Regulations on the use of the API Portal of BNP Paribas Bank Polska S.A.
§ 1. INTRODUCTION
1. These Regulations set out the terms and conditions of use of the API Portal of BNP Paribas Bank Polska S.A.
2. The services specified in the Regulations are provided by BNP Paribas Bank Polska Spółka Akcyjna with its registered office in Warsaw, at ul. Kasprzaka 2, 01-211 Warsaw, entered in the Register of Entrepreneurs of the National Court Register (KRS) by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number: 0000011571, NIP (taxpayer identity number): 526-10-08-546, with a fully paid share capital of PLN 147 676 946, supervised by the Polish Financial Supervision Authority (hereinafter referred to as “the Bank”).
3. These Regulations are regulations within the meaning of Article 8 of the Act of 18 July 2002 on the provision of services by electronic means.
§ 2. DEFINITIONS
Terms used in the Regulations shall mean:
1) API Portal – the Bank’s web-based application (dedicated interface) enabling access to:
a) the Sandbox Environment, as well as connection and functional testing of the Application with regard to the Services within the meaning of the Legal Provisions;
b) the Production Environment, as well as the use of the connection and functionality of the Application within the meaning of the Legal Provisions;
2) Application – a User application for mobile devices or a User solution deployed on the website, which is:
a) subject to the testing of Services by the User;
b) a product used live as part of the Services;
3) Entrepreneur – an entity other than the Bank that lawfully engages in business activity;
4) Legal Provisions – the applicable provisions of the law, including but not limited to:
a) “PSD2” – Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC,
b) “RTS PSD2” – Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication,
c) “Amendment Act” – the Act of 10 May 2018 amending the Act on payment services and certain other acts (Journal of Laws 2018, item 1075), introducing the provisions of PSD2 into Polish law,
d) “Act” – the Act of 19 August 2011 on payment services (Journal of Laws 2022, item 2360 as amended);
5) Regulations – these Regulations on the use of the API Portal of BNP Paribas Bank Polska S.A.;
6) PSD2 Regulations – the regulations setting out the terms and manner of use of PSD2 services at the Bank;
7) Premium Regulations – the regulations on the use of premium services at the Bank;
8) Technical Specification – the interface documentation specifying a set of routines, protocols and tools, as referred to in Article 30(3) of the RTS PSD2;
9) Production Environment – the go-live environment (access interface) available in the API Portal, as referred to in Article 30(1) of the RTS PSD2;
10) Sandbox Environment – the testing environment available in the API Portal, as referred to in Article 30(5) of the RTS PSD2;
11) Agreement – the agreement on the use of the API Portal concluded by the Bank with the User pursuant to these Regulations;
12) Service – the services made available by the Bank within the API Portal and provided pursuant to these Regulations and the regulations applicable to the specific services selected by the User (if provided/made available by the Bank):
a) PSD2 services – the services specified in, and provided in accordance with, the PSD2 and the Act:
• AIS – Account Information Service,
• PIS – Payment Initiation Service,
• CAF – Confirmation of the Availability of Funds,
b) Premium services – the services carried out using services and technologies in the area of finance, based on open application programming interfaces (Open API) which allow third parties to build new applications and services using data or services made available by financial institutions via the aforementioned PSD2 services;
13) User – the Entrepreneur who has registered in the API Portal in accordance with § 4 in order to use the Sandbox Environment or Production Environment, acting through an individual authorised by them;
§ 3. CONCLUSION OF THE AGREEMENT
1. The Agreement shall be concluded upon confirmation of the registration of the Entrepreneur or the individual who intends to use the Sandbox Environment, via a link, in accordance with § 4(4).
2. The Agreement shall be for an indefinite term.
3. Use of the API Portal shall be free of charge. The User shall bear the cost of Internet access, including data transfer, at the applicable rates and tariffs.
§ 4. ACCOUNT REGISTRATION IN THE API PORTAL
1. In order to properly register an account in the API Portal, the Entrepreneur shall:
a) Fill in the registration form at https://gopsd2.bnpparibas.pl/;
b) Submit the statement specified upon account registration at the API Portal, including accepting the Regulations;
c) Send the documents specified in the separate regulations applicable to the Service applied for by the Entrepreneur, or requested by the Bank, necessary for the registration of the account in the API Portal or the provision of the Service selected by the Entrepreneur.
2. The Bank reserves the right to verify the data provided by the Entrepreneur and mailed to open-banking@bnpparibas.pl.
3. Unless the data referred to in sub-para. 2 are not successfully verified at the registration stage, the Bank shall send a confirmation of account registration to the e-mail address provided in the form.
4. In order to complete the account registration process in the API Portal, the Entrepreneur shall confirm the registration via the link in the message sent by the Bank to the e-mail address provided in the form.
5. The Entrepreneur may access the API Portal from more than one account subject to fulfilment of the registration requirement by the individual authorised to act on the Entrepreneur’s behalf in accordance with this paragraph.
6. In order to log in to the API Portal, the login and password created at the time of filling in the registration form shall be entered by the registered User at https://gopsd2.bnpparibas.pl/.
7. The User shall be required to update without delay any of the data provided during the API Portal registration process.
8. The Bank reserves the right to collect data and statistics on registered and potential Users of the API Portal. Details of personal data processing are specified in § 10 of the Regulations.
§ 5. DEFINING THE USER APPLICATION
1. Upon logging into the API Portal, the registered User shall gain access to the API Portal under the terms and conditions set out in the Regulations.
2. The Bank reserves the right to verify the Application and the data provided by the User in the form.
3. Upon successful verification, the User shall receive confirmation of the Application’s acceptance, together with the text of the Regulations, to the email address provided by the User in the form.
4. As of the time that the Application is added to the API Portal, the User represents and undertakes that:
a) They hold and are able to freely use and exercise all the rights, including economic copyright or rights arising under the relevant license, permission or authorisation, that entitle them to add the Application to the API Portal;
b) The Application is free of any unlawful content;
c) The Application does not violate any personal rights or any other third-party rights, including but not limited to economic and moral copyright or related rights;
d) The Application is not encumbered by any third-party rights and is free of any legal defects;
e) No third-party rights shall be violated by adding the Application to the API Portal;
f) In the event that a third party files a claim for violation of its rights, the User shall, as the party solely responsible, indemnify and hold harmless the Bank for all damages and costs incurred in connection with the filing of claims against the Bank.
§ 6. RULES OF USE OF THE API PORTAL
1. The User shall use the API Portal in accordance with the provisions of the law, including the Legal Provisions, the Technical Specification, the principles of morality and the Regulations.
2. The Bank shall make available the Technical Specification in the API Portal.
3. The Technical Specification, the Production Environment, the Sandbox Environment or any other element of the API Portal shall not be used for any purpose other than:
a) For the Sandbox Environment – testing the connection and functionalities of the Application with regard to the selected Services, as well as the software and applications used by the User;
b) For the Production Environment – using the connection and functionalities of the Application with regard to the selected Services.
4. The Sandbox Environment makes use of non-authentic data.
5. The Production Environment makes use of authentic data.
6. It is prohibited for the User to use the API Portal to deliver any contents that are unlawful, derogatory, inappropriate or likely to mislead, contain malware or may cause disruption or damage to computer and data communications systems. The following shall in particular be considered as such use:
a) Attempted use, in the Production Environment, of data other than the genuine data of customers to whom the Entrepreneur provides Services;
b) Use of the API Portal, including without the Entrepreneur’s authorisation, to set up accounts which are fictitious or rely on fake data;
c) Use of the Technical Specification or the API Sandbox Environment for purposes other than those provided for in the Regulations.
7. Any issues that may be related to a breach of security of the API Portal shall be immediately reported by the User to the Bank by e-mail to open-banking@bnpparibas.pl.
8. The Bank reserves the right to maintenance breaks in the operation of the API Portal, such breaks being communicated by the Bank in advance through a notice published on the API Portal or sent to the e-mail address provided by the User.
9. The Bank reserves the right to make changes to the Technical Specification or the API Portal, including but not limited to introducing new services, expanding API Portal functionalities, and/or discontinuing certain services or API Portal functionalities in accordance with the Legal Provisions.
10. All information and contents presented on the API Portal shall be for information only. Contents on the API Portal shall not constitute an offer within the meaning of the Civil Code, or an act of provision of legal aid, tax advice, investment advice or any other advice.
11. The Bank does not guarantee or make any representations as to the functionality of the API Portal, the absence of any errors within the API Portal, or the existence of any deficiencies in the API Portal. The Bank’s liability in this regard shall be excluded to the extent permitted by the applicable provisions of the law.
§ 7. TECHNICAL REQUIREMENTS AND SUPPORT
1. Access to the API Portal shall be possible with the use of Internet-connected devices that meet the following technical requirements:
a) Supported browsers: Chrome, Firefox, Safari (supported up to the last three versions);
b) The User’s browser must accept cookies.
2. The Bank shall monitor the technical operation of the API Portal on an ongoing basis to ensure that it functions properly.
3. The Bank shall provide the Users with the API Portal technical support. To use technical support, the User should contact the Bank in one of the following ways:
a) by email to: open-banking@bnpparibas.pl,
b) via other contact channels specified at https://gopsd2.bnpparibas.pl/.
§ 8. RIGHT OF USE OF THE API PORTAL
1. The API Portal as a whole, as well as its individual elements, including the Technical Specification and other content made available on the API Portal, which may include, without limitation, graphics, data, distinctive marks, images, texts, interfaces (hereinafter referred to as the “Bank Content”), are subject to protection provided by law, including but not limited to the Act of 4 February 1994 on copyright and related rights, the Act of 27 July 2001 on the protection of databases, the Act of 16 April 1993 on combating unfair competition and the Act of 30 June 2000 – Industrial Property Law.
2. The User shall have the right to use the API Portal and the Bank Content for the duration of the Agreement for the sole purpose of using them within the limits of the functionalities provided by the Bank, in accordance with the currently applicable Technical Specification. Any other use of the API Portal shall be prohibited and shall constitute a material breach of the Regulations by the User.
3. In relation to the API Portal and the Bank Content, the User is specifically not entitled to:
a) Reproduction, distribution, sharing, marketing, excluding temporary reproduction, unless necessary for the use of available functionalities of the API Portal;
b) Lending or rental of an original or a copy;
c) Translation, adaptation, rearrangement or any other changes, including incorporation into other works;
d) Interference with the source code, including to correct its errors.
The Bank does not grant to the User any rights, including licenses, to trademarks or other industrial property rights owned by the Bank or third parties and made available within the API Portal.
§ 9. COMPLAINTS
1. Complaints relating to the operation of the API Portal, as well as queries about its use, should be addressed to open-banking@bnpparibas.pl.
2. A complaint shall comprise:
a) the full name and e-mail address of the User or the person making the complaint,
b) a statement of the subject matter of the complaint,
c) a description of the circumstances justifying the complaint.
3. Complaints shall be processed within 14 days from the date of receipt by the Bank of a properly submitted complaint (not missing any of the required details that need to be supplemented).
4. The User shall be informed of the outcome of the complaint on paper or other durable medium.
§ 10. PRIVACY POLICY
1. Detailed information on the “Privacy Policy and the Use of Cookies on the BNP PARIBAS Bank Polska S.A. Website” is available in an electronic form on the Bank’s website at: https://www.bnpparibas.pl/repozytorium/polityka-prywatnosci .
2. Pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), the controller of personal data processed in connection with the provision of Services made available by the Bank within the API Portal is BNP Paribas Bank Polska S.A. with its registered office in Warsaw (01-211), ul. Kasprzaka 2.
3. The Bank shall process personal data of Users, including their representatives for the following purposes:
a) taking steps to conclude and perform the Agreement with the Bank (Article 6(1)(b) of the GDPR),
b) compliance with the Bank’s legal obligations related to the maintenance of the API Portal in accordance with the Legal Provisions (Article 6(c) of the GDPR),
c) establishment and defence of claims, if any, related to the conclusion or non-conclusion of the Agreement (Article 6(1)(f) of the GDPR).
5. The data subject shall have the right to object to the processing of their data under Article 6(1)(f) of the GDPR, as well as the right of access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), and the right to data portability (Article 20 GDPR). In order to exercise the rights set forth in the preceding sentence, the data subject may contact the Bank at: open-banking@bnpparibas.pl.
6. Personal data shall be kept for the term of the Agreement concluded with the Bank and, once the Agreement is terminated, for the period necessary for the establishment of claims, if any, and compliance with the obligations arising from the provisions of the law. Where the processing of personal data is carried out in accordance with the provisions of the law, the data shall be kept for the period of time set out in the specific provisions.
7. The provision of personal data shall be voluntary, but it may be necessary for the conclusion of the Agreement and for the fulfilment of the requirements arising from the provisions of the law. Failure to provide such personal data shall make it impossible to conclude the Agreement and fulfil the requirements to which the Bank is subject.
8. The data subject shall have the right to lodge a complaint with the supervisory authority competent for personal data protection (President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw).
9. Personal data of Users shall not be processed outside the European Economic Area.
The Bank has appointed a Data Protection Officer who may be contacted by e-mail at iodo@bnpparibas.pl.
10. Details of how the Bank processes the personal data of Users are available at https://www.bnpparibas.pl/repozytorium/rodo.
§ 11. BLOCKED ACCESS AND TERMINATION OF THE AGREEMENT
1. The Bank shall inform the User, at the e-mail address provided by them, of blocked access to the API Portal prior to or, if impossible, immediately after blocking access to the API Portal, unless such information would be inadvisable for security reasons or prohibited by law.
2. Access shall remain blocked until the reason for its blocking ceases to exist.
3. The User may terminate the Agreement with one month’s notice by submitting a statement to this effect:
a) in documentary form – by e-mail to: open-banking@bnpparibas.pl, or
b) in writing – to the address of the Bank’s registered office.
4. The Bank may terminate the Agreement with immediate effect if the User fails to perform or improperly performs the Agreement, including breaching the Regulations, the provisions of the law, the principles of social conduct, or the principles of morality, including but not limited to:
a) The User’s breach of the provisions of the Regulations, in particular those contained in § 6(6);
b) The provision of data or submission of statements by the User that are false, not up-to-date, incorrect or incomplete;
c) The User’s acts or omissions that negatively affect the Bank’s reputation or otherwise cause material harm to the Bank;
d) The User’s failure to provide the documents or information required by the Bank that are necessary for the performance of the Agreement;
e) The negative risk assessment within the meaning of Article 33(2) of the Act of 1 March 2018 on the Prevention of Money Laundering and Terrorism Financing.
However, in the event that the circumstance defined in section a) or c) occurs, the Bank shall first demand that the User desist from the behaviour constituting the aforementioned grounds for termination within a specified period of not less than 7 days from the service of the demand. The ineffective expiry of the time limit shall entitle the Bank to terminate the Agreement.
5. The Bank may terminate the Agreement upon one-month notice in the event of:
a) Withdrawal of the Service from the Bank’s offering; however, such withdrawal may take place not earlier than one month from the Bank’s resignation from offering the Service concerned to new persons/entities, of which the User shall be separately informed;
b) violation by the User of the provisions of the law related to anti-money laundering and financing of terrorism (other than the provisions set out in section d) or e) of § 11(4)), or using the Bank’s activity to carry out criminal or crime-related activities.
6. The Bank shall terminate the Agreement by submitting a statement:
a) in documentary form – to the User’s e-mail address provided for contacts in the API Portal, or
b) in writing – to the address of the User’s registered office or the User’s correspondence address.
7. Termination of the Agreement by the Bank to the User shall apply to all accounts set up for the User in the API Portal.
8. Termination of the Agreement shall be tantamount to the removal of the User’s access to the API Portal and discontinuation of the provision of Services by the Bank.
§ 12. FINAL PROVISIONS
1. The Regulations are available on the API Portal website in a manner that allows the User to obtain, reproduce and record their contents by printing or saving them on a data carrier at any time.
2. The Bank is authorised to unilaterally amend the Regulations for valid reasons such as:
a) Introduction of new or amendments to existing provisions of the law, or issuance by authorised state authorities of recommendations or interpretations, as well as a specific administrative decision, on the manner of application of these provisions of the law – to the extent that the Bank is required to introduce or apply them in order to duly perform the agreement on the provision of a service;
b) Changes in the Bank’s products and services resulting from technological and IT progress, which enhance security or facilitate the User’s use of the Bank’s services and products subject to the Regulations, insofar as this ensures proper performance of services and makes it necessary to adjust the Regulations;
c) Changes in the functionality of banking services or products offered by the Bank caused by changes in the Bank’s IT infrastructure, not causing any additional obligations on the part of the User, to the extent that this makes it necessary to adjust the Regulations.
3. The Bank shall make the new wording of the Regulations available to the User at https://gopsd2.bnpparibas.pl/ and by sending the proposed changes to the User’s e-mail address provided in the form.
4. The User may terminate the Agreement within 30 days from the date of receipt of the notice of amendment to the Regulations; if not, the amendment shall be deemed to have been accepted by the User and shall be effective as of the date indicated in the notice, but not less than 30 days from the date of sending the notice of amendment.
5. The Polish Financial Supervision Authority is the supervisory authority overseeing the Bank’s operations. The User may file a complaint with the Polish Financial Supervision Authority concerning the Bank’s conduct if the Bank’s conduct breaches the law.
6. The language used in the Bank’s relations with the User shall be Polish or English at the express request of the Entrepreneur.
7. The Agreement shall be governed by and construed in accordance with Polish law.
8. The court having jurisdiction over disputes related to the performance of the Agreement shall be determined in accordance with the applicable laws on jurisdiction, including the Act of 17 November 1964 – the Code of Civil Procedure.
9. Electronic communications concerning the API Portal can be addressed to: open-banking@bnpparibas.pl. Written communications concerning the Agreement should be addressed to the Bank’s registered office.