Privacy Statement
You share data with us. You do this every time you pay from a Rabobank account, and if you receive money on it. You share data with us if you make use of Rabo App or Rabo Online Banking. You also share data with us if you email us, call us, send us a chat message or visit our websites. You share data with us if you purchase another service from us, such as a mortgage. Sometimes your personal data is shared with us for another reason. If – for example – you transfer a payment to a Rabobank account, we will process your personal data as well. We handle this data with care. This Privacy Statement explains how Rabobank handles your personal data.
Privacy Statement June 2025
This is data that directly or indirectly tells something about you, such as your name, address or income. Details about a sole proprietorship, general partnership or professional partnership can be considered personal data as well. This does not apply to the data of a legal entity, such as a private company with limited liability (BV) or a public limited liability company (NV). Details of the contact person or representative of a legal entity, however, are personal data.
We may collect, view, modify, provide, transfer, retain and delete your personal data. Anything that can be done with personal data is considered processing of personal data.
We process personal data of all those with whom we want to establish a relationship, or have or used to have a relationship. We also process personal data of persons who are not customers of Rabobank. We receive personal data from them directly or via others.
For example:
Sometimes, businesses or organizations provide us with personal data. For example, data of employees, directors, Ultimate Beneficial Owners (UBOs) or other stakeholders. We also collect personal data ourselves, without your company or organization providing it to us. We may request such data from the Commercial Register, for example. We also record this data. We expect you to inform your employees, directors and other stakeholders about this. You can provide them with this Privacy Statement or a link to it, so they can read how we handle their personal data.
That is Coöperatieve Rabobank U.A. This Privacy Statement covers the processing of personal data by Coöperatieve Rabobank U.A. in the Netherlands, and the processing of personal data by the following group entities:
Data can be exchanged within Rabobank Group. but only if the law allows it. Section 13 of this Privacy Statement explains how data exchange works within Rabobank Group.
To whom does this Privacy Statement not apply?
It does not apply to large (corporate) business customer that fall under Wholesale Banking, for whom separate Privacy Statements are available. Information on Rabobank Wholesale Banking's processing of personal data in the Netherlands can be found at Rabobank.com/privacy. It also contains information on Rabobank's processing of personal data outside the Netherlands. Other subsidiaries and associates of Rabobank Group have separate Privacy Statements. Rabobank employees and applicants in the Netherlands also have their own Privacy Statement, as do the members of Rabobank's local supervisory boards.
Cookies and information documents for other services
Our websites contain information about cookies. Some services have their own, separate Privacy Statement, or a separate information document. In such case, this applies in addition to this Privacy Statement. If we collaborate with another company, or another organization, information about the processing of personal data is sometimes provided by that other company or organization as well.
Type of data | What types of data can this be? | What are examples of using this data? |
Data about you | Name, address, date of birth, telephone number, email address, details that appear on the ID, signature, your education, marital status, your gender, whether you have children, and your profession. | • To establish who you are (identification and verification). • To draw up an agreement. • To answer your questions. • To contact you. • To comply with laws and regulations. |
Location details | Data showing where you are. | To know where and when you paid with a bank card. We do this to combat fraud. |
Financial data and data about and for agreements | Data about your financial situation, about the products you have, about your investment profile, and the data for your financing, such as payslips. Data about your home, such as its energy label and energy consumption. Or about other assets, such as your vehicles if you are a company or organization, or the business premises. Invoices, credit notes, payslips, payment behavior, the value of assets, your credit history, loan capacity, tax status, income and other revenue. Whether you are registered in a credit register and whether you have payment arrears. | • To assess whether a product suits you. If – for example – you have or apply for a mortgage with us, we want to know whether this loan is appropriate. • To identify arrears early. • To meet legal obligations, other reporting obligations and regulators’ expectations. • To comply with our duty of care. • To manage our risks. This is referred to as “risk management”. We manage – for example – our credit risks. • To do research, e.g. by Rabo Research. |
Payment and transaction details | Account numbers (IBAN) and other unique bank account details. We process these if – for example – you transfer a payment to a country outside the European Union where bank accounts do not have an IBAN. Details about the person you paid, from whom you received a payment, when a payment was made, and the balance on an account. We can enrich payment and transaction data. For example, by adding a category to it. Or by checking whether there is a recurring payment. We also process data from (digital) debit cards and credit cards, such as the card number. | • To assess whether a product suits you, or still suits you. • To make a payment for you. • To check whether the account number entered matches the name listed on a payment order (IBAN Name Check). • To perform an agreement with you. • To protect you and ourselves. • To assess whether you can continue to pay your loan or credit and to identify payment arrears at an early stage. • To give you insight into your finances. For example, through Insight in the Rabo App. • To develop and apply (risk) models. for example meet the expectations of regulators. • To help you with your financial affairs. • To do research, e.g. by Rabo Research. • To comply with the rules for preventing money laundering and financing terrorism. • To perform 'smart transfers'. |
Special categories of personal data, criminal data and Citizen Service Number (BSN) | Health data Biometric data Criminal data Data showing racial or ethnic origin Data about your political preference, religion or trade union membership Citizen Service Number (BSN) | • We use your BSN to pass on your savings and loan details to – among others – the Dutch Tax authority. • We record data about your health. For example, if you are blind and therefore want to receive Braille statements. We will do this if you give us permission. • In the context of payment transactions, special personal data may be insightful. e.g. if you transfer money to a political party, a trade union or a church. • We may also use biometric data, such as a facial scan or a recording of your voice, to establish and verify your identity. |
Call recordings, call reports, video calls, chat calls, camera surveillance, email messages, social media data | • Conversations that we have with you and of which we make a report. • CCTV footage we record in a branch office or at the ATM. • Recordings of telephone and video calls. • Messages you post on social media. • For improving our service provision. | • To be able to provide evidence. • To perform agreements. • To train our employees. • To perform checks. • To improve our services. • To secure our bank. • To train applications. This may include applications that help us respond to customer requests, applications that ensure that we can improve our services in a different way, and applications that enable us to work more efficiently, because, for example, they help make summaries of conversations. These may include applications that work on the basis of artificial intelligence, also known as “Artificial Intelligence” or “AI”. |
Data that says something about the use of our website, app, and emails | • Cookies • Pixels • IP address • Data about the device you use for interactions with online services or our website. This includes data about the technical performance and usage data of your device, and information on how you use your device, e.g. how you hold your device. • A technique that allows us to distinguish your computer from another computer, which enables us to find out if your computer is being controlled by someone else. With this, we try to protect you from unwanted actions. For example, against changing the contra account of a payment order unnoticed. • Information on how you use your device, e.g. how you hold your device. | • To track your internet behavior on our websites and apps. • To make our websites and apps work properly and safely for you. • To offer personalized messages, ads or banners. • We use analytical cookies (such as Piano Analytics) to improve the websites and apps. We can use these even if you have an adblocker installed. • To prevent fraud and abuse. • To discover and resolve errors in Rabobank apps. • To keep devices up to date and safe. • To improve our products and services. |
Data we need to combat fraud. Data we need to protect you and our safety. Data we need to combat money laundering and the financing of terrorism. | • Data that we store in referral registers, sanctions lists, location data, categorized or uncategorized transaction data, identity data, camera images, cookies and IP addresses. • Data about the device you use to use Rabo Online Banking, Rabo Business Banking or other services from us. • Details of the location from which you pay. • Data that you share with us in the context of a mortgage. • Information on how you use your device. | • To check whether you are listed in our internal or external referral register. • To check whether you appear on sanctions lists. • To combat internet fraud, so-called DDoS attacks and botnets. • TTo combat fraud. For example, we measure the way in which you enter a security code in the Rabo App, as this may be an indication of fraud. |
We receive your data because you yourself share it with us. This is the case if, for example, you enter into an agreement with us. Or if you leave your details on our website. We also process your data if you use our products and services, e.g. if you make a payment from a Rabobank account, or if you use the Rabo App.
Sometimes we do not obtain your information directly from you. We may – for example – also receive your data from:
- To combat fraud, money laundering and terrorist financing.
- To be able to keep our internal records.
- To create calculation models.
- To improve our services.
- As part of our duty of care.
Read more about this topic under 'What does Rabobank use your personal data for'.
If you apply for a credit or loan, or have a credit or loan, we will receive data from – for example – the Dutch Credit Registration Office (BKR). Other parties we work with include Calcasa and Dun & Bradstreet. We also receive data from the Land Registry, Company info, Statistics Netherlands (CBS), EDM, Post.nl and the Chamber of Commerce, among others. In addition, we receive data from parties that offer data sharing applications, which provide data about you. These are often referred to as “source data”. This is only possible if you agree to it. Companies like this include Ockto, Datakeeper and I-wise.
This allows us to use these sources to prevent fraud and money laundering, and protect Rabobank. But we also use public sources for relationship management and promotional and marketing purposes.
Because you have agreed to that party sharing data with us. For example, because you have given permission to another bank or payment service provider to transfer transaction data to us.
This is data that we do not obtain directly from you. For example:
- If your employer takes out an insurance policy with us and provides us with your details.
- If your (legal) representative, such as a fiduciary administrator or guardian or a third party you have engaged, discloses information to us. Examples of third parties include a broker appraiser, independent intermediary or tax advisor.
- If we fund a landlord and the landlord provides tenant information to us.
- If a customer has pledged claims to Rabobank and there is personal data on so-called 'debtor lists'.
- If the details of a beneficiary can be seen at the time of payment.
We use and process your personal data to conduct your banking business. Rabobank also offers other services for which personal data is processed. We also do this in collaboration with other companies and organizations. Examples of this include “Cooperative Isolation Budget”. This allows customers with a Rabobank mortgage to – under certain conditions – be eligible for energy advice from an energy consultant. Personal data are also processed when providing such a service. In addition, we process data because this is required by law, because we have a legitimate interest in doing so, or because you have given us your permission to do so.
Legal bases for processing
We may only process your personal data if there is a good reason for doing so. This is referred to as the “basis”. The law on the protection of personal data (the General Data Protection Regulation) specifies the possible bases.
These are the main bases we use:
Balance of interests
In this context, it is explained that “legitimate interest” is one of the bases for the processing of personal data. If we use “legitimate interest” as the legal basis for processing your data, we will balance Rabobank's interests or those of a third party against your right to privacy. Examples of our interests include the following:
We weigh our interests or the interests of other people, companies and organizations against your interests and your right to privacy. E.g. by trying to see if there are other ways to achieve the same goal, And whether we really need all that data. If we want to use sensitive data, or data on vulnerable people or children, your right to privacy will be more likely to prevail, and we will be less likely to use your data based on a legitimate interest.
We also have an interest in keeping the financial sector healthy. We therefore use data on the basis of a legitimate interest. A few examples:
We also sometimes process your data because someone else has a “legitimate interest” in this. For example, if someone has inadvertently transferred money to you and you do not want to pay it back. Or if someone has transferred money to you but you are not supplying any products. Then, in some cases, we may pass on your information to the person who (accidentally) transferred money to you.
If we process your data because we have a legitimate interest in doing so, and you think your interests outweigh this interest, you can object to this processing. You can read how to do this at 'What rights do you have with us?'
Purpose of processing
In addition to a basis, we always have a purpose when processing personal data. Below we explain what goals these are and give examples.
a. Establishing a relationship and entering into an agreement
For example, we do investigate to assess whether we can accept you or your organization as a customer. That is why we research you. This also applies if you are the legal representative of someone else or of an organization. Or if you are the “ultimate beneficial owner” (UBO) of an organization. Depending on our assessment of your risk profile, we are required to ask additional and more detailed questions in order to build a proper customer file. When you become a customer, we establish – for almost all products – your identity in order to comply with our legal obligations. When doing so, we may make a copy of your ID. This may also be a digital copy.
We use models to determine the price of a business loan. These models help us determine the risk associated with a loan. The risk associated with a business loan plays a role in its price.
b. Performing agreements and orders
If you are a customer with us, we like to properly perform the orders received and agreements concluded. We have, after all, agreed this with you. When doing so, we process personal data.
You can choose not to see these insights in the Rabo App or Rabo Online Banking. Or you can object. See the “Who can you contact if you have a question or complaint?” section to find out how to do this. If you want, you can also set a budget. This allows you to see how much you have already spent in a particular category. If we should wish to use the categories and information added to transaction data for other applications, we will verify that this is permitted, or ask for your permission first.
c. Your, the bank’s and the financial sector’s security and integrity
We process your personal data to ensure your security and ours, as well as the security of the financial sector. We also aim to prevent fraud, money laundering and the financing of terrorism.
Customer due diligence
The start of the customer relationship is not the only time we investigate whether we can accept you as a customer. We also need to investigate whether you can remain a customer of ours during the customer relationship. We may carry out these types of customer due diligence for other (financial) institutions, for example at the request of an insurer or a part of Rabobank Group, or we share the outcome with another part of Rabobank Group. Sometimes we also share data with other (financial) institutions so that the institution itself can fulfill its legal obligations. For this purpose, we process your personal data, but possibly also the personal data of third parties with whom you do business. For example, the transaction history of your account may warrant further investigation. Or the people you do business with or the industry you work in. Depending on our assessment of your risk profile, we are required to ask additional and more detailed questions in order to build a proper customer file (and you are required to answer these).
Incident registers and alert systems
To protect the security and integrity of customers, Rabobank and the financial sector from fraud and money laundering, among other things, banks must take protective measures. One of these measures is
the use of our own internal alert system (the Internal Referral Register, IVR) and that of the financial sector (the External Referral Register, EVR) and the register of the Foundation for Mortgage Fraud Prevention (Stichting Fraudebestrijding Hypotheken, SFH).
Events that attract our bank’s attention are called an “incident” and we record them in our “Incident Register”. An Internal Referral Register (IVR) is linked to the Incident Register. Your identifying information is included here if we want to be extra alert and issue alerts internally within the Rabobank Group. For example, in the areas of fraud, mandatory customer due diligence, terrorist financing and money laundering. We do not save your information just like that. We only do so after checking whether this is in line with our internal rules and is allowed under the law. For the IVR and EVR, only employees of our security departments and a limited number of other employees have access to that data.
Sometimes an incident is so serious that we want to issue an alert not only within the Rabobank Group, but also to other banks and other financial institutions. In this case, your information may be included in the Incidents Register, the External Referral Register (EVR) or the Foundation for Mortgage Fraud Prevention’s register. Saving your data in these registers is only allowed if it follows the rules of the Financial Institutions Incident Alert System Protocol (PIFI). These rules have been approved by the Dutch Data Protection Authority.
If we record your data in these registers, we will inform you of that. We will also inform you of our reason for doing this and how long the data will be recorded, except if that is not allowed because – for example – the police has asked that we not inform you in the interest of their investigation. If you do not agree with the recording of your data, you can lodge an objection or request that your data be corrected or deleted.
We consult these records when you become our customer, as well as when you already are our customer. Not all bank employees consult the data in these registers themselves. If a bank teller checks the IVR or EVR, the person performing the check will only see that there is something in the register, but not why someone is included in the IVR or the EVR. If there is such an indication that there is something in the register, the person performing the check must always contact his security department for advice. If necessary according to the EVR, Rabobank’s Security Department will consult with a security department of another Financial Institutions Incident Alert System Protocol (PIFI) participant regarding the nature of the registration.
Rabobank’s Security Department will assess whether the customer is allowed to have a particular product or use a particular service based on the information contained in the department’s own records or the Incident Register. Rabobank’s Security Department may share information, as recorded in the Incident Register, with other financial institutions. The Security Department may also receive information from another financial institution’s security department. We only do this if we are allowed to do so under the PIFI.
In addition, we receive lists from governments (e.g. sanctions lists) of individuals whom we have to record in our alert registers. Financial institutions are not permitted to not do business with these individuals, or these individuals require additional attention from the financial sector.
Public sources
We consult sources such as public registers, newspapers, the Internet and public profiles of your social media to prevent fraud and protect the bank. We may also – in order to prevent fraud and money laundering – consult and analyze information from public websites, in an automated manner or otherwise. We can search for information from public sources such as registers, newspapers, social media and the internet, such as information on Facebook or LinkedIn, or information we find through search engines. We do this for – among other things – security reasons, e.g. to comply with the rules against money laundering and the financing of terrorism.
Fraud, terrorist financing and money laundering
In order to prevent fraud, terrorist financing and money laundering, and to protect both you and us, we conduct analyses. These analyses enable us to create a profile of your usual (payment) behavior to reduce fraud, money laundering or misuse of debit and credit cards. If the behavior deviates from your usual payment behavior or there are other indications of – for example – fraud, this may be a reason to block or suspend payments fully automatically. Or to block your checking account. Once we have done this, we will contact you as soon as possible.
Sometimes we also use data that you have not provided to us in the context of fraud prevention. For example, the transaction history on your account or the characteristics of the device that you use for online banking. The Dutch Central Bank also requires us to use all kinds of data to prevent money laundering and terrorist financing.
For the prevention of fraud, we can perform an IBAN Name Check. We use this check to see whether the number you have entered when making a payment through Rabo Online Banking matches the name we have on record. If this is not the case, you will receive a notification from us. You can then decide whether to amend the payment order or issue it anyway. We may also carry out this IBAN Name Check for other parties in connection with preventing, detecting and combating misuse of the payment system. These other parties may also be established abroad.
As part of our efforts aimed at combating cybercrime and hacking, we transfer information relating to you to other organizations that fight cybercrime. e.g. companies that help us combat so-called DDOS attacks. We will do this if we find that your security or the security of the financial sector could be in danger. We only do this if we have made agreements with these other organizations with regard to the careful use of your data.
We make recordings of telephone conversations, email messages, camera images and chat sessions, for example, and may document these recordings. We do this in the context of – among other things – fraud investigation. Examples include the camera images we create to detect and prevent fraud involving debit cards and credit cards.
d. Developing and improving products and services
We are constantly improving our products and services. We do this for ourselves, for our customers and for other parties.
e. Relationship management, promotional and marketing purposes
If you do not want us to use your information for direct marketing by mail, email, phone, the Rabo App or online banking, please go to www.rabobank.com/privacy/je-rechten.
You can read how to opt out of direct marketing under "Right to object to direct marketing".
f. Entering into and performing agreements with vendors and other parties we work with
If you have contact with us for your work, we may process your personal data. For example, to establish whether you are permitted to represent your business, or to give you access to our offices, our online services or applications. Where necessary, we consult incident registers and alert systems. We do this prior to and during the term of the agreement. This is called “screening”. We may also process your personal data to manage our business relationships with you if – for example – we invite you to a meeting or ask your opinion about our products and services.
g. Complying with legal obligations
Legislation
Under various national and international laws and regulations, we have to collect and analyze a large amount of data relating to you and sometimes transfer such information to European and other government authorities. We have to comply with legislation, such as the Dutch Financial Supervision Act, in order to be permitted to offer you financial products and services. We also process personal data to fulfil the duty of care. And if you have a loan for which you have been behind on payments for some time or have a residual debt with us, we can pass this information on to the Dutch Credit Registration Office (BKR).
In addition, we have to comply with legislation aimed at combating fraud, money laundering and terrorism, such as the Prevention of Money-Laundering and Terrorist Financing Act (Dutch Wwft). Under this law, we have to establish who is the ultimate beneficial owner (UBO) of a business or organization with which we have a business relationship. We do this by conducting customer due diligence. We also perform customer due diligence if you have assets, and if there is an unusual transaction in your account. We have to report an unusual transaction to the competent investigative authority. We may cooperate with other banks in this regard.
When accepting business customers, we are obliged to check who is the ultimate beneficial owner of an organization. We do this with the UBO register kept by the Chamber of Commerce, if this is available. Is the information we have does not match the data recorded in the UBO register, we have to report the differences to the Chamber of Commerce.
The tax authority, the police and the public prosecution service, but also intelligence services, for example, may request data from us. If they do this, we are required by law to cooperate in the investigation and transfer data relating to you. We may also enter into partnerships with, for example, the police and the Public Prosecution Service in order to combat (large-scale) fraud, money laundering and terrorist financing.
Risk models
European rules require that we draw up risk models if you apply for a loan or credit or if you have received a loan or credit from us. Using these models we determine what risks we face and the size of the buffer we have to maintain. For this purpose, we process your personal data within Rabobank Group.
We are required by law to use these (risk) models before we offer you a loan or credit and if you want to change anything in your loan or credit. And we use these (risk) models during the term of a loan or credit. To create these models, we use – among other things – transaction data from your payment account or current account in order to – for example – determine with you whether you will be able to afford the loan after you retire. We use these models to – among other things – to prevent you from not being able to repay your loan or not being able to repay it on time. We also use them to determine the price of a business loan. We can do this on the basis of profiles, and using techniques that make the decisions (almost) fully automated.
These (risk) models also predict the likelihood of your falling behind on your payments. This enables us to prevent or deal more quickly with any payment problems, for example in consultation with you. We will then process your personal data for this purpose. We do this because it enables us to perform the agreement with you and because we are legally obliged to do so, but also because we have a “legitimate interest” in doing so.
Providing data to the government
Laws and regulations may require that we transfer data (analyzed or otherwise) relating to you to a government institution, a tax authority or a regulator within or outside the Netherlands, such as the Netherlands Authority for the Financial Markets (AFM), the European Central Bank (ECB) or the Dutch Central Bank (De Nederlandsche Bank, DNB). For example, we have to provide data to investigative authorities and the tax authority, among others, through the banking data referral portal. We must also share data with the Employee Insurance Administration Agency (UWV).
As we have to comply with legal obligations and treaties, we sometimes have to provide data relating to you to the Dutch tax authorities or a foreign tax authority. For example, the tax authority may request data from us in the context of a payment claim or under FATCA or the Common Reporting Standards. The FATCA and the Common Reporting Standards (CRS) provide for the exchange of information between tax authorities of different countries.
If an account holder is a beneficiary of 26 or more international payments per quarter, we will provide their details to the Dutch tax authority. The various tax authorities will combine the information into a European database managed by the European Commission.
Making and documenting recordings
We make recordings of, for example, telephone conversations, email messages, camera images and online chat sessions or CCTV images at offices and ATMs and may document these recordings. We do this to comply with legal obligations, for example in the context of investment services.
h. For implementing business processes, management reporting and internal management
Record-keeping and data management
We want to conduct our record-keeping and data management in an efficient manner and improve our data quality. There are legal obligations for banks to properly organize records and data management. It also allows data to be used for more applications, without differences between the data in different applications. We compare and combine customer data from different sources to get a more complete picture of you. This may also include information about you at other parts of Rabobank Group, if this is permitted by law. By means of these so-called “knowledge graphs”, we gain a better understanding of the relationship between data. We can use these insights to combat fraud and money laundering. We can also use these insights to improve our products and services, or to work more efficiently.
Know your customer
As a service provider, we believe it is important and necessary to have a good overview of our customer relationships. That includes knowing who you work with. We process data about you, but potentially also about other people, companies and organizations with whom you do business for that purpose as well.
Identifying credit risk in loans and credits
Lending involves credit risk. We need to establish what that risk is so that we can determine the financial buffers we need to maintain. To this end, we process your loan, credit and transaction information, for example. In the future, we will also have to pay more and more attention to the sustainability risks.
Transfer of claims and contract takeovers
Sometimes we transfer claims that we have against you, such as, for example, your mortgage loan, to another party. Personal data is processed as part of such transfers. We may need to make your personal data available to a potential acquisition candidate prior to such a transfer. Once the claims have been transferred, that other party will also process your personal data. We agree with such other party that it has to comply with personal data protection laws and regulations. This also applies in the event of a contract takeover, merger or demerger.
Audits and investigations
We also use your data for research. This may be an internal investigation, or an investigation by another company we have engaged. For example, to investigate whether new rules have been properly implemented, to determine whether our customers have suffered losses, or to identify risks.
Reporting and our own business processes
We also use data to map out and improve our business processes. and to create management reports so that we can better help you or make our processes more efficient. We also need to have the models we use validated. We also create reports to report externally on the sustainability of our clients. If we can, we will first pseudonymize your data.
We also make recordings and can save them – for example – telephone conversations, email messages, camera images and chat sessions, and may document these recordings. We do this for e.g. quality control and to train and coach our employees. For example, by letting them observe colleagues.
i. For archiving, scientific or historical research or for statistical purposes
We may also process your personal data if this is necessary for archiving purposes in the public interest, for scientific or historical research. and for statistical research or other statistical purposes. We also conducts research to determine and improve our position in the market. This is done by our own research department, among others. This department is called “Rabo Research”. This department measures – for example – economic developments. and also publishes about this.
We do not retain your data longer than necessary for the purposes for which we collected it or the purposes for which we reuse it. In the Netherlands, this is usually for seven years following the termination of the relevant agreement or the ending of your business relationship with Rabobank. Sometimes this period may be longer, – for example – a regulator, the police or the Public Prosecution Service. Sometimes we use shorter retention periods. For example, we usually retain data relating to a payment order for only two years, conversation recordings and camera recordings are usually retained for 6 months and 4 weeks, respectively. But sometimes, we have to keep these for longer, e.g. in the case of investment services
We may keep data longer in special situations. We will do this if, for example, the judicial authorities request camera images, in which case we will keep the images for longer than four weeks. Or if you have submitted a complaint as a result of which the underlying data have to be retained for longer.
If we no longer need the data for the purposes described in Chapter 6, we may still retain the data for archiving purposes. In such case, the data can be used in legal proceedings, and for historical or scientific research or statistical purposes.
Special categories of personal data, criminal data and Citizen Service Numbers (BSNs) are sensitive data. Special categories of personal data include data about your health, biometric data, ethnic data or data concerning race, for example. For some services, you can use your fingerprint, voice recognition or a facial scan. These are biometric data used for identification and in intermediate checks.
We process special categories of personal data where this is permitted by law, because you have made the relevant data public yourself, or because we have your consent. For example, if you ask us to record that you are blind and want to receive Braille bank statements. We will then ask your permission to record this data.
Special personal data may be disclosed in the context of payment transactions. For example, if you transfer money to a political party, this will be visible in the account information. We are required to provide this account information, and in some cases, it is also visible to other parties. For example, an account information service provider, if you have engaged one.
If you give us your consent to record special categories of personal data relating to you, or you have made this information public yourself, we will only process such information if this is necessary for the provision of our services. You can withdraw your consent for recording at any time. Please contact us in order to do so.
We only process data from children under the age of 16 if they purchase a product from us, and if the data is provided to us in the context of a product. If necessary, we will seek the legal representative’s permission to process children’s data. When a payment is made to a Rabobank account from an account of a minor at another bank, data of that minor is also processed in the context of payment transactions.
We participate in incident registers and alert systems of the financial sector and process criminal data for this purpose. We do this to protect our interests and those of financial institutions and their customers, for example by detecting and recording cases of fraud.
We will only use your BSN if this is permitted by law, for example, in order to pass on your savings balance or the amount of your loan to the Dutch tax authority. And also in the implementation of the Deposit Guarantee Scheme.
Automatic decisions are decisions about you made by computers instead of humans. If a decision adversely affects you, we are not allowed to make an automated decision about you. Except if this is necessary as part of an agreement of the bank, if it is permitted by the law or if you yourself give permission. In those situations, you have the right to consult with someone at the bank. And you have the right to object. You can also ask us to stop having the decision made by computers.
In the following situations, we sometimes use these fully automated decisions that affect you. This can also have negative consequences:
Rabobank uses artificial intelligence, for example, to make reports of customer conversations. Artificial intelligence is also used to support employees during conversations, e.g., to offer employees suggestions on how to answer customers' questions. Artificial intelligence can also be used to classify documents. Artificial intelligence can, for example, be used to recognize a payslip, and help to 'read' the contents. Artificial intelligence is also used in the creation and application of models, such as risk models, and when conducting customer due diligence.
Within Rabobank, people only have access to your personal data when they actually need it because of their job. All these people also have a duty of confidentiality.
We sometimes use data for a purpose other than that for which we received it. This is permitted when there is a close connection between the two purposes.
a. Within Rabobank Group
Your personal data may be exchanged between business units of the Rabobank Group. For example because you ask us to do this, or because you also purchase a product from another unit of Rabobank. Data that establishes your identity may also be used by another unit of Rabobank with which you want to do business. We may also exchange your data in the context of fraud prevention, for the prevention of money laundering, risk management, internal administration, to improve the provision of our services to you and in the context of the duty of care.
Business units of Rabobank Group are sometimes located in countries outside the European Union where less stringent privacy rules apply. If we share your data with units of Rabobank Group in which Rabobank has a controlling interest, Rabobank’s so-called binding company rules will apply in these cases. These are also referred to as the “Binding Corporate Rules”. More information about this can be found on our website.
b. Outside Rabobank Group
Your data is also transferred to other parties outside Rabobank if we are required to do so by law, but also within the framework of performing an agreement with you or because we are engaging another service provider.
If we transfer data to another party that is responsible for the processing of personal data itself, such a party will be under the supervision of their own data protection supervisor. This can be the Dutch regulator but also a foreign one.
Competent (public) authorities
We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as the Dutch Authority for the Financial Markets (AFM), the Dutch Data Protection Authority, the Dutch Central Bank (DNB), the ECB, the Dutch Authority for Consumers and Markets (ACM) or the Dutch tax authority.
As part of the Code of Conduct for the Dutch banking sector, we sometimes have to provide personal data to the Foundation for Banking Ethics Enforcement (Stichting Tuchtrecht Banken). If you submit a complaint to the Financial Services Complaints Tribunal “Kifid”, a court or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), it may also be necessary to provide your personal data. For example, to defend your complaint. This also applies if you object directly to the BKR. Sometimes a court determines that we must share certain personal data about you with another person. The law may also stipulate that we must give someone else access to your personal data if the person so requests, e.g. under Article 194 of the Dutch Code of Civil Procedure. We may provide access to another person, another company or another organization. It goes without saying that the relevant statutory requirements must be met.
The Tax and Customs Administration, the police and the Public Prosecutor’s Office may request data from us based on a legal duty or authorization, as may – for example – intelligence services and Employee Insurance Administration Agency (UWV). We are then required to cooperate in investigations and/or pass on data about you. Sometimes, we also pass on data to Safe at Home (Veilig Thuis).
If we give you a credit or a loan, we also have to pass on data to the BKR in certain cases, for example, regarding the amount of the credit or loan, or if you fail to make a payment on time.
Other service providers
We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as the Dutch Authority for the Financial Markets (AFM), the Dutch Data Protection Authority, the Dutch Central Bank (DNB), the ECB, the Dutch Authority for Consumers and Markets (ACM) or the Dutch tax authority.
As part of the Code of Conduct for the Dutch banking sector, we sometimes have to provide personal data to the Foundation for Banking Ethics Enforcement (Stichting Tuchtrecht Banken). If you submit a complaint to the Financial Services Complaints Tribunal “Kifid”, a court or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), it may also be necessary to provide your personal data. For example, to defend your complaint. This also applies if you object directly to the BKR. Sometimes a court determines that we must share certain personal data about you with another person. The law may also stipulate that we must give someone else access to your personal data if the person so requests, e.g. under Article 194 of the Dutch Code of Civil Procedure. We may provide access to another person, another company or another organization. It goes without saying that the relevant statutory requirements must be met.
The Tax and Customs Administration, the police and the Public Prosecutor’s Office may request data from us based on a legal duty or authorization, as may – for example – intelligence services and Employee Insurance Administration Agency (UWV). We are then required to cooperate in investigations and/or pass on data about you. Sometimes, we also pass on data to Safe at Home (Veilig Thuis).
If we give you a credit or a loan, we also have to pass on data to the BKR in certain cases, for example, regarding the amount of the credit or loan, or if you fail to make a payment on time.
Sometimes you can pass on your information yourself or have it passed on to another party. For example:
Intermediaries
If we act as an intermediary, we will exchange personal data. For example, if you take out an insurance policy with an insurer through us, we will share personal data with that insurer. We may also receive data about you from this insurer. We also act as an intermediary for FREO, a lender.
If you take out a mortgage with us through an intermediary, we will receive data about you through your intermediary. You can also use a data sharing app via your intermediary and share your information with us in this way. Examples of such data sharing apps are Ockto and Datakeeper. We then provide your data to this intermediary. At the start of the agreement but also during the term, we can share information with the intermediary. For example, we can let the intermediary know that the end of the fixed-interest period of the mortgage has been reached.
Referrals to other parties
If you agree, we may share your information with other parties. For example, with a provider of non-financial services whose products are shown in the Rabo App or with a debt counselor.
Business partners and our service providers
Sometimes, we engage other companies and organizations. As a result, these other companies process personal data on our instructions. In doing so, these companies act as a processor for Rabobank.
We only engage other companies and organizations if we find these parties sufficiently reliable. We can only engage other companies and organizations if this is in line with the purpose for which we processed your personal data. In addition, they must:
For example, we engage a printing company that produces customer mailings for us. Such a company prints your name and address details on envelopes. We also engage parties who place advertisements in apps and on websites on our behalf, or parties that perform market research on our behalf our store data for us.
These third parties may also be IT suppliers. We may also store your data online (in a cloud) through a third party.
We may also engage other parties as processors to fulfill our own legal obligations in a better way. For example, Rabobank engages a processor to make a better estimate of the number of homes you own. Under the Prevention of Money-Laundering and Terrorist Financing Act, we are obliged to know this.
Transfer to countries outside the European Union (EU)/European Economic Area (EEA)
If we transfer your data to other parties outside the European Union (EU)/European Economic Area (EEA), we will take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. If we make use of a third party located outside the EU/EEA, we will assess to the best of our abilities whether this is sufficiently safe. For some countries, the European Commission has determined that there is an "adequate" level of personal data protection. This applies – for example – to the United Kingdom. For other countries, we use the contractual agreements approved by the European Commission.
In addition, we take additional (safety) measures if necessary.
a. Right to information
With this Privacy Statement, we inform you about what we do with your data. Sometimes we need to provide more information. For example, when we record your data in our incident logs. Then – if permitted – we will inform you separately by letter, by email or by another means of our choosing.
b. Right of access and rectification
You may ask us whether we process personal data relating to you and if so, which data this concerns. In that case, we can give you access to the personal data that relates to you that we process or have processed. or – for example – give you the opportunity to listen back to a conversation. If you feel that your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).
c. Right to erasure of personal data
You may request that we erase data concerning yourself that we have recorded. We are not always obliged to do this, however. And sometimes we are not even allowed to do it. For example, if we still need to retain your data because of legal obligations.
d. Right to restriction
You may request that we temporarily restrict the personal data relating to you that we process. This means that we will temporarily process less personal data relating to you
e. Right to data portability (transferability of data)
You have the right to request that we provide you with data that you previously provided to us in the context of an agreement with us or with your consent, in a structured, machine-readable format or that we transfer such data to another party. If you ask us to transfer data directly to another party, we will only be able to do this if it is technically feasible. Some data you have provided to us can be obtained by you yourself. For example, you can access your transaction details through our online services.
f. Right to object to the processing of your data
If we process your data because we have a legitimate interest in doing so you can object to this, with statement of the reason why you object. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision and the arguments on which we based this decision.
g. Right to object to direct marketing
You have the right to ask us to stop using your data for direct marketing purposes. You have this right even if you only object to being approached through a certain channel. For example, if you want to continue to receive offers via email, but no longer want to be contacted by phone. We will then ensure that you are no longer contacted through that channel.
On www.rabobank.nl/privacy/je-rechten you will find a description of how you can exercise each right. Sometimes you can exercise your rights immediately. For example, you can arrange the right to object to direct marketing yourself in the Rabo App or Rabo Online Banking. If this is not possible, you can submit a request using the online form.
If you have made a request to us, we will answer your request within one month of receiving it.
We may ask that you explain your request in more detail. For example, if you request access to recorded calls, we may ask you to provide search terms, such as the time the call was made and the number from which it was made.
In very specific cases, we may extend the period in which we will respond to a maximum of three months. In that case, we will keep you informed of the progress made on your request.
We may ask you to come to the bank to identify yourself when you make a request to us. For example, in the event of a request for access and data portability. This is because we want to be sure that we are providing your data to the right person. If we are not sure whether we can safely send the data to you, we may also ask you to come to the bank to collect your data.
Sometimes we will be unable to process your request. For example:
In such case, we will let you know if that is allowed.
If we amend your data or erase your data at your request, we will inform you.
If you have a general question or a complaint about the processing of personal data, please contact Rabobank. You can also submit a complaint online at www.rabobank.nl/particulieren/feedback.
We have a Data Protection Officer at the bank. This officer monitors the implementation of and compliance with the General Data Protection Regulation (GDPR). If you are dissatisfied with the way your question or complaint was handled by us, or you want to contact the Data Protection Officer for another reason, you may contact this officer at dpo@rabobank.nl. You can also contact us by post by writing a letter to the Global Privacy Office, for the attention of the Data Protection Officer, Postbus 17100, 3500 HG Utrecht. Of course, you can also submit your question or complaint about the processing of personal data by Rabobank to the Data Protection Authority.
Yes, our Privacy Statement may change. This happens from time to time. The current Privacy Statement applies to all customers. The latest version of our Privacy Statement is always made available online on this page.