RABOBANK – RaboDirect Ireland Privacy Statement
Rabobank Coöperatieve U.A. trading as Rabobank, the parent of RaboDirect, processes personal data. We want to provide you with clear, transparent information about this matter. This privacy statement contains answers to the most important questions about personal data processing by Coöperatieve Rabobank U.A..
This privacy statement describes how we deal with personal data processing. It also contains examples to make our explanation as clear as possible. If you have any questions about this privacy statement, please contact us by email: email@example.com
What does Rabobank mean by personal data processing?
This privacy statement concerns personal data processing. What do these words mean?
- Personal data
Information that says something directly or indirectly about you is referred to as personal data. Examples include your name and address, and also information such as your income.
Information relating to a sole trader, commercial partnership or professional partnership is also considered personal data.
Information relating to a legal entity is not personal data, but information relating to a legal entity’s contact person or representative does count as personal data.
Processing means anything that can be done with personal data. This includes the collection, storage, use, transfer and removal of data.
1. Whose personal data does Rabobank process?
We process personal data if we have had a business relationship with you, or if we have had contact with you.
The people whose personal data we process includes:
- Former customers who previously held a Deposit account or Current account with RaboDirect Dublin and which were closed in May 2018 following the withdrawal of RaboDirect from the Irish market,
- people who are connected in another way with a business or organisation with which we have, want to have, or have had a business relationship,
2. What does Rabobank expect from businesses and organisations?
If your business or organisation previously transferred any personal data concerning employees or ultimate beneficial owners (UBOs) to Rabobank, we also expect your employees, executive directors or UBOs to be informed about this. You can give this privacy statement to them so that they can learn how we deal with their personal data.
Ultimate beneficial owner: A natural person who holds a stake in a legal entity, can exercise voting rights or is the beneficiary of all or part of the legal entity’s capital. Financial institutions are required by law to determine who the UBOs are.
3. Who is responsible for the processing of your personal data?
This privacy statement considers the processing of personal data by Rabobank. Data may be shared within Rabobank Group to the extent that this is permitted by law. When sharing data within Rabobank Group, we comply with the Binding Corporate Rules that we have agreed within Rabobank Group. These rules describe how the divisions of Rabobank Group deal with personal data.
4. Which personal data does Rabobank process?
Rabobank processes different types of personal data:
|Types of data||What kinds of data might be involved?||Examples of how Rabobank uses the data|
|Information that allows an individual to be identified directly or indirectly||Name, address, telephone number, e-mail address, information provided in your identity document.||For identification purposes or to contact you.|
|Information relating to or used historically for agreements||Information about your financial situation, the products you have held, your risk profile (if you invest) and information used for obtaining finance, such as payslips and the value of your home.||To assess whether Rabobank would provide a product to you. For example, if you applied for a loan, we wanted to assess your ability to repay the amount borrowed|
|Payment and transaction data||When a payment was made, information about the person you paid or who paid you and when the payment took place.||
To execute a payment for you. To be able to check whether the number you entered matched the name you specified in a payment instruction.
For your security and ours.
|Special categories of personal data||Information concerning your health, biometric data, information about criminal convictions, data which reveal your ethnic origin or political inclinations.||
If you had given your consent for this, we recorded information concerning your health for purposes such as providing a tailored service to your needs.
In the context of combating terrorism, we were and are required to record information about your country of birth. We are also required to do this in connection with tax obligations.
|Recorded calls and documentation of e-mails.||
Conversations we may have had with you, and which you may have had with us, by telephone.
E-mails you sent to us and which we received from you.
|We may use the recorded calls and e-mails to combat fraud, to fulfil legal obligations, to monitor quality, to provide proof, to improve our services and to train, coach and assess our employees.|
|Data we receive from other parties||Data obtained from the Company Registration Office, Credit Reference Agency.||We use this information to check Directors and UBO’s details and your credit position.|
|Data we share with other parties||Financial information and transaction information.||We may be required to share customer and transaction data with the relevant authorities and regulatory bodies in Ireland as part of compliance with the Anti Money Laundering, Counter Terrorism Financing and Fraud prevention laws and/or regulations.|
|Data we require to combat fraud, to ensure your security and ours, and to prevent money laundering and the financing of terrorism||The data we keep in our internal and external referral registers, sanction lists, location information, transaction data, identity information, camera images, cookies, IP address and data relating to the device on which you use online services.||In order to comply with legal obligations and prevent you, the financial sector, Rabobank or our employees from becoming the victims of fraud, for security reasons and to protect the financial markets, we check whether you appear in our external or internal referral registers and we have to check whether your name appears in sanction lists.|
5. How does Rabobank come by your personal data?
We received your personal data because you provided it to us yourself. Examples include entering into a contract with us or data you send to us in order that we can contact you, and data arising from the services we provide in areas such as payments.
We may also receive your data from business units within Rabobank Group or from other financial institutions in the context of combating fraud, money laundering and terrorism.
We may also receive data from others, such as suppliers or other parties we work with. Or public sources like newspapers, public registers and websites. Or because you have given another party consent to share data with us.
6. For which purposes, and on what basis, does Rabobank process personal data?
The types of personal data processed by Rabobank are described above. The purposes for which we process(ed) personal data are described below. In addition, we indicate the basis on which this processing is done. By law, every personal data processing operation must have a legitimate basis.
|Section||Purpose of personal data processing|
|6a||To enter into a business relationship and agreement with you|
|6b||To perform agreements and carry out instructions|
|6c||To ensure your security and integrity as well as the security and integrity of Rabobank and the financial sector|
|6d||To enter into and perform agreements with suppliers and other parties we work with|
|6e||To comply with legal obligations|
|6f||To carry out business processes including management reports and internal management, and to conduct transactions, reorganisation and restructuring of our business and asset|
|6g||For archiving purposes, scientific or historic research purposes or statistical purposes|
a) To enter into a business relationship and agreement with you
We needed to have your personal data if you had wanted to become a customer, or if you wanted to use a new service or contact us.
For example, we may have had to perform research to assess whether we were able to accept you as a customer. When you become a customer, we had to establish your identity for almost all our products and comply with our legal obligations. As part of this, we may have made a photocopy of your proof of identity.
If you wished to become a customer, or were a customer of ours we are required by law and Rabobank Policy to screen your name against relevant international sanctions lists and Rabobank Group internal warning lists.
For the most part, we process(ed) your personal data because we were/are under a legal obligation to do so. If, however, this legal obligation does not apply directly to Rabobank, we have a legitimate interest in processing your personal data for these purposes. We may also process such data where this is necessary to conclude the agreement.
b) To perform agreements and carry out instructions
When you had previously been a Deposit/Current Account customer of Rabobank we wanted to be of service to you. We executed the instructions we received from you and perform the agreements we have concluded. This is what we agreed with you. We processed personal data for this purpose.
If you required us to make a payment, we might have needed to transfer your data to another financial institution. The payee can also see and record your payment data, such as the address details relating to your account. Both the person who issues the payment instruction and the beneficiary (payee) may enquire about specific data relating to the account.
You may also ask us to divulge your personal data to a third party, in which case we will transfer your personal data to that party.
We may make recordings of telephone conversations and e-mail messages. The purposes for which this is to ensure a high standard of service. We may also do this if we are legally required to do so, or to provide proof and monitor quality, to investigate fraud and other matters, and for training, coaching and assessment purposes.
We process personal data because this is necessary in order to perform the agreement, and also because we are under a legal obligation to do so, for example in the context of payments. If you do not provide certain information to us, we will not be able to perform the agreement.
In a number of cases, we have a legitimate interest in processing your personal data, for example when making recordings of telephone calls.
c) To ensure your security and integrity as well as the security and integrity of Rabobank and the financial sector
We process your personal data to ensure your security and ours, and also security of the financial sector. We also do this for the purpose of preventing fraud, money laundering and the financing of terrorism.
Incident registers and warning systems
If you were a customer of Rabobank, we will consult the incident registers and warning systems of Rabobank Group.
We may consult the incident registers and warning systems, and we may also record your personal data in these registers. If you do not agree to the recording of your personal data, you can object to this or ask that your data is corrected or erased.
Publicly accessible sources
We consult publicly accessible sources, such as public registers, newspapers and the internet, in an effort to combat fraud and protect Rabobank.
We may perform analyses aimed at preventing fraud and protecting you and Rabobank. We may make use of information that you did not supply to us in the context of combating fraud, such as information about historical transactions in the account previously held with Rabobank. We may make recordings of telephone conversations and e-mail messages, for example, and may document these recordings. We do this in the context of investigating fraud. We may also do this if we are legally required to do so, or to provide proof and monitor quality, and for training, coaching and assessment purposes.
We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of a legitimate interest of Rabobank, the financial sector or our clients and employees.
d) To enter into and perform agreements with suppliers and other parties we work with
If you have contact with Rabobank for work-related reasons, we may process your personal data, for example so that we can establish whether you are permitted to represent your business, or so that we can give you access to our offices. Where necessary, we may consult incident registers and warning systems and all relevant international sanctions lists before we enter into our agreement and also while the agreement is in effect in the context of screening.
We process your data so that we can perform the agreement we have concluded, because we are required to do so by law or because we have a legitimate interest in this.
e) To comply with legal obligations
We are required to comply with legislation designed to combat fraud, crime and terrorism, such as the Criminal Justice (Anti-Money Laundering) Acts. For example, we are required to seek proof of your identity and account details where you are seeking repayment of the proceeds of a closed Deposit/Current Account previously held with Rabobank. If we have any concern relating to the payment, we must notify the competent law enforcement agency. Under this law, we have to establish who the ultimate beneficial owner (UBO) is of a business or organisation if the payment is to be made to that business or organisation.
We may receive requests for data from the Revenue Authorities, the Garda Síochána and the Courts Service as well as organisations such as the intelligence services. If they do this, we are required by law to cooperate with the investigation and transfer data relating to you.
Providing data to the government
Legislation and regulations may require that we transfer data (analysed or otherwise) relating to you to a government institution, a tax authority or a regulator outside Ireland, such as the European Central Bank (ECB) or the Dutch Central Bank (DNB).
Making and documenting recordings
We may make recordings of telephone conversations and e-mail messages and may document these recordings. We do this to provide proof, to monitor quality, to combat and investigate fraud, and to train, coach and assess employees.
We process your data because this is required by law, or because we would otherwise not be permitted to perform an agreement with you, or if we have a legitimate interest in processing your data so that we can comply with a statutory or other legal obligation.
f) To carry out business processes including management reports and internal management, and to conduct transactions, reorganisation and restructuring of our business and assets
Improving our own business processes
We also use data to analyse and improve our business processes so that we can help you more effectively or make our processes more efficient. Where possible, we will anonymise (data that cannot be traced back to an individual in any way) or pseudonymise (data that can be linked to an individual if additional information is included) your data first.
We process your data because this is required by law or because we have a legitimate interest in doing so, including to support business transactions of the type referred to above, to effectively manage our assets and protect their value.
Processing your personal data in the manner otherwise outlined above may also be necessary for the performance of our agreement with you.
g) For archiving purposes, scientific or historic research purposes or statistical purposes
We may also process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. Where possible, we will anonymise or pseudonymise your data first.
When processing personal data for archiving purposes, scientific or historic research purposes or statistical purposes, we process the data on the basis of the legitimate interest of Rabobank, the financial sector or our customers and employees.
7. How long does Rabobank keep your personal data?
We do not keep your data for any longer than necessary to fulfil the purposes for which we collected the data or the purposes for which data are reused. We have adopted a data retention policy. This policy specifies how long we keep data. In Ireland, this is usually for seven years following the termination of the relevant agreement or the ending of your business relationship with Rabobank.
In specific situations, we may also keep data for longer than we are required by the retention period fixed by us. We will do this if, for example, the judicial authorities request data, in which case we will keep the material for longer than one month.
Once we no longer require the data for the purposes described in sections 6 a to 6 g, we may still keep the data for archiving purposes, in the event of legal proceedings, or for historic or scientific research purposes or statistical purposes.
8. Does Rabobank also process special categories of personal data?
Special categories of personal data include data concerning health, biometric data and data which reveal racial or ethnic origin. We only process such information if we are required to do so.
Rabobank Group participates in incident registers and warning systems for the financial sector and may process information about criminal convictions in this context. The purpose of these incident registers and warning systems is to protect the interests of financial institutions and their customers, for example by detecting and recording cases of fraud.
We process special categories of personal data where this is permitted by law, because this information was made public by you, or with your permission, for example if you inform us that you have a visual impairment so that we can try and facilitate your needs. We ask for your consent to record this information. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact us.
9. Which people at Rabobank have access to your data?
Within Rabobank, your personal data can be accessed only by individuals who need to have access owing to their position. All of these people are bound by a duty of confidentiality.
10. Does Rabobank use personal data for any other purposes?
If we want to use information for any purpose other than the purpose for which it was obtained, we may do this as long as the two purposes are closely related.
If there is not a sufficiently strong connection between the purpose for which we obtained the data and the new purpose, we will ask you to give your consent. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact us.
11. Does Rabobank transfer your personal data to other parties and to other countries outside the EU?
a. Within Rabobank Group
Your personal data may be shared by divisions of Rabobank Group, for example because you ask us to do this.
These divisions of Rabobank may also be located in countries outside the European Union that apply less stringent data protection rules. We share your data with divisions of Rabobank Group, in which Rabobank holds a majority interest, only if the divisions comply with Rabobank’s Binding Corporate Rules, which outline the rules that all these divisions of Rabobank Group have to comply with. The Rabobank Binding Corporate Rules guarantees adequate protection of personal data.
b. Outside Rabobank Group
Your data is also transferred to other parties outside Rabobank Group if we are required to do this by law, because we have to perform an agreement with you or because we engage another service provider, for example if we have an outsourcing arrangement.
We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as the Central Bank of Ireland (CBI) the Dutch Central Bank (DNB) and the European Central Bank (ECB), and the various tax authorities.
We also transfer data if this is necessary in order to perform our agreements with you. For example, we use third parties such as SWIFT to enable us to make payments. These third parties are subject to supervision by their local regulators. This may mean that your payment and transaction data are transferred to other parties in countries that do not enjoy the same level of personal data protection as the European Union.
If your personal data are processed in a country with a different level of data protection, this may mean that your personal data are the subject of investigations by competent national authorities in the countries where the relevant information is held.
We sometimes engage other parties / business partners that process personal data on our instructions. Examples include printers that handle customer mailshots for us and print your name and address on envelopes and parties that store data for us. Before such parties are engaged, we must first ensure they are sufficiently reliable. We may only engage parties if this is in keeping with the purpose for which we processed your personal data. Moreover, this other party can be engaged by us only if it reaches specific agreements with us, has demonstrably implemented appropriate security measures and guarantees that your personal data will remain confidential. Your personal data may also be shared with other parties that we engage in the course of our business or for the provision of our services.
If we transfer your data to other parties outside the European Union, we take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. If we make use of a third party located outside the European Union, and if the European Commission believes that the country in which this third party is located does not offer adequate protection in the area of personal data processing, we will only transfer your data if other, suitable guarantees are in place, such as the contractual arrangement approved by the European Commission, or on the basis of the Privacy Shield (United States).
12. What rights do you have concerning your personal data held by Rabobank?
a. right of information
This privacy statement describes what Rabobank does with your data. In certain cases, we provide additional or different information. For example, if Rabobank records your personal data in its incident registers, it will inform you about this separately (provided it is permitted to do so). We will also do this if there are other reasons for providing you with information in addition to the privacy statement. We may do that by means of a letter, by leaving a message in your inbox or in another way to be determined by us.
b. right of access to and rectification of personal data
You may ask us whether we process data relating to you, and if so, which data this concerns. In that case, we can provide you with access to the data processed by us that relates to you. If you believe your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).
c. right to erasure (‘right to be forgotten’)
You may request that we erase data concerning yourself that we have recorded, for example if you object to the processing of your personal data. Your interest must also be greater than Rabobank’s interest in processing the data.
d. right to restriction of processing
You may request that we restrict the personal data relating to you that we process. This means that we will process less personal data relating to you.
e. right to data portability
You have the right to request that we supply you with data that you previously provided to Rabobank in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can do this only if this is technically feasible.
f. right to object to processing based on a legitimate interest
If we process your data because we have a legitimate interest in doing so, for example if we make recordings of telephone calls but this is not required by law, you may object to this. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision, stating the reason.
If you make a request as described above, we will respond no later than one month after we receive your request.
We may ask you to explain your request for access in more detail. For example, if you request access to recorded calls, we may ask you to provide search keys, such as the time the call was made and the number from which it was made. In very specific cases, we may extend this period in which we must respond to a maximum of three months. In that case, we will keep you informed about the progress made with your request.
If you make a request, we may ask you to provide proof of your identity. For example, if you submit a request to exercise your right of access or right to data portability, we will want to be certain that we provide your personal data to the right person. In some cases, we may ask you to come to the offices so that you can make your identity known and we can verify your identity. In some cases, there may be doubts as to whether we can send you the data securely. If so, we may ask you to come to the offices to collect your data.
In certain cases, we may not be able to comply with your request, for example because this would violate the rights of others, would be against the law or is not permitted by the Garda Síochána or another public authority, or because we have weighed up the relevant interests and determined that the interests of Rabobank or others in processing the data take precedence. In that case, we will inform you. If we adjust your data or erase your data at your request, we will notify you of this and also inform the recipients of your data wherever possible.
13. Who can you contact if you have a question or complaint concerning personal data held by Rabobank?
If you have any questions or complaints concerning the processing of personal data by us, please contact:
1. by email at firstname.lastname@example.org or
2. by post at Operations Department, Rabobank Dublin, 76 Sir John Rogerson’s Quay, Dublin 2, D02 C9D0.
If you wish to make an access request in relation to your personal data, please apply in writing to the Operations Department, Rabobank Dublin, 76 Sir John Rogerson’s Quay, Dublin 2, D02 C9D0.
14. Can Rabobank change this privacy statement?
Yes, our privacy statement may change from time to time. We will adjust the privacy statement when new data processing operations are introduced. If these changes are also relevant for you, we will draw your attention to these changes or clearly communicate them to you. The most recent version of our privacy statement is always made available online at www.rabodirect.ie.