This Privacy Statement was most recently amended on 4 May 2018.
ICS and your personal data
This Privacy Statement sets out how we handle your personal data. You can be confident that we handle your personal data with due care. For some of ICS’s apps or websites, the use of your personal data may differ from that described in this general Privacy Statement. In such cases, a different Privacy Statement is provided in the app or additional information is given in the specific online service.
Who is this Privacy Statement intended for?
Are you a client of ours or have you shown an interest in a specific product, for example by making an application? Or do you visit one of our websites or use one of our apps? If so, we use your personal data and this Privacy Statement applies to you.
It is possible that we process personal data relating to individuals who do not have a contract with us, for example when we record and use personal data relating to contact persons at companies to which we provide services, shareholders of these companies, or ultimate beneficial owners (UBOs) of these companies. We may also process personal data relating to individuals who, for example, act as guarantors for clients of ICS.
Our contact person for your questions about data protection
We have a designated Data Protection Officer within our group structure, the ABN AMRO Group. You may contact the Data Protection Officer at email@example.com.
Who controls your personal data?
The controller of your personal data is:
International Card Services B.V. (ICS)
1112 XP Diemen
Chamber of Commerce number: 33200596
What is personal data?
Personal data is information that says something about you. The best known forms of personal data are your name, address, email address, age and date of birth. Personal data also includes your bank account number, your phone number, your IP address and your national identification number. There are several special categories of personal data. These include data concerning your health. Another special category concerns biometric data. We may only use this personal data if this is permitted by law or if you give your consent for this. In all other situations, we are prohibited from using this personal data.
Personal data relating to you that we obtained from others
Imagine that your partner applies for a loan in both your names. In that case, we may use the data concerning you that we ask for. Occasionally, we are even required to do so. We may also decide to use personal data obtained from other sources, such as:
- Public registers that contain your personal data, such as the National Credit Register (Bureau Krediet Registratie - BKR);
- Public sources such as newspapers, the internet and public sections of social media accounts;
- Data files from other parties that have collected personal data about you, such as external marketing firms or credit agencies.
On what basis do we process your personal data?
Obviously, we may not request or use your personal data without good reason. By law, we are permitted to do this only if ‘the processing has a basis’. This means that we may only use your personal data for one or more of the following reasons:
We need your personal data to conclude a contract, for example if you want to open a credit card account with us or if you want to apply for a loan.
The law lays down many rules that we have to comply with as a bank. These rules state that we have to record your personal data and occasionally provide it to others. The following are just some examples of the legal obligations we have to comply with:
- Under the Dutch Financial Supervision Act (Wet op het financieel toezicht - Wft), we have a statutory duty of care. This means that we must assess your financial situation as accurately as we can. We can then take account of any changes you have to deal with.
- We have to take steps to prevent and combat fraud, tax evasion, terrorist financing and money laundering. These include asking you to provide information from your identity document, such as a passport number. We may also keep a copy or photo of your identity document.
- We have legal obligations under the Dutch Bankruptcy Act (Faillissementswet) and under other laws that require us to keep your personal data, such as the Dutch Civil Code or specific provisions of the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme - Wwft).
Other organisations may occasionally ask banks to provide personal data. These organisations include the Dutch Tax and Customs Administration, the judicial authorities (financial fraud) and intelligence agencies (terrorism). In addition, banks are sometimes required to share personal data with supervisory authorities, such as the Netherlands Authority for the Financial Markets (AFM), the Dutch Central Bank (DNB) and the European Central Bank (ECB), for instance when they carry out research into business processes or specific clients or groups of clients. In the context of the banker’s code of conduct, banks may need to provide personal data to the disciplinary commission (Stichting Tuchtrecht Banken).
If the law or a supervisory authority stipulates that we must record or use your personal data, we are required to do this. In that case, it does not matter whether you are a client of ours or not. For example, every bank must check whether clients, and the representatives of clients (including corporate clients), are genuinely who they say they are. Your personal data may be used in fraud prevention activities such as transaction monitoring, or if we record your personal data in incident logs.
Legitimate interest of ICS or others
We also have the right to use your personal data if we have a legitimate interest in doing so. In that case, we must be able to demonstrate that our interest in using your personal data outweighs your right to data protection. We therefore balance all the interests. We explain the situations in which this happens using a few examples:
- We protect property and personal data belonging to you, to us and to others.
- We protect our own financial position (so that we can assess whether you are able to repay your loan, for example), your interests and the interests of other clients (in the event of a bankruptcy, for example).
- We carry out fraud detection activities so that clients and ICS do not suffer losses as a result of fraud. In this context, we keep the financial transaction history.
- We keep you up-to-date on product changes and send you tips, offers and other relevant news by means of direct marketing.
- We aim to keep efficient records. We centralise our IT systems, make use of other service providers, and conduct statistical and scientific research.
Even if you do not have a contract with us, we may still use your personal data on the basis of a legitimate interest. In that case, we will obviously first check whether this is permitted, for instance for security purposes. We assess whether we may use personal data for marketing purposes on a case-by-case basis, and separately for each type of personal data and for each group of data subjects. We ensure that we do this in accordance with the law and the subject matter of this Privacy Statement.
What does ICS use your personal data for?
We use your personal data to help make our operations and our services as effective, reliable and efficient as possible. This is done for the following six purposes:
- Contract. We enter into contracts with you and perform these contracts. If we do not have your personal data, we cannot offer you a credit card account or make payments, for example.
- Research. Within ICS, we study possible trends, problems, root causes of errors and risks, for instance to check whether new rules are properly observed. This helps us prevent complaints and losses. In this way, we can intervene or issue a warning in time, for example if you are no longer able to repay your debts.
- Better or new products and services. Do our products still meet your wishes and expectations? We carry out research in this area, using your personal data. We study trends and use personal data with the aim of analysing and continuing to develop our products and services.
- Marketing. You receive offers and news that is appropriate for you. That is why you receive as little advertising as possible for products you are probably not interested in or already have. In this context, we use personal data that we received from you, for instance because you requested information in the past or because you are already a client of ours. We may also make use of personal data that we obtained from other parties.
- Security. We are required to guarantee the security and integrity of the financial sector. We may therefore use your personal data to prevent or combat attempted or actual criminal or objectionable acts, such as fraud or terrorism. We do this so that we can guarantee the security and integrity of the financial sector, ICS, our employees and you, as the client. We may also use your personal data for warning systems.
- Social responsibility and statutory requirements. As a bank, we play a key role in society. We help to prevent terrorist financing, money laundering and fraud, for instance by reporting unusual transactions or by identifying and stopping potentially fraudulent transactions and verifying transactions with you if necessary. Public authorities also ask us to provide personal data when they want to investigate problems or criminal offences. In this context, we check whether they have good reason to do so.
We may use your personal data for other purposes than the purpose for which you supplied the personal data to us. In that case, the new purpose must be in line with the purpose for which you initially provided your personal data to us. The law refers to this principle as ‘compatible use of personal data’. The law does not specify exactly when a use is compatible, although it does provide guidance:
- Is there a clear correlation with the purpose for which you initially provided the personal data? Is the new purpose appropriate to the initial purpose?
- How did we originally receive the personal data? Did we obtain the personal data directly from you or in another way?
- What kind of personal data are we talking about exactly? Is the personal data in question considered sensitive to a greater or lesser degree?
- How would you be affected? Would you benefit, suffer or neither?
- What can we do to ensure the highest possible level of protection for your personal data? Examples include anonymisation and encryption.
ABN AMRO Group and your personal data
ICS is part of the ABN AMRO Group. We may share your personal data within our group for internal back-office purposes or with a view to improving our services to you, or because the law requires that we do this.
Using personal data with or without your consent
In most cases, ICS uses your personal data without obtaining your consent for this. This is permitted by law.
Sometimes, however, we are required to ask you for your consent before we may use your personal data. Before you give consent, we recommend that you carefully read the information we provide concerning the use of your personal data. If you have given consent and you want to withdraw this consent, you can do that very simply. Read more about withdrawing your consent.
In which situations do we ask you for your consent? We will in any event ask you to give consent in the following situations:
- We always ask for your consent before we process special categories of your personal data. We do not use special categories of personal data without your consent unless the law states we are required or permitted to do this.
- Another party requests access to your payment details so that you can make use of external applications such as a financial journal.
- For sending you commercial offers of third parties.
- In some apps, we require access to information about your location.
- When we make use of automated decision-making and profiling and the law states that we require your consent for this.
Good to know: when we use your personal data on the basis of the law or a legitimate interest, we do not require your consent to use your personal data. In such cases, however, you may raise an objection.
Required personal data
If we need personal data from you in order to conclude a contract with you or to comply with a legal obligation and you refuse to provide this data, we cannot enter into a contract with you, or, if a contract already exists, we must terminate our contract with you. The required personal data is specified in the online forms and other forms we occasionally need you to complete.
Do you want us to remove your personal data from our systems? Unfortunately, we cannot remove required personal data. We need this data, for instance for the performance of the contract you have with us, or because we are required to keep this data by law or owing to a legitimate interest of ICS.
We may record your telephone calls with our staff. We do this for the purpose of improving our services or to record evidence. We handle audio recordings with due care. They are subject to the same rules as other personal data. You may exercise your rights, such as your right of access. Information about all your rights can be found here.
Other parties using your personal data
There are situations in which we need to provide your personal data to other people and entities involved in the provision of our services.
Our service providers
We work with other companies that help us provide services to you. We carefully select these companies and reach clear agreements with them on how they are to handle your personal data.
If you have a credit card that is issued in collaboration with a co-brander, we may exchange your personal data with the co-brander if that is required to comply with the contract you have with us or with the co-brander.
Your credit card is linked to a number of insurance contracts. For the performance of these insurance contracts we are authorised to pass on your personal data to the relevant insurance company, which is the responsible party with respect to the insurance contract. ICS is therefore not responsible for the use of your personal data by the insurance company.
Competent public authorities
Our supervisory authorities, the Dutch Tax and Customs Administration, the Netherlands Public Prosecution Service and other public authorities may ask us to provide data relating to you. The law specifies when we are required to provide this data. Bank officials are bound by the banker’s code of conduct. In this context, banks may need to provide personal data to the disciplinary commission (Stichting Tuchtrecht Banken).
National Credit Register (Bureau Krediet Registratie - BKR)
When you apply for a credit card or a loan, we will carry out a credit check, within which context we will consult the National Credit Register (BKR-register). We will also consult this register and/or registers of credit agencies during the term of the credit card agreement. We do this if we have a reasonable interest in doing so, for example if you apply for a change in your spending limit or if you are in arrears with payments.
Visa and Mastercard
We may pass on your personal data to Visa if you have a Visa Card, or to Mastercard if you have a Mastercard.
In the case of a Business Card or Corporate Card: Your employer
If you have a Business Card or Corporate Card of your employer, your employer will receive account statements which list the payments you made with the Business Card or Corporate Card.
Financial Services Providers
Do you want us to give your personal data to providers of financial services? This is possible if you give your consent first. We will then be required to provide your personal data to these third parties. If you share your personal data with other parties yourself, we are not responsible for how they use your personal data. In that case, the Privacy Statements of those third parties apply.
Use of your personal data for direct marketing purposes
If you have previously purchased a product or service from us, we are keen to keep you informed about similar products and services we offer that are suited to your needs. This also applies if you are a visitor to our website. In order to do this properly, we use various sources. These are described below.
- The personal data that we received from you in the context of the contract and what products you have with us.
- The use of social media depends on the privacy settings you use on social media sites.
- Other sources of information, including public sources. We will always check first whether a public or other source of information can be used reliably. Where applicable, we will check whether you, as a client, have consented to the use of personal data that comes from another party.
We use social media channels to discuss our organisation, products and/or services with clients, users of apps and visitors to the website. We do this so that we can offer useful, relevant information and/or answer questions we receive through social media. We use the internet and social media channels, such as Facebook and Twitter, for this purpose. In addition, we become involved in discussions on these channels and/or we reply to individual, relevant questions and comments from other participants. In such situations, it is of course possible that we record information that includes personal data. We will of course process this personal data in accordance with the terms of this Privacy Statement. If you have any questions or comments, please write to us at firstname.lastname@example.org.
As a bank, we make use of profiling. Below we explain why we do this, and when.
We have a great deal of knowledge and experience in the area of fraud prevention. Unfortunately, we are faced with increasingly sophisticated forms of fraud. We may take measures, including profiling, to prevent fraud. For the sake of security, we cannot go into detail about the measures to be taken.
Fraud detection and payments
We carry out fraud detection activities in an effort to prevent clients and ICS from suffering potential losses as a result of fraud. We do this by creating a profile of you with the data you generate by logging on to our website and apps, and by making payments. One of the purposes for which these profiles are used is to enable decisions to be taken quickly by automated means. This is necessary to prevent the immediate execution of potentially fraudulent transactions. It also gives us an opportunity to assess the transaction and, if necessary, contact you. Please note that these systems do not guarantee all fraud will be prevented. You remain responsible for the use of your credit card, as detailed in the General Card Conditions.
As a bank, we have to comply with the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme - Wwft). We therefore pay particular attention to unusual transactions and to transactions that - by their nature - result in a relatively high risk of money laundering. To do this, we need to create and maintain a risk profile of you. If we suspect that a transaction is connected with money laundering or terrorist financing, we will report this to the authorities.
Duty of care and risk management
The supervisory authorities expect us to do everything possible to reduce excessive lending, and to take faster action when clients are likely to get into financial difficulties. We may make use of profiling for this purpose too. In that case, we first make a list of the most common characteristics of clients who have found themselves in financial difficulties. These characteristics are combined to create the profile. We then check whether there are any clients who meet this profile. Finally, we determine what we can do to help these clients.
Client and product acceptance
How do we make use of profiling when you want to purchase a product? The following example explains how we do this. Imagine that you apply online for a loan from us.
- We notify you in advance of the procedure we follow to create a profile and what you can expect.
- We carry out a risk assessment. We do this for new clients and also for existing clients who want to buy additional products. We know from experience that certain characteristics can indicate whether you are able to repay a loan easily. These characteristics include whether you have a job or any debts. We assess these characteristics.
- Clients who are normally able to pay back a loan share a number of characteristics, as do clients who are normally unable to repay loans. Your characteristics are used as a basis for creating a profile.
- We compare your profile with our existing profiles. Finally, we assess how likely it is that you will not be able to repay the loan.
We use profiling to send you offers that are appropriate for you. For example, if you have a loan you will not receive any offers for loans from us. We attempt to identify your areas of interest, based on a number of characteristics. We then look at specific aspects, such as your age category and whether you already have any other products from us. You will only be selected for a relevant marketing campaign if you meet a specific profile. Obviously, we check the data protection rules to determine whether personal data may be used for that purpose. You may object to the creation of a personalised client profile for direct marketing purposes at any time. If you do not have a contract with us, we determine whether direct marketing is permitted in specific situations on a case-by-case basis, and separately for each type of personal data and for each group.
We may use automated decision-making if we enter into a contract with you, for instance for a loan.
If ICS makes a decision that has legal consequences for you or affects you to a significant degree, this will be done with the intervention of one or more competent employees. This also applies if the process that led to the decision is automated or if profiling was used. Examples include client acceptance or the reporting of unusual transactions to the authorities.
There are situations in which we use automated decision-making without any human intervention. This is permitted by law. These situations may concern decisions not to execute payments made using your credit card because they might be fraudulent. Such decisions may be made on the basis of an entirely automated process, without any human intervention, and where the only checks relate to the profile as explained under the heading “fraud detection and payments”.
If, at any time in the future, we want to use automated decision-making that has legal consequences for you or affects you to a significant degree, we will make this clear to you beforehand. We will inform you of your rights, such as your right to be given an explanation of the decision reached by automated means, your right to express your point of view, your right to challenge the decision and your right to human intervention.
Personal data protection
We go to great lengths to ensure the highest possible level of protection for your information:
- We invest in our systems, procedures and people.
- We make sure that our working methods are in keeping with the sensitive nature of your information.
- We train our people how to keep your information safe and secure.
For security reasons, we are unable to provide details of the precise measures we take. But you may have come across some of the following procedures we use to protect your personal data:
- Security of our online services
- We follow a two-step process to establish your identity (authentication)
- Security questions when you call us
- Requirements for sending confidential documents
Security is our shared priority. If, for example, you encounter breaches in our security, you can report them to us confidentially through the website.
Warning system used by banks
The Dutch banking sector has developed a warning system to protect the safety and security of banks in the Netherlands. This system allows the banks to check whether a person has ever committed fraud, has tried to commit fraud, or somehow forms a threat to the safety and security of the banking sector. For more information about this warning system and its workings, go to the website of the Dutch Banking Association.
Your data outside Europe
Your personal data may be processed outside Europe. Additional rules apply in that case, the reason being that not all countries have the same strict data protection legislation as we do in Europe.
Sharing personal data within the ABN AMRO Group
We may share your personal data outside Europe with other group companies of ABN AMRO Group. Our sharing of personal data is governed by the global internal policy, the Binding Corporate Rules (BCRs). These have been approved by the Dutch Data Protection Authority (Dutch DPA).
Sharing personal data with other service providers
We may occasionally share your personal data with other companies or organisations outside Europe, for instance in the context of an outsourcing agreement. In that case, we ensure that we have concluded separate agreements with those parties, and that these agreements comply with the European standard, such as the EU’s model clauses.
International payment transactions
There are situations in which you make use of our international financial services, for instance if you use your credit card abroad. In such situations, foreign parties, such as local supervisory authorities, banks, government bodies and investigative authorities, may ask us for your personal data, for instance so that they can carry out an investigation.
How do we determine the period for which your personal data is stored?
We keep personal data in any event for as long as is necessary to achieve the purpose.
The General Data Protection Regulation does not stipulate specific storage periods for personal data. Other legislation may specify minimum storage periods, however. If it does, we are under the obligation to observe these periods. Such legislation includes tax laws or laws governing financial undertakings specifically (such as the Dutch Financial Supervision Act). If we become involved in a lawsuit or other legal proceedings, we keep personal data so that we can make a case for our position. We may store this personal data in an archive until any claims have expired and legal proceedings can no longer be brought against us.
What rights do you have?
Right to object to processing for direct marketing purposes
If you no longer want to receive offers for our products and services, you can unsubscribe at any time. All marketing messages include this possibility.
Right to object to profiling
It may be the case that you do not want us to use your personal data for profiling. Sometimes, however, we are allowed to do this, for instance to prevent fraud, manage risks or investigate unusual transactions. In such situations, we will of course comply with the law. You can object to the creation of a personalised client profile for direct marketing purposes at any time here.
Right of inspection, right to rectification, right to be forgotten, right to restriction
- You have the right to demand an overview of the data relating to you that we use.
- If your personal data is incorrect, you can ask us to rectify your personal data.
- You can ask us to erase your personal data at any time. We are not always able to do this, however, and we do not always have to agree to this, for example if we are required by law to keep your personal data for a longer period of time.
- You can also ask us to temporarily restrict our use of your personal data.
You can do that if:
- You think your personal data is incorrect;
- We are not supposed to use your personal data;
- We want to destroy your personal data but you still need it (for instance after the storage period has ended).
Right to data portability
Do you want to receive the data that you have provided to us and that we store by automated means for the purpose of performing a contract? We can arrange this, but only if we process your personal data on the basis of your consent or on the basis of the contract we concluded with you. This is referred to as data portability.
Please keep your personal data secure
- We urge you to check whether any party you want to provide your personal data to can be trusted and keeps your personal data as safe as we do.
- If you want to receive information, please make sure that your own equipment is adequately secure and has not been, or cannot be, hacked. Your financial information may be worth gold to criminals.
If you want to receive the personal data we hold on you or arrange for it to be passed on to another party, you can ask us to do this.
Do you have a complaint or want to ask a question?
Please contact us if you have any questions about the Privacy Statement. We will be happy to help you. If you do not agree with the way in which we handle your personal data, you can lodge a complaint with the management. You also have the right to take your complaint to the Dutch Data Protection Authority.
Do you want to read this Privacy Statement at another time?
You can open and save our Privacy Statement on your smartphone, tablet or computer.
Changes to the Privacy Statement
Changes to the law or our services and products may affect the way in which we use your personal data. If this happens, we will make changes to our Privacy Statement and notify you of these changes. We will post any changes on our website or in the app.