Privacy Statement

ABN AMRO Bank N.V. and your personal data
This privacy statement tells you how we handle your personal data. Every time you pay, receive money, use internet banking, use our ABN AMRO app, email, chat, telephone us, or fill in and submit a form, for example when applying for a mortgage or personal loan, you are sharing data with us. You can trust us to handle your personal data with care. For some of the bank’s apps, websites or services, the use of personal data may differ from what we describe in this privacy statement. This applies, for example, if you are a job applicant or a user of the Tikkie app. In those cases, you will find a different privacy statement in the app, on the website or you will be given additional information with the specific (online) service. We think it is important that you are aware of these and are not surprised.
In addition, we may process personal data of persons who do not have an agreement with us. For example, when we record - and use - personal data of contact persons at companies to whom we provide our services. Or shareholders of these companies, or Ultimate Beneficial Owners (UBOs) of these companies. We may also process data of individuals who, for example, act as guarantors for our clients.
This privacy notice is available online and easily accessible. Do you have a company that is a client of ours? And does this company have shareholders or contacts who correspond about your company or does this company have UBOs? Then please provide this privacy notice to them. Then these individuals can easily find out how we handle their personal data.
To enable payments, we process personal data of persons with whom we do not have an agreement.
For example, consider the data of the person to whom you transfer money and who has a bank account with another bank.
Are you one of these persons? Then this privacy notice is also meant for you.
Our contact for your questions on privacy
We have a Data Protection Officer within our company. You can read how to contact us under the heading “Do you have a complaint, question or is something unclear?”.
Who is responsible for your data?
This Privacy Statement applies to the processing of personal data of websites and apps (further: ‘Websites’ and ‘Apps’) of ABN AMRO Bank NV and subsidiary ABN AMRO Hypothekengroep B.V., also trading as Florius, hereinafter referred to as ‘ABN AMRO’.
Personal data say something about you. The best known personal data are name, (email) address, age and date of birth. Your bank account, telephone number, IP address and your BSN are also personal data.
A special type of personal data are special categories of personal data. These are, for example, data about your health. But biometric data can also be a special category of personal data. Think of the use of facial recognition when becoming a digital customer, when this is used to identify you. We may only use this personal data if the law states that it is allowed or if you give your explicit consent. Otherwise, we do not.
Your personal data that we have received from others
We may use the personal data we retrieve about you and in some cases we are even obliged to do so. This is the case, for example, if your partner also applies for a loan on your behalf. It may also involve data from other sources. For example:
(Public) registers containing your data, such as the Central Curate and Administration Register, the Land Registry, the BKR and the Chamber of Commerce;
Public sources such as newspapers, the internet and sections of social media that are not private. We do this, for example, because we need to be able to investigate fraud or other forms of crime;
Monitoring and compliance with Sanctions legislation;
Files of other parties who have collected data about you, such as external marketing agencies or trade information agencies. We use this information if permitted by law.
Of course, we are not allowed to request or use your personal data just like that. The law states that this is only allowed if there is ‘a basis for processing’. This means that we may only use your personal data if there are one or more of the following reasons for doing so:
Agreement
We need your personal data to enter into and also perform an agreement, for example if you want to open an account with us or take out a mortgage. This also applies when we provide innovative services to you, for example in the context of payment services for contactless payments.
Are you the representative of your company and does your company want to enter into an agreement with us? Or are you the contact person, shareholder, director or UBO of this company or one of our business customers? If so, we will use your personal data for reasons other than concluding or executing the agreement. We do this even if you are only a beneficiary of a payment from one of our customers.
Legal obligation
There are many rules laid down by law to which we, as a bank, must adhere. These rules state that we must record your personal data and sometimes give it to others. We give below some examples of legal obligations we have to comply with:
Under the Financial Supervision Act (Wft), for example, we have a duty to take measures to prevent over-crediting. This means that we must use your personal data to have a clear picture of your financial situation when you take out a personal loan or mortgage with us. We also use your personal data to inform you about changes in interest rates and conditions.
When granting a loan and during the term of the agreement with you, we must also comply with European laws and regulations. We are required to understand both our customers’ financial risks and the bank’s financial risks when granting loans, and to assess whether customers continue to meet their payment obligations during the term of a personal loan or mortgage you have taken out with us. To do this, we need information about your financial situation. We may also request this from you or from third parties (e.g. BKR).
We must take measures to prevent and combat fraud, tax evasion, terrorist financing and money laundering. What do you notice of this? For example, we ask you to identify yourself so that we know who you are. This is why we keep a copy of your identity document with a watermark. In this case, you may not hide your BSN and your passport photograph. Sometimes the bank asks for a copy of your passport, for example to be more certain that contracts have been signed by the right person or when applying for a new product. In that case, you may shield your BSN and passport photo and we will not keep the copy.
We may also ask you questions about certain transactions, what your source of income is or ask for an explanation about the origin of your assets. More information on this can be found on the website of De Nederlandsche Bank (DNB).
There are laws that require us to keep your personal data, for example, the Civil Code (BW), the Financial Supervision Act (Wft), the Money Laundering and Terrorist Financing Act (Wwft) or the Bankruptcy Act (Fw).
Other organisations may sometimes request data from banks and in some cases we are obliged to provide this data to this third party. Examples include the Tax Authorities (for information reporting purposes, a reporting obligation with the aim of preventing tax evasion, CESOP or DAC 6) and investigation services that request data for the purpose of criminal investigations such as financial fraud and in the case of money laundering or terrorist financing. Furthermore, banks, and therefore we too, sometimes have to share personal data with regulators, such as the Financial Markets Authority (AFM), De Nederlandsche Bank (DNB) and the European Central Bank (ECB). For instance, if they are investigating business processes or certain (groups of) customers. In the context of the Banking Disciplinary Act, we sometimes have to provide personal data to the Banking Disciplinary Foundation.
If the law or the regulator indicates that we must record or use your data, we are obliged to do so. In such cases, it does not matter whether you are a customer with us or not. For example, every bank must check whether customers or representatives of (business) customers are really who they say they are. Identification is, however, not necessary if, for example, we only use your personal data because you are a beneficiary of a payment from one of our customers and you are not a customer of ours.
Legitimate interest of the bank or others
We may use your personal data if we ourselves have a ‘legitimate interest’ in doing so. We therefore weigh up all interests. But when is this?
We protect property and personal data belonging to you, to us and to others.
We protect our own financial position (e.g. by assessing whether you can repay your loan or if we sell your loan or other obligations), your interest and the interest of others (e.g. in case of bankruptcy).
We engage in fraud detection to help prevent harm to you and to us as a result of fraud.
You will receive relevant tips and offers on the bank’s products and services. Regardless of whether you bank with us privately or professionally. And if you have taken out a mortgage with us, for example, we can also offer you a current account or an investment account.
We want to run our administration efficiently and improve our data quality. We do this to provide you with the best possible service. We also need to organise our banking systems optimally and efficiently to meet our legal obligations.
We research how we can improve our current core processes, (further) develop products and services and how we can better comply with legal obligations. To this end, we may use new technologies such as artificial intelligence. For each situation, we will consider which data we can use to develop, train and test new technologies.
We are constantly looking for appropriate ways to secure your and our data as well as possible.
The Economic Bureau of ABN AMRO conducts independent statistical research on the basis of aggregated data into, among other things, macro-economic trends such as growth of Dutch industry, consumer behaviour or economic impact on climate change. ABN AMRO’s Economics Department sometimes collaborates with universities to conduct academic research.
Given our social role in society, we can conduct research on socially relevant topics such as improving fraud prevention including online bank fraud.
Someone else may also have a legitimate interest. Suppose someone has accidentally or under false pretences transferred money to your bank account. Then, under certain conditions, we may give your personal data to the originator of the payment. He can then ask you to refund the amount. You can find more information on the website of the Payments Association.
Even if you do not have an agreement with us, we may use your personal data because this is necessary to comply with the law or on the basis of a legitimate interest. Of course, we first check whether this is the case.
We usually use your personal data without your legal consent. The law allows this. We do this because:
this is necessary because of the agreement we have with you. After all, we need personal data from you to enter into and perform the agreement.
the law states that we must use your personal data, for example to identify you as a customer.
there is a legitimate interest of the bank or a third party, such as when fighting fraud and if we want to send you a message about Safe Banking.
Sometimes we do have to ask for your consent. We will then first explain to you what we use the personal data for before you consent and provide us with your personal data. We advise you to carefully read the information we give you on the use of your personal data first.
Have you given consent? And would you like to withdraw it? This can be done very simply. You can read how to do this for example in the form or in the app where your consent is explicitly asked for.
When do we ask for your permission?
At least in the following cases:
If we use biometric technologies, such as facial recognition for identity verification, for example.
If we place cookies and similar techniques on our websites and/or apps to provide you with personalised offers. You can read more about this in the Cookie Statement.
If we want to send you commercial messages about products or services of one of our Partners, for example in the context of sustainable real estate for entrepreneurs. On our website doorpakken.abnamro.nl, we ask your consent to contact you if you are interested in a product of one of our Partners.
If we send you commercial messages based on your individual payment details. You can read more about this under “Tips and Offers”.
If we use automated decision-making based on profiling and the law states that we need your consent to do so.
Before we categorise your transaction data for the ABN AMRO app functionality “Insight into Money Matters” to give you insight into income and expenses such as fixed charges and subscriptions.
Before we share your financial data within the ABN AMRO Group for the purpose of our marketing activities. This includes sharing balance data from Bux with ABN AMRO for the purpose of customer segmentation for our Preferred Banking service.
Access to payment accounts with permission
You can give third parties access to your payment data. The PSD2 Directive allows this. If another party requests access to your payment data and your account information so that you can use external (payment) services, you first give permission to the provider of this service. You will then confirm to us that this party obtains access to your account information at ABN AMRO. If you wish to add your accounts held at other banks to ABN AMRO Internet Banking and the ABN AMRO app, you will also give permission.
We use your personal data to make our organisation and our services as good, reliable and efficient as possible. This includes the following 7 purposes:
Agreement. To enter into and perform agreements with you. For example, without your personal data we cannot offer you a current account, transfer money to or from your accounts for you or enter into a mortgage agreement with you. We also check during the term of your mortgage or credit agreement whether you can continue to meet your payment obligations. This allows us to intervene or warn you in time if we expect that you will no longer be able to repay your debts (on time).
Research to improve our internal operations, products and services. We research trends and use personal data to analyse and further develop our products and services. We conduct research to check whether new and existing rules can be properly complied with. In this way, we can prevent complaints and damages. We also need to test whether systems (that enable us to provide our services to you or that we need to use to comply with the law) are working properly or investigate whether new technologies help us to better comply with the law, for example, or to serve you best.
Macroeconomic research. We also do research on economic trends. Sometimes in collaboration with universities. This helps us better understand the economy. We do not share and/or publish research results or reports with other parties from which your personal data can be derived.
Marketing. You will receive tips and offers that suit you and can benefit you as a customer. In doing so, we use personal data that we have received from you. For example, because you once requested information about sustainable products and services. Or because you are already a customer with us. We may also use personal data obtained from others. For example, from public data sources and from marketing agencies. Only if this is allowed by law.
Security and integrity of our bank and our industry. We are obliged to safeguard the security and integrity of the financial sector. Therefore, we may use your personal data to combat or prevent (attempted) criminal or reprehensible behaviour. For example, in cases of fraud or terrorism. This allows us to safeguard our security and integrity, that of the financial sector, our employees and you as a customer. We may also use your data for our internal and external warning systems.
Social responsibility and research. As a bank, we play an important role in society. Within the limits of the law, we take our own responsibility and may also participate in partnerships with public parties and with other (financial) institutions. From our specific social position, we want to contribute positively to certain social problems such as human rights violations, environment and climate. Examples include helping customers make their homes or businesses more sustainable and participating in joint ventures with other (financial) institutions in the field of combating terrorist financing or undermining crime and serious crimes. From our social position, we also want to contribute to our customers’ financial wellbeing within the limits of the law. We offer customers insight into money matters and provide budget coaching.
Legal Obligation. We help fight terrorist financing, money laundering and fraud. For example, by reporting unusual transactions or by recognising, stopping and, if necessary, verifying possible fraudulent transactions with you. (Foreign) government bodies also request data from us if they want to investigate problems or criminal offences. We then check whether there is a good reason for this.
The right to privacy protection is always central. We will always check whether use of personal data is permitted. Banks are one of the most regulated industries. This means we have to comply with many regulations. These are not only European or Dutch rules but also laws from other countries. This therefore also requires us to record, store and sometimes give personal data to authorised bodies. Here too, we always check first whether this is permitted.
Have you not concluded an agreement with us? Then we do not process your personal data to conclude and execute an agreement with you. However, we may use your personal data for other purposes, such as fraud detection. We always check first whether the use for other purposes is permitted.
Other purposes
We may use your personal data for purposes other than those for which you have given us the personal data. The new purpose must then fit in with the purpose for which you initially gave us your personal data. This is called ‘compatible use of data’ in the law. The law does not say exactly when this is the case, but does provide pointers:
Is there a clear connection to the purpose for which you previously gave the personal data? Does the new purpose fit within the original purpose?
How did we ever receive the personal data? Did we receive the personal data from you or by some other means?
Exactly what kind of personal data is involved? Are they sensitive or less sensitive?
What are the consequences for you? Is it to your advantage, disadvantage or does it not matter?
What can we do to best protect your personal data? Consider anonymising, masking or encrypting your personal data.
Our group and your personal data
We may share your personal data within our group for certain purposes. This may be for internal administrative purposes such as optimising data quality and to improve our service to you, as required by law. Or to better and more efficiently comply with the law or to fulfil our duty of care. We give some examples:
We aim to provide you as a customer with added value in our services if you bank with us for both business and private purposes. If you have a checking account with ABN AMRO, we can also offer you a business loan. We are happy to offer you access to a full range of products and services that best meet your needs and wishes. Only if allowed by law.
Under the banking oath and legal obligations, we always weigh your customer interests in our decisions. For example, if you apply for a loan with us or one of our subsidiaries, it is necessary to know whether you already have a loan, current account or savings with us or one of our group companies and whether you meet your obligations. If you are not meeting your obligations, it is necessary to know what other products you have with us or a subsidiary and whether you can meet these obligations. This allows us to get a more complete picture of your financial situation for your own financial wellbeing and our group’s risk management.
In order, as a group, to better comply with the rules against money laundering and terrorist financing. This may mean, for example, that in case we have detected certain illegal activities on your bank account at ABN AMRO, we share this information with our subsidiaries if you are also a customer there.
Personal data may also need to be shared within our group in fraud investigations. ABN AMRO uses central IT systems that allow sharing of relevant personal data between parent and subsidiary companies only for justified purposes. To this end, we have taken appropriate technical and organisational measures to ensure that the sharing of personal data is secure and shared only for those specific purposes so as to prevent any unlawful use of your personal data. For example, ABN AMRO and its group companies may share personal data in this way in order to respond to regulatory requests adequately and within a specific timeframe, always in compliance with privacy laws and any applicable local laws and regulations.
ABN AMRO Insurance and other insurers
If you have a payment account with us and you want to take out insurance with ABN AMRO Verzekeringen (joint venture ABN AMRO and NN Group), as an intermediary we will share the data you provide with ABN AMRO Verzekeringen in order to be able to take out the insurance and to fulfil our legal obligations. The privacy policy of ABN AMRO Verzekeringen applies if you have taken out insurance with ABN AMRO Verzekeringen. The same applies to other insurers if ABN AMRO acts as intermediary.
Mandatory personal data
Do we need personal data from you to conclude an agreement with you? And do you not want to provide them even though the law states that you must? Or are these personal data necessary for the agreement? Then, unfortunately, we cannot enter into an agreement with you. In the (online) forms you sometimes have to fill in, you can see which personal details are required and we explain how to use specific data.
Do you want us to delete your personal data from our systems? Unfortunately, this is not possible for mandatory or other personal data we need. For example, for the performance of the agreement you have with us. Or because we are obliged to keep your data by law. The bank may also have a legitimate interest to keep your personal data.
Camera images, telephone calls, video banking, chats and chatbots
If you visit a bank branch, we may make camera recordings of you. This is necessary to prevent burglary, theft and vandalism and for the safety of our customers and employees. It is also possible to contact us by phone, video banking and chat, for example for mortgage advice. We may make recordings of these conversations. We do this in order to:
improve our services, for example to support our employees with new techniques, e.g. the automated summarisation and recording of telephone calls from our customer service,
coach and assess employees,
comply with a legal obligation,
provide evidence, or
prevent fraud.
Recording falls under the same rules as other personal data. You can exercise your rights such as the right to access.
There are situations when we need to give your personal data to persons and bodies involved in our services. You can read below who these are. Do you transfer money to another bank? Then, of course, your personal data will also end up there. There is no other way.
Our service providers
We work together with other companies that help us with our services, such as companies that develop internet tools and web applications. This means that these companies only process personal data on behalf of ABN AMRO.
Sometimes service providers process personal data for their own purposes but only if permitted by law with sufficient privacy safeguards. An example is the company that handles the IBAN Name Check.
For the use and creation of an iDEAL profile, we work together with Currence. This is the owner of iDEAL. When you create an iDEAL profile, ABN AMRO will share your selected IBAN numbers masked with Currence to be saved in your iDEAL profile that will make it easier to select this account when making an iDEAL payment. Furthermore, ABN AMRO will share a unique identification number with Currence so that we can link the iDEAL profile to your bank profile and recognise it in subsequent transactions and/or authorisation requests. This unique identification number is different from your contract number and IBAN number. Currence’s own privacy statement applies if you have created an iDEAL profile.
Sometimes we engage other parties who also provide services, such as lawyers, accountants or bailiffs. These parties are always responsible themselves for the use of personal data.
Intermediaries
We also work with intermediaries. So it may be that you have a mortgage with us, but that you took it out through an intermediary. Or you may have taken out an ABN AMRO Insurance policy via a sub intermediary, such as Independer. This (sub)broker processes your personal data and is responsible for its use. Check the website of the (sub)broker to read how it handles personal data.
Competent (public) bodies
Our regulators, the tax authorities, the public prosecutor, and other (government) bodies (national and international) may request personal data from you. The law states when we must give it. Employees in the financial sector are bound by the Banking Disciplinary Act. In the context of a disciplinary case, personal data may be provided to the Banking Disciplinary Law Foundation.
Providers of financial services
Do you want us to give your data to other providers of financial services? For example, to a company offering a particular financial service through an app? This is possible if you give your permission first. We are then obliged to provide your personal data to these third parties. We are not responsible for how these third parties handle your personal data. If you yourself share your data with others, for example by using payment methods of other parties, we are not responsible for the use of your personal data by the recipients. In that case, the third parties’ privacy policy applies.
Potential buyers or investors
We may also transfer personal data to other parties when we consider transferring our legal position towards you to a potential buyer or investor. We do this, for example, if we want to sell your loan, enabling the other parties to make decisions about and for the transfer. Or if we are selling a business unit of ABN AMRO and this allows other parties to make decisions about the acquisition. This is a legitimate interest of ABN AMRO Bank and enables the acquiring party to fulfil its legal obligations, for example. Once this party becomes your contracting party as a result of this sale or acquisition, for example, this party will be the new data controller for the personal data it processes about you. Do you have any questions about how this party handles your personal data? If so, please contact this party. We may still need to retain data from you. For example, to comply with legal obligations, or for research or statistics.
Business partners
Sometimes we work together with other parties, for example in the context of offering additional services such as solutions for sustainable real estate, cyber security and to enable mobile payments. We always check first whether sharing data with business partners is permitted. Sometimes we are jointly responsible with a business partner for the use of personal data (joint controllers). We make agreements with these parties about who fulfils which role, and how we jointly safeguard your privacy rights.
Other banks or entities involved in payment transactions
We only provide necessary personal data to other banks or parties in the payment chain involved in payment processing. Several parties are involved in the payment chain, such as the supplier of ATMs who may offer additional services to shops or a payment platform of an online shop. These parties are themselves responsible for the use of your personal data.
Investing
Do you invest through us? Then we also provide your data to parties involved in the execution of investments.
If you are a customer with us, we will send you product messages and service messages. You will always receive these messages. We also like to send you marketing messages such as relevant tips and offers. Don’t want these (any more)? If so, you can simply unsubscribe from every tip or offer you receive via an unsubscribe link.
Product and service messages
If you are a customer of the bank, you will receive messages about the product or service you have purchased. We will send you information so that we can keep you informed about, for example, new product conditions or an interest rate change.
You will also receive service messages from us about, for example, a new functionality in the ABN AMRO app, secure banking, malfunctions and we will send you notifications if, for example, a credit no longer suits your situation (update) as part of Customer Interest Central. This is required by law and is in line with what is expected of us by regulators. You will always receive product messages and service messages from the bank and you cannot turn them off.
Tips and offers
We like to think with you. This also means that we want to be relevant to you. You indicate whether we can, for example, send you personalised tips and offers based on your individual payment data. We only do this with your consent. In order to send you tips and offers, we may use various sources:
The personal data we have received from you as part of the agreement such as your contact details, your age, your loan or mortgage details and personal data you have shared with us, e.g. your personal interests.
When you visit our websites or our apps, we investigate how you use them. We do this through your IP address, for example. We can then provide you with personally relevant offers. You must then have consented to the use of cookies and similar techniques such as JavaScript. The use of social media partly depends on your privacy settings on the various social media sites.
Aggregated transaction data such as total account balance to offer, for example, Preferred Banking as an additional service provided by the bank.
Your individual payment details to send you personalised tips and offers only with your consent.
Other (public) information sources such as from external marketing agencies. We will always check beforehand whether the use of a (public) source of information is permitted for the purpose we intend to use it for and whether the source is reliable.
Please note: as a visitor to our website, we may show you personalised banners on the website and in the ABN AMRO app if you have accepted cookies and similar techniques on our website. You can withdraw consent to cookies at any time. For more information see Cookie settings.
Have you not given us permission to place advertising and social media cookies? Then you may still see general advertising or personalised banners on the website or in the ABN AMRO app based on the actual information we have about you such as the products and services you have purchased from us. You can read more about cookies in our Cookie Statement.
For sending product messages, service messages, tips and offers and newsletters, we may use innovative techniques to measure the reach of messages sent.
If we send you messages about products or services from a party other than the bank, for example our business partners, we will only do so with your prior consent.
Social media
We engage with customers and visitors to our websites about our organisation, products and/or services through our own communication channels, such as our chatbot and social media channels. We do this to provide useful and relevant information and/or answer questions. We use the social media channels WhatsApp, Facebook, LinkedIn, X, Snapchat, TikTok and Pinterest. In addition, we answer individual, relevant questions and comments from other participants. We also use social media channels for marketing purposes. For more information on the use of cookies, similar techniques and your settings, please see our Cookie Statement.
We are constantly looking for more efficient, safe and reliable technologies that support us to offer our products and services to you or to better comply with the law, or with what our regulators expect from us. When we want to use new technology such as artificial intelligence, we always first test whether the use is necessary to work better and more efficiently and whether the use complies with the law, is ethically and socially responsible and reliable. For example, we use ABN AMRO GPT - a secure and proprietary internal version of Chat GPT - for summarising customer conversations, among other things. Chatbot Anna also uses its own internal version of Chat GPT.
ABN AMRO and profiling
Profiling
In certain cases, the bank may use profiling. Sometimes it is necessary before we can enter into an agreement with you, because we have to comply with the law or because we want to represent your interests or the interests of someone else. Below you will see examples of profiling.
Fraud prevention
We have extensive knowledge and experience in fraud prevention. Unfortunately, we face increasingly sophisticated forms of fraud. We can take measures to prevent fraud as best we can, including the use of profiling. For security reasons, we cannot go into detail about the measures to be taken.
Unusual transactions
As a bank, we have to comply with the Wwft. This is the Money Laundering and Terrorist Financing (Prevention) Act. Therefore, we pay special attention to unusual transactions and those that by their ‘nature’ carry a higher risk of money laundering. For example, we look for transactions that deviate from your normal transaction pattern or transactions that have characteristics of money laundering or terrorist financing. If we suspect that a transaction is unusual within the meaning of the law, we must report it to the authorities. This investigation and possible reporting do not take place in a fully automated way. There is human intervention: specialised bank employees are closely involved. Again, we do not go into detail about how transactions are looked at. Criminals could take advantage of this.
Duty of care, Customer centricity and bank risk management
To prevent overcrediting among customers and intervene more quickly when customers are in danger of getting into payment difficulties, we can use profiling. We then first make a list of the most common characteristics of customers who have encountered financial difficulties. These characteristics make up the profile. Then we look to see if there are customers who fit this profile. The regulator on duty of care and Customer Interest Central expects banks to continuously and actively monitor the financial situation of their customers to identify and prevent (potential) payment problems. We always check the use of your data against the requirements of privacy legislation.
Customer and product acceptance
How do we use profiling when you want to take out a product and during the term of your product? We explain this using an example. Suppose you have a credit with us:
To properly assess the risks for you and us, we make a risk analysis. We can do this when you want to take out a credit with us and during the term of your credit. We know from experience that certain characteristics are an indication of whether you can easily repay a credit. For example, whether you have a job or debts. We assess these characteristics in the risk analysis.
Customers who can normally repay a credit share some characteristics. And so do customers who cannot or run into problems during the term of the credit. Based on your characteristics, we create a risk profile.
We compare your data with our existing profiles. Then we estimate the risk of whether you can repay the credit. We use further information besides the outcome of the risk analysis to assess whether we can grant you a credit.
Financial Health
We use profiling to support customers aged 18 and above in their financial wellbeing. For example, based on actual product data, such as a rejection for a personal loan and total account balance over a number of months, we can help customers understand more about financial wellbeing. We encourage the use of Insights functionality in the ABN AMRO app, offer a savings coach or budget coach to customers, give lectures at (high) schools and provide tips on the website.
Marketing
We also use profiling for the purpose of our customer service. For example, we use customer segmentation so that we can inform you of relevant products and services from the bank. For example, we make a customer selection based on a customer group that has taken out a mortgage. We inform this group of customers, for example, about making their house more sustainable and the options for taking out a loan for renovation. We can also select a customer group based on aggregated data such as total account balance over a number of months.
When we send you tips and offers, we try to find out where your interests lie based on a number of characteristics. For example, we will look at an age category and whether you already have other products with us. We will always first check whether you have objected to the use of personal data for marketing purposes and/or registered a right to object to receiving tips and offers.
We may go further to be even more relevant to you and meet your needs even better, if you give your prior consent. Think about offering specific products from our partners in the context of sustainable business or receiving specific energy saving tips based on your individual transaction data. You can withdraw your consent at any time.
Of course, we test the use of personal data against the privacy rules. You can always object to profiling for direct marketing purposes. If you do not have an agreement with us, we will check whether direct marketing is permitted in certain situations.
Automated decision-making
We may use automated decision-making when we enter into an agreement with you, e.g. to close a savings account online.
We may use automated decision-making without human intervention. This is permitted by law. These may include decisions that lead to not carrying out transactions because they may be fraudulent, for example in iDEAL transactions. These decisions can be made on the basis of a fully automated process without human intervention.
If we apply automated decision-making that has legal consequences for you or affects you significantly, we will clearly indicate this in advance. We will let you know what rights you have, for example the right of receiving an explanation of the automated decision, the right to let us know your point of view, the right to challenge this decision and the right to human intervention. Sometimes you will find more detailed information about the use of your personal information on our websites when you apply for a product or service. Suppose you want to apply for the Rood Staan (overdraft) product, you will find more information about the use of personal information on the page where you can digitally apply for the Rood Staan product.
We do our utmost to protect your personal data as much as possible:
We invest in our systems, procedures and people on an ongoing basis.
We ensure that our ways of working are appropriate to the sensitivity of your personal data.
We train our people to handle your personal data securely.
Precisely because of your security, we cannot go into detail about the exact measures we take. Examples of security measures you may have encountered:
Securing our online services.
Establishing who you are in two steps (authentication).
Control questions when you call us.
Requirements for how confidential documents are sent.
Extra secure messages in the ABN AMRO app and Internet Banking for confidential information.
Security is something we also want to work on together with you. For instance, have you experienced security leaks? You can report this confidentially to us via the secure banking page on our website.
The bank’s warning system
Imagine: you are involved in the damage or loss of our property, there is a suspicion of fraud or the government or police are investigating you. There may also be certain outcomes of Customer Due Diligence (CDD) checks under the Wft and Wwft or you do not comply with agreements with the bank.
These are examples of occurrences that require the bank’s special attention. The bank must be able to record and store these so that it can take appropriate action or follow-up steps. The bank has a legitimate interest to do this.
Such occurrences are called “events”. They are recorded in a special internal administration of the bank, generally called “Event Administration”, which can only be accessed by authorised employees.
The Internal Reference Register (IVR)
Linked to the Events Administration is an Internal Referral Register (IVR). This ensures that if we feel that a customer’s involvement in an event is serious enough, we can alert our relevant departments. This also applies to our group companies. This alert only has internal effect (within our organisation). Whether an event can be shared within our organisation via the IVR is tested against the AVG rules. Among other things, we explicitly inform the customer about the reasons for inclusion, the consequences of the inclusion for the customer and his or her relationship with us and with our group companies. We also inform the customer about the duration of the recording and the customer’s rights, e.g. the right to object.
The CAAML list
We also record when we have ended the contractual relationship if it follows from the Wwft. For example, when you have not adequately informed us where your money comes from, or you are involved in money laundering or terrorist financing. In these cases, we may include your data in what we call the CAAML list. This registration, like the IVR, only has internal effect. The purpose of this registration is that we, as a group, can remember that we have had to say goodbye to you because we cannot (anymore) comply with our Wwft obligations. We also have a legitimate interest for this. If you are included in the CAAML list, you will also be explicitly informed about this. In this communication, we will inform you, among other things, of the reasons for inclusion and what consequences this has for your relationship with the bank and its subsidiaries. You will then be informed about the duration of the inclusion and your customer rights, e.g. the right to object.
The External Reference Register (EVR)
In addition, financial institutions in the Netherlands, including ABN AMRO, have developed an alert system that, unlike the Event Administration, the IVR and the CAAML list, has external effect.
It allows them to check whether someone:
ever defrauded,
attempted to commit fraud,
or otherwise poses a threat to the security of the banking sector.
You can read more about this warning system and how it works on the NVB website. The rules governing how banks, and therefore also ABN AMRO, can use the external warning system have been approved by the Personal Data Authority. You can also read these rules on the site of the NVB. If you are included on this external alert system, according to these rules you will be informed about the registration and how you can exercise your (privacy) rights.
If you want to become a customer with us or you want to purchase a new product from us or one of our group companies, we test for these registers. Only those dealing with customer and product acceptance are allowed to test against these lists. These employees only receive a signal if you are registered. Only a limited number of authorised staff can see details about the reasons for inclusion on the lists. It is always considered on the basis of this information whether the bank can accept you or grant the product and if so - under what conditions.
Do we also share your personal data outside Europe?
Your personal data are also processed outside Europe. Additional rules apply to this. This is because not all countries have the same strict privacy rules as in Europe.
Sharing personal data within our group
We may share your personal data outside Europe within our group. We do this on the basis of our internal policies, the Binding Corporate Rules (BCRs). These are published on our website and are periodically amended as required by laws and regulations. European regulators approve a version before it is published on our website.
Sharing personal data with other service providers
Sometimes we give your personal data to other companies or entities outside Europe. For example, as part of an outsourcing agreement. We then ensure that we have concluded a separate agreement with those parties that complies with European standards, such as the EU Standard Contractual Clauses, and additional requirements. In addition, we assess on a case-by-case basis whether it is necessary to implement organisational and technical (such as encryption) security measures so that your personal data are adequately protected.
International payments and international investing
You may be affected by our international financial services. For example, when you transfer money abroad or when you have investments abroad through us. In that case, foreign parties may request your personal data from us, such as local regulators, banks, governments and investigation authorities. They do this, for example, to conduct investigations. Incidentally, additional rules apply to the use of personal data if you purchase investment products from us. Read the provisions in article 11.3 of the Investment Conditions for this.
We keep personal data in any case as long as necessary to achieve the purpose.
The General Data Protection Regulation (AVG) and Implementing Act (Uavg) do not have specific retention periods for personal data. Other laws may, however, contain minimum retention periods that we must comply with. Consider, for example, the general administration obligation for companies (as stated in the Civil Code), tax legislation or legislation that applies specifically to financial companies (Financial Supervision Act).
How long we keep personal data varies. This can vary from months to years. In many cases it is 7 years after the end of your relationship with ABN AMRO. We keep personal information from a prospect for a maximum of 1 year. After the end of the retention periods, the personal data is deleted or anonymised. There are reasons to keep certain personal data longer. This applies, for example, to our risk management, model development and review, for security reasons or because of claims, investigations or lawsuits.
If personal data is kept longer, we take measures to ensure that it is only used for the purposes for which a longer retention period is necessary.
What rights do you have when it comes to your personal data? And what do these rights entail?
Right of objection
If we use your personal data on the basis of a “legitimate interest”, you have the right to object. You may not want us to use your personal data for profiling. Yet sometimes we may do so even if you object. For example, to fight fraud, manage risks or investigate unusual transactions. Of course, we comply with the law in doing so.
However, you can always object to the creation of a personalised customer profile for direct marketing purposes. You can do this via your cookie settings and privacy preferences in Internet Banking or via the ABN AMRO app.
Right of objection for marketing
Do you no longer wish to receive offers for our products and services? Then you can unsubscribe from this at any time. You can also do this with every marketing message. You can easily exercise this right.
Are you not a customer (anymore) of the bank and do you want to use the right to object to marketing? Then you can submit a request via the Customer rights page on our website. If you are a Florius customer, please use the contact details below.
Access, rectification, erasure, restriction
You have the right to request an overview of all the personal data we use about you.
Are your personal data incorrect? If so, you can ask us to change your personal data.
You can always ask us to delete your personal data. However, we cannot always do this and we do not always have to. For example, if the law requires us to keep your personal data for longer.
You can also ask us to temporarily restrict the processing of your personal data. You can do this in the following cases:
You think your personal data is incorrect.
We are using your personal data incorrectly.
We no longer need your personal data, but you still need it (e.g. after the retention period) for the establishment, exercise or substantiation of a legal claim.
When you object.
Right to data portability (right to transferability of personal data)
Would you like to have the personal data you have given to us that we automatically store? You can, but only if we process your personal data on the basis of your consent or on the basis of the agreement we have concluded with you. This is called ‘data portability’.
Pay attention to the security of your personal data
Check what the party you want to give your personal data to will use it for. For example, read the privacy statement on that party’s website.
Do you want to receive your personal data? Then make sure your own equipment is secure enough and has not been or cannot be hacked, for example. Your financial data could be very interesting to criminals.
Exercising customer rights
Are you an ABN AMRO customer?
Do you have a current account or credit card through ABN AMRO Bank NV and want to exercise your customer rights? Then submit a request to us via the Customer Rights page on our website.
Are you a customer of Florius?
Have you taken out a mortgage with Florius, trading name of ABN AMRO Hypotheken B.V. and want to exercise your customer rights? Please contact us via 033 - 752 50 00 or mail service@florius.nl.
Please note that even if you are not a customer but, for example, a prospect, surviving relative or UBO, you can also exercise your rights.
Do you have a complaint, question or is something unclear?
If you have a complaint about the use of your personal data, please follow ABN AMRO’s complaints procedure through the appropriate steps. We will be happy to help you. ABN AMRO follows the escalation ladder from the Autoriteit Persoonsgegevens to handle complaints as an organisation.
More information on ABN AMRO’s complaints procedure can be found here. Do you prefer telephone contact? You can call on 0900 - 00 24 (usual call charges) or from abroad on +31 10 241 17 20. You can also use chat to submit your question and/or complaint.
Are you not satisfied, and has your complaint already been dealt with via ABN AMRO’s Complaint Management? Then it is possible to contact the Data Protection Officer at privacy.office@nl.abnamro.com. You also have the right to file a complaint with the Autoriteit Persoonsgegevens.
Do you have specific questions about this privacy statement? If so, you can also contact the Data Protection Officer.
Read it at another time?
You can save our privacy statement on your phone, tablet or computer and send it as a pdf file to your e-mail address.
Changing the privacy statement
If changes occur in the law or in our services and products, they may affect the way we use your personal data. In that case, the privacy statement will be amended and we will inform you accordingly. We will mention this on our websites and in the ABN AMRO app.
Binding Corporate Rules for ABN AMRO Bank N.V.
Please refer to the two versions of our Binding Corporate Rules (BCRs) below. The first version from 2012 is approved by the authorized data protection authorities in accordance with the then applicable data protection legislation.
The second version is an update with additions in accordance with the new General Data Protection Regulation (GDPR). ABN AMRO provided the second version as update to the Dutch data protection authority (Autoriteit Persoonsgegevens) at the moment the GDPR entered into force.
We may share your personal data outside Europe with other group companies. Our sharing of personal data is governed by our global internal policy.
These have been approved by the Dutch Data Protection Authority (Dutch DPA).