By accepting our use of cookies, you allow us to improve your experience on our website, so that it is faster, more personalised and more secure. You can change the cookie settings in your browser at any time. Find out more about cookies.

Privacy Policy

Update 17/09/2020

Protection of privacy is a primary consideration for Keytrade Bank (the "Bank").

This Policy aims to explain clearly and simply to you how the Bank collects, processes and stores your personal data.

This Policy applies both to data which are initially collected when you visit the Bank's Website and when you contact the Bank, and data which are subsequently obtained by the Bank (for example, when you subscribe to an additional product or service, or when you update data you initially provided).

Your data are currently processed in compliance with Regulation (EU) No. 2016/679 of 27 April 2016, the General Data Protection Regulation (known as "GDPR"), as well as any regulations applying to personal data. For more detailed information about data protection, please visit the Data protection authority website (https://www.dataprotectionauthority.be/citizen).

This Policy is updated regularly. The Bank invites you to check its Website on a regular basis to see the version of the Policy currently in force.

  1. Who is the data controller of your personal data?
  2. What do we mean by personal data?
  3. When does the Bank collect your personal data?
  4. Where does the Bank collect data about you?
  5. In what circumstances are you required to provide your personal data to the Bank?
  6. For what purposes and on what basis do we process your personal data?
    1. Statutory obligations
    2. Contractual and pre-contractual relations
    3. Legitimate interests
    4. Consent
    5. Direct marketing
  7. Cookies and similar technologies
  8. Automated decision-making and profiling
    1. Profiling in general
    2. Human decisions based on profiling results
    3. Automated decision-making which have legal effects or similarly significantly affects you
  9. Storage period
  10. Data security
    1. The Bank's security system
    2. Actions you can take
  11. Who receives your data? To whom may your data be transferred?
  12. What are your rights?
    1. Right of access
    2. Right of rectification
    3. Right to be forgotten
    4. Right to restriction of processing
    5. Right to data portability
    6. Right to withdraw your consent
    7. Right to object
  13. How can you exercise your rights?
  14. Who should you contact in the event of a complaint?

1. Who is your data controller?

Your data controller is KEYTRADE BANK, the Belgian branch of ARKEA DIRECT BANK SA (France), which is situated at Boulevard du Souverain 100, 1170 Brussels, and registered under number BE 0879.257.191.

As a branch of Arkéa Direct Bank SA (France), itself a subsidiary of Crédit Mutuel Arkéa, the Bank is part of the Crédit Mutuel Arkéa group.

Within Keytrade Bank, the DPO Team is responsible for the daily monitoring of GDPR issues (first point of contact) and for compliance with the regulations applicable to personal data.

If you have any questions, would like to submit a request to exercise one of your rights under the GDPR or are faced with a problem concerning your personal data, you can contact our DPO Team by e-mail at dpo@keytradebank.com or by post at Boulevard du Souverain 100, 1170 Brussels.

Keytrade Bank has appointed a Data Protection Officer ("DPO"), whose role is in particular to inform and advise the Bank on all matters relating to the protection of personal data within Keytrade Bank. You can contact the Data Protection Officer:

- By post: Data Protection Officer – Crédit Mutuel Arkéa – 1 rue Louis Lichou, 29808 Brest Cedex 9, France
- By e-mail: protectiondesdonnees@arkea.com

2. What do we mean by personal data?

By personal data, we mean not only data that identify you directly, but also data that identify you indirectly.

The Bank generally needs to collect the following different types of personal data (this list is not exhaustive):

Identification data: your last names, first names, addresses, identity card number, national registration number, e-mail addresses, telephone numbers, username;
Transaction data: these are any data relating to your bank and stock market transactions, including your account numbers, card numbers, banking communications, withdrawals, transfers relating to your accounts, any defaults on loan repayments to the Bank, etc.;
Financial data: your bills, payslips, income, the value of your personal property or real estate, repayment capacity, the origin of your funds or assets, etc.;
Personal data: your age, gender, date of birth, place of birth, marital status and nationality;
Household composition data: your family situation, details about other members of your household, etc.;
Data relating to your investor profile: your knowledge and experience of financial instruments and your financial situation, including your ability to bear losses, your investment objectives and your risk tolerance;
Data relating to satisfaction surveys or from the contact you have with the Bank;
Audiovisual and electronic data: video surveillance recordings from our branches, telephone recordings from our customer service department or records of e-mail communications;
Data obtained via third parties: from the national register and from the Central Individual Credit Register of the National Bank of Belgium, as well as data supplied by public bodies, etc.;
Data obtained via cookies and similar technologies: IP address, browser version, how you behave on the website, how many times you have visited our site. For more information, please read our Cookies Policy

3. When does the Bank collect your personal data?

When you become a customer or when a customer discloses your data (for example, when you are the beneficial owner of a legal entity);
When you contact us via one of the channels available to you;
When you sign up for a new product or service;
When you take part in a survey, a tutorial, an information session or any other event organized by Keytrade Bank;
When you use one of the Bank's products or services;
When you log in to the Bank's mobile app or its Website;
When you fill in one of our forms or sign a contract with the Bank.

4. Where does the Bank collect data about you?

In most cases, you provide the personal data that the Bank processes. However, the Bank does also sometimes obtain these data from third parties. In particular, this happens when:

your data are disclosed to us by a customer (for example, because you are a beneficial owner or the representative of a legal entity, you are acting as an interim administrator or you have been named as a beneficiary of a KEYPLAN for Kids);
the Bank views your data with an authorised third party (for example: publications in the Belgian Official Gazette or the Crossroads Bank for Enterprises ("BCE");
in connection with our legal obligations, the Bank consults some external files, such as the database of the Central Individual Credit Register and the database of non-regulated registrations held by the National Bank of Belgium.

5. In what circumstances are you required to provide your personal data to the Bank?

If you wish to open an account with the Bank or use our products and/or services, you will be required to provide us with some information about yourself. The Bank is obliged to comply with the legislation in force and, in certain circumstances, this entails obtaining personal data (e.g. the law on the prevention of money laundering, MiFID, etc.)

You do, of course, have the right to refuse to disclose this information, but if this refusal prevents the Bank from complying with its legal obligations, it will be obliged to refuse you the service and/or product.

6. For what purposes and on what basis do we process your personal data?

Generally, the Bank processes your personal data either:

in order to comply with any statutory and regulatory provisions to which the Bank is subject;
in connection with the performance of the contract or with pre-contractual steps;
in order to pursue the Bank's legitimate interests, maintaining a balance between these legitimate interests and respect for your privacy, or;
when you have given your consent for a specific purpose(s).

6.1 Statutory obligations

The Bank is bound by a number of statutory and regulatory obligations that require us to process your data. These obligations mainly fall within the following areas:

the obligation to manage risks. The Bank calculates risk scores and uses statistical risk modelling using your personal data, enabling it to assess the risk and offer you the products and services best suited to your situation;
the obligation to help prevent money laundering and the financing of terrorism, by identifying customers, representatives and beneficial owners, establishing risk profiles, and monitoring operations and transactions;
the obligation to help combat tax fraud and evasion, by identifying customers, their accounts and contracts, and by working with the relevant authorities;
the obligation to help combat market abuse, by identifying particular information and reporting it to the relevant authorities;
the obligation to protect consumers of financial products and services, by identifying, for some services, their investor profile and category, and their investment capabilities and objectives;
the obligation to register you in the Central Individual Credit Register or in the database of non-regulated registrations in the event you take out a loan..

The list of statutory and regulatory fields which require the Bank to process your data is non-exhaustive and may change.

6.2 Contractual and pre-contractual relations

Before entering into a contract, the Bank may – and in some cases, must – obtain and process certain items of personal data, in particular in order to:

respond to your application;
help you if you encounter a problem during the online registration process for a product or service;
take an application further, assess suitability and evaluate the risks associated with a potential contract;
assess your creditworthiness or possibly the creditworthiness of people connected to you during a credit application.

More specifically, in the execution of contracts, the Bank processes your data as follows:

central management of your different types of accounts;
management and checking of transactions;
central management and a 360-degree view of customers;
management and provision of products the execution of services, including:
  • trading in financial instruments and subscription to financial products;
  • management and granting of credit facilities, by assessing the overall credit risk;;
consolidation and monitoring of reporting on financial and accounting data;
protecting you and your assets against any fraudulent activity as a result of identity theft, data leaks or data hacking, for example.
the management of your personal data as part of the account information service (aggregation) and payment initiation and account information services.

6.3 Legitimate interests

The Bank also processes your data in order to pursue its legitimate interests. For this purpose, whenever it processes data the Bank strives to maintain a fair balance between its data processing needs and respect for your rights and freedoms, and particularly privacy.

Personal data are therefore processed in order to:

prepare studies, models (risk, marketing and other types) and statistics, by using techniques to anonymise and/or pseudonymise the data of the individuals involved
promote products and services marketed by the Bank in compliance with regulations (see 6.5);
complete in advance data that we already know for existing customers when they apply for additional products or services;
improve the performance of the Bank's services:
  • we use transaction data in order to better understand how our services are used, in order to improve them
  • we also analyse the results of our marketing activities to measure how effective our campaigns have been, in order to offer you more relevant services and products;
  • we analyse the results of surveys conducted among our customers and customer views expressed when they come into contact with us, in order to improve customer relationships and our products and services;
store evidence and files within the limits provided for by regulations;
train Bank staff, through staff interactions with customers;
monitor the Bank's activities, in particular measuring sales, the number of calls and the number of people visiting the Bank's Transaction Website, as well as ascertaining the most frequently asked questions by customers, etc.
safeguard property and people, combat fraud and attempted hackings, malpractice and other offences: this means that images recorded by the surveillance cameras are only saved in order to safeguard property and people and to prevent malpractice, fraud and other offences that may be committed against our customers or the Bank;
establish, exercise, defend and safeguard the rights of the Bank, for example during recovery or dispute procedures.

6.4 Consent

In some cases, the Bank will only process your personal data if it has specifically obtained your consent to do so.

For example:

Only functional (login) cookies and other similar technologies, which are necessary for the proper functioning of the Bank's Website, will be automatically enabled during your visit. Other cookies (usability, statistical, advertising or tracking cookies) will only be enabled once you have given your consent. You can find more information about how cookies work and how you can restrict or delete cookies in our Cookies Policy.
The Bank will only disclose data needed for some payment service providers to take action (such as payment service initiators and account aggregators) if you have provided your consent for the Bank to do so.
Participation in games, competitions and events organised by the Bank also requires the processing of your personal data. In this case, the terms and conditions for processing your data are detailed in the rules of the promotional game or event.
For customers who have given their consent when entering into a banking relationship, the Bank relies on this consent to send them advertising communications (opt in/opt out – see point 6.5).

6.5 Direct marketing

Depending on the date on which you entered into the banking relationship, you may or may not have needed to give your consent to receive advertising communications.

If you gave your consent to receive advertising communications when entering into the banking relationship, the Bank will process your personal data, and in particular your contact details, to send you advertising communications (opt-in). If you did not give your consent when entering into the banking relationship, the Bank will not send you any advertising communications or process your data for this purpose (opt-out).

If the Bank did not request your consent when the banking relationship was entered into, the Bank sends advertising communications on the basis of its legitimate interests (soft opt-in).

In practice, this means that you may be contacted in the following cases, for example:

about products in which you have shown an interest (for example, by registering for an information session or by running a simulation on the product);
when the Bank markets new products or services related to your needs;

To send its advertising communications, the Bank may contact you by e-mail, telephone or ordinary mail. The Bank will choose the most appropriate and least intrusive method of communication, depending on the purpose of the communication. The Bank favours e-mail communications in order to inform you of (new) products and services.

Any advertising communication sent by the Bank contains a link enabling you to easily withdraw your consent and/or object to the processing of your data for marketing purposes.

You can also indicate at any time that you no longer wish to receive advertising communications by logging in to the Transaction Site > Preferences > Personal Data > Communication. The Bank will never process your data if you have withdrawn your consent or have objected to the processing of your personal data for marketing purposes.

The Bank does not send advertising communications if you do not have an active banking relationship with it (prospective customers and customers whose accounts are closed are therefore excluded).

7. Cookies and similar technologies

Generally speaking, cookies are small data files stored on your computer. They may have different functions. The Bank uses cookies on its Website in order to enhance its performance, to enable it to remember your preferences and to bring you information that we think will be interesting or useful to you. We also use data recorded by cookies to compile statistics for our Website and to ensure that its performance and content are improved.

For more detailed information about how we use cookies, please read the Bank's Cookies Policy.

When third parties place cookies on the Bank's website, you will be able to access their data protection policy via links on the Bank's website. We recommend that you read their data protection policies carefully.

8. Profiling and automated decision-making

Profiling is the automated processing of your personal data to assess certain personal factors such as your interests, your personal preferences, etc.

In order to offer you certain products and services quickly and efficiently, your personal data may occasionally be processed in an automated manner either fully or in part, which may result in a decision with legal effects or similarly significant effects on you. This is automated decision-making.

There are three forms of profiling:

Profiling in general (which has no legal effect on you);
Human decision-making based on the results of profiling (which has no legal effect on you);
A fully automated decision-making (which has legal effects or similarly significantly affects you).

8.1 Profiling in general

The Bank markets a huge range of financial products and services (savings accounts, investment services, pension savings, insurance, mortgage loans, consumer credit, etc.). In order to identify the products and services that actually correspond to your needs, the Bank implements profiling based on some of your personal data.

Thanks to profiling, the Bank is able to write tailor-made advertising communications and limit correspondence to communications which it truly believes are relevant to you. The products and services will remain accessible to all the Bank's customers, unless excluded by law, even if the profiling has not identified that the products correspond to the needs or interests of certain categories of customers.

You can object to profiling for marketing purposes at any time by logging in to the Transaction Site > Preferences > Personal Data > Communication. Each advertising communication also contains a link which allows you to easily object to profiling for marketing purposes.

The Bank also performs profiling for other purposes, such as:

for statistical purposes;
to better understand the behaviour and needs of the Bank's customers and to improve services;
to analyse the browsing behaviour of visitors to the Bank's Website

Where the Bank uses profiling based on its legitimate interests, it will carefully assess the legitimate interest in advance to determine whether the implementation of profiling is justified. It will also, in any event, take the necessary measures to minimise any impact on your rights and freedoms.

8.2 Human decisions based on profiling results

These occur when an application is made for a mortgage loan or credit card. The decision of the case manager to grant or refuse you a loan or a credit facility will in part be based on the result of profiling carried out by an algorithm. This algorithm uses the data you have sent to us as part of your application for credit, as well external data (from the Central Individual Credit Register and non-regulated registrations). This algorithm assesses your ability to repay the loan or credit facility you have applied for, and aims to enable the case manager to make a quick and non-discriminatory decision.

8.3 Automated decision-making which have legal effects or similarly significantly affects you

A fully automated decision is a decision made with regard to an individual using an algorithm applied to their personal data, without the involvement of any human being in the process.

This is the case with KEYHOME and KEYPRIVATE simulations, which are available on the Bank's Website. In the event of a refusal by the algorithm, for whatever reason, this is a decision that may have legal effects on you.

In some cases, the decision not to grant a credit card is also made on the basis of fully automated decision-making. The algorithm takes into account various elements of your application and consults the Central Individual Credit Register and database of non-regulated registrations in order to determine whether it should deny the application.

In the case of fully automated decision-making, you will receive an immediate response to your application.

In all cases where an automated decision has legal effects or similarly significantly affects you, you have the right to request human intervention and to be provided with an explanation of the decision taken following this type of assessment, and to potentially contest this decision.

9. Storage period

The Banks ensures it does not store your personal data for any longer than we need for the processing activity that requires us to collect them. When assessing how long we need to store your personal data, we must also take into account the applicable regulatory requirements (requirements arising from legislation against money laundering and the financing of terrorism, for example).

As a prospective customer, your data will be stored for a maximum period of one year.

If you are a customer of the Bank, the data we will have collected as part of our contractual relationship will be stored for the duration of this relationship and for a period of 10 years after your account is closed. This period may be longer in some cases, for example, when it involves a mortgage (30 years) or a dispute (until there is an outcome to the dispute).

Other data, such as data collected using surveillance cameras, are stored for a shorter period (a period of a month on a rolling basis for images recorded by surveillance cameras).

10. Data security

10.1 Our security system

The Bank takes appropriate technical and organisational measures in order to guarantee that your personal data are adequately protected against loss or their disclosure to unauthorised individuals. In order to protect your data, the Bank has put in place security technology which complies with international rules and current standards in force.

The Bank has also taken organisational measures, by setting up teams dedicated to information security.

More generally, the Bank's employees are made aware of the question of protecting personal data, and the Bank ensures that they comply with the code of ethics setting out the instructions on the protection of personal data.

The Bank works exclusively with data processors and partners who offer a high level of guarantees regarding the protection of personal data.

If the Bank identifies an incident with an impact on personal data, it ensures, in line with regulatory requirements, that it reports it to the Data Protection Authority (DPA) as soon as possible, that it informs the data subjects and takes the necessary steps to minimise any damaging consequences that the incident may have for them.

10.2 Actions you can take

Data security is everyone's business.

You can also help keep your personal data secure by following the advice below:

use the most recent operating system on your device and install all security updates;
use the most recent version of your web browser and install all security updates;
install antivirus software, anti-spyware software and a firewall, and adjust your preferences so that these safeguards are updated regularly;
do not leave your device or your login details unattended;
sign out of the Transaction Site or the app if you are no longer using it;
keep your codes confidential;
only log in from devices that you trust and do not use shared computers/devices for sensitive transactions.

The Bank will never ask you for your account numbers, debit or credit card numbers, passwords or codes via e-mail or telephone. Therefore, never communicate this information by any means under any circumstances! If you call the Bank, it may need to identify you. It will do this by asking some personal questions.

11. Who receives your personal data? To whom can your personal data be transferred?

Within the Bank, your personal data can only be accessed by people who need to access them for their work.
Some of your personal data may be transmitted to Arkéa Group entities.
In some cases, we are required by law to disclose your personal data to third parties:
  • to market and regulatory authorities (particularly in Belgium and France), similar foreign authorities, the Central Point of Contact ("CPC"), and to Belgian and foreign tax authorities when the Bank is required to disclose customers' personal data;
  • to the National Bank of Belgium or the Bank of France in cases covered by Regulation (EU) No. 2016/867 of 18 May 2016 (the AnaCredit Regulation) relating to credit facilities granted to you;
  • to public or judicial authorities, such as the police, prosecutors, law courts, etc. This can only be done at their express request and in compliance with regulations;
  • to lawyers (for example, in relation to the dissolution of a marriage or a bankruptcy), notaries (for example, when it involves a mortgage or inheritance), guardians or interim administrators, etc.;
  • to third-party banks in accordance with the Law of 18 September 2017 on the prevention of money laundering and the financing of terrorism and limitations on the use of cash.
In some cases, the Bank calls upon third parties to provide you with services to which you have subscribed or in order to process your personal data. For example, this may mean:
  • specialist providers from the financial sector, who must also fulfil their statutory obligations in relation to personal data
    (for example Card Stop, VISA, related banking institutions in foreign countries, etc.);
  • service providers who help the Bank to:
    • devise and maintain our tools
    • market its activities, organise events and manage communications with customers;
    • develop and/or manage its products and services

For some services, the Bank calls upon specialist partners who work as data processors. The Bank ensures the protection of your personal data by appropriate provisions in its contracts with data processors, and only uses data processors which implement the appropriate technical and organisational measures. If necessary, the Bank supplements the data processor's contracts and documentation with other appropriate measures (tests, on-site inspections, etc.)

When personal data are transferred to a data processor, the Bank only provides the third party with the personal data necessary for it to carry out the specific tasks required.

When we work with data processors outside of the European Economic Area (EEA), we take appropriate measures to guarantee that your personal data will be properly protected in the recipient country. In such cases, the Bank takes action (for example, through contractual measures and checks on the technical and organisational measures implemented) to ensure that personal data are processed with the same level of security as that required under European regulations.

Your data may also be disclosed, with your consent, to certain payment service providers, such as payment initiation and account information service providers in connection with PSD2: these data (pseudonymised) will only be stored on the Cloud when you use payment initiation and account information services.

Under no circumstances will the Bank share your personal data with third parties without a specific purpose justifying the transfer of personal data.

12. What are your rights?

12.1 Right of access

You have a right of access to the personal data concerning you that are processed by the Bank:

The Bank takes all necessary measures to ensure that your personal data are correct, up-to-date, complete and relevant. For this reason, the Bank asks you to keep it informed of any changes (new addresses, new identity card, acquisition of a new nationality, etc.) If you discover that your data are inaccurate or incomplete, you can ask us to make rectifications (see point 13).

12.2 Right to rectification

You can amend some of your personal data yourself by logging in to the Transaction Site > Preferences > Personal Data > Communication. For certain changes to personal data made by you, the Bank consults the national register as the Bank must ensure that the change made corresponds to the official databases.

There are certain items of personal data that you cannot change yourself. For certain categories of customers, for example, the Bank must draw up reports for the relevant authorities. Some of these reports must be communicated to you.

For data that you cannot change yourself on the Transaction Site, you also have the right of rectification in the event of error or omission: you can send an e-mail to dpo@keytradebank.com, clearly specifying the reasons why you think the data should be rectified and attaching any documents that show this to be the case.

If the Bank corrects data concerning you which it had previously shared with a third party, it will also notify the third party.

12.3 Right to be forgotten

In some specific cases, the regulations allow you to have your personal data deleted from the Bank's database.

This is the case, in particular, if the data are no longer necessary for the purposes for which the Bank collected them, if the processing of your data is based solely on your consent and you decide to withdraw it, or if you have objected to the processing of your data and there are no legitimate grounds for the Bank which prevail over yours (for example, because you provided your personal data with a view to submitting an application for a mortgage loan that you did not ultimately take out).

However, the Bank may store your personal data when they are needed for establishing, exercising or defending its rights in court, or for the Bank to comply with its statutory obligations. The Bank will therefore be required to comply with storage periods stipulated by different laws, particularly when the data concern transactions which you have carried out or have been collected in connection with our obligations relating to combating money laundering and the financing of terrorism.

12.4 Right to restriction of processing

This right of objection enables you to ask the Bank to stop processing your personal data temporarily in specific cases defined by regulations.

You can ask for your data to be blocked:

when the data in question are inaccurate, incomplete, ambiguous or out of date, for the amount of time needed to enable us to check the accuracy of your data;
when collecting, processing, disclosing or storing them is prohibited;
when the data are no longer needed for the processing purposes;
for the period of time needed by the Bank to assess the merits of an objection request.

If you have exercised this right, the Bank may retain your data but it will no longer be able to process them unless you provide your consent to do so, or in order to establish, exercise or defend its rights (or the rights of another person) or in the cases provided for by regulations.

12.5 Right to data portability

By virtue of this right, you may ask the Bank to send your personal data to you or to send them directly to another data controller, where this is technically possible for the Bank. This right only applies to data which you yourself have supplied to the Bank and which are automatically processed on the basis of the contract or when you have provided your consent.

You can submit a request using the following form

12.6 Right to withdraw your consent

When your data are processed because you have provided your consent, you have the right to withdraw this consent at any time. However, withdrawing your consent does not call into question the legality of the processing carried out during the period before you withdrew your consent.

12.7 Right of objection

You always have the right to object to the use of your personal data for marketing purposes, without providing any justification and at no cost to you (see 6.5). If you do so, your data will no longer be used for this purpose.

Furthermore, you also have the right to object, for reasons relating to your particular circumstances, to any processing of your personal data which is based on the Bank's legitimate interests. However, the Bank will be unable to grant your request if there are legitimate and overriding reasons that prevail over your interests, rights and freedoms, or if the processing of your data is required in order to establish, exercise or defend its legal rights.

13. How can you exercise your rights?

In order to exercise your rights, you may send the Bank a signed and dated request together with a legible copy of the front and back of your identity card to the e-mail address dpo@keytradebank.com.

Customers can also send their request from their authenticated e-mail address (i.e. either the e-mail address they entered when opening their account, or any e-mail address they provided subsequently which has been validated by the Bank) to dpo@keytradebank.com.

Following receipt of a complete request from you, the Bank will assess its validity and, if you are entitled to exercise the right invoked, take the necessary action as swiftly as possible.

In all cases, the Bank will respond within one month. If your request is complex, the Bank will inform you within one month and will contact you again with the information requested within a maximum additional period of two months.

If you request any additional copies when exercising your right to access your personal data, we may charge you a reasonable amount for administrative costs.

14. Who should you contact in the event of a complaint?

In the event of a complaint regarding the processing of your personal data, you may submit a request for mediation to the Data Protection Authority at the following address:


Data Protection Authority
Rue de la Presse 35
1000 Bruxelles
Tél : +32 2 274 48 00
Mail : contact@apd-gba.be