- I. Legal notices
- II. Personal data protection policy (GDPR)
- III. General terms of use of the site (GTU)
I. Legal notices
Publisher of the site: Al Khaliji France S.A
Status Credit institution authorised and regulated by the Autorité de Contrôle Prudentiel et de Résolution (ACPR), 4 Place de Budapest – CS 92459 – 75436 Paris Cedex 09.
Registered office: 49/51 avenue George V, 75008 Paris – France +33 (0)1 49 52 49 52
RCS / SIREN: B 309 033 066
LEI: 9695008XJV2T8GA3P098
Intra-community VAT number: FR 793 090 330 66
Swift: LICOFRPP
CIB: 41829
Publication Director : General Manager
Website hosting :
Host: Al Khaliji France (France, UE)
Server location : France (U.E)
Purpose of the site:
This site provides:
– Institutional information
– Secure access to the online client area
Website design and development:
Society L&B SYNERGIE
SIRET : 412 791 915 00066
Site : letb-synergie.com
II. Personal data protection policy (GDPR)
With reference to the provisions of the General Data Protection Regulation – (EU) 2016/679.
1. Controller
Al Khaliji France, a credit institution licensed by the ACPR, is the Controller for all data collected via this website.
This responsibility applies to all users, regardless of their location, including:
- France
- European Union
- United Arab Emirates
- Qatar
- And any other country from which the site is accessed
In accordance with Article 3 of the GDPR.
2. Contact details of the Data Protection Officer (DPO)
Postal address: Al Khaliji France, DPO, 49/51 avenue George V, 75008 Paris – France
Email address: dpo@alkhaliji.fr
“You can contact the DPO for any questions relating to personal data protection or the exercise of your rights.”
3. Purposes of processing
- Under its legal or regulatory obligations, Al Khaliji France may process Clients’ personal data for the following purposes: reporting (tax package and financial statements, Client identification and list of accounts to be monitored; monthly reporting to the Banque de France of payments outside the euro area; CRS reporting; FATCA reporting, and information recorded in FICOBA; lists of inactive accounts; banking bans and lost or stolen cheques; reporting to Tracfin or to the prudential supervisory authority; annual information on variable-rate mortgage loans and annual information owed to guarantors; annual detailed summary of fees collected for the management of deposit accounts; analysis of transfers and clearing; in the event of death, provision to the notary of the Client’s account balance for estate management and reporting to the tax authorities; review of files submitted for settlement.
- Under the performance of the contract binding the Client to Al Khaliji France, Al Khaliji France may process the Client’s personal data for the following purposes: opening, administration and management of deposit or other accounts; identification of borrowers or account holders; management of exceptional transactions; issuance and management of bank cards and chequebooks; customer relationship management; management of transfers and returned transfers as well as direct debits; SWIFT transfers; card payments; clearing of banking operations and EIC; management of returned cheques; reprinting of bank cheque letters; operations management; printing and sending of statements; funding of accounts, allocation of resources and foreign exchange services; control of bank cheque processing.
- Lastly, on the basis of its legitimate interests, Al Khaliji France may also process the Client’s personal data for the following purposes:
- For its interest in risk assessment, to assess credit applications with human intervention and record any security interests in its system;
- For its interest in managing means of payment, to monitor bank card activity;
- For its interest in securing means of payment and protection against counterparty risk, to manage cheque stops and rejections;
- For its interest in recovery, to manage the enforcement measures register;
- For its interest in monitoring its activity and being able to prove compliance with its contractual obligations, to account for treasury lending operations, request information on a cheque and maintain a list of closed accounts;
- For its interest in protecting against Client default, to maintain a list of suspicious transactions and suspicious clients, a list of loans whose specific conditions preclude standard monitoring, a list of loans to be regularised and unused loan commitments, ensure IFRS reporting and risk centralisation;
- For its interest in monitoring granted credit, to ensure transmission of credit applications to the competent committees for approval, draft and circulate internal assessment reports on granted loans and carry out statistical analyses on granted credit;
- For its interest in tracking its activity, to provide the competent committees with the list of doubtful receivables and names of doubtful Clients for consolidation, maintain a monthly history of the situation of all accounts, provide other entities with accounting information on profitability, control account balances, ensure proper execution of payment procedures, carry out transfers of management data to the accounting department, ensure proper maintenance of account opening files and credit renewals, and ensure compliance with receipt limits.
- More generally, Al Khaliji France may process the Client’s personal data to defend its rights and manage any disputes.
3.1 Contractual purposes – Article 6-1(b)
- Bank account management
- Execution of transactions
- Access to the secure client area
- Follow-up of online forms
3.2 Legal purposes – Article 6-1(c)
- Anti-money laundering and counter-terrorist financing (Article L561-1 of the French Monetary and Financial Code, CMF)
- Anti-fraud measures
- Strong customer authentication evidence (Payment Services Directive 2, PSD2 > Multi Factor Authentication, MFA)
3.3 Legitimate interests – Article 6-1(f)
- Information system security
- Intrusion prevention
- Internal statistics
- Website improvement
3.4 Consent– Article 6-1(a)
- Non-essential cookies
- Advanced statistical analysis
- Newsletter
- Marketing content
No non-essential cookies are placed without your explicit consent.
4. Base légale des traitements
| PURPOSE | LEGAL BASIS | ARTICLE |
|---|---|---|
| Account/requests management | Contract | 6-1(b) |
| KYC / AML / legal obligations | Legal obligation | 6-1(c) |
| IS security / anti-fraud | Legitimate interest | 6-1(f) |
| Non-essential cookies | Consent | 6-1(a) |
| PSD2 MFA | Legal obligation | PSD2 |
Processing of personal data is permitted where it relies on one of the six legal bases stated in Article 6 GDPR:
- Consent: the person has consented to the processing of their data;
- Contract: processing is necessary for the performance or preparation of a contract with the data subject;
- Legal obligation: processing is required by legal texts;
- Public interest task: processing is necessary for the performance of a task carried out in the public interest;
- Legitimate interests: processing is necessary for the pursuit of the legitimate interests of the organisation processing the data or of a third party, with strict respect for the rights and interests of data subjects;
- Vital interests: processing is necessary to protect the vital interests of the data subject or of a third party.
5. Data collected
- Identification data: First name, last name, email address, postal address, phone number.
- Technical data: IP address, technical logs, authentication data, MFA data.
- Banking data: Account number, IBAN, transactions, KYC documents.
- Indirect sensitive data: Information that may be revealed by financial transactions.
6. Source of data
Al Khaliji France collects users’ personal data from the following sources:
- Directly from you: when creating an account, subscribing to a service or communicating with our teams.
- Automatically during browsing: via cookies, trackers and analytics tools to improve user experience and ensure security.
- Intra-group exchanges: in the context of banking operations and services, transfers may take place between group entities located in France, the United Arab Emirates and Qatar, in accordance with applicable data protection rules.
- Via the contact form: when you send us a request or complaint.
Guarantees:
- These processing operations comply with the GDPR and international transfer rules (standard contractual clauses, enhanced security measures).
- Data is used only for the purposes described in the privacy policy.
Contact form:
When you use the contact form available on the site, the following information may be collected and transmitted to Al Khaliji France by email:
- First and last name
- Email address
- Phone number
- Subject of the request
- Message content
- Date and time sent
- Sender’s IP address (for security and fraud prevention).
This data is transmitted to a generic internal Al Khaliji France mailbox, operated in France and protected by Al Khaliji France’s internal security measures.
Purpose:
- Processing, analysis and follow-up of user requests
Legal basis:
- Legitimate interests (Article 6-1(f) GDPR: management of incoming requests)
- Or Article 6-1(b) if the request concerns a contractual relationship
Recipients:
- Authorised Al Khaliji France staff according to the nature of the request
- No external service provider accesses this data.
Retention period:
- Emails received: up to 3 years for requests without follow-up
- If the request leads to a contractual relationship, retention is carried out in accordance with applicable legal requirements (French Monetary and Financial Code, AML/CFT – Know Your Customer)
- Technical logs: 6 to 12 months
Security:
Messages are processed in a secure messaging system protected by:
- Strong authentication (MFA – Multi Factor Authentication)
- TLS encryption
- Access control
- Continuous logging
- Security monitoring
- Anti-phishing/anti-malware filtering
Transfer:
No data transfers outside the European Union are performed in connection with this form.
Messages are hosted and processed within Al Khaliji France’s secure environment.
7. Recipients
- Authorised internal departments (France / UAE)
- Parent company in Qatar (prudential obligations)
- Technical service providers (hosting, security, support)
- Other service providers involved in regulatory compliance assignments
- Parent company internal auditors / external auditors
- Authorities: ACPR, TRACFIN, CNIL (if required)
8. Retention periods
- Contractual data: 5 years
- Security logs: 6 to 12 months
- Analytics cookies: 13 months
- Cookie consent: 6 months
- Cookie data: up to 25 months
9. Automated processing and profiling
In accordance with Article 22 of the General Data Protection Regulation (GDPR), Al Khaliji France informs its clients that no decision producing legal effects or similarly significant effects concerning them is made solely on the basis of automated processing, including profiling.
Use of automated processing
Certain automated processing may be used to facilitate decision-making (e.g., preliminary file analysis, fraud detection, internal scoring), but they are never the sole determining factor. Human intervention is systematically provided to validate or adjust the final decision.
Profiling
Profiling may be used for fraud prevention, regulatory compliance (e.g., anti-money laundering) or to offer tailored services.
These processing operations respect the principles of data minimisation and proportionality.
User rights
In accordance with the GDPR, the user has the following rights:
- Contest a decision made on the basis of automated processing.
- Obtain an explanation of the underlying logic of the processing.
- Request human intervention to review the decision.
To exercise these rights, the user may contact the Data Protection Officer (DPO): dpo@alkhaliji.fr
10. Data relating to minors
The site and services offered by Al Khaliji France are strictly intended for adults. As such:
- Registration prohibited for minors: Minors are not permitted to create an account, subscribe to services or provide personal data via the site.
- No intentional collection: Al Khaliji France does not knowingly collect data concerning minors. If information is transmitted in error, it will be deleted as soon as Al Khaliji France becomes aware.
- Procedure in case of accidental collection: Any legal representative who notes the transmission of data by a minor may contact the Data Protection Officer (DPO) to request deletion.
- Link with the privacy policy: These provisions are consistent with the GDPR and data minimisation principles.
11. Data security (GDPR – PSD2 – DORA)
Al Khaliji France implements a robust security policy to ensure the confidentiality, integrity and availability of data. Measures include:
- Advanced encryption of data in transit and at rest (TLS and AES protocols).
- Multi-factor authentication (MFA) for all sensitive access.
- Strict access control based on the principle of least privilege.
- Continuous logging and traceability of critical operations.
- 24/7 security monitoring with incident detection and response systems (SIEM).
- Network segmentation to limit propagation risks.
- Encrypted backups and regular restoration tests.
- Periodic internal and external audits to assess compliance and resilience.
Al Khaliji France complies with European regulatory requirements:
- GDPR: Protection of personal data and client rights.
- PSD2: Implementation of strong authentication for payments.
- DORA: Strengthening digital operational resilience and continuity plans.
12. Transfers outside the European Union
In accordance with Articles 45 and 46 GDPR, any access to personal data from a country located outside the European Union is strictly regulated.
- Where the country benefits from an adequacy decision (Article 45), access relies on that mechanism.
- Where no adequacy decision exists, such access is governed by Standard Contractual Clauses (Article 46) supplemented by reinforced technical and organisational measures, notably:
- Encryption,
- Access control,
- Strong authentication,
- Full logging,
- Copy prohibition (Article 32 GDPR).
- These guarantees also apply to any future third country involved in the context of:
- Maintenance,
- Support,
- Monitoring,
- Business continuity.
Al Khaliji France will not implement any remote access from a third country without verifying that the level of protection provided is equivalent to that of the European Union and without having put in place appropriate security measures.
- These transfers are carried out only when strictly necessary for:
- Technical maintenance,
- 24/7 monitoring,
- Application support,
- Business continuity.
- Countries not covered by Article 45 (Adequacy Decision):
- United Arab Emirates
- Lebanon (also concerns an outsourced MSSP service)
- Qatar
- Countries covered by Article 45 (Adequacy Decision):
- Canada* (also as part of an outsourced 24/7 Follow The Sun MSSP service)
- South Korea (only concerns an outsourced 24/7 Follow The Sun MSSP service)
Framework:
- South Korea* > Commission Implementing Decision (EU) 2021/2296 of 17 December 2021 – PIPA (Personal Information Protection Act)
- Canada* > Commission Decision of 20 December 2001, in accordance with Article 25(6) of Directive 95/46/EC, recognising the adequacy of protection provided by the Canadian federal law PIPEDA (Personal Information Protection and Electronic Document Act)
*Note: The EDPB (European Data Protection Board) has given a very clear opinion: when an employee of an organisation accesses personal data from a third country, this does not constitute a data transfer within the meaning of the GDPR, as the recipient remains the same organisation.
- United Arab Emirates, Lebanon (concerns an outsourced MSSP), Qatar > Standard Contractual Clauses (Article 46 GDPR) + reinforced measures.
Applied safeguards
- Strong encryption
- Strict access control
- Full logging
- Copy prohibition
- Continuous monitoring
- EU-equivalent protection
No physical transfer:
Data never leaves the EU: only regulated remote access may occur.
13. Your GDPR rights
| RIGHT | OPTIMISED DEFINITION |
| Right to object | You can object at any time to the processing of your personal data: (1) without justification for direct marketing; (2) for processing based on legitimate interests, unless there are compelling legitimate grounds or for the establishment, exercise or defence of legal claims |
| Right of access | You can obtain confirmation that your data is being processed, access that data and the associated information (purposes, recipients, retention periods, etc. ). |
| Right to rectification | You can request the correction of inaccurate data or the update of incomplete data concerning you. |
| Right to erasure (right to be forgotten) | You can request deletion of your data in certain cases: data no longer necessary, withdrawal of consent, objection without compelling legitimate grounds to the contrary, unlawful processing, etc. |
| Right to restriction of processing | You can request suspension of processing (excluding storage) when: (1) you contest the accuracy of the data; (2) processing is unlawful; (3) you object to processing pending verification; (4) we no longer need the data but you need it for legal claims. |
| Right to portability | You can receive the data you have provided to us in a structured, commonly used and machine-readable format, and request their direct transfer to another controller, where: (1) processing is based on your consent or a contract; (2) it is carried out by automated means. |
| Withdrawal of consent | You can withdraw your consent at any time, as easily as you gave it. This withdrawal does not affect the lawfulness of processing carried out before the withdrawal. After withdrawal, we cease processing unless another legal basis applies (e.g., legal obligation). [Commission.europa.eu], [rgpd.com] |
| Post-mortem directives | In accordance with Article 85 of the French Data Protection Act, you may, during your lifetime, define directives regarding the retention, erasure or communication of your data after your death. These directives may be: (1) general, recorded with a trusted third party (e.g., a notary); (2) specific, for a specific service (e.g., social network). Failing that, your heirs may exercise certain rights to settle the estate. |
- Response time: 1 month (extendable to 3 months in case of complexity).
- The GDPR does not apply to deceased persons, but French law provides for this post-mortem right.
Contact :
- Email : dpo@alkhaliji.fr
- Mail: DPO AlKhaliji France, 49/51 avenue Georges V, 75008 Paris, France
14. CNIL complaint
III. General terms of use of the site (GTU)
15. Permitted use
The user undertakes to:
- Use the site in accordance with applicable laws and regulations;
- Not disrupt the operation of the site through malicious or abusive actions;
- Not attempt to access unauthorised areas or protected data;
- Not introduce viruses, spyware, malware or any other harmful code;
- Not impersonate Al Khaliji France, its employees or any third party.
Any breach may result in:
- Immediate suspension of access;
- Civil and/or criminal proceedings.
16. Anti-impersonation/anti-phishing clause (PSD2 – ACPR)
As part of regulatory requirements (PSD2, ACPR), Al Khaliji France reminds you that it will never ask you for:
- Your login credentials;
- Your MFA/OTP codes (Multi-Factor Authentication / One-Time Password);
- Your passwords;
- Your banking data by email, SMS or telephone.
Any such request should be considered fraudulent.
The user is encouraged to:
- Never communicate this information;
- Immediately report any suspicious attempt to customer service or the DPO.
17. Liability in case of non-compliance
The user is solely responsible for consequences related to:
- Voluntary or involuntary disclosure of their credentials;
- Fraudulent use of the site or services;
- Any action contrary to these terms.
Al Khaliji France reserves the right to:
- Block access in case of suspected fraud or violation;
- Initiate proceedings to remedy any damage suffered.
18. Unauthorised use
The user undertakes not to:
- Disrupt site operation or attempt to degrade performance;
- Access or attempt to access any system, account, data or feature without authorisation;
- Introduce or distribute malware, viruses, or any harmful code;
- Impersonate Al Khaliji France, its employees or any third party;
- Use the site for fraudulent, illegal purposes or in breach of these terms;
- Collect or exploit personal data without authorisation.
Sanctions and liability:
Any breach of these prohibitions may result in immediate suspension of site access, account deletion, as well as civil and/or criminal proceedings in accordance with the provisions of the French Penal Code and the Law on Confidence in the Digital Economy (LCEN).
19. Security information (ACPR – PSD2 – DORA compliance)
Al Khaliji France implements enhanced security measures to protect your data and transactions. However, user vigilance is essential to prevent fraud risks.
- Essential user guidelines
- Never share your credentials, MFA/OTP codes, passwords or banking data by email, SMS or telephone.
- Use strong passwords and enable multi-factor authentication.
- Keep your devices up to date (operating system, antivirus, browser).
- Verification of URLs and fraudulent messages
- Ensure that the URL begins with https:// and corresponds to the official Al Khaliji France domain.
- Never click on links received by email or SMS without verification.
- Beware of alarming or urgent messages: they are often fraudulent.
- Immediately report any suspicious message to customer service or the DPO.
- Vigilance against fraud and payment security
- Online payments are subject to strong customer authentication (SCA) in accordance with PSD2.
- Never validate a transaction you did not initiate.
- In case of doubt, immediately contact Al Khaliji France before taking any action.
- Procedure in case of suspicion
In case of a suspicious message or unauthorised transaction:- Do not disclose any information.
- Immediately contact customer service using the official contact details.
- Change your credentials if necessary.
20. No financial advice (MiFID II)
The information on the site is for information purposes only and does not constitute investment advice.
21. Limitation of liability
Al Khaliji France uses all reasonable means to ensure the availability, security and reliability of the site and services. However, Al Khaliji France cannot guarantee:
- The total absence of interruptions, errors or malfunctions;
- Uninterrupted continuity of services in cases of force majeure, technical failure or maintenance;
- The absence of viruses, cyberattacks or other harmful elements on the site or its servers.
Accordingly, Al Khaliji France cannot be held liable for direct or indirect consequences related to:
- Temporary or prolonged unavailability of the site or services;
- Loss of data, operations or profits resulting from interruptions or malfunctions;
- Any damage caused by third parties, events beyond its control or fraudulent use of services by a user or third party.
The user remains responsible for securing their equipment, credentials and access. It is the user’s responsibility to take all appropriate measures to protect their data and systems against intrusions, viruses and other risks.
22. External links
The site may contain links to third-party sites. These links are provided for information purposes only. Al Khaliji France:
- Exercises no control over the content, products or services offered by these sites;
- Cannot be held responsible for their availability, accuracy or legal compliance;
- Disclaims any liability for direct or indirect damage resulting from the consultation or use of these third-party sites.
Users are invited to consult the privacy policies and terms of use of these sites before any interaction.
23. Intellectual property
All elements on Al Khaliji France’s site, including texts, logos, trademarks, trade names, images, photographs, videos, sounds, graphics, icons, software, databases and any other content, are protected by French and international intellectual property laws. As such:
- Any reproduction, representation, modification, adaptation, distribution or exploitation, in whole or in part, of these elements, by any means whatsoever, without prior written authorisation from Al Khaliji France, is strictly prohibited and constitutes infringement punishable under the Intellectual Property Code.
- Use of the site does not confer any intellectual property rights on the user over the content.
- The trademarks and logos displayed are registered trademarks; their reproduction without authorisation is prohibited.
Software, APIs and digital services
- The software, APIs, scripts and other components made available by Al Khaliji France are protected by copyright and/or specific licences.
- Any reverse engineering, decompilation, code extraction, or use not in accordance with the access conditions is strictly prohibited.
- Access to APIs is subject to specific terms defined by Al Khaliji France; any abusive or unauthorised use may lead to access suspension and legal action.
Any unauthorised use may give rise to civil and/or criminal proceedings.
24. Technical logging (CNIL)
Technical logs are recorded for security reasons in accordance with CNIL requirements..
25. Website accessibility
According to the provisions of the LCEN (Law on Confidence in the Digital Economy) and accessibility measures defined in the RGAA (General Accessibility Improvement Framework)
Al Khaliji France’s commitment
Al Khaliji France is committed to making its digital services accessible to all, in accordance with Law No. 2005-102 and Article 47 on digital accessibility, as well as LCEN requirements.
Compliance statement
Al Khaliji’s website is not subject to the legal obligation of RGAA audit, in accordance with the legal framework applicable to private entities. However, the bank undertakes to follow essential best practices in digital accessibility to ensure an inclusive user experience and compliance with the GDPR transparency principle (Article 12).
Non-accessible content
Some content may not be accessible due to:
- Temporary technical limitations.
- Non-compliant third-party documents.
- Videos without transcription or subtitles.
Improvement plan
Al Khaliji France has established a multi-year accessibility plan and an annual action plan, including:
- Correction of non-compliant items.
- Staff training.
- Implementation of continuous control tools.
Contact in case of difficulty
If you encounter an accessibility issue:
- Email: accessibilite@alkhaliji.fr
- Mail: Website Accessibility, Al Khaliji France, 49/51 avenue Georges V, 75008 Paris
- Telephone (switchboard): +33 (0)1 49 52 49 52
We are committed to providing an accessible alternative as soon as possible.
Recourse
If you detect an unresolved accessibility issue, you may contact:
- The Defender of Rights: www.defenseurdesdroits.fr
- The DGCS (General Directorate for Social Cohesion).
26. Governing law and jurisdiction
These General Terms of Use are governed by French law. In the event of a dispute relating to their interpretation or performance, and after attempted amicable resolution, the competent courts will be those within the jurisdiction of the Paris Court of Appeal, unless mandatory provisions provide otherwise.
27. Policy updates
- This policy may be amended to reflect legal or technical developments.
- Last updated: November 2025