Preamble
This privacy policy (the “Policy”) describes how Bedrock Financial Bank (BFB) (hereinafter the “Bank”, “we” or “our”) collects, uses, retains and protects the personal data of clients, prospects, beneficial owners, attorneys-in-fact, legal representatives, guarantors, visitors of our websites and applications, and more generally any natural person entering into a relationship with the Bank (hereinafter the “Data Subjects”).
The Bank carries out a regulated activity and is subject to a dense set of legal and prudential obligations, in particular regarding client identification (KYC), anti-money laundering and counter-terrorism financing (AML/CFT), fraud prevention, transaction monitoring, prudential and tax reporting, and information security. The processing of personal data is therefore inherent to the conduct of our activity.
The Bank undertakes to process personal data fairly, transparently and securely, in strict compliance with the applicable regulations, the principal ones of which are listed below.
The Bank has chosen a unified approach consisting in applying, to all of its Data Subjects and irrespective of their jurisdiction of residence, the strictest standard of protection among the regulations listed in this Policy. This choice ensures consistent, predictable and auditable processing of personal data and removes the need for the Bank to operationally distinguish between clients based on their governing law. The jurisdictional annexes therefore only set out additional details (competent supervisory authority, local remedies) and shall in no case lower the level of protection thus guaranteed.
1. Scope and applicable regulations
This Policy applies to all processing of personal data carried out by the Bank in the course of its activities, whether performed from its head office, its branches or by service providers acting on its behalf.
The Bank operates in several jurisdictions and applies, where relevant, the corresponding legal framework. The table below summarises the principal regulations to which we are subject:
| Jurisdiction | Main text(s) | Supervisory authority |
|---|---|---|
| European Union / EEA | Regulation (EU) 2016/679 (GDPR); national implementing legislation; PSD2; anti-money laundering directives (AMLD); DORA Regulation | European Data Protection Board (EDPB) and national supervisory authorities |
| United Kingdom | UK GDPR; Data Protection Act 2018; Money Laundering Regulations 2017 | Information Commissioner’s Office (ICO) |
| Switzerland | Federal Act on Data Protection (nFADP); FADP Ordinance; Banking Act (Article 47) | Federal Data Protection and Information Commissioner (FDPIC) |
| United States (federal) | Gramm-Leach-Bliley Act (GLBA) and Safeguards Rule; Bank Secrecy Act; Fair Credit Reporting Act | FTC, OCC, Federal Reserve, FDIC, CFPB, FFIEC |
| United States (states) | California Consumer Privacy Act / CPRA; equivalent state laws (VA, CO, CT, UT, etc.) | California Privacy Protection Agency; State Attorneys General |
| Canada | Personal Information Protection and Electronic Documents Act (PIPEDA); Quebec Law 25 | Office of the Privacy Commissioner of Canada; Commission d’accès à l’information du Québec |
| Singapore | Personal Data Protection Act (PDPA); MAS Notice 655 / 626 on cyber hygiene; Banking Act Section 47 | Personal Data Protection Commission (PDPC); Monetary Authority of Singapore (MAS) |
| United Arab Emirates | UAE Federal PDPL (Law No. 45/2021); DIFC Data Protection Law 2020; ADGM Data Protection Regulations 2021 | UAE Data Office; DIFC Commissioner of Data Protection; ADGM Office of Data Protection |
| Brazil | Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018) | Autoridade Nacional de Proteção de Dados (ANPD) |
| Hong Kong | Personal Data (Privacy) Ordinance (PDPO, Cap. 486) | Privacy Commissioner for Personal Data (PCPD) |
| Australia | Privacy Act 1988 and Australian Privacy Principles; CPS 234 (APRA) | Office of the Australian Information Commissioner (OAIC) |
The jurisdictional annexes at the end of this document set out the additional or specific rights to which you are entitled depending on your place of residence.
2. Unified approach — Application of the strictest standard of protection
For reasons of operational consistency, legal predictability and effective protection of Data Subjects, the Bank has chosen a unified policy. It is materially impossible, and operationally risky, for the Bank to tailor its internal processes — collection, retention, rights, security, transfers — based on the jurisdiction of attachment of each individual client. The Bank therefore applies, by default and to all of its Data Subjects, the most demanding level of protection deriving from the regulations listed in section 1.
2.1. Guiding principles adopted as a common baseline
In practice, the Bank uniformly applies the following principles, which correspond to the strictest requirements identified:
- Legal bases and purposes in line with the GDPR (Regulation (EU) 2016/679), considered to be the most demanding standard with regard to lawfulness, fairness, data minimisation and purpose limitation.
- Prior, clear and complete information to Data Subjects in accordance with Articles 12 to 14 GDPR, irrespective of any less stringent local requirement.
- Data Subjects’ rights aligned upwards: all rights provided for by the GDPR, the UK GDPR, the Swiss nFADP, Quebec Law 25, the Brazilian LGPD and the CCPA/CPRA are made available to every Data Subject, subject only to limitations imposed by law (in particular AML/CFT and banking secrecy).
- Prior, free, specific, informed and unambiguous consent for marketing and non-strictly-necessary cookies, including in jurisdictions allowing an opt-out regime (e.g. GLBA in the United States or the Australian Privacy Act) — the Bank waives reliance on the less protective regime.
- Personal data breach notification within 72 hours to the competent supervisory authority, and information to Data Subjects without undue delay where there is a high risk, in accordance with Articles 33 and 34 GDPR, regardless of any longer local deadline.
- Framing of all international transfers by the most robust safeguards available (European standard contractual clauses, UK IDTA addendum, BCR, transfer impact assessments), even where the jurisdiction of origin of the data would not require such framing.
- Data retention limited to the shortest period compatible with applicable legal obligations, where competing periods are conceivable.
- Information security aligned with the most demanding prudential standards (DORA, EBA Guidelines, MAS TRM, FFIEC, CPS 234) applied transversally to all of the Bank’s activities.
2.2. Articulation with the jurisdictional annexes
The jurisdictional annexes at the end of this document do not aim to reduce the level of protection enshrined in the general part. Their sole purpose is:
- to identify the competent supervisory authority and the remedies specific to each jurisdiction;
- to mention, where applicable, local rights or mechanisms that supplement the rights already enshrined in the common baseline (for example: post-mortem directives in France, expanded portability rights in California, right to be forgotten as recognised by European case law).
In the event of an apparent inconsistency between the general part and an annex, the Bank shall systematically apply the provision most favourable to the Data Subject.
2.3. Limits of the unified approach
The application of the strictest standard cannot lead the Bank to breach a mandatory local obligation (in particular as regards mandatory minimum retention, communication to public authorities, banking secrecy or international sanctions). Where local regulation imposes a requirement that is stricter than the common baseline, that local requirement applies. The principle remains: the protection actually applied shall, in any event, be at least equal to the strictest of the standards involved.
3. Controller and Data Protection Officer
3.1. Controller
The controller of the personal data is:
Mr Thierry BRACKENIERS, Chief Executive Officer of Bedrock Financial Bank (BFB), info@bfb.bi
3.2. Data Protection Officer (DPO)
In accordance with applicable requirements, the Bank has appointed a Data Protection Officer whose role is to ensure compliance with this Policy and the applicable regulations and to act as the point of contact for Data Subjects and supervisory authorities.
DPO contact details: dpo@bfb.bi
The DPO is appointed in accordance with the strictest requirements, namely those of Articles 37 to 39 GDPR, even where certain jurisdictions to which the Bank is subject would not formally require such appointment. The DPO benefits from the functional independence and absence of conflicts of interest required by those provisions and is competent for all Data Subjects, irrespective of their jurisdiction of attachment.
3.3. Local representatives
Where local regulation so requires (in particular under the GDPR for controllers not established in the European Union, or under Canadian and Swiss laws for transfers outside the relevant jurisdiction), the Bank has designated local representatives or correspondents whose contact details are set out in the jurisdictional annexes.
4. Categories of data collected
The Bank collects only the data strictly necessary to provide its services and to comply with its legal and prudential obligations. The following categories of data may be processed:
4.1. Identification data
- Surname, first names, name in use, aliases and former names
- Date and place of birth, nationality(ies) and country(ies) of tax residence
- Number and copy of an official identity document (passport, identity card, residence permit)
- Tax identification number (TIN), social security number, national identification number, depending on jurisdiction
- Facial image and biometric data linked to remote identity verification, where such process is used
4.2. Contact data
- Postal address, billing address, previous addresses
- Landline and mobile telephone numbers
- Email addresses
4.3. Personal, family and professional situation
- Marital status, matrimonial regime, household composition, status as a politically exposed person (PEP)
- Profession, employer, professional status, declared income, assets and source of funds
- Where applicable, capacity as beneficial owner, attorney-in-fact, legal representative, guarantor or business-related person
4.4. Economic, financial and banking data
- Account numbers, IBANs, balances, transactions and transaction history
- Means of payment, financial instruments held, orders and instructions
- Credit commitments, security interests, internal scoring and data used for risk assessment
- Payment incidents, data from negative files and external databases (credit registers, PEP files, sanctions lists)
4.5. KYC, AML/CFT and compliance data
As part of our obligations regarding know-your-customer (KYC), anti-money laundering and counter-terrorism financing (AML/CFT), compliance with international sanctions and prevention of tax fraud, we process data such as:
- Supporting documents evidencing identity, address, profession and source of funds
- Results of screening checks (sanctions, embargoes, PEPs, watchlists)
- AML/CFT risk profile and history of suspicious transaction reports filed with the competent financial intelligence units
- Data exchanged with tax authorities (FATCA, CRS, DAC)
4.6. Connection, technical and browsing data
- IP address, session identifiers, device identifiers, browser and operating system type
- Connection logs to the client area, mobile application and online banking services
- Approximate geolocation data linked to transaction security
- Cookies and trackers (see Cookies Policy)
4.7. Data from recordings
Telephone communications, electronic exchanges and in-branch interviews may be recorded for evidentiary purposes, security, service quality, training and compliance with regulatory obligations (in particular regarding investment services).
4.8. Data relating to minors
The Bank may process data relating to minors only in connection with products designed for them or in relation to an adult account holder. The relevant processing is carried out in accordance with the heightened requirements provided for by applicable regulations and with the consent of the legal representative where required.
4.9. Special categories of data
The Bank processes special categories of data (e.g. health data for insurance underwriting, biometric data for strong authentication) only with your explicit consent or on another authorised legal basis, and strictly to the extent necessary.
The regime for special categories (Article 9 GDPR) is applied uniformly to every Data Subject, including in jurisdictions which would adopt a narrower definition of sensitive data (for example, US state laws).
5. Purposes and legal bases of processing
Each processing operation relies on an identified legal basis. Where several regulations apply, the Bank retains the most appropriate legal basis for each jurisdiction, it being specified that compliance with legal and prudential obligations will prevail in most cases.
Pursuant to the unified approach set out in section 2, the grid of legal bases below is modelled on Article 6 (and, where applicable, Article 9) GDPR, considered to be the most demanding standard. For Data Subjects residing in a jurisdiction allowing a less protective regime (for example, opt-out marketing under the US GLBA), the Bank nonetheless applies the regime of prior explicit consent.
| Purpose | Description | Main legal basis |
|---|---|---|
| Onboarding and contract performance | Assessment of the application, account opening, provision of banking services, management of payment instruments, granting and monitoring of credit facilities | Performance of the contract or pre-contractual measures; consent where applicable |
| KYC / AML/CFT / sanctions compliance | Identification, verification, risk profiling, screening, transaction monitoring, reporting to competent authorities | Legal obligation; public interest in financial crime prevention |
| Prudential and tax reporting | FATCA, CRS, DAC, regulatory reporting, exchanges with tax authorities | Legal obligation |
| Fraud prevention and detection | Transaction monitoring, anti-fraud scoring, blocking of suspicious transactions | Legitimate interest; legal obligation |
| Security of systems and premises | Logging, video surveillance, strong authentication, incident management | Legitimate interest; legal obligation (DORA, MAS, APRA, etc., depending on jurisdiction) |
| Client relationship management | Service communications, complaints handling, mediation, archiving | Performance of the contract; legal obligation; legitimate interest |
| Marketing and prospecting | Sending of commercial offers, satisfaction surveys, marketing segmentation | Prior, free, specific, informed and unambiguous consent, applied uniformly to all Data Subjects (including US and AU residents, by waiver of any opt-out regime) |
| Profiling and automated decision-making | Credit scoring, fraud detection, personalisation of offers | Performance of the contract; legal obligation; explicit consent where required |
| Litigation and legal defence | Debt recovery, judicial proceedings, internal investigations | Legitimate interest; establishment, exercise or defence of legal claims |
Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of any processing carried out beforehand. The withdrawal of consent does not, however, release us from continuing to carry out processing operations imposed by law.
6. Recipients of the data and processors
Personal data is shared only with recipients authorised to receive it. Any disclosure is made under the seal of banking secrecy, confidentiality and security, and is subject to appropriate contractual undertakings.
6.1. Internal recipients
- Authorised staff of the Bank, strictly on a need-to-know basis
- Entities of the Bank’s group for centralised management purposes (risk, compliance, audit, IT, human resources)
6.2. External recipients
- Technical service providers (hosting, IT outsourcing, security, payments, electronic signature, identity verification)
- Correspondent banks, counterparties, financial intermediaries, custodians and clearing houses, in connection with the execution of transactions
- Insurance, financing and brokerage partners and other service providers involved in the supply of products
- External advisers (lawyers, notaries, accountants, statutory auditors, auditors)
- Trusted third parties and credit bureaux, centralised registers and databases authorised by law
6.3. Public authorities
- Prudential and financial supervisory authorities (ECB, ACPR, FSMA, FCA, MAS, CBUAE, FINMA, OSFI, etc., as applicable)
- Financial intelligence units (CTIF/CFI, TRACFIN, FIU, STRO, etc.)
- Tax and customs authorities, in connection with FATCA, CRS, DAC or equivalent obligations
- Judicial and police authorities, upon legally founded request
6.4. Processors
Where the Bank uses processors, they act strictly on its documented instructions and are bound by contractual obligations of confidentiality, security and data protection equivalent to those imposed on the Bank.
Every processing agreement is drafted on the basis of the requirements of Article 28 GDPR, considered to be the most demanding standard regarding the framing of processors, and is applied uniformly to all service providers acting on behalf of the Bank.
7. International data transfers
The Bank’s international activity may require transfers of personal data to third countries, in particular in connection with cross-border transactions, the use of international technology providers, or centralised group management.
Any international transfer is framed, irrespective of the data’s jurisdiction of origin, by the strictest safeguards available, such as:
- Adequacy decisions issued by the competent authorities (European Commission as a priority, United Kingdom, Switzerland, Canada, etc.);
- European Commission Standard Contractual Clauses (SCC) — used as a baseline for any transfer outside the EU/EEA, supplemented where appropriate by the UK IDTA addendum or the ANPD standard clauses;
- Binding Corporate Rules (BCR) where the group has adopted them;
- Transfer Impact Assessments systematically conducted before any flow to a third country, including for Data Subjects whose jurisdiction of origin would not formally require such assessment;
- Additional technical (encryption, pseudonymisation), contractual and organisational measures where the assessment so requires.
A more detailed description of the applicable safeguards and the list of the principal recipient countries can be obtained from the DPO at dpo@bfb.bi.
8. Retention periods
Personal data is retained for the period strictly necessary for the purposes for which it is processed and to comply with applicable legal obligations. Once the active use period has elapsed, data is, as the case may be, archived with restricted access, and then deleted or anonymised.
Where several retention periods are admissible, the Bank applies the shortest period compatible with its regulatory obligations. The indicative periods set out below reflect this principle.
| Data category / purpose | Indicative retention period |
|---|---|
| KYC data and supporting identification documents | 5 years from the end of the business relationship (EU/AMLD), extendable to 10 years depending on jurisdiction and the nature of the transactions |
| Documents and data relating to banking transactions | Duration of the contractual relationship, then 5 to 10 years depending on jurisdiction and accounting obligations |
| Suspicious activity reports and related documents | Period set by the applicable AML/CFT regulation, generally 5 to 10 years from the date of the report |
| Telephone recordings relating to investment services | 5 years, extendable to 7 years upon request of the competent authority |
| Connection data and technical logs | Period set by local regulation regarding cybersecurity, fraud and log retention (generally 6 months to 5 years) |
| Marketing data (clients) | 3 years from the end of the contractual relationship or until withdrawal of consent |
| Marketing data (prospects) | 3 years from the last contact or until withdrawal of consent |
| Litigation and pre-litigation data | Duration of the proceedings, then applicable limitation period |
9. Your rights
Depending on the applicable jurisdiction, you are entitled to some or all of the following rights. The Bank responds to any request within the applicable legal time limits, subject to the limitations expressly provided for by law (in particular regarding professional secrecy, AML/CFT, ongoing judicial proceedings and the rights of third parties).
Pursuant to the unified approach, the Bank makes all of the rights below available to every Data Subject, irrespective of their jurisdiction of attachment, subject only to mandatory legal limitations. No right will be denied on the ground that the Data Subject’s jurisdiction of origin does not provide for it.
9.1. Common rights
- Right of access to your personal data and to obtain a copy
- Right to rectification of inaccurate or incomplete data
- Right to erasure, within the limits provided by law
- Right to restriction of processing
- Right to object to processing, in particular for direct marketing purposes
- Right to data portability, where the legal conditions are met
- Right not to be subject to a decision based solely on automated processing producing significant legal effects, except as legally permitted
- Right to define directives on the fate of your data after your death, in jurisdictions providing for such right
- Right to withdraw your consent at any time, where processing is based on consent
- Right to lodge a complaint with the competent supervisory authority
9.2. Limitations specific to the banking sector
The exercise of certain rights may be limited or deferred due to:
- Banking secrecy and professional secrecy applicable to the Bank
- Legal retention obligations, in particular regarding AML/CFT, taxation and accounting
- The legal prohibition on informing the Data Subject of the existence of a suspicious transaction report or an ongoing investigation (so-called tipping-off prohibition)
- The need to protect the rights and freedoms of other persons, in particular third parties referenced in the transactions
9.3. How to exercise your rights
Your requests can be addressed to the DPO in writing or by electronic means at the contact details set out in section 3.2. Identity verification may be required. The Bank will respond within the time limits provided by applicable regulation and, failing that, within one month, which may be extended in accordance with the law.
The one-month deadline (Article 12 GDPR) is applied uniformly, including in jurisdictions allowing a longer deadline, save for an extension justified by the complexity or number of requests.
To exercise your rights, contact the DPO at dpo@bfb.bi.
10. Security and confidentiality
The Bank is held to high information security standards arising both from data protection regulation and from prudential frameworks (DORA, EBA Guidelines, MAS TRM, FFIEC, CPS 234, etc.). Taking into account the sensitivity of the data processed and the state of the art, it implements appropriate technical and organisational measures, including:
- Encryption of data in transit and at rest
- Strong authentication (MFA) for sensitive accesses
- Segregation of environments and strict need-to-know based access management
- Logging and continuous monitoring of access and operations
- Business continuity and disaster recovery plans, with regular testing
- Continuous staff awareness and training
- Documented incident management procedure and notification to competent authorities and, where applicable, Data Subjects
In the event of a personal data breach likely to result in a risk to your rights, the Bank carries out the notifications required by law within the prescribed deadlines.
The strictest notification deadline — 72 hours from awareness of the breach, in accordance with Article 33 GDPR — is applied uniformly to all data breaches, regardless of the jurisdiction concerned.
12. Updates of the Policy
This Policy may be amended to reflect changes in our activity, in the techniques used or in applicable regulations. The date of the latest update appears at the top of this page. In the event of substantial amendment, you will be informed by an appropriate means (publication on our websites, notification in your client area, electronic or postal communication).
The version history is maintained by the Bank and may be communicated upon request.
13. Contact and remedies
For any question relating to this Policy or the exercise of your rights, you may contact the DPO at the contact details set out in section 3.2 or write to dpo@bfb.bi.
- Email: dpo@bfb.bi
- Address: Bedrock Financial Bank, 9 Chaussée du Peuple Murundi, Bujumbura — for the attention of the DPO
If, after contacting us, you consider that your rights have not been respected, you are entitled to lodge a complaint with the competent supervisory authority. The contact details of the authorities are set out in the jurisdictional annexes below.
Annexes — Jurisdictional specifics
The following annexes set out the additional or specific rules applicable to Data Subjects residing in or having a significant connection with the relevant jurisdictions. They supplement and, in case of conflict, prevail over the general part of this Policy for the jurisdiction concerned.
In accordance with section 2, these annexes shall in no case reduce the level of protection set out in the general part. The Bank shall systematically apply the provision most favourable to the Data Subject.
Annex A — European Union and European Economic Area (GDPR)
In addition to the general part, you benefit from the rights provided for by Regulation (EU) 2016/679 (GDPR), as set out in section 9. You are notably entitled to lodge a complaint with the supervisory authority of the Member State in which you reside, work or where you consider the breach to have occurred.
Annex B — United Kingdom (UK GDPR / DPA 2018)
If you reside in the United Kingdom, your rights are governed by the UK GDPR and the Data Protection Act 2018. Transfers from the United Kingdom are based on UK adequacy decisions, the UK International Data Transfer Agreement (IDTA) or the Addendum to the European Commission’s Standard Contractual Clauses.
Supervisory authority: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom — ico.org.uk.
Annex C — Switzerland (nFADP)
If you reside in Switzerland, the new Federal Act on Data Protection (nFADP), which entered into force on September 1, 2023, applies. Your rights include in particular the right of access, rectification, objection and data delivery or transmission. Swiss banking secrecy, criminally sanctioned under Article 47 of the Banking Act, applies in addition.
Supervisory authority: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern — edoeb.admin.ch.
Annex D — United States
In the United States, the Bank is subject to the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule, as well as to other applicable federal and state regulations. In accordance with GLBA, the Bank delivers a dedicated privacy notice (“GLBA Privacy Notice”) specifying the categories of nonpublic personal information (“NPI”) collected, the non-affiliated recipients to whom they may be disclosed and, where applicable, your right to opt out.
By way of exception to the opt-out regime allowed by GLBA, the Bank applies to US residents the regime of prior explicit consent (opt-in) for marketing purposes and for the sharing of data with non-affiliated third parties, in line with its unified approach.
California residents (CCPA / CPRA)
If you are a California resident, you benefit from the rights provided for by the California Consumer Privacy Act, as amended by the California Privacy Rights Act, subject to the exemption applicable to information covered by GLBA. These rights include in particular the right to know, the right to delete, the right to correct, the right to limit the use of sensitive information and the right not to be discriminated against in the exercise of these rights. The Bank does not “sell” your personal information within the meaning of CCPA/CPRA and does not “share” it for cross-context behavioural advertising purposes.
Equivalent rights exist in several other states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, etc.). The exercise procedures are identical to those described in section 9.3.
Annex E — Canada
At the federal level, the Bank is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). In Quebec, Law 25 modernising legislative provisions as regards the protection of personal information applies in addition. The Bank has appointed a person in charge of the protection of personal information and carries out the privacy impact assessments (PIA) required before any transfer outside Quebec.
Supervisory authorities: Office of the Privacy Commissioner of Canada (priv.gc.ca); Commission d’accès à l’information du Québec (cai.gouv.qc.ca).
Annex F — Singapore (PDPA)
In Singapore, the Bank is subject to the Personal Data Protection Act (PDPA), the guidelines of the Personal Data Protection Commission (PDPC) and the notices and guidelines of the Monetary Authority of Singapore (MAS), in particular Notice 655/626 on cyber hygiene and the Technology Risk Management Guidelines. Banking secrecy provided for by Section 47 of the Banking Act applies in addition and restricts the disclosure of client information.
Your rights include access, correction and withdrawal of consent, subject to legal exceptions.
Supervisory authority: PDPC (pdpc.gov.sg).
Annex G — United Arab Emirates
In the United Arab Emirates, the applicable framework depends on the place of incorporation: Federal Law No. 45/2021 (UAE PDPL) applies onshore; the DIFC Data Protection Law 2020 and the ADGM Data Protection Regulations 2021 govern the DIFC and ADGM zones respectively. The Bank applies the regime corresponding to the jurisdiction from which the relationship is managed.
Supervisory authorities: UAE Data Office; DIFC Commissioner of Data Protection; ADGM Office of Data Protection.
Annex H — Brazil (LGPD)
If you reside in Brazil, your rights are governed by the General Personal Data Protection Law (LGPD, Law No. 13,709/2018). You are entitled in particular to access, correction, anonymisation, blocking or deletion, portability, information about recipients and withdrawal of consent. The Bank has appointed an Encarregado whose contact details are set out in section 3.2.
Supervisory authority: Autoridade Nacional de Proteção de Dados (gov.br/anpd).
Annex I — Hong Kong (PDPO)
If you reside in Hong Kong, your data is processed in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) and the data protection principles set out therein. Banking secrecy provided for by the Banking Ordinance applies in addition.
Supervisory authority: Office of the Privacy Commissioner for Personal Data (pcpd.org.hk).
Annex J — Australia (Privacy Act)
If you reside in Australia, the Privacy Act 1988 and the Australian Privacy Principles (APP) apply. The Bank also complies with the APRA prudential standard CPS 234 and, where applicable, the Consumer Data Right (CDR) regime.
Supervisory authority: Office of the Australian Information Commissioner (oaic.gov.au).