Regional branch data protection policy
Why do we have a “Data protection policy” and why are you concerned?
This Policy applies to “you” for one or more of the following reasons:
- you are a “Customer”: we are or have been in direct contact with you in your capacity as a natural person customer of the Regional Bank. In this case, you have signed one or more contracts with us.
- you are an “Intermediary”: we process your data if you are in contact with us through one of our Customers, whether a natural or legal person. For example, you may be a Customer’s representative, agent, guarantor, beneficiary, beneficial owner, the instructing party or beneficiary of a transaction, a member of their tax household, a shareholder or a partner.
- you are a “Prospect”: your personal data are processed although you do not have an established contractual relationship with us.
How do we collect your personal data?
We collect your personal data through various communication channels, face to face or remotely, and in various ways:
- directly from you when you sign a contract with us, use our services, complete a form or reply card, browse our websites and mobile apps, or when we record telephone or videoconference conversations (for the purposes of having proof of a transaction, staff training and/or improving the quality of our services), etc.
- or indirectly, through our Customers if you are in contact with them
- or indirectly through public and private external sources, which enable us, in compliance with your rights and the law, to know you better (browsing on third-party sites, sponsorship operations, databases, publications made available by official authorities, etc.)
You can obtain additional information about these collection sources in the tables and inventory that can be accessed via this link.
Why do we process your personal data?
In general, the personal data processing we carry out enables us to provide or promote our various products and services. Certain data we collect or process may be required by law or may be necessary to enter into and perform contracts.
We process your personal data based on the following legal bases, as applicable:
- the performance of contracts for products and services that you have entered into with us, in particular your bank account, or pre-contractual measures taken at your request
- our legal obligations
- our legitimate interests or those of third parties, in accordance with your rights
- your consent
- protecting the vital interests of data subjects
We use your personal data primarily for the following purposes (objectives), which are described in greater detail in the tables below:
- managing the day-to-day relationship with Customers, Intermediaries and Prospects concerning our banking, insurance and real estate products and services
- managing claims, disputes, outstanding payments and debt collection
- prospecting and sales promotion
- assessing and managing credit, financial and other related risks
- assessing and managing internal control, for compliance, fraud prevention, financial security and anti-money laundering purposes, and to ensure the safety of people and property
Certain personal data are processed jointly with one or more other controllers. In such case, you will be informed of this joint responsibility, by us and/or the joint controller(s), and youwill also be informed of the procedures for exercising your rights. Additional information is provided in the tables.
Based on your data, including banking operations and transaction data if you are a customer, we may use targeting, profiling or scoring in order to comply with our statutory and regulatory obligations and to manage our risks. The purpose of this processing, consistently with your interests and rights, is also to coordinate our marketing activities, develop new offers, and offer you advice and personalised offers in order to provide you with a higher quality service.
How long do we keep your personal data?
We will keep and process your personal data for the period necessary to achieve the intended purpose. These time periods are explained in greater detail in the tables below.
At the end of these periods, the personal data may be stored in an intermediate archive (i.e. with restricted access) for evidentiary purposes, for a maximum period equal to the duration of the contractual or business relationship, plus the periods necessary to settle and consolidate rights, legal retention periods, and periods of limitation or for exhaustion of legal remedies.
To whom do we transfer your personal data?
As a credit institution, we are bound by professional confidentiality. However, in compliance with our banking secrecy obligations, we may be required to disclose your personal data to certain recipients.
We may therefore be required to provide documents or information that may include personal data to legally authorised authorities. These transfers are carried out in accordance with the “Compendium of ‘authorised third party’ procedures” published by the French Data Protections Authority (CNIL), which may be accessed here >
We may also use sub-processors, which are entities that may or may not be members of the Crédit Agricole Group, to process your personal data on our behalf and in accordance with our instructions, but which are not entitled to use these data for purposes other than performing the operations outsourced.
Your data may also be disclosed to other controllers, which may or may not be members of the Crédit Agricole Group, in particular:
- in connection with the execution of your transactions or to manage your situation, for example to other credit institutions, surety or debt collection companies, or notaries
- in connection with partnerships, to offer you products and solutions tailored to your needs, for example concerning insurance or savings
- for the purpose of managing our business, for example to measure your satisfaction
You can obtain additional information about the recipients of your personal data in the tables and inventory that can be accessed via this link.
How do we process your personal data if it is transferred outside the European Union?
We take great care to ensure that your personal data is processed and stored within the European Union (or in a country whose legislation has been recognised as adequate by a decision of the European Commission in accordance with Article 45 of the GDPR), which is the case for nearly all processing operations.
Data may nevertheless be transferred outside the European Union, in particular in the following situations (you can obtain the contractual clauses referred to below from our DPO):
- carrying out international transactions (transfers, loans, etc.) outside the EU requested by the customer, as well as in banking mobility situations if there are recurring transfers or direct debits for which the recipients or issuers are located in countries outside the European Union. If applicable, such transfers will take place in accordance with the exemption provided for in Article 49(1)(b) of the GDPR for transfers necessary to perform a bank mobility mandate
- preparing and reporting on customer meetings if a technology for transcribing oral exchanges into written form is used The countries concerned may be the United States, Chile, Singapore and Taiwan. The data will be transferred without being stored. These data concern the identity of the customer and the personal information provided during the meeting. Transfers are governed by dedicated contractual clauses (the European Commission’s Standard Contractual Clauses) and security commitments offering the level of guarantees required by European Union law
- the use of service providers in connection with targeting operations for marketing purposes and opinion surveys These are data hosting services provided by US companies. The data concerned are contact details. These data transfers are covered by dedicated contractual clauses (the European Commission’s Standard Contractual Clauses) and security commitments offering the level of guarantees required by European Union law
- the use of internet trackers/cookies for advertising purposes and to gain knowledge about customers/prospects – in which case the user’s consent is systematically required – or for operational purposes, such as audience measurement These services are provided by US companies. The transfers concern connection data. These data transfers are covered by dedicated contractual clauses (the European Commission’s Standard Contractual Clauses) and security commitments offering the level of guarantees required by European Union law
Furthermore, for IT maintenance operations, service providers may occasionally have access to data, but without being entitled to store it. Such access is covered by dedicated contractual clauses (the European Commission’s Standard Contractual Clauses) and security commitments offering the level of guarantees required by European Union law. The countries concerned are the United States, Switzerland, China and Singapore. The data concerned are incident logs and, if necessary, information hosted in the information system.
What are your rights and how can you exercise them?
At any time, in accordance with the requirements and limits prescribed by law, you may:
- access your personal data: you can obtain your personal data and information about the processing of your personal data
- have your personal data corrected: you may request that your personal data be corrected if it is inaccurate or incomplete
- to the processing of your personal data for reasons relating to your particular situation, if the legal basis for the processing is the legitimate interest of the Regional Bank or third parties (unless the Regional Bank proves that there are legitimate and compelling reasons for such processing that prevail over your interests, rights and freedoms, or to establish, exercise or defend rights in legal proceedings)
- at any time and without justification, to the processing of your personal data for direct marketing purposes by the Regional Bank or third parties
- request the erasure of your personal data: you may request that your personal data be deleted, particularly if the data are no longer necessary for the purposes for which they were collected, with the exception, in particular, of processing necessary to comply with a legal obligation or to establish, exercise or defend rights in legal proceedings
- request that processing be restricted: you may request that the processing of your data be suspended or restricted
- exercise your right to data portability: if processing is automated and based on consent or the performance of a contract or pre-contractual measures, you may request the return of the personal data that you have provided to us and/or that they be transferred to a third party
- provide instructions about what should be done with your personal data after your death: you may provide instructions about the retention, deletion and disclosure of your personal data after your death.
Lastly, if the legal basis for processing operations is consent, you may withdraw your consent for the future and thus put a stop to the processing of your data. However, withdrawing consent will not call into question the lawfulness of processing operations carried out before then.
If you wish to exercise any of your rights, simply write us, indicating the right(s) you wish to exercise and provide us with any information that may be necessary to identify you (identity document, contract number, etc.), by email to the following address: email@example.com, or send us a signed letter by ordinary post to: Service Client du Crédit Agricole Normandie, 15 esplanade Brillaud de Laujardière - CS 25014 - 14050 CAEN CEDEX 4. Please note that, depending on the situation, exercising some of these rights may prevent the Regional Bank from providing certain products or services.
The Regional Bank has appointed a Data Protection Officer, whom you may contact at the following addresses: Caisse Régionale de Crédit Agricole Mutuel de Normandie - DPO, 15 esplanade Brillaud de Laujardière - CS 25014 - 14050 CAEN CEDEX 4 / firstname.lastname@example.org. In the event of a dispute, you may submit a complaint to the French Data Protection Authority (CNIL), whose website can be accessed at the following address: http://www.cnil.fr, and whose main office is located at 3 Place de Fontenoy, 75007 Paris.