Login

Clients

(Potential) client or a person related to a client – such as a contact person, director, representative or (pseudo) ultimate beneficial owner (UBO) – with whom BNG has or has previously had a business relationship.

Below, you will find an overview of the personal data that we may process, including the associated purposes and legal bases.

Processing in the context of client management and client acceptance
Processing
Contract management
Description/purposes
  • Recording client data in core systems for administration and service delivery
  • Executing agreements and communicating with clients
  • Sending and collecting invoices and payment requests
  • Responding to client questions
Categories of personal data
  • Name and contact details of contact persons, directors, representatives and (pseudo) UBOs
  • Job title / role
  • Chamber of Commerce number, organisation data
  • Client number, IBAN
Special category personal data and criminal offence data
Not applicable
Basis
Legal obligation (Article 6 (1)(c) GDPR) – Book 2 of the Dutch Civil Code, Dutch Financial Supervision Act (licence conditions and administrative obligation); tax retention obligations
Processing
Identification and verification
Description/purposes
  • Establishing the identity of representatives and (pseudo) UBOs of clients, in accordance with the legal obligation to conduct customer due diligence under the Wwft, with the aim of preventing money laundering and the financing of terrorism
Categories of personal data
  • Initials and surname
  • Contact information
  • Date and place of birth
  • Address (if the person concerned chooses to complete the ID&V process in person)
  • Copy of proof of ID
  • Citizen Service Number (BSN) (for directors of organisations that have a term deposit or payment account with BNG, in the context of the Dutch deposit guarantee)
Special category personal data and criminal offence data
Biometric data for identification: facial recognition (if the data subject chooses to perform the ID&V process digitally)
Basis
  • Legal obligation (Article 6 (1)(c) GDPR) – Article 3 paragraphs 1 and 2 in conjunction with Article 33 Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft)
  • Use of biometric data: Consent of the data subject (Article 6 (1)(a) and Article 9 (2)(a) GDPR)
Processing
Customer Due Diligence (CDD)
Description/purposes
  • Building and maintaining a client file
  • Assessing the integrity and risks of the client relationship
  • Compliance with legal obligations under the Wwft (prevention of money laundering and financing of terrorism), AMLR and the Dutch Sanctions Act
  • Carrying out integrity and fraud prevention checks, including:
  • VIS (Verification Identification System) test: check whether the client's identity document is registered as stolen, missing or invalid;
  • EVA (External Referral Application) test: check whether the client appears in the internal or external referral register (IVR/EVR), part of the sector-wide fraud prevention system
  • Periodic reassessment of existing clients.
  • CDD is part of the broader KYC (Know Your Customer) process, which includes all steps to know customers and manage risks.
Categories of personal data
  • Name and contact details of contact persons, directors, representatives and (pseudo) UBOs
  • Date and place of birth
  • Nationality
  • Copy of identity document (incl. Citizen Service Number (BSN) if required by law)
  • UBO information (nature and scope of interest)
  • Financial data (IBAN, transaction patterns)
  • Data from public sources (Chamber of Commerce, sanctions lists, Publicly Exposed Persons (PEP) information)
  • Outcomes of integrity and fraud prevention checks (such as VIS/EVA), including signs of possible irregularities with the identity document or involvement in previous incidents
Special category personal data and criminal offence data
  • Information on possible criminal offences (the sanctions list, suspicions of fraud or terrorist financing)
  • Data that may reveal political opinions (e.g. information on political functions or party involvement)
  • An identity document contains a passport photo. We process these solely within the framework of the Wwft. We do not process the passport photo for the purpose of determining special category personal data such as ethnic origin.
Basis
  • Legal obligation (Art. 6 (1)(c) GDPR) – EU Anti-Money Laundering Regulation (AMLR), Dutch Sanctions Act 1977, Dutch Financial Supervision Act (Wft)
  • Data revealing political opinions: the personal data has apparently been made public by the data subject (Article 9 (2)(e) GDPR)
  • Data on possible criminal offences (Article 10 GDPR) – processing of criminal data insofar as this is necessary to meet AML obligations as referred to in the Wwft and AMLR.
Processing
Adverse media screening
Description/purposes
  • Checking for negative publicity about customers and their directors, representatives and (pseudo) UBOs to identify and control integrity risks, credit risks and sustainability risks (ESG).
  • Supporting Customer Due Diligence (CDD)
Categories of personal data
  • Names and dates of birth of directors, representatives and (pseudo) UBOs
  • Function/relationship with the client
  • Status indicating whether someone is a director, representative or (pseudo) UBO
  • PEP status
  • Data from public sources (online and traditional media)
  • Result of the check
Special category personal data and criminal offence data
  • Information on possible criminal offences (in the event of reports of fraud, corruption, money laundering)
  • Data that may reveal political opinions (e.g. information on political functions or party involvement)
Basis
  • Legitimate interest (Article 6 (1)(f) GDPR) – managing integrity, credit and sustainability risks. This is necessary to comply with legal obligations for sound and ethical business operations (Wft, Wwft) and risk management and to protect the bank's financial soundness and reputation.
  • Data revealing political opinions: the personal data has apparently been made public by the data subject (Article 9 (2)(e) GDPR)
Processing
Standard Bank Confirmation (Standaard Bankverklaring) (SBV)
Description/purposes
  • Preparing and providing an SBV for the benefit of the client’s auditor, at the client’s request to verify the financial information in the financial statements.
  • As a bank, providing evidence to the client’s auditor of the accuracy of the client’s financial reporting
Categories of personal data
  • Name and contact details of the authorised client representative
  • Consent/request to provide the SBV to the auditor (incl. signature data)
  • Name and contact details of auditor
Special category personal data and criminal offence data
Not applicable
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – the interest of the client in enabling the auditor to obtain an SBV for the audit of the financial statements
  
Processing for potential clients
Processing
Follow-up of information and contact requests
Description/purposes
  • Registering and responding to enquiries, requests for information or requests for contact from prospective clients, including providing information about products and services
Categories of personal data
  • Name and contact details of applicant (email, telephone)
  • Content of the request
Special category personal data and criminal offence data
Not applicable
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – BNG’s interest in being able to respond adequately to requests for information and contact.
Processing
Preparing and providing quotations
Description/purposes
  • Preparing a quotation or proposal at the request of a potential client, including determining the requested service and lending rates
Categories of personal data
  • Name and contact details of requester (email, telephone)
  • Information about desired products/services
  • Relevant basic information required to prepare a quotation (e.g. Chamber of Commerce number of the client, sector, type of institution, financial key data, product or service specifications (e.g. desired term, amount, type of financing)
Special category personal data and criminal offence data
Not applicable
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – BNG’s interest in providing a quotation to potential clients.
 
My BNG
Processing
My BNG account (Mijn BNG)
Description/purposes
  • Creating user accounts for My BNG
  • Providing secure access to online banking functionalities
  • Managing account requests
  • The application form is made available via the website and can be completed online. The form must then be printed and, together with a copy of the ID, sent to BNG by post or email. No personal data is processed via the website itself.
Categories of personal data
  • Nickname, initials, official first names and surname of the user
  • User email address and mobile number
  • Copy of the user's passport/ID
  • Organisation name, Chamber of Commerce and client number
  • Choice of login method (Digipass app for mobile or with the Digipass)
  • Date and place of signature of the application
  • Name and position of legal representative of the client
 See the application form for requestiong a My BNG account
Special category personal data and criminal offence data
Not applicable
Basis
  • Necessary for entering into or performing a contract (Article 6 (1)(b) GDPR) – if the new user works for a general partnership (VOF) or a limited partnership (CV).
  • Legitimate interest (Article 6 (1)(f) GDPR) – if the new user is a contact person, representative, shareholder or (pseudo) UBO of a legal entity (e.g. a private limited company (BV) or public limited company (NV)) or a legal entity governed by public law. BNG processes user data in order to provide business customers and their authorised users with secure and reliable access to online banking functionalities.
 
Compliance with legal obligations
Processing
Transaction monitoring
Description/purposes
  • Detecting money laundering and the financing of terrorism
  • Protecting the integrity of the financial system
  • Complying with legal obligations (Dutch Anti-Money Laundering and Anti-Terrorist Financing Act, Dutch Sanctions Act)
Categories of personal data
  • Initials and surname
  • Account number/IBAN
  • Transaction details (amount, date, description)
  • Details of the bank of origin/destination
  • Risk profile
Special category personal data and criminal offence date
  • The transaction description may reveal special category personal data
  • Information on possible criminal offences (the sanctions list, suspicions of fraud or terrorist financing)
Basis
Legal obligation (Article 6 (1)(c) GDPR) – Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft), Dutch Sanctions Act 1977 
Processing
Deposit Guarantee Scheme (DGS)
Description/purposes
  • Preparing and submitting the Individual Customer Profile File (IKB) to DNB for the Deposit Guarantee Scheme
  • Providing up‑to‑date information to DNB to enable compensation of account holders in the event of a bank failure
  • Carrying out data quality checks and processing validation reports issued by DNB
Categories of personal data
  • Initials, first names, surname
  • Nationality
  • Place and date of birth
  • Telephone number
  • Email address
  • Address (customer’s residential address)
  • Citizen Service Number (BSN)
  • ID document number
  • Country where the ID document was issued
Special category personal data and criminal offence date
Not applicable
Basis
Legal obligation (Article 6(1)(c) GDPR) – Deposit Guarantee Scheme Directive and Article 3:17(6) of the Dutch Financial Supervision Act (Wft)
Processing
Provision of personal data to regulators and institutions
Description/purposes
  • Providing personal data to regulators, supervisory authorities, the Tax and Customs Administration, the Public Prosecutor’s Office and other (government) authorities to comply with legal obligations, such as supervision, taxation, investigation and enforcement.
Categories of personal data
  • Name and contact details of contact persons, directors, representatives and (pseudo) UBOs
  • Identification data (e.g. copy of an ID, date of birth)
  • Client and transaction data (account information, payment data)
  • Details of the business relationship (function, role, powers)
  • Logged digital communications
Special category personal data and criminal offence date
Possible criminal data (in case of reports to investigation institutions)
Basis
Legal obligation (Article 6 (1)(c) GDPR) – for example on the basis of the Dutch Money Laundering and Terrorist Financing Act (Wwft), the Dutch Financial Supervision Act (Wft), tax legislation. 
  
Fraud, security and integrity
Processing
IBAN Name Check
Description/purposes
  • Performing an IBAN name check when a BNG client initiates a payment order
  • Verifying whether the name provided by the client matches the IBAN number
  • Preventing errors and fraud in payments
  • Informing clients of possible deviations
Categories of personal data
  • Name (as specified in the payment order)
  • Account number/IBAN
  • Result of the check (match, no match, suggestion)
Special category personal data and criminal offence data
Not applicable
Basis
Legal obligation (Article 6 (1)(c) GDPR) – Instant Payments Regulation
Processing
Register of incidents/Internal Reference Register (IVR)
Description/purposes
  • Internal registration of incidents (e.g. identity fraud, phishing, skimming, embezzlement, intentional deception)
  • Supporting activities aimed at providing for the security and integrity of the financial sector:
  • Identifying, preventing, investigating and combating conduct that could lead to harm to BNG, its clients/employees, and/or the financial sector
  • Preventing improper use of products/services and violation of legal regulations
  • Use of and participation in alert systems, in accordance with the Financial Institutions Incident Warning System Protocol
Categories of personal data
  • Characteristics of the incident;
  • Personal data of the person involved in the incident, such as name and address details, date of birth, nationality, IBAN, and Chamber of Commerce number;
  • Measures taken as a result of the incident;
  • Indication whether inclusion in the External Referral Register has taken place;
  • Duration of registration
  • Data carriers related to the incident, such as audio recordings;
  • Name and address, telephone number, IP address of persons related to the incident
Special category personal data and criminal offence data
  • Potentially identifying information about race, ethnicity or health (e.g. CCTV footage)
  • Personal data relating to criminal offences (suspected fraud or other financial and economic crime)
Basis
  • Legitimate interest (Article 6 (1)(f) GDPR) – safeguarding the integrity of the financial sector by preventing and combating fraud, abuse and other financial and economic crime, protecting clients, employees and institutions and promoting safe and reliable financial services
  • The Dutch Data Protection Authority has granted a permit to process criminal personal data under the Financial Institutions Incident Alert System Protocol (Article 33.5 GDPR)
Processing
External Referral Register (EVR)
Description/purposes
  • Sector-wide alert system for financial institutions, whereby data from the interbank incident register is shared with or received from other participants in the Financial Institutions Incident Warning System Protocol
  • Supporting activities aimed at safeguarding the security and integrity of the financial sector
  • Identifying, preventing, investigating and combating conduct that could lead to harm to BNG, its clients/employees, and/or the financial sector
  • Preventing improper use of products/services and violation of legal regulations
Categories of personal data
  • Characteristics of the incident;
  • Personal data of the person involved in the incident, such as name and address details, date of birth, nationality, IBAN, and Chamber of Commerce number;
  • measures taken as a result of the incident;
  • indication whether inclusion in the External Referral Register has taken place;
  • Duration of registration
  • Data carriers related to the incident, such as photographs, video and audio recordings;
  • Name and address, telephone number, IP address of persons related to the incident
  • Result of the check in the Financial Institutions Incident Alert System
Special category personal data and criminal offence data
  • Potentially identifying information about race, ethnicity or health (e.g. CCTV footage)
  • Personal data relating to criminal offences (suspected fraud or other financial and economic crime)
Basis
  • Legitimate interest (Article 6 (1)(f) GDPR) guaranteeing the integrity of the financial sector by preventing and combating fraud, abuse and other financial-economic crime, to protect clients, employees and institutions, and promoting safe and reliable financial services, all in accordance with the Financial Institutions Incident Warning System Protocol
  • The Dutch Data Protection Authority has granted a permit to process criminal-law data under the Financial Institutions Incident Alert System Protocol ( Article 33.5 GDPR)
 
Maintaining contacts with clients
Processing
Sending product and service notifications
Description/purposes
  • Sending notifications about the product or service that clients have purchased
  • Informing clients about new functionality
Categories of personal data
  • Name, address, Chamber of Commerce number of the organisation
  • Client contact person (name and contact details)
  • Client number
Special category personal data and criminal offence data
Not applicable
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – informing clients of functionality of existing products/services used by the client to support the provision of services
Processing
Client satisfaction surveys
Description/purposes
  • Conducting surveys to measure and improve client satisfaction with the identification process, products and/or services. This helps the bank to make provision for the quality of its services and implement improvements where necessary.
Categories of personal data
  • Name, address, Chamber of Commerce number of the organisation
  • Client contact person (name and contact details)
  • Answers to survey questions (feedback, opinions, suggestions)
Special category personal data and criminal offence data
Not applicable
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – improving products and services and maintaining a good client relationship by gaining insight into client satisfaction. 
Processing
Marketing
Description/purposes
  • Sending information about new or existing products and services of BNG
Categories of personal data
  • Name, address, Chamber of Commerce number of the organisation
  • Contact person (name and contact details)
Special category personal data and criminal offence data
Not applicable
Basis
  • Legitimate interest (Article 6 (1)(f) GDPR) – maintaining a good client relationship and promoting the use of our products and services by clients, by informing them about similar products and services
  • Consent (Article 6 (1)(a) GDPR) for sending marketing messages about the products and services of BNG to non-clients or to existing clients about non-comparable products and services
 
Recording digital communication
Processing
Logging of communications relating to the execution of transactions in financial instruments
Description/purposes
  • Recording communications about the execution of transactions in financial instruments (such as bonds and interest rate derivatives) with customers and financial counterparties in order to comply with legal obligations
Categories of personal data
  • Name and contact details of BNG employees and of clients/counterparties
  • Position and role
  • Conversation content (voice recordings, email, chat))
  • Metadata (timestamp, duration of the conversation)
Special category personal data and criminal offence data
Special category personal data are not intentionally processed, but a data subject may share such data on his or her own initiative during the communication.
Basis
  • Legal obligation (Article 6 (1)(c) GDPR) – pursuant to MiFID II, the Dutch Financial Supervision Act (Wft) and the Decree on Conduct of Business Supervision of Financial Enterprises (Wft) (Bgfo Wft).
  • For the non-intentional processing of special category personal data: the personal data has manifestly been made public by the data subject (Article 9 (2)(e) GDPR)
Processing
Logging of communications in which arrangements are made with external commercial parties
Description/purposes
  • Recording communications, in which arrangements are made about the services provided by BNG and transactions, in order to have evidence of agreements and obligations made.
Categories of personal data
  • Name and contact details of BNG employees and of clients/counterparties
  • Position and role
  • Content of communications (voice recordings)
  • Metadata (timestamp, duration of interview)
Special category personal data and criminal offence data
Special category personal data are not intentionally processed, but a data subject may share such data on his or her own initiative during the contact.
Basis
  • Legitimate interest (Article 6 (1)(f) GDPR) – the need to have evidence that an agreement has been concluded. In particular, in the case of transactions in financial instruments, where orders must be executed immediately, continuous recording is essential. Because of the urgency, this evidence cannot be captured in any other, less intrusive manner.
  • For the non-intentional processing of special category personal data: the personal data has manifestly been made public by the data subject (Article 9 (2)(e) GDPR)
Processing
Recording incoming calls to reception, emergency number and security
Description/purposes
  • Having evidence available in situations where there is a potential serious threat, such as (suspected) serious crimes, bomb reports or other serious threats.
 
Categories of personal data
  • Name and contact details of the caller (if provided)
  • Conversation content (voice recordings)
  • Metadata (timestamp, duration of the call)
  • Caller phone number
Special category personal data and criminal offence data
Special category personal data are not intentionally processed, but a data subject may share such data on his or her own initiative during the communication.
Basis
  • Legitimate interest (Article 6 (1)(f) GDPR) – protection of employees, visitors, the BNG office and its operational operations. In exceptional cases, recordings can be crucial for establishing the facts and implementing security measures.
  • For the non-intentional processing of special category personal data: the personal data has manifestly been made public by the data subject (Article 9 (2)(e) GDPR)
 
Processing
Recording and summarising meetings
Description/purposes
Recording meetings for: 
  • Accurate documentation of decisions and actions;
  • internal documentation;
  • quality improvement of services and processes;
  • training and coaching of employees (where applicable).
Categories of personal data
  • Name, position and contact details of the participants
  • Conversation content (voice recordings)
  • Transcripts or summaries of meetings
  • Metadata (timestamp, duration of the meeting)
Special category personal data and criminal offence data
Special category personal data is not intentionally processed, but a data subject may share such data on his or her own initiative during the contact.
Basis
  • Legitimate interest (Article 6 (1)(f) GDPR) – the interest in reliably documenting and reconstructing decisions, actions and communications, and in improving the quality of service delivery.
  • For the non-intentional processing of special category personal data: the personal data has manifestly been made public by the data subject (Article 9 (2)(e) GDPR)
 
Complaints procedure
Processing
Complaints
Description/purposes
  • Receiving, registering and handling complaints submitted by email or post.
  • Communicating with the complainant about the receipt, progress, assessment and the final response to the complaint.
  • Investigating the complaint, including gathering relevant additional information if necessary.
  • Reassessing a complaint when it is submitted to management, after the complainant indicates that he is not satisfied with the original handling.
Categories of personal data
  • Name and contact details (postal address, email, telephone number) 
  • Position or relationship with the client (e.g. contact person, director or representative)
  • Content of the complaint (may include personal data of employees or third parties involved)
  • Any attached documents or information to substantiate the complaint
  • Internal correspondence and notes relating to the assessment and handling of the complaint
 More information about the complaints procedure can be found on the website.
Special category personal data and criminal offence data
Special category personal data is not intentionally processed, but such data may be included in a complaint or in additional documents relevant to the assessment. 
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – BNG has a legitimate interest in carefully registering, investigating and handling complaints from clients and persons associated with them, with a view to improving services, resolving issues and maintaining a transparent client relationship. 
 
Research to improve internal operations, products and services
Processing
Testing and researching systems and technologies
Description/purposes
  • Testing whether systems (which enable products and services to be provided to clients or to comply with the law) are working properly
  • Researching whether new technologies help to better comply with the law or to provide clients with the best possible service
Categories of personal data
  • Technical user data (user ID, login data, system logs)
  • Name and contact details of internal testers or employees involved
  • Client data used in test environments (anonymised if possible)
  • Functional data on system use (e.g. transaction simulations)
Special category personal data and criminal offence data
Not applicable
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – BNG’s interest in improving systems and processes, enabling compliance with laws and regulations and serving clients optimally.  
 
Data sharing in case of sale, merger or acquisition
Processing
Sale/merger/acquisi tion
Description/purposes
  • Sharing relevant client data with potential buyers or investors of (parts of) our portfolio
  • Conducting due diligence investigations
  • Assessing and completing mergers or acquisitions
  • Providing continuity of service to clients
  • Complying with legal and contractual obligations when transferring assets
Categories of personal data
  • Name and contact details of contact persons, directors, representatives and (pseudo) UBOs
  • Organisational data (name, address, Chamber of Commerce number)
  • Contract data (client number, IBAN, product information)
  • Customer Due Diligence information
Special category personal data and criminal offence data
Not applicable, except for any special category/criminal data in CDD information (see Customer Due Diligence processing)
Basis
Legitimate interest (Article 6 (1)(f) GDPR) – the interest of the bank to restructure, sell or merge its business activities and to enable investments