Data Protection Notice

You have rights which allow you to exercise real control over your personal data and how we process it.

If you wish to exercise the rights listed below, please submit a request by: (i) mailing a letter to the following address 5 Aldermanbury Square, London, EC2V 7BP; or (ii) contacting us via our email address REUK.GDPRBAU@realestate.bnpparibas with evidence of your identity (e.g. a scan/copy of your passport or driving licence) where required.

If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our Data Protection Officer via (i) a letter  to the following address 10 Harewood Avenue, London, NW1 6AA, or (ii) via the Data Protection Officer email address data.protection@uk.bnpparibas.com

2.1 You can request access to your personal data

If you wish to have access to your personal data, we will provide you with a copy of the personal data to which your request relates and to which you are entitled to as well as the information relating to how such information is processed.

Your right of access to your personal data may, in some cases, be limited by applicable law and/or regulation. For example regulations relating to anti-money laundering and countering the financing of terrorism prohibits us from giving you direct access to your personal data processed for this purpose. In this case, you may raise your right of access with the Information Commissioner’s Office, which may request the data from us.

2.2 You can ask for the correction of your personal data

Where you consider that your personal data is inaccurate or incomplete, you can request that we modify or complete such personal data. In some cases you may be required to provide supporting documentation. ​​​​​​​

2.3 You can request the deletion of your personal data

If you wish, you may request the deletion of your personal data, to the extent permitted by law.

​​​​​​​​​​​​​​2.4 You can object to the processing of your personal data based on legitimate interests

If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for your objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise or defence of legal claims.

​​​​​​​​​​​​​​2.5 You can object to the processing of your personal data for direct marketing purposes

You have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling, insofar as it is linked to such direct marketing.

​​​​​​​​​​​​​​2.6 You can suspend the use of your personal data 

If you query the accuracy of the personal data we use we will review and/or verify the accuracy of the personal data. If you object to the personal data we process we will review the basis of the processing. You may request that we suspend the use of your personal data while we review your query or objection.

​​​​​​​​​​​​​​2.7 You have rights against an automated decision

As a matter of principle, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or otherwise significantly affects you.  However, we may automate such a decision if it is necessary for the entering into or performance of a contract between us, authorised by law or regulation or if you have given your explicit consent.

In any event, you have the right to challenge the decision, express your views and/or request the intervention of a competent person to review the decision.

​​​​​​​2.8 You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.

​​​​​​​2.9 You can request the portability of part of your personal data

You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.

​​​​​​​​​​​​​​2.10 How to file a complaint with the Information Commissioner’s Office

In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority, which is most often that of your place of residence, as such it is the Information Commissioner’s Office in the United Kingdom.

In this section, we explain why we process your personal data and the legal basis for doing so.

3.1 Your personal data is processed to comply with our various legal and/or regulatory obligations

Your personal data is processed, where necessary, to enable us to comply with the laws and/or regulations to which we are subject, including real estate, banking and financial regulations.

3.1.1  We use your personal data to:

• monitor and report risks (financial, credit, legal, compliance or reputational risks etc.) that the BNP Paribas Group could incur in the context of its activities;
• record transactions for accounting purposes;
• prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
• detect and prevent bribery;
• comply with the provisions applicable to trust service providers issuing electronic signature certificates;
• exchange and report different operations, transactions or orders or reply to an official request from duly authorized local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.

3.1.2 We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes

As part of a banking group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions. 

In this context, we are joint controllers with BNP Paribas SA, the parent company of the Group (the term "we" in this section includes BNP Paribas Real Estate Advisory & Property Management UK Limited and BNP Paribas SA). 

The processing activities performed to meet these legal obligations are detailed in Appendix 1 “Processing of personal data to combat money laundering and terrorist financing”.

​​​​​​​​​​​​​​3.2 Your personal data is processed to perform a contract to which you are a party or pre-contractual measures taken at your request

Your personal data is processed when it is necessary to enter into or perform a contract to:

• evaluate  if we can offer you a product or service and under which conditions  
• provide you with the products and services subscribed to under the applicable contract;
• manage existing debts (identification of clients with unpaid debts);
• respond to your requests and assist you.

3.3 Your personal data is processed to fulfil our legitimate interest or that of a third party

Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 2 “HOW CAN YOU CONTROL WHAT WE DO WITH YOUR PERSONAL DATA” above.

​​​​​​​3.3.1 In the course of our business activity of real estate, we use your personal data to:

• manage the risks to which we are exposed:
  • we keep evidence of operations or transactions, including in electronic evidence;
  • we monitor your transactions to manage, prevent and detect fraud;
  • we carry out the collection of debts;
  • we manage legal claims and defence our position in the event of litigation;
  • we develop individual statistical models in order to help define your creditworthiness.
• enhance cyber security, manage our platforms and websites, and ensure business continuity.
• use video surveillance to prevent personal injury and damage to people and property.
• enhance the automation and efficiency of our operational processes and client services (e.g., automatic filling of complaints, tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you such as phone recordings, e-mails or chats).
• carry out financial operations such as debt portfolio sales, securitizations, financing or refinancing of the Group.
• conduct statistical studies and develop predictive and descriptive models for:
  • commercial purposes: to identify the products and services that could best meet your needs, to create new offers or identify new trends among our clients, to develop our commercial policy taking into account our clients' preferences
  • safety purposes: to prevent potential incidents and enhance safety management;
  • compliance purposes (e.g., anti-money laundering and countering the financing of terrorism) and risk management;
• organising contests, lotteries, promotional operations, conduct opinion and client satisfaction surveys.

3.3.2 We use your personal data to send you commercial offers by electronic means, post and phone

As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs.

Once you are a client and unless you object, we may send you marketing materials relating to our products and services and those of the Group provided these are similar to those you have already subscribed to. 

We will ensure that these commercial offers relate to products or services that are relevant to your needs and complementary to those you already have to ensure that our respective interests are balanced.

We may also send you, by phone and post, unless you object, offers concerning products and services of the BNP Paribas Group as well as those of the Group and our trusted partners.

Finally, and with your consent, we may also send you commercial offers electronically concerning the products and services of the entire BNP Paribas Real Estate Group.

​​​​​​​​​​​​​​3.3.3 We analyse your personal data to perform standard profiling to personalize our products and offers

To enhance your experience and satisfaction, we need to determine to which client group you belong. For this purpose, we build a standard profile from relevant data that we select from the following information:

- what you have directly communicated to us during our interactions with you or when you subscribe to a product or service;

- resulting from your use of our products or services such as those related to your accounts including the balance of your accounts, regular or atypical movements, the use of your card abroad as well as the automatic categorization of your transaction data (e.g., the distribution of your expenses and your receipts by category as is visible in your client area);

- from your use of our various channels: websites and applications (e.g., if you are digitally aware, if you prefer a client journey to subscribe to a product, or service with more autonomy (self-care));

Unless you object, we will perform this customization based on standard profiling. If you consent, we may go further to better meet your specific needs by offering you products and services tailored to you.

​​​​​​​​​​​​​​3.4 Your personal data are processed if you have given your consent

For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withhold your consent or, if given, withdraw your consent at any time.

In particular, we ask for your consent for:

• tailor-made customization of our offers and products or services based on more sophisticated profiling to anticipate your needs and behaviours;
• any electronic offer for products and services not similar to those you have subscribed to or for products and services from our trusted partners;
• use of your navigation data (cookies) for commercial purposes or to enhance the knowledge of your profile.

You may be asked for further consent to process your personal data where necessary.

We collect and use your personal data meaning any information that identifies or, together with other information, can be used to identify you.

Depending, among others, on the types of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

• identification information (e.g. full name, identity, nationality, place and date of birth, gender, sex, identity card number, passport number, driver’s license number, vehicle registration number, photo, signature);
• contact information private or professional (e.g. postal and e-mail address, phone number etc.);
• property situation and family life information (e.g. marital status,  property, number and age of children, study or employment of children, composition of the household, date of death of parents or spouse, property you own);
• important moments in your life (e.g. you have just married, divorced, lived as a couple, had children);
• economic, financial and tax information (e.g. tax ID, tax status, country of residence, income and others revenues, value of your assets);
• education and employment information (e.g. level of education, employment, employer’s name, remuneration);
• banking and financial information (e.g. bank account details, products and services owned and used (credit, insurance, savings and investments), credit card number, money transfers, assets, declared investor profile, credit history, any defaults in making payments);
• transaction data (including full beneficiary names, address and transaction details including communications on bank transfers of the underlying transaction);
• data relating to your preferences (data which relates to your use of our products and services);
• data from your interactions with us: our branches (contact reports), our internet websites, our apps, our social media pages (connection and tracking data such as cookies, connection to online services, IP address), meetings, calls, chats, emails, interviews, phone conversations;
• video protection (including CCTV);
• information about your device (including technical specifications and uniquely identifying data); and
• log-in credentials used to connect to BNP Paribas’ website and apps.

We may collect sensitive data such as health data, biometric data, or data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations.

We collect personal data directly from you; however, we may also collect personal data from other sources.

We sometimes collect data from public sources:

• publications/databases made available by official authorities or third parties (e.g., Companies House, the Financial Conduct Authority);
• websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page);
• public information such as that published in the press.

We also collect personal data from third parties:

• from other BNP Paribas Group entities; 
• from our clients (companies or individuals); 
• from our business partners; 
• from service providers of payment initiation and account aggregators (service providers of account information); 
• from third parties such as credit reference agencies and fraud prevention agencies;
• from data brokers who are responsible for ensuring that they collect relevant information in a lawful manner.

6.1 With BNP Paribas Group's entities 

As a member of the BNP Paribas Group, we work closely with the group's other companies worldwide. Your personal data may therefore be shared between Group entities, where necessary, to:

• comply with our various legal and regulatory obligations described above;
• fulfil our legitimate interests which are: 
  • to manage, prevent, detect fraud;
  • conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;
  • enhance the reliability of certain data about you held by other Group entities
  • offer you access to all of the Group's products and services that best meet your needs and wishes;
  • customise the content and prices of products and services.

6.2 With recipients outside the BNP Paribas Group and processors

In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with:

• processors which perform services on our behalf (e.g., IT services, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing).
• banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transactions (e.g., banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries, mutual guarantee companies or financial guarantee institutions); 
• local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (e.g., the Banque de France, Caisse des dépôts et des Consignations), to which we, or any member of the Group, are required to disclose pursuant to:
  • their request;
  • our defence, action or proceeding;
  • complying with a regulation or a recommendation issued from a competent authority applying to us or any member of the BNP Paribas Real Estate Advisory & Property Management UK Limited;
• service providers or third party payment providers (information on your bank accounts), for the purposes of providing a payment initiation or account information service if you have consented to the transfer of your personal data to that third party;
• certain regulated professions such as lawyers, notaries, or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the Group or our insurers.

In case of international transfers from the UK to a third country, the transfer of your personal data may take place on the basis of a decision by the UK Government where the UK Government has recognised that the country to which your data will be transferred ensures an adequate level of protection. In case of transfers of your personal data to a third country where the level of protection has not been recognized as adequate by the UK Government, we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

• Standard contractual clauses approved by the UK Government;
• Binding corporate rules. 

To obtain a copy of these safeguards or details on where they are available, you can send a written request to the address set out in section 2 above.

For more information on retention periods, please refer to Appendix 2 in the document mentioned above (Data Protection Notice, if you are a Private Individual) for further consultation.

In a world where technologies are constantly evolving, we regularly review this Data Protection Notice and update it as required.

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels.