BLC is committed to conducting its activities in compliance with Banking Secrecy Law and Data Protection obligations. BLC aims to protect Individuals’ personal data by enforcing a Data Protection Policy that provides the highest level of privacy and security regarding the collection and use of data.
This policy describes how the Bank may collect, use, protect and disclose Individuals’ personal information. Personal information comprises all the details BLC holds or collects directly or indirectly about Individuals, their transactions, financial information, interactions or dealings with BLC, including information received from third parties and information collected through the use of the BLC website and electronic banking services.
2. LEGAL & REGULATORY FRAMEWORK
The main legal basis establishing data protection requirements at BLC Bank is the provisions of National Law No. 81/2018, the General Data Protection Regulation (GDPR), and BDL Circular No. 146/2018, which intend to:
BLC will ensure that the data collected is effectively protected in order to fulfill individuals’ reasonable expectations of privacy by complying with the applicable laws and regulations.
3. PURPOSE & SCOPE
The purpose of this policy is to set out the principles of data protection that BLC Bank shall follow and to provide a managed framework for fulfilling BLC Bank’s business needs, accountability and legal responsibilities.
This policy applies to the personal data of individuals, being current and former employees, representatives, shareholders, BOD members, prospective, current and former customers, authorized signatories, beneficial owners, guarantors, advisers, contractors, service providers, partners, payers, payees, and security providers. It applies also to personal data gathered in respect of onboarding customers at the outset of any business relationship and after its conclusion.
This policy covers all personal data processed, regardless of the medium on which that personal data is stored.
4. GENERAL DATA PROTECTION PRINCIPLES
BLC will be guided by data protection principles relating to the processing of personal data.
I. LAWFULNESS & FAIRNESS
BLC will only process Personal Data fairly and lawfully and for specified purposes. These restrictions are not intended to prevent processing but to ensure that BLC processes Personal Data for legitimate purposes.
BLC must provide detailed, specific information to data subjects about what happens to their Personal Data. This information will be provided through appropriate privacy notices that must be concise, transparent, intelligible, easily accessible and in clear and plain language to allow the data subjects to easily understand the status of their Personal Data.
III. INDIVIDUAL CONSENT
Explicit consent will be obtained in situations where a serious data protection risk emerges and, hence, where a high level of individual control over personal data is deemed appropriate. The consent must be freely given and specific, and must include an unambiguous indication, whether a clear statement or an affirmative action, from the data subject to process his/her personal data.
When BLC processes personal data that are necessary to conduct a service requested by a customer under the agreed terms and conditions, the processing is considered legitimate and no further consent is needed.
Written consent shall be presented in an understandable and easily accessible form, using clear and plain language.
Data subjects shall be able to withdraw their consent to processing based on the Bank’s internal procedure. BLC shall maintain a record of all consents obtained to demonstrate compliance.
IV. PURPOSE LIMITATION
Personal Data will be collected only for specified, explicit and legitimate purposes. It will not be further processed in a manner incompatible with those purposes unless the data subject is informed of the new purpose and gives his/her written consent.
V. DATA MINIMIZATION
BLC shall make sure that the processed Personal Data is adequate and relevant to the purpose for which it is intended to be processed and will not accumulate Personal Data that is not relevant for those purposes. BLC shall draft a retention policy to ensure that when Personal Data is no longer needed for specified purposes, it is securely destroyed or anonymized.
VI. ACCURACY OF DATA
It is the responsibility of the data subject to provide accurate and updated personal data to BLC. BLC will take all reasonable steps to check the accuracy of any personal data at the point of collection and follow the procedure for reviewing the data at regular intervals thereafter. Incorrect or misleading data will be corrected or deleted as appropriate.
VII. STORAGE LIMITATION
Personal Data will be retained for as long as reasonably necessary and/or as required or permitted by Law. BLC will take reasonable steps to destroy or erase all personal data that is no longer required by national laws and regulations.
VIII. SECURITY OF DATA
BLC Bank shall take reasonable and necessary measures to protect the personal data it processes and to prevent its distortion, alteration, damage or unauthorized access through the implementation of a robust security program including but not limited to policies, controls, monitoring methods, recovery techniques, training, and awareness.
Personal data shall be protected against unauthorized access using appropriate organizational, operational and technical measures. BLC will perform regular controls to ensure the effectiveness of these measures.
5. PROCESSING PERSONAL DATA
Personal data may or will be collected, stored, used, processed, transferred or disclosed in or outside Lebanon for the following purposes:
6. PROCESSING SENSITIVE DATA
BLC will only process sensitive personal data where it is strictly necessary for a specific purpose. BLC will take special care when processing sensitive personal data because it represents a greater intrusion into individual privacy than processing non-sensitive data, in particular in ensuring the necessity of the processing and the security of the Sensitive Personal Data.
Access to a data subject’s personal data is limited to authorized persons whose status, duties and responsibilities specifically require or justify access to such data.
7. REPORTING A PERSONAL DATA BREACH
BLC shall put in place a procedure to be followed by all employees to deal with any suspected personal data breaches. The suspicious case will be reported immediately to the DPO for further investigation and conclusion. A log of personal data breaches will be maintained and submitted periodically to Senior Management.
8. DISCLOSURE AND TRANSFER OF DATA
BLC may disclose and/or transfer a data subject’s Personal Data both inside and outside Lebanon for the purposes highlighted in this policy and allowed or required by applicable laws and regulations to the following:
BLC will take reasonable steps to make sure that third parties who receive personal data of a data subject treat the personal data in confidence and in accordance with Data Protection law and regulations. BLC will not transfer data of the data subject to any third party to be used for direct marketing purposes without obtaining the prior consent of the data subject.
9. DATA SUBJECTS’ RIGHTS AND REQUESTS
Data subjects have rights when it comes to how BLC handles their personal data. These include rights to:
BLC must impose direct compliance obligations on data processors by including specific contractual requirements in any agreement with the data processor. BLC will consider the following requirements when dealing with a third party:
11. ROLES & RESPONSIBILITIES
I. Board of Directors
II. Senior Management
III. Data Protection Officer – DPO
The Head of Compliance is appointed as DPO and shall be entrusted with the duty to perform the following tasks:
IV. Group / Departments Heads
V. Information Security Department
VI. Legal Department
VII. Audit Department