanced security measures are implemented.
(3) For this right, please indicate the processing concerned and the reason for your request.
For the exercise of the right to portability, Arkéa Banking Services will return the declarative data, i.e. data that Arkéa Banking Services may collect directly from the data subject or data collected indirectly from third parties with which Arkéa Banking Services has a contractual relationship. Data related to the operation of products and services, personal data from public information and personal data inferred or calculated by Arkéa Banking Services will not be returned.
A request to exercise the right to object may be made by the data subject for processing based on a legitimate interest or a task carried out in the public interest. The data subject must specify the reasons for his or her request. However, the right to object to direct marketing may be exercised by the data subject at any time without the data subject having to justify their request.
A request to exercise the right to be forgotten may, in certain cases, not be successful for regulatory or contractual reasons.
To meet the requirements of the GDPR, Arkéa Banking Services has appointed a Data Protection Officer (DPO). Its role is to inform and advise Arkéa Banking Services on all matters relating to the protection of personal data. It ensures compliance with regulations on the protection of personal data within the Group. It is also the contact person for the CNIL, the supervisory authority, for any question relating to the management of personal data.
The data subject can contact our DPO at the following addresses:
- protectiondesdonnees@arkea.com;
- the Data Protection Officer - Crédit Mutuel Arkéa - 29808 Brest Cedex 9
