In our privacy statement, we use a number of key terms, such as ‘personal data’, ‘data subject’, ‘processing’ and ‘controller’. Below you can read what these mean.
Personal data is any information relating to an identified or identifiable natural person — that is, information that can be used to identify a person, directly or indirectly. Examples include name, (email) address, telephone number, IBAN and Citizen Service Number (BSN).
Personal data may also include information relating to a sole proprietorship, general partnership (VOF) or limited partnership (CV). This does not apply to data of a legal entity, such as a private limited company (BV) or a public limited company (NV). However, information relating to a contact person, shareholder or representative of a legal entity is considered personal data.
Information relating to municipalities, provinces and water authorities is also not considered personal data because they are legal entities governed by public law. However, information relating to individual employees or representatives of these entities is personal data.
Special categories of personal data (‘special category personal data’) are types of information that are given enhanced protection under the law.
According to the General Data Protection Regulation (GDPR) these are:
We may only process special category personal data if permitted by law or if you give your explicit consent.
Example: BNG may use biometric data for your identification, such as facial recognition, when the organisation you represent becomes a client at BNG and you give your explicit consent.
Processing is any operation or set of operations which is performed on personal data. Examples of processing operations are collecting, recording, storing, updating, changing, retrieving, consulting, making available, forwarding, (online or remote) accessing and deleting personal data.
A data subject is a natural person whose personal data is processed and who is or can be identified.
The controller is a person or an organisation that determines the purposes and means of processing personal data. The controller can do this alone or jointly with others. This means that the controller ultimately decides whether an organisation processes personal data and, if so:
The controllers responsible for the processing operations covered by this privacy statement are BNG Bank N.V. and BNG Gebiedsontwikkeling B.V.
The Data Protection Officer (‘DPO’) is a person who monitors the application and compliance of the GDPR within the organisation. More information about the role of the DPO can be found on the website of the Dutch Data Protection Authority.
The DPO of BNG can be reached via FG@bngbank.nl.
The General Data Protection Regulation (‘GDPR’) is the privacy regulation applicable in Europe. The GDPR applies directly in the Netherlands. Where the GDPR leaves room for national choices in the implementation of the GDPR, these have been laid down in the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming (‘UAVG’).
The GDPR regulates what is and is not permitted when organisations handle the personal data of data subjects. It also defines the privacy rights individuals have when their personal data is processed. For example, individuals are entitled to information about how their data is used and may request access to and rectification of their data.
The GDPR stipulates that organisations may only process personal data if there is a lawful basis for doing so. The GDPR provides six lawful bases, including the consent of the data subject, the performance of a contract to which the data subject is party, compliance with a legal obligation or the performance of a task carried out in the public interest. In addition, personal data may be processed on the basis of a legitimate interest. This can be the legitimate interest of BNG – such as preventing fraud or providing security for our systems and offices – as well as the legitimate interest of a third party, for example other financial institutions or parties involved in the performance of our services. In all cases, we carefully balance these interests against your privacy rights.
More information about these concepts can be found on the website of the Dutch Data Protection Authority.
Our privacy statement explains how BNG handles your personal data. We describe what data we collect, why we collect it and how we use it.