Privacy statement

This privacy statement explains how BNG handles your personal data. We describe what data we collect, why we collect it and how we use it. We also inform you about your privacy rights and how you can exercise them.

This privacy statement applies to the processing of personal data by BNG Bank N.V. and BNG Gebiedsontwikkeling B.V. (hereinafter: BNG). BNG is the “Controller” as referred to in the General Data Protection Regulation (GDPR).

Contact information

If you have any questions about how we process your personal data after reading this privacy statement, please contact our Privacy Office:

• By email: privacy-office@bngbank.nl
• By post: BNG, t.a.v. Privacy Office, Postbus 30305, 2500 GH Den Haag

All other contact details for BNG can be found here.

Key terms

In this privacy statement, we use a number of key terms, such as ‘personal data’, ‘data subject’, ‘processing’ and ‘controller’. You can read what these mean here.

Your privacy rights

When we process your personal data, you have several rights. Would you like to know what these rights are and how you can exercise them? You can find an overview of your privacy rights here, including how to submit a request. 

Which personal data do we process and why?

Would you like to know which personal data we process and why? Select your situation below to view the details about the purposes of processing and the legal basis.

I am a:

• (Potential) client or a person related to a client – such as a contact person, director, representative or (pseudo) ultimate beneficial owner (UBO) – with whom BNG has or has previously had a business relationship.
• Person making or receiving a payment from a BNG bank account
• Visitor to the BNG office
• Visitor to the BNG website
• Participant in a webinar, seminar or event organised by BNG
• Job applicant
• Former BNG employee
• Reporter regarding an irregularity (violation of integrity or wrongdoing)

With whom do we share personal data?

Internal

Within BNG, employees only have access to your personal data when this is necessary for the performance of their job and based on proper authorization. These employees took the banker's oath and are bound by a strict duty of confidentiality.

External

We may share your personal data with external parties in a number of situations. Examples of situations where we share data include:

• performing our services, such as engaging service providers for technical infrastructure, payment traffic, identification of legal representatives or screening in the context of client due diligence;
• professional and legal support, for example from accountants, lawyers or other advisors;
• compliance with legal obligations, such as providing data to regulators or the Tax and Customs Administration;
• recruitment and selection processes, in which external parties support us in recruitment and pre-employment screening;
• reports of integrity violations or wrongdoing, in which external reporting channels or experts may be involved;
• the exchange of reference data within the framework of the External Referral Register (EVR), which allows financial institutions to check under strict conditions whether a person appears in the EVR;
• security and facility services, such as security system suppliers, caterers and printed matter.

We make clear agreements with all parties about the processing and security of personal data.

Would you like to know more about the external parties with whom we may share your personal data? Please read the full explanation here.

Other banks or entities involved in payment transactions

When making or receiving payments through your BNG account, your personal data is also processed by other banks or parties in the payment chain. We only provide the information necessary for the execution of the payment. These parties are themselves controllers for the use of your personal data and for complying with privacy regulations.

How do we determine the retention period for personal data?

We do not store your personal data for longer than is necessary for the purpose for which we collected it. If a statutory retention obligation applies, we apply the prescribed periods.

The retention period depends on the nature of the data, the type of document in which it is recorded, the purpose of the processing and any legal retention periods that BNG must comply with. As a result, retention periods may vary for each processing purpose.

Examples of retention periods:

• Administrative data: for many types of administrative data, such as agreements with our clients and invoices, a statutory retention period of 7 years applies, in accordance with obligations from the Dutch Civil Code and the Dutch General Law on State Taxes. 
• Applicants: we will keep data of rejected applicants for a maximum of 4 weeks, unless you give permission to keep your data for a longer period (up to 1 year). 
• Camera footage (CCTV): we retain footage from our security cameras for a maximum of 4 weeks, unless an incident has occurred. 
• Wwft data: data processed under the Dutch Anti-Money Laundering and Terrorist Financing Act (Wwft) is retained for 5 years, calculated from the moment when the business relationship ends or the transaction in question is executed.
• Communication about transactions in financial instruments: correspondence (including call recordings) and documentation relating to transactions of BNG and its clients in financial instruments is stored for 5 years. 
• Cookies: the storage period for cookies that we use on our website differs from cookie to cookie. You can find these storage periods in our cookie statement

In some cases, we retain personal data for longer than the specified retention periods. This may be the case, for example, when we are obliged to do so on the basis of a request from the police or the Public Prosecution Service, or when a legal hold is in force. A legal hold is established if data may be necessary as evidence in legal proceedings, disputes, claims, audits, investigations by regulators or other circumstances.

Transfer of personal data outside the EEA

BNG generally processes personal data within the European Economic Area (EEA). When we share data with parties outside the EEA, or when personal data is processed there, we make sure that your data remains adequately protected. We do so by implementing appropriate safeguards, such as:

• the use of Standard Contractual Clauses (European Model Contract Clauses);
• cooperation with organisations in countries for which the European Commission has taken an adequacy decision;
• cooperation with organisations participating in the EU-US Data Privacy Framework.

In addition, for each situation we assess whether additional organisational or technical measures are necessary to maintain an adequate level of protection.

Protection of personal data

We take appropriate technical and organisational measures to protect the availability, integrity and confidentiality of personal data. To this end, BNG applies an information security policy that is regularly reviewed on the basis of new regulations and internal and external developments.  

In addition, personal data is only processed by persons with a duty of confidentiality. All of our employees have taken the Dutch bankers’ oath.

Automated decision-making

BNG does not use automated decision-making with regard to natural persons, including profiling. This means that we do not make decisions that are based solely on automated processing and that produce legal effects concerning them or similarly significantly affect them.

Questions and complaints

Do you have any questions or would you like to file a complaint about the processing of your personal data? Please contact our Privacy Office or our Data Protection Officer (DPO). The DPO monitors BNG’s compliance with the GDPR.

You can reach the DPO:

• By email: FG@bngbank.nl
• By post: BNG, t.a.v. de Functionaris Gegevensbescherming, Postbus 30305, 2500 GH Den Haag

If you are not satisfied with our response, you can submit a complaint to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The contact details of the DPA can be found on their website.

Changes to this privacy statement

We may update this privacy statement from time to time, for example due to changes in laws and regulations or changes in how we process personal data. The most up-to-date version is always available on our website.

This version is dated 15 April 2026.