Privacy
The privacy statement applies to all personal data processed by Achmea Bank N.V. and its subsidiary Syntrus Achmea Hypotheekdiensten B.V. (hereinafter collectively referred to as: Achmea Bank). Syntrus Achmea Hypotheekdiensten B.V. provides services relating to mortgages. The privacy statement for the savings, investments and mortgages brands mentioned below provides more specific information regarding the processing of your personal data.
Achmea Bank has its registered office in The Hague (under Chamber of Commerce number 27154399). It holds a banking licence from De Nederlandsche Bank (DNB) and is listed in the register of the Dutch Authority for the Financial Markets under number 12000011. The following brands are part of Achmea Bank:
- Achmea Bank (savings products offered through Raisin)
- Centraal Beheer (savings products, PSD2 and investment services)
- Centraal Beheer (mortgages with lenders Achmea Bank N.V. and Achmea Hypotheken B.V.)
- Acier Financieringen (mortgages with lender Achmea Bank N.V.)
- Attens Hypotheken (mortgages with lender Attens Hypotheken B.V.)
- Other brands that have been outsourced to Syntrus Achmea Hypotheekdiensten B.V. (Tellius Hypotheken and Syntrus Achmea Hypotheken).
Achmea Bank and Achmea B.V. are joint controllers
Achmea Bank is a subsidiary of Achmea B.V. Achmea Bank N.V. and Achmea B.V. are jointly responsible for processing your personal data correctly.
If you request a quotation, take out a savings or mortgage product, visit our website, subscribe to a newsletter, are already an existing customer, or have been in contact with us by other means, then we require your data. This data often reveals something about you or can be linked to you as an individual in various ways.
We usually ask for your name, address, e-mail address, telephone number and date of birth, but sometimes we also ask for additional information depending on the product you choose. Examples include your financial data and information about the collateral when you are taking out a mortgage, or your bank account number for the automatic deduction of the monthly mortgage payments.
We may also request data in order to verify your identity. This often occurs via iDIN or personal identification on-site by AMP.
Usually, you provide us with your data yourself, for example when taking out a product and subscribing to a newsletter. We may sometimes receive your data by different means. For instance, if you have an independent consultant, they will provide us with your data. We can also request your data from external public and semi-public sources or registers, for example from the Credit Registration Office (BKR).
We may process the following categories of personal data relating to you.
| Personal data category | Example |
|---|---|
| Account data | Username, user ID and avatar |
| Audiovisual data | Camera and video recordings, recorded chat and telephone conversations |
| Professional information | Occupation, position, employer, company location |
| Contact data | Address, e-mail address, phone number |
| Due Diligence data | PEP, Sanctions list, IVR and EVR assessments |
| Financial data | Bank account number, transactions, income, balance data, assets, loan information, payment arrears, debts/arrears |
| Data concerning devices, operating systems, online behavior and preferences | IP address, MAC address, operating system, device type, version and/or brand, and cookie settings |
| Personal identification data | Name, address, place of residence, postcode, date of birth, place of birth, citizen service number (BSN)/tax identification number (TIN), customer number and nationality |
| Legal status | Relationship status, marital status and family composition |
| Collateral data | Address of the collateral property, purchase and contract sum, market value |
| Education data | Education completed and level of education achieved |
| Sensitive personal data | Special personal data |
| Criminal record data | Criminal convictions and offences |
If you visit the website of one of our brands, such as centraalbeheer.nl, syntrusachmeahypotheken.nl, or acierfinancieringen.nl, you will find a cookie statement on that website explaining the use of cookies placed on the website or in the app.
Similarly, if you have a product with us, you may receive e-mail messages. Our brands can also register your click behaviour in our e-mails. Specifically, we register whether you open an e-mail and click the links and articles. This enables us to make our e-mail messages more relevant to you. If you do not want us to do this, you can usually disable this registration activity through the online customer portal. You can also click the unsubscribe link in the newsletter if you wish.
We only process your data when we have a legal basis for doing so. We process your personal data on the basis of the following:
- entering into and performing a contract, for example, if you wish to open a savings account with us or take out a mortgage.
- complying with a statutory obligation. Examples include performing our statutory duty of care (Financial Supervision Act, Wft), preventing fraud, preventing tax evasion, preventing money laundering and terrorist financing (Money Laundering and Terrorist Financing (Prevention) Act, Wwft), or sharing your data with the Tax Administration or other regulators.
- if you have given explicit consent (you can withdraw consent at any time). An example is consent for forwarding your data to an external party.
- safeguarding our legitimate interests or those of a third party. This only applies when we determine after consideration that processing is necessary, there is no less intrusive way to achieve the objective, and our interests or those of a third party outweigh your privacy interest. Examples include the IBAN Name Check, conducting a test with the Credit Registration Office (BKR) during a mortgage application, processing that the regulatory authority requires us to undertake but that has not yet been enshrined in law, carrying out our administration efficiently, and providing you with relevant tips and offers.
We process certain personal data because we are required by law to do so, for example pursuant to the Money Laundering and Terrorist Financing (Prevention) Act (Wwft). In addition, we require data to enter into and perform an agreement with you; without the data, we will be unable to do these things.
We sometimes use data for a purpose other than the one for which we receive it. This is only permissible if there is a close correlation between both objectives.
We always process your data with a purpose, and only if your data is necessary to achieve that purpose. For instance, we may use your data:
- to enable you to perform an online calculation on our website. This data will then be used solely for that calculation, unless you decide to take out the product.
- to maintain contact with you so we can answer your questions.
- to keep records on how and when we contacted you.
- to assess whether the desired product is suitable. This may also involve a credit score if that is necessary.
- to offer you a suitable product (including, but not limited to relationship management, promotion and marketing).
- to enter into and perform an agreement with you.
- to identify your products at Achmea, as well as assess your needs, satisfaction and preferences.
- to better align our products with your needs.
- to develop and/or improve products.
- to manage, administer, develop and test IT systems.
- to monitor your visit to the website and app, where applicable.
- to enable you to make use of your personal environment (such as Centraal Beheer and Acier Financieringen).
- to provide you with account information services and payment initiation services (PSD2).
- to perform financial and balance transactions.
- to assess/estimate our financial and other risks in order to protect our financial position, including through our Advanced Internal Ratings-Based (AIRB) risk model for determining financial reserves and stress testing.
- to enhance your financial resilience and avoid payment arrears, for example by using models to identify potential payment issues at an early stage.
- to protect your interests and ours from fraud and other types of crime.
- to ensure the security of our customers, ourselves and the financial sector by reducing risks and detecting and preventing fraud. For this purpose, we conduct a customer survey prior to and during the customer relationship, and we monitor your transactions using data that you have provided, or by consulting data held by external sources. We may use analyses, risk parameters, risk profiles or other indicators for this purpose. We can also make use of our incident management system and the internal reference register, as well as the incident registration system and the external reference register (EVR) in the context of the Financial Institutions Incident Warning System (PIFI) protocol. You can find more information later on in this statement under ‘incident management/incident registration system/IVR/EVR’.
- to fulfil our gatekeeper function and to combat money laundering and the financing of terrorism.
- to map the sustainability and climate risks of the properties we have financed for internal purposes and regulators/regulatory reports, or to offer assistance to customers or to make offers with respect to improving the sustainability of financed collateral properties.
- to be able to handle complaints and disputes.
- to settle a product after the death of a customer.
- to enter into and perform contracts and agreements with suppliers and other parties with whom we collaborate.
- to provide data to the government, if we are required to do so.
- to be able to conduct audits, accountancy controls and investigations, or have them conducted.
- to conduct material, formal checks and horizontal monitoring.
- to conduct market, scientific or historical research, research for statistical purposes, and archiving.
- to implement and improve business processes and their quality control.
- to manage financial and other risks for the bank.
- to prepare management reports.
- for the development and validation of risk and other models.
- to be able to train, coach, develop and assess our employees.
- to determine our general strategy and policy.
- for benchmarking purposes (for example, making a comparison with other organisations).
- to process your job application.
- for the electronic signing of documents.
- to comply with the legislation and regulations.
You can find the complete list in the Achmea privacy statement.
If you request another product from us, then we can also take into account information about other products you have with us when assessing your application.
We will record the agreements with you and use our contact with you to improve our communication. The following are some examples of contact with you that we document:
- letters and e-mail messages that we send to and receive from you.
- telephone calls, e-mail messages, and chat messages.
- what you view and do on our websites and apps.
- the occasions you log into the online customer portal or use the mortgage check module.
- during an investigation (including a personal investigation), if there is good reason to do so, we may also use data obtained from camera footage, information we find about you on the internet, and telephone conversations or chat/video chat conversations with our colleagues.
- the contact we have with you through social media, such as WhatsApp.
Because many social media providers are located outside the European Economic Area (EEA), personal data may not be adequately protected. We therefore recommend that you always read the privacy policies of those social media channels carefully before using them, so that you know what happens to your data.
Achmea Bank has no influence over the manner in which these social media providers secure and use your personal data and is therefore not responsible for the content that social media providers post or how they handle personal data.
Usually, you provide us with your data yourself, but sometimes we receive your data by different means. In addition, we sometimes share your data or verify it with other companies, depending on the product you choose. We do not sell your personal data.
We may exchange data with the following:
- other Achmea entities, components and brands, such as Centraal Beheer.
- other financial institutions, in relation to:
  - a financial/balance transaction or in the context of combating fraud, terrorism, or money laundering;
  - individual savings and investment transactions of customers.
- our suppliers and business partners, such as:
  - Quion and Stater for processing mortgage administration.
  - Topicus for processing savings and investment administration.
  - Equens and Currence IDEAL B.V. (Wero) for the settlement of online payment transactions.
  - iDIN for identification and verification of new and existing customers and the use of Secure Login (2FA) on the online customer portal.
  - AMP Group for identification and verification of new and existing customers on-site (in person).
  - Ockto(ID) or I-Wise for providing us with information or documents for the purpose of a mortgage application (including identification).
  - SurePay for verification of account/contra account holder names (IBAN Name Check).
  - Aryza (CreditNavigator) for preventive and special management.
  - I-Tek for security matters and preventive and special management.
  - Calcasa for the valuation of collateral.
  - DM Interface – Impress B.V., Koninklijke Kampert and Helm Rotaform B.V. and PostNL for the printing and mailing of postal items.
  - Raisin, if you have taken out a product with us through the Raisin platform.
- investors in our mortgage portfolios (such as pension funds).
- Cloud providers.
- public and/or external registers, such as:
- the Credit Registration Office (BKR, Stichting Bureau Krediet Registratie) for matters such as access to or registration (if applicable) in your BKR/credit registrations (Central Credit Information System), the BKR score, and the joint fraud prevention system known as the external reference register (EVR, Externe Verwijzingsregister) for identifying and reporting fraudsters with other Dutch financial institutions.
- Foundation for the Combating of Mortgage Fraud (SFH, Stichting Fraudebestrijding Hypotheken).
- Verification Identification System via the Dutch Credit Registration Office (BKR) for checking the validity of an identity document.
- The banking information reference portal, for the automated provision of data requested by investigative authorities or the Tax Administration (Verwijzingsportaal Bankgegevens).
- Valuation of Immovable Property Act (WOZ) register (Ministry of Finance).
- The Land Registry, for consulting collateral data (Kadaster).
- the Dutch Banking Association sector organisation (NVB, Nederlandse Vereniging van Banken) and the Dutch Association of Insurers (VvV, Verbond van Verzekeraars).
- Chamber of Commerce (KVK, Kamer van Koophandel) for the general KVK register (Commercial Register) and UBO register.
- intermediaries, mortgage consultants, service providers, appraisers, brokers, legal service providers, administrators, bailiffs, collection agencies, credit intermediaries and/or notaries.
- Tax Administration (Belastingdienst).
  - In certain cases, we are required to share your data with a foreign tax administration. We are obliged to do this under the International Assistance (Levying of Taxes) Act (WIBB) or the Foreign Account Tax Compliance Act (FATCA). In this event, your account details will be sent to the Dutch tax administration, which will then forward them to the relevant foreign tax administration. For more information, visit the WIB or FATCA sites.
- investigative authorities, such as the police, the Public Prosecution Service, and intelligence services.
- regulatory authorities, such as:
  - the Dutch Authority for the Financial Markets (AFM, Autoriteit Financiële Markten).
  - De Nederlandsche Bank (DNB).
  - the European Central Bank (ECB).
  - the Netherlands Authority for Consumers and Markets (ACM, Autoriteit Consument en Markt).
  - the Dutch Data Protection Authority (AP, Autoriteit Persoonsgegevens).
- complaint bodies, such as the Financial Services Complaints Tribunal (Kifid) and judicial authorities or lawyers in the context of a dispute.
- our internal and external accountant(s) and auditors.
- Homeownership Guarantee Fund (WEW, Stichting Waarborgfonds Eigen Woningen), in connection with National Mortgage Guarantee (NHG).
- Statistics Netherlands (CBS, Centraal Bureau voor de Statistiek) for statistical analyses and activities.
- Foundation Central Information System (CIS, Stichting Centraal Informatiesysteem) for PEP and sanctions list checks.
- public sources, such as public registers, newspapers, the internet, and public social media.
- municipalities, in connection with payment arrears (Early Warning Pilot). We are participating in a national pilot in which lenders and municipalities collaborate to identify mortgage payment arrears at an early stage. The aim is to prevent arrears from developing into problematic debts, and to provide timely support. We can provide limited information to your municipality. This data does not concern other financial products or your complete financial situation. You will be informed in advance about this provision of data, and may object to it at that time if you wish.
- members of the Association for Debt Counselling and Social Banking (NVVK) in the context of debt assistance regarding residual debt on mortgages.
- companies, for the purpose of benchmarking.
- heirs and executors who succeed you in your rights and obligations in the event of your death.
- other parties to whom you have granted consent, such as service providers from Centraal Beheer Climate Store (Klimaatwinkel).
When you transfer money from an Achmea Bank product to a payment or other account at another financial institution, this financial institution will also receive your data.
These databases are subject to strict security measures. We therefore only conduct business with reliable service providers, we encrypt our data wherever possible, and in principle, we only store your data in databases within the European Economic Area (EEA) or share this data only with parties within the EEA. Since the EEA and the Netherlands are subject to the same privacy regulations, we can ensure that your privacy is protected effectively.
In exceptional situations, it may be necessary for your data to be stored or shared outside the EEA. In this event, we will do so very carefully. We and our processor(s) make an assessment in advance and ensure that appropriate agreements are made in order to protect your privacy. We can also perform a Data Transfer Impact Assessment. Examples of such agreements include the adoption of a model agreement approved by the European Commission (Standard Contractual Clauses) and the EU-US Data Privacy Framework.
For this purpose, we consistently implement appropriate technical and organisational security measures to prevent the loss or unlawful processing of your data. This enables us to monitor the security of our data traffic 24 hours a day. We also have an information security policy, and we take your privacy and the security of your data into account when developing new products and processes. One example is that your data is only accessible to those employees who need to work with it. Our employees have also received clear instructions on how to handle your data, and they are all subject to a duty of confidentiality.
If you happen to discover a vulnerability in our internet services, then you can report it through Achmea's Responsible Disclosure page. We would appreciate it if you would inform us of this so that we can take appropriate measures and work together to improve the security of our data and systems.
Sensitive data includes the following:
- Your citizen service number (BSN)
  - When you become our customer, we are required by law to verify your identity. We therefore sometimes ask you for a copy of your identification, upon which your BSN also appears.
  - We are also required by law to provide information annually about your financial product (for example, your savings account) to the Tax Administration. In order to do so, we need to use your BSN (Articles 47b and 53 of the State Taxes Act (AWR)). The Tax Administration uses your BSN as a unique identification number in order to effectively and accurately utilise information during the implementation and monitoring process.
  - For those Achmea Bank products coming under the Dutch deposit guarantee, we are obliged to communicate your BSN to De Nederlandsche Bank (Article 3:17 Financial Supervision Act (Wft)).
  - If you have a Dutch IBAN account with us, we are required to share your data in certain situations in the context of the banking information reference portal. We may make use of your BSN for this purpose (Article 3:267i Financial Supervision Act (Wft)).
- Your banking information (including debts and payment arrears)
- Your creditworthiness check
  - We are also required to check your creditworthiness when you apply for a loan.
- Criminal law data
  - When assessing the risk relating to a financial product, we may inquire whether you have a criminal record. If you were a suspect or were sentenced more than eight years ago, then you do not need to report this.
  - We may also process your criminal records in the context of the PIFI protocol.
- Your health data
  - In general, we do not process health data. We process your health data only when it is necessary to do so, and with your consent.
In specific situations, we may retain personal and other data for longer periods than the retention period we have established. An example is if the regulator requests this from us in the context of risk models or the development and review thereof, risk management, a complaint you have submitted that necessitates the retention of the underlying data for a longer period, or for legal proceedings. We may also retain it for historical or scientific research or statistical purposes.
If personal data is retained for a longer period, we take measures to ensure that the data is only used for the purposes for which a longer retention period is necessary.
In certain cases, we use automated decision-making and create a profile of you based on the data we have about you (profiling). You can read more about this below.
What if you take out a savings product or investment service directly online (through one of our brands)?
In this case, we will automatically process your personal data in order to evaluate certain personal aspects. We use this information to automatically assess whether or not you meet our acceptance criteria, which may directly result in automated rejection. We also obtain data from external sources or registers. We will then examine matters such as whether the information you provided about yourself is accurate and whether you are registered externally (for example in sanctions lists). We also check for fraud indicators and make a risk assessment based on your data and other public sources and registers. This risk assessment can have repercussions for acceptance. In this regard, we can make use of profiling, which involves analysing some of your personal aspects such as your preferences, behaviour or financial situation. After you have applied for a product, the acceptance may take place automatically without human intervention. Before we decide not to offer you a product, at least one employee will conduct a substantive assessment, after which the employee will make the actual decision.
What happens if you submit a mortgage application to us yourself or through your consultant?
In this event, we are required to make an accurate and up-to-date assessment of your credit risk; in other words, we have to assess whether a mortgage is suitable for you and whether you will be capable of consistently repaying a mortgage in the long term. We do this based on data we have received from you and from external public sources and registers (such as the Credit Registration Office, BKR). Based on this information, we will endeavour to make a risk assessment in order to determine whether we can offer you a mortgage. This also involves the use of risk and other models, which automatically assess a risk and assign you a credit score. We may make use of profiling for this purpose. The credit score is merely an indication for us. The final assessment or the decision is always made by at least one authorised employee, so that there is always human intervention involved that ensures a wise, fair and unbiased decision. In this process, only profiling is involved - we do not use automated decision-making for this. If the assessment appears to reveal that you are at a higher risk, we may decide not to grant you a mortgage.
Are you a customer with us?
If so, then we are required to take measures to prevent fraud, money laundering, and the financing of terrorism (just as we do if you apply for a product). We are also required by law to know our customers well and regularly check that the information is still current. We want to be certain about who our customers are and prevent our products from being misused for fraud, money laundering or other illegal activities. For example, we monitor payment transactions and repayments in an automated manner. To ensure effectiveness, we also create risk profiles (profiling) relating to our customers, which we maintain periodically. If there is suspicion of an unusual transaction or if there is a possibility that your information is no longer up to date, our employees may contact you. In the event of a suspicion of fraud, we must report this immediately to the authorities. We also check periodically whether you are on a sanctions list. No automated decisions are ever made about you in this regard.
We also utilise profiling to tailor our marketing communications to suit your personal preferences, behaviour and interactions on our website. We process things such as your personal data, click behaviour and stated interests for this purpose. We do this on the basis of legitimate interest in order to provide you with more relevant offers and to improve our services. You can always unsubscribe from a marketing message.
If you have a mortgage with us, our risk and other models can automatically assess the risk relating to your loan and the likelihood of you experiencing a payment default. We may make use of profiling for this purpose. The reason for this is to identify and mitigate any risks for you and us as early as possible. To minimise this risk as effectively as possible, a staff member from Preventive and Special Management may assess the situation and contact you.
Provision of information in automated decision-making
We always inform you prior to an automated decision being made. If you disagree with an automated decision, you may always inquire about it or submit an objection. You may also inquire about the reasons and ask us to make a new decision. For security reasons, we may not be able to provide all or any further details regarding the manner in which we conduct the aforementioned investigations.
If an incident meets the conditions specified in the Financial Institutions Incident Warning System Protocol (PIFI), Achmea Bank records the relevant personal data in an incident registration system (IR), and if necessary, a limited amount of personal data in the external reference register (EVR). Other Dutch financial institutions may also access the EVR under very strict conditions as outlined in the PIFI protocol.
By placing your data in these registers, we and sometimes other Achmea entities or other Dutch financial institutions may use it for matters such as verifying whether you have ever committed fraud or attempted to do so.
You will receive a message if your data is included in one of the registers. In most cases, this occurs before your data is entered into the registers, unless disclosure would compromise the investigation. In that event, after the conclusion of the investigation, you will receive notification that we will proceed with registering you in the IVR, IR or EVR.
Achmea Bank has received a permit from the Dutch Data Protection Authority for the processing of criminal personal data in the context of the PIFI protocol.
When we process your personal data, our intention is to do so transparently. To this end, you may make use of your legal rights, which are as follows:
- the right to request your personal data from us or view it.
  - This enables you to check your personal data.
- the right to correct your personal data if it is inaccurate.
  - You can ask us to amend or supplement your personal data when it is incorrect or incomplete.
- the right to have your personal data deleted.
  - Bear in mind we may often be unable to delete your personal data, either because we still require it, or because we are required to retain it in compliance with a law.
- the right to object to certain use of your personal data.
  - For example, you may no longer wish to receive e-mails from us with offers. You can use the unsubscribe link in our e-mails to unsubscribe, or you can call us.
  - You may also prefer that we do not share your personal data with SurePay for the purpose of the IBAN Name Check. Please note that we do this so that you can check whether you have entered the correct account number when transferring to your savings account.
  - Whatever the situation, you should always clearly indicate the reasons for your objection so that we can assess it properly.
- the right to withdraw your consent or unsubscribe.
  - If you gave us consent to use your personal data, for example for personal offers or newsletters, you may withdraw your consent at a later date. We will no longer use your personal data from that moment on. To unsubscribe from the newsletter, please use the link at the bottom of the newsletter. After that, you will no longer receive the newsletter.
- the right to have your personal data transferred.
  - If you have provided us with personal data based on our agreement or with your consent, you can have it transferred to another party or to yourself.
- the right to have the use of your personal data temporarily restricted.
  - An example is if you have objected to the use of your personal data. We will always assess this on its merits.
We may not always be able to comply with your request, or we may require more information to fulfil your request. In either case, we will contact you.
For this purpose, please send us an e-mail or a letter. In order to ensure that we use the data of the correct individual and to prevent misuse, we must be able to establish the identity of the person who wishes to exercise their rights. We can do this with customer or contract numbers, date of birth, or name, address and place of residence details. Please provide this information when you wish to exercise your rights. In certain cases, for example when your identity cannot be established based on the data we have, we may request a copy of your passport or identity card. We can also ask for this when very sensitive data is concerned, such as information about your health. When we request a copy of your passport or identity card, please obscure your passport photo, Citizen Service Number (BSN) and the series of numbers at the bottom of the passport or identity card. You can use the KopieID (CopyID) app from the Dutch government for this purpose.
We will respond within one month of receiving your e-mail or letter. In some cases, we may ask you to provide further details for your request or we may extend our response time to a maximum of three months.
You can view or change many of your details through the personal online customer environment you have with the brand concerned.
If you choose to send an e-mail, please do so by means of a secure method.
You can also send a letter to:
Achmea B.V.
Attn. AVG-Loket
Postbus 9150
7300 HZ Apeldoorn
You can also send a letter to:
Achmea B.V.
Compliance & Operational Risk Management
Attn. Privacy Manager
Postbus 866
3700 AW Zeist
These include:
- The General Data Protection Regulation (GDPR).
- The General Data Protection Regulation (Implementation) Act (GDPR Implementation Act).
- The Telecommunications Act (Tw).
- The Financial Institutions Incident Warning System Protocol.
- The Code of Conduct for Personal Investigations.
This latest version is dated 9 January 2026. You will always find the latest version on our website. We recommend that you regularly review this privacy statement when visiting our website.
You may also request a written copy by sending an e-mail to: privacymanager@achmea.nl.