Un prestito è un impegno vincolante e deve essere rimborsato. Verifica la tua capacità di rimborso prima di impegnarti.

FLOA Privacy policy

Effective May 2026

Download the PDF file Summary

Introduction

We take the protection of your personal data very seriously.

 

The BNP Paribas Group, of which Floa S.A. is a part, has in fact adopted specific rules on the protection of personal data within its "Charter for the Protection of Personal Data" available on the website https://group.bnpparibas/protection-donnees

 

Floa S.A. ("We"), as the controller of your personal data, is responsible for the collection and processing of your personal data that it carries out as part of its activities.

 

Our task is to help all our customers – private individuals – in their daily banking activities and in the implementation of their projects thanks to our financing solutions.


We are part of an integrated banking-insurance Group and, in collaboration with the different entities of the Group, we provide our customers with a complete range of banking products and services.

 

The purpose of this Privacy Policy is to explain how we process your personal data and how you can control and manage it.

1. ARE YOU THE RECIPIENT OF THIS PRIVACY POLICY?

This Privacy Policy applies in the following cases:

-        you are our customer or have a contractual relationship with us;

-        You have expressed interest in our products or services, providing us with your personal data, for example through our websites or applications, on social networks, or during events or promotional activities, with the aim of being contacted.

If you provide us with personal data relating to other people, we encourage you to inform them that we share their data with us and invite them to read this Policy. We will make every effort to provide them with this information directly if we have the relevant contact details.

2. WHAT ARE YOUR RIGHTS AND HOW CAN YOU EXERCISE THEM ?

You have rights, described below, that you can exercise to meaningfully control your personal data and the

processing of the same by us.

 

If you wish to exercise the rights listed below, you can submit a request:

 

  • with a letter to the following address: Service consommateur – FLOA – 36 rue de Messines – 59 686 Lille Cedex 9
  • or by e-mail to the following address: crc@services.floa.fr

 

 

If you have any questions regarding the use of your personal data under this Privacy Policy, you may contact our Data Protection Officer at the following dpo@floa.com address.

 

2.1.   You can request access to your personal data

You can directly access some of your customer account data on our www.floapay.it website .

If you wish to have access to your personal data, we will provide you with a copy of the personal data you have requested as well as information relating to its processing.

Your right of access may be limited as required by applicable law or regulation. For example, this happens when the legal provisions relating to anti-money laundering and countering the financing of terrorism prohibit giving direct access to personal data processed for this purpose.

2.2.   You can ask for the rectification of your personal data

Where you believe that your personal data is inaccurate or incomplete, you may request that such data be amended or supplemented accordingly. In some cases, you may be asked for supporting documentation.

2.3.   You can request the deletion of your personal data

You may request the deletion of your personal data, within the limits provided for by law and in cases where retention is not necessary in relation to the purposes for which it was collected and is processed.

2.4.   You can object to the processing of your personal data on the basis of legitimate interests

If you do not agree with the processing of your personal data based on our legitimate interests, you may object, at any time, on grounds relating to your particular situation, indicating the processing activity to which you relate and the grounds for objection. We will therefore no longer process your personal data unless there are legitimate grounds for doing so or the processing is necessary for the establishment, exercise or defence of our rights.

2.5.   You can object to the processing of your personal data for marketing purposes


You have the right to object at any time to the processing of your personal data for commercial communication purposes, including profiling, related to this purpose.

2.6.   You can restrict the processing of your personal data


Under certain conditions, you have the right to obtain the restriction of the processing of your data, if it is not relevant for the purpose of the continuation of the contractual relationship or is not necessary by law.


2.7.   You have the right to object against an automated decision

 

In principle, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you. However, such decisions may be taken when they are necessary for the conclusion or performance of a contract with us, are authorised by applicable law, or are based on your explicit consent.

In any case, you have the right to appeal the decision, express your point of view and request the intervention of a competent person to review the decision.

2.8.  You can withdraw your consent

If you have given your consent to the processing of your personal data, you can withdraw that consent at any time. We remind you that the withdrawal of consent does not affect the legitimacy of the processing carried out up to that moment.

2.9.   You can request portability of your personal data

You have the right to obtain a copy of the personal data you have provided to us, in a structured, commonly used and machine-readable format. If technically possible, you can also request that this data be transmitted directly to another controller.

2.10.                How to lodge a complaint with the Italian Data Protection Authority

 

In addition to the above rights, you can lodge a complaint with the competent supervisory authority, which is usually that of your place of residence, in Italy the Guarantor for the Protection of Personal Data.

3. WHY AND ON WHICH LEGAL BASIS DO WE USE YOUR PERSONAL DATA?

In this section we explain why we process your personal data and the legal basis for doing so. 

3.1. Your personal data is processed to comply with legal obligations to which we are subject


Your personal data are processed where necessary to enable us to comply with the regulations to which we are subject, including banking and financial regulations.  

3.1.1. We use your personal data to: 
  • monitor operations and transactions to identify those that deviate from the normal routine/patterns;
  • manage and report the risks (financial, credit, legal, compliance or reputational, etc.) that the BNP Paribas Group may incur in the course of its activities
  • assisting in the fight against tax fraud and fulfilling tax control and reporting obligations;
  • when mandatory, record transactions for accounting purposes;
  •  prevent, detect and report risks related to Corporate Social Responsibility and sustainable development;
  • detecting and preventing corruption;
  • where appropriate, comply with the provisions applicable to trust service providers issuing electronic signature certificates;
  •  exchange and report different operations, transactions, or orders or respond to an official request from duly authorized local or foreign financial, tax, administrative, criminal, or judicial authorities, arbitrators or mediators, law enforcement agencies, state agencies, or public bodies;
  • respond to requests relating to the exercise of your rights, addressed to FLOA pursuant to Article 2.

3.1.2. We also process your personal data for anti-money laundering and countering the financing of terrorism purposes


As part of a Banking Group, we need to have a robust anti-money laundering and countering the financing of terrorism (AML/TF) system in place in each of our centrally managed entities, as well as a system for the application of local, European and international sanctions.

 

In this context, we are joint controllers with BNP Paribas SA, the parent company of the BNP Paribas Group (the term "We" in this section also includes BNP Paribas SA).

 

The processing activities carried out under the joint controllership regime and carried out to comply with these legal obligations are detailed in Appendix 1. 

3.2. Your personal data is processed for the performance of a contract to which you are a party or pre-contractual measures taken at your request

Your personal data is processed when it is necessary to enter into or perform a contract for: 
  • define your degree of reliability and solvency (so-called credit scoring as better specified in the processing methods referred to in point 4);
  • assess (for example, based on your credit risk score) whether we can offer you a product or service and under what conditions; 
  • provide you with the products and services you have subscribed to under the applicable contract; 
  • to keep proof of operations or transactions, including in electronic format; 
  • manage existing debts, recover any debts, overdue payments and the amicable or judicial recovery of any credit granted. 
  • respond to your requests and assist you; 
  • consider your entry into competitions organised by or in partnership with FLOA, manage your participation, enter prize draws and send you your winnings, if applicable; 
  • communicate with you through the different channels to provide you with service communications relating to the relationships you have with Floa.

3.3. Your personal data is processed to meet our legitimate interest or that of a third party


Where we base a processing activity on a legitimate interest, we weigh that interest against the interests of the data subject or with his or her fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing activity, please contact us at the following address: Service consommateur – FLOA – 36 rue de Messines – 59 686 Lille Cedex 9 or at the following email address: dpo@floa.com .


3.3.1       As part of our banking business, we process your personal data on the basis of legitimate interest to:

  •  manage the risks to which we are exposed:
    •  when mandatory, we retain proof of operations or transactions, including in electronic proof;
    • we monitor your transactions to manage, prevent and detect fraud
    • we handle any legal disputes and defend ourselves in the event of disputes
    •  we develop individual statistical models to help define your creditworthiness
    • also through the communication in the Credit Information Systems (SIC) of positive information relating to the punctuality of payments;
  • improve cybersecurity, manage our platforms and websites, and ensure business continuity;
  • improve the automation and efficiency of our operational processes and customer services (e.g., auto-filling forms, tracking your requests, and improving your satisfaction based on personal data collected during our interactions with you, such as phone, email, or chat recordings)
  •  If necessary, carry out financial transactions such as the sale of debt portfolios, securitisations, loans or refinancing of the BNP Paribas Group.
  • conduct statistical studies and develop predictive and descriptive models to:
    •  business purpose: to identify products and services that could best meet your needs, to create new offers or identify new trends among our customers, to develop our commercial policy taking into account the preferences of our customers;
    • safety purposes: preventing potential accidents and improving safety management;
    •  compliance purposes (e.g., anti-money laundering and countering the financing of terrorism) and risk management;
    •  anti-fraud purposes.
  •  organize promotional operations, conduct opinion and customer satisfaction surveys.

 

3.3.2.          We use your personal data to send you commercial offers by email

 

We want to be able to offer you access to the full range of products and services that best meet your needs.

Once you have become our customer, and unless you object, Floa may send you promotional communications in electronic format relating to our products and services, or those intermediated by us, as long as they are similar to those you already use.

 

 

 

 

3.3.3.          We analyse your personal data to perform standard profiling to personalise our products and offers

To improve your experience and satisfaction, we need to determine which customer group you belong to. To do this, we build a standard profile from relevant data that we select from the following information:

  • what you have communicated to us directly during our interactions with you or when you subscribe to a product or service
  •  arising from your use of our products or services
  •  from the use of our various channels: websites and applications. For example, if you are digitally savvy and prefer a customer journey to subscribe to a product or service with greater autonomy (selfcare);

 

Unless you object, we will perform this personalization based on standard profiling.

We may go further to better meet your needs by performing bespoke customisation as described in the paragraph below.

 

3.4.  Your personal data is processed if you have given consent

 

To carry out certain processing of your personal data, we need your consent, which you can withdraw at any time.

 

3.4.1.           Floa may communicate your personal data to third-party companies, belonging to the BNP Paribas Group, which will process them as independent data controllers.


In particular, we may communicate to these companies your contact details, the products you have with us and the customer profile to which you belong (obtained according to the legal bases detailed above for profiling that will be processed by them as independent data controllers) for the purposes of commercial information, direct offers of their products and services,  carried out through automated and traditional methods of contact.

 

Further consents to the processing of your personal data may be requested where necessary to allow us to carry out processing for purposes other than those indicated above.

 

4. METHODS OF PROCESSING

For the purposes described above, personal data may be processed manually, electronically and/or otherwise

automated according to logics strictly related to the purposes of processing and, in any case, in such a way as to guarantee their security and confidentiality even in the case of processing through innovative remote communication tools.

 

The data are always processed in full compliance with the principle of proportionality of processing, according to which all personal data and data

various methods of their processing must be relevant and not excessive in relation to the purposes pursued.

 

For the purposes referred to in Article 3.2, the data are subject to special statistical processing in order to give you a summary judgment or a score on your degree of reliability and solvency (so-called credit scoring), taking into account the following main types of factors: socio-professional data and characteristics of the requested transaction, progress and payment history of existing or terminated relationships. Some additional information may be provided to the data subject in the event of failure to accept a credit application. The credit scoring of the interested party is regularly verified by Floa so that it is kept fair, effective and impartial. In order to better assess Floa's credit risk, for the purposes referred to in art. 3.3, communicates certain data (personal data; type of Contract; amount of credit; repayment methods) to credit information systems ("SIC"), which are governed by the relevant SIC Code of Conduct approved by the Italian Data Protection Authority with Provision no. 163 of 19 September 2019. These systems are large databases set up to assess credit risk, managed by private individuals and available to many parties. This means that other banks or financial institutions from which the interested party will ask for another loan, financing, credit card, etc., even to buy a consumer good in installments, will be able to know if he has submitted a recent loan request to Floa, if he has other loans or financing in progress and if he regularly pays the installments.

 

For the purposes of concluding the contract and for the purposes of credit protection, creditworthiness assessment as well as for the prevention of over-indebtedness, the loan request submitted by you to Floa will also be subject to an automated decision-making process based exclusively on the data you provide, on the so-called credit scoring and on any information present in the SICs. This process may result in the automatic acceptance or rejection of the funding request submitted.

 

In any case, you will always have the right to obtain human intervention in order to be able to express your opinion or contest the decision. The SCIs to which Findomestic adheres are managed by:

 

  •  CRIF S. p.A.: with registered office in Bologna, Public Relations Office: Via Zanardi, n. 41, 40131 Bologna, Fax: 0516458940, Tel: 0516458900, website www.crif.it, positive and negative SIC, which includes, as categories of participants: banks, financial intermediaries, private individuals who, in the exercise of a commercial or professional activity, grant deferrals of payment of the consideration for the supply of goods or services.

 

 

 

Data retention times in SICs

Funding requests

6 months, if the investigation requires it, or 90 days in case of refusal of the request or waiver of the same

Arrears of two installments or two months then remedied

12 months from regularization

Higher delays remedied even on transaction

24 months from regularization

Negative events (i.e. arrears, serious defaults, non-performing loans) not remedied

36 months from the date of expiry of the contract or from the date on which it was necessary to update them (in the case of subsequent agreements or other relevant events in relation to the repayment), in the latter case the term may not exceed 60 months from the date of expiry of the relationship, as shown in the loan agreement

Reports that have been successful (without delays or other negative events)

36 months in the presence of other relationships with negative events that have not been regularized. In the remaining cases, the term will be 60 months from the date of termination of the relationship or expiry of the Contract, or from the first update made in the month following such dates.

 

5. WHAT TYPES OF PERSONAL DATA DO WE COLLECT?

We collect and use your personal data, which is any information that identifies you or allows you to be identified.

 

Depending on the types of products or services we provide to you and the interactions we have with you, we collect various types of personal data about you, including:

·               Identifying information: e.g., marital status, full name, gender, place and date of birth, nationality, ID number (ID card, passport), photograph, digital selfie, signature);

·       Contact information: postal address, email address, landline and mobile phone number;

·       Information about your financial and family situation: e.g. marital status, matrimonial regime, number of children and age, household composition, housing situation: apartment or house owned or rented;

·       Economic, financial and tax information: e.g., country of residence, salary and other income, expenses;

·       Education and employment information: e.g., occupation, seniority, employer's name, and pay;

·       Banking and financial information related to the products and services in your possession/request: e.g., bank details (RIB/IBAN, bank card number, bank card expiration date), banking institution, seniority, products and services requested/owned and used (credit, home protection), amount and duration of products or services requested/held and programs used, credit history,  history of products and services subscribed to or under evaluation, late payments;

·       Transaction data: file number corresponding to the products and services you own/have requested, account movements and balances, transactions including payee data such as full names, addresses and contact details, as well as details of bank transactions, amount, date, time and type of transaction (credit card, transfer, cheque, direct debit);

·       Data relating to your habits and preferences in relation to the use of our products and services;

·               Data collected from our interactions with you: for example, your comments, suggestions, needs collected during our exchanges with you and online during telephone communications (conversation), email discussion, chat, chatbot, exchanges on our social media pages, your latest complaints, and your connection, browsing and tracking data such as cookies and trackers for non-functional purposes. advertising or analytics on our websites, online services, applications, social media pages in accordance with our Cookie Management Policy;

·       Data about your devices (mobile phone, computer, tablet, etc.): IP address, technical specifications and unique identification data;

·               Custom login credentials or security features used to connect you to FLOA websites and apps.

 

We may collect sensitive data such as health data, biometric data or data relating to crimes, subject to the strict conditions set out in data protection regulations.

6. FROM WHOM DO WE COLLECT PERSONAL DATA?

We collect personal data directly from you; However, we may also collect personal data from other sources.

 

We sometimes collect data from public sources:

·       publications/databases made available by official authorities or third parties (e.g. databases maintained by financial sector supervisors);

·       websites/social media pages of legal entities or business customers containing information that the data subject has disclosed (e.g., their own website or social media page);

·       public information such as that published in the press.

 

We also collect personal data from third parties:

·       by other entities of the BNP Paribas Group;

·       from our customers (companies or individuals);

·       from our business partners; third parties with whom you have subscribed to a product or service and/or who you have authorised to communicate your personal data to us;

·       credit information systems ("SICs"), as set out in Annex 2;

·       by payment initiation service providers and account aggregators (account information service providers);

·       from third parties such as credit reference agencies and fraud prevention agencies;

·       by data intermediaries who are responsible for ensuring that they collect the relevant information lawfully.

7. WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?

a.     With the entities of the BNP Paribas Group

As part of the BNP Paribas Group, we work closely with the other companies of the Group around the world. Your personal data may then be shared between BNP Paribas Group entities, where necessary, to:

·       comply with our various legal and regulatory obligations described above;

·       to meet our legitimate interests which are:

o    managing, preventing, detecting fraud;

o    conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;

improve the accuracy of certain data relating to you, processed by BNP Paribas Group companies. In particular, data will be shared when necessary to fulfil legal obligations incumbent on the various entities (also for anti-money laundering purposes by sharing your anti-money laundering profile at group level with a view to centralised and shared risk monitoring – Appendix 1) and to always have accurate and up-to-date data (e.g. contact details where necessary for an entity to contact you).;

 

b.     With recipients outside the BNP Paribas group and data processors

In order to fulfill some of the purposes described in this Privacy Policy, we may, where necessary, share your personal data with:

·               data processors who perform services on our behalf (e.g. IT services, logistics, printing services, telecommunications, debt collection, consultancy, distribution and marketing) as well as with auditing firms that support our business, and with whom Floa has defined specific obligations regarding the processing of personal data;

·       banking and business partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with whom we have a relationship:

o    if such transmission is necessary to enable us to provide you with the services and products or to perform our contractual obligations or transactions (e.g., banks, correspondent banks, payment system operators, payment card issuers or intermediaries);

o    To allow you to use the services/products jointly offered as part of the partnership (e.g. we may notify the Partner of the opening of the relationship with us if necessary to offer you dedicated services that are part of the partnership you wanted to benefit from);

·       credit information systems ("SICs"), as set out in Annex 2;

·       financial, fiscal, administrative, criminal or judicial authorities, local or foreign, arbitrators or mediators, public authorities or institutions, to which we, or any member of the BNP Paribas Group, are required to communicate pursuant to:

o    their request;

o    our defense, action or proceeding;

o    comply with a regulation or recommendation issued by a competent authority that applies to us or any member of the BNP Paribas Group;

·       third-party payment service providers (your bank account information), for the purpose of providing you with a payment initiation or account information service, if you have consented to the transfer of your personal data to that third party;

·       certain regulated professions such as lawyers, bailiffs, notaries or auditors, when necessary in specific circumstances (litigation, auditing, etc.), as well as to our insurers or to an actual or proposed purchaser of the BNP Paribas Group's companies or assets.

 

8. INTERNATIONAL TRANSFERS OF PERSONAL DATA?

In the case of international transfers from the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place. Where the European Commission has recognised that a non-EEA country provides an adequate level of data protection, the data subject's personal data may be transferred on this basis.

 

For transfers to non-EEA countries where the level of protection has not been recognised as adequate by the European Commission, we will either rely on an exception applicable to the specific situation (for example, if the transfer is necessary to perform our contract with you, for example when making an international payment) or implement one of the following safeguards to ensure the protection of your personal data:

·       Standard contractual clauses approved by the European Commission;

·       Binding corporate rules.

 

To obtain a copy of such warranties or detailed information about where they are available, you may submit a written request as indicated in the dpofloa@floa.com.

9. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We retain your personal data for the following periods:

 

·       If you are one of our customers, your personal data is kept for 5 years from the end of your contract and the closure of your customer account.

 

·       Your contract is kept for 10 years, in accordance with our legal obligations.

 

·       If you are one of our potential customers (you do not have a contract with us), your personal data is kept for 3 years from the date of collection or the last contact by you.

 

·       If your credit application is unsuccessful, your personal data is kept for 6 months from the date of rejection of your application.

 

·       Special case of fraud reports and overt fraud:

 

o In the event of a fraud alert: any external fraud notice that is not qualified within 12 months of issuance is immediately deleted;

o In case of serious fraud: the data relating to serious fraud are kept for a maximum of 5 years from the closure of the fraud file.

 

·       Recordings of phone calls: these are kept for the time necessary to achieve the purpose for which they were made.

 

For example, in order to improve the automation and efficiency of our operational processes and customer service, a part of our telephone exchanges may be retained for a maximum duration of six months (unless the data subject objects).

 

 

- Cookies and tracers: The procedures for placing cookies and other tracers are detailed in our dedicated Policy.

 

When a friendly, administrative or judicial procedure is underway, your personal data is stored until its conclusion. It is then filed in accordance with the applicable statutory statute of limitations. You will be informed of any processing of personal data with a retention period other than those listed above.

 

Subject to legal exceptions, the data subject has the rights over his or her personal data described in Article 2.

10. HOW TO GOLLOW THE EVOLUTION OF THIS PRIVACY POLICY?

 

In a world where technologies are constantly evolving, this Privacy Policy is regularly reviewed and updated as needed.

 

We encourage you to review the latest version of this document online and we will notify you of any significant changes through our website or through our standard communication channels.

Appendix 1
Processing of personal data to combat money laundering and the financing of terrorism

We are part of a Banking Group that must adopt and maintain a robust anti-money laundering and countering the financing of terrorism (AML/CFT) program for all its centrally managed entities, an anti-corruption program, as well as a mechanism to ensure compliance with international sanctions (i.e. any economic or trade sanctions, including associated laws,   regulations, restrictive measures, embargoes and asset freezes issued, administered, imposed or enforced by the French Republic, the European Union, the Office of Foreign Assets Control of the United States Department of the Treasury and any competent authority in the territories in which the BNP Paribas Group is established).

 

In this context, we act as joint controllers together with BNP Paribas SA, the parent company of the BNP Paribas Group (the term "we" or "us" as used in this appendix therefore also includes BNP Paribas SA).

 

To comply with AML/CFT obligations and international sanctions, we perform the processing operations listed below to comply with our legal obligations:

·       A Know Your Customer (KYC) program reasonably designed to identify, verify, and update the identity of our customers, including, where applicable, their beneficial owners and proxy holders;

·       Enhanced due diligence for high-risk clients, Politically Exposed Persons or "PEPs" (PEPs are persons defined by legislation who, due to their function or position (political, judicial or administrative), are more exposed to such risks), and for situations of increased risk;

·       written policies, procedures and controls reasonably designed to ensure that the Bank does not establish or maintain relationships with shell banks;

·       A policy, based on internal assessment of risks and economic situation, not to elaborate or otherwise engage, regardless of currency, in activities or business:

o    for, on behalf of, or for the benefit of any individual, entity or organization subject to Sanctions by the French Republic, the European Union, the United States, the United Nations or, in some cases, other local sanctions in the territories in which the Group operates;

o    involving directly or indirectly sanctioned territories, including Crimea/Sevastopol, Cuba, Iran, North Korea or Syria;

o    involving financial institutions or territories that could be linked or controlled by terrorist organizations, recognized as such by the competent authorities in France, the European Union, the United States or the United Nations.

·       Customer database screening and transaction filtering reasonably designed to ensure compliance with applicable laws;

·       Systems and processes designed to detect and report suspicious activity to the relevant regulators;

·       A compliance program reasonably designed to prevent and detect bribery, bribery, and illicit influence under France's "Sapin II" law, the U.S. FCPA, and the United Kingdom's Bribery Act.

 

In this context, we use:

·       services provided by third-party providers who maintain up-to-date lists of PEPs such as Dow Jones Factiva (provided by Dow Jones & Company, Inc.) and the World-Check service (provided by REFINITIV, REFINITIV US LLC and London Bank of Exchanges);

·       publicly available information in the press on facts related to money laundering, terrorist financing or corruption;

·       knowledge of a risky behaviour or situation (existence of a suspicious transaction report or equivalent) that can be identified at the BNP Paribas Group level.

We carry out these checks when you enter into a relationship with us, but also throughout the relationship we have with you, both about yourself and the transactions you make. At the end of the relationship and if you have been the subject of a report, this information will be retained in order to identify you and to adjust our controls in the event that you enter into a new relationship with an entity of the BNP Paribas Group, or in the context of a transaction to which you are a party. 

 

In order to comply with our legal obligations, we exchange the information collected for AML/CFT, anti-corruption or international sanctions purposes between BNP Paribas Group entities. When your data is exchanged with countries outside the European Economic Area that do not provide an adequate level of protection, the transfers are governed by the European Commission's standard contractual clauses. When additional data is collected and exchanged in order to comply with the regulations of non-EU countries, this processing is necessary for our legitimate interest, which is to enable the BNP Paribas Group and its entities to comply with their legal obligations and to avoid local sanctions.


 

Appendix 2
Automated decisions including profiling

We carry out various types of profiling, the characteristics of which are described below. Profiling, in whole or in part, can be carried out in a fully automated manner, in accordance with Article 2.7.

 

1.                   Defining and implementing scoring rules for marketing purposes

 

Defining scoring rules for marketing purposes allows FLOA to know the interest of its customers and potential customers in a product or service and their preferences, in particular with regard to the communication channel used. FLOA can thus adapt its offer (proposed product or service and characteristics of the offer) and the frequency of contact.

 

The data taken into account for the determination of scoring models can be any data about you, collected directly or indirectly.

Let's select a few fields that are useful for modeling scoring rules for marketing purposes, which can be correlated with one or more others and then associated with a weighting.

 

Scoring rules modeled in this way can be used to:

·       establish segments and categories of customers and prospects (e.g. based on the behavior observed when applying for a loan);

·       identify the desire of customers and potential customers for a product or service;

·       measure the responsiveness of customers and prospects when they receive and open an offer sent by email/SMS and identify the preferences of customers and prospects regarding the communication channel used.

 

FLOA can therefore adapt its offers (products or services proposed and characteristics of the offers), the pace and the communication channel in order to respect the choices of its customers and potential customers, provide them with quality information and services, adapted to their needs, and improve their satisfaction.

 

This purpose may have the effect of excluding certain people from marketing campaigns and/or certain communication channels.

 

 

2.                   Definition and implementation of scoring rules for the purposes of granting and collection

 

The definition and scoring rules for the purposes of granting and collection allows FLOA to control credit risk (in the case of potential customers) and the risk of non-payment (in the case of customers).

 

The data taken into account for the determination of scoring models can be any data about you, collected directly or indirectly.

We select a few fields that are useful for modeling scoring rules for granting and collection purposes, which can then be correlated with one or more others and associated with a weighting.

In order to better assess the credit risk score, in accordance with the procedures defined in paragraph 4 of this policy, we communicate certain data (personal data, type of contract, amount of credit, repayment methods) to the credit information systems ("SICs"), governed by the relevant SIC Code of Conduct approved by the Italian Data Protection Authority with Provision no. 163 of 19 September 2019.

These are large databases set up to assess credit risk, managed by private individuals and available to several subjects.

 This means that other banks or financial institutions from which the interested party will ask for another loan, financing, credit card, etc., even for the installment purchase of a consumer good, will be able to know if he has submitted a recent loan request, if he has other loans or financing in progress and if he regularly pays the installments.

For the purposes of concluding the contract and for the purposes of credit protection, creditworthiness assessment as well as the prevention of over-indebtedness, the loan application submitted by you to us will also be subject to an automated decision-making process based exclusively on the data you provide, so-called credit scoring and any information contained in the SICs.

This process may result in the automatic acceptance or rejection of the funding request submitted. In any case, you will always have the right to obtain human intervention to be able to express your opinion or challenge the decision. The SCI to which we belong is managed by:

CRIF S.p.A.: with registered office in Bologna, Public Relations Office: Via Zanardi, n. 41, 40131 Bologna, Fax: 0516458940, Tel: 0516458900, www.crif.it website, positive and negative SIC, which includes, as categories of participants: banks, financial intermediaries, private individuals who, in the exercise of a commercial or professional activity, grant deferrals of payment of the consideration for the supply of goods or services.

 

The scoring rules modeled in this way can be used to calculate credit risk (in the case of potential customers) and the risk of non-payment (in the case of customers), allowing the person concerned to:

 

·       subscribe to a product appropriate to its borrowing capacity;

·       prevent the risk of debt collection/over-indebtedness;

·       be protected, in the case of customers identified as "fragile".

 

This purpose may have the effect of excluding certain persons from taking out a loan (refusal), of determining a change in the maximum amount of the loan or of generating the proposal of a product better suited to the lending capacity of the person concerned.

 

3.                   Definition and implementation of scoring rules to combat fraud

 

Defining scoring rules to combat fraud allows FLOA to identify signals that can help detect fraud, such as technical and behavioral environments that favor the action of a potential fraudster.

 

The data taken into account for the determination of scoring models can be any data about you, collected directly or indirectly.

We select a few fields that are useful for modeling scoring rules to combat fraud, which can then be correlated with one or more others and associated with a weighting.

 

Implementing scoring rules modeled in this way allows FLOA to:

·       prevent fraudulent behaviour,

·       detect fraudulent behavior,

·       combat fraudulent behavior.

 

This may result in the exclusion of certain persons from taking out a claim (refusal to grant), the termination of ongoing contractual relationships or the initiation of amicable or judicial proceedings.