Privacy Statement

Every time you make a payment, receive money, engage in online banking, use our app, interact with us by email, chat or telephone or browse our website, you are sharing data with us. We also process personal data about you if you use other services from us. For example, if you are applying for a mortgage. Or want to become a customer with us. That data may tell something about you personally or about your behavior. We handle this data with care. This Privacy Statement explains how Rabobank handles the processing of your personal data. We illustrate this with examples

Privacy Statement October 2023

Personal data

This is data that directly or indirectly tells something about you. This could be, for example, your name and address or your income. Details about a sole proprietorship, general partnership or professional partnership are also personal data. This does not apply to the data of a legal entity, such as a private limited company (Dutch BV) or public limited company (Dutch NV). Details of the contact person or representative of a legal entity, however, are personal data.

Processing

Anything that can be done with your personal data is covered by processing. This includes the collection, storage of, access to, modification, disclosure and deletion of your data.

We process personal data of persons with whom we want to establish, have or have had a relationship. Or if we have had contact with you and/or your representatives. And of persons who are not customers of Rabobank and from whom we receive personal data directly or through others.

Some examples:

Anyone who shows an interest in Rabobank or our products and services and leaves data behind with data (e.g. online) for this purpose;

Anyone who has a product with or through us or uses one of our services;

Persons who are otherwise affiliated with a company or an organization with whom we seek to establish, have or have had a business relationship. For example, employees, directors or (ultimately) beneficial owner of organizations that Rabobank works with);

Collateral providers, for example, someone who is a guarantor for someone else;

Anyone who makes a payment into a Rabobank account or to whom money is transferred from a Rabobank account.

Persons who are not customers of Rabobank. For example, someone who visits the Rabobank website, (legal) representatives of our customers, tenants of our customers or other persons involved in a transaction with our customers or with us

Sometimes, businesses or organizations provide us with personal data. For example, data of employees, directors, Ultimate Beneficial Owners (UBOs) or other stakeholders. We also collect personal data ourselves, without your company or organization providing it to us. We may request such data from the Commercial Register, for example. We also record this data. We expect you to inform your employees, directors and other stakeholders about this. You can provide them with this Privacy Statement or a link to it, so they can read how we handle their personal data.

This Privacy Statement does not apply to very large corporate customers covered by Wholesale Banking. This Privacy Statement covers the processing of personal data by Coöperatieve Rabobank U.A. in the Netherlands and the following Group entities:

Rabo Direct Financing B.V.

Rabo Groen Bank

Rabo Vastgoedgroep

Rabo Lease

Rabo Environmental Lease

Rabo Factoring

Schretlen Estate Management Services B.V.

Data may be shared within Rabobank Group to the extent that this is permitted by law. This includes for example Obvion and DLL, in addition to the aforementioned group entities. You can see an overview of the Group entities here. When exchanging information, we adhere to the internal rules we have agreed within Rabobank Group: the Rabobank Privacy Codes. These rules describe how units of the Rabobank Group to which these Rabobank Privacy Codes apply handle personal data.

If you want to know more about the processing of personal data by Rabobank Wholesale Banking in the Netherlands or the processing of this data by Rabobank outside the Netherlands, you can read more about it at Rabobank.com.

We have separate privacy statements for some of our services. In these statements we explain how we handle your personal data for a specific service. This includes things like questions and answers in the Rabo App. Such a separate privacy statement or explanation supplements this Privacy Statement.

*Type of data*	*What types of data can this be?*	*What are examples of using this data?*
Data about who you are.	Name, address, phone number, email address, information that can be found on your ID.	To identify you, to draw up an agreement, to answer your questions or to contact you.
Location details.	Data showing where you are.	To know where and when you paid with a bank card. We do this to combat fraud.
Data on and for agreements.	Data about your financial situation, about the products you have, about your investment profile and the data for your loan, such as pay slips and the value of your home.	To assess whether a product suits you. For example, if you have or apply for a mortgage loan with us, we want to know whether this loan is appropriate.
Payment and transaction details.	Details about the person you paid, from whom you received a payment, when a payment was made and what the balance is on your account. We can enrich payment and transaction data. For example, by adding a category to it. Or to see if it is a recurring payment.	• To make a payment for you. • To check if the account number entered matches the name included on a payment order. • To execute an agreement with you. • For the protection of your and our safety. • To identify arrears early. • To give you insight into your finances. For example, through Insight in the Rabo App. • For research by Rabo Research.
Special categories of personal data, criminal data and Citizen Service Number (BSN).	Health data, biometric data, criminal data, data revealing racial or ethnic origin, data about your political affiliation, Citizen Service Number (BSN).	• We use your BSN to pass on your savings and loan details to the Dutch tax authority, among other things. • We record data about your health. For example, if you are blind and therefore want to receive Braille statements. We will do this if you give us permission. • In the context of payment transactions, special personal data may be visible. For example, if you transfer money to a political party. • We may also use biometric data, such as a facial scan, for establishing and verifying your identity.
Interview recordings, conversations with employees in our office, video calls, chat recordings, CCTV monitoring, emails and social media.	• Conversations that we have with you and of which we make a report. • CCTV footage we record in the banking hall or at the ATM.	• As proof. • For training our employees. • For improving our service provision.
Data that says something about the use of our website, app, and emails.	• Cookies • Pixels • IP address • Data about the device you use for interactions with online services or our website. • Fingerprinting. This technique allows us to distinguish your computer from another computer, which enables us to find out if your computer is controlled by someone else. With this, we try to protect you from unwanted actions. For example, against changing the contra account of a payment order unnoticed.	• To track your internet behavior on our website and app. • To make our website and app work properly and safely for you. • To provide personalized messages, advertisements or banners. • We use analytical cookies (such as Piano Analytics) to improve the website and app. We can use these even if you have an adblocker installed. • To combat fraud.
Data that we need for combating fraud, for your and our security and for the prevention of money laundering and terrorist financing.	• Data that we store in our internal and external referral registers, sanctions lists, location data, transaction data, identity data, camera images, cookies and IP addresses. • Data about the device, if you use it for online services or other services of or through us. • Data of the location where you pay.	• We conduct checks to see if you appear in our external or internal referral registers or on sanctions lists. • We may use your IP address, device data and cookies to combat online fraud, DDoS attacks and botnets.

We receive your data because you yourself share it with us. For example, when you enter into an agreement with us or leave your details on our website. We also process your data when you use our services. An example of our services are the payment services we offer.

Sometimes we do not obtain your information directly from you. For example, we can receive your data from:

Group entities within Rabobank Group, for example:
On fraud, money laundering or terrorist financing;
For internal administrative purposes;
For creating calculation models;
For improving our service provision;
As part of our duty of care.

Other (financial) institutions in the context of combating fraud, terrorist financing or money laundering.
Read more about this topic under “What does Rabobank use your personal data for”.

Suppliers or other parties we work with
If you apply for a loan, we receive data from the Credit Registration Office (BKR), for example. Other parties we work with include Calcasa and Dun & Bradstreet. We also receive data from the Land Registry, Company info, Statistics Netherlands (CBS), EDM, Post.nl and the Chamber of Commerce, among others.

Public sources such as public registers, newspapers, the Internet and (public) social media.
We can use these sources to prevent fraud and money laundering and protect the bank. But we also use public sources for relationship management, promotional and marketing purposes.

Another party
Because you have given that party permission to share data with us. For example, because you have given permission to another bank or payment service provider to transfer transaction data to us.

Indirect sources
This is data that we do not obtain directly from you. For example:
- If your employer takes out an insurance policy with us and provides us with your details.
- If your (legal) representative, such as a fiduciary administrator (in Dutch: bewindvoerder) or guardian (in Dutch: curator) or a third party engaged by you, discloses information to us. Examples of third parties include a broker appraiser, independent intermediary or tax advisor.
- If we fund a landlord and the landlord provides tenant information to us.
- If a customer has pledged receivables to Rabobank and there are personal data on so-called debtor lists.
- If other persons are involved in a transaction and the details of a payee can be seen.

We do not retain your data longer than necessary for the purposes for which we collected it or the purposes for which we reuse it. We have a retention policy in place. This policy specifies how long we retain data. In most cases, this is 7 years following the termination of the relevant agreement or the end of your (business) relationship with

Rabobank. Sometimes this period may be longer, such as if the regulatory body asks us to do so for risk modeling. Sometimes we use shorter retention periods. For example, we usually retain data relating to a payment order for only two years, conversation recordings for 6 months and camera recordings for 4 weeks.

We may keep data longer in special situations. We will do this if, for example, the judicial authorities request camera images, in which case we will keep the images for longer than four weeks. Or if you have submitted a complaint as a result of which the underlying data have to be retained for longer.

If we no longer need the data for the purposes described in Chapter 6, we may still retain the data for archiving purposes. The data can then be used in legal proceedings or for historical or scientific research or statistical purposes.

Special categories of personal data, criminal data and citizen service numbers (BSNs) are sensitive data. Special categories of personal data include data about your health, biometric data, ethnic data or data concerning race, for example. For some services, you can use your fingerprint, voice recognition or a facial scan. These are biometric data used for identification and in intermediate checks.

In addition, we process special categories of personal data where this is permitted by law, because this information was made public by you yourself or if we have your consent. For example if you ask us to record that you have a visual impairment and want to receive Braille bank statements. We will then ask your permission to record this data.

Special personal data may be disclosed in the context of payment transactions. For example, if you transfer money to a political party, this will be visible in the account information. We are required to provide this account information, and it is sometimes visible to other parties. For example, an account information service provider, if you have engaged one.

If you give us your consent to record special categories of personal data relating to you, or you have made this information public yourself, then we will only process such information if this is necessary for the provision of our services. You can withdraw your consent for recording at any time. Please contact Rabobank for this purpose.

We only process data from children under the age of 16 if they purchase a product from us or if the data is provided to us in the context of a product. If necessary, we will seek the legal representative’s permission to further process children’s data. When a payment is made to a Rabobank account from a minor's account with another bank, data of minors is also processed as part of the payment process.

We participate in incident registers and alert systems of the financial sector and we process criminal data for this purpose. We do this to protect our interests and those of financial institutions and their customers, for example by detecting and recording cases of fraud.

We will only use your BSN if this is permitted by law, for example, in order to pass on your savings balance or the amount of your loan to the Dutch tax authority.

Automatic decisions are decisions about you made by computers instead of humans. If a decision adversely affects you, we are not allowed to make an automated decision about you.

Except if this is necessary as part of an agreement of the bank, if it is permitted by the law or if you yourself give consent. In those situations, you have the right to consult with someone at the bank. And you have the right to object. You can also ask us to stop having the decision made by computers.

In the following situations, we sometimes use these fully automated decisions that affect or may affect you:

When calculating your credit score if you apply for a credit with us. We are required to use these credit scores when deciding whether or not to grant you a credit. Authorized employees use this score to determine whether or not you will be granted a credit. The decision not to grant you a credit is sometimes not made in a fully automated manner.

If a payment is made that deviates from your usual payment pattern, we may use fully automated decision-making to stop a payment (temporarily or otherwise) or to block the account. We do this to prevent fraud with your account. If a payment is stopped or an account is blocked, we will contact you about this as soon as possible.

We sometimes use data for a purpose other than that for which we received it. This is permitted when there is a close connection between the two purposes.

When taking out a mortgage loan, we sometimes share data with the insurance department. They can see if there are any implications for your insurance portfolio. This is because concluding a mortgage loan and maintaining the insurance portfolio are closely connected.

If there is not a sufficiently strong connection between the purpose for which we obtained the data and the new purpose, we will ask you for your consent if we want to use this data anyway. You can withdraw that consent at any time. Please contact Rabobank for this purpose.

a. Within Rabobank Group

Your personal data may be exchanged between business units of the Rabobank Group. For example because you ask us to do this, or because you also purchase a product from another unit of Rabobank. Data that establishes your identity may also be used by another unit of Rabobank with which you want to do business. We may also exchange your data in the context of fraud prevention, for the prevention of money laundering, risk management, internal administration, to improve the provision of our services to you and in the context of the duty of care.

Business units of Rabobank Group are sometimes located in countries outside the European Union where less stringent privacy rules apply. If we share your data with units of the Rabobank Group in which Rabobank

has a controlling interest, we will only do this if they comply with Rabobank's rules, as set out in the Rabobank Privacy Codes. The Rabobank Privacy Codes apply as so-called binding corporate rules (BCRs). They give a description of the rules that all these units of Rabobank Group have to comply with. The Rabobank Privacy Codes ensure an adequate level of personal data protection. Because of those codes, the same rules apply to those units of Rabobank and we are permitted to share data within the Rabobank Group.

b. Outside the Rabobank Group

Your data is also transferred to other parties outside Rabobank if we are required to do this by law, because we have to perform an agreement with you or because we deploy another service provider.

If we transfer data to another party that is itself the data controller, such a party is itself under the supervision of their own data protection supervisor. This can be the Dutch data protection authority but also a foreign one.

Competent (public) authorities

We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European supervisory authorities, such as the Dutch Authority for the Financial Markets (AFM), the Dutch Data Protection Authority, the Dutch Central Bank (DNB), the ECB, the Dutch Authority for Consumers and Markets (ACM) or the Dutch tax authority.

As part of the Code of Conduct for the Dutch banking sector, we sometimes have to provide personal data to the Foundation for Banking Ethics Enforcement (Stichting Tuchtrecht Banken). If you submit a complaint to the Financial Services Complaints Tribunal Kifid, a court or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), it may also be necessary to provide your personal data. For example, to defend your complaint. This also applies if you lodge a complaint with the BKR. Sometimes a court determines that we must share certain personal data about you with another person.

The tax authority, the police and the public prosecutor’s office, but also intelligence services and benefit agencies, for example, may request data from us based on a legal task or authorization. We are then required to cooperate in investigations and/or pass on data about you.

If we give you a credit or a loan, we also have to pass on data to the BKR in certain cases,

For example regarding the amount of the credit or loan, or if you fail to make a payment on time.

Our service providers

We also transfer data if this is necessary for keeping our agreements with you. For example, third parties – such as Swift, Mastercard and Visa – are involved to enable payments in the context of payment transactions. Also, the beneficiary of the payment, such as a web store, may have engaged a payment service provider.

Some international transfers involve not only the bank of the payment’s beneficiary, but often one or more correspondent banks. All of these banks then process your personal data. Currence iDEAL B.V. is involved in IDEAL payments. When you make a payment to an account of another bank or via another bank within or outside of Europe, this bank may also ask us to provide your data. This allows this other bank to fulfill its (legal) obligations. In that case we may also forward your date and place of birth, in addition to the usual data we provide along with the payment. We may also provide data to other (financial) service providers if this is necessary for fulfilling agreements made between Rabobank and these service providers. For example, if a payment requires further investigation.

Your personal data is sometimes transferred when making payments to or from countries outside the European Union to other parties in countries that do not have the same level of personal data protection as the European Union. If your personal data is processed in a country with a different level of protection, this may result, for example, in your personal data being used in investigations by competent national authorities in the countries where such data is located. Or your personal data may be used for other purposes which are not allowed in the Netherlands.

We also provide your information to other parties we use as part of our services or in our business operations. This includes bailiffs, accountants, collection agencies, administration offices, consultants and lawyers, for example.

If you have a legal representative, such as a fiduciary administrator (in Dutch: bewindvoerder) or guardian (in Dutch: curator) , we may provide your information to your fiduciary administrator or guardian . Also, your fiduciairy administrator or guardian can usually access your information through Rabo Online Banking and the Rabo App.

Sometimes you can pass on your information yourself or have it passed on to another party. For example:

if you want a third party to be able to verify your identity through iDIN;

if you want to provide access to your data to another party, such as an account information service provider that you provide with access to your account;

iDEAL, if you want to create or have an iDEAL user profile;

Ease2Pay, if you use parking in the Rabo App;

Net2Grid, if you use Energy Insight in the Rabo App. Net2Grid then retrieves data from your smart meter.

Intermediaries

If we act as an intermediary, we will exchange personal data. For example, if you take out an insurance policy with an insurer through us, we will share personal data with that insurer. We may also receive data about you from this insurer. We also act as an intermediary for FREO, a lender.

If you take out a mortgage with us through an intermediary, we will receive data about you through your intermediary and provide your data to this intermediary. At the start of the agreement but also during the term, we can share information with the intermediary. For example, we can let the intermediary know that the end of the fixed-interest period of the mortgage has been reached.

Referrals to other parties

If you agree, we may share your information with other parties. For example, with a provider of non-financial services whose products are shown in the Rabo App or with a debt counselor.

Business partners and our service providers

We sometimes engage other business partners as processors. As a result, they process personal data on our instructions. We will only do so if we consider these parties to be sufficiently reliable. We may only engage other parties if this is in keeping with the purpose for which we processed your personal data. Moreover, these other parties can only be engaged by us if they make specific agreements with us, have implemented demonstrably appropriate security measures and guarantee that your personal data will remain confidential.

For example, we may engage a printing company to handle a customer mailing for us which will print your name and address details on envelopes, or hire parties that place advertisements in apps and on websites on our behalf, or parties that perform market research on our behalf or store data for us.

These third parties may also be an IT or ICT provider. We may also store your data online (in a cloud) through a third party.

We may also engage other parties as processors to fulfill our own legal obligations in a better way. For example, we use Transaction Monitoring Netherlands (TMNL) to improve transaction monitoring by banks. Rabobank also engages a processor to make a better estimate of the number of homes owned by you. Under the Prevention of Money Laundering and Terrorist Financing Act, we are obliged to know this.

If we transfer your data to other parties outside the European Union (EU)/European Economic Area (EEA), we will take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. If we make use of a third party located outside the EU/EEA, we will assess to the best of our abilities whether this is sufficiently safe. For some countries, the European Commission has determined that there is an "adequate" level of personal data protection. For other countries, we use the standard contractual clauses approved by the European Commission.

In addition, we take additional (safety) measures if necessary.

a. Right to information

With this Privacy Statement, we inform you about what we do with your data. Sometimes we need to provide more information. For example, when we record your data in our incident logs. Then – if permitted – we will inform you separately by letter, by email or by another means of our choosing.

b. Right of access and rectification

You may ask us whether we process personal data relating to you and if so, which data this concerns. In that case, we can give you access to the personal data processed by us that relates to you. If you feel that your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).

c. Right to erasure of personal data

You may request that we erase data concerning yourself that we have recorded. However, we are not always obliged to do this. And sometimes we are not even allowed to do it. For example, if we still need to retain your data because of legal obligations.

d. Right to restriction

You may request that we temporarily restrict the personal data relating to you that we process. This means that we will temporarily process less personal data relating to you.

e. Right to data portability (transferability of data)

You have the right to request that we provide you with data that you previously provided to us in the context of an agreement with us or with your consent, in a structured, machine-readable format or that we transfer such data to another party. If you ask us to transfer data directly to another party, we will only be able to do this if it is technically feasible. Some data you have provided to us can be obtained by you yourself. For example, you can access your transaction details through our online services.

f. Right to object to the processing of your data

If we process your data because we have a legitimate interest in doing so you can object to this, with statement of the reason why you object. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision and the arguments on which we based this decision.

g. Right to object to direct marketing

You have the right to ask us to stop using your data for direct marketing purposes. You have this right even if you only object to being approached through a specific channel. For example, if you want to continue to receive offers via email, but no longer want to be contacted by phone. We will then ensure that you are no longer contacted through that particular channel.

On rabobank.com/yourrights you will find a description of how you can exercise each right. Sometimes you can exercise your rights immediately. For example, you can arrange the right to object to direct marketing yourself in the Rabo App or Rabo Online Banking. If this is not possible, you can submit a request using the online form.

If you have made a request to us, we will answer your request within one month of receiving your request.

We may ask you to explain your request for access in more detail. For example, if you request access to recorded calls, we may ask you to provide search terms, such as the time the call was made and the number from which it was made.

In very specific cases, we may extend the period in which we will respond to a maximum of three months. In that case, we will keep you informed of the progress made on your request.

We may ask you to come to the bank to identify yourself when you make a request to us. For example, in the event of a request for access and data portability. This is because we want to be sure that we are providing your data to the right person. If we are not sure whether we can safely send the data to you, we may also ask you to come to the bank to collect your data.

Sometimes we will be unable to process your request. For example:

Because the rights of others would be violated.

Because this would be against the law or is not permitted by the police, the public prosecution service or any other public authority.

Because we have weighed the relevant interests and determined that the interests of Rabobank or others in processing the data take precedence.

In that case, we will also inform you.

If we amend your data or erase your data at your request, we will inform you. And where possible, we will also inform the recipients of your data.

We have appointed Data Protection Officer at the bank. This officer monitors the implementation of and compliance with the General Data Protection Regulation (GDPR). If you are dissatisfied with the way your question or complaint was handled by us, you can contact this officer at dpo@rabobank.nl. Of course, you can also submit your question or complaint to the Dutch Data Protection Authority.

dpo@rabobank.nl

Dutch Data Protection Authority

Downloads

Privacy Statement 2023 ENG

Privacy Statement