Data Protection Notice

Last updated- March 2023
As a trusted companion, the protection of your personal data is important to the BNP Paribas Group (the “Group”).  
We have revised our Data Protection Notice to improve transparency and provide further information on our processing of your personal data, including but not limited to personal data processing in the context of: 
  • commercial prospection; and
  • anti-money laundering, countering the financing of terrorism and international sanctions (freezing of assets) 
The protection of your personal data is at the heart of our concerns, and the group BNP Paribas has adopted strong data privacy principles. BNP Paribas’ Personal Data Confidentiality Charter is available at the following address: BNP Paribas - Personal Data Privacy Charter (
BNP Paribas 3 Step IT (a company owned by BNP Paribas Lease Group SA and
Our job is to help all our clients – the liberal professions, entrepreneurs, TPE (Very Small Enterprises), SMEs (Small and Medium Enterprises), large enterprises – in their day-to-day activities by financing their investments, developing their professional equipment sales or by financing their stock, and outsourcing management
As a member of an integrated banking and insurance group in collaboration with the various Group entities, we provide our clients with a full range of banking, insurance and leasing products and services.
The purpose of this Data Protection Notice is to inform you of the personal data we collect about you; the reasons why we use and share such data; how long we keep the data; what your rights are (as to the control and management of your data) and how you can exercise your personal data rights. 

This Data Protection Notice applies to you (“you”) if you are:

  • one of our customers (or it employee) or in a contractual relationship with us (e.g. as a guarantor); 
  • a member of our customer’s family. Indeed, our customers may occasionally share with us information about their family when it is necessary to provide them with a product or service or to get to know them better; 
  • a prospect interested in our products or services when you provide us with your personal data (in a branch, on our websites and applications, during events or sponsorship operations) so that we can contact you. 


When you provide us with third party personal data please ensure you inform such third parties about the disclosure of their personal data and invite them to read this Data Protection Notice.  We will use our reasonable endeavours to do the same when possible (e.g. when we have the person's contact details).


You have rights which allow you to exercise real control over your personal data and how we process it.   


If you wish to exercise the rights listed below, please submit a request by:


If you have any questions relating to our use of your personal data under this Data Protection Notice, please contact our Data Protection Officer by completing the form at the following address or via the following contact details:


1. You can request access to your personal data 

We will provide you with a copy of your personal data promptly upon request, together with information relating to its processing. 

Your right of access to your personal data may, in some cases, be limited by applicable law and/or regulation. For example regulations relating to anti-money laundering and countering the financing of terrorism prohibits us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with the CNIL (Commission Nationale de l’Informatique et des Libertés), which may request the data from us. 


2. You can ask for the correction of your personal data 

Where you consider that your personal data is inaccurate or incomplete, you can request that we modify or complete such personal data. In some cases you may be required to provide supporting documentation. 


3. You can request the deletion of your personal data 

If you wish, you may request the deletion of your personal data, to the extent permitted by law. 


4. You can object to the processing of your personal data based on legitimate interests 

If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for your objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise or defence of legal claims. 


5. You can object to the processing of your personal data for direct marketing purposes 

You have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling, insofar as it is linked to such direct marketing. 


6. You can suspend the use of your personal data  

If you query the accuracy of the personal data we use we will review and/or verify the accuracy of the personal data.   If you object to the personal data we process we will review the basis of the processing.  You may request that we suspend the use of your personal data while we review your query or objection. 


7. You have rights against an automated decision 

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or otherwise significantly affects you.  However, we may automate such a decision if it is necessary for the entering into or performance of a contract between us, authorised by law or regulation or if you have given your explicit consent. 

In any event, you have the right to challenge the decision, express your views and/or request the intervention of a competent person to review the decision. 


8. You can withdraw your consent 

If you have given your consent to the processing of your personal data, you can withdraw this consent at any time. 


9. You can request the portability of part of your personal data 

You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party. 


10. How to file a complaint with the CNIL  

In addition to the rights mentioned above, you may lodge a complaint with the competent supervisory authority, the CNIL (Commission Nationale de l’Informatique et des Libertés) in France at CNIL – Service des Plaintes- 3 Place de Fontenoy- TSA 80715 – 75334 PARIS CEDEX 07 or on the CNIL website :



In this section we explain why we process your personal data and the legal basis for doing so. 


3.1    Your personal data is processed to comply with our various legal and/or regulatory obligations 


Your personal data is processed, where necessary, to enable us to comply with the laws and/or regulations to which we are subject, including banking and financial regulations.  


3.1.1         We use your personal data to: 

  • monitor operations and transactions to identify those which deviate from the normal routine/patterns; 
  • prevent and detect money laundering and financing of terrorism and comply with regulations relating to sanctions and embargoes through Know Your Customer (“kyc”) processes (to identify you, verify your identity, screen your details against sanctions lists and determine your profile);
  • monitor and report risks (financial, credit, legal, compliance or reputational risks etc.) that BNP Paribas, 3 Step IT Group OY and their respective groups could incur in the context of their  activities; 
  • assist the fight against tax fraud and fulfil tax control; 
  • record transactions for accounting purposes; 
  • prevent, detect and report risks related to Corporate Social Responsibility and sustainable development; 
  • detect and prevent bribery; 
  • detect and manage suspicious orders and transactions;
  • comply with the provisions applicable to trust service providers issuing electronic signature certificates; 
  • exchange and report different operations, transactions or orders or reply to an official request from duly authorized local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies. 

3.1.2         We also process your personal data for anti-money laundering and countering of the financing of terrorism purposes 


As part of a banking group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/TF) in each of our entities managed centrally, as well as a system for applying local, European and international sanctions.  

In this context, we are joint controllers with BNP Paribas SA, the parent company of the Group (the term "We" in this section also includes BNP Paribas SA).  

The processing activities performed to meet these legal obligations are detailed in Appendix 1.  


3.2 Your personal data is processed to perform a contract to which you are a party or pre-contractual measures taken at your request 

Your personal data is processed when it is necessary to enter into or perform a contract to: 

  • define your credit risk score and your reimbursement capacity; 
  • evaluate (e.g., on the basis of your credit risk score) if we can offer you a product or service and under which conditions (e.g., price); 
  • provide you with the products and services subscribed to under the applicable contract; 
  • manage payment incidents and unpaid amounts; 
  • respond to your requests and assist you; 
  • Assist you in the context of your inheritance planning. 


3.3    Your personal data is processed to fulfil our legitimate interest or that of a third party  

Where we base a processing activity on legitimate interest, we balance that interest against your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us using the contact details provided in section 2. HOW CAN YOU EXERCISE YOUR RIGHTS IN THE CONTEXT OF OUR PERSONAL DATA PROCESSING? above. 


3.3.1         In the course of our business as a financial institution, we use your personal data to: 

  • manage the risks to which we are exposed: 
    • we keep evidence of operations or transactions, including in electronic evidence; 
    • we carry out the collection of receivables; 
    • we manage legal claims and defend our position in the event of litigation; 
    • we develop individual statistical models in order to help define your creditworthiness.  
  • enhance cyber security, manage our platforms and websites, and ensure business continuity. 
  • use video surveillance to prevent personal injury and damage to people and property. 
  • enhance the automation and efficiency of our operational processes and customer services. 
  • carry out financial operations such as debt portfolio sales, securitizations, financing or refinancing of the Group. 
  • conduct statistical studies and develop predictive and descriptive models for: 
    • commercial purposes: to identify the products and services that could best meet your needs, to create new offers or identify new trends among our customers, to develop our commercial policy taking into account our customers' preferences. 
    • safety purposes: to prevent potential incidents and enhance safety management; 
    • compliance purposes (e.g., anti-money laundering and countering the financing of terrorism) and risk management;. 
    • anti-fraud purposes. 
  • organising contests, lotteries, promotional operations, conduct opinion and customer satisfaction surveys. 

3.3.2. We use your personal data to send you commercial offers by electronic means, post and phone 

As part of the BNP Paribas and the 3 Step IT Group OY group of companies, we want to be able to offer you access to the full range of products and services that best meet your needs. 


Unless you object, we may send you offers electronically for our products and services and those of BNP Paribas, 3 Step IT Group OY and their respective groups provided these are related to your professional activity.  


We may also send you, by phone and post, unless you object, offers concerning our products and services as well as those of the BNP Paribas and/or 3 Step IT Group OY group of companies and our trusted partners. 


3.3.3 We analyse your personal data to perform standard profiling to personalize our products and offers 

To enhance your experience and satisfaction, we need to determine to which customer group you belong. For this purpose, we build a standard profile from relevant data that we select from the following information: 

  • what you have directly communicated to us during our interactions with you or when you subscribe to a product or service; 
  • resulting from your use of our products or services; 
  • from your use of our various channels: websites and applications (e.g., if you are digitally aware, if you prefer a customer journey to subscribe to a product, or service with more autonomy (selfcare)); 


Unless you object, we will perform this customization based on standard profiling. If you consent, we may go further to better meet your specific needs by offering you products and services tailored to you.


3.4    Your personal data are processed if you have given your consent 

For some processing of personal data, we will give you specific information and ask for your consent. Of course, you can withhold your consent or, if given, withdraw your consent at any time. 


In particular, we ask for your consent for: 

  • tailor-made customization of our offers and products or services based on more sophisticated profiling to anticipate your needs and behaviours; 
  • any electronic offer for products and services not related to your professional activity; 
  • use of your navigation data (cookies) for commercial purposes or to enhance the knowledge of your profile. 

You may be asked for further consent to process your personal data where necessary. 




We collect and use your personal data meaning any information that identifies or, together with other information, can be used to identify you. 


Depending, among others, on the types of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

  • identification information (e.g. full name, identity (e.g. copy passport, driving licence), nationality, place and date of birth, gender, photograph);
  • contact information private or professional (e.g. postal and e-mail address, phone number etc.);
  • family situation 
  • economic, financial and tax information (e.g. tax ID, tax status, income and other revenues, financial data);
  • banking and financial information (e.g. bank account details, products and services owned and used, credit card number, credit history, any defaults in making payments);
  • transaction data (including full beneficiary names, address and transaction details including communications on bank transfers of the underlying transaction);
  • data relating to your habits and preferences (data which relates to your use of our products and services);
  • data from your interactions with us: our branches (contact reports), our internet websites, our apps, our social media pages (connection and tracking data such as cookies, connection to online services, IP address), meetings, calls, chats, emails, interviews, phone conversations; 
  • video protection (including CCTV) and geolocation ;
  • information about your device (including MAC address, technical specifications and uniquely identifying data); and
  • login credentials used to connect to BNP Paribas’ website and apps.


We may collect sensitive data such as health data, biometric data, or data relating to criminal offences, subject to compliance with the strict conditions set out in data protection regulations. 


Please note that you are not required to provide any of the personal data that we request. However, your failure to do so may result in us being unable to open or maintain your account or to provide you with services.



We collect personal data directly from you; however, we may also collect personal data from other sources. 


We sometimes collect data from public sources: 

  • publications/databases made available by official authorities or third parties (e.g., the Official Journal of the French Republic, the Trade and Companies Register, databases managed by the supervisory authorities of the financial sector); 
  • websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website); 
  • public information such as that published in the press. 


We also collect personal data from third parties: 

  • from other BNP Paribas and/or 3 Step IT Group OY group entities;  
  • from our customers;  
  • from our business partners or business introducers;  
  • from third parties such as credit reference agencies and fraud prevention agencies; 
  • from data brokers who are responsible for ensuring that they collect relevant information in a lawful manner;



a. With BNP Paribas, 3 Step IT Group OY and their respective group entities.

As a member of the groups BNP Paribas and 3 Step IT Group OY, we work closely with these groups’ other companies worldwide. 

Your personal data may therefore be shared between the BNP Paribas and/or the 3 Step IT Group OY, group of companies, where necessary, to: 

  • comply with our various legal and regulatory obligations described above; 
  • fulfil our legitimate interests which are:  conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes; 
    • enhance the reliability of certain data about you held by other Group entities 
    • offer you access to all of the Group's products and services that best meet your needs and wishes.  This may include, for example, personal data being accessed and/or stored in: jurisdictions where investments are held; jurisdictions in which and through which transactions are effected; and jurisdictions from which you regularly receive or transmit information about your investments or your business with BNP Paribas; 
    • customize the content and prices of products and services; 


b.With recipients outside the BNP Paribas and/or the 3 Step IT Group OY, group of companies  and processors 

In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with: 

  • processors which perform services on our behalf (e.g., IT services, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing). 
  • banking and commercial partners, business introducers, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transactions (e.g., banks, correspondent banks, paying agents, exchange platforms, insurance companies, payment system operators, issuers or payment card intermediaries, mutual guarantee companies or financial guarantee institutions);  
  • local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions (e.g., the Banque de FranceCaisse des dépôts et des Consignations), to which we, or any member of the Group, are required to disclose pursuant to: 
    • their request; 
    • our defence, action or proceeding; 
    • complying with a regulation or a recommendation issued from a competent authority applying to us or any member of the BNP Paribas Group; 
  • service providers or third party payment providers (information on your bank accounts), for the purposes of providing a payment initiation; 
  • certain regulated professions such as lawyers, notaries, or auditors when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the BNP Paribas and/or the 3 Step IT Group OY, group of companies. 




In case of international transfers originating from: (i) the European Economic Area (“EEA”) to a non-EEA country, the transfer of your personal data may take place where the European Commission has recognised a non-EEA country, as providing an adequate level of data protection; or (ii) the United Kingdom (“UK”) to a third country, the transfer of your personal data may take place where the UK Government has recognised the third country, as providing an adequate level of data protection.  In such cases your personal data may be transferred on this basis. 


For transfers to: (i) non-EEA countries where the level of protection has not been recognized as adequate by the European Commission; or (ii) third countries where the level of protection has not been recognized as adequate by the UK Government; we will either rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary to perform our contract with you, such as when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data: 

  • Standard contractual clauses approved by the European Commission or the UK Government (as applicable); or
  • Binding corporate rules.  

To obtain a copy of these safeguards or details on where they are available, you can send a written request as set out in section  2. HOW CAN YOU EXERCISE YOUR RIGHTS IN THE CONTEXT OF OUR PERSONAL DATA PROCESSING? above.  



We retain your personal data for the period necessary to comply with applicable laws and regulations, or for a period defined by our operational constraints, such as keeping our accounts, effective management of the client relationship, as well as to assert rights in court or to respond to requests from regulatory bodies. 



In a world where technologies are constantly evolving, we regularly review this Data Protection Notice and update it as required. 

We invite you to review the latest version of this document online, and we will inform you of any significant amendments through our website or through our standard communication channels. 


Our Commitments


We assume that the personal data of our clients are confidential and should not be disclosed without legitimate cause.


Privacy by design

We are committed to taking appropriate technical and organisational measures to protect your personal data against illicit, accidental or unauthorised access to, disclosure, or loss of your personal data.



As a data controller and processor, we know personal data should be managed with special care. We have a duty to protect it and to implement procedures and solutions allowing you to assert your rights.



In the event of any issues relating to your personal data, we are committed to reacting as quickly as possible to prevent and/or reduce any impact on you.

Your personal data and us

What we collect
  • Your personal details when you interact with us or when you sign up to receive any information or service
  • The data related to your activity on our website (cookies)
  • The data you give to our subsidiaries and partners
How we use it

We may use the personal data we collect for different reasons, including contractual or legal purposes, to deliver better services and new solutions or to send you communications that you have requested or that may be of interest to you in accordance with your activity.

Why we share it

We may share your data:

  • For external processing to our affiliates or other trusted businesses
  • For legal reasons


How we keep it secure
  • We secure your data with technical and organisational measures
  • We will inform you in the event of any incident related to your personal data
  • We limit access to your personal data to our personnel, subsidiaries or commercial partners who reasonably need access to it.


How long we keep it

We will keep your personal data for the length of the period required in order to comply with applicable laws and regulations or another period with regard to our operational requirements.

Your rights

Right to be forgotten / erasure

You can ask us to erase any personal data we may hold about you where such data is unnecessary, where the processing is unlawful or where you have withdrawn your consent to the processing (where applicable).


Right not to be submitted to automated decision

If a decision is made through a solely automated process, and that decision affects you significantly, you have the right to object to such a decision. You also have the right to access the criteria of such a decision.


Please be aware that we use credit scoring to help us assess credit risk and that we also use a DMM (Decision-Making Matrix) as a deal acceptance tool. This processing is legitimate to enable us to provide finance. It is not an entirely automated decision-making process as any negative answer from us will be manually confirmed by a member of our team.


Right to restrict processing / Right to object

You can ask us to restrict the processing of any of your personal data if you think the data is inaccurate, the processing is unlawful or you think we no longer need the data. You can object to the processing of your personal data on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes.


Right to access

You can ask us for a copy of the personal data held by BNP Paribas Leasing Solutions about you.


Right to rectification

You can ask us to correct any incorrect personal data we may hold about you.

Exercise Your Rights

Access our contact forms for any requests related to your personal data by clicking your location below:


More Information