Privacy statement

You share all kinds of personal data with Rabobank without noticing it. By using this platform, your contact with a relationship manager or our customer service. We naturally handle this data carefully. This Statement provides information on how Acorn as a service of Rabobank approaches processing your personal data. This is clarified through examples that make it easier to understand.

What does processing personal data mean?

Personal data

  • Information that says something directly or indirectly about you as an individual is referred to as personal data. Examples include your name and address, and also information such as your income.
  • Information relating to a sole trader, commercial partnership or professional partnership is also considered personal data.
  • Information relating to a legal entity is not personal data, but information relating to a legal entity’s contact person or representative does count as personal data.
Processing
  • Processing means anything that can be done with personal data. This includes the collection, storage, use, transfer and removal of data.

1. Whose personal data does Acorn as a service of Rabobank process?

We process personal data if you use our platform/website we have, want to have, or have had a business relationship with your company or other legal entity, you and/or your companies representatives. The people whose personal data we process includes:

  • People who show an interest in Rabobank or our products and services.
  • People who access our website or platform
  • People who are connected in another way with a business or organization with which we have, want to have, or have had a business relationship (e.g. employees, executive directors, authorized representative or (ultimate) beneficial owners).

2. What does Rabobank expect from businesses and organizations?

If your business or organization transfers any personal data concerning employees, executive directors or ultimate beneficial owners (UBO’s) to us, we expect your business or organization to inform them about this. We also collect personal data of employees or executive directors not being provided by your company or organization. For example by retrieving these data from the Chamber of Commerce or other publicly available sources. We process this data as well. You can give this Privacy Statement to them so that they can learn how we deal with their personal data.

3. Who is responsible for the processing of your personal data?

This Privacy Statement describes how we deal with personal data processing by Acorn as a service of Rabobank. Personal data may be shared within Rabobank Group to the extent that this is permitted by law. These Group divisions also contain other divisions like for example DLL. An overview of the Group divisions can be found here. When sharing data within the Rabobank Group, we comply with the rules that we have agreed within the Rabobank Group, the Rabobank Privacy Codes. These rules describe how the divisions of Rabobank Group deal with personal data.

4. Which personal data do we process?

Types of data What kinds of data might be involved? Examples of how Acorn (as a service by Rabobank) uses this data
Information that allows an individual to be identified directly or indirectly
  • Name, address, gender, telephone number, e-mail address of farmers
  • Name, address, telephone numbers information provided in your identity document of intermediaries and corporates.
For identification purposes, to draw up an agreement or to contact you.
Information relating to or used for agreements or financial statements for potential clients and business partners Information about the financial situation, the products you have your investment profile (if you invest) and information used for obtaining finance. Or other products and services that are offered. For example, to assess the financial situation as part of our business partner registration process
Location information of farmers and farm Information that shows where the farm is located Location information like GPS coordinates is needed to be able to make a biomass analysis of the plot of a farmer
Data that say something about the use of our website, e-mails and the app for all users
  • Cookies
  • Pixels
  • IP address
  • Data relating to the device on which you use our online services or our website.
Location information like GPS coordinates is needed to be able to make a biomass analysis of the plot of a farmer
Data we receive from other parties
  • For potential clients and business partners, Data obtained from the Chamber of Commerce, Dun & Bradstreet Registry and Mapping Agency (Kadaster).
  • If you are a farmer, businesses to which you have given consent to share your data (for example other banks)
We use this infomration to check Directors and UBO’s details, whether you can be granted credit, or to check the value of a residential property.
Data we share with other parties
  • Financial information.
  • Data we provide to other parties that we engage to help us provide services.
  • Data you have asked us to share with another party.
  • Data we have to share with our regulators or the UBO register
  • We are required to provide specific data to the Tax and Customs Administration and our regulators).
  • Other parties (such as marketing agencies) that process data on our behalf because they are involved in the provision of our services.
Data we require to combat fraud, to ensure your security and ours, and to prevent money laundering and the financing of terrorism for all users
  • The data we keep in our internal and external referral registers, sanction lists, location information, transaction data, identity information, camera images, cookies and IP address.
  • Data relating to the device on which you use online services.
  • In order to comply with legal obligations and prevent you, the financial sector, Rabobank or our employees from becoming the victims of fraud, in the Netherlands we check whether you appear in our external or internal referral registers and we have to check whether your name appears in sanction lists.
  • We may use your location information and transaction data in order to monitor payments if they are in keeping with your usual pattern of spending.
  • We may use your IP address, device details and cookies to combat online fraud (DDoS attacks) and botnets.

5. How does Rabobank come by your personal data?

We receive your personal data because your company and/or you provide it to us yourself. Examples include data you enter on our website yourself in order that we can contact you, and data arising from the services we provide in areas such as the generation of Carbon Removal Units. We may also receive your data from:

•  Business units within Rabobank Group for example:
  -  In the context of combating fraud, money laundering or terrorism
  -  Internal administrative business processes
  -  To facilitate the onboarding process
  -  In the context of our duty of care.
•  Suppliers or other parties we work with. For example Dun & Bradstreet. We might also receive information from the Kadaster (Cadaster/Land register), the CBS, EDM, Orbis, Reuter, Bloomberg and the Kamer van Koophandel (Chamber of Commerce).
•  Public sources like newspapers, public registers, websites and open sources of social media.
•  Another party in case you have given your consent to share data with us.

6. For which purposes, and on what basis, does Rabobank process personal data?

We can only provide you our best service when we know you and your company well. For that we need your personal data and have to process it. We do this because we have to carry out an agreement with you but also because we are obliged by law to do so. We process your data for the in 6a-6i mentioned purposes and legal basis.

Consideration legitimate interest

We use the “legitimate interest” basis to process your personal data. Then we make a trade-off between the interests of Rabobank and the violation of your privacy. Our interests are, for example, the following:

•  We protect our own financial position (for example to assess whether you can repay your loan or if we want to sell your loan or other obligations).
•  We combat fraud to prevent us, but also the financial sector, to ensure your security and ours and to prevent damage.
•  We need to improve our business processes, take measures in the context of company management and perform audits on our internal processes.
•  We may have an interest in direct marketing and we will keep you informed of new or existing products that we believe fit you.

We weigh our interests or the interests of third parties against your interests and your right to privacy. For example, we look at whether we cannot achieve the same goal in another way. And whether we really need all data. Do we want to use sensitive data? Then your right to privacy will have been overridden earlier and it will be less likely for us to use your data based on a legitimate interest. Sometimes it is not clear from the law or regulation on what legal basis we might process your data. Or the obligation is not in a law or the law does not apply directly to us. Such as the obligation to make risk models. Because we have an interest in keeping the financial sector healthy, we then use this data based on the legitimate interest.

a. To enter into a business relationship and agreement with your company and/or you

We need to have your personal data if your company and/or you want to become a client, or if you want to use a new product or service or contact us.

•  For example, we have to perform research to assess whether we can accept your company and/or you as a client. When your company and/or you become a client, we have to establish your identity for almost all our products and comply with our legal obligations. As part of this, we may make a photocopy of your proof of identity.
•  If your company and/or you wish to become a client, or are already a client of ours in the Netherlands, we will consult the incident registers and warning systems of Rabobank (the internal referral register) and the financial sector (the external referral register)
•  We also check that your company and/or you are not on any national or international sanction lists.
•  We assess whether the requested product or service is suitable for your company and/or you. When making this assessment, we may also use data that we obtain from other parties.

Legal basis

For the most part, we process your personal data because we are under a legal obligation to do so. If, however, this legal obligation does not apply directly to Rabobank, we have a legitimate interest in processing your personal data for the above mentioned purposes. We must then be able to demonstrate that our interest in using your personal data outweighs your right to privacy. We therefore weigh all interests. More information about this balancing of interests can be found here. We may also process such data where this is necessary to conclude the agreement.

b. To perform agreements and carry out instructions

When your company and/or you are a client of ours, we want to be of service to you. We execute the instructions we receive from your company and/or you and perform the agreements we have concluded. This is what we have agreed with your company and/or you. We process personal data for this purpose.

Legal basis

We process personal data because this is necessary in order to perform the agreement, and also because we are under a legal obligation to do so, for example in the context of payments. If your company and/or you do not provide certain information to us, we will not be able to perform the agreement. In a number of cases, we have a legitimate interest in processing your personal data, More information about this balancing of interests can be found here.

c. To ensure your security and integrity as well as the security and integrity of the bank and the financial sector

We process your personal data to ensure your security and ours, and also security of the financial sector. We also do this for the purpose of preventing fraud, money laundering and the financing of terrorism.

Customer Due Diligence

Not only when we enter into a business relation with your company and/or you, but also during our business relation, we might check you, your representatives and UBO’s or other controlling persons whether we can still accept you as our client. For example your financial position might be a reason for an additional check. Or the people your company and/or you do business with.

Incident registers and warning systems

If your company and/or you wish to become a client in the Netherlands, or are already a client of ours, we will consult the incident registers and warning systems of Rabobank (the internal referral register) and the financial sector (the external referral register). Not all bank employees consult these registers themselves. When a bank employee performs a check in the internal referral register or external referral register, the employee only sees whether an entry has been made in the register. Every financial institution has its own security department. If there is an entry in the register, the security department assesses whether the client may have a particular product or may use a particular service based on the information contained in the department’s own records or the incident register. We may share information that is included in the incident register with other financial institutions. We only do this in cases where this is permitted under the Protocol in respect of the Incident Warning System for Financial Institutions (PIFI). In addition, public authorities send us lists of individuals, which we have to enter in our warning registers. These are individuals with whom financial institutions must not do business, or to whom the financial sector must pay extra attention. We may consult the incident registers and warning systems, and we may also record your personal data in these registers. If we record information relating to you in these registers, we will notify you unless we are not allowed to do so, for example because the police ask us not to notify you in the interests of their investigation. If you do not agree to the recording of your personal data, you can object to this or ask that your data is corrected or erased. You can find more information here.

Publicly accessible sources

We consult publicly accessible sources, such as public registers, newspapers and the internet and public profiles of your social media, in an effort to combat fraud and protect the bank.

Fraud and money laundering

We may perform analyses aimed at preventing fraud and money laundering and protecting you and the bank.

Legal basis

We process your data because this is necessary in order to comply with a legal obligation. If we are not under a direct legal obligation to process your data, we process the data on the basis of a legitimate interest of Rabobank, the financial sector or our clients and employees. More information about this balancing of interests can be found here.

d. To help develop and improve products and services

In order that we can be of service to you and can innovate, we develop and improve products and services on an ongoing basis. We do this for ourselves, our corporate clients or other parties.

•  We sometimes combine data sources, such as information on the products and services you receive from us and the balance in your account. We may conduct benchmarking for our corporate clients, which provides these clients with additional information on how they perform in comparison to other businesses. The results of this study relate to a group of clients, and never an individual client (this is known as aggregate data).
•  We also process data when analyzing your visit to our website. We do this with the aim of improving our website. We use cookies for this.
•  Analyzing personal data allows us to see how you use our products and services. We also use the results of analyses to categorize clients into group. With this we create customer and interest profiles.
•  We sometimes use other parties to process your personal data for this purpose, for example in order to measure or ask you how we can improve our services. In that case, these other parties act on the instructions of Rabobank.

Legal basis

We process your data because we have a legitimate interest in this. We may also ask you for your consent to process your data for the purpose of developing and improving our products and services. If you do not give your consent for the purpose of developing and improving our products and services, this will not affect the services we provide to you. You can withdraw your consent at any time here. More information about this balancing of interests can be found here.

e. For relationship management purposes

We process your personal data for relationship management purposes. In doing so, we use data we have obtained from your company and/or you, such as your activity on our website, as well information not obtained directly from you, including public registers (such as the Chamber of Commerce), publicly available sources (such as the internet) and other parties (such as data brokers).

•  We may also use analyses to provide our clients with information for benchmarking purposes. If we use your data for these analyses or produce profiles, we will ensure that your data are pseudonymised to the greatest possible extent and that they are made only available to a few employees at the bank. If you do not want your data to be used by us for the purpose of direct marketing or by post, e-mail or telephone, you can contact your relationship manager.

Legal basis

We process your data because we have a legitimate interest in this. We may also request your consent to process your data for promotional and marketing purposes. If you do not give your consent, this will not affect the services we provide to you. You can always withdraw your consent. More information about can be found here.

f. To enter into and perform agreements with suppliers and other parties we work with

If you have contact with Rabobank for work-related reasons, we may process your personal data, for example so that we can establish whether you are permitted to represent your business. Where necessary, we may consult incident registers and warning systems before we enter into our agreement and also while the agreement is in effect in the context of screening.

Legal basis

We process your data so that we can perform the agreement we have concluded, because we are required to do so by law or because we have a legitimate interest in this. More information about this balancing of interests can be found here.

g. To comply with legal obligations

Legislation

Under various national and international legislation and regulations, we have to collect and analyze a large amount of data relating to you and sometimes transfer such information to European and other government authorities. We must comply with legislation, such as the Wet Financieel Toezicht (Dutch Financial Supervision Act), in order to be able to offer your company and/or you financial products and services. We also process personal data in order to fulfil our duty of care. We also have to comply with legislation designed to combat fraud, crime and terrorism, such as the Wet ter voorkoming van Witwassen en Financieren van Terrorisme (Dutch Money Laundering and Terrorist Financing (Prevention) Act. For example, we are required to perform customer due diligence and to conduct further inquiries if you hold specific assets or if an unusual transaction takes place in your account. If we spot an unusual transaction, we must notify the competent law enforcement agency. Under this law, we have to establish who the ultimate beneficial owner (UBO) is of a business or organization with which we have a business relationship. We might cooperate with other banks on this. We may receive requests for data from the (Dutch) Tax and Customs Administration, the police and the Public Prosecution Service as well as organizations such as the intelligence services. If they do this, we are required by law to cooperate with the investigation and transfer data relating to you. We might enter into partnerships with for example Police or the Public Prosecution Service to prevent large scale fraud, money laundering and financing of terrorism.

Providing data to the government

Legislation and regulations may require that we transfer data (analysed or otherwise) relating to you to a government institution, a tax authority or a regulator within or outside the Netherlands, such as the European Central Bank (ECB). As we have to comply with legal obligations and treaties, we sometimes have to provide data relating to you to the national tax authorities or a foreign tax authority.

Providing data to the government

Legislation and regulations may require that we transfer data (analyzed or otherwise) relating to you to a government institution, a tax authority or a regulator within or outside the Netherlands, such as the Netherlands Authority for the Financial Markets (AFM), the European Central Bank (ECB) or the Dutch Central Bank (DNB). As we have to comply with legal obligations and treaties, we sometimes have to provide data relating to you to the Dutch Tax and Customs Administration or a foreign tax authority.

Legal basis

We process your data because this is required by law, or because we would otherwise not be permitted to perform an agreement with you, or if we have a legitimate interest in processing your data so that we can comply with a statutory or other legal obligation. More information about this balancing of interests can be found here.

h. To carry out business processes and for the purpose of management reports and internal management

Know your customer

As a service provider, we believe it is important and necessary that we have a good picture of our clients. This includes knowing who your company and/or you work with.

Audits and investigations

We also use your data to perform our internal and external audits and investigations or a third party we call in, for example in order to examine how well new rules have been introduced or to identify

Improving our own business processes

We also use data to analyze and improve our business processes so that we can help your company and/or you more effectively or make our processes more efficient and create management reports. We will validate our models before using it. Where possible, we will pseudonymize your data first.

Legal basis

We process your data because this is required by law or because we have a legitimate interest. Processing your personal data may also be necessary for the performance of our agreement with you. More information about this balancing of interests can be found here.

i. For archiving purposes, scientific or historic research purposes or statistical purposes

We may also process your personal data if this is necessary for archiving purposes in the public interest, scientific or historic research purposes or statistical purposes. We might use universities and research institutes to help us with that. Where possible, we will pseudonymize your data first.

Legal basis

When processing personal data for archiving purposes, scientific or historic research purposes or statistical purposes, we process the date on the basis of the legitimate interest of Rabobank, the financial sector or our clients and employees. More information about this balancing of interests can be found here.

7. How long does Rabobank keep your personal data?

We do not keep your data for any longer than necessary to fulfil the purposes for which we collected the data or the purposes for which data are reused. We have adopted a data retention policy. This policy specifies how long we keep data. In the Netherlands, this is usually for seven years following the termination of the relevant agreement or the ending of your business relationship with Rabobank. Data are sometimes kept for longer, for example if the regulator asks us to keep specific data for longer in the context of risk models. In some cases, we use shorter retention periods. Once we no longer require the data for the purposes described in sections 6a to 6i, we may still keep the data for archiving purposes, in the event of legal proceedings, or for historic or scientific research purposes or statistical purposes.

8. Which people have access to your data?

Within Rabobank, your personal data can be accessed only by individuals who need to have access owing to their position. All of these people are bound by a duty of confidentiality.

9. Do we use personal data for any other purposes?

If we want to use information for any purpose other than the purpose for which it was obtained, we may do this as long as the two purposes are closely related. If there is not a sufficiently strong connection between the purpose for which we obtained the data and the new purpose, we will ask you to give your consent if we still want to use this data. You can always withdraw your consent. You can contact your relationship manager for this.

10. Does Rabobank transfer your personal data to other parties and to other countries outside the EU?

a. Within Rabobank Group

Your personal data may be shared with divisions of Rabobank Group, for example because you ask us to do this, or because you also purchase a product from a different division of Rabobank. Information that has been used to establish your identity may also be used by another division of Rabobank with which you want to do business, for example. We can also, for example, exchange your data to combat fraud, to prevent money laundering, risk management, internal administration, to improve services to you and in the context of the duty of care. These divisions of Rabobank may also be located in countries outside the European Union that apply less stringent data protection rules. We share your data with divisions of Rabobank Group, in which Rabobank holds a majority interest, only if the divisions comply with Rabobank’s rules, as set out in the Rabobank Privacy Code. The Rabobank Privacy Code describes the rules that all these divisions of Rabobank Group have to comply with. The Rabobank Privacy Code guarantees adequate protection of personal data.

b. Outside Rabobank Group

Your data is also transferred to other parties outside Rabobank if we are required to do this by law, because we have to perform an agreement with your company and/or you or because we engage another service provider.

Competent Authorities

We transfer your personal data to third parties if we are required to do so. Examples of such third parties include national and European regulators, such as the Netherlands Authority for the Financial Markets (AFM), the Dutch Central Bank (DNB), Authority for Consumers & Markets (ACM), the European Central Bank (ECB) and the Dutch Tax and Customs Administration. In order to comply to the ‘ethical Code of Conduct for the Dutch banking industry’, we sometimes have to provide personal data to the Foundation for Banking Ethics Enforcement (Stichting Tuchtrecht Banken). If your company and/or you file a complaint at KIFID or the Dutch Data protection authority (AP), we might have to provide them your personal data. The Dutch Tax and Customs Administration, the police and the prosecutor’s office, but also an intelligence agency or a benefit agency could ask us to provide information. We have a legal obligation to cooperate on investigations and provide them your data.

Our service providers

We also transfer data if this is necessary in order to perform our agreements with your company and/or you. For example, we use third parties such as remote sensing parties to identify the biomass on a plot. For them to provide their service, we will provide information regarding GPS coordinates of the plots that we want them to analyze. Also, if you are placed under administration, we might have to provide your data to your administrator.

Business partners/other parties

We sometimes engage other parties / business partners that process personal data on our instructions. Examples include printers that handle client mailshots for us and print names and addresses on envelopes, parties that perform market research on Rabobank’s behalf, and parties that store data for us. Before such parties are engaged, we must first ensure they are sufficiently reliable. We may only engage parties if this is in keeping with the purpose for which we processed your personal data, for example for promotional and marketing purposes. Moreover, this other party can be engaged by us only if it reaches specific agreements with us, has demonstrably implemented appropriate security measures and guarantees that your personal data will remain confidential. Your personal data may also be shared with other parties that we engage in the course of our business or for the provision of our services. If we transfer your data to other parties outside the European Union, we take additional measures to protect your data. In some countries outside the European Union, the rules for protecting your data are different from those that apply within Europe. Than we assess as good as possible whether this can be done safely. For some countries, the European Commission has determined that there is an ‘adequate’ level of protection for personal data. For other countries, we use the standard contractual clauses approved by the European Commission. In addition, we take additional (safety) measures if necessary.

11. What rights do you concerning your personal data held by us?

a. Right to information

This Privacy Statement describes what Rabobank does with your data. In certain cases, we provide additional or different information. For example, if Rabobank records your personal data in its incident registers, it will inform you about this separately (provided it is permitted to do so). We will also do this if there are other reasons for providing you with information in addition to the Privacy Statement. We may do that by means of a letter, by leaving a message in your secure inbox or in another way to be determined by us.

b. Right of access to and to rectification of personal data

You may ask us whether we process data relating to your company and/or you, and if so, which data this concerns. In that case, we can provide you with access to the data processed by us that relates to you. If you believe your personal data has been processed incorrectly or incompletely, you may request that we change or supplement the data (rectification).

c. Right to erasure (‘right to be forgotten’)

You may request that we erase data concerning yourself that we have recorded, for example if you object to the processing of your personal data. We don’t always have to do that. And sometimes we are not allowed to do this either. For example, if we still have to store your data due to legal obligations.

d. Right to restriction of processing

You may request that we temporarily restrict the personal data relating to you that we process. This means that we will temporarily process less personal data relating to you.

e. Right to data portability

You have the right to request that we supply you with data that you previously provided to Rabobank in the context of a contract with us or with your consent, in a structured, machine-readable format, or that we transfer such data to another party. If you ask us to transfer data directly to another party, we can do this only if this is technically feasible. In some cases, you do not need to submit a request to obtain the data you provided to us. For example, you can view your transaction data using our online services.

f. Right to object to processing

If we process your data because we have a legitimate interest in doing so, for example if we make recordings of telephone calls but this is not required by law, you may object to this. In that case, we will reassess whether it is indeed the case that your data can no longer be used for that purpose. We will stop processing your data if your interest outweighs our interest. We will inform you of our decision, stating the reason.

12. How can you use your data subject rights?

You can use your rights by reaching out to your relationship manager or via the contact button on our platform. If you make a request, we will respond no later than one month after we receive your request. We may ask you to explain your request for access in more detail. For example, if you request access to recorded calls, we may ask you to provide search keys, such as the time the call was made and the number from which it was made. In very specific cases, we may extend this period in which we must respond to a maximum of three months. In that case, we will keep you informed about the progress made with your request. If you make a request, we may ask you to provide proof of your identity. For example, if you submit a request to exercise your right of access or right to data portability, we would like to be certain that we provide your personal data to the right person. In that case, we will ask you to come to the bank so that you can make your identity known and we can verify your identity. In some cases, there may be doubts as to whether we can send you the data securely. If so, we may ask you to come to the bank to collect your data. In certain cases, we may not be able to comply with your request, for example because this would violate the rights of others, would be against the law or is not permitted by the police, the Public Prosecution Service or another public authority, or because we have weighed up the relevant interests and determined that the interests of Rabobank or others in processing the data take precedence. In that case, we will inform you. If we adjust your data or erase your data at your request, we will notify you of this and also inform the recipients of your data wherever possible.

13. Where can you go to in case of a question or complaint?

Do you have a general question or complaint on the processing of personal data? Please contact your relationship manager or via the contact button on our platform.

14. What can you approach our Data Protection Officer DPO for?

Rabobank has appointed a DPO. The DPO monitors the application and compliance with the General Data Protection Regulation (GDPR). Are you not satisfied with the way a question or complaint has been settled? You may contact the DPO via dpo@rabobank.nl. You also have the possibility to ask a question or file a complaint at the Dutch Data Protection Authority (AP) or your local data protection authority.

15. Can we change this Privacy Statement?

Yes, our Privacy Statement may change from time to time. This is possible if there are new data processes and these changes are important to you. We will of course keep you informed. You can always find the most current version of our Privacy Statement at: rabobank.com/privacy.