On what legal ground do we process your personal data?

Obviously, we may not request or use your personal data without good reason. We are allowed to do this only if the processing of personal data is based on one of the ‘grounds’ permitted by law. This means that we may only use your personal data for one or more of the following reasons:


We need your personal data for concluding and performing a contract, for example if you want to open an account with us or take out a mortgage. 

Are you the representative of your company and has your company concluded, or does it want to conclude, a contract with us? Or are you the contact person, shareholder, managing director or ultimate beneficial owner (UBO) of this company or one of our corporate clients? If so, we use your personal data for other reasons than the conclusion or performance of the contract. We also do this if you are merely the payee of a payment made by one of our clients.

Legal obligation

The law lays down many rules that we have to comply with as a bank. These rules state that we have to record your personal data and occasionally provide it to others. The following are just some examples of the legal obligations we have to comply with:

  • Under the Dutch Financial Supervision Act (Wet op het financieel toezicht - Wft), we have a statutory duty of care. For example, as a bank we are required to take measures to avoid excessive lending. This means that we have to use your personal data to obtain a good picture of your financial situation. 
  • We have to take steps to prevent and combat fraud, tax evasion, terrorist financing and money laundering. In that context, we ask you to prove your identity so that we know who you are. This is why we keep a copy of identity documents.
  • We are required to keep your personal data owing to our obligations under various acts, such as the Dutch Civil Code or specific provisions of the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme - Wwft) and the Dutch Bankruptcy Act (Faillissementswet).

Other organisations may occasionally ask banks to provide personal data. These organisations include the Dutch Tax and Customs Administration, the judicial authorities (financial fraud) and intelligence agencies (terrorism). In addition, banks - and therefore we - are sometimes required to share personal data with supervisory authorities, such as the Netherlands Authority for the Financial Markets (AFM), the Dutch Central Bank (DNB) and the European Central Bank (ECB), for instance when they carry out research into business processes or specific clients or groups of clients. In the context of disciplinary law for banks in the Netherlands, we may be required to provide personal data to Stichting Tuchtrecht Banken. 

If the law or a supervisory authority stipulates that we must record or use your personal data, we are required to do this. In that case, it does not matter whether you are a client of ours or not. For example, every bank must check whether clients, and the representatives of clients (including corporate clients), are genuinely who they say they are. In addition, banks must keep a photocopy of an identity document for each of their clients. Please note that we are not required to establish your identity if we only use your personal data because you are the payee of a payment made by one of our clients.

Legitimate interest of the bank

We also have the right to use your personal data if we have a legitimate interest in doing so. In that case, we must be able to demonstrate that our interest in using your personal data outweighs your right to data protection. We therefore balance all the interests. Here are a few examples of when this might happen:

  • We protect property and personal data belonging to you, to us and to others.
  • We protect our own financial position (so that we can assess whether you are able to repay your loan, for example), your interests and the interests of other clients (in the event of a bankruptcy, for example).
  • We carry out fraud detection activities to help you and us avoiding suffering losses as a result of fraud. In this context, we keep the financial transaction history of the payer and the payee.
  • We keep you up-to-date on product changes and send you tips, offers and other relevant news by means of direct marketing
  • We aim at organising ourselves efficiently. We centralise our banking systems, make use of other service providers, and conduct statistical and scientific research.

Someone else may also have a ligitimate interest. For example, someone may accidentally transfer money to your bank account. In that case, we may, under certain conditions, provide your personal data to the person who issued the payment instruction. That person can then ask you to pay the money back. For more information, please visit the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) website .

Even if you do not have a contract with us, we may still use your personal data either because this is necessary to ensure compliance with the law or on the basis of a legitimate interest. We will of course first check whether this is the case, for instance if your personal data os used for security purposes or for marketing purposes.