Achmea Bank respects your privacy. This means that we comply with privacy legislation and make every effort to protect your personal data. We think that you should know how we handle your personal data. But it is also important that you know your rights, so you can rest confident that, with us, your data are in good hands. This privacy statement, which describes how Achmea Bank handles your personal data, is applicable to all the data that we process.
About Achmea Bank
Achmea Bank N.V., with its registered offices in The Hague, and listed in the trade register of the Chamber of Commerce under number 27154399, trades under the following brand names:
- Centraal Beheer (savings, mortgages, PSD2 and trading services)
- Woonfonds (mortgage products)
- Financieringen (mortgage products)
Sometimes, at your own initiative, you will be referred via Achmea Bank to one of our partners, a social media channel or to another provider. These parties bear responsibility for the processing of personal data and will inform you about this. This privacy statement expressly does not apply to them.
Achmea B.V. is responsible for the proper processing of your personal data by all Achmea brands.
Which data do we use
Are you requesting a quote, taking out a mortgage or savings product, visiting our website, subscribing to a newsletter or contacting us via other means? Then we need your details. These details often reveal information about you or they can be linked to you as a person in a variety of ways. We usually request your name, address, e-mail address, telephone number and date of birth. We sometimes request additional data, such as financial details and information about collateral in case you are taking out a mortgage. We might also request proof of your identity, for example iDIN or personal identification via AMP, or your bank account number for the automatic debiting of your interest. The data we require depends on the product in question.
Generally, you will provide us with your data yourself. Consider, for example, purchasing a banking product or subscribing to a newsletter or other marketing message. We sometimes receive your data via a different channel. If you engage an independent advisor, we might receive your data from this person. We can request your information from the [Dutch] Bureau of Credit Registration (Stichting Bureau Krediet Registratie, BKR), for example. But we can also request data on you from the Netherlands’ Cadastre, Land Registry and Mapping Agency (Kadaster) or the Chamber of Commerce (KvK). (Semi-)public sources, such as credit agencies, public registers, newspapers, the internet or social media, also provide us with your data. At times, we purchase information from companies that you have authorised to collect and sell your data.
We can process the following categories of personal data from you.
Categories of personal data
Username, user-id and avatar
Camera and image recordings, recorded chat and telephone conversations
Profession, function, employer and business location
Address, e-mail address and telephone number
Due Diligence data
Sanction list, IVR and EVR review
Bank account number, transactions, income, balance data, financial capital, loan details, payment arrears and debts
Data about devices, operating systems, online behavior and preferences
IP address, MAC address, operating system, device type, version and/or brand and cookie settings
(Personal) Identification Information
Name, address, place of residence, zip code, date of birth, place of birth, BSN/TIN, customer number and nationality
Relationship status, marital status and family composition
Address collateral, purchase and contract price, market value
Education and level of education enjoyed
Sensitive personal data
Criminal convictions and offenses
We only process personal data on minors (persons under the age of 16) in our systems if they themselves are using a product or service or if their parent or guardian provides us with information about them in relation to a product or service being purchased. We always ask for written permission from the parent, guardian or legal representative to process data on minors.
In principle, our products and services are not intended for minors. For this reason, the website and app do not intend to collect data from website or app visitors who are minors. We are not able to verify whether a visitor is over the age of 16 or has received permission from his or her parent or guardian. Therefore, we advise parents to be involved in their children's online activities to prevent their data from being collected without their permission.
Read our cookies statement to learn about what cookies are and how we use them. Cookies ensure that the information on our website can be found quickly and easily, and they enable us to show or send you information, offers and advertisements that may suit you. Cookies may even be necessary for the security of our website. They also help us keep track of your visit to our website and any app. We may also process personal data.
Do you receive e-mail messages from us? Then we can register your click behavior in our e-mails. For example, to see whether an e-mail has been opened and which links and articles you have clicked on. This allows us to make our e-mail messages more relevant to you.
What is our basis for processing your data?
We only process your data when we have a legitimate basis for doing so:
- to execute an agreement;
- to comply with statutory obligations;
- if you have given your consent (this can be withdrawn at any time);
- to represent our legitimate interests. This only happens when, upon consideration, we find that our interests outweigh your privacy interests.
We need to process your personal data when we are obliged to do so on the basis of a law or for entering into an agreement. For example, for a customer survey or concluding a product agreement. Unfortunately, we cannot enter into and execute an agreement without this information.
What do we use your data for?
We may use your data when permitted by law and regulations. For example, we may use your data to:
· maintain contact with you and to be able to answer your questions.
· record when and how we have contact with you.
· offer you a product or service.
· conclude a product or service with you.
· enter into and execute an agreement with you.
· identify your Achmea products or services, needs and preferences.
· tailor our products and services to better suit your needs.
· develop and/or improve products and services.
· manage, develop and test IT systems.
· make you a personal offer at the right time.
· track your visit to our website and any app.
· provide account information services and payment initiation services for you (PSD2).
· carry out financial and balance sheet transactions.
· assess our (financial) risks.
· limit your payment arrears.
· ensure the security of our customers, ourselves and the financial sector, to mitigate risks and to detect and prevent fraud. For this purpose, we conduct a customer due diligence before and during the customer relationship and we monitor your transactions. For this purpose we use data provided by you or that we consult from external sources. In doing so, we may use analyses, risk parameters, risk profiles or other indicators. For this we also use Achmea Bank’s event administration, the incident register and/or the External Reference Register (Externe Verwijzingsregister, EVR) in the context of the PIFI protocol.
· comply with our gatekeeper function and counter money laundering and terrorist financing.
· be able to handle complaints and disputes.
· settle a bank product or service after the death of a customer.
· enter into and perform agreements with suppliers and other parties with whom we work.
· provide data to the government (we are sometimes obliged to do so).
· be able to carry out audits and investigations (or have them carried out).
· conduct market, scientific, statistical, historical research and archiving.
· execute business processes, perform internal management of (financial) risks for the bank and to draft management reports.
· be able to train, coach and develop our employees.
· determine the general strategy and policy.
· process your applications.
· abide by the law or regulations.
The complete list can be found in the privacy statement of Achmea.
When do we record our contact with you?
We record the agreements we have made with you. We also use these contact moments to improve our communication. We record the following contact moments:
· letters and e-mail messages that we send or that we receive from you.
· telephone calls, e-mail messages and chat messages.
· your visiting behaviour on our websites.
· when you log into the client portal or use the mortgage check module.
· your activity (what you do and look at) in our apps.
· our contact with you via social media, such as Facebook, Twitter and WhatsApp.
Who provides us with your data and who do we share it with?
Usually you provide us with your data yourself. Sometimes we receive your data in a different way. We might pass on your data, but we also might verify your data with other companies. It depends on which product you purchase. We do not sell your data. We can exchange data with:
· other Achmea parts and brands.
· other financial institutions with which we have entered into a financial or balance sheet transaction or in the context of combating fraud, terrorism or money laundering.
· our suppliers and business partners, such as:
o Quion and Stater for the processing of the mortgage administration.
o Topicus for the processing of the savings and trading administration.
o Equens for the processing of payment transactions.
o iDIN (Currence Holding BV) for the identification and verification of (new) customers.
o SurePay B.V., for the ascription of (contra) accounts.
o Calcasa for valuation of securities.
o DM Interface - Impress B.V., Koninklijke Kampert en Helm Rotaform B.V. and PostNL for printing and sending mail.
· external registers, such as:
o Bureau of Credit Registration (BKR), for your BKR/credit score and the joint fraud prevention system called the External Reference Register (Externe Verwijzingsregister, EVR) for identifying and communicating fraudsters with other Dutch financial institutions.
o Verwijzingsportaal Bankgegevens, for the automated provision of data requested by investigative authorities and the tax authorities.
o Verification Identification System for checking the validity of an identity document.
o Foundation for Mortgage Fraud Prevention (Stichting Fraudebestrijding Hypotheken, SFH).
o National Mortgage Guarantee Scheme (Nederlandse Hypotheek Garantie, NHG).
o The Property Valuation Register (WOZ-Register, Dutch Ministry of Finance).
o the Netherlands’ Cadastre, Land Registry and Mapping Agency (Kadaster).
o the Dutch Banking Association (Nederlandse Vereniging van Banken, NVB).
o Kamer van Koophandel for the general register and UBO register.
o CreditNavigator for identifying payment arrears.
o GGN and EDR for debt collection services.
o the Dutch Tax Authority and onward delivery to foreign tax authorities.
In some cases we are obliged to share your data with foreign tax authorities. We are obliged to do this under the International Tax Assistance Act (WIB) or the Foreign Account Tax Compliance Act (FATCA). If that is the case, your account details will be sent to the Dutch tax authorities, which will then forward them to the foreign tax authorities. More information about the WIB or FATCA.
o the Dutch National Bank (De Nederlandsche Bank, DNB).
o the European Central Bank (ECB).
o the Netherlands Authority for Consumers and Markets (Autoriteit Consument en Markt, ACM).
o the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).
· complaint bodies, lawyers and judicial authorities, in case of a dispute, such as:
o Bank Disciplinary Law Foundation (Stichting Tuchtrecht Banken).
· our accountant(s) and auditors.
· Central Bureau of Statistics (Centraal Bureau voor de Statistiek, CBS) for statistical analysis and work.
· Central Information System Foundation (Stichting Centraal Informatiesysteem, CIS), for the PEP and sanction list control.
· public sources, such as public registers, newspapers, the internet and (public) social media.
· other parties for which you have given permission.
When you transfer money from an Achmea Bank product to a different (checking) account with another financial institution, your data will also end up at this financial institution.
Where do we process your data?
We store your data in various databases, which are typically hosted on servers but may also be cloud based. This means that we store and process your data in an online location. In certain situations, we might also share your data with the aforementioned parties.
Strict security measures are in place for these databases. For example, we only contract with reliable service providers, encrypt our data as much as possible and, in principle, only store your data in databases located in the European Economic Area (EEA) or only share it with parties in the EEA. Because the same privacy rules apply throughout the EEA as in the Netherlands, we can ensure that your privacy is well protected.
In exceptional circumstances, it may be necessary to store or share your data outside the EEA. In which case, we will do so very carefully. We will review this in advance with our data processor(s) and ensure that the appropriate agreements are in place to protect your privacy. For example, agreeing standard provisions drafted by the European Commission (Standard Contractual Clauses) and carrying out a Data Transfer Impact Assessment.
Many social media providers are based outside the EEA, so data stored with them may not receive the same level of protection as it would within the EEA. We recommend that you read the privacy statement of any social media channel carefully if you are redirected to it from our website (e.g. after clicking a social media button). Achmea Bank has no control over how these messaging services secure and use your personal data. We are not responsible for the content that social media providers post or how they handle personal data.
How do we ensure that your data is safe with us?
Our website, app and IT systems are highly secure. We also make clear agreements about this.
We always take appropriate technical and organisational (security) measures to prevent the loss or unlawful processing of your data. We monitor the security of our data traffic and have an information security policy. We also always take into account your privacy and the security of your data when developing new services and processes. As an example, your data is only accessible to those employees who require it, and our employees have been clearly instructed on how to handle your data.
Found a vulnerability in our services? You can submit a report via the website Responsible Disclosure of Achmea. We appreciate it if you let us know, so that we can take measures. This way, we can work together to improve the security of our data and systems.
We handle sensitive data with extra caution
By sensitive data, we mean:
· Your Citizen Service Number (BSN)
o If you decide to become a customer with us, we are legally obliged to verify your identity. That is why we ask you to provide a copy of your proof of identity. Your BSN is stated on your proof of identity.
o We are also legally obliged to annually provide information about your financial product to the tax authorities. We must use your BSN for this, so that the authority is able to use your information in an effective and correct manner during the implementation and supervision process.
o For products that fall under the Deposit Guarantee Scheme, we are obliged to communicate your BSN to the National Bank of The Netherlands (De Nederlandsche Bank).
o If you have a Dutch IBAN account with us, we are obliged to pass on your details in the context of the Banking Reference Portal in certain situations. We may use your BSN.
· Your credit check information
o We are also legally obliged to check your creditworthiness when you are applying for a loan.
· Your health data
o We are required to ask you for an independent medical certificate, for example, in order to execute a living will. This is health data.
· Data gathered from criminal law
o If we need to determine the risk for a financial product, we may ask whether you have a criminal history. If you were suspected and/or convicted of a crime more than eight years ago, you do not have to report this.
How long do we store your data?
We do not store your data any longer than is necessary or required by law. We have a retention policy for this. This specifies how long we keep data. In most cases this is a minimum of 7 years after the end of the agreement or your relationship with Achmea Bank.
We will then delete your data or pseudonymise your data. If we pseudonymise your data, we will delete all data that refers to you. The data is then used to give us a better picture of our risks, products and services.
In specific situations, we may keep data for longer than the retention period prescribed by us. For example, if you have filed a complaint that makes it necessary to keep the underlying data for longer or for legal proceedings. But also for historical or scientific research or statistical purposes.
Automated decision making
Are you taking out a product with us? In that case we are obliged by law and regulations to screen you for the purpose of combating fraud and preventing money laundering and financing of terrorism. We do this based on data we have received from you and from external (public) sources. In addition, we check whether your data is correct. We also test your application against a number of fraud and risk indicators and we make a risk assessment. Profiling is part of this, because a risk profile must be linked to you based on law and regulation. For security reasons, we are unable to provide further details on how we do this.
If you have a mortgage with us, we are obliged to make an accurate and current estimate of your credit risk, in other words an estimate that a mortgage is suitable for you and that you can (re)pay a mortgage. We do this based on data we have received from you and from external (public) sources. Based on this information, we try to estimate the risks and to assess whether we can offer you a mortgage.
For the financial assessment of you as a customer we use (risk) models, which automatically make a risk estimate based on various data, including your personal data, and assign you a credit score. We can use profiling methods for this. The credit score is only an indication. The final assessment and decision is always made by an authorized employee so that there is always personal involvement in making a sensible, fair and unbiased decision.
If it appears on the basis of this assessment that you run a higher risk, we may decide not to provide you with a mortgage.
If you do not agree with the decision taken, you can always inquire about the reasons and ask us to have an employee make a new decision.
External Reference Index (EVR)
We process your personal data to protect the interests of Achmea Bank, employees, customers and other Dutch financial institutions. These institutions may record persons in the Incidents Register that has led or may lead to prejudicing financial institutions. An External Reference Index is linked to this Incidents Register. This External Reference Index only contains referral data (e.g. a name and date of birth or Chamber of Commerce number) to the Incidents Register that may be included under strict conditions in accordance with the Financial Institutions Incident Warning System Protocol (PIFI). Every financial institution that is affiliated to one of the participating industry associations has access to (part of) the External Reference Index.
Achmea Bank has received a license from the Autoriteit Persoonsgegevens for processing of criminal personal data in the context of PIFI.
The GDPR counter
- request your personal data from us
  - So you are able to check your personal data.
- have your personal data changed if it is inaccurate
  - So you are able to ask us to change or supplement your personal data if it is incorrect or incomplete.
- have your personal data deleted
  - Often, we are unable to delete your personal data because we still require it or in order for us to abide by a law, for example.
- object to certain usage of your personal data
  - If, for example, you no longer wish to receive e-mail offers from us. Our e-mails contain a link you can use to unsubscribe. You may also telephone us, should you wish. In other instances, you will need to clearly indicate why you are lodging an objection in order for us to properly assess it.
  - If you do not want us to pass on your details to SurePay for name-number verification. We do this so that you can check whether you have entered the correct account number when transferring to your savings account.
  - In other cases, you need to be clear why you object so that we can assess this.
- withdraw your permission or unsubscribe from personalized offers
  - If you gave us permission to use your personal data, you may withdraw this at a later date. From that moment on, we will no longer use your personal data.
  - Should you no longer wish to receive our newsletter, use the link found at the bottom to unsubscribe. After this, you will no longer receive our newsletter. If you are not a customer of ours, we will delete your data.
- transfer your personal data
  - If you have provided us with personal data, either by consenting to this or on the basis of our agreement, you can transfer personal data to another party or to yourself.
- temporarily restrict the use of your personal data
  - If, for example, you have objected to the use of your personal data.
Please note that we cannot always cooperate with your request. If we cannot, or if we need more information to fulfill your request, we will contact you.
Please let us know when you wish to exercise your rights
To exercise your rights, please send an e-mail to: firstname.lastname@example.org
You can also post a letter to:
7300 HZ Apeldoorn
Please send an email or letter. To ensure we use the data of the right person and to prevent misuse, we have to verify the identity of the person who wants to make use of his or her rights. We can do this with customer or policy number, name, address, date of birth and/or place of birth. In some cases, for example when the identity cannot be established from the information we have or your request concerns highly sensitive data, we may ask for a copy of your passport or identity card. Please ensure that your passport photo, citizen service number (BSN) and the number series at the bottom of your passport or ID card are not decipherable. You can use the Dutch national government’s KopieID app to obscure your sensitive information.
We will respond within one month of receiving your letter or e-mail. In some cases we may ask you to further specify your request or we may extend our response time to a maximum of three months.
You can also view or change much of your data through your personal environment.
Do you have a question, tip or complaint?
If so, send an e-mail to Achmea’s Data Protection Officer at: email@example.com
You can also post a letter to:
Compliance & Operational Risk Management
T.a.v. Privacy Manager
3700 AW Zeist
If we are unable to find a solution together and your complaint concerns personal data, please submit your complaint to the Dutch Data Protection Authority.
Privacy rules and regulations
We comply with the prevailing laws and regulations on privacy. These include:
- The General Data Protection Regulation (GDPR).
- The GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG).
- The Telecommunications Act.
- The Incident Alert System Protocol for Financial Institutions (Protocol Incidentenwaarschuwingssysteem Financiële Instellingen).
- The Code of Conduct for the Processing of Personal Data by Financial Institutions (Gedragscode Verwerking Persoonsgegevens Financiële Instellingen).
- The Personal Investigation Code of Conduct (Gedragscode Persoonlijk Onderzoek).
This privacy statement is subject to change
We are constantly on the lookout for better services, which we try to tailor as much as possible to meet your personal needs. This sometimes requires new or modified data processing protocols. This may also prove necessary if we develop new products or services or if there are any changes to the relevant rules or regulations. In which case, we can and will amend our privacy statement.
The latest version is from the 7th of December 2022. Our website always has the latest privacy statement. We recommend that you consult this privacy statement on a regular basis.
You can also request a written copy by e-mailing: firstname.lastname@example.org