Achmea Bank respects your privacy. This means that we comply with privacy legislation and make every effort to protect your personal data. We think that you should know how we handle your personal data. But it is also important that you know your rights, so you can rest confident that, with us, your data are in good hands. This privacy statement, which describes how Achmea Bank handles your personal data, is applicable to all the data that we process.
About Achmea Bank
Achmea Bank N.V., with its registered offices in The Hague, and listed in the trade register of the Chamber of Commerce under number 27154399, trades under the following brand names:
- Centraal Beheer (savings and mortgage products
- Woonfonds (mortgage products
- Acier Financieringen (mortgage products)
Achmea Bank N.V. is part of Achmea B.V.
Sometimes, at your own initiative, you will be referred via Achmea Bank to one of our partners, a social media channel or to another provider. These parties bear responsibility for the processing of personal data and will inform you about this. This privacy statement expressly does not apply to them.
Achmea B.V. is responsible
Achmea Bank N.V. is part of Achmea B.V. Achmea B.V. is responsible for the proper processing of your personal data by all Achmea brands.
Which data do we use?
Are you requesting a quote, taking out a mortgage
or savings product, visiting our website, subscribing to a newsletter or
contacting us via other means? Then we need your details. These details often
reveal information about you or they can be linked to you as a person in a
variety of ways.
We usually request your name, address, e-mail address, telephone number and date of birth. We sometimes request additional data, such as financial details and information about collateral in case you are taking out a mortgage. We might also request a copy of your proof of identity or your bank account number for the automatic debiting of your interest. The data we require depends on the product in question.
Generally, you will provide us with your data yourself. Consider, for example, purchasing a banking product or subscribing to a newsletter or other marketing message. We sometimes receive your data via a different channel. If you engage an independent advisor, we might receive your data from this person. We can request your information from the [Dutch] Bureau of Credit Registration (Stichting Bureau Krediet Registratie, BKR) for example. But we can also request data on you from the Netherlands’ Cadastre, Land Registry and Mapping Agency (Kadaster) or the Chamber of Commerce (KvK). Public sources, such as credit agencies, public registers, newspapers, the internet or social media also provide us with your data. At times, we purchase information from companies that you have authorised to collect and sell your data.
We can process the following categories of personal data from you.
Categories of personal data
Username, user-id and avatar
Camera and image recordings, recorded chat and telephone conversations
Profession, function, employer and business location
Address, e-maladdress and telephone number
Due Diligence data
Saction list, IVR and EVR review
Bank account number, transactions, income, balance data, financial capital, loan details, payment arrears and debts
Data about devices, operating systems, online behavior and preferences
IP address, MAC address, operating system, device type, version and/or brand and cookie settings
(Personal) Identification Information
Name, address, place of residence, zip code, date of birth, place of birth, BSN/TIN, customer number and nationality
Relationship status, marital status and family composition
Address collateral, purchase and contract price, market value
Education and level of education enjoyed
Sensitive personal data
Criminal convictions and offenses
We only process personal data on minors (persons under the age of 16) in our systems if they themselves are using a product or if their parent or guardian provides us with information about them in relation to a product being purchased. We always ask for written permission from the parent, guardian or legal representative to process data on minors.
In principle, our products and services are not intended for minors. For this reason, the website and app do not intend to collect data from website or app visitors who are minors. We are not able to verify whether a visitor is over the age of 16 or has received permission from his or her parent or guardian. Therefore, we advise parents to be involved in their children's online activities to prevent their data from being collected without their permission.
Read our cookies statement to learn about what cookies are and how we use them. Cookies ensure that the information on our website can be found quickly and easily, and they enable us to show or send you information, offers and advertisements that may suit you. Cookies may even be necessary for the security of our website. They also help us keep track of your visit to our website and any app. Visit the website of one of our brands, such as centraalbeheer.nl or woonfonds.nl, for more information about cookies that are placed via that website or app.
What is our basis for processing your data?
We only process your data when we have a legitimate basis for doing so.
· To execute an agreement;
· To comply with statutory obligations;
· If you have given your consent (this can be withdrawn at any time);
· To represent our legitimate interests This only happens when, upon consideration, we find that our interests outweigh your privacy interests.
We need to process your personal data, when we are obliged on the basis of a law or for entering into an agreement. For example for a customer survey or concluding a product agreement. Unfortunately, we cannot enter into and execute an agreement without this information.
What do we use your data for?
We use your data to:
· maintain contact with you and to be able to answer your questions.
· record when and how we have contact with you.
· offer you a product or service.
· conclude a product or service with you.
· enter into and execute an agreement with you.
· identify your needs and preferences.
· tailor our products and services to better suit your needs.
· develop and/or improve products and services.
· manage and develop IT systems.
· make you a personal offer at the right time.
· track your visit to our website and any app.
· provide account information services and payment initiation services for you (PSD2).
· carry out financial and balance sheet transactions.
· assess our (financial) risks.
· limit your payment arrears.
· ensure the security of our customers, ourselves and the financial sector. To mitigate risks and to preventing fraud. For this purpose, we conduct a customer due diligence before and during the customer relationship and we monitor your transactions. For this purpose we use data provided by you or that we consult form external sources. In doing so, we may use analyses, risk parameters, risk profiles or other indicators. For this we also use Achmea Bank’s event administration, the incident register and/or the External Reference Register (Externe Verwijzingsregister, EVR) in the context of the PIFI protocol.
· be able to handle complaints and disputes.
· to settle a bank and mortgage product after the death of a customer.
· enter into and perform agreements with suppliers and other parties with whom we work.
· provide data to the government (we are sometimes obliged to do so).
· to be able to carry out audits and investigations (or have them carried out).
· conduct market, scientific, statistical, historical research and archiving.
· execute business processes, perform internal management of (financial) risks for the bank and to draft management reports.
· be able to train, coach and develop our employees.
· determine the general strategy and policy.
· process your applications.
· abide by the law.
When do we record our contact with you?We record the agreements we have made with you. We also use these contact moments to improve our communication. We record the following contact moments:
· letters and e-mail messages that we send or that we receive from you.
· telephone calls, e-mail messages and chat messages.
· your visiting behaviour on our websites.
· when you log into the client portal or use the mortgage check module.
· your activity (what you do and look at) in our apps.
· our contact with you via social media, such as Facebook, Twitter and WhatsApp.
Who provides us with your data and who do we share it with?
· other Achmea parts and brand
· other financial institutions with which we have entered into a financial or balance sheet transaction or in the context of combating fraud, terrorism or money laundering.
· our suppliers and
business partners, such as:
Quion and Stater for the processing of the mortgage administration.
o Topicus for the processing of the savings administration.
o Equens for the processing of payment transactions.
o iDIN (Currence Holding BV) for the identification and verification of (new) customers
o SurePay B.V., for the ascription of (contra) accounts
o Calcasa for valuation of securities and
o DM Interface - Impress B.V., Koninklijke Kampert en Helm Rotaform B.V. and PostNL for printing and sending of postals.
· external registers, such as:
o Bureau of Credit Registration (BKR), for your BKR/credit score and the joint fraud prevention system called the External Reference Register (Externe Verwijzingsregister, EVR) for identifying and communicating fraudsters with other Dutch financial institutions.
o Verwijzingsportaal Bankgegevens, for the automated provision of data requested by investigative authorities and the tax authorities.
o Verification Identification System for checking the validity of an identity document.
o Foundation for Mortgage Fraud Prevention (Stichting Fraudebestrijding Hypotheken (SFH).
o National Mortgage Guarantee Scheme (Nederlandse Hypotheek Garantie, NHG)
o The Property Valuation Register (WOZ-Register, Dutch Ministry of Finance).
o the Netherlands’ Cadastre, Land Registry and Mapping Agency (Kadaster).
o the Dutch Banking Association (Nederlandse Vereniging van Banken, NVB).
o Kamer van Koophandel.
o CreditNavigator for identifying payment arrears
o GGN and EDR for debt collection services
the Dutch Tax
In some cases we are obliged to share your data with a foreign tax authorities. We are obliged to do this under the International Tax Assistance Act (WIB) or the Foreign Account Tax Compliance Act (FATCA). If that is the case, your account details will be sent to the Dutch tax authorities, which will then forward them to the foreign tax authorities. More information about the WIB or FATCA.
o the Dutch National Bank (De Nederlandsche Bank, DNB)
o the European Central Bank (ECB)
o the Netherlands Authority for Consumers and Markets (Autoriteit Consument en Markt, ACM)
o the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP)
· complaint bodies, lawyers and judicial authorities, in case of a dispute, such as:
o Bank Disciplinary Law Foundation (Stichting Tuchtrecht Banken)
· our accountant(s) and auditors.
· Central Bureau of Statistics (Centraal Bureau voor de Statistiek, CBS) for statistical analysis and work.
· Central Information System Foundation (Stichting Centraal Informatiesysteem, CIS), for the PEP and sanction list control.
· public sources, such as public registers, newspapers, the internet and (public) social media.
· other parties for which you have given permission.
When you transfer money from an Achmea Bank product to a different (checking) account with another financial institution, your data will also end up at this financial institution.
Where do we process your data?
We store your data in various databases, which are typically hosted on servers but may also be cloud based. This means that we store and process your data in an online location. In certain situations, we might also share your data with the aforementioned parties.
Strict security measures are in place for these databases. For example, we only contract with reliable service providers, encrypt our data as much as possible and, in principle, only store your data in databases located in the European Economic Area (EEA) or only share it with parties in the EEA. Because the same privacy rules apply throughout the EEA, we can ensure that your privacy is well protected.
In exceptional circumstances, it may be necessary to store or share your data outside the EEA. In which case, we will do so very carefully. We will review this in advance with our data processor(s) and ensure that the appropriate agreements are in place to protect your privacy. For example, agreeing standard provisions drafted by the European Commission and carrying out a Data Transfer Impact Assessment.
Many social media providers are based outside the EEA, so data stored with them may not receive the same level of protection as it would within the EEA. We recommend that you read the privacy statement of any social media channel carefully if you are redirected to it from our website (e.g. after clicking a social media button). Achmea Bank has no control over how these messaging services secure and use your personal data.
How do we ensure that your data is safe with us?
We always take appropriate technical and organisational (security) measures to prevent the loss or unlawful processing of your data. We always take into account your privacy and the security of your data when developing new services and processes. As an example, your data is only accessible to those employees who require it, and our employees have been clearly instructed on how to handle your data.
Found a vulnerability in our services? You can submit a report via the website Responsible Disclosure of Achmea. We appreciate it if you let us know, so that we can take measures. This way, we can work together to improve the security of our data and systems.
We handle sensitive data with extra caution
By sensitive data, we mean:
Your Citizen Service Number (BSN) and banking details
o If you decide to become a customer with us, we are legally obliged to verify your identity. That is why we ask you to provide a copy of your proof of identity. Your BSN is stated on your proof of identity.
o We are also legally obliged to annually provide information about your financial product to the tax authorities. We must use your BSN for this. So the authority is able to use your information in an effective and correct manner during the implementation and supervision process.
o For products that fall under the Deposit Guarantee Scheme, we are obliged to communicate your BSN to the National Bank of The Netherlands (De Nederlandsche Bank).
If you have a Dutch IBAN account with us, we are obliged to pass on your details in the context of the Banking Reference Portal in certain situations. We may use your BSN.
· Your credit check information
o We are also legally obliged to check your creditworthiness when you are applying for a loan.
· Your health data
o We are required to ask you for an independent medical certificate, for example, in order to execute a living will. This is health data.
· Data gathered from criminal law
If we need to determine the risk for a financial product, we may ask whether you have a criminal history. If you were suspected and/or convicted of a crime more than eight years ago, you do not have to report this.
How long do we store your data?We do not store your data any longer than is necessary or required by law. We have a retention policy for this. This specifies how long we keep data. In most cases this is 7 years after the end of the agreement or your relationship with Achmea Bank.
We will then delete your data or pseudonymise your data. If we pseudonymise your data, we will delete all data that refers to you. The data is then used to give us a better picture of our risks, products and services.
In specific situations, we may keep data for longer than the retention period prescribed by us. For example, if you have filed a complaint that makes it necessary to keep the underlying data for longer or for legal proceedings.
Automated decision making
Are you taking out a product with us? In that case we are obliged by law and regulations to screen you for the purpose of combating fraud and preventing money laundering and financing of terrorism. Profiling is part of this, because a risk profile must be linked to you. For security reasons, we are unable to provide further details on how we do this.
If you have a mortgage with us. Then we are obliged to make an accurate and current estimate of your credit risk, in other words an estimate that a mortgage is suitable for you and that you can (re)pay a mortgage. Based on this information, we try to estimate the risks we run and to assess whether we can offer you a mortgage.
>For the financial assessment of you as a customer we use (risk) models, which automatically make a risk estimate based on various data, including your personal data, and assign you a credit score. We can use profiling methods for this. The credit score is only an indication. The final assessment and decision is always made by an authorized employee so that there is always personal involvement in making a sensible, fair and unbiased decision.
If it appears on the basis of this assessment that you run a higher risk, we may decide not to provide you with a mortgage.
The GDPR Counter
The General Data Protection Regulation (GDPR) has been in force since 25 May 2018. This gives you rights to keep control over your personal data. The GDPR counter is an Achmea-wide initiative. Here you can submit a question or request about privacy. The counter will then deal with your question. And will contact you about this. Below you can read what your rights are.
When we are your data processor, we want to be fully transparent about how we handle your data. To this end, you can exercise your legal rights. You may:
- request your data from us
- So are able to check your data.
- have your data changed if it is inaccurate
- So you are able to ask us to change or supplement your data if it is incorrect or incomplete.
- have your data deleted
- Often, we are unable to delete your data because we still require it or in order for us to abide by a law, for example.
- object to certain usage of your data
- If, for example, you no longer wish to receive e-mail offers from us. Our e-mails contain a link you can use to unsubscribe. You may also telephone us, should you wish. In other instances, you will need to clearly indicate why you are lodging an objection in order for us to properly assess it.
- If you do not want us to pass on your details to SurePay for name-number verification. We do this so that you can check whether you have entered the correct account number when transferring to your savings account.
- In other cases, you need to be clear why you object so that we can assess this.
- withdraw your permission
- If you gave us permission to use your data, you may withdraw this at a later date. From that moment on, we will no longer use your data.
- Should you no longer wish to receive our newsletter, use the link found at the bottom to unsubscribe. After this, you will no longer receive our newsletter.
If you are not a customer of ours, we will delete your data.
- transfer your data
- If you have provided us with data, either by consenting to this or on the basis of our agreement, you can transfer data to another party or to yourself.
- temporarily restrict the use of your data
- If, for example, you have objected to the use of your data.
Please let us know when you wish to exercise your rights
To exercise your rights, please send an e-mail to: firstname.lastname@example.org
You can also post a letter to:
7300 HZ Apeldoorn
Remember to include a copy of your passport or ID card, so that we can verify your identity and prevent misuse. To protect your privacy, please ensure that your passport photo, citizen service number (BSN) and the number series at the bottom of your passport or ID card are not decipherable. You can use the Dutch national government’s KopieID app to obscure your sensitive information.
We will respond within one month of receiving your letter or e-mail. In some cases we may ask you to further specify your request or we may extend our response time to a maximum of three months.
You can also view or change much of your data through your personal environment.
Do yo have a question, tip or complaint?
If so, send an e-mail to Achmea’s Data Protection Officer at: email@example.com
You can also post a letter to:
Compliance & Operational Risk Management
T.a.v. Privacy Manager
3700 AW Zeist
If we are unable find a solution together and your complaint concerns personal data, please submit your complaint to the Dutch Data Protection Authority.
Privacy rules and regulations
We comply with the prevailing laws and regulations on privacy. These include:
- The General Data Protection Regulation (GDPR).
- The GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, UAVG).
- The Telecommunications Act.
- The Incident Alert System Protocol for Financial Institutions (Protocol Incidentenwaarschuwingssysteem Financiële Instellingen).
- The Code of Conduct for the Processing of Personal Data by Financial Institutions (Gedragscode Verwerking Persoonsgegevens Financiële Instellingen).
- The Personal Investigation Code of Conduct (Gedragscode Persoonlijk Onderzoek).
This privacy statement is subject to change
We are constantly on the lookout for better services, which we try to tailor as much as possible to meet your personal needs. This sometimes requires new or modified data processing protocols. This may also prove necessary if we develop new products or services or if there are any changes to the relevant rules or regulations. In which case, we can and will amend our privacy statement.
The latest version is from 1st of June 2022. Our website always has the latest privacy statement. We advise you to consult this on a regular basis.
You can also request a written copy by e-mailing: firstname.lastname@example.org