Bankmed sal Privacy Notice

1. General

   Bankmed sal, a banking institution organized under the Laws of Lebanon with Beirut Commercial Register number 5261 and registered on the Lists of Banks issued by the Lebanese Central Bank under number 22, having its registered offices at Clemenceau Street, Beirut, Lebanon, and its local and foreign branches, are committed to the privacy of the data of their clients and visitors in accordance with any data protection, confidentiality or banking secrecy requirements which may be applicable to them, particularly without limitation the requirements of the European Union’s General Data Protection Regulation (the “GDPR”), the Lebanese Banking Secrecy Law dated 3 September 1956 (the “LBSL”), the personal data protection provisions of Lebanese Law number 81 dated 10 October 2018 (“Law 81”) and the DIFC Law No. 1 of 2007 (the “DIFC Law”), to the extent any of these laws and regulations is applicable to your relationship with Bankmed or any of its branches.

   It is to be noted that the protection afforded by the GDPR, Law 81 and the DIFC Law only applies to the data of identified or identifiable natural persons and does not apply to the data relating to legal entities.

   Bankmed acts as data controller, i.e. as the entity that, alone or jointly with others, determines the processing and means of the processing of the Data.

   Please note that if you do not agree to provide us with the requested Data, it may not be possible for us to establish a relationship with you or to continue to operate your account and/or provide our products or services to you.

2. Definitions

    When we refer to “Data”, we mean any data that we process in relation to Data Subjects, as such are defined below.

   The term “Sensitive Data” means personal data of you as an individual which may reveal information about your racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life and genetic or biometric data.

   The term “Data Subject” shall include either natural persons only or naturals persons and legal entities as may be applicable under the relevant law or regulation subject of this privacy notice, who are  Clients of Bankmed or visitors of its branches or websites, as well as any Relevant Persons, as defined in Section 4 below, and the term “Client” refers to past, current or prospective clients of Bankmed.

   In this privacy notice, any reference to “you” or “your” and other wording referring to you is a reference to you as a Data Subject; the reference to “we”, “us”, or “our” or other wording referring to us is a reference to us as Bankmed.

   The term “processing” or “process” is used herein to refer to actions such as the collection, retention, use, disclosure, transfer, deletion or destruction of Data.

   The term “Bankmed” or “Bank” shall include Bankmed sal and its local and foreign branches including branches located in the European Union unless otherwise specified in or deduced from the context.

3. How We Collect Your Data

   We obtain your Data mainly through any information you provide directly to us in person or via your representatives/agents or through our website, either in the context of our prospective or existing business relationship or when you contact us for any enquiries. We may also collect your Data through information provided by third parties or other entities within the Bankmed Group (the “Group”). Below is a non-exhaustive list of ways in which we collect your Data.

   Data collected directly from you, including:

   • when you apply for our products or services;
   • when you contact us for an enquiry, complaint or for any other reason;
   • when you use our branches, telephone services, websites or mobile applications; and/or
   • when you use or manage your accounts.

   Data collected from other sources, including:

   • your authorized representatives, agents, lawyers or introducers;
   • other organizations or people with which you may have a relationship such as a joint account holders or your employer;
   • other entities within the Group;
   • third parties who provide services to you or us, credit reference agencies, debtors’ directories, fraud prevention or government agencies, and other banks and financial institutions such as correspondent banks; and/or
   • publicly available resources, such as commercial and real estate registrars, central banks, databases maintained by local and foreign regulatory and supervisory authorities (such as the sanctions list), the press, the media, online search engines and other online resources.
4. Processing of Data
1. Types of Data

   The types of Data that Bankmed may process include the following:

   1. Personal information regarding you or relevant to persons connected to you (such as introducers, authorized representatives/agents, lawyers, family members, associates, employers, partners, shareholders, administrators, trustees, authorized signatories,non-client counterparties, owners of beneficial economic rights and securities providers. Such connected persons are collectively referred to as the “Relevant Persons”) required in your account opening and customer profile application or in your contracts with Bankmed or in applications you submit to benefit from our services, or in any requests, complaints or simulations you submit to Bankmed (including through our websites), or in any other means or services, such as name, surname, passport, identity card, social security number, gender, marital status, dependents, nationality, date and place of birth, residential status and addresses, phone numbers, educational status, employment and business information, personal and financial information, annual income, assets and liabilities, source of funds, personal net worth and origin of wealth, emails and mailing addresses, politically exposed persons information, purpose of the relation with Bankmed, relationship with other banks, information relating to the beneficial owner of the economic rights relating to the accounts held with Bankmed, information relating to taxation status such as in connection with US FATCA, OECD Common Reporting Standards (CRS) or other information relating to legal or regulatory requirements;
   2. In connection with payment services such as transfers or payment and credit cards, you or the Relevant Persons will also be required to provide and we process in addition to all the above mentioned Data, Data relating to your payment transaction or card transaction such as account numbers and balances, IBAN, nature, purpose and type of payment, beneficiaries thereof, card number, card code number and PIN, type of merchandise or service you bought or transacted and any other information needed or could arise in connection with such payment transaction or card transaction;
   3. If you access or use our website and electronic/digital services, you or the Relevant Persons will also be required to provide and we process in addition to all the above mentioned Data, Data such as the IP address, your login Data, type of device you use and the relevant access time and location;
   4. If you apply for or benefit from banking facilities, you or the Relevant Persons will also be required to provide and we process in addition to all the above mentioned Data, Data as to the purpose of such banking facilities, securities and guarantees of such facilities, personal and financial information relating to the security providers, and Data relating to insurance coverage for the benefit of the Bank;
   5. If you benefit from services relating to dealing and trading in financial instruments and investments, you or the Relevant Persons will also be required to provide and we process in addition to all the above mentioned Data, Data as to your classification and suitability for such trading such as age, number of dependents, employment status, net worth and income, investment horizons, objectives and investment approach, investible assets, financial status, types of investments, experience in investments and risk tolerance;
   6. If you contact us by telephone for any purpose whatsoever, including without limitation to issue instructions in relation to your accounts held with us, submit a complaint or contact our Data Protection Officer, your telephone conversations may be recorded;
   7. In order to optimize the functionality of our website, we also use cookies. Please visit our cookies policy.
2. Purposes for Processing of Data

   We will only use and share your information where it is necessary for us to carry out our lawful business activities. Most commonly, we will process your Data for one or more of the following reasons:

   1. For the performance of a contract with you or a third party

   We may process your Data where it is necessary in order to enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide our products or services to you. This may include processing to:

   • perform client acceptance procedures for products or services you are interested in purchasing;
   • create, maintain, support and administer our products and services including opening, servicing or closing Client's accounts, collecting and issuing all necessary documentation, executing your instructions, processing your transactions, transferring money between accounts, making payments to third parties and resolving any discrepancies and/or any queries or concerns you may have;
   • manage and maintain our relationship with you;
   • identify you as a Client, counterparty and accountholder and assess the risks involved with the services and transactions we provide or engage you with and to understand your needs and eligibility for services;
   • facilitate operational actions in connection with our business relationship (e.g. processing of payments);
   • respond to Bankmed counterparties, correspondents, custodians, clearing houses, funds and other similar institutions' requests in connection with transactions relating to you as a Client or with investments made by you or on your behalf;
   • dispatch card transactions notifications;
   • administer any credit facilities or debts, including agreeing repayment options; and
   • communicate with you about your account(s) or other products and/or services you receive from us.

   The purpose of processing your Data will in each case depend on the requirements for each product or service.

   2. For compliance with a legal obligation to which Bankmed is subject

   We are subject to various legal, regulatory, statutory and judicial requirements and obligations, including without limitation, compliance with regulatory requirements, court orders and laws (particularly relating to money laundering, terrorism financing, sanctions and tax laws).  The purposes of processing may include:

   • Identity, money laundering and “Know Your Customer” checks, fraud and financial crime detection. If fraud is detected, you could be refused certain services;
   • fulfilling reporting and other requirements in relation to our licenses and regulatory permissions;
   • handling requests from administrative, regulatory and judicial authorities;
   • fulfilling taxation, credit controls and reporting obligations;
   • pending or ongoing litigation proceedings; and/or
   • complying with regulatory record keeping obligations.

   Our branches located in the European Union will use the above legal basis for the processing of your Data where such legal obligations relate to European Union laws or the laws of Member States of the European Union in which our aforementioned branches are located.

   As for our branches located outside the European Union, they will use the above legal basis for the processing of your Data only where it is in our legitimate interest to abide by such local laws and regulations or where the processing is necessary for the performance of our contracts with you or in order to take steps at your request prior to entering into a contract with you.

   We will also use the above legal basis for the processing of your Data where your consent was given for such processing.

   3. For the purposes of safeguarding our legitimate interests or those of a third party

   In some cases we may process your Data so as to safeguard and pursue legitimate interests of our own or those of third parties. Such processing may involve the sharing of your Data between members of the Group and/or with external parties. For example, we may process your Data in order to:

   • carry on our business relationships with our Clients and with other parties;
   • ensure compliance with licensing requirements and regulatory requests or guidance related to such licenses;
   • ensure compliance with applicable laws, regulations and judicial orders outside the European Union and European Union Member States as such are more specifically set out in Section 4(b)(ii) above;
   • ensure compliance with regulatory guidance, internal policies, best practice and controls in connection with our business;
   • facilitate and/or respond to regulatory requests and audits, and act in a collaborative manner with any competent supervisory authorities;
   • protect our legal rights and interests (such as initiating legal claims and preparing our defense in litigation procedures, which may include the disclosure of your Data to your or our lawyers or consultants);
   • understand our customers’ actions, preferences, expectations and feedback in order to improve our products and services, develop new products and services and to improve the relevance of offers of products and services by the Group;
   • advertise our campaigns and inform you about goods, services or events that may be of interest to you;
   • prevent and/or investigate suspected financial crime, including fraud, terrorism financing and money laundering and to comply with sanctions, including know your customer and politically exposed persons (PEP) screenings;
   • assess risk and detect and prevent fraud and to protect you from fraud and errors;
   • perform statistical analysis particularly for regulatory purposes and for managerial reports;
   • ensure network and information security, including monitoring authorized users’ access to our information technology for the purpose of preventing cyber-attacks and unauthorized use of our telecommunications systems and websites;
   • manage and monitor our properties, offices and branches by setting up CCTV systems, for the purpose of safeguarding against trespassers, gathering evidence in the event of a robbery or fraud and documenting disposals and deposits and transactions such as on ATMs;
   • manage risk across the Group including carrying out financial, credit and insurance risk assessments;
   • share data with credit control and credit reference agencies, fraud prevention agencies and law enforcement agencies;
   • centralize appropriate Data in order to co-ordinate the services of different members of the Group;
   • enable a sale, reorganization, transfer or other transaction relating to our business;
   • ensure business continuity and disaster recovery and respond to information technology and business incidents and emergencies;
   • assess the quality of our customer services and provide staff training;
   • perform analysis of the your requests or complaints for the purposes of preventing errors and process failures and rectifying negative impacts on Clients and other parties we deal with;
   • perform general, financial and regulatory accounting and reporting;
   • address any of your complaints or claims;
   • trace debtors and recover outstanding debts;
   • check that our website and other electronic services are being used appropriately and to optimize their functionality;
   • assess your particular situation using profiling, as described in further detail in Section 11 below; and
   • carry out marketing or market and opinion research, including sending you research, event invitations or other information relating to the Bank which may be of interest to you, unless you have objected to the use of your Data in this way.
   4. You have provided your consent

   Where your consent to process your Data is given, such as for example when we wish to send you marketing information about our products or services or when we need to obtain your Sensitive Data, please note that you can withdraw such consent at any time, by using the contact details set out in Section 15 below, however, if you do so, we may no longer be in a position to continue providing you with any related services.

   Any processing of Data prior to the receipt of your revocation will not be affected.

5. Processing of Sensitive Data

We will only process your Sensitive Data in the following circumstances:

• when we need to obtain your trade union or syndicate or order membership details, where such membership is connected to the services provided to the members of such union, syndicate or order;
• when we use your biometric information in order to ensure the security of our electronic services, for example when you use the IRIS recognition system at our ATMs.

In order to be able to lawfully collect and process the abovementioned Sensitive Data we will need to first obtain your consent. You will be able to withdraw such consent at any time; however, if you do so, we may no longer be in a position to continue providing you with any related services.

In certain cases, we may be able to collect your Sensitive Data, where such have been made manifestly public by you.

During our business relationship with you, we may come across other Sensitive Data, such as for example your racial or ethnic origin or your religious status, where such information is displayed on any identification documentation (such as your ID or passport). When such information is provided to us, we will not use it in any way nor will we disclose it to any third parties.

6. External Recipients of Data

We will disclose your Data in the course of conducting our usual business, or if legal or regulatory requirements demand it or for the purposes and considerations mentioned in Section 4(b) (Purposes for Processing of Data) to the following recipients and for the following purposes:

• Within Bankmed, to the relevant units/departments and divisions and persons that are authorized to process the Data for the purposes of the services we provide you or for the analysis of any requests or complaints submitted by you;
• To funds and other institutions in connection with your investments;
• To relevant receivers, for the purposes mentioned in Section 4(b) (Purposes for Processing of Data) above;
• To institutions and persons assigned by Bankmed to conduct assessments of its clients’ statuses, particularly risk and/or compliance related assessments;
• To relevant receivers for the purposes of any formality or measure which Bankmed might take either to procure guaranties from third parties or to protect and implement and collect its rights under a contract or document or by virtue of law or regulations;
• To Bankmed local or foreign branches and to institutions particularly banking and financial institutions in the Group for the purposes of providing and improving its and their services and providing you with necessary or required banking and financial services;
• To local and foreign authorities that are empowered to implement provisions of treaties or laws or regulations imposing the exchange of Data and for the purposes of such treaties or laws or regulations;
• To the foreign or local supervisory, control or regulatory or tax and other authorities for the purposes of their supervision, control and regulatory activities;
• To institutions providing information and credit checking for the purpose of allowing Bankmed to obtain and exchange information relating to prospective borrowers;
• To Clients' guarantors and security providers for the purposes of the guaranteed indebtedness;
• To other banks and financial institutions or similar institutions for the purposes of performing our contractual obligations or for the purposes of transactions related to the Clients;
• To entities providing credit or debit or payment cards services such as VISA and MasterCard and other entities providing services for such cards or in connection with such cards or related to such cards;
• To valuators, appraisers, surveyors and experts in connection with your requests, complaints and transactions and the services provided to you;
• To non-performing loan management companies and debt collection agencies;
• To insurance companies in connection with insuring Bankmed’s business and risks or in connection with banking and financial services we provide;
• To service providers in connection with providing services to Bankmed and/or to its Clients for the purposes of financial services and operations provided by Bankmed to its Clients particularly without limitation in connection with electronic financial trading platforms, payment and other types of cards and related services, electronic services, notification of correspondences, archiving and such other services that necessitate engaging service providers;
• To Bankmed's correspondents, and to exchanges, clearing institutions, custodians and counterparties involved with the Client's transactions, and to counterparties within the scope of or in connection with (a) any financing obtained by Bankmed in connection with or based on or against the Client’s transactions and/or (b) any credit facilities granted by Bankmed to the Client and which are financed or refinanced through such counterparties and/or if and when required under any laws or regulations applicable to the transactions;
• To your transaction counterparties, and to any persons or institutions involved with your transactions;
• To Bankmed’s counterparty insurance companies particularly for the purpose of insuring the bank accounts, operations and liabilities;
• To courier service providers and other notification service providers for the purposes of notifying you with all correspondences, documents and statements and/or services and campaigns by all types of courier services or by any other means including without limitation through regular or fast courier service providers, notary public or by electronic means, SMS, WhatsApp or whatever technical support at the addresses and coordinates provided by you to Bankmed;
• To the relevant US authorities and bodies, upon their request, in case the Client is classified as Recalcitrant Accountholder under FATCA;
• To relevant authorities and bodies in connection with the implementation of the OECD Common Reporting Standards for the purposes of the CRS requirements (OECD CRS);
• To courts and arbitral bodies for the purpose of any litigation or claim;
• To your lawyers and representatives;
• To Bankmed’s lawyers, consultants, legal advisers, officers and representatives;
• To Bankmed’s auditors, shareholders and board members;
• To third countries or international organizations for the purposes of executing your transactions or in connection with legal requirements such as FATCA or OECD CRS;
• To marketing companies and market research companies;
• To potential or actual purchasers and/or transferees and/or assignees of any of Bankmed’s benefits, rights, titles or interests under any agreement between the Client and Bankmed, and their professional advisors, service providers and financiers;
• To website and advertising agencies;
• To other recipients if required by applicable laws and regulations; and
• To other agents working on our behalf from time to time.

The Data Subject also acknowledges that some banking services particularly electronic services require channeling of information through third party service providers and that such information may be viewed by such third parties.

7. Data Transfers
1. Data Transfers to countries or organizations outside of the European Economic Area (EEA) or otherwise outside the scope of the GDPR

Data will only be transferred to recipients who are outside the EEA or are otherwise outside the scope of the GDPR where:

• it is necessary to do so in order to carry out your orders, requests, operations and transactions (such as investment transactions, transfer orders, letters of credit, letters of guarantees); or
• we are legally obliged to do so (e.g. the Bank is obliged to disclose information to the appropriate authorities which may in turn disclose it to the US authorities pursuant to the legal framework implementing the US Foreign Account Tax Compliance Act (FATCA) and the OECD CRS); or
• subsidiaries located in the EEA transfer Data to their mother company in Lebanon; or
• we have obtained your consent to do so; or
• in accordance and for the uses and purposes mentioned under Section 4 (Processing of Data) and Section 6 (External Recipients of Data); or
• in the context of Data processing undertaken by third parties on behalf of Bankmed and according to Bankmed’s instructions.

Where the Bank intends to transfer your Data on a regular basis to recipients outside the EEA and/or organizations who fall outside the scope of the GDPR, it will make sure that your Data is protected in one of the following ways:

• Send it to a third country with privacy laws that give the same protection as the EEA, as certified by an adequacy decision of the European Commission.
• Put in place a contract with the recipient (commonly known as Standard Contractual Clauses) putting obligations on them to protect your Data to the same standards as applicable in the EEA.
• Transfer it to organizations that comply with an approved code of conduct or certification mechanism that requires its protection to the same standards as applicable in the EEA.

Please contact our Data Protection Officer if you would like to request to see a copy of the specific safeguards applied to the export of your Data, by using the contact details set out in Section 15 below.

2. Data Transfers from Bankmed (DIFC Branch) out of the DIFC
   1. Transfers to a jurisdiction having an adequate level of protection:

      Data will only be transferred from Bankmed (DIFC Branch) outside of the DIFC if:

      • An adequate level of protection for that Data is ensured by laws and regulations that are applicable to the recipient of the Data, i.e. the transfer is made to a jurisdiction which is listed as an acceptable jurisdiction under the Regulations (as defined in the DIFC Law) or any other jurisdiction as approved by the DIFC Commissioner of Data Protection; or
      • In accordance with Section 7(b)(ii) below.
   2. Transfers in the absence of an adequate level of protection:

      A transfer of Data from Bankmed (DIFC Branch) out of the DIFC to a recipient which is not subject to laws and regulations which ensure an adequate level of protection within the meaning set out in Section 7(b)(i) above may take place on condition that:

      • the DIFC Commissioner of Data Protection has granted a permit or written authorization for the transfer or the set of transfers and adequate safeguards are applied with respect to the protection of this Data;
      • you have given your written consent to the proposed transfer;
      • the transfer is necessary for the performance of a contract between you and us or the implementation of precontractual measures taken in response to your request;
      • the transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and a third party;
      • the transfer is necessary or legally required on grounds important in the interests of the DIFC, or for the establishment, exercise or defense of legal claims;
      • the transfer is necessary in order to protect the vital interests of the Data;
      • the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case;
      • the transfer is necessary for compliance with any legal obligation to which we are subject or the transfer is made at the request of a regulator, police or other government agency;
      • the transfer is necessary to uphold our legitimate interests recognized in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by your legitimate interests relating to your particular situation; or
      • the transfer is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorism financing obligations or the prevention or detection of any crime that apply to us.
8. Data Subject’s Rights

We want to make sure you are aware of your rights in relation to the Data we process about you. We have described those rights and the circumstances in which they apply further below.

1. Data Subject’s Rights under GDPR

Under GDPR, you have the following rights in terms of your Data:

• Receive access to your Data. This enables you to receive access or receive a copy of the Data we hold about you and to check that we are lawfully processing it.
• Request correction of the Data we hold about you. If you believe that any of the information that we hold about you is inaccurate or incomplete, you have a right to request that we correct the inaccurate personal information.
• Request erasure of your Data. You may request that we delete your Data if you believe that:
  1. we no longer need to process your information for the purposes for which it was provided;
  2. we have requested your permission to process your Data and you wish to withdraw your consent; or
  3. we are not using your Data in a lawful manner.

Please note that if you request us to delete your Data, we may have to suspend the operation of your account and/or the products and services we provide to you.

• Object to processing of your Data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. If you exercise your right to object, we will no longer process your Data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

  You also have the right to object where we are processing your Data for direct marketing purposes. This also includes profiling in as much as it is related to direct marketing.

  If you object to processing for direct marketing purposes, then we shall stop the processing of your Data for such purposes.

  Depending on the circumstances, we may need to restrict or cease the processing of your Data altogether or, where requested, delete your Data. Please note that if you object to us processing your Data, we may have to suspend the operation of your account and/or the products and services we provide to you.

• Request the restriction of processing of your Data. This enables you to ask us to restrict the processing of your Data, i.e. use it only for certain things, if:
  1. it is not accurate; or
  2. it has been used unlawfully but you do not wish for us to delete it; or
  3. it is not relevant anymore, but you want us to keep it for use in possible legal claims; or
  4. you have already asked us to stop using your Data but you are waiting for us to confirm if we have legitimate grounds to use your Data.

     Please note that if you request us to restrict the processing of your Data, we may have to suspend the operation of your account and/or the products and services we provide to you.

• Request the transfer of your Data. Where we have requested your permission to process your Data or you have provided us with information for the purposes of entering into a contract with us, you have the right to receive the personal information you provided to us in a portable format. You may also request us to provide it directly to a third party, if technically feasible. We are not responsible for any such third party’s use of your personal and account information, which will be governed by their agreement with you and any privacy statement they provide to you.
• Withdraw the consent that you gave us at any time with regard to the processing of your Data for specific purposes, such as to process your Sensitive Data. We will always make it clear where we need your consent to undertake specific processing activities. Please note that any withdrawal of consent shall not affect the lawfulness of processing based on consent before it was withdrawn or revoked by you.
• Lodge a complaint

  If you have exercised any or all of your data protection rights or otherwise feel that your concerns about how we use your Data have not been adequately addressed by us, you have the right to complain by submitting a request to our Data Protection Officer using the contact details set out in Section 15 below.

  You also have the right to complain to a competent supervisory authority for data protection within the European Union.

2. Data Subject’s Rights under the DIFC Law

   Where the DIFC Law, you as a Data Subject have the following rights in terms of your Data:

   • Right to access to and eectification, erasure or blocking of Data. This enables you to obtain:
     • confirmation in writing as to whether or not your Data is being processed and information at least as to the purposes of the processing, the categories of Data concerned, and the recipients or categories of recipients to whom the Data are disclosed;
     • communication in an intelligible form of the Data undergoing processing and of any available information as to its source;
     • as appropriate, the rectification, erasure or blocking of your Data the processing of which does not comply with the provisions of the DIFC Law.
   • Right to object to the processing. This enables you:
     • to object at any time on reasonable grounds relating to your particular situation to the processing of Data relating to you;
     • to be informed before your Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
3. Data Subjects’ Rights under Law 81

   Under Law 81, you as a Data subject have the right to (i) access your processed Data and (ii) object, for legitimate reasons, to the collection and processing of your Data unless you have already provided your consent to such collection or Bankmed is legally bound to collect or process such Data. You also have the right to access and object to the data and solutions used in the automated processing related to you and evoked against you.

   In addition, Data Subjects or their successors shall have the following rights:

   • To enquire about whether the Data Subject’s Data is processed, the purposes of the processing, the types of processed Data, its source, the nature and object of the processing, the parties to which the Data is transferred or who can have access to it as well as the timing and purposes of such access and to obtain readable copies of the processed Data;
   • To request rectification, completion, updating or erasure of the Data Subject’s inaccurate, incomplete, unclear or outdated Data or Data which is not in line with the processing purposes or is unlawfully collected, processed, used, stored or transferred; and
   • to lodge a complaint with the competent courts to enforce their rights.

   To exercise any of your above rights under GDPR, the DIFC Law or Law 81, as the case may be, or if you have any other questions about our use of your Data, please visit any branch of Bankmed or contact our Data Protection Officer using the contact details set out in Section 15 below.

   We will endeavor to address all of your requests promptly.

9. Data Retention and Security of Data
1. Data Retention

   We will keep your Data, whether during our relationship with you or after its termination, for as long as necessary (i) to fulfill the purposes we collected it for, (ii) to satisfy any legal, regulatory, accounting or reporting requirements, or (iii) to safeguard the legitimate interests of Bankmed. We may also retain your Data in case of litigation, complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you for as long as necessary for the purposes of such litigation or complaint.

   To determine the appropriate retention period for certain Data, we consider the amount, nature and sensitivity of the Data, the potential risk of harm from unauthorized use or disclosure of your Data, the purposes for which we process your Data and whether we can achieve those purposes through other means, and the applicable legal and regulatory requirements.

   Cyprus branch

   Where your Data are collected from or are kept at the Cyprus branch of Bankmed, your Data will be retained as long as you have a business or financial relationship with the Bank (as an individual or in respect of our dealings with a legal entity you are authorized to represent or are beneficial owner, signatory or officer of). Once your business relationship with the Bank has ended, we may keep your Data for up to ten (10) years in accordance with guidance 1/2017 and 2/2017 of the Data Protection Commissioner (http://www.dataprotection.gov.cy). After the expiration of the ten (10) year retention period, the Bank will erase and/or destroy your Data via secured procedures.

   For website visitor and prospective customer Data (or authorized representatives/agents or beneficial owners of a legal entity that is a website visitor or prospective customer) we shall keep your Data for six (6) months from the date of notification of the rejection of your application for banking services and/or facilities or from the date of withdrawal of such application, as per guidance 1/2017 and 2/2017 of the Data Protection Commissioner (http://www.dataprotection.gov.cy).

   Where we no longer need to process your Data for purposes set out in this privacy notice, we will delete your Data from our systems. However, we may keep your Data for longer if we cannot delete it for legal, regulatory or technical reasons. If we do, we will make sure that your privacy is protected and that your Data are only used for those purposes.

   If you have any questions about our data retention practices, please contact us electronically by using the contact details set out in Section 15 below.  

2. Security

   We implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store in order to protect it from unauthorized access, use or disclosure. However, please be advised that we cannot fully eliminate security risks associated with the storage and transmission of Data as we cannot guarantee that our security measures will prevent third-party hackers from illegally obtaining this information.

   You are responsible for maintaining the secrecy of your unique password and account information at all times and for compliance with all other security measures of which we make you aware. We are not responsible for circumventions of any privacy settings or security measures contained on any of our websites.

10. Automated Decision Making

    In principle, we do not make decisions based solely on automated processing to establish and implement the business relationship. However, we may use certain automated processing when this is requested to comply with local and international laws and regulations or internal policies and procedures in certain cases such as certain classification of accounts including classification of credit cards, loans and delinquent or doubtful or blacklisted accounts. Please note that such automated processing is made to assist us in our decisions in relation to our prospective or existing business relationship with you, but is not the only tool used for our decision making. We assess the situation of all customers on an individual basis and take decisions only following the review of each case by an authorized member of our staff.

11. Profiling

    In some cases, we process your Data automatically with the goal of assessing certain personal aspects (profiling). For example, we use profiling when we use scoring to assess your creditworthiness or your investment knowledge or your risk tolerance profile, or when we calculate the likelihood of you meeting your contractual payment obligations or for accounts classification or for outbound marketing. Scoring is based on a mathematically and statistically recognized and proven procedure. The calculated score values assist us as one tool in our global decision-making process but are not solely relied on and are incorporated into ongoing risk management procedures.

12. Newsletters and Marketing emails, SMS and WhatsApp

    We may process your Data in order to inform you about our products, services and offers that may be of interest to you or your business. We can only use your Data to promote our products and/or services to you if we have your consent to do so or, in certain cases, if we consider that it is in our legitimate interest to do so.

    You have the right to object at any time to the processing of your Data for marketing purposes, by contacting your personal banker at any time or any branch of the Bank either in person or in writing or by clicking on the option to opt out of receiving marketing information in any future marketing communication you receive from us.

    Even if you inform us that you no longer wish to receive marketing material, you will still receive other important information from us from time to time, such as changes or updates to your existing products or services.

13. Third-Party Websites

    We have established relationships with other parties, websites and platforms to offer you the benefit of products and services, and we offer you access to these other parties and their websites through the use of links on our website. In some cases you may be required to submit your Data to register or apply for products or services provided by such third parties. This privacy notice does not apply to these third party sites. The privacy policies of those other parties may differ from ours, and we have no control over the information that you submit to them. You should read the relevant privacy policy for those third party sites before responding to any offers, products or services advertised by those parties.

14. Effectiveness and Amendments

    This privacy notice will remain in effect until such time as we notify you otherwise. We reserve the right to update or change our privacy notice at any time. If we make any material changes to this privacy notice, we will notify you either through the email address you have provided us or by placing a prominent notice on our website or by requesting you to sign off on it.

15. Contact Details

    If you have any questions, comments and/or requests regarding this privacy notice or wish to obtain more details in relation to the Data we process about you, please contact our Data Protection Officer (and/or any other officer as may be notified to you by Bankmed from time to time) through the following communication means:

1. By registered mail addressed to the Data Protection Officer at 482 Clemenceau Street, P.O. Box: 11-348 Riad El-Solh, Beirut, Lebanon;
2. By email at or, for Bankmed’s Iraq branches, at ;
3. By telephone on:
   1. (00961) 1 708090 if you are calling from Lebanon or you are a Bankmed (Lebanon) client;
   2. (00964) 780 4230303 if you are calling from Iraq or you are a client of one of Bankmed’s Iraq branches;
   3. (00971) 4 3889787 if you are calling from the UAE or you are a Bankmed (DIFC branch) client;
   4. (00357) 253 64964 if you are calling from Cyprus or you are a Bankmed (Cyprus branch) client;
4. Through the dedicated sections of our websites or online applications, if any; or
5. By using any other contact details as may be notified to you by Bankmed to this effect from time to time.