With whom we share personal data – External

Would you like to know more about the external parties with whom we may share your personal data? Please read the full explanation  below.

Performance of services

We use carefully selected external parties for certain parts of our services. For example, we use Swift in international transactions and work with service providers for:

• technical infrastructure and payment traffic;
• daily statements and financial reports;
• screening in the context of client due diligence;
• customer satisfaction surveys;
• suppliers who supply and/or maintain security cameras and systems for issuing access passes;
• security guards;
• caterers;
• printed matter;
• marketing and website management;
• photographers and videographers commissioned to make and/or edit visual and sound material.

In addition, we work with AMP Logistics, which acts as a processor on behalf of BNG for the identification of persons associated with our clients, within the framework of our legal identification obligations. Additional information on these obligations can be found here.

Identification can take place in the following ways:

• Remote: natural persons are identified via a secure mobile application.
• On location: when a client does not consent to the use of biometric and/or identity data in the mobile application, or cannot complete the digital process. In that case, the client makes an appointment and a courier from AMP physically carries out the identification on behalf of BNG.

In all cases, BNG remains the controller for these processes. We conclude clear agreements with third parties on how they process and secure personal data on behalf of BNG.

External parties providing services to BNG

We sometimes engage external parties who support us in our business operations, such as:

• lawyers;
• notaries;
• auditors;
• tax advisers;
• bailiffs;
• collection agencies;
• insurers.

These parties are controllers in their own right for the personal data they process in the context of their services. They determine the purpose and means of the processing and are responsible for compliance with the GDPR.

Authorised (public) authorities

We share your personal data with third parties if we are legally obliged to do so. These may include, for example:

• (European) supervisory authorities, such as the Netherlands Authority for the Financial Markets (AFM), the Dutch Data Protection Authority, the Dutch Central Bank (DNB), the European Central Bank (ECB) or the Netherlands Authority for Consumers & Markets (ACM);
• the Tax and Customs Administration (Belastingdienst)
• In addition, in specific situations, it may be necessary to provide personal data to other authorities, such as:
• Stichting Tuchtrecht Banken, within the framework of disciplinary law for banks.

If you file a complaint with the Financial Services Complaints Institute (Kifid), a court or the Dutch Data Protection Authority, it may be necessary for us to process your personal data, for example to prepare or conduct a defence.

A court may also require us to share certain data with another party. In addition, the law may stipulate that we must provide access to your data, for example pursuant to Section 194 Dutch Code of Civil Procedure.

Financial Institutions Incident Alert System

BNG participates in the Protocol Financial Institutions Incident Alert System. This warning system consists of an internal Incident Register and an associated External Referral Register. In the Incident Register, BNG records data on (legal) persons whose behaviour has led or may lead to harm to financial institutions, their clients or employees, or which may endanger the integrity of financial institutions. These data may be exchanged for the purpose of investigating incidents. Data subjects whose data is included in the incident register and the External Referral Register are informed accordingly.

The Dutch Data Protection Authority has granted a permit for the processing of personal data relating to criminal offences in accordance with the Protocol.

The External Referral Register contains referral data that can be consulted by other financial institutions on the basis of a “hit/no hit” system via a Referral Application. The Referral Application (EVA) is managed by Stichting Bureau Krediet Registratie (BKR), which acts as a processor. Each participating financial institution, including BNG, enters into a separate data processing agreement with BKR.

Applicants

BNG may engage external parties to support the recruitment and selection process. This may include, for example:

• Providers of recruitment marketing services;
• organisations organising recruitment events;
• communication tool providers.

Pre-employment screening is part of the recruitment process for all vacancies. This screening is largely carried out on behalf of BNG by International Security Partners (ISP).

Applicants’ personal data is stored in BNG’s HR system Emply. Successful applicants will have access to this system in order to enter the data necessary for the drafting of the employment contract and to initiate the screening process.

Reporting an integrity violation or wrongdoing

Suspicions of an integrity violation or wrongdoing in work-related activities can be reported to the internal or external reporting channels of BNG.

BNG has engaged Dutch Compliance and Integrity Professionals (NCIP) as an external BNG reporting channel for reports under the BNG Reporting Scheme for Irregularities. BNG and NCIP are joint controllers in this respect.

It has been agreed with NCIP that it shall not share any information with BNG that reveals the identity of a reporter, unless the reporter gives their prior written consent.

For reports submitted via the external BNG reporting channel, or reports that have been transferred to NCIP by the internal BNG reporting channel, NCIP serves as the primary point of contact for data subjects.

If necessary, BNG may engage legal or forensic experts to investigate and handle a report.

If during an investigation there is a suspicion that a criminal offence has been committed, BNG may report this to the police, an investigative authority, or the Public Prosecutor's Office.

If the reporter chooses to report (also) to competent authorities and/or the House of Whistleblowers, BNG may share data with these authorities in this context.