Visitors to the BNG website

Forms and documents

Processing	Description/purposes	Categories of personal data	Special category personal data and criminal offence data	Basis
BNG online services forms and documents	Facilitating requests, changes and communication regarding BNG's online services. The forms and documents are made available via the website for download and completion. The data subject must then send the completed documents to BNG by post or email. No personal data is processed via the website itself.	Name, address and Chamber of Commerce number for the organisation Client contact person (nickname, initials, official first names and surname) Client ID - Client IBAN For an overview of the available forms and documents, please refer to our website.	Not applicable	Necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR) – if the client with whom BNG concludes a contract is a general partnership (VOF) or limited partnership in which a natural person also participates. Legitimate interest (Article 6 (1)(f) GDPR) – if the client with whom BNG concludes a contract is a legal entity (e.g. a private limited company (BV) or public limited company (NV)) or a legal person governed by public law. BNG processes data from contacts to enable communication and execution of the contract.
My BNG account	Creating user accounts for My BNG (Mijn BNG) Providing secure access to online banking functionalities Managing account requests The application form is made available via the website for download and completion. The form must then be printed and, together with a copy of the ID, sent to BNG by post or email. No personal data is processed via the website itself.	Preferred name, initials, official first names and surname of the user User email address and mobile number Copy of the user's passport/ID Organisation name, Chamber of Commerce and client number Choice of login method (Digipass app for mobile or with the Digipass) Date and place of signature of the application Name and position of legal representative of the client See the application form for requesting a My BNG account.	Not applicable	Necessary for the performance of a contract to which the data subject is a party (Article 6 (1)(b) GDPR) – if the new user works for a general partnership (VOF) or a limited partnership Legitimate interest (Article 6.1.f GDPR) – if the new user is a contact person, representative, shareholder or UBO of a legal entity (e.g. private limited company (BV) or public limited company (NV)) or a legal entity governed by public law. BNG processes user data in order to provide business customers and their authorised users with secure and reliable access to online banking functionalities.

Processing

BNG online services forms and documents

Description/purposes

Facilitating requests, changes and communication regarding BNG's online services.
The forms and documents are made available via the website for download and completion. The data subject must then send the completed documents to BNG by post or email. No personal data is processed via the website itself.

Categories of personal data

Name, address and Chamber of Commerce number for the organisation
Client contact person (nickname, initials, official first names and surname)
Client ID - Client IBAN

For an overview of the available forms and documents, please refer to our website.

Special category personal data and criminal offence data

Not applicable

Basis

Necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR) – if the client with whom BNG concludes a contract is a general partnership (VOF) or limited partnership in which a natural person also participates.
Legitimate interest (Article 6 (1)(f) GDPR) – if the client with whom BNG concludes a contract is a legal entity (e.g. a private limited company (BV) or public limited company (NV)) or a legal person governed by public law. BNG processes data from contacts to enable communication and execution of the contract.

Processing

My BNG account

Description/purposes

Creating user accounts for My BNG (Mijn BNG)
Providing secure access to online banking functionalities
Managing account requests
The application form is made available via the website for download and completion. The form must then be printed and, together with a copy of the ID, sent to BNG by post or email. No personal data is processed via the website itself.

Categories of personal data

Preferred name, initials, official first names and surname of the user
User email address and mobile number
Copy of the user's passport/ID
Organisation name, Chamber of Commerce and client number
Choice of login method (Digipass app for mobile or with the Digipass)
Date and place of signature of the application
Name and position of legal representative of the client

See the application form for requesting a My BNG account.

Special category personal data and criminal offence data

Not applicable

Basis

Necessary for the performance of a contract to which the data subject is a party (Article 6 (1)(b) GDPR) – if the new user works for a general partnership (VOF) or a limited partnership
Legitimate interest (Article 6.1.f GDPR) – if the new user is a contact person, representative, shareholder or UBO of a legal entity (e.g. private limited company (BV) or public limited company (NV)) or a legal entity governed by public law.
BNG processes user data in order to provide business customers and their authorised users with secure and reliable access to online banking functionalities.

Use of cookies

Processing	Description/purposes	Categories of personal data	Special category personal data and criminal offence data	Basis
Cookies	Providing for the correct functioning of the website (for technical and functional purposes) Gaining insight into the use of the website by visitors in order to improve performance, content and user-friendliness (analytical purposes).	Session ID Language settings IP address (anonymised) Unique visitor ID Session data (information about session behaviour, such as page views and click actions) Timestamp of the visit Device type and browser information Navigation behaviour Error messages or technical problems (information about faults during use of the website) For a list of the cookies that are placed, see our Cookiestatement.	Not applicable	Data subject’s consent (Article 6 (1)(a) GDPR) – to place analytical cookies Legitimate interest (Article 6(1)(f) GDPR) – for the use of necessary technical and functional cookies. BNG has an interest in making sure that its website functions well technically and is accessible to visitors. This includes loading pages correctly, remembering user settings (such as language selection), securing the website and facilitating basic functionalities such as navigation and session management.

Processing

Description/purposes

Providing for the correct functioning of the website (for technical and functional purposes)
Gaining insight into the use of the website by visitors in order to improve performance, content and user-friendliness (analytical purposes).

Categories of personal data

Session ID
Language settings
IP address (anonymised)
Unique visitor ID
Session data (information about session behaviour, such as page views and click actions)
Timestamp of the visit
Device type and browser information
Navigation behaviour
Error messages or technical problems (information about faults during use of the website)

For a list of the cookies that are placed, see our Cookiestatement.

Special category personal data and criminal offence data

Not applicable

Basis

Data subject’s consent (Article 6 (1)(a) GDPR) – to place analytical cookies
Legitimate interest (Article 6(1)(f) GDPR) – for the use of necessary technical and functional cookies. BNG has an interest in making sure that its website functions well technically and is accessible to visitors. This includes loading pages correctly, remembering user settings (such as language selection), securing the website and facilitating basic functionalities such as navigation and session management.

IT security issue notification

Processing	Description/purposes	Categories of personal data	Special category personal data and criminal offence data	Basis
Vulnerability reporting	Receiving, registering and following up reports of (suspected) security issues or vulnerabilities in BNG’s systems. Being able to communicate with the reporter about the report, progress and resolution. Providing for and improving the security of the IT systems of BNG.	Name Email address of the reporter Telephone number of the reporter (optional; when provided) Any technical information that may (accidentally) contain personal data, such as: IP addresses URLs/screenshots Logging Information For more information on vulnerability reporting, see ou website.	Not applicable	Legitimate interest (Article 6 (1)(f) GDPR) – BNG’s interest in securing its systems, detecting and resolving vulnerabilities and protecting customer and BNG data.
Notification of a cyber incident to BNG-CERT	Receiving, registering and following up reports of cyber incidents that may have an impact on BNG’s systems, services or data. Analysing the report, performing incident response and taking appropriate action. Communicating with the reporter regarding additional required information, progress and the resolution. - Handling reports in a secure and confidential manner, in accordance with CERT policy	Name Email address of the reporter Telephone number of the reporter (optional; if provided) Any technical information that may (accidentally) contain personal data, such as: IP addresses URLs / screenshots Logging Information For more information about reporting a cyber incident, see our website.	Not applicable	Legitimate interest (Article 6 (1)(f) GDPR) – BNG has an important interest in providing for digital security and continuity of its services. This legitimate interest includes, inter alia: compliance with legal cybersecurity obligations applicable to financial institutions compliance with the obligations under the Digital Operational Resilience Act (DORA) protecting the integrity, availability and confidentiality of BNG’s IT systems; limiting and preventing harm to customers, BNG itself and the financial sector as a whole.

Processing

Vulnerability reporting

Description/purposes

Receiving, registering and following up reports of (suspected) security issues or vulnerabilities in BNG’s systems.
Being able to communicate with the reporter about the report, progress and resolution.
Providing for and improving the security of the IT systems of BNG.

Categories of personal data

Name
Email address of the reporter
Telephone number of the reporter (optional; when provided)
Any technical information that may (accidentally) contain personal data, such as:
IP addresses
URLs/screenshots
Logging Information

For more information on vulnerability reporting, see ou website.

Special category personal data and criminal offence data

Not applicable

Basis

Legitimate interest (Article 6 (1)(f) GDPR) – BNG’s interest in securing its systems, detecting and resolving vulnerabilities and protecting customer and BNG data.

Processing

Notification of a cyber incident to BNG-CERT

Description/purposes

Receiving, registering and following up reports of cyber incidents that may have an impact on BNG’s systems, services or data.
Analysing the report, performing incident response and taking appropriate action.
Communicating with the reporter regarding additional required information, progress and the resolution. - Handling reports in a secure and confidential manner, in accordance with CERT policy

Categories of personal data

Name
Email address of the reporter
Telephone number of the reporter (optional; if provided)
Any technical information that may (accidentally) contain personal data, such as: IP addresses URLs / screenshots
Logging Information

For more information about reporting a cyber incident, see our website.

Special category personal data and criminal offence data

Not applicable

Basis

Legitimate interest (Article 6 (1)(f) GDPR) – BNG has an important interest in providing for digital security and continuity of its services. This legitimate interest includes, inter alia:

compliance with legal cybersecurity obligations applicable to financial institutions
compliance with the obligations under the Digital Operational Resilience Act (DORA)
protecting the integrity, availability and confidentiality of BNG’s IT systems;
limiting and preventing harm to customers, BNG itself and the financial sector as a whole.