Privacy Statement

You share data with us. You do this every time you pay from a Rabobank account, and if you receive money on it. You share data with us if you make use of Rabo App or Rabo Online Banking. You also share data with us if you email us, call us, send us a chat message or visit our websites. You share data with us if you purchase another service from us, such as a mortgage. Sometimes your personal data is shared with us for another reason. If – for example – you transfer a payment to a Rabobank account, we will process your personal data as well. We handle this data with care. This Privacy Statement explains how Rabobank handles your personal data.

Privacy Statement June 2025

Personal data

This is data that directly or indirectly tells something about you, such as your name, address or income. Details about a sole proprietorship, general partnership or professional partnership can be considered personal data as well. This does not apply to the data of a legal entity, such as a private company with limited liability (BV) or a public limited liability company (NV). Details of the contact person or representative of a legal entity, however, are personal data.

Processing

We may collect, view, modify, provide, transfer, retain and delete your personal data. Anything that can be done with personal data is considered processing of personal data.

We process personal data of all those with whom we want to establish a relationship, or have or used to have a relationship. We also process personal data of persons who are not customers of Rabobank. We receive personal data from them directly or via others.

For example:

Everyone who is interested in Rabobank or our products and services and, in that context, provides us with data, e.g. via our website

Anyone who has a product with or through us or uses one of our services; which may also be a product or service that we offer together with another company or organization

Persons who are otherwise affiliated with a company or an organization with whom we want to establish a relationship, or have or have had a business relationship, e.g. employees, directors, stakeholders or ultimate beneficial owners

Collateral providers, e.g. someone who is a guarantor for someone else

Anyone who transfers money to a Rabobank account

Anyone who receives money from a Rabobank account

Someone who visits a Rabobank website

Representatives of our customers. e.g. a director of a business customer

Tenants of our customers

Other persons who are involved in a transaction with our customers or with us.

Sometimes, businesses or organizations provide us with personal data. For example, data of employees, directors, Ultimate Beneficial Owners (UBOs) or other stakeholders. We also collect personal data ourselves, without your company or organization providing it to us. We may request such data from the Commercial Register, for example. We also record this data. We expect you to inform your employees, directors and other stakeholders about this. You can provide them with this Privacy Statement or a link to it, so they can read how we handle their personal data.

That is Coöperatieve Rabobank U.A. This Privacy Statement covers the processing of personal data by Coöperatieve Rabobank U.A. in the Netherlands, and the processing of personal data by the following group entities:

Rabo Groen Bank B.V.

Rabo Vastgoedgroep B.V.

Rabo Lease B.V.

Rabo Environmental Lease B.V.

Rabo Factoring B.V.

Schretlen Estate Management Services B.V.

Data can be exchanged within Rabobank Group. but only if the law allows it. Section 13 of this Privacy Statement explains how data exchange works within Rabobank Group.

To whom does this Privacy Statement not apply?

It does not apply to large (corporate) business customer that fall under Wholesale Banking, for whom separate Privacy Statements are available. Information on Rabobank Wholesale Banking's processing of personal data in the Netherlands can be found at Rabobank.com/privacy. It also contains information on Rabobank's processing of personal data outside the Netherlands. Other subsidiaries and associates of Rabobank Group have separate Privacy Statements. Rabobank employees and applicants in the Netherlands also have their own Privacy Statement, as do the members of Rabobank's local supervisory boards.

Cookies and information documents for other services

Our websites contain information about cookies. Some services have their own, separate Privacy Statement, or a separate information document. In such case, this applies in addition to this Privacy Statement. If we collaborate with another company, or another organization, information about the processing of personal data is sometimes provided by that other company or organization as well.

*Type of data*	*What types of data can this be?*	*What are examples of using this data?*
Data about you	Name, address, date of birth, telephone number, email address, details that appear on the ID, signature, your education, marital status, your gender, whether you have children, and your profession.	• To establish who you are (identification and verification). • To draw up an agreement. • To answer your questions. • To contact you. • To comply with laws and regulations.
Location details	Data showing where you are.	To know where and when you paid with a bank card. We do this to combat fraud.
Financial data and data about and for agreements	Data about your financial situation, about the products you have, about your investment profile, and the data for your financing, such as payslips. Data about your home, such as its energy label and energy consumption. Or about other assets, such as your vehicles if you are a company or organization, or the business premises. Invoices, credit notes, payslips, payment behavior, the value of assets, your credit history, loan capacity, tax status, income and other revenue. Whether you are registered in a credit register and whether you have payment arrears.	• To assess whether a product suits you. If – for example – you have or apply for a mortgage with us, we want to know whether this loan is appropriate. • To identify arrears early. • To meet legal obligations, other reporting obligations and regulators’ expectations. • To comply with our duty of care. • To manage our risks. This is referred to as “risk management”. We manage – for example – our credit risks. • To do research, e.g. by Rabo Research.
Payment and transaction details	Account numbers (IBAN) and other unique bank account details. We process these if – for example – you transfer a payment to a country outside the European Union where bank accounts do not have an IBAN. Details about the person you paid, from whom you received a payment, when a payment was made, and the balance on an account. We can enrich payment and transaction data. For example, by adding a category to it. Or by checking whether there is a recurring payment. We also process data from (digital) debit cards and credit cards, such as the card number.	• To assess whether a product suits you, or still suits you. • To make a payment for you. • To check whether the account number entered matches the name listed on a payment order (IBAN Name Check). • To perform an agreement with you. • To protect you and ourselves. • To assess whether you can continue to pay your loan or credit and to identify payment arrears at an early stage. • To give you insight into your finances. For example, through Insight in the Rabo App. • To develop and apply (risk) models. for example meet the expectations of regulators. • To help you with your financial affairs. • To do research, e.g. by Rabo Research. • To comply with the rules for preventing money laundering and financing terrorism. • To perform 'smart transfers'.
Special categories of personal data, criminal data and Citizen Service Number (BSN)	Health data Biometric data Criminal data Data showing racial or ethnic origin Data about your political preference, religion or trade union membership Citizen Service Number (BSN)	• We use your BSN to pass on your savings and loan details to – among others – the Dutch Tax authority. • We record data about your health. For example, if you are blind and therefore want to receive Braille statements. We will do this if you give us permission. • In the context of payment transactions, special personal data may be insightful. e.g. if you transfer money to a political party, a trade union or a church. • We may also use biometric data, such as a facial scan or a recording of your voice, to establish and verify your identity.
Call recordings, call reports, video calls, chat calls, camera surveillance, email messages, social media data	• Conversations that we have with you and of which we make a report. • CCTV footage we record in a branch office or at the ATM. • Recordings of telephone and video calls. • Messages you post on social media. • For improving our service provision.	• To be able to provide evidence. • To perform agreements. • To train our employees. • To perform checks. • To improve our services. • To secure our bank. • To train applications. This may include applications that help us respond to customer requests, applications that ensure that we can improve our services in a different way, and applications that enable us to work more efficiently, because, for example, they help make summaries of conversations. These may include applications that work on the basis of artificial intelligence, also known as “Artificial Intelligence” or “AI”.
Data that says something about the use of our website, app, and emails	• Cookies • Pixels • IP address • Data about the device you use for interactions with online services or our website. This includes data about the technical performance and usage data of your device, and information on how you use your device, e.g. how you hold your device. • A technique that allows us to distinguish your computer from another computer, which enables us to find out if your computer is being controlled by someone else. With this, we try to protect you from unwanted actions. For example, against changing the contra account of a payment order unnoticed. • Information on how you use your device, e.g. how you hold your device.	• To track your internet behavior on our websites and apps. • To make our websites and apps work properly and safely for you. • To offer personalized messages, ads or banners. • We use analytical cookies (such as Piano Analytics) to improve the websites and apps. We can use these even if you have an adblocker installed. • To prevent fraud and abuse. • To discover and resolve errors in Rabobank apps. • To keep devices up to date and safe. • To improve our products and services.
Data we need to combat fraud. Data we need to protect you and our safety. Data we need to combat money laundering and the financing of terrorism.	• Data that we store in referral registers, sanctions lists, location data, categorized or uncategorized transaction data, identity data, camera images, cookies and IP addresses. • Data about the device you use to use Rabo Online Banking, Rabo Business Banking or other services from us. • Details of the location from which you pay. • Data that you share with us in the context of a mortgage. • Information on how you use your device.	• To check whether you are listed in our internal or external referral register. • To check whether you appear on sanctions lists. • To combat internet fraud, so-called DDoS attacks and botnets. • TTo combat fraud. For example, we measure the way in which you enter a security code in the Rabo App, as this may be an indication of fraud.

We receive your data because you yourself share it with us. This is the case if, for example, you enter into an agreement with us. Or if you leave your details on our website. We also process your data if you use our products and services, e.g. if you make a payment from a Rabobank account, or if you use the Rabo App.

Sometimes we do not obtain your information directly from you. We may – for example – also receive your data from:

Group entities within Rabobank Group, for example:
- To combat fraud, money laundering and terrorist financing.
- To be able to keep our internal records.
- To create calculation models.
- To improve our services.
- As part of our duty of care.

Other (financial) institutions in order to combat fraud, money laundering and financing terrorism.
Read more about this topic under 'What does Rabobank use your personal data for'.

Suppliers or other parties we collaborate with
If you apply for a credit or loan, or have a credit or loan, we will receive data from – for example – the Dutch Credit Registration Office (BKR). Other parties we work with include Calcasa and Dun & Bradstreet. We also receive data from the Land Registry, Company info, Statistics Netherlands (CBS), EDM, Post.nl and the Chamber of Commerce, among others. In addition, we receive data from parties that offer data sharing applications, which provide data about you. These are often referred to as “source data”. This is only possible if you agree to it. Companies like this include Ockto, Datakeeper and I-wise.

Public sources such as public registries, newspapers, the Internet and (public) social media.
This allows us to use these sources to prevent fraud and money laundering, and protect Rabobank. But we also use public sources for relationship management and promotional and marketing purposes.

Another party
Because you have agreed to that party sharing data with us. For example, because you have given permission to another bank or payment service provider to transfer transaction data to us.

Other indirect sources
This is data that we do not obtain directly from you. For example:
- If your employer takes out an insurance policy with us and provides us with your details.
- If your (legal) representative, such as a fiduciary administrator or guardian or a third party you have engaged, discloses information to us. Examples of third parties include a broker appraiser, independent intermediary or tax advisor.
- If we fund a landlord and the landlord provides tenant information to us.
- If a customer has pledged claims to Rabobank and there is personal data on so-called 'debtor lists'.
- If the details of a beneficiary can be seen at the time of payment.

We use and process your personal data to conduct your banking business. Rabobank also offers other services for which personal data is processed. We also do this in collaboration with other companies and organizations. Examples of this include “Cooperative Isolation Budget”. This allows customers with a Rabobank mortgage to – under certain conditions – be eligible for energy advice from an energy consultant. Personal data are also processed when providing such a service. In addition, we process data because this is required by law, because we have a legitimate interest in doing so, or because you have given us your permission to do so.

Legal bases for processing

We may only process your personal data if there is a good reason for doing so. This is referred to as the “basis”. The law on the protection of personal data (the General Data Protection Regulation) specifies the possible bases.

These are the main bases we use:

Processing personal data is necessary to enter into and perform an agreement with you and/or others.

The processing of personal data is necessary to comply with a legal obligation imposed on us.

The processing of personal data is necessary because the bank or others have a “legitimate interest” in processing your data. Our interest in using your personal data then outweighs your right to privacy.

Because you have given your consent for the processing of personal data.

Balance of interests

In this context, it is explained that “legitimate interest” is one of the bases for the processing of personal data. If we use “legitimate interest” as the legal basis for processing your data, we will balance Rabobank's interests or those of a third party against your right to privacy. Examples of our interests include the following:

We protect our own financial position We do this by – for example – assessing whether you can repay your loan, or if we want to resell your loan or other obligations.

We combat fraud, money laundering and the financing of terrorism in order to prevent us or other persons, companies and organizations from being harmed, or to prevent damage to the financial sector. Our internal records must be in order. We must take measures within the framework of business management, and need to check our internal processes.

We do statistical research. This research is performed by – among others – our own research department. This department is called “Rabo Research”. This department measures, for example, economic developments. We also carry out research for internal control purposes, and to be able to – for example – answer questions from regulators.

We create models and calculate risk scores. We do this to assess whether you can repay your credit or loan. And to determine the level of buffers that we as a bank must maintain.

We transfer claims, merge or acquire companies.

We have an interest in ensuring that our customers are and remain financially sound. This is why we are taking steps to help you. We also try to spot early on that you might have payment problems. Or that you will no longer be able to afford your mortgage in the long term.

We also collect information about customers' sustainability or their efforts to become more sustainable in relation to our services or products, for example, about energy labels of houses. or the energy labels of business premises for which we provide a loan. We do this because we have to report on this because – for example – we have made commitments or have obligations. In addition, we can also use this information when making you an offer. We will – for example – also ask you about your sustainability preferences if you want to invest (asset management or investment advice). We do this so that, to the extent possible, we can take your preferences into account within your portfolio. We also do this because we are obliged to do so.

We record data in our basic systems in order to keep our records and services in order. This allows us to use the same data within the bank.

We have an interest in direct marketing and informing you about new or existing products and services that we think will suit you. You can read more about this topic at “e. Relationship management, promotional and marketing purposes”.

Sometimes the law isn’t clear on exactly what obligations we have when processing your data. Doing so is not an obligation under any law, the law does not apply directly to us, or the law does not apply yet, but we are already taking measures to comply with it. In some of these cases, a regulator requires that we process certain data. In that case, we may also use your data based on legitimate interest.

We weigh our interests or the interests of other people, companies and organizations against your interests and your right to privacy. E.g. by trying to see if there are other ways to achieve the same goal, And whether we really need all that data. If we want to use sensitive data, or data on vulnerable people or children, your right to privacy will be more likely to prevail, and we will be less likely to use your data based on a legitimate interest.

We also have an interest in keeping the financial sector healthy. We therefore use data on the basis of a legitimate interest. A few examples:

An IBAN Name Check to reduce the chances of you becoming a victim of fraud.

Making telephone (video) chat and image recordings for investigating fraud and improving the quality of the service provision. Both when you call us and when we call you. This helps us to properly train and coach employees.

When you apply for a credit or loan, we often perform a check with the Dutch Credit Registration Office (BKR). This helps us in the prudent granting of credit.

We also sometimes process your data because someone else has a “legitimate interest” in this. For example, if someone has inadvertently transferred money to you and you do not want to pay it back. Or if someone has transferred money to you but you are not supplying any products. Then, in some cases, we may pass on your information to the person who (accidentally) transferred money to you.

If we process your data because we have a legitimate interest in doing so, and you think your interests outweigh this interest, you can object to this processing. You can read how to do this at 'What rights do you have with us?'

Purpose of processing

In addition to a basis, we always have a purpose when processing personal data. Below we explain what goals these are and give examples.

a. Establishing a relationship and entering into an agreement

If you want to become our customer, if you contact us or if you are already a customer and request a new product, we will need and process your personal data.
For example, we do investigate to assess whether we can accept you or your organization as a customer. That is why we research you. This also applies if you are the legal representative of someone else or of an organization. Or if you are the “ultimate beneficial owner” (UBO) of an organization. Depending on our assessment of your risk profile, we are required to ask additional and more detailed questions in order to build a proper customer file. When you become a customer, we establish – for almost all products – your identity in order to comply with our legal obligations. When doing so, we may make a copy of your ID. This may also be a digital copy.

We use the copy of your ID for establishing and verifying your identity. If you agree, we also use biometric data, such as a face scan or voice recognition, to identify and/or verify your identity. Sometimes, you can also choose to have your identity established and verified remotely. In such case, we will ask that you scan your ID and make a video of yourself.

We consult our Internal Referral Register (the IVR) and external referral registers for the financial sector (the EVR and the register of the Foundation for the Prevention of Mortgage Fraud, SFH). We also check that you are not on any national or international sanction lists. and check your passport details in the VIS. This enables us to check that your passport is genuine.

We assess whether the requested product or service is suitable for you. For example, we assess whether we can provide you with a credit facility. When making this assessment, we also use data that we obtain from other parties, such as the BKR or Calcasa.

We perform analyses to assess whether we can provide you with a loan or another product. For example, to assess whether you can repay a loan. In some cases we have to do this, because, for example, we are required to do so under Dutch or European laws and regulations.

If necessary, we will calculate your credit score. For this purpose we use, for example, your balance data or the number of times a direct debit is reversed. We can also see if you are using your credit and how much you are withdrawing. Sometimes, we are required to use these credit scores when deciding whether or not to grant you a credit, to calculate the price you will have to pay for professional funding and to identify arrears at an early stage.
We use models to determine the price of a business loan. These models help us determine the risk associated with a loan. The risk associated with a business loan plays a role in its price.

To make sure a product suits you well, we sometimes use a profile. For example, when you apply for a mortgage or a loan. We have looked into the characteristics of customers with payment arrears. We can also use data from external parties such as BKR. This allows us to develop models that we can use when you apply for a mortgage or a loan. If that model shows that you run a higher risk, then we may decide not to give you a mortgage or loan. or discuss alternatives with you.

To assess whether or not we can offer you a mortgage, we collect data about you and the home you want to buy, such as your income data, a valuation report of your new home and its energy label. We can also request this data from you during the term of the agreement, for example, if you apply for an increase in your mortgage.

If you apply for product, such as a loan, or want to start investing, we may also consider information about other products you have with us, such as a payment account or savings account, when reviewing the application. We do this by – for example – checking how much money is in your savings account.

b. Performing agreements and orders

If you are a customer with us, we like to properly perform the orders received and agreements concluded. We have, after all, agreed this with you. When doing so, we process personal data.

Are you making a payment? Then we will transfer your data to another bank, if it is involved in the payment. Sometimes another party is also involved, such as Currence iDEAL BV if you’re making an iDEAL payment. In the future, this will also include EPI, the company behind Wero. Wero is the European successor to iDEAL. The recipient (beneficiary) of the payment will be able to see and record your payment details as well. A person making a payment can inquire about certain details of the account from which or to which a payment has been transferred. This also applies to someone who is a recipient of a payment.

If you contact us, for example by telephone, we can ask additional questions to verify who you are. These questions may relate to personal data known to us about you. This is how we reduce the chances of you becoming a victim of fraud.

If you issue a payment order, we can perform the IBAN Name Check. We use this check to see whether the IBAN you have entered when making a payment using online banking or mobile banking matches the name we have on record. If this is not the case, you will receive a notification. You can then decide whether to amend the payment order or issue it anyway. In the future, we will also offer the IBAN Name Check if you make a payment via Rabofoon or via an employee of the bank.

If you make use of the switching service ('overstapservice'), we will forward the credits to the new bank. You will receive an account statement with an overview of all transfers made. We may use the services of other companies to ensure that debits and credits go to the correct account. If you make use of the switching service ('overstapservice'), and your account with Rabobank is the new account, we can show someone who pays via Rabo Online Banking a notification of this.

When you become a member of our cooperative, we record your personal data. In addition, we sometimes record your preferences concerning matters such as meetings. We also keep track of which initiatives you participate in through the member section of the Rabo App. For example, if you vote for a club as part of Club Support, then we record that data as well.

We may retain telephone and video calls, chat sessions, email traffic, and camera images. In some cases, we are actually required to keep them. We do this, for example, to prove that you have placed a particular investment order. We also record data because we are required to do so by law, and to provide evidence.

We will inform you about the transactions in your bank accounts and with your credit card, and about changes in your credit or financing. Or, if you are at risk of falling behind on your payments, we will contact you to look for a solution. At your request, we will pass on your data to other companies and organizations – for example, if you use iDIN, or if you share data with another payment service provider. Or if you want to create a user profile with iDEAL or already have such a user profile. Such other company or organization is responsible for the way in which it handles your personal data itself. Please refer to the Privacy Statement of the other company or organization if you would like to know more about this. You can also have a Wero profile in the future. Wero is the European successor to iDEAL. And also a Click-to-Pay profile. You can use this profile for online payments with a debit card or credit card.

Do we act as an intermediary for another service provider, such as an insurer or authorized agent? We will then exchange data in order to carry out our work.

Do you use the iDEAL user profile to share your address details with a retailer? Your data will also be processed by the retailer's bank or payment service provider. We may be the retailer's bank as well. This will also apply to the Wero profile and the Click-to-Pay profile in the future.

We add categories to your transaction data and ascertain whether there is a recurring payment. This way you can see your expenditures and what fixed expenses you have each month. In addition, you will receive an annual overview from us, the Rabo Recap. We also use the categories to make smart transfers possible.
You can choose not to see these insights in the Rabo App or Rabo Online Banking. Or you can object. See the “Who can you contact if you have a question or complaint?” section to find out how to do this. If you want, you can also set a budget. This allows you to see how much you have already spent in a particular category. If we should wish to use the categories and information added to transaction data for other applications, we will verify that this is permitted, or ask for your permission first.

You can create a piggy bank in the Rabo App and Rabo Online Banking. If you set a savings target, we will save that.

To make sure a product suits you well and remains suitable for you, we sometimes use a profile. We have conducted research on the characteristics of customers with payment arrears, as part of which we may also use data from external parties such as the BKR. With this we develop models that we can use during the term of a mortgage or loan. If that model shows that you run a higher risk based on your profile, and if you already have a mortgage or loan, we may contact you to discuss your existing mortgage or loan with you.

We can also collect information about our customers' sustainability or their efforts to become more sustainable in relation to our services or products. We may, for example, collect information about energy labels for houses, in order to be able to assess whether you are eligible for the sustainability discount.

If you are a private customer and make a payment with a debit card or credit card in an EU currency other than the euro, you will receive a message from us with information about the costs of such payments.

c. Your, the bank’s and the financial sector’s security and integrity

We process your personal data to ensure your security and ours, as well as the security of the financial sector. We also aim to prevent fraud, money laundering and the financing of terrorism.

Customer due diligence

The start of the customer relationship is not the only time we investigate whether we can accept you as a customer. We also need to investigate whether you can remain a customer of ours during the customer relationship. We may carry out these types of customer due diligence for other (financial) institutions, for example at the request of an insurer or a part of Rabobank Group, or we share the outcome with another part of Rabobank Group. Sometimes we also share data with other (financial) institutions so that the institution itself can fulfill its legal obligations. For this purpose, we process your personal data, but possibly also the personal data of third parties with whom you do business. For example, the transaction history of your account may warrant further investigation. Or the people you do business with or the industry you work in. Depending on our assessment of your risk profile, we are required to ask additional and more detailed questions in order to build a proper customer file (and you are required to answer these).

Incident registers and alert systems

To protect the security and integrity of customers, Rabobank and the financial sector from fraud and money laundering, among other things, banks must take protective measures. One of these measures is

the use of our own internal alert system (the Internal Referral Register, IVR) and that of the financial sector (the External Referral Register, EVR) and the register of the Foundation for Mortgage Fraud Prevention (Stichting Fraudebestrijding Hypotheken, SFH).

Events that attract our bank’s attention are called an “incident” and we record them in our “Incident Register”. An Internal Referral Register (IVR) is linked to the Incident Register. Your identifying information is included here if we want to be extra alert and issue alerts internally within the Rabobank Group. For example, in the areas of fraud, mandatory customer due diligence, terrorist financing and money laundering. We do not save your information just like that. We only do so after checking whether this is in line with our internal rules and is allowed under the law. For the IVR and EVR, only employees of our security departments and a limited number of other employees have access to that data.

Sometimes an incident is so serious that we want to issue an alert not only within the Rabobank Group, but also to other banks and other financial institutions. In this case, your information may be included in the Incidents Register, the External Referral Register (EVR) or the Foundation for Mortgage Fraud Prevention’s register. Saving your data in these registers is only allowed if it follows the rules of the Financial Institutions Incident Alert System Protocol (PIFI). These rules have been approved by the Dutch Data Protection Authority.

If we record your data in these registers, we will inform you of that. We will also inform you of our reason for doing this and how long the data will be recorded, except if that is not allowed because – for example – the police has asked that we not inform you in the interest of their investigation. If you do not agree with the recording of your data, you can lodge an objection or request that your data be corrected or deleted.

We consult these records when you become our customer, as well as when you already are our customer. Not all bank employees consult the data in these registers themselves. If a bank teller checks the IVR or EVR, the person performing the check will only see that there is something in the register, but not why someone is included in the IVR or the EVR. If there is such an indication that there is something in the register, the person performing the check must always contact his security department for advice. If necessary according to the EVR, Rabobank’s Security Department will consult with a security department of another Financial Institutions Incident Alert System Protocol (PIFI) participant regarding the nature of the registration.

Rabobank’s Security Department will assess whether the customer is allowed to have a particular product or use a particular service based on the information contained in the department’s own records or the Incident Register. Rabobank’s Security Department may share information, as recorded in the Incident Register, with other financial institutions. The Security Department may also receive information from another financial institution’s security department. We only do this if we are allowed to do so under the PIFI.

In addition, we receive lists from governments (e.g. sanctions lists) of individuals whom we have to record in our alert registers. Financial institutions are not permitted to not do business with these individuals, or these individuals require additional attention from the financial sector.

Public sources

We consult sources such as public registers, newspapers, the Internet and public profiles of your social media to prevent fraud and protect the bank. We may also – in order to prevent fraud and money laundering – consult and analyze information from public websites, in an automated manner or otherwise. We can search for information from public sources such as registers, newspapers, social media and the internet, such as information on Facebook or LinkedIn, or information we find through search engines. We do this for – among other things – security reasons, e.g. to comply with the rules against money laundering and the financing of terrorism.

Fraud, terrorist financing and money laundering

In order to prevent fraud, terrorist financing and money laundering, and to protect both you and us, we conduct analyses. These analyses enable us to create a profile of your usual (payment) behavior to reduce fraud, money laundering or misuse of debit and credit cards. If the behavior deviates from your usual payment behavior or there are other indications of – for example – fraud, this may be a reason to block or suspend payments fully automatically. Or to block your checking account. Once we have done this, we will contact you as soon as possible.

Sometimes we also use data that you have not provided to us in the context of fraud prevention. For example, the transaction history on your account or the characteristics of the device that you use for online banking. The Dutch Central Bank also requires us to use all kinds of data to prevent money laundering and terrorist financing.

For the prevention of fraud, we can perform an IBAN Name Check. We use this check to see whether the number you have entered when making a payment through Rabo Online Banking matches the name we have on record. If this is not the case, you will receive a notification from us. You can then decide whether to amend the payment order or issue it anyway. We may also carry out this IBAN Name Check for other parties in connection with preventing, detecting and combating misuse of the payment system. These other parties may also be established abroad.

As part of our efforts aimed at combating cybercrime and hacking, we transfer information relating to you to other organizations that fight cybercrime. e.g. companies that help us combat so-called DDOS attacks. We will do this if we find that your security or the security of the financial sector could be in danger. We only do this if we have made agreements with these other organizations with regard to the careful use of your data.

We make recordings of telephone conversations, email messages, camera images and chat sessions, for example, and may document these recordings. We do this in the context of – among other things – fraud investigation. Examples include the camera images we create to detect and prevent fraud involving debit cards and credit cards.

d. Developing and improving products and services

We are constantly improving our products and services. We do this for ourselves, for our customers and for other parties.

We also process data when analyzing your visits to our websites and app. For example, we use cookies to improve our websites and apps. We also use the search terms used for this purpose.

You can change the category of a payment in the Rabo App and Rabo Online Banking. If you change the category of a payment, we can also use that information to improve our model.

Of course, we want to prevent you from getting behind on your payments. Or being at risk of getting into financial trouble. For this purpose, we use your data in models in which we look at your situation and may compare it with other customers. Or we may use your transaction data, reversals or other data that can help prevent payment arrears in good time. We can also do this because a regulator requests that we do so. If we anticipate that you may have financial problems, we will be happy to make efforts to help you. We do this by drawing your attention to possible financial problems in the future, and by providing you with information on organizations that can help you organize your financial records.

We also conduct research to improve our products and services. For example, we may ask you to comment on a product. Or to review a product. You do not have to participate in such research.

In the Rabo App, we offer a test environment in which we conduct experiments. We conduct these experiments to develop products and services. As part of such an experiment, personal data is also processed. You decide whether or not to participate in experiments.

We test whether a new or updated service or application works properly, and sometimes use customer data for this purpose.

Sometimes we ask other parties to process your data, for example for customer due diligence. These other parties then act on our behalf. We will first conclude agreements with these parties about the use of your data.

e. Relationship management, promotional and marketing purposes

We process your personal data for relationship management, promotion and marketing. For these purposes, we use data that we have about you, such as your balance details, transaction data or data that we receive indirectly through cookies, such as your clicking behavior on our website. We also use data that has not been obtained directly from you, such as public registers (e.g. the Chamber of Commerce), public sources (such as the Internet) and other parties (such as data brokers).

We may use your data to inform you about a product that may be of interest to you. This may be a Rabobank product, or one offered by one of Rabobank's group entities or other companies or organizations. For example, if you take out a mortgage with us, we may contact you to inform you about insurance products. We will only share your data with another company or organization for marketing purposes if you agree to that.

If we use email in campaigns, we can keep track of whether you open the e-mail, and on which links you click. We use this data to see if a campaign is successful.

For purposes of marketing and relationship management, we create analyses and profiles. For example, we can combine the products you currently have with the bank with data about your visit to our website, so that we can display information that is relevant to you. If you accept cookies, then we can show personalized offers through banners on our website or a notification in the Rabo App or Rabo Online Banking, for example. We also use these profiles for marketing communications, for example to inform you about an insurance product if you have taken out a mortgage with us. When performing these analyses, we sometimes also use information we have received from other parties. You can always object to the use of your personal data for these analyses.

We also use advertiser services to place advertisements on external websites. These advertisements are then intended for a specific target group or people with a specific profile. We never share personal data of individual customers with such advertisers.

We process your data in collaboration with providers of social network services if – for example – you post comments, videos, photos, likes and public messages on our corporate social media pages, as well as when you post comments about Rabobank on a website or social network that is not operated by us. We use your information for posting a comment, sharing information or answering questions. For the processing of data by the provider of social media and other network services, please refer to the website of these providers. We follow posts and responses about Rabobank on social media.

We may create and use analytics and profiles to provide our customers with insights for the purpose of benchmark studies. This way, a business relationship of ours can determine how it performs compared to competitors. If we use your data for this purpose, we will pseudonymize it as much as possible. And this data will only be available to employees within the bank who conduct the study. The business customer does not receive any customer information.

If you do not want us to use your information for direct marketing by mail, email, phone, the Rabo App or online banking, please go to www.rabobank.com/privacy/je-rechten.

You can read how to opt out of direct marketing under "Right to object to direct marketing".

f. Entering into and performing agreements with vendors and other parties we work with

If you have contact with us for your work, we may process your personal data. For example, to establish whether you are permitted to represent your business, or to give you access to our offices, our online services or applications. Where necessary, we consult incident registers and alert systems. We do this prior to and during the term of the agreement. This is called “screening”. We may also process your personal data to manage our business relationships with you if – for example – we invite you to a meeting or ask your opinion about our products and services.

g. Complying with legal obligations

Legislation

Under various national and international laws and regulations, we have to collect and analyze a large amount of data relating to you and sometimes transfer such information to European and other government authorities. We have to comply with legislation, such as the Dutch Financial Supervision Act, in order to be permitted to offer you financial products and services. We also process personal data to fulfil the duty of care. And if you have a loan for which you have been behind on payments for some time or have a residual debt with us, we can pass this information on to the Dutch Credit Registration Office (BKR).

In addition, we have to comply with legislation aimed at combating fraud, money laundering and terrorism, such as the Prevention of Money-Laundering and Terrorist Financing Act (Dutch Wwft). Under this law, we have to establish who is the ultimate beneficial owner (UBO) of a business or organization with which we have a business relationship. We do this by conducting customer due diligence. We also perform customer due diligence if you have assets, and if there is an unusual transaction in your account. We have to report an unusual transaction to the competent investigative authority. We may cooperate with other banks in this regard.

When accepting business customers, we are obliged to check who is the ultimate beneficial owner of an organization. We do this with the UBO register kept by the Chamber of Commerce, if this is available. Is the information we have does not match the data recorded in the UBO register, we have to report the differences to the Chamber of Commerce.

The tax authority, the police and the public prosecution service, but also intelligence services, for example, may request data from us. If they do this, we are required by law to cooperate in the investigation and transfer data relating to you. We may also enter into partnerships with, for example, the police and the Public Prosecution Service in order to combat (large-scale) fraud, money laundering and terrorist financing.

Risk models

European rules require that we draw up risk models if you apply for a loan or credit or if you have received a loan or credit from us. Using these models we determine what risks we face and the size of the buffer we have to maintain. For this purpose, we process your personal data within Rabobank Group.

We are required by law to use these (risk) models before we offer you a loan or credit and if you want to change anything in your loan or credit. And we use these (risk) models during the term of a loan or credit. To create these models, we use – among other things – transaction data from your payment account or current account in order to – for example – determine with you whether you will be able to afford the loan after you retire. We use these models to – among other things – to prevent you from not being able to repay your loan or not being able to repay it on time. We also use them to determine the price of a business loan. We can do this on the basis of profiles, and using techniques that make the decisions (almost) fully automated.

These (risk) models also predict the likelihood of your falling behind on your payments. This enables us to prevent or deal more quickly with any payment problems, for example in consultation with you. We will then process your personal data for this purpose. We do this because it enables us to perform the agreement with you and because we are legally obliged to do so, but also because we have a “legitimate interest” in doing so.

Providing data to the government

Laws and regulations may require that we transfer data (analyzed or otherwise) relating to you to a government institution, a tax authority or a regulator within or outside the Netherlands, such as the Netherlands Authority for the Financial Markets (AFM), the European Central Bank (ECB) or the Dutch Central Bank (De Nederlandsche Bank, DNB). For example, we have to provide data to investigative authorities and the tax authority, among others, through the banking data referral portal. We must also share data with the Employee Insurance Administration Agency (UWV).

As we have to comply with legal obligations and treaties, we sometimes have to provide data relating to you to the Dutch tax authorities or a foreign tax authority. For example, the tax authority may request data from us in the context of a payment claim or under FATCA or the Common Reporting Standards. The FATCA and the Common Reporting Standards (CRS) provide for the exchange of information between tax authorities of different countries.

If an account holder is a beneficiary of 26 or more international payments per quarter, we will provide their details to the Dutch tax authority. The various tax authorities will combine the information into a European database managed by the European Commission.

Making and documenting recordings

We make recordings of, for example, telephone conversations, email messages, camera images and online chat sessions or CCTV images at offices and ATMs and may document these recordings. We do this to comply with legal obligations, for example in the context of investment services.

h. For implementing business processes, management reporting and internal management

Record-keeping and data management

We want to conduct our record-keeping and data management in an efficient manner and improve our data quality. There are legal obligations for banks to properly organize records and data management. It also allows data to be used for more applications, without differences between the data in different applications. We compare and combine customer data from different sources to get a more complete picture of you. This may also include information about you at other parts of Rabobank Group, if this is permitted by law. By means of these so-called “knowledge graphs”, we gain a better understanding of the relationship between data. We can use these insights to combat fraud and money laundering. We can also use these insights to improve our products and services, or to work more efficiently.

Know your customer

As a service provider, we believe it is important and necessary to have a good overview of our customer relationships. That includes knowing who you work with. We process data about you, but potentially also about other people, companies and organizations with whom you do business for that purpose as well.

Identifying credit risk in loans and credits

Lending involves credit risk. We need to establish what that risk is so that we can determine the financial buffers we need to maintain. To this end, we process your loan, credit and transaction information, for example. In the future, we will also have to pay more and more attention to the sustainability risks.

Transfer of claims and contract takeovers

Sometimes we transfer claims that we have against you, such as, for example, your mortgage loan, to another party. Personal data is processed as part of such transfers. We may need to make your personal data available to a potential acquisition candidate prior to such a transfer. Once the claims have been transferred, that other party will also process your personal data. We agree with such other party that it has to comply with personal data protection laws and regulations. This also applies in the event of a contract takeover, merger or demerger.

Audits and investigations

We also use your data for research. This may be an internal investigation, or an investigation by another company we have engaged. For example, to investigate whether new rules have been properly implemented, to determine whether our customers have suffered losses, or to identify risks.

Reporting and our own business processes

We also use data to map out and improve our business processes. and to create management reports so that we can better help you or make our processes more efficient. We also need to have the models we use validated. We also create reports to report externally on the sustainability of our clients. If we can, we will first pseudonymize your data.

We also make recordings and can save them – for example – telephone conversations, email messages, camera images and chat sessions, and may document these recordings. We do this for e.g. quality control and to train and coach our employees. For example, by letting them observe colleagues.

i. For archiving, scientific or historical research or for statistical purposes

We may also process your personal data if this is necessary for archiving purposes in the public interest, for scientific or historical research. and for statistical research or other statistical purposes. We also conducts research to determine and improve our position in the market. This is done by our own research department, among others. This department is called “Rabo Research”. This department measures – for example – economic developments. and also publishes about this.

We do not retain your data longer than necessary for the purposes for which we collected it or the purposes for which we reuse it. In the Netherlands, this is usually for seven years following the termination of the relevant agreement or the ending of your business relationship with Rabobank. Sometimes this period may be longer, – for example – a regulator, the police or the Public Prosecution Service. Sometimes we use shorter retention periods. For example, we usually retain data relating to a payment order for only two years, conversation recordings and camera recordings are usually retained for 6 months and 4 weeks, respectively. But sometimes, we have to keep these for longer, e.g. in the case of investment services

We may keep data longer in special situations. We will do this if, for example, the judicial authorities request camera images, in which case we will keep the images for longer than four weeks. Or if you have submitted a complaint as a result of which the underlying data have to be retained for longer.

If we no longer need the data for the purposes described in Chapter 6, we may still retain the data for archiving purposes. In such case, the data can be used in legal proceedings, and for historical or scientific research or statistical purposes.

Special categories of personal data, criminal data and Citizen Service Numbers (BSNs) are sensitive data. Special categories of personal data include data about your health, biometric data, ethnic data or data concerning race, for example. For some services, you can use your fingerprint, voice recognition or a facial scan. These are biometric data used for identification and in intermediate checks.

We process special categories of personal data where this is permitted by law, because you have made the relevant data public yourself, or because we have your consent. For example, if you ask us to record that you are blind and want to receive Braille bank statements. We will then ask your permission to record this data.

Special personal data may be disclosed in the context of payment transactions. For example, if you transfer money to a political party, this will be visible in the account information. We are required to provide this account information, and in some cases, it is also visible to other parties. For example, an account information service provider, if you have engaged one.

If you give us your consent to record special categories of personal data relating to you, or you have made this information public yourself, we will only process such information if this is necessary for the provision of our services. You can withdraw your consent for recording at any time. Please contact us in order to do so.

We only process data from children under the age of 16 if they purchase a product from us, and if the data is provided to us in the context of a product. If necessary, we will seek the legal representative’s permission to process children’s data. When a payment is made to a Rabobank account from an account of a minor at another bank, data of that minor is also processed in the context of payment transactions.

We participate in incident registers and alert systems of the financial sector and process criminal data for this purpose. We do this to protect our interests and those of financial institutions and their customers, for example by detecting and recording cases of fraud.

We will only use your BSN if this is permitted by law, for example, in order to pass on your savings balance or the amount of your loan to the Dutch tax authority. And also in the implementation of the Deposit Guarantee Scheme.

Automatic decisions are decisions about you made by computers instead of humans. If a decision adversely affects you, we are not allowed to make an automated decision about you. Except if this is necessary as part of an agreement of the bank, if it is permitted by the law or if you yourself give permission. In those situations, you have the right to consult with someone at the bank. And you have the right to object. You can also ask us to stop having the decision made by computers.

In the following situations, we sometimes use these fully automated decisions that affect you. This can also have negative consequences:

when granting a credit or loan, we can make an automated decision whether or not to grant you the credit or loan.

in the event of a payment that deviates from your usual payment pattern, we may use fully automated decision-making to stop a payment (temporarily or otherwise) or to block the account. We do this to prevent fraud with your account. If a payment is stopped or an account blocked, we will contact you about this as soon as possible.

Rabobank uses artificial intelligence, for example, to make reports of customer conversations. Artificial intelligence is also used to support employees during conversations, e.g., to offer employees suggestions on how to answer customers' questions. Artificial intelligence can also be used to classify documents. Artificial intelligence can, for example, be used to recognize a payslip, and help to 'read' the contents. Artificial intelligence is also used in the creation and application of models, such as risk models, and when conducting customer due diligence.

a. Within Rabobank Group

Your personal data may be exchanged between business units of the Rabobank Group. For example because you ask us to do this, or because you also purchase a product from another unit of Rabobank. Data that establishes your identity may also be used by another unit of Rabobank with which you want to do business. We may also exchange your data in the context of fraud prevention, for the prevention of money laundering, risk management, internal administration, to improve the provision of our services to you and in the context of the duty of care.

Business units of Rabobank Group are sometimes located in countries outside the European Union where less stringent privacy rules apply. If we share your data with units of Rabobank Group in which Rabobank has a controlling interest, Rabobank’s so-called binding company rules will apply in these cases. These are also referred to as the “Binding Corporate Rules”. More information about this can be found on our website.

b. Outside Rabobank Group

Your data is also transferred to other parties outside Rabobank if we are required to do so by law, but also within the framework of performing an agreement with you or because we are engaging another service provider.

If we transfer data to another party that is responsible for the processing of personal data itself, such a party will be under the supervision of their own data protection supervisor. This can be the Dutch regulator but also a foreign one.

Competent (public) authorities

We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as the Dutch Authority for the Financial Markets (AFM), the Dutch Data Protection Authority, the Dutch Central Bank (DNB), the ECB, the Dutch Authority for Consumers and Markets (ACM) or the Dutch tax authority.

As part of the Code of Conduct for the Dutch banking sector, we sometimes have to provide personal data to the Foundation for Banking Ethics Enforcement (Stichting Tuchtrecht Banken). If you submit a complaint to the Financial Services Complaints Tribunal “Kifid”, a court or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), it may also be necessary to provide your personal data. For example, to defend your complaint. This also applies if you object directly to the BKR. Sometimes a court determines that we must share certain personal data about you with another person. The law may also stipulate that we must give someone else access to your personal data if the person so requests, e.g. under Article 194 of the Dutch Code of Civil Procedure. We may provide access to another person, another company or another organization. It goes without saying that the relevant statutory requirements must be met.

The Tax and Customs Administration, the police and the Public Prosecutor’s Office may request data from us based on a legal duty or authorization, as may – for example – intelligence services and Employee Insurance Administration Agency (UWV). We are then required to cooperate in investigations and/or pass on data about you. Sometimes, we also pass on data to Safe at Home (Veilig Thuis).

If we give you a credit or a loan, we also have to pass on data to the BKR in certain cases, for example, regarding the amount of the credit or loan, or if you fail to make a payment on time.

Other service providers

If we give you a credit or a loan, we also have to pass on data to the BKR in certain cases, for example, regarding the amount of the credit or loan, or if you fail to make a payment on time.

Sometimes you can pass on your information yourself or have it passed on to another party. For example:

if you want a third party to be able to verify your identity through iDIN

if you want to provide access to your data to another party, such as an account information service provider that you provide with access to your account

Currence iDEAL B.V., if you want to create an iDEAL user profile

EPI, if you have a Wero profile in the future

Mastercard or Visa, if you have a Click to pay profile

Ease2Pay, if you use parking in the Rabo App;

Ockto, Datakeeper or I-Wise, if we work with those parties to provide source information, other information or documents to us

your energy advice via the energy consultants with whom we work in connection with the Cooperative Isolation Budget

Intermediaries

If we act as an intermediary, we will exchange personal data. For example, if you take out an insurance policy with an insurer through us, we will share personal data with that insurer. We may also receive data about you from this insurer. We also act as an intermediary for FREO, a lender.

If you take out a mortgage with us through an intermediary, we will receive data about you through your intermediary. You can also use a data sharing app via your intermediary and share your information with us in this way. Examples of such data sharing apps are Ockto and Datakeeper. We then provide your data to this intermediary. At the start of the agreement but also during the term, we can share information with the intermediary. For example, we can let the intermediary know that the end of the fixed-interest period of the mortgage has been reached.

Referrals to other parties

If you agree, we may share your information with other parties. For example, with a provider of non-financial services whose products are shown in the Rabo App or with a debt counselor.

Business partners and our service providers

Sometimes, we engage other companies and organizations. As a result, these other companies process personal data on our instructions. In doing so, these companies act as a processor for Rabobank.

We only engage other companies and organizations if we find these parties sufficiently reliable. We can only engage other companies and organizations if this is in line with the purpose for which we processed your personal data. In addition, they must:

make certain arrangements with us, e.g. with regard to confidentiality

take appropriate security measures

cooperate in audits, if we so request

For example, we engage a printing company that produces customer mailings for us. Such a company prints your name and address details on envelopes. We also engage parties who place advertisements in apps and on websites on our behalf, or parties that perform market research on our behalf our store data for us.

These third parties may also be IT suppliers. We may also store your data online (in a cloud) through a third party.

We may also engage other parties as processors to fulfill our own legal obligations in a better way. For example, Rabobank engages a processor to make a better estimate of the number of homes you own. Under the Prevention of Money-Laundering and Terrorist Financing Act, we are obliged to know this.

Transfer to countries outside the European Union (EU)/European Economic Area (EEA)

If we transfer your data to other parties outside the European Union (EU)/European Economic Area (EEA), we will take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. If we make use of a third party located outside the EU/EEA, we will assess to the best of our abilities whether this is sufficiently safe. For some countries, the European Commission has determined that there is an "adequate" level of personal data protection. This applies – for example – to the United Kingdom. For other countries, we use the contractual agreements approved by the European Commission.

In addition, we take additional (safety) measures if necessary.

a. Right to information

With this Privacy Statement, we inform you about what we do with your data. Sometimes we need to provide more information. For example, when we record your data in our incident logs. Then – if permitted – we will inform you separately by letter, by email or by another means of our choosing.

b. Right of access and rectification

You may ask us whether we process personal data relating to you and if so, which data this concerns. In that case, we can give you access to the personal data that relates to you that we process or have processed. or – for example – give you the opportunity to listen back to a conversation. If you feel that your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).

c. Right to erasure of personal data

You may request that we erase data concerning yourself that we have recorded. We are not always obliged to do this, however. And sometimes we are not even allowed to do it. For example, if we still need to retain your data because of legal obligations.

d. Right to restriction

You may request that we temporarily restrict the personal data relating to you that we process. This means that we will temporarily process less personal data relating to you

e. Right to data portability (transferability of data)

You have the right to request that we provide you with data that you previously provided to us in the context of an agreement with us or with your consent, in a structured, machine-readable format or that we transfer such data to another party. If you ask us to transfer data directly to another party, we will only be able to do this if it is technically feasible. Some data you have provided to us can be obtained by you yourself. For example, you can access your transaction details through our online services.

f. Right to object to the processing of your data

If we process your data because we have a legitimate interest in doing so you can object to this, with statement of the reason why you object. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision and the arguments on which we based this decision.

g. Right to object to direct marketing

You have the right to ask us to stop using your data for direct marketing purposes. You have this right even if you only object to being approached through a certain channel. For example, if you want to continue to receive offers via email, but no longer want to be contacted by phone. We will then ensure that you are no longer contacted through that channel.

On www.rabobank.nl/privacy/je-rechten you will find a description of how you can exercise each right. Sometimes you can exercise your rights immediately. For example, you can arrange the right to object to direct marketing yourself in the Rabo App or Rabo Online Banking. If this is not possible, you can submit a request using the online form.

If you have made a request to us, we will answer your request within one month of receiving it.

We may ask that you explain your request in more detail. For example, if you request access to recorded calls, we may ask you to provide search terms, such as the time the call was made and the number from which it was made.

In very specific cases, we may extend the period in which we will respond to a maximum of three months. In that case, we will keep you informed of the progress made on your request.

We may ask you to come to the bank to identify yourself when you make a request to us. For example, in the event of a request for access and data portability. This is because we want to be sure that we are providing your data to the right person. If we are not sure whether we can safely send the data to you, we may also ask you to come to the bank to collect your data.

Sometimes we will be unable to process your request. For example:

Because the rights of others would be violated.

Because this would be against the law or is not permitted by the police, the Public Prosecution Service or any other public authority.

Because we have weighed the relevant interests and determined that the interests of Rabobank or others take precedence.

In such case, we will let you know if that is allowed.

If we amend your data or erase your data at your request, we will inform you.

We have a Data Protection Officer at the bank. This officer monitors the implementation of and compliance with the General Data Protection Regulation (GDPR). If you are dissatisfied with the way your question or complaint was handled by us, or you want to contact the Data Protection Officer for another reason, you may contact this officer at dpo@rabobank.nl. You can also contact us by post by writing a letter to the Global Privacy Office, for the attention of the Data Protection Officer, Postbus 17100, 3500 HG Utrecht. Of course, you can also submit your question or complaint about the processing of personal data by Rabobank to the Data Protection Authority.

Downloads

Privacy Statement 2025 ENG

Products

Themes

Our Bank

Help

Privacy Statement

Privacy Statement June 2025

What is personal data processing?

Whose personal data does Rabobank process?

What does Rabobank expect from businesses and organizations?

Who is responsible for processing your personal data?

What personal data does Rabobank process?

How does Rabobank obtain your personal data?

What does Rabobank use your personal data for?

How long does Rabobank retain your personal data?

Does Rabobank also process special categories of personal data, children’s data, criminal data and the Citizen Service Number (BSN)?

Does Rabobank make automated decisions about you?

Does Rabobank use artificial intelligence as well?

Who has access to your data?

Does Rabobank use personal data for other purposes as well?

Does Rabobank transfer your personal data to others and to other countries outside the EU?

What rights do you have with Rabobank?

How can you exercise your rights?

Who can you contact if you have a question or complaint?

What can you contact our Data Protection Officer for?

Can Rabobank amend this Privacy Statement?

Downloads

Previous versions Privacy Statement

Privacy Statement October 2023

Privacy Statement July 2022

Privacy Statement July 2021

Privacy Statement May 2020

Privacy Statement June 2019

Privacy Statement July 2018