Privacy Policy
We're committed to safeguarding your privacy and personal information
Introduction
First Abu Dhabi Bank France (“FAB France”) as a branch of First Abu Dhabi Bank PJSC (“FAB PJSC”) is committed to providing the highest level of protection to the processing of its customers’ personal data based on applicable data protection laws and regulations.
This policy describes how FAB France alone, or jointly with FAB PJSC, may collect, use, store, disclose or otherwise process your personal data including personal data provided when using Bank’s websites (“FAB Websites”). For more information on joint processing, please refer to the "Outline of the Joint Responsibility Agreement" section of this document.
Personal data comprises all the details that FAB France, if applicable with FAB PJSC, collects and processes directly or indirectly about the client as individual client or representative of a corporate client, for instance information about the identity and contact details (such as name, email id, contact number) of the client , his / her transactions, financial information, interactions or dealings with FAB France, including information received from third parties and information collected through use of FAB Websites, cookies or other similar tools and our electronic banking services.
The use of the FAB Websites and any products and services supplied are subject to the Bank’s Terms and Conditions.
If the customer has any questions regarding this data protection policy or the protection of his / her personal data, they may please contact FAB France’s Data Protection Officer and data protection team at the following:
Data Protection Officer France
10 rue Magellan,
75008, Paris, France.
Email: dpofabfrance@bankfab.com
For more information about using of cookies please refer to First Abu Dhabi Bank’s Cookie Policy.
Processing Personal Data
FAB France may process Personal Data as an individual client or a representative of a corporate client for the following purposes in the context of the performance of precontractual or contractual measures concluded with a person as an individual client:
- Processing applications for products and services, including assessing customer suitability and performing necessary checks and risk assessments
- Providing products and services (including electronic banking services), including effecting payments, transactions and completing instructions or requests;
- Establishing and managing banking relationships and accounts, including their financial management, such as the management of late payments and unpaid bills.
FAB France also processes the client’s personal data for the following purposes for compliance with applicable legal or regulatory obligations:
- Preventing, detecting, investigating and prosecuting crimes (including but not limited to money laundering, terrorism, fraud and other financial crimes) in any jurisdiction, identity verification, government sanctions screening and due diligence checks;
- Complying with applicable local or foreign law, regulation, policy, voluntary codes, directive, judgement or court order from any authority, regulator or enforcement agency or body or any request coming from said entities;
- Surveillance of premises;
- Carrying out consultations and/or declarations to the Fichier National des Incidents de remboursement des Crédits aux Particuliers, as well as the Fichier Central des Chèques;
- Administrative management of invoicing;
- Management of the exercise of their data-processing rights and freedoms formulated by the data subjects.
The following processing are based on FAB France legitimate interests to provide the client with adequate and qualitative products and services and to prevent against any excessive risk:
- Pre-litigation and litigation, namely establishing, exercising or defending legal rights in connection with legal proceedings (including any prospective legal proceedings) and seeking professional or legal advice in relation to such legal proceedings;
- Monitoring and improving Bank website and its contents, to enable the proper functioning of Bank website through the use of cookies;
- Conducting market research and surveys with the aim of improving Bank’s products and services.
- Carrying out studies and surveys to establish reports analyzing FAB France's compliance with its internal rules as well as with applicable regulations, in particular banking regulations.
- Ensuring the security of information systems, and consequently preventing, detecting and avoiding any data leakage, sometimes through cookies.
The following processing is based, depending on the case, either on your consent or on FAB France’s legitimate interests, namely the promotion of its image, its activity, as well as its products and services:
- Sending you information about our products and services for marketing purposes and promotions, as well as event organization;
- Monitoring and improving Bank website and its contents, namely:
- to analyze the behavior of Internet users thanks to cookies, in order to optimize and personalize, if necessary, the pages of Bank website;
- to carry out statistics of visits to and use of Bank website thanks to cookies.
Personal data requested by FAB France are adequate, relevant and limited to what is necessary for the purposes for which they are processed. If it is not provided, FAB France will be unable to comply with its legal or regulatory obligations or to provide you with the requested products and services.
Certain personal data, namely nominative, financial and professional information, may be collected indirectly by FAB France. Indeed, depending on the needs of the clients, it may be transmitted by other branches or FAB PJSC to which the client would have initially addressed himself/herself.
These categories of data may also, if need be, be collected from public data sources, where available.
Clients’ personal data processed by FAB France will only be accessible to a limited list of recipients authorized by executive management on a need to know basis or where required by law :
- Employees of the business line(s) concerned by the products and services provided;
- Employees of the compliance department concerned;
- Employees of the accounting department concerned;
- Employees of the IT department(s) concerned;
- Employees of selected service providers who support FAB in the provision of adequate and qualitative products and services, including IT Services providers.
When a client is in a banking relationship with a FAB France, his / her personal data may be transferred to FAB PJSC in United Arab Emirates or any other FAB branches located within or outside the EEA for the purposes mentioned above only or to their local service providers for support in the pursuance of such purposes. Indeed, they may also be transferred to branches in the United Kingdom and Switzerland.
FAB PJSC in Abu Dhabi also acts as a service provider for its branches, in particular for the provision of IT services.
The transfer of personal data outside the European Union can only take place:
- where the country ensures an adequate level of protection as established by a decision of the European Commission;
- where appropriate safeguards are provided;
- subject to specific contractual provisions in compliance with the requirements of the competent supervisory authorities.
In this context, transfers to FAB PJSC outside the EEA are covered by standard data protection clauses. The client may request and receive a copy of such documents o the following address: dpofabfrance@bankfab.com
Finally, in the context of certain international financial operations (such as fund transfers) the client’s data may be transferred outside the EEA. These transfers are necessary for the execution of the contract between the client and FAB France.
The Bank’s policy does not apply to third-party websites where Bank online advertisements are displayed, nor to linked third-party websites which FAB France does not operate or control.
Retention of Personal Information
The customer’s personal data processed by FAB France are kept in a form which permits the customer identification for no longer than is necessary for the purposes for which the personal data are processed in line with legal, regulatory or statutory obligations.
At the expiry of such periods, customer’s personal data will be deleted or archived to comply with legal retention obligations or in accordance with applicable statutory limitation periods.
| Purpose of the processing | Retention period | Processing applications for products and services, including assessing customer suitability and performing necessary checks and risk assessments |
Data are processed for the duration of the contractual relationship plus the duration of legal prescriptions |
|---|---|
| Providing products and services (including electronic banking services), including effecting payments, transactions and completing instructions or requests | Data are processed for the duration of the contractual relationship plus the duration of legal prescriptions |
| Establishing and managing banking relationships and accounts | Data are processed for the duration of the contractual relationship plus the duration of legal prescriptions |
| Preventing, detecting, investigating and prosecuting crimes (including but not limited to money laundering, terrorism, fraud and other financial crimes) in any jurisdiction, identity verification, government sanctions screening and due diligence checks | Data are processed for five years from the closure of the account or the termination of the relationship |
| Complying with applicable local or foreign law, regulation, policy, voluntary codes, directive, judgement or court order from any authority, regulator or enforcement agency or body or any request coming from said entities | Data are processed for the duration of legal prescriptions |
| Surveillance of premises | Data processed through CCTV system are stored for 1 month |
| Establishing, exercising or defending legal rights in connection with legal proceedings (including any prospective legal proceedings) and seeking professional or legal advice in relation to such legal proceedings | Data are processed until the judgment has acquired the authority of a final decision |
| Monitoring and improving our website and its content | Data are processed for a maximum period of 13 months from the date of deposit in the user's terminal equipment unless the data subject objects |
| Conducting market research and surveys with the aim of improving our products and services | The data used for statistical purposes are no longer qualified as personal data once they have been duly anonymized |
| Sending the customer information about our products and services for marketing purposes and promotions | For customers, data are processed for the duration of the contractual relationship plus three years For prospects, data are collected for three years from the last contact For commercial and marketing communication, data are kept until the data subject objects or withdraws its consent |
| Carrying out studies and surveys to establish analysis reports on FAB France's compliance with its internal rules and regulations, in particular banking regulations. | The data is kept for 5 years from the closing of the account or the termination of the relationship |
| Carrying out consultations and/or declarations to the Fichier National des Incidents de remboursement des Crédits aux Particuliers, as well as to the Fichier Centrale des Chèques. |
The information is either kept in the file for five years from the date on which the incident is declared to FICP, or deleted upon full payment of the sums due. The measures relating to a conventional recovery plan are kept for the entire duration of the plan's implementation, without being able to exceed seven years, or are written off as soon as the debts to all creditors included in the plan or in the judgment have been paid in full. The judge's decisions relating to the closure of the personal recovery proceedings are maintained for a period of five years. Information relating to regularized payment incidents must be deleted from the file no later than 48 hours following notification of the adjustment to the merchant. Information relating to unregulated payment incidents can only be kept in the file for a period of 3 years starting from the occurrence of non-payment. |
| Ensure the security of information systems, and consequently prevent, detect and avoid any data leakage. |
The data in the logs are kept for six months and then deleted. |
| Billing management | The accounting records are kept for a period of ten years from the end of the financial year. |
| Management of the exercise of their rights by data subjects | The data is kept for the duration of the management of the rights, increased by the legal prescription periods. |
| Managing the monitoring and improvement of our website and its content | Depending on the type of cookies used, the data is kept between 6 and 13 months maximum. |
Outline of the agreement between joint controllers
Purpose and means of processing
As stated above, FAB France and PJSC jointly carry out certain processing of your data.
These processing operations are as follows:
- Credit management (application management, assignments and closure);
- Management of clients’ onboarding;
- Ensure the security of information systems, and consequently prevent, detect and avoid any data leakage.
The means of processing are defined by FAB France and FAB PJSC, including hardware, software and human resources allocated to the management of the processing.
The duration of data retention is defined by FAB France.
No data may be retained and/or used after the agreed dates and periods.
Data subjects may refer to FAB France with a view to exercising their rights of access, right of inquiry, right of rectification, right to erasure, right to limitation of processing, right to portability and right of objection. However, as the right to define post-mortem directives is a specificity of French law, it must be exercised exclusively with FAB France. In any case, when data subjects contact FAB UAE to exercise their rights, this latter shall inform immediately FAB France.
FAB France shall inform the data subjects of the processing operations carried out jointly with FAB PJSC, in particular by communicating this document to the data subjects.
FAB France and FAB PJSC are required to ensure a level of security appropriate to the risks, depending on the nature of the processing and the type of data processed.
To this end, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, varying in likelihood and severity, to the rights and freedoms of natural persons, FAB France and FAB PJSC must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- pseudonymization and encryption of personal data;
- means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
- means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
- a procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.
FAB France and FAB PJSC are jointly and severally liable to the data subjects of the processing.
Contact Point
The Data Protection Officer, whose contact details are set out above, is the point of contact for the customers and can be contacted for any questions relating to data processing.
Data Subject Rights Subject to applicable law, regulations and/or banking industry guidelines, the customer may have the right to invoke a data subject right in relation to his / her personal data being processed by FAB France.
FAB France shall provide information on action taken on a request pertaining to the rights above without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. FAB France shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
To invoke customer’s data subject rights, the customer may send an email or a postal mail to data protection officer (see contact details above).
Finally, the customer is entitled to lodge a complaint with a competent Data Protection Authority where existing, concerning FAB France’s compliance with the applicable data protection laws and regulation.
FAB France may be allowed by law, in particular in case of excessive or manifestly unfounded request, to charge a fee for fulfilling the request of the customer, subject to applicable conditions.
The rights that the customer can invoke as a data subject can be:
Right of Access
The customer has the right to obtain from FAB France, confirmation as to whether or not personal data concerning him / her is being processed, and, where that is the case, access to the personal data and the following information:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine this period;
- The existence of the right to request from FAB France rectification or erasure of the customer’s personal data or restriction of the processing of such data or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where data are not collected directly from the data subject, any available information as to their source;
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved; and
- Where applicable, the transfer of personal outside EEA and appropriate safeguards implemented.
FAB France shall provide a copy of the personal data undergoing processing. For any further copies requested, please note that FAB France may charge a reasonable fee based on administrative costs.
The customer shall have the right to obtain from FAB France without undue delay the rectification of inaccurate and/or incomplete personal data concerning him /her.
Except in very specific cases where provided by law, the customer has the right to obtain from FAB France the erasure of personal data concerning him/her without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the withdrawal of the customer’s consent on which the processing is based and there is no other legal ground for the processing;
- the objection to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation to which FAB France is subject;
- the personal data have been collected in relation to the offer of information society services directly to a child.
The customer has the right to obtain from FAB France restriction of processing where one of the following applies:
- The customer contests the accuracy of his / her personal data (in such a case, the restriction will be for a period enabling FAB France to verify the accuracy of said data); the processing is unlawful;
- the processing is unlawful and the customer opposes the erasure of the personal data and requests the restriction of their use instead;
- FAB France no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
- The customer objects to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
If the customer exercises his / her right to restriction, FAB France will no longer be able to process the personal data of the customer, unless:
- The customer has given the consent;
- for the establishment, exercise or defense of legal claims,
- for the protection of the rights of another natural or legal person,
- for important reasons of public interest of the Union or of a Member State.
The customer has the right to receive or to transmit those data to another controller in a structured, commonly used and machine-readable format, the personal data concerning him / her that was provided to FAB France, without hindrance from FAB France, where the processing is based on his / her consent or on a contract and the processing is carried out by automated means.
The customer has the right to object, on grounds relating to his / her particular situation, at any time to processing of personal data concerning him / her when it is based on FAB France’s legitimate interests. FAB France shall no longer process the said personal data unless it demonstrates compelling legitimate grounds for the processing which override the customer’s interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Such right can be exercised at any time where the customer’s personal data is processed for direct marketing purposes.
Right to object being subject to a decision based solely on automated processing, including profiling
The customer has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him / her or similarly significantly affects him / her, except in specific cases provided by law.
The customer has the right to formulate specific and general directives concerning the storage, erasure and communication of post-mortem data concerning him/her Regarding the general directives, they must be addressed to a third party who will be designated by decree.
Security
The security and confidentiality of the customers’ Personal Data is important to FAB France which has invested significant resources to protect the safekeeping and confidentiality of the personal data. When using external service providers acting as processors, the bank requires that they adhere to the same standards as FAB France. Regardless of where the personal information of the customer is transferred or stored, the Bank takes all steps reasonably necessary to ensure that personal data is kept secure.
Changes to this Privacy Policy
FAB may in its absolute discretion update this policy from time to time.