DNB is a "controller" as defined in the General Data Protection Regulation (GDPR). We handle the personal data we process with due care, in accordance with the principles of the GDPR. This includes refraining from processing more personal data than necessary and properly securing personal data. To this end, we take physical measures (e.g. storing documents in lockable cupboards), logical measures (e.g. restricting access to personal data), technical measures (e.g. encryption) and procedural measures (e.g. staff awareness programmes on careful handling of information).
This privacy statement for appointees who we assess for fitness or propriety, or both, explains why and how we process personal data.
Controller and data protection officer
We are the “controller”, and our data protection officer can be contacted by email at firstname.lastname@example.org and by regular mail at De Nederlandsche Bank, Privacy Office, Postbus 98, 1000 AB Amsterdam.
Why we process personal data for our fit and proper assessments
The purpose of our supervision is to ensure sound and ethical financial institutions that meet their obligations, and the assessment process is an important part of this. Fit and proper management and supervisory board members are essential to a firm’s strategy and corporate culture, and therefore to its soundness and future viability. We collect personal data because we need them to form an opinion on the fitness or propriety, or both, of the appointees we assess.
We assess the following categories of individuals for fitness and propriety:
- day-to-day policymakers and co-policymakers, which include at least the members of the management board
- members of a supervisory body, such as a supervisory board or committee
- individuals applying for a declaration of no-objection for holding or acquiring a qualifying holding
- members of a pension fund's committee responsible for making or advising on investments
- members of a pension fund's stakeholder body
- insurance firms’ legal representatives
- second-tier managers of banks and insurance firms
Legal basis for our assessments
The law obliges us to determine whether the categories of individuals listed above are fit and proper. The relevant provisions of the law are Sections 3:8, 3:9 and 3:99 of the Financial Supervision Act (Wet op het financieel toezicht), Section 4 of the Act on the Supervision of Trust Offices (Wet toezicht trustkantoren), Section 106 of the Pensions Act (Pensioenwet), Section 110(c) of the Mandatory Occupational Pension Scheme Act (Wet verplichte beroepspensioenregeling), and Sections 3:4 and 3:5 of the Financial Markets (BES) Act (Wet financiële markten BES).
More details are provided in Chapter 2 of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft), Chapter 7 of the Decree implementing the Pensions Act and the Mandatory Occupational Pension Scheme Act (Besluit uitvoering Pensioenwet en Wet verplichte beroepspensioenregeling), Chapter 3 of the Financial Markets (BES) Decree (Besluit financiële markten BES), the Policy Rule on Reliability (Beleidsregel betrouwbaarheid), and the Policy Rule on Suitability 2012 (Beleidsregel geschiktheid 2012).
Who provides personal data, and who receives them?
Firstly, we ask an appointee to provide personal data. Using those data, we then retrieve personal data from public sources and request them from other supervisory authorities at home and abroad. We also contact the Dutch Ministry of Justice, Tax and Customs Administration, the Fiscal Intelligence and Investigation Service (FIOD), the Dutch Healthcare Authority and the Financial Expertise Centre (FEC).
To form an opinion on someone's fitness or propriety, or both, we may provide personal data within DNB, to the extent necessary, only to the director of the relevant division, the head of the relevant department, staff members from the Expert Centre on Fit and Proper Assessments, staff members involved in regular supervision of the relevant supervised firm, the members of the Prudential Supervision Council, and the members of the Governing Board.
Relevant categories of personal data
The categories of personal data that are relevant to our assessments are information needed to establish an appointee's identity, contact details and criminal, financial, supervisory and other antecedents.
Rights of the data subject
Our general privacy statement can be found on our website. Among other things, it describes the right of access, rectification, erasure, restriction, and data portability, as well as the right to lodge an objection.