Issuing licences and performing supervisory and enforcement tasks

We issue licences and perform supervisory and enforcement tasks. In doing so, we process personal data.

We supervise financial institutions that are governed by Dutch supervisory legislation, including the Financial Supervision Act (Wet op het financieel toezicht – Wft), the Act on the Supervision of Trust Offices (Wet toezicht trustkantoren – Wtt) and the Pensions Act (Pensioenwet – PW). Our supervisory tasks include issuing licences, conducting fit and proper assessments and keeping records of registrations and notifications. For this purpose, we document information about supervised institutions. We also keep records to monitor the collection of fines, penalties and fees. In legal proceedings, we compile and manage case files.

Supervision and oversight

We collect information from and about supervised institutions to be able to perform our supervisory tasks, demanding them to submit information if necessary. We record all information that is relevant for our supervision in individual supervisory files and we manage these files.

A supervisory file may in any event contain the personal data and categories of personal data listed below:

  • the names and details of contacts at supervised institutions and reports of interviews with them
  • data on the fitness and propriety of directors and policymakers
  • personal data of officers having access to inside information
  • customer data of supervised institutions, including economic and financial information (e.g. mortgage data or balance details)
  • personal data in the incidents database
  • personal data included in research data

This personal data processing is necessary for compliance with a legal obligation to which we are subject (under Article 6(1)(c) of the GDPR) or for the performance of a taks carried out in the public interest as a supervisory authority (under Article 6(1)(e) of the GDPR). The majority of the personal data we process are submitted by the supervised institutions themselves.

Collection records

We keep records on the collection of amounts receivable, fines, cease and desist orders and fees, to monitor that these sums are effectively paid. These records include contact details of supervised institutions.

This personal data processing is necessary for compliance with a legal obligation to which we are subject (under Article 6(1)(c) of the GDPR) or for the performance of a task carried out in the public interest, as a supervisory authority (under Article 6(1)(e) of the GDPR).

Case files

In handling objections and conducting legal proceedings, we compile case files. Case files may contain personal data of natural persons affiliated with the parties involved, e.g. names and contact details. We collect these data from the relevant parties or retrieve them from the relevant supervisory file, or both.

This personal data processing is necessary for the performance of a task carried out in the public interest as a supervisory authority under Article 6(1)(e) of the GDPR.