
Personal Data Protection Policy

1 - Preamble

The Attijariwafa Bank Group (referred to below as “the Group”) attaches great importance to the protection of your personal data. This is why the Group has adopted robust principles regarding data protection. 

The purpose of this Personal Data Protection Policy is to provide you with clear information regarding the way in which the Group processes and protects the personal data of those concerned, which includes any natural person (employee, customer, prospect, website user, shareholder/representative of legal entities, etc.) whose personal data is collected by the Group. It informs data subjects about the reasons for which their data is used or potentially shared as well as the retention period for that data. In addition, it specifies the rights of individuals along with how to exercise those rights. 

The Group ensures that the personal data collected is processed fairly, lawfully and with complete transparency. Each of the Group’s entities has made this notice accessible on its website. It is updated regularly and compliance with its provisions is monitored. Information relating to the protection of personal data specific to the various products and/or services offered by the Group clarifies and supplements this policy across the various media in use. 

The Group is committed to compliance with the regulations in force regarding the processing of personal data and in particular Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016 (General Data Protection Regulation) as well as any applicable national regulations. 

2 - Organization of personal data management at the Attijariwafa bank Group 

A Data Protection Office has been set up within the Attijariwafa Bank Group in order to cover all regulatory requirements. This entity is led by a Data Protection Officer (DPO). A similar organization has been implemented and adapted for the Group's subsidiaries according to their size, their activities and their risk profiles. 

3 - Classification of personal data processed by the Attijariwafa bank Group

Personal data includes any information related to an identified or identifiable natural person.   

The Group respects the principle of data minimization, namely that only personal data that is adequate, relevant and limited to what is strictly necessary to achieve the objective for which it was collected is processed. As part of this procedure, the Group also strives to keep your personal data accurate and up to date. 

  3.1 Direct collection of personal data

The Group mainly processes personal data that it collects directly from you, or that arises from the commercial relationship, such as:

  • Your identification data: first and last name, date and place of birth, photo, proof of identity, etc.;
  • Your contact data (private or professional): home address, email address, telephone number, etc.;
  • Your domestic data: marital status, number of children, household composition, etc.;
  • Your occupational data: employer, position, remuneration, level of education, etc.;
  • Your economic, financial and transactional data: transaction history, operations executed on your accounts, bank details, bank card number, assets and financial situation, etc.;
  • Your browsing data (websites or applications): data collected using online cookies;
  • Your data related to the habits and preferences of the people concerned: resulting from use of the products and services to which you’ve subscribed or your interactions with the Group;
  • Your data collected as part of exchanges with the Group or its various branches (contact reports) over the course of meetings, video conferences, calls, instant messaging discussions, emails, interviews, telephone conversations. 

As part of its activities, the Group may collect special categories of personal data (or “sensitive data”) such as health data, data related to religious beliefs or even biometric data only when this is strictly necessary, particularly as it relates to employee recruitment, inheritance management or the purchase of insurance policies.

Otherwise, the Group will never ask you to provide other sensitive data such as data related to racial or ethnic origin, political or philosophical opinions, union membership, your genetic data or data related to your sexuality or orientation, unless a legal obligation compels it to do so. 

   3.2 - Indirect collection of personal data

The Group may also be required to indirectly collect the personal data mentioned above from third parties (suppliers, partners, etc.), from sources accessible to the public (data from publications/databases made accessible by official authorities, data from websites/social networks containing information made public by the individual themselves, etc.) or from public administrations and authorities (tax administration, etc.). 

4 - Legal grounds for the use of personal data

In accordance with current regulations, all processing carried out by the Group in its role as data controller must be predicated on one of the following legal bases:

  • The execution of a contract to which the data subject is a party, or the execution of pre-contractual measures taken at the request of the data subject;
  • Compliance with legal and regulatory obligations to which the Group or one of its entities is subject;
  • Protection of the vital interests of the data subject, or of another natural person;
  • The execution of a task carried out in the public interest;
  • The legitimate interests pursued by the Group within the framework of respecting the interests, freedoms and fundamental rights of the data subject. 

   4.1 - Execution of a contract or pre-contractual measures

The Group carries out processing of your personal data for the conclusion and execution of contracts   such as:

  • Provision of pre-contractual information related to the Group's products and services;
  • Provision of products and services requested by data subjects;
  •  Management of contracts concluded with data subjects.  

   4.2 - Compliance with regulatory or legal obligations

As the Group is made up of entities with regulated professions, it is subject to compliance with specific legal and/or regulatory obligations aimed, for example, at:

  • Combating money laundering and terrorism financing;
  • Combating tax fraud;
  • Communicating personal data required for the maintenance of regulatory files (Central Check File, Central Bank Card Withdrawal File, Bank Account File, Endowment/Capitalisation Contract File and Life Insurance Policy File, etc.). 

   4.3 Protecting the data subject’s vital interests

When processing is necessary to protect a person's vital interests (for example, in the event of a medical emergency), the Group is authorized to process their personal data, even without their consent, in accordance with the regulations in force. 

   4.4 - Consent of the data subject 

As part of certain personal data processing activities, the Group will send you specific information so that you are able to consent to this processing. You may withdraw this consent at any time. For example, this could involve:   

  • Insurance services requiring the processing of your health data;
  • Commercial prospecting by electronic means (email and text messages) for individuals.     

   4.5 Legitimate interests of the Group

The Group and its entities process personal data on the basis of their legitimate interest in ensuring their development and the security of their services, such as:  

  •  Fraud prevention;   
  • Commercial prospecting by post or by telephone, for individuals and for any type of prospecting for legal entities;   
  •  Management of IT infrastructure and system security;   
  • Evaluation of customer satisfaction with the products and services offered by the Group. 

5 - Sharing personal data

For the purposes stated above, your personal data may be conveyed to the following recipients in particular:

  • To Attijariwafa bank Group companies;
  • To subcontractors, authorized representatives, brokers or other intermediaries, partners or service providers who render services on behalf of the Group;
  • To authorized administrative or judicial authorities or more generally to any authorized third party (lawyers, auditors, etc.), in order to meet the legal or regulatory obligations to which the Group is subject. 

   5.1 - Sharing within the Group

As companies in the fields of Banking and Insurance, the Group’s entities work closely together, around the world, to create and distribute a wide range of insurance, financial and banking products and services. The personal data collected is shared within the Group for commercial purposes and to improve its efficiency as well as to control, monitor and manage risks, particularly on the basis of:

Compliance with legal and regulatory obligations, including:

  • Sharing of data collected for Know Your Customer (KYC) procedures;
  • Consolidated risk management;
  • Consolidated Internal Control Monitoring;
  • Combating money laundering and terrorism financing, compliance with international sanctions and embargoes; 
  • Compliance with reporting obligations.

Legitimate interests:

  • Fraud prevention;
  • Network and information systems security;
  • Leading development initiatives for commercial, communication and marketing purposes;
  • Gaining a comprehensive and coherent overview of the client portfolio and the Group's activities;
  • Development of the Group’s product lines and services in an appropriate manner;
  • Management, supervision and governance considerations within the Group.

   5.2 Sharing outside the Group 

In order to achieve some of the aims mentioned in this Policy, the Group may (non-systematically) share your personal data with:

  • Service providers who render services on behalf of the Group, for example IT, printing, telecommunications, collections, consultancy, distribution and marketing services;
  • Banking and commercial partners, independent representatives, intermediaries or brokers, financial institutions, counterparties and trade repositories with which the Group maintains links, if such transfer is necessary to provide you with services, products, fulfill the group's contractual obligations or carry out transactions (e.g. banks, correspondent banks, depositories, issuers of securities, paying agents, exchange platforms, insurance companies, payment system operators, payment card issuers or intermediaries, mutual guarantee companies or financial guarantee organizations)
  • Financial, fiscal, administrative, criminal, judicial, or local or foreign authorities, arbitrators or mediators, law enforcement authorities, government agencies or public bodies, to which the Group or any member of the Group is required to disclose data:
    • At their request;
    • In connection with the defense or response to a question, action or proceeding;
    • In order to comply with a regulation or recommendation emanating from a competent authority with regard to the Group or with respect to any member of the Group.
  • Third party payment service providers (bank account information), for the purposes of providing a payment initiation service or account information upon consent of the data subject
  •  Certain regulated professions such as lawyers, notaries, rating agencies or auditors, when specific circumstances require it (litigation, audit, etc.), as well as to any current or potential buyer of companies or activities affiliated with the Group or its insurers. 

6 - International transfers of personal data

The Group may transfer your personal data internationally. In this case, your personal data is communicated for the strict purposes of carrying out the Group’s services.      

 In the event of an international transfer of your personal data, the Group implements the appropriate measures available, with regard to current regulations, to ensure the supervision and security of these transfers. 

7 - Retention of personal data

Attijariwafa bank retains your personal data for the period necessary to comply with applicable laws and regulations, or for a period defined with regard to its operational constraints, such as bookkeeping, effective customer relationship management as well as to assert legal rights or respond to requests from regulatory bodies.

These retention periods are specified in the information documents given to the data subjects and can be obtained by submitting a request to the Data Protection Officer (DPO). 

8 - Securing personal data

In accordance with current regulations, the Group implements appropriate technical and organizational measures to guarantee a level of security which is suitable and proportionate to the risk. These measures aim to ensure the confidentiality, integrity, availability and resilience of personal data.

The Group implements all necessary measures to restore the availability of data and allow the data subjects access within appropriate time frames in the event of a physical or technical incident. In order to do so, the Group regularly carries out assessments of its security levels. These assessments take into account the risks of destruction, loss and alteration as well as unauthorized access to and disclosure of personal data.

The Group requires each recipient of personal data to respect appropriate security and confidentiality guarantees. 

The Group, as data controller, reports personal data breaches to the competent supervisory authority at the earliest opportunity and, when possible, seventy-two (72) hours after becoming aware of any personal data breach likely to create a threat to your rights and freedoms.   

Any violation of your personal data likely to create a threat to your rights and freedoms will be reported to you as soon as possible in accordance with current regulations. 

9 - Exercise of data subjects’ rights

In accordance with the applicable legislation, you have the ability to exercise your rights with all Group entities which process your data.

These rights are as follows:

  • Right of Access: you can obtain information regarding the processing of your personal data (as well as a copy of it) at any time;
  • Right of rectification: in the event that you believe that your personal data is inaccurate or incomplete, you can request that it be amended accordingly;
  •  Right to erasure: you can request the deletion of your personal data, to the extent permitted by law;
  • Right to restriction of processing: You can request restriction of the processing of your personal data; 
  • Right to object: You can object to the processing of your personal data for reasons relating to your specific situation. You also have the absolute right to object at any time to your data being used for commercial prospecting purposes, or for profiling purposes, if this profiling is linked to commercial prospecting;
  • You have the right to set guidelines relating to the retention, erasure or communication of your personal data, applicable after your death;
  • Right to withdraw your consent: if you have given your consent to the processing of your personal data, you can withdraw it at any time;
  • Right to data portability: where permitted by law, you may request the return of the personal data you have provided or, where technically possible, the transfer thereof to a third party.

If you wish to exercise any of the rights mentioned above, you can send your request as follows:

  • Specify your request using the rights exercise form then send it to the following address: Data Protection Office, Attijariwafa bank, 2, Boulevard Moulay Youssef, Casablanca, 20250, Maroc
  • You may also send the same form by email to the Attijariwafa bank Group Data Protection Officer at the following address: [email protected]

In the event of non-response from Attijariwafa bank within the regulatory deadlines following the  exercise of a right, you can contact the supervisory authority in order to lodge a complaint.    
