Personal data policy BPCE CAR LEASE


Groupe BPCE agrees to ensure that its use of personal data is in compliance with the EU’s General Data Protection Regulation (GPDR) and the French data protection act.

This information notice aims to provide you with detailed information with respect to how these companies:

BPCE CAR LEASE, a simplified joint-stock company with share capital of 5,184,440.00 euros and headquarters located at 8 Rue Vidailhan, 31130 Balma, registered in the Toulouse Trade and Companies Register under no. 977 150 309
BPCE PERSONAL CAR LEASE, a limited company with share capital of 8,000,000.00 euros and headquarters located at 7, promenade Germaine Sablon, 75013 Paris, registered in the Paris Trade and Companies Register under no. 440 330 876

use your personal data responsibly.

It explains how your data is obtained, why it is processed, with whom it may be shared and measures implemented to ensure confidentiality and security are also provided, as well as details of your rights and how to exercise them.

1. Some definitions
2. Who is this information notice for?
3. Who collects your personal data?
4. How do we obtain your personal data?
5. Who has access to your personal data?
6. Why do we process your personal data?
7. For how long is your personal data kept?
8. How do we ensure the safety and confidentiality of your data?
9. Where is your data stored?
10. Our prospection actions
11. Our profiling actions
12. Use of specific processing using specialist technologies
13. Your rights
14. How to exercise your rights?

1. Some definitions

When these terms are used, they mean:

• “Bank”: the banking institution with which you have established yourprimary banking relationship and which introduced you to BPCE CAR LEASE and/or BPCE PERSONAL CAR LEASE
• “Groupe”: the entities belonging to Groupe BPCE
• “We”: the entities of Groupe BPCE involved in the processing of your personal data as the person in charge of processing
• “You”: yourself or any physical person representing you (legal representative, proxy, contact, partner, spouse, etc.)
• “personal data” or “data of a personal nature”, or “data”: can include different sorts of data depending on the context. For example:

– data relative to your identity and/or your contract, such as last name, first name, date and place of birth, postal and email address, telephone number, number of identity documents, age, signature specimen;
– data relative to your family, professional and tax situation;
– identity and authentication data linked to your online services and your online payments
– videosurveillance footage from our premises.

2. Who is this information notice for?

This notice is to inform you as a physical person of the use of your personal data by BPCE CAR LEASE and BPCE PERSONAL CAR LEASE, whether you are acting as an individual in a private capacity or as part of your professional activity.
In particular, it concerns you if you are:

• A client (a tenant)
• A potential or prospective client;
• A physical person acting in whatever capacity in a relationship with a physical or legal person as a client, for example:

– A legal representative;
– A representative or authorized signatory;
– A guarantee provider;
– An authorized contact;
– A member;
– A client partner
– A tenant or sub-tenant;
– A guarantor with respect to any form of collateral or commitment to assume lease undertakings;
– A predisposed or effective beneficiary;
– An heir or beneficiary of a life insurance contract;
– A suppler or a seller;
– A provider of a service related to the lease.

3. Who compiles your personal data?


As part of its business relationship with its clients, BPCE CAR LEASE and BPCE PERSONAL CAR LEASE may need to collect certain personal data. In this respect, we act as party responsible for data processing.

As a commercial company, we are required to uphold certain confidentiality measures and can only share your data under strictly defined conditions or with your approval.

This same confidentiality principle applies to all of the parties involved, be they employees, our service providers, or our partners and their own employees.

Entities belonging to Groupe BPCE

To provide its services and offer you a varied range of products to meet your needs, BPCE CAR LEASE and BPCE PERSONAL CAR LEASE are not alone. They are part of a larger group of companies, Groupe BPCE, and conclude partnerships with companies, and/or economic interest groupings.

All of these companies contribute services which are provided to you or distributed by an intermediary of your Bankand ensure compliance with the same principles. To do so, they may be required to transfer or process your personal data.

Groupe BPCE includes numerous specialized companies. If you require additional information on companies belonging to Groupe BPCE and their different businesses:

Our other partners

The information applicable to the protection of personal data relative to a product subscribed to with one of our partners will usually be transmitted to you by said partner in their capacity as person in charge of personal data processing for the collection and processing of data carried out on their own behalf.

4. How do we obtain your personal data?

As part of our relationship, we collect and process certain personal data. This data can vary depending on the nature of the product or service subscribed to.

Personal data and information that you provide to us

We collect data directly from you that is strictly necessary for your identification, enabling us to contact you, as well as data regarding your family status, work, economic status, together with financial and banking data. This data may be directly collected during interviews with an adviser, using paper or electronic media.

You are informed on the document used to collect your data that your declarations are compulsory and the fact that, in certain cases, failure to respond to a request for information may affect the processing of your application.

When you use our products and services, we collect data about you, including data about your behavior, habits and preferences.

Personal data from third-parties or other service providers 

Your personal data may also come from third-party service providers or suppliers, partners or subcontractors, if their personal data protection policies allow this or if you have authorized them to share this data.

To enable the processing of your dossier or the management of services subscribed to, your Bank may transfer to BPCE CAR LEASE or BPCE PERSONAL CAR LEASE, data relative to your marital status, your family, assets and financial situation, etc.

In specific cases, we may have also collected personal data about you, even though we have not entered into direct relations. This may occur if your contact details have been communicated to us by one of our clients, if, for example, you are one of their legal representatives, a family member, a co-borrower or personal guarantor, or a proxy (holding a power of attorney).

Public personal data

We may also need to collect public personal data about you.

Public personal data are personal data produced or received by an administrative authority as part of its public service mission, published by the administrative authority or transferrable to any person that so requests.

We may use the public personal data or information when it is authorized by legal or regulatory provisions and in compliance with specific transmission and re-use rules covered in said provisions.

Exclusion of certain categories of personal data

Certain categories of personal data which related to racial or ethnical origin, political opinions, religious or philosophical convictions or relative to membership of union organizations, as well as genetic and biometric data to identify a unique physical person, personal information relative health or sex life or sexual orientation of a physical person. In principle, we do not collect such data.
Certain specific situations may, however, exist, notably:

• For the implementation of strong authentication systems enabling you to access online services, to make payments, or to provide an electronic signature, via the use of biometric recognition devices (voice recognition, facial recognition, fingerprints, etc.). The use of such data notably enables the prevention of fraud or identify theft by a third party. These biometric devices are alternatives to other forms of control and are subject to specific security measures to guarantee the security and confidentiality of personal data.

• When the person subscribes to an insurance contract. In this case, the insurer may need items relative to your state of health to provide you with guarantees and define any potential exceptions. The procedures implemented are aimed at ensuring perfect compliance with the partitioning principle: only the insurer receives the data and processes such data in line with its own procedures and in full compliance with applicable regulations, whereas BPCE CAR LEASE or BPCE PERSONAL CAR LEASE are only informed of the acceptance or refusal decision.

In any case, if we had to process data belonging to these particular categories of personal data, provided they are not prohibited for legal or regulatory reasons, your explicit approval would be obtained beforehand.

5. Who has access to your personal data?

Within Groupe BPCE

We may be required to transfer your personal data within Groupe BPCE to:

• BPCE S.A.;
• Any BCPE Group entity with whom you are a client or with whom you enter into contractual relations for the purpose of updating data collected by these entities;
• Any Groupe BPCE entity with a view to presenting products or services managed by these entities to you or for examining or drawing up any type of contract or operation;
• The General Inspectorate of BPCE
• Groupe BPCE entities in the event of sharing technical resources, in particular IT or data governance resources. To this effect, your personal data may be pseudonymized or anonymized for the purpose of research and creating statistical models.

With third parties, we may share your personal data with the following company types:

• Companies that insure or guarantee the financing of our clients (insurance firms, etc.);
• Debt recovery agencies;
• The service providers or subcontractors to which BPCE CAR LEASE and BPCE PERSONAL CAR LEASE assigns operational tasks, services, the performance of surveys or compiling of statistics;
• Third-party companies in the event of assigning debts or securitization transactions;
• Legal and financial authorities, or other government bodies;
• Certain regulated professions, such as lawyers, bailiffs, notaries or auditors.
• Business introducers approved by BPCE CAR LEASE or BPCE PERSONAL CAR LEASE

6.  Why do we process your personal data?

As part of our relationship, we may use all or some of the personal data in our possession for the purposes described below and based on the following principles:

Executing the contract relative products and services to which you have subscribed or to which you wish to subscribe 

We process your data with a view to providing you with products and services. Data is processed as it is necessary for pre-contract measures following your application and/or performance of the contract, such as:

• Subscribing to a product or service;
• Analyzing your lease request;
And this, in particular by means of a credit score.
• The management and execution of a product or related service;
• Managing your claims;
• Managing and tracking debt recovery (amicable recovery, cases of excessive debt and litigation);
• Managing guarantees and bonds.

If BPCE CAR LEASE and BPCE PERSONAL CAR LEASE do not have this data, they will be unable to conclude or perform the contract.

Complying with our legal and regulatory obligations

We are subject to a range of legal obligations and we process data in order to meet these obligations. This includes:

• Knowledge of our clients and their partners;
• Combating money laundering and the financing of terrorism;
• Identifying and protecting fragile clients, in cases of individual clients.

Protecting our legitimate interests

BPCE CAR LEASE and BPCE PERSONAL CAR LEASE pursue a number of legitimate interests, including:

• Improving client knowledge;
• Selecting and targeting our clients, marketing communication;
• Client satisfaction surveys and measurements;
• Proposing customized and tailored services:

o in the context of developments in technology;
o by improving your client experience;
o or to adapt to your requirements;

• Market profiling, including compiling data for the purpose of analysis or anonymization;
• Recording telephone calls for the purposes of training, assessing and improving the quality of our products and services;
• Compiling statistics or for Research and Development actions;
• Improving our products and services;
• Improving our risk management.
• Preventing fraud;
• Avoiding and managing incivility with respect to our employees;
• Ensuring the safety of our networks and information systems, monitoring access to our premises, notably with the use of video surveillance.

Applying certain processing with your approval

We may carry out certain processing of your personal data with your consent for specific purposes.
In these cases, you will be contacted beforehand to provide your consent, in a specific manner, for the collection and processing of data for each specific purpose.

If legally required, BPCE CAR LEASE and BPCE PERSONAL CAR LEASE will subject specific data processing to obtaining your consent, such as:

• Sales canvassing if you are not a client of BPCE LEASE or one of its subsidiaries or if you are a client of BCPE LEASE or one of its subsidiaries but for cases where the canvassing involves products that are not similar to those to which you have already subscribed;
• Transferring your data to third-party partners other than those mentioned above

To this effect, you will be specifically asked to consent to your data being collected and processed for explicit purposes.

7. For how long is your data kept?

Once the purposes for which the data have been acquired have been completed, and in line with potential legal or regulatory provisions in force requiring the conservation of certain data, we will delete or anonymize your data.
The conservation period is variable and depends on the nature of the data and the related final purpose.

Type of processingRetention periodConservation start point
Accounting documents and documentary evidence (account statements, etc…)10 years From the closing date of the relevant financial year
Registration, execution and management of products and services subscribed5 yearsFrom the closing date of the product or service, the termination of our relationship
Registration, execution and management of an insurance contract2 years

Excluding bodily injury, 2 years from the end of the contract or from the closing of the last claim.
For bodily injury stemming from civil liability, data are conserved to the end of the statute of limitations.

Combating money laundering and the financing of terrorism5 yearsFrom the date of execution of the transaction

Prevention and detection of misdemeanors and felonies

5 yearsFrom the date of the offense. When legal proceedings have been initiated, data are kept out to the end of the procedure and up to the end of the applicable statue of limitations.
Commercial prospection (following the conclusion of a contractual relationship: use of last names, first names, address, date and place of birth and features of the product (to which you have already subscribed)5 years From the end of the client relationship or the last incoming contact on your behalf
Commercial prospection (non-client prospect )3 yearsFrom the date of collection or the last incoming contact from the prospect

Information request for a banking product or service;
Simulation request with a view to subscribing to a lease
Processing of risk analysis relative to a lease request
without effective subscription

6 monthsFrom the request date or simulation date.
Cookies, trackers13 months maximumFrom the start date of the use of the tracker
Recording of telephone conversations

For 3 months for simple management calls to 5 years for evidentiary recordings

From the date of the recording
Prevention and detection of offences to prepare and/or carry out legal proceedingsFrom 5 to 20 years depending on the specific caseFrom the date of observation of the offense


8. How do we ensure the safety and confidentiality of your data?

To protect your private life and banking secrecy, the security and confidentiality of data, and particularly the personal data you provide to us, are our priority.

In light of the personal nature of data and the risks involved in processing such data, we take the necessary technical and organizational measures to protect the safety of your personal data, and, notably, to ensure that it is not deformed, damaged or accessible to unauthorized third parties or used for improper purposes.

As a result, we are committed to taking the necessary physical, technical and organizational measures to:

• protect the safety of your personal data against all unauthorized access, modifications, deformation, dissemination or destruction of the personal data we hold;
• protect our activities.

We regularly carry out due diligence in the form of internal audits to ensure the safety of personal data and prevent any unauthorized access to our systems.

Nevertheless, the safety and confidentiality of your personal data is dependent on best practices applied by all involved, and therefore we invite you to remain vigilant also.

In order to protect the confidentiality of your personal data, users are requested, in particular in the rules of use of Internet, to take all measures deemed necessary. In particular, as of the end of your consultation, users are requested to delete the traces of navigation and access is prohibited to unauthorized third parties assuming that such data might be downloaded to management software.

In line with our commitments, we select our subcontracts and our service providers with care and ensure:

• an equivalent level of protection of personal data as applied in-house;
• access and use of personal data restricted solely to the information needed for the services to be provided;
• strict compliance with applicable regulations and legislation in terms of confidentiality, banking secrecy and the protection of personal data;
• the implementation of all appropriate measures to ensure the protection of personal data that they may be called on to process;
• the definition of technical and organizational measures to ensure data protection.

9. Where is your data stored?

Personal data and information relative to our clients is stored in our information systems or those of our subcontractors or service providers.

Subcontractors are legally obliged to present sufficient guarantees in the implementation of their technical and organizational measures regarding data provided, to guarantee the protection of personal data.

In this respect, we apply confidentiality rules to our service providers which are at least as strict as our own.

In principle, we favor technical and storage solutions for personal data in hosting centers located within the European Union. If this is not the case, we take the necessary steps to ensure that the subcontractors and service providers offer the appropriate levels of security and protection as described hereafter.

Is your data transmitted or made available in countries outside the European Union?

The personal data your provide for the purposes agreed may, for various reasons, be transferred to a country located within the European Union or outside the European Union.

In the event of a potential transfer to a country outside the European Union, rules guaranteeing the safety and protection of personal data have been introduced: either the European Commission has adopted an adequacy decision which recognizes the equivalence of regulations governing personal data protection for the country considered, or appropriate guarantees have been introduced such as standard contract clauses approved by the European Commission.

In the event of payments or transfer of funds outside the European Union, certain personal data must be transferred to the beneficiary bank even if it is located in a country outside the European Union for which regulations do not provide equivalent protection to the extent that this transfer of personal data is necessary for the execution of the contract.
This personal data may be transferred, upon request, to official and administrative or legal authorities or to approved third parties.
In all cases, we take the necessary and appropriate measures to ensure the safety and protection of personal data.

10. Our prospection actions

We may contact you to propose new products and services that appear to meet your needs or desires or may meet new needs.
You may, at any time and free of charge, withdraw your approval of the processing of personal data for commercial prospection purposes according to the terms and conditions defined in article 13 hereof.

Commercial prospection by email or robocall

o Physical persons not acting for professional purposes:
We may contact you by email, robocall or text message when you have given your consent at the time of collecting personal data or if you are already a client and the prospection relates to similar products or services to those to which you have already subscribed.
This electronic message contains a link enabling to remove yourself from the list.

o Physical persons acting for professional purposes: 
Your email address may be used for commercial prospection purposes by email for purposes related to your profession. You may, at any time, exercise your right to opt out of commercial prospection.

Generic professional addresses allocated to a legal personality (company) are not subject to the principles of consenting, prior information and do not benefit from the right of opposition. Messages and notifications linked to the administrative management of a product or service already subscribed to (alerts, notifications of availability of electronic documents in your personal account, etc.) are not considered to be commercial prospection. The settings covering these messages and notifications and their use is authorized within the framework of the service contract subscribed to, it being understood that these notifications can relate to regulatory requirements and can therefore be essential.

Telephone prospection

We may also make use of telephone prospection to contact you.
In line with article L 223-2 of the French Consumer Code, we inform you that you can sign up to the Bloctel list prohibiting telephone prospection. However, despite adding your name to this list, you may be contact by telephone if there is an existing ongoing contractual relationships unless you explicitly express your opposition beforehand or during the call.

11. Our profiling actions

Profiling involves using personal data to assess certain aspects of the person concerned, to analyze and predict interests, behavior or other characteristics.

Within the framework of our relationship, we may make use of two types of profiling:

• marketing profiling which does not have any legal implications for you, such as, for example, marketing segmentation to offer you innovative products and services likely to correspond to your expectations/needs, complementary or promotional offers by targeting your needs as well as possible;
• profiling that may could have legal implications for you and could, for example, lead to the decision to assign to you a leasing score.

Regarding marketing profiling, we use techniques for marketing segmentation and selection which do not have any legal implications.

In this respect, the personal data we collect also helps us to personalize and constantly improve your banking relationship and/or our commercial relationship to offer you the products and services best suited to your needs. In this connection, we use different profiling techniques.

We may also aggregate and anonymize this data for marketing models and reports.
When we use such techniques, we take the necessary measures to avoid any risk of error and therefore protect your personal rights and freedoms.

In cases where such profiling has legal implications for your, as, for example, in the case of use for leasing scoring risk assessment purposes, the outcomes of this processing is used solely to help in decision-making by BPCE PERSONAL CAR LEASE and/or BPCE CAR LEASE :

• human intervention is always required in the decision-making process,
• and you have the right to communicate your observations or obtain explanations regarding the decision made as a result of this type of assessment, and to challenge the decision.

12. Use of specific processing using specialist technologies

Video protection

As part of the security measures applied in our premises, we use video protection systems compliant with the provisions of our internal security code and in particular the authorizations granted by the competent bodies relative to personal data protection.

You are informed that these images are recorded and stored and can be used to identify the persons filmed either by the systems used or by agents viewing the images.

Displays in areas under videosurveillance indicate the presence of such devices, the name of the person responsible and the terms and conditions governing access to your recorded images.

The images are stored for a period of one month, except in the vent of legal proceedings. If such proceedings are engaged, the images are extracted from the system (after recording of the processing in a specific log) and stored for the length of the proceedings.

Cookies and other trackers

Cookies or other trackers include tags, instruments and tracking tools that are placed on your device and read when consulting a website, reading an email or installing and using software or a mobile application.
When you visit BPCE PERSONAL CAR LEASE and BPCE CAR LEASE websites, cookies and trackers may be placed on your devices (such as computers, smartphones and computer tablets).

These trackers may be stored for a maximum term of 13 months.
The cookie policy implemented by BPCE PERSONAL CAR LEASE and BPCE CAR LEASE can be consulted on each of these websites, in the Cookies and legal information section or in the page footnote.

Telephone recordings

Telephone calls between you and our departments may be recorded for training or assessment purposes to improve the quality of products and services or as proof of completion of a remote transaction.

Before any recordings are made, you will be duly informed and given a right of refusal. However, refusal would mean that it would not be possible to complete your remote transaction, due to the lack of the possibility to record documentary proof.

Recordings or duplicates are stored for the authorized length of time depending on the purpose of their use (three months for management purposes, five years if the telephone recording is likely to be used as legal proof).

13. Your rights

Within the limits and conditions of current regulations in force, you may:

• Be granted access to some of your personal data;
• Rectify, update or delete your personal data, it being noted that deletion may only occur when:

o the personal data is no longer necessary for the purposes for which it was collected or processed in another manner;
o you have withdrawn your consent on which the processing is based and there is no other legal grounds to warrant its use;
o you have explicitly expressed your opposition to the use of your personal data for reasons related to your personal situation and there is no legitimate reason to continue using your personal data;
o Your personal data have been used in an illicit manner;
o Your personal data must be deleted to comply with legal obligations provided for under European Union or French regulations to which the Bank is subject;

• You explicitly express your opposition to the processing of your personal data for reasons related to your personal situation and there is no legitimate reason to continue using the data;
• You express your explicit opposition to the use of your personal data for commercial prospection purposes, including profiling actions related to such prospection;
• Receiving personal data which you supplied to us for automatic processing relating to your consent or the execution of your contract, the request for portability of this data for third parties;
• Requesting limits on the processing of personal data used by us when:

o you can challenge the accuracy of your personal data to enable the person in charge of processing your personal data to review the accuracy of said data;
o you can call for the deletion of your data if its processing is illicit;
o we no longer have need of the data but the data is still required by you to record, exercise or defend your rights in legal proceedings;
o you withdraw the right to process your personal data, pending verification of whether the legitimate justification presented by the leasor overrides your own.

• In the event of the data processing being subject to your approval, you may withdraw this approval at any time;
• File a claim with the supervisory authority.

In France, the supervisory authority is the Commission Nationale de l’Informatique et des Libertés (CNIL) – the French National Data Protection Authority:

3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07

Furthermore, you have the option of sending us instructions regarding the retention, deletion and communication of your data after your death. These instructions may also be registered with a certified “digital trusted third party.” These instructions may include details of the person nominated to carry them out. However, these rights cannot have the effect of contravening the rights of heirs or enabling the communication of information to which only the latter legitimately have access.

14. How to exercise your rights?

To exercise your rights, you can contact our Data Protection Officer by post or by email, specifying your last name, first name and contact details, and including a photocopy of your ID document.

Data Protection Officer

Postal address


Délégué à la Protection de Données
4 place de la Coupole
94 676 Charenton-le-Pont Cedex

To exercise your rights, you must imperatively provide proof of identity by clearly indicating your first name(s) and last name, the address to which you wish the reply to be sent, sign your request and include a photocopy of your ID document including your signature.

Exercising your right of access, amendment, refusal, deletion or limitation on the processing or transferability of your personal data is free of charge.

Regarding your rights of access to your personal data, we will provide you with a copy of the personal data processed. In the event of a clearly unfounded request, notably relative to their repetitive nature, you may be liable to the payment of reasonable charges to cover administrative costs related to the provision of this information, or you may be required to communicate or take the requested measures or your request may be refused.

This information notice may be subject to change. The latest published version may be viewed on the BPCE Lease website  :

If you want to change your preferences, click here.