As a rule, we do not disclose your personal data to third parties. Dutch law provides for several exceptions to this rule. For instance, your personal data may be used for intelligence purposes if you use our website to commit a criminal offence or make false statements that are liable to punishment. For the purpose of supervising and protecting the integrity of the financial sector, we also collaborate with other supervisory authorities including the AFM and with the relevant departments of the Financial Expertise Centre (FEC).
Recipients of personal data, your rights, and contact details
Our collaborations with the AFM and as part of the FEC are laid down in agreements (available in Dutch only). See Dutch Government Gazette, 10 July 2007, No 130 (AFM) and Dutch Government Gazette, 7 February 2014, No 2351 (FEC).
Transfer to third countries
Your personal data may be processed outside the EEA, for instance when we outsource a service. Personal data must also be adequately protected outside the EEA, which is why additional rules apply. We ensure that there is an agreement with this party that meets the EU requirements. This may be done by concluding Standard Contractual Clauses.
Right of access
The right of access is your right to access the personal data we have collected concerning you. This right is laid down in Article 15 of the GDPR.
Right to rectification
The right to rectification is your right to amend or supplement your personal data. You have this right whenever your personal data, bearing in mind the purposes for which they are processed, are inaccurate or incomplete. The right to rectification is laid down in Article 16 of the GDPR.
Right to erasure
The right to erasure is your "right to be forgotten". You have the right to ask us to erase your personal data in any of the following situations:
- in your opinion, the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- you withdraw consent on which the processing of your personal data is based
- you have legitimately objected to the processing of your personal data
- we have unlawfully processed your personal data, for instance because there is no legal basis for the processing
- we have retained your personal data for longer than necessary
- you are below the age of 16 and we have collected your personal data using an app or website (an "information society service")
Right to restriction
The right to restriction of processing is the right to restrict the use of your personal data. You have the right to ask us to restrict the processing of your personal data in any of the following situations:
- you have notified us that, in your opinion, we process inaccurate personal data, in which case you can ask us to refrain from using these personal data while we verify their accuracy
- we have unlawfully processed your personal data but you do not want us to erase them (for instance because you wish to be able to retrieve them at a later stage)
- we no longer need your personal data for the purposes for which they were collected but you require them for a legal action (for instance legal proceedings to which you are a party)
- you have objected to the processing of your personal data, in which case you can ask us to restrict the processing of these personal data pending our assessment of your objection
Right to data portability
The right to data portability is your right to receive the personal data we have collected concerning you and transmit them to another controller. You have the right to ask us to transmit your personal data to you, for instance to enable you to transfer them to another organisation without hindrance. You also have the right to ask us to transmit your personal data directly to another organisation. This right applies where we process your personal data by automated means on the basis of your consent or a contract. The right to data portability is laid down in Article 20 of the GDPR.
Right to object
The right to object is your right to object to the processing of your personal data. You have the right to object to our processing of your personal data for the performance of our tasks carried out in the public interest or for a legitimate interest. We will assess whether your interests, rights and freedoms override our interest in processing the personal data involved. We may reject the objection if processing of your personal data is necessary for a legal claim. If the objection is well-founded, we will cease processing your personal data.
The right to object is laid down in Article 21 of the GDPR.
You have the right to withdraw your consent at any time.
Lodging a complaint with the Dutch DPA
You have the right to lodge a complaint with the Dutch DPA if you are of the opinion that our processing of your personal data infringes the GDPR. The right to lodge a complaint is laid down in Article 77 of the GDPR.
DNB decisions and objections
If you exercise your rights, DNB will make a decision on your request. If you do not agree with a DNB decision, you may file an objection.
Limitation of your rights
We are not required to meet requests for access, rectification, erasure, restriction or data portability, or objections, at all times. Your rights may be limited if such limitation is necessary to safeguard other interests, for instance if exercising your rights could jeopardise the effectiveness of our supervision of financial institutions or present risks to the monetary system. Article 41 of the GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming) lists the interests that could prevent you from exercising your rights.
Note: We use personal data solely for the purposes for which they are intended and for compatible purposes. We will never offer you any unsolicited information or services.
If you have any questions concerning our processing of your personal data or wish to exercise your right of access, to rectification, to erasure, to restriction, to data portability or to object, please contact our Privacy Office. You can also use one of our standard forms to make your request:
DNB needs to verify the identity of the person who makes a request in relation to personal data. You are therefore requested to provide information that allows DNB to verify your identity. You may refer to information DNB already possesses to check your identity, or you may send a copy of a valid ID. You can use the KopieID App to hide your citizen service number (BSN). DNB may not be able to deal with your request if your identity cannot be verified.
You can contact us by email at email@example.com or by post:
De Nederlandsche Bank
Attn Privacy Office
1000 AB Amsterdam
Please also use this email address (firstname.lastname@example.org) or the postal address if you wish to contact our Data Protection Officer or withdraw your consent.
Information on how to use secure e-mail can be found here.