Privacy Policy

Table of contents

  • Purpose of this Policy
  • Identity of Data Controllers and Subcontractors
  • Definitions
  • Purposes and Legal Bases of Data Processing
  • Data Processed
  • Data Subjects
  • Data Recipients
  • Data Transfers Outside the European Union
  • Data Security
  • Data Retention Periods
  • Specific Processing: The Application
  • Rights and How to Exercise Them
  • Requirement to Provide Personal Data

Purpose of this Policy

The CORUM Butler Group is committed to protecting your privacy and your personal data.

In this Privacy Policy, CORUM L’Épargne, CORUM Asset Management and CORUM Life form the CORUM Butler Group (“the Group”).

When you visit corum.fr or corumbutler.com (hereinafter the “Sites”), or the mobile application (hereinafter the “Application”) available on Android and iOS certain information may be collected. This information may include personal data about you (“Personal Data”). This Privacy Policy, as well as the Cookie Policy, are available to help you better understand our personal data collection and processing practices.

Identity of Data Controllers and Subcontractors

CORUM L’Épargne SAS, 851 245 183 RCS Paris, Investment Advisor and Insurance Agent collects and processes Personal Data as Data Processor in the context of the management of your subscriptions and contracts.

CORUM L’Épargne is the exclusive distributor of :

  • financial products managed by CORUM Asset Management ;
  • contracts and funds managed by CORUM Life.

Some of the data collected by CORUM L’Épargne are subsequently processed by other Group entities, which then act as separate Data Processors.

CORUM Asset Management SAS, 531 636 546 RCS Paris, producer and manager of Sociétés Civile de Placement Immobiliers (SCPI), collects and processes Personal Data as a Data Controller in the context of the management of your subscriptions.

CORUM Life SA, 852 264 332 RCS Paris, producer of insurance products and funds, collects and processes your Personal Data as Data Controller in connection with the subscription and management of your contracts.

CORUM L’Épargne also operates an exclusive network of wealth management advisors, business introducers and brokers. The processing carried out by wealth management advisors, business introducers and brokers falls within the scope of their own activities in their capacity as separate Data Processors.

Definitions

Please note that for the purposes of this Privacy Policy, if certain terms and expressions used are not defined in this article, they will have the meaning given to them by the applicable regulations relating to the processing of Personal Data.

“Applicable regulations relating to the processing of Personal Data” refers to Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“RGPD”) and Law No. 78-17 of 6 January 1978 known as “Informatique et Libertés”, as amended by Law No.2018-493 of 20 June 2018 and Order No. 2018-1125 of 12 December 2018, as well as the laws, regulations or regulatory texts adopted pursuant to the latter.
“Personal data” means any information relating to an identified or identifiable Client. An “identifiable” person is one who can be determined, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, economic, cultural or social identity.
“Data controller” efers to the natural or legal person who, alone or jointly with others, determines the purposes and means of processing.
“Separate data controllers” refers to entities that share personal data for their own distinct purposes, without any hierarchical relationship or mutual control over the processing carried out by each. Each entity decides autonomously on the purposes and means of the data processing it carries out
“Subcontractor” refers to the natural or legal person who processes Personal Data on behalf of the Data Controller
“Data Protection Officer (DPO)” refers to the person appointed by the Group to manage Personal Data. He or she is the pilot of the Group’s ongoing and dynamic compliance policy, and the Group’s representative in the management of your requests to exercise your rights
“Client” refers to an individual who has a contractual
relationship with the Group.A person may be a client of CORUM L’Épargne and CORUM Asset Management and/or CORUM Life at the same time, depending on the financial and/or insurance product in which he or she invests.
“Prospect” refers to an individual who is not yet a Group client, but who has expressed an interest in the Group’s products or services. This expression of interest can be made by various means, such as requesting contact, subscribing to a newsletter, starting a subscription process or any other interaction with the Group that indicates a potential future commercial relationship.

Purposes and Legal Bases of Data Processing

The Group carries out various data processing activities based on the following legal grounds and purposes:

  • Performance of pre-contractual and contractual measures, enabling the pursuit of the
    following purposes:

    • Managing operations related to the products or services you have subscribed to;
    • Analyzing data, particularly to personalize the products offered based on your
      profile;
    • Managing the Group’s business relationship with you.
  • Your consent, enabling the pursuit of the following purposes:
    • Managing cookies that require consent;
    • Sending personalized or non-personalized electronic communications related to
      the Group’s products, services, and news;
    • Conducting surveys and polls.
  • Compliance with legal obligations, enabling the pursuit of the following purposes:
    • Establishing proof of completed transactions;
    • Complying with the duty to inform and advise;
    • Managing the Group’s general accounting;
    • Managing insurance guarantees;
    • Combating money laundering and terrorist financing;
    • Preventing and combating fraud;
    • Handling official requests from authorized supervisory authorities;
    • Verifying the nature of the service provided and the content of the information communicated to Clients and Prospects, notably through the recording of phone calls;
    • Communicating regulatory information and documents.
  • Legitimate interest, enabling the pursuit of the following purposes:
    • Responding to contact requests you send to the Group;
    • Training employees through the recording of phone calls;
    • Managing cookies that do not require consent (see cookie policy).

The purposes pursued based on the Group’s legitimate interests are carried out with respect for your rights and freedoms.

In any case, and for each defined purpose, the Group will implement all available means to ensure the security and confidentiality of the Personal Data entrusted to it, in compliance with applicable laws and regulations.

Data Processed

Unless otherwise stated, the data collected by the Group is necessary and mandatory for the performance of the contract or compliance with our regulatory obligations.

The following data is notably recorded:

  • Your last name, first name, and date of birth;
  • Postal address, email address, phone number, and connection data;
  • Your tax information, family situation, income, and assets;
  • Your education and professional background;
  • Your banking details.

Your data are collected either directly from you by the Group or from our Partners or Clients (notably in the context of referrals). None of your data are collected by the Group from publicly accessible sources.

Data Subjects

The individuals concerned by the processing are:

  • Prospects who contact the Group to obtain information about the products and services offered;
  • The Group’s Clients;
  • Any user of this website.

Data Recipients

To achieve the purposes described above—and only those purposes—the collected data may be shared with some or all of the following recipients:

  • The Group’s employees;
  • The Group’s contractual Partners and Subcontractors;
  • Competent regulatory and supervisory authorities.

The Group may transfer Personal Data to its entities if such transfer is necessary for the purposes mentioned above.

The Group takes appropriate and reasonable measures to ensure that only employees with a
legitimate need to access Personal Data are able to do so.

Data Transfers Outside the European Union

The data collected and processed by the Group are hosted in France or within the European Union.

However, certain Personal Data may be transferred outside the European Union when using a Subcontractor. In such cases, the Group implements the necessary measures to secure the exchanges. For example:

  • By ensuring that the transfer is made to a country that has been the subject of an
    adequacy decision by the European Commission;
  • By ensuring that the transfer falls under one of the exemptions provided for in Article 49(1)
    of the GDPR;
  • By implementing the European Commission’s standard contractual clauses.

You may obtain a copy of the applicable safeguards by submitting a request to the Data Protection Officer (DPO):

  • By email at: dpo@corumbutler.com
  • By post at the following address: CORUM Butler, Data Protection Officer 1, rue Euler – 75008 Paris

Data Security

The Group implements all necessary physical, technical, and organizational measures to ensure the confidentiality, integrity, and availability of Personal Data. Restricted access systems have been established to ensure that your Personal Data are only accessible to authorized personnel who are aware of data protection issues and receive mandatory and ongoing training.

In the event of a Personal Data breach that poses a risk to your rights and freedoms, the Group will notify the CNIL within the regulatory timeframe. If the breach poses a high risk to your rights and freedoms, the Group will inform you as soon as possible about the nature of the incident and the measures taken to address it.

The Group carefully selects partners and Subcontractors who may process your Personal Data, ensuring they comply with current regulatory obligations regarding Personal Data security.

Data Retention Period

The retention period for your Personal Data varies. It is determined based on the following criteria:

  • The purpose for which the Personal Data is processed — it is retained as long as necessary for that purpose;
  • The duration and nature of your relationship with the Group;
  • Applicable legal and regulatory obligations that may set a minimum retention period for personal data.

Purpose

Data retention period
If you are a Client to manage our commercial relationship with you Contract management (excluding life insurance):

  • Active database: duration of the contractual relationship
  • Archiving: five (5) years

 

Life insurance contract management:

  • Active database: until the insured’s death
  • Archiving: thirty (30) years from the date of death

 

Client relationship follow-up (satisfaction, complaints, after-sales service):

  • Active database: duration of the contract
  • Archiving: five (5) years

 

Pre-contractual checks and legal declarations:

  • Active database: duration of the procedure
  • Archiving: five (5) years from the end of the contract

 

Sales statistics:

  • Active database: as long as necessary to achieve the intended purpose, or until the right to object is exercised

 

Retention of data used for marketing purposes:

  • Three (3) years from the last action by the client (e.g., email response, hyperlink click, login to client area
If you are a Prospect, to manage our commercial relationship with you Retention of data used for marketing purposes:

  • Three (3) years from the last action by the Prospect (e.g., email response, hyperlink click)
General accounting management Retention of data required for tax purposes (invoices): current fiscal year plus ten (10) years from closing
Anti-money laundering and counter-terrorism financing Entire duration of the contractual relationship, then five (5) years from contract termination
Handling official requests from supervisory authorities Retention of data to meet authority requirements (CNIL, AMF, ACPR): until the end of the relevant procedure, then five (5) years after closure
Regulatory reporting to supervisory authorities Retention of reports: five (5) years
Proof of completed transactions Entire duration of the contractual relationship, then five (5) years from contract termination
Recording and transcription of phone conversations to ensure compliance and proper execution of operations Recordings: five (5) years from the call

Transcriptions: twelve (12) months from the call
Complaint file management Five (5) years from collection or last contact from the Prospect
Handling data subject rights
requests		 Requests are retained for five (5) years from the end of the calendar year in which the request was made
Responses to contact requests Retention of requests (excluding rights requests):

  • Active database: three (3) years after last contact
  • Intermediate archiving: five (5) years (civil statute of limitations)

Implementation of Specific Processing: The Application

When you use the Application, CORUM L’Épargne collects the same data as the one collected via the website corum.fr and for the same purposes as those defined for the website.

In addition to these purposes, when using the Application, CORUM L’Épargne requests specific access permissions.

These permissions allow CORUM L’Épargne to access certain resources stored on your device, namely:

Requested Permission

Purpose
Biometric identification device(s) provided and managed by your mobile device This permission is optional and allows for secure user identification
Mobile device notifications This permission is optional and allows you to receive realtime updates and news

Access to these features is solely for the purpose of providing the services within the Application that you choose to use, and their use is governed by your mobile device’s terms and conditions.

Requirement to Provide Personal Data

In accordance with Article 13(2)(b) of the GDPR, every data subject is informed of the rights they may exercise at any time with the Group:

Rights

Additional information
Right of access You have the right to request, free of charge, a copy of your personal data held (directly or indirectly). However, if the request is deemed unreasonable or excessive, the Group reserves the right to charge a fee to respond to the access request.
Right to object You have the right to object at any time to the processing of your Personal Data for commercial communications by email or phone, including product offers and news. You also have the right to withdraw your consent to direct marketing at any time.

In the context of managing your contract, the right to object does not apply, in accordance with legal and regulatory obligations.
Right to rectification You have the right to request that the Group update or correct your personal data.
Right to erasure Prospects and Clients who no longer have a contractual relationship with the Group, beyond the legal and regulatory retention periods, may request the deletion of their personal data.
Right to restriction of processing You have the right to request the restriction of the processing of your personal data if you believe the information held by the Group is inaccurate or if you consider its use to be unlawful. If this right is legitimately exercised, the Group will suspend all processing activities of your personal data until the issue is resolved.
Right to data portability You have the right to request a copy of your personal data from the Group in a structured, commonly used, and machine-readable format. You may also request that your personal data be transferred to another data controller, if it is technically feasible. This right applies under the following conditions:

  1. The Group processes your Personal Data based on your consent or because it is necessary for the performance of a contract with you; and
  2. The processing is carried out by automated means.

To exercise these rights, you may contact the Data Protection Officer (DPO):

CORUM Butler
Data Protection Officer
1, rue Euler – 75008 Paris

If, after contacting the Group’s DPO, you believe your data rights are not being respected, you may file a complaint with the CNIL (French Data Protection Authority) via their online complaint service or by post at:

CNIL – Service des Plaintes – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07

In accordance with French Law No. 2014-344 of March 17, 2014 on consumer protection, you may opt out of telephone solicitation by registering on the BLOCTEL list at www.bloctel.gouv.fr, a free service.

The Group is committed to ensuring that the collection and processing of personal data—whether through the Website, the Application, contractual documents, digital subscription processes, or any other means—complies with the GDPR and the French Data Protection Act (Loi Informatique et Libertés).

Nature of the obligation to supply personal data

The provision of Personal Data has a regulatory or contractual nature for the purposes listed corresponding to the execution of pre-contractual and contractual measures, as well as for the purposes corresponding to compliance with regulatory obligations. In such cases, if you request the deletion of your Personal Data or refuse to provide it, you will no longer be able to sign or continue the performance of the contract.