U bent succesvol uitgelogd.

How do we ensure your personal data is secure?

We go to great lengths to ensure the highest possible level of protection for your personal data:

  • We invest in our systems, procedures and people.
  • We make sure that our working methods are in keeping with the sensitive nature of your personal data.
  • We train our people how to keep your personal data safe and secure.

How exactly do we do that?

For security reasons, we are unable to provide details of the precise measures we take. Some of the security measures you may have come across include: 

  • Security of our online services
  • We follow a two-step process to establish your identity (authentication) 
  • Security questions when you call us
  • Requirements for sending confidential documents 
  • Extra secure messages for confidential information in the ABN AMRO app and Internet Banking

Security is our shared priority. If, for example, you encounter breaches in our security, you can report this to us confidentially through the ‘Secure banking’ page on our website.

Warning system used by banks

Imagine that you are involved in damage to, or the loss of, our property, that there are suspicions that you have committed fraud, that you are being investigated by the authorities or the police, that client due diligence (CDD) carried out into you under the Dutch Financial Supervision Act (Wft) and Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft) has led to certain outcomes, or that you have failed to keep to the arrangements you agreed with the bank. 

These are all examples of incidents to which the bank must pay special attention. The bank must be able to record and remember these incidents so that it can take appropriate measures or further action. The bank has a legitimate interest in this. 

Incidents of this kind are referred to as “events". These events are recorded in a special internal record kept by the bank, generally referred to as "event records", which can only be accessed by authorised employees. 

The internal reference register

An internal reference register (Dutch acronym: IVR) is linked to the event records. Consequently, if we believe a client's involvement in an event is sufficiently serious, we can warn the appropriate departments and group companies within ABN AMRO. 

This warning does not have any effect outside our organisation. We check the GDPR rules to determine whether it is permissible to share a specific event through the internal reference register within our organisation. When a client is included in this register, we provide specific information about the reasons for the inclusion in the internal reference register, the consequences of inclusion for the client and also the client's relationship with us and our group companies, as well as the duration of the inclusion and the client's rights, such as the right to object. 

The CAAML list

We also record if we have been forced to terminate our contractual relationship with you in accordance with the provisions of the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act, for example because you failed to provide us with sufficient information about where your money comes from or you are involved in money laundering or terrorist financing. In such cases, we may record your data in the CAAML list.
This record is similar to the internal reference register in that it has no effect outside ABN AMRO. The aim of this record is to enable us to remember that we were forced to terminate our relationship with you because we could no longer fulfil our obligations under the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act. Once again, we have a legitimate interest in this. 
If you are included in the CAAML list, you will be explicitly informed about this, as well as, among other things, the reasons for inclusion, the consequences for your relationship with the bank and its subsidiaries, and the duration of the inclusion and your rights, such as the right to object. 

The external reference register (ERR)

In addition to this, financial institutions in the Netherlands, including ABN AMRO, have developed a warning system that, in contrast to the event records, internal reference register and CAAML list, also has an effect externally. This system allows the banks to check whether a person:
    • has ever committed fraud,
    • has tried to commit fraud,
    • or forms a threat to the safety and security of the banking sector in some other way. 
For more information about this warning system and its workings, please visit the website of the Dutch Banking Association . The rules governing how banks, and therefore ABN AMRO, can use the external warning system have been approved by the Dutch Data Protection Authority. These rules can also be found on the website of the Dutch Banking Association (NVB). If you are included in this external warning system, you will be provided with information about your inclusion in the register and how to exercise your data protection rights. 
We check these registers if you apply to become a client of ours or you decide to purchase a new product from us or one of our group companies. Only people who handle client acceptance and product acceptance are permitted to check these lists. These employees will be alerted by a signal if you are included in the register. 
Only a limited number of authorised employees have access to details of the reasons for inclusion in the lists. This information is always used as a basis when assessing whether the bank can accept a client or grant a product, and determining the applicable conditions.

Do we also share your personal data outside Europe?

Your personal data is processed outside Europe too. Additional rules apply in that case. This is because not all countries have the same strict data protection rules as we do in Europe.

Sharing personal data within our group

We may share your personal data outside Europe within our group. Our sharing of personal data is governed by our global internal policy, the Binding Corporate Rules (BCRs). These are published on our website and have been approved by the Dutch Data Protection Authority (Dutch DPA).

Sharing personal data with other service providers

We may occasionally share your personal data with other companies or organisations outside Europe, for instance in the context of an outsourcing contract. In that case, we ensure that we have concluded separate contracts with those parties, and that these contracts comply with the European standard, such as the EU's standard contractual clauses, and additional requirements.

International payment transactions and cross-border investing

In some situations, you make use of our international financial services, for instance if you transfer money abroad or if you hold investments abroad through us. In such situations, foreign parties, such as local supervisory authorities, banks, government bodies and investigative authorities, may ask us for your personal data, for instance so that they can carry out an investigation. Additional rules governing the use of personal data apply if you purchase investment products from us. For details, please see the provisions of Article 11.3 of the  Investment Conditions .