Data Protection Notice



The protection of your personal data is at the heart of our concerns.


The purpose of this Notice is to inform you about the personal data we collect about you, why we use and share it, how long we keep it, what your rights are (in terms of control and management of your data) and how you can exercise them. Our personal data processing activities are subject to the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and/or any other applicable data protection legislation,


As part of its activities, which include capital markets and securities services, we assist all of its corporate and institutional investor clients in their record-keeping and general meeting activities.


As such, UPTEVIA is required to process your personal data either as Data Controller (within the meaning of Article 4 of the GDPR) as described in paragraph 3 below “Why and on what legal basis do we use your personal data?”), or as a Processor on behalf of its customers.



You are affected by this notice, if you are (“You”):

  • An employee, consultant, contractor contractor, legal representative or beneficial owner:

 an Issuing customer;

 a potential customer;

 a customer or counterparty of our customers; or

 counterparty;

  • A shareholder or investor of our clients, in particular issuers of securities;
  • A social media user.

In certain circumstances, we collect information about you even if we do not have a direct relationship with you. This may be the case, for example, for shareholders or investors in our relationships with our clients or counterparties. When you provide us with personal data relating to other people, do not forget to inform them of the communication of their data and invite them to read this Notice, which provides them with useful information about their rights. We will take care to do the same whenever we can (i.e. when we have people’s contact details).




In accordance with applicable data protection legislation, you have rights that allow you to exercise meaningful control over your personal data and how we use it.


2.1. How to contact us?

If you wish to exercise the rights summarised below or if you have any questions about our use of your personal data under this Notice, please contact us at

Depending on our role regarding the processing of your personal data (“Data Controller”, “Processor”), we will respond directly to all your requests within the deadlines provided for by the regulations or will forward all your requests to our customers acting as Data Controller.

2.2. You can request access to your personal data

Upon request, when we act as Data Controller, we will provide you with a copy of your personal data as soon as possible, together with information relating to its use.

Your right of access to your personal data may, in certain cases, be limited by applicable law and/or regulations. For example, anti-money laundering and combating the financing of terrorism regulations prohibit us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access to the CNIL (whose contact details appear in §2.11), which may ask us to provide it with the data concerned.

2.3. You can request the rectification of your personal data

If you consider that your personal data is inaccurate or incomplete, you may request that it be amended or supplemented. In some cases, you may be asked for a supporting document.

2.4. You can request the erasure of your personal data

If you wish, you can request the deletion of your personal data to the extent permitted by law.

2.5. You can object to the processing of your personal data based on legitimate interest

If you do not agree to processing based on legitimate interest, you may object to it, on grounds relating to your particular situation, indicating precisely the processing concerned and the reasons. We will no longer process your personal data unless there are compelling legitimate grounds for processing them or these are necessary for the establishment, exercise or defence of legal claims.

2.6. You can object to the processing of your personal data for commercial prospecting purposes

You have the right to object at any time to the processing of your personal data for commercial prospecting purposes, including profiling to the extent that it is related to such direct marketing.

2.7. You can suspend the use of your personal data

If you dispute the accuracy of the data we use or object to your data being processed, we will verify or review your request. During the period of study of your request, you have the possibility to ask us to suspend the use of your data.

2.8. You have rights in the face of an automated decision

As a matter of principle, you have the right not to be subject to a fully automated decision based on profiling or not that has a legal effect or significantly affects you. We may, however, automate this type of decision if it is necessary for the conclusion/performance of a contract concluded with us, permitted by regulation or if you have given your consent.

In any case, you have the opportunity to challenge the decision, express your point of view and request the intervention of a human being who can review the decision.


2.9. You may withdraw your consent

If you have given your consent to the processing of your personal data you can withdraw this consent at any time.


2.10. You can request the portability of part of your personal data


You may request to retrieve a copy of the personal data you have provided to us in a structured, commonly used and machine-readable format. Where technically feasible, you may request that we pass this copy on to a third party.


2.11. You can file a complaint with the Personal Data Protection Authority


In addition to the rights mentioned above, you can file a complaint with the Commission nationale de l’informatique et des libertés (CNIL) at the following address:


3 Place de Fontenoy

TSA 80715

75334 PARIS CEDEX 07

Tel: +33 (0)153732222





The purpose of this section is to explain why we process your personal data and on what legal basis we rely to justify it.


3.1 Your personal data is processed to comply with our various legal obligations


Your personal data is processed where this is necessary to enable us to comply with the regulations to which we are subject, including banking and financial regulations.


3.1.1 We use your personal data to:


  • Monitor operations and transactions to manage, prevent and detect fraud;


  • Monitor and report on risks (financial, credit, legal, compliance, reputational, operational, etc.) that we may face;


  • Record, in accordance with the Markets in Financial Instruments Regulation (MiFID 2), the Market Abuse Regulation, communications in any form (including telephone conversations, e-mails, instant messaging discussions), in relation at least to transactions concluded in the context of proprietary trading and the provision of services relating to orders, in particular their receipt, transmission, execution and recording;


  • Disclose, in accordance with the Shareholder Rights Directive (SRD 2), your personal data to issuers, including information allowing your identification as a shareholder, your proxy votes and your register number;


  • Assist in the fight against tax evasion and meet our tax notification and audit obligations, including under the U.S. Foreign Account Tax Compliance Act (FATCA) and automatic exchange of information;


  • Fulfill our obligations regarding the reporting and registration of transactions with the competent authorities (tax, judicial, criminal, etc.);


  • Record transactions for accounting purposes;


  • Detect and prevent corruption;


  • Exchange and report various transactions or requests or respond to an official request from a duly authorized local or foreign judicial, criminal, administrative, tax or financial authority, arbitrator or mediator, law enforcement authorities, government bodies or public bodies.


3.1.2 We also process your personal data to combat money laundering and terrorist financing


We belong to a banking group that must have a robust anti-money laundering and combating the financing of terrorism (AML/CFT) system at the level of our entities, and managed at the central level, as well as a system to apply local, European or international sanctions decisions.

This may require the processing of your personal data primarily in the context of our Know Your Customer (KYC) process, to identify you, verify your identity, verify information about you against sanction lists, before and during the provision of our services.

In this context, we may be required to transmit some of your personal data to BNP Paribas SA.

The processing operations implemented to meet these legal obligations are detailed in Appendix A.


3.2 Your personal data is processed to perform a contract to which you are a party or pre-contractual measures taken at your request or for the purposes of setting up the services


Your personal data is used when it is necessary for the conclusion or performance of a contract to provide our customers with the products and services contracted in accordance with the applicable contract, including access to our digital services.


3.3 Your personal data is processed to meet our legitimate interest or that of a third party


Where we base processing on legitimate interest, we balance that interest with your interests or fundamental rights and freedoms to ensure that there is a fair balance between them. If you would like more information about the legitimate interest pursued by a processing, please contact us at the email address set out in paragraph 2.1 (How to contact us).


3.3.1 As part of our business, we use your personal data for the following legitimate purposes:


  • Manage your access to and use of our web communication channels and applications as part of our contractual and pre-contractual relationships with our customers, counterparts and/or service providers.


  • Communicate with you in connection with services provided to our clients and/or counterparties;


  • Manage our activities and social media presence (see details in section 5.1);


  • Manage the risks to which we are exposed:


  • we retain evidence and sometimes record transactions, transactions and communications when you interact with our employees (for example in our discussion forums, by email or during video conferences);


  • we monitor transactions to manage, prevent and detect fraud, and, if required by law, we compile a fraud list (which will include fraudsters);


  • We manage legal actions and defend our position in the event of a dispute.


  • Improve cybersecurity and data loss prevention measures, manage our platforms and websites, and ensure business continuity.


  • Monitor access to property and prevent bodily injury and harm to persons and property via video surveillance.


  • Monitor compliance with our internal policies and procedures. This may include monitoring voice, email and instant messaging (chat) communications when you interact with our employees.


  • Improve the automation and efficiency of our business processes and customer services (e.g. automatic filling of complaints, follow-up of your requests and improvement of your satisfaction based on data collected during our interactions with you such as phone records, emails or chats).


  • Comply with the provisions applicable to trust service providers issuing electronic signature certificates.


  • Perform our asset management services whenever you are an indirect beneficiary of those services, including for the following purposes:


o the creation and maintenance of your register of shareholders or investors;

o receiving, entering and processing voting instructions from your shareholders;

o the provision of tax services on your behalf (reduction of withholding taxes, tax recovery);

o the retention of your physical titles;

o managing your access to and use of our Internet communication channels and applications;


  • Conduct statistical studies and develop predictive and descriptive models to:


o security: to prevent potential incidents and improve safety management;

o compliance and risk management (such as anti-money laundering and countering the financing of terrorism);

o fight against fraud.



  • Cookies and browsing data


As part of our use of our digital services, we may use your browsing data for the continuous improvement of our tools and the realization of statistical studies, in accordance with our Cookie Policy.

Cookies are small text, image or software files that can be placed and/or read on your device when you access our Site and/or the Application. The term “device” includes computers, smartphones, tablets and any other device used to access the Internet.

As part of our business, we only use cookies called strictly necessary cookies.  These cookies are essential to allow the Site/Application to function properly. They may include, for example, cookies that collect session IDs and identification data, cookies that allow to customize the interface of a Site and/or an Application (for example, for the choice of the language or presentation of a service) or certain audience measurement cookies. This category also includes cookies that enable us to comply with our legal obligations, including ensuring a safe online environment (for example, detecting repeated login failures to prevent unauthorized persons from accessing your account).


3.4 Your personal data is processed if you have consented to it.


For certain personal data processing activities, we will provide you with specific information and ask for your consent. We remind you that you can refuse to give your consent or withdraw it at any time, if necessary.

In particular, we will ask for your consent to:


  • Manage newsletter subscriptions;
  • Manage events;

Further consents to the processing of your personal data may be requested from you where necessary.



We collect and use your personal data, i.e. any information that identifies you or, in conjunction with other information, which identifies you.

Depending in particular on the type of product or service we provide to you and the exchanges we have with you, we collect different types of personal data about you, including:


  • Identifying information (e.g. full name, identity (passport, driver’s license, etc.), nationality, place and date of birth, gender, photo);


  • Contact information (private or professional): postal address, email address, telephone number;


  • Family situation (e.g. marital status, number of children and age, etc.);


  • Economic, financial and tax information (e.g. tax ID, tax status, tax address, salary and other income, amount of wealth);


  • Education and employment information (e.g. level of education, employment, name of employer, remuneration);


  • Banking and financial information (e.g. bank details, products and services owned and used, credit card number, money transfers, assets, declared investor profile, credit history, payment incidents);


  • Transactional data (including but not limited to full names, addresses of beneficiaries and transaction details, including communications relating to bank transfers associated with the relevant transactions;


  • Data collected as part of your interactions with our services, appointment reports), browsing our websites, use of our applications, consultation of our pages or interactions on social networks;


  • Connection and tracking data such as cookies, connection to online services, IP address, collected during meetings, calls, instant messaging chats, emails, interviews, telephone conversations;


  • Login credentials used to log in to the Uptevia website and applications;


  • Video protection system data on our physical sites (including CCTV cameras);


  • Information about your device (technical characteristics and unique identification data).


We may collect sensitive data such as data relating to criminal offences, subject to the strict conditions set out in data protection regulations.

Please note that you are not required to provide the requested personal data. However, if you do not, we may not be able to provide you with our services.




We may collect personal data directly from you as a member of the staff of our customers, counterparties and their service providers in connection with our activities and services.


We sometimes collect data from public sources:


  • publications/databases made available by authorities or official third parties (e.g. the Official Journal of the French Republic, the Trade and Companies Register, databases managed by financial sector supervisory authorities);


  • websites/social media pages of legal entities or business clients containing information that you have made public (for example, your own website or page on a social network);


  • public information such as that published in the press.


We also collect personal data from:


 other entities of the BNP Paribas SA Group, CACEIS SA;

 from our business partners or our customers’ business partners;

 service providers (e.g. payment initiation service providers and account information service providers such as  account aggregators);

 credit reporting agencies and fraud prevention agencies.


5.1. Collection of personal data via social networks


Today, the use of social networks by companies is essential.


In order for us to be able to carry out our mission effectively, it is essential for us to be present on social networks, and this presence may result in the processing of some of your personal data.


In that way, as part of our legitimate interest for our marketing, communication, advertising and publication needs, as well as for crisis management and customer relationship management, we may collect the following personal data:


  • Your interactions with us on our social media pages and posts, including your latest reclamations and complaints;


  • Data from social media pages and posts containing information that you have made public.


More specifically, this personal data will be processed for the following purposes:


  • Crisis management (listening to social networks) and customer relationship management, which includes:


  • Crisis prevention: monitoring and analyzing social networks and the web using keywords to assess Uptevia’s reputation as well as to be informed of what is being said about specific topics in order to be able to communicate accordingly;


  • Crisis management: being able to analyze issues related to certain publications and act accordingly; respond to posts, posts or comments from social media users; detect and report fake accounts and posts; or investigate serious allegations or claims.


Marketing, communication, advertising and publications, including:


  • Data extraction to identify trending topics by collecting publicly available data on social networks;
  • Publication of articles;
  • Suggest posts based on your interests;
  • Segmentation of our prospects and customers and social network users according to their influence;
  • Optimize advertising/targeted marketing through segmentation of advertising/marketing recipients


In this context, we are required to use services provided by external service providers.



6.1. With the entities of the BNP Paribas and CACEIS Groups

As a subsidiary of the BNP Paribas and CACEIS groups, we work closely with our parent entities. Your personal data may thus be shared within the BNP Paribas and CACEIS Groups, when necessary, to:

  • comply with our various legal and regulatory obligations described above, in particular in terms of reporting;
  • fulfil our contractual obligations or serve our legitimate interests described above;
  • conduct statistical studies and develop predictive and descriptive models for business, security, compliance, risk management and anti-fraud purposes;

Data sharing with Group companies may extend to intra-group subcontractors who perform services on our behalf, in particular in India, Poland and Portugal.



6.2. With recipients, third parties to Uptevia and its subcontractors:

In order to achieve some of the purposes described in this Notice, we may, when necessary, share your personal data with subcontractors who perform services on our behalf (for example, IT, logistics, printing, telecommunications, collection, consulting, distribution and marketing services).

When we deem it necessary, we may also share your personal data with other data controllers, such as:


  • Banking and business partners, independent agents, intermediaries or brokers, financial institutions, counterparties, trade repositories with whom we have links if such a transfer is necessary to provide services or products to you or to meet our contractual or legal obligations or process transactions (e.g. banks, correspondent banks, custodians, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, payment card issuers or intermediaries, mutual guarantee companies or financial security institutions);


  • Regulators and/or independent agencies, local or foreign financial, tax, administrative, criminal or judicial authorities, arbitrators or mediator, public authorities or institutions or institutions (such as the Bank of France and other central banks), to whom we are required to disclose data:


  • at their request;
  • in connection with our defense, action or proceeding;
  • to comply with a regulation or recommendation from a competent authority that applies to us.


  • Service providers or third party payment service providers (information about your bank accounts), for the purposes of providing a payment initiation service or account information at your request;


  • Certain regulated professions such as lawyers, notaries, or auditors, in particular when specific circumstances so require (litigation, audit, etc.) as well as to our insurers or any current or potential buyer of Uptevia’s companies or activities.




In certain circumstances (e.g. to provide international services or for operational efficiency), your data may be transferred to another country. This includes transfers of personal data to BNP Paribas SA branches and subsidiaries located in Asia Pacific and the Americas.

In case of international transfers from:

  • the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place on the basis of a decision by the European Commission, where the latter has recognised that the country to which your data will be transferred ensures an adequate level of protection;
  • the United Kingdom to a third country, the transfer of your personal data may take place where the UK government has recognised that that third country provides an adequate level of protection for your data;
  • other countries for which international transfers are subject to limitations, we will implement appropriate safeguards to ensure the protection of your personal data.

For other transfers, we will implement an appropriate safeguard to ensure the protection of your personal data, namely:

  • Standard Contractual Clauses approved by the European Commission or the UK Government (as applicable); or
  • binding corporate rules.

In the absence of an adequate decision or an appropriate safeguard, we may rely on a derogation applicable to the particular situation (e.g. if the transfer is necessary for the exercise or defence of legal claims).

You can obtain further information about the scope of our international transfers by sending a written request to




We retain your personal data for the longer of the following periods:


  • the necessary period required by applicable law;


  • the duration defined with regard to our operational constraints, such as proper bookkeeping, effective customer relationship management, as well as to assert legal claims or respond to requests from authorities and regulators.


Telephone records are kept for 5 years from their collection.


Most of the personal data collected in respect of a customer is retained for the duration of the contractual relationship with that customer and for a specified number of years from the end of the relationship or in accordance with applicable law.


For further information about how long your personal data will be stored or the criteria used to determine this period, you can contact us at the address set out in paragraph 2.1 (How to contact us) above.




We regularly review this Notice and update it as necessary.

We invite you to read the latest version of this document online, and we will inform you of any significant changes through our website or via our usual communication channels.


Appendix A

Processing of personal data to combat money laundering and the financing of terrorism.

We belong to the BNP Paribas and CACEIS banking groups, which must have a robust anti-money laundering and combating the financing of terrorism (AML/CFT) system at entity level, managed at central level, an anti-corruption system, as well as a system allowing compliance with international sanctions (this concerns all economic or commercial sanctions, including all laws, regulations, restrictions, embargoes or asset freezes, decreed, governed, imposed or implemented by the French Republic, the European Union, the US Department of the Treasury’s Office of Foreign Asset Control, and any competent authority in the territory where we are established).

In the context of this processing, we act as Data Controllers.

For AML/CFT purposes and compliance with international sanctions, we implement the processing listed below to meet our legal obligations:

  • A Know Your Customer (KYC) device reasonably designed to identify, update and confirm the identity of our customers, including their beneficial owners and agents where applicable;
  • Enhanced identification and verification measures for high-risk clients, “PEPs” (PEPs are persons designated by regulation who, because of their functions or positions (political, jurisdictional or administrative) are more exposed to these risks) as well as high-risk situations;
  • Written policies and procedures, as well as controls reasonably designed to ensure that the Bank does not enter into or maintain a relationship with shell banks;
  • A policy, based on its assessment of risks and economic conditions, of generally not performing or engaging in any business activity or relationship, regardless of currency:
  • on behalf of, or for the benefit of, any person, entity or organization subject to Sanctions by the French Republic, the European Union, the United States, the United Nations, or, in some cases, other local sanctions in the territories in which the Group operates;
  • directly or indirectly involving territories under sanctions including Crimea/Sevastopol, Cuba, Iran, North Korea or Syria;
  • Involving financial institutions or territories that may be linked to, or controlled, by terrorist organizations, recognized as such by the competent authorities in France, within the European Union, the United States or the UN.


  • Screening our customer databases and transactions, reasonably designed to ensure compliance with applicable laws;
  • Systems and processes to detect suspicious transactions and report suspicious transactions to relevant authorities;
  • A compliance program reasonably designed to prevent and detect bribery and influence peddling in accordance with the Sapin II Act, the U.S FCPA, and the UK Bribery Act.

In this context, we are required to appeal to:

  • services provided by external service providers who maintain lists of Politically Exposed Persons (PEPs);


  • public information available in the press on facts related to money laundering, terrorist financing or corruption;


  • knowledge of a risky behavior or situation (existence of suspicious transaction reports or equivalent) that can be identified at Uptevia.

We carry out these checks when entering into a relationship, but also throughout the relationship we have with you, on yourself, but also on the transactions you carry out. At the end of the relationship and if you have been the subject of an alert, this information will be kept in order to identify you and adapt our control if you enter into a relationship with Uptevia again, or as part of a transaction to which you are a party.

To meet our legal obligations, we exchange information collected for AML/CFT purposes, the fight against corruption or the application of international sanctions between entities of the BNP Paribas SA Group and CACEIS. When your data is exchanged with countries outside the European Economic Area that do not have an adequate level of protection, the transfers are governed by the standard contractual clauses of the European Commission. When in order to comply with regulations in non-EU countries, additional data is collected and exchanged, this processing is necessary to enable the BNP Paribas and CACEIS Groups and their entities to comply with both their legal obligations and to avoid sanctions locally, which is our legitimate interest.

For the purpose of sharing data in the context of the fight against money laundering and the financing of terrorism, the entities of the BNP Paribas and CACEIS Groups have organized the sharing of personal data of natural persons related to legal entities that are clients of Uptevia. When exchanging data with another entity, we are jointly responsible for processing with that entity.