Privacy Statement

You share all kinds of personal data with Rabobank without noticing it. This Statement provides information on how Rabobank UK approaches processing your personal data. This is clarified through examples that make it easier to understand.

Personal data

Information that says something directly or indirectly about you as an individual is referred to as personal data. Examples include your name and address, and also information such as your income or personal wealth.

Information relating to a sole trader, commercial partnership or professional partnership is also considered personal data when it relates to a natural person affiliated with or working for the legal entity.

Information relating to a legal entity is not personal data, but information relating to a legal entity’s contact person or representative does count as personal data.

Processing

Processing means anything that can be done with personal data. This includes the collection, storage, use, transfer and removal of data.

We process personal data if we have, want to have, or have had a business relationship with your company or other legal entity, you and/or your company’s representatives. The people whose personal data we process include:

People who show an interest in Rabobank or our products and services;

People who are connected in another way with a business or organisation with which we have, want to have or have had a business relationship (e.g. employees, executive directors, authorised representatives or (ultimate) beneficial owners);

Security providers and guarantors.

If your business or organisation transfers any personal data concerning employees, executive directors or ultimate beneficial owners to us, we expect your business or organisation to inform them about this. We also collect personal data of employees or executive directors not being provided directly by your company or organisation. For example, by retrieving these data from the Chamber of Commerce or other publicly available sources. We process this data as well. You can give this Privacy Statement to them so they can learn how we deal with their personal data.

This Privacy Statement describes how we deal with personal data processing by Coöperatieve Rabobank U.A trading as Rabobank London and also known as Rabobank UK, hereinafter Rabobank UK. Specifically, this Privacy Statements considers the processing of personal data by Rabobank UK. Personal data may be shared within the Rabobank Group to the extent that this is permitted by law. When sharing data within the Rabobank Group, we comply with the Rabobank Group Binding Corporate Rules referred to as the ‘Rabobank Privacy Codes’. These rules describe how the divisions of Rabobank Group deal with personal data.

Types of Data	What kinds of data might be involved?	Examples of how Rabobank uses this data
Information that allows an individual to be identified directly or indirectly.	Name, address, telephone number, e-mail address, information provided in your identity document.	For identification purpose, to draw up an agreement or to contact you.

Information relating to or used for agreements or financial statements.	Information about yours and/or your company’s financial situation, the products it has. Information used for obtaining finance.	To assess credit worthiness, or to assess whether a product / service is suitable.

Payment and transaction data.	When a payment is made, information about the person/entity you paid or who paid you and when the payment took place.	To ensure correct / timely processing of funds is performed. Also for anti-money laundering / counter terrorism financing and sanctions monitoring. For your security and ours.
Payment and transaction data.
Special categories of personal data / criminal data.	Information concerning your data related to criminal convictions and offences, data which may reveal your racial or ethnic origin or political opinions.	In the context of combating terrorism and tax obligations, we are required to record information about your country of birth. In addition, we may record special categories of personal data / criminal data in the context of anti-money laundering and facilitation of tax evasion and regulatory reporting from open sources.
Special categories of personal data / criminal data.
Recorded calls, conversations with Rabobank employees, recordings of video calls, online chat sessions, video surveillance, recorded e-mails and social media.	Conversations we have with you, and you have with us, by telephone.	We may use the recorded calls and e-mails to combat fraud, to fulfil any legal obligations.

	E-mails you send to us and which we receive from you.	We may also process records of physical access to our banking premises.

	Camera images that we take in banking premises.

Data that says something about the use of our website.	Cookies, IP address and data relating to the device on which you use our online services or our website.	To enable our online services to be used and to combat fraud.

		To improve our website.
Data we receive from other parties.	Data may be obtained from the Chamber of Commerce, Credit Reference Agencies.	We use this information to check Directors and ultimate beneficial owners' details.

	Businesses to which you have given consent to share your data (e.g. other banks and data brokers).

Data we share with other parties.	Financial information and transaction data upon request of the relevant enforcement agencies and regulators.	We are required to provide specific data to tax authorities and to relevant national regulators.

	We share client identification documents with other Rabobank wholesale group entities.	You may also ask us to share specific data with a third party.

	Data we provide to other parties within the Group that we engage to help us provide services.	We may be required to share data with the relevant authorities and regulatory bodies as part of compliance with the anti-money laundering, counter terrorism financing, anti-bribery & corruption, tax evasion and fraud prevention laws and / or regulations.

	Data you have asked us to share with another party.

	Information required to meet our regulatory or legal reporting commitments.

Data we require to combat fraud, to ensure your security and ours, and to prevent money laundering and the financing of terrorism or other financial crime.	The data we keep in our internal and external referral registers (where permitted by law), sanction lists, location information, transaction data, identity information, camera images and payment details, cookies, IP address and data relating to the device on which you use online services.	In order to comply with legal obligations and prevent you, the financial sector, Rabobank or our employees from becoming the victims of fraud, for security reasons and to protect the financial markets, we might check whether you appear in our external or internal referral registers and we have to check whether your name appears in sanction lists.

		We may use your IP address, device details and cookies to combat online fraud (DDoS attacks) and botnets.

We receive your personal data because your company provides it to us. Examples include data you enter on our website yourself in order that we can contact you, and data arising from the services we provide in areas such as syndicated loans and payments. We may also receive your data from:

Business units within Rabobank Group, for example
a) In the context of combating fraud, money laundering, terrorism or other financial crime
b) Internal administrative business processes
c) To create and execute risk models
d) To improve our services
e) In the context of our duty of care
Other financial institutions in the context of combatting fraud, money laundering or terrorism or other financial crime, suppliers or other parties we work with. For example, Accuity, Reuters or Bloomberg.
Public sources like newspapers, public registers, websites and open sources of social media.
Another party in case you have given your consent to share data with us.

We need to know you and your company well in order to provide you with our services. It is for this reason that we need to collect and process your personal data. There are a number of purposes for which we process data, such as to conclude a business arrangement with you or to meet our legal obligations. The purposes and legal basis for which we process your personal data are described in section 7a – 7i.

A. To enter into a business relationship and agreement with your company

We need to have your personal data if your company wants to become a client, or if you want to use a new product or service or contact us.

For example, we have to perform research to assess whether we can accept your company as a client. When your company becomes a client, we have to establish your identity to comply with our legal obligations. As part of this, we may make a photocopy of your proof of identity.

We check that your company and / or you are not on any national or international sanction lists.

Legal Basis

For the most part, we process your personal data because we are under a legal obligation to do so. If, however, this legal obligation does not apply directly to Rabobank, we have a legitimate interest in processing your personal data for the above mentioned purposes. We must then be able to demonstrate that our interest in using your personal data outweighs your right to privacy. We therefore weigh all interests. We may also process such data where this is necessary to conclude the agreement.

B. To perform agreements and carry out instructions

We execute the instructions we receive from your company and perform the agreements we have concluded. This is what we have agreed with your company. We process personal data for this purpose.

If your company makes a payment through us, we transfer your data to another bank. The payee can also see and record your payment data. Both the person who issues the payment instruction and the beneficiary (payee) may enquire about specific data relating to the other party’s account.

When executing a payment instruction. If it does not, we will bring this to your notice. Your company and / or you can then decide whether to continue with the payment instruction or adjust it.

We might make recordings of telephone conversations, e-mail messages, camera images, for example, and may document these recordings. The purposes for which may include proving that you issued a particular investment instruction. We may also do this if we are legally required to do so, o to provide proof, during a fraud investigation.

Your company may also ask us to divulge your personal data to a third party, in which case we will transfer your personal data to that party.

Legal Basis

We process personal data because this is necessary in order to perform the agreement and / or because we are under a legal obligation to do so (e.g. in the context of payments). If your company and / or you do not provide certain information to us we will not be able to perform the agreement. In a number of cases, we have a legitimate interest in processing your personal data, for example, when making recordings of telephone calls (except for in the case of investments, in which case telephone calls must be recorded by law).

C. To ensure your security and integrity as well as the security and integrity of the bank and the financial sector

We process your personal data to ensure the security of you, us and the financial sector. We also do this for the purpose of preventing fraud, money laundering, the financing of terrorism or other financial crime.

Customer Due Diligence

When we enter into a business relationship with your company, but also throughout our business relationship, we will check whether we can still accept you, your representatives, ultimate beneficial owners or other controlling persons as our client. For example, we may re-perform customer due diligence assessments on the basis of the persons your company do business with.

Fraud and money laundering

We may perform analysis aimed at preventing fraud and money laundering and protecting you and the bank. We may also use the IBAN-Name-Check for other parties in connection with preventing, detecting and combating the misuse of the payment system.

We might make recordings of telephone conversations, e-mail messages and camera images, for example, and may document these recordings. We do this in the context of investigating fraud. We may also do this if we are legally required to do so.

Legal Basis

We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of a legitimate interest of Rabobank, the financial sector or our clients and employees.

D. To enter into and perform agreements with suppliers and other parties we work with

If you have contact with Rabobank for work-related reasons, we may process your personal data, for example, so that we can establish whether you are permitted to represent your business, or so that we can give you access to our offices. Where necessary, we may consult incident registers and warning systems before we enter into our agreement and also while the agreement is in effect in the context of screening.

Legal Basis

We process your data on one of the following lawful bases, to perform the agreement we have concluded, to comply with the law or on the basis of our legitimate interest.

E. To comply with legal obligations

Legislation

Under various national and international legislation and regulations, we have to collect and analyse data relating to you and sometimes transfer such information to competent government authorities. We must comply with legislation, in order to be able to offer your company financial products and services. We also process personal data in order to fulfil our duty of care.

We also have to comply with legislation designed to combat fraud, crime and terrorism. For example, we are required to perform customer due diligence and to conduct further inquiries if your organisation holds specific assets or if an unusual transaction takes place in the related accounts. If we spot an unusual transaction, we must notify the competent law enforcement agency. Under the existing legal and regulatory framework which applies to the entities in scope of this statement, we have to establish who the ultimate beneficial owner is of a business or organisation with which we have a business relationship. We might be required to cooperate with other banks.

We may receive requests for data from tax authorities, the police or other investigatory bodies as well as organisations such as the intelligence services. If they do this, we are required by law to cooperate with the investigation and transfer data relating to you. We might collaborate with, for example, the police to prevent large scale fraud, money laundering, financing of terrorism or other financial crime.

Providing data to the government

Legislation and regulations may require that we transfer data (analysed or otherwise) to you to a government institution, a tax authority or a regulator. As we have to comply with legal obligations and treaties, we sometimes have to provide data relating to you to the relevant tax authorities.

Making and documenting recordings

We might make recordings of telephone conversations and e-mail messages for example, and may document these recordings. We do this to comply with legal obligations, for example in the context of investment services. We may also do this to provide proof, to combat and investigate fraud.

Legal Basis

We process your data because this is required by law, or because we would otherwise not be permitted to perform an agreement with you, or if we have a legitimate interest in processing your data so that we can comply with a statutory or other legal obligation.

F. To carry out business processes and for the purpose of management reports and internal management

Audits and investigations

We also use your data to perform our internal and external audits and investigations or a third party we call in, for example in order to examine how well new rules have been introduced or to identify risks.

Legal Basis

We process your data because this is required by law or because we have a legitimate interest.

G. For archiving purposes

We may also process your personal data if this is necessary for archiving purposes in accordance with our data retention obligations.

Legal Basis

When processing personal data for archiving purposes we process the data on the basis of legal obligation or the legitimate interest of Rabobank, the financial sector or our clients and employees.

We may use the “legitimate interest” basis to process your personal data. In this instance, we make a trade-off between the interests of Rabobank and the violation of your privacy. Our interests include, for example, the following:

We protect our own financial position (for example, to assess whether you can repay your loan or if we want to sell your loan or other obligations).

We combat fraud to protect us, (and the financial sector), to ensure security (yours and ours) and to prevent damage.

We need to improve our business processes, take measures in the context of company management and perform audits on our internal processes.

We transfer loans, merge or take over companies to remain a financially sound bank.

We have an interest in the financial well-being of our clients. We take measures to help you. We try to identify at the earliest stage possible, payment arrears from running up.

When we process data on the basis of our legitimate interests, we must weigh our interests (or the interests of third parties) against your interests and your right to privacy. We must consider whether we could achieve the same objectives in another way and we must determine whether we really need all the data we wish to collect.

Sensitive data is not processed on the basis of our legitimate interests. This is because the processing of sensitive data to achieve legitimate interests would likely fail the weighting test described above.

Sometimes laws and regulations do not clearly establish an obligation to process your personal data ()or perhaps the law or regulation might not apply directly to us). In these instances, we may process personal data on the basis of a legitimate interest, for example, our legitimate interest of maintaining the safety and security of the financial sector (e.g. when we make risk models). An example of processing on the basis of legitimate interest includes making telephone recordings during an inbound or outbound call in order to combat fraud.

We do not keep your data for any longer than necessary and only retain the information if there is a legitimate business requirement such as complying with applicable laws and regulations.

When there is no ongoing business relationship and no legitimate business need to retain your personal data, the data will either be anonymised or deleted. In limited occasions where this is not possible (data in backup and archiving systems), the information is segregated and securely stored until it is possible to delete.

Within Rabobank Group

Your personal data may be shared with divisions of Rabobank Group, for example, because you ask us to do this, or because you also purchase a product from a different division of Rabobank. For example, information that has been used to establish your identity may also be used by another division of Rabobank with which you want to do business. We may also exchange your data to combat fraud, prevent money laundering or other financial crime, for risk management purposes, internal administration, to improve services or in the context of the duty of care.

These divisions of Rabobank may also be located in countries outside the United Kingdom or the European Union that may apply less stringent data protection rules. We share your data with divisions of Rabobank Group, in which Rabobank holds a majority interest, only if the divisions comply with Rabobank’s rules, as set out in the Rabobank Privacy Code. The Rabobank Privacy Code describes the rules that all these divisions of Rabobank Group have to comply with. The Rabobank Privacy Code guarantees adequate protection of personal data.

Outside Rabobank Group

Your data may also be transferred to other parties outside Rabobank if we are required to do this by law, because we have to perform an agreement with your company or because we engage another service provider. Where personal data is shared with third parties we ensure necessary safeguards are in place to ensure adequate levels of security.

Competent Authorities

We transfer your personal data to third parties if we are required to do so. If your company and / or you file a complaint with a data protection authority, we might have to provide them with your personal data. National tax authorities, the police, and intelligence agencies could ask us to provide information. We have a legal obligation to cooperate on investigations and provide them with your data.

Our service providers

We also transfer data if this is necessary in order to perform our agreements with your company.

These third parties are subject to supervision by their local regulators. This could mean that your payment and transaction data are transferred to other parties in countries that do not enjoy the same level of personal data protection as the United Kingdom or the European Union. If your personal data are processed in a country with a different level of data protection this may mean that your personal data are the subject of investigations by competent national authorities in the countries where the relevant information is held.

We also provide your company and / or your data to other parties that we need to involve in the context of providing our services, such as bailiffs, lawyers, accountants, collection agencies and consultants. If you are placed under administration, we might have to provide your data to your administrator.

Business partners / other parties

We sometimes engage other entities / business partners that process personal data on our instructions. Examples include printers that handle client mailouts for us and print names and addresses on envelopes or parties that store data for us. Before such parties are engaged, we must first ensure they are sufficiently reliable. We may only engage parties if this is in keeping with the purpose for which we process your personal data. Moreover, we can only engage third parties who enter into specific agreements with us (e.g. Data Processing Agreements), have demonstrably implemented appropriate security measures and who guarantee that your personal data will remain confidential. Your personal data may also be shared with other parties that we engage in the course of our business or for the provision of our services.

If we transfer your data to other parties outside the United Kingdom or the European Union, we take additional measures to protect your data. In some countries outside the United Kingdom or the European Union, the rules for protecting your data are different from those that apply within the United Kingdom or the European Union. Then we assess, as far as is possible, whether this can be done safely. For some countries, the United Kingdom Government and the European Commission has determined that there is an ‘adequate’ level of protection for personal data. For other countries, we use the standard contractual clauses approved by the United Kingdom Regulator or the European Commission. In addition, we take additional (safety) measures if necessary.

A. Right to transparency of information

This Privacy Statement describes what Rabobank does with your data. In certain cases, we provide additional or different information. We may do that by means of a letter, by leaving a message in your secure inbox or in another way to be determined by us.

B. Right of access to and right to rectification of personal data

You may ask us whether we process data relating to you, and if so, which data this concerns. In that case, we can provide you with access to the data processed by us that relates to you. If you believe your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).

C. Right to be forgotten

You may request that we erase data concerning yourself that we have recorded, for example, if you object to the processing of your personal data. This may not always be possible if for example, we still have to store your data due to legal obligations.

D. Right to restriction of processing

You may request that we temporarily restrict the processing of personal data relating to you. This means that we will temporarily process less personal data relating to you.

E. The right to not be subject to fully automated decision-making

Automated decisions are decisions about you that are made by computers and not / no longer by people. Rabobank is legally entitled to make use of automated decision-making including profiling. But this is subject to certain rules. Does a decision have legal consequences for you, or could you be disadvantaged by it? If so, then we would not be allowed to make an automatic decision on you.

F. Right to data portability

The right to data portability is only provided when processing is in the scope of the United Kingdom or European Union General Data Protection Regulation and processing is: on the basis of a contract or consent and processing is carried out by automated means. If these conditions have been met, then you have the right to request that we supply you with data that you previously provided to Rabobank in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can do this only if this is technically feasible.

It should be noted that the right to data portability is limited in the scope of wholesale banking as natural persons do not hold accounts with Rabobank.

G. Right to object to processing

If we process your data because we have a legitimate interest in doing so, for example if we make recordings of telephone calls but this is not required by law, you may object to this. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if you interest outweighs our interest. We will inform you of our decision, stating the reason.

H. Right to object to direct marketing

In principle, we do not process personal data for the purposes of direct marketing. However, should this become relevant you have the right to request that we stop using your data for direct marketing purposes. It may be the case that your objection only relates to being approached through a specific channel, for example, if you no longer wish to be contacted by telephone but still want to receive our offerings per e-mail. We will then take steps to ensure you are no longer contacted through the relevant channel.

If you make a request as described above, we will respond no later than one month after we receive your request. In very specific cases, we may extend this period in which we must respond to a maximum of three months. In that case, we will keep you informed about the progress made with your request.

If you make a request, we may ask you to provide proof of your identity. For example, if you submit a request to exercise your right of access, we would like to be certain that we provide your personal data to the right person. In that case, we will ask you to produce identification documents so that we can verify your identity.

In certain cases, we may not be able to comply with your request, for example, because this would violate the rights of others, would be against the law or is not permitted by the police or other public authority, or because we have weighed up the relevant interests and determined that the interests of Rabobank or others in processing the data take precedence. In that case, we will inform you.

If we adjust your data or erase your data at your request, we will notify you of this and also inform the recipients of your data wherever necessary.

If you have any questions concerning the processing of personal data by us, please contact:

The Rabobank division with which you do business in the case of matters concerning the exercising of your rights and other questions about the processing of your personal data; or
The Rabobank UK Data Privacy team which can be contacted by email via: fm.uk.london.dataprivacy; or
The Data Protection Officer who can be contacted by email via: dpo@rabobank.nl

If you have a complaint concerning the processing of your personal data by Rabobank UK, please contact the Rabobank contacts provided in the section above; or you also have the right to file a complaint with the United Kingdom Data Protection Authority: The Information Commissioner’s Office (ICO)

The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow, Cheshire SK9 5AF
Tel: +44 1625 545 745

Email Rabobank UK Data Privacy team: fm.uk.london.dataprivacy

Email Data Protection Officer: dpo@rabobank.nl

Email The Information Commissioner’s Office: international.team@ico.org.uk

Website The Information Commissioner’s Office