PERSONAL DATA PROTECTION CHARTER.
1 July 2018
We recommend that all persons concerned read the present document (hereafter the “Charter”) carefully.
The French Banking Federation (hereafter the “FBF”) places great importance on protecting the personal data it collects.
The present Charter stipulates the conditions under which the FBF collects and processes personal data on its website (www.fbf.fr) (hereafter “the FBF Website”), and the methods it uses to do so, as well as the services it provides (“Services”).
The FBF may change the provisions of the Charter at any time, it being specified that any rollback in the rights of concerned data subjects will not be applied without their prior consent. We will thus publish updated versions of the Charter on the FBF Website and send email alerts to the data subjects, thereby giving them an opportunity to consult them. In general, the Charter is easily accessible from the various pages of the FBF Website.
The Charter does not apply to services provided by third parties operating websites for FBF partners or other websites accessible via our services. The FBF is not liable for the way in which third parties use personal data.
2. Compliance with applicable legislation
The processing of personal data by the FBF in the provision of its Services is notably subject to EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of such data (otherwise known as “GDPR”) and also to the modified French law n°78-17 of 6 January 1978 on computers, files and freedoms (known as the Law on Information Technology and Civil Liberties) (hereafter “Personal Data Protection Regulations”).
For the purposes of the present Charter, the following terms are given the meaning assigned to them under the GDPR: “personal data”, “processing”, “controller”, “subcontractor”, “data subject”, etc. On this basis, personal data is defined as any information relating to a natural person that directly or indirectly identifies them, such as a surname, a first name, an email or postal address, a telephone number, an online identifier, or a password, etc. (hereafter “Personal Data”).
In addition, in its capacity as controller, the FBF is committed to fulfilling its obligations under these Personal Data Protection Regulations. For this purpose, the FBF notably keeps an up-to-date register of processing activities listing the required information.
3. Processing of Personal Data and Purpose of Use
The FBF conducts the following data processing operations: direct and indirect data collection, consultation, usage, storage and other operations required for the provision of its services.
The Personal Data is collected and processed in accordance with explicit and legitimate predefined purposes and is not processed at a later stage in a manner incompatible with these purposes. The purposes are as follows:
– Answering requests for information
Contact forms are made available to visitors on the FBF Website, enabling them to ask questions and find out more about the services it provides. The data collected from these forms is only used to reply to visitors’ questions.
The FBF can provide anyone who so desires with updates on banking sector news, banking services (savings, loans, etc.), applicable regulations, the FBF’s activities, as well as on working groups or events that the FBF organises or sponsors etc. This information may be issued via newsletters, email alerts, information letters, press releases, guidelines, activity reports, etc. These are sent either by email or post.
The news is published free of charge, as is all information on events promoted by the FBF. In order to receive several news sources, the person must subscribe to each one individually. Any Personal Data gathered is used solely for the purpose of providing the data subject with the news in question. It is not used for other services provided by the FBF.
– Fulfilling our missions (e.g. following up press relations);
– Improving our quality of service;
– Ensuring Personal Data security (e.g. prevent digital identity theft);
– Resolving any disputes or problems arising from the use of our Services.
Your Personal Data will not be used for any purpose other than those expressed above without your express prior consent. The FBF undertakes not to access or use Personal Data for purposes other than for the provision of its Services or as stipulated in any contract agreed between the data subject and the FBF.
4. Personal Data Categories and Data Subjects
In general, the FBF undertakes to collect and process Personal Data that is adequate, relevant and restricted to the information required to fulfil the purposes for which it is being processed. This Personal Data can be collected either directly by the FBF or indirectly via third parties.
The FBF does not collect sensitive Personal Data within the meaning of the GDPR. At most, and depending on the Service concerned, this will involve data required to:
– File information requests: surname, first name, email address when the data subject contacts the FBF via the online contact form;
– Receive news: email address, when the data subject subscribes to the news service provided on the FBF’s Websites;
– Gain access to other FBF services or to enable us to fulfil our missions: surname, first name, email address (e.g. for managing press and institutional relations).
In addition, cookies or other trackers may be placed on the data subject’s hard drive when they browse the FBF’s Websites (see section 9 hereunder).
The data subjects concerned by the collection and processing of Personal Data have varying profiles: natural or legal persons, subscribers, professionals, retired people, students, journalists, members of Cabinet, social welfare groups, etc.
5. Duration of Personal Data Storage
The FBF undertakes to only store Personal Data for as much time as is strictly necessary to process the information in respect of the goals listed above, and in any event, within the limits imposed by applicable laws and regulations.
The FBF therefore undertakes to, for instance:
– Collect and process data required to answer requests for information
This Personal Data is stored for six months after the end of any exchanges resulting from the initial request to enable the FBF to track these exchanges in the event the same person files a fresh request.
– Collect and process data for the publication of news articles
This Personal Data is stored until such time as the data subject cancels their subscription with the FBF. In that case, the Personal Data regarding the data subject will be deleted automatically.
– Collect and process data required to provide access to other services or fulfil the FBF’s missions
Depending on the individual case, the Personal Data is stored for one (1) year starting from when the data subject has stopped using the service or during the time needed to fulfil the FBF’s mission, unless the data subject expressly requests that the data be deleted.
However, the FBF may store some Personal Data for longer periods in order to fulfil various obligations (e.g. for accounting and tax purposes), within statutory periods of limitation, and to reply to any requests for information it receives from authorised third parties (tax authorities, police, etc.).
6. Confidentiality and Data Sharing
The FBF ensures that employees authorised to process Personal Data under Contract are bound by a duty of confidentiality and are fully aware of the need for Personal Data protection.
The Personal Data gathered will under no circumstances be transferred or sold to third parties without the express prior consent of the data subject.
Where required, Personal Data may be transferred to third-party service providers involved in the provision of our services (e.g. providers of technical and hosting services, customer tracking and customer satisfaction surveys, security incident or fraudulent activity management services, etc.). The FBF undertakes to only transfer the Personal Data it gathers to authorised and trusted third parties, which use that data on our behalf in accordance with our instructions and the present terms and conditions.
Furthermore, the Personal Data may be disclosed to a third party in the event that the FBF is obliged to do so by law, a regulatory provision, or a court order, or where disclosure is required for the purpose of an investigation, injunction or legal proceedings, either in France or abroad. Similarly, we may share the Personal Data gathered with third-party consultants or other persons in order to apply the present Charter, including for the purposes of identifying any potential breach of the latter and to defend the FBF’s rights, property and safety and the Personal Data, in accordance with and respect of the law.
7. Security of Personal Data
a) Measures and guarantees provided by the FBF
The FBF ensures a standard level of security in protecting Personal Data from any accidental or illegal incidents, accidental loss, alteration, dissemination or unauthorised access, and against all forms of illegal processing or the provision of such data to unauthorised persons.
To that end, the FBF and its technical service providers have implemented the appropriate measures (physical, technical and organisational) to ensure the integrity and confidentiality of Personal Data, notably:
– A logging system and dedicated equipment protection;
– Workstation security for all FBF employees (locking system, anti-virus, firewall, encryption, regular back-ups, etc.);
– Server and website security;
– A user authentication system;
– Authentication management procedure;
– Application of data protection principles, whether in terms of tools, applications or services, as of the design stage and on a default basis;
– A general security policy.
The Personal Data is stored on servers located in France.
In general, and despite all of the security efforts deployed by the FBF, we cannot guarantee that communications and other Personal Data will not be intercepted or disclosed by a third party.
b) Breach of Personal Data protection
In the event the FBF is made aware of an incident affecting the Personal Data it collects (unauthorised access, loss, disclosure or alteration of data), it undertakes to inform the CNIL (National Commission for Information Technology and Civil Liberties) within 72 hours of incident discovery at the latest. In the event of a Personal Data breach posing a high risk to a data subject’s rights and freedoms, the FBF undertakes to inform that person as soon as possible, and in accordance with the terms and conditions provided for in Data Protection Regulations.
8. Rights of Data Subjects
All persons of whom the FBF processes Personal Data shall have the following rights:
– Right of access (e.g. to check the data stored by us and obtain a copy);
– Right of rectification (e.g. to update or correct data that is incomplete or incorrect);
– Right to object, at all times, to the collection and processing of all or part of their data for the purposes of, for example, commercial prospection, including profiling, inasmuch as the latter is connected with such prospection. As such, this right allows the data subject to alter their notification preferences at all times;
– Right to restrict processing (e.g. in certain cases provided for by law, and where the data subject contests the processing of some of their data, that person may demand that usage of their data be restricted while the dispute is managed);
– Right to data portability (e.g. the data subject has the right to recover their data or demand that it be transferred to third-party controllers);
– Right to erasure (e.g. the data subject may demand that their user account be definitively deleted via the extranet);
– Right to not be subjected to decisions based solely on automated processing (including profiling), with ensuing legal effects or significant similar effects for the data subject.
Data subjects may exercise these rights at any given time by sending us their requests by email or by post to the addresses given in section 10 hereunder. In the event the data subject exercises these rights, we will do our utmost to reply as soon as possible and, in any event, within the legal time limit i.e. one to two months, depending on the case.
9. Cookies and other trackers
a) What are cookies?
A “cookie” (or “tracker”) is a small piece of computer code that designs a text file, which may then be saved in a dedicated space on a device’s hard disk (PC, tablet or smartphone) when the user browses an online service. A cookie enables the issuer to identify the device in which it is saved either for the duration of its validity or for the time taken to save the cookie. A cookie therefore cannot identify a person as such: it is used to record information about that person’s browsing on the FBF Website.
b) FBF cookies
When you visit the FBF Website, information relating to your browsing patterns may be recorded in the “Cookie” files installed on your device, subject to your preferences concerning cookies and which may be changed at any time.
These cookies enable customised browsing and are used for statistical and analytical purposes (qualitative and quantitative audience measurement). Cookies enable us to recognise site visitors when they return to the FBF Website, to memorise the data entered when you browsed our website (type of browser used, etc.) and to avoid asking you the same questions several times. Cookies are also used to record and, sometimes, monitor Personal Data (e.g. surveys and quizzes).
c) Information and settings
Visitors will be advised of the existence of cookies and their purpose(s) as soon as they connect to the FBF Website via an information banner placed either at the bottom or top of the page visited.
If the user refuses to accept cookies, or in the event that the saved cookies are deleted, the user will no longer be able to take advantage of certain functions that are required to browse some sections of the FBF Website. In this case, we decline all responsibility for the consequences of any deterioration in the functionality of our services as a result of our being unable to install or consult the cookies required to run these services and that the user has refused or deleted.
d) Third-party cookies
Finally, it is important to distinguish the cookies issued on the FBF Website from those issued by third parties. Note that, from time to time, third parties may place cookies on certain pages of the FBF Website (advertisers, social network “share” buttons, or other).
If you have any questions concerning the present Charter or wish to assert any of your Personal Data rights, please contact the FBF via:
– email, at the following address: firstname.lastname@example.org
– or by post, at the following address: 18, rue La Fayette, 75009 Paris, FAO the General Secretary – SI.