02 On what legal ground do we process your personal data?

Obviously, we may not request or use your personal data without good reason. By law, we are permitted to do this only if 'the processing has a basis'. 

This means that we may only use your personal data for one or more of the following reasons: 


We need your personal data to conclude a contract, for example if you want to open an account with us or take out a mortgage. 

Are you the representative of your company and has your company concluded, or does it want to conclude, a contract with us? Or are you the contact person, shareholder, managing director or ultimate beneficial owner (UBO) of this company or one of our corporate clients? If so, we use your personal data for other reasons than the performance of the contract. We also do this if you are merely the payee of a payment made by one of our clients.

Legal obligation

The law lays down many rules that we have to comply with as a bank. These rules state that we have to record your personal data and occasionally provide it to others. The following are just some examples of the legal obligations we have to comply with: 

  • Under the Dutch Financial Supervision Act (Wet op het financieel toezicht - Wft), we have a statutory duty of care. This means that we must assess your financial situation as accurately as we can. We can then take account of any changes you have to deal with.
  • We have to take steps to prevent and combat fraud, tax evasion, terrorist financing and money laundering. These include asking you to prove your identity so that we know who you are. This is why we keep a copy of your identity document.
  • We have legal obligations under the Dutch Bankruptcy Act (Faillissementswet) and under other laws that require us to keep your personal data, such as the Dutch Civil Code or specific provisions of the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme - Wwft).

Other organisations may occasionally ask banks to provide personal data. These organisations include the Dutch Tax and Customs Administration, the judicial authorities (financial fraud) and intelligence agencies (terrorism). In addition, banks are sometimes required to share personal data with supervisory authorities, such as the Netherlands Authority for the Financial Markets (AFM), the Dutch Central Bank (DNB) and the European Central Bank (ECB), for instance when they carry out research into business processes or specific clients or groups of clients. 

If the law or a supervisory authority stipulates that we must record or use your personal data, we are required to do this. In that case, it does not matter whether you are a client of ours or not. For example, every bank must check whether clients, and the representatives of clients (including corporate clients), are genuinely who they say they are. In addition, banks must keep a photocopy of an identity document for each of their clients. This means that we are not required to establish your identity if we only use your personal data because you are the payee of a payment made by one of our clients. Your personal data may, however, be used in fraud prevention activities such as transaction monitoring, or if we record your personal data in incident logs [see 'Warning system used by banks'].

Legitimate interest of the bank or others

We also have the right to use your personal data if we have a legitimate interest in doing so. In that case, we must be able to demonstrate that our interest in using your personal data outweighs your right to data protection. We therefore balance all the interests. We explain the situations in which this happens using a few examples:

  • We protect property and personal data belonging to you, to us and to others.
  • We protect our own financial position (so that we can assess whether you are able to repay your loan, for example), your interests and the interests of other clients (in the event of a bankruptcy, for example). 
  • We carry out fraud detection activities so that clients and ABN AMRO do not suffer losses as a result of fraud. In this context, we keep the financial transaction history of the payer and the payee.
  • We keep you up-to-date on product changes and send you tips, offers and other relevant news by means of direct marketing.
  • We aim to keep efficient records. We centralise our banking systems, make use of other service providers, and conduct statistical and scientific research. 

Someone else may also have a legitimate interest. For example, someone may accidentally transfer money to your bank account. In that case, we may, under certain conditions, provide your personal data to the person who issued the payment instruction. That person can then ask you to pay the money back. 

Even if you do not have a contract with us, we may still use your personal data either because this is necessary to ensure compliance with the law or on the basis of a legitimate interest. We will of course first check whether this is the case, for instance if your personal data is used for security purposes or for marketing purposes.