This Privacy Policy is issued by:
Societe Generale a French société anonyme incorporated in France, under registration number RC2 552 120 222, acting through its London Branch, whose principal place of business is at One Bank Street, Canary Wharf, London E14 4SG; and

Societe Generale International Limited a company registered in England and Wales under number 05407520 and whose registered address is at One Bank Street, Canary Wharf, London E14 4SG,

(together or singularly referred to as “we, “us” or “our”), each acting as a data controller (as defined in UK Data Protection Laws*).

This Privacy Policy is addressed to individuals associated with organisations or third parties with whom we interact in the areas of our investment banking, global finance, global markets (including prime brokerage) and Securities Services activities, as well as individuals associated with our clients and prospective clients, including: their legal representatives, signatories, authorised personnel, directors, beneficial owners, trustees, other employees, associates of and any other person duly authorised to act on behalf of the customer (together, “you”).

As a data controller, we may collect and process personal data about you. This personal data will be collected directly from you or from the organisation that you represent, from publicly available sources, or from third parties providing services to us.
This Policy sets out:

1. Information about the types of personal data we process, how and why we process personal data and our lawful basis for processing your personal data;
2. Information on Communication to third parties and data sharing;
3. Transfers outside the European Economic Area;
4. Information about your rights under UK Data Protection Laws; and
5. Information on data security.

This Policy may be amended or updated from time to time to reflect changes in practices with respect to the processing of personal data or changes in applicable law. 

Data protection principles

We will comply with data protection law. This says that the personal data we hold about you must be:

1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told you about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told you about.
6. Kept securely.

The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

* UK Data Protection Laws means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018;

1 - Processing Purpose

1.1 Categories of Personal Data

During our banking relationship with you, we will, in compliance with UK Data Protection Laws, collect and process the following personal data relating to you:

• Identification data: name, address, date of birth, nationality, identity documents, images in the form of photographs and/or video recordings.
• Personal data: marital/civil status, special category data (as defined by Articles 9 and 10).
• Professional data: professional contact details, job title.
• Data related to incident prevention and management
• Economic and financial information.
• Conversations and communications with us.

1.2 Processing Purposes

We have set out the purposes for which we process your personal data in the Appendix to this Policy entitled “List of Personal Data Processing” (the “Appendix (List of Personal Data Processing)”)

1.3 Lawful Basis for Processing

• Contract performance: we will use your personal data to provide you with products or services that you request, in order to perform contracts to which you are a party or have an interest in, or in order to take steps at your request prior to entering into a contract.
• Legal obligation: personal data is also processed for the purposes of complying with statutory and regulatory requirements to which we are subject to, particularly in matters concerning financial market obligations, identification controls, checking transactions, operational risk management, the prevention of conflicts of interests, the prevention of the fraud, the fight against money laundering and financing of terrorism.
• Legitimate interests: some of the processing we carry out is necessary for our legitimate interests or those of third parties.
• Consent: your consent will be obtained for processing that requires such consent, and in particular where the fundamental rights of individuals override our legitimate interest. Your consent is not obtained where processing is necessary to provide services and products, or in connection with compulsory and regulatory processing.

Further information regarding our lawful basis for processing is provided in the Appendix (List of Personal Data Processing).

1.4 Retention of Data

We will only retain personal data for as long as necessary to fulfil the purposes that we collected it for, including for the purposes of satisfying any legal, accounting, reporting requirements, or to comply with internal policy requirements. The criteria used to determine the retention periods are detailed in the Appendix (List of Personal Data Processing).

2 - Communication with Third Parties

We will disclose personal data to other legal entities within the Societe Generale Group for the purpose of managing our banking relationship, managing products and services, executing the account holder’s orders and transactions, managing accounting procedures of the Group, notably when pooling resources and services within the Societe Generale Group.

In addition, we entrust certain operational functions to other entities of the Societe Generale Group or to service providers, chosen for their expertise and reliability to provide specific services. In such cases, we will take all physical, technical and organizational measures necessary to ensure the security and confidentiality of your personal data. In addition, third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

3 - Transfers of Personal Data Outside the European Economic Area (EEA)

Given the international dimension of the Societe Generale Group, and in order to optimize the quality of our services, the communication of information mentioned above may involve the transfer of personal data outside the EEA, whose legislation on the protection of personal data is different from that of the European Union and/or United Kingdom.

Where we transfer personal data outside the EEA (except where the concerned country has been officially recognized by the European Commission as ensuring that personal data has an adequate level of protection equivalent to the European standard), we will ensure that the transferred data is protected by suitable Standard Contractual Clauses or other appropriate safeguards referred to in UK Data Protection Laws.

If you require further information about safeguards applied to international transfers of personal data, please send your queries to the email address in section 5 below.

We may also disclose personal data, upon request, to the official bodies and administrative or judicial authorities of a country, located within or outside the EEA, particularly in the context of the fight against money laundering and terrorist financing.

4 - Security of Processing

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instruction, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

5 - Your rights under UK Data Protection Laws

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you would like to review, verify, correct, request erasure or object to the processing of your personal information; request that we transfer a copy of your personal information to another party; or if you have any general queries about how we handle your personal data, please email: [email protected]

6 - Data Protection Officer

We have appointed a data protection officer (DPO) to oversee compliance of data protection laws. Our DPO can be contacted by:

Email: [email protected]
Post: UK Data Protection Officer, UK Data Protection Office, Societe Generale London Branch, One Bank Street, London E14 4SG

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues at the following address:

Information Commissioner’s Office, Wycliffe House,Water Lane, Wilmslow, Cheshire SK9 5AF