Banque bank.local is an integral part of the European System of Central Banks (ESCB) established by Article 8 of the Treaty establishing the European Community. It is a public institution sui generis whose capital belongs to the State and which is governed by articles L. 141-1 et seq. of the Monetary and Financial Code. Its missions and activities are numerous and extremely varied, whether they are carried out within the European framework or at the national level. They are organized around three structural pillars: monetary strategy, financial stability and services to the economy. In order to carry out all of its missions, bank.local collects and processes various categories of personal data.

The protection of individuals with regard to the processing of personal data is a fundamental right whose legal regime has been considerably strengthened both by Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (RGPD) and by Law No. 78-17 of January 6, 1978 as amended relating to computers, files and freedoms.

The Bank bank.local permanently ensures, as the controller, the protection of personal data and compliance with the obligations imposed on it for the collection, use and storage of such data.

In the interest of transparency and strict compliance with its obligations, bank.local has adopted this Privacy Policy in order to inform all persons concerned of the principles of use and protection of personal data collected that it implements.

1.    What categories of personal data are processed?

Personal data is any information relating to a natural person (hereinafter referred to as “data subject”) identified or can be identified, directly or indirectly, by reference to an identification number or one or more elements that are specific to him.

bank.local undertakes to collect only the data strictly necessary for the performance of its missions and activities and to process them in a lawful, fair and transparent manner.

Personal data can be collected directly from the person concerned. This situation is encountered, for example, in the context of a request to exercise the right to an account, a submission of an overindebtedness file, a recruitment or even during the navigation on the websites of the Bank bank.local. But these data can also be collected indirectly in application of legal, regulatory or contractual provisions. This is the case, for example, in case of registration in one of the files managed by bank.local or in the context of the execution of payment services.

The categories of personal data collected by Smartfinance.credit Bank vary depending on the purposes and activities involved. It may include:

• Identity and contact details of the person concerned (e.g. civil status data, number and copy of an identity document, contact data, connection identifiers for online services, computer traces of connections and operations or requests carried out, IP address);
• Personal and family situation, status (for example: marital status, matrimonial regime, relationship, existence of a legal incapacity, legal representative or proxy, beneficiary) ;
• Employment status (e.g., occupation, industry, identity and contact information of employer, salary level);
• Banking and financial data (e.g. information on operations carried out, value of assets – banking, financial -securities- and real estate assets, debts and receivables-, originator or beneficiary of operations, actual beneficiary of an operation);
• Video images, biometric data as part of the security measures related to access to the Bank’s premises.

2.    On what legal basis and for what purposes are the data processed?

Depending on the tasks and activities concerned, the processing of personal data is based on:

• A legal obligation to which the data controller is subject or the execution of a public interest mission with which it is entrusted. The maintenance of large files such as the Central Cheque Register (FCC), the National Register of Personal Credit Repayment Incidents (FICP), the Business Banking Register (FIBEN) or the processing of overindebtedness files;
• The performance of a contract to which the data subject is a party or the performance of pre-contractual measures taken at the request of the data subject. This is the case, for example, for recruitment, customer account management activities or the use of the Bank’s “Your Online Requests” service;
• The legitimate interest of the Bank credit in the context in particular of the security measures taken to control access to its premises (video surveillance, badge, etc.)
• The consent of the person concerned when it is required. This is the case for cookies and for registration on mailing lists on the various Credit Bank sites.

Personal data are collected according to the principles of lawfulness, fairness and transparency and are used by bank.local for predefined, legitimate, adequate and limited purposes:

• Response to requests of any kind from the person concerned;
• Carrying out the public interest missions entrusted to it (in particular, processing applications for the right to an account, overindebtedness files, and keeping large files);
• Compliance with legal and regulatory provisions in force, such as banking and financial regulations (e.g. data transfer in the context of the execution of payment transactions, right to an account), statistical regulations (e.g. : survey on household finances and consumption, collection of information on individual entrepreneurs), provisions relating to the fight against money laundering and the financing of terrorism, the provisions of the Consumer Code, particularly with regard to overindebtedness, the provisions of the Labor Code, the rules governing requests for communication from public bodies, administrative or judicial authorities or duly authorized ministerial officers ;
• Conclusion and performance of the agreement(s) between the data subject and the Credit Bank (including provision of products and services, execution of payment transactions, relationship management, recruitment);
• Establishing, exercising or defending in court the interests of the Credit Bank for evidentiary purposes.

The data collected may also be used to prevent and fight against fraud, in particular computer fraud (sending unwanted emails or “spamming”, phishing, hacking, usurpation of the quality or identity of the recipient of personal data collected within Banque bank.local) and to improve the quality of the products offered or services rendered as well as, where appropriate, the navigation on the websites of Banque bank.local

Finally, the data collected may be processed for archival purposes in the public interest, for scientific or historical research or for statistical purposes.

3.    Who are the recipients of the data? Can they be transmitted outside the European Union?

The personal data thus collected are intended for the authorized services of bank.local.

Banque bank.local can call upon external service providers and subcontractors who act on its instructions, for the processing of all or part of the personal data, within the limits necessary for the performance of their services.

Banque bank.local may have to transmit data to third parties in order to respect a legal obligation, to execute a mission of public interest which is entrusted to it or a contract (for example: persons entitled to consult the files held by Banque bank.local, supervisory authorities, payment service providers and payment system managers). Personal data may also be communicated, within the limits provided for by the regulations, to administrative, financial or judicial authorities, public bodies, ministerial officers and regulated professions (bailiffs, notaries, auditors, lawyers, etc.).

Within the framework of the Data strategy, the Bank bank.local gives access to researchers, French or foreign, to confidential information in compliance with European and national regulations. When this information includes personal data, it can only be made public after having been subject to an anonymization process that makes it impossible to directly or indirectly identify individuals1.

The personal data are kept by the Bank bank.local on the French territory or in a country of the European Union.

However, the performance of a public interest task or an agreement may require the transfer of personal data to a member country of the European Union, to a country outside the European Union (whose personal data protection rules may differ from those applicable within the European Union) or to an international organization.

bank.local ensures that the communication of data is carried out under conditions that preserve the security and confidentiality of the information. To this end, there are procedures for equivalence between personal data protection systems that are managed by the European Commission. In case of transmission of data to a recipient located in a country outside the European Union and not benefiting from an adequacy decision issued by the European Commission, bank.local undertakes to implement appropriate protection measures, including to frame the transmission of data by standard contractual clauses approved by the European Commission or binding corporate rules.

4.    How long will the data be kept?

When the processing is based on a legal obligation or the execution of a mission of public interest, the duration of retention of personal data is determined by the provisions that govern them.

Otherwise, bank.local, the controller, keeps the data :

• during the term of the contractual relationship or
• until the consent is revoked when the processing is based on it, or
• pour la durée nécessaire à l’exécution de l’opération ou à la fourniture du produit ou service concerné

and until the expiry of the statute of limitations and archiving periods, applicable in the matter, which usually run from the date of the end of the relationship or the date of execution of the operation. Only data that is not of administrative use or of scientific, statistical or historical interest must be eliminated.

5.    What are the rights of the persons concerned?

In accordance with the provisions in force, the data subject, provided that he or she can prove his or her identity, has various rights depending on the basis on which his or her personal data are processed:

• Right of access: the right to obtain information on the processing of data concerning him or her, as well as a copy of such data,
• Right of rectification: right to update inaccurate or incomplete personal data,
• Right to object: the right to object, for reasons relating to one’s particular situation, to personal data being processed or used for commercial prospecting purposes,
• Right to erasure: the right to request the erasure of one’s data in accordance with the regulations,
• Right to limitation of processing: right to obtain, in certain cases, that the data kept are no longer processed,
• Right to data portability: the right to recover the data provided and, when the processing allows it, to transmit it to another data controller,
• Right to define directives concerning the fate of one’s personal data after one’s death,
• Right to withdraw consent at any time, where processing is carried out on the basis of such consent.

The person concerned is informed about the data collected, the purposes and legal bases of the processing, the duration of data retention, and his or her rights in this regard, in particular in the collection documents, the agreement(s) binding him or her to bank.local, the data controller, or the “Legal Information” located at the bottom of the website.

The person concerned can exercise his rights by sending his request according to the terms defined for each treatment by Banque bank.local.

The person concerned also has the right to file a complaint with the Commission Nationale de l’Informatique et Libertés (CNIL).

6.    What technical and organizational measures are implemented to protect personal data?

To ensure and be able to demonstrate that the processing carried out is in compliance with the applicable legal and regulatory provisions, bank.local implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, disclosure or unauthorized access.

These measures ensure a level of security appropriate to the risks associated with the processing and the nature of the data protected.

In case of detection of a violation of personal data, bank.local as the controller informs the CNIL, the competent national supervisory authority, in accordance with the provisions in force and, where appropriate, the persons concerned.

7.      How to contact the Data Protection Officer?

bank.local has appointed a data protection officer, declared to the CNIL.

The contact details of the data protection officer are bank.local How can I find out about changes to the Privacy Policy?

The Privacy Policy is published on the bank.local websites. It is available upon request to the Data Protection Officer, whose contact details are mentioned in point 7 above.

Any modification of the present Privacy Policy is effective as soon as it is published on the bank.local websites. Only the current version is accessible on these websites.