Rabobank Dublin Privacy Statement Effective from 25 May 2018
Rabobank Dublin processes personal data. We want to provide you with clear, transparent information about this matter. This privacy statement contains answers to the most important questions about personal data processing by Rabobank Dublin which is a branch of Coöperatieve Rabobank U.A. in the Netherlands (Rabobank Group).
This privacy statement describes how we deal with personal data processing. It also contains examples to make our explanation as clear as possible. If you have any questions about this privacy statement, please contact the Data Protection Officer by email at: email@example.com.
What does Rabobank mean by personal data processing?
This privacy statement concerns personal data processing. What do these words mean?
- Personal data
Information that says something directly or indirectly about you is referred to as personal data. Examples include your name and address, and also information such as your income.
Information relating to a sole trader, commercial partnership or professional partnership is also considered personal data.
Information relating to a legal entity is not personal data, but information relating to a legal entity’s contact person or representative does count as personal data.
Processing means anything that can be done with personal data. This includes the collection, storage, use, transfer and removal of data.
- Whose personal data does Rabobank process?
We process personal data if we have, want to have, or have had a business relationship with you, or if we have had contact with you.
The people whose personal data we process includes:
- clients and their representatives
- people who show an interest in Rabobank or our products and services
- people who are connected in another way with a business or organisation with which we have, want to have, or have had a business relationship
- security providers and guarantors
- potential clients.
- What does Rabobank expect from businesses and organisations?
If your business or organisation transfers any personal data concerning employees or ultimate beneficial owners (UBOs*) to us, we also expect your employees, executive directors or UBOs to be informed about this. You can give this privacy statement to them so that they can learn how we deal with their personal data.
*Ultimate beneficial owner: A natural person who holds a stake in a legal entity, can exercise voting rights or is the beneficiary of all or part of the legal entity’s capital. Banks are required by law to determine who the UBOs are.
- Who is responsible for the processing of your personal data?
This privacy statement considers the processing of personal data by Rabobank Dublin. Data may be shared within Rabobank Group to the extent that this is permitted by law. When sharing data within Rabobank Group, we comply with the rules that we have agreed within Rabobank Group (known as Corporate Binding Rules). These rules describe how the divisions of Rabobank Group deal with personal data.
- Which personal data does Rabobank process?
Rabobank processes different types of personal data:
|Types of data||What kinds of data might be involved?
|Examples of how Rabobank uses the data|
|Information that allows an individual to be identified directly or indirectly||Name, address, telephone number, e-mail address, information provided in your identity document.||For identification purposes, to draw up an agreement or to contact you.|
|Information relating to or used for agreements/contracts or financial statements||Information about your financial situation, and information used for obtaining finance.||To assess credit worthiness, or when appropriate, for source of funds/sources of wealth.|
|Payment and transaction data||When a payment is made, information about the person you paid or who paid you, when the payment took place and what the balance in your account is.||To ensure correct / timely processing of funds is performed. Also for anti-money laundering / counter terrorism financing and sanctions monitoring. For your security and ours.
|Special categories of personal data||Information concerning your health, biometric data, information about criminal convictions, data which reveal your ethnic origin or political inclinations, your PPSN or equivalent details||In the context of combating terrorism, we are required to record information about your country of birth. We are also required to do this in connection with tax obligations.
|Recorded calls and
documentation of e-mails.
|Conversations we have with you, and you have with us, by telephone.
E-mails you send to us and which we receive from you.
|We may use the recorded calls and e-mails to combat fraud, to fulfil legal obligations, to monitor quality, to provide proof, to improve our services and to train, coach and assess our employees.|
|Data we receive from other parties||Data obtained from the Company Registration Office, Credit Reference Agency.||We use this information to check Directors and UBO’s details.|
|Data we share with other parties||Financial information and transaction data upon request of the relevant enforcement agencies and regulator.
We share client identification documents with other Rabobank wholesale group entities.
Data we provide to other parties within the Group that we engage to help us provide services.
Data you have asked us to share with another party. Informant required to meet our regulator or legal reporting commitments.
We may be required to share customer and transaction data with the relevant authorities and regulatory bodies such as Revenue authorities in Ireland and national and international regulators as part of compliance with the Anti Money Laundering, Counter Terrorism Financing and Fraud prevention laws and/or regulations. We also share information with credit reference agencies.
|Data we require to combat fraud, to ensure your security and ours, and to prevent money laundering and the financing of terrorism||The data we keep in our internal and external referral registers, sanction lists, location information, transaction data, identity information and payment details.||In order to comply with legal obligations and prevent you, the financial sector, Rabobank or our employees from becoming the victims of fraud, for security reasons and to protect the financial markets, we check whether you appear in our external or internal referral registers and we have to check whether your name appears in sanction lists.|
- How does Rabobank come by your personal data?
We receive your personal data because you provide it to us yourself. Examples include entering into a contract with us or data you send to us in order that we can contact you, and data arising from the services we provide in areas such as payments.
We may also receive data from others, such as suppliers or other parties we work with. Or public sources like newspapers, public registers and websites. Or because you have given another party consent to share data with us.
- For which purposes, and on what basis, does Rabobank process personal data?
The types of personal data processed by Rabobank are described above. The purposes for which we process personal data are described below. In addition, we indicate the basis on which this processing is done. By law, every personal data processing operation must have a legitimate basis.
|Section||Purpose of personal data processing|
|6a||To enter into a business relationship and agreement with you|
|6b||To perform agreements and carry out instructions|
|6c||To ensure your security and integrity as well as the security and integrity of the bank and the financial sector|
|6d||To help develop and improve products and services|
|6e||For account management promotional and marketing purposes|
|6f||To enter into and perform agreements with suppliers and other parties we work with|
|6g||To comply with legal obligations|
|6h||To carry out business processes and for the purpose of management reports and internal management|
|6i||For archiving purposes, scientific or historic research purposes or statistical purposes|
- To enter into a business relationship and agreement with you
We need to have your personal data if you want to become a client, or if you want to use a new product or service or contact us.
For example, we have to perform research to assess whether we can accept you as a client. When you become a client, we have to establish your identity for almost all our products and comply with our legal obligations. As part of this, we may make a photocopy of your proof of identity.
If you wish to become a client, or are already a client of ours, we are required by law and Rabobank Policy to screen your name against relevant international sanctions lists and Rabobank internal warning lists.
For the most part, we process your personal data because we are under a legal obligation to do so. If, however, this legal obligation does not apply directly to Rabobank, we have a legitimate interest in processing your personal data for these purposes. We may also process such data where this is necessary to conclude the agreement.
- To perform agreements and carry out instructions
When you are a client of ours, we want to be of service to you. We execute the instructions we receive from you and perform the agreements we have concluded. This is what we have agreed with you. We process personal data for this purpose.
If you make a payment through us, we might need to transfer your data to another bank. The payee can also see and record your payment data, such as the address details relating to your account. Both the person who issues the payment instruction and the beneficiary (payee) may enquire about specific data relating to the account.
You may also ask us to divulge your personal data to a third party, in which case we will transfer your personal data to that party.
If you are a member of our cooperative, we process your personal data for this purpose. In addition, we sometimes record your preferences concerning matters such as meetings.
We may make recordings of telephone conversations and e-mail messages. The purposes for which this is to ensure a high standard of service and include proving that you issued a particular investment instruction. We may also do this if we are legally required to do so, or to provide proof and monitor quality, to investigate fraud and other matters, and for training, coaching and assessment purposes.
We process personal data because this is necessary in order to perform the agreement, and also because we are under a legal obligation to do so, for example in the context of payments. If you do not provide certain information to us, we will not be able to perform the agreement.
In a number of cases, we have a legitimate interest in processing your personal data, for example when making recordings of telephone calls.
- To ensure your security and integrity as well as the security and integrity of the bank and the financial sector
We process your personal data to ensure your security and ours, and also security of the financial sector. We also do this for the purpose of preventing fraud, money laundering and the financing of terrorism, and facilitation of tax evasion.
Incident registers and warning systems
If you wish to become a client, or are already a client of ours, we are required by law and Rabobank Policy to screen your name against relevant international sanctions lists and Rabobank internal warning lists.
We may consult the incident registers and warning systems, and we may also record your personal data in these registers. If you do not agree to the recording of your personal data, you can object to this or ask that your data is corrected or erased. However, it is an offence for a person in the regulated sector to “tip off” (i.e. inform) a person suspected of money laundering, unless an exemption applies, so we will neither confirm nor deny whether a Suspicious Activity Report has been made or the police ask us not to notify you in the interests of their investigation.
Publicly accessible sources
We consult publicly accessible sources, such as public registers, newspapers and the internet, in an effort to combat fraud and protect the bank.
We may perform analyses aimed at preventing fraud and protecting you and the bank. For example, we may create a profile of your usual payment/transaction behaviour at Entity level in order to reduce fraud. If the observed behaviour differs from your usual payment behaviour, this may form grounds for declining payments by fully automated means. If we have decided to do this, we will inform you as soon as possible.
We may make use of information that you did not supply to us in the context of combating fraud, such as information about the transactions in your account. The regulator and legislation in both Ireland and the EU also requires that we do this.
We may make recordings of telephone conversations and e-mail messages, for example, and may document these recordings. We do this in the context of investigating fraud. We may also do this if we are legally required to do so, or to provide proof and monitor quality, and for training, coaching and assessment purposes.
We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of the performance of a contract of in the legitimate interest of Rabobank, the financial sector or our clients and employees.
- To help develop and improve products and services
In order that we can be of service to you and can innovate, we develop and improve products and services on an ongoing basis. We do this for ourselves, our corporate clients or other parties.
In addition, we sometimes combine data sources, such as information on the products you receive from us. We conduct benchmarking for our corporate clients, which provides these clients with additional information on how they perform in comparison to other businesses. The results of this study relate to a group of clients, and never an individual client (this is known as aggregate data).
We may make recordings of telephone conversations and e-mail messages and may document these recordings. We do this in order to improve the quality of our services, for example by providing training to our employees. We may also do this if we are legally required to do so, in order to provide proof, to investigate fraud and other matters, and to train, coach and assess employees.
Analysing personal data allows us to see how you use our products and services. We also use the results of our analyses to categorise clients into groups. This enables us to create client profiles and interest profiles. When producing these analyses, we sometimes also use information obtained from other parties and publicly accessible sources.
We also carry out research in order to improve our products and services. For example, we may ask you to give your reaction to a product or to review a product. You are not required to cooperate in such studies.
We sometimes use other parties to process your personal data for this purpose, for example in order to measure or ask you how we can improve our services. In that case, these other parties act on the instructions of Rabobank.
We process your data because we have a legitimate interest in this. We may also ask you for your consent to process your data for the purpose of developing and improving our products and services. If you do not give your consent for the purpose of developing and improving our products and services, this will not affect the services we provide to you. You can withdraw your consent at any time by contacting us.
- For account management of your account, promotional and marketing purposes
We process your personal data for account management, promotional and marketing purposes. In doing so, we use data we have obtained from you, such as payment data and your account activity , as well information not obtained directly from you, including public registers (such as the Companies Registration Office), publicly available sources (such as the internet) and other parties.
We may use your data to inform you about a product that might be of interest to you.
We may also use analyses to provide our clients with information for benchmarking purposes. If we use your data for these analyses or produce profiles, we will ensure that your data are pseudonymised to the greatest possible extent and that they are made only available to a few employees at the bank.
If you do not want us to use your data for the purpose of direct marketing by post, e-mail or telephone, you can let us know.
We process your data because we have a legitimate interest in this. We may also request your consent to process your data for promotional and marketing purposes. If you do not give your consent, this will not affect the services we provide to you. You can withdraw your consent by contacting us.
- To enter into and perform agreements with suppliers and other parties we work with
If you have contact with Rabobank for work-related reasons, we may process your personal data, for example so that we can establish whether you are permitted to represent your business, or so that we can give you access to our offices. Where necessary, we may consult incident registers and warning systems and all relevant international sanctions lists before we enter into our agreement and also while the agreement is in effect in the context of screening.
We process your data so that we can perform the agreement we have concluded, because we are required to do so by law or because we have a legitimate interest in this.
- To comply with legal obligations
Under various national and international legislation and regulations, we have to collect and analyse a large amount of data relating to you and sometimes transfer such information to European and other government authorities. We must comply with legislation, in order to be able to offer you financial products and services. We also process personal data in order to fulfil our duty of care.
We also have to comply with legislation designed to combat fraud, crime and terrorism, such as the Criminal Justice (Anti-Money Laundering) Acts (CJA). For example, we are required to perform customer due diligence and to conduct further inquiries if you hold specific assets or if an unusual transaction takes place in your account. If we spot an unusual transaction, we must notify the competent law enforcement agency. Under this law, we have to establish who the ultimate beneficial owner (UBO) is of a business or organisation with which we have a business relationship.
We may receive requests for data from the Taxation Authorities, the Garda Siochana and the Courts Service as well as organisations such as the intelligence services. If they do this, we are required by law to cooperate with the investigation and transfer data relating to you.
Providing data to the government
Legislation and regulations may require that we transfer data (analysed or otherwise) relating to you to a government institution, a tax authority or a regulator within or outside Ireland, such as the Central Bank of Ireland, the European Central Bank (ECB) or the Dutch Central Bank (DNB).
As we have to comply with legal obligations and treaties, we sometimes have to provide data relating to you to the Revenue Commissioners in Ireland or a foreign tax authority.
Making and documenting recordings
We may make recordings of telephone conversations and e-mail messages and may document these recordings. We do this to comply with legal obligations, for example in the context of banking services. We may also do this to provide proof, to monitor quality, to combat and investigate fraud, and to train, coach and assess employees.
We process your data because this is required by law, or because we would otherwise not be permitted to perform an agreement with you, or if we have a legitimate interest in processing your data so that we can comply with a statutory or other legal obligation.
- To carry out business processes and for the purpose of management reports and internal management
Know your customer
As a service provider, we believe it is important and necessary that we have a good picture of our clients. This includes knowing who you work with.
Determining credit risk associated with loans and credit facilities
Lending involves credit risk. We have to determine what that risk is, so that we can calculate the buffer we need to maintain. In connection with this, we process data relating to your loans and credit facilities.
Internal audits and studies
We also use your data to perform internal audits and investigations, for example in order to examine how well new rules have been introduced or to identify risks.
Improving our own business processes
We also use data to analyse and improve our business processes so that we can help you more effectively or make our processes more efficient. Where possible, we will anonymise (data that cannot be traced back to an individual in any way) or pseudonymise (data that can be linked to an individual if additional information is included) your data first.
We process your data because this is required by law or because we have a legitimate interest. Processing your personal data may also be necessary for the performance of our agreement with you.
- For archiving purposes, scientific or historic research purposes or statistical purposes
We may also process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. Where possible, we will anonymise or pseudonymise your data first.
When processing personal data for archiving purposes, scientific or historic research purposes or statistical purposes, we process the data on the basis of the legitimate interest of Rabobank, the financial sector or our clients and employees.
- How long does Rabobank keep your personal data?
We do not keep your data for any longer than necessary to fulfil the purposes for which we collected the data or the purposes for which data are reused. We have adopted a data retention policy. This policy specifies how long we keep data. In Ireland, this is usually for seven years following the termination of the relevant agreement or the ending of your business relationship with Rabobank. Data are sometimes kept for longer, for example if the regulator asks us to keep specific data for longer in the context of risk models. In some cases, we use different retention periods.
In specific situations, we may also keep data for longer than we are required by the retention period fixed by us. We will do this if, for example, the judicial authorities request data, in which case we will keep the material for longer than one month.
Once we no longer require the data for the purposes described in sections 6 a to 6 h, we may still keep the data for archiving purposes, in the event of legal proceedings, or for historic or scientific research purposes or statistical purposes.
- Does Rabobank also process special categories of personal data?
Special categories of personal data include data concerning health, biometric data and data which reveal racial or ethnic origin. We only process such information if we are required to do so.
In addition, we process special categories of personal data where this is permitted by law, because this information was made public by you, or with your permission, for example if you inform us that you have a visual impairment so that we can try and facilitate your needs. We ask for your consent to record this information. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact us.
- Does Rabobank use automated individual decision making including profiling?
We do not envisage that any decisions will be taken about you that produces legal effects or significantly affects you, based solely on automated individual decision making including profiling.
- Which people at Rabobank have access to your data?
Within Rabobank, your personal data can be accessed only by individuals who need to have access owing to their position. All of these people are bound by a duty of confidentiality.
- Does Rabobank use personal data for any other purposes?
If we want to use information for any purpose other than the purpose for which it was obtained, we may do this as long as the two purposes are closely related.
If there is not a sufficiently strong connection between the purpose for which we obtained the data and the new purpose, we will ask you to give your consent. If you have given us consent to record special categories of personal data, you may withdraw that consent at any time. To do this, please contact us.
- Does Rabobank transfer your personal data to other parties and to other countries outside the EU?
- Within Rabobank Group
Your personal data may be shared by divisions of Rabobank Group, for example because you ask us to do this, or because you also purchase a product from a different division of Rabobank. Information that has been used to establish your identity may also be used by another division of Rabobank with which you want to do business, for example.
These divisions of Rabobank may also be located in countries outside the European Union that apply less stringent data protection rules. We share your data with divisions of Rabobank Group, in which Rabobank holds a majority interest, only if the divisions comply with Rabobank’s rules, as set out in the Rabobank Privacy Code. The Rabobank Privacy Code describes the rules that all these divisions of Rabobank Group have to comply with. The Rabobank Privacy Code guarantees adequate protection of personal data.
- Outside Rabobank Group
Your data is also transferred to other parties outside Rabobank if we are required to do this by law, because we have to perform an agreement with you or because we engage another service provider.
We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as the Central Bank of Ireland (CBI) the Dutch Central Bank (DNB) and the European Central Bank (ECB), and the various tax authorities.
We also transfer data if this is necessary in order to perform our agreements with you. For example, we use third parties such as SWIFT to enable you to make payments internationally. These third parties are subject to supervision by their local regulators. This may mean that your payment and transaction data are transferred to other parties in countries that do not enjoy the same level of personal data protection as the European Union.
If your personal data are processed in a country with a different level of data protection, this may mean that your personal data are the subject of investigations by competent national authorities in the countries where the relevant information is held.
We sometimes engage other parties / business partners that process personal data on our instructions. Examples include printers that handle client mailshots for us and print your name and address on envelopes, parties that perform market research on Rabobank’s behalf, and parties that store data for us. Before such parties are engaged, we must first ensure they are sufficiently reliable. We may only engage parties if this is in keeping with the purpose for which we processed your personal data, for example for promotional and marketing purposes. Moreover, this other party can be engaged by us only if it reaches specific agreements with us, has demonstrably implemented appropriate security measures and guarantees that your personal data will remain confidential. Your personal data may also be shared with other parties that we engage in the course of our business or for the provision of our services.
If we transfer your data to other parties outside the European Union, we take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. If we make use of a third party located outside the European Union, and if the European Commission believes that the country in which this third party is located does not offer adequate protection in the area of personal data processing, we will only transfer your data if other, suitable guarantees are in place, such as the contractual arrangement approved by the European Commission, or on the basis of the Privacy Shield (United States).
- What rights do you concerning your personal data held by Rabobank?
- right of information
This privacy statement describes what Rabobank does with your data. In certain cases, we provide additional or different information. For example, if Rabobank records your personal data in its incident registers, it will inform you about this separately (provided it is permitted to do so). We will also do this if there are other reasons for providing you with information in addition to the privacy statement. We may do that by means of a letter, by leaving a message in your inbox or in another way to be determined by us.
- right of access to and rectification of personal data
You may ask us whether we process data relating to you, and if so, which data this concerns. In that case, we can provide you with access to the data processed by us that relates to you. If you believe your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).
- right to erasure (‘right to be forgotten’)
You may request that we erase data concerning yourself that we have recorded, for example if you object to the processing of your personal data. Your interest must also be greater than Rabobank’s interest in processing the data.
- right to restriction of processing
You may request that we restrict the personal data relating to you that we process. This means that we will process less personal data relating to you.
- right to data portability
You have the right to request that we supply you with data that you previously provided to Rabobank in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can do this only if this is technically feasible. In some cases, you do not need to submit a request to obtain the data you provided to us.
- right to object to processing based on a legitimate interest
If we process your data because we have a legitimate interest in doing so, for example if we make recordings of telephone calls but this is not required by law, you may object to this. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision, stating the reason.
- right to object to direct marketing
You have the right to request that we stop using your data for direct marketing purposes. It may be the case that your objection relates to being approached through a specific channel, for example if you no longer wish to be contacted by telephone but still want to receive our newsletters. We will then take steps to ensure you are no longer contacted through the relevant channel.
If you make a request as described above, we will respond no later than one month after we receive your request.
We may ask you to explain your request for access in more detail. For example, if you request access to recorded calls, we may ask you to provide search keys, such as the time the call was made and the number from which it was made. In very specific cases, we may extend this period in which we must respond to a maximum of three months. In that case, we will keep you informed about the progress made with your request.
If you make a request, we may ask you to provide proof of your identity. For example, if you submit a request to exercise your right of access or right to data portability, we will want to be certain that we provide your personal data to the right person. In some cases, we may ask you to come to the bank so that you can make your identity known and we can verify your identity. In some cases, there may be doubts as to whether we can send you the data securely. If so, we may ask you to come to the bank to collect your data.
In certain cases, we may not be able to comply with your request, for example because this would violate the rights of others, would be against the law or is not permitted by the Gardai, the DPP or another public authority, or because we have weighed up the relevant interests and determined that the interests of Rabobank or others in processing the data take precedence. In that case, we will inform you.
If we adjust your data or erase your data at your request, we will notify you of this and also inform the recipients of your data wherever possible.
- Who can you contact if you have a question or complaint concerning personal data held by Rabobank?
If you have any questions or complaints concerning the processing of personal data by us, please contact the Data Protection Officer by email at:
- Can Rabobank change this privacy statement?
Yes, our privacy statement may change from time to time. We will adjust the privacy statement when new data processing operations are introduced. If these changes are also relevant for you, we will draw your attention to these changes or clearly communicate them to you. The most recent version of our privacy statement is always made available online at www.rabobank.ie. You can also view previous versions on our website.