Preamble

As part of its activities, CMB Monaco processes personal data in accordance with the applicable Monegasque legislation on the protection of personal data.

The purpose of this policy is to inform CMB Monaco's customers and prospects, in its capacity as data controller, about the collection, recording and processing of their personal data.

This processing is intended to enable the execution of the operations necessary for the business relationship, including those that the Bank, at its discretion, may subcontract, delegate or outsource.

This policy also guarantees the security and confidentiality of personal data.

Definitions

Personal data: Any information that can be used to directly or indirectly identify a natural person. A person is considered identifiable if they can be recognised, in particular by means of an identification number, a postal/email address, a telephone number, etc.

It does not matter whether this information is confidential or public. Processing of personal data: Any operation or set of operations involving personal data, regardless of the process used, including in particular the collection, recording, use, transmission or communication.

Personal data controller: CMB Monaco, which determines the purposes and means of processing, i.e. the objective and the means of achieving it, in accordance with the regulations in force regarding the protection of personal data.
Processor: Any natural or legal person who acts on behalf of the controller, CMB Monaco, in the context of a service or provision.

Security and confidentiality

As the data controller, CMB Monaco determines and implements the technical and organisational measures necessary to protect personal data processing systems aimed at preventing malicious intrusions, loss, alteration or unauthorised disclosure of data.

These measures comply with the applicable legal requirements and include, in particular:

• Specific physical and electronic security devices (firewalls, personal passwords).
• Strict protocols to limit access to authorised employees and third parties only, based on the ‘need to know’ principle.
• Confidentiality obligation imposed on all employees and approved service providers.

Personal data collected

CMB Monaco only collects the data necessary for the establishment and management of the business relationship.

This data may come from the following sources:

• Information provided directly by customers and prospects: data collected when opening a bank account, subscribing to a product or service, or during interactions with the Bank.
• Business introducers: Data transmitted by third parties acting as intermediaries, in compliance with legal and contractual frameworks exclusively to the extent that they are necessary for the initiation or monitoring of the business relationship.
• External sources: information obtained from public registers, the Internet or partners of the Mediobanca Group.

CMB Monaco guarantees that all data collected is processed in accordance with current regulations, within a framework of transparency and for clearly defined purposes.

The categories of data collected by CMB Monaco include, in particular:

• Identification data: Name, address, contact details, date and place of birth, nationality, profession, etc.
• Authentication data: Signature specimen.
• Transactional and contractual data: Information on accounts, deposits and transactions, powers of attorney, etc.
• Correspondence and contact data: Written exchanges, consultation and information notes, specific requests.
• Financial and regulatory data: Information on financial situation and compliance with legal obligations.
• Fiscal data: Information related to taxation.
• Sensitive data: biometrics, health, information relating to religious or political opinions, ideological beliefs, and information relating to convictions or sanctions.
• Data relating to third parties: beneficial owners, employees, family members, authorised signatories, agents and/or representatives.
• Digital data: information relating to the use of the Bank's digital services (IP address, browsing history).

CMB Monaco undertakes to:

• Collect and process this data in an appropriate and relevant manner, and limit it to what is necessary for the intended purposes.
• Ensure that it is accurate, up to date and complete.
• Obtain the consent of the persons concerned whenever this is required and inform them of how their data will be used.

Purposes of the processing

The processing of your personal data by CMB is carried out for specific, explicit and defined purposes, in particular:

• To initiate and manage a business relationship with customers and prospects;
• To manage and follow up on customers and prospects;
• To provide services under a contract between the bank and its customers, and to take the necessary measures prior to the conclusion of contracts;
• Ensuring compliance with banking regulations and current legal obligations;
• Managing telephone recordings as part of service improvement or legal compliance;
• Communicating with customers regarding their requests, potential interests and the Bank's offers;
• Handling customer complaints and managing disputes;
• Preventing and investigating breaches of contract, criminal acts and other non-compliance issues;
• Defending the Bank's legal rights and claims and providing a defence in the event of litigation or pre-litigation;
• Managing risks, in particular for the calculation of equity capital and the management of regulatory requirements relating to the Bank;
• Consolidating and maintaining data on prospects and customers in order to facilitate the management of customer relations.
• Developing sales, advertising and marketing activities, as well as market research and surveys.
• Ensuring IT security, including the Bank's IT systems and infrastructure.
• Ensuring the security of buildings and systems.

CMB Monaco undertakes to collect and process your personal data in a fair, transparent and lawful manner in accordance with the legislation in force.

Legal basis for the processing

CMB Monaco guarantees that data processing is based on several legal bases including:

• The legitimate interests of CMB Monaco: mainly with the aim of continually improving its services according to the needs and expectations of its customers.
• The consent of the persons concerned: when data processing is based on explicit consent, such as in the context of sending newsletters to which the customer has subscribed.
• The fulfilment of contractual obligations: the collection and processing of data necessary to fulfil a contract between the client and the Bank or to take measures prior to the conclusion of a contract.
• Legal requirements: CMB Monaco is required to process certain data in order to comply with legal and regulatory obligations, such as those relating to the fight against money laundering, fraud and other specific legal obligations.

Recipients and transfer of data

The personal data collected by CMB Monaco is intended exclusively for the Bank's authorised personnel, as well as for its service providers and partners involved in the provision of products and services.

This includes in particular:

• Service providers: Involved in the provision, administration or maintenance of banking services;
• Commercial partners and subcontractors: Processing data on behalf of the Bank, within the limits authorised by the contracts concluded between the parties. This includes IT service providers (hosting, platforms, technical support);
• Public authorities or institutions: Where required by law or regulation, particularly in the context of the fight against fraud, money laundering or for any legal requirement.

This includes: the Banque Nationale de France, financial or judicial authorities, supervisory authorities and courts.

This personal data may be shared with other entities of the Mediobanca Group in order to guarantee a consistent, high-quality service throughout the group and to provide you with suitable products and services.

In certain cases, the Bank may be required to share your personal data with third parties to protect its legitimate rights and interests, or when such disclosure is required by law.

Your data may also be processed or transferred outside the European Union. In this case, the Bank takes appropriate measures to guarantee a level of protection in accordance with the regulations in force.

If a service provider is located in a country that does not have equivalent data protection legislation, standard contractual clauses validated by the European Commission are put in place to ensure the protection of your personal data.

Storage of personal data

All personal data collected is stored for a limited period of time, depending on the purpose of the processing and the legal requirements in force concerning its storage.

Rights of the persons concerned

CMB Monaco uses all necessary means to guarantee the effectiveness of your rights relating to your personal data. You have the following rights:

• Right of access: Obtaining confirmation as to whether or not your personal data is processed by CMB Monaco and, if so, obtaining access to and a copy thereof.
• Right of rectification: correction of inaccurate or incomplete data.
• Right to object: refusal of the processing of your data for reasons relating to your particular situation, to the processing of personal data based on the legitimate interest of CMB Monaco.
• Right to restriction of processing: restriction of the processing of your personal data.
• Right to portability: to obtain your data in a structured, commonly used and machine-readable format, or to request its transfer, if technically possible.
• Right to be forgotten and to erasure: erasure of your data, except in the case of legal obligations to retain it. This right is not absolute; CMB Monaco may have legal or legitimate reasons to retain this data. This right only applies when the processing of your personal data is based on your consent or on the execution, and is carried out by automated processes.
• The right to lodge a complaint: You have the right to contact a Supervisory Authority to lodge a complaint about CMB Monaco's practices regarding the protection of your personal data.

How to contact the bank?

If you have any questions regarding the processing of your personal data, or to exercise your rights, you can contact your account manager or the Bank's Data Protection Officer (DPO).

To contact the Data Protection Officer (DPO), please send an email to the following address: dpo@cmb.mc, or send a letter to the following postal address:

CMB Monaco SAM
17, avenue des Spélugues
98000 Monaco

Change to the personal data protection policy

CMB Monaco may need to update this Data Protection Policy to adapt it to new regulations or practices. We encourage you to consult this policy regularly to be aware of any changes. In the event of significant changes, you will be informed by means of an appropriate notification.

Use of cookies

The User is informed that, when accessing and using the Site, certain files (known as cookies) may be temporarily installed and stored in the memory or on the hard disk of his/her personal computer equipment in order to facilitate navigation on the Site. Cookies are data that are sent from the web server to your browser where they are stored for later retrieval.

The User acknowledges having been informed of this practice and authorises the BCA to use it. To find out more about the BCA's use of cookies, the User is asked to consult the page dedicated to cookies.

If the User does not want cookies to be stored on his or her hard drive, he or she has the option of configuring his or her Internet browsers and/or devices to refuse cookies before accessing the Site at this link. In this case, the use of the Site or some of its features may be altered or impeded.

The user is informed that the Site uses Google Analytics, which is a web analytics service provided by Google, which CMB Monaco subscribes to in order to serve you better. The browsing data collected for these purposes is transferred to Google in the USA, a transfer for which CMB Monaco has duly obtained authorisation from the Personal Data Protection Authority (APDP).