Privacy Statement

Furthermore, you will find information on your privacy rights, such as the right of access and right to rectification, and how to exercise these rights. When processing your personal data, we observe applicable laws and regulations, including the General Data Protection Regulation (AVG).

This privacy statement applies to the processing of personal data by BNG Bank N.V. and BNG Gebiedsontwikkeling B.V. (hereinafter: BNG). As such, BNG is the “Controller” as referred to in the AVG.

Laws and regulations

In processing your personal data, we comply with the following laws and regulations:

• General Data Protection Regulation (GDPR, in Dutch: AVG) and the AVG Implementation Act
• Protocol Incident Warning System for Financial Institutions
• Telecommunications Act (where applicable to BNG)

Whom we process personal data from

We collect and process personal data of natural persons who:

• are contact persons, directors, representatives and ultimate beneficial owners of organisations with which BNG has, has had or intends to have a business relationship;
• are otherwise involved in our services or in a transaction of our customers. Such as individuals who make a payment to or receive a payment from a BNG bank account;
• are users of our websites and other digital channels.

Anyone whose personal data we collect and process can expect us to treat them with care and confidentiality.

What personal data do we process

Personal data provide characteristic information that can be associated with a person. We collect the following data:

Identity data, such as name, address, place of residence, date and place of birth, (certain) data from ID or passport.

Contact and relationship data, such as telephone number, e-mail address, moments of contact (what, when, how), interests and the recording of digital communication for verification of assignments, appointments and transactions or in the context of a legal obligation, fraud prevention or integrity monitoring.

Data resulting from client screening. This concerns the screening of persons in the context of the Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft) and the Sanctions Act (Sw), including verification against PEP lists, sanction lists, adverse media and the recording of the results of the screening in the client file.

Contract and transactional data. Data linked to BNG's products and services, such as account numbers (IBAN), role (authorisations), transactions and payments, balance data and data on payment arrears.

Usage data from our websites and other digital channels, such as pages visited, devices used (desktop, mobile), login sessions, search queries, cookies and references to and from social media. IP addresses are stored anonymously.

Legal basis

A processing of personal data is only allowed if it is grounded on one of the legal bases in the AVG. We only process your personal data if:

• this is necessary for the conclusion and execution of a contract;
• this is necessary to comply with a legal obligation;
• this is necessary to pursue a legitimate interest that we have in processing;
• you have given your consent to do so.

Purposes of data processing

We use the data for the following purposes:

1. entering into or performing contractual agreements with a customer or other business relationship, including the settlement of payment transactions;
2. safeguarding the security and integrity of the financial sector;
3. complying with statutory obligations;
4. maintaining contacts with business relations;
5. performing analyses, compiling reports and web statistics;
6. improving the technical and functional operation of our systems, websites and other digital channels;
7. carrying out (targeted) marketing activities.

Retention periods

We do not retain personal data for longer than necessary for the purposes for which we have collected and process it. We have drawn up a policy document stating how long we keep personal data. In doing so, we take into account the legal retention periods.

Upon expiry of the retention period, personal data are destroyed or anonymised. In some cases and under certain conditions, we may keep personal data for longer, for example if you have filed a complaint for which the data are needed or if we use the data in legal proceedings or for historical or scientific research or statistical purposes.

Protection of personal data

We take appropriate technical and organisational measures to protect the availability, integrity and confidentiality of personal data. To this end, BNG uses an information security policy that is regularly reviewed on the basis of new regulations and market developments.

In addition, personal data are only processed by persons with a duty of confidentiality. All our employees have taken the Banker's Oath.

Provision of data to third parties

If necessary for our services, we may provide personal data to third parties involved in the provision of our services or when necessary to comply with legal obligations.

Execution of services

We use third parties to execute our services. For instance, we use Swift for international transactions and work together with service providers for:

• the technical infrastructure and payment transactions;
• daily statements and other financial reports;
• screening in the context of customer research;
• customer satisfaction surveys, printing, marketing and website management.

We only cooperate with carefully selected parties. Moreover, we conclude clear agreements with these organisations on how they process and secure your personal data.

Transfer of personal data outside the EEA

We only share your personal data with parties in countries outside the European Economic Area (EEA) if a sufficient level of data protection is present in that country or if we have ensured that sufficient additional security measures are in place.

Legal obligations

When we are obliged to do so, we provide personal data to:

• (European) supervisory authorities, such as the AP, AFM, DNB or the ECB
• the tax authorities
• investigative authorities
• other relevant government bodies

Automated decision-making

At BNG, there is no solely automated individual decision-making.

Your privacy rights

If we process your personal data, you have various privacy rights. These rights are explained below:

• the  right of access to the personal data BNG processes about you and to certain additional information about them;
• the right to rectification, if your data are incorrect or incomplete; right to deletion of your data ('the right to be forgotten'). There are exceptions to this right, such as when your data are still needed in connection with the purposes for which we process them or in connection with a statutory retention period;
• the right to erasure of your data (‘the right to be forgotten’). There are exceptions to this right, such as when your data is still needed in connection with the purposes for which we process it or in connection with a statutory retention period;
• the right to (temporary) restriction of data processing, e.g. if you believe your data to be inaccurate; right to object to data processing, if the processing of your data is based on a legitimate interest, e.g. in the case of direct marketing;
• the right to object to data processing, if the processing of your data is based on a legitimate interest, e.g. in the case of direct marketing;
• the right to revocation of your consent if the processing is based on your consent. A revocation does not affect the validity of personal data processing operations that took place before the revocation;
• the right to transfer your personal data if the processing is based on a contract or on your consent (data portability);
• the right not to be subject to automated decision-making without human intervention, if this produces legal effects concerning you or has other negative consequences for you.

If you want to exercise your rights, we ask you to be as specific as possible. You may submit your request by e-mail or in writing, accompanied by a secure copy of your proof of identity¹:

BNG
Attn: Compliance Department
PO Box 30305
2500 GH The Hague
compliance-officer@bngbank.nl

We will try to respond to your request as quickly as possible and in any event within 4 weeks. Sometimes we may ask you for additional information to clarify your request. We may also ask you to come to our office to identify yourself or when we cannot securely send your data to you. If we need more time to respond to your request, we will let you know and explain the reason for the delay.

We may not be able to comply with your request. For example, because this is not permitted by law or because the rights of others would be harmed. We will then inform you of this. There are no costs involved in processing a request to exercise your rights, unless answering would require disproportionate effort. We will inform you in advance if we charge any fees. Do you have a complaint about BNG's handling of your request? If so, please contact BNG's Data Protection Officer at FG@bngbank.nl. Please note that you also have the right to file a complaint with the Dutch Data Protection Authority.

Contact and questions

If you have any questions about this Privacy Statement or about the way we process your personal data, please email our BNG Data Protection Officer at FG@bngbank.nl. 

About this Privacy Statement

This is the Privacy Statement of BNG Bank N.V. and BNG Gebiedsontwikkeling B.V. We may amend this Privacy Statement, for example in connection with changes in laws and regulations or changes in the way we process personal data. The most recent version can be found on our website.

This version is dated 17 December 2024.  

⁽¹⁾ Instructions on how to securely make a copy your ID: https://www.government.nl/topics/identity-fraud/question-and-answer/how-do-i-prevent-a-copy-of-my-id-being-used-for-fraudulent-activities