Personal Data Protection Policy

1- Preamble

Attijariwafa Bank Group (hereinafter referred to as “the Group”) attaches great importance to the protection of your personal data (hereinafter “personal data”). That is the reason why the Group has adopted strong principles concerning the protection of this data.

The aim of this personal data protection Policy is to provide you with clear information concerning the manner in which the Group processes and protects the personal data of the interested persons, i.e. any natural person (salaried employee, client, prospective client, user of an internet site, shareholder/agent of a body corporate) whose personal data is collected by the Group. It informs the interested persons of the reasons why their data is used and possibly shared, and of the length of time this data is stored. It also indicates the rights of these persons as well as the modalities for exercising these rights.

The Group ensures that the collected personal data is processed fairly, lawfully and with full transparency. Each entity of the Group makes this Policy accessible on its internet site. The Policy is regularly updated and the fulfillment of its obligations is monitored. Informative notices relating to the protection of personal data, specific to the different products and/or services proposed by the Group, clarify and supplement this Policy on the different media used.

The Group undertakes to abide by the regulations in force on personal data processing, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), as well as any applicable national regulation.

2- Organization of personal data management at the level of Attijariwafa bank Group

A Data Protection Office entity has been set up within Attijariwafa bank Group in order to cover all regulatory requirements. This entity is led by a Data Protection Officer (DPO). A similar organization is set up at the level of the Group’s subsidiaries and adapted according to their size, activities and risk profiles.

3- Typologies of personal data processed by Attijariwafa bank Group

Personal data is any information relating to an identified or identifiable natural person.

The Group complies with the data minimization principle, i.e. it processes only personal data which is appropriate, pertinent and limited to what is strictly necessary for achieving the objective for which it is collected. Under this approach, the Group also strives to keep your personal data accurate and up-to-date.

3.1- Direct collection of personal data

The Group mainly processes personal data which it collects directly from you, or which results from the commercial relationship, such as:

  • Your identification data: family name, given name, date of birth, image, identification document, etc.;
  • Your contact details (private or professional): home address, email address, phone number, etc.;
  • Your data on personal life: marital status, number of children, composition of the household, etc.;
  • Your professional information: employer, function and remuneration, level of studies, etc.;
  • Your data of an economic, financial and transactional nature: history of transactions, operations generated on your accounts, bank details, number of bank cards, patrimonial and financial situation, etc.;
  • Your browsing data (internet sites or applications): data collected by means of online cookies;
  • Your data relating to habits and preferences: resulting from the use of products and services subscribed to, or from interactions with the Group;
  • Your data collected as part of exchanges with the Group or its different agencies (appointment reports), during meetings, videoconferences, calls, discussions through instant messaging, emails, interviews and telephone conversations.

As part of its activities, the Group may collect special categories of personal data (or “sensitive data”), such as health data, data relating to religious convictions or even biometric data, only when this is strictly necessary, especially in the context of the recruitment of its salaried employees, wealth management or the underwriting of insurance contracts.

Apart from these cases, the Group will never ask you to provide other sensitive data, such as data relating to racial or ethnic origin, political or philosophical opinions, trade union membership, your genetic data or data relating to your lifestyle or sexual orientation, unless a legal obligation requires it to do so.

3.2- Indirect collection of personal data

The Group may also have to collect the personal data mentioned above indirectly, from third parties (suppliers, partners, etc.), from publicly available sources (data from publications/databases made available by official authorities, data from internet sites/social networks containing information made public by the person himself, etc.) or from administrations and public authorities (tax administration, etc.).

4- Legal grounds for the use of personal data

In accordance with the regulations in force, any processing carried out by the Group in its capacity as Data Processor must rest on one of the following legal bases:

  • The implementation of a contract to which the interested person is a party, or the execution of pre-contractual measures taken upon the request of the latter;
  • The fulfillment of legal and regulatory obligations to which the Group or one of its entities is submitted;
  • The safeguard of the vital interests of the concerned person, or another natural person;
  • The performance of a public interest mission;
  • The legitimate interests pursued by the Group, while respecting the interests, freedoms and fundamental rights of the concerned person.

4.1- Execution of a contract or pre-contractual measures

The Group processes your personal data for the conclusion and implementation of contracts, such as:

  • The supply of pre-contractual information relating to the Group’s products and services;
  • The supply of products and services requested by the interested persons;
  • The management of contracts entered into with the concerned persons.

4.2- Fulfillment of legal or regulatory obligations

As it is composed of entities practising regulated professions, the Group is subject to specific legal and/or regulatory obligations, aiming for instance at:

  • Combating money laundering and terrorism financing;
  • Combating tax fraud;
  • Communication of personal data required for the maintenance of regulatory files (Central file of cheques, Central file of credit card withdrawals, File of Bank Accounts, File of capitalization and life insurance contracts, etc.).

4.3- Safeguard of the vital interests of the concerned person

If the processing is necessary for safeguarding the vital interests of the concerned person (for instance, in case of medical emergency), the Group is authorized to process his personal data, even without his consent, in accordance with the regulations in force.

4.4- Consent of the interested person

For some personal data processing activities, the Group will supply you with specific information so that you are able to consent or not to such processing. You may withdraw this consent at any time. This concerns, for instance:

  • insurance services requiring the processing of your health data;
  • commercial prospecting by electronic means (email or text message) aimed at individuals.

4.5- Legitimate interests of the Group

The Group and its entities process your personal data on the basis of their legitimate interest in ensuring their development and the security of their services, such as:

  • fighting fraud;
  • commercial prospecting by post or by phone aimed at individuals, and any type of canvassing aimed at legal entities;
  • infrastructure management and information system security;
  • assessing the satisfaction of clients with respect to the products and services offered by the Group.

5- Sharing of personal data

Your personal data may be communicated, in particular, to the following recipients, in connection with the purposes outlined above:

  • companies of Attijariwafa bank Group;
  • subcontractors, proxies, brokers or other intermediaries, partners or service providers who perform operations for the benefit of the Group;
  • empowered administrative or legal authorities, or more generally any authorized third party (lawyer, statutory auditor, etc.), in order to fulfill the legal or regulatory obligations to which the Group is submitted.

5.1- Sharing within the Group

As companies operating in the banking and insurance field, all entities of the Group work closely together throughout the world in order to create and distribute different insurance, financial and banking products.

The personal data collected is shared within the Group for commercial purposes, for the improvement of its efficiency, and for control, monitoring and risk control, in particular on the following bases:

  • compliance with legal and regulatory obligations, in particular:
    • sharing of data collected for client knowledge (Know Your Client);
    • consolidated risk management;
    • consolidated supervision of internal control;
    • combating money laundering and terrorism financing, and compliance with international sanctions and embargoes;
    • compliance with declarative obligations.
  • legitimate interests:
    • fighting fraud;
    • securing networks and information systems;
    • conducting development initiatives for commercial, communication and marketing purposes;
    • constructing an overall and coherent view of the Group’s portfolio of clients and activities;
    • adequately expanding the Group’s offer of products and services;
    • considerations of steering, supervision and governance within the Group.

5.2- Sharing out of the Group

In order to achieve some of the purposes set out in this Policy, the Group may (though not systematically) share your personal data with:

  • service providers who supply services on behalf of the Group, for instance computer services, printing, communication, collection, consulting, distribution and marketing services;
  • banking and trading partners, independent agents, intermediaries or brokers, financial institutions, counterparties and trade repositories with which the Group maintains relations, if such a transfer is necessary to provide you with services or products, to fulfill the contractual obligations of the Group or to complete transactions (for instance banks, correspondent banks, depositories, securities issuers, paying agents, exchange platforms, insurance companies, payment system operators, payment card issuers or intermediaries, mutual guarantee companies and financial security providers);
  • financial, tax, administrative, penal, legal, local or foreign authorities, arbitrators or mediators, law enforcement authorities, governmental bodies or public bodies, to which the Group or any member of the Group must disclose the data:
    • upon their request;
    • as part of a defense or response to a question, action or procedure;
    • in order to comply with a regulation or a recommendation from a competent authority addressed to the Group or to any member of the Group.
  • third-party payment service providers (information about bank accounts), for the purpose of providing a payment initiation service or account information service with the consent of the interested person;
  • certain regulated professions such as lawyers, notaries, rating agencies or statutory auditors, when specific circumstances so require (litigation, audit, etc.), as well as any actual or potential purchaser of the companies or activities of the Group, or its insurers.

6- Transfer of personal data abroad

The Group may be required to transfer your personal data abroad. In such a case, your personal data is communicated strictly for the purpose of carrying out its missions.

In case of a transfer of your personal data, the Group implements the appropriate measures available, in the light of the regulations in force, in order to ensure the supervision and the security of these transfers.

7- Storage of personal data

Attijariwafa bank retains your personal data for the time necessary to comply with applicable laws and regulations, or for a defined term, given its operational constraints such as bookkeeping, effective customer relationship management, the enforcement of rights through legal proceedings and the response to requests from regulatory bodies.

These storage periods are specified in the information documents provided to the interested persons and may be obtained by submitting a request to the Data Protection Officer.

8- Security of personal data

In accordance with the regulations in force, the Group implements technical and organizational measures in order to guarantee a level of security adapted and proportionate to the risk. These measures aim at ensuring the confidentiality, integrity, availability and resilience of personal data.

The Group takes all measures necessary to restore the availability of data and to allow access for the interested persons within appropriate time frames in case of a physical or technical incident. To this end, the Group regularly conducts assessments of its security levels. These assessments take into account the risks of destruction, loss, alteration, unauthorized access and unauthorized disclosure of personal data.

The Group requires each of the recipients of personal data to comply with appropriate security and confidentiality guarantees.

The Group, as a processing officer, informs the competent control authority of personal data breaches as soon as possible and, as far as possible, within seventy-two (72) hours after becoming aware of any personal data breach that may give rise to a risk for your rights and freedoms.

Any breach of your personal data that may give rise to a high risk for your rights and freedoms will be notified to you as soon as possible, in accordance with the regulations in force.

9- Exercise of the rights of the interested persons

In accordance with the law, you may exercise your rights with any entity of the Group which processes your data.

These rights are as follows:

  • Right of access: you may at any time obtain information about the processing of your personal data as well as a copy of it;
  • Right to rectification: if you deem that your personal data is inaccurate or incomplete, you may ask to have it modified accordingly;
  • Right to deletion: you may request the deletion of your personal data, within the limits authorized by the law;
  • Right to restriction of processing: you may request that the processing of your personal data be restricted;
  • Right to object: you may object to the processing of your personal data for reasons relating to your particular situation. You also have the absolute right to object at any time to the use of your personal data for commercial canvassing purposes, or for profiling purposes where such profiling is related to commercial prospecting;
  • Right to define directives relating to the retention, deletion or communication of your personal data, applicable after your death;
  • Right to withdraw your consent: if you have given your consent to the processing of your personal data, you may withdraw it at any time;
  • Right to data portability: where the law so authorizes, you may request the return of the personal data that you have supplied or, where technically possible, the transfer of this data to a third party.

If you wish to exercise one of the rights set out above, you may submit your request online using the rights exercise form accessible via the following link: Formulaire d'exercice des droits.

If Attijariwafa bank does not reply within the prescribed time limits following the exercise of a right, you may have recourse to the control authority in order to lodge a complaint.