Privacy Statement Effective from 25 May 2018
You share all kinds of personal data with Rabobank without noticing it. We naturally handle this data carefully. This Statement provides information on how Rabobank approaches processing your personal data. This is clarified through examples that make it easier to understand. If you have any questions about this Privacy Statement, please contact us.
In this Privacy Statement we will use certain terms. Below is an explanation of those terms:
- Personal data
Information that says something directly or indirectly about you is referred to as personal data. Examples include your name and address, and also information such as
Information relating to a sole trader, commercial partnership or professional partnership is also considered personal data. Information relating to a legal entity is not personal data, but information relating to a legal entity’s contact person or representative does count as personal data.
Processing means anything that can be done with personal data. This includes the collection, storage, use, transfer and removal of data.
1. Whose personal data does Rabobank process?
We process personal data if we have, want to have, or have had a business relationship with you, or if we have had contact with you.
The people whose personal data we process include:
- clients and their representatives
- people who show an interest in Rabobank or our products and services
- people who are connected in another way with a business or organisation with which we have, want to have, or have had a business relationship, such as third party participants
- security providers and guarantors
- potential clients
2. What does Rabobank expect from businesses and organisations?
If your business or organisation transfers any personal data concerning employees or ultimate beneficial owners (UBOs) to us, we also expect your employees, executive directors or UBOs to be informed about this. You can give this Privacy Statement to them so that they can learn how we deal with their personal data.
3. Who is responsible for the processing of your personal data?
This Privacy Statement considers the processing of personal data by:
- Rabobank in the Netherlands Wholesale banking
- Rabobank London branch
- Rabobank Madrid branch
- Rabobank Paris branch
- Rabobank Milan branch
2. Rabobank outside Europe except:
- Rabobank in Australia
- Rabobank in New Zealand
- Rabobank in Turkey
Data may be shared within Rabobank Group to the extent that this is permitted by law. When sharing data within Rabobank Group, we comply with the rules that we have agreed within Rabobank Group, the Rabobank Privacy Codes. These rules describe how the divisions of Rabobank Group deal with personal data.
4. Which personal data does Rabobank process?
| Types of data | What kinds of data might be involved? | Examples of how Rabobank uses the data |
|---|---|---|
| Information that allows an individual to be identified directly or indirectly | Name, address, telephone number, e-mail address, information provided in your identity document. | For identification purposes, to draw up an agreement / contract or to contact you. |
| Information relating to or used for agreements / contracts or financial statements | Information about your financial situation, the products you have. Information used for obtaining finance. | To assess credit worthiness, or to assess whether a product is suitable for you. |
| Payment and transaction data | When a payment is made, information about the person you paid or who paid you, when the payment took place and what the balance in your account is. | |
| Special categories of personal data / criminal data | Information concerning your health, information about criminal convictions, data which reveal your ethnic origin or political inclinations, your social security number or equivalent. | |
| Recorded calls, documentation of e-mails and physical access, CCTV | | We may use the recorded calls and e-mails to combat fraud, to fulfil legal obligations, to monitor quality, to provide proof, to improve our services and to train, coach and assess our employees, or to fulfil other legal obligations. We may also process records of physical access to our banking premises. |
| Data that say something about the use of our website and the app | Cookies, IP address and data relating to the device on which you use our online services or our website. | |
| Data we receive from other parties | Data obtained from the Chamber of Commerce, Credit Reference Agencies. | We use this information to check directors' and UBOs' details. |
| Data we share with other parties | | |
| Data we require to combat fraud, to ensure your security and ours, and to prevent money laundering and the financing of terrorism | The data we keep in our internal and external referral registers, sanction lists, location information, transaction data, identity information, camera images and payment details, cookies, and IP address. | |
5. How does Rabobank come by your personal data?
We receive your personal data because you provide it to us yourself. Examples include entering into a contract with us or data you send to us in order that we can contact you, and data arising from the services we provide in areas such as syndicated loans. We may also receive your data from business units within Rabobank Group or from other financial institutions in the context of combating fraud, money laundering or terrorism. We may also receive data from others, such as suppliers or other parties we work with, or because you have given another party consent to share data with us. We may also receive data from others, such as public sources like newspapers, public registers and websites.
6. For which purposes, and on what basis, does Rabobank process personal data?
The types of personal data processed by Rabobank are described above. The purposes for which we process personal data are described below. In addition, we indicate the basis on which this processing is done. By law, every personal data processing operation must have a legal basis.
a. To enter into a business relationship and agreement with you
We need to have your personal data if you, or the company you represent, want to become a client, or if you want to use a new product or service or contact us.
For example, we have to perform an assessment to determine whether we can accept you as a client. When you become a client, we have to establish your identity for almost all our products and comply with our legal obligations. As part of this, we will make a photocopy of your proof of identity.
If you wish to become a client, or are already a client of ours, we are required by law and Rabobank Policy to screen your name against relevant international sanctions lists and Rabobank internal warning lists.
For the most part, we process your personal data because we are under a legal obligation to do so. If, however, this legal obligation does not apply directly to Rabobank, we also have legitimate interest in processing your personal data for these purposes. We may also process such data where this is necessary to conclude the agreement.
b. To perform agreements and carry out instructions
As a client of ours, we want to be of service to you. We execute the instructions we receive from you and perform the agreements we have concluded. This is what we have agreed with you. We process personal data for this purpose.
- If you make a payment through us, we might need to transfer your data to another bank e.g. a settlement bank, or agency. The payee can also see and record your payment data, such as the address details relating to your account. Both the person who issues the payment instruction and the beneficiary (payee) may enquire about specific data relating to the account.
- We may make recordings of telephone conversations, e-mail messages and camera images. The purpose for which this is done includes proving that you issued a particular instruction. We may also do this if we are legally required to do so, or to provide proof and monitor quality, to investigate fraud and other matters, and for training, coaching and assessment purposes.
We process personal data because this is necessary in order to perform a contract. We could also be under a legal obligation to do so, for example in the context of payments. If you do not provide certain information to us, we will not be able to perform the agreement / contract. In a number of cases, we have a legitimate interest in processing your personal data, for example when making recordings of telephone calls.
c. To ensure your security and integrity as well as the security and integrity of the bank and the financial sector
We process your personal data to ensure your security and ours, and also security of the financial sector. We also do this for the purpose of preventing fraud, money laundering and the financing of terrorism, and facilitation of tax evasion.
Customer Due Diligence
Not only when we enter into a business relation with you but also during our business relation, we might check whether we can still accept you as our client. For example, the transaction data on your account, or the people you do business with, might be a reason for an additional check.
If you wish to become a client, or are already a client of ours, we are required by law and Rabobank Policy to screen your name against relevant international sanctions lists and Rabobank internal warning lists.
Publicly accessible sources
We consult publicly accessible sources, such as public registers, newspapers and the internet, in an effort to combat fraud and protect the bank.
We may perform analyses aimed at preventing fraud and protecting you and the bank. We may make use of information that you did not supply to us in the context of combating fraud, such as information about the transactions in your account or any financial crime. Local, national and EU law also requires that we do this.
As part of efforts aimed at combating cybercrime and computer attacks such as botnets, we transfer information relating to you to parties that fight cybercrime. We will do this if we detect that your security or the security of the financial sector could be in danger. We will only do this if we have reached agreements with these parties concerning the careful use of your data.
We make recordings of telephone conversations, e-mail messages, and camera images. We do this in the context of investigating fraud. We may also do this if we are legally required to do so, or to provide proof and monitor quality, and for training, coaching and assessment purposes.
We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of the performance of a contract or in the legitimate interest of Rabobank, the financial sector or our clients and employees.
d. To help develop and improve products and services
In order that we can be of service to you and can innovate, we develop and improve products and services on an ongoing basis. We do this for ourselves, our corporate clients or other parties.
- In addition, we sometimes combine data sources, such as information on the products you receive from us.
- Analysing personal data allows us to see how you use our products and services. We also use the results of our analyses to categorise clients into groups. This enables us to create client profiles and interest profiles. When producing these analyses, we sometimes also use information obtained from other parties and publicly accessible sources.
- We also carry out research in order to improve our products and services. For example, we may ask you to give your reaction to a product or to review a product. You are not required to cooperate in such studies.
- We sometimes use other parties to process your personal data for this purpose, for example in order to measure or ask you how we can improve our services. In that case, these other parties act on the instructions of Rabobank.
We process your data because we have a legitimate interest in this. We may also ask you for your consent to process your data for the purpose of developing and improving our products and services. Not giving your consent will not affect the services we provide to you. You can withdraw your consent at any time by contacting your relationship manager.
e. For account management, promotional and marketing purposes
We may process your personal data for account management, promotional and marketing purposes. In doing so, we use data we have obtained from you, such as payment or transaction data, as well as information not obtained directly from you, including public registers (such as the Chamber of Commerce), publicly available sources (such as the internet) and other parties.
- We may use your data to inform you about a product that might be of interest to you.
- We also use the services of advertisers in order to display advertisements to a specific target group. We indicate which target group or type of profile our advertisement is intended for. The advertiser then displays the advertisement to the people who are in the target group or fulfil the profile. We never share data relating to individual clients with such advertisers.
- We may also use analyses to provide our clients with information for benchmarking purposes. If we use your data for these analyses or produce profiles, we will ensure that your data are pseudonymised to the greatest possible extent and that they are made available only to a few employees at the bank.
If you do not want us to use your data for the purpose of direct marketing or contact you by post, e-mail or telephone, you can contact your relationship manager.
We process your data because we have a legitimate interest in this. We may also request your consent to process your data for promotional and marketing purposes. If you do not give your consent, this will not affect the services we provide to you. You can withdraw your consent by contacting your relationship manager.
f. To enter into and perform agreements with suppliers and other parties we work with
If you have contact with Rabobank for work-related reasons, we may process your personal data, for example so that we can establish whether you are permitted to represent your business, or so that we can give you access to our offices. Where necessary, we may consult our internal warning list and all relevant international sanctions lists before we enter into an agreement and also while the agreement is in effect in the context of screening.
We process your data so that we can perform the agreement we have concluded, because we are required to do so by law or because we have a legitimate interest in this.
g. To comply with legal obligations
Under various national and international legislation and regulations, we have to collect and analyse a large amount of data relating to you and sometimes transfer such information to European and other government authorities. We must comply with legislation, in order to be able to offer you financial products and services. We also process personal data in order to fulfil our duty of care.
We also have to comply with legislation designed to combat fraud, crime and terrorism, such as the Anti-Money Laundering, Counter Terrorism Financing and Fraud prevention laws and/or regulations. For example, we are required to perform customer due diligence and to conduct further inquiries if you hold specific assets or if an unusual transaction takes place in your account. If we spot an unusual transaction, we must notify the competent law enforcement agency. Under this law, we have to establish who the ultimate beneficial owner (UBO) is of a business or organisation with which we have a business relationship.
We may receive requests for data from the tax authorities, the police and other law enforcement agencies, as well as organisations such as the intelligence services. If they do this, we are required by law to cooperate with the investigation and transfer data relating to you.
Providing data to the government
Legislation and regulations may require that we transfer data (analysed or otherwise) relating to you to a government institution, a tax authority or a regulator within or outside the Netherlands, such as the European Central Bank (ECB).
As we have to comply with legal obligations and treaties, we sometimes have to provide data relating to you to the national tax authorities or a foreign tax authority.
European rules require that we produce risk models if you apply for a loan or credit or if you have received a loan or credit from us. This is so that we are able to determine which risks Rabobank is exposed to and the size of the buffer we need to maintain. We process your personal data for this purpose.
Making and documenting recordings
We make recordings of telephone conversations, e-mail messages, camera images and may document these recordings. We do this to comply with legal obligations, for example in the context of services. We may also do this to provide proof, to monitor quality, to combat and investigate fraud, and to train, coach and assess employees.
We process your data because this is required by law, or because we would otherwise not be permitted to perform an agreement with you, or if we have a legitimate interest in processing your data so that we can comply with a statutory or other legal obligation.
h. To carry out business processes and for the purpose of management reports and internal management
Know your customer
As a service provider, we believe it is important and necessary that we have a good picture of our clients. This includes knowing who we work with.
Determining credit risk associated with loans and credit facilities
Lending involves credit risk. We have to determine what that risk is, so that we can calculate the buffer we need to maintain. In connection with this, we process data relating to your loans and credit facilities.
Transfer of receivables
It can happen that we transfer to another party loans that we have made to you, such as your mortgage loan. If such a transfer takes place, your personal data will be processed. Once the loans have been transferred, the other party will also process your personal data. We agree with the other party that it must comply with legislation and regulations on personal data protection. We also do this when a contract is taken over. In the event of a merger or demerger, the legislation on protecting personal data will of course be followed.
Internal audits and studies
We may also use your data in order to perform internal audits and investigations, for example in order to examine how well new rules and processes have been implemented or to identify risks.
Improving our own business processes
We also use data to analyse and improve our business processes so that we can help you more effectively or make our processes more efficient. Where possible, we will anonymise (data that cannot be traced back to an individual in any way) or pseudonymise (data that can be linked to an individual if additional information is included) your data first.
We process your data because this is required by law or because we have a legitimate interest. Processing your personal data may also be necessary for the performance of our agreement with you.
i. For archiving purposes, scientific or historic research purposes or statistical purposes
We may also process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. Where possible, we will seek to anonymise or pseudonymise your data first.
When processing personal data for archiving purposes, scientific or historic research purposes or statistical purposes, we process the data on the basis of the legitimate interest of Rabobank, the financial sector or our clients and employees.
7. How long does Rabobank keep your personal data?
We do not keep your data for any longer than necessary to fulfil the purposes for which we collected the data or the purposes for which data are reused. We have adopted a data retention policy. This policy specifies how long we keep data. In general we will keep your data for seven years following the termination of the relevant agreement or the ending of your business relationship with Rabobank, unless there is a legal obligation to preserve the data longer e.g. if the regulator asks us to keep specific data for longer in the context of risk models. In some cases, we use shorter retention periods.
In specific situations, we may also keep data for longer than we are required by the retention period fixed by us. We will do this if, for example, the judicial authorities request camera images, in which case we will keep the images for longer than we usually do, or if you have submitted a complaint, in which case the underlying data must be kept for longer.
Once we no longer require the data for the purposes described in sections 6 a to 6 i, we may still keep the data for archiving purposes, in the event of legal proceedings, or for historic or scientific research purposes or statistical purposes.
8. Does Rabobank also process special categories of personal data?
Special categories of personal data, information about criminal convictions and, for the Netherlands, citizen service numbers (BSNs) are sensitive data. Special categories of personal data include data concerning health, and data which reveal racial or ethnic origin. We only process such information if we are required to do so.
For the Netherlands: we use your citizen service number only if this is permitted by law.
We process special categories of personal data where this is permitted by law, because this information was made public by you, or with your permission. If you give us consent to record special categories of personal data relating to you, or you have made this information public yourself, we will only process the information if this is necessary so that we can provide our services. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact your relationship manager.
9. Does Rabobank use automated individual decision making including profiling?
We will only make a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you, if it is allowed by law and we have notified you.
We do not envisage that any decisions will be taken about you that produce legal effects or significantly affect you.
10. Which people at Rabobank have access to your data?
Within Rabobank, your personal data can be accessed only by individuals who need to have access owing to their role and for official business purposes. All of these people are bound by a duty of confidentiality.
11. Does Rabobank use personal data for any other purposes?
If we want to use information for any purpose other than the purpose for which it was obtained, we may do this as long as the two purposes are closely related.
If there is not a sufficiently strong connection between the purpose for which we obtained the data and the new purpose, we will ask you to give your consent. If you have given us consent you may withdraw that consent at any time. To do this, please contact your relationship manager.
12. Does Rabobank transfer your personal data to other parties and to other countries outside the EU?
a. Within Rabobank Group
Your personal data may be shared by divisions of Rabobank Group, for example because you ask us to do this, or because you also purchase a product from a different division of Rabobank. Information that has been used to establish your identity may also be used by another division of Rabobank with which you want to do business, for example.
Privacy Statement | Version 1.1, July 2018
These divisions of Rabobank may also be located in countries outside the European Union that apply less stringent data protection rules. We share your data with divisions of Rabobank Group, in which Rabobank holds a majority interest, only if the divisions comply with Rabobank’s rules, as set out in the Rabobank Privacy Code. The Rabobank Privacy Code describes the rules that all these divisions of Rabobank Group have to comply with. The Rabobank Privacy Code guarantees adequate protection of personal data.
b. Outside Rabobank Group
Your data is also transferred to other parties outside Rabobank if we are required to do this by law, because we have to perform an agreement with you or because we engage another service provider.
We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as your central bank, the European Central Bank (ECB) and your national and tax authorities.
We also transfer data if this is necessary in order to perform our agreements with you. For example, we use third parties such as SWIFT to enable you to make payments. These third parties are subject to supervision by their local regulators. This may mean that your payment and transaction data are transferred to other parties in countries that do not enjoy the same level of personal data protection as the European Union.
If your personal data are processed in a country with a different level of data protection, this may mean that your personal data are the subject of investigations by competent national authorities in the countries where the relevant information is held. We also provide your data to other parties that we need to involve in the context of providing our services, such as lawyers.
We sometimes engage other parties / business partners that process personal data on our instructions. Examples include parties that perform market research on Rabobank’s behalf and parties that store data for us. Before such parties are engaged, we must first ensure they are sufficiently reliable. We may only engage parties if this is in keeping with the purpose for which we processed your personal data. Moreover, this other party can be engaged by us only if it reaches specific agreements with us, has demonstrably implemented appropriate security measures and guarantees that your personal data will remain confidential. Your personal data may also be shared with other parties that we engage in the course of our business or for the provision of our services.
If we transfer your data to other parties outside the European Union, we take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. If we make use of a third party located outside the European Union, and if the European Commission believes that the country in which this third party is located does not offer adequate protection in the area of personal data processing, we will only transfer your data if other, suitable guarantees are in place, such as the contractual arrangement approved by the European Commission, or on the basis of the Privacy Shield (United States).
13. What rights do you have concerning your personal data held by Rabobank?
a. right of information
This Privacy Statement describes what Rabobank does with your data. In certain cases, we provide additional or different information. We will do this if there are other reasons for providing you with information in addition to the Privacy Statement. We may do that by means of a letter, by leaving a message in your inbox or in another way to be determined by us.
b. right of access to and rectification of personal data
You may ask your relationship manager whether we process data relating to you, and if so, which data this concerns. In that case, we can provide you with access to the data processed by us that relates to you. If you believe your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).
c. right to erasure (‘right to be forgotten’)
You may request that we erase data concerning yourself that we have recorded, for example if you object to the processing of your personal data. Your interest must also be greater than Rabobank’s interest in processing the data.
d. right to restriction of processing
You may request that we restrict the personal data relating to you that we process. This means that we will process less personal data relating to you.
e. right to data portability (only applicable if the GDPR applies to the processing of your personal data)
You have the right to request that we supply you with data that you previously provided to Rabobank in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can do this only if this is technically feasible.
f. right to object to processing based on a legitimate interest
If we process your data because we have a legitimate interest in doing so, you may object to this. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision, stating the reason.
g. right to object to direct marketing
You have the right to request that we stop using your data for direct marketing purposes. It may be the case that your objection relates to being approached through a specific channel, for example if you no longer wish to be contacted by telephone but still want to receive our newsletters. We will then take steps to ensure you are no longer contacted through the relevant channel.
If you make a request as described above, we will respond no later than one month after we receive your request. You may send your request to your relationship manager.
We may ask you to explain your request for access in more detail. For example, if you request access to recorded calls, we may ask you to provide search keys, such as the time the call was made and the number from which it was made. In very specific cases, we may extend this period in which we must respond to a maximum of three months. In that case, we will keep you informed about the progress made with your request.
If you make a request, we may ask you to provide proof of your identity. For example, if you submit a request to exercise your right of access or right to data portability, we will want to be certain that we provide your personal data to the right person. In that case, we will ask you to come to the bank so that you can make your identity known and we can verify your identity. In some cases, there may be doubts as to whether we can send you the data securely. If so, we may ask you to come to the bank to collect your data.
In certain cases, we may not be able to comply with your request, for example because this would violate the rights of others, would be against the law or is not permitted by the police, the Public Prosecution Service or another public authority, or because we have weighed up the relevant interests and determined that the interests of Rabobank or others in processing the data take precedence. In that case, we will inform you.
If we adjust your data or erase your data at your request, we will notify you of this and also inform the recipients of your data wherever possible.
14. Who can you contact if you have a question or complaint concerning personal data held by Rabobank?
If you have any questions concerning the processing of personal data by us, please contact:
- Your relationship manager or the Rabobank division with which you do business in the case of matters concerning the exercising of your rights and other questions about the processing of your personal data; or
- The Data Protection Officer
If you have a complaint concerning the processing of your personal data by Rabobank, please contact:
- The Data Protection Officer or
- Your relationship manager or the Rabobank division with which you do business; or
- Your local Data Protection Authority (DPA).
15. Can Rabobank change this Privacy Statement?
Yes, our Privacy Statement may change from time to time. We will adjust the Privacy Statement when new data processing operations are introduced. If these changes are also relevant for you, we will draw your attention to these changes or clearly communicate them to you. The most recent version of our Privacy Statement is always made available online at www.rabobank.com. You can also view previous versions on our website.