Data Protection Policy

In this Data Protection Policy ("Policy"), "Scalexpert", "Société Générale", "SG", "we" and "our" refer to "Société Générale", Société Anonyme with a capital of €1 015 044 435,00 as of July 25th, 2024, registered with the RCS under the unique identification number 552 120 222 and domiciled at 29, boulevard Haussmann 75009 Paris.

About this Policy

SG, as a banking institution and insurance broker (registered with the ORIAS under number 07022493), builds strong and lasting relationships with its clients, based on mutual trust. To preserve this trust, we make the security and protection of your personal data an unconditional priority. To this end, Société Générale complies with all applicable French and European regulations on the protection of personal data, in particular the General Data Protection Regulation (EU) 2016/679. As the controller of your personal data, we inform you more precisely about the types of personal data we collect, the processing we carry out and the reasons why we do so, as well as your rights and the contact or means of recourse at your disposal. This Policy is directed at and applies to SG's individual customers and prospects, potential business relationships, as well as to people related to our customers when warranted (e.g. beneficiary of a transfer, heir in case of inheritance, guarantor, etc.), hereinafter referred to as "you/your". It covers in particular:

  1. The types of personal data we collect and process;
  2. The purposes of the processing (its aims) and the data retention periods associated with each processing operation;
  3. The legal basis on which the processing is carried out;
  4. The recipients and categories of recipients;
  5. Transfers outside the European Economic Area;
  6. Your rights regarding your personal data;
  7. The security of your personal data.

This Policy is updated regularly to reflect changes in SG's practices as well as potential changes in the regulations applicable to personal data. We invite you to consult it regularly to be informed of the latest version in force. If you are a customer, we will inform you of any new version or substantial modification of this Policy.

1. Types of personal data we collect and process

SG collects and processes the following types of personal data:

  • Civil status and identification data: name, first name(s), gender, date of birth, copies of identification documents, examples of signatures, etc.;
  • Contact information: postal addresses, e-mail addresses, telephone numbers, etc.;
  • Data related to your personal situation: family situation, marital status, number and age of children, etc.;
  • Data related to your professional situation: position held, name of the employer, place of work, etc.;
  • Economic and financial information: income, financial and tax situation, etc.;
  • Data on banking operations and transactions (nature of the operations, date, card payments, transfers, direct debits, amount, wording, etc.);
  • Connection data related to the use of our online services: identification and authentication data for your connected spaces, logs, cookies, navigation data on SG sites and applications;
  • Data from correspondence and communications between you and us, whether in the office or remotely (interviews, telephone calls, e-mails, instant messaging, communications on social networks or any other type of communication);
  • Data related to the products and services you subscribed to (type of product, method of payment, maturity, amount, etc.).

This personal data is collected either directly from you or, if necessary, indirectly from (i) Société Générale Group companies; (ii) the Banque de France when consulting files (FICP and/or FCC); (iii) the Répertoire National d'Identification des Personnes Physiques (National Register of Individuals); (iv) the Direction Générale des Finances Publiques (General Directorate of Public Finance); or (v) more generally from public sources relevant to the various purposes described in paragraph 2. Finally, when relevant, some of the data or types of data mentioned above may be matched in order to better meet the purposes described in paragraph 2. Such reconciliations are always carried out while ensuring that only the data strictly necessary to achieve the purpose of the processing is used (in application of the so-called "minimization" principle provided for by the regulations).

2. Purposes of processing and retention period of personal data

The personal data referred to in the previous paragraph are processed, depending on the situation, to meet different objectives or purposes. Each of these purposes is associated with a type of personal data, a period of retention of these data beyond which they are no longer used and are anonymized and / or deleted, except for some of them which may be archived with restricted access for a specified period. The different purposes that lead us to process your personal data are the following:

  • Management of the banking and/or insurance relationship, of the account(s) and/or of the products and services you subscribed to, in particular for evidential purposes. Your personal data may be kept for a period of five (5) years from the end of the commercial relationship or from the end of a possible collection procedure.
  • The realization of opinion and satisfaction surveys and statistical studies. Your personal data may be kept for a period of three (3) years from the time the study is carried out.
  • The fight against fraud (e.g.: establishment of ratings (scores), detection of atypical operations, etc.). Your personal data may be kept for a maximum period of five (5) years from the closing of the file of proven fraud or the issuing of an alert.
  • The collection of information related to the subscription of a credit, a financial product or an insurance product (information on the customer: civil status, family and financial situation). Your personal data may be kept for a maximum period of four (4) months starting from the use of the service. Your personal data may be kept for a maximum of five (5) years from the closing of the file of proven fraud or the issuing of an alert.
  • Compliance with SG's legal and regulatory obligations, in particular obligations related to "Know Your Customer" (KYC), operational risk management (in particular IT network security, customer protection, supervision and internal control, transaction security and security of the use of international payment networks), obligations related to financial security (fight against money laundering and terrorism funding and obligations related to sanctions and embargoes), obligations related to the integrity of financial markets and activities on financial markets, obligations related to the determination of the tax status of clients and compliance with related tax regulations and the rules of good conduct of French and international regulators, ethics and the fight against corruption, data protection and, in general, obligations related to the management and monitoring of compliance risks.

In the context of these purposes, your personal data may be shared between Group entities. It will be kept for a period of five (5) to ten (10) years from the date of the triggering event provided by the regulations in force (e.g.: in terms of the so-called "FATCA" tax regulations, 5 years from the date of receipt of the duly completed self-certification form).

  • The identification of seriously reprehensible behavior or acts (e.g., physical violence against SG staff). This personal data may be kept for a period of ten (10) years from when the facts are recorded in our systems.
  • The recording of your conversations and communications with SG, regardless of their medium (e-mails, letters, telephone conversations, etc.). This recording may be made and may lead to replaying for the purposes of improving telephone reception, complying with legal and regulatory obligations related to the financial markets, and ensuring the security of transactions carried out or providing proof of orders or operations carried out. Depending on the applicable regulations, your personal data may be kept for various periods of time, which may not exceed five (5) years from the date of recording.
  • Accounting processing: accounting data may be kept for a period of ten (10) years in accordance with the legal provisions in force.
  • Research or analysis activity for the purpose of improving our procedures and developing our models. Your personal data may be reused in order to:
    • optimize our internal control processes;
    • improve risk and compliance management;
    • offer customized services and products.

These data are kept for a fixed period of five (5) years starting from their registration.

  • Commercial prospecting, proposing commercial offers adapted to your situation and profile, carrying out commercial animations and advertising campaigns.
    • The data may be kept for a maximum of three (3) years from the end of the commercial relationship or, for prospects, from the last contact.
    • SG may anonymize and aggregate this data in order to establish statistical reports.

It is specified that personal data collected and processed in accordance with the above-mentioned purposes may be kept for an additional period of time if the defense of a right or interest requires it, or in order to meet the requirements of authorized authorities such as, for example, a public authority, a French or international regulator. In this case, personal data will not be used for any other purpose and will only be accessible to authorized persons who have a need to know (e.g. legal department, compliance department, audit and inspection bodies).

3. Legal grounds for the processing

3.1 General rules

The processing carried out by SG is based on one of the following legal bases:

  • The execution of the banking and/or insurance relationship (e.g.: taking out a mortgage). Thus, certain data will be used by Scalexpert Société Générale to provide products or services requested and necessary for the execution of the Contract with the Client or in order to take measures prior to the entry into force of the Contract;
  • Compliance with SG's legal and regulatory obligations (e.g. fight against money laundering and terrorism funding);
  • The pursuit of SG's legitimate interests (e.g.: fight against fraud, research and development activities, commercial prospecting, including profiling). The choice of this legal basis is made after a balancing of the interests pursued by SG with the interests of the data subjects and the assessment of reasonable expectations in this regard. In addition, safeguards will be put in place to protect the interests, rights and fundamental freedoms of individuals (information to individuals, right of objection and security measures in particular);
  • Consent (e.g. data from social networks, collection of health insurance cards as identification);
  • Safeguarding the vital interests of the person concerned or of another individual, when a customer has paid by credit card for a product or service that poses a threat to their personal safety (recall of defective products, health crisis, etc.).

3.2 Specific rules for the profiling process

SG implements profiling processing, i.e. processing that consists of evaluating certain aspects concerning the economic situation of natural persons, their preferences or personal interests, the analysis of their behavior, or their location and movements. These profiling processes have different purposes, mainly to secure your transactions, to fight fraud, to personalize the relationship, to prospect for business or to better meet our obligations related to the management and monitoring of compliance risks. In the case of commercial prospecting, the processing consists in analyzing some of your data in order to establish profiles that correspond to you. These profiles enable SG to send you personalized offers that are better adapted to your needs, expectations or situation (e.g. arrival of exceptional payments, pre-assessment of your borrowing capacity). For certain specific commercial campaigns, these profiles may be enriched with data collected by third-party partners such as advertising agencies. For each of these processing operations, an in-depth analysis is carried out in order to determine whether the processing should be based on your consent, SG's legitimate interest, or on another legal basis:

  • If profiling is based on your consent:

SG ensures that your consent is obtained, after having informed you in an explicit and transparent manner about the use of your data, as well as the logic of the processing. SG also allows you to withdraw your consent at any time.

  • If profiling is based on SG's legitimate interest:

SG will have carried out a prior analysis enabling it to ensure, for each processing envisaged, that your interests or fundamental rights and freedoms are respected and that you can reasonably expect your data to be used in this context.

SG allows you to object to such processing at any time, under the conditions provided by the regulations and in the manner described in paragraph 6.

3.3 Specific rules for fully automated decisions

In cases where SG implements processes involving fully automated decision-making that produce legal effects concerning you or significantly affect you, such processing operations (i) are based on one of the following legal grounds: the performance of the contract in which the processing is involved or your consent, or SG's legitimate interest; (ii) are authorized by European Union law or French law. Such processing operations are carried out in compliance with the applicable regulations and are accompanied by appropriate guarantees.

4. Categories of recipients

Your data may be communicated, according to the purposes pursued:

  • To entities of the Société Générale Group, its partners, brokers, intermediaries and insurers, subcontractors and service providers. This communication only takes place within the framework of a processing that pursues one of the purposes described in paragraph 2;
  • In compliance with applicable regulations, to third parties in France or abroad for the purposes of establishing, safeguarding or defending a right in court, in the context of administrative or criminal investigations by one or more regulators, to ensure compliance with commitments made to them or in the context of legal proceedings of any kind;
  • To certain regulated professions such as statutory auditors to provide regulatory reports or lawyers to act in defense of SG's rights;
  • To payment originators and account information service providers (aggregators), only with your consent or at your request.

5. Transfers outside the European Economic Area

Due to the international dimension of the Société Générale Group, the processing operations listed in paragraph 2 above may involve transfers of personal data to countries outside the European Economic Area (EEA), whose laws on the protection of personal data differ from those of the European Union. More precisely, your personal data may, to the extent permitted by the applicable regulations, be communicated to official bodies and authorized administrative and judicial authorities of non-EEA countries, in particular in the context of regulations on the fight against money laundering and terrorism funding, international sanctions and embargoes, the fight against fraud and the determination of your tax status. When personal data is transferred to non-EEA countries, a precise and demanding legal framework governs this transfer, in accordance with the applicable European regulations, through standard contractual clauses signed and approved by the European Commission. In addition, appropriate and complementary security measures may be put in place to ensure the protection of personal data transferred outside the EEA. The Standard Contractual Clauses are available on the CNIL website (www.cnil.fr). For more information, you can send your request to the contact address indicated in paragraph 6. For more information on the specific case of transfer instructions transmitted between banks via secure international interbank telecommunications networks, we invite you to consult the "Swift Information Notice" on the fbf.fr or particuliers.sg.fr websites.

6. Your rights

You have a right of access to your personal data, as well as a right to have it rectified or deleted, to limit its processing, and to the portability of some of your data. You may also withdraw your consent at any time, or object, on grounds related to particular circumstances of your own, to your personal data being processed, or define general or specific instructions as to what should happen to your personal data in the event of your death. You may also, at any time and at no cost, without having to justify your request, object to your personal data being used for commercial prospecting purposes. If your request to object does not concern commercial prospecting, SG may refuse to comply with your request if:

  • There are legitimate and compelling reasons to process personal data or the data is necessary for the establishment, exercise or defense of legal claims;
  • You have consented to the processing of your data, in which case you must withdraw that consent and not object;
  • The processing in question is necessary for the performance of a contract between you and Scalexpert Société Générale;
  • A legal obligation requires the processing of your personal data;
  • The processing is necessary to safeguard the vital interests of the data subject or of another natural person.

You may exercise your rights as well as contact the personal data protection officer as follows:

  • At the following postal address: SG - Protection des données CPLE/DPO - 189 Rue d'Aubervilliers 75886 PARIS CEDEX 18 France;
  • By e-mail to the following address: Protectiondesdonnees@societegenerale.fr.

Finally, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the supervisory authority in charge of compliance with obligations in terms of personal data in France.

7. The security of your personal data

SG takes all physical, technical, and organizational measures to ensure the confidentiality, integrity and availability of personal data, in particular to protect them against loss, accidental destruction, alteration and unauthorized access. In the event of a breach of your personal data which presents a risk to your rights and freedoms, SG will notify the CNIL of the breach in question within the statutory period. If this breach presents a high risk to your rights and freedoms, SG will inform you as soon as possible of the nature of the breach and the measures implemented to remedy it.