INTRODUCTION
BLC is committed to conducting its activities in compliance with Banking Secrecy Law and Data Protection obligations. BLC aims to protect Individuals’ personal data by enforcing a Data Protection Policy that provides the highest level of privacy and security regarding the collection and use of data.
This policy describes how the Bank may collect, use, protect and disclose Individuals’ personal information. Personal information comprises all the details BLC holds or collects directly or indirectly about Individuals, their transactions, financial information, interactions or dealings with BLC, including information received from third parties and information collected through the use of the BLC website and electronic banking services.
LEGAL & REGULATORY FRAMEWORK
The main legal basis establishing data protection requirements at BLC Bank is the provisions of national Law No. 81/2018, the General Data Protection Regulation (GDPR), and BDL Circular No. 146/2018, which intend to:
- Protect individuals from having their personal data misused or mishandled and assure to them that their personal information is being securely protected.
- Establish individuals’ rights by creating responsibilities for businesses and setting guidelines for the way they handle and store personal data.
- Give individuals control over their personal data.
- Improve the level of compliance by introducing significant penalties on organizations that fail to meet their regulatory obligations.
BLC will ensure that the data collected are effectively protected, in order to fulfill individuals’ reasonable expectations of privacy, by complying with the applicable laws and regulations.
PURPOSE & SCOPE
The purpose of this policy is to set out the principles of data protection that BLC Bank shall follow and to provide a managed framework for fulfilling BLC Bank business needs, accountability and legal responsibilities.
This policy applies to the personal data of individuals, being current and former employees, representatives, shareholders, BOD members, prospective, current and former customers, authorized signatories, beneficial owners, guarantors, advisers, contractors, service providers, partners, payers, payees and security providers. It applies also to personal data gathered in respect of onboarding customers at the outset of any business relationship and after its conclusion.
This policy covers all personal data processed, regardless of the medium on which that personal data is stored.
GENERAL DATA PROTECTION PRINCIPLES
BLC will be guided by the data protection principles relating to the processing of personal data.
BLC will only process Personal Data fairly and lawfully and for specified purposes. These restrictions are not intended to prevent processing but to ensure that BLC processes Personal Data for legitimate purposes.
BLC must provide detailed, specific information to data subjects about what happens to their Personal Data. This information will be provided through appropriate privacy notices that must be concise, transparent, intelligible, easily accessible and in clear and plain language, to allow the data subjects to easily understand the status of their Personal Data.
Explicit consent will be obtained in situations where a serious data protection risk emerges, that is, where a high level of individual control over personal data is deemed appropriate. The consent must be freely given and specific, and must include an unambiguous indication, whether by a clear statement or by an affirmative action, that the data subject agrees to the processing of his/her personal data.
When BLC processes personal data that are necessary to conduct a service requested by a customer under the agreed terms and conditions, the processing is considered legitimate and no further consent is needed.
Written consent shall be presented in an understandable and easily accessible form, using clear and plain language.
Data subjects shall be able to withdraw their consents to processing based on the Bank’s internal procedure. BLC shall maintain a record of all consents obtained to demonstrate compliance.
Personal Data will be collected only for specified, explicit and legitimate purposes. It will not be further processed in a manner incompatible with those purposes unless the data subject is informed of the new purpose and gives his or her written consent.
BLC shall make sure that the processed Personal Data is adequate and relevant to the purpose for which it is intended to be processed and will not accumulate Personal Data that is not relevant for those purposes. BLC shall draft a retention policy to ensure that when Personal Data is no longer needed for specified purposes, it is securely destroyed or anonymised.
It is the responsibility of the data subject to provide accurate and updated personal data to BLC. BLC will take all reasonable steps to check the accuracy of any personal data at the point of collection and follow the procedure for reviewing the data at regular intervals thereafter. Incorrect or misleading data will be corrected or deleted as appropriate.
Personal Data will be retained for as long as reasonably necessary and/or as required or permitted by law. BLC will take reasonable steps to destroy or erase all personal data that is no longer required by national laws and regulations.
BLC Bank shall take the reasonably necessary measures to protect the personal data it processes and to prevent its distortion, alteration, damage or unauthorized access, through the implementation of a robust security program including, but not limited to, policies, controls, monitoring methods, recovery techniques, training and awareness.
Personal data shall be protected against unauthorized access using appropriate organizational, operational and technical measures. BLC will perform regular controls to ensure the effectiveness of these measures.
PROCESSING PERSONAL DATA
Personal data may or will be collected, stored, used, processed, transferred or disclosed in or outside Lebanon for the following purposes:
- To perform contractual agreements with customers, suppliers and employees.
- To manage the business relationship with the customers & suppliers.
- To conduct marketing research and surveys that aim to improve BLC products and services.
- To perform internal audit and compliance control.
- To fulfill examiners’ demands in the course of external audit missions carried out at the Bank.
- To prevent, detect, investigate and prosecute crimes, including without limitation money laundering, terrorism financing, fraud and other financial crime, and to perform identity verification, government sanctions screening and due diligence checks.
- To comply with local & applicable foreign laws, rules, regulations, decisions, judgments or court orders.
- To comply with agreements between BLC and any public authorities.
- To comply with BLC Bank policies and Code of Conduct.
- To monitor and record calls and electronic communications with data subjects for quality, training, investigation, complaints and crime/fraud prevention.
- To defend BLC Bank’s rights, including participation in potential or actual litigation, arbitration or other legal process.
- To seek professional advice, including legal advice in connection with any legal proceedings.
- Other purposes for which the data subject has given his or her express consent.
PROCESSING SENSITIVE DATA
BLC will only process sensitive personal data where it is strictly necessary for a specific purpose. BLC will take special care when processing sensitive personal data because it represents a greater intrusion into individual privacy than the processing of non-sensitive data, in particular in ensuring the necessity of the Processing and the security of the Sensitive Personal Data. Access to a data subject’s personal Data is limited to authorized persons whose status, duties and responsibilities specifically require or justify access to such data.
REPORTING A PERSONAL DATA BREACH
BLC shall put in place a procedure to be followed by all employees to deal with any suspected personal data breaches. Any suspected breach will be reported immediately to the DPO for further investigation and conclusion. A log of personal data breaches will be maintained and submitted periodically to Senior Management.
DISCLOSURE AND TRANSFER OF DATA
BLC may disclose and/or transfer a data subject’s Personal Data both inside and outside Lebanon for the purposes highlighted in this policy and allowed or required by applicable laws and regulations to the following:
- FRANSABANK “Mother Company”
- Third parties to whom BLC is required to transfer data under the obligations of national Law and regulations, such as: BDL, BCC, CMA, SIC & MOF.
- Third parties to whom BLC is required to transfer data under the obligations of International treaties and/or binding agreements.
- Banks, agents, Financial Institutions, contractors or service providers that deal with BLC under the duty to keep the personal data confidential.
- Credit related companies or agencies which have dealings with BLC.
- Third parties involved in or in connection with potential or actual litigation, arbitration or other legal process with BLC.
BLC will take reasonable steps to ensure that third parties who receive personal data of a data subject treat the personal data in confidence and in accordance with data protection law and regulations. BLC will not transfer data of the data subject to any third party to be used for direct marketing purposes without obtaining the prior consent of the data subject.
DATA SUBJECTS’ RIGHTS AND REQUESTS
Data subjects have rights when it comes to how BLC handles their personal data. These include rights to:
- Withdraw consent to processing personal data based on the Bank’s internal procedure.
- Request access to their personal data.
- Prevent the use of their personal data for direct marketing purposes.
- Ask the Bank to erase personal data if and when it is no longer necessary. However, BLC may deny an individual’s request if the request constitutes an abuse of rights or entails the deletion of data required by national Law or regulations.
- Rectify or complete personal data.
- Be notified of any personal data breach.
- File a complaint with the appropriate Legal authority.
- Receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.
THIRD PARTY AGREEMENTS
BLC must impose direct compliance obligations on data processors by including specific contractual requirements in any agreement with the data processor. BLC will consider the following requirements when dealing with a third party:
- To process personal data based on documented instructions from BLC Management.
- To have appropriate technical and organizational measures to ensure an appropriate level of security.
- To delete or return all the personal data, at the sole discretion of BLC, at the end of the service provided.
- To delete any existing soft or hard copies of the personal data unless retention is required by national Laws & regulations.
- To avoid involving another processor without the prior authorization of BLC Management.
ROLES & RESPONSIBILITIES
- Promote & maintain a culture that respects customer privacy & personal data across BLC & related entities.
- Review & approve the Data Protection Policy.
- Oversee the level of readiness of the Bank for compliance with data protection requirements.
- Promote and enforce high standards of data protection.
- Ensure that Data Protection Policy is properly and timely implemented.
- Ensure that management and employees are aware of, understand and adhere to data protection standards.
- React promptly and effectively to compliance issues that arise whenever a data protection breach is detected or suspected.
- Data Protection Officer – DPO
The Head of Compliance is appointed as DPO who shall be entrusted with the duty to perform the following tasks:
- Develop and update the Data Protection Compliance Program and ensure its proper implementation.
- Provide advice where requested on data protection obligations.
- Monitor compliance with data protection law and regulations.
- Raise awareness on data protection requirements.
- Ensure coordination between the supervisory authorities and BLC Bank.
- Act as a contact point for data subjects and the supervisory authority.
- Submit periodic reports to BOD Compliance & AML/CFT Committee & Senior Management.
- Coordinate with the Organization Department to align existing and new procedures with data protection regulations.
- Group / Department Heads
- Ensure that all staff working under their responsibility adhere to the instructions reflected in this policy.
- Ensure incorporation of data protection requirements & best practices into business processes.
- Information Security Department
- Develop and maintain an information and cyber security program including policies, procedures, controls, as well as awareness activities to ensure data protection commensurate with the level of acceptable risk as established by the Bank’s General Management.
- Address cyber security incidents and ensure that appropriate actions are taken to prevent recurrence.
- Report cyber security incidents involving personal data breaches to the DPO.
- Amend BLC existing contracts, agreements and terms & conditions to include all data protection requirements.
- Make sure that contracts, agreements, legal forms are aligned with data protection requirements.
- Assist the DPO in the proper handling of conflictual situations arising from a data breach.
- Perform regular compliance audits to determine the level of compliance of Business & control functions with data protection requirements.
- Inform the DPO about identified potential compliance weaknesses.
- Submit periodic reports to BOD Audit Committee & Senior Management on the effectiveness of implemented security measures.