Privacy Statement
This Privacy Statement sets out how we handle your personal data. You can be confident that we handle your personal data with due care.
In the case of some of the bank's apps or websites, the use of your personal data may differ from that described in this general Privacy Statement. In such cases, a different privacy statement is provided in the app or additional information is given in the specific online service. We want you to be aware of this so that you can avoid unwelcome surprises.
Who is this Privacy Statement intended for?
Are you a client of ours or have you shown an interest in a specific product, for example by making an application? If so, we use your personal data and this privacy statement applies to you. If you visit our website or use one of our apps, we will also use your personal data in those situations.
It can also happen that we process personal data relating to individuals who do not have a contract with us, for example when we record and use personal data relating to contact persons at companies to which we provide services, shareholders of these companies, or ultimate beneficial owners (UBOs) of these companies. We may also process personal data relating to individuals who, for example, act as guarantors for our clients.
To enable payments to be made, we process personal data relating to individuals with whom we do not have a contract. Examples of such personal data include the details of someone to whom you transfer money and whose account is with another bank.
If you are one of these people, then this privacy statement is intended for you too.
Our contact person for your questions about data protection
We have a designated Data Protection Officer. If you have any questions about this privacy statement, please send an email to privacy.office@nl.abnamro.com.
Who is responsible for your personal data?
The controller of your personal data is: ABN AMRO Bank N.V.
1. What is personal data
Personal data is information that says something about you. The best known forms of personal data are your name, address, email address, age and date of birth.
Personal data also includes your bank account number, your phone number, your IP address and your national identification number. There are several special categories of personal data. These include data concerning your health. Another special category concerns biometric data, such as facial recognition or your fingerprint when you log on to the Mobile Banking app. We may only use this personal data if this is permitted by law or if you give your consent for this. In all other situations, we are prohibited from using this personal data.
Personal data relating to you that we obtained from others
Imagine that your partner applies for a loan in both your names. In that case, we may use the data concerning you that we ask for. We may also decide to use personal data obtained from other sources, such as:
public registers that contain your personal data, such as the National Credit Register;
public sources such as newspapers, the internet and public sections of social media accounts;
data files from other parties that have collected personal data about you, such as external marketing firms or credit agencies.
2. On what legal ground do we process personal data
Obviously, we may not request or use your personal data without good reason. By law, we are permitted to do this only if 'the processing has a basis'.
This means that we may only use your personal data for one or more of the following reasons:
Contract
We need your personal data to conclude a contract, for example if you want to open an account with us or take out a mortgage.
Are you the representative of your company and has your company concluded, or does it want to conclude, a contract with us? Or are you the contact person, shareholder, managing director or ultimate beneficial owner (UBO) of this company or one of our corporate clients? If so, we use your personal data for other reasons than the performance of the contract. We also do this if you are merely the payee of a payment made by one of our clients.
Legal obligation
The law lays down many rules that we have to comply with as a bank. These rules state that we have to record your personal data and occasionally provide it to others. The following are just some examples of the legal obligations we have to comply with:
Under the Dutch Financial Supervision Act (Wet op het financieel toezicht - Wft), we have a statutory duty of care. This means that we must assess your financial situation as accurately as we can. We can then take account of any changes you have to deal with.
We have to take steps to prevent and combat fraud, tax evasion, terrorist financing and money laundering. These include asking you to prove your identity so that we know who you are. This is why we keep a copy of your identity document.
We have legal obligations under the Dutch Bankruptcy Act (Faillissementswet) and under other laws that require us to keep your personal data, such as the Dutch Civil Code or specific provisions of the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme - Wwft).
Other organisations may occasionally ask banks to provide personal data. These organisations include the Dutch Tax and Customs Administration, the judicial authorities (financial fraud) and intelligence agencies (terrorism). In addition, banks are sometimes required to share personal data with supervisory authorities, such as the Netherlands Authority for the Financial Markets (AFM), the Dutch Central Bank (DNB) and the European Central Bank (ECB), for instance when they carry out research into business processes or specific clients or groups of clients.
If the law or a supervisory authority stipulates that we must record or use your personal data, we are required to do this. In that case, it does not matter whether you are a client of ours or not. For example, every bank must check whether clients, and the representatives of clients (including corporate clients), are genuinely who they say they are. In addition, banks must keep a photocopy of an identity document for each of their clients. This means that we are not required to establish your identity if we only use your personal data because you are the payee of a payment made by one of our clients. Your personal data may, however, be used in fraud prevention activities such as transaction monitoring, or if we record your personal data in incident logs [see 'Warning system used by banks'].
Legitimate interest of the bank or others
We also have the right to use your personal data if we have a legitimate interest in doing so. In that case, we must be able to demonstrate that our interest in using your personal data outweighs your right to data protection. We therefore balance all the interests. We explain the situations in which this happens using a few examples:
We protect property and personal data belonging to you, to us and to others.
We protect our own financial position (so that we can assess whether you are able to repay your loan, for example), your interests and the interests of other clients (in the event of a bankruptcy, for example).
We carry out fraud detection activities so that clients and ABN AMRO do not suffer losses as a result of fraud. In this context, we keep the financial transaction history of the payer and the payee.
We keep you up-to-date on product changes and send you tips, offers and other relevant news by means of direct marketing.
We aim to keep efficient records. We centralise our banking systems, make use of other service providers, and conduct statistical and scientific research.
Someone else may also have a legitimate interest. For example, someone may accidentally transfer money to your bank account. In that case, we may, under certain conditions, provide your personal data to the person who issued the payment instruction. That person can then ask you to pay the money back.
Even if you do not have a contract with us, we may still use your personal data either because this is necessary to ensure compliance with the law or on the basis of a legitimate interest. We will of course first check whether this is the case, for instance if your personal data is used for security purposes or for marketing purposes.
3. What do we use your personal data for
We use your personal data to help make our operations and our services as effective, reliable and efficient as possible.
Purposes
This is done for the following six purposes:
Contract: To be able to enter into contracts with you and perform these contracts. If we do not have your personal data, we cannot offer you a current account or transfer money from or to your account for you, for example.
Research: We study possible trends, problems, root causes of errors and risks, for instance to check whether new rules are properly complied with. This helps us prevent complaints and losses. It also allows us to intervene or issue a warning in time, for example if you are no longer able to repay your debts.
Better or new products and services: Do our products still meet your wishes and expectations? We carry out research in this area, using your personal data. We study trends and use personal data with the aim of analysing and continuing to develop our products and services.
Marketing: You receive offers and news that are appropriate for you. That is why you receive as little advertising as possible for products you are probably not interested in or already have. In this context, we use personal data that we received from you, for instance because you requested information in the past or because you are already a client of ours. In this context, we may also use personal data that we received from other parties.
Security and the integrity of our bank and our sector: We are required to guarantee the security and integrity of the financial sector. We may therefore use your personal data to prevent or combat attempted or actual criminal or undesirable acts, such as fraud or terrorism. This enables us to guarantee the security and integrity of the financial sector, our organisation, our employees and you, as the client. We may also use your personal data for warning systems.
Social responsibility and statutory requirements: As a bank, we play a key role in society. We help to prevent terrorist financing, money laundering and fraud, for instance by reporting unusual transactions or by identifying and stopping potentially fraudulent transactions and verifying transactions with you if necessary. Public authorities also ask us to provide personal data when they want to investigate problems or criminal offences. In that context, we check whether they have good reason to do so. The banking sector is also one of the most regulated industries around. This means we have to comply with many rules. Besides European and Dutch rules, these rules also include the laws of other countries. We must therefore also record and keep personal data for this purpose, and sometimes also provide personal data to the competent authorities. We always check first whether this is permitted.
If you have not concluded a contract with us, we do not process your personal data on the basis of a contract. We may, however, use your personal data for other purposes, such as fraud detection. We always check first whether using your personal data for those other purposes is permitted.
Other purposes
We may use your personal data for other purposes than the purpose for which you supplied the personal data to us. In that case, the new purpose must be in line with the purpose for which you initially provided your personal data to us. The law refers to this principle as ‘compatible use of personal data’. The law does not specify exactly when a use is compatible, although it does provide guidance.
Is this purpose clearly related to the purpose for which you initially provided the personal data? Is the new purpose appropriate to the initial purpose?
How did we originally receive the personal data? Did we obtain the personal data directly from you or in another way?
What kind of personal data is concerned exactly? Is the personal data in question considered sensitive to a greater or lesser degree?
How would you be affected? Would you benefit, suffer or neither?
What can we do to ensure the highest possible level of protection for your personal data? Examples include anonymization and encryption.
4. Using personal data with or without your consent
In most cases, ABN AMRO uses your personal data without obtaining your consent for this. This is permitted by law.
We do this because:
this is necessary because of the contract we have with you or that we intend to conclude with you;
the law requires us to use your personal data;
the bank or a third party has a legitimate interest.
Sometimes, however, we are required to ask you for your consent. Before you give consent, we recommend that you carefully read the information we provide concerning the use of your personal data. If you have given consent and you want to withdraw this consent, you can do that very simply. Read more about withdrawing your consent.
In which situations do we ask you for your consent?
We will in any event ask you to give consent in the following situations:
We always ask for your consent before we process special categories of your personal data. We do not use special categories of personal data without your consent unless the law states we are required or permitted to do this.
Another party requests access to your payment details so that you can make use of external applications such as a financial journal.
Another party wants to make a payment for you, for example when an online purchase is made.
We make use of cookies and similar technology on our websites and/or in apps in order to make you personalised offers. For more details, see our Cookie Statement.
In some apps, we require access to information about your location.
When we make use of automated decision-making and profiling and the law states that we require your consent for this.
Important information
In certain situations we do not ask for your consent. This is the case if we require your personal data to comply with the law, if a legitimate interest exists, or if this is necessary in the context of the contract that we conclude with you. In such cases, however, you may submit an objection.
5. Our group and your personal data
We may share your personal data within our group for specific purposes. We may do this for internal administrative purposes, to improve our services to you, because we are required to do so by law, or to fulfil our duty of care. If, for example, you apply to us for a loan, we need to know whether you have already obtained a loan from one of our subsidiaries. This allows us to gain a more complete picture of your financial situation.
Subsidiaries are also allowed to contact you with offers. In that context, it must be possible for you to tell that the undertaking is affiliated with our group, for instance because our name or logos are used, or because this is clearly stated on the website or in advertising.
Required personal data
If we need personal data from you in order to conclude a contract with you, and you refuse to provide this data even though this is required by law, or these personal data are required for the contract, we will unfortunately not be able to enter into the contract with you. The required personal data is specified in the online forms and other forms we occasionally need you to complete.
Do you want us to remove your personal data from our systems? We are unfortunately unable to remove required or other personal data that we need, for instance for the performance of the contract you have with us, or because we are required to keep this data by law or owing to a legitimate interest of the bank.
Camera images, telephone calls, chat messages and video chat sessions
If you visit a branch of our bank, we may capture images of you on camera. We do this for security purposes. We can also be contacted by telephone, by chat messages or in video chat sessions, for instance for mortgage advice. We may also record your telephone calls, chat messages or video chat sessions with our advisers. We do this for the following purposes:
to improve our services, for example so that we can coach or assess the performance of our employees,
owing to a legal obligation,
in order to be able to provide evidence, or
to prevent fraud.
We handle video and audio recordings with due care. They are subject to the same rules as other personal data. You may exercise your rights, such as your right of access.
Social Media
We use social media channels to discuss our organization, products and/or services with clients, users of apps and visitors to the website. We do this so that we can offer useful, relevant information and/or answer questions we receive through social media. We use the internet and social media channels, such as Facebook and Twitter, for this purpose. In addition, we become involved in discussions on these channels and/or we reply to individual, relevant questions and comments from other participants. In such situations, it is of course possible that we record personal data. We will of course process this personal data in accordance with the terms of this privacy statement.
6. Other parties using your personal data
There are situations in which we need to provide your personal data to other people and entities involved in the provision of our services. These are described below. If you transfer money to another bank, your personal details will also end up with that bank. This is unavoidable.
Our service providers
We work with other companies that help us provide services to you. This is referred to as outsourcing. We are not permitted to pass your personal data on to them without good reason. There are rules that banks must comply with in such situations. We carefully select these companies and reach clear agreements with them on how they are to handle your personal data. We remain responsible for your personal data. Sometimes we engage other parties that also provide services, such as lawyers, auditors or bailiffs. These parties bear their own responsibility for their use of your personal data.
Intermediaries
We also work with intermediaries. It is therefore possible that you have a mortgage with us, but you took it out through a mortgage broker. This intermediary processes your personal data and is responsible for how it uses your personal data. Please visit the intermediary's website to find out how it handles personal data.
Competent public authorities
Our supervisory authorities, the Dutch Tax and Customs Administration, the Netherlands Public Prosecution Service and other public authorities may ask us to provide personal data relating to you. The law specifies when we are required to provide this data. Persons employed in the financial sector are bound by the disciplinary law for banks in the Netherlands. Personal data may be provided to Stichting Tuchtrecht Banken in the context of disciplinary proceedings.
Financial services providers
Do you want us to give your personal data to providers of financial services? This is possible if you give your consent first. We will then be required to provide your personal data to these third parties. If you share your personal data with other parties yourself, we are not responsible for how they use your personal data. In that case, the privacy statements of those third parties apply.
7. Use of personal data for direct marketing purposes
If you have previously purchased a product or service from us, we are keen to keep you informed about similar products and services we offer that are suited to your needs. This also applies if you are a visitor to our website. In order to do this properly, we use various sources. These are described below.
The personal data that we received from you in the context of the contract.
When you visit our website, we study how you use the website. We do this using your IP address. We can then make you offers that are relevant to you personally. In that case, you must have agreed to the use of cookies and similar technology such as JavaScript. For more information about cookies, please see our Cookie Statement.
The use of social media depends on the privacy settings you use on social media sites.
Other sources of information, including public sources. We will always check first whether a public or other source of information can be used reliably. Where applicable, we will check whether you, as a client, have consented to the use of personal data that comes from another party.
You can use the Internet Banking privacy settings (under 'Use of your personal data') to specify whether we may use your personal data to make you relevant offers.
8. Profiling
As a bank, we make use of profiling. Below we explain why we do this, and when.
Fraud prevention
We have a great deal of knowledge and experience in the area of fraud prevention. Unfortunately, we are faced with increasingly sophisticated forms of fraud. We may take measures to prevent fraud where possible, which may include the use of profiling. For security reasons, we are unable to provide details of the precise measures to be taken.
Unusual transactions
As a bank, we have to comply with the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme - Wwft). We therefore pay particular attention to unusual transactions and to transactions that - by their nature - result in a relatively high risk of money laundering. To do this, we need to create and maintain a risk profile of the client, in other words you. If we suspect that a transaction is connected with money laundering or terrorist financing, we will report this to the authorities.
Duty of care and risk management
The supervisory authorities expect us to do everything possible to avoid excessive lending, and to take faster action when clients are likely to get into financial difficulties. We may make use of profiling for this purpose too. In that case, we first make a list of the most common characteristics of clients who have found themselves in financial difficulties. These characteristics are combined to create the profile. We then check whether there are any clients who meet this profile. Finally, we determine what we can do to help these clients.
Client and product acceptance
How do we make use of profiling when you want to purchase a product? The following example explains how we do this. Imagine that you apply online for a loan from us.
We notify you in advance of the procedure we follow to create a profile and what you can expect.
We carry out a risk assessment. We do this for new clients and also for existing clients who want to buy additional products. We know from experience that certain characteristics can indicate whether you are able to repay a loan easily. These characteristics include whether you have a job or any debts. We assess these characteristics.
Clients who are normally able to pay back a loan share a number of characteristics, as do clients who are normally unable to repay loans. Your characteristics are used as a basis for creating a profile.
We compare your profile with our existing profiles. Finally, we assess how likely it is that you will not be able to repay the loan.
Direct marketing
We also use profiling to send you offers that are appropriate for you. For example, if you have a mortgage you will not receive any offers for mortgages from us. We attempt to identify your areas of interest, based on a number of characteristics. We then look at specific aspects, such as your age category and whether you already have any other products from us. You will only be selected for a relevant marketing campaign if you meet a specific profile. Obviously, we check the data protection rules to determine whether personal data may be used for that purpose. You may object to the creation of a personalised client profile for direct marketing purposes at any time. If you do not have a contract with us, we determine whether direct marketing is permitted in specific situations.
9. Automated decision-making
We may use automated decision-making if we enter into a contract with you, for instance for an online loan.
If we make a decision that has legal consequences for you or affects you to a significant degree, this will be done with the intervention of one or more competent bank employees. This also applies if the process that led to the decision is automated or if profiling was used. Examples include client acceptance or the reporting of unusual transactions to the authorities.
There are situations in which we use automated decision-making without any human intervention. This is permitted by law. These situations may, among other things, concern decisions not to execute transactions, such as iDEAL transactions, because they might be fraudulent. These decisions may be taken on the basis of a fully automated process without any human intervention.
If, at any time in the future, we want to use automated decision-making that has legal consequences for you or affects you to a significant degree, we will make this clear to you beforehand. We will inform you of your rights, such as your right to obtain an explanation of the decision reached by automated means, your right to express your point of view, your right to challenge the decision and your right to obtain human intervention.
10. Personal data protection
We go to great lengths to ensure the highest possible level of protection for your information:
We invest in our systems, procedures and people.
We make sure that our working methods are in keeping with the sensitive nature of your information.
We train our people how to keep your information safe and secure.
For security reasons, we are unable to provide details of the precise measures we take. But you may have come across some of the following procedures we use to protect your personal data:
Security of our online services
We follow a two-step process to establish your identity (authentication)
Security questions when you call us
Requirements for sending confidential documents
Extra secure bankmail for confidential messages in Internet Banking and the Mobile Banking app
Security is our shared priority. If, for example, you encounter breaches in our security, you can report them to us confidentially through our website.
Warning system used by banks
The Dutch banking sector has developed a warning system to protect the safety and security of banks in the Netherlands. This system allows the banks to check whether a person:
has ever committed fraud
has tried to commit fraud
somehow forms a threat to the safety and security of the banking sector.
For more information about this warning system and its workings, go to the website of the Dutch Banking Association.
11. Your personal data outside Europe
Your personal data is processed outside Europe too. Additional rules apply in that case. This is because not all countries have the same strict privacy rules as we do in Europe.
Sharing personal data within the ABN AMRO Group
We may share your personal data outside Europe within our group. Our sharing of personal data is governed by our global internal policy, the Binding Corporate Rules (BCRs). These have been approved by the Dutch Data Protection Authority (Dutch DPA).
Sharing personal data with other service providers
We may occasionally share your personal data with other companies or organisations outside Europe, for instance in the context of an outsourcing agreement. In that case, we ensure that we have concluded separate agreements with those parties, and that these agreements comply with the European standard, such as the EU's model clauses.
International payment transactions and cross-border investing
There are situations in which you make use of our international financial services, for instance if you transfer money abroad or if you hold investments abroad through us. In such situations, foreign parties, such as local supervisory authorities, banks, government bodies and investigative authorities, may ask us for your personal data, for instance so that they can carry out an investigation. Additional rules governing the use of personal data apply if you purchase investment products from us. For details, see the provisions of Article 11.3 of the Investment Conditions.
12. How long do we store personal data
We keep personal data in any event for as long as is necessary to achieve the purpose.
The General Data Protection Regulation does not stipulate specific storage periods for personal data. Other legislation may specify minimum storage periods, however, which we must comply with. Such legislation includes the general requirement for businesses to keep records, as set out in the Dutch Civil Code, tax laws or laws governing financial enterprises in particular (such as the Dutch Financial Supervision Act).
Client data may be kept for even longer for various reasons, such as for risk management purposes, for security reasons or so that claims, investigations or legal proceedings can be handled properly.
Where possible, such client data is stored in an archive that is separate from our day-to-day systems.
Do you have a complaint or want to ask a question?
Please write to privacy.office@nl.abnamro.com if you have any questions about this privacy statement. We will be happy to be of assistance. If you do not agree with the way in which we handle your personal data, you can lodge a complaint with the Complaints Management department. You also have the right to file your complaint with the Dutch Data Protection Authority.
Do you want to read this Privacy Statement at another time?
You can save our privacy statement on your smartphone, tablet or computer. You can also
Changes to the Privacy Statement
Changes to the law or our services and products may affect the way in which we use your personal data. If this happens, we will make changes to the privacy statement and notify you of these changes. We will publish any changes on our website or in the app.
Binding Corporate Rules for ABN AMRO Bank N.V.
Two versions of our Binding Corporate Rules (BCRs) are available below. The first version, from 2012, was approved by the authorized data protection authorities in accordance with the data protection legislation applicable at that time.
The second version is an update with additions in accordance with the new General Data Protection Regulation (GDPR). ABN AMRO provided the second version as an update to the Dutch data protection authority (Autoriteit Persoonsgegevens) when the GDPR entered into force.
We may share your personal data outside Europe with other group companies. Our sharing of personal data is governed by our global internal policy, the Binding Corporate Rules (BCRs). These have been approved by the Dutch Data Protection Authority (Dutch DPA).