Privacy Policy
Kantox Data Protection Notice
Introduction
Kantox in relation to its Corporate business, as a data controller, is responsible for collecting and processing your personal data in relation to our currency management automation solutions, which include foreign exchange payments and a solution to automate your entire FX workflow.
Whether under the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and/or other applicable data protection legislation, the purpose of this Data Protection Notice is to inform you of: the personal data we collect about you; the reasons why we use and share such data; how long we keep the data; what your rights are (as to the control and management of your data) and how you can exercise your personal data rights.
Further information may be provided where necessary at the time of collection of your personal data.
1. DATA CONTROLLER
The company responsible for the processing of your data under this Privacy Policy is:
For clients of Kantox European Union S.L: The Data Controller will be Kantox European Union SL, a company incorporated in Spain and identified with CIF number B67369371 and with registered office at Torre Mapfre, Planta 22, Marina, 16-18, 08005 Barcelona, Spain. The company is duly authorised by the Bank of Spain, with registration number 6890.
For customers of Kantox Limited: The Data Controller will be Kantox Limited, a company incorporated in the United Kingdom and identified by registration number 07657495 and having its registered office at 10 Harewood Avenue, London NW1 6AA, United Kingdom. The company is duly authorised by the UK Financial Conduct Authority (FCA) as a payment institution under number FRN 580343 and is registered with HM Revenue & Customs as a money services business under number 12641987.
Both companies are hereinafter referred to as 'Kantox'.
2. ARE YOU SUBJECT TO THIS NOTICE?
This Data Protection Notice applies to you (“you”) if you are:
• an employee, consultant, contractor, legal representative, shareholder, investor, or beneficial owner of:
• a client;
• a prospective client;
• a client or counterparty of our client(s); or a counterparty;
• a beneficiary of financial transactions (payment) or contracts, policies;
• an ultimate beneficial owner in the context of our services;
• a company shareholder;
• a social network user.
In certain circumstances, we collect information about you, even if we do not have a direct relationship with you. This indirect collection of information about you may happen, for instance, in the course of our relationship with our clients or counterparties.
When you provide us with personal data related to other people, please make sure that you inform them about the disclosure of their personal data and invite them to read this Data Protection Notice, as it provides them with useful information about their rights. We will ensure that we will do the same, whenever possible (e.g., when we have the person's contact details).
3. HOW CAN YOU EXERCISE YOUR RIGHTS IN THE CONTEXT OF OUR PERSONAL DATA PROCESSING?
You have rights under, and in accordance with, applicable data protection laws which allow you to exercise real control over your personal data and how we process it. Should you wish to exercise the rights summarised below, please refer to section 9 (How to contact us) and section 11 (Country-specific provisions) as appropriate.
3.1 You can request access to your personal data
We will provide you with a copy of your personal data, promptly upon request, together with information relating to its processing. Your right of access to your personal data may, in some cases, be limited by applicable law and/or regulation. For example, regulations relating to anti-money laundering and countering the financing of terrorism prohibit us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with your data protection authority (details of which are listed in Appendix B), which may request the data from us.
3.2 You can ask for the correction of your personal data
Where you consider that your personal data is inaccurate or incomplete, you can request that we modify or complete such personal data. In some cases, you may be required to provide supporting documentation.
3.3 You can request the deletion of your personal data
If you wish, you may request the deletion of your personal data, to the extent permitted by law.
3.4 You can object to the processing of your personal data based on legitimate interests
If you do not agree with a processing activity based on a legitimate interest, you can object to it, on grounds relating to your particular situation, by informing us precisely of the processing activity involved and the reasons for your objection. We will cease processing your personal data unless there are compelling legitimate grounds for doing so or it is necessary for the establishment, exercise or defence of legal claims.
3.5 You can object to the processing of your personal data for direct marketing purposes
At any time, you have the right to object to the processing of your personal data for direct marketing purposes.
3.6 You can suspend the use of your personal data
If you query the accuracy of the personal data we use, we will review and/or verify the accuracy of such personal data. If you object to the processing of your personal data, we will review the basis of the processing. You may request that we suspend the processing of your personal data while we review your query or objection.
3.7 You have rights against an automated decision
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or otherwise significantly affects you. However, we may automate such a decision, if it is necessary for the entering into or performance of a contract between us, authorised by law or regulation, or if you have given your explicit consent. In any event, you have the right to challenge the decision, express your views and/or request the intervention of a competent person to review the decision.
3.8 You can withdraw your consent
If you have given your consent to the processing of your personal data, you can withdraw this consent at any time.
3.9 You can request the portability of part of your personal data
You may request a copy of the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we transmit this copy to a third party.
3.10 How to file a complaint with your supervisory authority
In addition to the rights mentioned above, you may lodge a complaint with the relevant data protection authority, which is usually the one in your place of residence. A list of data protection authorities is set out in Appendix B.
4. WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?
In this section we explain why we process your personal data and the legal basis for doing so.
4.1 Your personal data is processed to comply with our various legal and/or regulatory obligations
Your personal data is processed, where necessary, to enable us to comply with the laws and/or regulations to which we are subject.
4.1.1. We use your personal data to:
• monitor operations and transactions to manage, prevent and detect fraud;
• monitor and report risks (financial, legal, compliance, reputational, operational risks, etc.) that we and/or the BNP Paribas Group could incur;
• communicate, in compliance with the Shareholders Rights Directive, your personal data to issuers, including your shareholder identification, proxy voting and register information;
• assist the fight against tax fraud and fulfil tax control and notification obligations;
• fulfil our obligations to declare and register transactions with the competent authorities (tax, judicial, criminal, etc);
• record transactions for accounting purposes
• detect and prevent bribery and corruption;
• detect and manage suspicious orders and transactions;
• exchange and report different operations, transactions, or orders, or reply to an official request from duly authorized local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, law enforcement, state agencies or public bodies.
4.1.2. We also process your personal data for anti-money laundering and countering of terrorism financing purposes
As part of a banking group, we must have a robust system of anti-money laundering and countering of terrorism financing (AML/CTF) managed centrally in each of our entities, as well as a system for applying local, European and international sanctions, which may require the processing of your personal data, primarily through our Know Your Customer (KYC) process (to identify you, verify your identity and screen your details against sanctions lists, prior to and in the course of our services). The processing activities performed to meet these legal obligations are detailed in Appendix A.
4.2. Your personal data is processed to perform a contract with you in the context of our services to our clients and/or counterparties
Your personal data is processed, when it is necessary to enter into or perform a contract obligation, in order to provide our corporate clients with the products and services subscribed to, under the applicable contract, including access to our digital services.
4.3. Your personal data is processed to fulfil our legitimate interest or that of a third party
Where we base a processing activity on legitimate interest, we balance that interest against your interests and fundamental rights and freedoms, to ensure that there is a fair balance between them.
4.3.1. In the course of our business as a payment institution, we process your personal data to:
• Manage your access to and use of our web communication channels and applications, in the context of our contractual and pre-contractual relationships with our clients, counterparts, and/or service providers.
• communicate with you, in the context of services provided to our clients and counterparties;
• manage our activities and our presence on social networks
• manage the risks to which we are exposed:
-we keep evidence of, and sometimes record, operations, transactions and communications when you interact with our employees (e.g. in our chat rooms, via emails, or during video conferences);
-we monitor transactions to manage, prevent and detect fraud;
-we manage legal claims and defend our position in the event of litigation.
• enhance cybersecurity and data leakage prevention measures, manage our platforms and websites, and ensure business continuity.
• monitor compliance with our internal policies and procedures including, but not limited to, our code of conduct.
• enhance the automation and efficiency of our operational processes and client services (e.g., tracking of your requests and improvement of your satisfaction based on personal data collected during our interactions with you, such as phone recordings, e-mails or chats).
- safety purposes: to prevent potential incidents and enhance safety management;
- compliance and risk management purposes (e.g., AML, CTF);
- anti-fraud purposes.
4.3.2. We use your personal data to send you commercial offers by electronic means, post and phone
As part of the BNP Paribas Group, we want to be able to offer you access to the full range of products and services that best meet your needs. If you are identified as a contact or representative of a client or counterparty, and unless you object, we may send you offers by any means for our products and services and those of the Group. We will use reasonable endeavours to ensure that these offers relate to products or services that are relevant to our clients or prospective clients’ activities.
4.4. Your personal data is processed if you have given your consent
For some personal data processing activities, we will give you specific information and ask for your consent. Of course, you can withhold your consent or, if given, withdraw your consent at any time. In particular, we ask for your consent to:
• Manage newsletter subscriptions;
• Manage events;
• Use your navigation data to enhance our knowledge of your profile in accordance with our Cookies Policy. You may be asked for further consent, to process your personal data where necessary.
5. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?
We collect and use your personal data, meaning any information that identifies or, together with other information, can be used to identify you.
Depending, among others, on the types of product or service we provide to you and the interactions we have with you, we collect various types of personal data about you, including:
-identification information (e.g. full name, identity (e.g. copy passport, driving licence), nationality, place and date of birth, photograph);
-contact information private or professional (e.g. postal and e-mail address, phone number etc.);
-banking and financial information (e.g. bank account details, products and services owned and used);
- transaction data (including full beneficiary names, address and transaction details including communications on bank transfers of the underlying transactions);
-data from your interactions with us or about us: our internet websites and social media pages;
-connection and tracking data such as cookies, connection to online services, meetings, calls, chats, emails, and interviews.
-interactions with our employees: meetings, calls, chats, emails, interviews, phone conversations;
-login credentials used to connect to Kantox’ website
6. WHO DO WE COLLECT PERSONAL DATA FROM?
We may collect personal data directly from you as staff of our clients, counterparties and their service providers in the context of our activities and services. We sometimes collect data from public sources:
-publications/databases made available by official authorities or third parties (Commercial Registry, databases managed by the supervisory authorities of the financial sector);
-websites/social media pages of legal entities or business clients containing information that you have disclosed (e.g., your own website or social media page);
- public information such as that published in the press.
We also collect personal data:
- from other Group entities;
- from our business partners or our clients’ business partners;
- from service providers (e.g. payment initiation providers)
6.1 Personal data collection via social network
In today's context, the use of social networks is essential to companies.
In order to fulfil our mission efficiently, it is essential for us to be present on social networks, and this presence may involve the processing of some of your personal data.
Therefore, in our legitimate interest in marketing, communication, advertising, and publications, as well as for crisis management and interaction with social media users, we may collect the following personal data:
-The exchange that you had with us on our pages and publications on social networks, including your early claims and complaints.
-Data coming from pages and publications on social networks that contain information that you publicly made available.
More specifically, these personal data will be processed for the following purposes:
- Crisis management (social listening) and customer relationship management, including:
- Crisis prevention: Monitoring and analysis of social networks and the web by using keywords to assess Kantox reputation and be aware of what is said about a trending/crisis topic in order to communicate accordingly.
- Crisis management handling: analyse the issues raised by some publications and act accordingly; respond to publications, posts or comments of social network users; identify and tackle fake accounts and fake publications; or investigate in case of strong allegations and claims.
- Marketing and communication/ advertisement and publications which includes:
-Data extraction to identify trending topics by collecting data publicly available on social networks;
-Publication of articles;
-Suggestion of publications according to your interests;
-Customer and social network users’ segmentation according to their influence;
7. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?
a. With BNP Paribas Group's entities
As a member of the BNP Paribas Group, we work closely with the Group's other companies worldwide. Your personal data may therefore be shared between Group entities, where necessary, to:
• comply with our various legal and regulatory obligations described above;
• fulfil our contractual obligations or legitimate interests described above; and
• conduct statistical studies for business, security, compliance, risk management and anti-fraud purposes;
b. With recipients outside the BNP Paribas Group
In order to fulfil some of the purposes described in this Data Protection Notice, we may, where necessary, share your personal data with data processors which perform services on our behalf (e.g., IT service providers, logistics, printing services, telecommunication, debt collection, advisory and distribution and marketing).
We may also, where we consider it necessary, share your personal data with other data controllers, as follows:
• banking and commercial partners, with which we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual or legal obligations or process transactions (e.g., banks, correspondent banks);
• regulators and/or independent agencies, local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediators, public authorities or institutions to which we, or any member of the BNP Paribas Group, are required to disclose pursuant to:
-their request;
-our defence, action or proceeding;
-complying with a regulation or a recommendation issued from a competent authority addressed to us or any member of the BNP Paribas Group;
-service providers or third-party payment providers (information on your bank accounts), for the purposes of providing a payment initiation or account information service at your request;
-certain regulated professions such as lawyers, notaries, or auditors particularly when needed under specific circumstances (litigation, audit, etc.) as well as to our insurers or to an actual or proposed purchaser of the companies or businesses of the Group.
8. INTERNATIONAL TRANSFERS OF PERSONAL DATA
In certain circumstances (e.g. to provide international services or to ensure operational efficiency), we may transfer your data to another country.
In case of international transfers originating from:
• the European Economic Area (“EEA”) to a non-EEA country, the transfer of your personal data may take place where the European Commission has recognised a non-EEA country as providing an adequate level of data protection. In such cases your personal data may be transferred on this basis;
• the United Kingdom (“UK”) to a third country, the transfer of your personal data may take place where the UK Government has recognised the third country, as providing an adequate level of data protection. In such cases your personal data may be transferred on this basis;
• other countries where international transfer restrictions exist, we will implement appropriate safeguards to ensure the protection of your personal data.
For other transfers, we will implement an appropriate safeguard to ensure the protection of your personal data, being:
-Standard contractual clauses approved by the European Commission or the UK Government (as applicable); or
-Binding corporate rules.
In the absence of an adequacy decision or an appropriate safeguard, we may rely on a derogation applicable to the specific situation (e.g., if the transfer is necessary for the exercise or defence of legal claims). You can obtain more details about the basis of our international transfers by sending a written request to gdpr@kantox.com.
9. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will retain your personal data for the longer of:
- the period required by applicable law;
- such other period necessary for us to meet our operational obligations, such as: proper account maintenance, facilitating client relationship management, and/or responding to legal claims or regulatory requests.
- Most personal data collected in relation to a specified client is kept for the duration of the contractual relationship plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law.
10. HOW TO CONTACT US?
If you wish to exercise the rights summarised in Section 2 (How you can exercise your rights in the context of our personal data processing), if you have any questions relating to our use of your personal data under this Data Protection Notice, please contact gdpr@kantox.com. In some cases, you may be required to provide evidence of your identity.
11. HOW TO FOLLOW THE EVOLUTION OF THIS DATA PROTECTION NOTICE?
We regularly review this Data Protection Notice and update it as required.
12. COUNTRY-SPECIFIC PROVISIONS
Canada
This section supplements the Data Protection Notice and applies to the collection, use, disclosure and retention of personal data by KANTOX, obtained in the context of their commercial activities which comprise both services provided to third parties or affiliates and the management and use of providers or partners (including personal data of potential clients or providers). Except as noted below, nothing in this Canada-specific section changes or modifies the Data Protection Notice. In case of conflict between the Data Protection Notice and this section, this section shall prevail.
We do not, and have never, sold the personal information of California residents. We do not share personal information to facilitate cross-context behavioral advertising. To the extent that you have questions about this practice, please email us at gdpr@kantox.com.
Rights
As provided by and in accordance with Canadian data protection laws you have the following rights with respect to your personal data:
-You can request access to your personal data.
-You can ask for the correction of your personal data if it is inaccurate, incomplete or no longer up to date in accordance with applicable laws.
-You can withdraw your consent to our collection, use and disclosure of your personal data, except in limited circumstances, including legal or regulatory requirements or as a result of a contractual obligation (for instance, if you are a representative of our client and we need to process your personal data in order to provide services to our client).
Should you wish to exercise these rights, please refer to the “Contact Us” subsection. You can also unsubscribe from receiving commercial emails from us.
Collection, use and sharing of personal data
Our collection, use and sharing of your personal data is done on the basis of your consent (which may be implied or obtained by our client or provider rather than by us directly), unless we are otherwise permitted to process your personal data without consent under Canadian data protection laws (for instance, when a consent exception applies). Note that we may use or share personal data in order to comply with Canadian laws and regulations that are equivalent to those mentioned in sections 2 and 5 of the Data Protection Notice.
The categories of data processors and service providers which perform services on our behalf and with whom we may share your personal data are: providers offering IT services, telecommunication services; compliance and due diligence services, advisory services, marketing and communications services as well as financial institutions, and providers of similar services required to support our activities in Canada.
International transfers of personal data
We may transfer your personal data outside Canada, including when we share personal data with other entities within the KANTOX Group or transfer personal data to service providers located in other jurisdictions. As a result of such transfers, your personal data may be available to government authorities under lawful orders and laws applicable in foreign jurisdictions.
Data retention
We may anonymize personal data at the expiration of the retention period, so that it can no longer directly or indirectly identify you.
We will retain your personal information for the longer of:
-the period required by applicable law;
-such other period consistent with our policies and procedures.
Most personal information collected in relation to a specified client is kept for the duration of the contractual relationship plus a specified number of years after the end of the contractual relationship or as otherwise required by applicable law.
Contact Us
If you wish to exercise the rights set out in the “Rights” subsection of this section, or if you have any questions or complaints related to our personal data processing practices, please contact our Data Protection Officer at gdpr@kantox.com.
United States of America
The regulations in this section supersede previous sections of the Privacy Policy where indicated in relation to data processed by KANTOX in the United States.
In addition to the categories of personally identifiable data, this specific section of the Privacy Policy also applies to suppliers, vendors and other third parties who provide products or services or otherwise interact with us.
With respect to the exercise of rights, U.S. residents may retain certain rights to the extent provided by applicable state and federal laws. Imported data may apply foreign standards as applicable.
In addition to the purposes listed in section 2 of this Data Protection Notice, your personal data is processed to comply with our various legal and/or regulatory obligations.
Appendix A
Processing of personal data to combat money laundering and the financing of terrorism
We are part of BNP Paribas which is a banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) programme for all its entities managed at central level, an anti-corruption program, as well as a mechanism to ensure compliance with international Sanctions (i.e., any economic or trade sanctions, including associated laws, regulations, restrictive measures, embargoes, and asset freezing measures that are enacted, administered, imposed, or enforced by the French Republic, the European Union, the U.S. Department of the Treasury’s Office of Foreign Assets Control, and any competent authority in territories where BNP Paribas Group is established).
To comply with AML/CFT obligations and with international Sanctions, we carry out the processing operations listed hereinafter to comply with our legal obligations:
-A Know Your Customer (KYC) program reasonably designed to identify, verify and update the identity of our clients, including, where applicable, their respective beneficial owners and proxy holders;
- Enhanced due diligence for high-risk clients, Politically Exposed Persons or “PEPs” (PEPs are persons defined by the regulations who, due to their function or position (political, jurisdictional or administrative), are more exposed to these risks), and for situations of increased risk;
- Written policies, procedures and controls reasonably designed to ensure that Kantox does not establish or maintain relationships with shell banks;
- A policy, based on the internal assessment of risks and of the economic situation, to generally not process or otherwise engage, regardless of the currency, in activity or business:
- for, on behalf of, or for the benefit of any individual, entity or organisation subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in certain cases, other local sanctions in territories where the Group operates;
- involving directly or indirectly sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea, or Syria;
- involving financial institutions or territories which could be connected to or controlled by terrorist organisations, recognised as such by the relevant authorities in France, the European Union, the U.S. or the United Nations
- Client database screening and transaction filtering reasonably designed to ensure compliance with applicable laws;
- Systems and processes designed to detect and report suspicious activity to the relevant regulatory authorities;
- A compliance program reasonably designed to prevent and detect bribery, corruption and unlawful influence.
In this context, we make use of:
- services provided by external providers that maintain updated lists of PEPs
- public information available in the press on facts related to money laundering, the financing of terrorism or corruption;
- knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at the BNP Paribas Group level.
We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you, both on yourself and on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be stored in order to identify you and to adapt our controls if you enter into a new relationship with Kantox, or in the context of a transaction to which you are a party.
In order to comply with our legal obligations, we exchange information collected for AML/CFT, anti-corruption or international Sanctions purposes between BNP Paribas Group entities. When your data are exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission’s standard contractual clauses. When additional data are collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local penalties.
Appendix B
List of data protection authorities
If your claims have not been met through the provisions offered in Section 2 and/or Section 11, you may lodge a complaint with the relevant data protection authority, which is usually the one in your place of residence. Please find the list below.
Spain
Agencia Española de Protección de Datos (AEPD)
C /Jorge Juan, 6
28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
Email: internacional@aepd.es
Website: https://www.aepd.es/
United Kingdom
Information Commissioner’s Office
Head Office:
Wycliffe House Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk/
To contact ICO Regional Offices: https://ico.org.uk/global/contact-us/
California
California Privacy Protection Agency
Email: info@cppa.ca.gov