DATA PROTECTION NOTICE (Privacy Policy)

Updated in July 2024

The protection of personal data of clients and relevant personal information subjects (collectively referred to as “you”) is important to BNP Paribas (China) Limited (the “Bank”, “we” or “us”). “Relevant Information Subjects” used herein means you (in case you are an individual client of the Bank) and any individuals associated with you, including without limitation, staff (e.g. employees, contractors, consultants); directors, supervisors and other officers; shareholders, actual controllers, beneficial owners; legal representatives, authorized signatories; co-borrowers, guarantors; beneficiaries of your payment transactions; beneficiaries of your insurance contracts or policies and trusts; family members; successors and right holders; landlords; debtors (e.g. in case of bankruptcy), etc.

This Data Protection Notice provides you with transparent and detailed information relating to the protection of your personal data by the Bank.

We are responsible, as a personal data processor, for collecting, using and otherwise processing your personal data in relation to our activities. The purpose of this Data Protection Notice is to let you know which personal data we collect about you, our purposes and methods for processing the personal data, how long we keep it, what your rights are and how you can exercise them. You are advised to carefully read this Data Protection Notice and pay particular attention to the contents in bold.

This Data Protection Notice is applicable to all personal data involved when you contact us, visit us, our website or our Apps, use our products and services, participate in a survey or an event with us, or communicate or make contact with us in any manner. Further information may be provided where necessary when you apply for a specific product or service, and we may enter into separate agreements with you regarding the processing of personal information for a specific product or service. In case of any inconsistency between this Data Protection Notice and the separate agreements on processing of personal information for a specific product or service, the latter shall prevail.

Contents of this Data Protection Notice:

  1. How we collect and use your personal information
  2. How we share, entrust processing, transfer or disclose your personal information
  3. Special circumstances of personal information processing
  4. How we use Cookies and other technologies
  5. Personal information protection of minors
  6. How we retain and protect your personal information
  7. Your rights in relation to personal information
  8. How we update this Data Protection Notice
  9. How to contact us
  10. Appendix: Personal Information Cross-Border Transfer List

1. How we collect and use your personal information

Your personal information refers to all kinds of information in relation to an identified or identifiable individual that is recorded electronically or otherwise, excluding anonymized information; we collect and use your personal information to the extent necessary in the framework of our activities and to achieve a high standard of personalised products and services. For certain sensitive personal information as defined by applicable laws and regulations (i.e. personal information that, once leaked or illegally used, may easily harm the personality and dignity of or endanger the personal or property safety of the relevant individual, including but not limited to biometric information, information on religion, specific identity, medical care and health, financial account and whereabouts, as well as the personal information of minors under the age of 14), unless in accordance with applicable laws and regulations, regulatory requirements, or where we have obtained the necessary consent, we will not collect or use your sensitive personal information.

(1) Source of personal information

We collect personal information directly from your or Relevant Information Subjects’ voluntary submission. In certain circumstances, we may also collect personal information of Relevant Information Subjects indirectly. If the client provides any personal information of Relevant Information Subjects or other third parties, the client shall ensure that the personal information is from legitimate sources and that the client has obtained the legal and valid consent from Relevant Information Subjects or third parties; the client shall further ensure that the Relevant Information Subjects and third parties have received this Data Protection Notice, and understand and agree to the contents herein.

Subject to the applicable laws and regulations, or your consents, we may also obtain personal information from:

  • other BNP Paribas Group entities;
  • our clients (corporate or individuals);
  • our business partners;
  • payment initiation service providers and aggregators (account information service providers);
  • third parties such as credit reference agencies and fraud prevention agencies or data brokers which are responsible for making sure that they gather the relevant information lawfully;
  • publications/databases made available by official authorities or third parties (e.g. databases operated by governmental agencies or financial supervisory authorities);
  • websites/social media pages of legal entities or professional clients containing information made public by you (e.g. your own website or social media); and
  • public information such as information from the press.

(2) Personal information we collected and used

Depending on the type of products or services we provide to you, we collect personal information including:

Purposes: Comply with our various legal and regulatory obligations

Specific scenarios:

  • Monitor transactions to identify those which deviate from normal routine/patterns
  • Manage, prevent and detect fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters)
  • Monitor and report risks (financial, credit, legal, compliance or reputational risks, default risks etc.) that we and/or the BNP Paribas Group could incur
  • Monitor and record phone calls, chats, email, etc. (we will only record or monitor communications to the extent permitted, and subject to any conditions applied, by applicable law)
  • Prevent and detect money-laundering and financing of terrorism and comply with regulation relating to sanctions and embargoes through our “Know Your Customer” (KYC) process (to identify you, verify your identity, screen your details against sanctions lists and determine your profile)
  • Detect and manage suspicious orders and transactions
  • Carry out an assessment of appropriateness or suitability in our provision of investment services to each client in compliance with Markets in Financial Instruments regulations (MiFID)
  • Contribute to the fight against tax fraud and fulfil tax control and notification obligations (including compliance with FATCA and AEOI requirements)
  • Record transactions for accounting purposes
  • Prevent, detect and report risks related to corporate social responsibilities and sustainable development
  • Detect and prevent bribery
  • Exchange information and report on different operations, transactions or orders or reply to official requests from duly authorised local or financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies

Types of personal information:

  • Basic personal information: name, date of birth, gender, ethnic group, nationality, family relation, address, personal phone number, email address, marital status, etc.
  • Personal identity: ID card, passport, visa, driver license, working permit, signature, photo, etc.
  • Personal biometric information: audio and video recording, etc.
  • Personal communication information: communication records and contents, SMS, MMS and emails of you/Relevant Information Subjects with us
  • Web surfing records: operation records of you/Relevant Information Subjects using our website or Apps, including browsing records, software usage records, click records, etc.
  • Information of devices: MAC address, technical specifications, uniquely identifying data, etc.

Purposes: Perform our contract with you or take relevant measures at your request prior to entering into a contract

Specific scenarios:

  • Define your credit risk score and your reimbursement capacity
  • Evaluate (e.g. based on your credit risk score) if we can offer you a product or service and under which conditions (including price)
  • Assist you in particular by answering your requests
  • Provide you with products or services
  • Manage outstanding debts (identification and exclusion of clients with outstanding debts)

Types of personal information:

  • Basic personal information: name, date of birth, gender, ethnic group, nationality, family relation, address, personal phone number, email address, marital status, etc.
  • Personal identity: ID card, passport, visa, driver license, working permit, signature, photo, etc.
  • Personal biometric information: audio and video recording, etc.
  • Personal communication information: communication records and contents, SMS, MMS and emails of you/Relevant Information Subjects with us

Purposes: Fulfil our legitimate interests

Specific scenarios:

  • Risk management purposes:
      o Proof of transactions, including electronic evidence
      o Management, prevention and detection of fraud including, where required by law, the establishment of a fraud list (which will include a list of fraudsters)
      o Monitoring transactions to identify those which deviate from the normal routine/patterns
      o Assessing the creditworthiness of you, guarantors, security providers and/or your ultimate beneficiary owners
      o Debt collection
      o Assertion of legal claims and defence in case of legal disputes
      o Development of individual statistical models in order to help define the creditworthiness of you, guarantors, security providers and/or your ultimate beneficiary owners
      o Consultation and exchange of data with credit agencies to identify credit risks
  • Security reasons and IT systems performance:
      o Manage IT, including infrastructure management (e.g. shared platforms), business continuity and security (e.g. internet user authentication and data leak prevention)

Types of personal information:

  • Basic personal information: name, date of birth, gender, ethnic group, nationality, family relation, address, personal phone number, email address, marital status, etc.
  • Personal identity: ID card, passport, visa, driver license, working permit, signature, photo, etc.
  • Personal communication information: communication records and contents, SMS, MMS and emails of you/Relevant Information Subjects with us
  • Web surfing records: operation records of you/Relevant Information Subjects using our website or Apps, including browsing records, software usage records, click records, etc.

Please note that the above information (including sensitive personal information) is necessary for the purposes of provision of the relevant products or services to you, performance of our contracts with you, and fulfilment of our statutory duties and obligations. The processing of your sensitive personal information in the above list would not illegally affect your personal rights and interests. Your failure to provide the personal information required for each of the above scenarios may result in us being unable to provide you with relevant products or services.

In addition, you may allow us to collect the following personal information (including sensitive personal information) at your discretion. The collection of sensitive personal information in the list below is necessary for the purpose of improving our services for you, and the processing of such sensitive personal information would not illegally affect your personal rights and interests. Your failure to do so will only prevent you from enjoying the corresponding convenience or function, while your normal use of our other products or services will not be affected:

Purposes: Personalisation of our services to you

Specific scenarios:

  • Personalisation of our services to you:
      o Improve the quality of our products or services
  • More generally:
      o Inform you about our products and services
      o Perform client satisfaction and opinion surveys

Types of personal information:

  • Basic personal information: name, date of birth, gender, ethnic group, nationality, family relation, address, personal phone number, email address, marital status, etc.
  • Personal identity: ID card, passport, signature, photo, etc.
  • Personal communication information: communication records and contents, SMS, MMS and emails of you/Relevant Information Subjects with us
  • Web surfing records: operation records of you/Relevant Information Subjects using our website or Apps, including browsing records, software usage records, click records, etc.

While we make every effort to ensure that all personal information we hold about you is accurate, complete and up to date, you can help us considerably in this regard by promptly notifying us if there are any changes to your personal information. To the extent permissible under applicable laws and regulations, we shall not be responsible for the authenticity of any personal information or any losses arising from any inaccurate or deficient personal information that you supply to us.

Where relying on legitimate interest, we ensure the processing remains proportionate and that your interests, fundamental rights and freedoms are preserved. Should you have any objection to the use of your personal information for such purpose or wish to obtain more information about such balancing test, please contact us using the contact details provided in section 9 “How to contact us” below.

2. How we share, entrust processing, transfer or disclose your personal information

(1) Sharing and entrusted processing

a. Sharing or entrusted processing of information within the BNP Paribas Group

We may share or entrust processing of personal information listed in section “Personal information we collected and used” of this Data Protection Notice within the BNP Paribas Group via systems and/or email with BNP Paribas Group member(s) as the recipient(s) for purposes such as:

  • for the purposes of performing AML/CFT obligations, sharing or entrusted processing of the data collected for anti-money laundering, counter-financing of terrorism, sanctions, embargoes and KYC;
  • risk management including credit and operational risks (risk rating /credit scoring/etc.);
  • prevention, detection and fight against fraud;
  • research and design activities, particularly for compliance, risk, communication and marketing purposes;
  • global and consistent overview of our clients;
  • offering the full range of products and services of the Group to enable you to benefit from them.

If you are a client of our Corporate & Institutional Banking business, this would include, for example, personal information being accessed and/or stored in: jurisdictions where investments are held; jurisdictions in which and through which transactions are effected.

  • Personalisation of products and services (including content and pricing) for our clients.

b. Sharing or entrusted processing of information outside the BNP Paribas Group

In order to fulfil the purposes described in this Data Protection Notice, we may share or entrust processing of your personal information listed in section “Personal information we collected and used” of this Data Protection Notice to the following recipients from time to time via systems and/or email:

  • service providers who perform services on our behalf (e.g. IT services, logistics, printing services, telecommunication, debt collection, advisory and consulting, distribution and marketing);
  • banking and commercial partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g. banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries);
  • credit rating agencies, credit institutions and other identity verification service providers subject to permission by applicable laws and regulations;
  • other parties in accordance with applicable laws, regulations or mandatory requirements of government authorities, regulators, tax authorities, courts and other competent authorities.

If you have any queries on how we share or entrust processing of your personal information, please contact us through the channels listed in this Data Protection Notice.

(2) Transfer

We will not transfer your personal information to any other company, organization or individual, unless:

  • we have obtained the necessary consent;
  • such transfer is required by applicable laws, regulations, legal proceedings, litigation or mandatory requirements of competent governmental authorities; or
  • such transfer occurs due to any merger, acquisition, business/asset transfer, restructuring, disposal (including asset securitization), division, dissolution, declared bankruptcy or other similar circumstances, and we will request the new company or organization in possession of your personal information to continue to be bound by this Data Protection Notice; otherwise, we will request such company or organization to obtain necessary authorization or consent again.

(3) Public disclosure

We will disclose your personal information to the public only if:

  • we have obtained the necessary consent; or
  • such disclosure is required by applicable laws, regulations, legal proceedings, litigation or mandatory requirements of competent governmental authorities.

(4) Cross-border transfer of personal information

When and only when the aforesaid recipient is an offshore entity/individual, will the personal information be transmitted to a jurisdiction outside the PRC, including transmission to or access by the offshore entity/individual. It is likely that such countries/regions will include India, Hong Kong SAR, Singapore, France and other countries in the European Union. Your personal information would be protected by confidentiality and security measures of the Bank and of the recipients in accordance with their respective applicable laws and regulations, whether the personal information is processed within or outside the PRC.

When personal information is transmitted to such countries or regions not recognised under applicable law as offering an adequate level of information protection, we have put in place appropriate data transfer mechanisms as required under applicable law (as the case may be, including but not limited to the EU Standard Contractual Clauses or clauses approved by the Cyberspace Administration of China), to ensure personal information remains protected.

For details about the cross-border transfer of your personal information, please refer to the Appendix Personal Information Cross-Border Transfer List, including the name, the contact method, the processing methods and purposes of the overseas recipients, types of personal information involved and the method and procedure of the individual exercising rights as stipulated in the PRC Personal Information Protection Law.

3. Special circumstances of personal information processing

To the extent permitted by applicable laws and regulations, we may process your personal information without prior consent under the following circumstances:

  • necessary for entering into or performing a contract to which you are a party;
  • necessary for the performance of statutory duties or obligations;
  • directly related to national security or national defense security;
  • directly related to public security, public health or significant public interests;
  • directly related to criminal investigation, prosecution, trial or judicial enforcement;
  • necessary for the response to a public health emergency or for protecting the life or property of you or other individuals in an emergency;
  • carrying out news reporting, public opinion monitoring and other actions in the public interest, and to process personal information within a reasonable range;
  • processing the personal information publicized by yourself or otherwise legally made public within a reasonable range in accordance with applicable laws and regulations; or
  • other circumstances prescribed by laws and regulations.

4. How we use Cookies and other technologies

Your visits to, browsing of and use of our website, Apps and other online platforms may be recorded by text files such as Cookies in order to analyse the number of visitors and general use patterns of the website and Apps, to help you reduce the number and frequency of information entry, or to assist in checking the security of your account. Please note that the information collected by Cookies is de-identified statistical information. You can manage or disable Cookies based on your own preference. Should you wish to disable the Cookies, you may do so by changing the setting on your browsers and Apps. However, after changing the setting you may not be able to use some of the functions of our website and Apps.

5. Personal information protection of minors

Minors are not allowed to use our products or services. However, personal information of a minor may be collected in your use of certain services. Please ensure that any personal information of a minor provided to us is from legitimate sources and that you have obtained the corresponding authorization or consent from his/her parent or guardian. We will provide special protection for personal information of minors in accordance with applicable laws, regulations, and this Data Protection Notice. If it is found that the personal information of a minor has been processed without the necessary authorization or consent, we will endeavour to delete the relevant personal information as soon as possible.

6. How we retain and protect your personal information

We will retain your personal information for the minimum period necessary to achieve the purpose of processing, in accordance with applicable laws, regulations, regulatory requirements and the purposes (such as: proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests) specified herein. Most personal information collected in relation to a specified client is kept for the duration of the contractual relationship with such client plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable laws and regulations. Upon expiration of the retention period, we will delete or anonymize your personal information, and if it is technically difficult to do so, we will cease our processing activities other than storing and taking necessary security measures.

We maintain appropriate physical, technical and procedural safeguards designed to protect any information that you provide to us from accidental or unauthorised loss, misuse, damage, modification, access or disclosure. We will not disclose your personal information to any third party, unless the disclosure is made to comply with laws, regulations and regulatory requirements or according to this Data Protection Notice or other agreement (if any) or based on your consent or authorisation. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and request them to abide by the security standards of this Data Protection Notice when processing personal information.

The network environment is not 100% secure. In the case of any unfortunate personal information security incident, we will notify you of relevant information in a timely manner as required by applicable laws and regulations, or if it is difficult to notify you in person, publish an announcement in a reasonable and effective manner. In addition, we will also take the initiative to report our disposal of such incident in accordance with the requirements of regulatory authorities. Please note that, in accordance with applicable laws and regulations, we may choose not to notify you if we have taken measures to effectively avoid harm caused by divulgence of, tampering with or loss of information; however, if the regulatory authorities consider that harm may be caused and require us to notify you, we will make the notification accordingly.

7. Your rights in relation to personal information

To the extent provided by applicable law and subject to exemptions thereunder, you have the following rights in respect of your personal information:

  • To access: you may have the right to obtain information relating to the processing of your personal information, and a copy of such personal information.
  • To copy: you have the right to download your personal information in order to obtain a copy of the corresponding personal information.
  • To rectify: where you consider that your personal information is inaccurate or incomplete, you can require that such personal information be modified accordingly.
  • To erase: in some circumstances, you can require the deletion of your personal information, to the extent permitted by law.
  • To restrict: in some circumstances, you can request the restriction of the processing of your personal information.
  • To object: in some circumstances, you can object to the processing of your personal information, on grounds relating to your particular situation.
  • To withdraw your consent: where you have given your consent for the processing of your personal information, you have the right to withdraw your consent at any time.
  • To data portability: where legally applicable, you may have the right to have the personal information you have provided to us, returned to you or, where technically feasible, transferred to a third party.

If you require further information, or if you wish to exercise the rights listed above, please send a written request to us or use other methods to prove your identity. We may request you to verify your identity before processing your request. We will not charge you for your reasonable requests in principle. However, a fee to reflect the cost will be imposed as appropriate on repeated requests beyond reasonable scope. If there is an access fee, we will give you an estimate of the fee and confirm with you whether you would like us to proceed.

Notwithstanding the foregoing, we may refuse certain requests that are submitted repeatedly in an unreasonable manner, in need of excessive technical means, or at the risk of others’ legitimate rights and interests, beyond the reasonable extent or technically impractical. In addition, we may be unable to respond to your requests under the following circumstances:

  • in connection with the performance of statutory duties or obligations by us;
  • directly related to national security or national defense security;
  • directly related to public security, public health or significant public interests;
  • directly related to criminal investigation, prosecution, trial or judicial enforcement;
  • there is sufficient evidence to prove that you have malicious intentions or abuse the rights;
  • necessary for protecting the life, property or other major lawful rights and interests of you or other individuals, where it is difficult to obtain the consent of data subjects;
  • response to the request from you will cause material damage to the legal rights and interests of you, other individuals or organizations; or
  • trade secrets are involved.

8. How we update this Data Protection Notice

In a world of technological change, and in accordance with the changes of applicable laws and regulations, we may need to update this Data Protection Notice from time to time. We will not reduce or limit your rights under this Data Protection Notice without your consent. We invite you to review the latest version of this Data Protection Notice online and we will inform you of any material changes through our website or through our other usual communication channels. “Material changes” referred to herein include but are not limited to:

  • material change of our service modes, such as the purpose of personal information processing, the types of personal information we process and the manner we use personal information;
  • material change of our ownership structure, organizational structure or other aspects, such as change of ownership due to business adjustment, bankruptcy or merger and acquisition, etc.;
  • change of the main parties with or to whom the personal information is shared, transferred or disclosed;
  • material change of your rights to participate in personal information processing or the way of exercise thereof;
  • change of our department responsible for the security of personal information processing, its contact manner or complaint channels;
  • other changes that may have a significant impact on your rights and interests to the personal information.

The client understands and acknowledges that by continuing to use our products or services, the client will be deemed as having accepted the updated Data Protection Notice, and having informed Relevant Information Subjects of the updates and obtained the necessary authorization or consent accordingly.

9. How to contact us

If you have any questions relating to our processing of your personal information under this Data Protection Notice, please contact our data protection correspondent using the following contact details:

By Email: dl.prc.pdp2@asia.bnpparibas.com

By Phone: 86-21-28962688

Appendix: Personal Information Cross-Border Transfer List

Name of the Offshore Recipient: BNP Paribas S.A.; BNP Paribas, Singapore Branch

Contact Information: dl.prc.pdp2@asia.bnpparibas.com

Purposes of Processing: To maintain client relationships, enhance service quality and user experience, fulfill the relevant compliance obligations of client management and conduct unified client management relationship.
Methods of Processing: Receive data through system access for unified client relationship management.
Types of Personal Information:
  • Basic personal information: name, birthday, nationality, address, telephone number, mailing address, email address
  • Personal identification information: Type/Number/Validity Period of Identity Document
  • Personal financial information: account, account balance, shareholding status

Purposes of Processing: To carry out bills-related business.
Methods of Processing: Receive data through system access for bills-related business management.
Types of Personal Information:
  • Basic personal information: name, phone number, email address

Purposes of Processing: Process financing instructions, conduct unified supply chain financing management.
Methods of Processing: Receive data via system access in order to process financing instructions and conduct unified supply chain financing management.
Types of Personal Information:
  • Basic personal information: name, telephone number
  • Personal identification information: ID number

Purposes of Processing: Conduct unified trade and transaction business management, promote trade and transaction operations.
Methods of Processing: Receive data through system access, conduct unified trade and transaction business management, and enhance trade and transaction operations.
Types of Personal Information:
  • Basic personal information: name, telephone number, email address, signature/seal

Purposes of Processing: Perform risk screening and compliance analysis, conduct unified business and risk compliance management.
Methods of Processing: Receive data via email, conduct risk screening and compliance analysis, carry out unified business and risk compliance management.
Types of Personal Information:
  • Basic personal information: name, address
  • Personal identification information: ID number, passport information
  • Personal financial information: bank account number, account opening bank, account name

Purposes of Processing: Conduct global financial market business operations and implement unified management global financial market business management.
Methods of Processing: Receive data either through system access or via email to carry out global financial market business operations and conduct unified global financial market business management.
Types of Personal Information:
  • Basic personal information: name, email address

Purposes of Processing: Conduct credit business management.
Methods of Processing: Receive data through system access for credit business management
Types of Personal Information:
  • Basic personal information: name, basic introduction, age
  • Personal education information: educational experience, work experience

Purposes of Processing: Financial Management
Methods of Processing: Receive data through system access for financial management
Types of Personal Information:
  • Basic personal information: telephone number
  • Personal financial information: financial control information

Retention Period: The Personal Information is retained for as long as necessary to fulfil the purpose of the processing, in accordance with relevant retention policies of the BNP Paribas Group and applicable contract.

Methods and Procedures for Exercising rights: You may contact us directly through the contact information listed in this Notice to exercise your rights.